From: Greg Kroah-Hartman Date: Mon, 10 Aug 2015 21:35:03 +0000 (-0700) Subject: 3.14-stable patches X-Git-Tag: v3.10.87~44 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c357160be396e29fc7951f7362394602ec4c84d6;p=thirdparty%2Fkernel%2Fstable-queue.git 3.14-stable patches added patches: drm-radeon-combios-add-some-validation-of-lvds-values.patch fsnotify-fix-oops-in-fsnotify_clear_marks_by_group_flags.patch ipr-fix-incorrect-trace-indexing.patch ipr-fix-invalid-array-indexing-for-hrrq.patch ipr-fix-locking-for-unit-attention-handling.patch mips-fix-sched_getaffinity-with-mt-fpaff-enabled.patch mips-make-set_pte-smp-safe.patch mips-malta-don-t-reinitialise-rtc.patch usb-sierra-add-1199-68ab-device-id.patch xhci-fix-off-by-one-error-in-trb-dma-address-boundary-check.patch --- diff --git a/queue-3.14/drm-radeon-combios-add-some-validation-of-lvds-values.patch b/queue-3.14/drm-radeon-combios-add-some-validation-of-lvds-values.patch new file mode 100644 index 00000000000..e5277523beb --- /dev/null +++ b/queue-3.14/drm-radeon-combios-add-some-validation-of-lvds-values.patch @@ -0,0 +1,45 @@ +From 0a90a0cff9f429f886f423967ae053150dce9259 Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Mon, 27 Jul 2015 19:24:31 -0400 +Subject: drm/radeon/combios: add some validation of lvds values + +From: Alex Deucher + +commit 0a90a0cff9f429f886f423967ae053150dce9259 upstream. + +Fixes a broken hsync start value uncovered by: +abc0b1447d4974963548777a5ba4a4457c82c426 +(drm: Perform basic sanity checks on probed modes) + +The driver handled the bad hsync start elsewhere, but +the above commit prevented it from getting added. + +bug: +https://bugs.freedesktop.org/show_bug.cgi?id=91401 + +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/radeon/radeon_combios.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/radeon/radeon_combios.c ++++ b/drivers/gpu/drm/radeon/radeon_combios.c +@@ -1255,10 +1255,15 @@ struct radeon_encoder_lvds *radeon_combi + + if ((RBIOS16(tmp) == lvds->native_mode.hdisplay) && + (RBIOS16(tmp + 2) == lvds->native_mode.vdisplay)) { ++ u32 hss = (RBIOS16(tmp + 21) - RBIOS16(tmp + 19) - 1) * 8; ++ ++ if (hss > lvds->native_mode.hdisplay) ++ hss = (10 - 1) * 8; ++ + lvds->native_mode.htotal = lvds->native_mode.hdisplay + + (RBIOS16(tmp + 17) - RBIOS16(tmp + 19)) * 8; + lvds->native_mode.hsync_start = lvds->native_mode.hdisplay + +- (RBIOS16(tmp + 21) - RBIOS16(tmp + 19) - 1) * 8; ++ hss; + lvds->native_mode.hsync_end = lvds->native_mode.hsync_start + + (RBIOS8(tmp + 23) * 8); + diff --git a/queue-3.14/fsnotify-fix-oops-in-fsnotify_clear_marks_by_group_flags.patch b/queue-3.14/fsnotify-fix-oops-in-fsnotify_clear_marks_by_group_flags.patch new file mode 100644 index 00000000000..75b985bb14a --- /dev/null +++ b/queue-3.14/fsnotify-fix-oops-in-fsnotify_clear_marks_by_group_flags.patch @@ -0,0 +1,77 @@ +From 8f2f3eb59dff4ec538de55f2e0592fec85966aab Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Thu, 6 Aug 2015 15:46:42 -0700 +Subject: fsnotify: fix oops in fsnotify_clear_marks_by_group_flags() + +From: Jan Kara + +commit 8f2f3eb59dff4ec538de55f2e0592fec85966aab upstream. + +fsnotify_clear_marks_by_group_flags() can race with +fsnotify_destroy_marks() so that when fsnotify_destroy_mark_locked() +drops mark_mutex, a mark from the list iterated by +fsnotify_clear_marks_by_group_flags() can be freed and thus the next +entry pointer we have cached may become stale and we dereference free +memory. + +Fix the problem by first moving marks to free to a special private list +and then always free the first entry in the special list. This method +is safe even when entries from the list can disappear once we drop the +lock. + +Signed-off-by: Jan Kara +Reported-by: Ashish Sangwan +Reviewed-by: Ashish Sangwan +Cc: Lino Sanfilippo +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/notify/mark.c | 30 +++++++++++++++++++++++++----- + 1 file changed, 25 insertions(+), 5 deletions(-) + +--- a/fs/notify/mark.c ++++ b/fs/notify/mark.c +@@ -293,16 +293,36 @@ void fsnotify_clear_marks_by_group_flags + unsigned int flags) + { + struct fsnotify_mark *lmark, *mark; ++ LIST_HEAD(to_free); + ++ /* ++ * We have to be really careful here. Anytime we drop mark_mutex, e.g. ++ * fsnotify_clear_marks_by_inode() can come and free marks. Even in our ++ * to_free list so we have to use mark_mutex even when accessing that ++ * list. And freeing mark requires us to drop mark_mutex. So we can ++ * reliably free only the first mark in the list. That's why we first ++ * move marks to free to to_free list in one go and then free marks in ++ * to_free list one by one. ++ */ + mutex_lock_nested(&group->mark_mutex, SINGLE_DEPTH_NESTING); + list_for_each_entry_safe(mark, lmark, &group->marks_list, g_list) { +- if (mark->flags & flags) { +- fsnotify_get_mark(mark); +- fsnotify_destroy_mark_locked(mark, group); +- fsnotify_put_mark(mark); +- } ++ if (mark->flags & flags) ++ list_move(&mark->g_list, &to_free); + } + mutex_unlock(&group->mark_mutex); ++ ++ while (1) { ++ mutex_lock_nested(&group->mark_mutex, SINGLE_DEPTH_NESTING); ++ if (list_empty(&to_free)) { ++ mutex_unlock(&group->mark_mutex); ++ break; ++ } ++ mark = list_first_entry(&to_free, struct fsnotify_mark, g_list); ++ fsnotify_get_mark(mark); ++ fsnotify_destroy_mark_locked(mark, group); ++ mutex_unlock(&group->mark_mutex); ++ fsnotify_put_mark(mark); ++ } + } + + /* diff --git a/queue-3.14/ipr-fix-incorrect-trace-indexing.patch b/queue-3.14/ipr-fix-incorrect-trace-indexing.patch new file mode 100644 index 00000000000..30f4c249c79 --- /dev/null +++ b/queue-3.14/ipr-fix-incorrect-trace-indexing.patch @@ -0,0 +1,52 @@ +From bb7c54339e6a10ecce5c4961adf5e75b3cf0af30 Mon Sep 17 00:00:00 2001 +From: Brian King +Date: Tue, 14 Jul 2015 11:41:31 -0500 +Subject: ipr: Fix incorrect trace indexing + +From: Brian King + +commit bb7c54339e6a10ecce5c4961adf5e75b3cf0af30 upstream. + +When ipr's internal driver trace was changed to an atomic, a signed/unsigned +bug slipped in which results in us indexing backwards in our memory buffer +writing on memory that does not belong to us. This patch fixes this by removing +the modulo and instead just mask off the low bits. + +Tested-by: Wen Xiong +Reviewed-by: Wen Xiong +Reviewed-by: Gabriel Krisman Bertazi +Signed-off-by: Brian King +Reviewed-by: Martin K. Petersen +Signed-off-by: James Bottomley +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/ipr.c | 5 +++-- + drivers/scsi/ipr.h | 1 + + 2 files changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/scsi/ipr.c ++++ b/drivers/scsi/ipr.c +@@ -592,9 +592,10 @@ static void ipr_trc_hook(struct ipr_cmnd + { + struct ipr_trace_entry *trace_entry; + struct ipr_ioa_cfg *ioa_cfg = ipr_cmd->ioa_cfg; ++ unsigned int trace_index; + +- trace_entry = &ioa_cfg->trace[atomic_add_return +- (1, &ioa_cfg->trace_index)%IPR_NUM_TRACE_ENTRIES]; ++ trace_index = atomic_add_return(1, &ioa_cfg->trace_index) & IPR_TRACE_INDEX_MASK; ++ trace_entry = &ioa_cfg->trace[trace_index]; + trace_entry->time = jiffies; + trace_entry->op_code = ipr_cmd->ioarcb.cmd_pkt.cdb[0]; + trace_entry->type = type; +--- a/drivers/scsi/ipr.h ++++ b/drivers/scsi/ipr.h +@@ -1459,6 +1459,7 @@ struct ipr_ioa_cfg { + + #define IPR_NUM_TRACE_INDEX_BITS 8 + #define IPR_NUM_TRACE_ENTRIES (1 << IPR_NUM_TRACE_INDEX_BITS) ++#define IPR_TRACE_INDEX_MASK (IPR_NUM_TRACE_ENTRIES - 1) + #define IPR_TRACE_SIZE (sizeof(struct ipr_trace_entry) * IPR_NUM_TRACE_ENTRIES) + char trace_start[8]; + #define IPR_TRACE_START_LABEL "trace" diff --git a/queue-3.14/ipr-fix-invalid-array-indexing-for-hrrq.patch b/queue-3.14/ipr-fix-invalid-array-indexing-for-hrrq.patch new file mode 100644 index 00000000000..5d65e7da795 --- /dev/null +++ b/queue-3.14/ipr-fix-invalid-array-indexing-for-hrrq.patch @@ -0,0 +1,67 @@ +From 3f1c0581310d5d94bd72740231507e763a6252a4 Mon Sep 17 00:00:00 2001 +From: Brian King +Date: Tue, 14 Jul 2015 11:41:33 -0500 +Subject: ipr: Fix invalid array indexing for HRRQ + +From: Brian King + +commit 3f1c0581310d5d94bd72740231507e763a6252a4 upstream. + +Fixes another signed / unsigned array indexing bug in the ipr driver. +Currently, when hrrq_index wraps, it becomes a negative number. We +do the modulo, but still have a negative number, so we end up indexing +backwards in the array. Given where the hrrq array is located in memory, +we probably won't actually reference memory we don't own, but nonetheless +ipr is still looking at data within struct ipr_ioa_cfg and interpreting it as +struct ipr_hrr_queue data, so bad things could certainly happen. + +Each ipr adapter has anywhere from 1 to 16 HRRQs. By default, we use 2 on new +adapters. Let's take an example: + +Assume ioa_cfg->hrrq_index=0x7fffffffe and ioa_cfg->hrrq_num=4: + +The atomic_add_return will then return -1. We mod this with 3 and get -2, add +one and get -1 for an array index. + +On adapters which support more than a single HRRQ, we dedicate HRRQ to adapter +initialization and error interrupts so that we can optimize the other queues +for fast path I/O. So all normal I/O uses HRRQ 1-15. So we want to spread the +I/O requests across those HRRQs. + +With the default module parameter settings, this bug won't hit, only when +someone sets the ipr.number_of_msix parameter to a value larger than 3 is when +bad things start to happen. + +Tested-by: Wen Xiong +Reviewed-by: Wen Xiong +Reviewed-by: Gabriel Krisman Bertazi +Signed-off-by: Brian King +Reviewed-by: Martin K. Petersen +Signed-off-by: James Bottomley +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/ipr.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +--- a/drivers/scsi/ipr.c ++++ b/drivers/scsi/ipr.c +@@ -1045,10 +1045,15 @@ static void ipr_send_blocking_cmd(struct + + static int ipr_get_hrrq_index(struct ipr_ioa_cfg *ioa_cfg) + { ++ unsigned int hrrq; ++ + if (ioa_cfg->hrrq_num == 1) +- return 0; +- else +- return (atomic_add_return(1, &ioa_cfg->hrrq_index) % (ioa_cfg->hrrq_num - 1)) + 1; ++ hrrq = 0; ++ else { ++ hrrq = atomic_add_return(1, &ioa_cfg->hrrq_index); ++ hrrq = (hrrq % (ioa_cfg->hrrq_num - 1)) + 1; ++ } ++ return hrrq; + } + + /** diff --git a/queue-3.14/ipr-fix-locking-for-unit-attention-handling.patch b/queue-3.14/ipr-fix-locking-for-unit-attention-handling.patch new file mode 100644 index 00000000000..985c718766a --- /dev/null +++ b/queue-3.14/ipr-fix-locking-for-unit-attention-handling.patch @@ -0,0 +1,55 @@ +From 36b8e180e1e929e00b351c3b72aab3147fc14116 Mon Sep 17 00:00:00 2001 +From: Brian King +Date: Tue, 14 Jul 2015 11:41:29 -0500 +Subject: ipr: Fix locking for unit attention handling + +From: Brian King + +commit 36b8e180e1e929e00b351c3b72aab3147fc14116 upstream. + +Make sure we have the host lock held when calling scsi_report_bus_reset. Fixes +a crash seen as the __devices list in the scsi host was changing as we were +iterating through it. + +Reviewed-by: Wen Xiong +Reviewed-by: Gabriel Krisman Bertazi +Signed-off-by: Brian King +Reviewed-by: Martin K. Petersen +Signed-off-by: James Bottomley +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/ipr.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +--- a/drivers/scsi/ipr.c ++++ b/drivers/scsi/ipr.c +@@ -6179,21 +6179,23 @@ static void ipr_scsi_done(struct ipr_cmn + struct ipr_ioa_cfg *ioa_cfg = ipr_cmd->ioa_cfg; + struct scsi_cmnd *scsi_cmd = ipr_cmd->scsi_cmd; + u32 ioasc = be32_to_cpu(ipr_cmd->s.ioasa.hdr.ioasc); +- unsigned long hrrq_flags; ++ unsigned long lock_flags; + + scsi_set_resid(scsi_cmd, be32_to_cpu(ipr_cmd->s.ioasa.hdr.residual_data_len)); + + if (likely(IPR_IOASC_SENSE_KEY(ioasc) == 0)) { + scsi_dma_unmap(scsi_cmd); + +- spin_lock_irqsave(ipr_cmd->hrrq->lock, hrrq_flags); ++ spin_lock_irqsave(ipr_cmd->hrrq->lock, lock_flags); + list_add_tail(&ipr_cmd->queue, &ipr_cmd->hrrq->hrrq_free_q); + scsi_cmd->scsi_done(scsi_cmd); +- spin_unlock_irqrestore(ipr_cmd->hrrq->lock, hrrq_flags); ++ spin_unlock_irqrestore(ipr_cmd->hrrq->lock, lock_flags); + } else { +- spin_lock_irqsave(ipr_cmd->hrrq->lock, hrrq_flags); ++ spin_lock_irqsave(ioa_cfg->host->host_lock, lock_flags); ++ spin_lock(&ipr_cmd->hrrq->_lock); + ipr_erp_start(ioa_cfg, ipr_cmd); +- spin_unlock_irqrestore(ipr_cmd->hrrq->lock, hrrq_flags); ++ spin_unlock(&ipr_cmd->hrrq->_lock); ++ spin_unlock_irqrestore(ioa_cfg->host->host_lock, lock_flags); + } + } + diff --git a/queue-3.14/mips-fix-sched_getaffinity-with-mt-fpaff-enabled.patch b/queue-3.14/mips-fix-sched_getaffinity-with-mt-fpaff-enabled.patch new file mode 100644 index 00000000000..6611ef1e67a --- /dev/null +++ b/queue-3.14/mips-fix-sched_getaffinity-with-mt-fpaff-enabled.patch @@ -0,0 +1,46 @@ +From 1d62d737555e1378eb62a8bba26644f7d97139d2 Mon Sep 17 00:00:00 2001 +From: Felix Fietkau +Date: Sun, 19 Jul 2015 00:38:41 +0200 +Subject: MIPS: Fix sched_getaffinity with MT FPAFF enabled + +From: Felix Fietkau + +commit 1d62d737555e1378eb62a8bba26644f7d97139d2 upstream. + +p->thread.user_cpus_allowed is zero-initialized and is only filled on +the first sched_setaffinity call. + +To avoid adding overhead in the task initialization codepath, simply OR +the returned mask in sched_getaffinity with p->cpus_allowed. + +Signed-off-by: Felix Fietkau +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/10740/ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/kernel/mips-mt-fpaff.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/arch/mips/kernel/mips-mt-fpaff.c ++++ b/arch/mips/kernel/mips-mt-fpaff.c +@@ -154,7 +154,7 @@ asmlinkage long mipsmt_sys_sched_getaffi + unsigned long __user *user_mask_ptr) + { + unsigned int real_len; +- cpumask_t mask; ++ cpumask_t allowed, mask; + int retval; + struct task_struct *p; + +@@ -173,7 +173,8 @@ asmlinkage long mipsmt_sys_sched_getaffi + if (retval) + goto out_unlock; + +- cpumask_and(&mask, &p->thread.user_cpus_allowed, cpu_possible_mask); ++ cpumask_or(&allowed, &p->thread.user_cpus_allowed, &p->cpus_allowed); ++ cpumask_and(&mask, &allowed, cpu_active_mask); + + out_unlock: + read_unlock(&tasklist_lock); diff --git a/queue-3.14/mips-make-set_pte-smp-safe.patch b/queue-3.14/mips-make-set_pte-smp-safe.patch new file mode 100644 index 00000000000..c1ab61a18fa --- /dev/null +++ b/queue-3.14/mips-make-set_pte-smp-safe.patch @@ -0,0 +1,77 @@ +From 46011e6ea39235e4aca656673c500eac81a07a17 Mon Sep 17 00:00:00 2001 +From: David Daney +Date: Mon, 3 Aug 2015 17:48:43 -0700 +Subject: MIPS: Make set_pte() SMP safe. + +From: David Daney + +commit 46011e6ea39235e4aca656673c500eac81a07a17 upstream. + +On MIPS the GLOBAL bit of the PTE must have the same value in any +aligned pair of PTEs. These pairs of PTEs are referred to as +"buddies". In a SMP system is is possible for two CPUs to be calling +set_pte() on adjacent PTEs at the same time. There is a race between +setting the PTE and a different CPU setting the GLOBAL bit in its +buddy PTE. + +This race can be observed when multiple CPUs are executing +vmap()/vfree() at the same time. + +Make setting the buddy PTE's GLOBAL bit an atomic operation to close +the race condition. + +The case of CONFIG_64BIT_PHYS_ADDR && CONFIG_CPU_MIPS32 is *not* +handled. + +Signed-off-by: David Daney +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/10835/ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/include/asm/pgtable.h | 31 +++++++++++++++++++++++++++++++ + 1 file changed, 31 insertions(+) + +--- a/arch/mips/include/asm/pgtable.h ++++ b/arch/mips/include/asm/pgtable.h +@@ -150,8 +150,39 @@ static inline void set_pte(pte_t *ptep, + * Make sure the buddy is global too (if it's !none, + * it better already be global) + */ ++#ifdef CONFIG_SMP ++ /* ++ * For SMP, multiple CPUs can race, so we need to do ++ * this atomically. ++ */ ++#ifdef CONFIG_64BIT ++#define LL_INSN "lld" ++#define SC_INSN "scd" ++#else /* CONFIG_32BIT */ ++#define LL_INSN "ll" ++#define SC_INSN "sc" ++#endif ++ unsigned long page_global = _PAGE_GLOBAL; ++ unsigned long tmp; ++ ++ __asm__ __volatile__ ( ++ " .set push\n" ++ " .set noreorder\n" ++ "1: " LL_INSN " %[tmp], %[buddy]\n" ++ " bnez %[tmp], 2f\n" ++ " or %[tmp], %[tmp], %[global]\n" ++ " " SC_INSN " %[tmp], %[buddy]\n" ++ " beqz %[tmp], 1b\n" ++ " nop\n" ++ "2:\n" ++ " .set pop" ++ : [buddy] "+m" (buddy->pte), ++ [tmp] "=&r" (tmp) ++ : [global] "r" (page_global)); ++#else /* !CONFIG_SMP */ + if (pte_none(*buddy)) + pte_val(*buddy) = pte_val(*buddy) | _PAGE_GLOBAL; ++#endif /* CONFIG_SMP */ + } + #endif + } diff --git a/queue-3.14/mips-malta-don-t-reinitialise-rtc.patch b/queue-3.14/mips-malta-don-t-reinitialise-rtc.patch new file mode 100644 index 00000000000..dd3b8d920cb --- /dev/null +++ b/queue-3.14/mips-malta-don-t-reinitialise-rtc.patch @@ -0,0 +1,69 @@ +From 106eccb4d20f35ebc58ff2286c170d9e79c5ff68 Mon Sep 17 00:00:00 2001 +From: James Hogan +Date: Fri, 17 Jul 2015 15:54:41 +0100 +Subject: MIPS: Malta: Don't reinitialise RTC + +From: James Hogan + +commit 106eccb4d20f35ebc58ff2286c170d9e79c5ff68 upstream. + +On Malta, since commit a87ea88d8f6c ("MIPS: Malta: initialise the RTC at +boot"), the RTC is reinitialised and forced into binary coded decimal +(BCD) mode during init, even if the bootloader has already initialised +it, and may even have already put it into binary mode (as YAMON does). +This corrupts the current time, can result in the RTC seconds being an +invalid BCD (e.g. 0x1a..0x1f) for up to 6 seconds, as well as confusing +YAMON for a while after reset, enough for it to report timeouts when +attempting to load from TFTP (it actually uses the RTC in that code). + +Therefore only initialise the RTC to the extent that is necessary so +that Linux avoids interfering with the bootloader setup, while also +allowing it to estimate the CPU frequency without hanging, without a +bootloader necessarily having done anything with the RTC (for example +when the kernel is loaded via EJTAG). + +The divider control is configured for a 32KHZ reference clock if +necessary, and the SET bit of the RTC_CONTROL register is cleared if +necessary without changing any other bits (this bit will be set when +coming out of reset if the battery has been disconnected). + +Fixes: a87ea88d8f6c ("MIPS: Malta: initialise the RTC at boot") +Signed-off-by: James Hogan +Reviewed-by: Paul Burton +Cc: Ralf Baechle +Cc: Maciej W. Rozycki +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/10739/ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/mti-malta/malta-time.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +--- a/arch/mips/mti-malta/malta-time.c ++++ b/arch/mips/mti-malta/malta-time.c +@@ -168,14 +168,17 @@ unsigned int get_c0_compare_int(void) + + static void __init init_rtc(void) + { +- /* stop the clock whilst setting it up */ +- CMOS_WRITE(RTC_SET | RTC_24H, RTC_CONTROL); ++ unsigned char freq, ctrl; + +- /* 32KHz time base */ +- CMOS_WRITE(RTC_REF_CLCK_32KHZ, RTC_FREQ_SELECT); ++ /* Set 32KHz time base if not already set */ ++ freq = CMOS_READ(RTC_FREQ_SELECT); ++ if ((freq & RTC_DIV_CTL) != RTC_REF_CLCK_32KHZ) ++ CMOS_WRITE(RTC_REF_CLCK_32KHZ, RTC_FREQ_SELECT); + +- /* start the clock */ +- CMOS_WRITE(RTC_24H, RTC_CONTROL); ++ /* Ensure SET bit is clear so RTC can run */ ++ ctrl = CMOS_READ(RTC_CONTROL); ++ if (ctrl & RTC_SET) ++ CMOS_WRITE(ctrl & ~RTC_SET, RTC_CONTROL); + } + + void __init plat_time_init(void) diff --git a/queue-3.14/series b/queue-3.14/series index 3048ff63eca..356b8dd09d2 100644 --- a/queue-3.14/series +++ b/queue-3.14/series @@ -1 +1,11 @@ arm-realview-fix-sparsemem-build.patch +mips-malta-don-t-reinitialise-rtc.patch +mips-fix-sched_getaffinity-with-mt-fpaff-enabled.patch +mips-make-set_pte-smp-safe.patch +fsnotify-fix-oops-in-fsnotify_clear_marks_by_group_flags.patch +drm-radeon-combios-add-some-validation-of-lvds-values.patch +ipr-fix-locking-for-unit-attention-handling.patch +ipr-fix-incorrect-trace-indexing.patch +ipr-fix-invalid-array-indexing-for-hrrq.patch +xhci-fix-off-by-one-error-in-trb-dma-address-boundary-check.patch +usb-sierra-add-1199-68ab-device-id.patch diff --git a/queue-3.14/usb-sierra-add-1199-68ab-device-id.patch b/queue-3.14/usb-sierra-add-1199-68ab-device-id.patch new file mode 100644 index 00000000000..e266b5fe701 --- /dev/null +++ b/queue-3.14/usb-sierra-add-1199-68ab-device-id.patch @@ -0,0 +1,330 @@ +From 74472233233f577eaa0ca6d6e17d9017b6e53150 Mon Sep 17 00:00:00 2001 +From: Dirk Behme +Date: Mon, 27 Jul 2015 08:56:05 +0200 +Subject: USB: sierra: add 1199:68AB device ID + +From: Dirk Behme + +commit 74472233233f577eaa0ca6d6e17d9017b6e53150 upstream. + +Add support for the Sierra Wireless AR8550 device with +USB descriptor 0x1199, 0x68AB. + +It is common with MC879x modules 1199:683c/683d which +also are composite devices with 7 interfaces (0..6) +and also MDM62xx based as the AR8550. + +The major difference are only the interface attributes +02/02/01 on interfaces 3 and 4 on the AR8550. They are +vendor specific ff/ff/ff on MC879x modules. + +lsusb reports: + +Bus 001 Device 004: ID 1199:68ab Sierra Wireless, Inc. +Device Descriptor: + bLength 18 + bDescriptorType 1 + bcdUSB 2.00 + bDeviceClass 0 (Defined at Interface level) + bDeviceSubClass 0 + bDeviceProtocol 0 + bMaxPacketSize0 64 + idVendor 0x1199 Sierra Wireless, Inc. + idProduct 0x68ab + bcdDevice 0.06 + iManufacturer 3 Sierra Wireless, Incorporated + iProduct 2 AR8550 + iSerial 0 + bNumConfigurations 1 + Configuration Descriptor: + bLength 9 + bDescriptorType 2 + wTotalLength 198 + bNumInterfaces 7 + bConfigurationValue 1 + iConfiguration 1 Sierra Configuration + bmAttributes 0xe0 + Self Powered + Remote Wakeup + MaxPower 0mA + Interface Descriptor: + bLength 9 + bDescriptorType 4 + bInterfaceNumber 0 + bAlternateSetting 0 + bNumEndpoints 2 + bInterfaceClass 255 Vendor Specific Class + bInterfaceSubClass 255 Vendor Specific Subclass + bInterfaceProtocol 255 Vendor Specific Protocol + iInterface 0 + Endpoint Descriptor: + bLength 7 + bDescriptorType 5 + bEndpointAddress 0x81 EP 1 IN + bmAttributes 2 + Transfer Type Bulk + Synch Type None + Usage Type Data + wMaxPacketSize 0x0200 1x 512 bytes + bInterval 32 + Endpoint Descriptor: + bLength 7 + bDescriptorType 5 + bEndpointAddress 0x01 EP 1 OUT + bmAttributes 2 + Transfer Type Bulk + Synch Type None + Usage Type Data + wMaxPacketSize 0x0200 1x 512 bytes + bInterval 32 + Interface Descriptor: + bLength 9 + bDescriptorType 4 + bInterfaceNumber 1 + bAlternateSetting 0 + bNumEndpoints 2 + bInterfaceClass 255 Vendor Specific Class + bInterfaceSubClass 255 Vendor Specific Subclass + bInterfaceProtocol 255 Vendor Specific Protocol + iInterface 0 + Endpoint Descriptor: + bLength 7 + bDescriptorType 5 + bEndpointAddress 0x82 EP 2 IN + bmAttributes 2 + Transfer Type Bulk + Synch Type None + Usage Type Data + wMaxPacketSize 0x0200 1x 512 bytes + bInterval 32 + Endpoint Descriptor: + bLength 7 + bDescriptorType 5 + bEndpointAddress 0x02 EP 2 OUT + bmAttributes 2 + Transfer Type Bulk + Synch Type None + Usage Type Data + wMaxPacketSize 0x0200 1x 512 bytes + bInterval 32 + Interface Descriptor: + bLength 9 + bDescriptorType 4 + bInterfaceNumber 2 + bAlternateSetting 0 + bNumEndpoints 2 + bInterfaceClass 255 Vendor Specific Class + bInterfaceSubClass 255 Vendor Specific Subclass + bInterfaceProtocol 255 Vendor Specific Protocol + iInterface 0 + Endpoint Descriptor: + bLength 7 + bDescriptorType 5 + bEndpointAddress 0x83 EP 3 IN + bmAttributes 2 + Transfer Type Bulk + Synch Type None + Usage Type Data + wMaxPacketSize 0x0200 1x 512 bytes + bInterval 32 + Endpoint Descriptor: + bLength 7 + bDescriptorType 5 + bEndpointAddress 0x03 EP 3 OUT + bmAttributes 2 + Transfer Type Bulk + Synch Type None + Usage Type Data + wMaxPacketSize 0x0200 1x 512 bytes + bInterval 32 + Interface Descriptor: + bLength 9 + bDescriptorType 4 + bInterfaceNumber 3 + bAlternateSetting 0 + bNumEndpoints 3 + bInterfaceClass 2 Communications + bInterfaceSubClass 2 Abstract (modem) + bInterfaceProtocol 1 AT-commands (v.25ter) + iInterface 0 + Endpoint Descriptor: + bLength 7 + bDescriptorType 5 + bEndpointAddress 0x84 EP 4 IN + bmAttributes 3 + Transfer Type Interrupt + Synch Type None + Usage Type Data + wMaxPacketSize 0x0040 1x 64 bytes + bInterval 5 + Endpoint Descriptor: + bLength 7 + bDescriptorType 5 + bEndpointAddress 0x85 EP 5 IN + bmAttributes 2 + Transfer Type Bulk + Synch Type None + Usage Type Data + wMaxPacketSize 0x0200 1x 512 bytes + bInterval 32 + Endpoint Descriptor: + bLength 7 + bDescriptorType 5 + bEndpointAddress 0x04 EP 4 OUT + bmAttributes 2 + Transfer Type Bulk + Synch Type None + Usage Type Data + wMaxPacketSize 0x0200 1x 512 bytes + bInterval 32 + Interface Descriptor: + bLength 9 + bDescriptorType 4 + bInterfaceNumber 4 + bAlternateSetting 0 + bNumEndpoints 3 + bInterfaceClass 2 Communications + bInterfaceSubClass 2 Abstract (modem) + bInterfaceProtocol 1 AT-commands (v.25ter) + iInterface 0 + Endpoint Descriptor: + bLength 7 + bDescriptorType 5 + bEndpointAddress 0x86 EP 6 IN + bmAttributes 3 + Transfer Type Interrupt + Synch Type None + Usage Type Data + wMaxPacketSize 0x0040 1x 64 bytes + bInterval 5 + Endpoint Descriptor: + bLength 7 + bDescriptorType 5 + bEndpointAddress 0x87 EP 7 IN + bmAttributes 2 + Transfer Type Bulk + Synch Type None + Usage Type Data + wMaxPacketSize 0x0200 1x 512 bytes + bInterval 32 + Endpoint Descriptor: + bLength 7 + bDescriptorType 5 + bEndpointAddress 0x05 EP 5 OUT + bmAttributes 2 + Transfer Type Bulk + Synch Type None + Usage Type Data + wMaxPacketSize 0x0200 1x 512 bytes + bInterval 32 + Interface Descriptor: + bLength 9 + bDescriptorType 4 + bInterfaceNumber 5 + bAlternateSetting 0 + bNumEndpoints 3 + bInterfaceClass 255 Vendor Specific Class + bInterfaceSubClass 255 Vendor Specific Subclass + bInterfaceProtocol 255 Vendor Specific Protocol + iInterface 0 + Endpoint Descriptor: + bLength 7 + bDescriptorType 5 + bEndpointAddress 0x88 EP 8 IN + bmAttributes 3 + Transfer Type Interrupt + Synch Type None + Usage Type Data + wMaxPacketSize 0x0040 1x 64 bytes + bInterval 5 + Endpoint Descriptor: + bLength 7 + bDescriptorType 5 + bEndpointAddress 0x89 EP 9 IN + bmAttributes 2 + Transfer Type Bulk + Synch Type None + Usage Type Data + wMaxPacketSize 0x0200 1x 512 bytes + bInterval 32 + Endpoint Descriptor: + bLength 7 + bDescriptorType 5 + bEndpointAddress 0x06 EP 6 OUT + bmAttributes 2 + Transfer Type Bulk + Synch Type None + Usage Type Data + wMaxPacketSize 0x0200 1x 512 bytes + bInterval 32 + Interface Descriptor: + bLength 9 + bDescriptorType 4 + bInterfaceNumber 6 + bAlternateSetting 0 + bNumEndpoints 3 + bInterfaceClass 255 Vendor Specific Class + bInterfaceSubClass 255 Vendor Specific Subclass + bInterfaceProtocol 255 Vendor Specific Protocol + iInterface 0 + Endpoint Descriptor: + bLength 7 + bDescriptorType 5 + bEndpointAddress 0x8a EP 10 IN + bmAttributes 3 + Transfer Type Interrupt + Synch Type None + Usage Type Data + wMaxPacketSize 0x0040 1x 64 bytes + bInterval 5 + Endpoint Descriptor: + bLength 7 + bDescriptorType 5 + bEndpointAddress 0x8b EP 11 IN + bmAttributes 2 + Transfer Type Bulk + Synch Type None + Usage Type Data + wMaxPacketSize 0x0200 1x 512 bytes + bInterval 32 + Endpoint Descriptor: + bLength 7 + bDescriptorType 5 + bEndpointAddress 0x07 EP 7 OUT + bmAttributes 2 + Transfer Type Bulk + Synch Type None + Usage Type Data + wMaxPacketSize 0x0200 1x 512 bytes + bInterval 32 +Device Qualifier (for other device speed): + bLength 10 + bDescriptorType 6 + bcdUSB 2.00 + bDeviceClass 0 (Defined at Interface level) + bDeviceSubClass 0 + bDeviceProtocol 0 + bMaxPacketSize0 64 + bNumConfigurations 1 +Device Status: 0x0001 + Self Powered + +Signed-off-by: Dirk Behme +Cc: Lars Melin +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/sierra.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/serial/sierra.c ++++ b/drivers/usb/serial/sierra.c +@@ -289,6 +289,7 @@ static const struct usb_device_id id_tab + { USB_DEVICE_AND_INTERFACE_INFO(0x1199, 0x68AA, 0xFF, 0xFF, 0xFF), + .driver_info = (kernel_ulong_t)&direct_ip_interface_blacklist + }, ++ { USB_DEVICE(0x1199, 0x68AB) }, /* Sierra Wireless AR8550 */ + /* AT&T Direct IP LTE modems */ + { USB_DEVICE_AND_INTERFACE_INFO(0x0F3D, 0x68AA, 0xFF, 0xFF, 0xFF), + .driver_info = (kernel_ulong_t)&direct_ip_interface_blacklist diff --git a/queue-3.14/xhci-fix-off-by-one-error-in-trb-dma-address-boundary-check.patch b/queue-3.14/xhci-fix-off-by-one-error-in-trb-dma-address-boundary-check.patch new file mode 100644 index 00000000000..353be6797e0 --- /dev/null +++ b/queue-3.14/xhci-fix-off-by-one-error-in-trb-dma-address-boundary-check.patch @@ -0,0 +1,50 @@ +From 7895086afde2a05fa24a0e410d8e6b75ca7c8fdd Mon Sep 17 00:00:00 2001 +From: Mathias Nyman +Date: Mon, 3 Aug 2015 16:07:48 +0300 +Subject: xhci: fix off by one error in TRB DMA address boundary check +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mathias Nyman + +commit 7895086afde2a05fa24a0e410d8e6b75ca7c8fdd upstream. + +We need to check that a TRB is part of the current segment +before calculating its DMA address. + +Previously a ring segment didn't use a full memory page, and every +new ring segment got a new memory page, so the off by one +error in checking the upper bound was never seen. + +Now that we use a full memory page, 256 TRBs (4096 bytes), the off by one +didn't catch the case when a TRB was the first element of the next segment. + +This is triggered if the virtual memory pages for a ring segment are +next to each in increasing order where the ring buffer wraps around and +causes errors like: + +[ 106.398223] xhci_hcd 0000:00:14.0: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 0 comp_code 1 +[ 106.398230] xhci_hcd 0000:00:14.0: Looking for event-dma fffd3000 trb-start fffd4fd0 trb-end fffd5000 seg-start fffd4000 seg-end fffd4ff0 + +The trb-end address is one outside the end-seg address. + +Tested-by: Arkadiusz Miśkiewicz +Signed-off-by: Mathias Nyman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/xhci-ring.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/host/xhci-ring.c ++++ b/drivers/usb/host/xhci-ring.c +@@ -86,7 +86,7 @@ dma_addr_t xhci_trb_virt_to_dma(struct x + return 0; + /* offset in TRBs */ + segment_offset = trb - seg->trbs; +- if (segment_offset > TRBS_PER_SEGMENT) ++ if (segment_offset >= TRBS_PER_SEGMENT) + return 0; + return seg->dma + (segment_offset * sizeof(*trb)); + }