From: Greg Kroah-Hartman Date: Sun, 18 Jun 2017 01:08:57 +0000 (+0800) Subject: 3.18-stable patches X-Git-Tag: v4.11.7~33 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=fe842a56fc96166b16f01c60ef9ba17d2a10442a;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18-stable patches added patches: can-gs_usb-fix-memory-leak-in-gs_cmd_reset.patch configfs-fix-race-between-create_link-and-configfs_rmdir.patch cpufreq-conservative-allow-down_threshold-to-take-values-from-1-to-10.patch drivers-misc-c2port-c2port-duramar2150.c-checking-for-null-instead-of-is_err.patch iio-proximity-as3935-recalibrate-rco-after-resume.patch mac80211-don-t-look-at-the-pm-bit-of-bar-frames.patch mfd-omap-usb-tll-fix-inverted-bit-use-for-usb-tll-mode.patch pvrusb2-reduce-stack-usage-pvr2_eeprom_analyze.patch serial-efm32-fix-parity-management-in-efm32_uart_console_get_options.patch staging-rtl8188eu-prevent-an-underflow-in-rtw_check_beacon_data.patch usb-core-fix-potential-memory-leak-in-error-path-during-hcd-creation.patch usb-gadget-dummy_hcd-fix-hub-descriptor-removable-fields.patch usb-hub-fix-ss-max-number-of-ports.patch usb-r8a66597-hcd-decrease-timeout.patch usb-r8a66597-hcd-select-a-different-endpoint-on-timeout.patch vb2-fix-an-off-by-one-error-in-vb2_plane_vaddr.patch x86-mm-32-set-the-__vmalloc_start_set-flag-in-initmem_init.patch --- diff --git a/queue-3.18/can-gs_usb-fix-memory-leak-in-gs_cmd_reset.patch b/queue-3.18/can-gs_usb-fix-memory-leak-in-gs_cmd_reset.patch new file mode 100644 index 00000000000..a71eb81d7a6 --- /dev/null +++ b/queue-3.18/can-gs_usb-fix-memory-leak-in-gs_cmd_reset.patch @@ -0,0 +1,31 @@ +From 5cda3ee5138e91ac369ed9d0b55eab0dab077686 Mon Sep 17 00:00:00 2001 +From: Marc Kleine-Budde +Date: Sun, 4 Jun 2017 14:03:42 +0200 +Subject: can: gs_usb: fix memory leak in gs_cmd_reset() + +From: Marc Kleine-Budde + +commit 5cda3ee5138e91ac369ed9d0b55eab0dab077686 upstream. + +This patch adds the missing kfree() in gs_cmd_reset() to free the +memory that is not used anymore after usb_control_msg(). + +Cc: Maximilian Schneider +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/can/usb/gs_usb.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/can/usb/gs_usb.c ++++ b/drivers/net/can/usb/gs_usb.c +@@ -246,6 +246,8 @@ static int gs_cmd_reset(struct gs_usb *g + sizeof(*dm), + 1000); + ++ kfree(dm); ++ + return rc; + } + diff --git a/queue-3.18/configfs-fix-race-between-create_link-and-configfs_rmdir.patch b/queue-3.18/configfs-fix-race-between-create_link-and-configfs_rmdir.patch new file mode 100644 index 00000000000..911aea1e213 --- /dev/null +++ b/queue-3.18/configfs-fix-race-between-create_link-and-configfs_rmdir.patch @@ -0,0 +1,88 @@ +From ba80aa909c99802c428682c352b0ee0baac0acd3 Mon Sep 17 00:00:00 2001 +From: Nicholas Bellinger +Date: Thu, 8 Jun 2017 04:51:54 +0000 +Subject: configfs: Fix race between create_link and configfs_rmdir + +From: Nicholas Bellinger + +commit ba80aa909c99802c428682c352b0ee0baac0acd3 upstream. + +This patch closes a long standing race in configfs between +the creation of a new symlink in create_link(), while the +symlink target's config_item is being concurrently removed +via configfs_rmdir(). + +This can happen because the symlink target's reference +is obtained by config_item_get() in create_link() before +the CONFIGFS_USET_DROPPING bit set by configfs_detach_prep() +during configfs_rmdir() shutdown is actually checked.. + +This originally manifested itself on ppc64 on v4.8.y under +heavy load using ibmvscsi target ports with Novalink API: + +[ 7877.289863] rpadlpar_io: slot U8247.22L.212A91A-V1-C8 added +[ 7879.893760] ------------[ cut here ]------------ +[ 7879.893768] WARNING: CPU: 15 PID: 17585 at ./include/linux/kref.h:46 config_item_get+0x7c/0x90 [configfs] +[ 7879.893811] CPU: 15 PID: 17585 Comm: targetcli Tainted: G O 4.8.17-customv2.22 #12 +[ 7879.893812] task: c00000018a0d3400 task.stack: c0000001f3b40000 +[ 7879.893813] NIP: d000000002c664ec LR: d000000002c60980 CTR: c000000000b70870 +[ 7879.893814] REGS: c0000001f3b43810 TRAP: 0700 Tainted: G O (4.8.17-customv2.22) +[ 7879.893815] MSR: 8000000000029033 CR: 28222242 XER: 00000000 +[ 7879.893820] CFAR: d000000002c664bc SOFTE: 1 + GPR00: d000000002c60980 c0000001f3b43a90 d000000002c70908 c0000000fbc06820 + GPR04: c0000001ef1bd900 0000000000000004 0000000000000001 0000000000000000 + GPR08: 0000000000000000 0000000000000001 d000000002c69560 d000000002c66d80 + GPR12: c000000000b70870 c00000000e798700 c0000001f3b43ca0 c0000001d4949d40 + GPR16: c00000014637e1c0 0000000000000000 0000000000000000 c0000000f2392940 + GPR20: c0000001f3b43b98 0000000000000041 0000000000600000 0000000000000000 + GPR24: fffffffffffff000 0000000000000000 d000000002c60be0 c0000001f1dac490 + GPR28: 0000000000000004 0000000000000000 c0000001ef1bd900 c0000000f2392940 +[ 7879.893839] NIP [d000000002c664ec] config_item_get+0x7c/0x90 [configfs] +[ 7879.893841] LR [d000000002c60980] check_perm+0x80/0x2e0 [configfs] +[ 7879.893842] Call Trace: +[ 7879.893844] [c0000001f3b43ac0] [d000000002c60980] check_perm+0x80/0x2e0 [configfs] +[ 7879.893847] [c0000001f3b43b10] [c000000000329770] do_dentry_open+0x2c0/0x460 +[ 7879.893849] [c0000001f3b43b70] [c000000000344480] path_openat+0x210/0x1490 +[ 7879.893851] [c0000001f3b43c80] [c00000000034708c] do_filp_open+0xfc/0x170 +[ 7879.893853] [c0000001f3b43db0] [c00000000032b5bc] do_sys_open+0x1cc/0x390 +[ 7879.893856] [c0000001f3b43e30] [c000000000009584] system_call+0x38/0xec +[ 7879.893856] Instruction dump: +[ 7879.893858] 409d0014 38210030 e8010010 7c0803a6 4e800020 3d220000 e94981e0 892a0000 +[ 7879.893861] 2f890000 409effe0 39200001 992a0000 <0fe00000> 4bffffd0 60000000 60000000 +[ 7879.893866] ---[ end trace 14078f0b3b5ad0aa ]--- + +To close this race, go ahead and obtain the symlink's target +config_item reference only after the existing CONFIGFS_USET_DROPPING +check succeeds. + +This way, if configfs_rmdir() wins create_link() will return -ENONET, +and if create_link() wins configfs_rmdir() will return -EBUSY. + +Reported-by: Bryant G. Ly +Tested-by: Bryant G. Ly +Signed-off-by: Nicholas Bellinger +Signed-off-by: Christoph Hellwig +Signed-off-by: Greg Kroah-Hartman + +--- + fs/configfs/symlink.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/fs/configfs/symlink.c ++++ b/fs/configfs/symlink.c +@@ -83,14 +83,13 @@ static int create_link(struct config_ite + ret = -ENOMEM; + sl = kmalloc(sizeof(struct configfs_symlink), GFP_KERNEL); + if (sl) { +- sl->sl_target = config_item_get(item); + spin_lock(&configfs_dirent_lock); + if (target_sd->s_type & CONFIGFS_USET_DROPPING) { + spin_unlock(&configfs_dirent_lock); +- config_item_put(item); + kfree(sl); + return -ENOENT; + } ++ sl->sl_target = config_item_get(item); + list_add(&sl->sl_list, &target_sd->s_links); + spin_unlock(&configfs_dirent_lock); + ret = configfs_create_link(sl, parent_item->ci_dentry, diff --git a/queue-3.18/cpufreq-conservative-allow-down_threshold-to-take-values-from-1-to-10.patch b/queue-3.18/cpufreq-conservative-allow-down_threshold-to-take-values-from-1-to-10.patch new file mode 100644 index 00000000000..d272abefca3 --- /dev/null +++ b/queue-3.18/cpufreq-conservative-allow-down_threshold-to-take-values-from-1-to-10.patch @@ -0,0 +1,46 @@ +From b8e11f7d2791bd9320be1c6e772a60b2aa093e45 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Tomasz=20Wilczy=C5=84ski?= +Date: Sun, 11 Jun 2017 17:28:39 +0900 +Subject: cpufreq: conservative: Allow down_threshold to take values from 1 to 10 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Tomasz Wilczyński + +commit b8e11f7d2791bd9320be1c6e772a60b2aa093e45 upstream. + +Commit 27ed3cd2ebf4 (cpufreq: conservative: Fix the logic in frequency +decrease checking) removed the 10 point substraction when comparing the +load against down_threshold but did not remove the related limit for the +down_threshold value. As a result, down_threshold lower than 11 is not +allowed even though values from 1 to 10 do work correctly too. The +comment ("cannot be lower than 11 otherwise freq will not fall") also +does not apply after removing the substraction. + +For this reason, allow down_threshold to take any value from 1 to 99 +and fix the related comment. + +Fixes: 27ed3cd2ebf4 (cpufreq: conservative: Fix the logic in frequency decrease checking) +Signed-off-by: Tomasz Wilczyński +Acked-by: Viresh Kumar +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/cpufreq/cpufreq_conservative.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/cpufreq/cpufreq_conservative.c ++++ b/drivers/cpufreq/cpufreq_conservative.c +@@ -204,8 +204,8 @@ static ssize_t store_down_threshold(stru + int ret; + ret = sscanf(buf, "%u", &input); + +- /* cannot be lower than 11 otherwise freq will not fall */ +- if (ret != 1 || input < 11 || input > 100 || ++ /* cannot be lower than 1 otherwise freq will not fall */ ++ if (ret != 1 || input < 1 || input > 100 || + input >= cs_tuners->up_threshold) + return -EINVAL; + diff --git a/queue-3.18/drivers-misc-c2port-c2port-duramar2150.c-checking-for-null-instead-of-is_err.patch b/queue-3.18/drivers-misc-c2port-c2port-duramar2150.c-checking-for-null-instead-of-is_err.patch new file mode 100644 index 00000000000..8046da9e6ed --- /dev/null +++ b/queue-3.18/drivers-misc-c2port-c2port-duramar2150.c-checking-for-null-instead-of-is_err.patch @@ -0,0 +1,37 @@ +From 8128a31eaadbcdfa37774bbd28f3f00bac69996a Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Mon, 8 May 2017 15:55:17 -0700 +Subject: drivers/misc/c2port/c2port-duramar2150.c: checking for NULL instead of IS_ERR() + +From: Dan Carpenter + +commit 8128a31eaadbcdfa37774bbd28f3f00bac69996a upstream. + +c2port_device_register() never returns NULL, it uses error pointers. + +Link: http://lkml.kernel.org/r/20170412083321.GC3250@mwanda +Fixes: 65131cd52b9e ("c2port: add c2port support for Eurotech Duramar 2150") +Signed-off-by: Dan Carpenter +Acked-by: Rodolfo Giometti +Cc: Greg Kroah-Hartman +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/misc/c2port/c2port-duramar2150.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/misc/c2port/c2port-duramar2150.c ++++ b/drivers/misc/c2port/c2port-duramar2150.c +@@ -129,8 +129,8 @@ static int __init duramar2150_c2port_ini + + duramar2150_c2port_dev = c2port_device_register("uc", + &duramar2150_c2port_ops, NULL); +- if (!duramar2150_c2port_dev) { +- ret = -ENODEV; ++ if (IS_ERR(duramar2150_c2port_dev)) { ++ ret = PTR_ERR(duramar2150_c2port_dev); + goto free_region; + } + diff --git a/queue-3.18/iio-proximity-as3935-recalibrate-rco-after-resume.patch b/queue-3.18/iio-proximity-as3935-recalibrate-rco-after-resume.patch new file mode 100644 index 00000000000..c730a3a9862 --- /dev/null +++ b/queue-3.18/iio-proximity-as3935-recalibrate-rco-after-resume.patch @@ -0,0 +1,53 @@ +From 6272c0de13abf1480f701d38288f28a11b4301c4 Mon Sep 17 00:00:00 2001 +From: Matt Ranostay +Date: Fri, 14 Apr 2017 16:38:19 -0700 +Subject: iio: proximity: as3935: recalibrate RCO after resume + +From: Matt Ranostay + +commit 6272c0de13abf1480f701d38288f28a11b4301c4 upstream. + +According to the datasheet the RCO must be recalibrated +on every power-on-reset. Also remove mutex locking in the +calibration function since callers other than the probe +function (which doesn't need it) will have a lock. + +Fixes: 24ddb0e4bba4 ("iio: Add AS3935 lightning sensor support") +Cc: George McCollister +Signed-off-by: Matt Ranostay +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/proximity/as3935.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- a/drivers/iio/proximity/as3935.c ++++ b/drivers/iio/proximity/as3935.c +@@ -256,8 +256,6 @@ static irqreturn_t as3935_interrupt_hand + + static void calibrate_as3935(struct as3935_state *st) + { +- mutex_lock(&st->lock); +- + /* mask disturber interrupt bit */ + as3935_write(st, AS3935_INT, BIT(5)); + +@@ -267,8 +265,6 @@ static void calibrate_as3935(struct as39 + + mdelay(2); + as3935_write(st, AS3935_TUNE_CAP, (st->tune_cap / TUNE_CAP_DIV)); +- +- mutex_unlock(&st->lock); + } + + #ifdef CONFIG_PM_SLEEP +@@ -305,6 +301,8 @@ static int as3935_resume(struct spi_devi + val &= ~AS3935_AFE_PWR_BIT; + ret = as3935_write(st, AS3935_AFE_GAIN, val); + ++ calibrate_as3935(st); ++ + err_resume: + mutex_unlock(&st->lock); + diff --git a/queue-3.18/mac80211-don-t-look-at-the-pm-bit-of-bar-frames.patch b/queue-3.18/mac80211-don-t-look-at-the-pm-bit-of-bar-frames.patch new file mode 100644 index 00000000000..eb2a93bc26b --- /dev/null +++ b/queue-3.18/mac80211-don-t-look-at-the-pm-bit-of-bar-frames.patch @@ -0,0 +1,41 @@ +From 769dc04db3ed8484798aceb015b94deacc2ba557 Mon Sep 17 00:00:00 2001 +From: Emmanuel Grumbach +Date: Thu, 8 Jun 2017 14:00:49 +0300 +Subject: mac80211: don't look at the PM bit of BAR frames + +From: Emmanuel Grumbach + +commit 769dc04db3ed8484798aceb015b94deacc2ba557 upstream. + +When a peer sends a BAR frame with PM bit clear, we should +not modify its PM state as madated by the spec in +802.11-20012 10.2.1.2. + +Signed-off-by: Emmanuel Grumbach +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/rx.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/net/mac80211/rx.c ++++ b/net/mac80211/rx.c +@@ -1319,12 +1319,16 @@ ieee80211_rx_h_sta_process(struct ieee80 + */ + if (!(sta->local->hw.flags & IEEE80211_HW_AP_LINK_PS) && + !ieee80211_has_morefrags(hdr->frame_control) && ++ !ieee80211_is_back_req(hdr->frame_control) && + !(status->rx_flags & IEEE80211_RX_DEFERRED_RELEASE) && + (rx->sdata->vif.type == NL80211_IFTYPE_AP || + rx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN) && +- /* PM bit is only checked in frames where it isn't reserved, ++ /* ++ * PM bit is only checked in frames where it isn't reserved, + * in AP mode it's reserved in non-bufferable management frames + * (cf. IEEE 802.11-2012 8.2.4.1.7 Power Management field) ++ * BAR frames should be ignored as specified in ++ * IEEE 802.11-2012 10.2.1.2. + */ + (!ieee80211_is_mgmt(hdr->frame_control) || + ieee80211_is_bufferable_mmpdu(hdr->frame_control))) { diff --git a/queue-3.18/mfd-omap-usb-tll-fix-inverted-bit-use-for-usb-tll-mode.patch b/queue-3.18/mfd-omap-usb-tll-fix-inverted-bit-use-for-usb-tll-mode.patch new file mode 100644 index 00000000000..a90c243ab0b --- /dev/null +++ b/queue-3.18/mfd-omap-usb-tll-fix-inverted-bit-use-for-usb-tll-mode.patch @@ -0,0 +1,40 @@ +From 8b8a84c54aff4256d592dc18346c65ecf6811b45 Mon Sep 17 00:00:00 2001 +From: Tony Lindgren +Date: Sat, 15 Apr 2017 10:05:08 -0700 +Subject: mfd: omap-usb-tll: Fix inverted bit use for USB TLL mode + +From: Tony Lindgren + +commit 8b8a84c54aff4256d592dc18346c65ecf6811b45 upstream. + +Commit 16fa3dc75c22 ("mfd: omap-usb-tll: HOST TLL platform driver") +added support for USB TLL, but uses OMAP_TLL_CHANNEL_CONF_ULPINOBITSTUFF +bit the wrong way. The comments in the code are correct, but the inverted +use of OMAP_TLL_CHANNEL_CONF_ULPINOBITSTUFF causes the register to be +enabled instead of disabled unlike what the comments say. + +Without this change the Wrigley 3G LTE modem on droid 4 EHCI bus can +be only pinged few times before it stops responding. + +Fixes: 16fa3dc75c22 ("mfd: omap-usb-tll: HOST TLL platform driver") +Signed-off-by: Tony Lindgren +Acked-by: Roger Quadros +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mfd/omap-usb-tll.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/mfd/omap-usb-tll.c ++++ b/drivers/mfd/omap-usb-tll.c +@@ -376,8 +376,8 @@ int omap_tll_init(struct usbhs_omap_plat + * and use SDR Mode + */ + reg &= ~(OMAP_TLL_CHANNEL_CONF_UTMIAUTOIDLE +- | OMAP_TLL_CHANNEL_CONF_ULPINOBITSTUFF + | OMAP_TLL_CHANNEL_CONF_ULPIDDRMODE); ++ reg |= OMAP_TLL_CHANNEL_CONF_ULPINOBITSTUFF; + } else if (pdata->port_mode[i] == + OMAP_EHCI_PORT_MODE_HSIC) { + /* diff --git a/queue-3.18/pvrusb2-reduce-stack-usage-pvr2_eeprom_analyze.patch b/queue-3.18/pvrusb2-reduce-stack-usage-pvr2_eeprom_analyze.patch new file mode 100644 index 00000000000..5cd60630bf1 --- /dev/null +++ b/queue-3.18/pvrusb2-reduce-stack-usage-pvr2_eeprom_analyze.patch @@ -0,0 +1,57 @@ +From 6830733d53a4517588e56227b9c8538633f0c496 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Thu, 2 Feb 2017 12:53:04 -0200 +Subject: [media] pvrusb2: reduce stack usage pvr2_eeprom_analyze() + +From: Arnd Bergmann + +commit 6830733d53a4517588e56227b9c8538633f0c496 upstream. + +The driver uses a relatively large data structure on the stack, which +showed up on my radar as we get a warning with the "latent entropy" +GCC plugin: + +drivers/media/usb/pvrusb2/pvrusb2-eeprom.c:153:1: error: the frame size of 1376 bytes is larger than 1152 bytes [-Werror=frame-larger-than=] + +The warning is usually hidden as we raise the warning limit to 2048 +when the plugin is enabled, but I'd like to lower that again in the +future, and making this function smaller helps to do that without +build regressions. + +Further analysis shows that putting an 'i2c_client' structure on +the stack is not really supported, as the embedded 'struct device' +is not initialized here, and we are only saved by the fact that +the function that is called here does not use the pointer at all. + +Fixes: d855497edbfb ("V4L/DVB (4228a): pvrusb2 to kernel 2.6.18") + +Signed-off-by: Arnd Bergmann +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/usb/pvrusb2/pvrusb2-eeprom.c | 11 +++-------- + 1 file changed, 3 insertions(+), 8 deletions(-) + +--- a/drivers/media/usb/pvrusb2/pvrusb2-eeprom.c ++++ b/drivers/media/usb/pvrusb2/pvrusb2-eeprom.c +@@ -123,15 +123,10 @@ int pvr2_eeprom_analyze(struct pvr2_hdw + memset(&tvdata,0,sizeof(tvdata)); + + eeprom = pvr2_eeprom_fetch(hdw); +- if (!eeprom) return -EINVAL; ++ if (!eeprom) ++ return -EINVAL; + +- { +- struct i2c_client fake_client; +- /* Newer version expects a useless client interface */ +- fake_client.addr = hdw->eeprom_addr; +- fake_client.adapter = &hdw->i2c_adap; +- tveeprom_hauppauge_analog(&fake_client,&tvdata,eeprom); +- } ++ tveeprom_hauppauge_analog(NULL, &tvdata, eeprom); + + trace_eeprom("eeprom assumed v4l tveeprom module"); + trace_eeprom("eeprom direct call results:"); diff --git a/queue-3.18/serial-efm32-fix-parity-management-in-efm32_uart_console_get_options.patch b/queue-3.18/serial-efm32-fix-parity-management-in-efm32_uart_console_get_options.patch new file mode 100644 index 00000000000..307d76ae3fa --- /dev/null +++ b/queue-3.18/serial-efm32-fix-parity-management-in-efm32_uart_console_get_options.patch @@ -0,0 +1,56 @@ +From be40597a1bc173bf9dadccdf5388b956f620ae8f Mon Sep 17 00:00:00 2001 +From: Christophe JAILLET +Date: Fri, 12 May 2017 16:35:45 +0200 +Subject: serial: efm32: Fix parity management in 'efm32_uart_console_get_options()' +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Christophe JAILLET + +commit be40597a1bc173bf9dadccdf5388b956f620ae8f upstream. + +UARTn_FRAME_PARITY_ODD is 0x0300 +UARTn_FRAME_PARITY_EVEN is 0x0200 +So if the UART is configured for EVEN parity, it would be reported as ODD. +Fix it by correctly testing if the 2 bits are set. + +Fixes: 3afbd89c9639 ("serial/efm32: add new driver") +Signed-off-by: Christophe JAILLET +Acked-by: Uwe Kleine-König +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/efm32-uart.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +--- a/drivers/tty/serial/efm32-uart.c ++++ b/drivers/tty/serial/efm32-uart.c +@@ -27,6 +27,7 @@ + #define UARTn_FRAME 0x04 + #define UARTn_FRAME_DATABITS__MASK 0x000f + #define UARTn_FRAME_DATABITS(n) ((n) - 3) ++#define UARTn_FRAME_PARITY__MASK 0x0300 + #define UARTn_FRAME_PARITY_NONE 0x0000 + #define UARTn_FRAME_PARITY_EVEN 0x0200 + #define UARTn_FRAME_PARITY_ODD 0x0300 +@@ -572,12 +573,16 @@ static void efm32_uart_console_get_optio + 16 * (4 + (clkdiv >> 6))); + + frame = efm32_uart_read32(efm_port, UARTn_FRAME); +- if (frame & UARTn_FRAME_PARITY_ODD) ++ switch (frame & UARTn_FRAME_PARITY__MASK) { ++ case UARTn_FRAME_PARITY_ODD: + *parity = 'o'; +- else if (frame & UARTn_FRAME_PARITY_EVEN) ++ break; ++ case UARTn_FRAME_PARITY_EVEN: + *parity = 'e'; +- else ++ break; ++ default: + *parity = 'n'; ++ } + + *bits = (frame & UARTn_FRAME_DATABITS__MASK) - + UARTn_FRAME_DATABITS(4) + 4; diff --git a/queue-3.18/staging-rtl8188eu-prevent-an-underflow-in-rtw_check_beacon_data.patch b/queue-3.18/staging-rtl8188eu-prevent-an-underflow-in-rtw_check_beacon_data.patch new file mode 100644 index 00000000000..d6d815c9e10 --- /dev/null +++ b/queue-3.18/staging-rtl8188eu-prevent-an-underflow-in-rtw_check_beacon_data.patch @@ -0,0 +1,30 @@ +From 784047eb2d3405a35087af70cba46170c5576b25 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Sat, 22 Apr 2017 13:47:23 +0300 +Subject: staging: rtl8188eu: prevent an underflow in rtw_check_beacon_data() + +From: Dan Carpenter + +commit 784047eb2d3405a35087af70cba46170c5576b25 upstream. + +The "len" could be as low as -14 so we should check for negatives. + +Fixes: 9a7fe54ddc3a ("staging: r8188eu: Add source files for new driver - part 1") +Signed-off-by: Dan Carpenter +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/rtl8188eu/core/rtw_ap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/staging/rtl8188eu/core/rtw_ap.c ++++ b/drivers/staging/rtl8188eu/core/rtw_ap.c +@@ -873,7 +873,7 @@ int rtw_check_beacon_data(struct adapter + return _FAIL; + + +- if (len > MAX_IE_SZ) ++ if (len < 0 || len > MAX_IE_SZ) + return _FAIL; + + pbss_network->IELength = len; diff --git a/queue-3.18/usb-core-fix-potential-memory-leak-in-error-path-during-hcd-creation.patch b/queue-3.18/usb-core-fix-potential-memory-leak-in-error-path-during-hcd-creation.patch new file mode 100644 index 00000000000..e9f8c0d4be1 --- /dev/null +++ b/queue-3.18/usb-core-fix-potential-memory-leak-in-error-path-during-hcd-creation.patch @@ -0,0 +1,32 @@ +From 1a744d2eb76aaafb997fda004ae3ae62a1538f85 Mon Sep 17 00:00:00 2001 +From: Anton Bondarenko +Date: Sun, 7 May 2017 01:53:46 +0200 +Subject: usb: core: fix potential memory leak in error path during hcd creation + +From: Anton Bondarenko + +commit 1a744d2eb76aaafb997fda004ae3ae62a1538f85 upstream. + +Free memory allocated for address0_mutex if allocation of bandwidth_mutex +failed. + +Fixes: feb26ac31a2a ("usb: core: hub: hub_port_init lock controller instead of bus") + +Signed-off-by: Anton Bondarenko +Acked-by: Alan Stern +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/hcd.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/core/hcd.c ++++ b/drivers/usb/core/hcd.c +@@ -2461,6 +2461,7 @@ struct usb_hcd *usb_create_shared_hcd(co + hcd->bandwidth_mutex = kmalloc(sizeof(*hcd->bandwidth_mutex), + GFP_KERNEL); + if (!hcd->bandwidth_mutex) { ++ kfree(hcd->address0_mutex); + kfree(hcd); + dev_dbg(dev, "hcd bandwidth mutex alloc failed\n"); + return NULL; diff --git a/queue-3.18/usb-gadget-dummy_hcd-fix-hub-descriptor-removable-fields.patch b/queue-3.18/usb-gadget-dummy_hcd-fix-hub-descriptor-removable-fields.patch new file mode 100644 index 00000000000..dffefd95e34 --- /dev/null +++ b/queue-3.18/usb-gadget-dummy_hcd-fix-hub-descriptor-removable-fields.patch @@ -0,0 +1,51 @@ +From d81182ce30dbd497a1e7047d7fda2af040347790 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 10 May 2017 18:18:25 +0200 +Subject: USB: gadget: dummy_hcd: fix hub-descriptor removable fields + +From: Johan Hovold + +commit d81182ce30dbd497a1e7047d7fda2af040347790 upstream. + +Flag the first and only port as removable while also leaving the +remaining bits (including the reserved bit zero) unset in accordance +with the specifications: + + "Within a byte, if no port exists for a given location, the bit + field representing the port characteristics shall be 0." + +Also add a comment marking the legacy PortPwrCtrlMask field. + +Fixes: 1cd8fd2887e1 ("usb: gadget: dummy_hcd: add SuperSpeed support") +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Cc: Tatyana Brokhman +Signed-off-by: Johan Hovold +Acked-by: Alan Stern +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/udc/dummy_hcd.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/usb/gadget/udc/dummy_hcd.c ++++ b/drivers/usb/gadget/udc/dummy_hcd.c +@@ -1935,7 +1935,7 @@ ss_hub_descriptor(struct usb_hub_descrip + desc->wHubCharacteristics = cpu_to_le16(0x0001); + desc->bNbrPorts = 1; + desc->u.ss.bHubHdrDecLat = 0x04; /* Worst case: 0.4 micro sec*/ +- desc->u.ss.DeviceRemovable = 0xffff; ++ desc->u.ss.DeviceRemovable = 0; + } + + static inline void hub_descriptor(struct usb_hub_descriptor *desc) +@@ -1945,8 +1945,8 @@ static inline void hub_descriptor(struct + desc->bDescLength = 9; + desc->wHubCharacteristics = cpu_to_le16(0x0001); + desc->bNbrPorts = 1; +- desc->u.hs.DeviceRemovable[0] = 0xff; +- desc->u.hs.DeviceRemovable[1] = 0xff; ++ desc->u.hs.DeviceRemovable[0] = 0; ++ desc->u.hs.DeviceRemovable[1] = 0xff; /* PortPwrCtrlMask */ + } + + static int dummy_hub_control( diff --git a/queue-3.18/usb-hub-fix-ss-max-number-of-ports.patch b/queue-3.18/usb-hub-fix-ss-max-number-of-ports.patch new file mode 100644 index 00000000000..f2f6faade5b --- /dev/null +++ b/queue-3.18/usb-hub-fix-ss-max-number-of-ports.patch @@ -0,0 +1,55 @@ +From 93491ced3c87c94b12220dbac0527e1356702179 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 10 May 2017 18:18:29 +0200 +Subject: USB: hub: fix SS max number of ports + +From: Johan Hovold + +commit 93491ced3c87c94b12220dbac0527e1356702179 upstream. + +Add define for the maximum number of ports on a SuperSpeed hub as per +USB 3.1 spec Table 10-5, and use it when verifying the retrieved hub +descriptor. + +This specifically avoids benign attempts to update the DeviceRemovable +mask for non-existing ports (should we get that far). + +Fixes: dbe79bbe9dcb ("USB 3.0 Hub Changes") +Acked-by: Alan Stern +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/hub.c | 8 +++++++- + include/uapi/linux/usb/ch11.h | 3 +++ + 2 files changed, 10 insertions(+), 1 deletion(-) + +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -1346,7 +1346,13 @@ static int hub_configure(struct usb_hub + if (ret < 0) { + message = "can't read hub descriptor"; + goto fail; +- } else if (hub->descriptor->bNbrPorts > USB_MAXCHILDREN) { ++ } ++ ++ maxchild = USB_MAXCHILDREN; ++ if (hub_is_superspeed(hdev)) ++ maxchild = min_t(unsigned, maxchild, USB_SS_MAXPORTS); ++ ++ if (hub->descriptor->bNbrPorts > maxchild) { + message = "hub has too many ports!"; + ret = -ENODEV; + goto fail; +--- a/include/uapi/linux/usb/ch11.h ++++ b/include/uapi/linux/usb/ch11.h +@@ -22,6 +22,9 @@ + */ + #define USB_MAXCHILDREN 31 + ++/* See USB 3.1 spec Table 10-5 */ ++#define USB_SS_MAXPORTS 15 ++ + /* + * Hub request types + */ diff --git a/queue-3.18/usb-r8a66597-hcd-decrease-timeout.patch b/queue-3.18/usb-r8a66597-hcd-decrease-timeout.patch new file mode 100644 index 00000000000..49886d8fac2 --- /dev/null +++ b/queue-3.18/usb-r8a66597-hcd-decrease-timeout.patch @@ -0,0 +1,32 @@ +From dd14a3e9b92ac6f0918054f9e3477438760a4fa6 Mon Sep 17 00:00:00 2001 +From: Chris Brandt +Date: Thu, 27 Apr 2017 12:12:49 -0700 +Subject: usb: r8a66597-hcd: decrease timeout + +From: Chris Brandt + +commit dd14a3e9b92ac6f0918054f9e3477438760a4fa6 upstream. + +The timeout for BULK packets was 300ms which is a long time if other +endpoints or devices are waiting for their turn. Changing it to 50ms +greatly increased the overall performance for multi-endpoint devices. + +Fixes: 5d3043586db4 ("usb: r8a66597-hcd: host controller driver for R8A6659") +Signed-off-by: Chris Brandt +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/r8a66597-hcd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/host/r8a66597-hcd.c ++++ b/drivers/usb/host/r8a66597-hcd.c +@@ -1269,7 +1269,7 @@ static void set_td_timer(struct r8a66597 + time = 30; + break; + default: +- time = 300; ++ time = 50; + break; + } + diff --git a/queue-3.18/usb-r8a66597-hcd-select-a-different-endpoint-on-timeout.patch b/queue-3.18/usb-r8a66597-hcd-select-a-different-endpoint-on-timeout.patch new file mode 100644 index 00000000000..39eda60b955 --- /dev/null +++ b/queue-3.18/usb-r8a66597-hcd-select-a-different-endpoint-on-timeout.patch @@ -0,0 +1,45 @@ +From 1f873d857b6c2fefb4dada952674aa01bcfb92bd Mon Sep 17 00:00:00 2001 +From: Chris Brandt +Date: Thu, 27 Apr 2017 12:12:02 -0700 +Subject: usb: r8a66597-hcd: select a different endpoint on timeout + +From: Chris Brandt + +commit 1f873d857b6c2fefb4dada952674aa01bcfb92bd upstream. + +If multiple endpoints on a single device have pending IN URBs and one +endpoint times out due to NAKs (perfectly legal), select a different +endpoint URB to try. +The existing code only checked to see another device address has pending +URBs and ignores other IN endpoints on the current device address. This +leads to endpoints never getting serviced if one endpoint is using NAK as +a flow control method. + +Fixes: 5d3043586db4 ("usb: r8a66597-hcd: host controller driver for R8A6659") +Signed-off-by: Chris Brandt +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/r8a66597-hcd.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/usb/host/r8a66597-hcd.c ++++ b/drivers/usb/host/r8a66597-hcd.c +@@ -1785,6 +1785,7 @@ static void r8a66597_td_timer(unsigned l + pipe = td->pipe; + pipe_stop(r8a66597, pipe); + ++ /* Select a different address or endpoint */ + new_td = td; + do { + list_move_tail(&new_td->queue, +@@ -1794,7 +1795,8 @@ static void r8a66597_td_timer(unsigned l + new_td = td; + break; + } +- } while (td != new_td && td->address == new_td->address); ++ } while (td != new_td && td->address == new_td->address && ++ td->pipe->info.epnum == new_td->pipe->info.epnum); + + start_transfer(r8a66597, new_td); + diff --git a/queue-3.18/vb2-fix-an-off-by-one-error-in-vb2_plane_vaddr.patch b/queue-3.18/vb2-fix-an-off-by-one-error-in-vb2_plane_vaddr.patch new file mode 100644 index 00000000000..ca58c283bd8 --- /dev/null +++ b/queue-3.18/vb2-fix-an-off-by-one-error-in-vb2_plane_vaddr.patch @@ -0,0 +1,35 @@ +From 5ebb6dd36c9f5fb37b1077b393c254d70a14cb46 Mon Sep 17 00:00:00 2001 +From: Christophe JAILLET +Date: Fri, 28 Apr 2017 01:51:40 -0300 +Subject: [media] vb2: Fix an off by one error in 'vb2_plane_vaddr' + +From: Christophe JAILLET + +commit 5ebb6dd36c9f5fb37b1077b393c254d70a14cb46 upstream. + +We should ensure that 'plane_no' is '< vb->num_planes' as done in +'vb2_plane_cookie' just a few lines below. + +Fixes: e23ccc0ad925 ("[media] v4l: add videobuf2 Video for Linux 2 driver framework") + +Signed-off-by: Christophe JAILLET +Reviewed-by: Sakari Ailus +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/v4l2-core/videobuf2-core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/v4l2-core/videobuf2-core.c ++++ b/drivers/media/v4l2-core/videobuf2-core.c +@@ -1120,7 +1120,7 @@ EXPORT_SYMBOL_GPL(vb2_create_bufs); + */ + void *vb2_plane_vaddr(struct vb2_buffer *vb, unsigned int plane_no) + { +- if (plane_no > vb->num_planes || !vb->planes[plane_no].mem_priv) ++ if (plane_no >= vb->num_planes || !vb->planes[plane_no].mem_priv) + return NULL; + + return call_ptr_memop(vb, vaddr, vb->planes[plane_no].mem_priv); diff --git a/queue-3.18/x86-mm-32-set-the-__vmalloc_start_set-flag-in-initmem_init.patch b/queue-3.18/x86-mm-32-set-the-__vmalloc_start_set-flag-in-initmem_init.patch new file mode 100644 index 00000000000..8ff66e5d4c0 --- /dev/null +++ b/queue-3.18/x86-mm-32-set-the-__vmalloc_start_set-flag-in-initmem_init.patch @@ -0,0 +1,42 @@ +From 861ce4a3244c21b0af64f880d5bfe5e6e2fb9e4a Mon Sep 17 00:00:00 2001 +From: Laura Abbott +Date: Mon, 8 May 2017 14:23:16 -0700 +Subject: x86/mm/32: Set the '__vmalloc_start_set' flag in initmem_init() + +From: Laura Abbott + +commit 861ce4a3244c21b0af64f880d5bfe5e6e2fb9e4a upstream. + +'__vmalloc_start_set' currently only gets set in initmem_init() when +!CONFIG_NEED_MULTIPLE_NODES. This breaks detection of vmalloc address +with virt_addr_valid() with CONFIG_NEED_MULTIPLE_NODES=y, causing +a kernel crash: + + [mm/usercopy] 517e1fbeb6: kernel BUG at arch/x86/mm/physaddr.c:78! + +Set '__vmalloc_start_set' appropriately for that case as well. + +Reported-by: kbuild test robot +Signed-off-by: Laura Abbott +Reviewed-by: Kees Cook +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Fixes: dc16ecf7fd1f ("x86-32: use specific __vmalloc_start_set flag in __virt_addr_valid") +Link: http://lkml.kernel.org/r/1494278596-30373-1-git-send-email-labbott@redhat.com +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/mm/numa_32.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/x86/mm/numa_32.c ++++ b/arch/x86/mm/numa_32.c +@@ -100,5 +100,6 @@ void __init initmem_init(void) + printk(KERN_DEBUG "High memory starts at vaddr %08lx\n", + (ulong) pfn_to_kaddr(highstart_pfn)); + ++ __vmalloc_start_set = true; + setup_bootmem_allocator(); + }