In case if we're releasing the last tty reference the following
call sequence is possible

tty_driver_kref_put
  destruct_tty_driver
    kfree(driver);

where @driver is used in next module_put call, which leads to

 | [ 285.964007] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
 | [ 285.964007] Workqueue: events release_one_tty
 | [ 285.964007] task: ffff8800cc7ea5f0 ti: ffff8800cb800000 task.ti: ffff8800cb800000
 | [ 285.964007] RIP: 0010:[<ffffffff810aeaf5>] [<ffffffff810aeaf5>] module_put+0x24/0xf4
 | [ 285.964007] RSP: 0018:ffff8800cb801d48 EFLAGS: 00010213
 | [ 285.964007] RAX: ffff8800cb801fd8 RBX: ffff8800ca3429d0 RCX: ffff8800cb1db400
 | [ 285.964007] RDX: 0000000000000000 RSI: ffffffff817349c1 RDI: 0000000000000001
 | [ 285.964007] RBP: ffff8800cb801d60 R08: ffff8800cd632b40 R09: 0000000000000000
 | [ 285.964007] R10: 00000000ffffffff R11: ffff88011f40a000 R12: 6b6b6b6b6b6b6b6b
 | [ 285.964007] R13: ffff8800ca342520 R14: 0000000000000000 R15: ffff88011f5d8200
 | [ 285.964007] FS: 0000000000000000(0000) GS:ffff88011f400000(0000) knlGS:0000000000000000
 | [ 285.964007] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
 | [ 285.964007] CR2: 00007faf5229d090 CR3: 0000000001c0b000 CR4: 00000000000006f0
 | [ 285.964007] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
 | [ 285.964007] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
 | [ 285.964007] Stack:
 | [ 285.964007] ffff8800ca3429d0 ffff8800ca342a30 ffff8800ca342520 ffff8800cb801d88
 | [ 285.964007] ffffffff8146554a ffff8800cc77cc78 ffff8800ca3429d0 ffff88011f5d3800
 | [ 285.964007] ffff8800cb801e08 ffffffff810683c1 ffffffff810682ff 0000000000000046
 | [ 285.964007] Call Trace:
 | [ 285.964007] [<ffffffff8146554a>] release_one_tty+0x54/0xa3
 | [ 285.964007] [<ffffffff810683c1>] process_one_work+0x223/0x404
 | [ 285.964007] [<ffffffff810682ff>] ? process_one_work+0x161/0x404
 | [ 285.964007] [<ffffffff81068971>] worker_thread+0x136/0x205
 | [ 285.964007] [<ffffffff8106883b>] ? rescuer_thread+0x26a/0x26a
 | [ 285.964007] [<ffffffff8106e5bf>] kthread+0xa2/0xaa
 | [ 285.964007] [<ffffffff810a4586>] ? trace_hardirqs_on_caller+0x16/0x1eb
 | [ 285.964007] [<ffffffff8106e51d>] ? __kthread_parkme+0x65/0x65
 | [ 285.964007] [<ffffffff8173f59c>] ret_from_fork+0x7c/0xb0
 | [ 285.964007] [<ffffffff8106e51d>] ? __kthread_parkme+0x65/0x65
 | [ 285.964007] Code: 09 00 5b 41 5c 5d c3 0f 1f 44 00 00 55 48 85 ff 48 89 e5 41 55 41 54 49 89 fc 53 0f 84 d3 00
 | 00 00 bf 01 00 00 00 e8 d0 a1 fc ff <49> 8b 84 24 50 02 00 00 65 48 ff 40 08 4c 8b 6d 08 0f 1f 44 00

so simply keep a local reference to the module owner and
use it later.

CC: Pavel Emelyanov <xemul@parallels.com>
CC: Jiri Slaby <jslaby@suse.cz>
CC: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: NCyrill Gorcunov <gorcunov@openvz.org>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

Frank reports that after continuing in kgdb the RX stale event
doesn't occur until after the RX fifo is filled up with exactly
the amount of characters programmed for the RX watermark (in this
case it's 48). To read a single character from the uartdm
hardware we force a stale event so that any characters in the RX
packing buffer are flushed into the RX fifo immediately instead
of waiting for a stale timeout or for the fifo to fill. Forcing
that stale event asserts the stale interrupt but we never clear
that interrupt via UART_CR_CMD_RESET_STALE_INT in the polling
functions. So when kgdb continues the stale interrupt is left
pending in the hardware and we don't timeout with a stale event,
like we usually would if a user typed one character on the
console, until the reset stale interrupt and stale event commands
are sent. Frank could get things working again by running
handle_rx_dm(). By putting enough characters into the fifo he
could trigger a watermark interrupt, and thus cause
handle_rx_dm() to run finally resetting the stale interrupt
and enabling the stale event so that single characters would
cause timeouts again.

The fix is to just do what the interrupt routine was doing all
along and clear the stale interrupt and enable the event again.
Doing this also smooths over any differences in the fifo behavior
between v1.3 and v1.4 hardware allowing us to skip forcing the
uart into single character mode.
Reviewed-by: NFrank Rowand <frank.rowand@sonymobile.com>
Tested-by: NFrank Rowand <frank.rowand@sonymobile.com>
Fixes: f7e54d7a "msm_serial: Add support for poll_{get,put}_char()"
Signed-off-by: NStephen Boyd <sboyd@codeaurora.org>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

The prefix suggests the number should be printed in hex, so use
the %x specifier to do that.

Found by using regex suggested by Joe Perches.
Signed-off-by: NHans Wennborg <hans@hanshq.net>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

CLPS711X serial driver uses the system wide registers to control the
modem signals. Now gpio-syscon driver can be used for this purposes.
mctrl_gpio helpers allow us to create GPIO bindings for any of modem/tty
control signals that extends the functionality of the driver.
This patch makes such change.

This change does not break any current DT bindings, since DT support
for this platform is not introduced yet.
Signed-off-by: NAlexander Shiyan <shc_work@mail.ru>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

printk replaced with corresponding dev_* .
fixed two broken user-visible strings used by the corresponding printk.
the null check for uport->dev and port->dev is removed as dev_* will check for
null while printing.
printing of dev_name(uport->dev) and dev_name(port->dev) also removed as those
are being printed by dev_* .
Signed-off-by: NSudip Mukherjee <sudip@vectorindia.org>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

Signed-off-by: NMatthias Brugger <matthias.bgg@gmail.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

Make the of_device_id arrays const, as it is handled as const by all OF
functions.
Signed-off-by: NTobias Klauser <tklauser@distanz.ch>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

fixed below checkpatch.pl warning:

WARNING: void function return statements are not generally useful
Signed-off-by: NKiran Padwal <kiran.padwal@smartplayin.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

fixed below checkpatch.pl warning:

WARNING: else is not generally useful after a break or return
Signed-off-by: NKiran Padwal <kiran.padwal@smartplayin.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

fixed below checkpatch.pl warning:

WARNING: Prefer [subsystem eg: netdev]_err([subsystem]dev, ... then dev_err(dev, ... then pr_err(...  to printk(KERN_ERR ...

WARNING: Prefer [subsystem eg: netdev]_info([subsystem]dev, ... then dev_info(dev, ... then pr_info(...  to printk(KERN_INFO ...
Signed-off-by: NKiran Padwal <kiran.padwal@smartplayin.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

This patch fixes below checkpatch.pl warning and it remove extra blank lines:

WARNING: Missing a blank line after declarations
Signed-off-by: NKiran Padwal <kiran.padwal@smartplayin.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

fixed below checkpatch.pl warning:

WARNING: braces {} are not necessary for any arm of this statement
Signed-off-by: NKiran Padwal <kiran.padwal@smartplayin.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

This patch lets you set the RS485 cappabilites of the device through
TIOCSRS485 and TIOCGRS485 as defined on Documentation/serial/serial-rs485.txt

In order to probe the device, the PNP id and the device id is used.
Signed-off-by: NRicardo Ribalda Delgado <ricardo.ribalda@gmail.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

This patch allow the users of the 8250 infrastructure to define a
handler for RS485 configration.

If no handler is defined the 8250 driver will work as usual.
Signed-off-by: NRicardo Ribalda Delgado <ricardo.ribalda@gmail.com>
Acked-by: NAlan Cox <alan@linux.intel.com>
--
v2:Change suggested by Alan "One Thousand Gnomes":
- Move rs485 structure further down on the uart_8250_port structure

 drivers/tty/serial/8250/8250_core.c | 39 +++++++++++++++++++++++++++++++++++++
 include/linux/serial_8250.h         |  3 +++
 2 files changed, 42 insertions(+)
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

The Digi Neo cards are supported by the jsm driver.  Remove support
for these cards from dgnc.
Signed-off-by: NBill Pemberton <wfp5p@worldbroken.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

Add device ids for additional Neo cards.  The ids come from the dgnc
driver.
Signed-off-by: NBill Pemberton <wfp5p@worldbroken.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

Fix tx/rx mixup, which broke transmit-only transfers.

Introduced by commit 4240305f7cbdc7782aa8bc40cc702775d9ac0839
("spi: sh-msiof: Fix leaking of unused DMA descriptors").
Reported-by: NLaurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: NGeert Uytterhoeven <geert+renesas@glider.be>
Acked-by: NLaurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: NMark Brown <broonie@linaro.org>

The rtc-s5m driver used to support devices without irq specified in the
past.  Re-add this support.

The patch fixes boot for Insignal's Exynos4412 based Origen board.

Error messages before the patch:

  ...
  Unable to handle kernel NULL pointer dereference at virtual address 00000094
  pgd = c0004000
  [00000094] *pgd=00000000
  Internal error: Oops: 5 [#1] PREEMPT SMP ARM
  Modules linked in:
  CPU: 1 PID: 1 Comm: swapper/0 Not tainted 3.16.0-next-20140804-00008-ga59480f-dirty #701
  task: ea80f000 ti: ea882000 task.ti: ea882000
  PC is at regmap_irq_get_virq+0x0/0x28
  LR is at s5m_rtc_probe+0xdc/0x310
  pc : [<c02574fc>]    lr : [<c02de75c>]    psr: 80000153
  sp : ea883e48  ip : 00000000  fp : 00000000
  r10: 0000000c  r9 : c05de7ac  r8 : eaabc600
  r7 : eaa6b4d0  r6 : c0439e8c  r5 : eaabc610  r4 : eab30e50
  r3 : 00000000  r2 : 00000000  r1 : 0000000c  r0 : 00000000
  Flags: Nzcv  IRQs on  FIQs off  Mode SVC_32  ISA ARM  Segment kernel
  Control: 10c5387d  Table: 4000404a  DAC: 00000015
  Process swapper/0 (pid: 1, stack limit = 0xea882240)
  Backtrace:
    regmap_irq_get_virq
    s5m_rtc_probe
    platform_drv_probe
    driver_probe_device
    __driver_attach
    bus_for_each_dev
    bus_add_driver
    driver_register
    do_one_initcall
    kernel_init_freeable
    kernel_init
  ---[ end trace a954d7f019122700 ]---
  Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b
  ...
Signed-off-by: NBartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Reviewed-by: NKrzysztof Kozlowski <k.kozlowski@samsung.com>
Tested-by: NKrzysztof Kozlowski <k.kozlowski@samsung.com>
Acked-by: NKyungmin Park <kyungmin.park@samsung.com>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

Since we allocate a temporary buffer in zram_bvec_read to handle partial
page operations in commit 924bd88d ("Staging: zram: allow partial
page operations"), our ->failed_reads value may be incorrect as we do
not increase its value when failing to allocate the temporary buffer.

Let's fix this issue and correct the annotation of failed_reads.
Signed-off-by: NChao Yu <chao2.yu@samsung.com>
Acked-by: NMinchan Kim <minchan@kernel.org>
Cc: Nitin Gupta <ngupta@vflare.org>
Acked-by: NJerome Marchand <jmarchan@redhat.com>
Acked-by: NSergey Senozhatsky <sergey.senozhatsky@gmail.com>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

Now IOAPIC driver dynamically allocates IRQ numbers for IOAPIC pins.
We need to keep IRQ assignment for PCI devices during runtime power
management, otherwise it may cause failure of device wakeups.

Commit 3eec5952 "x86, irq, PCI: Keep IRQ assignment for PCI
devices during suspend/hibernation" has fixed the issue for suspend/
hibernation, we also need the same fix for runtime device sleep too.

Fix: https://bugzilla.kernel.org/show_bug.cgi?id=83271Reported-and-Tested-by: NEmanueL Czirai <amanual@openmailbox.org>
Signed-off-by: NJiang Liu <jiang.liu@linux.intel.com>
Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Cc: Tony Luck <tony.luck@intel.com>
Cc: Joerg Roedel <joro@8bytes.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: EmanueL Czirai <amanual@openmailbox.org>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Rafael J. Wysocki <rjw@rjwysocki.net>
Cc: Bjorn Helgaas <bhelgaas@google.com>
Cc: Randy Dunlap <rdunlap@infradead.org>
Cc: Yinghai Lu <yinghai@kernel.org>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Grant Likely <grant.likely@linaro.org>
Link: http://lkml.kernel.org/r/1409304383-18806-1-git-send-email-jiang.liu@linux.intel.comSigned-off-by: NThomas Gleixner <tglx@linutronix.de>

If our client is requesting a clock that is above the maximum clock
then the following division will result in 0:
  rs->max_freq / rs->speed

We'll then program 0 into the SPI_BAUDR register.  The Rockchip TRM
says: "If the value is 0, the serial output clock (sclk_out) is
disabled."

It's much better to end up with the fastest possible clock rather than
a clock that is off, so enforce a minimum value.
Signed-off-by: NDoug Anderson <dianders@chromium.org>
Signed-off-by: NMark Brown <broonie@kernel.org>

The DM crypt target accesses memory beyond allocated space resulting in
a crash on 32 bit x86 systems.

This bug is very old (it dates back to 2.6.25 commit 3a7f6c99 "dm
crypt: use async crypto").  However, this bug was masked by the fact
that kmalloc rounds the size up to the next power of two.  This bug
wasn't exposed until 3.17-rc1 commit 298a9fa0 ("dm crypt: use per-bio
data").  By switching to using per-bio data there was no longer any
padding beyond the end of a dm-crypt allocated memory block.

To minimize allocation overhead dm-crypt puts several structures into one
block allocated with kmalloc.  The block holds struct ablkcipher_request,
cipher-specific scratch pad (crypto_ablkcipher_reqsize(any_tfm(cc))),
struct dm_crypt_request and an initialization vector.

The variable dmreq_start is set to offset of struct dm_crypt_request
within this memory block.  dm-crypt allocates the block with this size:
cc->dmreq_start + sizeof(struct dm_crypt_request) + cc->iv_size.

When accessing the initialization vector, dm-crypt uses the function
iv_of_dmreq, which performs this calculation: ALIGN((unsigned long)(dmreq
+ 1), crypto_ablkcipher_alignmask(any_tfm(cc)) + 1).

dm-crypt allocated "cc->iv_size" bytes beyond the end of dm_crypt_request
structure.  However, when dm-crypt accesses the initialization vector, it
takes a pointer to the end of dm_crypt_request, aligns it, and then uses
it as the initialization vector.  If the end of dm_crypt_request is not
aligned on a crypto_ablkcipher_alignmask(any_tfm(cc)) boundary the
alignment causes the initialization vector to point beyond the allocated
space.

Fix this bug by calculating the variable iv_size_padding and adding it
to the allocated size.

Also correct the alignment of dm_crypt_request.  struct dm_crypt_request
is specific to dm-crypt (it isn't used by the crypto subsystem at all),
so it is aligned on __alignof__(struct dm_crypt_request).

Also align per_bio_data_size on ARCH_KMALLOC_MINALIGN, so that it is
aligned as if the block was allocated with kmalloc.
Reported-by: NKrzysztof Kolasa <kkolasa@winsoft.pl>
Tested-by: NMilan Broz <gmazyland@gmail.com>
Signed-off-by: NMikulas Patocka <mpatocka@redhat.com>
Signed-off-by: NMike Snitzer <snitzer@redhat.com>

Commit 43fef47f (mfd: twl4030-power: Add a configuration to turn
off oscillator during off-idle) added support for configuring the PMIC
to cut off resources during deeper idle states to save power.

This however caused regression for n900 display power that needed the
PMIC configuration to be disabled with commit d937678a (ARM: dts:
Revert enabling of twl configuration for n900).

Turns out the root cause of the problem is that we must use
TWL4030_RESCONFIG_UNDEF instead of DEV_GRP_NULL to avoid disabling
regulators that may have been enabled before the init function
for twl4030-power.c runs. With TWL4030_RESCONFIG_UNDEF we let the
regulator framework control the regulators like it should. Here we
need to only configure the sys_clken and sys_off_mode triggers for
the regulators that cannot be done by the regulator framework as
it's not running at that point.

This allows us to enable the PMIC configuration for n900.

Fixes: 43fef47f (mfd: twl4030-power: Add a configuration to turn off oscillator during off-idle)

Cc: stable@vger.kernel.org # v3.16
Signed-off-by: NTony Lindgren <tony@atomide.com>
Tested-by: NAaro Koskinen <aaro.koskinen@iki.fi>
Signed-off-by: NLee Jones <lee.jones@linaro.org>

kerneldoc doesn't know how to parse variables, so don't let it try.
Signed-off-by: NThierry Reding <treding@nvidia.com>
Signed-off-by: NSumit Semwal <sumit.semwal@linaro.org>

This avoid reading past the end of the list for certain modes
Signed-off-by: NY.C. Chen <yc_chen@aspeedtech.com>
Reviewed-by: NEgbert Eich <eich@freedesktop.org>
Signed-off-by: NDave Airlie <airlied@redhat.com>

Kinda unexpected, but DIV_ROUND_UP() can overflow if passed an argument
bigger than UINT_MAX - DIVISOR. Fix this by testing for "!cpp" before
using it in the following division.

Note that DIV_ROUND_UP() is defined as:
        #define DIV_ROUND_UP(n,d) (((n) + (d) - 1) / (d))

..this will obviously overflow if (n + d - 1) is bigger than UINT_MAX.
Reported-by: NTommi Rantala <tt.rantala@gmail.com>
Signed-off-by: NDavid Herrmann <dh.herrmann@gmail.com>
Reviewed-by: NRob Clark <robdclark@gmail.com>
Signed-off-by: NDave Airlie <airlied@redhat.com>

commit bdd405d2 ("usb: hub: Prevent hub autosuspend if
usbcore.autosuspend is -1") causes a build error if CONFIG_PM_RUNTIME is
disabled.  Fix that by doing a simple #ifdef guard around it.
Reported-by: NStephen Rothwell <sfr@canb.auug.org.au>
Reported-by: Nkbuild test robot <fengguang.wu@intel.com>
Cc: Roger Quadros <rogerq@ti.com>
Cc: Michael Welling <mwelling@emacinc.com>
Cc: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

Since this is a platform driver and can be probed at any time we can't
annotate funtions in the probe path as __init, the code can't safely be
discarded at the end of kernel init.
Signed-off-by: NMark Brown <broonie@linaro.org>
Acked-by: NViresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: NRafael J. Wysocki <rafael.j.wysocki@intel.com>

This is pretty much the same as Intel Baytrail, only the CPU ID is
different. Add the new ID to the supported CPU list.
Signed-off-by: NMika Westerberg <mika.westerberg@linux.intel.com>
Acked-by: NViresh Kumar <viresh.kumar@linaro.org>
Acked-by: NDirk Brandewie <dirk.j.brandewie@intel.com>
Signed-off-by: NRafael J. Wysocki <rafael.j.wysocki@intel.com>

On larger systems intel_pstate currently spams the boot up
log with its "Intel pstate controlling ..." message for each CPU.
It's the only subsystem that prints a message for each
CPU.

Turn the message into a pr_debug.
Signed-off-by: NAndi Kleen <ak@linux.intel.com>
Acked-by: NDirk Brandewie <dirk.j.brandewie@intel.com>
Signed-off-by: NRafael J. Wysocki <rafael.j.wysocki@intel.com>

This reverts commit 03936890.

Vivek writes:
	We not longer need this patch, since we have planned to remove
	the usb-phy drivers for samsung [1], we have completely deleted
	the support for the the same from ohci-exynos and ehci-exynos
	drivers too [2].  Sorry for the confusion, but this patch can be
	dropped and instead we can pick the patches in [2].

	[1] http://www.mail-archive.com/linux-samsung-soc@vger.kernel.org/msg35774.html
	[2] https://www.mail-archive.com/linux-samsung-soc@vger.kernel.org/msg35695.html
	    https://www.mail-archive.com/linux-samsung-soc@vger.kernel.org/msg35696.html

Cc: Sachin Kamat <sachin.kamat@samsung.com>
Cc: Vivek Gautam <gautam.vivek@samsung.com>
Cc: Alan Stern <stern@rowland.harvard.edu>
Cc: Jingoo Han <jg1.han@samsung.com>
Cc: Sachin Kamat <sachin.kamat@samsung.com>
Cc: Jingoo Han <jg1.han@samsung.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

If we assign a Radeon device to a virtual machine, we can no longer
assume a fixed hardware topology, like the GPU having a parent device.
This patch simply adds a few pci_is_root_bus() tests to avoid passing
a NULL pointer to PCI access functions, allowing the radeon driver to
work in a QEMU 440FX machine with an assigned HD8570 on the emulated
PCI root bus.
Signed-off-by: NAlex Williamson <alex.williamson@redhat.com>
Signed-off-by: NAlex Deucher <alexander.deucher@amd.com>

This is a bit bigger hammer then I would like to use for this, but for now
it will have to make do. I'm working on getting my hands on one of these so
that I can try to get streams to work (with a quirk flag if necessary) and
then we can re-enable them.

For now this at least makes uas capable disk enclosures work again by forcing
fallback to the usb-storage driver.

https://bugzilla.kernel.org/show_bug.cgi?id=79511

Cc: stable@vger.kernel.org # 3.15
Signed-off-by: NHans de Goede <hdegoede@redhat.com>
Acked-by: NMathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

Make sure to verify the number of ports requested by subdriver to avoid
writing beyond the end of fixed-size array in interface data.

The current usb-serial implementation is limited to eight ports per
interface but failed to verify that the number of ports requested by a
subdriver (which could have been determined from device descriptors) did
not exceed this limit.

Cc: stable <stable@vger.kernel.org>
Signed-off-by: NJohan Hovold <johan@kernel.org>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

Make sure to verify the maximum number of endpoints per type to avoid
writing beyond the end of a stack-allocated array.

The current usb-serial implementation is limited to eight ports per
interface but failed to verify that the number of endpoints of a certain
type reported by a device did not exceed this limit.

Cc: stable <stable@vger.kernel.org>
Signed-off-by: NJohan Hovold <johan@kernel.org>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

The obvious fix after the commit d9c73bb8 "spi: dw: add support for gpio
controlled chip select". This patch fixes the issue by using locally defined
temporary variable.

Fixes: d9c73bb8 (spi: dw: add support for gpio controlled chip select)
Signed-off-by: NAndy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: NMark Brown <broonie@linaro.org>
Cc: <stable@vger.kernel.org>

The commit 04f421e7 "spi: dw: use managed resources" changes drivers to use
managed functions, but seems wasn't properly tested in PCI case. The regs field
of struct dw_spi left uninitialized. Thus, kernel crashes when tries to access
to the SPI controller registers. This patch fixes the issue.

Fixes: 04f421e7 (spi: dw: use managed resources)
Signed-off-by: NAndy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: NMark Brown <broonie@linaro.org>
Cc: stable@vger.kernel.org

Commit af040ffc ("ARM: make it easier to check the CPU part number
correctly") changed ARM_CPU_PART_X masks, and the way they are returned and
checked against. Usage of read_cpuid_part_number() is now deprecated, and
calling places updated accordingly. This actually broke cpuidle-big_little
initialization, as bl_idle_driver_init() performs a check using an hardcoded
mask on cpu_id.

Create an interface to perform the check (that is now even easier to read).
Define also a proper mask (ARM_CPU_PART_MASK) that makes this kind of checks
cleaner and helps preventing bugs in the future. Update usage accordingly.
Signed-off-by: NJuri Lelli <juri.lelli@arm.com>
Signed-off-by: NLorenzo Pieralisi <lorenzo.pieralisi@arm.com>
Signed-off-by: NRussell King <rmk+kernel@arm.linux.org.uk>

The report passed to us from transport driver could potentially be
arbitrarily large, therefore we better sanity-check it so that raw_data
that we hold in picolcd_pending structure are always kept within proper
bounds.

Cc: stable@vger.kernel.org
Reported-by: NSteven Vittitoe <scvitti@google.com>
Signed-off-by: NJiri Kosina <jkosina@suse.cz>

The report passed to us from transport driver could potentially be
arbitrarily large, therefore we better sanity-check it so that
magicmouse_emit_touch() gets only valid values of raw_id.

Cc: stable@vger.kernel.org
Reported-by: NSteven Vittitoe <scvitti@google.com>
Signed-off-by: NJiri Kosina <jkosina@suse.cz>