12 Jan, 2017
40 commits
-
commit b321a38d2407c7e425c54bc09be909a34e49f740 upstream.
The oversampling ratio is controlled using the oversampling pins,
OS [2:0] with OS2 being the MSB control bit, and OS0 the LSB control
bit.The gpio connected to the OS2 pin is not being set correctly, only OS0
and OS1 pins are being set. Fix the typo to allow proper control of the
oversampling pins.Signed-off-by: Eva Rachel Retuya
Fixes: b9618c0 ("staging: IIO: ADC: New driver for AD7606/AD7606-6/AD7606-4")
Acked-by: Lars-Peter Clausen
Signed-off-by: Jonathan Cameron
Signed-off-by: Greg Kroah-Hartman -
commit e09ee853c92011860a4bd2fbdf6126f60fc16bd3 upstream.
The credentials handling was pushed to the write handlers
but error handling wasn't done properly.
Move write callbacks to completion queue to destroy them
and to notify a blocked writer about the failureFixes: 136698e535cd1 (mei: push credentials inside the irq write handler)
Signed-off-by: Alexander Usyskin
Signed-off-by: Tomas Winkler
Signed-off-by: Greg Kroah-Hartman -
commit 5026c9cb0744a9cd40242743ca91a5d712f468c6 upstream.
Adjust function name in KDoc.
Fixes: d49dc5e76fc9 (mei: bus: use mei_cldev_ prefix for the API functions)
Signed-off-by: Alexander Usyskin
Signed-off-by: Tomas Winkler
Signed-off-by: Greg Kroah-Hartman -
commit 967b274e02e18c9fbb4d19b96a89bd0afbc77b7a upstream.
Parameter renaming to fop_type was not reflected in KDoc
Fixes: 3030dc0564594 (mei: add wrapper for queuing control commands)
Signed-off-by: Alexander Usyskin
Signed-off-by: Tomas Winkler
Signed-off-by: Greg Kroah-Hartman -
commit e35d6d7c4e6532a89732cf4bace0e910ee684c88 upstream.
Bind to the interface, but do not register any ports, after having
downloaded the firmware. The device will still disconnect and
re-enumerate, but this way we avoid an error messages from being logged
as part of the process:io_ti: probe of 1-1.3:1.0 failed with error -5
Signed-off-by: Johan Hovold
Signed-off-by: Greg Kroah-Hartman -
commit 1f5ecaf985c46889278f51fcb7bc143f60f4eb14 upstream.
'buf' is malloced in dibusb_rc_query() and should be freed before
leaving from the error handling cases, otherwise it will cause
memory leak.Fixes: ff1c123545d7 ("[media] dibusb: handle error code on RC query")
Signed-off-by: Wei Yongjun
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Greg Kroah-Hartman -
commit 0cff18cbab4f55581d9da86e4286655d9723d7d2 upstream.
The 2 USB host ports are directly tied to the 2 USB hosts in the SoC.
The 2 host pairs were already enabled, but the USB PHY wasn't.
VBUS on the 2 ports are always on.Enable the USB PHY.
Fixes: 04c85ecad32a ("ARM: dts: sun7i: Add dts file for Bananapi M1 Plus
board")
Signed-off-by: Chen-Yu Tsai
Signed-off-by: Maxime Ripard
Signed-off-by: Greg Kroah-Hartman -
commit 4d75a171b67ffc3f4dadbd654c9d281091300eb2 upstream.
The ohci/ehci hardware pin number should be 640/641, correct them.
Fixes: commit aa8d3e74f54d ("arm64: dts: Add initial dts for Hisilicon Hip06 D03 board")
Signed-off-by: Kefeng Wang
Signed-off-by: Wei Xu
Signed-off-by: Greg Kroah-Hartman -
commit 015105b12183556771e111e93f5266851e7c5582 upstream.
Make sure to drop the references taken by of_parse_phandle() and
bus_find_device() before returning from am335x_get_phy_control().Note that there is no guarantee that the devres-managed struct
phy_control will be valid for the lifetime of the sibling phy device
regardless of this change.Fixes: 3bb869c8b3f1 ("usb: phy: Add AM335x PHY driver")
Acked-by: Bin Liu
Signed-off-by: Johan Hovold
Signed-off-by: Felipe Balbi
Signed-off-by: Greg Kroah-Hartman -
commit dc8ee9dbdba509fb58e23ba79f2e6059fe5d8b3b upstream.
The parent clock of the HSUSB clock is the HP clock, not the MP clock.
Fixes: c7bab9f929e51761 ("ARM: shmobile: r8a7794: Add USB clocks to device tree")
Signed-off-by: Geert Uytterhoeven
Acked-by: Yoshihiro Shimoda
Signed-off-by: Simon Horman
Signed-off-by: Greg Kroah-Hartman -
commit 982555fc26f9d8bcdbd5f9db0378fe0682eb4188 upstream.
For isoc endpoint descriptor, the wMaxPacketSize is not real max packet
size (see Table 9-13. Standard Endpoint Descriptor, USB 2.0 specifcation),
it may contain the number of packet, so the real max packet should be
ep->desc->wMaxPacketSize && 0x7ff.Cc: Felipe F. Tonello
Cc: Felipe Balbi
Fixes: 16b114a6d797 ("usb: gadget: fix usb_ep_align_maybe
endianness and new usb_ep_aligna")
Signed-off-by: Peter Chen
Signed-off-by: Felipe Balbi
Signed-off-by: Greg Kroah-Hartman -
commit 03274445c01562d5352ea522431ab8c6175e2bbf upstream.
Pass a task state as second argument to percpu_ida_alloc().
Fixes: commit 71e7ae8e1fb2 ("usb-gadget/tcm: Conversion to percpu_ida tag pre-allocation")
Signed-off-by: Bart Van Assche
Cc: Nicholas Bellinger
Cc: Andrzej Pietrasiewicz
Cc: Sebastian Andrzej Siewior
Cc: Felipe Balbi
Signed-off-by: Greg Kroah-Hartman -
commit 3c3dd1e058cb01e835dcade4b54a6f13ffaeaf7c upstream.
Function klsi_105_open() calls usb_control_msg() (to "enable read") and
checks its return value. When the return value is unexpected, it only
assigns the error code to the return variable retval, but does not
terminate the exception path. This patch fixes the bug by inserting
"goto err_generic_close;" when the call to usb_control_msg() fails.Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Pan Bian
[johan: rebase on prerequisite fix and amend commit message]
Signed-off-by: Johan Hovold
Signed-off-by: Greg Kroah-Hartman -
commit 4763601a56f155ddf94ef35fc2c41504a2de15f5 upstream.
The function returns -EINVAL even if it builds the stream properly.
The bogus error code sneaked in during the code refactoring, but it
wasn't noticed until now since the returned error code itself is
ignored in anyway. Kill it here, but there is no behavior change by
this patch, obviously.Fixes: e5779998bf8b ('ALSA: usb-audio: refactor code')
Signed-off-by: Takashi Iwai
Signed-off-by: Greg Kroah-Hartman -
commit 5563bb5743cb09bde0d0f4660a5e5b19c26903bf upstream.
The function bfin_fifo_offset is defined but not used:
drivers/usb/musb/blackfin.c:36:12: warning: ‘bfin_fifo_offset’ defined
but not used [-Wunused-function]
static u32 bfin_fifo_offset(u8 epnum)
^~~~~~~~~~~~~~~~Adding bfin_fifo_offset to bfin_ops fixes this warning and allows musb
core to call this function instead of default_fifo_offset.Fixes: cc92f6818f6e ("usb: musb: Populate new IO functions for blackfin")
Signed-off-by: Jérémy Lefaure
Signed-off-by: Bin Liu
Signed-off-by: Greg Kroah-Hartman -
commit 7b01738112608ce47083178ae2b9ebadf02d32cc upstream.
This fixes a regression which was introduced by commit f1bddbb, by
reverting a small fragment of commit 855ed04.If the following conditions were met, usb_gadget_probe_driver() returned
0, although the call was unsuccessful:
1. A particular UDC was specified by thge gadget driver (using member
"udc_name" of struct usb_gadget_driver).
2. The UDC with this name is available.
3. Another gadget driver is already bound to this gadget.
4. The gadget driver has the "match_existing_only" flag set.
In this case, the return code variable "ret" is set to 0, the return
code of a strcmp() call (to check for the second condition).This also fixes an oops which could occur in the following scenario:
1. Two usb gadget instances were configured using configfs.
2. The first gadget configuration was bound to a UDC (using the configfs
attribute "UDC").
3. It was tried to bind the second gadget configuration to the same UDC
in the same way. This operation was then wrongly reported as being
successful.
4. The second gadget configuration's "UDC" attribute is cleared, to
unbind the (not really bound) second gadget configuration from the UDC.] __list_del_entry+0x29/0xc0
PGD 41b4c5067
PUD 41a598067
PMD 0Oops: 0000 [#1] SMP
Modules linked in: cdc_acm usb_f_fs usb_f_serial
usb_f_acm u_serial libcomposite configfs dummy_hcd bnep intel_rapl
x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm
snd_hda_codec_hdmi irqbypass crct10dif_pclmul crc32_pclmul
ghash_clmulni_intel aesni_intel aes_x86_64 lrw gf128mul glue_helper
ablk_helper cryptd snd_hda_codec_realtek snd_hda_codec_generic serio_raw
uvcvideo videobuf2_vmalloc btusb snd_usb_audio snd_hda_intel
videobuf2_memops btrtl snd_hda_codec snd_hda_core snd_usbmidi_lib btbcm
videobuf2_v4l2 btintel snd_hwdep videobuf2_core snd_seq_midi bluetooth
snd_seq_midi_event videodev xpad efi_pstore snd_pcm_oss rfkill joydev
media crc16 ff_memless snd_mixer_oss snd_rawmidi nls_ascii snd_pcm
snd_seq snd_seq_device nls_cp437 mei_me snd_timer vfat sg udc_core
lpc_ich fat
efivars mfd_core mei snd soundcore battery nuvoton_cir rc_core evdev
intel_smartconnect ie31200_edac edac_core shpchp tpm_tis tpm_tis_core
tpm parport_pc ppdev lp parport efivarfs autofs4 btrfs xor raid6_pq
hid_logitech_hidpp hid_logitech_dj hid_generic usbhid hid uas
usb_storage sr_mod cdrom sd_mod ahci libahci nouveau i915 crc32c_intel
i2c_algo_bit psmouse ttm xhci_pci libata scsi_mod ehci_pci
drm_kms_helper xhci_hcd ehci_hcd r8169 mii usbcore drm nvme nvme_core
fjes button [last unloaded: net2280]
CPU: 5 PID: 829 Comm: bash Not tainted 4.9.0-rc7 #1
Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./Z77
Extreme3, BIOS P1.50 07/11/2013
task: ffff880419ce4040 task.stack: ffffc90002ed4000
RIP: 0010:[] []
__list_del_entry+0x29/0xc0
RSP: 0018:ffffc90002ed7d68 EFLAGS: 00010207
RAX: 0000000000000000 RBX: ffff88041787ec30 RCX: dead000000000200
RDX: 0000000000000000 RSI: ffff880417482002 RDI: ffff88041787ec30
RBP: ffffc90002ed7d68 R08: 0000000000000000 R09: 0000000000000010
R10: 0000000000000000 R11: ffff880419ce4040 R12: ffff88041787eb68
R13: ffff88041787eaa8 R14: ffff88041560a2c0 R15: 0000000000000001
FS: 00007fe4e49b8700(0000) GS:ffff88042f340000(0000)
knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000041b4c4000 CR4: 00000000001406e0
Stack:
ffffc90002ed7d80 ffffffff94f5e68d ffffffffc0ae5ef0 ffffc90002ed7da0
ffffffffc0ae22aa ffff88041787e800 ffff88041787e800 ffffc90002ed7dc0
ffffffffc0d7a727 ffffffff952273fa ffff88041aba5760 ffffc90002ed7df8
Call Trace:
[] list_del+0xd/0x30
[] usb_gadget_unregister_driver+0xaa/0xc0 [udc_core]
[] unregister_gadget+0x27/0x60 [libcomposite]
[] ? mutex_lock+0x1a/0x30
[] gadget_dev_desc_UDC_store+0x88/0xe0 [libcomposite]
[] configfs_write_file+0xa0/0x100 [configfs]
[] __vfs_write+0x37/0x160
[] ? __fd_install+0x30/0xd0
[] ? _raw_spin_unlock+0xe/0x10
[] vfs_write+0xb8/0x1b0
[] SyS_write+0x58/0xc0
[] ? __close_fd+0x94/0xc0
[] entry_SYSCALL_64_fastpath+0x1e/0xad
Code: 66 90 55 48 8b 07 48 b9 00 01 00 00 00 00 ad de 48 8b 57 08 48 89
e5 48 39 c8 74 29 48 b9 00 02 00 00 00 00 ad de 48 39 ca 74 3a 8b
02 4c 39 c7 75 52 4c 8b 40 08 4c 39 c7 75 66 48 89 50 08
RIP [] __list_del_entry+0x29/0xc0
RSP
CR2: 0000000000000000
---[ end trace 99fc090ab3ff6cbc ]---Fixes: f1bddbb ("usb: gadget: Fix binding to UDC via configfs interface")
Signed-off-by: Felix Hädicke
Tested-by: Krzysztof Opasiak
Signed-off-by: Felipe Balbi
Signed-off-by: Greg Kroah-Hartman -
commit 3bc02bce908c7250781376052248f5cd60a4e3d4 upstream.
If CONFIG_PM=n:
drivers/usb/core/hub.c:107: warning: ‘hub_usb3_port_prepare_disable’ declared inline after being called
drivers/usb/core/hub.c:107: warning: previous declaration of ‘hub_usb3_port_prepare_disable’ was hereTo fix this, move hub_port_disable() after
hub_usb3_port_prepare_disable(), and adjust forward declarations.Fixes: 37be66767e3cae4f ("usb: hub: Fix auto-remount of safely removed or ejected USB-3 devices")
Signed-off-by: Geert Uytterhoeven
Signed-off-by: Greg Kroah-Hartman -
commit 8c300fe282fa254ea730c92cb0983e2642dc1fff upstream.
When unloading omap2430, we can get the following splat:
WARNING: CPU: 1 PID: 295 at kernel/irq/manage.c:1478 __free_irq+0xa8/0x2c8
Trying to free already-free IRQ 4
...
[] (free_irq) from []
(musbhs_dma_controller_destroy+0x28/0xb0 [musb_hdrc])
[] (musbhs_dma_controller_destroy [musb_hdrc]) from
[] (musb_remove+0xf0/0x12c [musb_hdrc])
[] (musb_remove [musb_hdrc]) from []
(platform_drv_remove+0x24/0x3c)
...This is because the irq number in use is 260 nowadays, and the dma
controller is using u8 instead of int.Fixes: 6995eb68aab7 ("USB: musb: enable low level DMA operation for Blackfin")
Signed-off-by: Tony Lindgren
[b-liu@ti.com: added Fixes tag]
Signed-off-by: Bin Liu
Signed-off-by: Greg Kroah-Hartman -
commit 9418ee15f718939aa7e650fd586d73765eb21f20 upstream.
DCFG.DEVSPD == 0x3 is not valid and we need to set
DCFG.DEVSPD to 0x1 for full speed mode. Same goes for
DSTS.CONNECTSPD.Old databooks had 0x3 for full speed in 48MHz mode for
USB1.1 transceivers which was never supported. Newer databooks
don't mention 0x3 at all.Cc: John Youn
Signed-off-by: Roger Quadros
Signed-off-by: Felipe Balbi
Signed-off-by: Greg Kroah-Hartman -
commit 51c1685d956221576e165dd88a20063b169bae5a upstream.
usb_get_dr_mode() expects the device-property to be spelled
"dr_mode" not "dr-mode".Spelling it properly fixes the following warning showing up in dmesg:
[ 8704.500545] dwc3 dwc3.2.auto: Configuration mismatch. dr_mode forced to gadgetSigned-off-by: Hans de Goede
Signed-off-by: Greg Kroah-Hartman -
commit 8f8983a5683623b62b339d159573f95a1fce44f3 upstream.
Intel Gemini Lake SoC has the same DWC3 than Broxton. Add
the new ID to the supported Devices.Signed-off-by: Heikki Krogerus
Signed-off-by: Felipe Balbi
Signed-off-by: Greg Kroah-Hartman -
commit 1c111b6c3844a142e03bcfc2fa17bfbdea08e9dc upstream.
Current abort operation has race.
xhci_handle_command_timeout()
xhci_abort_cmd_ring()
xhci_write_64(CMD_RING_ABORT)
xhci_handshake(5s)
do {
check CMD_RING_RUNNING
udelay(1)
...
COMP_CMD_ABORT event
COMP_CMD_STOP event
xhci_handle_stopped_cmd_ring()
restart cmd_ring
CMD_RING_RUNNING become 1 again
} while ()
return -ETIMEDOUT
xhci_write_64(CMD_RING_ABORT)
/* can abort random command */To do abort operation correctly, we have to wait both of COMP_CMD_STOP
event and negation of CMD_RING_RUNNING.But like above, while timeout handler is waiting negation of
CMD_RING_RUNNING, event handler can restart cmd_ring. So timeout
handler never be notice negation of CMD_RING_RUNNING, and retry of
CMD_RING_ABORT can abort random command (BTW, I guess retry of
CMD_RING_ABORT was workaround of this race).To fix this race, this moves xhci_handle_stopped_cmd_ring() to
xhci_abort_cmd_ring(). And timeout handler waits COMP_CMD_STOP event.At this point, timeout handler is owner of cmd_ring, and safely
restart cmd_ring by using xhci_handle_stopped_cmd_ring().[FWIW, as bonus, this way would be easily extend to add CMD_RING_PAUSE
operation][locks edited as patch is rebased on other locking fixes -Mathias]
Signed-off-by: OGAWA Hirofumi
Signed-off-by: Mathias Nyman
Signed-off-by: Greg Kroah-Hartman -
commit cb4d5ce588c5ff68e0fdd30370a0e6bc2c0a736b upstream.
This is preparation to fix abort operation race (See "xhci: Fix race
related to abort operation"). To make timeout sleepable, use
delayed_work instead of timer.[change a newly added pending timer fix to pending work -Mathias]
Signed-off-by: OGAWA Hirofumi
Signed-off-by: Mathias Nyman
Signed-off-by: Greg Kroah-Hartman -
commit c95a9f83711bf53faeb4ed9bbb63a3f065613dfb upstream.
We normally use the passed in gfp flags for allocations, it's just these
two which were missed.Fixes: 22d45f01a836 ("usb/xhci: replace pci_*_consistent() with dma_*_coherent()")
Cc: Mathias Nyman
Signed-off-by: Dan Carpenter
Acked-by: Sebastian Andrzej Siewior
Signed-off-by: Greg Kroah-Hartman -
commit fde1faf872ed86d88e245191bc15a8e57368cd1c upstream.
A static usb-serial-driver structure that is used to initialise the
interrupt URB was modified during probe depending on the currently
probed device type, something which could break a parallel probe of a
device of a different type.Fix this up by overriding the default completion callback for MCS7715
devices in attach() instead. We may want to use two usb-serial driver
instances for the two types later.Fixes: fb088e335d78 ("USB: serial: add support for serial port on the moschip 7715")
Signed-off-by: Johan Hovold
Signed-off-by: Greg Kroah-Hartman -
commit 75dd211e773afcbc264677b0749d1cf7d937ab2d upstream.
Do not submit the interrupt URB until after the parport has been
successfully registered to avoid another use-after-free in the
completion handler when accessing the freed parport private data in case
of a racing completion.Fixes: b69578df7e98 ("USB: usbserial: mos7720: add support for parallel port on moschip 7715")
Signed-off-by: Johan Hovold
Signed-off-by: Greg Kroah-Hartman -
commit 91a1ff4d53c5184d383d0baeeaeab6f9736f2ff3 upstream.
The interrupt URB was submitted on probe but never stopped on probe
errors. This can lead to use-after-free issues in the completion
handler when accessing the freed usb-serial struct:Unable to handle kernel paging request at virtual address 6b6b6be7
...
[] (mos7715_interrupt_callback [mos7720]) from [] (__usb_hcd_giveback_urb+0x80/0x140)
[] (__usb_hcd_giveback_urb) from [] (usb_hcd_giveback_urb+0x50/0x138)
[] (usb_hcd_giveback_urb) from [] (musb_giveback+0xc8/0x1cc)Fixes: b69578df7e98 ("USB: usbserial: mos7720: add support for parallel port on moschip 7715")
Signed-off-by: Johan Hovold
Signed-off-by: Greg Kroah-Hartman -
commit b05aebc25fdc5aeeac3ee29f0dc9f58dd07c13cc upstream.
Fix NULL-pointer dereference at port open if a device lacks the expected
bulk in and out endpoints.Unable to handle kernel NULL pointer dereference at virtual address 00000030
...
[] (mos7720_open [mos7720]) from [] (serial_port_activate+0x68/0x98 [usbserial])
[] (serial_port_activate [usbserial]) from [] (tty_port_open+0x9c/0xe8)
[] (tty_port_open) from [] (serial_open+0x48/0x6c [usbserial])
[] (serial_open [usbserial]) from [] (tty_open+0xcc/0x5cc)Fixes: 0f64478cbc7a ("USB: add USB serial mos7720 driver")
Signed-off-by: Johan Hovold
Signed-off-by: Greg Kroah-Hartman -
commit 5c75633ef751dd4cd8f443dc35152c1ae563162e upstream.
Fix NULL-pointer dereference in open() should the device lack the
expected endpoints:Unable to handle kernel NULL pointer dereference at virtual address 00000030
...
PC is at mos7840_open+0x88/0x8dc [mos7840]Note that we continue to treat the interrupt-in endpoint as optional for
now.Fixes: 3f5429746d91 ("USB: Moschip 7840 USB-Serial Driver")
Signed-off-by: Johan Hovold
Signed-off-by: Greg Kroah-Hartman -
commit 21ce57840243c7b70fbc1ebd3dceeb70bb6e9e09 upstream.
Fix NULL-pointer dereference in write() should the device lack the
expected interrupt-out endpoint:Unable to handle kernel NULL pointer dereference at virtual address 00000054
...
PC is at kobil_write+0x144/0x2a0 [kobil_sct]Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold
Signed-off-by: Greg Kroah-Hartman -
commit 3dca01114dcecb1cf324534cd8d75fd1306a516b upstream.
Fix NULL-pointer dereference when clearing halt at open should the device
lack a bulk-out endpoint.Unable to handle kernel NULL pointer dereference at virtual address 00000030
...
PC is at cyberjack_open+0x40/0x9c [cyberjack]Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold
Signed-off-by: Greg Kroah-Hartman -
commit 5afeef2366db14587b65558bbfd5a067542e07fb upstream.
Fix NULL-pointer dereference in open() should the device lack the
expected endpoints:Unable to handle kernel NULL pointer dereference at virtual address 00000030
...
PC is at oti6858_open+0x30/0x1d0 [oti6858]Note that a missing interrupt-in endpoint would have caused open() to
fail.Fixes: 49cdee0ed0fc ("USB: oti6858 usb-serial driver (in Nokia CA-42
cable)")
Signed-off-by: Johan Hovold
Signed-off-by: Greg Kroah-Hartman -
commit 0dd408425eb21ddf26a692b3c8044c9e7d1a7948 upstream.
Fix NULL-pointer dereference when initialising URBs at open should a
non-EPIC device lack a bulk-in or interrupt-in endpoint.Unable to handle kernel NULL pointer dereference at virtual address 00000028
...
PC is at edge_open+0x24c/0x3e8 [io_edgeport]Note that the EPIC-device probe path has the required sanity checks so
this makes those checks partially redundant.Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold
Signed-off-by: Greg Kroah-Hartman -
commit ef079936d3cd09e63612834fe2698eeada0d8e3f upstream.
Fix NULL-pointer dereference in open() should a malicious device lack
the expected endpoints:Unable to handle kernel NULL pointer dereference at virtual address 00000030
..
[] (ti_open [ti_usb_3410_5052]) from [] (serial_port_activate+0x68/0x98 [usbserial])Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold
Signed-off-by: Greg Kroah-Hartman -
commit c4ac4496e835b78a45dfbf74f6173932217e4116 upstream.
Make sure to free the URB transfer buffer in case submission fails (e.g.
due to a disconnect).Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold
Signed-off-by: Greg Kroah-Hartman -
commit 90507d54f712d81b74815ef3a4bbb555cd9fab2f upstream.
Fix NULL-pointer dereference at open should the device lack a bulk-in or
bulk-out endpoint:Unable to handle kernel NULL pointer dereference at virtual address 00000030
...
PC is at iuu_open+0x78/0x59c [iuu_phoenix]Fixes: 07c3b1a10016 ("USB: remove broken usb-serial num_endpoints
check")
Signed-off-by: Johan Hovold
Signed-off-by: Greg Kroah-Hartman -
commit 2330d0a853da260d8a9834a70df448032b9ff623 upstream.
Cancel the heartbeat work on driver unbind in order to avoid I/O after
disconnect in case the port is held open.Note that the cancel in release() is still needed to stop the heartbeat
after late probe errors.Fixes: 26c78daade0f ("USB: io_ti: Add heartbeat to keep idle EP/416 ports from disconnecting")
Signed-off-by: Johan Hovold
Signed-off-by: Greg Kroah-Hartman -
commit 4f9785cc99feeb3673993b471f646b4dbaec2cc1 upstream.
In case a device is left in "boot-mode" we must not register any port
devices in order to avoid a NULL-pointer dereference on open due to
missing endpoints. This could be used by a malicious device to trigger
an OOPS:Unable to handle kernel NULL pointer dereference at virtual address 00000030
...
[] (edge_open [io_ti]) from [] (serial_port_activate+0x68/0x98 [usbserial])
[] (serial_port_activate [usbserial]) from [] (tty_port_open+0x9c/0xe8)
[] (tty_port_open) from [] (serial_open+0x48/0x6c [usbserial])
[] (serial_open [usbserial]) from [] (tty_open+0xcc/0x5cc)Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold
Signed-off-by: Greg Kroah-Hartman -
commit a323fefc6f5079844dc62ffeb54f491d0242ca35 upstream.
Fix NULL-pointer dereference when clearing halt at open should a
malicious device lack the expected endpoints when in download mode.Unable to handle kernel NULL pointer dereference at virtual address 00000030
...
[] (edge_open [io_ti]) from [] (serial_port_activate+0x68/0x98 [usbserial])
[] (serial_port_activate [usbserial]) from [] (tty_port_open+0x9c/0xe8)
[] (tty_port_open) from [] (serial_open+0x48/0x6c [usbserial])
[] (serial_open [usbserial]) from [] (tty_open+0xcc/0x5cc)Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold
Signed-off-by: Greg Kroah-Hartman -
commit cc0909248258f679c4bb4cd315565d40abaf6bc6 upstream.
Fix NULL-pointer dereference in open() should the device lack the
expected endpoints:Unable to handle kernel NULL pointer dereference at virtual address 00000030
...
PC is at spcp8x5_open+0x30/0xd0 [spcp8x5]Fixes: 619a6f1d1423 ("USB: add usb-serial spcp8x5 driver")
Signed-off-by: Johan Hovold
Signed-off-by: Greg Kroah-Hartman