28 Jan, 2015

40 commits

  • Greg Kroah-Hartman
     
  • commit 78051e3b7e35722ad3f31dd611f1b34770bddab8 upstream.

    If L0 has disabled EPT, don't advertise unrestricted
    mode at all since it depends on EPT to run real mode code.

    Fixes: 92fbc7b195b824e201d9f06f2b93105f72384d65
    Reviewed-by: Jan Kiszka
    Signed-off-by: Bandan Das
    Signed-off-by: Paolo Bonzini
    Signed-off-by: Greg Kroah-Hartman

    Bandan Das
     
  • commit 7f1241ed1a06b4846ad7a2a57eb088b757e58e16 upstream.

    pps_{lock,unlock}() call intel_display_power_{get,put}() outside
    pps_mutes to avoid deadlocks with the power_domain mutex. In theory
    during aux transfers we should usually have the relevant power domain
    references already held by some higher level code, so this should not
    result in much overhead (exception being userspace i2c-dev access).
    However thanks to the check_power_well() calls in
    intel_display_power_{get/put}() we end up doing a few Punit reads for
    each aux transfer. Obviously doing this for each byte transferred via
    i2c-over-aux is not a good idea.

    I can't think of a good way to keep check_power_well() while eliminating
    the overhead, so let's just remove check_power_well() entirely.

    Fixes a driver init time regression introduced by:
    commit 773538e86081d146e0020435d614f4b96996c1f9
    Author: Ville Syrjälä
    Date: Thu Sep 4 14:54:56 2014 +0300

    drm/i915: Reset power sequencer pipe tracking when disp2d is off

    Credit goes to Jani for figuring this out.

    v2: Add the regression note in the commit message.

    Cc: Egbert Eich
    Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=86201
    Tested-by: Wendy Wang
    Signed-off-by: Ville Syrjälä
    [Jani: s/intel_runtime_pm.c/intel_pm.c/g and wiggle for 3.18]
    Signed-off-by: Jani Nikula
    Signed-off-by: Greg Kroah-Hartman

    Ville Syrjälä
     
  • commit 46243860806bdc2756f3ce8ac86b4d7c616bcd6c upstream.

    While looking at hch's recent conversion to drop the MSG_*_TAG
    definitions, I noticed a long standing bug in vhost-scsi where
    the VIRTIO_SCSI_S_* attribute definitions where incorrectly
    being passed directly into target_submit_cmd_map_sgls().

    This patch adds the missing virtio-scsi to TCM/SAM task attribute
    conversion.

    Cc: Christoph Hellwig
    Cc: Michael S. Tsirkin
    Cc: Paolo Bonzini
    Signed-off-by: Nicholas Bellinger
    Signed-off-by: Greg Kroah-Hartman

    Nicholas Bellinger
     
  • commit 046ba64285a4389ae5e9a7dfa253c6bff3d7c341 upstream.

    This patch drops the arbitrary maximum I/O size limit in sbc_parse_cdb(),
    which currently for fabric_max_sectors is hardcoded to 8192 (4 MB for 512
    byte sector devices), and for hw_max_sectors is a backend driver dependent
    value.

    This limit is problematic because Linux initiators have only recently
    started to honor block limits MAXIMUM TRANSFER LENGTH, and other non-Linux
    based initiators (eg: MSFT Fibre Channel) can also generate I/Os larger
    than 4 MB in size.

    Currently when this happens, the following message will appear on the
    target resulting in I/Os being returned with non recoverable status:

    SCSI OP 28h with too big sectors 16384 exceeds fabric_max_sectors: 8192

    Instead, drop both [fabric,hw]_max_sector checks in sbc_parse_cdb(),
    and convert the existing hw_max_sectors into a purely informational
    attribute used to represent the granuality that backend driver and/or
    subsystem code is splitting I/Os upon.

    Also, update FILEIO with an explicit FD_MAX_BYTES check in fd_execute_rw()
    to deal with the one special iovec limitiation case.

    v2 changes:
    - Drop hw_max_sectors check in sbc_parse_cdb()

    Reported-by: Lance Gropper
    Reported-by: Stefan Priebe
    Cc: Christoph Hellwig
    Cc: Martin K. Petersen
    Cc: Roland Dreier
    Signed-off-by: Nicholas Bellinger
    Signed-off-by: Greg Kroah-Hartman

    Nicholas Bellinger
     
  • commit 06bed7d18c2c07b3e3eeadf4bd357f6e806618cc upstream.

    This commit fixes a race whereby nlmclnt_init() first starts the lockd
    daemon, and then calls nlm_bind_host() with the expectation that
    nlmsvc_timeout has already been initialised. Unfortunately, there is no
    no synchronisation between lockd() and lockd_up() to guarantee that this
    is the case.

    Fix is to move the initialisation of nlmsvc_timeout into lockd_create_svc

    Fixes: 9a1b6bf818e74 ("LOCKD: Don't call utsname()->nodename...")
    Cc: Bruce Fields
    Cc: stable@vger.kernel.org # 3.10.x
    Signed-off-by: Trond Myklebust
    Signed-off-by: Greg Kroah-Hartman

    Trond Myklebust
     
  • commit a16c5f99a28c9945165c46da27fff8e6f26f8736 upstream.

    scripts/Makefile.clean treats absolute path specially, but
    $(objtree)/debian is no longer an absolute path since 7e1c0477 (kbuild:
    Use relative path for $(objtree). Work around this by checking if the
    path starts with $(objtree)/.

    Reported-and-tested-by: Sedat Dilek
    Fixes: 7e1c0477 (kbuild: Use relative path for $(objtree)
    Signed-off-by: Michal Marek
    Signed-off-by: Greg Kroah-Hartman

    Michal Marek
     
  • commit b485342bd79af363c77ef1a421c4a0aef2de9812 upstream.

    Commit a074335a370e ("x86, um: Mark system call tables readonly") was
    supposed to mark the sys_call_table in UML as RO by adding the const,
    but it doesn't have the desired effect as it's nevertheless being placed
    into the data section since __cacheline_aligned enforces sys_call_table
    being placed into .data..cacheline_aligned instead. We need to use
    the ____cacheline_aligned version instead to fix this issue.

    Before:

    $ nm -v arch/x86/um/sys_call_table_64.o | grep -1 "sys_call_table"
    U sys_writev
    0000000000000000 D sys_call_table
    0000000000000000 D syscall_table_size

    After:

    $ nm -v arch/x86/um/sys_call_table_64.o | grep -1 "sys_call_table"
    U sys_writev
    0000000000000000 R sys_call_table
    0000000000000000 D syscall_table_size

    Fixes: a074335a370e ("x86, um: Mark system call tables readonly")
    Cc: H. Peter Anvin
    Cc: Andrew Morton
    Signed-off-by: Daniel Borkmann
    Signed-off-by: Richard Weinberger
    Signed-off-by: Greg Kroah-Hartman

    Daniel Borkmann
     
  • commit f911d731054ab3d82ee72a16b889e17ca3a2332a upstream.

    futex_atomic_cmpxchg_inatomic() does not work on UML because
    it triggers a copy_from_user() in kernel context.
    On UML copy_from_user() can only be used if the kernel was called
    by a real user space process such that UML can use ptrace()
    to fetch the value.

    Reported-by: Miklos Szeredi
    Suggested-by: Geert Uytterhoeven
    Signed-off-by: Richard Weinberger
    Tested-by: Daniel Walter
    Signed-off-by: Greg Kroah-Hartman

    Richard Weinberger
     
  • commit b5c8afe5be51078a979d86ae5ae78c4ac948063d upstream.

    "origPtr" is used as an offset into the bd->dbuf[] array. That array is
    allocated in start_bunzip() and has "bd->dbufSize" number of elements so
    the test here should be >= instead of >.

    Later we check "origPtr" again before using it as an offset so I don't
    know if this bug can be triggered in real life.

    Fixes: bc22c17e12c1 ('bzip2/lzma: library support for gzip, bzip2 and lzma decompression')
    Signed-off-by: Dan Carpenter
    Cc: Alain Knaff
    Cc: Yinghai Lu
    Cc: "H. Peter Anvin"
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

    Dan Carpenter
     
  • commit 2eacc608b3bf3519fc353c558454873f4589146d upstream.

    The ad7991/ad7995/ad7999 does not have a configuration register like the
    other devices that can be written and read. The configuration is written as
    part of the conversion sequence.

    Fixes: 0f7ddcc1bff1 ("iio:adc:ad799x: Write default config on probe and reset alert status on probe")
    Signed-off-by: Lars-Peter Clausen
    Tested-by: Mike Looijmans
    Signed-off-by: Jonathan Cameron
    Signed-off-by: Greg Kroah-Hartman

    Lars-Peter Clausen
     
  • commit 69d2626f97b7f017ee4416b7dc071e9499c2c944 upstream.

    64KiB is allocated for qspi dtb partition which is not
    sufficient, so updating the partition table size to 512KiB
    for device tree partition.

    This also aligns the QSPI partition definitions between
    kernel and U-Boot.

    Fixes: dc2dd5b8 ("ARM: dts: dra7: Add qspi device")

    Signed-off-by: Mugunthan V N
    Signed-off-by: Tony Lindgren
    Signed-off-by: Greg Kroah-Hartman

    Mugunthan V N
     
  • commit b0ddb319db3d7a1943445f0de0a45c07a7f3457a upstream.

    The sh73a0 INTC can't mask interrupts properly most likely due to a
    hardware bug. Set the .control_parent flag to delegate masking to the
    parent interrupt controller, like was already done for irqpin1.

    Without this, accessing the three-axis digital accelerometer ADXL345
    on kzm9g through /dev/input/event1 causes an interrupt storm, which
    requires a power-cycle to recover from.

    This was inspired by a patch for arch/arm/boot/dts/sh73a0.dtsi from
    Laurent Pinchart .

    Signed-off-by: Geert Uytterhoeven
    Fixes: 341eb5465f67437a ("ARM: shmobile: INTC External IRQ pin driver on sh73a0")
    Signed-off-by: Simon Horman
    Signed-off-by: Greg Kroah-Hartman

    Geert Uytterhoeven
     
  • commit 5adba7c2daaecccf377e7ed5a2996caedd5384f1 upstream.

    There's no card detection for the eMMC, so this patch adds the missing
    broken-cd property. This patch also sets bus width as 8 to add
    MMC_CAP_8_BIT_DATA in the Host capabilities.

    Fixes: 3047086dfd56 ("ARM: dts: berlin: enable SD card reader and eMMC for the BG2Q DMP")
    Signed-off-by: Jisheng Zhang
    Signed-off-by: Sebastian Hesselbarth
    Signed-off-by: Greg Kroah-Hartman

    Jisheng Zhang
     
  • commit c4cf0935a2d8fe6d186bf4253ea3c4b4a8a8a710 upstream.

    Correct returning IRQ_HANDLED unconditionally in the irq handler.
    Return IRQ_NONE for some interrupt which we do not expect to be
    handled in this handler. This prevents kernel stalling with back
    to back spurious interrupts.

    Fixes: 2722e56de6 ("OMAP4: l3: Introduce l3-interconnect error handling driver")
    Acked-by: Nishanth Menon
    Signed-off-by: Keerthy
    Signed-off-by: Tony Lindgren
    Signed-off-by: Greg Kroah-Hartman

    Keerthy
     
  • commit 61b43d4e919e8fa5e10c77ee32ba328da07e0264 upstream.

    On certain SoCs such as AM437x SoC, L3_noc error registers are
    maintained in power domain such as per domain which looses context as part
    of low power state such as RTC+DDR mode. On these platforms when we
    mask interrupts which we cannot handle, the source of these interrupts
    still remain on resume, however, the flag mux registers now contain
    their reset value (unmasked) - this breaks the system with infinite
    interrupts since we do not these interrupts to take place ever again.

    To handle this: restore the masking of interrupts which we have
    already recorded in the system as ones we cannot handle.

    Fixes: 2100b595b7 ("bus: omap_l3_noc: ignore masked out unclearable targets")
    Acked-by: Nishanth Menon
    Signed-off-by: Keerthy
    Signed-off-by: Tony Lindgren
    Signed-off-by: Greg Kroah-Hartman

    Keerthy
     
  • commit 999f934de195a1506089b52c77429fdba25da688 upstream.

    If the boot loader enables HYP mode on the boot CPU, the secondary CPU
    also needs to call into the ROM to switch to HYP mode before booting.
    The firmwares on the omap5 and dra7xx unfortunately do not take care
    of this, so it has to be handled by the kernel.

    This patch is based on "[PATCH 2/2] ARM: OMAP5: Add HYP mode entry support
    for secondary CPUs" by Santosh Shilimkar ,
    except this version does not require a compile time CONFIG to control
    if it should enable HYP mode or not, it simply does it based on the mode
    of the boot CPU, so it works whether the CPU boots in SVC or HYP mode,
    and should even work as a guest kernel inside kvm if qemu decides to
    support emulating the omap5 or dra7xx.

    Signed-off-by: Len Sorensen
    Signed-off-by: Tony Lindgren
    Signed-off-by: Greg Kroah-Hartman

    Lennart Sorensen
     
  • commit 572b24e6d85d98cdc552f07e9fb9870d9460d81b upstream.

    The switch statement of the possible list of SYSCLK1 frequencies is
    missing a 0 in 4 out of the 7 frequencies.

    Fixes: fa6d79d27614 ("ARM: OMAP: Add initialisation for the real-time counter")
    Signed-off-by: Len Sorensen
    Reviewed-by: Lokesh Vutla
    Acked-by: Nishanth Menon
    Signed-off-by: Tony Lindgren
    Signed-off-by: Greg Kroah-Hartman

    Lennart Sorensen
     
  • commit 81ef447950bf0955aca46f4a7617d8ce435cf0ce upstream.

    The post dividers do not work on i.MX6Q rev T0 1.0 so they must be fixed
    to 1. As the table index was wrong, a divider a of 4 could still be
    requested which implied the clock not to be set properly. This is the
    root cause of the HDMI not working at high resolution on rev T0 1.0 of
    the SoC.

    Signed-off-by: Gary Bisson
    Cc:
    Signed-off-by: Shawn Guo
    Signed-off-by: Greg Kroah-Hartman

    Gary Bisson
     
  • commit d2a10a1727b3948019128e83162f22c65859f1fd upstream.

    Drop unnecessary semicolon after closing curly bracket.

    Signed-off-by: Dmitry Voytik
    Signed-off-by: Shawn Guo
    Signed-off-by: Greg Kroah-Hartman

    Dmitry Voytik
     
  • commit 7a9f0604bd56936b2b18f49824e0e392dc7878c3 upstream.

    GPIO2_5 is the reset GPIO for the USB3317 ULPI PHY. Instead of modelling it as
    a regulator, the correct approach is to use the 'reset_gpios' property of the
    "usb-nop-xceiv" node.

    GPIO1_7 is the reset GPIO for the USB2517 USB hub. As we currently don't have
    dt bindings to describe a HUB reset, let's keep using the regulator approach.

    Rename the regulator to 'reg_hub_reset' to better describe its function and bind
    it with the USB host1 port instead.

    USB host support has been introduced by commit 9bf206a9d13be3 ("ARM: dts:
    imx51-babbage: Add USB Host1 support"), which landed in 3.16 and it seems that
    USB has only been functional due to previous bootloader initialization.

    With this patch applied we can get USB host to work without relying on the
    bootloader.

    Signed-off-by: Fabio Estevam
    Signed-off-by: Shawn Guo
    Signed-off-by: Greg Kroah-Hartman

    Fabio Estevam
     
  • commit 7a87e9cbc3a2f0ff0955815335e08c9862359130 upstream.

    From Documentation/devicetree/bindings/clock/imx25-clock.txt:

    cspi1_ipg 78
    cspi2_ipg 79
    cspi3_ipg 80

    , so fix the SPI1 clocks accordingly to avoid a kernel hang when trying to
    access SPI1.

    Signed-off-by: Fabio Estevam
    Signed-off-by: Shawn Guo
    Signed-off-by: Greg Kroah-Hartman

    Fabio Estevam
     
  • commit 7c168ed898931f6c3314d696e63cf993378ca192 upstream.

    The default qspi2_clk_sel field of register CCM_CS2CDR contains '110' which is
    marked as 'reserved', so we can't rely on the default value.

    Provide a proper parent for QSPI clocks to avoid a kernel oops:

    [ 1.037920] Division by zero in kernel.
    [ 1.041807] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 3.18.0-rc7-next-20141204-00002-g5aa23e1 #2143
    [ 1.050967] Hardware name: Freescale i.MX6 SoloX (Device Tree)
    [ 1.056853] Backtrace:
    [ 1.059360] [] (dump_backtrace) from [] (show_stack+0x18/0x1c)
    [ 1.066982] r6:00000000 r5:00000000 r4:00000000 r3:00000000
    [ 1.072754] [] (show_stack) from [] (dump_stack+0x88/0xa4)
    [ 1.080038] [] (dump_stack) from [] (__div0+0x18/0x20)
    [ 1.086958] r5:be018500 r4:be017c00
    [ 1.090600] [] (__div0) from [] (Ldiv0+0x8/0x10)
    [ 1.097012] [] (clk_divider_set_rate) from [] (clk_change_rate+0x14c/0x17c)
    [ 1.105759] r7:00000000 r6:00000000 r5:be018500 r4:00000000
    [ 1.111516] [] (clk_change_rate) from [] (clk_set_rate+0x94/0x98)
    [ 1.119391] r8:be7e0368 r7:00000000 r6:be11a000 r5:be018500 r4:00000000 r3:00000000
    [ 1.127290] [] (clk_set_rate) from [] (fsl_qspi_probe+0x23c/0x75c)
    [ 1.135260] r5:be11a010 r4:be350010
    [ 1.138900] [] (fsl_qspi_probe) from [] (platform_drv_probe+0x50/0xac)

    Signed-off-by: Fabio Estevam
    Signed-off-by: Shawn Guo
    Signed-off-by: Greg Kroah-Hartman

    Fabio Estevam
     
  • commit 40d1746d2eeec5e05956d749cca6364573b472b6 upstream.

    CONFIG_GENERIC_CPUFREQ_CPU0 disappeared with commit bbcf071969b20f
    ("cpufreq: cpu0: rename driver and internals to 'cpufreq_dt'")

    Use the renamed CONFIG_CPUFREQ_DT generic driver. It looks like with
    v3.18-rc1, commit bbcf071969b20f and fdc509b15eb3eb came in via
    different trees causing the resultant v3.18-rc1 to be non-functional for
    cpufreq as default supported with omap2plus_defconfig.

    Fixes: fdc509b15eb3eb ("ARM: omap2plus_defconfig: Add cpufreq to defconfig")
    Signed-off-by: Nishanth Menon
    Acked-by: Viresh Kumar
    Signed-off-by: Tony Lindgren
    Signed-off-by: Greg Kroah-Hartman

    Nishanth Menon
     
  • commit 9333caeaeae4f831054e0e127a6ed3948b604d3e upstream.

    When KBC is in active multiplexing mode the touchpad on this laptop does
    not work.

    Reported-by: Bilal Koc
    Signed-off-by: Dmitry Torokhov
    Signed-off-by: Greg Kroah-Hartman

    Dmitry Torokhov
     
  • commit 148e9a711e034e06310a8c36b64957934ebe30f2 upstream.

    On some laptops, keyboard needs to be reset in order to successfully detect
    touchpad (e.g., some Gigabyte laptop models with Elantech touchpads).
    Without resettin keyboard touchpad pretends to be completely dead.

    Based on the original patch by Mateusz Jończyk this version has been
    expanded to include DMI based detection & application of the fix
    automatically on the affected models of laptops. This has been confirmed to
    fix problem by three users already on three different models of laptops.

    Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=81331
    Signed-off-by: Srihari Vijayaraghavan
    Acked-by: Mateusz Jończyk
    Tested-by: Srihari Vijayaraghavan
    Tested by: Zakariya Dehlawi
    Tested-by: Guillaum Bouchard
    Signed-off-by: Dmitry Torokhov
    Signed-off-by: Greg Kroah-Hartman

    Srihari Vijayaraghavan
     
  • commit 810aa0918b2b032684c8cad13f73d6ba37ad11c0 upstream.

    This change allows the driver to recognize newer Elantech touchpads.

    Signed-off-by: Yi ju Hong
    Signed-off-by: Dmitry Torokhov
    Signed-off-by: Greg Kroah-Hartman

    Sam hung
     
  • commit 5e7e6e0c9b47a45576c38b4a72d67927a5e049f7 upstream.

    Recent Leaf firmware versions (>= 3.1.557) do not allow to send
    commands for non-existing channels. If a command is sent for a
    non-existing channel, the firmware crashes.

    Reported-by: Christopher Storah
    Signed-off-by: Olivier Sobrie
    Signed-off-by: Ahmed S. Darwish
    Signed-off-by: Marc Kleine-Budde
    Signed-off-by: Greg Kroah-Hartman

    Ahmed S. Darwish
     
  • commit 889b77f7fd2bcc922493d73a4c51d8a851505815 upstream.

    Flooding the Kvaser CAN to USB dongle with multiple reads and
    writes in very high frequency (*), closing the CAN channel while
    all the transmissions are on (#), opening the device again (@),
    then sending a small number of packets would make the driver
    enter an almost infinite loop of:

    [....]
    [15959.853988] kvaser_usb 4-3:1.0 can0: cannot find free context
    [15959.853990] kvaser_usb 4-3:1.0 can0: cannot find free context
    [15959.853991] kvaser_usb 4-3:1.0 can0: cannot find free context
    [15959.853993] kvaser_usb 4-3:1.0 can0: cannot find free context
    [15959.853994] kvaser_usb 4-3:1.0 can0: cannot find free context
    [15959.853995] kvaser_usb 4-3:1.0 can0: cannot find free context
    [....]

    _dragging the whole system down_ in the process due to the
    excessive logging output.

    Initially, this has caused random panics in the kernel due to a
    buggy error recovery path. That got fixed in an earlier commit.(%)
    This patch aims at solving the root cause. -->

    16 tx URBs and contexts are allocated per CAN channel per USB
    device. Such URBs are protected by:

    a) A simple atomic counter, up to a value of MAX_TX_URBS (16)
    b) A flag in each URB context, stating if it's free
    c) The fact that ndo_start_xmit calls are themselves protected
    by the networking layers higher above

    After grabbing one of the tx URBs, if the driver noticed that all
    of them are now taken, it stops the netif transmission queue.
    Such queue is worken up again only if an acknowedgment was received
    from the firmware on one of our earlier-sent frames.

    Meanwhile, upon channel close (#), the driver sends a CMD_STOP_CHIP
    to the firmware, effectively closing all further communication. In
    the high traffic case, the atomic counter remains at MAX_TX_URBS,
    and all the URB contexts remain marked as active. While opening
    the channel again (@), it cannot send any further frames since no
    more free tx URB contexts are available.

    Reset all tx URB contexts upon CAN channel close.

    (*) 50 parallel instances of `cangen0 -g 0 -ix`
    (#) `ifconfig can0 down`
    (@) `ifconfig can0 up`
    (%) "can: kvaser_usb: Don't free packets when tight on URBs"

    Signed-off-by: Ahmed S. Darwish
    Signed-off-by: Marc Kleine-Budde
    Signed-off-by: Greg Kroah-Hartman

    Ahmed S. Darwish
     
  • commit b442723fcec445fb0ae1104888dd22cd285e0a91 upstream.

    Flooding the Kvaser CAN to USB dongle with multiple reads and
    writes in high frequency caused seemingly-random panics in the
    kernel.

    On further inspection, it seems the driver erroneously freed the
    to-be-transmitted packet upon getting tight on URBs and returning
    NETDEV_TX_BUSY, leading to invalid memory writes and double frees
    at a later point in time.

    Note:

    Finding no more URBs/transmit-contexts and returning NETDEV_TX_BUSY
    is a driver bug in and out of itself: it means that our start/stop
    queue flow control is broken.

    This patch only fixes the (buggy) error handling code; the root
    cause shall be fixed in a later commit.

    Acked-by: Olivier Sobrie
    Signed-off-by: Ahmed S. Darwish
    Signed-off-by: Marc Kleine-Budde
    Signed-off-by: Greg Kroah-Hartman

    Ahmed S. Darwish
     
  • commit 68693b8ea4e284c46bff919ac62bd9ccdfdbb6ba upstream.

    since the split of host+gadget mode in commit 74c2e9360058 ("usb: musb:
    factor out hcd initalization") we leak the usb_hcd struct. We call now
    musb_host_cleanup() which does basically usb_remove_hcd() and also sets
    the hcd variable to NULL. Doing so makes the finall call to
    musb_host_free() basically a nop and the usb_hcd remains around for ever
    without anowner.
    This patch drops that NULL assignment for that reason.

    Fixes: 74c2e9360058 ("usb: musb: factor out hcd initalization")
    Cc: Daniel Mack
    Signed-off-by: Sebastian Andrzej Siewior
    Signed-off-by: Felipe Balbi
    Signed-off-by: Greg Kroah-Hartman

    Sebastian Andrzej Siewior
     
  • commit 6d89252a998a695ecb0348fc2d717dc33d90cae9 upstream.

    Commit c3ee9b76aa93 (EHCI: improved logic for isochronous scheduling)
    introduced the idea of using ehci->last_iso_frame as the origin (or
    base) for the circular calculations involved in modifying the
    isochronous schedule. However, the new code it added used
    ehci->last_iso_frame before the value was properly initialized. This
    patch rectifies the mistake by moving the initialization lines earlier
    in iso_stream_schedule().

    This fixes Bugzilla #72891.

    Signed-off-by: Alan Stern
    Fixes: c3ee9b76aa93
    Reported-by: Joe Bryant
    Tested-by: Joe Bryant
    Tested-by: Martin Long
    Signed-off-by: Greg Kroah-Hartman

    Alan Stern
     
  • commit 32a4bf2e81ec378e5925d4e069e0677a6c86a6ad upstream.

    Use tty kref to release the fake tty in usb_console_setup to avoid use
    after free if the underlying serial driver has acquired a reference.

    Note that using the tty destructor release_one_tty requires some more
    state to be initialised.

    Fixes: 4a90f09b20f4 ("tty: usb-serial krefs")
    Signed-off-by: Johan Hovold
    Signed-off-by: Greg Kroah-Hartman

    Johan Hovold
     
  • commit d269d4434c72ed0da3a9b1230c30da82c4918c63 upstream.

    The USB console currently allocates a temporary fake tty which is used
    to pass terminal settings to the underlying serial driver.

    The tty struct is not fully initialised, something which can lead to a
    lockdep warning (or worse) if a serial driver tries to acquire a
    line-discipline reference:

    usbserial: USB Serial support registered for pl2303
    pl2303 1-2.1:1.0: pl2303 converter detected
    usb 1-2.1: pl2303 converter now attached to ttyUSB0
    INFO: trying to register non-static key.
    the code is fine but needs lockdep annotation.
    turning off the locking correctness validator.
    CPU: 0 PID: 68 Comm: udevd Tainted: G W 3.18.0-rc5 #10
    [] (unwind_backtrace) from [] (show_stack+0x20/0x24)
    [] (show_stack) from [] (dump_stack+0x24/0x28)
    [] (dump_stack) from [] (__lock_acquire+0x1e50/0x2004)
    [] (__lock_acquire) from [] (lock_acquire+0xe4/0x18c)
    [] (lock_acquire) from [] (ldsem_down_read_trylock+0x78/0x90)
    [] (ldsem_down_read_trylock) from [] (tty_ldisc_ref+0x24/0x58)
    [] (tty_ldisc_ref) from [] (usb_serial_handle_dcd_change+0x48/0xe8)
    [] (usb_serial_handle_dcd_change) from [] (pl2303_read_int_callback+0x210/0x220 [pl2303])
    [] (pl2303_read_int_callback [pl2303]) from [] (__usb_hcd_giveback_urb+0x80/0x140)
    [] (__usb_hcd_giveback_urb) from [] (usb_giveback_urb_bh+0x98/0xd4)
    [] (usb_giveback_urb_bh) from [] (tasklet_hi_action+0x9c/0x108)
    [] (tasklet_hi_action) from [] (__do_softirq+0x148/0x42c)
    [] (__do_softirq) from [] (irq_exit+0xd8/0x114)
    [] (irq_exit) from [] (__handle_domain_irq+0x84/0xdc)
    [] (__handle_domain_irq) from [] (omap_intc_handle_irq+0xd8/0xe0)
    [] (omap_intc_handle_irq) from [] (__irq_svc+0x44/0x7c)
    Exception stack(0xdf4e7f08 to 0xdf4e7f50)
    7f00: debc0b80 df4e7f5c 00000000 00000000 debc0b80 be8da96c
    7f20: 00000000 00000128 c000fc84 df4e6000 00000000 df4e7f94 00000004 df4e7f50
    7f40: c038ebc0 c038d74c 600f0013 ffffffff
    [] (__irq_svc) from [] (___sys_sendmsg.part.29+0x0/0x2e0)
    [] (___sys_sendmsg.part.29) from [] (SyS_sendmsg+0x18/0x1c)
    [] (SyS_sendmsg) from [] (ret_fast_syscall+0x0/0x48)
    console [ttyUSB0] enabled

    Fixes: 36697529b5bb ("tty: Replace ldisc locking with ldisc_sem")
    Signed-off-by: Johan Hovold
    Signed-off-by: Greg Kroah-Hartman

    Johan Hovold
     
  • commit 5fb694f96e7c19e66b1c55124b98812e32e3efa5 upstream.

    When unloading the module 'g_hid.ko', the urb request will be dequeued and the
    completion routine will be excuted. If there is no urb packet, the urb request
    will not be added to the endpoint queue and the completion routine pointer in
    urb request is NULL.

    Accessing to this NULL function pointer will cause the Oops issue reported
    below.

    Add the code to check if the urb request is in the endpoint queue
    or not. If the urb request is not in the endpoint queue, a negative
    error code will be returned.

    Here is the Oops log:

    Unable to handle kernel NULL pointer dereference at virtual address 00000000
    pgd = dedf0000
    [00000000] *pgd=3ede5831, *pte=00000000, *ppte=00000000
    Internal error: Oops: 80000007 [#1] ARM
    Modules linked in: g_hid(-) usb_f_hid libcomposite
    CPU: 0 PID: 923 Comm: rmmod Not tainted 3.18.0+ #2
    Hardware name: Atmel SAMA5 (Device Tree)
    task: df6b1100 ti: dedf6000 task.ti: dedf6000
    PC is at 0x0
    LR is at usb_gadget_giveback_request+0xc/0x10
    pc : [] lr : [] psr: 60000093
    sp : dedf7eb0 ip : df572634 fp : 00000000
    r10: 00000000 r9 : df52e210 r8 : 60000013
    r7 : df6a9858 r6 : df52e210 r5 : df6a9858 r4 : df572600
    r3 : 00000000 r2 : ffffff98 r1 : df572600 r0 : df6a9868
    Flags: nZCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment user
    Control: 10c53c7d Table: 3edf0059 DAC: 00000015
    Process rmmod (pid: 923, stack limit = 0xdedf6230)
    Stack: (0xdedf7eb0 to 0xdedf8000)
    7ea0: 00000000 c02adbbc df572580 deced608
    7ec0: df572600 df6a9868 df572634 c02aed3c df577c00 c01b8608 00000000 df6be27c
    7ee0: 00200200 00100100 bf0162f4 c000e544 dedf6000 00000000 00000000 bf010c00
    7f00: bf0162cc bf00159c 00000000 df572980 df52e218 00000001 df5729b8 bf0031d0
    [..]
    [] (usb_gadget_giveback_request) from [] (request_complete+0x64/0x88)
    [] (request_complete) from [] (usba_ep_dequeue+0x70/0x128)
    [] (usba_ep_dequeue) from [] (hidg_unbind+0x50/0x7c [usb_f_hid])
    [] (hidg_unbind [usb_f_hid]) from [] (remove_config.isra.6+0x98/0x9c [libcomposite])
    [] (remove_config.isra.6 [libcomposite]) from [] (__composite_unbind+0x34/0x98 [libcomposite])
    [] (__composite_unbind [libcomposite]) from [] (usb_gadget_remove_driver+0x50/0x78)
    [] (usb_gadget_remove_driver) from [] (usb_gadget_unregister_driver+0x64/0x94)
    [] (usb_gadget_unregister_driver) from [] (hidg_cleanup+0x10/0x34 [g_hid])
    [] (hidg_cleanup [g_hid]) from [] (SyS_delete_module+0x118/0x19c)
    [] (SyS_delete_module) from [] (ret_fast_syscall+0x0/0x30)
    Code: bad PC value

    Signed-off-by: Songjun Wu
    [nicolas.ferre@atmel.com: reworked the commit message]
    Signed-off-by: Nicolas Ferre
    Fixes: 914a3f3b3754 ("USB: add atmel_usba_udc driver")
    Signed-off-by: Felipe Balbi
    Signed-off-by: Greg Kroah-Hartman

    Songjun Wu
     
  • commit 6785a1034461c2d2c205215f63a50a740896e55b upstream.

    When receive data, the RXRDY in status register set by hardware
    after a new packet has been stored in the endpoint FIFO. When it
    is copied from FIFO, this bit is cleared which make the FIFO can
    be accessed again.

    In the receive_data() function, this bit RXRDY has been cleared.
    So, after the receive_data() function return, this bit should
    not be cleared again, or else it may cause the accessing FIFO
    corrupt, which will make the data loss.

    Fixes: 914a3f3b3754 (USB: add atmel_usba_udc driver)
    Acked-by: Nicolas Ferre
    Signed-off-by: Bo Shen
    Signed-off-by: Felipe Balbi
    Signed-off-by: Greg Kroah-Hartman

    Bo Shen
     
  • commit f40afdddeb6c54ffd1e2920a5e93e363d6748db6 upstream.

    According to the datasheet, when transfer using DMA, the control
    setting for IN packet only need END_BUF_EN, END_BUF_IE, CH_EN,
    while for OUT packet, need more two bits END_TR_EN and END_TR_IE
    to be configured.

    Fixes: 914a3f3b3754 (USB: add atmel_usba_udc driver)
    Acked-by: Nicolas Ferre
    Signed-off-by: Bo Shen
    Signed-off-by: Felipe Balbi
    Signed-off-by: Greg Kroah-Hartman

    Bo Shen
     
  • commit b44be2462dbe3e23f0aedff64de52a1e8e47a1cd upstream.

    Commit 3b74c73f8d6f053f422e85fce955b61fb181cfe7 switched over to memdup_user()
    in ep_write() function and removed kfree (kbuf).
    memdup_user() function allocates memory which is never freed.

    Fixes: 3b74c73 (usb: gadget: inode: switch over to memdup_user())
    Signed-off-by: Mario Schuknecht
    Signed-off-by: Felipe Balbi
    Signed-off-by: Greg Kroah-Hartman

    Mario Schuknecht
     
  • commit b5122236bba8d7ef62153da5b55cc65d0944c61e upstream.

    Fix null-pointer dereference during probe if the interface-status
    completion handler is called before the individual ports have been set
    up.

    Fixes: f79b2d0fe81e ("USB: keyspan: fix NULL-pointer dereferences and
    memory leaks")
    Reported-by: Richard
    Tested-by: Richard
    Signed-off-by: Johan Hovold
    Signed-off-by: Greg Kroah-Hartman

    Johan Hovold
     
  • commit d80c0d14183516f184a5ac88e11008ee4c7d2a2e upstream.

    As has been discussed in the thread starting with
    https://lkml.kernel.org/g/549748e9.d+SiJzqu50f1r4lSAL043YSc@arcor.de
    Sierra Wireless MC73xx devices with USB VID/PID 0x1199:0x68c0 require the
    option_send_setup() code to be used on the USB interface for the AT port
    to make unsolicited response codes work correctly. Move these devices from
    the qcserial driver where they have been added by commit
    70a3615fc07c2330ed7c1e922f3c44f4a67c0762 ("usb: qcserial: add Sierra Wireless
    MC73xx") to the option driver and add a MC73xx-specific blacklist
    to ensure that
    1. the sendsetup code is not used for the DIAG/DM and NMEA interfaces
    2. the option driver does not attach to the QMI/network interfaces

    Signed-off-by: Reinhard Speyerer
    Signed-off-by: Johan Hovold
    Signed-off-by: Greg Kroah-Hartman

    Reinhard Speyerer