aboutsummaryrefslogtreecommitdiff
AgeCommit message (Collapse)AuthorFilesLines
2017-01-04USB: serial: pl2303: fix NULL-deref at openJohan Hovold1-0/+8
Fix NULL-pointer dereference in open() should a type-0 or type-1 device lack the expected endpoints: Unable to handle kernel NULL pointer dereference at virtual address 00000030 ... PC is at pl2303_open+0x38/0xec [pl2303] Note that a missing interrupt-in endpoint would have caused open() to fail. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable <[email protected]> Signed-off-by: Johan Hovold <[email protected]>
2017-01-04USB: serial: oti6858: fix NULL-deref at openJohan Hovold1-0/+16
Fix NULL-pointer dereference in open() should the device lack the expected endpoints: Unable to handle kernel NULL pointer dereference at virtual address 00000030 ... PC is at oti6858_open+0x30/0x1d0 [oti6858] Note that a missing interrupt-in endpoint would have caused open() to fail. Fixes: 49cdee0ed0fc ("USB: oti6858 usb-serial driver (in Nokia CA-42 cable)") Cc: stable <[email protected]> Signed-off-by: Johan Hovold <[email protected]>
2017-01-04USB: serial: omninet: fix NULL-derefs at open and disconnectJohan Hovold1-0/+13
Fix NULL-pointer dereferences at open() and disconnect() should the device lack the expected bulk-out endpoints: Unable to handle kernel NULL pointer dereference at virtual address 000000b4 ... [c0170ff0>] (__lock_acquire) from [<c0172f00>] (lock_acquire+0x108/0x264) [<c0172f00>] (lock_acquire) from [<c06a5090>] (_raw_spin_lock_irqsave+0x58/0x6c) [<c06a5090>] (_raw_spin_lock_irqsave) from [<c0470684>] (tty_port_tty_set+0x28/0xa4) [<c0470684>] (tty_port_tty_set) from [<bf08d384>] (omninet_open+0x30/0x40 [omninet]) [<bf08d384>] (omninet_open [omninet]) from [<bf07c118>] (serial_port_activate+0x68/0x98 [usbserial]) Unable to handle kernel NULL pointer dereference at virtual address 00000234 ... [<bf01f418>] (omninet_disconnect [omninet]) from [<bf0016c0>] (usb_serial_disconnect+0xe4/0x100 [usbserial]) Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable <[email protected]> Signed-off-by: Johan Hovold <[email protected]>
2017-01-04USB: serial: mos7840: fix misleading interrupt-URB commentJohan Hovold1-3/+1
The interrupt URB is killed at final port close since commit 0de9a7024e7a ("USB: overhaul of mos7840 driver"). Fixes: 0de9a7024e7a ("USB: overhaul of mos7840 driver") Signed-off-by: Johan Hovold <[email protected]>
2017-01-04USB: serial: mos7840: remove unused write URBJohan Hovold1-8/+0
Remove code to manage a write URB that was never allocated. Signed-off-by: Johan Hovold <[email protected]>
2017-01-04USB: serial: mos7840: fix NULL-deref at openJohan Hovold1-0/+12
Fix NULL-pointer dereference in open() should the device lack the expected endpoints: Unable to handle kernel NULL pointer dereference at virtual address 00000030 ... PC is at mos7840_open+0x88/0x8dc [mos7840] Note that we continue to treat the interrupt-in endpoint as optional for now. Fixes: 3f5429746d91 ("USB: Moschip 7840 USB-Serial Driver") Cc: stable <[email protected]> Signed-off-by: Johan Hovold <[email protected]>
2017-01-04USB: serial: mos7720: remove obsolete port initialisationJohan Hovold1-5/+0
Since commit b69578df7e98 ("USB: usbserial: mos7720: add support for parallel port on moschip 7715"), the interrupt urb is no longer submitted at first port open and the endpoint-address initialisation at port-probe is no longer used. Signed-off-by: Johan Hovold <[email protected]>
2017-01-04USB: serial: mos7720: fix parallel probeJohan Hovold1-23/+7
A static usb-serial-driver structure that is used to initialise the interrupt URB was modified during probe depending on the currently probed device type, something which could break a parallel probe of a device of a different type. Fix this up by overriding the default completion callback for MCS7715 devices in attach() instead. We may want to use two usb-serial driver instances for the two types later. Fixes: fb088e335d78 ("USB: serial: add support for serial port on the moschip 7715") Cc: stable <[email protected]> Signed-off-by: Johan Hovold <[email protected]>
2017-01-04USB: serial: mos7720: fix parport use-after-free on probe errorsJohan Hovold1-10/+8
Do not submit the interrupt URB until after the parport has been successfully registered to avoid another use-after-free in the completion handler when accessing the freed parport private data in case of a racing completion. Fixes: b69578df7e98 ("USB: usbserial: mos7720: add support for parallel port on moschip 7715") Cc: stable <[email protected]> Signed-off-by: Johan Hovold <[email protected]>
2017-01-04USB: serial: mos7720: fix use-after-free on probe errorsJohan Hovold1-1/+5
The interrupt URB was submitted on probe but never stopped on probe errors. This can lead to use-after-free issues in the completion handler when accessing the freed usb-serial struct: Unable to handle kernel paging request at virtual address 6b6b6be7 ... [<bf052e70>] (mos7715_interrupt_callback [mos7720]) from [<c052a894>] (__usb_hcd_giveback_urb+0x80/0x140) [<c052a894>] (__usb_hcd_giveback_urb) from [<c052a9a4>] (usb_hcd_giveback_urb+0x50/0x138) [<c052a9a4>] (usb_hcd_giveback_urb) from [<c0550684>] (musb_giveback+0xc8/0x1cc) Fixes: b69578df7e98 ("USB: usbserial: mos7720: add support for parallel port on moschip 7715") Cc: stable <[email protected]> Signed-off-by: Johan Hovold <[email protected]>
2017-01-04USB: serial: mos7720: fix NULL-deref at openJohan Hovold1-0/+5
Fix NULL-pointer dereference at port open if a device lacks the expected bulk in and out endpoints. Unable to handle kernel NULL pointer dereference at virtual address 00000030 ... [<bf071c20>] (mos7720_open [mos7720]) from [<bf0490e0>] (serial_port_activate+0x68/0x98 [usbserial]) [<bf0490e0>] (serial_port_activate [usbserial]) from [<c0470ca4>] (tty_port_open+0x9c/0xe8) [<c0470ca4>] (tty_port_open) from [<bf049d98>] (serial_open+0x48/0x6c [usbserial]) [<bf049d98>] (serial_open [usbserial]) from [<c0469178>] (tty_open+0xcc/0x5cc) Fixes: 0f64478cbc7a ("USB: add USB serial mos7720 driver") Cc: stable <[email protected]> Signed-off-by: Johan Hovold <[email protected]>
2017-01-04USB: serial: kobil_sct: fix NULL-deref in writeJohan Hovold1-0/+12
Fix NULL-pointer dereference in write() should the device lack the expected interrupt-out endpoint: Unable to handle kernel NULL pointer dereference at virtual address 00000054 ... PC is at kobil_write+0x144/0x2a0 [kobil_sct] Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable <[email protected]> Signed-off-by: Johan Hovold <[email protected]>
2017-01-04USB: serial: keyspan_pda: verify endpoints at probeJohan Hovold1-0/+14
Check for the expected endpoints in attach() and fail loudly if not present. Note that failing to do this appears to be benign since da280e348866 ("USB: keyspan_pda: clean up write-urb busy handling") which prevents a NULL-pointer dereference in write() by never marking a non-existent write-urb as free. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable <[email protected]> # < v3.3 Signed-off-by: Johan Hovold <[email protected]>
2017-01-04USB: serial: iuu_phoenix: fix NULL-deref at openJohan Hovold1-0/+11
Fix NULL-pointer dereference at open should the device lack a bulk-in or bulk-out endpoint: Unable to handle kernel NULL pointer dereference at virtual address 00000030 ... PC is at iuu_open+0x78/0x59c [iuu_phoenix] Fixes: 07c3b1a10016 ("USB: remove broken usb-serial num_endpoints check") Cc: stable <[email protected]> Signed-off-by: Johan Hovold <[email protected]>
2017-01-04USB: serial: io_ti: bind to interface after fw downloadJohan Hovold1-2/+1
Bind to the interface, but do not register any ports, after having downloaded the firmware. The device will still disconnect and re-enumerate, but this way we avoid an error messages from being logged as part of the process: io_ti: probe of 1-1.3:1.0 failed with error -5 Signed-off-by: Johan Hovold <[email protected]>
2017-01-04USB: serial: io_ti: fix I/O after disconnectJohan Hovold1-0/+3
Cancel the heartbeat work on driver unbind in order to avoid I/O after disconnect in case the port is held open. Note that the cancel in release() is still needed to stop the heartbeat after late probe errors. Fixes: 26c78daade0f ("USB: io_ti: Add heartbeat to keep idle EP/416 ports from disconnecting") Cc: stable <[email protected]> Signed-off-by: Johan Hovold <[email protected]>
2017-01-04USB: serial: io_ti: fix another NULL-deref at openJohan Hovold1-3/+6
In case a device is left in "boot-mode" we must not register any port devices in order to avoid a NULL-pointer dereference on open due to missing endpoints. This could be used by a malicious device to trigger an OOPS: Unable to handle kernel NULL pointer dereference at virtual address 00000030 ... [<bf0caa84>] (edge_open [io_ti]) from [<bf0b0118>] (serial_port_activate+0x68/0x98 [usbserial]) [<bf0b0118>] (serial_port_activate [usbserial]) from [<c0470ca4>] (tty_port_open+0x9c/0xe8) [<c0470ca4>] (tty_port_open) from [<bf0b0da0>] (serial_open+0x48/0x6c [usbserial]) [<bf0b0da0>] (serial_open [usbserial]) from [<c0469178>] (tty_open+0xcc/0x5cc) Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable <[email protected]> Signed-off-by: Johan Hovold <[email protected]>
2017-01-04USB: serial: io_ti: fix NULL-deref at openJohan Hovold1-0/+7
Fix NULL-pointer dereference when clearing halt at open should a malicious device lack the expected endpoints when in download mode. Unable to handle kernel NULL pointer dereference at virtual address 00000030 ... [<bf011ed8>] (edge_open [io_ti]) from [<bf000118>] (serial_port_activate+0x68/0x98 [usbserial]) [<bf000118>] (serial_port_activate [usbserial]) from [<c0470ca4>] (tty_port_open+0x9c/0xe8) [<c0470ca4>] (tty_port_open) from [<bf000da0>] (serial_open+0x48/0x6c [usbserial]) [<bf000da0>] (serial_open [usbserial]) from [<c0469178>] (tty_open+0xcc/0x5cc) Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable <[email protected]> Signed-off-by: Johan Hovold <[email protected]>
2017-01-04USB: serial: io_edgeport: fix NULL-deref at openJohan Hovold1-0/+5
Fix NULL-pointer dereference when initialising URBs at open should a non-EPIC device lack a bulk-in or interrupt-in endpoint. Unable to handle kernel NULL pointer dereference at virtual address 00000028 ... PC is at edge_open+0x24c/0x3e8 [io_edgeport] Note that the EPIC-device probe path has the required sanity checks so this makes those checks partially redundant. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable <[email protected]> Signed-off-by: Johan Hovold <[email protected]>
2017-01-04USB: serial: garmin_gps: fix memory leak on failed URB submitJohan Hovold1-0/+1
Make sure to free the URB transfer buffer in case submission fails (e.g. due to a disconnect). Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable <[email protected]> Signed-off-by: Johan Hovold <[email protected]>
2017-01-04USB: serial: cyberjack: fix NULL-deref at openJohan Hovold1-0/+10
Fix NULL-pointer dereference when clearing halt at open should the device lack a bulk-out endpoint. Unable to handle kernel NULL pointer dereference at virtual address 00000030 ... PC is at cyberjack_open+0x40/0x9c [cyberjack] Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable <[email protected]> Signed-off-by: Johan Hovold <[email protected]>
2017-01-03xfs: fix max_retries _show and _store functionsCarlos Maiolino1-2/+2
max_retries _show and _store functions should test against cfg->max_retries, not cfg->retry_timeout Signed-off-by: Carlos Maiolino <[email protected]> Reviewed-by: Eric Sandeen <[email protected]> Signed-off-by: Darrick J. Wong <[email protected]>
2017-01-03xfs: update MAINTAINERSDarrick J. Wong1-2/+2
I am taking over as XFS maintainer from Dave Chinner[1], so update contact information and git tree pointers. [1] http://lkml.iu.edu/hypermail/linux/kernel/1612.1/04390.html Signed-off-by: Darrick J. Wong <[email protected]>
2017-01-03xfs: fix crash and data corruption due to removal of busy COW extentsChristoph Hellwig1-1/+2
There is a race window between write_cache_pages calling clear_page_dirty_for_io and XFS calling set_page_writeback, in which the mapping for an inode is tagged neither as dirty, nor as writeback. If the COW shrinker hits in exactly that window we'll remove the delayed COW extents and writepages trying to write it back, which in release kernels will manifest as corruption of the bmap btree, and in debug kernels will trip the ASSERT about now calling xfs_bmapi_write with the COWFORK flag for holes. A complex customer load manages to hit this window fairly reliably, probably by always having COW writeback in flight while the cow shrinker runs. This patch adds another check for having the I_DIRTY_PAGES flag set, which is still set during this race window. While this fixes the problem I'm still not overly happy about the way the COW shrinker works as it still seems a bit fragile. Signed-off-by: Christoph Hellwig <[email protected]> Signed-off-by: Darrick J. Wong <[email protected]>
2017-01-03xfs: use the actual AG length when reserving blocksDarrick J. Wong6-12/+34
We need to use the actual AG length when making per-AG reservations, since we could otherwise end up reserving more blocks out of the last AG than there are actual blocks. Complained-about-by: Brian Foster <[email protected]> Signed-off-by: Darrick J. Wong <[email protected]> Reviewed-by: Christoph Hellwig <[email protected]>
2017-01-03xfs: fix double-cleanup when CUI recovery failsDarrick J. Wong1-1/+2
Dan Carpenter reported a double-free of rcur if _defer_finish fails while we're recovering CUI items. Fix the error recovery to prevent this. Reported-by: Dan Carpenter <[email protected]> Signed-off-by: Darrick J. Wong <[email protected]>
2017-01-03net: vrf: Add missing Rx countersDavid Ahern1-0/+3
The move from rx-handler to L3 receive handler inadvertantly dropped the rx counters. Restore them. Fixes: 74b20582ac38 ("net: l3mdev: Add hook in ip and ipv6") Reported-by: Dinesh Dutt <[email protected]> Signed-off-by: David Ahern <[email protected]> Signed-off-by: David S. Miller <[email protected]>
2017-01-03block: fix up io_poll documentationJeff Moyer1-3/+3
/sys/block/<dev>/queue/io_poll is a boolean. Fix the docs. Signed-off-by: Jeff Moyer <[email protected]> Signed-off-by: Jens Axboe <[email protected]>
2017-01-03audit: Fix sleep in atomicJan Kara1-4/+14
Audit tree code was happily adding new notification marks while holding spinlocks. Since fsnotify_add_mark() acquires group->mark_mutex this can lead to sleeping while holding a spinlock, deadlocks due to lock inversion, and probably other fun. Fix the problem by acquiring group->mark_mutex earlier. CC: Paul Moore <[email protected]> Signed-off-by: Jan Kara <[email protected]> Signed-off-by: Paul Moore <[email protected]>
2017-01-03gcc-plugins: update gcc-common.h for gcc-7Kees Cook1-0/+85
This updates gcc-common.h from Emese Revfy for gcc 7. This fixes issues seen by Kugan and Arnd. Build tested with gcc 5.4 and 7 snapshot. Cc: [email protected] Signed-off-by: Kees Cook <[email protected]>
2017-01-03latent_entropy: fix ARM build error on earlier gccKees Cook1-2/+2
This fixes build errors seen on gcc-4.9.3 or gcc-5.3.1 for an ARM: arm-soc/init/initramfs.c: In function 'error': arm-soc/init/initramfs.c:50:1: error: unrecognizable insn: } ^ (insn 26 25 27 5 (set (reg:SI 111 [ local_entropy.243 ]) (rotatert:SI (reg:SI 116 [ local_entropy.243 ]) (const_int -30 [0xffffffffffffffe2]))) -1 (nil)) Patch from PaX Team <[email protected]> Reported-by: Arnd Bergmann <[email protected]> Reported-by: Brad Spengler <[email protected]> Cc: [email protected] Signed-off-by: Kees Cook <[email protected]>
2017-01-03Merge branch 'parisc-4.10-2' of ↵Linus Torvalds3-5/+21
git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux Pull parisc updates from Helge Deller: - limit usage of processor-internal cr16 clocksource to UP systems only - segfault info lines in syslog were too long, split those up - drop own TIF_RESTORE_SIGMASK flag and switch to generic code * 'parisc-4.10-2' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux: parisc: Add line-break when printing segfault info parisc: Drop TIF_RESTORE_SIGMASK and switch to generic code parisc: Mark cr16 clocksource unstable on SMP systems
2017-01-03Xen: ARM: Zero reserved fields of xatp before making hypervisor callJiandi An1-3/+5
Ensure all reserved fields of xatp are zero before making hypervisor call to XEN in xen_map_device_mmio(). xenmem_add_to_physmap_one() in XEN fails the mapping request if extra.res reserved field in xatp is not zero for XENMAPSPACE_dev_mmio request. Signed-off-by: Jiandi An <[email protected]> Reviewed-by: Stefano Stabellini <[email protected]>
2017-01-03MAINTAINERS: extend PSCI entry to cover the newly add PSCI checker codeSudeep Holla1-1/+1
This patch extends the file entry for PSCI so that the newly added PSCI checker module code is also covered. Cc: Mark Rutland <[email protected]> Cc: Lorenzo Pieralisi <[email protected]> Signed-off-by: Sudeep Holla <[email protected]> Signed-off-by: Lorenzo Pieralisi <[email protected]>
2017-01-03drivers: psci: annotate timer on stack to silence odebug messagesSudeep Holla1-2/+2
When DEBUG_OBJECTS config is enabled, we get the below odebug warnings: ODEBUG: object is on stack, but not annotated WARNING: CPU: 3 PID: 1304 at kernel/lib/debugobjects.c:300 __debug_object_init+0x1f0/0x458 CPU: 3 PID: 1304 Comm: psci_suspend_te Tainted: G W 4.9.0-06564-gf80f3f199260 #284 task: ffffe9e1b55a1600 task.stack: ffffe9e1b51c0000 PC is at __debug_object_init+0x1f0/0x458 LR is at __debug_object_init+0x1ec/0x458 Call trace: __debug_object_init+0x1f0/0x458 debug_object_activate+0x150/0x260 mod_timer+0xb4/0x4c0 suspend_test_thread+0x1cc/0x3c0 kthread+0x110/0x140 ret_from_fork+0x10/0x40 This patch annotates the timer on the stack using setup_timer_on_stack function to remove the above warnings. Cc: Kevin Brodsky <[email protected]> Cc: Mark Rutland <[email protected]> Cc: Lorenzo Pieralisi <[email protected]> Signed-off-by: Sudeep Holla <[email protected]> Signed-off-by: Lorenzo Pieralisi <[email protected]>
2017-01-03ARM64: defconfig: enable DRM_MESON as moduleKevin Hilman1-0/+1
Signed-off-by: Kevin Hilman <[email protected]>
2017-01-03ARM64: dts: meson-gx: Add Graphic Controller nodesNeil Armstrong8-0/+92
Add Video Processing Unit and CVBS Output nodes, and enable CVBS on selected boards. Reviewed-by: Laurent Pinchart <[email protected]> Signed-off-by: Neil Armstrong <[email protected]> Signed-off-by: Kevin Hilman <[email protected]>
2017-01-03ARM64: dts: meson-gxl: fix GPIO includeKevin Hilman1-1/+1
Signed-off-by: Kevin Hilman <[email protected]>
2017-01-03usb: host: xhci: handle COMP_STOP from SETUP phase tooFelipe Balbi1-12/+21
Stop Endpoint command can come at any point and we have no control of that. We should make sure to handle COMP_STOP on SETUP phase as well, otherwise urb->actual_length might be set to negative values in some occasions such as below: urb->length = 4; build_control_transfer_td_for(urb, ep); stop_endpoint(ep); COMP_STOP: [...] urb->actual_length = urb->length - trb->length; trb->length is 8 for SETUP stage (8 control request bytes), so actual_length would be set to -4 in this case. While doing that, also make sure to use TRB_TYPE field of the actual TRB instead of matching pointers to figure out in which stage of the control transfer we got our completion event. Cc: <[email protected]> Signed-off-by: Felipe Balbi <[email protected]> Signed-off-by: Mathias Nyman <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
2017-01-03usb: xhci: apply XHCI_PME_STUCK_QUIRK to Intel Apollo LakeWan Ahmad Zainie1-1/+2
Intel Apollo Lake also requires XHCI_PME_STUCK_QUIRK. Adding its PCI ID to quirk. Cc: <[email protected]> Signed-off-by: Wan Ahmad Zainie <[email protected]> Signed-off-by: Mathias Nyman <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
2017-01-03xhci: Fix race related to abort operationOGAWA Hirofumi3-80/+90
Current abort operation has race. xhci_handle_command_timeout() xhci_abort_cmd_ring() xhci_write_64(CMD_RING_ABORT) xhci_handshake(5s) do { check CMD_RING_RUNNING udelay(1) ... COMP_CMD_ABORT event COMP_CMD_STOP event xhci_handle_stopped_cmd_ring() restart cmd_ring CMD_RING_RUNNING become 1 again } while () return -ETIMEDOUT xhci_write_64(CMD_RING_ABORT) /* can abort random command */ To do abort operation correctly, we have to wait both of COMP_CMD_STOP event and negation of CMD_RING_RUNNING. But like above, while timeout handler is waiting negation of CMD_RING_RUNNING, event handler can restart cmd_ring. So timeout handler never be notice negation of CMD_RING_RUNNING, and retry of CMD_RING_ABORT can abort random command (BTW, I guess retry of CMD_RING_ABORT was workaround of this race). To fix this race, this moves xhci_handle_stopped_cmd_ring() to xhci_abort_cmd_ring(). And timeout handler waits COMP_CMD_STOP event. At this point, timeout handler is owner of cmd_ring, and safely restart cmd_ring by using xhci_handle_stopped_cmd_ring(). [FWIW, as bonus, this way would be easily extend to add CMD_RING_PAUSE operation] [locks edited as patch is rebased on other locking fixes -Mathias] Signed-off-by: OGAWA Hirofumi <[email protected]> Signed-off-by: Mathias Nyman <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
2017-01-03xhci: Use delayed_work instead of timer for command timeoutOGAWA Hirofumi3-16/+21
This is preparation to fix abort operation race (See "xhci: Fix race related to abort operation"). To make timeout sleepable, use delayed_work instead of timer. [change a newly added pending timer fix to pending work -Mathias] Signed-off-by: OGAWA Hirofumi <[email protected]> Signed-off-by: Mathias Nyman <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
2017-01-03usb: xhci: hold lock over xhci_abort_cmd_ring()Lu Baolu1-4/+9
In command timer function, xhci_handle_command_timeout(), xhci->lock is unlocked before call into xhci_abort_cmd_ring(). This might cause race between the timer function and the event handler. The xhci_abort_cmd_ring() function sets the CMD_RING_ABORT bit in the command register and polling it until the setting takes effect. A stop command ring event might be handled between writing the abort bit and polling for it. The event handler will restart the command ring, which causes the failure of polling, and we ever believed that we failed to stop it. As a bonus, this also fixes some issues of calling functions without locking in xhci_handle_command_timeout(). Cc: <[email protected]> # 3.7+ Signed-off-by: Lu Baolu <[email protected]> Signed-off-by: Mathias Nyman <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
2017-01-03xhci: Handle command completion and timeout raceMathias Nyman1-1/+5
If we get a command completion event at the same time as the command timeout work starts on another cpu we might end up aborting the wrong command. If the command completion takes the xhci lock before the timeout work, it will handle the command, pick the next command, mark it as current_cmd, and re-queue the timeout work. When the timeout work finally gets the lock It will start aborting the wrong command. This case can be resolved by checking if the timeout work is pending inside the timeout function itself. A new timeout work can only be pending if the command completed and a new command was queued. If there are no more commands pending then command completion will set the current_cmd to NULL, which is already handled in the timeout work. Cc: <[email protected]> Reported-by: Baolin Wang <[email protected]> Signed-off-by: Mathias Nyman <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
2017-01-03usb: host: xhci: Fix possible wild pointer when handling abort commandBaolin Wang1-1/+4
When current command was supposed to be aborted, host will free the command in handle_cmd_completion() function. But it might be still referenced by xhci->current_cmd, which need to set NULL. Cc: <[email protected]> Signed-off-by: Baolin Wang <[email protected]> Signed-off-by: Mathias Nyman <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
2017-01-03usb: xhci: fix possible wild pointerLu Baolu1-5/+11
handle_cmd_completion() frees a command structure which might be still referenced by xhci->current_cmd. This might cause problem when xhci->current_cmd is accessed after that. A real-life case could be like this. The host takes a very long time to respond to a command, and the command timer is fired at the same time when the command completion event arrives. The command completion handler frees xhci->current_cmd before the timer function can grab xhci->lock. Afterward, timer function grabs the lock and go ahead with checking and setting members of xhci->current_cmd. Cc: <[email protected]> # v3.16+ Signed-off-by: Lu Baolu <[email protected]> Signed-off-by: Mathias Nyman <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
2017-01-03usb: return error code when platform_get_irq failsPan Bian1-1/+3
In function xhci_mtk_probe(), variable ret takes the return value. Its value should be negative on failures. However, when the call to function platform_get_irq() fails, it does not set the error code, and 0 will be returned. 0 indicates no error. As a result, the callers of function xhci_mtk_probe() will not be able to detect the error. This patch fixes the bug by assigning the return value of platform_get_irq() to variable ret if it fails. CC: <[email protected]> Signed-off-by: Pan Bian <[email protected]> Reviewed-by: Matthias Brugger <[email protected]> Signed-off-by: Mathias Nyman <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
2017-01-03usb: xhci: fix return value of xhci_setup_device()Lu Baolu1-1/+3
xhci_setup_device() should return failure with correct error number when xhci host has died, removed or halted. During usb device enumeration, if usb host is not accessible (died, removed or halted), the hc_driver->address_device() should return a corresponding error code to usb core. But current xhci driver just returns success. This misleads usb core to continue the enumeration by reading the device descriptor, which will result in failure, and users will get a misleading message like "device descriptor read/8, error -110". Cc: <[email protected]> # v4.3+ Signed-off-by: Lu Baolu <[email protected]> Signed-off-by: Mathias Nyman <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
2017-01-03xhci: free xhci virtual devices with leaf nodes firstMathias Nyman1-2/+36
the tt_info provided by a HS hub might be in use to by a child device Make sure we free the devices in the correct order. This is needed in special cases such as when xhci controller is reset when resuming from hibernate, and all virt_devices are freed. Also free the virt_devices starting from max slot_id as children more commonly have higher slot_id than parent. CC: <[email protected]> Reported-by: Guenter Roeck <[email protected]> Tested-by: Guenter Roeck <[email protected]> Signed-off-by: Mathias Nyman <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
2017-01-03staging: octeon: Call SET_NETDEV_DEV()Florian Fainelli1-0/+2
The Octeon driver calls into PHYLIB which now checks for net_device->dev.parent, so make sure we do set it before calling into any MDIO/PHYLIB related function. Fixes: ec988ad78ed6 ("phy: Don't increment MDIO bus refcount unless it's a different owner") Reported-by: Aaro Koskinen <[email protected]> Cc: stable <[email protected]> # 4.9+ Signed-off-by: Florian Fainelli <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>