1. 25 Jul, 2013 1 commit
    • Sarah Sharp's avatar
      xhci: Avoid NULL pointer deref when host dies. · 203a8661
      Sarah Sharp authored
      When the host controller fails to respond to an Enable Slot command, and
      the host fails to respond to the register write to abort the command
      ring, the xHCI driver will assume the host is dead, and call
      usb_hc_died().
      
      The USB device's slot_id is still set to zero, and the pointer stored at
      xhci->devs[0] will always be NULL.  The call to xhci_check_args in
      xhci_free_dev should have caught the NULL virt_dev pointer.
      
      However, xhci_free_dev is designed to free the xhci_virt_device
      structures, even if the host is dead, so that we don't leak kernel
      memory.  xhci_free_dev checks the return value from the generic
      xhci_check_args function.  If the return value is -ENODEV, it carries on
      trying to free the virtual device.
      
      The issue is that xhci_check_args looks at the host controller state
      before it looks at the xhci_virt_device pointer.  It will return -ENIVAL
      because the host is dead, and xhci_free_dev will ignore the return
      value, and happily dereference the NULL xhci_virt_device pointer.
      
      The fix is to make sure that xhci_check_args checks the xhci_virt_device
      pointer before it checks the host state.
      
      See https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1203453 for
      further details.  This patch doesn't solve the underlying issue, but
      will ensure we don't see any more NULL pointer dereferences because of
      the issue.
      
      This patch should be backported to kernels as old as 3.1, that
      contain the commit 7bd89b40 "xhci: Don't
      submit commands or URBs to halted hosts."
      Signed-off-by: default avatarSarah Sharp <sarah.a.sharp@linux.intel.com>
      Reported-by: default avatarVincent Thiele <vincentthiele@gmail.com>
      Cc: stable@vger.kernel.org
      203a8661
  2. 23 Jul, 2013 2 commits
    • Bjørn Mork's avatar
      usb: option: add TP-LINK MA260 · 94190301
      Bjørn Mork authored
      Signed-off-by: default avatarBjørn Mork <bjorn@mork.no>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      94190301
    • Alexandr \"Sky\" Ivanov's avatar
      USB: option: add D-Link DWM-152/C1 and DWM-156/C1 · ca247635
      Alexandr \"Sky\" Ivanov authored
      Adding support for D-Link DWM-152/C1 and DWM-156/C1 devices.
      
      DWM-152/C1:
      T:  Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  6 Spd=480 MxCh= 0
      D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
      P:  Vendor=07d1 ProdID=3e01 Rev= 0.00
      S:  Product=USB Configuration
      S:  SerialNumber=1234567890ABCDEF
      C:* #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA
      I:* If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
      E:  Ad=81(I) Atr=03(Int.) MxPS=  64 Ivl=2ms
      E:  Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms
      I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
      E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms
      I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
      E:  Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms
      I:* If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
      E:  Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms
      I:* If#= 4 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage
      E:  Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      
      DWM-156/C1:
      T:  Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  8 Spd=480 MxCh= 0
      D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
      P:  Vendor=07d1 ProdID=3e02 Rev= 0.00
      S:  Product=DataCard Device
      S:  SerialNumber=1234567890ABCDEF
      C:* #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA
      I:* If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
      E:  Ad=81(I) Atr=03(Int.) MxPS=  64 Ivl=2ms
      E:  Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms
      I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
      E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms
      I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
      E:  Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms
      I:* If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
      E:  Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms
      I:* If#= 4 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage
      E:  Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      E:  Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
      Signed-off-by: default avatarAlexandr Ivanov <alexandr.sky@gmail.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ca247635
  3. 22 Jul, 2013 7 commits
  4. 16 Jul, 2013 3 commits
    • Alan Stern's avatar
      USB: global suspend and remote wakeup don't mix · e583d9db
      Alan Stern authored
      The hub driver was recently changed to use "global" suspend for system
      suspend transitions on non-SuperSpeed buses.  This means that we don't
      suspend devices individually by setting the suspend feature on the
      upstream hub port; instead devices all go into suspend automatically
      when the root hub stops transmitting packets.  The idea was to save
      time and to avoid certain kinds of wakeup races.
      
      Now it turns out that many hubs are buggy; they don't relay wakeup
      requests from a downstream port to their upstream port if the
      downstream port's suspend feature is not set (depending on the speed
      of the downstream port, whether or not the hub is enabled for remote
      wakeup, and possibly other factors).
      
      We can't have hubs dropping wakeup requests.  Therefore this patch
      goes partway back to the old policy: It sets the suspend feature for a
      port if the device attached to that port or any of its descendants is
      enabled for wakeup.  People will still be able to benefit from the
      time savings if they don't care about wakeup and leave it disabled on
      all their devices.
      
      In order to accomplish this, the patch adds a new field to the usb_hub
      structure: wakeup_enabled_descendants is a count of how many devices
      below a suspended hub are enabled for remote wakeup.  A corresponding
      new subroutine determines the number of wakeup-enabled devices at or
      below an arbitrary suspended USB device.
      
      This should be applied to the 3.10 stable kernel.
      Signed-off-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Reported-and-tested-by: default avatarToralf Förster <toralf.foerster@gmx.de>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e583d9db
    • Alan Stern's avatar
      USB: move the definition of USB_MAXCHILDREN · 36ff66db
      Alan Stern authored
      The USB_MAXCHILDREN symbol is used in include/uapi/linux/usb/ch11.h, a
      user-mode header, even though it is defined in include/linux/usb.h,
      which is kernel-only.  This causes compile-time errors when user
      programs try to #include linux/usb/ch11.h.
      
      This patch fixes the problem by moving the definition of USB_MAXCHILDREN
      into ch11.h.  It also gets rid of unneeded parentheses.
      Signed-off-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      36ff66db
    • Greg Kroah-Hartman's avatar
      Merge tag 'fixes-for-v3.11-rc1' of... · 39c24270
      Greg Kroah-Hartman authored
      Merge tag 'fixes-for-v3.11-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/balbi/usb into usb-linus
      
      Felipe writes:
      
      usb: fixes for v3.11-rc1
      
      Quite a few changes going on here. They have been
      boot tested on OMAP5 and compile tested on ARM and x86
      with different defconfigs.
      
      Many gadget drivers got a depends on HAS_DMA in order
      to prevent build failures on !HAS_DMA architectures.
      
      DWC3 learned how to allow a gadget driver to be modprobed
      after an unsuccessful modprobe of another gadget driver. It
      also got a fix to a wrong bit mask in dwc3_event_type, and
      learns to return proper error codes from failed usb3_phy
      initialization.
      
      RNDIS function driver can now be built with configfs.
      
      at91_udc now knows that we need to prepare the clock
      before enabling it.
      
      renesas_usbhs now lets gadget drivers be modprobed
      multiple times.
      
      phy-omap-usb3 got a fix for the DPLL settings.
      
      mv_u3d_core now passes the correct cookie to free_irq().
      
      fotg210-udc got Section mismatch fixes.
      Signed-of-by: default avatarFelipe Balbi <balbi@ti.com>
      39c24270
  5. 15 Jul, 2013 16 commits
  6. 14 Jul, 2013 11 commits
    • Linus Torvalds's avatar
      Linux 3.11-rc1 · ad81f054
      Linus Torvalds authored
      ad81f054
    • Linus Torvalds's avatar
      Merge branch 'slab/for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/penberg/linux · 54be8200
      Linus Torvalds authored
      Pull slab update from Pekka Enberg:
       "Highlights:
      
        - Fix for boot-time problems on some architectures due to
          init_lock_keys() not respecting kmalloc_caches boundaries
          (Christoph Lameter)
      
        - CONFIG_SLUB_CPU_PARTIAL requested by RT folks (Joonsoo Kim)
      
        - Fix for excessive slab freelist draining (Wanpeng Li)
      
        - SLUB and SLOB cleanups and fixes (various people)"
      
      I ended up editing the branch, and this avoids two commits at the end
      that were immediately reverted, and I instead just applied the oneliner
      fix in between myself.
      
      * 'slab/for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/penberg/linux
        slub: Check for page NULL before doing the node_match check
        mm/slab: Give s_next and s_stop slab-specific names
        slob: Check for NULL pointer before calling ctor()
        slub: Make cpu partial slab support configurable
        slab: add kmalloc() to kernel API documentation
        slab: fix init_lock_keys
        slob: use DIV_ROUND_UP where possible
        slub: do not put a slab to cpu partial list when cpu_partial is 0
        mm/slub: Use node_nr_slabs and node_nr_objs in get_slabinfo
        mm/slub: Drop unnecessary nr_partials
        mm/slab: Fix /proc/slabinfo unwriteable for slab
        mm/slab: Sharing s_next and s_stop between slab and slub
        mm/slab: Fix drain freelist excessively
        slob: Rework #ifdeffery in slab.h
        mm, slab: moved kmem_cache_alloc_node comment to correct place
      54be8200
    • Steven Rostedt's avatar
      slub: Check for page NULL before doing the node_match check · c25f195e
      Steven Rostedt authored
      In the -rt kernel (mrg), we hit the following dump:
      
      BUG: unable to handle kernel NULL pointer dereference at           (null)
      IP: [<ffffffff811573f1>] kmem_cache_alloc_node+0x51/0x180
      PGD a2d39067 PUD b1641067 PMD 0
      Oops: 0000 [#1] PREEMPT SMP
      Modules linked in: sunrpc cpufreq_ondemand ipv6 tg3 joydev sg serio_raw pcspkr k8temp amd64_edac_mod edac_core i2c_piix4 e100 mii shpchp ext4 mbcache jbd2 sd_mod crc_t10dif sr_mod cdrom sata_svw ata_generic pata_acpi pata_serverworks radeon ttm drm_kms_helper drm hwmon i2c_algo_bit i2c_core dm_mirror dm_region_hash dm_log dm_mod
      CPU 3
      Pid: 20878, comm: hackbench Not tainted 3.6.11-rt25.14.el6rt.x86_64 #1 empty empty/Tyan Transport GT24-B3992
      RIP: 0010:[<ffffffff811573f1>]  [<ffffffff811573f1>] kmem_cache_alloc_node+0x51/0x180
      RSP: 0018:ffff8800a9b17d70  EFLAGS: 00010213
      RAX: 0000000000000000 RBX: 0000000001200011 RCX: ffff8800a06d8000
      RDX: 0000000004d92a03 RSI: 00000000000000d0 RDI: ffff88013b805500
      RBP: ffff8800a9b17dc0 R08: ffff88023fd14d10 R09: ffffffff81041cbd
      R10: 00007f4e3f06e9d0 R11: 0000000000000246 R12: ffff88013b805500
      R13: ffff8801ff46af40 R14: 0000000000000001 R15: 0000000000000000
      FS:  00007f4e3f06e700(0000) GS:ffff88023fd00000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
      CR2: 0000000000000000 CR3: 00000000a2d3a000 CR4: 00000000000007e0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
      Process hackbench (pid: 20878, threadinfo ffff8800a9b16000, task ffff8800a06d8000)
      Stack:
       ffff8800a9b17da0 ffffffff81202e08 ffff8800a9b17de0 000000d001200011
       0000000001200011 0000000001200011 0000000000000000 0000000000000000
       00007f4e3f06e9d0 0000000000000000 ffff8800a9b17e60 ffffffff81041cbd
      Call Trace:
       [<ffffffff81202e08>] ? current_has_perm+0x68/0x80
       [<ffffffff81041cbd>] copy_process+0xdd/0x15b0
       [<ffffffff810a2125>] ? rt_up_read+0x25/0x30
       [<ffffffff8104369a>] do_fork+0x5a/0x360
       [<ffffffff8107c66b>] ? migrate_enable+0xeb/0x220
       [<ffffffff8100b068>] sys_clone+0x28/0x30
       [<ffffffff81527423>] stub_clone+0x13/0x20
       [<ffffffff81527152>] ? system_call_fastpath+0x16/0x1b
      Code: 89 fc 89 75 cc 41 89 d6 4d 8b 04 24 65 4c 03 04 25 48 ae 00 00 49 8b 50 08 4d 8b 28 49 8b 40 10 4d 85 ed 74 12 41 83 fe ff 74 27 <48> 8b 00 48 c1 e8 3a 41 39 c6 74 1b 8b 75 cc 4c 89 c9 44 89 f2
      RIP  [<ffffffff811573f1>] kmem_cache_alloc_node+0x51/0x180
       RSP <ffff8800a9b17d70>
      CR2: 0000000000000000
      ---[ end trace 0000000000000002 ]---
      
      Now, this uses SLUB pretty much unmodified, but as it is the -rt kernel
      with CONFIG_PREEMPT_RT set, spinlocks are mutexes, although they do
      disable migration. But the SLUB code is relatively lockless, and the
      spin_locks there are raw_spin_locks (not converted to mutexes), thus I
      believe this bug can happen in mainline without -rt features. The -rt
      patch is just good at triggering mainline bugs ;-)
      
      Anyway, looking at where this crashed, it seems that the page variable
      can be NULL when passed to the node_match() function (which does not
      check if it is NULL). When this happens we get the above panic.
      
      As page is only used in slab_alloc() to check if the node matches, if
      it's NULL I'm assuming that we can say it doesn't and call the
      __slab_alloc() code. Is this a correct assumption?
      Acked-by: default avatarChristoph Lameter <cl@linux.com>
      Signed-off-by: default avatarSteven Rostedt <rostedt@goodmis.org>
      Signed-off-by: default avatarPekka Enberg <penberg@kernel.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      c25f195e
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs · 41d9884c
      Linus Torvalds authored
      Pull more vfs stuff from Al Viro:
       "O_TMPFILE ABI changes, Oleg's fput() series, misc cleanups, including
        making simple_lookup() usable for filesystems with non-NULL s_d_op,
        which allows us to get rid of quite a bit of ugliness"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
        sunrpc: now we can just set ->s_d_op
        cgroup: we can use simple_lookup() now
        efivarfs: we can use simple_lookup() now
        make simple_lookup() usable for filesystems that set ->s_d_op
        configfs: don't open-code d_alloc_name()
        __rpc_lookup_create_exclusive: pass string instead of qstr
        rpc_create_*_dir: don't bother with qstr
        llist: llist_add() can use llist_add_batch()
        llist: fix/simplify llist_add() and llist_add_batch()
        fput: turn "list_head delayed_fput_list" into llist_head
        fs/file_table.c:fput(): add comment
        Safer ABI for O_TMPFILE
      41d9884c
    • Al Viro's avatar
      sunrpc: now we can just set ->s_d_op · dae3794f
      Al Viro authored
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      dae3794f
    • Al Viro's avatar
      cgroup: we can use simple_lookup() now · 786e1448
      Al Viro authored
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      786e1448
    • Al Viro's avatar
      efivarfs: we can use simple_lookup() now · 6e8cd2cb
      Al Viro authored
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      6e8cd2cb
    • Al Viro's avatar
    • Al Viro's avatar
      configfs: don't open-code d_alloc_name() · ec193cf5
      Al Viro authored
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      ec193cf5
    • Al Viro's avatar
      __rpc_lookup_create_exclusive: pass string instead of qstr · d3db90b0
      Al Viro authored
      ... and use d_hash_and_lookup() instead of open-coding it, for fsck sake...
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      d3db90b0
    • Al Viro's avatar
      rpc_create_*_dir: don't bother with qstr · a95e691f
      Al Viro authored
      just pass the name
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      a95e691f