- 01 Jun, 2012 40 commits
-
-
Shinya Kuribayashi authored
commit 934ccec4 upstream. In commit c2344f13 (USB: gpio_vbus: add delayed vbus_session calls, 2009-01-24), usb_gadget_vbus_connect() and ...disconnect() were extracted from the interrupt handler, so to allow vbus_session handlers to deal with msleep() calls. This patch takes the approach one step further. USB2.0 specification (7.1.7.3 Connect and Disconnect Signaling) says that the USB system software (shall) provide a debounce interval with a minimum duration of 100 ms, which ensures that the electrical and mechanical connection is stable before software attempts to reset the attached device. Signed-off-by:
Shinya Kuribayashi <shinya.kuribayashi.px@renesas.com> Signed-off-by:
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
Russ Dill authored
commit 3aa2ae74 upstream. 'ARM: OMAP3: USB: Fix the EHCI ULPI PHY reset issue' (1fcb57d0) created a regression with Beagleboard xM if booting the kernel after running 'usb start' under u-boot. Finishing the reset before calling 'usb_add_hcd' fixes the regression. This is most likely due to usb_add_hcd calling the driver's reset and init functions which expect the hardware to be up and running. Signed-off-by:
Russ Dill <Russ.Dill@ti.com> Acked-by:
Felipe Balbi <balbi@ti.com> Signed-off-by:
-
Hauke Mehrtens authored
commit 8377c94f upstream. The update_device callback is not needed and the function used here is from the pci ehci driver. Without this patch we get a compile error if ehci-platform is compiled without ehci-pci. Signed-off-by:
Hauke Mehrtens <hauke@hauke-m.de> Signed-off-by:
-
Paul Zimmerman authored
commit 6a23ccd2 upstream. bMaxPacketSize0 field for super speed is a power of 2, not a count. The size itself is always 512. Max packet size for a super speed bulk endpoint is 1024, so allocate the urb size in halt_simple() accordingly. Signed-off-by:
Paul Zimmerman <paulz@synopsys.com> Acked-by:
-
Matthias Fend authored
commit eb9c5836 upstream. The out functions should only handle actual available data instead of the complete buffer. Otherwise for example the ep0_consume function will report ghost events since it tries to decode the complete buffer - which may contain partly invalid data. Signed-off-by:
Matthias Fend <matthias.fend@wolfvision.net> Acked-by:
Michal Nazarewicz <mina86@mina86.com> Signed-off-by:
-
Alan Stern authored
commit df767b71 upstream. This patch (as1553) adds an unusual_dev entrie for the Yarvik PMP400 MP4 music player. Signed-off-by:
Alan Stern <stern@rowland.harvard.edu> Reported-by:
Jesse Feddema <jdfeddema@gmail.com> Tested-by:
-
Alan Stern authored
commit 5cbe61c5 upstream. This patch (as1550) fixes a bug in the usb-serial core that affects the ftdi_sio driver and most likely others as well. The core implements suspend and resume routines, but it doesn't store pointers to those routines in the usb_driver structures that it registers, even though it does set those drivers' supports_autosuspend flag. The end result is that when one of these devices is autosuspended, we try to call through a NULL pointer. The patch fixes the problem by setting the suspend and resume method pointers to the appropriate routines in the USB serial core, along with the supports_autosuspend field, in each driver as it is registered. This should be back-ported to all the stable kernels that have the new usb_serial_register_drivers() interface. Signed-off-by:
Frank Schäfer <schaefer.frank@gmx.net> Signed-off-by:
-
Éric Piel authored
commit b69cc672 upstream. This adds VID/PID for the PI E-861. Without it, I had to do: modprobe -q ftdi-sio product=0x1008 vendor=0x1a72 http://www.physikinstrumente.com/en/products/prdetail.php?sortnr=900610Signed-off-by:
Éric Piel <piel@delmic.com> Signed-off-by:
-
Alan Cox authored
commit 1e66cded upstream. This is legitimate but because we don't clear the drv->state pointer in the unregister code causes a bogus BUG(). Resolves-bug: https://bugzilla.kernel.org/show_bug.cgi?id=42880Signed-off-by:
Alan Cox <alan@linux.intel.com> Signed-off-by:
-
Arnaud Patard authored
commit aaa10eb1 upstream. The rules used to make 8250_pci "ignore" the PCH uarts are lacking pci subids entries, preventing it to match and thus is breaking serial port support for theses systems. This has been tested on a nanoETXexpress-TT, which has a specifici uart clock. Tested-by:
Erwan Velu <Erwan.Velu@zodiacaerospace.com> [stable@: please apply to 3.0-stable, 3.2-stable and 3.3-stable] Signed-off-by:
Arnaud Patard <apatard@hupstream.com> Signed-off-by:
-
Christian Melki authored
commit f9a9111b upstream. We noticed that we were loosing data at speed less than 2400 baud. It turned out our (TI16750 compatible) uart with 64 byte outgoing fifo was truncated to 16 byte (bit 5 sets fifo len) when modifying the fcr reg. The input code still fills the buffer with 64 bytes if I remember correctly and thus data is lost. Our fix was to remove whiping of the fcr content and just add the TRIGGER_1 which we want for latency. I can't see why this would not work on less than 2400 always, for all uarts ... Otherwise one would have to make sure the filling of the fifo re-checks the current state of available fifo size (urrk). Signed-off-by:
Christian Melki <christian.melki@ericsson.se> Signed-off-by:
-
Lothar Waßmann authored
commit 8b979f7c upstream. This patch fixes a problem reported here: http://article.gmane.org/gmane.linux.ports.arm.kernel/155242/match=auartSigned-off-by:
Lothar Waßmann <LW@KARO-electronics.de> Signed-off-by:
-
Shaohua Li authored
commit b5e1b8ce upstream. A flush request is usually issued in transaction commit code path, so using GFP_KERNEL to allocate memory for flush request bio falls into the classic deadlock issue. This is suitable for any -stable kernel to which it applies as it avoids a possible deadlock. Signed-off-by:
Shaohua Li <shli@fusionio.com> Signed-off-by:
NeilBrown <neilb@suse.de> Signed-off-by:
-
Mel Gorman authored
commit 05f144a0 upstream. Dave Jones' system call fuzz testing tool "trinity" triggered the following bug error with slab debugging enabled ============================================================================= BUG numa_policy (Not tainted): Poison overwritten ----------------------------------------------------------------------------- INFO: 0xffff880146498250-0xffff880146498250. First byte 0x6a instead of 0x6b INFO: Allocated in mpol_new+0xa3/0x140 age=46310 cpu=6 pid=32154 __slab_alloc+0x3d3/0x445 kmem_cache_alloc+0x29d/0x2b0 mpol_new+0xa3/0x140 sys_mbind+0x142/0x620 system_call_fastpath+0x16/0x1b INFO: Freed in __mpol_put+0x27/0x30 age=46268 cpu=6 pid=32154 __slab_free+0x2e/0x1de kmem_cache_free+0x25a/0x260 __mpol_put+0x27/0x30 remove_vma+0x68/0x90 exit_mmap+0x118/0x140 mmput+0x73/0x110 exit_mm+0x108/0x130 do_exit+0x162/0xb90 do_group_exit+0x4f/0xc0 sys_exit_group+0x17/0x20 system_call_fastpath+0x16/0x1b INFO: Slab 0xffffea0005192600 objects=27 used=27 fp=0x (null) flags=0x20000000004080 INFO: Object 0xffff880146498250 @offset=592 fp=0xffff88014649b9d0 This implied a reference counting bug and the problem happened during mbind(). mbind() applies a new memory policy to a range and uses mbind_range() to merge existing VMAs or split them as necessary. In the event of splits, mpol_dup() will allocate a new struct mempolicy and maintain existing reference counts whose rules are documented in Documentation/vm/numa_memory_policy.txt . The problem occurs with shared memory policies. The vm_op->set_policy increments the reference count if necessary and split_vma() and vma_merge() have already handled the existing reference counts. However, policy_vma() screws it up by replacing an existing vma->vm_policy with one that potentially has the wrong reference count leading to a premature free. This patch removes the damage caused by policy_vma(). With this patch applied Dave's trinity tool runs an mbind test for 5 minutes without error. /proc/slabinfo reported that there are no numa_policy or shared_policy_node objects allocated after the test completed and the shared memory region was deleted. Signed-off-by:
Mel Gorman <mgorman@suse.de> Cc: Dave Jones <davej@redhat.com> Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com> Cc: Stephen Wilson <wilsons@start.ca> Cc: Christoph Lameter <cl@linux.com> Cc: Andrew Morton <akpm@linux-foundation.org> Signed-off-by:
Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by:
-
Tejun Heo authored
commit 544ecf31 upstream. worker_enter_idle() has WARN_ON_ONCE() which triggers if nr_running isn't zero when every worker is idle. This can trigger spuriously while a cpu is going down due to the way trustee sets %WORKER_ROGUE and zaps nr_running. It first sets %WORKER_ROGUE on all workers without updating nr_running, releases gcwq->lock, schedules, regrabs gcwq->lock and then zaps nr_running. If the last running worker enters idle inbetween, it would see stale nr_running which hasn't been zapped yet and trigger the WARN_ON_ONCE(). Fix it by performing the sanity check iff the trustee is idle. Signed-off-by:
Tejun Heo <tj@kernel.org> Reported-by:
"Paul E. McKenney" <paulmck@linux.vnet.ibm.com> Signed-off-by:
-
Bjørn Mork authored
commit 6286d85e upstream. Prevents dereferencing an invalid struct usb_interface pointer. Always delete entry from device list whether or not the rest of the device state cleanup is postponed. The device list uses desc->intf as key, and wdm_open will dereference this key while searching for a matching device. A device should not appear in the list unless probe() has succeeded and disconnect() has not finished. Cc: Oliver Neukum <oliver@neukum.org> Signed-off-by:
Bjørn Mork <bjorn@mork.no> Signed-off-by:
-
Bjørn Mork authored
commit 6b0b79d3 upstream. We cannot dereference a removed USB interface for dev_printk. Use pr_debug instead where necessary. Flush errors are expected if device is unplugged and are therefore best ingored at this point. Move the kill_urbs() call in wdm_release with dev_dbg() for the non disconnect, as we know it has already been called if WDM_DISCONNECTING is set. This does not actually fix anything, but keeps the code more consistent. Cc: Oliver Neukum <oliver@neukum.org> Signed-off-by:
-
Bjørn Mork authored
commit 616b6937 upstream. Else the poll will be restarted indefinitely in a tight loop, preventing final device cleanup. Cc: Oliver Neukum <oliver@neukum.org> Signed-off-by:
-
Oliver Neukum authored
commit 2f338c8a upstream. cleanup() is not called if the last close() comes after disconnect(). That leads to a memory leak. Rectified by checking for an earlier disconnect() in release() Signed-off-by:
Oliver Neukum <oneukum@suse.de> Signed-off-by:
-
Oliver Neukum authored
commit 24a85bae upstream. wdm_flush() returns unsanitized USB error codes. They must be cleaned up to before being anded to user space Signed-off-by:
-
Kees Cook authored
commit 591bfc6b upstream. The HOWTO document needed updating for the new kernel versioning. The git URI for -next was updated as well. Signed-off-by:
Kees Cook <keescook@chromium.org> Signed-off-by:
-
Anton Vorontsov authored
commit 484dd30e upstream. This is a longstanding bug, almost unnoticeable when calling persistent_ram_write() for small buffers. But when called for large data buffers, the write routine behaves incorrectly, as the size may never update: instead of clamping the size to the maximum buffer size, buffer_size_add_clamp() returns an error (which is never checked by the write routine, btw). To fix this, we now use buffer_size_add() that actually clamps the size to the max value. Also remove buffer_size_add_clamp(), it is no longer needed. Signed-off-by:
Anton Vorontsov <anton.vorontsov@linaro.org> Acked-by:
Colin Cross <ccross@android.com> Signed-off-by:
-
Richard Weinberger authored
commit f15b9000 upstream. UML uses the _PAGE_NEWPAGE flag to mark pages which are not jet installed on the host side using mmap(). pte_same() has to ignore this flag, otherwise unuse_pte_range() is unable to unuse the page because two identical page tables entries with different _PAGE_NEWPAGE flags would not match and swapoff() would never return. Analyzed-by:
Hugh Dickins <hughd@google.com> Signed-off-by:
Richard Weinberger <richard@nod.at> Signed-off-by:
-
Richard Weinberger authored
commit 2b76ebaa upstream. The current __swp_type() function uses a too small bitshift. Using more than one swap files causes bad pages because the type bits clash with other page flags. Analyzed-by:
-
Jonathan Nieder authored
commit 44d27f7d upstream. On big-endian systems (e.g., Apple PowerBook), trying to use a logitech wireless mouse with the Logitech Unifying Receiver does not work with v3.2 and later kernels. The device doesn't show up in /dev/input. Older kernels work fine. That is because the new hid-logitech-dj driver claims the device. The device arrival notification appears: 20 00 41 02 00 00 00 00 00 00 00 00 00 00 00 and we read the report_types bitfield (02 00 00 00) to find out what kind of device it is. Unfortunately the driver only reads the first 8 bits and treats that value as a 32-bit little-endian number, so on a powerpc the report type seems to be 0x02000000 and is not recognized. Even on little-endian machines, connecting a media center remote control (report type 00 01 00 00) with this driver loaded would presumably fail for the same reason. Fix both problems by using get_unaligned_le32() to read all four bytes, which is a little clearer anyway. After this change, the wireless mouse works on Hugo's PowerBook again. Based on a patch by Nestor Lopez Casado. Addresses http://bugs.debian.org/671292Reported-by:
Hugo Osvaldo Barrera <hugo@osvaldobarrera.com.ar> Inspired-by:
Nestor Lopez Casado <nlopezcasad@logitech.com> Signed-off-by:
Jonathan Nieder <jrnieder@gmail.com> Signed-off-by:
Jiri Kosina <jkosina@suse.cz> Signed-off-by:
-
Oliver Neukum authored
commit 8815bb09 upstream. On some HCDs usb_unlink_urb() can directly call the completion handler. That limits the spinlocks that can be taken in the handler to locks not held while calling usb_unlink_urb() To prevent a race with resubmission, this patch exposes usbcore's infrastructure for blocking submission, uses it and so drops the lock without causing a race in usbhid. Signed-off-by:
-
David Herrmann authored
commit 74b89e8a upstream. We incorrectly parse incoming IR data. The extra byte contains the upper bits and not the lower bits of the x/y coordinates. User-space expects absolute position data from us so this patch does not break existing applications. On the contrary, it extends the virtual view and fixes garbage reports for margin areas of the virtual screen. Reported-by:
Peter Bukovsky <bukovsky.peter@gmail.com> Signed-off-by:
David Herrmann <dh.herrmann@googlemail.com> Signed-off-by:
-
Robert Richter authored
commit 5bcdf5e4 upstream. This update is for newer family 15h cpu models from 0x02 to 0x1f. Signed-off-by:
Robert Richter <robert.richter@amd.com> Acked-by:
Peter Zijlstra <peterz@infradead.org> Cc: Stephane Eranian <eranian@google.com> Link: http://lkml.kernel.org/r/1337337642-1621-1-git-send-email-robert.richter@amd.comSigned-off-by:
Ingo Molnar <mingo@kernel.org> Signed-off-by:
-
Julia Lawall authored
commit abae41e6 upstream. aux_free is freed on all other exits from the function. By removing the return, we can benefit from the vfree already at the end of the function. Signed-off-by:
Julia Lawall <Julia.Lawall@lip6.fr> Signed-off-by:
-
Yishai Hadas authored
commit c4870eb8 upstream. Commit bc3e53f6 ("mm: distinguish between mlocked and pinned pages") introduced a separate counter for pinned pages and used it in the IB stack. However, in ib_umem_get() the pinned counter is incremented, but ib_umem_release() wrongly decrements the locked counter. Fix this. Signed-off-by:
Yishai Hadas <yishaih@mellanox.com> Reviewed-by:
Christoph Lameter <cl@linux.com> Signed-off-by:
Roland Dreier <roland@purestorage.com> Signed-off-by:
-
Laurent Pinchart authored
commit 72c04af9 upstream. When using the MERAM the LCDC line size needs to be programmed with a MERAM-specific value different than the real frame buffer pitch. Fix it. Reported-by:
Guennadi Liakhovetski <g.liakhovetski@gmx.de> Signed-off-by:
Laurent Pinchart <laurent.pinchart@ideasonboard.com> Acked-by:
Florian Tobias Schandinat <FlorianSchandinat@gmx.de> Signed-off-by:
-
Eric Paris authored
commit 154c50ca upstream. We reset the bool names and values array to NULL, but do not reset the number of entries in these arrays to 0. If we error out and then get back into this function we will walk these NULL pointers based on the belief that they are non-zero length. Signed-off-by:
Eric Paris <eparis@redhat.com> Signed-off-by:
-
David Howells authored
commit 45de6767 upstream. Use the 32-bit compat keyctl() syscall wrapper on Sparc64 for Sparc32 binary compatibility. Without this, keyctl(KEYCTL_INSTANTIATE_IOV) is liable to malfunction as it uses an iovec array read from userspace - though the kernel should survive this as it checks pointers and sizes anyway. I think all the other keyctl() function should just work, provided (a) the top 32-bits of each 64-bit argument register are cleared prior to invoking the syscall routine, and the 32-bit address space is right at the 0-end of the 64-bit address space. Most of the arguments are 32-bit anyway, and so for those clearing is not required. Signed-off-by: David Howells <dhowells@redhat.com cc: "David S. Miller" <davem@davemloft.net> cc: sparclinux@vger.kernel.org Signed-off-by:
-
Thomas Gleixner authored
commit 9cd75e13 upstream. commit 771dae81 (powerpc/cpuidle: Add cpu_idle_wait() to allow switching of idle routines) implemented cpu_idle_wait() for powerpc. The changelog says: "The equivalent routine for x86 is in arch/x86/kernel/process.c but the powerpc implementation is different.": Unfortunately the changelog is completely useless as it does not tell _WHY_ it is different. Aside of being different the implementation is patently wrong. The rescheduling IPI is async. That means that there is no guarantee, that the other cores have executed the IPI when cpu_idle_wait() returns. But that's the whole purpose of this function: to guarantee that no CPU uses the old idle handler anymore. Use the smp_functional_call() based implementation, which fulfils the requirements. [ This code is going to replaced by a core version to remove all the pointless copies in arch/*, but this one should go to stable ] Signed-off-by:
Thomas Gleixner <tglx@linutronix.de> Acked-by:
Benjamin Herrenschmidt <benh@kernel.crashing.org> Link: http://lkml.kernel.org/r/20120507175651.980164748@linutronix.deSigned-off-by:
-
Steve Wise authored
commit 14b92228 upstream. Log a warning and drop the abort message. Otherwise we will do a bogus wake_up() and crash. Signed-off-by:
Steve Wise <swise@opengridcomputing.com> Signed-off-by:
-
Steve Wise authored
commit bd61baaf upstream. Function import_ep() is incorrectly using ep->dst instead of the dst ptr passed in. This causes a crash when accepting new rdma connections becase ep->dst is not initialized yet. Signed-off-by:
-
Steve Wise authored
commit 0f1dcfae upstream. This fixes a race where an ingress abort fails to wake up the thread blocked in rdma_init() causing the app to hang. Signed-off-by:
-
Dan Williams authored
commit fc25f79a upstream. OEM parameters [1] are parsed from the platform option-rom / efi driver. By default the driver was validating the parameters for the dual-controller case, but in single-controller case only the first set of parameters may be valid. Limit the validation to the number of actual controllers detected otherwise the driver may fail to parse the valid parameters leading to driver-load or runtime failures. [1] the platform specific set of phy address, configuration,and analog tuning values Reported-by:
Dave Jiang <dave.jiang@intel.com> Tested-by:
Dan Williams <dan.j.williams@intel.com> Signed-off-by:
-
nagalakshmi.nandigama@lsi.com authored
commit e42fafc2 upstream. The ioc->pfacts member in the IOC structure is getting set to zero following a call to _base_get_ioc_facts due to the memset in that routine. So if the ioc->pfacts was read after a host reset, there would be a NULL pointer dereference. The routine _base_get_ioc_facts is called from context of host reset. The problem in _base_get_ioc_facts is the size of Mpi2IOCFactsReply is 64, whereas the sizeof "struct mpt2sas_facts" is 60, so there is a four byte overflow resulting from the memset. Also, there is memset in _base_get_port_facts using the incorrect structure, it should be "struct mpt2sas_port_facts" instead of Mpi2PortFactsReply. Signed-off-by:
Nagalakshmi Nandigama <nagalakshmi.nandigama@lsi.com> Signed-off-by:
James Bottomley <JBottomley@Parallels.com> Signed-off-by:
-
Heiko Carstens authored
commit d5e50a51 upstream. When setting the current task state to TASK_UNINTERRUPTIBLE this can race with a different cpu. The other cpu could set the task state after it inspected it (while it was still TASK_RUNNING) to TASK_RUNNING which would change the state from TASK_UNINTERRUPTIBLE to TASK_RUNNING again. This race was always present in the pfault interrupt code but didn't cause anything harmful before commit f2db2e6c "[S390] pfault: cpu hotplug vs missing completion interrupts" which relied on the fact that after setting the task state to TASK_UNINTERRUPTIBLE the task would really sleep. Since this is not necessarily the case the result may be a list corruption of the pfault_list or, as observed, a use-after-free bug while trying to access the task_struct of a task which terminated itself already. To fix this, we need to get a reference of the affected task when receiving the initial pfault interrupt and add special handling if we receive yet another initial pfault interrupt when the task is already enqueued in the pfault list. Signed-off-by:
Heiko Carstens <heiko.carstens@de.ibm.com> Reviewed-by:
Martin Schwidefsky <schwidefsky@de.ibm.com> Signed-off-by:
-
