From 9d02b42614149ebccf12c9c580601ed01bd83070 Mon Sep 17 00:00:00 2001 From: Michal Sojka Date: Tue, 15 Mar 2011 16:41:47 +0100 Subject: USB: Do not pass negative length to snoop_urb() When `echo Y > /sys/module/usbcore/parameters/usbfs_snoop` and usb_control_msg() returns error, a lot of kernel memory is dumped to dmesg until unhandled kernel paging request occurs. Signed-off-by: Michal Sojka Cc: stable@kernel.org Signed-off-by: Greg Kroah-Hartman --- drivers/usb/core/devio.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'drivers/usb') diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c index a7131ad630f..37518dfdeb9 100644 --- a/drivers/usb/core/devio.c +++ b/drivers/usb/core/devio.c @@ -802,7 +802,7 @@ static int proc_control(struct dev_state *ps, void __user *arg) tbuf, ctrl.wLength, tmo); usb_lock_device(dev); snoop_urb(dev, NULL, pipe, max(i, 0), min(i, 0), COMPLETE, - tbuf, i); + tbuf, max(i, 0)); if ((i > 0) && ctrl.wLength) { if (copy_to_user(ctrl.data, tbuf, i)) { free_page((unsigned long)tbuf); -- cgit v1.2.3-70-g09d2 From b5a3b3d985493c173925907adfebf3edab236fe7 Mon Sep 17 00:00:00 2001 From: Alan Stern Date: Wed, 16 Mar 2011 10:57:15 -0400 Subject: ehci-hcd: Bug fix: don't set a QH's Halt bit This patch (as1453) fixes a long-standing bug in the ehci-hcd driver. There is no need to set the Halt bit in the overlay region for an unlinked or blocked QH. Contrary to what the comment says, setting the Halt bit does not cause the QH to be patched later; that decision (made in qh_refresh()) depends only on whether the QH is currently pointing to a valid qTD. Likewise, setting the Halt bit does not prevent completions from activating the QH while it is "stopped"; they are prevented by the fact that qh_completions() temporarily changes qh->qh_state to QH_STATE_COMPLETING. On the other hand, there are circumstances in which the QH will be reactivated _without_ being patched; this happens after an URB beyond the head of the queue is unlinked. Setting the Halt bit will then cause the hardware to see the QH with both the Active and Halt bits set, an invalid combination that will prevent the queue from advancing and may even crash some controllers. Apparently the only reason this hasn't been reported before is that unlinking URBs from the middle of a running queue is quite uncommon. However Test 17, recently added to the usbtest driver, does exactly this, and it confirms the presence of the bug. In short, there is no reason to set the Halt bit for an unlinked or blocked QH, and there is a very good reason not to set it. Therefore the code that sets it is removed. Signed-off-by: Alan Stern Tested-by: Andiry Xu CC: David Brownell CC: Signed-off-by: Greg Kroah-Hartman --- drivers/usb/host/ehci-q.c | 12 ------------ 1 file changed, 12 deletions(-) (limited to 'drivers/usb') diff --git a/drivers/usb/host/ehci-q.c b/drivers/usb/host/ehci-q.c index fe99895fb09..98ded66e8d3 100644 --- a/drivers/usb/host/ehci-q.c +++ b/drivers/usb/host/ehci-q.c @@ -315,7 +315,6 @@ qh_completions (struct ehci_hcd *ehci, struct ehci_qh *qh) int stopped; unsigned count = 0; u8 state; - const __le32 halt = HALT_BIT(ehci); struct ehci_qh_hw *hw = qh->hw; if (unlikely (list_empty (&qh->qtd_list))) @@ -422,7 +421,6 @@ qh_completions (struct ehci_hcd *ehci, struct ehci_qh *qh) && !(qtd->hw_alt_next & EHCI_LIST_END(ehci))) { stopped = 1; - goto halt; } /* stop scanning when we reach qtds the hc is using */ @@ -456,16 +454,6 @@ qh_completions (struct ehci_hcd *ehci, struct ehci_qh *qh) */ ehci_clear_tt_buffer(ehci, qh, urb, token); } - - /* force halt for unlinked or blocked qh, so we'll - * patch the qh later and so that completions can't - * activate it while we "know" it's stopped. - */ - if ((halt & hw->hw_token) == 0) { -halt: - hw->hw_token |= halt; - wmb (); - } } /* unless we already know the urb's status, collect qtd status -- cgit v1.2.3-70-g09d2 From 5f1e8ce75c19b0433aba6e0ea28937f1ee5d849e Mon Sep 17 00:00:00 2001 From: Hema HK Date: Thu, 17 Mar 2011 16:11:58 +0530 Subject: usb: musb: Fix for merge issue There was conflict while merging 2 patches. Enabling vbus code is wrongly moved to error check if loop. This is a fix to resolve the merge issue. Signed-off-by: Hema HK Cc: Felipe Balbi Signed-off-by: Greg Kroah-Hartman --- drivers/usb/musb/musb_gadget.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'drivers/usb') diff --git a/drivers/usb/musb/musb_gadget.c b/drivers/usb/musb/musb_gadget.c index 5c7b321d395..98519c5d8b5 100644 --- a/drivers/usb/musb/musb_gadget.c +++ b/drivers/usb/musb/musb_gadget.c @@ -1880,12 +1880,12 @@ int usb_gadget_probe_driver(struct usb_gadget_driver *driver, if (retval < 0) { DBG(1, "add_hcd failed, %d\n", retval); goto err2; - - if ((musb->xceiv->last_event == USB_EVENT_ID) - && musb->xceiv->set_vbus) - otg_set_vbus(musb->xceiv, 1); } + if ((musb->xceiv->last_event == USB_EVENT_ID) + && musb->xceiv->set_vbus) + otg_set_vbus(musb->xceiv, 1); + hcd->self.uses_pio_for_control = 1; if (musb->xceiv->last_event == USB_EVENT_NONE) -- cgit v1.2.3-70-g09d2 From 417ddf86c8c499fada439b8ee89bb4c6f282ed6c Mon Sep 17 00:00:00 2001 From: Mike Frysinger Date: Tue, 22 Mar 2011 14:43:37 -0400 Subject: usb: musb: blackfin: fix typo in platform driver name The modularization of the Blackfin driver set the name to "musb-blackfin" in all the boards, but "musb-bfin" in the driver itself. Since the driver file name uses "blackfin", change the driver to "musb-blackfin". This is also easier as it's only one file to change. Cc: stable@kernel.org Signed-off-by: Mike Frysinger Signed-off-by: Greg Kroah-Hartman --- drivers/usb/musb/blackfin.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'drivers/usb') diff --git a/drivers/usb/musb/blackfin.c b/drivers/usb/musb/blackfin.c index 9d49d1cd7ce..5da9ef8ff31 100644 --- a/drivers/usb/musb/blackfin.c +++ b/drivers/usb/musb/blackfin.c @@ -548,7 +548,7 @@ static struct dev_pm_ops bfin_pm_ops = { static struct platform_driver bfin_driver = { .remove = __exit_p(bfin_remove), .driver = { - .name = "musb-bfin", + .name = "musb-blackfin", .pm = DEV_PM_OPS, }, }; -- cgit v1.2.3-70-g09d2 From 8f7e7b87ec7c3202941ef2770bacd353ab93368b Mon Sep 17 00:00:00 2001 From: Bob Liu Date: Mon, 21 Mar 2011 14:06:31 -0400 Subject: usb: musb: blackfin: fix typo in new dev_pm_ops struct Cc: stable@kernel.org Signed-off-by: Bob Liu Signed-off-by: Mike Frysinger Signed-off-by: Greg Kroah-Hartman --- drivers/usb/musb/blackfin.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'drivers/usb') diff --git a/drivers/usb/musb/blackfin.c b/drivers/usb/musb/blackfin.c index 5da9ef8ff31..7843333b619 100644 --- a/drivers/usb/musb/blackfin.c +++ b/drivers/usb/musb/blackfin.c @@ -540,7 +540,7 @@ static struct dev_pm_ops bfin_pm_ops = { .resume = bfin_resume, }; -#define DEV_PM_OPS &bfin_pm_op, +#define DEV_PM_OPS &bfin_pm_ops #else #define DEV_PM_OPS NULL #endif -- cgit v1.2.3-70-g09d2 From 45567c28d29a8766a67c53f898d502aef71b7ef0 Mon Sep 17 00:00:00 2001 From: Mike Frysinger Date: Mon, 21 Mar 2011 14:06:32 -0400 Subject: usb: musb: blackfin: fix typo in new bfin_musb_vbus_status func The common code has a "get" in the middle, but each implementation does not have it. Cc: stable@kernel.org Signed-off-by: Mike Frysinger Signed-off-by: Greg Kroah-Hartman --- drivers/usb/musb/blackfin.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'drivers/usb') diff --git a/drivers/usb/musb/blackfin.c b/drivers/usb/musb/blackfin.c index 7843333b619..52312e8af21 100644 --- a/drivers/usb/musb/blackfin.c +++ b/drivers/usb/musb/blackfin.c @@ -322,7 +322,7 @@ static void bfin_musb_try_idle(struct musb *musb, unsigned long timeout) mod_timer(&musb_conn_timer, jiffies + TIMER_DELAY); } -static int bfin_musb_get_vbus_status(struct musb *musb) +static int bfin_musb_vbus_status(struct musb *musb) { return 0; } -- cgit v1.2.3-70-g09d2 From adaa3c6342b249548ea830fe8e02aa5b45be8688 Mon Sep 17 00:00:00 2001 From: Peter Holik Date: Fri, 18 Mar 2011 18:47:44 +0100 Subject: USB: uss720 fixup refcount position My testprog do a lot of bitbang - after hours i got following warning and my machine lockups: WARNING: at /build/buildd/linux-2.6.38/lib/kref.c:34 After debugging uss720 driver i discovered that the completion callback was called before usb_submit_urb returns. The callback frees the request structure that is krefed on return by usb_submit_urb. Signed-off-by: Peter Holik Acked-by: Thomas Sailer Cc: stable Signed-off-by: Greg Kroah-Hartman --- drivers/usb/misc/uss720.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) (limited to 'drivers/usb') diff --git a/drivers/usb/misc/uss720.c b/drivers/usb/misc/uss720.c index f7a20573803..8b1d94a7691 100644 --- a/drivers/usb/misc/uss720.c +++ b/drivers/usb/misc/uss720.c @@ -177,12 +177,11 @@ static struct uss720_async_request *submit_async_request(struct parport_uss720_p spin_lock_irqsave(&priv->asynclock, flags); list_add_tail(&rq->asynclist, &priv->asynclist); spin_unlock_irqrestore(&priv->asynclock, flags); + kref_get(&rq->ref_count); ret = usb_submit_urb(rq->urb, mem_flags); - if (!ret) { - kref_get(&rq->ref_count); + if (!ret) return rq; - } - kref_put(&rq->ref_count, destroy_async); + destroy_async(&rq->ref_count); err("submit_async_request submit_urb failed with %d", ret); return NULL; } -- cgit v1.2.3-70-g09d2 From 97ac01d8f1b8d1c9e5af32c2813ba771835961f9 Mon Sep 17 00:00:00 2001 From: Oliver Neukum Date: Fri, 18 Mar 2011 12:44:17 +0100 Subject: usb: wwan: fix compilation without CONFIG_PM_RUNTIME The pm usage counter must be accessed with the proper wrappers to allow compilation under all configurations. Signed-off-by: Oliver Neukum Reported-by: Eric Dumazet Reported-by: Tao Ma Signed-off-by: Greg Kroah-Hartman --- drivers/usb/serial/usb_wwan.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'drivers/usb') diff --git a/drivers/usb/serial/usb_wwan.c b/drivers/usb/serial/usb_wwan.c index a65ddd54386..e4fad5e643d 100644 --- a/drivers/usb/serial/usb_wwan.c +++ b/drivers/usb/serial/usb_wwan.c @@ -698,8 +698,7 @@ static void play_delayed(struct usb_serial_port *port) /* we have to throw away the rest */ do { unbusy_queued_urb(urb, portdata); - //extremely dirty - atomic_dec(&port->serial->interface->dev.power.usage_count); + usb_autopm_put_interface_no_suspend(port->serial->interface); } while ((urb = usb_get_from_anchor(&portdata->delayed))); break; } -- cgit v1.2.3-70-g09d2 From 878b753e32ca765cd346a5d3038d630178ec78ff Mon Sep 17 00:00:00 2001 From: Robert Lukassen Date: Wed, 16 Mar 2011 12:13:34 +0100 Subject: USB: Fix 'bad dma' problem on WDM device disconnect In the WDM class driver a disconnect event leads to calls to usb_free_coherent to put back two USB DMA buffers allocated earlier. The call to usb_free_coherent uses a different size parameter (desc->wMaxCommand) than the corresponding call to usb_alloc_coherent (desc->bMaxPacketSize0). When a disconnect event occurs, this leads to 'bad dma' complaints from usb core because the USB DMA buffer is being pushed back to the 'buffer-2048' pool from which it has not been allocated. This patch against the most recent linux-2.6 kernel ensures that the parameters used by usb_alloc_coherent & usb_free_coherent calls in cdc-wdm.c match. Signed-off-by: Robert Lukassen Cc: stable Signed-off-by: Greg Kroah-Hartman --- drivers/usb/class/cdc-wdm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'drivers/usb') diff --git a/drivers/usb/class/cdc-wdm.c b/drivers/usb/class/cdc-wdm.c index 47085e5879a..a97c018dd41 100644 --- a/drivers/usb/class/cdc-wdm.c +++ b/drivers/usb/class/cdc-wdm.c @@ -281,7 +281,7 @@ static void cleanup(struct wdm_device *desc) desc->sbuf, desc->validity->transfer_dma); usb_free_coherent(interface_to_usbdev(desc->intf), - desc->wMaxCommand, + desc->bMaxPacketSize0, desc->inbuf, desc->response->transfer_dma); kfree(desc->orq); -- cgit v1.2.3-70-g09d2 From 23b80550e2aa61d0ba3af98b831b9195be0db9ee Mon Sep 17 00:00:00 2001 From: Johan Hovold Date: Tue, 22 Mar 2011 11:12:09 +0100 Subject: USB: cdc-acm: fix memory corruption / panic Prevent read urbs from being resubmitted from tasklet after port close. The receive tasklet was not disabled on port close, which could lead to corruption of receive lists on consecutive port open. In particular, read urbs could be re-submitted before port open, added to free list in open, and then added a second time to the free list in the completion handler. cdc-acm.c: Entering acm_tty_open. cdc-acm.c: acm_control_msg: rq: 0x22 val: 0x3 len: 0x0 result: 0 cdc-acm.c: Entering acm_rx_tasklet cdc-acm.c: acm_rx_tasklet: sending urb 0xf50da280, rcv 0xf57fbc24, buf 0xf57fbd64 cdc-acm.c: set line: 115200 0 0 8 cdc-acm.c: acm_control_msg: rq: 0x20 val: 0x0 len: 0x7 result: 7 cdc-acm.c: acm_tty_close cdc-acm.c: acm_port_down cdc-acm.c: acm_control_msg: rq: 0x22 val: 0x0 len: 0x0 result: 0 cdc-acm.c: acm_ctrl_irq - urb shutting down with status: -2 cdc-acm.c: acm_rx_tasklet: sending urb 0xf50da300, rcv 0xf57fbc10, buf 0xf57fbd50 cdc-acm.c: Entering acm_read_bulk with status -2 cdc_acm 4-1:1.1: Aborting, acm not ready cdc-acm.c: Entering acm_read_bulk with status -2 cdc_acm 4-1:1.1: Aborting, acm not ready cdc-acm.c: acm_rx_tasklet: sending urb 0xf50da380, rcv 0xf57fbbfc, buf 0xf57fbd3c cdc-acm.c: acm_rx_tasklet: sending urb 0xf50da400, rcv 0xf57fbbe8, buf 0xf57fbd28 cdc-acm.c: acm_rx_tasklet: sending urb 0xf50da480, rcv 0xf57fbbd4, buf 0xf57fbd14 cdc-acm.c: acm_rx_tasklet: sending urb 0xf50da900, rcv 0xf57fbbc0, buf 0xf57fbd00 cdc-acm.c: acm_rx_tasklet: sending urb 0xf50da980, rcv 0xf57fbbac, buf 0xf57fbcec cdc-acm.c: acm_rx_tasklet: sending urb 0xf50daa00, rcv 0xf57fbb98, buf 0xf57fbcd8 cdc-acm.c: acm_rx_tasklet: sending urb 0xf50daa80, rcv 0xf57fbb84, buf 0xf57fbcc4 cdc-acm.c: acm_rx_tasklet: sending urb 0xf50dab00, rcv 0xf57fbb70, buf 0xf57fbcb0 cdc-acm.c: acm_rx_tasklet: sending urb 0xf50dab80, rcv 0xf57fbb5c, buf 0xf57fbc9c cdc-acm.c: acm_rx_tasklet: sending urb 0xf50dac00, rcv 0xf57fbb48, buf 0xf57fbc88 cdc-acm.c: acm_rx_tasklet: sending urb 0xf50dac80, rcv 0xf57fbb34, buf 0xf57fbc74 cdc-acm.c: acm_rx_tasklet: sending urb 0xf50dad00, rcv 0xf57fbb20, buf 0xf57fbc60 cdc-acm.c: acm_rx_tasklet: sending urb 0xf50dad80, rcv 0xf57fbb0c, buf 0xf57fbc4c cdc-acm.c: acm_rx_tasklet: sending urb 0xf50da880, rcv 0xf57fbaf8, buf 0xf57fbc38 cdc-acm.c: Entering acm_tty_open. cdc-acm.c: acm_control_msg: rq: 0x22 val: 0x3 len: 0x0 result: 0 cdc-acm.c: Entering acm_rx_tasklet cdc-acm.c: acm_rx_tasklet: sending urb 0xf50da280, rcv 0xf57fbc24, buf 0xf57fbd64 cdc-acm.c: Entering acm_tty_write to write 3 bytes, cdc-acm.c: Get 3 bytes... cdc-acm.c: acm_write_start susp_count: 0 cdc-acm.c: Entering acm_read_bulk with status 0 ------------[ cut here ]------------ WARNING: at /home/johan/src/linux/linux-2.6/lib/list_debug.c:57 list_del+0x10c/0x120() Hardware name: Vostro 1520 list_del corruption. next->prev should be f57fbc10, but was f57fbaf8 Modules linked in: cdc_acm Pid: 3, comm: ksoftirqd/0 Not tainted 2.6.37+ #39 Call Trace: [] warn_slowpath_common+0x72/0xa0 [] ? list_del+0x10c/0x120 [] ? list_del+0x10c/0x120 [] warn_slowpath_fmt+0x33/0x40 [] list_del+0x10c/0x120 [] acm_rx_tasklet+0xef/0x3e0 [cdc_acm] [] ? net_rps_action_and_irq_enable+0x6d/0x80 [] tasklet_action+0xe6/0x140 [] __do_softirq+0xaf/0x210 [] ? __do_softirq+0x0/0x210 [] ? run_ksoftirqd+0x8a/0x1c0 [] ? run_ksoftirqd+0x0/0x1c0 [] ? kthread+0x74/0x80 [] ? kthread+0x0/0x80 [] ? kernel_thread_helper+0x6/0x10 ---[ end trace efd9a11434f0082e ]--- ------------[ cut here ]------------ WARNING: at /home/johan/src/linux/linux-2.6/lib/list_debug.c:57 list_del+0x10c/0x120() Hardware name: Vostro 1520 list_del corruption. next->prev should be f57fbd50, but was f57fbdb0 Modules linked in: cdc_acm Pid: 3, comm: ksoftirqd/0 Tainted: G W 2.6.37+ #39 Call Trace: [] warn_slowpath_common+0x72/0xa0 [] ? list_del+0x10c/0x120 [] ? list_del+0x10c/0x120 [] warn_slowpath_fmt+0x33/0x40 [] list_del+0x10c/0x120 [] acm_rx_tasklet+0x106/0x3e0 [cdc_acm] [] ? net_rps_action_and_irq_enable+0x6d/0x80 [] tasklet_action+0xe6/0x140 [] __do_softirq+0xaf/0x210 [] ? __do_softirq+0x0/0x210 [] ? run_ksoftirqd+0x8a/0x1c0 [] ? run_ksoftirqd+0x0/0x1c0 [] ? kthread+0x74/0x80 [] ? kthread+0x0/0x80 [] ? kernel_thread_helper+0x6/0x10 ---[ end trace efd9a11434f0082f ]--- cdc-acm.c: acm_rx_tasklet: sending urb 0xf50da300, rcv 0xf57fbc10, buf 0xf57fbd50 cdc-acm.c: disconnected from network cdc-acm.c: acm_rx_tasklet: sending urb 0xf50da380, rcv 0xf57fbbfc, buf 0xf57fbd3c cdc-acm.c: Entering acm_rx_tasklet ------------[ cut here ]------------ WARNING: at /home/johan/src/linux/linux-2.6/lib/list_debug.c:48 list_del+0xd5/0x120() Hardware name: Vostro 1520 list_del corruption, next is LIST_POISON1 (00100100) Modules linked in: cdc_acm Pid: 3, comm: ksoftirqd/0 Tainted: G W 2.6.37+ #39 Call Trace: [] warn_slowpath_common+0x72/0xa0 [] ? list_del+0xd5/0x120 [] ? list_del+0xd5/0x120 [] warn_slowpath_fmt+0x33/0x40 [] list_del+0xd5/0x120 [] acm_rx_tasklet+0x2dc/0x3e0 [cdc_acm] [] ? trace_hardirqs_on+0xb/0x10 [] ? tasklet_action+0x60/0x140 [] tasklet_action+0xe6/0x140 [] __do_softirq+0xaf/0x210 [] ? __do_softirq+0x0/0x210 [] ? run_ksoftirqd+0x8a/0x1c0 [] ? run_ksoftirqd+0x0/0x1c0 [] ? kthread+0x74/0x80 [] ? kthread+0x0/0x80 [] ? kernel_thread_helper+0x6/0x10 ---[ end trace efd9a11434f00830 ]--- BUG: unable to handle kernel paging request at 00200200 IP: [] list_del+0x1d/0x120 *pde = 00000000 Oops: 0000 [#1] PREEMPT SMP last sysfs file: /sys/devices/pci0000:00/0000:00:1a.1/usb4/4-1/4-1:1.0/tty/ttyACM0/uevent Modules linked in: cdc_acm Pid: 3, comm: ksoftirqd/0 Tainted: G W 2.6.37+ #39 0T816J/Vostro 1520 EIP: 0060:[] EFLAGS: 00010046 CPU: 0 EIP is at list_del+0x1d/0x120 EAX: f57fbd3c EBX: f57fb800 ECX: ffff8000 EDX: 00200200 ESI: f57fbe90 EDI: f57fbd3c EBP: f600bf54 ESP: f600bf3c DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068 Process ksoftirqd/0 (pid: 3, ti=f600a000 task=f60791c0 task.ti=f6082000) Stack: c1527e84 00000030 c1527e54 00100100 f57fb800 f57fbd3c f600bf98 f8051fac f8053104 f8052b94 f600bf6c c106dbab f600bf80 00000286 f60791c0 c1042b30 f57fbda8 f57f5800 f57fbdb0 f57fbd80 f57fbe7c c1656b04 00000000 f600bfb0 Call Trace: [] ? acm_rx_tasklet+0x2dc/0x3e0 [cdc_acm] [] ? trace_hardirqs_on+0xb/0x10 [] ? tasklet_action+0x60/0x140 [] ? tasklet_action+0xe6/0x140 [] ? __do_softirq+0xaf/0x210 [] ? __do_softirq+0x0/0x210 [] ? run_ksoftirqd+0x8a/0x1c0 [] ? run_ksoftirqd+0x0/0x1c0 [] ? kthread+0x74/0x80 [] ? kthread+0x0/0x80 [] ? kernel_thread_helper+0x6/0x10 Code: ff 48 14 e9 57 ff ff ff 90 90 90 90 90 90 55 89 e5 83 ec 18 81 38 00 01 10 00 0f 84 9c 00 00 00 8b 50 04 81 fa 00 02 20 00 74 33 <8b> 12 39 d0 75 5c 8b 10 8b 4a 04 39 c8 0f 85 b5 00 00 00 8b 48 EIP: [] list_del+0x1d/0x120 SS:ESP 0068:f600bf3c CR2: 0000000000200200 ---[ end trace efd9a11434f00831 ]--- Kernel panic - not syncing: Fatal exception in interrupt Pid: 3, comm: ksoftirqd/0 Tainted: G D W 2.6.37+ #39 Call Trace: [] ? printk+0x1d/0x24 [] panic+0x66/0x15c [] oops_end+0x8f/0x90 [] no_context+0xc6/0x160 [] __bad_area_nosemaphore+0x98/0x140 [] ? release_console_sem+0x1d8/0x210 [] bad_area_nosemaphore+0x17/0x20 [] do_page_fault+0x279/0x420 [] ? show_trace+0x1f/0x30 [] ? printk+0x1d/0x24 [] ? do_page_fault+0x0/0x420 [] error_code+0x5f/0x64 [] ? select_task_rq_fair+0x37b/0x6a0 [] ? do_page_fault+0x0/0x420 [] ? list_del+0x1d/0x120 [] acm_rx_tasklet+0x2dc/0x3e0 [cdc_acm] [] ? trace_hardirqs_on+0xb/0x10 [] ? tasklet_action+0x60/0x140 [] tasklet_action+0xe6/0x140 [] __do_softirq+0xaf/0x210 [] ? __do_softirq+0x0/0x210 [] ? run_ksoftirqd+0x8a/0x1c0 [] ? run_ksoftirqd+0x0/0x1c0 [] ? kthread+0x74/0x80 [] ? kthread+0x0/0x80 [] ? kernel_thread_helper+0x6/0x10 panic occurred, switching back to text console ------------[ cut here ]------------ Cc: stable Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman --- drivers/usb/class/cdc-acm.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'drivers/usb') diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c index f492a7f2b6e..00d809dfe84 100644 --- a/drivers/usb/class/cdc-acm.c +++ b/drivers/usb/class/cdc-acm.c @@ -646,8 +646,10 @@ static void acm_port_down(struct acm *acm) usb_kill_urb(acm->ctrlurb); for (i = 0; i < ACM_NW; i++) usb_kill_urb(acm->wb[i].urb); + tasklet_disable(&acm->urb_task); for (i = 0; i < nr; i++) usb_kill_urb(acm->ru[i].urb); + tasklet_enable(&acm->urb_task); acm->control->needs_remote_wakeup = 0; usb_autopm_put_interface(acm->control); } -- cgit v1.2.3-70-g09d2 From 15e5bee33ffc11d0e5c6f819a65e7881c5c407be Mon Sep 17 00:00:00 2001 From: Johan Hovold Date: Tue, 22 Mar 2011 11:12:10 +0100 Subject: USB: cdc-acm: fix potential null-pointer dereference Must check return value of tty_port_tty_get. Cc: stable Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman --- drivers/usb/class/cdc-acm.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'drivers/usb') diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c index 00d809dfe84..17563714896 100644 --- a/drivers/usb/class/cdc-acm.c +++ b/drivers/usb/class/cdc-acm.c @@ -533,6 +533,8 @@ static void acm_softint(struct work_struct *work) if (!ACM_READY(acm)) return; tty = tty_port_tty_get(&acm->port); + if (!tty) + return; tty_wakeup(tty); tty_kref_put(tty); } -- cgit v1.2.3-70-g09d2 From 7e7797e7f6f7bfab73fca02c65e40eaa5bb9000c Mon Sep 17 00:00:00 2001 From: Johan Hovold Date: Tue, 22 Mar 2011 11:12:11 +0100 Subject: USB: cdc-acm: fix potential null-pointer dereference on disconnect Fix potential null-pointer exception on disconnect introduced by commit 11ea859d64b69a747d6b060b9ed1520eab1161fe (USB: additional power savings for cdc-acm devices that support remote wakeup). Only access acm->dev after making sure it is non-null in control urb completion handler. Cc: stable Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman --- drivers/usb/class/cdc-acm.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'drivers/usb') diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c index 17563714896..e057e538146 100644 --- a/drivers/usb/class/cdc-acm.c +++ b/drivers/usb/class/cdc-acm.c @@ -297,6 +297,8 @@ static void acm_ctrl_irq(struct urb *urb) if (!ACM_READY(acm)) goto exit; + usb_mark_last_busy(acm->dev); + data = (unsigned char *)(dr + 1); switch (dr->bNotificationType) { case USB_CDC_NOTIFY_NETWORK_CONNECTION: @@ -336,7 +338,6 @@ static void acm_ctrl_irq(struct urb *urb) break; } exit: - usb_mark_last_busy(acm->dev); retval = usb_submit_urb(urb, GFP_ATOMIC); if (retval) dev_err(&urb->dev->dev, "%s - usb_submit_urb failed with " -- cgit v1.2.3-70-g09d2