stub_shutdown_connection() and vhci_shutdown_connection() use
task_is_dead() before kthread_stop(). This buys nothing and wrong.
kthread_stop() is fine even if this thread is dead. However, if it
is dead nothing protects this task_struct, we shouldn't touch this
memory.
Change the code to do the necessary get_task_struct/put_task_struct.
This patch assumes that
- xxx_shutdown_connection() is always called, so we can't
leak the task_struct.
- kthread_stop_put() can't be called twice on the same task.
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Cc: Tobias Klauser <tklauser@distanz.ch>
Cc: Matt Mooney <mfm@muteddisk.com>,
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
In drivers/staging/rtl8192e/rtl8192e/rtl_core.c the follwing printk-message can be found:
printk(KERN_ERR "rtl8193e: Unable to allocate space "
This is quite obviously just a typo, all other similar messages use
"rtl8192e" and the string "rtl8193e" does not occur anywhere else in the
source of the driver.
Signed-off-by: Axel Koellhofer <AxelKoellhofer@web.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
i2c client data set is of type struct indio_dev pointer and hence the
pointer returned from i2c_get_clientdata() should be assigned to
an object of type struct indio_dev and not to an object of type
struct ak8975_data.
Also in ak8975_probe() client data should be set first
before calling ak8975_setup() as it references the client data.
Signed-off-by: Preetham Chandru R <pchandru@nvidia.com>
CC: Laxman Dewangan <ldewangan@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Not sure what triggered the change in behavior, but seems to
result in recursively acquiring a mutex and hanging on boot. But
omap_drm_init() seems a much more sane place to register the
driver for the DMM sub-device.
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
I already fixed the other similar for loop in this file. I'm not sure
how I missed this one. We use seg_no+1 inside the loop so we can't go
right up to the end of the loop.
Also if we don't break out of the loop then we end up past the end of
the array, but with this fix we end up on the last element.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Added Rupesh Gujare to MAINTAINERS file and contact in TODO file
for ozwpan driver.
Signed-off-by: Chris Kelly <ckelly@ozmodevices.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Avoid "Bad LUN" and "Bad target number" message by setting the supported
max_lun and max_id for the scsi host
Signed-off-by: wwang <wei_wang@realsil.com.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
rtsx_transport.c (rtsx_transfer_sglist_adma_partial):
pointer struct scatterlist *sg, which is mapped in dma_map_sg,
is used as an iterator in later transfer operation. It is corrupted and
passed to dma_unmap_sg, thus causing fatal unmap of some erroneous address.
Fix it by duplicating *sg_ptr for iterating.
Signed-off-by: wwang <wei_wang@realsil.com.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
We need to check the we don't copy too much memory. This comes from a
copy_from_user() in the ioctl.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
If, in drivers/staging/media/as102/as102_fw.c::as102_fw_upload(), the call
cmd_buf = kzalloc(MAX_FW_PKT_SIZE, GFP_KERNEL);
should fail and return NULL so that we jump to the 'error:' label,
then we'll end up calling 'release_firmware(firmware);' with
'firmware' still uninitialized - not good.
The easy fix is to just initialize 'firmware' to NULL when we declare
it, since release_firmware() deals gracefully with being passed NULL
pointers.
Signed-off-by: Jesper Juhl <jj@chaosbits.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
The just-merged ramster staging driver was dependent on a cleanup patch in
cleancache, so was marked CONFIG_BROKEN until that patch could be
merged. That cleancache patch is now merged (and the correct SHA of the
cleancache patch is 3167760f83 rather than
the one shown in the comment removed in the patch below).
So remove the CONFIG_BROKEN now and the comment that is no longer true...
Signed-off-by: Dan Magenheimer <dan.magenheimer@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
One of our errors wasn't negative as intended. Fix this.
(Found by Hillf Danton)
While we are at it turn user causable messages down to dev_dbg level in the
ioctl paths.
Signed-off-by: Alan Cox <alan@linux.intel.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
usb: gadget: eliminate NULL pointer dereference (bugfix)
This patch fixes a bug which causes NULL pointer dereference in
ffs_ep0_ioctl. The bug happens when the FunctionFS is not bound (either
has not been bound yet or has been bound and then unbound) and can be
reproduced with running the following commands:
$ insmod g_ffs.ko
$ mount -t functionfs func /dev/usbgadget
$ ./null
where null.c is:
#include <fcntl.h>
#include <linux/usb/functionfs.h>
int main(void)
{
int fd = open("/dev/usbgadget/ep0", O_RDWR);
ioctl(fd, FUNCTIONFS_CLEAR_HALT);
return 0;
}
Signed-off-by: Andrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: Kyungmin Park <kyungmin.park@samsung.com>
Cc: stable@vger.kernel.org
Signed-off-by: Felipe Balbi <balbi@ti.com>
This patch removes the non-required spinlock acquire/release calls on
'queue->irqlock' from 'uvc_queue_next_buffer' routine.
This routine is called from 'video->encode' function (which translates to
either 'uvc_video_encode_bulk' or 'uvc_video_encode_isoc') in 'uvc_video.c'.
As, the 'video->encode' routines are called with 'queue->irqlock' already held,
so acquiring a 'queue->irqlock' again in 'uvc_queue_next_buffer' routine causes
a spin lock recursion.
Signed-off-by: Bhupesh Sharma <bhupesh.sharma@st.com>
Acked-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
It is crucial to assign each req->context value to struct rndis.
The problem happens for multi function gadget (g_multi) when multiple
functions are calling common usb_composite_dev control request.
It might happen that *_setup method from one usb function will
alter some fields of this common request issued by other USB
function.
Signed-off-by: Lukasz Majewski <l.majewski@samsung.com>
Signed-off-by: Kyungmin Park <kyungmin.park@samsung.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
pm_runtime_get_sync returns a signed integer. In case of errors
it returns a negative value. This patch fixes the error check
by making it signed instead of unsigned thus preventing register
access if get_sync_fails. Also passes the error cause to the
debug message.
Cc: stable@vger.kernel.org
Cc: Kishon Vijay Abraham I <kishon@ti.com>
Signed-off-by: Shubhrajyoti D <shubhrajyoti@ti.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
During modprobe of gadget driver, pullup is called after
udc_start. In order to make the exit path symmetric when
removing a gadget driver, call pullup before ->udc_stop.
This is needed to avoid issues with PM where udc_stop
disables the module completely (put IP in reset state,
cut functional and interface clocks, and so on), which
prevents us from accessing the IP's address space,
thus creating the possibility of an abort exception
when we try to access IP's address space after clocks
are off.
Cc: stable@vger.kernel.org
Signed-off-by: Partha Basak <p-basak2@ti.com>
Signed-off-by: Kishon Vijay Abraham I <kishon@ti.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
pm_runtime_enable is being called after omap2430_musb_init. Hence
pm_runtime_get_sync in omap2430_musb_init does not have any effect (does
not enable clocks) resulting in a crash during register access. It is
fixed here.
Cc: stable@vger.kernel.org # v3.0, v3.1, v3.2, v3.3
Signed-off-by: Kishon Vijay Abraham I <kishon@ti.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
musb can be suspended at the time some other driver wants to do ulpi
transfers using usb_phy_io_* functions, and that can cause data abort,
as it happened with isp1704_charger:
http://article.gmane.org/gmane.linux.kernel/1226122
Add pm_runtime to ulpi functions to rectify this. This also adds io_dev
to usb_phy so that pm_runtime_* functions can be used.
Cc: Felipe Contreras <felipe.contreras@gmail.com>
Signed-off-by: Grazvydas Ignotas <notasas@gmail.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
Control transfers with data expected from device to host will use usb_rcvctrlpipe()
for urb->pipe so for such urbs 'is_in' will be set causing control urb to fall
into the first "if" condition in musb_cleanup_urb().
Fixed by adding logic to check for non control endpoints.
Signed-off-by: Ajay Kumar Gupta <ajay.gupta@ti.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
Array should be freed together with event buffers, since it was
allocated dynamically.
Signed-off-by: Anton Tikhomirov <av.tikhomirov@samsung.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
DMA address register shouldn't be updated manually if transfer size
requires multiple packets.
Signed-off-by: Anton Tikhomirov <av.tikhomirov@samsung.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
Writing to TxFIFO relates only to Slave mode and leads to
TxFIFO corruption in DMA mode.
Signed-off-by: Anton Tikhomirov <av.tikhomirov@samsung.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
According to documentation, TX FIFO_number index starts from 1.
For IN endpoint FIFO 0 we use GNPTXFSIZ register for programming
the size and memory start address.
Signed-off-by: Anton Tikhomirov <av.tikhomirov@samsung.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
- For Control Read transfer, the ACK handshake on an IN transaction
may be corrupted, so the device may not receive the ACK for data
stage, the complete irq will not occur at this situation.
Therefore, we need to move prime status stage from complete irq
routine to the place where the data stage has just primed, or the
host will never get ACK for status stage.
The above issue has been described at USB2.0 spec chapter 8.5.3.3.
- After adding prime status stage just after prime the data stage,
there is a potential problem when the status dTD is added before the data stage
has primed by hardware. The reason is the device's dTD descriptor has NO direction bit,
if data stage (IN) prime hasn't finished, the status stage(OUT)
dTD will be added at data stage dTD's Next dTD Pointer, so when the data stage
transfer has finished, the status dTD will be primed as IN by hardware,
then the host will never receive ACK from the device side for status stage.
- Delete below code at fsl_ep_queue:
/* Update ep0 state */
if ((ep_index(ep) == 0))
udc->ep0_state = DATA_STATE_XMIT;
the udc->ep0_state will be updated again after udc->driver->setup
finishes.
It is tested at i.mx51 bbg board with g_mass_storage, g_ether, g_serial.
Signed-off-by: Peter Chen <peter.chen@freescale.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
When runtime_pm was originally added, it was done in rather confusing
way: omap2430_musb_init() (called from musb_init_controller) would do
runtime_pm_get_sync() and musb_init_controller() itself would do
runtime_pm_put to balance it out. This is not only confusing but also
wrong if non-omap2430 glue layer is used.
This confusion resulted in commit 772aed45b6 "usb: musb: fix
pm_runtime mismatch", that removed runtime_pm_put() from
musb_init_controller as that looked unbalanced, and also happened to
fix unrelated isp1704_charger crash. However this broke runtime PM
functionality (musb is now always powered, even without gadget active).
Avoid these confusing runtime pm dependences by making
musb_init_controller() and omap2430_musb_init() do their own runtime
get/put pairs; also cover error paths. Remove unneeded runtime_pm_put
in omap2430_remove too. isp1704_charger crash that motivated
772aed45b6 will be fixed by following patch.
Cc: Felipe Contreras <felipe.contreras@gmail.com>
Signed-off-by: Grazvydas Ignotas <notasas@gmail.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
This change prevents runtime suspend and resume actual execution, if
omap2430 controller driver is loaded after musb-hdrc, and therefore the
controller isn't initialized properly.
The problem is reproducible with 3.1.y and 3.2 kernels.
Kernel configuration of musb:
% cat .config | egrep 'MUSB|GADGET'
CONFIG_USB_MUSB_HDRC=y
# CONFIG_USB_MUSB_TUSB6010 is not set
CONFIG_USB_MUSB_OMAP2PLUS=m
# CONFIG_USB_MUSB_AM35X is not set
CONFIG_MUSB_PIO_ONLY=y
CONFIG_USB_GADGET=y
# CONFIG_USB_GADGET_DEBUG is not set
# CONFIG_USB_GADGET_DEBUG_FILES is not set
# CONFIG_USB_GADGET_DEBUG_FS is not set
CONFIG_USB_GADGET_VBUS_DRAW=2
CONFIG_USB_GADGET_STORAGE_NUM_BUFFERS=2
CONFIG_USB_GADGET_MUSB_HDRC=m
CONFIG_USB_GADGET_DUALSPEED=y
CONFIG_USB_GADGETFS=m
# CONFIG_USB_MIDI_GADGET is not set
Fixes the following oops on module unloading:
Unable to handle kernel NULL pointer dereference at virtual address 00000220
----8<----
[<bf162088>] (omap2430_runtime_resume+0x24/0x54 [omap2430]) from [<c0302e34>] (pm_generic_runtime_resume+0x3c/0x50)
[<c0302e34>] (pm_generic_runtime_resume+0x3c/0x50) from [<c0031a24>] (_od_runtime_resume+0x28/0x2c)
[<c0031a24>] (_od_runtime_resume+0x28/0x2c) from [<c0306cb0>] (__rpm_callback+0x60/0xa0)
[<c0306cb0>] (__rpm_callback+0x60/0xa0) from [<c0307f2c>] (rpm_resume+0x3fc/0x6e4)
[<c0307f2c>] (rpm_resume+0x3fc/0x6e4) from [<c030851c>] (__pm_runtime_resume+0x5c/0x90)
[<c030851c>] (__pm_runtime_resume+0x5c/0x90) from [<c02fd0dc>] (__device_release_driver+0x2c/0xd0)
[<c02fd0dc>] (__device_release_driver+0x2c/0xd0) from [<c02fda18>] (driver_detach+0xe8/0xf4)
[<c02fda18>] (driver_detach+0xe8/0xf4) from [<c02fcf88>] (bus_remove_driver+0xa0/0x104)
[<c02fcf88>] (bus_remove_driver+0xa0/0x104) from [<c02fde54>] (driver_unregister+0x60/0x80)
[<c02fde54>] (driver_unregister+0x60/0x80) from [<c02ff2d4>] (platform_driver_unregister+0x1c/0x20)
[<c02ff2d4>] (platform_driver_unregister+0x1c/0x20) from [<bf162928>] (omap2430_exit+0x14/0x1c [omap2430])
[<bf162928>] (omap2430_exit+0x14/0x1c [omap2430]) from [<c007d8bc>] (sys_delete_module+0x1f4/0x264)
[<c007d8bc>] (sys_delete_module+0x1f4/0x264) from [<c000f000>] (ret_fast_syscall+0x0/0x30)
Signed-off-by: Vladimir Zapolskiy <vladimir.zapolskiy@nokia.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: stable@vger.kernel.org # 3.1
Signed-off-by: Felipe Balbi <balbi@ti.com>
Without this default case returning an error,
thus replying with a stall, we would fail
USB30CV TD 9.11 Bad Feature test case.
Cc: stable@vger.kernel.org
Signed-off-by: Gerard Cauvy <g-cauvy1@ti.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
Direct usage of the asm include has long been deprecated by the
introduction of gpiolib.
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
Commit "ISDN: i4l, remove cvs crap" removed definition of
isdn_tty_revision, but there is still a user. So this causes linking
errors. This was hidden from my radar because the variable was not
declared in any header. Instead isdn_common.c declares it locally.
So remove this variable also from isdn_common.c, because there is
really no way to find out the version. Git commit or tag is...
Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Cc: Karsten Keil <isdn@linux-pingi.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Both drivers need to depend upon HAS_IOMEM, otherwise we
get a build failure on platforms like S390.
All the driver specific config options need to depend upon
the drivers themselves.
Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
This patch makes the code easier to read.
Also add checking the case when no desc id is matched. This is required because
if no desc id is matched, the poiner info is pointed to twl_of_match[i].data
which may be not NULL. Checking info is NULL or not latter does not catch the
error.
Signed-off-by: Axel Lin <axel.lin@gmail.com>
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
regmap_config.reg_stride is introduced. All extant register addresses
are a multiple of this value. Users of serial-oriented regmap busses will
typically set this to 1. Users of the MMIO regmap bus will typically set
this based on the value size of their registers, in bytes, so 4 for a
32-bit register.
Throughout the regmap code, actual register addresses are used. Wherever
the register address is used to index some array of values, the address
is divided by the stride to determine the index, or vice-versa. Error-
checking is added to all entry-points for register address data to ensure
that register addresses actually satisfy the specified stride. The MMIO
bus ensures that the specified stride is large enough for the register
size.
Signed-off-by: Stephen Warren <swarren@nvidia.com>
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
