From: Greg Kroah-Hartman Date: Thu, 1 Aug 2013 03:31:29 +0000 (+0800) Subject: 3.0-stable patches X-Git-Tag: v3.0.89~17 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0b55080cc1bdc7feb40a7ee497ff2ad9ee338238;p=thirdparty%2Fkernel%2Fstable-queue.git 3.0-stable patches added patches: acpi-memhotplug-fix-a-stale-pointer-in-error-path.patch libata-make-it-clear-that-sata_inic162x-is-experimental.patch powerpc-modules-module-crc-relocation-fix-causes-perf-issues.patch scsi-qla2xxx-properly-set-the-tagging-for-commands.patch scsi-sd-fix-crash-when-ua-received-on-dif-enabled-device.patch staging-comedi-comedi_cancel-ioctl-should-wake-up-read-write.patch tracing-fix-irqs-off-tag-display-in-syscall-tracing.patch usb-clear-both-buffers-when-clearing-a-control-transfer-tt-buffer.patch usb-misc-add-manhattan-hi-speed-usb-dvi-converter-to-sisusbvga.patch usb-ti_usb_3410_5052-fix-dynamic-id-matching.patch xhci-avoid-null-pointer-deref-when-host-dies.patch xhci-fix-null-pointer-dereference-on-ring_doorbell_for_active_rings.patch --- diff --git a/queue-3.0/acpi-memhotplug-fix-a-stale-pointer-in-error-path.patch b/queue-3.0/acpi-memhotplug-fix-a-stale-pointer-in-error-path.patch new file mode 100644 index 00000000000..65311c36f4b --- /dev/null +++ b/queue-3.0/acpi-memhotplug-fix-a-stale-pointer-in-error-path.patch @@ -0,0 +1,36 @@ +From d19f503e22316a84c39bc19445e0e4fdd49b3532 Mon Sep 17 00:00:00 2001 +From: Toshi Kani +Date: Wed, 10 Jul 2013 10:47:13 -0600 +Subject: ACPI / memhotplug: Fix a stale pointer in error path + +From: Toshi Kani + +commit d19f503e22316a84c39bc19445e0e4fdd49b3532 upstream. + +device->driver_data needs to be cleared when releasing its data, +mem_device, in an error path of acpi_memory_device_add(). + +The function evaluates the _CRS of memory device objects, and fails +when it gets an unexpected resource or cannot allocate memory. A +kernel crash or data corruption may occur when the kernel accesses +the stale pointer. + +Signed-off-by: Toshi Kani +Reviewed-by: Yasuaki Ishimatsu +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/acpi/acpi_memhotplug.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/acpi/acpi_memhotplug.c ++++ b/drivers/acpi/acpi_memhotplug.c +@@ -421,6 +421,7 @@ static int acpi_memory_device_add(struct + /* Get the range from the _CRS */ + result = acpi_memory_get_device_resources(mem_device); + if (result) { ++ device->driver_data = NULL; + kfree(mem_device); + return result; + } diff --git a/queue-3.0/libata-make-it-clear-that-sata_inic162x-is-experimental.patch b/queue-3.0/libata-make-it-clear-that-sata_inic162x-is-experimental.patch new file mode 100644 index 00000000000..1b17cf21d98 --- /dev/null +++ b/queue-3.0/libata-make-it-clear-that-sata_inic162x-is-experimental.patch @@ -0,0 +1,70 @@ +From bb9696192826a7d9279caf872e95b41bc26c7eff Mon Sep 17 00:00:00 2001 +From: Tejun Heo +Date: Mon, 22 Jul 2013 16:53:36 -0400 +Subject: libata: make it clear that sata_inic162x is experimental + +From: Tejun Heo + +commit bb9696192826a7d9279caf872e95b41bc26c7eff upstream. + +sata_inic162x never reached a state where it's reliable enough for +production use and data corruption is a relatively common occurrence. +Make the driver generate warning about the issues and mark the Kconfig +option as experimental. + +If the situation doesn't improve, we'd be better off making it depend +on CONFIG_BROKEN. Let's wait for several cycles and see if the kernel +message draws any attention. + +Signed-off-by: Tejun Heo +Reported-by: Martin Braure de Calignon +Reported-by: Ben Hutchings +Reported-by: risc4all@yahoo.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ata/Kconfig | 2 +- + drivers/ata/sata_inic162x.c | 14 ++++++++++++++ + 2 files changed, 15 insertions(+), 1 deletion(-) + +--- a/drivers/ata/Kconfig ++++ b/drivers/ata/Kconfig +@@ -93,7 +93,7 @@ config SATA_FSL + If unsure, say N. + + config SATA_INIC162X +- tristate "Initio 162x SATA support" ++ tristate "Initio 162x SATA support (Very Experimental)" + depends on PCI + help + This option enables support for Initio 162x Serial ATA. +--- a/drivers/ata/sata_inic162x.c ++++ b/drivers/ata/sata_inic162x.c +@@ -6,6 +6,18 @@ + * + * This file is released under GPL v2. + * ++ * **** WARNING **** ++ * ++ * This driver never worked properly and unfortunately data corruption is ++ * relatively common. There isn't anyone working on the driver and there's ++ * no support from the vendor. Do not use this driver in any production ++ * environment. ++ * ++ * http://thread.gmane.org/gmane.linux.debian.devel.bugs.rc/378525/focus=54491 ++ * https://bugzilla.kernel.org/show_bug.cgi?id=60565 ++ * ++ * ***************** ++ * + * This controller is eccentric and easily locks up if something isn't + * right. Documentation is available at initio's website but it only + * documents registers (not programming model). +@@ -810,6 +822,8 @@ static int inic_init_one(struct pci_dev + if (!printed_version++) + dev_printk(KERN_DEBUG, &pdev->dev, "version " DRV_VERSION "\n"); + ++ dev_alert(&pdev->dev, "inic162x support is broken with common data corruption issues and will be disabled by default, contact linux-ide@vger.kernel.org if in production use\n"); ++ + /* alloc host */ + host = ata_host_alloc_pinfo(&pdev->dev, ppi, NR_PORTS); + hpriv = devm_kzalloc(&pdev->dev, sizeof(*hpriv), GFP_KERNEL); diff --git a/queue-3.0/powerpc-modules-module-crc-relocation-fix-causes-perf-issues.patch b/queue-3.0/powerpc-modules-module-crc-relocation-fix-causes-perf-issues.patch new file mode 100644 index 00000000000..41c83ede342 --- /dev/null +++ b/queue-3.0/powerpc-modules-module-crc-relocation-fix-causes-perf-issues.patch @@ -0,0 +1,75 @@ +From 0e0ed6406e61434d3f38fb58aa8464ec4722b77e Mon Sep 17 00:00:00 2001 +From: Anton Blanchard +Date: Mon, 15 Jul 2013 14:04:50 +1000 +Subject: powerpc/modules: Module CRC relocation fix causes perf issues + +From: Anton Blanchard + +commit 0e0ed6406e61434d3f38fb58aa8464ec4722b77e upstream. + +Module CRCs are implemented as absolute symbols that get resolved by +a linker script. We build an intermediate .o that contains an +unresolved symbol for each CRC. genksysms parses this .o, calculates +the CRCs and writes a linker script that "resolves" the symbols to +the calculated CRC. + +Unfortunately the ppc64 relocatable kernel sees these CRCs as symbols +that need relocating and relocates them at boot. Commit d4703aef +(module: handle ppc64 relocating kcrctabs when CONFIG_RELOCATABLE=y) +added a hook to reverse the bogus relocations. Part of this patch +created a symbol at 0x0: + +# head -2 /proc/kallsyms +0000000000000000 T reloc_start +c000000000000000 T .__start + +This reloc_start symbol is causing lots of confusion to perf. It +thinks reloc_start is a massive function that stretches from 0x0 to +0xc000000000000000 and we get various cryptic errors out of perf, +including: + +problem incrementing symbol count, skipping event + +This patch removes the reloc_start linker script label and instead +defines it as PHYSICAL_START. We also need to wrap it with +CONFIG_PPC64 because the ppc32 kernel can set a non zero +PHYSICAL_START at compile time and we wouldn't want to subtract +it from the CRCs in that case. + +Signed-off-by: Anton Blanchard +Acked-by: Rusty Russell +Signed-off-by: Benjamin Herrenschmidt +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/include/asm/module.h | 5 ++--- + arch/powerpc/kernel/vmlinux.lds.S | 3 --- + 2 files changed, 2 insertions(+), 6 deletions(-) + +--- a/arch/powerpc/include/asm/module.h ++++ b/arch/powerpc/include/asm/module.h +@@ -87,10 +87,9 @@ struct exception_table_entry; + void sort_ex_table(struct exception_table_entry *start, + struct exception_table_entry *finish); + +-#ifdef CONFIG_MODVERSIONS ++#if defined(CONFIG_MODVERSIONS) && defined(CONFIG_PPC64) + #define ARCH_RELOCATES_KCRCTAB +- +-extern const unsigned long reloc_start[]; ++#define reloc_start PHYSICAL_START + #endif + #endif /* __KERNEL__ */ + #endif /* _ASM_POWERPC_MODULE_H */ +--- a/arch/powerpc/kernel/vmlinux.lds.S ++++ b/arch/powerpc/kernel/vmlinux.lds.S +@@ -38,9 +38,6 @@ jiffies = jiffies_64 + 4; + #endif + SECTIONS + { +- . = 0; +- reloc_start = .; +- + . = KERNELBASE; + + /* diff --git a/queue-3.0/scsi-qla2xxx-properly-set-the-tagging-for-commands.patch b/queue-3.0/scsi-qla2xxx-properly-set-the-tagging-for-commands.patch new file mode 100644 index 00000000000..1d5330857ac --- /dev/null +++ b/queue-3.0/scsi-qla2xxx-properly-set-the-tagging-for-commands.patch @@ -0,0 +1,62 @@ +From c3ccb1d7cf4c4549151876dd37c0944a682fd9e1 Mon Sep 17 00:00:00 2001 +From: Saurav Kashyap +Date: Fri, 12 Jul 2013 14:47:51 -0400 +Subject: SCSI: qla2xxx: Properly set the tagging for commands. + +From: Saurav Kashyap + +commit c3ccb1d7cf4c4549151876dd37c0944a682fd9e1 upstream. + +This fixes a regression where Xyratex controllers and disks were lost by the +driver: + +https://bugzilla.kernel.org/show_bug.cgi?id=59601 + +Reported-by: Jack Hill +Signed-off-by: Saurav Kashyap +Signed-off-by: Giridhar Malavali +Signed-off-by: James Bottomley +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/qla2xxx/qla_iocb.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_iocb.c ++++ b/drivers/scsi/qla2xxx/qla_iocb.c +@@ -422,6 +422,8 @@ qla2x00_start_scsi(srb_t *sp) + __constant_cpu_to_le16(CF_SIMPLE_TAG); + break; + } ++ } else { ++ cmd_pkt->control_flags = __constant_cpu_to_le16(CF_SIMPLE_TAG); + } + + /* Load SCSI command packet. */ +@@ -1099,11 +1101,11 @@ qla24xx_build_scsi_crc_2_iocbs(srb_t *sp + fcp_cmnd->task_attribute = TSK_ORDERED; + break; + default: +- fcp_cmnd->task_attribute = 0; ++ fcp_cmnd->task_attribute = TSK_SIMPLE; + break; + } + } else { +- fcp_cmnd->task_attribute = 0; ++ fcp_cmnd->task_attribute = TSK_SIMPLE; + } + + cmd_pkt->fcp_rsp_dseg_len = 0; /* Let response come in status iocb */ +@@ -1305,7 +1307,12 @@ qla24xx_start_scsi(srb_t *sp) + case ORDERED_QUEUE_TAG: + cmd_pkt->task = TSK_ORDERED; + break; ++ default: ++ cmd_pkt->task = TSK_SIMPLE; ++ break; + } ++ } else { ++ cmd_pkt->task = TSK_SIMPLE; + } + + /* Load SCSI command packet. */ diff --git a/queue-3.0/scsi-sd-fix-crash-when-ua-received-on-dif-enabled-device.patch b/queue-3.0/scsi-sd-fix-crash-when-ua-received-on-dif-enabled-device.patch new file mode 100644 index 00000000000..c2b99653c91 --- /dev/null +++ b/queue-3.0/scsi-sd-fix-crash-when-ua-received-on-dif-enabled-device.patch @@ -0,0 +1,74 @@ +From 085b513f97d8d799d28491239be4b451bcd8c2c5 Mon Sep 17 00:00:00 2001 +From: "Ewan D. Milne" +Date: Fri, 2 Nov 2012 09:38:34 -0400 +Subject: SCSI: sd: fix crash when UA received on DIF enabled device + +From: "Ewan D. Milne" + +commit 085b513f97d8d799d28491239be4b451bcd8c2c5 upstream. + +sd_prep_fn will allocate a larger CDB for the command via mempool_alloc +for devices using DIF type 2 protection. This CDB was being freed +in sd_done, which results in a kernel crash if the command is retried +due to a UNIT ATTENTION. This change moves the code to free the larger +CDB into sd_unprep_fn instead, which is invoked after the request is +complete. + +It is no longer necessary to call scsi_print_command separately for +this case as the ->cmnd will no longer be NULL in the normal code path. + +Also removed conditional test for DIF type 2 when freeing the larger +CDB because the protection_type could have been changed via sysfs while +the command was executing. + +Signed-off-by: Ewan D. Milne +Acked-by: Martin K. Petersen +Signed-off-by: James Bottomley +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/sd.c | 22 +++++++--------------- + 1 file changed, 7 insertions(+), 15 deletions(-) + +--- a/drivers/scsi/sd.c ++++ b/drivers/scsi/sd.c +@@ -641,10 +641,17 @@ static int scsi_setup_flush_cmnd(struct + + static void sd_unprep_fn(struct request_queue *q, struct request *rq) + { ++ struct scsi_cmnd *SCpnt = rq->special; ++ + if (rq->cmd_flags & REQ_DISCARD) { + free_page((unsigned long)rq->buffer); + rq->buffer = NULL; + } ++ if (SCpnt->cmnd != rq->cmd) { ++ mempool_free(SCpnt->cmnd, sd_cdb_pool); ++ SCpnt->cmnd = NULL; ++ SCpnt->cmd_len = 0; ++ } + } + + /** +@@ -1451,21 +1458,6 @@ static int sd_done(struct scsi_cmnd *SCp + if (rq_data_dir(SCpnt->request) == READ && scsi_prot_sg_count(SCpnt)) + sd_dif_complete(SCpnt, good_bytes); + +- if (scsi_host_dif_capable(sdkp->device->host, sdkp->protection_type) +- == SD_DIF_TYPE2_PROTECTION && SCpnt->cmnd != SCpnt->request->cmd) { +- +- /* We have to print a failed command here as the +- * extended CDB gets freed before scsi_io_completion() +- * is called. +- */ +- if (result) +- scsi_print_command(SCpnt); +- +- mempool_free(SCpnt->cmnd, sd_cdb_pool); +- SCpnt->cmnd = NULL; +- SCpnt->cmd_len = 0; +- } +- + return good_bytes; + } + diff --git a/queue-3.0/series b/queue-3.0/series index acc52a56b55..87ccad84941 100644 --- a/queue-3.0/series +++ b/queue-3.0/series @@ -1,2 +1,14 @@ usb-storage-add-microvault-flash-drive-to-unusual_devs.patch asoc-max98088-fix-element-type-of-the-register-cache.patch +scsi-sd-fix-crash-when-ua-received-on-dif-enabled-device.patch +scsi-qla2xxx-properly-set-the-tagging-for-commands.patch +tracing-fix-irqs-off-tag-display-in-syscall-tracing.patch +xhci-fix-null-pointer-dereference-on-ring_doorbell_for_active_rings.patch +xhci-avoid-null-pointer-deref-when-host-dies.patch +usb-ti_usb_3410_5052-fix-dynamic-id-matching.patch +usb-misc-add-manhattan-hi-speed-usb-dvi-converter-to-sisusbvga.patch +usb-clear-both-buffers-when-clearing-a-control-transfer-tt-buffer.patch +staging-comedi-comedi_cancel-ioctl-should-wake-up-read-write.patch +libata-make-it-clear-that-sata_inic162x-is-experimental.patch +powerpc-modules-module-crc-relocation-fix-causes-perf-issues.patch +acpi-memhotplug-fix-a-stale-pointer-in-error-path.patch diff --git a/queue-3.0/staging-comedi-comedi_cancel-ioctl-should-wake-up-read-write.patch b/queue-3.0/staging-comedi-comedi_cancel-ioctl-should-wake-up-read-write.patch new file mode 100644 index 00000000000..4032db9bc38 --- /dev/null +++ b/queue-3.0/staging-comedi-comedi_cancel-ioctl-should-wake-up-read-write.patch @@ -0,0 +1,57 @@ +From 69acbaac303e8cb948801a9ddd0ac24e86cc4a1b Mon Sep 17 00:00:00 2001 +From: Ian Abbott +Date: Mon, 8 Jul 2013 13:36:19 +0100 +Subject: staging: comedi: COMEDI_CANCEL ioctl should wake up read/write + +From: Ian Abbott + +commit 69acbaac303e8cb948801a9ddd0ac24e86cc4a1b upstream. + +Comedi devices can do blocking read() or write() (or poll()) if an +asynchronous command has been set up, blocking for data (for read()) or +buffer space (for write()). Various events associated with the +asynchronous command will wake up the blocked reader or writer (or +poller). It is also possible to force the asynchronous command to +terminate by issuing a `COMEDI_CANCEL` ioctl. That shuts down the +asynchronous command, but does not currently wake up the blocked reader +or writer (or poller). If the blocked task could be woken up, it would +see that the command is no longer active and return. The caller of the +`COMEDI_CANCEL` ioctl could attempt to wake up the blocked task by +sending a signal, but that's a nasty workaround. + +Change `do_cancel_ioctl()` to wake up the wait queue after it returns +from `do_cancel()`. `do_cancel()` can propagate an error return value +from the low-level comedi driver's cancel routine, but it always shuts +the command down regardless, so `do_cancel_ioctl()` can wake up he wait +queue regardless of the return value from `do_cancel()`. + +Signed-off-by: Ian Abbott +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/comedi/comedi_fops.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/staging/comedi/comedi_fops.c ++++ b/drivers/staging/comedi/comedi_fops.c +@@ -1370,6 +1370,7 @@ static int do_cancel_ioctl(struct comedi + void *file) + { + struct comedi_subdevice *s; ++ int ret; + + if (arg >= dev->n_subdevices) + return -EINVAL; +@@ -1386,7 +1387,11 @@ static int do_cancel_ioctl(struct comedi + if (s->busy != file) + return -EBUSY; + +- return do_cancel(dev, s); ++ ret = do_cancel(dev, s); ++ if (comedi_get_subdevice_runflags(s) & SRF_USER) ++ wake_up_interruptible(&s->async->wait_head); ++ ++ return ret; + } + + /* diff --git a/queue-3.0/tracing-fix-irqs-off-tag-display-in-syscall-tracing.patch b/queue-3.0/tracing-fix-irqs-off-tag-display-in-syscall-tracing.patch new file mode 100644 index 00000000000..875fcdde72f --- /dev/null +++ b/queue-3.0/tracing-fix-irqs-off-tag-display-in-syscall-tracing.patch @@ -0,0 +1,33 @@ +From jovi.zhangwei@huawei.com Thu Aug 1 10:53:20 2013 +From: "zhangwei(Jovi)" +Date: Mon, 29 Jul 2013 09:33:58 +0800 +Subject: tracing: Fix irqs-off tag display in syscall tracing +To: Greg KH +Cc: Ben Hutchings , Steven Rostedt , +Message-ID: <51F5C686.4020608@huawei.com> + +From: "zhangwei(Jovi)" + +commit 11034ae9c20f4057a6127fc965906417978e69b2 upstream + +Initialization of variable irq_flags and pc was missed when backport +11034ae9c to linux-3.0.y and linux-3.4.y, my fault. + +Signed-off-by: zhangwei(Jovi) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/trace_syscalls.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/kernel/trace/trace_syscalls.c ++++ b/kernel/trace/trace_syscalls.c +@@ -357,6 +357,9 @@ void ftrace_syscall_exit(void *ignore, s + if (!sys_data) + return; + ++ local_save_flags(irq_flags); ++ pc = preempt_count(); ++ + event = trace_current_buffer_lock_reserve(&buffer, + sys_data->exit_event->event.type, sizeof(*entry), + irq_flags, pc); diff --git a/queue-3.0/usb-clear-both-buffers-when-clearing-a-control-transfer-tt-buffer.patch b/queue-3.0/usb-clear-both-buffers-when-clearing-a-control-transfer-tt-buffer.patch new file mode 100644 index 00000000000..2959a4c645c --- /dev/null +++ b/queue-3.0/usb-clear-both-buffers-when-clearing-a-control-transfer-tt-buffer.patch @@ -0,0 +1,39 @@ +From 2c7b871b9102c497ba8f972aa5d38532f05b654d Mon Sep 17 00:00:00 2001 +From: William Gulland +Date: Thu, 27 Jun 2013 16:10:20 -0700 +Subject: usb: Clear both buffers when clearing a control transfer TT buffer. + +From: William Gulland + +commit 2c7b871b9102c497ba8f972aa5d38532f05b654d upstream. + +Control transfers have both IN and OUT (or SETUP) packets, so when +clearing TT buffers for a control transfer it's necessary to send +two HUB_CLEAR_TT_BUFFER requests to the hub. + +Signed-off-by: William Gulland +Acked-by: Alan Stern +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/hub.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -463,6 +463,15 @@ resubmit: + static inline int + hub_clear_tt_buffer (struct usb_device *hdev, u16 devinfo, u16 tt) + { ++ /* Need to clear both directions for control ep */ ++ if (((devinfo >> 11) & USB_ENDPOINT_XFERTYPE_MASK) == ++ USB_ENDPOINT_XFER_CONTROL) { ++ int status = usb_control_msg(hdev, usb_sndctrlpipe(hdev, 0), ++ HUB_CLEAR_TT_BUFFER, USB_RT_PORT, ++ devinfo ^ 0x8000, tt, NULL, 0, 1000); ++ if (status) ++ return status; ++ } + return usb_control_msg(hdev, usb_sndctrlpipe(hdev, 0), + HUB_CLEAR_TT_BUFFER, USB_RT_PORT, devinfo, + tt, NULL, 0, 1000); diff --git a/queue-3.0/usb-misc-add-manhattan-hi-speed-usb-dvi-converter-to-sisusbvga.patch b/queue-3.0/usb-misc-add-manhattan-hi-speed-usb-dvi-converter-to-sisusbvga.patch new file mode 100644 index 00000000000..056b790fc55 --- /dev/null +++ b/queue-3.0/usb-misc-add-manhattan-hi-speed-usb-dvi-converter-to-sisusbvga.patch @@ -0,0 +1,26 @@ +From 58fc90db8261b571c026bb8bf23aad48a7233118 Mon Sep 17 00:00:00 2001 +From: Jóhann B. Guðmundsson +Date: Thu, 4 Jul 2013 21:47:52 +0000 +Subject: USB: misc: Add Manhattan Hi-Speed USB DVI Converter to sisusbvga + +From: Jóhann B. Guðmundsson + +commit 58fc90db8261b571c026bb8bf23aad48a7233118 upstream. + +Signed-off-by: Jóhann B. Guðmundsson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/misc/sisusbvga/sisusb.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/misc/sisusbvga/sisusb.c ++++ b/drivers/usb/misc/sisusbvga/sisusb.c +@@ -3247,6 +3247,7 @@ static const struct usb_device_id sisusb + { USB_DEVICE(0x0711, 0x0903) }, + { USB_DEVICE(0x0711, 0x0918) }, + { USB_DEVICE(0x0711, 0x0920) }, ++ { USB_DEVICE(0x0711, 0x0950) }, + { USB_DEVICE(0x182d, 0x021c) }, + { USB_DEVICE(0x182d, 0x0269) }, + { } diff --git a/queue-3.0/usb-ti_usb_3410_5052-fix-dynamic-id-matching.patch b/queue-3.0/usb-ti_usb_3410_5052-fix-dynamic-id-matching.patch new file mode 100644 index 00000000000..7cb1c5d0cb1 --- /dev/null +++ b/queue-3.0/usb-ti_usb_3410_5052-fix-dynamic-id-matching.patch @@ -0,0 +1,35 @@ +From 1fad56424f5ad3ce4973505a357212b2e2282b3f Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 28 Jun 2013 12:24:26 +0200 +Subject: USB: ti_usb_3410_5052: fix dynamic-id matching + +From: Johan Hovold + +commit 1fad56424f5ad3ce4973505a357212b2e2282b3f upstream. + +The driver failed to take the dynamic ids into account when determining +the device type and therefore all devices were detected as 2-port +devices when using the dynamic-id interface. + +Match on the usb-serial-driver field instead of doing redundant id-table +searches. + +Reported-by: Anders Hammarquist +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/ti_usb_3410_5052.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/serial/ti_usb_3410_5052.c ++++ b/drivers/usb/serial/ti_usb_3410_5052.c +@@ -409,7 +409,7 @@ static int ti_startup(struct usb_serial + usb_set_serial_data(serial, tdev); + + /* determine device type */ +- if (usb_match_id(serial->interface, ti_id_table_3410)) ++ if (serial->type == &ti_1port_device) + tdev->td_is_3410 = 1; + dbg("%s - device type is %s", __func__, + tdev->td_is_3410 ? "3410" : "5052"); diff --git a/queue-3.0/xhci-avoid-null-pointer-deref-when-host-dies.patch b/queue-3.0/xhci-avoid-null-pointer-deref-when-host-dies.patch new file mode 100644 index 00000000000..8a124545c7d --- /dev/null +++ b/queue-3.0/xhci-avoid-null-pointer-deref-when-host-dies.patch @@ -0,0 +1,71 @@ +From 203a86613fb3bf2767335659513fa98563a3eb71 Mon Sep 17 00:00:00 2001 +From: Sarah Sharp +Date: Wed, 24 Jul 2013 10:27:13 -0700 +Subject: xhci: Avoid NULL pointer deref when host dies. + +From: Sarah Sharp + +commit 203a86613fb3bf2767335659513fa98563a3eb71 upstream. + +When the host controller fails to respond to an Enable Slot command, and +the host fails to respond to the register write to abort the command +ring, the xHCI driver will assume the host is dead, and call +usb_hc_died(). + +The USB device's slot_id is still set to zero, and the pointer stored at +xhci->devs[0] will always be NULL. The call to xhci_check_args in +xhci_free_dev should have caught the NULL virt_dev pointer. + +However, xhci_free_dev is designed to free the xhci_virt_device +structures, even if the host is dead, so that we don't leak kernel +memory. xhci_free_dev checks the return value from the generic +xhci_check_args function. If the return value is -ENODEV, it carries on +trying to free the virtual device. + +The issue is that xhci_check_args looks at the host controller state +before it looks at the xhci_virt_device pointer. It will return -ENIVAL +because the host is dead, and xhci_free_dev will ignore the return +value, and happily dereference the NULL xhci_virt_device pointer. + +The fix is to make sure that xhci_check_args checks the xhci_virt_device +pointer before it checks the host state. + +See https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1203453 for +further details. This patch doesn't solve the underlying issue, but +will ensure we don't see any more NULL pointer dereferences because of +the issue. + +This patch should be backported to kernels as old as 3.1, that +contain the commit 7bd89b4017f46a9b92853940fd9771319acb578a "xhci: Don't +submit commands or URBs to halted hosts." + +Signed-off-by: Sarah Sharp +Reported-by: Vincent Thiele +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/xhci.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/usb/host/xhci.c ++++ b/drivers/usb/host/xhci.c +@@ -956,9 +956,6 @@ static int xhci_check_args(struct usb_hc + } + + xhci = hcd_to_xhci(hcd); +- if (xhci->xhc_state & XHCI_STATE_HALTED) +- return -ENODEV; +- + if (check_virt_dev) { + if (!udev->slot_id || !xhci->devs + || !xhci->devs[udev->slot_id]) { +@@ -975,6 +972,9 @@ static int xhci_check_args(struct usb_hc + } + } + ++ if (xhci->xhc_state & XHCI_STATE_HALTED) ++ return -ENODEV; ++ + return 1; + } + diff --git a/queue-3.0/xhci-fix-null-pointer-dereference-on-ring_doorbell_for_active_rings.patch b/queue-3.0/xhci-fix-null-pointer-dereference-on-ring_doorbell_for_active_rings.patch new file mode 100644 index 00000000000..c4effa6fb9a --- /dev/null +++ b/queue-3.0/xhci-fix-null-pointer-dereference-on-ring_doorbell_for_active_rings.patch @@ -0,0 +1,37 @@ +From d66eaf9f89502971fddcb0de550b01fa6f409d83 Mon Sep 17 00:00:00 2001 +From: Oleksij Rempel +Date: Sun, 21 Jul 2013 15:36:19 +0200 +Subject: xhci: fix null pointer dereference on ring_doorbell_for_active_rings + +From: Oleksij Rempel + +commit d66eaf9f89502971fddcb0de550b01fa6f409d83 upstream. + +in some cases where device is attched to xhci port and do not responding, +for example ath9k_htc with stalled firmware, kernel will +crash on ring_doorbell_for_active_rings. +This patch check if pointer exist before it is used. + +This patch should be backported to kernels as old as 2.6.35, that +contain the commit e9df17eb1408cfafa3d1844bfc7f22c7237b31b8 "USB: xhci: +Correct assumptions about number of rings per endpoint" + +Signed-off-by: Oleksij Rempel +Signed-off-by: Sarah Sharp +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/xhci-ring.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/host/xhci-ring.c ++++ b/drivers/usb/host/xhci-ring.c +@@ -465,7 +465,7 @@ static void ring_doorbell_for_active_rin + + /* A ring has pending URBs if its TD list is not empty */ + if (!(ep->ep_state & EP_HAS_STREAMS)) { +- if (!(list_empty(&ep->ring->td_list))) ++ if (ep->ring && !(list_empty(&ep->ring->td_list))) + xhci_ring_ep_doorbell(xhci, slot_id, ep_index, 0); + return; + }