From: Greg Kroah-Hartman Date: Wed, 12 Apr 2017 13:33:57 +0000 (+0200) Subject: 4.9-stable patches X-Git-Tag: v4.10.11~17 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1bad7bf2c32e54f2bd7ff7c0b5365c72ee70661d;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: i2c-bcm2835-fix-hang-for-writing-messages-larger-than-16-bytes.patch mips-introduce-irq_stack.patch mips-only-change-28-to-thread_info-if-coming-from-user-mode.patch mips-stack-unwinding-while-on-irq-stack.patch mtd-bcm47xxpart-fix-parsing-first-block-after-aligned-trx.patch rt2x00-fix-incorrect-usage-of-config_rt2x00_lib_usb.patch rt2x00usb-do-not-anchor-rx-and-tx-urb-s.patch rt2x00usb-fix-anchor-initialization.patch --- diff --git a/queue-4.9/i2c-bcm2835-fix-hang-for-writing-messages-larger-than-16-bytes.patch b/queue-4.9/i2c-bcm2835-fix-hang-for-writing-messages-larger-than-16-bytes.patch new file mode 100644 index 00000000000..ec94461c481 --- /dev/null +++ b/queue-4.9/i2c-bcm2835-fix-hang-for-writing-messages-larger-than-16-bytes.patch @@ -0,0 +1,97 @@ +From e2474541032db65d02bf88b6a8c2f954654b443f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Noralf=20Tr=C3=B8nnes?= +Date: Mon, 3 Oct 2016 22:06:08 +0200 +Subject: i2c: bcm2835: Fix hang for writing messages larger than 16 bytes +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Noralf Trønnes + +commit e2474541032db65d02bf88b6a8c2f954654b443f upstream. + +Writing messages larger than the FIFO size results in a hang, rendering +the machine unusable. This is because the RXD status flag is set on the +first interrupt which results in bcm2835_drain_rxfifo() stealing bytes +from the buffer. The controller continues to trigger interrupts waiting +for the missing bytes, but bcm2835_fill_txfifo() has none to give. +In this situation wait_for_completion_timeout() apparently is unable to +stop the madness. + +The BCM2835 ARM Peripherals datasheet has this to say about the flags: + TXD: is set when the FIFO has space for at least one byte of data. + RXD: is set when the FIFO contains at least one byte of data. + TXW: is set during a write transfer and the FIFO is less than full. + RXR: is set during a read transfer and the FIFO is or more full. + +Implementing the logic from the downstream i2c-bcm2708 driver solved +the hang problem. + +Signed-off-by: Noralf Trønnes +Reviewed-by: Eric Anholt +Reviewed-by: Martin Sperl +Signed-off-by: Wolfram Sang +Signed-off-by: Amit Pundir +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/i2c/busses/i2c-bcm2835.c | 22 ++++++++++++++-------- + 1 file changed, 14 insertions(+), 8 deletions(-) + +--- a/drivers/i2c/busses/i2c-bcm2835.c ++++ b/drivers/i2c/busses/i2c-bcm2835.c +@@ -64,6 +64,7 @@ struct bcm2835_i2c_dev { + int irq; + struct i2c_adapter adapter; + struct completion completion; ++ struct i2c_msg *curr_msg; + u32 msg_err; + u8 *msg_buf; + size_t msg_buf_remaining; +@@ -126,14 +127,13 @@ static irqreturn_t bcm2835_i2c_isr(int t + return IRQ_HANDLED; + } + +- if (val & BCM2835_I2C_S_RXD) { +- bcm2835_drain_rxfifo(i2c_dev); +- if (!(val & BCM2835_I2C_S_DONE)) +- return IRQ_HANDLED; +- } +- + if (val & BCM2835_I2C_S_DONE) { +- if (i2c_dev->msg_buf_remaining) ++ if (i2c_dev->curr_msg->flags & I2C_M_RD) { ++ bcm2835_drain_rxfifo(i2c_dev); ++ val = bcm2835_i2c_readl(i2c_dev, BCM2835_I2C_S); ++ } ++ ++ if ((val & BCM2835_I2C_S_RXD) || i2c_dev->msg_buf_remaining) + i2c_dev->msg_err = BCM2835_I2C_S_LEN; + else + i2c_dev->msg_err = 0; +@@ -141,11 +141,16 @@ static irqreturn_t bcm2835_i2c_isr(int t + return IRQ_HANDLED; + } + +- if (val & BCM2835_I2C_S_TXD) { ++ if (val & BCM2835_I2C_S_TXW) { + bcm2835_fill_txfifo(i2c_dev); + return IRQ_HANDLED; + } + ++ if (val & BCM2835_I2C_S_RXR) { ++ bcm2835_drain_rxfifo(i2c_dev); ++ return IRQ_HANDLED; ++ } ++ + return IRQ_NONE; + } + +@@ -155,6 +160,7 @@ static int bcm2835_i2c_xfer_msg(struct b + u32 c; + unsigned long time_left; + ++ i2c_dev->curr_msg = msg; + i2c_dev->msg_buf = msg->buf; + i2c_dev->msg_buf_remaining = msg->len; + reinit_completion(&i2c_dev->completion); diff --git a/queue-4.9/mips-introduce-irq_stack.patch b/queue-4.9/mips-introduce-irq_stack.patch new file mode 100644 index 00000000000..edba749079a --- /dev/null +++ b/queue-4.9/mips-introduce-irq_stack.patch @@ -0,0 +1,95 @@ +From fe8bd18ffea5327344d4ec2bf11f47951212abd0 Mon Sep 17 00:00:00 2001 +From: Matt Redfearn +Date: Mon, 19 Dec 2016 14:20:56 +0000 +Subject: MIPS: Introduce irq_stack + +From: Matt Redfearn + +commit fe8bd18ffea5327344d4ec2bf11f47951212abd0 upstream. + +Allocate a per-cpu irq stack for use within interrupt handlers. + +Also add a utility function on_irq_stack to determine if a given stack +pointer is within the irq stack for that cpu. + +Signed-off-by: Matt Redfearn +Acked-by: Jason A. Donenfeld +Cc: Thomas Gleixner +Cc: Paolo Bonzini +Cc: Chris Metcalf +Cc: Petr Mladek +Cc: James Hogan +Cc: Paul Burton +Cc: Aaron Tomlin +Cc: Andrew Morton +Cc: linux-kernel@vger.kernel.org +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/14740/ +Signed-off-by: Ralf Baechle +Signed-off-by: Amit Pundir +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/include/asm/irq.h | 12 ++++++++++++ + arch/mips/kernel/asm-offsets.c | 1 + + arch/mips/kernel/irq.c | 11 +++++++++++ + 3 files changed, 24 insertions(+) + +--- a/arch/mips/include/asm/irq.h ++++ b/arch/mips/include/asm/irq.h +@@ -17,6 +17,18 @@ + + #include + ++#define IRQ_STACK_SIZE THREAD_SIZE ++ ++extern void *irq_stack[NR_CPUS]; ++ ++static inline bool on_irq_stack(int cpu, unsigned long sp) ++{ ++ unsigned long low = (unsigned long)irq_stack[cpu]; ++ unsigned long high = low + IRQ_STACK_SIZE; ++ ++ return (low <= sp && sp <= high); ++} ++ + #ifdef CONFIG_I8259 + static inline int irq_canonicalize(int irq) + { +--- a/arch/mips/kernel/asm-offsets.c ++++ b/arch/mips/kernel/asm-offsets.c +@@ -102,6 +102,7 @@ void output_thread_info_defines(void) + OFFSET(TI_REGS, thread_info, regs); + DEFINE(_THREAD_SIZE, THREAD_SIZE); + DEFINE(_THREAD_MASK, THREAD_MASK); ++ DEFINE(_IRQ_STACK_SIZE, IRQ_STACK_SIZE); + BLANK(); + } + +--- a/arch/mips/kernel/irq.c ++++ b/arch/mips/kernel/irq.c +@@ -25,6 +25,8 @@ + #include + #include + ++void *irq_stack[NR_CPUS]; ++ + /* + * 'what should we do if we get a hw irq event on an illegal vector'. + * each architecture has to answer this themselves. +@@ -58,6 +60,15 @@ void __init init_IRQ(void) + clear_c0_status(ST0_IM); + + arch_init_irq(); ++ ++ for_each_possible_cpu(i) { ++ int irq_pages = IRQ_STACK_SIZE / PAGE_SIZE; ++ void *s = (void *)__get_free_pages(GFP_KERNEL, irq_pages); ++ ++ irq_stack[i] = s; ++ pr_debug("CPU%d IRQ stack at 0x%p - 0x%p\n", i, ++ irq_stack[i], irq_stack[i] + IRQ_STACK_SIZE); ++ } + } + + #ifdef CONFIG_DEBUG_STACKOVERFLOW diff --git a/queue-4.9/mips-only-change-28-to-thread_info-if-coming-from-user-mode.patch b/queue-4.9/mips-only-change-28-to-thread_info-if-coming-from-user-mode.patch new file mode 100644 index 00000000000..574539b1a13 --- /dev/null +++ b/queue-4.9/mips-only-change-28-to-thread_info-if-coming-from-user-mode.patch @@ -0,0 +1,64 @@ +From 510d86362a27577f5ee23f46cfb354ad49731e61 Mon Sep 17 00:00:00 2001 +From: Matt Redfearn +Date: Mon, 19 Dec 2016 14:20:58 +0000 +Subject: MIPS: Only change $28 to thread_info if coming from user mode + +From: Matt Redfearn + +commit 510d86362a27577f5ee23f46cfb354ad49731e61 upstream. + +The SAVE_SOME macro is used to save the execution context on all +exceptions. +If an exception occurs while executing user code, the stack is switched +to the kernel's stack for the current task, and register $28 is switched +to point to the current_thread_info, which is at the bottom of the stack +region. +If the exception occurs while executing kernel code, the stack is left, +and this change ensures that register $28 is not updated. This is the +correct behaviour when the kernel can be executing on the separate irq +stack, because the thread_info will not be at the base of it. + +With this change, register $28 is only switched to it's kernel +conventional usage of the currrent thread info pointer at the point at +which execution enters kernel space. Doing it on every exception was +redundant, but OK without an IRQ stack, but will be erroneous once that +is introduced. + +Signed-off-by: Matt Redfearn +Acked-by: Jason A. Donenfeld +Cc: Thomas Gleixner +Cc: James Hogan +Cc: Paul Burton +Cc: linux-mips@linux-mips.org +Cc: linux-kernel@vger.kernel.org +Patchwork: https://patchwork.linux-mips.org/patch/14742/ +Signed-off-by: Ralf Baechle +Signed-off-by: Amit Pundir +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/include/asm/stackframe.h | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/arch/mips/include/asm/stackframe.h ++++ b/arch/mips/include/asm/stackframe.h +@@ -216,12 +216,19 @@ + LONG_S $25, PT_R25(sp) + LONG_S $28, PT_R28(sp) + LONG_S $31, PT_R31(sp) ++ ++ /* Set thread_info if we're coming from user mode */ ++ mfc0 k0, CP0_STATUS ++ sll k0, 3 /* extract cu0 bit */ ++ bltz k0, 9f ++ + ori $28, sp, _THREAD_MASK + xori $28, _THREAD_MASK + #ifdef CONFIG_CPU_CAVIUM_OCTEON + .set mips64 + pref 0, 0($28) /* Prefetch the current pointer */ + #endif ++9: + .set pop + .endm + diff --git a/queue-4.9/mips-stack-unwinding-while-on-irq-stack.patch b/queue-4.9/mips-stack-unwinding-while-on-irq-stack.patch new file mode 100644 index 00000000000..868cf18b4b6 --- /dev/null +++ b/queue-4.9/mips-stack-unwinding-while-on-irq-stack.patch @@ -0,0 +1,66 @@ +From d42d8d106b0275b027c1e8992c42aecf933436ea Mon Sep 17 00:00:00 2001 +From: Matt Redfearn +Date: Mon, 19 Dec 2016 14:20:57 +0000 +Subject: MIPS: Stack unwinding while on IRQ stack + +From: Matt Redfearn + +commit d42d8d106b0275b027c1e8992c42aecf933436ea upstream. + +Within unwind stack, check if the stack pointer being unwound is within +the CPU's irq_stack and if so use that page rather than the task's stack +page. + +Signed-off-by: Matt Redfearn +Acked-by: Jason A. Donenfeld +Cc: Thomas Gleixner +Cc: Adam Buchbinder +Cc: Maciej W. Rozycki +Cc: Marcin Nowakowski +Cc: Chris Metcalf +Cc: James Hogan +Cc: Paul Burton +Cc: Jiri Slaby +Cc: Andrew Morton +Cc: linux-mips@linux-mips.org +Cc: linux-kernel@vger.kernel.org +Patchwork: https://patchwork.linux-mips.org/patch/14741/ +Signed-off-by: Ralf Baechle +Signed-off-by: Amit Pundir +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/kernel/process.c | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +--- a/arch/mips/kernel/process.c ++++ b/arch/mips/kernel/process.c +@@ -33,6 +33,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -556,7 +557,19 @@ EXPORT_SYMBOL(unwind_stack_by_address); + unsigned long unwind_stack(struct task_struct *task, unsigned long *sp, + unsigned long pc, unsigned long *ra) + { +- unsigned long stack_page = (unsigned long)task_stack_page(task); ++ unsigned long stack_page = 0; ++ int cpu; ++ ++ for_each_possible_cpu(cpu) { ++ if (on_irq_stack(cpu, *sp)) { ++ stack_page = (unsigned long)irq_stack[cpu]; ++ break; ++ } ++ } ++ ++ if (!stack_page) ++ stack_page = (unsigned long)task_stack_page(task); ++ + return unwind_stack_by_address(stack_page, sp, pc, ra); + } + #endif diff --git a/queue-4.9/mtd-bcm47xxpart-fix-parsing-first-block-after-aligned-trx.patch b/queue-4.9/mtd-bcm47xxpart-fix-parsing-first-block-after-aligned-trx.patch new file mode 100644 index 00000000000..f89260cd2a6 --- /dev/null +++ b/queue-4.9/mtd-bcm47xxpart-fix-parsing-first-block-after-aligned-trx.patch @@ -0,0 +1,47 @@ +From bd5d21310133921021d78995ad6346f908483124 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= +Date: Sun, 20 Nov 2016 16:09:30 +0100 +Subject: mtd: bcm47xxpart: fix parsing first block after aligned TRX +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rafał Miłecki + +commit bd5d21310133921021d78995ad6346f908483124 upstream. + +After parsing TRX we should skip to the first block placed behind it. +Our code was working only with TRX with length not aligned to the +blocksize. In other cases (length aligned) it was missing the block +places right after TRX. + +This fixes calculation and simplifies the comment. + +Signed-off-by: Rafał Miłecki +Signed-off-by: Brian Norris +Signed-off-by: Amit Pundir +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/bcm47xxpart.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +--- a/drivers/mtd/bcm47xxpart.c ++++ b/drivers/mtd/bcm47xxpart.c +@@ -229,12 +229,10 @@ static int bcm47xxpart_parse(struct mtd_ + + last_trx_part = curr_part - 1; + +- /* +- * We have whole TRX scanned, skip to the next part. Use +- * roundown (not roundup), as the loop will increase +- * offset in next step. +- */ +- offset = rounddown(offset + trx->length, blocksize); ++ /* Jump to the end of TRX */ ++ offset = roundup(offset + trx->length, blocksize); ++ /* Next loop iteration will increase the offset */ ++ offset -= blocksize; + continue; + } + diff --git a/queue-4.9/rt2x00-fix-incorrect-usage-of-config_rt2x00_lib_usb.patch b/queue-4.9/rt2x00-fix-incorrect-usage-of-config_rt2x00_lib_usb.patch new file mode 100644 index 00000000000..c038c9983ae --- /dev/null +++ b/queue-4.9/rt2x00-fix-incorrect-usage-of-config_rt2x00_lib_usb.patch @@ -0,0 +1,35 @@ +From a083c8fd277b4122c804f18ec8c84165f345c71c Mon Sep 17 00:00:00 2001 +From: Vishal Thanki +Date: Wed, 16 Nov 2016 17:01:54 +0100 +Subject: rt2x00: Fix incorrect usage of CONFIG_RT2X00_LIB_USB + +From: Vishal Thanki + +commit a083c8fd277b4122c804f18ec8c84165f345c71c upstream. + +In device removal routine, usage of "#ifdef CONFIG_RT2X00_LIB_USB" +will not cover the case when it is configured as module. This will +omit the entire if-block which does cleanup of URBs and cancellation +of pending work. Changing the #ifdef to #if IS_ENABLED() to fix it. + +Signed-off-by: Vishal Thanki +Acked-by: Stanislaw Gruszka +Signed-off-by: Kalle Valo +Signed-off-by: Amit Pundir +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/ralink/rt2x00/rt2x00dev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/wireless/ralink/rt2x00/rt2x00dev.c ++++ b/drivers/net/wireless/ralink/rt2x00/rt2x00dev.c +@@ -1422,7 +1422,7 @@ void rt2x00lib_remove_dev(struct rt2x00_ + cancel_work_sync(&rt2x00dev->intf_work); + cancel_delayed_work_sync(&rt2x00dev->autowakeup_work); + cancel_work_sync(&rt2x00dev->sleep_work); +-#ifdef CONFIG_RT2X00_LIB_USB ++#if IS_ENABLED(CONFIG_RT2X00_LIB_USB) + if (rt2x00_is_usb(rt2x00dev)) { + usb_kill_anchored_urbs(rt2x00dev->anchor); + hrtimer_cancel(&rt2x00dev->txstatus_timer); diff --git a/queue-4.9/rt2x00usb-do-not-anchor-rx-and-tx-urb-s.patch b/queue-4.9/rt2x00usb-do-not-anchor-rx-and-tx-urb-s.patch new file mode 100644 index 00000000000..ddf21494269 --- /dev/null +++ b/queue-4.9/rt2x00usb-do-not-anchor-rx-and-tx-urb-s.patch @@ -0,0 +1,63 @@ +From 93c7018ec16bb83399dd4db61c361a6d6aba0d5a Mon Sep 17 00:00:00 2001 +From: Stanislaw Gruszka +Date: Wed, 8 Feb 2017 12:18:09 +0100 +Subject: rt2x00usb: do not anchor rx and tx urb's + +From: Stanislaw Gruszka + +commit 93c7018ec16bb83399dd4db61c361a6d6aba0d5a upstream. + +We might kill TX or RX urb during rt2x00usb_flush_entry(), what can +cause anchor list corruption like shown below: + +[ 2074.035633] WARNING: CPU: 2 PID: 14480 at lib/list_debug.c:33 __list_add+0xac/0xc0 +[ 2074.035634] list_add corruption. prev->next should be next (ffff88020f362c28), but was dead000000000100. (prev=ffff8801d161bb70). + +[ 2074.035670] Call Trace: +[ 2074.035672] [] dump_stack+0x63/0x8c +[ 2074.035674] [] __warn+0xd1/0xf0 +[ 2074.035676] [] warn_slowpath_fmt+0x5f/0x80 +[ 2074.035678] [] ? rt2x00usb_register_write_lock+0x3d/0x60 [rt2800usb] +[ 2074.035679] [] __list_add+0xac/0xc0 +[ 2074.035681] [] usb_anchor_urb+0x4c/0xa0 +[ 2074.035683] [] rt2x00usb_kick_rx_entry+0xaf/0x100 [rt2x00usb] +[ 2074.035684] [] rt2x00usb_clear_entry+0x22/0x30 [rt2x00usb] + +To fix do not anchor TX and RX urb's, it is not needed as during +shutdown we kill those urbs in rt2x00usb_free_entries(). + +Cc: Vishal Thanki +Fixes: 8b4c0009313f ("rt2x00usb: Use usb anchor to manage URB") +Signed-off-by: Stanislaw Gruszka +Signed-off-by: Kalle Valo +Signed-off-by: Amit Pundir +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/ralink/rt2x00/rt2x00usb.c | 4 ---- + 1 file changed, 4 deletions(-) + +--- a/drivers/net/wireless/ralink/rt2x00/rt2x00usb.c ++++ b/drivers/net/wireless/ralink/rt2x00/rt2x00usb.c +@@ -319,10 +319,8 @@ static bool rt2x00usb_kick_tx_entry(stru + entry->skb->data, length, + rt2x00usb_interrupt_txdone, entry); + +- usb_anchor_urb(entry_priv->urb, rt2x00dev->anchor); + status = usb_submit_urb(entry_priv->urb, GFP_ATOMIC); + if (status) { +- usb_unanchor_urb(entry_priv->urb); + if (status == -ENODEV) + clear_bit(DEVICE_STATE_PRESENT, &rt2x00dev->flags); + set_bit(ENTRY_DATA_IO_FAILED, &entry->flags); +@@ -410,10 +408,8 @@ static bool rt2x00usb_kick_rx_entry(stru + entry->skb->data, entry->skb->len, + rt2x00usb_interrupt_rxdone, entry); + +- usb_anchor_urb(entry_priv->urb, rt2x00dev->anchor); + status = usb_submit_urb(entry_priv->urb, GFP_ATOMIC); + if (status) { +- usb_unanchor_urb(entry_priv->urb); + if (status == -ENODEV) + clear_bit(DEVICE_STATE_PRESENT, &rt2x00dev->flags); + set_bit(ENTRY_DATA_IO_FAILED, &entry->flags); diff --git a/queue-4.9/rt2x00usb-fix-anchor-initialization.patch b/queue-4.9/rt2x00usb-fix-anchor-initialization.patch new file mode 100644 index 00000000000..bde6331e02c --- /dev/null +++ b/queue-4.9/rt2x00usb-fix-anchor-initialization.patch @@ -0,0 +1,77 @@ +From 0488a6121dfe6cbd44de15ea3627913b7549a1e9 Mon Sep 17 00:00:00 2001 +From: Stanislaw Gruszka +Date: Wed, 8 Feb 2017 12:18:10 +0100 +Subject: rt2x00usb: fix anchor initialization + +From: Stanislaw Gruszka + +commit 0488a6121dfe6cbd44de15ea3627913b7549a1e9 upstream. + +If device fail to initialize we can OOPS in rt2x00lib_remove_dev(), due +to using uninitialized usb_anchor structure: + +[ 855.435820] ieee80211 phy3: rt2x00usb_vendor_request: Error - Vendor Request 0x07 failed for offset 0x1000 with error -19 +[ 855.435826] ieee80211 phy3: rt2800_probe_rt: Error - Invalid RT chipset 0x0000, rev 0000 detected +[ 855.435829] ieee80211 phy3: rt2x00lib_probe_dev: Error - Failed to allocate device +[ 855.435845] BUG: unable to handle kernel NULL pointer dereference at 0000000000000028 +[ 855.435900] IP: _raw_spin_lock_irq+0xd/0x30 +[ 855.435926] PGD 0 +[ 855.435953] Oops: 0002 [#1] SMP + +[ 855.437011] Call Trace: +[ 855.437029] ? usb_kill_anchored_urbs+0x27/0xc0 +[ 855.437061] rt2x00lib_remove_dev+0x190/0x1c0 [rt2x00lib] +[ 855.437097] rt2x00lib_probe_dev+0x246/0x7a0 [rt2x00lib] +[ 855.437149] ? ieee80211_roc_setup+0x9e/0xd0 [mac80211] +[ 855.437183] ? __kmalloc+0x1af/0x1f0 +[ 855.437207] ? rt2x00usb_probe+0x13d/0xc50 [rt2x00usb] +[ 855.437240] rt2x00usb_probe+0x155/0xc50 [rt2x00usb] +[ 855.437273] rt2800usb_probe+0x15/0x20 [rt2800usb] +[ 855.437304] usb_probe_interface+0x159/0x2d0 +[ 855.437333] driver_probe_device+0x2bb/0x460 + +Patch changes initialization sequence to fix the problem. + +Cc: Vishal Thanki +Fixes: 8b4c0009313f ("rt2x00usb: Use usb anchor to manage URB") +Signed-off-by: Stanislaw Gruszka +Signed-off-by: Kalle Valo +Cc: Signed-off-by: Amit Pundir +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/ralink/rt2x00/rt2x00usb.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +--- a/drivers/net/wireless/ralink/rt2x00/rt2x00usb.c ++++ b/drivers/net/wireless/ralink/rt2x00/rt2x00usb.c +@@ -824,10 +824,6 @@ int rt2x00usb_probe(struct usb_interface + if (retval) + goto exit_free_device; + +- retval = rt2x00lib_probe_dev(rt2x00dev); +- if (retval) +- goto exit_free_reg; +- + rt2x00dev->anchor = devm_kmalloc(&usb_dev->dev, + sizeof(struct usb_anchor), + GFP_KERNEL); +@@ -835,10 +831,17 @@ int rt2x00usb_probe(struct usb_interface + retval = -ENOMEM; + goto exit_free_reg; + } +- + init_usb_anchor(rt2x00dev->anchor); ++ ++ retval = rt2x00lib_probe_dev(rt2x00dev); ++ if (retval) ++ goto exit_free_anchor; ++ + return 0; + ++exit_free_anchor: ++ usb_kill_anchored_urbs(rt2x00dev->anchor); ++ + exit_free_reg: + rt2x00usb_free_reg(rt2x00dev); + diff --git a/queue-4.9/series b/queue-4.9/series index 01e8b567b38..541cd5cf0e4 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -8,3 +8,11 @@ drm-i915-avoid-rcu_barrier-from-reclaim-paths-shrinker.patch orangefs-fix-memory-leak-of-string-new-on-exit-path.patch orangefs-dan-carpenter-influenced-cleanups.patch orangefs-fix-buffer-size-mis-match-between-kernel-space-and-user-space.patch +i2c-bcm2835-fix-hang-for-writing-messages-larger-than-16-bytes.patch +rt2x00usb-fix-anchor-initialization.patch +rt2x00usb-do-not-anchor-rx-and-tx-urb-s.patch +rt2x00-fix-incorrect-usage-of-config_rt2x00_lib_usb.patch +mtd-bcm47xxpart-fix-parsing-first-block-after-aligned-trx.patch +mips-introduce-irq_stack.patch +mips-stack-unwinding-while-on-irq-stack.patch +mips-only-change-28-to-thread_info-if-coming-from-user-mode.patch