From: Greg Kroah-Hartman Date: Tue, 16 May 2017 10:37:00 +0000 (+0200) Subject: 3.18-stable patches X-Git-Tag: v3.18.54~39 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4bad4efa74189a339adbf145d32cff3f0b15b207;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18-stable patches added patches: staging-comedi-jr3_pci-cope-with-jiffies-wraparound.patch staging-comedi-jr3_pci-fix-possible-null-pointer-dereference.patch staging-gdm724x-gdm_mux-fix-use-after-free-on-module-unload.patch staging-vt6656-use-off-stack-for-in-buffer-usb-transfers.patch staging-vt6656-use-off-stack-for-out-buffer-usb-transfers.patch target-fileio-fix-zero-length-read-and-write-handling.patch usb-host-xhci-print-correct-command-ring-address.patch usb-hub-do-not-attempt-to-autosuspend-disconnected-devices.patch usb-misc-add-missing-continue-in-switch.patch usb-misc-legousbtower-fix-buffers-on-stack.patch usb-proper-handling-of-race-condition-when-two-usb-class-drivers-try-to-call-init_usb_class-simultaneously.patch usb-serial-ftdi_sio-add-device-id-for-microsemi-arrow-sf2plus-dev-kit.patch
---
diff --git a/queue-3.18/series b/queue-3.18/series
index e69de29bb2d..72a304988ea 100644
--- a/queue-3.18/series
+++ b/queue-3.18/series
@@ -0,0 +1,12 @@
+target-fileio-fix-zero-length-read-and-write-handling.patch
+usb-host-xhci-print-correct-command-ring-address.patch
+usb-serial-ftdi_sio-add-device-id-for-microsemi-arrow-sf2plus-dev-kit.patch
+usb-proper-handling-of-race-condition-when-two-usb-class-drivers-try-to-call-init_usb_class-simultaneously.patch
+staging-vt6656-use-off-stack-for-in-buffer-usb-transfers.patch
+staging-vt6656-use-off-stack-for-out-buffer-usb-transfers.patch
+staging-gdm724x-gdm_mux-fix-use-after-free-on-module-unload.patch
+staging-comedi-jr3_pci-fix-possible-null-pointer-dereference.patch
+staging-comedi-jr3_pci-cope-with-jiffies-wraparound.patch
+usb-misc-add-missing-continue-in-switch.patch
+usb-hub-do-not-attempt-to-autosuspend-disconnected-devices.patch
+usb-misc-legousbtower-fix-buffers-on-stack.patch
diff --git a/queue-3.18/staging-comedi-jr3_pci-cope-with-jiffies-wraparound.patch b/queue-3.18/staging-comedi-jr3_pci-cope-with-jiffies-wraparound.patch
new file mode 100644
index 00000000000..a2837f4b136
--- /dev/null
+++ b/queue-3.18/staging-comedi-jr3_pci-cope-with-jiffies-wraparound.patch
@@ -0,0 +1,34 @@
+From 8ec04a491825e08068e92bed0bba7821893b6433 Mon Sep 17 00:00:00 2001
+From: Ian Abbott
+Date: Fri, 17 Feb 2017 11:09:09 +0000
+Subject: staging: comedi: jr3_pci: cope with jiffies wraparound
+
+From: Ian Abbott
+
+commit 8ec04a491825e08068e92bed0bba7821893b6433 upstream.
+
+The timer expiry routine `jr3_pci_poll_dev()` checks for expiry by
+checking whether the absolute value of `jiffies` (stored in local
+variable `now`) is greater than the expected expiry time in jiffy units.
+This will fail when `jiffies` wraps around. Also, it seems to make
+sense to handle the expiry one jiffy earlier than the current test. Use
+`time_after_eq()` to check for expiry.
+
+Signed-off-by: Ian Abbott
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/staging/comedi/drivers/jr3_pci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/comedi/drivers/jr3_pci.c
++++ b/drivers/staging/comedi/drivers/jr3_pci.c
+@@ -611,7 +611,7 @@ static void jr3_pci_poll_dev(unsigned lo
+ s = &dev->subdevices[i];
+ spriv = s->private;
+
+- if (now > spriv->next_time_min) {
++ if (time_after_eq(now, spriv->next_time_min)) {
+ struct jr3_pci_poll_delay sub_delay;
+
+ sub_delay = jr3_pci_poll_subdevice(s);
diff --git a/queue-3.18/staging-comedi-jr3_pci-fix-possible-null-pointer-dereference.patch b/queue-3.18/staging-comedi-jr3_pci-fix-possible-null-pointer-dereference.patch
new file mode 100644
index 00000000000..4f00f0c834c
--- /dev/null
+++ b/queue-3.18/staging-comedi-jr3_pci-fix-possible-null-pointer-dereference.patch
@@ -0,0 +1,51 @@
+From 45292be0b3db0b7f8286683b376e2d9f949d11f9 Mon Sep 17 00:00:00 2001
+From: Ian Abbott
+Date: Fri, 17 Feb 2017 11:09:08 +0000
+Subject: staging: comedi: jr3_pci: fix possible null pointer dereference
+
+From: Ian Abbott
+
+commit 45292be0b3db0b7f8286683b376e2d9f949d11f9 upstream.
+
+For some reason, the driver does not consider allocation of the
+subdevice private data to be a fatal error when attaching the COMEDI
+device. It tests the subdevice private data pointer for validity at
+certain points, but omits some crucial tests. In particular,
+`jr3_pci_auto_attach()` calls `jr3_pci_alloc_spriv()` to allocate and
+initialize the subdevice private data, but the same function
+subsequently dereferences the pointer to access the `next_time_min` and
+`next_time_max` members without checking it first. The other missing
+test is in the timer expiry routine `jr3_pci_poll_dev()`, but it will
+crash before it gets that far.
+
+Fix the bug by returning `-ENOMEM` from `jr3_pci_auto_attach()` as soon
+as one of the calls to `jr3_pci_alloc_spriv()` returns `NULL`. The
+COMEDI core will subsequently call `jr3_pci_detach()` to clean up.
+
+Signed-off-by: Ian Abbott
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/staging/comedi/drivers/jr3_pci.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/drivers/staging/comedi/drivers/jr3_pci.c
++++ b/drivers/staging/comedi/drivers/jr3_pci.c
+@@ -729,11 +729,12 @@ static int jr3_pci_auto_attach(struct co
+ s->insn_read = jr3_pci_ai_insn_read;
+
+ spriv = jr3_pci_alloc_spriv(dev, s);
+- if (spriv) {
+- /* Channel specific range and maxdata */
+- s->range_table_list = spriv->range_table_list;
+- s->maxdata_list = spriv->maxdata_list;
+- }
++ if (!spriv)
++ return -ENOMEM;
++
++ /* Channel specific range and maxdata */
++ s->range_table_list = spriv->range_table_list;
++ s->maxdata_list = spriv->maxdata_list;
+ }
+
+ /* Reset DSP card */
diff --git a/queue-3.18/staging-gdm724x-gdm_mux-fix-use-after-free-on-module-unload.patch b/queue-3.18/staging-gdm724x-gdm_mux-fix-use-after-free-on-module-unload.patch
new file mode 100644
index 00000000000..8e9f64e50e7
--- /dev/null
+++ b/queue-3.18/staging-gdm724x-gdm_mux-fix-use-after-free-on-module-unload.patch
@@ -0,0 +1,40 @@
+From b58f45c8fc301fe83ee28cad3e64686c19e78f1c Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Wed, 26 Apr 2017 12:23:04 +0200
+Subject: staging: gdm724x: gdm_mux: fix use-after-free on module unload
+
+From: Johan Hovold
+
+commit b58f45c8fc301fe83ee28cad3e64686c19e78f1c upstream.
+
+Make sure to deregister the USB driver before releasing the tty driver
+to avoid use-after-free in the USB disconnect callback where the tty
+devices are deregistered.
+
+Fixes: 61e121047645 ("staging: gdm7240: adding LTE USB driver")
+Cc: Won Kang
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/staging/gdm724x/gdm_mux.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/staging/gdm724x/gdm_mux.c
++++ b/drivers/staging/gdm724x/gdm_mux.c
+@@ -674,14 +674,13 @@ static int __init gdm_usb_mux_init(void)
+
+ static void __exit gdm_usb_mux_exit(void)
+ {
+- unregister_lte_tty_driver();
+-
+ if (mux_rx_wq) {
+ flush_workqueue(mux_rx_wq);
+ destroy_workqueue(mux_rx_wq);
+ }
+
+ usb_deregister(&gdm_mux_driver);
++ unregister_lte_tty_driver();
+ }
+
+ module_init(gdm_usb_mux_init);
diff --git a/queue-3.18/staging-vt6656-use-off-stack-for-in-buffer-usb-transfers.patch b/queue-3.18/staging-vt6656-use-off-stack-for-in-buffer-usb-transfers.patch
new file mode 100644
index 00000000000..016e0364d56
--- /dev/null
+++ b/queue-3.18/staging-vt6656-use-off-stack-for-in-buffer-usb-transfers.patch
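Review bot: In gdm_usb_mux_exit() the workqueue is still flushed and destroyed before `usb_deregister(&gdm_mux_driver)`, so the USB driver stays bound while `mux_rx_wq` goes away. If a receive completion can still queue work on `mux_rx_wq` at that point (the queuing site is outside this hunk, so this is an inference), a use-after-free of the same kind the patch fixes for the tty driver would remain for the workqueue. Calling `usb_deregister(&gdm_mux_driver);` first, then tearing down the workqueue, then `unregister_lte_tty_driver();` would close that window.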
@@ -0,0 +1,54 @@
+From 05c0cf88bec588a7cb34de569acd871ceef26760 Mon Sep 17 00:00:00 2001
+From: Malcolm Priestley
+Date: Sat, 22 Apr 2017 11:14:58 +0100
+Subject: staging: vt6656: use off stack for in buffer USB transfers.
+
+From: Malcolm Priestley
+
+commit 05c0cf88bec588a7cb34de569acd871ceef26760 upstream.
+
+Since 4.9 mandated USB buffers to be heap allocated. This causes
+the driver to fail.
+
+Create buffer for USB transfers.
+
+Signed-off-by: Malcolm Priestley
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/staging/vt6656/usbpipe.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+--- a/drivers/staging/vt6656/usbpipe.c
++++ b/drivers/staging/vt6656/usbpipe.c
+@@ -78,15 +78,28 @@ int vnt_control_in(struct vnt_private *p
+ u16 index, u16 length, u8 *buffer)
+ {
+ int status;
++ u8 *usb_buffer;
+
+ if (test_bit(DEVICE_FLAGS_DISCONNECTED, &priv->flags))
+ return STATUS_FAILURE;
+
+ mutex_lock(&priv->usb_lock);
+
++ usb_buffer = kmalloc(length, GFP_KERNEL);
++ if (!usb_buffer) {
++ mutex_unlock(&priv->usb_lock);
++ return -ENOMEM;
++ }
++
+ status = usb_control_msg(priv->usb,
+- usb_rcvctrlpipe(priv->usb, 0), request, 0xc0, value,
+- index, buffer, length, USB_CTL_WAIT);
++ usb_rcvctrlpipe(priv->usb, 0),
++ request, 0xc0, value,
++ index, usb_buffer, length, USB_CTL_WAIT);
++
++ if (status == length)
++ memcpy(buffer, usb_buffer, length);
++
++ kfree(usb_buffer);
+
+ mutex_unlock(&priv->usb_lock);
+
diff --git a/queue-3.18/staging-vt6656-use-off-stack-for-out-buffer-usb-transfers.patch b/queue-3.18/staging-vt6656-use-off-stack-for-out-buffer-usb-transfers.patch
new file mode 100644
index 00000000000..dce28658354
--- /dev/null
+++ b/queue-3.18/staging-vt6656-use-off-stack-for-out-buffer-usb-transfers.patch
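Review bot: vnt_control_in() now copies into the caller's `buffer` only when `status == length`, so after a short or failed transfer the caller's buffer keeps whatever it held before. The rest of the function is outside the hunk, so it is not visible here whether every such case is returned as a failure; that, and whether callers check the result before reading `buffer`, is worth confirming. The new `return -ENOMEM;` also sits next to `return STATUS_FAILURE;` in the same function, so callers now see two error conventions. Doing the allocation before `mutex_lock(&priv->usb_lock)` would remove the unlock from the error path; these last two remarks apply equally to the `kmemdup()` in vnt_control_out() in the next patch.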
@@ -0,0 +1,52 @@
+From 12ecd24ef93277e4e5feaf27b0b18f2d3828bc5e Mon Sep 17 00:00:00 2001
+From: Malcolm Priestley
+Date: Sat, 22 Apr 2017 11:14:57 +0100
+Subject: staging: vt6656: use off stack for out buffer USB transfers.
+
+From: Malcolm Priestley
+
+commit 12ecd24ef93277e4e5feaf27b0b18f2d3828bc5e upstream.
+
+Since 4.9 mandated USB buffers be heap allocated this causes the driver
+to fail.
+
+Since there is a wide range of buffer sizes use kmemdup to create
+allocated buffer.
+
+Signed-off-by: Malcolm Priestley
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/staging/vt6656/usbpipe.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+--- a/drivers/staging/vt6656/usbpipe.c
++++ b/drivers/staging/vt6656/usbpipe.c
+@@ -50,15 +50,25 @@ int vnt_control_out(struct vnt_private *
+ u16 index, u16 length, u8 *buffer)
+ {
+ int status = 0;
++ u8 *usb_buffer;
+
+ if (test_bit(DEVICE_FLAGS_DISCONNECTED, &priv->flags))
+ return STATUS_FAILURE;
+
+ mutex_lock(&priv->usb_lock);
+
++ usb_buffer = kmemdup(buffer, length, GFP_KERNEL);
++ if (!usb_buffer) {
++ mutex_unlock(&priv->usb_lock);
++ return -ENOMEM;
++ }
++
+ status = usb_control_msg(priv->usb,
+- usb_sndctrlpipe(priv->usb, 0), request, 0x40, value,
+- index, buffer, length, USB_CTL_WAIT);
++ usb_sndctrlpipe(priv->usb, 0),
++ request, 0x40, value,
++ index, usb_buffer, length, USB_CTL_WAIT);
++
++ kfree(usb_buffer);
+
+ mutex_unlock(&priv->usb_lock);
+
diff --git a/queue-3.18/target-fileio-fix-zero-length-read-and-write-handling.patch b/queue-3.18/target-fileio-fix-zero-length-read-and-write-handling.patch
new file mode 100644
index 00000000000..4a73cc7df31
--- /dev/null
+++ b/queue-3.18/target-fileio-fix-zero-length-read-and-write-handling.patch
@@ -0,0 +1,50 @@
+From 59ac9c078141b8fd0186c0b18660a1b2c24e724e Mon Sep 17 00:00:00 2001
+From: Bart Van Assche
+Date: Thu, 4 May 2017 15:50:47 -0700
+Subject: target/fileio: Fix zero-length READ and WRITE handling
+
+From: Bart Van Assche
+
+commit 59ac9c078141b8fd0186c0b18660a1b2c24e724e upstream.
+
+This patch fixes zero-length READ and WRITE handling in target/FILEIO,
+which was broken a long time back by:
+
+Since:
+
+ commit d81cb44726f050d7cf1be4afd9cb45d153b52066
+ Author: Paolo Bonzini
+ Date: Mon Sep 17 16:36:11 2012 -0700
+
+ target: go through normal processing for all zero-length commands
+
+which moved zero-length READ and WRITE completion out of target-core,
+to doing submission into backend driver code.
+
+To address this, go ahead and invoke target_complete_cmd() for any
+non negative return value in fd_do_rw().
+
+Signed-off-by: Bart Van Assche
+Reviewed-by: Hannes Reinecke
+Reviewed-by: Christoph Hellwig
+Cc: Andy Grover
+Cc: David Disseldorp
+Signed-off-by: Nicholas Bellinger
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/target/target_core_file.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/target/target_core_file.c
++++ b/drivers/target/target_core_file.c
+@@ -760,8 +760,7 @@ fd_execute_rw(struct se_cmd *cmd, struct
+ return TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE;
+ }
+
+- if (ret)
+- target_complete_cmd(cmd, SAM_STAT_GOOD);
++ target_complete_cmd(cmd, SAM_STAT_GOOD);
+ return 0;
+ }
+
diff --git a/queue-3.18/usb-host-xhci-print-correct-command-ring-address.patch b/queue-3.18/usb-host-xhci-print-correct-command-ring-address.patch
new file mode 100644
index 00000000000..25178ba3f02
--- /dev/null
+++ b/queue-3.18/usb-host-xhci-print-correct-command-ring-address.patch
@@ -0,0 +1,30 @@
+From 6fc091fb0459ade939a795bfdcaf645385b951d4 Mon Sep 17 00:00:00 2001
+From: Peter Chen
+Date: Wed, 19 Apr 2017 16:55:52 +0300
+Subject: usb: host: xhci: print correct command ring address
+
+From: Peter Chen
+
+commit 6fc091fb0459ade939a795bfdcaf645385b951d4 upstream.
+
+Print correct command ring address using 'val_64'.
+
+Signed-off-by: Peter Chen
+Signed-off-by: Mathias Nyman
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/host/xhci-mem.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/host/xhci-mem.c
++++ b/drivers/usb/host/xhci-mem.c
+@@ -2428,7 +2428,7 @@ int xhci_mem_init(struct xhci_hcd *xhci,
+ (xhci->cmd_ring->first_seg->dma & (u64) ~CMD_RING_RSVD_BITS) |
+ xhci->cmd_ring->cycle_state;
+ xhci_dbg_trace(xhci, trace_xhci_dbg_init,
+- "// Setting command ring address to 0x%x", val);
++ "// Setting command ring address to 0x%016llx", val_64);
+ xhci_write_64(xhci, val_64, &xhci->op_regs->cmd_ring);
+ xhci_dbg_cmd_ptrs(xhci);
+
diff --git a/queue-3.18/usb-hub-do-not-attempt-to-autosuspend-disconnected-devices.patch b/queue-3.18/usb-hub-do-not-attempt-to-autosuspend-disconnected-devices.patch
new file mode 100644
index 00000000000..7e71a77fc01
--- /dev/null
+++ b/queue-3.18/usb-hub-do-not-attempt-to-autosuspend-disconnected-devices.patch
@@ -0,0 +1,103 @@
+From f5cccf49428447dfbc9edb7a04bb8fc316269781 Mon Sep 17 00:00:00 2001
+From: Guenter Roeck
+Date: Mon, 20 Mar 2017 14:30:50 -0700
+Subject: usb: hub: Do not attempt to autosuspend disconnected devices
+
+From: Guenter Roeck
+
+commit f5cccf49428447dfbc9edb7a04bb8fc316269781 upstream.
+
+While running a bind/unbind stress test with the dwc3 usb driver on rk3399,
+the following crash was observed.
+
+Unable to handle kernel NULL pointer dereference at virtual address 00000218
+pgd = ffffffc00165f000
+[00000218] *pgd=000000000174f003, *pud=000000000174f003,
+ *pmd=0000000001750003, *pte=00e8000001751713
+Internal error: Oops: 96000005 [#1] PREEMPT SMP
+Modules linked in: uinput uvcvideo videobuf2_vmalloc cmac
+ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat rfcomm
+xt_mark fuse bridge stp llc zram btusb btrtl btbcm btintel bluetooth
+ip6table_filter mwifiex_pcie mwifiex cfg80211 cdc_ether usbnet r8152 mii joydev
+snd_seq_midi snd_seq_midi_event snd_rawmidi snd_seq snd_seq_device ppp_async
+ppp_generic slhc tun
+CPU: 1 PID: 29814 Comm: kworker/1:1 Not tainted 4.4.52 #507
+Hardware name: Google Kevin (DT)
+Workqueue: pm pm_runtime_work
+task: ffffffc0ac540000 ti: ffffffc0af4d4000 task.ti: ffffffc0af4d4000
+PC is at autosuspend_check+0x74/0x174
+LR is at autosuspend_check+0x70/0x174
+...
+Call trace:
+[] autosuspend_check+0x74/0x174
+[] usb_runtime_idle+0x20/0x40
+[] __rpm_callback+0x48/0x7c
+[] rpm_idle+0x1e8/0x498
+[] pm_runtime_work+0x88/0xcc
+[] process_one_work+0x390/0x6b8
+[] worker_thread+0x480/0x610
+[] kthread+0x164/0x178
+[] ret_from_fork+0x10/0x40
+
+Source:
+
+(gdb) l *0xffffffc00080dcc0
+0xffffffc00080dcc0 is in autosuspend_check
+(drivers/usb/core/driver.c:1778).
+1773 /* We don't need to check interfaces that are
+1774 * disabled for runtime PM. Either they are unbound
+1775 * or else their drivers don't support autosuspend
+1776 * and so they are permanently active.
+1777 */
+1778 if (intf->dev.power.disable_depth)
+1779 continue;
+1780 if (atomic_read(&intf->dev.power.usage_count) > 0)
+1781 return -EBUSY;
+1782 w |= intf->needs_remote_wakeup;
+
+Code analysis shows that intf is set to NULL in usb_disable_device() prior
+to setting actconfig to NULL. At the same time, usb_runtime_idle() does not
+lock the usb device, and neither does any of the functions in the
+traceback. This means that there is no protection against a race condition
+where usb_disable_device() is removing dev->actconfig->interface[] pointers
+while those are being accessed from autosuspend_check().
+
+To solve the problem, synchronize and validate device state between
+autosuspend_check() and usb_disconnect().
+
+Acked-by: Alan Stern
+Signed-off-by: Guenter Roeck
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/core/driver.c | 3 +++
+ drivers/usb/core/hub.c | 6 ++++++
+ 2 files changed, 9 insertions(+)
+
+--- a/drivers/usb/core/driver.c
++++ b/drivers/usb/core/driver.c
+@@ -1757,6 +1757,9 @@ static int autosuspend_check(struct usb_
+ int w, i;
+ struct usb_interface *intf;
+
++ if (udev->state == USB_STATE_NOTATTACHED)
++ return -ENODEV;
++
+ /* Fail if autosuspend is disabled, or any interfaces are in use, or
+ * any interface drivers require remote wakeup but it isn't available.
+ */
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -2100,6 +2100,12 @@ void usb_disconnect(struct usb_device **
+ dev_info(&udev->dev, "USB disconnect, device number %d\n",
+ udev->devnum);
+
++ /*
++ * Ensure that the pm runtime code knows that the USB device
++ * is in the process of being disconnected.
++ */
++ pm_runtime_barrier(&udev->dev);
++
+ usb_lock_device(udev);
+
+ hub_disconnect_children(udev);
diff --git a/queue-3.18/usb-misc-add-missing-continue-in-switch.patch b/queue-3.18/usb-misc-add-missing-continue-in-switch.patch
new file mode 100644
index 00000000000..a8841b92263
--- /dev/null
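Review bot: The added `udev->state == USB_STATE_NOTATTACHED` test in autosuspend_check() carries no comment, and it is an unlocked read whose safety depends on the `pm_runtime_barrier()` added to usb_disconnect() in the second hunk. The place where the state becomes USB_STATE_NOTATTACHED is outside both hunks, so the required ordering (state change first, barrier second) cannot be confirmed from here. A comment above the test would record the pairing for the next reader, e.g. `/* Pairs with pm_runtime_barrier() in usb_disconnect(); interface pointers may be going away */`.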
+++ b/queue-3.18/usb-misc-add-missing-continue-in-switch.patch
@@ -0,0 +1,30 @@
+From 2c930e3d0aed1505e86e0928d323df5027817740 Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva"
+Date: Mon, 3 Apr 2017 22:48:40 -0500
+Subject: usb: misc: add missing continue in switch
+
+From: Gustavo A. R. Silva
+
+commit 2c930e3d0aed1505e86e0928d323df5027817740 upstream.
+
+Add missing continue in switch.
+
+Addresses-Coverity-ID: 1248733
+Signed-off-by: Gustavo A. R. Silva
+Acked-by: Alan Stern
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/misc/usbtest.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/misc/usbtest.c
++++ b/drivers/usb/misc/usbtest.c
+@@ -133,6 +133,7 @@ get_endpoints(struct usbtest_dev *dev, s
+ case USB_ENDPOINT_XFER_INT:
+ if (dev->info->intr)
+ goto try_intr;
++ continue;
+ case USB_ENDPOINT_XFER_ISOC:
+ if (dev->info->iso)
+ goto try_iso;
diff --git a/queue-3.18/usb-misc-legousbtower-fix-buffers-on-stack.patch b/queue-3.18/usb-misc-legousbtower-fix-buffers-on-stack.patch
new file mode 100644
index 00000000000..1aee5fd876c
--- /dev/null
+++ b/queue-3.18/usb-misc-legousbtower-fix-buffers-on-stack.patch
@@ -0,0 +1,115 @@
+From 942a48730faf149ccbf3e12ac718aee120bb3529 Mon Sep 17 00:00:00 2001
+From: Maksim Salau
+Date: Tue, 25 Apr 2017 22:49:21 +0300
+Subject: usb: misc: legousbtower: Fix buffers on stack
+
+From: Maksim Salau
+
+commit 942a48730faf149ccbf3e12ac718aee120bb3529 upstream.
+
+Allocate buffers on HEAP instead of STACK for local structures
+that are to be received using usb_control_msg().
+
+Signed-off-by: Maksim Salau
+Tested-by: Alfredo Rafael Vicente Boix ;
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/misc/legousbtower.c | 37 +++++++++++++++++++++++++++----------
+ 1 file changed, 27 insertions(+), 10 deletions(-)
+
+--- a/drivers/usb/misc/legousbtower.c
++++ b/drivers/usb/misc/legousbtower.c
+@@ -317,9 +317,16 @@ static int tower_open (struct inode *ino
+ int subminor;
+ int retval = 0;
+ struct usb_interface *interface;
+- struct tower_reset_reply reset_reply;
++ struct tower_reset_reply *reset_reply;
+ int result;
+
++ reset_reply = kmalloc(sizeof(*reset_reply), GFP_KERNEL);
++
++ if (!reset_reply) {
++ retval = -ENOMEM;
++ goto exit;
++ }
++
+ nonseekable_open(inode, file);
+ subminor = iminor(inode);
+
+@@ -364,8 +371,8 @@ static int tower_open (struct inode *ino
+ USB_TYPE_VENDOR | USB_DIR_IN | USB_RECIP_DEVICE,
+ 0,
+ 0,
+- &reset_reply,
+- sizeof(reset_reply),
++ reset_reply,
++ sizeof(*reset_reply),
+ 1000);
+ if (result < 0) {
+ dev_err(&dev->udev->dev,
+@@ -406,6 +413,7 @@ unlock_exit:
+ mutex_unlock(&dev->lock);
+
+ exit:
++ kfree(reset_reply);
+ return retval;
+ }
+
+@@ -808,7 +816,7 @@ static int tower_probe (struct usb_inter
+ struct lego_usb_tower *dev = NULL;
+ struct usb_host_interface *iface_desc;
+ struct usb_endpoint_descriptor* endpoint;
+- struct tower_get_version_reply get_version_reply;
++ struct tower_get_version_reply *get_version_reply = NULL;
+ int i;
+ int retval = -ENOMEM;
+ int result;
+@@ -916,6 +924,13 @@ static int tower_probe (struct usb_inter
+ "%d minor %d\n", (dev->minor - LEGO_USB_TOWER_MINOR_BASE),
+ USB_MAJOR, dev->minor);
+
++ get_version_reply = kmalloc(sizeof(*get_version_reply), GFP_KERNEL);
++
++ if (!get_version_reply) {
++ retval = -ENOMEM;
++ goto error;
++ }
++
+ /* get the firmware version and log it */
+ result = usb_control_msg (udev,
+ usb_rcvctrlpipe(udev, 0),
+@@ -923,24 +938,26 @@ static int tower_probe (struct usb_inter
+ USB_TYPE_VENDOR | USB_DIR_IN | USB_RECIP_DEVICE,
+ 0,
+ 0,
+- &get_version_reply,
+- sizeof(get_version_reply),
++ get_version_reply,
++ sizeof(*get_version_reply),
+ 1000);
+ if (result < 0) {
+ dev_err(idev, "LEGO USB Tower get version control request failed\n");
+ retval = result;
+ goto error;
+ }
+- dev_info(&interface->dev, "LEGO USB Tower firmware version is %d.%d "
+- "build %d\n", get_version_reply.major,
+- get_version_reply.minor,
+- le16_to_cpu(get_version_reply.build_no));
++ dev_info(&interface->dev,
++ "LEGO USB Tower firmware version is %d.%d build %d\n",
++ get_version_reply->major,
++ get_version_reply->minor,
++ le16_to_cpu(get_version_reply->build_no));
+
+
+ exit:
+ return retval;
+
+ error:
++ kfree(get_version_reply);
+ tower_delete(dev);
+ return retval;
+ }
diff --git a/queue-3.18/usb-proper-handling-of-race-condition-when-two-usb-class-drivers-try-to-call-init_usb_class-simultaneously.patch b/queue-3.18/usb-proper-handling-of-race-condition-when-two-usb-class-drivers-try-to-call-init_usb_class-simultaneously.patch
new file mode 100644
index 00000000000..f3d5881bfb4
--- /dev/null
+++ b/queue-3.18/usb-proper-handling-of-race-condition-when-two-usb-class-drivers-try-to-call-init_usb_class-simultaneously.patch
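Review bot: tower_probe() leaks `get_version_reply` on success, because the buffer is freed only under `error:` while the normal path falls through to `exit:` and returns. Since the pointer is initialised to NULL, `exit:` can free it unconditionally with `kfree(get_version_reply);` placed before `return retval;`. Separately, both control requests test only `result < 0`, so a short reply leaves part of the `kmalloc()` buffer uninitialised and tower_probe() then prints those bytes through dev_info(). Comparing `result` with `sizeof(*get_version_reply)` (and with `sizeof(*reset_reply)` in tower_open()) would reject that case.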
@@ -0,0 +1,60 @@
+From 2f86a96be0ccb1302b7eee7855dbee5ce4dc5dfb Mon Sep 17 00:00:00 2001
+From: Ajay Kaher
+Date: Tue, 28 Mar 2017 08:09:32 -0400
+Subject: USB: Proper handling of Race Condition when two USB class drivers try to call init_usb_class simultaneously
+
+From: Ajay Kaher
+
+commit 2f86a96be0ccb1302b7eee7855dbee5ce4dc5dfb upstream.
+
+There is race condition when two USB class drivers try to call
+init_usb_class at the same time and leads to crash.
+code path: probe->usb_register_dev->init_usb_class
+
+To solve this, mutex locking has been added in init_usb_class() and
+destroy_usb_class().
+
+As pointed by Alan, removed "if (usb_class)" test from destroy_usb_class()
+because usb_class can never be NULL there.
+
+Signed-off-by: Ajay Kaher
+Acked-by: Alan Stern
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/core/file.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/core/file.c
++++ b/drivers/usb/core/file.c
+@@ -26,6 +26,7 @@
+ #define MAX_USB_MINORS 256
+ static const struct file_operations *usb_minors[MAX_USB_MINORS];
+ static DECLARE_RWSEM(minor_rwsem);
++static DEFINE_MUTEX(init_usb_class_mutex);
+
+ static int usb_open(struct inode *inode, struct file *file)
+ {
+@@ -108,8 +109,9 @@ static void release_usb_class(struct kre
+
+ static void destroy_usb_class(void)
+ {
+- if (usb_class)
+- kref_put(&usb_class->kref, release_usb_class);
++ mutex_lock(&init_usb_class_mutex);
++ kref_put(&usb_class->kref, release_usb_class);
++ mutex_unlock(&init_usb_class_mutex);
+ }
+
+ int usb_major_init(void)
+@@ -171,7 +173,10 @@ int usb_register_dev(struct usb_interfac
+ if (intf->minor >= 0)
+ return -EADDRINUSE;
+
++ mutex_lock(&init_usb_class_mutex);
+ retval = init_usb_class();
++ mutex_unlock(&init_usb_class_mutex);
++
+ if (retval)
+ return retval;
+
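Review bot: The locking is asymmetric: destroy_usb_class() takes `init_usb_class_mutex` itself, but for init_usb_class() the lock is taken by the caller in usb_register_dev(), although the commit message says it was added in init_usb_class(). Any other caller of init_usb_class() (none is visible in these hunks) would run unprotected. Taking the mutex inside init_usb_class() would match destroy_usb_class(); failing that, a comment on the declaration such as `/* serialises creation and release of usb_class */` would document what the mutex covers.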
diff --git a/queue-3.18/usb-serial-ftdi_sio-add-device-id-for-microsemi-arrow-sf2plus-dev-kit.patch b/queue-3.18/usb-serial-ftdi_sio-add-device-id-for-microsemi-arrow-sf2plus-dev-kit.patch
new file mode 100644
index 00000000000..ffb2f32f54c
--- /dev/null
+++ b/queue-3.18/usb-serial-ftdi_sio-add-device-id-for-microsemi-arrow-sf2plus-dev-kit.patch
@@ -0,0 +1,51 @@
+From 31c5d1922b90ddc1da6a6ddecef7cd31f17aa32b Mon Sep 17 00:00:00 2001
+From: Marek Vasut
+Date: Tue, 18 Apr 2017 20:07:56 +0200
+Subject: USB: serial: ftdi_sio: add device ID for Microsemi/Arrow SF2PLUS Dev Kit
+
+From: Marek Vasut
+
+commit 31c5d1922b90ddc1da6a6ddecef7cd31f17aa32b upstream.
+
+This development kit has an FT4232 on it with a custom USB VID/PID.
+The FT4232 provides four UARTs, but only two are used. The UART 0
+is used by the FlashPro5 programmer and UART 2 is connected to the
+SmartFusion2 CortexM3 SoC UART port.
+
+Note that the USB VID is registered to Actel according to Linux USB
+VID database, but that was acquired by Microsemi.
+
+Signed-off-by: Marek Vasut
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/serial/ftdi_sio.c | 1 +
+ drivers/usb/serial/ftdi_sio_ids.h | 6 ++++++
+ 2 files changed, 7 insertions(+)
+
+--- a/drivers/usb/serial/ftdi_sio.c
++++ b/drivers/usb/serial/ftdi_sio.c
+@@ -873,6 +873,7 @@ static const struct usb_device_id id_tab
+ { USB_DEVICE_AND_INTERFACE_INFO(MICROCHIP_VID, MICROCHIP_USB_BOARD_PID,
+ USB_CLASS_VENDOR_SPEC,
+ USB_SUBCLASS_VENDOR_SPEC, 0x00) },
++ { USB_DEVICE_INTERFACE_NUMBER(ACTEL_VID, MICROSEMI_ARROW_SF2PLUS_BOARD_PID, 2) },
+ { USB_DEVICE(JETI_VID, JETI_SPC1201_PID) },
+ { USB_DEVICE(MARVELL_VID, MARVELL_SHEEVAPLUG_PID),
+ .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
+--- a/drivers/usb/serial/ftdi_sio_ids.h
++++ b/drivers/usb/serial/ftdi_sio_ids.h
+@@ -867,6 +867,12 @@
+ #define FIC_VID 0x1457
+ #define FIC_NEO1973_DEBUG_PID 0x5118
+
++/*
++ * Actel / Microsemi
++ */
++#define ACTEL_VID 0x1514
++#define MICROSEMI_ARROW_SF2PLUS_BOARD_PID 0x2008
++
+ /* Olimex */
+ #define OLIMEX_VID 0x15BA
+ #define OLIMEX_ARM_USB_OCD_PID 0x0003