From: Greg Kroah-Hartman Date: Tue, 11 Nov 2014 23:48:50 +0000 (+0900) Subject: 3.14-stable patches X-Git-Tag: v3.10.60~13 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ba50f044f527426ec28677dac9ecd6606f168074;p=thirdparty%2Fkernel%2Fstable-queue.git 3.14-stable patches added patches: usb-gadget-f_fs-remove-redundant-ffs_data_get.patch usb-gadget-udc-core-fix-kernel-oops-with-soft-connect.patch --- diff --git a/queue-3.14/series b/queue-3.14/series index 0bda802b1ce..a1395e1c214 100644 --- a/queue-3.14/series +++ b/queue-3.14/series @@ -185,3 +185,5 @@ mm-remove-false-warn_on-from-pagecache_isize_extended.patch crypto-algif-avoid-excessive-use-of-socket-buffer-in-skcipher.patch usb-dwc3-gadget-fix-set_halt-bug-with-pending-transfers.patch usb-gadget-function-acm-make-f_acm-pass-usb20cv-chapter9.patch +usb-gadget-udc-core-fix-kernel-oops-with-soft-connect.patch +usb-gadget-f_fs-remove-redundant-ffs_data_get.patch diff --git a/queue-3.14/usb-gadget-f_fs-remove-redundant-ffs_data_get.patch b/queue-3.14/usb-gadget-f_fs-remove-redundant-ffs_data_get.patch new file mode 100644 index 00000000000..cec2db90c03 --- /dev/null +++ b/queue-3.14/usb-gadget-f_fs-remove-redundant-ffs_data_get.patch 
@@ -0,0 +1,53 @@ +From balbi@ti.com Wed Nov 12 08:47:28 2014 +From: Felipe Balbi +Date: Mon, 10 Nov 2014 09:19:57 -0600 +Subject: [PATCH backport v2] usb: gadget: f_fs: remove redundant ffs_data_get() +To: Greg KH +Cc: , Robert Baldyga , Felipe Balbi +Message-ID: <1415632797-28618-1-git-send-email-balbi@ti.com> + + +From: Robert Baldyga + +[ Upstream commit a3058a5d82e296daaca07411c3738a9ddd79f302 ] + +During FunctionFS bind, ffs_data_get() function was called twice +(in functionfs_bind() and in ffs_do_functionfs_bind()), while on unbind +ffs_data_put() was called once (in functionfs_unbind() function). +In result refcount never reached value 0, and ffs memory resources has +been never released. + +Since ffs_data_get() call in ffs_do_functionfs_bind() is redundant +and not neccessary, we remove it to have equal number of gets ans puts, +and free allocated memory after refcount reach 0. + +Fixes: 5920cda (usb: gadget: FunctionFS: convert to new function + interface with backward compatibility) +Signed-off-by: Robert Baldyga +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/f_fs.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/usb/gadget/f_fs.c b/drivers/usb/gadget/f_fs.c +index 5bcf7d0..afd0a15 100644 +--- a/drivers/usb/gadget/f_fs.c ++++ b/drivers/usb/gadget/f_fs.c +@@ -1995,8 +1995,6 @@ static inline struct f_fs_opts *ffs_do_functionfs_bind(struct usb_function *f, + func->conf = c; + func->gadget = c->cdev->gadget; + +- ffs_data_get(func->ffs); +- + /* + * in drivers/usb/gadget/configfs.c:configfs_composite_bind() + * configurations are bound in sequence with list_for_each_entry, +-- +2.1.0.GIT + +-- +To unsubscribe from this list: send the line "unsubscribe stable" in +the body of a message to majordomo@vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html + 
diff --git a/queue-3.14/usb-gadget-udc-core-fix-kernel-oops-with-soft-connect.patch b/queue-3.14/usb-gadget-udc-core-fix-kernel-oops-with-soft-connect.patch new file mode 100644 index 00000000000..4f59ac81cd0 --- /dev/null +++ b/queue-3.14/usb-gadget-udc-core-fix-kernel-oops-with-soft-connect.patch 
@@ -0,0 +1,79 @@ +From balbi@ti.com Wed Nov 12 08:46:47 2014 +From: Felipe Balbi +Date: Mon, 10 Nov 2014 09:06:20 -0600 +Subject: usb: gadget: udc: core: fix kernel oops with soft-connect +To: Greg KH +Cc: , Felipe Balbi +Message-ID: <1415631980-27790-1-git-send-email-balbi@ti.com> + +From: Felipe Balbi + +[ Upstream commit bfa6b18c680450c17512c741ed1d818695747621 ] + +Currently, there's no guarantee that udc->driver +will be valid when using soft_connect sysfs +interface. In fact, we can very easily trigger +a NULL pointer dereference by trying to disconnect +when a gadget driver isn't loaded. + +Fix this bug: + +~# echo disconnect > soft_connect +[ 33.685743] Unable to handle kernel NULL pointer dereference at virtual address 00000014 +[ 33.694221] pgd = ed0cc000 +[ 33.697174] [00000014] *pgd=ae351831, *pte=00000000, *ppte=00000000 +[ 33.703766] Internal error: Oops: 17 [#1] SMP ARM +[ 33.708697] Modules linked in: xhci_plat_hcd xhci_hcd snd_soc_davinci_mcasp snd_soc_tlv320aic3x snd_soc_edma snd_soc_omap snd_soc_evm snd_soc_core dwc3 snd_compress snd_pcm_dmaengine snd_pcm snd_timer snd lis3lv02d_i2c matrix_keypad lis3lv02d dwc3_omap input_polldev soundcore +[ 33.734372] CPU: 0 PID: 1457 Comm: bash Not tainted 3.17.0-09740-ga93416e-dirty #345 +[ 33.742457] task: ee71ce00 ti: ee68a000 task.ti: ee68a000 +[ 33.748116] PC is at usb_udc_softconn_store+0xa4/0xec +[ 33.753416] LR is at mark_held_locks+0x78/0x90 +[ 33.758057] pc : [] lr : [] psr: 20000013 +[ 33.758057] sp : ee68bec8 ip : c0c00008 fp : ee68bee4 +[ 33.770050] r10: ee6b394c r9 : ee68bf80 r8 : ee6062c0 +[ 33.775508] r7 : 00000000 r6 : ee6062c0 r5 : 0000000b r4 : ee739408 +[ 33.782346] r3 : 00000000 r2 : 00000000 r1 : ee71d390 r0 : ee664170 +[ 33.789168] Flags: nzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user +[ 33.796636] Control: 10c5387d Table: ad0cc059 DAC: 00000015 +[ 33.802638] Process bash (pid: 1457, stack limit = 0xee68a248) +[ 33.808740] Stack: (0xee68bec8 to 0xee68c000) +[ 33.813299] bec0: 
0000000b c0411284 ee6062c0 00000000 ee68bef4 ee68bee8 +[ 33.821862] bee0: c04112ac c04df090 ee68bf14 ee68bef8 c01c2868 c0411290 0000000b ee6b3940 +[ 33.830419] bf00: 00000000 00000000 ee68bf4c ee68bf18 c01c1a24 c01c2818 00000000 00000000 +[ 33.838990] bf20: ee61b940 ee2f47c0 0000000b 000ce408 ee68bf80 c000f304 ee68a000 00000000 +[ 33.847544] bf40: ee68bf7c ee68bf50 c0152dd8 c01c1960 ee68bf7c c0170af8 ee68bf7c ee2f47c0 +[ 33.856099] bf60: ee2f47c0 000ce408 0000000b c000f304 ee68bfa4 ee68bf80 c0153330 c0152d34 +[ 33.864653] bf80: 00000000 00000000 0000000b 000ce408 b6e7fb50 00000004 00000000 ee68bfa8 +[ 33.873204] bfa0: c000f080 c01532e8 0000000b 000ce408 00000001 000ce408 0000000b 00000000 +[ 33.881763] bfc0: 0000000b 000ce408 b6e7fb50 00000004 0000000b 00000000 000c5758 00000000 +[ 33.890319] bfe0: 00000000 bec2c924 b6de422d b6e1d226 40000030 00000001 75716d2f 00657565 +[ 33.898890] [] (usb_udc_softconn_store) from [] (dev_attr_store+0x28/0x34) +[ 33.907920] [] (dev_attr_store) from [] (sysfs_kf_write+0x5c/0x60) +[ 33.916200] [] (sysfs_kf_write) from [] (kernfs_fop_write+0xd0/0x194) +[ 33.924773] [] (kernfs_fop_write) from [] (vfs_write+0xb0/0x1bc) +[ 33.932874] [] (vfs_write) from [] (SyS_write+0x54/0xb0) +[ 33.940247] [] (SyS_write) from [] (ret_fast_syscall+0x0/0x48) +[ 33.948160] Code: e1a01007 e12fff33 e5140004 e5143008 (e5933014) +[ 33.954625] ---[ end trace f849bead94eab7ea ]--- + +Fixes: 2ccea03 (usb: gadget: introduce UDC Class) +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/udc-core.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/usb/gadget/udc-core.c ++++ b/drivers/usb/gadget/udc-core.c +@@ -456,6 +456,11 @@ static ssize_t usb_udc_softconn_store(st + { + struct usb_udc *udc = container_of(dev, struct usb_udc, dev); + ++ if (!udc->driver) { ++ dev_err(dev, "soft-connect without a gadget driver\n"); ++ return -EOPNOTSUPP; ++ } ++ + if (sysfs_streq(buf, "connect")) { + 
usb_gadget_udc_start(udc->gadget, udc->driver); + usb_gadget_connect(udc->gadget);
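
Review bot: In the drivers/usb/gadget/f_fs.c hunk, at the removal site in ffs_do_functionfs_bind(), nothing is left to say who holds the reference on func->ffs. The commit message names functionfs_bind() as the remaining ffs_data_get() and functionfs_unbind() as the matching ffs_data_put(), but neither is visible here. A one-line comment at this spot stating that pairing would keep a later change from reintroducing the unbalanced get. Before queuing, also confirm that no error path later in ffs_do_functionfs_bind() calls ffs_data_put() to undo the get removed here, because such a put would now drop the count early instead of leaking it.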
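
Review bot: In the drivers/usb/gadget/udc-core.c hunk, the new `if (!udc->driver)` test in usb_udc_softconn_store() and the later `usb_gadget_udc_start(udc->gadget, udc->driver)` call have no lock visible between them, so the check only closes the case in the posted oops, where no gadget driver was ever loaded. If udc->driver can be cleared by a concurrent unbind, the same NULL dereference is still reachable between the test and the use; either do the test and the connect/disconnect under whatever lock serializes bind and unbind, or state in the commit message what already guarantees that ordering. A smaller point on the same lines: dev_err() here can be triggered repeatedly by anyone able to write the soft_connect attribute, so a ratelimited or debug-level message would avoid log flooding while still returning -EOPNOTSUPP.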