the pwc driver has a disconnect method that waits for user space to
close the device. This opens up an opportunity for a DoS attack,
blocking the USB subsystem and making khubd's task busy wait in
kernel space. This patch shifts freeing resources to close if an opened
device is disconnected.
Signed-off-by: Oliver Neukum <oneukum@suse.de>
CC: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
This patch (as964) was suggested by Steffen Koepf. It makes
usb_get_descriptor() retry on all errors other than ETIMEDOUT, instead
of only on EPIPE. This helps with some devices.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
CC: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
it seems like you overdid it a bit in your quest to clean up the
use of urb->status. In this driver you read it the first thing, which
means that you are in a race against URB completion you'll
usually lose, returning -EINPROGRESS. This kills the driver.
Signed-off-by: Oliver Neukum <oneukum@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
This patch enables support for HTC Smartphones. The original patch is at
https://bugs.gentoo.org/show_bug.cgi?id=187522. Original author is Mike Doty
<kingtaco@gentoo.org>.
Signed-off-by: Christian Heim <phreak@gentoo.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
this device has been reported to break with autosuspend.
Signed-off-by: Oliver Neukum <oneukum@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Some versions of GCC recently grew annoying warnings about constants.
This gets rid of that warning from the OHCI driver.
Signed-off-by: David Brownell <dbrownell@users.sourceforge.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
This patch (as961) fixes a couple of bugs in the disconnect pathway of
usb-storage.
The first problem, which apparently has been around for a while
although nobody noticed it, shows up when an aborted command is still
pending when a disconnect occurs. The SCSI error-handler will
continue to wait in command_abort() until the us->notify completion is
signalled. Thus quiesce_and_remove_host() needs to signal it.
The second problem was introduced recently along with autosuspend
support. Since usb_stor_scan_thread() now calls
usb_autopm_put_interface() before exiting, we can't simply leave the
scanning thread running after a disconnect; we must wait until the
thread exits. This is solved by adding a new struct completion to the
private data structure. Fortuitously, it allows the removal of the
rather clunky mechanism used in the past to insure that all threads
have finished before the module is unloaded.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
CC: Matthew Dharm <mdharm-usb@one-eyed-alien.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Some devices have a bug which causes them to send a 1-byte reply to
Get-Device-Status requests instead of 2 bytes as required by the
spec. This doesn't play well with autosuspend, since we look for a
valid status reply to make sure the device is still present when it
resumes. Without both bytes, we assume the device has been
disconnected.
Lack of the second byte shouldn't matter much, since the spec requires
it always to be equal to 0. Hence this patch (as959) causes
finish_port_resume() to accept a 1-byte reply as valid.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Acked-by: David Brownell <david-b@pacbell.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
The oti6858 usb serial driver should use kernel_termios_to_user_termios/
user_termios_to_kernel_termios to avoid segfaults because the kernel
uses a structure differing from that of user space with a different
size.
Signed-off-by: Thomas Viehmann <tv@beamnet.de>
CC: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
This patch (as958) removes an unneeded and unwanted #define line from
dummy_hcd.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
If, in em28xx_usb_probe() the memory allocation
dev->alt_max_pkt_size = kmalloc(32*
dev->num_alt,GFP_KERNEL);
fails, then we'll bail out and return -ENOMEM.
The problem is that in that case we don't free the storage allocated
to 'dev', thus causing a memory leak.
This patch fixes the leak by freeing 'dev' before we return -ENOMEM.
This fixes Coverity bug #647.
Signed-off-by: Jesper Juhl <jesper.juhl@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
The attached (mostly trivial) patches adds support for the Evolution
Scorpion Robots.
Evolution Robotics supplies a patch against 2.6.8 with their
software. My patch is based on their work, so I don't know if I can
sign it off, or if you need some Evolution people to do this (which
might be hard).
The patch adds device ID's for some robots which is trivial.
From: Søren Hauberg <hauberg@gmail.com>
Acked-by: Alan Cox <alan@lxorguk.ukuu.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Søren
It appears that one reason the "iConnect"-labeled multi-card reader was
on sale for only $5 is that it doesn't handle suspend/resume correctly.
Other than that, it was a good deal for a highspeed MMC/SD bridge.
Signed-off-by: David Brownell <dbrownell@users.sourceforge.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Currently when registration fails we're left with a stray reference to
release_mem_region(), this leads to the following case:
r8a66597_hcd r8a66597_hcd: irq 13, io base 0x18040000
drivers/usb/host/r8a66597-hcd.c: register access fail.
r8a66597_hcd r8a66597_hcd: startup error -6
r8a66597_hcd r8a66597_hcd: USB bus 1 deregistered
drivers/usb/host/r8a66597-hcd.c: Failed to add hcd
Trying to free nonexistent resource <0000000018040000-0000000018040000>
This fixes it up.
Signed-off-by: Paul Mundt <lethal@linux-sh.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Previous boards were likely seeing USB_ARCH_HAS_HCD selected by way
of PCMCIA or PCI, though none of those are required for hcd support
on SH. Enable support unconditionally.
Signed-off-by: Paul Mundt <lethal@linux-sh.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Dell Wireless Broadband ExpressCards are rebrands of Novatel's cards.
Add all of their known PCI IDs to date along with their mapping to the exact
Novatel model to the Option driver which already claims to support them.
Signed-off-by: Faidon Liambotis <paravoid@debian.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
I noticed this warning with CONFING_PM=n
...
drivers/usb/host/u132-hcd.c:1525: warning: 'port_power' defined but not used
...
Signed-off-by: Gabriel Craciunescu <nix.or.die@googlemail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Fix typo in safe_serial.c to match the actual CONFIG variable.
Signed-off-by: Robert P. J. Day <rpjday@mindspring.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
This patch makes the File Storage Gadget stall the control endpoint
when a MSC class request is made with wValue != 0. This change makes
some MSC compliance test warnings disappear.
Signed-off-by: Luis Lloret <luislloret@gmail.com>
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
This patch contains two fixes submitted by Ondrej Palkovsky:
- the 'ACK' packet is sent after the transfer of the USB packet is
completed, i.e. in the write_callback function. Because the close
function sends the 'abort' command, a parameter is added that allows
the caller of garmin_write_bulk to specify, if the 'ack' should be
propagated to the serial link or dimissed.
This fixes the problem with gpsbabel, it has sent several packets that
were acknowledged before they were sent to the GPS and GpsBabel closed
the device - thus effectively cancelled all outstanding requests in the
queue.
- removed the APP_RESP_SEEN and APP_REQ_SEEN flags and changed
them into counters. It evades USB reset of the gps on every device close.
Signed-off-by: Hermann Kneissel <hermann.kneissel@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
This patch (as950) fixes a bug in the cdc-acm driver. It doesn't keep
track of which interface (control or data) the sysfs attributes get
registered for, and as a result, during disconnect it will sometimes
attempt to remove the attributes from the wrong interface. The
left-over attributes can cause a crash later on, particularly if the driver
module has been unloaded.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Acked-by: Oliver Neukum <oneukum@suse.de>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
git commit b2bbb20b37 added direct
support for PXA GPIO D+ pullup as alternative to the older udc_command
ops method. This was done by introduction of the pxa2xx_udc_mach_info
member "gpio_pullup" which, if initialized, is now used in (almost)
all places where udc_command used to be called.
This patch fixes two places where checks for availability of D+ pullup
control still only honor udc_command.
Signed-off-by: Uli Luckas <u.luckas@road.de>
Signed-off-by: David Brownell <dbrownell@users.sourceforge.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
* git://git.kernel.org/pub/scm/linux/kernel/git/wim/linux-2.6-watchdog:
[WATCHDOG] Add support for 1533 bridge to alim1535_wdt
[WATCHDOG] Add a 00-INDEX file to Documentation/watchdog/
[WATCHDOG] Eurotechwdt.c - clean-up comments
* 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/sparc-2.6:
[SPARC32]: Revert f642b26380.
[SPARC64]: Need to clobber global reg vars in switch_to().
* 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6:
[IRDA] irda_nl_get_mode: always results in failure
[PPP]: Fix output buffer size in ppp_decompress_frame().
[IRDA]: Avoid a label defined but not used warning in irda_init()
[IPV6]: Fix kernel panic while send SCTP data with IP fragments
[SNAP]: Check packet length before reading
[DCCP]: Allocation in atomic context
* 'for-linus' of git://git390.osdl.marist.edu/pub/scm/linux-2.6:
[S390] Change atomic_read/set to inline functions with barrier semantics.
[S390] kprobes: fix instruction length calculation
[S390] hypfs: inode corruption due to missing locking
[S390] disassembler: fix b2 opcodes like srst, bsg, and others
[S390] vmur: fix reference counting for vmur device structure
[S390] vmur: fix diag14 exceptions with addresses > 2GB.
[S390] qdio: Refresh buffer states for IQDIO Asynchronous output queue
[S390] qdio: fix EQBS handling on CCQ96
[S390] cio: change confusing message in cmf.
[S390] cio: dont forget to set last slot to NULL in ccw_uevent().
Touching vmalloc memory in the middle of a lazy mode update can generate
a kernel PDE update, which must be flushed immediately. The fix is to
leave lazy mode when doing a vmalloc sync.
Signed-off-by: Zachary Amsden <zach@vmware.com>
Acked-by: Jeremy Fitzhardinge <jeremy@goop.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
After doing some tests this seems to be the best variant for s390 and
should be correct as well. With gcc 4.2.1 we get the following kernel
image sizes using the default configuration:
atomic_t type volatile, atomic_read/set defines 5311824 bytes
atomic_t type int, atomic_read/set defines 5270864 bytes
atomic_t type int, atomic_read/set inline asm 5279056 bytes
atomic_t type int, atomic_read/set inline barrier 5270864 bytes
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Placing a kprobe on "bc" instruction (s390/s390x) can cause an oops.
The instruction length is encoded into the first two bits of the s390
instruction. Kprobe is incorrectly computing the instruction length.
The instruction length is used for determining what type of "fix-up" is
needed for conditional branch instruction. The problem can bee seen by
placing a kprobe on a "bc" instruction that will not branch. The
results is that Kprobe incorrectly computes the new instruction
pointer (psw.addr) after single stepping the instruction. The problem
is corrected with this patch.
Signed-off-by: David Wilder <dwilder@us.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
hypfs removes the whole hypfs directory tree and creates a new one, when a
process triggers an update by writing to the "update" attribute. When removing
and creating files, it is necessary to lock the inode of the parent directory
where the files live. Currently hypfs does not lock the parent inode, which
can lead to inode corruption. This patch:
* Introduces correct locking
* Fixes i_nlink reference counting for inodes, when creating directories
* Adds info printk, when hypfs filesystem has been mounted
Signed-off-by: Michael Holzheu <holzheu@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
The instruction table for b2 opcodes was missing an opfrag value
for the cpya instruction. All instructions specified after cpya
were not considered by the disassembler. The fix is simple and
obvious - add the opfrag field to the cpya instruction.
Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
When a vmur device is removed due to a detach of the device, currently the
ur device structure is freed. Unfortunately it can happen, that there is
still a user of the device structure, when the character device is open
during the detach process. To fix this, reference counting for the vmur
structure is introduced.
In addition to that, the online, offline, probe and remove functions are
serialized now using a global mutex.
Signed-off-by: Michael Holzheu <holzheu@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
There are several s390 diagnose calls, which must be executed below the
2GB memory boundary. In order to enforce this, those diagnoses must be
compiled into the kernel. Currently diag 14 can be called within the
vmur kernel module from addresses above 2GB. This leads to specification
exceptions. This patch moves diag10, diag14 and diag210 into the new
diag.c file.
Signed-off-by: Michael Holzheu <holzheu@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Hipersocket Multicast queue works asynchronously. When sending buffers,
the buffer state change may happen delayed. The tasklet for checking
changes in the outbound queue excluded IQDIO async queues from this
process. This created either a hang situation when the queue ran full,
or presented a hang situation a interface close time.
The tasklet processing is changed to include IQDIO async queues when
requesting buffer state refresh.
Signed-off-by: Klaus D. Wacker <kdwacker@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
QDIO returned from EQBS instruction in any case after return code
CCQ=96 was issued regardless whether buffer states for at least one
buffer were extracted or not.
This caused FCP devices to hang when running under z/VM and having
QIOASSASIST=ON and having high I/O rates.
In order to fix this qdio return code processing of EQBS instruction
after CCQ=96 is changed that buffers are returned and if no buffers
where extracted the instruction is repeated at once.
Signed-off-by: Klaus D. Wacker <kdwacker@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
cmf currently prints a message that more than 4096 channels are not
allowed in basic mode - however, this can only be enforced if cmf was
a module (which is no longer possible). It makes much more sense to
not check the specified number of channels and just print a message if
the block for basic mode could not be allocated (which may happen for
any number of specified channels).
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
It seems an extraneous trailing ';' has slipped in to the error handling for a
name registration failure causing the error path to trigger unconditionally.
Signed-off-by: Andy Whitcroft <apw@shadowen.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Samuel Ortiz <samuel@sortiz.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
This patch addresses the issue with "osize too small" errors in mppe
encryption. The patch fixes the issue with wrong output buffer size
being passed to ppp decompression routine.
--------------------
As pointed out by Suresh Mahalingam, the issue addressed by
ppp-fix-osize-too-small-errors-when-decoding patch is not fully resolved yet.
The size of allocated output buffer is correct, however it size passed to
ppp->rcomp->decompress in ppp_generic.c if wrong. The patch fixes that.
--------------------
Signed-off-by: Konstantin Sharlaimov <konstantin.sharlaimov@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Easily avoidable compiler warnings bug me.
Building irmod without CONFIG_SYSCTL currently results in :
net/irda/irmod.c:132: warning: label 'out_err_2' defined but not used
But that can easily be avoided by simply moving the label inside
the existing "#ifdef CONFIG_SYSCTL" one line above it.
This patch moves the label and buys us one less warning with no
ill effects.
Signed-off-by: Jesper Juhl <jesper.juhl@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
The snap_rcv code reads 5 bytes so we should make sure that
we have 5 bytes in the head before proceeding.
Based on diagnosis and fix by Evgeniy Polyakov, reported by
Alan J. Wylie.
Patch also kills the skb->sk assignment before kfree_skb
since it's redundant.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Gerd Hoffmann pointed out that my patch from yesterday can lead
to a null pointer dereference if the kernel is booted with no
console, and no earlyprintk defined. This fixes that issue.
Signed-off-by: Robin Getz <rgetz@blackfin.uclinux.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
The initial user manuals for MPC8544/8533 had some issues with properly
documenting the device IDs for MPC8544/8533. These processors are almost
identical and both show up on the reference boards.
Fix up the quirks for PCIe support to handle MPC8533/E.
Signed-off-by: Kumar Gala <galak@kernel.crashing.org>