Skip to content

K
Kernel

openeuler / Kernel
1 年多 前同步成功

通知 8
Star 0
Fork 0
K
Kernel
切换分支/标签
  1. 25 1月, 2015 1 次提交
  3. 10 1月, 2015 4 次提交
    • S
      usb: gadget: udc: atmel: fix possible oops when unloading module · 5fb694f9
      Songjun Wu 提交于 
      When unloading the module 'g_hid.ko', the urb request will be dequeued and the
completion routine will be excuted. If there is no urb packet, the urb request
will not be added to the endpoint queue and the completion routine pointer in
urb request is NULL.

Accessing to this NULL function pointer will cause the Oops issue reported
below.

Add the code to check if the urb request is in the endpoint queue
or not. If the urb request is not in the endpoint queue, a negative
error code will be returned.

Here is the Oops log:

Unable to handle kernel NULL pointer dereference at virtual address 00000000
pgd = dedf0000
[00000000] *pgd=3ede5831, *pte=00000000, *ppte=00000000
Internal error: Oops: 80000007 [#1] ARM
Modules linked in: g_hid(-) usb_f_hid libcomposite
CPU: 0 PID: 923 Comm: rmmod Not tainted 3.18.0+ #2
Hardware name: Atmel SAMA5 (Device Tree)
task: df6b1100 ti: dedf6000 task.ti: dedf6000
PC is at 0x0
LR is at usb_gadget_giveback_request+0xc/0x10
pc : [<00000000>]    lr : [<c02ace88>]    psr: 60000093
sp : dedf7eb0  ip : df572634  fp : 00000000
r10: 00000000  r9 : df52e210  r8 : 60000013
r7 : df6a9858  r6 : df52e210  r5 : df6a9858  r4 : df572600
r3 : 00000000  r2 : ffffff98  r1 : df572600  r0 : df6a9868
Flags: nZCv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment user
Control: 10c53c7d  Table: 3edf0059  DAC: 00000015
Process rmmod (pid: 923, stack limit = 0xdedf6230)
Stack: (0xdedf7eb0 to 0xdedf8000)
7ea0:                                     00000000 c02adbbc df572580 deced608
7ec0: df572600 df6a9868 df572634 c02aed3c df577c00 c01b8608 00000000 df6be27c
7ee0: 00200200 00100100 bf0162f4 c000e544 dedf6000 00000000 00000000 bf010c00
7f00: bf0162cc bf00159c 00000000 df572980 df52e218 00000001 df5729b8 bf0031d0
[..]
[<c02ace88>] (usb_gadget_giveback_request) from [<c02adbbc>] (request_complete+0x64/0x88)
[<c02adbbc>] (request_complete) from [<c02aed3c>] (usba_ep_dequeue+0x70/0x128)
[<c02aed3c>] (usba_ep_dequeue) from [<bf010c00>] (hidg_unbind+0x50/0x7c [usb_f_hid])
[<bf010c00>] (hidg_unbind [usb_f_hid]) from [<bf00159c>] (remove_config.isra.6+0x98/0x9c [libcomposite])
[<bf00159c>] (remove_config.isra.6 [libcomposite]) from [<bf0031d0>] (__composite_unbind+0x34/0x98 [libcomposite])
[<bf0031d0>] (__composite_unbind [libcomposite]) from [<c02acee0>] (usb_gadget_remove_driver+0x50/0x78)
[<c02acee0>] (usb_gadget_remove_driver) from [<c02ad570>] (usb_gadget_unregister_driver+0x64/0x94)
[<c02ad570>] (usb_gadget_unregister_driver) from [<bf0160c0>] (hidg_cleanup+0x10/0x34 [g_hid])
[<bf0160c0>] (hidg_cleanup [g_hid]) from [<c0056748>] (SyS_delete_module+0x118/0x19c)
[<c0056748>] (SyS_delete_module) from [<c000e3c0>] (ret_fast_syscall+0x0/0x30)
Code: bad PC value
Signed-off-by: NSongjun Wu <songjun.wu@atmel.com>
[nicolas.ferre@atmel.com: reworked the commit message]
Signed-off-by: NNicolas Ferre <nicolas.ferre@atmel.com>
Fixes: 914a3f3b ("USB: add atmel_usba_udc driver")
Cc: <stable@vger.kernel.org> # 2.6.x-ish
Signed-off-by: NFelipe Balbi <balbi@ti.com>
      5fb694f9
    • D
      usb: gadget: gadgetfs: fix an oops in ep_write() · 42d6cfa0
      Dan Carpenter 提交于 
      We try to free an ERR_PTR on this error path.

Fixes: b44be246 ('usb: gadget: gadgetfs: Free memory allocated by memdup_user()')
Signed-off-by: NDan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: NFelipe Balbi <balbi@ti.com>
      42d6cfa0
    • W
      usb: gadget: udc: bdc: drop owner assignment from platform_drivers · f1161256
      Wolfram Sang 提交于 
      This platform_driver does not need to set an owner, it will be populated by the
driver core.
Signed-off-by: NWolfram Sang <wsa@the-dreams.de>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f1161256
    • J
      usb: gadget: udc: avoid dereference before NULL check in ep_queue · f26d29e3
      John W. Linville 提交于 
      Coverity: CID 1260069
Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
Cc: Felipe Balbi <balbi@ti.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f26d29e3
  5. 23 12月, 2014 5 次提交
    • B
      usb: gadget: udc: atmel: fix possible IN hang issue · 6785a103
      Bo Shen 提交于 
      When receive data, the RXRDY in status register set by hardware
after a new packet has been stored in the endpoint FIFO. When it
is copied from FIFO, this bit is cleared which make the FIFO can
be accessed again.

In the receive_data() function, this bit RXRDY has been cleared.
So, after the receive_data() function return, this bit should
not be cleared again, or else it may cause the accessing FIFO
corrupt, which will make the data loss.

Fixes: 914a3f3b (USB: add atmel_usba_udc driver)
Cc: <stable@vger.kernel.org> # 2.6.24+
Acked-by: NNicolas Ferre <nicolas.ferre@atmel.com>
Signed-off-by: NBo Shen <voice.shen@atmel.com>
Signed-off-by: NFelipe Balbi <balbi@ti.com>
      6785a103
    • B
      usb: gadget: udc: atmel: change setting for DMA · f40afddd
      Bo Shen 提交于 
      According to the datasheet, when transfer using DMA, the control
setting for IN packet only need END_BUF_EN, END_BUF_IE, CH_EN,
while for OUT packet, need more two bits END_TR_EN and END_TR_IE
to be configured.

Fixes: 914a3f3b (USB: add atmel_usba_udc driver)
Cc: <stable@vger.kernel.org> # 2.6.24+
Acked-by: NNicolas Ferre <nicolas.ferre@atmel.com>
Signed-off-by: NBo Shen <voice.shen@atmel.com>
Signed-off-by: NFelipe Balbi <balbi@ti.com>
      f40afddd
    • M
      usb: gadget: gadgetfs: Free memory allocated by memdup_user() · b44be246
      Mario Schuknecht 提交于 
      Commit 3b74c73f switched over to memdup_user()
in ep_write() function and removed kfree (kbuf).
memdup_user() function allocates memory which is never freed.

Fixes: 3b74c73f (usb: gadget: inode: switch over to memdup_user())
Cc: <stable@vger.kernel.org> # v3.15+
Signed-off-by: NMario Schuknecht <mario.schuknecht@dresearch-fe.de>
Signed-off-by: NFelipe Balbi <balbi@ti.com>
      b44be246
    • J
      usb: gadget: fix misspelling of current function in string · c9b3bde0
      Julia Lawall 提交于 
      Replace a misspelled function name by %s and then __func__.

This was done using Coccinelle, including the use of Levenshtein distance,
as proposed by Rasmus Villemoes.
Signed-off-by: NJulia Lawall <Julia.Lawall@lip6.fr>
Signed-off-by: NFelipe Balbi <balbi@ti.com>
      c9b3bde0
    • P
      usb: gadget: f_uac1: access freed memory at f_audio_free_inst · 4fde6204
      Peter Chen 提交于 
      At f_audio_free_inst, it tries to access struct gaudio *card which is
freed at f_audio_free, it causes below oops if the audio device is not
there (do unload module may trigger the same problem). The gaudio_cleanup
is related to function, so it is better move to f_audio_free.

root@freescale ~$ modprobe g_audio
[  751.968931] g_audio gadget: unable to open sound control device file: /dev/snd/controlC0
[  751.977134] g_audio gadget: we need at least one control device
[  751.988633] Unable to handle kernel paging request at virtual address 455f448e
[  751.995963] pgd = bd42c000
[  751.998681] [455f448e] *pgd=00000000
[  752.002383] Internal error: Oops: 5 [#1] SMP ARM
[  752.007008] Modules linked in: usb_f_uac1 g_audio(+) usb_f_mass_storage libcomposite configfs [last unloaded: g_mass_storage]
[  752.018427] CPU: 0 PID: 692 Comm: modprobe Not tainted 3.18.0-rc4-00345-g842f57ba #10
[  752.026176] task: bdb3ba80 ti: bd41a000 task.ti: bd41a000
[  752.031590] PC is at filp_close+0xc/0x84
[  752.035530] LR is at gaudio_cleanup+0x28/0x54 [usb_f_uac1]
[  752.041023] pc : [<800ec94c>]    lr : [<7f03c63c>]    psr: 20000013
[  752.041023] sp : bd41bcc8  ip : bd41bce8  fp : bd41bce4
[  752.052504] r10: 7f036234  r9 : 7f036220  r8 : 7f036500
[  752.057732] r7 : bd456480  r6 : 7f036500  r5 : 7f03626c  r4 : bd441000
[  752.064264] r3 : 7f03b3dc  r2 : 7f03cab0  r1 : 00000000  r0 : 455f4456
[  752.070798] Flags: nzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
[  752.077938] Control: 10c5387d  Table: bd42c04a  DAC: 00000015
[  752.083688] Process modprobe (pid: 692, stack limit = 0xbd41a240)
[  752.089786] Stack: (0xbd41bcc8 to 0xbd41c000)
[  752.094152] bcc0:                   7f03b3dc bd441000 7f03626c 7f036500 bd41bcfc bd41bce8
[  752.102337] bce0: 7f03c63c 800ec94c 7f03b3dc bdaa6b00 bd41bd14 bd41bd00 7f03b3f4 7f03c620
[  752.110521] bd00: 7f03b3dc 7f03cbd4 bd41bd2c bd41bd18 7f00f88c 7f03b3e8 00000000 fffffffe
[  752.118705] bd20: bd41bd5c bd41bd30 7f0380d8 7f00f874 7f038000 bd456480 7f036364 be392240
[  752.126889] bd40: 00000000 7f00f620 7f00f638 bd41a008 bd41bd94 bd41bd60 7f00f6d4 7f03800c
[  752.135073] bd60: 00000001 00000000 8047438c be3a4000 7f036364 7f036364 7f00db28 7f00f620
[  752.143257] bd80: 7f00f638 bd41a008 bd41bdb4 bd41bd98 804742ac 7f00f644 00000000 809adde0
[  752.151442] bda0: 7f036364 7f036364 bd41bdcc bd41bdb8 804743c8 80474284 7f03633c 7f036200
[  752.159626] bdc0: bd41bdf4 bd41bdd0 7f00d5b4 8047435c bd41a000 80974060 7f038158 00000000
[  752.167811] bde0: 80974060 bdaa9940 bd41be04 bd41bdf8 7f03816c 7f00d518 bd41be8c bd41be08
[  752.175995] be00: 80008a5c 7f038164 be001f00 7f0363c4 bd41bf48 00000000 bd41be54 bd41be28
[  752.184179] be20: 800e9498 800e8e74 00000002 00000003 bd4129c0 c0a07000 00000001 7f0363c4
[  752.192363] be40: bd41bf48 00000000 bd41be74 bd41be58 800de780 800e9320 bd41a000 7f0363d0
[  752.200547] be60: 00000000 bd41a000 7f0363d0 00000000 bd41beec 7f0363c4 bd41bf48 00000000
[  752.208731] be80: bd41bf44 bd41be90 80093e54 800089e0 ffff8000 00007fff 80091390 0000065f
[  752.216915] bea0: 00000000 c0a0834c bd41bf7c 00000086 bd41bf50 00000000 7f03651c 00000086
[  752.225099] bec0: bd41a010 00c28758 800ddcc4 800ddae0 000000d2 bd412a00 bd41bf24 00000000
[  752.233283] bee0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[  752.241467] bf00: 00000000 00000000 00000000 00000000 00000000 00000000 bd41bf44 000025b0
[  752.249651] bf20: 00c28a08 00c28758 00000080 8000edc4 bd41a000 00000000 bd41bfa4 bd41bf48
[  752.257835] bf40: 800943e4 800932ec c0a07000 000025b0 c0a07f8c c0a07ea4 c0a08e5c 0000051c
[  752.266019] bf60: 0000088c 00000000 00000000 00000000 00000018 00000019 00000010 0000000b
[  752.274203] bf80: 00000009 00000000 00000000 000025b0 00000000 00c28758 00000000 bd41bfa8
[  752.282387] bfa0: 8000ec00 8009430c 000025b0 00000000 00c28a08 000025b0 00c28758 00c28980
[  752.290571] bfc0: 000025b0 00000000 00c28758 00000080 000a6a78 00000007 00c28718 00c28980
[  752.298756] bfe0: 7ebc1af0 7ebc1ae0 0001a32c 76e9c490 60000010 00c28a08 22013510 ecebffff
[  752.306933] Backtrace:
[  752.309414] [<800ec940>] (filp_close) from [<7f03c63c>] (gaudio_cleanup+0x28/0x54 [usb_f_uac1])
[  752.318115]  r6:7f036500 r5:7f03626c r4:bd441000 r3:7f03b3dc
[  752.323851] [<7f03c614>] (gaudio_cleanup [usb_f_uac1]) from [<7f03b3f4>] (f_audio_free_inst+0x18/0x68 [usb_f_uac1])
[  752.334288]  r4:bdaa6b00 r3:7f03b3dc
[  752.337931] [<7f03b3dc>] (f_audio_free_inst [usb_f_uac1]) from [<7f00f88c>] (usb_put_function_instance+0x24/0x30 [libcomposite])
[  752.349498]  r4:7f03cbd4 r3:7f03b3dc
[  752.353127] [<7f00f868>] (usb_put_function_instance [libcomposite]) from [<7f0380d8>] (audio_bind+0xd8/0xfc [g_audio])
[  752.363824]  r4:fffffffe r3:00000000
[  752.367456] [<7f038000>] (audio_bind [g_audio]) from [<7f00f6d4>] (composite_bind+0x9c/0x1e8 [libcomposite])
[  752.377284]  r10:bd41a008 r9:7f00f638 r8:7f00f620 r7:00000000 r6:be392240 r5:7f036364
[  752.385193]  r4:bd456480 r3:7f038000
[  752.388825] [<7f00f638>] (composite_bind [libcomposite]) from [<804742ac>] (udc_bind_to_driver+0x34/0xd8)
[  752.398394]  r10:bd41a008 r9:7f00f638 r8:7f00f620 r7:7f00db28 r6:7f036364 r5:7f036364
[  752.406302]  r4:be3a4000
[  752.408860] [<80474278>] (udc_bind_to_driver) from [<804743c8>] (usb_gadget_probe_driver+0x78/0xa8)
[  752.417908]  r6:7f036364 r5:7f036364 r4:809adde0 r3:00000000
[  752.423649] [<80474350>] (usb_gadget_probe_driver) from [<7f00d5b4>] (usb_composite_probe+0xa8/0xd4 [libcomposite])
[  752.434086]  r5:7f036200 r4:7f03633c
[  752.437713] [<7f00d50c>] (usb_composite_probe [libcomposite]) from [<7f03816c>] (audio_driver_init+0x14/0x1c [g_audio])
[  752.448498]  r9:bdaa9940 r8:80974060 r7:00000000 r6:7f038158 r5:80974060 r4:bd41a000
[  752.456330] [<7f038158>] (audio_driver_init [g_audio]) from [<80008a5c>] (do_one_initcall+0x88/0x1d4)
[  752.465564] [<800089d4>] (do_one_initcall) from [<80093e54>] (load_module+0xb74/0x1020)
[  752.473571]  r10:00000000 r9:bd41bf48 r8:7f0363c4 r7:bd41beec r6:00000000 r5:7f0363d0
[  752.481478]  r4:bd41a000
[  752.484037] [<800932e0>] (load_module) from [<800943e4>] (SyS_init_module+0xe4/0xf8)
[  752.491781]  r10:00000000 r9:bd41a000 r8:8000edc4 r7:00000080 r6:00c28758 r5:00c28a08
[  752.499689]  r4:000025b0
[  752.502252] [<80094300>] (SyS_init_module) from [<8000ec00>] (ret_fast_syscall+0x0/0x48)
[  752.510345]  r6:00c28758 r5:00000000 r4:000025b0
[  752.515013] Code: 808475b4 e1a0c00d e92dd878 e24cb004 (e5904038)
[  752.521223] ---[ end trace 70babe34de4ab99b ]---
Segmentation fault
Signed-off-by: NPeter Chen <peter.chen@freescale.com>
Signed-off-by: NFelipe Balbi <balbi@ti.com>
      4fde6204
  7. 04 12月, 2014 1 次提交
  9. 03 12月, 2014 1 次提交
  11. 25 11月, 2014 3 次提交
  13. 24 11月, 2014 1 次提交
  15. 21 11月, 2014 6 次提交
  17. 20 11月, 2014 1 次提交
  19. 18 11月, 2014 3 次提交
  21. 12 11月, 2014 3 次提交
  23. 11 11月, 2014 11 次提交