- 02 6月, 2016 35 次提交
-
-
由 Andrew Goodbody 提交于
shared_fifo endpoints would only get a previous tx state cleared out, the rx state was only cleared for non shared_fifo endpoints Change this so that the rx state is cleared for all endpoints. This addresses an issue that resulted in rx packets being dropped silently. Signed-off-by: NAndrew Goodbody <andrew.goodbody@cambrionix.com> Cc: stable@vger.kernel.org Signed-off-by: NBin Liu <b-liu@ti.com> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
-
由 Bin Liu 提交于
Incorrect cppi dma channel is referenced in musb_rx_dma_iso_cppi41(), which causes kernel NULL pointer reference oops later when calling cppi41_dma_channel_program(). Fixes: 069a3fd1 (usb: musb: Remove ifdefs for musb_host_rx in musb_host.c part1) Cc: <stable@vger.kernel.org> # v4.2+ Reported-by: NMatwey V. Kornilov <matwey@sai.msu.ru> Acked-by: NTony Lindgren <tony@atomide.com> Signed-off-by: NBin Liu <b-liu@ti.com> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
-
由 Bin Liu 提交于
If the session bit was not set in the backup of devctl register, restoring devctl would clear the session bit. Therefor, only restore devctl register when the session bit was set in the backup. This solves the device enumeration failure in otg mode exposed by commit 56f487c7 (PM / Runtime: Update last_busy in rpm_resume). Cc: <stable@vger.kernel.org> # v4.2+ Signed-off-by: NBin Liu <b-liu@ti.com> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
-
由 Tony Lindgren 提交于
We need to check the state for the PHY with delayed_work as otherwise MUSB will get confused and idles immediately. Signed-off-by: NTony Lindgren <tony@atomide.com> Signed-off-by: NBin Liu <b-liu@ti.com> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
-
由 Tony Lindgren 提交于
There's no longer any need for custom initcall level for musb. Signed-off-by: NTony Lindgren <tony@atomide.com> Signed-off-by: NBin Liu <b-liu@ti.com> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
-
由 Tony Lindgren 提交于
With the pull up being handled with delayed work, we can now finally remove pm_runtime_set_irq_safe that blocks the MUSB glue from idling. Signed-off-by: NTony Lindgren <tony@atomide.com> Signed-off-by: NBin Liu <b-liu@ti.com> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
-
由 Tony Lindgren 提交于
With PM runtime behaving, these are all now unnecessary. Doing pm_runtime_get(musb->controller) will keep the parent glue layer also active. Signed-off-by: NTony Lindgren <tony@atomide.com> Signed-off-by: NBin Liu <b-liu@ti.com> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
-
由 Tony Lindgren 提交于
At least on n900 we have phy-twl4030-usb only generating cable interrupts, and then have a separate USB PHY. In order for musb to know the real cable status, we need to clear any cached state until musb is ready. Otherwise the cable status interrupts will get just ignored if the status does not change from the initial state. To do this, let's add a return value to musb_mailbox(), and reset cached linkstat to MUSB_UNKNOWN on error. Sorry to cause a bit of churn here, I should have added that already last time patching musb_mailbox(). Signed-off-by: NTony Lindgren <tony@atomide.com> Signed-off-by: NBin Liu <b-liu@ti.com> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
-
由 Tony Lindgren 提交于
At least 2430 glue layer pulls d+ high on start up even if there are no gadgets configured. This is bad at least for anything using a separate battery charger chip as it can confuse the charger detection. Let's fix the issue by removing the bogus glue layer code tinkering with the SESSION bit. As pointed out Bin Liu <b-liu@ti.com> and Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>, the SESSION bit just starts host mode if ID pin is grounded, and starts the srp is ID pin is floating. So without the ID pin changing, it's unable to force musb mode to anything. And just for starting a host mode, things work fine without this code. Signed-off-by: NTony Lindgren <tony@atomide.com> Signed-off-by: NBin Liu <b-liu@ti.com> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
-
由 Tony Lindgren 提交于
This is no longer needed with PM runtime at least for 2430 glue. We can now rely only on PM runtime and cable detection. The other glue layers can probably remove try_idle too, but that needs to be tested for each platform before doing it. Signed-off-by: NTony Lindgren <tony@atomide.com> Signed-off-by: NBin Liu <b-liu@ti.com> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
-
由 Tony Lindgren 提交于
This simplifies things and allows idling both MUSB and PHY when nothing is configured. Let's just return early from PM runtime if musb is not yet initialized. Let's also warn if PHY is not configured. Signed-off-by: NTony Lindgren <tony@atomide.com> Signed-off-by: NBin Liu <b-liu@ti.com> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
-
由 Tony Lindgren 提交于
We may have drivers loaded but no configured gadgets and MUSB may be in host mode. If gadgets are configured during host mode, PM runtime will get confused. Disable PM runtime from gadget state, and do it based on the cable and last state. Note that we may get multiple cable events, so we need to keep track of the power state. Signed-off-by: NTony Lindgren <tony@atomide.com> Signed-off-by: NBin Liu <b-liu@ti.com> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
-
由 Tony Lindgren 提交于
We have MUSB setting pm_runtime_irq_safe with the following commits: 30a70b02 ("usb: musb: fix obex in g_nokia.ko causing kernel panic") 3e43a072 ("usb: musb: core: add pm_runtime_irq_safe()") Let's fix things to use delayed work so we can remove the pm_runtime_irq_safe. Note that we may want to set this up in a generic way in the gadget framework eventually. Signed-off-by: NTony Lindgren <tony@atomide.com> Signed-off-by: NBin Liu <b-liu@ti.com> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
-
由 Tony Lindgren 提交于
The conditional use of PM runtime does not work properly for musb gadget. On cable disconnect we may not get any USB_EVENT_NONE leaving the PM runtime call unpaired. Let's fix the issue by making sure the PM runtime calls are paired within the functions. The glue layer will take care of the rest. Signed-off-by: NTony Lindgren <tony@atomide.com> Signed-off-by: NBin Liu <b-liu@ti.com> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
-
由 Tony Lindgren 提交于
Let's not tinker with the PM runtime of musb core from the omap2430 wrapper. This allows us to initialize PM runtime for musb core later on instead of doing it in stages. And omap2430 wrapper has no need to for accessing musb core at this point. Note that this does not remove all the PM runtime calls from the glue layer, those will get removed in a later patch. Signed-off-by: NTony Lindgren <tony@atomide.com> Signed-off-by: NBin Liu <b-liu@ti.com> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
-
由 Tony Lindgren 提交于
Let's make the PM runtime use the standard autosuspend calls. Commit 5de85b9d ("PM / runtime: Re-init runtime PM states at probe error and driver unbind") means we must pair use_autosuspend with dont_use_autosuspend and then use put_sync to properly idle the device. Note that we'll be removing the PM runtime calls from the glue layer to the MUSB core in the next patch. And we can also remove the pointless FIXME comment now. Signed-off-by: NTony Lindgren <tony@atomide.com> Signed-off-by: NBin Liu <b-liu@ti.com> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
-
由 Tony Lindgren 提交于
We have remove() already calling shutdown(), so let's drop it and move the code to remove(). No code changes, we'll drop the the FIXME in the following patch with more clean-up. Signed-off-by: NTony Lindgren <tony@atomide.com> Signed-off-by: NBin Liu <b-liu@ti.com> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
-
由 Tony Lindgren 提交于
Looks like at least 2430 glue won't idle reliably with the 200 ms autosuspend delay. This causes deeper idle states being blocked for the whole SoC when disconnecting OTG A cable. Increasing the delay to 500 ms seems to idle both MUSB and the PHY reliably. This is probably because of time needed by the hardware based negotiation between MUSB and the PHY. Signed-off-by: NTony Lindgren <tony@atomide.com> Signed-off-by: NBin Liu <b-liu@ti.com> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
-
由 Hans de Goede 提交于
When the board is powering attached usb devices via the otg port sometimes / on some devices it takes slightly too long for the Vbus detection code in phy-sun4i-usb.c to signal that Vbus is high after enabling Vbus and the musb hardware signals a MUSB_INTR_VBUSERROR interrupt. This commit sets the otg state to A_WAIT_VRISE upon enabling Vbus making musb_stage0_irq() ignore the first VBUSERR_RETRY_COUNT VBUSERROR interrupts, fixing connection issues in these cases. Signed-off-by: NHans de Goede <hdegoede@redhat.com> [b-liu@ti.com: revise subject prefix] Signed-off-by: NBin Liu <b-liu@ti.com> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
-
由 Hans de Goede 提交于
Move the mode handling to the platform_set_mode callback. Signed-off-by: NHans de Goede <hdegoede@redhat.com> [b-liu@ti.com: revise subject prefix] Signed-off-by: NBin Liu <b-liu@ti.com> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
-
由 Sergei Shtylyov 提交于
Now that the DMA engine check was moved to musb_tx_dma_porgram(), both musb_tx_dma_set_mode_cppi_tusb() and musb_tx_dma_set_mode_mentor() always return 0, so we can make both these functions *void*. Signed-off-by: NSergei Shtylyov <sergei.shtylyov@cogentembedded.com> [b-liu@ti.com: revise subject prefix] Signed-off-by: NBin Liu <b-liu@ti.com> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
-
由 Sergei Shtylyov 提交于
Commit 754fe4a9 ("usb: musb: Remove ifdefs for TX DMA for musb_host.c") looks incomplete: the DMA engine checks are done outside the Mentor/UX500 handler but inside the CPPI/TUSB handler. Move the checks out of the CPPI/ TUSB handler into its caller, musb_tx_dma_program(). Signed-off-by: NSergei Shtylyov <sergei.shtylyov@cogentembedded.com> [b-liu@ti.com: revise subject prefix] Signed-off-by: NBin Liu <b-liu@ti.com> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
-
由 Bin Liu 提交于
urb->status is set when endpoint csr RXSTALL, H_ERROR, DATAERROR or INCOMPRX bit is set. Those bits mean a broken pipe, so don't start next urb when any of these bits is set by checking urb->status. To minimize the risk of regression, only do so for RX, until we have a test case to understand the behavior of TX. The patch fixes system freeze issue caused by repeatedly invoking RX ISR while removing a usb uart device connected to a hub, in which case the hub has no chance to report the disconnect event due to the kernel is busy in processing the RX interrupt flooding. Fix checkpatch complaint (qh != NULL) as while. Reported-by: NMax Uvarov <muvarov@gmail.com> Tested-by: NYegor Yefremov <yegorslists@googlemail.com> Signed-off-by: NBin Liu <b-liu@ti.com> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
-
由 Bin Liu 提交于
The MUSB Programming Guide states that the driver should clear RXCSR bit2 when the controller sets the bit. Signed-off-by: NBin Liu <b-liu@ti.com> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
-
由 Hans de Goede 提交于
I got one of these cards for testing uas with, it seems that with streams it dma-s all over the place, corrupting memory. On my first tests it managed to dma over the BIOS of the motherboard somehow and completely bricked it. Tests on another motherboard show that it does work with streams disabled. Cc: stable@vger.kernel.org Signed-off-by: NHans de Goede <hdegoede@redhat.com> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
-
由 Alan Stern 提交于
Several people have reported that UBSAN doesn't like the pointer arithmetic in ehci_hub_control(): u32 __iomem *status_reg = &ehci->regs->port_status[ (wIndex & 0xff) - 1]; u32 __iomem *hostpc_reg = &ehci->regs->hostpc[(wIndex & 0xff) - 1]; If wIndex is 0 (and it often is), these calculations underflow and UBSAN complains. According to the C standard, pointer computations leading to locations outside the bounds of an array object (other than 1 position past the end) are undefined. In this case, the compiler would be justified in concluding the wIndex can never be 0 and then optimizing away the tests for !wIndex that occur later in the subroutine. (Although, since ehci->regs->port_status and ehci->regs->hostpc are both 0-length arrays and are thus GCC extensions to the C standard, it's not clear what the compiler is really allowed to do.) At any rate, we can avoid all these difficulties, at the cost of making the code slightly longer, by not decrementing the index when it is equal to 0. The runtime effect is minimal, and anyway ehci_hub_control() is not on a hot path. Signed-off-by: NAlan Stern <stern@rowland.harvard.edu> Reported-by: NValdis Kletnieks <Valdis.Kletnieks@vt.edu> Reported-by: NMeelis Roos <mroos@linux.ee> Reported-by: NMartin_MOKREJÅ <mmokrejs@gmail.com> Reported-by: N"Navin P.S" <navinp1912@gmail.com> CC: Andrey Ryabinin <ryabinin.a.a@gmail.com> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
-
由 Hans de Goede 提交于
Commit 198de51d ("USB: uas: Limit qdepth at the scsi-host level") removed the scsi_change_queue_depth() call from uas_slave_configure() assuming that the slave would inherit the host's queue_depth, which that commit sets to the same value. This is incorrect, without the scsi_change_queue_depth() call the slave's queue_depth defaults to 1, introducing a performance regression. This commit restores the call, fixing the performance regression. Cc: stable@vger.kernel.org Fixes: 198de51d ("USB: uas: Limit qdepth at the scsi-host level") Reported-by: NTom Yan <tom.ty89@gmail.com> Signed-off-by: NHans de Goede <hdegoede@redhat.com> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
-
由 Tom Yan 提交于
Commit 198de51d ("USB: uas: Limit qdepth at the scsi-host level") made qdepth limit set in host template (`.can_queue = MAX_CMNDS`) redundant. Removing it to avoid confusion. Signed-off-by: NTom Yan <tom.ty89@gmail.com> Acked-by: NHans de Goede <hdegoede@redhat.com> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
-
由 Hans de Goede 提交于
The Acer C120 LED Projector is a USB-3 connected pico projector which takes both its power and video data from USB-3. In combination with some hubs this device does not play well with lpm, so disable lpm for it. Signed-off-by: NHans de Goede <hdegoede@redhat.com> Cc: stable <stable@vger.kernel.org> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
-
由 Hans de Goede 提交于
Properly sort all the entries by vendor id. Signed-off-by: NHans de Goede <hdegoede@redhat.com> Cc: stable <stable@vger.kernel.org> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
-
由 Mathias Nyman 提交于
commit b1c127ae ("usb: host: xhci: plat: make use of new methods in xhci_plat_priv") sets xhci->quirks before calling xhci_gen_setup(), which will overwrite them. Don't overwite the quirks, just add the new ones Fixes: b1c127ae ("usb: host: xhci: plat: make use of new methods in xhci_plat_priv") Reported-by: NYoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com> Cc: Felipe Balbi <felipe.balbi@linux.intel.com> Signed-off-by: NMathias Nyman <mathias.nyman@linux.intel.com> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
-
由 Thomas Petazzoni 提交于
On some platforms, the clocks might be registered by a platform driver. When this is the case, the clock platform driver may very well be probed after xhci-plat, in which case the first probe() invocation of xhci-plat will receive -EPROBE_DEFER as the return value of devm_clk_get(). The current code handles that as a normal error, and simply assumes that this means that the system doesn't have a clock for the XHCI controller, and continues probing without calling clk_prepare_enable(). Unfortunately, this doesn't work on systems where the XHCI controller does have a clock, but that clock is provided by another platform driver. In order to fix this situation, we handle the -EPROBE_DEFER error condition specially, and abort the XHCI controller probe(). It will be retried later automatically, the clock will be available, devm_clk_get() will succeed, and the probe() will continue with the clock prepared and enabled as expected. In practice, such issue is seen on the ARM64 Marvell 7K/8K platform, where the clocks are registered by a platform driver. Cc: <stable@vger.kernel.org> Signed-off-by: NThomas Petazzoni <thomas.petazzoni@free-electrons.com> Signed-off-by: NMathias Nyman <mathias.nyman@linux.intel.com> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
-
由 Mathias Nyman 提交于
If commands timeout we mark them for abortion, then stop the command ring, and turn the commands to no-ops and finally restart the command ring. If the host is working properly the no-op commands will finish and pending completions are called. If we notice the host is failing, driver clears the command ring and completes, deletes and frees all pending commands. There are two separate cases reported where host is believed to work properly but is not. In the first case we successfully stop the ring but no abort or stop command ring event is ever sent and host locks up. The second case is if a host is removed, command times out and driver believes the ring is stopped, and assumes it will be restarted, but actually ends up timing out on the same command forever. If one of the pending commands has the xhci->mutex held it will block xhci_stop() in the remove codepath which otherwise would cleanup pending commands. Add a check that clears all pending commands in case host is removed, or we are stuck timing out on the same command. Also restart the command timeout timer when stopping the command ring to ensure we recive an ring stop/abort event. Cc: stable <stable@vger.kernel.org> Tested-by: NJoe Lawrence <joe.lawrence@stratus.com> Signed-off-by: NMathias Nyman <mathias.nyman@linux.intel.com> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
-
由 Gabriel Krisman Bertazi 提交于
Under stress occasions some TI devices might not return early when reading the status register during the quirk invocation of xhci_irq made by usb_hcd_pci_remove. This means that instead of returning, we end up handling this interruption in the middle of a shutdown. Since xhci->event_ring has already been freed in xhci_mem_cleanup, we end up accessing freed memory, causing the Oops below. commit 8c24d6d7 ("usb: xhci: stop everything on the first call to xhci_stop") is the one that changed the instant in which we clean up the event queue when stopping a device. Before, we didn't call xhci_mem_cleanup at the first time xhci_stop is executed (for the shared HCD), instead, we only did it after the invocation for the primary HCD, much later at the removal path. The code flow for this oops looks like this: xhci_pci_remove() usb_remove_hcd(xhci->shared) xhci_stop(xhci->shared) xhci_halt() xhci_mem_cleanup(xhci); // Free the event_queue usb_hcd_pci_remove(primary) xhci_irq() // Access the event_queue if STS_EINT is set. Crash. xhci_stop() xhci_halt() // return early The fix modifies xhci_stop to only cleanup the xhci data when releasing the primary HCD. This way, we still have the event_queue configured when invoking xhci_irq. We still halt the device on the first call to xhci_stop, though. I could reproduce this issue several times on the mainline kernel by doing a bind-unbind stress test with a specific storage gadget attached. I also ran the same test over-night with my patch applied and didn't observe the issue anymore. [ 113.334124] Unable to handle kernel paging request for data at address 0x00000028 [ 113.335514] Faulting instruction address: 0xd00000000d4f767c [ 113.336839] Oops: Kernel access of bad area, sig: 11 [#1] [ 113.338214] SMP NR_CPUS=1024 NUMA PowerNV [c000000efe47ba90] c000000000720850 usb_hcd_irq+0x50/0x80 [c000000efe47bac0] c00000000073d328 usb_hcd_pci_remove+0x68/0x1f0 [c000000efe47bb00] d00000000daf0128 xhci_pci_remove+0x78/0xb0 [xhci_pci] [c000000efe47bb30] c00000000055cf70 pci_device_remove+0x70/0x110 [c000000efe47bb70] c00000000061c6bc __device_release_driver+0xbc/0x190 [c000000efe47bba0] c00000000061c7d0 device_release_driver+0x40/0x70 [c000000efe47bbd0] c000000000619510 unbind_store+0x120/0x150 [c000000efe47bc20] c0000000006183c4 drv_attr_store+0x64/0xa0 [c000000efe47bc60] c00000000039f1d0 sysfs_kf_write+0x80/0xb0 [c000000efe47bca0] c00000000039e14c kernfs_fop_write+0x18c/0x1f0 [c000000efe47bcf0] c0000000002e962c __vfs_write+0x6c/0x190 [c000000efe47bd90] c0000000002eab40 vfs_write+0xc0/0x200 [c000000efe47bde0] c0000000002ec85c SyS_write+0x6c/0x110 [c000000efe47be30] c000000000009260 system_call+0x38/0x108 Signed-off-by: NGabriel Krisman Bertazi <krisman@linux.vnet.ibm.com> Cc: Roger Quadros <rogerq@ti.com> Cc: joel@jms.id.au Cc: stable@vger.kernel.org Reviewed-by: NRoger Quadros <rogerq@ti.com> Cc: <stable@vger.kernel.org> #v4.3+ Tested-by: NJoel Stanley <joel@jms.id.au> Signed-off-by: NMathias Nyman <mathias.nyman@linux.intel.com> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
-
由 Greg Kroah-Hartman 提交于
Merge tag 'fixes-for-v4.7-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/balbi/usb into usb-linus Felipe writes: Here's the first set of fixes for v4.7-rc cycle. Nothing extra fancy this time around. Patches range from MS OS Descriptor usage fixes, to Clear Stall EP command fix on dwc3, to some f_fs fixes and out of bounds accesses on renesas driver.
-
- 01 6月, 2016 1 次提交
-
-
由 John Youn 提交于
As of core revision 2.60a the recommended programming model is to set the ClearPendIN bit when issuing a Clear Stall EP command for IN endpoints. This is to prevent an issue where some (non-compliant) hosts may not send ACK TPs for pending IN transfers due to a mishandled error condition. Synopsys STAR 9000614252. Signed-off-by: NJohn Youn <johnyoun@synopsys.com> Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>
-
- 31 5月, 2016 4 次提交
-
-
由 Peter Griffin 提交于
Set USB3_FORCE_VBUSVALID when configured for USB_DR_MODE_PERIPHERAL mode, as it is required to have a working setup. This worked on the internal driver by relying on the reset value of the syscfg register as the bits aren't explicity cleared and set like the upstream driver. Also add a comment about what setting this bit means. Signed-off-by: NPeter Griffin <peter.griffin@linaro.org> Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>
-
由 William Wu 提交于
In OS descriptors handling, if ctrl->bRequestType is USB_RECIP_DEVICE and w_index != 0x4 or (w_value >> 8) is true, it will not assign a valid value to req->length, but use the default value(-EOPNOTSUPP), and queue an OS desc request with the invalid req->length. It always happens on the platforms which use os_desc (for example: rk3366, rk3399), and cause kernel panic as follows (use dwc3 driver): Unable to handle kernel paging request at virtual address ffffffc0f7e00000 Internal error: Oops: 96000146 [#1] PREEMPT SMP PC is at __dma_clean_range+0x18/0x30 LR is at __swiotlb_map_page+0x50/0x64 Call trace: [<ffffffc0000930f8>] __dma_clean_range+0x18/0x30 [<ffffffc00062214c>] usb_gadget_map_request+0x134/0x1b0 [<ffffffc0005c289c>] __dwc3_ep0_do_control_data+0x110/0x14c [<ffffffc0005c2d38>] __dwc3_gadget_ep0_queue+0x198/0x1b8 [<ffffffc0005c2e18>] dwc3_gadget_ep0_queue+0xc0/0xe8 [<ffffffc00061cfec>] composite_ep0_queue.constprop.14+0x34/0x98 [<ffffffc00061dfb0>] composite_setup+0xf60/0x100c [<ffffffc0006204dc>] android_setup+0xd8/0x138 [<ffffffc0005c29a4>] dwc3_ep0_delegate_req+0x34/0x50 [<ffffffc0005c3534>] dwc3_ep0_interrupt+0x5dc/0xb58 [<ffffffc0005c0c3c>] dwc3_thread_interrupt+0x15c/0xa24 With this patch, the gadget driver will not queue a request and return immediately if req->length is invalid. And the usb controller driver can handle the unsupport request correctly. Signed-off-by: NWilliam Wu <william.wu@rock-chips.com> Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>
-
由 Jim Lin 提交于
If c->cdev->use_os_string flag is not set, don't need to invoke ffs_do_os_descs() in _ffs_func_bind. So uninitialized ext_compat_id pointer won't be accessed by __ffs_func_bind_do_os_desc to cause kernel panic. Signed-off-by: NJim Lin <jilin@nvidia.com> Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>
-
由 Heinrich Schuchardt 提交于
Commit dc8c46a5 ("usb: gadget: f_tcm: convert to new function interface with backward compatibility") introduced a possible out of bounds memory access: If tpg is not found in function usbg_drop_tpg, tpg_instances[TPG_INSTANCES] is accessed. Fixes: dc8c46a5 ("usb: gadget: f_tcm: convert to new function interface with backward compatibility") Signed-off-by: NHeinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>
-