1. 17 5月, 2011 1 次提交
    • S
      xhci: Fix memory leak in ring cache deallocation. · 30f89ca0
      Sarah Sharp 提交于
      When an endpoint ring is freed, it is either cached in a per-device ring
      cache, or simply freed if the ring cache is full.  If the ring was added
      to the cache, then virt_dev->num_rings_cached is incremented.  The cache
      is designed to hold up to 31 endpoint rings, in array indexes 0 to 30.
      When the device is freed (when the slot was disabled),
      xhci_free_virt_device() is called, it would free the cached rings in
      array indexes 0 to virt_dev->num_rings_cached.
      
      Unfortunately, the original code in xhci_free_or_cache_endpoint_ring()
      would put the first entry into the ring cache in array index 1, instead of
      array index 0.  This was caused by the second assignment to rings_cached:
      
      	rings_cached = virt_dev->num_rings_cached;
      	if (rings_cached < XHCI_MAX_RINGS_CACHED) {
      		virt_dev->num_rings_cached++;
      		rings_cached = virt_dev->num_rings_cached;
      		virt_dev->ring_cache[rings_cached] =
      			virt_dev->eps[ep_index].ring;
      
      This meant that when the device was freed, cached rings with indexes 0 to
      N would be freed, and the last cached ring in index N+1 would not be
      freed.  When the driver was unloaded, this caused interesting messages
      like:
      
      xhci_hcd 0000:06:00.0: dma_pool_destroy xHCI ring segments, ffff880063040000 busy
      
      This should be queued to stable kernels back to 2.6.33.
      Signed-off-by: NSarah Sharp <sarah.a.sharp@linux.intel.com>
      Cc: stable@kernel.org
      30f89ca0
  2. 14 5月, 2011 9 次提交
  3. 13 5月, 2011 11 次提交
  4. 12 5月, 2011 4 次提交
    • S
      xhci: Fix bug in control transfer cancellation. · 3abeca99
      Sarah Sharp 提交于
      When the xHCI driver attempts to cancel a transfer, it issues a Stop
      Endpoint command and waits for the host controller to indicate which TRB
      it was in the middle of processing.  The host will put an event TRB with
      completion code COMP_STOP on the event ring if it stops on a control
      transfer TRB (or other types of transfer TRBs).  The ring handling code
      is supposed to set ep->stopped_trb to the TRB that the host stopped on
      when this happens.
      
      Unfortunately, there is a long-standing bug in the control transfer
      completion code.  It doesn't actually check to see if COMP_STOP is set
      before attempting to process the transfer based on which part of the
      control TD completed.  So when we get an event on the data phase of the
      control TRB with COMP_STOP set, it thinks it's a normal completion of
      the transfer and doesn't set ep->stopped_td or ep->stopped_trb.
      
      When the ring handling code goes on to process the completion of the Stop
      Endpoint command, it sees that ep->stopped_trb is not a part of the TD
      it's trying to cancel.  It thinks the hardware has its enqueue pointer
      somewhere further up in the ring, and thinks it's safe to turn the control
      TRBs into no-op TRBs.  Since the hardware was in the middle of the control
      TRBs to be cancelled, the proper software behavior is to issue a Set TR
      dequeue pointer command.
      
      It turns out that the NEC host controllers can handle active TRBs being
      set to no-op TRBs after a stop endpoint command, but other host
      controllers have issues with this out-of-spec software behavior.  Fix this
      behavior.
      
      This patch should be backported to kernels as far back as 2.6.31, but it
      may be a bit challenging, since process_ctrl_td() was introduced in some
      refactoring done in 2.6.36, and some endian-safe patches added in 2.6.40
      that touch the same lines.
      Signed-off-by: NSarah Sharp <sarah.a.sharp@linux.intel.com>
      Cc: Dmitry Torokhov <dmitry.torokhov@gmail.com>
      Cc: stable@kernel.org
      3abeca99
    • K
      usb: renesas_usbhs: fixup error processing on probe/remove · 97f93227
      Kuninori Morimoto 提交于
      The error processing order was wrong.
      This patch modify it.
      Signed-off-by: NKuninori Morimoto <kuninori.morimoto.gx@renesas.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>
      97f93227
    • K
      usb: renesas_usbhs: fixup fifo disable · c786e09c
      Kuninori Morimoto 提交于
      It was necessary to check pipe condition after disable fifo.
      Current driver checked it in a wrong place.
      Signed-off-by: NKuninori Morimoto <kuninori.morimoto.gx@renesas.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>
      c786e09c
    • E
      USB: cdc_acm: Fix oops when Droids MuIn LCD is connected · fd5054c1
      Erik Slagter 提交于
      The Droids MuIn LCD operates like a serial remote terminal.
      Data received are displayed directly on the LCD. This patch
      fixes the kernel null pointer oops when it is plugged in.
      
      Add NO_DATA_INTERFACE quirk to tell the driver that "control"
      and "data" interfaces are not separated for this device, which
      prevents dereferencing a null pointer in the device probe code.
      Signed-off-by: NErik Slagter <erik@slagter.name>
      Signed-off-by: NMaxin B. John <maxin.john@gmail.com>
      Tested-by: NErik Slagter <erik@slagter.name>
      Cc: stable <stable@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>
      fd5054c1
  5. 11 5月, 2011 12 次提交
  6. 10 5月, 2011 3 次提交