Destroy serial_minors IDR on module exit, reclaiming the allocated memory.

This was detected by the following semantic patch (written by Luis
Rodriguez <mcgrof@suse.com>)

<SmPL>
@ defines_module_init @
declarer name module_init, module_exit;
declarer name DEFINE_IDR;
identifier init;
@@

module_init(init);

@ defines_module_exit @
identifier exit;
@@

module_exit(exit);

@ declares_idr depends on defines_module_init && defines_module_exit @
identifier idr;
@@

DEFINE_IDR(idr);

@ on_exit_calls_destroy depends on declares_idr && defines_module_exit @
identifier declares_idr.idr, defines_module_exit.exit;
@@

exit(void)
{
 ...
 idr_destroy(&idr);
 ...
}

@ missing_module_idr_destroy depends on declares_idr && defines_module_exit && !on_exit_calls_destroy @
identifier declares_idr.idr, defines_module_exit.exit;
@@

exit(void)
{
 ...
 +idr_destroy(&idr);
}
</SmPL>
Signed-off-by: NJohannes Thumshirn <jthumshirn@suse.de>
Cc: stable <stable@vger.kernel.org>	# v3.11
Signed-off-by: NJohan Hovold <johan@kernel.org>

Fix attribute-creation race with userspace by using the port device
groups field to create the port attributes.

Also use %u when printing the port number, which is unsigned, even
though we do not currently support more than 128 ports per device.
Reported-by: NTakashi Iwai <tiwai@suse.de>
Signed-off-by: NJohan Hovold <johan@kernel.org>
Acked-by: NGreg Kroah-Hartman <greg@kroah.com>

This reverts commit 5083fd7b.

A bulk-out size smaller than the end-point size is indeed valid. The
offending commit broke the usb-debug driver for EHCI debug devices,
which use 8-byte buffers.

Fixes: 5083fd7b ("USB: serial: make bulk_out_size a lower limit")
Reported-by: N"Li, Elvin" <elvin.li@intel.com>
Cc: stable <stable@vger.kernel.org>	# v3.15
Signed-off-by: NJohan Hovold <johan@kernel.org>

Make sure to verify the number of ports requested by subdriver to avoid
writing beyond the end of fixed-size array in interface data.

The current usb-serial implementation is limited to eight ports per
interface but failed to verify that the number of ports requested by a
subdriver (which could have been determined from device descriptors) did
not exceed this limit.

Cc: stable <stable@vger.kernel.org>
Signed-off-by: NJohan Hovold <johan@kernel.org>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

Make sure to verify the maximum number of endpoints per type to avoid
writing beyond the end of a stack-allocated array.

The current usb-serial implementation is limited to eight ports per
interface but failed to verify that the number of endpoints of a certain
type reported by a device did not exceed this limit.

Cc: stable <stable@vger.kernel.org>
Signed-off-by: NJohan Hovold <johan@kernel.org>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

The only way a port pointer may be NULL is if probe() failed, and in
that case neither disconnect(), resume(), or reset_resume() will be
called.
Signed-off-by: NJohan Hovold <jhovold@gmail.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

Fix driver new_id sysfs-attribute removal deadlock by making sure to
not hold any locks that the attribute operations grab when removing the
attribute.

Specifically, usb_serial_deregister holds the table mutex when
deregistering the driver, which includes removing the new_id attribute.
This can lead to a deadlock as writing to new_id increments the
attribute's active count before trying to grab the same mutex in
usb_serial_probe.

The deadlock can easily be triggered by inserting a sleep in
usb_serial_deregister and writing the id of an unbound device to new_id
during module unload.

As the table mutex (in this case) is used to prevent subdriver unload
during probe, it should be sufficient to only hold the lock while
manipulating the usb-serial driver list during deregister. A racing
probe will then either fail to find a matching subdriver or fail to get
the corresponding module reference.

Since v3.15-rc1 this also triggers the following lockdep warning:

======================================================
[ INFO: possible circular locking dependency detected ]
3.15.0-rc2 #123 Tainted: G        W
-------------------------------------------------------
modprobe/190 is trying to acquire lock:
 (s_active#4){++++.+}, at: [<c0167aa0>] kernfs_remove_by_name_ns+0x4c/0x94

but task is already holding lock:
 (table_lock){+.+.+.}, at: [<bf004d84>] usb_serial_deregister+0x3c/0x78 [usbserial]

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #1 (table_lock){+.+.+.}:
       [<c0075f84>] __lock_acquire+0x1694/0x1ce4
       [<c0076de8>] lock_acquire+0xb4/0x154
       [<c03af3cc>] _raw_spin_lock+0x4c/0x5c
       [<c02bbc24>] usb_store_new_id+0x14c/0x1ac
       [<bf007eb4>] new_id_store+0x68/0x70 [usbserial]
       [<c025f568>] drv_attr_store+0x30/0x3c
       [<c01690e0>] sysfs_kf_write+0x5c/0x60
       [<c01682c0>] kernfs_fop_write+0xd4/0x194
       [<c010881c>] vfs_write+0xbc/0x198
       [<c0108e4c>] SyS_write+0x4c/0xa0
       [<c000f880>] ret_fast_syscall+0x0/0x48

-> #0 (s_active#4){++++.+}:
       [<c03a7a28>] print_circular_bug+0x68/0x2f8
       [<c0076218>] __lock_acquire+0x1928/0x1ce4
       [<c0076de8>] lock_acquire+0xb4/0x154
       [<c0166b70>] __kernfs_remove+0x254/0x310
       [<c0167aa0>] kernfs_remove_by_name_ns+0x4c/0x94
       [<c0169fb8>] remove_files.isra.1+0x48/0x84
       [<c016a2fc>] sysfs_remove_group+0x58/0xac
       [<c016a414>] sysfs_remove_groups+0x34/0x44
       [<c02623b8>] driver_remove_groups+0x1c/0x20
       [<c0260e9c>] bus_remove_driver+0x3c/0xe4
       [<c026235c>] driver_unregister+0x38/0x58
       [<bf007fb4>] usb_serial_bus_deregister+0x84/0x88 [usbserial]
       [<bf004db4>] usb_serial_deregister+0x6c/0x78 [usbserial]
       [<bf005330>] usb_serial_deregister_drivers+0x2c/0x4c [usbserial]
       [<bf016618>] usb_serial_module_exit+0x14/0x1c [sierra]
       [<c009d6cc>] SyS_delete_module+0x184/0x210
       [<c000f880>] ret_fast_syscall+0x0/0x48

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(table_lock);
                               lock(s_active#4);
                               lock(table_lock);
  lock(s_active#4);

 *** DEADLOCK ***

1 lock held by modprobe/190:
 #0:  (table_lock){+.+.+.}, at: [<bf004d84>] usb_serial_deregister+0x3c/0x78 [usbserial]

stack backtrace:
CPU: 0 PID: 190 Comm: modprobe Tainted: G        W     3.15.0-rc2 #123
[<c0015e10>] (unwind_backtrace) from [<c0013728>] (show_stack+0x20/0x24)
[<c0013728>] (show_stack) from [<c03a9a54>] (dump_stack+0x24/0x28)
[<c03a9a54>] (dump_stack) from [<c03a7cac>] (print_circular_bug+0x2ec/0x2f8)
[<c03a7cac>] (print_circular_bug) from [<c0076218>] (__lock_acquire+0x1928/0x1ce4)
[<c0076218>] (__lock_acquire) from [<c0076de8>] (lock_acquire+0xb4/0x154)
[<c0076de8>] (lock_acquire) from [<c0166b70>] (__kernfs_remove+0x254/0x310)
[<c0166b70>] (__kernfs_remove) from [<c0167aa0>] (kernfs_remove_by_name_ns+0x4c/0x94)
[<c0167aa0>] (kernfs_remove_by_name_ns) from [<c0169fb8>] (remove_files.isra.1+0x48/0x84)
[<c0169fb8>] (remove_files.isra.1) from [<c016a2fc>] (sysfs_remove_group+0x58/0xac)
[<c016a2fc>] (sysfs_remove_group) from [<c016a414>] (sysfs_remove_groups+0x34/0x44)
[<c016a414>] (sysfs_remove_groups) from [<c02623b8>] (driver_remove_groups+0x1c/0x20)
[<c02623b8>] (driver_remove_groups) from [<c0260e9c>] (bus_remove_driver+0x3c/0xe4)
[<c0260e9c>] (bus_remove_driver) from [<c026235c>] (driver_unregister+0x38/0x58)
[<c026235c>] (driver_unregister) from [<bf007fb4>] (usb_serial_bus_deregister+0x84/0x88 [usbserial])
[<bf007fb4>] (usb_serial_bus_deregister [usbserial]) from [<bf004db4>] (usb_serial_deregister+0x6c/0x78 [usbserial])
[<bf004db4>] (usb_serial_deregister [usbserial]) from [<bf005330>] (usb_serial_deregister_drivers+0x2c/0x4c [usbserial])
[<bf005330>] (usb_serial_deregister_drivers [usbserial]) from [<bf016618>] (usb_serial_module_exit+0x14/0x1c [sierra])
[<bf016618>] (usb_serial_module_exit [sierra]) from [<c009d6cc>] (SyS_delete_module+0x184/0x210)
[<c009d6cc>] (SyS_delete_module) from [<c000f880>] (ret_fast_syscall+0x0/0x48)
Signed-off-by: NJohan Hovold <jhovold@gmail.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

Add missing newlines to dev_<level> messages.

Also make some messages less verbose where appropriate.
Signed-off-by: NJohan Hovold <jhovold@gmail.com>
Signed-off-by: NGreg Kroah-Hartman <greg@kroah.com>

Add missing braces to conditional branches and one loop in usb-serial
core and generic implementation.
Signed-off-by: NJohan Hovold <jhovold@gmail.com>
Signed-off-by: NGreg Kroah-Hartman <greg@kroah.com>

Drivers are allowed to override the default bulk-out buffer size
(endpoint maximum packet size) in order to increase throughput, but it
does not make much sense to allow buffers smaller than the default.

Note that this is already how bulk_in_size is defined.
Signed-off-by: NJohan Hovold <jhovold@gmail.com>
Signed-off-by: NGreg Kroah-Hartman <greg@kroah.com>

Remove redundant ioctl debugging from subdrivers. The ioctl request code
has already been logged by usb-serial core.
Signed-off-by: NJohan Hovold <jhovold@gmail.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

Since commit 957dacae ("TTY: fix DTR not being dropped on hang up")
dtr_rts is no longer called for uninitialised ports (e.g. after
a disconnect), which removes the need to grab the disconnect mutex.
Signed-off-by: NJohan Hovold <jhovold@gmail.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

We had the limit of 255 USB to serial devices on one system for almost
15 years, with no complaints.  But now it's time to move on from these
tiny "baby" systems, and bump the number up to 512, which should last
us a few more years:
	"512 is a nice number" -- Tobias Winter

Note, this is still a static value, and uses up tty core memory with
this many tty devices allocated.  Converting the driver to use
TTY_DRIVER_DYNAMIC_DEV is the next thing to do in order to remove this
limitation.
Reported-by: NTobias Winter <tobias@linuxdingsda.de>
Tested-by: NTobias Winter <tobias@linuxdingsda.de>
Reviewed-by: NJohan Hovold <jhovold@gmail.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

This moves the allocation of minor device numbers from a static array to
be dynamic, using the idr interface.  This means that you could
potentially get "gaps" in a minor number range for a single USB serial
device with multiple ports, but all should still work properly.

We remove the 'minor' field from the usb_serial structure, as it no
longer makes any sense for it (use the field in the usb_serial_port
structure if you really want to know this number), and take the fact
that we were overloading a number in this field to determine if we had
initialized the minor numbers or not, and just use a flag variable
instead.

Note, we still have the limitation of 255 USB to serial devices in the
system, as that is all we are registering with the TTY layer at this
point in time.
Tested-by: NTobias Winter <tobias@linuxdingsda.de>
Reviewed-by: NJohan Hovold <jhovold@gmail.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

The usb_serial_port structure had the number field, which was the minor
number for the port, which almost no one really cared about.  They
really wanted the number of the port within the device, which you had to
subtract from the minor of the parent usb_serial_device structure.  To
clean this up, provide the real minor number of the port, and the number
of the port within the serial device separately, as these numbers might
not be related in the future.

Bonus is that this cleans up a lot of logic in the drivers, and saves
lines overall.
Tested-by: NTobias Winter <tobias@linuxdingsda.de>
Reviewed-by: NJohan Hovold <jhovold@gmail.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

--
 drivers/staging/serqt_usb2/serqt_usb2.c |   21 +++--------
 drivers/usb/serial/ark3116.c            |    2 -
 drivers/usb/serial/bus.c                |    6 +--
 drivers/usb/serial/console.c            |    2 -
 drivers/usb/serial/cp210x.c             |    2 -
 drivers/usb/serial/cypress_m8.c         |    4 +-
 drivers/usb/serial/digi_acceleport.c    |    6 ---
 drivers/usb/serial/f81232.c             |    5 +-
 drivers/usb/serial/garmin_gps.c         |    6 +--
 drivers/usb/serial/io_edgeport.c        |   58 ++++++++++++--------------------
 drivers/usb/serial/io_ti.c              |   21 ++++-------
 drivers/usb/serial/keyspan.c            |   29 +++++++---------
 drivers/usb/serial/metro-usb.c          |    4 +-
 drivers/usb/serial/mos7720.c            |   37 +++++++++-----------
 drivers/usb/serial/mos7840.c            |   52 +++++++++-------------------
 drivers/usb/serial/opticon.c            |    2 -
 drivers/usb/serial/pl2303.c             |    2 -
 drivers/usb/serial/quatech2.c           |    7 +--
 drivers/usb/serial/sierra.c             |    2 -
 drivers/usb/serial/ti_usb_3410_5052.c   |   10 ++---
 drivers/usb/serial/usb-serial.c         |    7 ++-
 drivers/usb/serial/usb_wwan.c           |    2 -
 drivers/usb/serial/whiteheat.c          |   20 +++++------
 include/linux/usb/serial.h              |    6 ++-
 24 files changed, 133 insertions(+), 180 deletions(-)

Fix regression introduced by commit 143d9d96 ("USB: serial: add
tiocmiwait subdriver operation") which made the ioctl operation return
ENODEV rather than ENOIOCTLCMD when a subdriver TIOCMIWAIT
implementation is missing.
Signed-off-by: NJohan Hovold <jhovold@gmail.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

No need to grab disconnect mutex in chars_in_buffer now that no
sub-driver is or should be querying hardware buffers anymore. (They
should use wait_until_sent.)
Signed-off-by: NJohan Hovold <jhovold@gmail.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

Add generic wait_until_sent implementation which polls for empty
hardware buffers using the new port-operation tx_empty.

The generic implementation will be used for all sub-drivers that
implement tx_empty but does not define wait_until_sent.
Signed-off-by: NJohan Hovold <jhovold@gmail.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

Add wait_until_sent operation which can be used to wait for hardware
buffers to drain.
Signed-off-by: NJohan Hovold <jhovold@gmail.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

This reverts commit eba0e3c3.

When merged together (usb-linus and usb-next), this fix isn't needed and
causes a build error.  Revert the commit to solve the build issue.
Reported-by: NStephen Rothwell <sfr@canb.auug.org.au>
Cc: Ming Lei <tom.leiming@gmail.com>
Cc: Johan Hovold <jhovold@gmail.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

Johan's 'fix use-after-free in TIOCMIWAIT' patchset[1] introduces
one bug which can cause kernel hang when opening port.

This patch initialized the 'port->delta_msr_wait' waitqueue head
to fix the bug which is introduced in 3.9-rc4.

[1], http://marc.info/?l=linux-usb&m=136368139627876&w=2

Cc: stable <stable@vger.kernel.org>
Signed-off-by: NMing Lei <tom.leiming@gmail.com>
Acked-by: NJohan Hovold <jhovold@gmail.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

Update copyright information.
Signed-off-by: NJohan Hovold <jhovold@gmail.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

Make sure processes waiting for modem-status changes are woken up at
disconnect.

This is needed for custom subdriver TIOCMIWAIT-implementations which do
not yet handle hangup.

Even though processes on the tty-port wait queue are woken up at hangup
the wake-up call in usb-serial disconnect is still needed if a woken-up
process may go back to sleep (e.g. due to an incomplete
TIOCMIWAIT-implementation). If a disconnect occurs after a hangup, any
process waiting for changes will not be woken up a second time by the
tty-layer as the port will then have been disassociated from the tty.
Signed-off-by: NJohan Hovold <jhovold@gmail.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

Add tiocmiwait operation to struct usb_serial_driver.
Signed-off-by: NJohan Hovold <jhovold@gmail.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

Use usb_poison_urb to reliably kill all urbs on disconnect and suspend.

This way there will be no question that the urbs cannot be resubmitted
by buggy subdrivers.
Signed-off-by: NJohan Hovold <jhovold@gmail.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

Rename port_release so that all usb_serial_port functions have a common
prefix.
Signed-off-by: NJohan Hovold <jhovold@gmail.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

We should not call kill_traffic (and usb_kill_urb) once disconnect
returns. Any pending urbs are killed at disconnect and new submissions
are prevented by usb_unbind_interface (and usb_disable_interface).
Signed-off-by: NJohan Hovold <jhovold@gmail.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

Most USB serial drivers are, and should be, using as much of the generic
implementation as possible.

Rename the fixup_generic function to a more descriptive name.
Reword the related debug message in a more neutral tone (and remember to
add the missing newline).
Finally, move the operations initialisation to after the initial sanity
checks.
Signed-off-by: NJohan Hovold <jhovold@gmail.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

Remove empty generic release implementation and make the release
callback non-mandatory (like attach, probe and disconnect).
Signed-off-by: NJohan Hovold <jhovold@gmail.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

Remove the now empty generic disconnect callback and make the disconnect
callback non-mandatory.
Signed-off-by: NJohan Hovold <jhovold@gmail.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

Failed allocations already get an OOM message and a stack dump.
Signed-off-by: NJohan Hovold <jhovold@gmail.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

Remove redundant port number from debug output (already printed as part
of device name).
Signed-off-by: NJohan Hovold <jhovold@gmail.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

Remove redundant comments and fix some minor coding style issues.
Signed-off-by: NJohan Hovold <jhovold@gmail.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

Rename the tty-port callbacks using a common prefix to more clearly
separate them from the tty and usb driver callbacks.

Rename serial_down to serial_port_shutdown to match the callback name.
Signed-off-by: NJohan Hovold <jhovold@gmail.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

If suspend callback fails in system sleep context, usb core will
ignore the failure and let system sleep go ahead further, so
this patch comments on the case and requires that serial->type->suspend()
MUST return 0 in system sleep context.
Acked-by: NJohan Hovold <jhovold@gmail.com>
Signed-off-by: NMing Lei <ming.lei@canonical.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

Make sure the interface is not released before our serial device.

Note that drivers are still not allowed to access the interface in
any way that may interfere with another driver that may have gotten
bound to the same interface after disconnect returns.

Cc: stable <stable@vger.kernel.org>
Signed-off-by: NJohan Hovold <jhovold@gmail.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

It allows for cleaning up on a considerable amount of places. They did
port_get, wakeup, kref_put. Now the only thing needed is to call
tty_port_tty_wakeup which does exactly that.

One exception is ifx6x60 where tty_wakeup was open-coded. We now call
tty_wakeup properly there.
Signed-off-by: NJiri Slaby <jslaby@suse.cz>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

The tty port ops shutdown() routine is not called for console ports;
remove extra check.
Signed-off-by: NPeter Hurley <peter@hurleysoftware.com>
Acked-by: NJohan Hovold <jhovold@gmail.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

Make sure serial-driver dtr_rts is called with disc_mutex held after
checking the disconnected flag.

Due to a bug in the tty layer, dtr_rts may get called after a device has
been disconnected and the tty-device unregistered. Some drivers have had
individual checks for disconnect to make sure the disconnected interface
was not accessed, but this should really be handled in usb-serial core
(at least until the long-standing tty-bug has been fixed).

Note that the problem has been made more acute with commit 0998d063
("device-core: Ensure drvdata = NULL when no driver is bound") as the
port data is now also NULL when dtr_rts is called resulting in further
oopses.
Reported-by: NChris Ruehl <chris.ruehl@gtsys.com.hk>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: NJohan Hovold <jhovold@gmail.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

Grab disconnect mutex in chars_in_buffer before checking disconnected
flag or calling driver specific function.

This allows subdrivers to query any hardware buffer status without
having to handle the locking themselves.
Signed-off-by: NJohan Hovold <jhovold@gmail.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>