tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

Merge master.kernel.org:/pub/scm/linux/kernel/git/gregkh/usb-2.6

* master.kernel.org:/pub/scm/linux/kernel/git/gregkh/usb-2.6:
USB: ftdio_sio: New IPlus device ID
USB: add new device id to option driver
USB: fix race leading to use after free in io_edgeport
USB: usblcd doesn't limit memory consumption during write
USB: memory leak in iowarrior.c
USB: ti serial driver sleeps with spinlock held
USB: g_file_storage: call allow_signal()

Linus Torvalds 9a08e732 b9e3614f

+40 -21
unified split
+5 -7
drivers/usb/gadget/file_storage.c
··· 686 int thread_wakeup_needed; 687 struct completion thread_notifier; 688 struct task_struct *thread_task; 689 - sigset_t thread_signal_mask; 690 691 int cmnd_size; 692 u8 cmnd[MAX_COMMAND_SIZE]; ··· 3276 /* Clear the existing signals. Anything but SIGUSR1 is converted 3277 * into a high-priority EXIT exception. */ 3278 for (;;) { 3279 - sig = dequeue_signal_lock(current, &fsg->thread_signal_mask, 3280 - &info); 3281 if (!sig) 3282 break; 3283 if (sig != SIGUSR1) { ··· 3429 3430 /* Allow the thread to be killed by a signal, but set the signal mask 3431 * to block everything but INT, TERM, KILL, and USR1. */ 3432 - siginitsetinv(&fsg->thread_signal_mask, sigmask(SIGINT) | 3433 - sigmask(SIGTERM) | sigmask(SIGKILL) | 3434 - sigmask(SIGUSR1)); 3435 - sigprocmask(SIG_SETMASK, &fsg->thread_signal_mask, NULL); 3436 3437 /* Arrange for userspace references to be interpreted as kernel 3438 * pointers. That way we can pass a kernel pointer to a routine
··· 686 int thread_wakeup_needed; 687 struct completion thread_notifier; 688 struct task_struct *thread_task; 689 690 int cmnd_size; 691 u8 cmnd[MAX_COMMAND_SIZE]; ··· 3277 /* Clear the existing signals. Anything but SIGUSR1 is converted 3278 * into a high-priority EXIT exception. */ 3279 for (;;) { 3280 + sig = dequeue_signal_lock(current, &current->blocked, &info); 3281 if (!sig) 3282 break; 3283 if (sig != SIGUSR1) { ··· 3431 3432 /* Allow the thread to be killed by a signal, but set the signal mask 3433 * to block everything but INT, TERM, KILL, and USR1. */ 3434 + allow_signal(SIGINT); 3435 + allow_signal(SIGTERM); 3436 + allow_signal(SIGKILL); 3437 + allow_signal(SIGUSR1); 3438 3439 /* Arrange for userspace references to be interpreted as kernel 3440 * pointers. That way we can pass a kernel pointer to a routine
+4 -3
drivers/usb/misc/iowarrior.c
··· 495 496 /* verify that the device wasn't unplugged */ 497 if (!dev->present) { 498 - mutex_unlock(&dev->mutex); 499 - return -ENODEV; 500 } 501 502 dbg("%s - minor %d, cmd 0x%.4x, arg %ld", __func__, dev->minor, cmd, ··· 579 retval = -ENOTTY; 580 break; 581 } 582 - 583 /* unlock the device */ 584 mutex_unlock(&dev->mutex); 585 return retval; 586 } 587
··· 495 496 /* verify that the device wasn't unplugged */ 497 if (!dev->present) { 498 + retval = -ENODEV; 499 + goto error_out; 500 } 501 502 dbg("%s - minor %d, cmd 0x%.4x, arg %ld", __func__, dev->minor, cmd, ··· 579 retval = -ENOTTY; 580 break; 581 } 582 + error_out: 583 /* unlock the device */ 584 mutex_unlock(&dev->mutex); 585 + kfree(buffer); 586 return retval; 587 } 588
+18 -4
drivers/usb/misc/usblcd.c
··· 42 size_t bulk_in_size; /* the size of the receive buffer */ 43 __u8 bulk_in_endpointAddr; /* the address of the bulk in endpoint */ 44 __u8 bulk_out_endpointAddr; /* the address of the bulk out endpoint */ 45 - struct kref kref; 46 }; 47 #define to_lcd_dev(d) container_of(d, struct usb_lcd, kref) 48 49 static struct usb_driver lcd_driver; 50 static DEFINE_MUTEX(usb_lcd_open_mutex); ··· 190 /* free up our allocated buffer */ 191 usb_buffer_free(urb->dev, urb->transfer_buffer_length, 192 urb->transfer_buffer, urb->transfer_dma); 193 } 194 195 static ssize_t lcd_write(struct file *file, const char __user * user_buffer, size_t count, loff_t *ppos) 196 { 197 struct usb_lcd *dev; 198 - int retval = 0; 199 struct urb *urb = NULL; 200 char *buf = NULL; 201 ··· 206 if (count == 0) 207 goto exit; 208 209 /* create a urb, and a buffer for it, and copy the data to the urb */ 210 urb = usb_alloc_urb(0, GFP_KERNEL); 211 - if (!urb) 212 - return -ENOMEM; 213 214 buf = usb_buffer_alloc(dev->udev, count, GFP_KERNEL, &urb->transfer_dma); 215 if (!buf) { ··· 250 error: 251 usb_buffer_free(dev->udev, count, buf, urb->transfer_dma); 252 usb_free_urb(urb); 253 return retval; 254 } 255 ··· 290 goto error; 291 } 292 kref_init(&dev->kref); 293 294 dev->udev = usb_get_dev(interface_to_usbdev(interface)); 295 dev->interface = interface;
··· 42 size_t bulk_in_size; /* the size of the receive buffer */ 43 __u8 bulk_in_endpointAddr; /* the address of the bulk in endpoint */ 44 __u8 bulk_out_endpointAddr; /* the address of the bulk out endpoint */ 45 + struct kref kref; 46 + struct semaphore limit_sem; /* to stop writes at full throttle from 47 + * using up all RAM */ 48 }; 49 #define to_lcd_dev(d) container_of(d, struct usb_lcd, kref) 50 + 51 + #define USB_LCD_CONCURRENT_WRITES 5 52 53 static struct usb_driver lcd_driver; 54 static DEFINE_MUTEX(usb_lcd_open_mutex); ··· 186 /* free up our allocated buffer */ 187 usb_buffer_free(urb->dev, urb->transfer_buffer_length, 188 urb->transfer_buffer, urb->transfer_dma); 189 + up(&dev->limit_sem); 190 } 191 192 static ssize_t lcd_write(struct file *file, const char __user * user_buffer, size_t count, loff_t *ppos) 193 { 194 struct usb_lcd *dev; 195 + int retval = 0, r; 196 struct urb *urb = NULL; 197 char *buf = NULL; 198 ··· 201 if (count == 0) 202 goto exit; 203 204 + r = down_interruptible(&dev->limit_sem); 205 + if (r < 0) 206 + return -EINTR; 207 + 208 /* create a urb, and a buffer for it, and copy the data to the urb */ 209 urb = usb_alloc_urb(0, GFP_KERNEL); 210 + if (!urb) { 211 + retval = -ENOMEM; 212 + goto err_no_buf; 213 + } 214 215 buf = usb_buffer_alloc(dev->udev, count, GFP_KERNEL, &urb->transfer_dma); 216 if (!buf) { ··· 239 error: 240 usb_buffer_free(dev->udev, count, buf, urb->transfer_dma); 241 usb_free_urb(urb); 242 + err_no_buf: 243 + up(&dev->limit_sem); 244 return retval; 245 } 246 ··· 277 goto error; 278 } 279 kref_init(&dev->kref); 280 + sema_init(&dev->limit_sem, USB_LCD_CONCURRENT_WRITES); 281 282 dev->udev = usb_get_dev(interface_to_usbdev(interface)); 283 dev->interface = interface;
+1
drivers/usb/serial/ftdi_sio.c
··· 317 { USB_DEVICE(FTDI_VID, FTDI_ACTZWAVE_PID) }, 318 { USB_DEVICE(FTDI_VID, FTDI_IRTRANS_PID) }, 319 { USB_DEVICE(FTDI_VID, FTDI_IPLUS_PID) }, 320 { USB_DEVICE(FTDI_VID, FTDI_DMX4ALL) }, 321 { USB_DEVICE(FTDI_VID, FTDI_SIO_PID) }, 322 { USB_DEVICE(FTDI_VID, FTDI_8U232AM_PID) },
··· 317 { USB_DEVICE(FTDI_VID, FTDI_ACTZWAVE_PID) }, 318 { USB_DEVICE(FTDI_VID, FTDI_IRTRANS_PID) }, 319 { USB_DEVICE(FTDI_VID, FTDI_IPLUS_PID) }, 320 + { USB_DEVICE(FTDI_VID, FTDI_IPLUS2_PID) }, 321 { USB_DEVICE(FTDI_VID, FTDI_DMX4ALL) }, 322 { USB_DEVICE(FTDI_VID, FTDI_SIO_PID) }, 323 { USB_DEVICE(FTDI_VID, FTDI_8U232AM_PID) },
+1
drivers/usb/serial/ftdi_sio.h
··· 56 57 /* iPlus device */ 58 #define FTDI_IPLUS_PID 0xD070 /* Product Id */ 59 60 /* DMX4ALL DMX Interfaces */ 61 #define FTDI_DMX4ALL 0xC850
··· 56 57 /* iPlus device */ 58 #define FTDI_IPLUS_PID 0xD070 /* Product Id */ 59 + #define FTDI_IPLUS2_PID 0xD071 /* Product Id */ 60 61 /* DMX4ALL DMX Interfaces */ 62 #define FTDI_DMX4ALL 0xC850
+2 -2
drivers/usb/serial/io_edgeport.c
··· 3046 } 3047 /* free up our endpoint stuff */ 3048 if (edge_serial->is_epic) { 3049 - usb_unlink_urb(edge_serial->interrupt_read_urb); 3050 usb_free_urb(edge_serial->interrupt_read_urb); 3051 kfree(edge_serial->interrupt_in_buffer); 3052 3053 - usb_unlink_urb(edge_serial->read_urb); 3054 usb_free_urb(edge_serial->read_urb); 3055 kfree(edge_serial->bulk_in_buffer); 3056 }
··· 3046 } 3047 /* free up our endpoint stuff */ 3048 if (edge_serial->is_epic) { 3049 + usb_kill_urb(edge_serial->interrupt_read_urb); 3050 usb_free_urb(edge_serial->interrupt_read_urb); 3051 kfree(edge_serial->interrupt_in_buffer); 3052 3053 + usb_kill_urb(edge_serial->read_urb); 3054 usb_free_urb(edge_serial->read_urb); 3055 kfree(edge_serial->bulk_in_buffer); 3056 }
+4 -2
drivers/usb/serial/option.c
··· 111 #define NOVATELWIRELESS_VENDOR_ID 0x1410 112 113 #define ANYDATA_VENDOR_ID 0x16d5 114 - #define ANYDATA_PRODUCT_ID 0x6501 115 116 #define BANDRICH_VENDOR_ID 0x1A8D 117 #define BANDRICH_PRODUCT_C100_1 0x1002 ··· 170 { USB_DEVICE(NOVATELWIRELESS_VENDOR_ID, 0x2110) }, /* Novatel Merlin ES620 / Merlin ES720 / Ovation U720 */ 171 { USB_DEVICE(NOVATELWIRELESS_VENDOR_ID, 0x2130) }, /* Novatel Merlin ES620 SM Bus */ 172 { USB_DEVICE(NOVATELWIRELESS_VENDOR_ID, 0x2410) }, /* Novatel EU740 */ 173 - { USB_DEVICE(ANYDATA_VENDOR_ID, ANYDATA_PRODUCT_ID) }, 174 { USB_DEVICE(BANDRICH_VENDOR_ID, BANDRICH_PRODUCT_C100_1) }, 175 { USB_DEVICE(BANDRICH_VENDOR_ID, BANDRICH_PRODUCT_C100_2) }, 176 { USB_DEVICE(DELL_VENDOR_ID, 0x8118) }, /* Dell Wireless 5510 Mobile Broadband HSDPA ExpressCard */
··· 111 #define NOVATELWIRELESS_VENDOR_ID 0x1410 112 113 #define ANYDATA_VENDOR_ID 0x16d5 114 + #define ANYDATA_PRODUCT_ADU_E100A 0x6501 115 + #define ANYDATA_PRODUCT_ADU_500A 0x6502 116 117 #define BANDRICH_VENDOR_ID 0x1A8D 118 #define BANDRICH_PRODUCT_C100_1 0x1002 ··· 169 { USB_DEVICE(NOVATELWIRELESS_VENDOR_ID, 0x2110) }, /* Novatel Merlin ES620 / Merlin ES720 / Ovation U720 */ 170 { USB_DEVICE(NOVATELWIRELESS_VENDOR_ID, 0x2130) }, /* Novatel Merlin ES620 SM Bus */ 171 { USB_DEVICE(NOVATELWIRELESS_VENDOR_ID, 0x2410) }, /* Novatel EU740 */ 172 + { USB_DEVICE(ANYDATA_VENDOR_ID, ANYDATA_PRODUCT_ADU_E100A) }, 173 + { USB_DEVICE(ANYDATA_VENDOR_ID, ANYDATA_PRODUCT_ADU_500A) }, 174 { USB_DEVICE(BANDRICH_VENDOR_ID, BANDRICH_PRODUCT_C100_1) }, 175 { USB_DEVICE(BANDRICH_VENDOR_ID, BANDRICH_PRODUCT_C100_2) }, 176 { USB_DEVICE(DELL_VENDOR_ID, 0x8118) }, /* Dell Wireless 5510 Mobile Broadband HSDPA ExpressCard */
+5 -3
drivers/usb/serial/ti_usb_3410_5052.c
··· 1555 spin_lock_irqsave(&tport->tp_lock, flags); 1556 1557 if (tport->tp_read_urb_state == TI_READ_URB_STOPPED) { 1558 urb = tport->tp_port->read_urb; 1559 urb->complete = ti_bulk_in_callback; 1560 urb->context = tport; 1561 urb->dev = tport->tp_port->serial->dev; 1562 status = usb_submit_urb(urb, GFP_KERNEL); 1563 } 1564 - tport->tp_read_urb_state = TI_READ_URB_RUNNING; 1565 - 1566 - spin_unlock_irqrestore(&tport->tp_lock, flags); 1567 1568 return status; 1569 }
··· 1555 spin_lock_irqsave(&tport->tp_lock, flags); 1556 1557 if (tport->tp_read_urb_state == TI_READ_URB_STOPPED) { 1558 + tport->tp_read_urb_state = TI_READ_URB_RUNNING; 1559 urb = tport->tp_port->read_urb; 1560 + spin_unlock_irqrestore(&tport->tp_lock, flags); 1561 urb->complete = ti_bulk_in_callback; 1562 urb->context = tport; 1563 urb->dev = tport->tp_port->serial->dev; 1564 status = usb_submit_urb(urb, GFP_KERNEL); 1565 + } else { 1566 + tport->tp_read_urb_state = TI_READ_URB_RUNNING; 1567 + spin_unlock_irqrestore(&tport->tp_lock, flags); 1568 } 1569 1570 return status; 1571 }