tjh.dev
Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
Merge tag 'fixes-for-v4.2-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/balbi/usb into usb-linus
Felipe writes:
usb: fixes for-v4.2-rc2
The first set of fixes for this -rc cycle. Most importantly
we have a NULL pointer dereference fix on DWC3, a fix to a
really old bug on musb_start() and another NULL pointer
dereference fix on MXS phy driver.
Signed-off-by: Felipe Balbi <balbi@ti.com>
+114
-114
+15
-40
drivers/usb/dwc2/core.c
+15
-40
drivers/usb/dwc2/core.c
···
72
72
dev_dbg(hsotg->dev, "%s\n", __func__);
73
73
74
74
/* Backup Host regs */
75
-
hr = hsotg->hr_backup;
76
-
if (!hr) {
77
-
hr = devm_kzalloc(hsotg->dev, sizeof(*hr), GFP_KERNEL);
78
-
if (!hr) {
79
-
dev_err(hsotg->dev, "%s: can't allocate host regs\n",
80
-
__func__);
81
-
return -ENOMEM;
82
-
}
83
-
84
-
hsotg->hr_backup = hr;
85
-
}
75
+
hr = &hsotg->hr_backup;
86
76
hr->hcfg = readl(hsotg->regs + HCFG);
87
77
hr->haintmsk = readl(hsotg->regs + HAINTMSK);
88
78
for (i = 0; i < hsotg->core_params->host_channels; ++i)
···
80
90
81
91
hr->hprt0 = readl(hsotg->regs + HPRT0);
82
92
hr->hfir = readl(hsotg->regs + HFIR);
93
+
hr->valid = true;
83
94
84
95
return 0;
85
96
}
···
100
109
dev_dbg(hsotg->dev, "%s\n", __func__);
101
110
102
111
/* Restore host regs */
103
-
hr = hsotg->hr_backup;
104
-
if (!hr) {
112
+
hr = &hsotg->hr_backup;
113
+
if (!hr->valid) {
105
114
dev_err(hsotg->dev, "%s: no host registers to restore\n",
106
115
__func__);
107
116
return -EINVAL;
108
117
}
118
+
hr->valid = false;
109
119
110
120
writel(hr->hcfg, hsotg->regs + HCFG);
111
121
writel(hr->haintmsk, hsotg->regs + HAINTMSK);
···
144
152
dev_dbg(hsotg->dev, "%s\n", __func__);
145
153
146
154
/* Backup dev regs */
147
-
dr = hsotg->dr_backup;
148
-
if (!dr) {
149
-
dr = devm_kzalloc(hsotg->dev, sizeof(*dr), GFP_KERNEL);
150
-
if (!dr) {
151
-
dev_err(hsotg->dev, "%s: can't allocate device regs\n",
152
-
__func__);
153
-
return -ENOMEM;
154
-
}
155
-
156
-
hsotg->dr_backup = dr;
157
-
}
155
+
dr = &hsotg->dr_backup;
158
156
159
157
dr->dcfg = readl(hsotg->regs + DCFG);
160
158
dr->dctl = readl(hsotg->regs + DCTL);
···
177
195
dr->doeptsiz[i] = readl(hsotg->regs + DOEPTSIZ(i));
178
196
dr->doepdma[i] = readl(hsotg->regs + DOEPDMA(i));
179
197
}
180
-
198
+
dr->valid = true;
181
199
return 0;
182
200
}
183
201
···
197
215
dev_dbg(hsotg->dev, "%s\n", __func__);
198
216
199
217
/* Restore dev regs */
200
-
dr = hsotg->dr_backup;
201
-
if (!dr) {
218
+
dr = &hsotg->dr_backup;
219
+
if (!dr->valid) {
202
220
dev_err(hsotg->dev, "%s: no device registers to restore\n",
203
221
__func__);
204
222
return -EINVAL;
205
223
}
224
+
dr->valid = false;
206
225
207
226
writel(dr->dcfg, hsotg->regs + DCFG);
208
227
writel(dr->dctl, hsotg->regs + DCTL);
···
251
268
int i;
252
269
253
270
/* Backup global regs */
254
-
gr = hsotg->gr_backup;
255
-
if (!gr) {
256
-
gr = devm_kzalloc(hsotg->dev, sizeof(*gr), GFP_KERNEL);
257
-
if (!gr) {
258
-
dev_err(hsotg->dev, "%s: can't allocate global regs\n",
259
-
__func__);
260
-
return -ENOMEM;
261
-
}
262
-
263
-
hsotg->gr_backup = gr;
264
-
}
271
+
gr = &hsotg->gr_backup;
265
272
266
273
gr->gotgctl = readl(hsotg->regs + GOTGCTL);
267
274
gr->gintmsk = readl(hsotg->regs + GINTMSK);
···
264
291
for (i = 0; i < MAX_EPS_CHANNELS; i++)
265
292
gr->dtxfsiz[i] = readl(hsotg->regs + DPTXFSIZN(i));
266
293
294
+
gr->valid = true;
267
295
return 0;
268
296
}
269
297
···
283
309
dev_dbg(hsotg->dev, "%s\n", __func__);
284
310
285
311
/* Restore global regs */
286
-
gr = hsotg->gr_backup;
287
-
if (!gr) {
312
+
gr = &hsotg->gr_backup;
313
+
if (!gr->valid) {
288
314
dev_err(hsotg->dev, "%s: no global registers to restore\n",
289
315
__func__);
290
316
return -EINVAL;
291
317
}
318
+
gr->valid = false;
292
319
293
320
writel(0xffffffff, hsotg->regs + GINTSTS);
294
321
writel(gr->gotgctl, hsotg->regs + GOTGCTL);
+6
-3
drivers/usb/dwc2/core.h
+6
-3
drivers/usb/dwc2/core.h
···
492
492
u32 gdfifocfg;
493
493
u32 dtxfsiz[MAX_EPS_CHANNELS];
494
494
u32 gpwrdn;
495
+
bool valid;
495
496
};
496
497
497
498
/**
···
522
521
u32 doepctl[MAX_EPS_CHANNELS];
523
522
u32 doeptsiz[MAX_EPS_CHANNELS];
524
523
u32 doepdma[MAX_EPS_CHANNELS];
524
+
bool valid;
525
525
};
526
526
527
527
/**
···
540
538
u32 hcintmsk[MAX_EPS_CHANNELS];
541
539
u32 hprt0;
542
540
u32 hfir;
541
+
bool valid;
543
542
};
544
543
545
544
/**
···
708
705
struct work_struct wf_otg;
709
706
struct timer_list wkp_timer;
710
707
enum dwc2_lx_state lx_state;
711
-
struct dwc2_gregs_backup *gr_backup;
712
-
struct dwc2_dregs_backup *dr_backup;
713
-
struct dwc2_hregs_backup *hr_backup;
708
+
struct dwc2_gregs_backup gr_backup;
709
+
struct dwc2_dregs_backup dr_backup;
710
+
struct dwc2_hregs_backup hr_backup;
714
711
715
712
struct dentry *debug_root;
716
713
struct debugfs_regset32 *regset;
+43
-14
drivers/usb/dwc2/hcd.c
+43
-14
drivers/usb/dwc2/hcd.c
···
359
359
360
360
/* Caller must hold driver lock */
361
361
static int dwc2_hcd_urb_enqueue(struct dwc2_hsotg *hsotg,
362
-
struct dwc2_hcd_urb *urb, void **ep_handle,
363
-
gfp_t mem_flags)
362
+
struct dwc2_hcd_urb *urb, struct dwc2_qh *qh,
363
+
struct dwc2_qtd *qtd)
364
364
{
365
-
struct dwc2_qtd *qtd;
366
365
u32 intr_mask;
367
366
int retval;
368
367
int dev_speed;
···
385
386
return -ENODEV;
386
387
}
387
388
388
-
qtd = kzalloc(sizeof(*qtd), mem_flags);
389
389
if (!qtd)
390
-
return -ENOMEM;
390
+
return -EINVAL;
391
391
392
392
dwc2_hcd_qtd_init(qtd, urb);
393
-
retval = dwc2_hcd_qtd_add(hsotg, qtd, (struct dwc2_qh **)ep_handle,
394
-
mem_flags);
393
+
retval = dwc2_hcd_qtd_add(hsotg, qtd, qh);
395
394
if (retval) {
396
395
dev_err(hsotg->dev,
397
396
"DWC OTG HCD URB Enqueue failed adding QTD. Error status %d\n",
398
397
retval);
399
-
kfree(qtd);
400
398
return retval;
401
399
}
402
400
···
2441
2445
u32 tflags = 0;
2442
2446
void *buf;
2443
2447
unsigned long flags;
2448
+
struct dwc2_qh *qh;
2449
+
bool qh_allocated = false;
2450
+
struct dwc2_qtd *qtd;
2444
2451
2445
2452
if (dbg_urb(urb)) {
2446
2453
dev_vdbg(hsotg->dev, "DWC OTG HCD URB Enqueue\n");
···
2522
2523
urb->iso_frame_desc[i].length);
2523
2524
2524
2525
urb->hcpriv = dwc2_urb;
2526
+
qh = (struct dwc2_qh *) ep->hcpriv;
2527
+
/* Create QH for the endpoint if it doesn't exist */
2528
+
if (!qh) {
2529
+
qh = dwc2_hcd_qh_create(hsotg, dwc2_urb, mem_flags);
2530
+
if (!qh) {
2531
+
retval = -ENOMEM;
2532
+
goto fail0;
2533
+
}
2534
+
ep->hcpriv = qh;
2535
+
qh_allocated = true;
2536
+
}
2537
+
2538
+
qtd = kzalloc(sizeof(*qtd), mem_flags);
2539
+
if (!qtd) {
2540
+
retval = -ENOMEM;
2541
+
goto fail1;
2542
+
}
2525
2543
2526
2544
spin_lock_irqsave(&hsotg->lock, flags);
2527
2545
retval = usb_hcd_link_urb_to_ep(hcd, urb);
2528
2546
if (retval)
2529
-
goto fail1;
2530
-
2531
-
retval = dwc2_hcd_urb_enqueue(hsotg, dwc2_urb, &ep->hcpriv, mem_flags);
2532
-
if (retval)
2533
2547
goto fail2;
2548
+
2549
+
retval = dwc2_hcd_urb_enqueue(hsotg, dwc2_urb, qh, qtd);
2550
+
if (retval)
2551
+
goto fail3;
2534
2552
2535
2553
if (alloc_bandwidth) {
2536
2554
dwc2_allocate_bus_bandwidth(hcd,
···
2559
2543
2560
2544
return 0;
2561
2545
2562
-
fail2:
2546
+
fail3:
2563
2547
dwc2_urb->priv = NULL;
2564
2548
usb_hcd_unlink_urb_from_ep(hcd, urb);
2565
-
fail1:
2549
+
fail2:
2566
2550
spin_unlock_irqrestore(&hsotg->lock, flags);
2567
2551
urb->hcpriv = NULL;
2552
+
kfree(qtd);
2553
+
fail1:
2554
+
if (qh_allocated) {
2555
+
struct dwc2_qtd *qtd2, *qtd2_tmp;
2556
+
2557
+
ep->hcpriv = NULL;
2558
+
dwc2_hcd_qh_unlink(hsotg, qh);
2559
+
/* Free each QTD in the QH's QTD list */
2560
+
list_for_each_entry_safe(qtd2, qtd2_tmp, &qh->qtd_list,
2561
+
qtd_list_entry)
2562
+
dwc2_hcd_qtd_unlink_and_free(hsotg, qtd2, qh);
2563
+
dwc2_hcd_qh_free(hsotg, qh);
2564
+
}
2568
2565
fail0:
2569
2566
kfree(dwc2_urb);
2570
2567
+4
-1
drivers/usb/dwc2/hcd.h
+4
-1
drivers/usb/dwc2/hcd.h
···
463
463
/* Schedule Queue Functions */
464
464
/* Implemented in hcd_queue.c */
465
465
extern void dwc2_hcd_init_usecs(struct dwc2_hsotg *hsotg);
466
+
extern struct dwc2_qh *dwc2_hcd_qh_create(struct dwc2_hsotg *hsotg,
467
+
struct dwc2_hcd_urb *urb,
468
+
gfp_t mem_flags);
466
469
extern void dwc2_hcd_qh_free(struct dwc2_hsotg *hsotg, struct dwc2_qh *qh);
467
470
extern int dwc2_hcd_qh_add(struct dwc2_hsotg *hsotg, struct dwc2_qh *qh);
468
471
extern void dwc2_hcd_qh_unlink(struct dwc2_hsotg *hsotg, struct dwc2_qh *qh);
···
474
471
475
472
extern void dwc2_hcd_qtd_init(struct dwc2_qtd *qtd, struct dwc2_hcd_urb *urb);
476
473
extern int dwc2_hcd_qtd_add(struct dwc2_hsotg *hsotg, struct dwc2_qtd *qtd,
477
-
struct dwc2_qh **qh, gfp_t mem_flags);
474
+
struct dwc2_qh *qh);
478
475
479
476
/* Unlinks and frees a QTD */
480
477
static inline void dwc2_hcd_qtd_unlink_and_free(struct dwc2_hsotg *hsotg,
+12
-37
drivers/usb/dwc2/hcd_queue.c
+12
-37
drivers/usb/dwc2/hcd_queue.c
···
191
191
*
192
192
* Return: Pointer to the newly allocated QH, or NULL on error
193
193
*/
194
-
static struct dwc2_qh *dwc2_hcd_qh_create(struct dwc2_hsotg *hsotg,
194
+
struct dwc2_qh *dwc2_hcd_qh_create(struct dwc2_hsotg *hsotg,
195
195
struct dwc2_hcd_urb *urb,
196
196
gfp_t mem_flags)
197
197
{
···
767
767
*
768
768
* @hsotg: The DWC HCD structure
769
769
* @qtd: The QTD to add
770
-
* @qh: Out parameter to return queue head
771
-
* @atomic_alloc: Flag to do atomic alloc if needed
770
+
* @qh: Queue head to add qtd to
772
771
*
773
772
* Return: 0 if successful, negative error code otherwise
774
773
*
775
-
* Finds the correct QH to place the QTD into. If it does not find a QH, it
776
-
* will create a new QH. If the QH to which the QTD is added is not currently
777
-
* scheduled, it is placed into the proper schedule based on its EP type.
774
+
* If the QH to which the QTD is added is not currently scheduled, it is placed
775
+
* into the proper schedule based on its EP type.
778
776
*/
779
777
int dwc2_hcd_qtd_add(struct dwc2_hsotg *hsotg, struct dwc2_qtd *qtd,
780
-
struct dwc2_qh **qh, gfp_t mem_flags)
778
+
struct dwc2_qh *qh)
781
779
{
782
-
struct dwc2_hcd_urb *urb = qtd->urb;
783
-
int allocated = 0;
784
780
int retval;
785
781
786
-
/*
787
-
* Get the QH which holds the QTD-list to insert to. Create QH if it
788
-
* doesn't exist.
789
-
*/
790
-
if (*qh == NULL) {
791
-
*qh = dwc2_hcd_qh_create(hsotg, urb, mem_flags);
792
-
if (*qh == NULL)
793
-
return -ENOMEM;
794
-
allocated = 1;
782
+
if (unlikely(!qh)) {
783
+
dev_err(hsotg->dev, "%s: Invalid QH\n", __func__);
784
+
retval = -EINVAL;
785
+
goto fail;
795
786
}
796
787
797
-
retval = dwc2_hcd_qh_add(hsotg, *qh);
788
+
retval = dwc2_hcd_qh_add(hsotg, qh);
798
789
if (retval)
799
790
goto fail;
800
791
801
-
qtd->qh = *qh;
802
-
list_add_tail(&qtd->qtd_list_entry, &(*qh)->qtd_list);
792
+
qtd->qh = qh;
793
+
list_add_tail(&qtd->qtd_list_entry, &qh->qtd_list);
803
794
804
795
return 0;
805
-
806
796
fail:
807
-
if (allocated) {
808
-
struct dwc2_qtd *qtd2, *qtd2_tmp;
809
-
struct dwc2_qh *qh_tmp = *qh;
810
-
811
-
*qh = NULL;
812
-
dwc2_hcd_qh_unlink(hsotg, qh_tmp);
813
-
814
-
/* Free each QTD in the QH's QTD list */
815
-
list_for_each_entry_safe(qtd2, qtd2_tmp, &qh_tmp->qtd_list,
816
-
qtd_list_entry)
817
-
dwc2_hcd_qtd_unlink_and_free(hsotg, qtd2, qh_tmp);
818
-
819
-
dwc2_hcd_qh_free(hsotg, qh_tmp);
820
-
}
821
-
822
797
return retval;
823
798
}
+4
-2
drivers/usb/dwc3/core.c
+4
-2
drivers/usb/dwc3/core.c
···
446
446
/* Select the HS PHY interface */
447
447
switch (DWC3_GHWPARAMS3_HSPHY_IFC(dwc->hwparams.hwparams3)) {
448
448
case DWC3_GHWPARAMS3_HSPHY_IFC_UTMI_ULPI:
449
-
if (!strncmp(dwc->hsphy_interface, "utmi", 4)) {
449
+
if (dwc->hsphy_interface &&
450
+
!strncmp(dwc->hsphy_interface, "utmi", 4)) {
450
451
reg &= ~DWC3_GUSB2PHYCFG_ULPI_UTMI;
451
452
break;
452
-
} else if (!strncmp(dwc->hsphy_interface, "ulpi", 4)) {
453
+
} else if (dwc->hsphy_interface &&
454
+
!strncmp(dwc->hsphy_interface, "ulpi", 4)) {
453
455
reg |= DWC3_GUSB2PHYCFG_ULPI_UTMI;
454
456
dwc3_writel(dwc->regs, DWC3_GUSB2PHYCFG(0), reg);
455
457
} else {
+7
-4
drivers/usb/gadget/composite.c
+7
-4
drivers/usb/gadget/composite.c
···
1758
1758
* take such requests too, if that's ever needed: to work
1759
1759
* in config 0, etc.
1760
1760
*/
1761
-
list_for_each_entry(f, &cdev->config->functions, list)
1762
-
if (f->req_match && f->req_match(f, ctrl))
1763
-
goto try_fun_setup;
1764
-
f = NULL;
1761
+
if (cdev->config) {
1762
+
list_for_each_entry(f, &cdev->config->functions, list)
1763
+
if (f->req_match && f->req_match(f, ctrl))
1764
+
goto try_fun_setup;
1765
+
f = NULL;
1766
+
}
1767
+
1765
1768
switch (ctrl->bRequestType & USB_RECIP_MASK) {
1766
1769
case USB_RECIP_INTERFACE:
1767
1770
if (!cdev->config || intf >= MAX_CONFIG_INTERFACES)
+4
-2
drivers/usb/gadget/function/f_fs.c
+4
-2
drivers/usb/gadget/function/f_fs.c
···
924
924
925
925
kiocb->private = p;
926
926
927
-
kiocb_set_cancel_fn(kiocb, ffs_aio_cancel);
927
+
if (p->aio)
928
+
kiocb_set_cancel_fn(kiocb, ffs_aio_cancel);
928
929
929
930
res = ffs_epfile_io(kiocb->ki_filp, p);
930
931
if (res == -EIOCBQUEUED)
···
969
968
970
969
kiocb->private = p;
971
970
972
-
kiocb_set_cancel_fn(kiocb, ffs_aio_cancel);
971
+
if (p->aio)
972
+
kiocb_set_cancel_fn(kiocb, ffs_aio_cancel);
973
973
974
974
res = ffs_epfile_io(kiocb->ki_filp, p);
975
975
if (res == -EIOCBQUEUED)
+13
-3
drivers/usb/gadget/function/f_mass_storage.c
+13
-3
drivers/usb/gadget/function/f_mass_storage.c
···
2786
2786
return -EINVAL;
2787
2787
}
2788
2788
2789
-
curlun = kcalloc(nluns, sizeof(*curlun), GFP_KERNEL);
2789
+
curlun = kcalloc(FSG_MAX_LUNS, sizeof(*curlun), GFP_KERNEL);
2790
2790
if (unlikely(!curlun))
2791
2791
return -ENOMEM;
2792
2792
···
2795
2795
2796
2796
common->luns = curlun;
2797
2797
common->nluns = nluns;
2798
-
2799
-
pr_info("Number of LUNs=%d\n", common->nluns);
2800
2798
2801
2799
return 0;
2802
2800
}
···
3561
3563
struct fsg_opts *opts = fsg_opts_from_func_inst(fi);
3562
3564
struct fsg_common *common = opts->common;
3563
3565
struct fsg_dev *fsg;
3566
+
unsigned nluns, i;
3564
3567
3565
3568
fsg = kzalloc(sizeof(*fsg), GFP_KERNEL);
3566
3569
if (unlikely(!fsg))
3567
3570
return ERR_PTR(-ENOMEM);
3568
3571
3569
3572
mutex_lock(&opts->lock);
3573
+
if (!opts->refcnt) {
3574
+
for (nluns = i = 0; i < FSG_MAX_LUNS; ++i)
3575
+
if (common->luns[i])
3576
+
nluns = i + 1;
3577
+
if (!nluns)
3578
+
pr_warn("No LUNS defined, continuing anyway\n");
3579
+
else
3580
+
common->nluns = nluns;
3581
+
pr_info("Number of LUNs=%u\n", common->nluns);
3582
+
}
3570
3583
opts->refcnt++;
3571
3584
mutex_unlock(&opts->lock);
3585
+
3572
3586
fsg->function.name = FSG_DRIVER_DESC;
3573
3587
fsg->function.bind = fsg_bind;
3574
3588
fsg->function.unbind = fsg_unbind;
+1
-3
drivers/usb/gadget/function/f_midi.c
+1
-3
drivers/usb/gadget/function/f_midi.c
···
1145
1145
if (opts->id && !midi->id) {
1146
1146
status = -ENOMEM;
1147
1147
mutex_unlock(&opts->lock);
1148
-
goto kstrdup_fail;
1148
+
goto setup_fail;
1149
1149
}
1150
1150
midi->in_ports = opts->in_ports;
1151
1151
midi->out_ports = opts->out_ports;
···
1164
1164
1165
1165
return &midi->func;
1166
1166
1167
-
kstrdup_fail:
1168
-
f_midi_unregister_card(midi);
1169
1167
setup_fail:
1170
1168
for (--i; i >= 0; i--)
1171
1169
kfree(midi->in_port[i]);
+1
-2
drivers/usb/gadget/udc/fotg210-udc.c
+1
-2
drivers/usb/gadget/udc/fotg210-udc.c
···
1171
1171
udc_name, fotg210);
1172
1172
if (ret < 0) {
1173
1173
pr_err("request_irq error (%d)\n", ret);
1174
-
goto err_irq;
1174
+
goto err_req;
1175
1175
}
1176
1176
1177
1177
ret = usb_add_gadget_udc(&pdev->dev, &fotg210->gadget);
···
1183
1183
return 0;
1184
1184
1185
1185
err_add_udc:
1186
-
err_irq:
1187
1186
free_irq(ires->start, fotg210);
1188
1187
1189
1188
err_req:
+1
-3
drivers/usb/musb/musb_virthub.c
+1
-3
drivers/usb/musb/musb_virthub.c