Fix potential null-pointer dereference at probe by making sure that the
required endpoints are present.
The whiteheat driver assumes there are at least five pairs of bulk
endpoints, of which the final pair is used for the "command port". An
attempt to bind to an interface with fewer bulk endpoints would
currently lead to an oops.
Fixes CVE-2015-5257.
Reported-by: Moein Ghasemzadeh <moein@istuary.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Don't check if timer is running with a timer_pending() before
deleting it with del_timer_sync(), this defies the whole point of
the sync part and can cause a possible race.
Instead we just want to make sure the timer is initialized early enough
before we have a chance to delete it.
Cc: <stable@vger.kernel.org>
Reported-by: Oliver Neukum <oneukum@suse.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Some changes between xhci 0.96 and xhci 1.0 specifications forced us to
check the hci version in code, some of these checks were implemented as
hci_version == 1.0, which will not work with new xhci 1.1 controllers.
xhci 1.1 behaves similar to xhci 1.0 in these cases, so change these
checks to hci_version >= 1.0
Cc: <stable@vger.kernel.org>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
xhci_stop will be called twice, once for the shared hcd
and again for the primary hcd.
We stop the XHCI controller in any case so clean up
everything on the first call else we can timeout
waiting for pending requests to complete.
Cc: <stable@vger.kernel.org>
Signed-off-by: Roger Quadros <rogerq@ti.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bits 1:0 of the bmAttributes are used for the burst multiplier.
The rest of the bits used to be reserved (zero), but USB3.1 takes bit 7
into use.
Use the existing USB_SS_MULT() macro instead to make sure the mult value
and hence max packet calculations are correct for USB3.1 devices.
Note that burst multiplier in bmAttributes is zero based and that
the USB_SS_MULT() macro adds one.
Cc: <stable@vger.kernel.org>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Felipe writes:
usb: fixes for v4.3-rc3
Here's the second pull request for current -rc cycle.
A few fixes on dummy_hcd which have been around for
longer than they should be.
MUSB got a couple fixes, the most important of which
is a fix to DMA channel teardown on AM335x devices.
And DWC3 got a minor fix for when using RT-enabled
kernels.
Using spin_lock() in hard irq handler is pointless
and causes a BUG() in RT (real-time) configuration
so get rid of it.
The reason it's pointless is because the driver is
basically accessing register which is, anyways,
atomic.
Signed-off-by: Roger Quadros <rogerq@ti.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
After a few iterations of start/stop UVC camera streaming, the streaming
stops.
This patch adds 250us delay in the cppi channel abort path to let cppi
drain properly.
Using 50us delay seems to be too aggressive, some webcams are still
broken. 250us is the original value used in TI 3.2 kernel.
Signed-off-by: Bin Liu <b-liu@ti.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
The I2C core always reports the MODALIAS uevent as "i2c:<client name"
regardless if the device was registered using OF or platform code so
So the driver needs to export the I2C table and this be built into
the module or udev won't have the necessary information to auto load
the module when the device is added.
Signed-off-by: Javier Martinez Canillas <javier@osg.samsung.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
Remove unneeded NULL test.
The semantic patch that makes this change is as follows:
(http://coccinelle.lip6.fr/)
// <smpl>
@@ expression x; @@
-if (x != NULL)
\(kmem_cache_destroy\|mempool_destroy\|dma_pool_destroy\)(x);
// </smpl>
Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
Signed-off-by: Felipe Balbi <balbi@ti.com>
dummy_timer uses transfer() to update transfer limit. However,
limit passed to dummy_timer changes depending on transfer type,
so the actual limit is overwritten.
This can cause unpredictably slow / fast bulk transfers when
coupled with control / interrupt transfers.
Fix by returning actual amount of data sent in transfer() and
substracting from total.
Signed-off-by: Igor Kotrasinski <i.kotrasinsk@samsung.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
transfer() schedules a rescan for transfers larger than
maxpacket, which is wrong for transfers that are multiples
of maxpacket.
Rewrite to fix and clarify packet multiple / remainder
transfer logic.
Signed-off-by: Igor Kotrasinski <i.kotrasinsk@samsung.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
We already know at this point that to_host is false.
Signed-off-by: Igor Kotrasinski <i.kotrasinsk@samsung.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
currently, when a zlp flag is set and an urb/usb_request
buffer is filled without a short packet, transfer() leaves
its status at -EINPROGRESS and does not rescan for short
packet.
In a scenario where ep.maxpacket bytes are copied,
URB_ZERO_PACKET is set, urb buffer is filled and usb_request
buffer is not, transfer() returns with an urb with
-EINPROGRESS status, which dummy_hcd treats as incomplete
transfer.
Check for zlp and rescan appropriately.
Signed-off-by: Igor Kotrasinski <i.kotrasinsk@samsung.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
Fix the regression caused by commit ad78c91860 ("usb: musb: dsps: just
start polling already") which causes polling the ID pin status even in
device-only mode.
Fixes: ad78c91860 ("usb: musb: dsps: just start polling already")
Signed-off-by: Bin Liu <b-liu@ti.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
The recently added endpoint capabilities flags verification breaks Atmel
USBA because the endpoint configuration was only added when the driver
is bound using the legacy pdata interface.
Convert endpoint configuration to new capabilities model when driver is
bound to a device tree as well.
Signed-off-by: Sylvain Rochet <sylvain.rochet@finsecur.com>
Fixes: 47bef38651 ("usb: gadget: atmel_usba_udc: add ep capabilities support")
Signed-off-by: Nicolas Ferre <nicolas.ferre@atmel.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
Due to having hardware tx buffers less than 512 bytes in size, streaming
must be enabled on the Zynq for the udc to work at all. Add platform data
specific to the Zynq udc, which does not set the CI_HDRC_DISABLE_STREAMING
flag.
Based on a patch by the same name from the Xilinx vendor tree.
Signed-off-by: Nathan Sullivan <nathan.sullivan@ni.com>
Signed-off-by: Peter Chen <peter.chen@freescale.com>
Johan Hovold
Mathias Nyman
Roger Quadros
Tomer Barletz
Greg Kroah-Hartman
Bin Liu
Javier Martinez Canillas
Julia Lawall
Igor Kotrasinski
Sylvain Rochet
Li Jun
Nathan Sullivan