Andiry's xHCI bus suspend patch introduced the possibly of a host
controller replaying old commands on the command ring, if the host
successfully restores the registers after a resume.
After a resume from suspend, the xHCI driver must restore the registers,
including the command ring pointer. I had suggested that Andiry set the
command ring pointer to the current command ring dequeue pointer, so that
the driver wouldn't have to zero the command ring.
Unfortunately, setting the command ring pointer to the current dequeue
pointer won't work because the register assumes the pointer is 64-byte
aligned, and TRBs on the command ring are 16-byte aligned. The lower
seven bits will always be masked off, leading to the written pointer being
up to 3 TRBs behind the intended pointer.
Here's a log excerpt. On init, the xHCI driver places a vendor-specific
command on the command ring:
[ 215.750958] xhci_hcd 0000:01:00.0: Vendor specific event TRB type = 48
[ 215.750960] xhci_hcd 0000:01:00.0: NEC firmware version 30.25
[ 215.750962] xhci_hcd 0000:01:00.0: Command ring deq = 0x3781e010 (DMA)
When we resume, the command ring dequeue pointer to be written should have
been 0x3781e010. Instead, it's 0x3781e000:
[ 235.557846] xhci_hcd 0000:01:00.0: // Setting command ring address to 0x3781e001
[ 235.557848] xhci_hcd 0000:01:00.0: `MEM_WRITE_DWORD(3'b000, 64'hffffc900100bc038, 64'h3781e001, 4'hf);
[ 235.557850] xhci_hcd 0000:01:00.0: `MEM_WRITE_DWORD(3'b000, 32'hffffc900100bc020, 32'h204, 4'hf);
[ 235.557866] usb usb9: root hub lost power or was reset
(I can't see the results of this bug because the xHCI restore always fails
on this box, and the xHCI driver re-allocates everything.)
The fix is to zero the command ring and put the software and hardware
enqueue and dequeue pointer back to the beginning of the ring. We do this
before the system suspends, to be paranoid and prevent the BIOS from
starting the host without clearing the command ring pointer, which might
cause the host to muck with stale memory. (The pointer isn't required to
be in the suspend power well, but it could be.) The command ring pointer
is set again after the host resumes.
Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com>
Tested-by: Andiry Xu <andiry.xu@amd.com>
* 'usb-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb-2.6: (28 commits)
Revert "USB: xhci: Use GFP_ATOMIC under spin_lock"
USB: ohci-jz4740: Fix spelling in MODULE_ALIAS
UWB: Return UWB_RSV_ALLOC_NOT_FOUND rather than crashing on NULL dereference if kzalloc fails
usb: core: fix information leak to userland
usb: misc: iowarrior: fix information leak to userland
usb: misc: sisusbvga: fix information leak to userland
usb: subtle increased memory usage in u_serial
USB: option: fix when the driver is loaded incorrectly for some Huawei devices.
USB: xhci: Use GFP_ATOMIC under spin_lock
usb: gadget: goku_udc: add registered flag bit, fixing build
USB: ehci/mxc: compile fix
USB: Fix FSL USB driver on non Open Firmware systems
USB: the development of the usb tree is now in git
usb: musb: fail unaligned DMA transfers on v1.8 and above
USB: ftdi_sio: add device IDs for Milkymist One JTAG/serial
usb.h: fix ioctl kernel-doc info
usb: musb: gadget: kill duplicate code in musb_gadget_queue()
usb: musb: Fix handling of spurious SESSREQ
usb: musb: fix kernel oops when loading musb_hdrc module for the 2nd time
USB: musb: blackfin: push clkin value to platform resources
...
USB2.0 spec 9.6.6 says: For all endpoints, bit 10..0 specify the maximum
packet size(in bytes).
So the wMaxPacketSize mask should be 0x7ff rather than 0x3ff.
This patch should be queued for the stable tree. The bug in
xhci_endpoint_init() was present as far back as 2.6.31, and the bug in
xhci_get_max_esit_payload() was present when the function was introduced
in 2.6.34.
Reported-by: Sander Eikelenboom <linux@eikelenboom.it>
Signed-off-by: Andiry Xu <andiry.xu@amd.com>
Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com>
Cc: stable@kernel.org
Jiri Slaby reports spinlock is held while calling kmalloc(GFP_KERNEL)
and request_irq() in xhci_resume().
Release the spinlock when setup interrupt.
Reported-by: Jiri Slaby <jirislaby@gmail.com>
Signed-off-by: Andiry Xu <andiry.xu@amd.com>
Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com>
If the xHCI host controller shares an interrupt line with another device,
the xHCI driver needs to check if the interrupt was generated by its
hardware. Unfortunately, the user will see a ton of "Spurious interrupt."
lines if the other hardware interrupts often. Lawrence found his dmesg
output cluttered with this output when the xHCI host shared an interrupt
with his i915 hardware.
Remove the warning, as sharing an interrupt is a normal thing.
This should be applied to the 2.6.36 stable tree.
Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com>
Reported-by: Lawrence Rust <lvr@softsystem.co.uk>
Cc: stable@kernel.org
This reverts commit ef821ae70f.
The correct thing to do is to drop the spinlock, not change
the GFP flag here.
Thanks to Sarah for pointing out I shouldn't have taken this patch in
the first place.
Cc: Sarah Sharp <sarah.a.sharp@linux.intel.com>
Cc: David Sterba <dsterba@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Structure usbdevfs_connectinfo is copied to userland with padding byted
after "slow" field uninitialized. It leads to leaking of contents of
kernel stack memory.
Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Structure iowarrior_info is copied to userland with padding byted
between "serial" and "revision" fields uninitialized. It leads to
leaking of contents of kernel stack memory.
Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
Cc: stable <stable@kernel.org>
Acked-by: Kees Cook <kees.cook@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Structure sisusb_info is copied to userland with "sisusb_reserved" field
uninitialized. It leads to leaking of contents of kernel stack memory.
Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
OK, the USB gadget serial driver actually has a couple of problems. On
gs_open(), it always allocates and queues an additional QUEUE_SIZE (16)
worth of requests, so with a loop like this:
i=1 ; while echo $i > /dev/ttyGS0 ; do let i++ ; done
eventually we run into OOM (Out of Memory).
Technically, it is not a leak as everything gets freed up when the USB
connection is broken, but not on gs_close().
With a USB device/gadget controller driver that has limited resources
(e.g., Marvell has a this MAX_XDS_FOR_TR_CALLS of 64 for transmit and
receive), so even after 4
stty -F /dev/ttyGS0
we cannot transmit anymore. We can still receive (not necessarily
reliably) as now we have 16 * 4 = 64 descriptors/buffers ready, but the
device is otherwise not usable.
Signed-off-by: Jim Sung <jsung@syncadence.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
When huawei datacard with PID 0x14AC is insterted into Linux system, the
present kernel will load the "option" driver to all the interfaces. But
actually, some interfaces run as other function and do not need "option"
driver.
In this path, we modify the id_tables, when the PID is 0x14ac ,VID is
0x12d1, Only when the interface's Class is 0xff,Subclass is 0xff, Pro is
0xff, it does need "option" driver.
Signed-off-by: ma rui <m00150988@huawei.com>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
coccinelle check scripts/coccinelle/locks/call_kern.cocci found that
in drivers/usb/host/xhci.c an allocation with GFP_KERNEL is done
with locks held:
xhci_resume
spin_lock_irq(xhci->lock)
xhci_setup_msix
kmalloc(GFP_KERNEL)
Change it to GFP_ATOMIC.
Signed-off-by: David Sterba <dsterba@suse.cz>
CC: Sarah Sharp <sarah.a.sharp@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
The commit below cleaned up error handling, in part by introducing a
registered flag bit. This however was not added to the device
structure leding to build failures:
commit 319feaabb6
Author: Dan Carpenter <error27@gmail.com>
Date: Tue Oct 5 18:55:34 2010 +0200
usb: gadget: goku_udc: Fix error path
Add the missing registered flag bit.
Signed-off-by: Andy Whitcroft <apw@canonical.com>
Acked-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Commit
65fd427 (USB: ehci tdi : let's tdi_reset set host mode)
broke the build using ARM's mx51_defconfig:
CC drivers/usb/host/ehci-hcd.o
In file included from drivers/usb/host/ehci-hcd.c:1166:
drivers/usb/host/ehci-mxc.c: In function 'ehci_mxc_drv_probe':
drivers/usb/host/ehci-mxc.c:192: error: 'ehci' undeclared (first use in this function)
drivers/usb/host/ehci-mxc.c:192: error: (Each undeclared identifier is reported only once
drivers/usb/host/ehci-mxc.c:192: error: for each function it appears in.)
drivers/usb/host/ehci-mxc.c:117: warning: unused variable 'temp'
make[3]: *** [drivers/usb/host/ehci-hcd.o] Error 1
make[2]: *** [drivers/usb/host/ehci-hcd.o] Error 2
make[1]: *** [sub-make] Error 2
make: *** [all] Error 2
Fix it together with the warning about the unused variable and use
msleep instead of mdelay as requested by Alan Stern.
Cc: Dinh Nguyen <Dinh.Nguyen@freescale.com>
Cc: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Tested-by: Nguyen Dinh-R00091 <R00091@freescale.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Commit 126512e3f2 added support for FSL's USB
controller on powerpc. In this commit the Open Firmware code was selected
and compiled unconditionally.
This breaks on ARM systems from FSL which use the same driver (.i.e. the i.MX
series), because ARM don't have OF support (yet). This patch fixes the problem
by only selecting the OF code on systems with Open Firmware support.
Reported-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Compile-Tested-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Acked-by: Grant Likely <grant.likely@secretlab.ca>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
REQ_HARDBARRIER is dead now, so remove the leftovers. What's left
at this point is:
- various checks inside the block layer.
- sanity checks in bio based drivers.
- now unused bio_empty_barrier helper.
- Xen blockfront use of BLKIF_OP_WRITE_BARRIER - it's dead for a while,
but Xen really needs to sort out it's barrier situaton.
- setting of ordered tags in uas - dead code copied from old scsi
drivers.
- scsi different retry for barriers - it's dead and should have been
removed when flushes were converted to FS requests.
- blktrace handling of barriers - removed. Someone who knows blktrace
better should add support for REQ_FLUSH and REQ_FUA, though.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
Greg Kroah-Hartman
Sarah Sharp
Linus Torvalds
Andiry Xu
Stefan Weil
Vasiliy Kulikov
Jim Sung
ma rui
David Sterba
Andy Whitcroft
Uwe Kleine-König
Marc Kleine-Budde
Christoph Hellwig