- 02 Jul, 2014 40 commits
-
-
Paul Bolle authored
commit 77c2f02e upstream. Commit 193ab2a6 ("usb: gadget: allow multiple gadgets to be built") apparently required that checks for CONFIG_USB_GADGET_OMAP would be replaced with checks for CONFIG_USB_OMAP. Do so now for the remaining checks for CONFIG_USB_GADGET_OMAP, even though these checks have basically been broken since v3.1. And, since we're touching this code, use the IS_ENABLED() macro, so things will now (hopefully) also work if USB_OMAP is modular. Fixes: 193ab2a6 ("usb: gadget: allow multiple gadgets to be built") Signed-off-by:
Paul Bolle <pebolle@tiscali.nl> Signed-off-by:
Tony Lindgren <tony@atomide.com> Signed-off-by:
Jiri Slaby <jslaby@suse.cz>
-
Felipe Balbi authored
commit 687ef981 upstream. so it seems like DWC3 IP doesn't clear stalls automatically when we disable an endpoint, because of that, we _must_ make sure stalls are cleared before clearing the proper bit in DALEPENA register. Reported-by:
Johannes Stezenbach <js@sig21.net> Signed-off-by:
Felipe Balbi <balbi@ti.com> Signed-off-by:
-
Paul Bolle authored
commit d30f2065 upstream. Commit 193ab2a6 ("usb: gadget: allow multiple gadgets to be built") basically renamed the Kconfig symbol USB_GADGET_PXA25X to USB_PXA25X. It did not rename the related macros in use at that time. Commit c0a39151 ("ARM: pxa: fix inconsistent CONFIG_USB_PXA27X") did so for all but one macro. Rename that last macro too now. Fixes: 193ab2a6 ("usb: gadget: allow multiple gadgets to be built") Signed-off-by:
-
Alan Stern authored
commit 32b36eea upstream. In usbtest, tests 5 - 8 use the scatter-gather library in usbcore without any sort of timeout. If there's a problem in the gadget or host controller being tested, the test can hang. This patch adds a 10-second timeout to the tests, so that they will fail gracefully with an ETIMEDOUT error instead of hanging. Signed-off-by:
Alan Stern <stern@rowland.harvard.edu> Reported-by:
Huang Rui <ray.huang@amd.com> Tested-by:
-
Huang Rui authored
commit e4d58f5d upstream. TEST 12 and TEST 24 unlinks the URB write request for N times. When host and gadget both initialize pattern 1 (mod 63) data series to transfer, the gadget side will complain the wrong data which is not expected. Because in host side, usbtest doesn't fill the data buffer as mod 63 and this patch fixed it. [20285.488974] dwc3 dwc3.0.auto: ep1out-bulk: Transfer Not Ready [20285.489181] dwc3 dwc3.0.auto: ep1out-bulk: reason Transfer Not Active [20285.489423] dwc3 dwc3.0.auto: ep1out-bulk: req ffff8800aa6cb480 dma aeb50800 length 512 last [20285.489727] dwc3 dwc3.0.auto: ep1out-bulk: cmd 'Start Transfer' params 00000000 a9eaf000 00000000 [20285.490055] dwc3 dwc3.0.auto: Command Complete --> 0 [20285.490281] dwc3 dwc3.0.auto: ep1out-bulk: Transfer Not Ready [20285.490492] dwc3 dwc3.0.auto: ep1out-bulk: reason Transfer Active [20285.490713] dwc3 dwc3.0.auto: ep1out-bulk: endpoint busy [20285.490909] dwc3 dwc3.0.auto: ep1out-bulk: Transfer Complete [20285.491117] dwc3 dwc3.0.auto: request ffff8800aa6cb480 from ep1out-bulk completed 512/512 ===> 0 [20285.491431] zero gadget: bad OUT byte, buf[1] = 0 [20285.491605] dwc3 dwc3.0.auto: ep1out-bulk: cmd 'Set Stall' params 00000000 00000000 00000000 [20285.491915] dwc3 dwc3.0.auto: Command Complete --> 0 [20285.492099] dwc3 dwc3.0.auto: queing request ffff8800aa6cb480 to ep1out-bulk length 512 [20285.492387] dwc3 dwc3.0.auto: ep1out-bulk: Transfer Not Ready [20285.492595] dwc3 dwc3.0.auto: ep1out-bulk: reason Transfer Not Active [20285.492830] dwc3 dwc3.0.auto: ep1out-bulk: req ffff8800aa6cb480 dma aeb51000 length 512 last [20285.493135] dwc3 dwc3.0.auto: ep1out-bulk: cmd 'Start Transfer' params 00000000 a9eaf000 00000000 [20285.493465] dwc3 dwc3.0.auto: Command Complete --> 0 Signed-off-by:
-
Dan Carpenter authored
commit 8bab797c upstream. This is a static checker fix. The "dev" variable is always NULL after the while statement so we would be dereferencing a NULL pointer here. Fixes: 819a3eba ('[PATCH] applicom: fix error handling') Signed-off-by:
Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by:
-
Dan Carpenter authored
commit 9dbd79ae upstream. The ->SupportedRates[] array has NDIS_802_11_LENGTH_RATES_EX (16) elements. Since "ie_len" comes from then network and can go up to 255 then it means we should add a range check to prevent memory corruption. Fixes: d6846af6 ('staging: r8188eu: Add files for new driver - part 7') Signed-off-by:
-
Paul Bolle authored
commit d3921a03 upstream. Commit d0f47ff1 ("ASoC: OMAP: Build config cleanup for McBSP") removed the Kconfig symbol OMAP_MCBSP. It left two checks for CONFIG_OMAP_MCBSP untouched. Convert these to checks for CONFIG_SND_OMAP_SOC_MCBSP. That must be correct, since that re-enables calls to functions that are all found in sound/soc/omap/mcbsp.c. And that file is built only if CONFIG_SND_OMAP_SOC_MCBSP is defined. Fixes: d0f47ff1 ("ASoC: OMAP: Build config cleanup for McBSP") Signed-off-by:
-
Krzysztof Kozlowski authored
commit d5653f2b upstream. Fix NULL pointer exceptions when platform data is not supplied. Trace of one exception: Unable to handle kernel NULL pointer dereference at virtual address 00000008 pgd = c0004000 [00000008] *pgd=00000000 Internal error: Oops: 5 [#1] PREEMPT SMP ARM Modules linked in: CPU: 2 PID: 1 Comm: swapper/0 Not tainted 3.14.0-12045-gead5dd4687a6-dirty #1628 task: eea80000 ti: eea88000 task.ti: eea88000 PC is at max77693_muic_probe+0x27c/0x528 LR is at regmap_write+0x50/0x60 pc : [<c041d1c8>] lr : [<c02eba60>] psr: 20000113 sp : eea89e38 ip : 00000000 fp : c098a834 r10: ee1a5a10 r9 : 00000005 r8 : c098a83c r7 : 0000000a r6 : c098a774 r5 : 00000005 r4 : eeb006d0 r3 : c0697bd8 r2 : 00000000 r1 : 00000001 r0 : 00000000 Flags: nzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment kernel Control: 10c5387d Table: 4000404a DAC: 00000015 Process swapper/0 (pid: 1, stack limit = 0xeea88240) Stack: (0xeea89e38 to 0xeea8a000) 9e20: c08499fc eeb006d0 9e40: 00000000 00000000 c0915f98 00000001 00000000 ee1a5a10 c098a730 c09a88b8 9e60: 00000000 c098a730 c0915f98 00000000 00000000 c02d6aa0 c02d6a88 ee1a5a10 9e80: c0a712c8 c02d54e4 00001204 c0628b00 ee1a5a10 c098a730 ee1a5a44 00000000 9ea0: eea88000 c02d57b4 00000000 c098a730 c02d5728 c02d3a24 ee813e5c eeb9d534 9ec0: c098a730 ee22f700 c097c720 c02d4b14 c08174ec c098a730 00000006 c098a730 9ee0: 00000006 c092fd30 c09b8500 c02d5df8 00000000 c093cbb8 00000006 c0008928 9f00: 000000c3 ef7fc785 00000000 ef7fc794 00000000 c08af968 00000072 eea89f30 9f20: ef7fc85e c065f198 000000c3 c003e87c 00000003 00000000 c092fd3c 00000000 9f40: c08af618 c0826d58 00000006 00000006 c0956f58 c093cbb8 00000006 c092fd30 9f60: c09b8500 000000c3 c092fd3c c08e8510 00000000 c08e8bb0 00000006 00000006 9f80: c08e8510 c0c0c0c0 00000000 c0628fac 00000000 00000000 00000000 00000000 9fa0: 00000000 c0628fb4 00000000 c000f038 00000000 00000000 00000000 00000000 9fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 9fe0: 00000000 00000000 00000000 00000000 00000013 00000000 c0c0c0c0 c0c0c0c0 [<c041d1c8>] (max77693_muic_probe) from [<c02d6aa0>] (platform_drv_probe+0x18/0x48) [<c02d6aa0>] (platform_drv_probe) from [<c02d54e4>] (driver_probe_device+0x140/0x384) [<c02d54e4>] (driver_probe_device) from [<c02d57b4>] (__driver_attach+0x8c/0x90) [<c02d57b4>] (__driver_attach) from [<c02d3a24>] (bus_for_each_dev+0x54/0x88) [<c02d3a24>] (bus_for_each_dev) from [<c02d4b14>] (bus_add_driver+0xe8/0x204) [<c02d4b14>] (bus_add_driver) from [<c02d5df8>] (driver_register+0x78/0xf4) [<c02d5df8>] (driver_register) from [<c0008928>] (do_one_initcall+0xc4/0x174) [<c0008928>] (do_one_initcall) from [<c08e8bb0>] (kernel_init_freeable+0xfc/0x1c8) [<c08e8bb0>] (kernel_init_freeable) from [<c0628fb4>] (kernel_init+0x8/0xec) [<c0628fb4>] (kernel_init) from [<c000f038>] (ret_from_fork+0x14/0x3c) Code: caffffe7 e59d200c e3550001 b3a05001 (e5923008) ---[ end trace 85db969ce011bde7 ]--- Signed-off-by:
Krzysztof Kozlowski <k.kozlowski@samsung.com> Fixes: 190d7cfcSigned-off-by:
Chanwoo Choi <cw00.choi@samsung.com> Signed-off-by:
-
Krzysztof Kozlowski authored
commit dfee4111 upstream. Fix NULL pointer exception when platform data is not supplied. The driver dereferenced pdata pointer where it could be NULL. Signed-off-by:
-
Johan Hovold authored
commit 6954cc1f upstream. Fix null-pointer dereference at probe when the mdio platform device is missing (e.g. when it has been disabled in DT). Signed-off-by:
Johan Hovold <jhovold@gmail.com> Signed-off-by:
David S. Miller <davem@davemloft.net> Signed-off-by:
-
Ursula Braun authored
commit f5738e2e upstream. When sending data through IUCV a MESSAGE COMPLETE interrupt signals that sent data memory can be freed or reused again. With commit f9c41a62 "af_iucv: fix recvmsg by replacing skb_pull() function" the MESSAGE COMPLETE callback iucv_callback_txdone() identifies the wrong skb as being confirmed, which leads to data corruption. This patch fixes the skb mapping logic in iucv_callback_txdone(). Signed-off-by:
Ursula Braun <ursula.braun@de.ibm.com> Signed-off-by:
Frank Blaschka <frank.blaschka@de.ibm.com> Signed-off-by:
-
Stephane Grosjean authored
commit 0b5a958c upstream. As remarked by Christopher R. Baker in his post at http://marc.info/?l=linux-can&m=139707295706465&w=2 there's a possibility for an use after free condition at device removal. This simplified patch introduces an additional variable to prevent the issue. Thanks for catching this. Reported-by:
Christopher R. Baker <cbaker@rec.ri.cmu.edu> Signed-off-by:
Stephane Grosjean <s.grosjean@peak-system.com> Signed-off-by:
Marc Kleine-Budde <mkl@pengutronix.de> Signed-off-by:
-
Roger Quadros authored
commit e5e47465 upstream. Without a timetout some tests e.g. test_halt() can remain stuck forever. Signed-off-by:
Roger Quadros <rogerq@ti.com> Reviewed-by:
Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by:
-
Aleksander Morgado authored
commit 0ce5fb58 upstream. A set of new VID/PIDs retrieved from the out-of-tree GobiNet/GobiSerial Sierra Wireless drivers. Signed-off-by:
Aleksander Morgado <aleksander@aleksander.es> Link: http://marc.info/?l=linux-usb&m=140136310027293&w=2 Cc: <stable@vger.kernel.org> # backport in link above Signed-off-by:
-
Aleksander Morgado authored
commit ff1fcd50 upstream. Signed-off-by:
-
Bjørn Mork authored
commit 8bc7a069 upstream. All the "non Gobi" Qualcomm based devices handled by this driver share a common standard Sierra Wireless specific layout. Adding code specifically for this layout allow us to reduce the number of match entries per device from three to one. This change will result in a penalty wrt stable backports, but simplifies new Sierra device addtitions in the long term. Signed-off-by:
Bjørn Mork <bjorn@mork.no> Signed-off-by:
-
Bjørn Mork authored
commit d712ca91 upstream. Preparing for more supported standard device layouts. Keeping the matching macros unchanged to avoid breaking stable backporting of new device additions. Signed-off-by:
-
Bjørn Mork authored
commit ce1b0661 upstream. Use a consistent style for all multiline comments. Signed-off-by:
-
Tomas Winkler authored
commit b04ada92 upstream We cleared H_RST for H_CSR on spurious interrupt generated when ME_RDY while cleared and not while ME_RDY is set. The spurious interrupt is not delivered on all platforms in this case the driver may fail to initialize. Cc: stable@vger.kernel.org #3.12 Signed-off-by:
Tomas Winkler <tomas.winkler@intel.com> Signed-off-by:
Alexander Usyskin <alexander.usyskin@intel.com> Signed-off-by:
-
Tomas Winkler authored
commit c40765d9 upstream. According the spec the host should read H_CSR again after asserting reset H_RST to ensure that reset was read by the firmware Cc: stable@vger.kernel.org #3.12 Signed-off-by:
-
Quentin Casasnovas authored
commit 74073c9d upstream. On bo reservation failure, we end up leaking fpriv. v2 (chk): rebased and added missing free on vm failure as well Fixes: 5e386b57 ("drm/radeon: fix missing bo reservation") Cc: stable@vger.kernel.org Cc: Christian König <christian.koenig@amd.com> Cc: Alex Deucher <alexander.deucher@amd.com> Signed-off-by:
Quentin Casasnovas <quentin.casasnovas@oracle.com> Signed-off-by:
Christian König <christian.koenig@amd.com> Signed-off-by:
-
Tom Gundersen authored
commit 21bdd17b upstream. Commit 78551277: "Input: i8042 - add PNP modaliases" had a bug, where the second call to MODULE_DEVICE_TABLE() overrode the first resulting in not all the modaliases being exposed. This fixes the problem by including the name of the device_id table in the __mod_*_device_table alias, allowing us to export several device_id tables per module. Suggested-by:
Kay Sievers <kay@vrfy.org> Acked-by:
Tom Gundersen <teg@jklm.no> Signed-off-by:
Rusty Russell <rusty@rustcorp.com.au> Signed-off-by:
-
Aaron Lu authored
commit 545ef368 upstream. With commit 2c62333a "ACPI / video: Quirk initial backlight level 0" we do not need to have the following systems in DMI table, so remove them. HP Pavilion m4, HP 1000 Notebook PC, HP Pavilion g6 Notebook PC, HP Pavilion dm4, Fujitsu E753, HP Folio 13-2000. With this change, the use_bios_initial_backlight module parameter is no longer needed and thus removed. Signed-off-by:
Aaron Lu <aaron.lu@intel.com> Tested-by: Alex Hung <alex.hung@canonical.com> # for HP 1000 Notebook PC Tested-by: Gustavo Maciel Dias Vieira <gustavo@sagui.org> # for HP Pavilion dm4 Signed-off-by:
Rafael J. Wysocki <rafael.j.wysocki@intel.com> Signed-off-by:
-
Anton Blanchard authored
commit 7505258c upstream. I noticed KVM is broken when KVM in-kernel XICS emulation (CONFIG_KVM_XICS) is disabled. The problem was introduced in 48eaef05 (KVM: PPC: Book3S HV: use xics_wake_cpu only when defined). It used CONFIG_KVM_XICS to wrap xics_wake_cpu, where CONFIG_PPC_ICP_NATIVE should have been used. Signed-off-by:
Anton Blanchard <anton@samba.org> Cc: stable@vger.kernel.org Signed-off-by:
Paul Mackerras <paulus@samba.org> Acked-by:
Scott Wood <scottwood@freescale.com> Signed-off-by:
-
Anssi Hannula authored
commit 94908a39 upstream. Channel map positions FLH, FCH, FRH duplicate positions TFL, TFC, TFR. Both are the speakers above the front speakers (CEA uses "high" and USB audio uses "top" nomenclature). Since the USB audio code has used the TFx positions since v3.8 (04324ccc, "ALSA: usb-audio: add channel map support") but the HDMI code only just started using FxH in a5b7d510 ("ALSA: hda - hdmi: Fix channel maps with less common speakers") which is not yet in any released kernel, standardize on TFx instead. Signed-off-by:
Anssi Hannula <anssi.hannula@iki.fi> Signed-off-by:
Takashi Iwai <tiwai@suse.de> Signed-off-by:
-
Lars-Peter Clausen authored
commit 883a1d49 upstream. The ALSA control code expects that the range of assigned indices to a control is continuous and does not overflow. Currently there are no checks to enforce this. If a control with a overflowing index range is created that control becomes effectively inaccessible and unremovable since snd_ctl_find_id() will not be able to find it. This patch adds a check that makes sure that controls with a overflowing index range can not be created. Signed-off-by:
Lars-Peter Clausen <lars@metafoo.de> Acked-by:
Jaroslav Kysela <perex@perex.cz> Signed-off-by:
-
Lars-Peter Clausen authored
commit ac902c11 upstream. Each control gets automatically assigned its numids when the control is created. The allocation is done by incrementing the numid by the amount of allocated numids per allocation. This means that excessive creation and destruction of controls (e.g. via SNDRV_CTL_IOCTL_ELEM_ADD/REMOVE) can cause the id to eventually overflow. Currently when this happens for the control that caused the overflow kctl->id.numid + kctl->count will also over flow causing it to be smaller than kctl->id.numid. Most of the code assumes that this is something that can not happen, so we need to make sure that it won't happen Signed-off-by:
-
Lars-Peter Clausen authored
commit fd9f26e4 upstream. A control that is visible on the card->controls list can be freed at any time. This means we must not access any of its memory while not holding the controls_rw_lock. Otherwise we risk a use after free access. Signed-off-by:
-
Lars-Peter Clausen authored
commit 82262a46 upstream. There are two issues with the current implementation for replacing user controls. The first is that the code does not check if the control is actually a user control and neither does it check if the control is owned by the process that tries to remove it. That allows userspace applications to remove arbitrary controls, which can cause a user after free if a for example a driver does not expect a control to be removed from under its feed. The second issue is that on one hand when a control is replaced the user_ctl_count limit is not checked and on the other hand the user_ctl_count is increased (even though the number of user controls does not change). This allows userspace, once the user_ctl_count limit as been reached, to repeatedly replace a control until user_ctl_count overflows. Once that happens new controls can be added effectively bypassing the user_ctl_count limit. Both issues can be fixed by instead of open-coding the removal of the control that is to be replaced to use snd_ctl_remove_user_ctl(). This function does proper permission checks as well as decrements user_ctl_count after the control has been removed. Note that by using snd_ctl_remove_user_ctl() the check which returns -EBUSY at beginning of the function if the control already exists is removed. This is not a problem though since the check is quite useless, because the lock that is protecting the control list is released between the check and before adding the new control to the list, which means that it is possible that a different control with the same settings is added to the list after the check. Luckily there is another check that is done while holding the lock in snd_ctl_add(), so we'll rely on that to make sure that the same control is not added twice. Signed-off-by:
-
Lars-Peter Clausen authored
commit 07f4d9d7 upstream. The user-control put and get handlers as well as the tlv do not protect against concurrent access from multiple threads. Since the state of the control is not updated atomically it is possible that either two write operations or a write and a read operation race against each other. Both can lead to arbitrary memory disclosure. This patch introduces a new lock that protects user-controls from concurrent access. Since applications typically access controls sequentially than in parallel a single lock per card should be fine. Signed-off-by:
-
David Henningsson authored
commit 2041d564 upstream. According to the bug reporter (Данило Шеган), the external mic starts to work and has proper jack detection if only pin 0x19 is marked properly as an external headset mic. AlsaInfo at https://bugs.launchpad.net/ubuntu/+source/pulseaudio/+bug/1328587/+attachment/4128991/+files/AlsaInfo.txt BugLink: https://bugs.launchpad.net/bugs/1328587Signed-off-by:
David Henningsson <david.henningsson@canonical.com> Signed-off-by:
-
Kailang Yang authored
commit b6c5fbad upstream. New codec support for ALC891. Signed-off-by:
Kailang Yang <kailang@realtek.com> Signed-off-by:
-
Wang, Xiaoming authored
commit 2bd0ae46 upstream. Cancel the optimization of compiler for struct snd_compr_avail which size will be 0x1c in 32bit kernel while 0x20 in 64bit kernel under the optimizer. That will make compaction between 32bit and 64bit. So add packed to fix the size of struct snd_compr_avail to 0x1c for all platform. Signed-off-by:
Zhang Dongxing <dongxing.zhang@intel.com> Signed-off-by:
xiaoming wang <xiaoming.wang@intel.com> Acked-by:
Vinod Koul <vinod.koul@intel.com> Signed-off-by:
-
Greg Kroah-Hartman authored
commit 206204a1 upstream. Given some pathologically compressed data, lz4 could possibly decide to wrap a few internal variables, causing unknown things to happen. Catch this before the wrapping happens and abort the decompression. Reported-by:
"Don A. Bailey" <donb@securitymouse.com> Signed-off-by:
-
Greg Kroah-Hartman authored
commit 206a81c1 upstream. The lzo decompressor can, if given some really crazy data, possibly overrun some variable types. Modify the checking logic to properly detect overruns before they happen. Reported-by:
-
Peter Meerwald authored
commit 8ba42fb7 upstream. i2c_smbus_read_word_data() does host endian conversion already, no need for le16_to_cpu() Signed-off-by:
Peter Meerwald <pmeerw@pmeerw.net> Signed-off-by:
Jonathan Cameron <jic23@kernel.org> Signed-off-by:
-
Dan Carpenter authored
commit 4f3bcd87 upstream. at91_adc_get_trigger_value_by_name() was returning -ENOMEM truncated to a positive u8 and that doesn't work. I've changed it to int and refactored it to preserve the error code. Signed-off-by:
Alexandre Belloni <alexandre.belloni@free-electrons.com> Tested-by:
-
Mario Schuknecht authored
commit c404618c upstream. Consider high byte of proximity min and max treshold in function 'tsl2x7x_chip_on'. So far, the high byte was not set. Signed-off-by:
Mario Schuknecht <mario.schuknecht@dresearch-fe.de> Signed-off-by:
-
Peter Ujfalusi authored
commit e6c111fa upstream. For some unknown reason the parameters for snd_soc_test_bits() were in wrong order: It was: snd_soc_test_bits(codec, val, mask, reg); /* WRONG!!! */ while it should be: snd_soc_test_bits(codec, reg, mask, val); Signed-off-by:
Peter Ujfalusi <peter.ujfalusi@ti.com> Signed-off-by:
Mark Brown <broonie@linaro.org> Signed-off-by:
-
