From: Greg KH <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: torvalds@linux-foundation.org, akpm@linux-foundation.org,
alan@lxorguk.ukuu.org.uk, Grazvydas Ignotas <notasas@gmail.com>,
Felipe Balbi <balbi@ti.com>
Subject: [ 37/61] usb: musb_gadget: fix crash caused by dangling pointer
Date: Wed, 20 Jun 2012 10:30:57 -0700 [thread overview]
Message-ID: <20120620173024.099461098@linuxfoundation.org> (raw)
In-Reply-To: <20120620173033.GA5634@kroah.com>
3.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Grazvydas Ignotas <notasas@gmail.com>
commit 08f75bf14fadaa81fe362d5acda9b77b113dd0a2 upstream.
usb_ep_ops.disable must clear external copy of the endpoint descriptor,
otherwise musb crashes after loading/unloading several gadget modules
in a row:
Unable to handle kernel paging request at virtual address bf013730
pgd = c0004000
[bf013730] *pgd=8f26d811, *pte=00000000, *ppte=00000000
Internal error: Oops: 7 [#1]
Modules linked in: g_cdc [last unloaded: g_file_storage]
CPU: 0 Not tainted (3.2.17 #647)
PC is at musb_gadget_enable+0x4c/0x24c
LR is at _raw_spin_lock_irqsave+0x4c/0x58
[<c027c030>] (musb_gadget_enable+0x4c/0x24c) from [<bf01b760>] (gether_connect+0x3c/0x19c [g_cdc])
[<bf01b760>] (gether_connect+0x3c/0x19c [g_cdc]) from [<bf01ba1c>] (ecm_set_alt+0x15c/0x180 [g_cdc])
[<bf01ba1c>] (ecm_set_alt+0x15c/0x180 [g_cdc]) from [<bf01ecd4>] (composite_setup+0x85c/0xac4 [g_cdc])
[<bf01ecd4>] (composite_setup+0x85c/0xac4 [g_cdc]) from [<c027b744>] (musb_g_ep0_irq+0x844/0x924)
[<c027b744>] (musb_g_ep0_irq+0x844/0x924) from [<c027a97c>] (musb_interrupt+0x79c/0x864)
[<c027a97c>] (musb_interrupt+0x79c/0x864) from [<c027aaa8>] (generic_interrupt+0x64/0x7c)
[<c027aaa8>] (generic_interrupt+0x64/0x7c) from [<c00797cc>] (handle_irq_event_percpu+0x28/0x178)
...
Signed-off-by: Grazvydas Ignotas <notasas@gmail.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/musb/musb_gadget.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/usb/musb/musb_gadget.c
+++ b/drivers/usb/musb/musb_gadget.c
@@ -1232,6 +1232,7 @@ static int musb_gadget_disable(struct us
}
musb_ep->desc = NULL;
+ musb_ep->end_point.desc = NULL;
/* abort all pending DMA and requests */
nuke(musb_ep, -ESHUTDOWN);
next prev parent reply other threads:[~2012-06-20 17:30 UTC|newest]
Thread overview: 65+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-06-20 17:30 [ 00/61] 3.4.4-stable review Greg KH
2012-06-20 17:30 ` [ 01/61] ARM i.MX53: Fix PLL4 base address Greg KH
2012-06-20 17:30 ` [ 02/61] ARM: imx6: exit coherency when shutting down a cpu Greg KH
2012-06-20 17:30 ` [ 03/61] ARM i.MX imx21ads: Fix overlapping static i/o mappings Greg KH
2012-06-20 17:30 ` [ 04/61] Revert "drm/i915/dp: Use auxch precharge value of 5 everywhere" Greg KH
2012-06-20 18:51 ` Adam Jackson
2012-06-20 19:01 ` Greg KH
2012-06-21 11:48 ` Wouter M. Koolen
2012-06-20 17:30 ` [ 05/61] drm/radeon: add some additional 6xx/7xx/EG register init Greg KH
2012-06-20 17:30 ` [ 06/61] drm via: initialize object_idr Greg KH
2012-06-20 17:30 ` [ 07/61] drm/udl: only bind to the video devices on the hub Greg KH
2012-06-20 17:30 ` [ 08/61] drm sis: initialize object_idr Greg KH
2012-06-20 17:30 ` [ 09/61] xen/hvc: Collapse error logic Greg KH
2012-06-20 17:30 ` [ 10/61] xen/hvc: Fix error cases around HVM_PARAM_CONSOLE_PFN Greg KH
2012-06-20 17:30 ` [ 11/61] xen/hvc: Check HVM_PARAM_CONSOLE_[EVTCHN|PFN] for correctness Greg KH
2012-06-20 17:30 ` [ 12/61] xen/setup: filter APERFMPERF cpuid feature out Greg KH
2012-06-20 17:30 ` [ 13/61] NFSv4.1: Fix a request leak on the back channel Greg KH
2012-06-20 17:30 ` [ 14/61] NFSv4: Fix unnecessary delegation returns in nfs4_do_open Greg KH
2012-06-20 17:30 ` [ 15/61] nfsd4: BUG_ON(!is_spin_locked()) no good on UP kernels Greg KH
2012-06-20 17:30 ` [ 16/61] tracing: Have tracing_off() actually turn tracing off Greg KH
2012-06-20 17:30 ` [ 17/61] rpc_pipefs: allow rpc_purge_list to take a NULL waitq pointer Greg KH
2012-06-20 17:30 ` [ 18/61] SCSI: mpt2sas: Fix unsafe using smp_processor_id() in preemptible Greg KH
2012-06-20 17:30 ` [ 19/61] swap: fix shmem swapping when more than 8 areas Greg KH
2012-06-20 17:30 ` [ 20/61] USB: option: Add Vodafone/Huawei K5005 support Greg KH
2012-06-20 17:30 ` [ 21/61] USB: option: Updated Huawei K4605 has better id Greg KH
2012-06-20 17:30 ` [ 22/61] USB: option: add more YUGA device ids Greg KH
2012-06-20 17:30 ` [ 23/61] USB: option: fix memory leak Greg KH
2012-06-20 17:30 ` [ 24/61] USB: option: fix port-data abuse Greg KH
2012-06-20 17:30 ` [ 25/61] kdump: Execute kmsg_dump(KMSG_DUMP_PANIC) after smp_send_stop() Greg KH
2012-06-20 17:30 ` [ 26/61] hfsplus: fix overflow in sector calculations in hfsplus_submit_bio Greg KH
2012-06-20 17:30 ` [ 27/61] hfsplus: fix bless ioctl when used with hardlinks Greg KH
2012-06-20 17:30 ` [ 28/61] Make hard_irq_disable() actually hard-disable interrupts Greg KH
2012-06-20 17:30 ` [ 29/61] xhci: Fix invalid loop check in xhci_free_tt_info() Greg KH
2012-06-20 17:30 ` [ 30/61] xhci: Dont free endpoints in xhci_mem_cleanup() Greg KH
2012-06-20 17:30 ` [ 31/61] xHCI: Increase the timeout for controller save/restore state operation Greg KH
2012-06-20 17:30 ` [ 32/61] usb-storage: Add 090c:1000 to unusal-devs Greg KH
2012-06-20 17:30 ` [ 33/61] USB: mos7840: Fix compilation of usb serial driver Greg KH
2012-06-20 17:30 ` [ 34/61] USB: qcserial: Add Sierra Wireless device IDs Greg KH
2012-06-20 17:30 ` [ 35/61] USB: mct_u232: Fix incorrect TIOCMSET return Greg KH
2012-06-20 17:30 ` [ 36/61] usb: musb: davinci: Fix build breakage Greg KH
2012-06-20 17:30 ` Greg KH [this message]
2012-06-20 17:30 ` [ 38/61] USB: fix PS3 EHCI systems Greg KH
2012-06-20 17:30 ` [ 39/61] USB: serial: cp210x: add Optris MS Pro usb id Greg KH
2012-06-20 17:31 ` [ 40/61] USB: ftdi-sio: Add support for RT Systems USB-RTS01 serial adapter Greg KH
2012-06-20 17:31 ` [ 41/61] USB: add NO_D3_DURING_SLEEP flag and revert 151b61284776be2 Greg KH
2012-06-20 17:31 ` [ 42/61] USB: cdc-wdm: Add Vodafone/Huawei K5005 support Greg KH
2012-06-20 17:31 ` [ 43/61] usb: cdc-acm: fix devices not unthrottled on open Greg KH
2012-06-20 17:31 ` [ 44/61] USB: serial: sierra: Add support for Sierra Wireless AirCard 320U modem Greg KH
2012-06-20 17:31 ` [ 45/61] USB: serial: Enforce USB driver and USB serial driver match Greg KH
2012-06-20 17:31 ` [ 46/61] USB: fix gathering of interface associations Greg KH
2012-06-20 17:31 ` [ 47/61] ASoC: wm8904: Fix GPIO and MICBIAS initialisation for regmap conversion Greg KH
2012-06-20 17:31 ` [ 48/61] hwrng: atmel-rng - fix data valid check Greg KH
2012-06-20 17:31 ` [ 49/61] edac: avoid mce decoding crash after edac driver unloaded Greg KH
2012-06-20 17:31 ` [ 50/61] edac: fix the error about memory type detection on SandyBridge Greg KH
2012-06-20 17:31 ` [ 51/61] 9p: BUG before corrupting memory Greg KH
2012-06-20 17:31 ` [ 52/61] remoteproc/omap: fix dev_err typo Greg KH
2012-06-20 17:31 ` [ 53/61] remoteproc: fix print format warnings Greg KH
2012-06-20 17:31 ` [ 54/61] remoteproc: fix missing fault indication in error-path Greg KH
2012-06-20 17:31 ` [ 55/61] e1000e: Disable ASPM L1 on 82574 Greg KH
2012-06-20 17:31 ` [ 56/61] e1000e: Remove special case for 82573/82574 ASPM L1 disablement Greg KH
2012-06-20 17:31 ` [ 57/61] ntp: Correct TAI offset during leap second Greg KH
2012-06-20 17:31 ` [ 58/61] iwlwifi: fix the Transmit Frame Descriptor rings Greg KH
2012-06-20 17:31 ` [ 59/61] iwlwifi: use correct supported firmware for 6035 and 6000g2 Greg KH
2012-06-20 17:31 ` [ 60/61] iwlwifi: fix TX power antenna access Greg KH
2012-06-20 17:31 ` [ 61/61] target: Return error to initiator if SET TARGET PORT GROUPS emulation fails Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120620173024.099461098@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=akpm@linux-foundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=balbi@ti.com \
--cc=linux-kernel@vger.kernel.org \
--cc=notasas@gmail.com \
--cc=stable@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).