<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux.git/drivers/usb/gadget/function, branch v4.16</title>
<subtitle>Linux kernel source tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/'/>
<entry>
<title>usb: gadget: f_fs: Fix use-after-free in ffs_fs_kill_sb()</title>
<updated>2018-03-05T08:42:53+00:00</updated>
<author>
<name>Xinyong</name>
<email>xinyong.fang@linux.alibaba.com</email>
</author>
<published>2018-03-02T11:20:07+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=1a087f032111a88e826877449dfb93ceb22b78b9'/>
<id>1a087f032111a88e826877449dfb93ceb22b78b9</id>
<content type='text'>
When I debug a kernel crash issue in funcitonfs, found ffs_data.ref
overflowed, While functionfs is unmounting, ffs_data is put twice.

Commit 43938613c6fd ("drivers, usb: convert ffs_data.ref from atomic_t to
refcount_t") can avoid refcount overflow, but that is risk some situations.
So no need put ffs data in ffs_fs_kill_sb, already put in ffs_data_closed.

The issue can be reproduced in Mediatek mt6763 SoC, ffs for ADB device.
KASAN enabled configuration reports use-after-free errro.

BUG: KASAN: use-after-free in refcount_dec_and_test+0x14/0xe0 at addr ffffffc0579386a0
Read of size 4 by task umount/4650
====================================================
BUG kmalloc-512 (Tainted: P        W  O   ): kasan: bad access detected
-----------------------------------------------------------------------------

INFO: Allocated in ffs_fs_mount+0x194/0x844 age=22856 cpu=2 pid=566
    alloc_debug_processing+0x1ac/0x1e8
    ___slab_alloc.constprop.63+0x640/0x648
    __slab_alloc.isra.57.constprop.62+0x24/0x34
    kmem_cache_alloc_trace+0x1a8/0x2bc
    ffs_fs_mount+0x194/0x844
    mount_fs+0x6c/0x1d0
    vfs_kern_mount+0x50/0x1b4
    do_mount+0x258/0x1034
INFO: Freed in ffs_data_put+0x25c/0x320 age=0 cpu=3 pid=4650
    free_debug_processing+0x22c/0x434
    __slab_free+0x2d8/0x3a0
    kfree+0x254/0x264
    ffs_data_put+0x25c/0x320
    ffs_data_closed+0x124/0x15c
    ffs_fs_kill_sb+0xb8/0x110
    deactivate_locked_super+0x6c/0x98
    deactivate_super+0xb0/0xbc
INFO: Object 0xffffffc057938600 @offset=1536 fp=0x          (null)
......
Call trace:
[&lt;ffffff900808cf5c&gt;] dump_backtrace+0x0/0x250
[&lt;ffffff900808d3a0&gt;] show_stack+0x14/0x1c
[&lt;ffffff90084a8c04&gt;] dump_stack+0xa0/0xc8
[&lt;ffffff900826c2b4&gt;] print_trailer+0x158/0x260
[&lt;ffffff900826d9d8&gt;] object_err+0x3c/0x40
[&lt;ffffff90082745f0&gt;] kasan_report_error+0x2a8/0x754
[&lt;ffffff9008274f84&gt;] kasan_report+0x5c/0x60
[&lt;ffffff9008273208&gt;] __asan_load4+0x70/0x88
[&lt;ffffff90084cd81c&gt;] refcount_dec_and_test+0x14/0xe0
[&lt;ffffff9008d98f9c&gt;] ffs_data_put+0x80/0x320
[&lt;ffffff9008d9d904&gt;] ffs_fs_kill_sb+0xc8/0x110
[&lt;ffffff90082852a0&gt;] deactivate_locked_super+0x6c/0x98
[&lt;ffffff900828537c&gt;] deactivate_super+0xb0/0xbc
[&lt;ffffff90082af0c0&gt;] cleanup_mnt+0x64/0xec
[&lt;ffffff90082af1b0&gt;] __cleanup_mnt+0x10/0x18
[&lt;ffffff90080d9e68&gt;] task_work_run+0xcc/0x124
[&lt;ffffff900808c8c0&gt;] do_notify_resume+0x60/0x70
[&lt;ffffff90080866e4&gt;] work_pending+0x10/0x14

Cc: stable@vger.kernel.org
Signed-off-by: Xinyong &lt;xinyong.fang@linux.alibaba.com&gt;

Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
When I debug a kernel crash issue in funcitonfs, found ffs_data.ref
overflowed, While functionfs is unmounting, ffs_data is put twice.

Commit 43938613c6fd ("drivers, usb: convert ffs_data.ref from atomic_t to
refcount_t") can avoid refcount overflow, but that is risk some situations.
So no need put ffs data in ffs_fs_kill_sb, already put in ffs_data_closed.

The issue can be reproduced in Mediatek mt6763 SoC, ffs for ADB device.
KASAN enabled configuration reports use-after-free errro.

BUG: KASAN: use-after-free in refcount_dec_and_test+0x14/0xe0 at addr ffffffc0579386a0
Read of size 4 by task umount/4650
====================================================
BUG kmalloc-512 (Tainted: P        W  O   ): kasan: bad access detected
-----------------------------------------------------------------------------

INFO: Allocated in ffs_fs_mount+0x194/0x844 age=22856 cpu=2 pid=566
    alloc_debug_processing+0x1ac/0x1e8
    ___slab_alloc.constprop.63+0x640/0x648
    __slab_alloc.isra.57.constprop.62+0x24/0x34
    kmem_cache_alloc_trace+0x1a8/0x2bc
    ffs_fs_mount+0x194/0x844
    mount_fs+0x6c/0x1d0
    vfs_kern_mount+0x50/0x1b4
    do_mount+0x258/0x1034
INFO: Freed in ffs_data_put+0x25c/0x320 age=0 cpu=3 pid=4650
    free_debug_processing+0x22c/0x434
    __slab_free+0x2d8/0x3a0
    kfree+0x254/0x264
    ffs_data_put+0x25c/0x320
    ffs_data_closed+0x124/0x15c
    ffs_fs_kill_sb+0xb8/0x110
    deactivate_locked_super+0x6c/0x98
    deactivate_super+0xb0/0xbc
INFO: Object 0xffffffc057938600 @offset=1536 fp=0x          (null)
......
Call trace:
[&lt;ffffff900808cf5c&gt;] dump_backtrace+0x0/0x250
[&lt;ffffff900808d3a0&gt;] show_stack+0x14/0x1c
[&lt;ffffff90084a8c04&gt;] dump_stack+0xa0/0xc8
[&lt;ffffff900826c2b4&gt;] print_trailer+0x158/0x260
[&lt;ffffff900826d9d8&gt;] object_err+0x3c/0x40
[&lt;ffffff90082745f0&gt;] kasan_report_error+0x2a8/0x754
[&lt;ffffff9008274f84&gt;] kasan_report+0x5c/0x60
[&lt;ffffff9008273208&gt;] __asan_load4+0x70/0x88
[&lt;ffffff90084cd81c&gt;] refcount_dec_and_test+0x14/0xe0
[&lt;ffffff9008d98f9c&gt;] ffs_data_put+0x80/0x320
[&lt;ffffff9008d9d904&gt;] ffs_fs_kill_sb+0xc8/0x110
[&lt;ffffff90082852a0&gt;] deactivate_locked_super+0x6c/0x98
[&lt;ffffff900828537c&gt;] deactivate_super+0xb0/0xbc
[&lt;ffffff90082af0c0&gt;] cleanup_mnt+0x64/0xec
[&lt;ffffff90082af1b0&gt;] __cleanup_mnt+0x10/0x18
[&lt;ffffff90080d9e68&gt;] task_work_run+0xcc/0x124
[&lt;ffffff900808c8c0&gt;] do_notify_resume+0x60/0x70
[&lt;ffffff90080866e4&gt;] work_pending+0x10/0x14

Cc: stable@vger.kernel.org
Signed-off-by: Xinyong &lt;xinyong.fang@linux.alibaba.com&gt;

Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>usb: gadget: f_fs: Use config_ep_by_speed()</title>
<updated>2018-02-12T08:52:54+00:00</updated>
<author>
<name>Jack Pham</name>
<email>jackp@codeaurora.org</email>
</author>
<published>2018-01-25T07:58:20+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=675272d092e4a5570bace92593776f7348daf4c5'/>
<id>675272d092e4a5570bace92593776f7348daf4c5</id>
<content type='text'>
In commit 2bfa0719ac2a ("usb: gadget: function: f_fs: pass
companion descriptor along") there is a pointer arithmetic
bug where the comp_desc is obtained as follows:

 comp_desc = (struct usb_ss_ep_comp_descriptor *)(ds +
	       USB_DT_ENDPOINT_SIZE);

Since ds is a pointer to usb_endpoint_descriptor, adding
7 to it ends up going out of bounds (7 * sizeof(struct
usb_endpoint_descriptor), which is actually 7*9 bytes) past
the SS descriptor. As a result the maxburst value will be
read incorrectly, and the UDC driver will also get a garbage
comp_desc (assuming it uses it).

Since Felipe wrote, "Eventually, f_fs.c should be converted
to use config_ep_by_speed() like all other functions, though",
let's finally do it. This allows the other usb_ep fields to
be properly populated, such as maxpacket and mult. It also
eliminates the awkward speed-based descriptor lookup since
config_ep_by_speed() does that already using the ones found
in struct usb_function.

Fixes: 2bfa0719ac2a ("usb: gadget: function: f_fs: pass companion descriptor along")
Cc: stable@vger.kernel.org
Signed-off-by: Jack Pham &lt;jackp@codeaurora.org&gt;
Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
In commit 2bfa0719ac2a ("usb: gadget: function: f_fs: pass
companion descriptor along") there is a pointer arithmetic
bug where the comp_desc is obtained as follows:

 comp_desc = (struct usb_ss_ep_comp_descriptor *)(ds +
	       USB_DT_ENDPOINT_SIZE);

Since ds is a pointer to usb_endpoint_descriptor, adding
7 to it ends up going out of bounds (7 * sizeof(struct
usb_endpoint_descriptor), which is actually 7*9 bytes) past
the SS descriptor. As a result the maxburst value will be
read incorrectly, and the UDC driver will also get a garbage
comp_desc (assuming it uses it).

Since Felipe wrote, "Eventually, f_fs.c should be converted
to use config_ep_by_speed() like all other functions, though",
let's finally do it. This allows the other usb_ep fields to
be properly populated, such as maxpacket and mult. It also
eliminates the awkward speed-based descriptor lookup since
config_ep_by_speed() does that already using the ones found
in struct usb_function.

Fixes: 2bfa0719ac2a ("usb: gadget: function: f_fs: pass companion descriptor along")
Cc: stable@vger.kernel.org
Signed-off-by: Jack Pham &lt;jackp@codeaurora.org&gt;
Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>usb: gadget: f_fs: Process all descriptors during bind</title>
<updated>2018-02-12T08:52:37+00:00</updated>
<author>
<name>Jack Pham</name>
<email>jackp@codeaurora.org</email>
</author>
<published>2018-01-24T08:11:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=6cf439e0d37463e42784271179c8a308fd7493c6'/>
<id>6cf439e0d37463e42784271179c8a308fd7493c6</id>
<content type='text'>
During _ffs_func_bind(), the received descriptors are evaluated
to prepare for binding with the gadget in order to allocate
endpoints and optionally set up OS descriptors. However, the
high- and super-speed descriptors are only parsed based on
whether the gadget_is_dualspeed() and gadget_is_superspeed()
calls are true, respectively.

This is a problem in case a userspace program always provides
all of the {full,high,super,OS} descriptors when configuring a
function. Then, for example if a gadget device is not capable
of SuperSpeed, the call to ffs_do_descs() for the SS descriptors
is skipped, resulting in an incorrect offset calculation for
the vla_ptr when moving on to the OS descriptors that follow.
This causes ffs_do_os_descs() to fail as it is now looking at
the SS descriptors' offset within the raw_descs buffer instead.

_ffs_func_bind() should evaluate the descriptors unconditionally,
so remove the checks for gadget speed.

Fixes: f0175ab51993 ("usb: gadget: f_fs: OS descriptors support")
Cc: stable@vger.kernel.org
Co-Developed-by: Mayank Rana &lt;mrana@codeaurora.org&gt;
Signed-off-by: Mayank Rana &lt;mrana@codeaurora.org&gt;
Signed-off-by: Jack Pham &lt;jackp@codeaurora.org&gt;
Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
During _ffs_func_bind(), the received descriptors are evaluated
to prepare for binding with the gadget in order to allocate
endpoints and optionally set up OS descriptors. However, the
high- and super-speed descriptors are only parsed based on
whether the gadget_is_dualspeed() and gadget_is_superspeed()
calls are true, respectively.

This is a problem in case a userspace program always provides
all of the {full,high,super,OS} descriptors when configuring a
function. Then, for example if a gadget device is not capable
of SuperSpeed, the call to ffs_do_descs() for the SS descriptors
is skipped, resulting in an incorrect offset calculation for
the vla_ptr when moving on to the OS descriptors that follow.
This causes ffs_do_os_descs() to fail as it is now looking at
the SS descriptors' offset within the raw_descs buffer instead.

_ffs_func_bind() should evaluate the descriptors unconditionally,
so remove the checks for gadget speed.

Fixes: f0175ab51993 ("usb: gadget: f_fs: OS descriptors support")
Cc: stable@vger.kernel.org
Co-Developed-by: Mayank Rana &lt;mrana@codeaurora.org&gt;
Signed-off-by: Mayank Rana &lt;mrana@codeaurora.org&gt;
Signed-off-by: Jack Pham &lt;jackp@codeaurora.org&gt;
Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>usb: gadget: f_uac2: fix bFirstInterface in composite gadget</title>
<updated>2018-02-12T08:48:59+00:00</updated>
<author>
<name>John Keeping</name>
<email>john@metanate.com</email>
</author>
<published>2018-01-12T18:43:32+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=8813a59ed892305b5ac1b5b901740b1ad4b5fefa'/>
<id>8813a59ed892305b5ac1b5b901740b1ad4b5fefa</id>
<content type='text'>
If there are multiple functions associated with a configuration, then
the UAC2 interfaces may not start at zero.  Set the correct first
interface number in the association descriptor so that the audio
interfaces are enumerated correctly in this case.

Reviewed-by: Krzysztof Opasiak &lt;k.opasiak@samsung.com&gt;
Signed-off-by: John Keeping &lt;john@metanate.com&gt;
Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
If there are multiple functions associated with a configuration, then
the UAC2 interfaces may not start at zero.  Set the correct first
interface number in the association descriptor so that the audio
interfaces are enumerated correctly in this case.

Reviewed-by: Krzysztof Opasiak &lt;k.opasiak@samsung.com&gt;
Signed-off-by: John Keeping &lt;john@metanate.com&gt;
Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>vfs: do bulk POLL* -&gt; EPOLL* replacement</title>
<updated>2018-02-11T22:34:03+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2018-02-11T22:34:03+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=a9a08845e9acbd224e4ee466f5c1275ed50054e8'/>
<id>a9a08845e9acbd224e4ee466f5c1275ed50054e8</id>
<content type='text'>
This is the mindless scripted replacement of kernel use of POLL*
variables as described by Al, done by this script:

    for V in IN OUT PRI ERR RDNORM RDBAND WRNORM WRBAND HUP RDHUP NVAL MSG; do
        L=`git grep -l -w POLL$V | grep -v '^t' | grep -v /um/ | grep -v '^sa' | grep -v '/poll.h$'|grep -v '^D'`
        for f in $L; do sed -i "-es/^\([^\"]*\)\(\&lt;POLL$V\&gt;\)/\\1E\\2/" $f; done
    done

with de-mangling cleanups yet to come.

NOTE! On almost all architectures, the EPOLL* constants have the same
values as the POLL* constants do.  But they keyword here is "almost".
For various bad reasons they aren't the same, and epoll() doesn't
actually work quite correctly in some cases due to this on Sparc et al.

The next patch from Al will sort out the final differences, and we
should be all done.

Scripted-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This is the mindless scripted replacement of kernel use of POLL*
variables as described by Al, done by this script:

    for V in IN OUT PRI ERR RDNORM RDBAND WRNORM WRBAND HUP RDHUP NVAL MSG; do
        L=`git grep -l -w POLL$V | grep -v '^t' | grep -v /um/ | grep -v '^sa' | grep -v '/poll.h$'|grep -v '^D'`
        for f in $L; do sed -i "-es/^\([^\"]*\)\(\&lt;POLL$V\&gt;\)/\\1E\\2/" $f; done
    done

with de-mangling cleanups yet to come.

NOTE! On almost all architectures, the EPOLL* constants have the same
values as the POLL* constants do.  But they keyword here is "almost".
For various bad reasons they aren't the same, and epoll() doesn't
actually work quite correctly in some cases due to this on Sparc et al.

The next patch from Al will sort out the final differences, and we
should be all done.

Scripted-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge tag 'usb-4.16-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb</title>
<updated>2018-02-01T17:40:49+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2018-02-01T17:40:49+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=e4ee8b85b7657d9c769b727038faabdc2e6a3412'/>
<id>e4ee8b85b7657d9c769b727038faabdc2e6a3412</id>
<content type='text'>
Pull USB/PHY updates from Greg KH:
 "Here is the big USB and PHY driver update for 4.16-rc1.

  Along with the normally expected XHCI, MUSB, and Gadget driver
  patches, there are some PHY driver fixes, license cleanups, sysfs
  attribute cleanups, usbip changes, and a raft of other smaller fixes
  and additions.

  Full details are in the shortlog.

  All of these have been in the linux-next tree for a long time with no
  reported issues"

* tag 'usb-4.16-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: (137 commits)
  USB: serial: pl2303: new device id for Chilitag
  USB: misc: fix up some remaining DEVICE_ATTR() usages
  USB: musb: fix up one odd DEVICE_ATTR() usage
  USB: atm: fix up some remaining DEVICE_ATTR() usage
  USB: move many drivers to use DEVICE_ATTR_WO
  USB: move many drivers to use DEVICE_ATTR_RO
  USB: move many drivers to use DEVICE_ATTR_RW
  USB: misc: chaoskey: Use true and false for boolean values
  USB: storage: remove old wording about how to submit a change
  USB: storage: remove invalid URL from drivers
  usb: ehci-omap: don't complain on -EPROBE_DEFER when no PHY found
  usbip: list: don't list devices attached to vhci_hcd
  usbip: prevent bind loops on devices attached to vhci_hcd
  USB: serial: remove redundant initializations of 'mos_parport'
  usb/gadget: Fix "high bandwidth" check in usb_gadget_ep_match_desc()
  usb: gadget: compress return logic into one line
  usbip: vhci_hcd: update 'status' file header and format
  USB: serial: simple: add Motorola Tetra driver
  CDC-ACM: apply quirk for card reader
  usb: option: Add support for FS040U modem
  ...
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Pull USB/PHY updates from Greg KH:
 "Here is the big USB and PHY driver update for 4.16-rc1.

  Along with the normally expected XHCI, MUSB, and Gadget driver
  patches, there are some PHY driver fixes, license cleanups, sysfs
  attribute cleanups, usbip changes, and a raft of other smaller fixes
  and additions.

  Full details are in the shortlog.

  All of these have been in the linux-next tree for a long time with no
  reported issues"

* tag 'usb-4.16-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: (137 commits)
  USB: serial: pl2303: new device id for Chilitag
  USB: misc: fix up some remaining DEVICE_ATTR() usages
  USB: musb: fix up one odd DEVICE_ATTR() usage
  USB: atm: fix up some remaining DEVICE_ATTR() usage
  USB: move many drivers to use DEVICE_ATTR_WO
  USB: move many drivers to use DEVICE_ATTR_RO
  USB: move many drivers to use DEVICE_ATTR_RW
  USB: misc: chaoskey: Use true and false for boolean values
  USB: storage: remove old wording about how to submit a change
  USB: storage: remove invalid URL from drivers
  usb: ehci-omap: don't complain on -EPROBE_DEFER when no PHY found
  usbip: list: don't list devices attached to vhci_hcd
  usbip: prevent bind loops on devices attached to vhci_hcd
  USB: serial: remove redundant initializations of 'mos_parport'
  usb/gadget: Fix "high bandwidth" check in usb_gadget_ep_match_desc()
  usb: gadget: compress return logic into one line
  usbip: vhci_hcd: update 'status' file header and format
  USB: serial: simple: add Motorola Tetra driver
  CDC-ACM: apply quirk for card reader
  usb: option: Add support for FS040U modem
  ...
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge branch 'misc.poll' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs</title>
<updated>2018-01-31T01:58:07+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2018-01-31T01:58:07+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=168fe32a072a4b8dc81a3aebf0e5e588d38e2955'/>
<id>168fe32a072a4b8dc81a3aebf0e5e588d38e2955</id>
<content type='text'>
Pull poll annotations from Al Viro:
 "This introduces a __bitwise type for POLL### bitmap, and propagates
  the annotations through the tree. Most of that stuff is as simple as
  'make -&gt;poll() instances return __poll_t and do the same to local
  variables used to hold the future return value'.

  Some of the obvious brainos found in process are fixed (e.g. POLLIN
  misspelled as POLL_IN). At that point the amount of sparse warnings is
  low and most of them are for genuine bugs - e.g. -&gt;poll() instance
  deciding to return -EINVAL instead of a bitmap. I hadn't touched those
  in this series - it's large enough as it is.

  Another problem it has caught was eventpoll() ABI mess; select.c and
  eventpoll.c assumed that corresponding POLL### and EPOLL### were
  equal. That's true for some, but not all of them - EPOLL### are
  arch-independent, but POLL### are not.

  The last commit in this series separates userland POLL### values from
  the (now arch-independent) kernel-side ones, converting between them
  in the few places where they are copied to/from userland. AFAICS, this
  is the least disruptive fix preserving poll(2) ABI and making epoll()
  work on all architectures.

  As it is, it's simply broken on sparc - try to give it EPOLLWRNORM and
  it will trigger only on what would've triggered EPOLLWRBAND on other
  architectures. EPOLLWRBAND and EPOLLRDHUP, OTOH, are never triggered
  at all on sparc. With this patch they should work consistently on all
  architectures"

* 'misc.poll' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: (37 commits)
  make kernel-side POLL... arch-independent
  eventpoll: no need to mask the result of epi_item_poll() again
  eventpoll: constify struct epoll_event pointers
  debugging printk in sg_poll() uses %x to print POLL... bitmap
  annotate poll(2) guts
  9p: untangle -&gt;poll() mess
  -&gt;si_band gets POLL... bitmap stored into a user-visible long field
  ring_buffer_poll_wait() return value used as return value of -&gt;poll()
  the rest of drivers/*: annotate -&gt;poll() instances
  media: annotate -&gt;poll() instances
  fs: annotate -&gt;poll() instances
  ipc, kernel, mm: annotate -&gt;poll() instances
  net: annotate -&gt;poll() instances
  apparmor: annotate -&gt;poll() instances
  tomoyo: annotate -&gt;poll() instances
  sound: annotate -&gt;poll() instances
  acpi: annotate -&gt;poll() instances
  crypto: annotate -&gt;poll() instances
  block: annotate -&gt;poll() instances
  x86: annotate -&gt;poll() instances
  ...
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Pull poll annotations from Al Viro:
 "This introduces a __bitwise type for POLL### bitmap, and propagates
  the annotations through the tree. Most of that stuff is as simple as
  'make -&gt;poll() instances return __poll_t and do the same to local
  variables used to hold the future return value'.

  Some of the obvious brainos found in process are fixed (e.g. POLLIN
  misspelled as POLL_IN). At that point the amount of sparse warnings is
  low and most of them are for genuine bugs - e.g. -&gt;poll() instance
  deciding to return -EINVAL instead of a bitmap. I hadn't touched those
  in this series - it's large enough as it is.

  Another problem it has caught was eventpoll() ABI mess; select.c and
  eventpoll.c assumed that corresponding POLL### and EPOLL### were
  equal. That's true for some, but not all of them - EPOLL### are
  arch-independent, but POLL### are not.

  The last commit in this series separates userland POLL### values from
  the (now arch-independent) kernel-side ones, converting between them
  in the few places where they are copied to/from userland. AFAICS, this
  is the least disruptive fix preserving poll(2) ABI and making epoll()
  work on all architectures.

  As it is, it's simply broken on sparc - try to give it EPOLLWRNORM and
  it will trigger only on what would've triggered EPOLLWRBAND on other
  architectures. EPOLLWRBAND and EPOLLRDHUP, OTOH, are never triggered
  at all on sparc. With this patch they should work consistently on all
  architectures"

* 'misc.poll' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: (37 commits)
  make kernel-side POLL... arch-independent
  eventpoll: no need to mask the result of epi_item_poll() again
  eventpoll: constify struct epoll_event pointers
  debugging printk in sg_poll() uses %x to print POLL... bitmap
  annotate poll(2) guts
  9p: untangle -&gt;poll() mess
  -&gt;si_band gets POLL... bitmap stored into a user-visible long field
  ring_buffer_poll_wait() return value used as return value of -&gt;poll()
  the rest of drivers/*: annotate -&gt;poll() instances
  media: annotate -&gt;poll() instances
  fs: annotate -&gt;poll() instances
  ipc, kernel, mm: annotate -&gt;poll() instances
  net: annotate -&gt;poll() instances
  apparmor: annotate -&gt;poll() instances
  tomoyo: annotate -&gt;poll() instances
  sound: annotate -&gt;poll() instances
  acpi: annotate -&gt;poll() instances
  crypto: annotate -&gt;poll() instances
  block: annotate -&gt;poll() instances
  x86: annotate -&gt;poll() instances
  ...
</pre>
</div>
</content>
</entry>
<entry>
<title>usb/gadget/NCM: Replace tasklet with softirq hrtimer</title>
<updated>2018-01-16T08:51:23+00:00</updated>
<author>
<name>Thomas Gleixner</name>
<email>tglx@linutronix.de</email>
</author>
<published>2017-12-21T10:42:04+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=b1a31a5f5f27ff8aba42b545a1c721941f735107'/>
<id>b1a31a5f5f27ff8aba42b545a1c721941f735107</id>
<content type='text'>
The tx_tasklet tasklet is used in invoke the hrtimer (task_timer) in
softirq context. This can be also achieved without the tasklet but
with HRTIMER_MODE_SOFT as hrtimer mode.

Signed-off-by: Thomas Gleixner &lt;tglx@linutronix.de&gt;
Signed-off-by: Anna-Maria Gleixner &lt;anna-maria@linutronix.de&gt;
Acked-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
Cc: Christoph Hellwig &lt;hch@lst.de&gt;
Cc: Felipe Balbi &lt;balbi@kernel.org&gt;
Cc: John Stultz &lt;john.stultz@linaro.org&gt;
Cc: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Cc: Peter Zijlstra &lt;peterz@infradead.org&gt;
Cc: keescook@chromium.org
Cc: linux-usb@vger.kernel.org
Link: http://lkml.kernel.org/r/20171221104205.7269-36-anna-maria@linutronix.de
Signed-off-by: Ingo Molnar &lt;mingo@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The tx_tasklet tasklet is used in invoke the hrtimer (task_timer) in
softirq context. This can be also achieved without the tasklet but
with HRTIMER_MODE_SOFT as hrtimer mode.

Signed-off-by: Thomas Gleixner &lt;tglx@linutronix.de&gt;
Signed-off-by: Anna-Maria Gleixner &lt;anna-maria@linutronix.de&gt;
Acked-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
Cc: Christoph Hellwig &lt;hch@lst.de&gt;
Cc: Felipe Balbi &lt;balbi@kernel.org&gt;
Cc: John Stultz &lt;john.stultz@linaro.org&gt;
Cc: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Cc: Peter Zijlstra &lt;peterz@infradead.org&gt;
Cc: keescook@chromium.org
Cc: linux-usb@vger.kernel.org
Link: http://lkml.kernel.org/r/20171221104205.7269-36-anna-maria@linutronix.de
Signed-off-by: Ingo Molnar &lt;mingo@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>usb: f_fs: Prevent gadget unbind if it is already unbound</title>
<updated>2018-01-09T15:18:50+00:00</updated>
<author>
<name>Hemant Kumar</name>
<email>hemantk@codeaurora.org</email>
</author>
<published>2018-01-09T07:00:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=ce5bf9a50daf2d9078b505aca1cea22e88ecb94a'/>
<id>ce5bf9a50daf2d9078b505aca1cea22e88ecb94a</id>
<content type='text'>
Upon usb composition switch there is possibility of ep0 file
release happening after gadget driver bind. In case of composition
switch from adb to a non-adb composition gadget will never gets
bound again resulting into failure of usb device enumeration. Fix
this issue by checking FFS_FL_BOUND flag and avoid extra
gadget driver unbind if it is already done as part of composition
switch.

This fixes adb reconnection error reported on Android running
v4.4 and above kernel versions. Verified on Hikey running vanilla
v4.15-rc7 + few out of tree Mali patches.

Reviewed-at: https://android-review.googlesource.com/#/c/582632/

Cc: Felipe Balbi &lt;balbi@kernel.org&gt;
Cc: Greg KH &lt;gregkh@linux-foundation.org&gt;
Cc: Michal Nazarewicz &lt;mina86@mina86.com&gt;
Cc: John Stultz &lt;john.stultz@linaro.org&gt;
Cc: Dmitry Shmidt &lt;dimitrysh@google.com&gt;
Cc: Badhri &lt;badhri@google.com&gt;
Cc: Android Kernel Team &lt;kernel-team@android.com&gt;
Cc: stable@vger.kernel.org
Signed-off-by: Hemant Kumar &lt;hemantk@codeaurora.org&gt;
[AmitP: Cherry-picked it from android-4.14 and updated the commit log]
Signed-off-by: Amit Pundir &lt;amit.pundir@linaro.org&gt;
Cc: stable &lt;stable@vger.kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Upon usb composition switch there is possibility of ep0 file
release happening after gadget driver bind. In case of composition
switch from adb to a non-adb composition gadget will never gets
bound again resulting into failure of usb device enumeration. Fix
this issue by checking FFS_FL_BOUND flag and avoid extra
gadget driver unbind if it is already done as part of composition
switch.

This fixes adb reconnection error reported on Android running
v4.4 and above kernel versions. Verified on Hikey running vanilla
v4.15-rc7 + few out of tree Mali patches.

Reviewed-at: https://android-review.googlesource.com/#/c/582632/

Cc: Felipe Balbi &lt;balbi@kernel.org&gt;
Cc: Greg KH &lt;gregkh@linux-foundation.org&gt;
Cc: Michal Nazarewicz &lt;mina86@mina86.com&gt;
Cc: John Stultz &lt;john.stultz@linaro.org&gt;
Cc: Dmitry Shmidt &lt;dimitrysh@google.com&gt;
Cc: Badhri &lt;badhri@google.com&gt;
Cc: Android Kernel Team &lt;kernel-team@android.com&gt;
Cc: stable@vger.kernel.org
Signed-off-by: Hemant Kumar &lt;hemantk@codeaurora.org&gt;
[AmitP: Cherry-picked it from android-4.14 and updated the commit log]
Signed-off-by: Amit Pundir &lt;amit.pundir@linaro.org&gt;
Cc: stable &lt;stable@vger.kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>usb: gadget: ffs: Make sparse happier</title>
<updated>2017-12-11T10:36:50+00:00</updated>
<author>
<name>Vincent Pelletier</name>
<email>plr.vincent@gmail.com</email>
</author>
<published>2017-11-28T15:20:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=c40619bb1bb7d46916eb101378163ed3d065ba8c'/>
<id>c40619bb1bb7d46916eb101378163ed3d065ba8c</id>
<content type='text'>
Silences the following warnings:
drivers/usb/gadget/function/f_fs.c:1253:37: warning: incorrect type in argument 1 (different address spaces)
drivers/usb/gadget/function/f_fs.c:1253:37:    expected void [noderef] &lt;asn:1&gt;*to
drivers/usb/gadget/function/f_fs.c:1253:37:    got void *&lt;noident&gt;
drivers/usb/gadget/function/f_fs.c:2322:23: warning: cast to restricted __le32
drivers/usb/gadget/function/f_fs.c:2876:38: warning: cast to restricted __le32
drivers/usb/gadget/function/f_fs.c:272:12: warning: context imbalance in '__ffs_ep0_queue_wait' - unexpected unlock
drivers/usb/gadget/function/f_fs.c:450:17: warning: context imbalance in 'ffs_ep0_write' - different lock contexts for basic block
drivers/usb/gadget/function/f_fs.c:490:24: warning: context imbalance in '__ffs_ep0_read_events' - unexpected unlock
drivers/usb/gadget/function/f_fs.c:496:16: warning: context imbalance in 'ffs_ep0_read' - different lock contexts for basic block

Also, add an "unlocks spinlock" comment for consistency with existing ones.
No behaviour change is intended.

Signed-off-by: Vincent Pelletier &lt;plr.vincent@gmail.com&gt;
Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Silences the following warnings:
drivers/usb/gadget/function/f_fs.c:1253:37: warning: incorrect type in argument 1 (different address spaces)
drivers/usb/gadget/function/f_fs.c:1253:37:    expected void [noderef] &lt;asn:1&gt;*to
drivers/usb/gadget/function/f_fs.c:1253:37:    got void *&lt;noident&gt;
drivers/usb/gadget/function/f_fs.c:2322:23: warning: cast to restricted __le32
drivers/usb/gadget/function/f_fs.c:2876:38: warning: cast to restricted __le32
drivers/usb/gadget/function/f_fs.c:272:12: warning: context imbalance in '__ffs_ep0_queue_wait' - unexpected unlock
drivers/usb/gadget/function/f_fs.c:450:17: warning: context imbalance in 'ffs_ep0_write' - different lock contexts for basic block
drivers/usb/gadget/function/f_fs.c:490:24: warning: context imbalance in '__ffs_ep0_read_events' - unexpected unlock
drivers/usb/gadget/function/f_fs.c:496:16: warning: context imbalance in 'ffs_ep0_read' - different lock contexts for basic block

Also, add an "unlocks spinlock" comment for consistency with existing ones.
No behaviour change is intended.

Signed-off-by: Vincent Pelletier &lt;plr.vincent@gmail.com&gt;
Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
</pre>
</div>
</content>
</entry>
</feed>
