2
0
mirror of git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git synced 2025-09-04 20:19:47 +08:00
Commit Graph

82 Commits

Author SHA1 Message Date
John Keeping
addfc5823d usb: gadget: ffs: handle I/O completion in-order
By submitting completed transfers to the system workqueue there is no
guarantee that completion events will be queued up in the correct order,
as in multi-processor systems there is a thread running for each
processor and the work items are not bound to a particular core.

This means that several completions are in the queue at the same time,
they may be processed in parallel and complete out of order, resulting
in data appearing corrupt when read by userspace.

Create a single-threaded workqueue for FunctionFS so that data completed
requests is passed to userspace in the order in which they complete.

Acked-by: Michal Nazarewicz <mina86@mina86.com>
Signed-off-by: John Keeping <john@metanate.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
2017-09-28 12:37:24 +03:00
Jerry Zhang
cdff9f8ee1 usb: gadget: f_fs: Pass along set_halt errors.
Users can apply i/o in the wrong direction on an
endpoint to stall it. In case there is an error
that does not allow the endpoint to be stalled,
we want the user to know.

An operation to stall the endpoint will return
EBADMSG if successful, EAGAIN if there are still
queued requests, and other errors depending on
the underlying implementation.

Also remove the conditional since it is always true.

Acked-by: Michal Nazarewicz <mina86@mina86.com>
Signed-off-by: Jerry Zhang <zhangjerry@google.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
2017-08-15 14:18:59 +03:00
Greg Kroah-Hartman
24040a5837 usb: changes for v4.13 merge window
This time around we have a total of 57 non-merge commits. A list of
 most important changes follows:
 
 - Improvements to dwc3 tracing interface
 - Initial dual-role support for dwc3
 - Improvements to how we handle DMA resources in dwc3
 - A new f_uac1 implementation which much more flexible
 - Removal of AVR32 bits
 - Improvements to f_mass_storage driver
 -----BEGIN PGP SIGNATURE-----
 
 iQJRBAABCAA7FiEElLzh7wn96CXwjh2IzL64meEamQYFAllHcK0dHGZlbGlwZS5i
 YWxiaUBsaW51eC5pbnRlbC5jb20ACgkQzL64meEamQbRQQ//as9W89twbmwOqaSU
 pXlbR/gmmEjD6POLWM2GuG3jH8oD3pQq7ZxH22YEFx8Z4wN7vPJ67JJkyoSfhAui
 ppnp6AbSPiNolZRb5nTnASnq0cJiTE/rbSM5s1wpe+Qa3ZoQgTHhipnL1/qf8SgR
 PN1wgUTGeXxiIA00iOYTG2pjM+OvFO5UpqFJCfh4vuEjcdBWvHDXTUwga5G+qwIa
 pgNECcmUsXmHimp6jE+qLUhRYOqvTEC+lc9nzZj4MCru3PDEhZYuOah0XrepiNKU
 NB49DVMtDwaGXrKPwa6rNWD8JZF0CAsShvO6V/2p1peInJZUuIrEjXYRUlkPQt9G
 yLzxBS+asLCBauzxBFNPrR2BFfJ2uyUCLHYiKP2UbRfWCBFo84MDJCUWACL1aKCH
 YLeM1Q7Urxp5suirr2UmwBJdUxXNTncEXsKrtGcrNndKt/Uq8/DxcrbZ2/6ANTDT
 wdzm8gSSjtQaFLRc5KgAqrX/ClfEDgQwfgq0DXn9cKxZ9E9xID45s71feKEoBI42
 6S/oAopSuBsEmTsPTy0WLR8MTJG3MoJAdr/mHau11Tl0k9qr9KKnHbdUjji9CF6E
 aGcV40nKqp9Bd4bcbCNB6NsJUB+zcN7t0bjTsPZQH3XOCSS+fF7oJ6+SIxhsKAFT
 rHRl6RhLOIP0vZ0UIsDzeDttCVM=
 =v6a5
 -----END PGP SIGNATURE-----

Merge tag 'usb-for-v4.13' of git://git.kernel.org/pub/scm/linux/kernel/git/balbi/usb into usb-testing

Felipe writes:

usb: changes for v4.13 merge window

This time around we have a total of 57 non-merge commits. A list of
most important changes follows:

- Improvements to dwc3 tracing interface
- Initial dual-role support for dwc3
- Improvements to how we handle DMA resources in dwc3
- A new f_uac1 implementation which much more flexible
- Removal of AVR32 bits
- Improvements to f_mass_storage driver
2017-06-20 11:39:34 +08:00
Jerry Zhang
e16828cf94 usb: gadget: function: f_fs: Move epfile waitqueue to ffs_data.
There were individual waitqueues for each epfile but eps_enable
would iterate through all of them, resulting in essentially the
same wakeup time.

The waitqueue represents the function being enabled, so a central
waitqueue in ffs_data makes more sense and is less redundant.

Also use wake_up_interruptible to reflect use of
wait_event_interruptible.

Acked-by: Michal Nazarewicz <mina86@mina86.com>
Signed-off-by: Jerry Zhang <zhangjerry@google.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
2017-06-02 11:22:31 +03:00
Jerry Zhang
222155de45 usb: gadget: function: f_fs: Let ffs_epfile_ioctl wait for enable.
This allows users to make an ioctl call as the first action on a
connection. Ex, some functions might want to get endpoint size
before making any i/os.

Previously, calling ioctls before read/write would depending on the
timing of endpoints being enabled.

ESHUTDOWN is now a possible return value and ENODEV is not, so change
docs accordingly.

Acked-by: Michal Nazarewicz <mina86@mina86.com>
Signed-off-by: Jerry Zhang <zhangjerry@google.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
2017-06-02 11:22:31 +03:00
William Wu
b7f73850bb usb: gadget: f_fs: avoid out of bounds access on comp_desc
Companion descriptor is only used for SuperSpeed endpoints,
if the endpoints are HighSpeed or FullSpeed, the Companion
descriptor will not allocated, so we can only access it if
gadget is SuperSpeed.

I can reproduce this issue on Rockchip platform rk3368 SoC
which supports USB 2.0, and use functionfs for ADB. Kernel
build with CONFIG_KASAN=y and CONFIG_SLUB_DEBUG=y report
the following BUG:

==================================================================
BUG: KASAN: slab-out-of-bounds in ffs_func_set_alt+0x224/0x3a0 at addr ffffffc0601f6509
Read of size 1 by task swapper/0/0
============================================================================
BUG kmalloc-256 (Not tainted): kasan: bad access detected
----------------------------------------------------------------------------

Disabling lock debugging due to kernel taint
INFO: Allocated in ffs_func_bind+0x52c/0x99c age=1275 cpu=0 pid=1
alloc_debug_processing+0x128/0x17c
___slab_alloc.constprop.58+0x50c/0x610
__slab_alloc.isra.55.constprop.57+0x24/0x34
__kmalloc+0xe0/0x250
ffs_func_bind+0x52c/0x99c
usb_add_function+0xd8/0x1d4
configfs_composite_bind+0x48c/0x570
udc_bind_to_driver+0x6c/0x170
usb_udc_attach_driver+0xa4/0xd0
gadget_dev_desc_UDC_store+0xcc/0x118
configfs_write_file+0x1a0/0x1f8
__vfs_write+0x64/0x174
vfs_write+0xe4/0x200
SyS_write+0x68/0xc8
el0_svc_naked+0x24/0x28
INFO: Freed in inode_doinit_with_dentry+0x3f0/0x7c4 age=1275 cpu=7 pid=247
...
Call trace:
[<ffffff900808aab4>] dump_backtrace+0x0/0x230
[<ffffff900808acf8>] show_stack+0x14/0x1c
[<ffffff90084ad420>] dump_stack+0xa0/0xc8
[<ffffff90082157cc>] print_trailer+0x188/0x198
[<ffffff9008215948>] object_err+0x3c/0x4c
[<ffffff900821b5ac>] kasan_report+0x324/0x4dc
[<ffffff900821aa38>] __asan_load1+0x24/0x50
[<ffffff90089eb750>] ffs_func_set_alt+0x224/0x3a0
[<ffffff90089d3760>] composite_setup+0xdcc/0x1ac8
[<ffffff90089d7394>] android_setup+0x124/0x1a0
[<ffffff90089acd18>] _setup+0x54/0x74
[<ffffff90089b6b98>] handle_ep0+0x3288/0x4390
[<ffffff90089b9b44>] dwc_otg_pcd_handle_out_ep_intr+0x14dc/0x2ae4
[<ffffff90089be85c>] dwc_otg_pcd_handle_intr+0x1ec/0x298
[<ffffff90089ad680>] dwc_otg_pcd_irq+0x10/0x20
[<ffffff9008116328>] handle_irq_event_percpu+0x124/0x3ac
[<ffffff9008116610>] handle_irq_event+0x60/0xa0
[<ffffff900811af30>] handle_fasteoi_irq+0x10c/0x1d4
[<ffffff9008115568>] generic_handle_irq+0x30/0x40
[<ffffff90081159b4>] __handle_domain_irq+0xac/0xdc
[<ffffff9008080e9c>] gic_handle_irq+0x64/0xa4
...
Memory state around the buggy address:
  ffffffc0601f6400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  ffffffc0601f6480: 00 00 00 00 00 00 00 00 00 00 06 fc fc fc fc fc
 >ffffffc0601f6500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                       ^
  ffffffc0601f6580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
  ffffffc0601f6600: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
==================================================================

Signed-off-by: William Wu <william.wu@rock-chips.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
2017-05-16 14:11:04 +03:00
Greg Kroah-Hartman
ba7756d082 usb: changes for v4.12
With 51 non-merge commits, this is one of the smallest USB Gadget pull
 requests. Apart from your expected set of non-critical fixes, and
 other miscellaneous items, we have most of the changes in dwc3 (52.5%)
 with all other UDCs following with 34.8%.
 
 As for the actual changes, the most important of them are all the
 recent changes to reduce memory footprint of dwc3, bare minimum
 dual-role support on dwc3 and reworked endpoint count and
 initialization routines.
 -----BEGIN PGP SIGNATURE-----
 
 iQJRBAABCAA7FiEElLzh7wn96CXwjh2IzL64meEamQYFAljsjRwdHGZlbGlwZS5i
 YWxiaUBsaW51eC5pbnRlbC5jb20ACgkQzL64meEamQaPZA/9H6GgNlvdGWPweJ0r
 g86iBmio/Qn334SOCAJDrdw4ULSTSQR8nQHGWuETE2pQ2uYA/dbBWvjkx8Pujs+u
 Ye2ig/iYchvHhY7cIWBG6A/iwvBClZF+yTv4ruh3i99BOGeAtGSyFS3HftQZLkGs
 360CritNs+fSJsU6jnCE2+808evbkRiMaEfiBpiqXF2wvjMonWUMUlHaTBTHzDnk
 k2/NJSzDINr4HaALalJxVpEetC500LDkQ531O5s7V6NIareCIBOh2li9xZJur38h
 728BbCIiwPrdfLI2gGJLUOJq5vf5fJPT6DMJDN4hsu7gXcl2GiIc3nqlcxBB8P9R
 kurWgjVd8aIGS7qqZzfDBH7I5UgFbJZbtVXy6UhSRILF+hzAb/l95pZUOyTwUnbj
 ew3ALD2H7XolJT9jLG/q1CaQQMjudVnhLF2s1Ota8dsBeOShH6yfS6hGGQ8L1j8x
 kXe3dl4HEj9s7gT0S+tVN+kt6bLGZ013CjCbuZgG9JLRkswyn780KTgL4pbjHiAE
 KNGlCGUPRh3AiDLSbQ4IRU/J/0MVFs51k8aPn6PWpUqU8nc1QNEfczqrlAGPvkqU
 nE77OktC1UCTrId7F8kllTEglOrR4CVXuT2N7rYzwgM2jmfHLzb0DaJ+a/ZdsUfI
 DjuY8jNbuGnvZRRiVQU5ynva5BU=
 =wYOI
 -----END PGP SIGNATURE-----

Merge tag 'usb-for-v4.12' of git://git.kernel.org/pub/scm/linux/kernel/git/balbi/usb into usb-next

Felipe writes:

usb: changes for v4.12

With 51 non-merge commits, this is one of the smallest USB Gadget pull
requests. Apart from your expected set of non-critical fixes, and
other miscellaneous items, we have most of the changes in dwc3 (52.5%)
with all other UDCs following with 34.8%.

As for the actual changes, the most important of them are all the
recent changes to reduce memory footprint of dwc3, bare minimum
dual-role support on dwc3 and reworked endpoint count and
initialization routines.
2017-04-11 16:47:26 +02:00
Michal Nazarewicz
ea920bb42d usb: gadget: f_fs: simplify ffs_dev name handling
Currently ffs_dev::name can be either allocated by the client of
the ffs_dev structure or by the f_fs.c core itself.  The former
is used by g_ffs while the latter happens with configfs.

Historically, g_ffs did not need to allocate separate buffer for
the name so what is now f_fs.c core never cared about freeing
that space.  With configfs the name needs to be copied since the
memory is not guaranteed to be availeble after ffs_set_inst_name
finishes.

The complication is therefore here to avoid allocations in the
g_ffs case but it complicates the code inproportinally to
benefits it provides.  In particular, g_ffs is considered
‘legacy’ so optimising for its sake is unlikely to be worth the
effort.

With that observation in mind, simplify the code by unifying the
code paths in g_ffs and configfs paths.  Furthermore, instead of
allocating a new buffer for the name, simply embed it in the
ffs_dev structure.  This further makes the memory management
less convoluted and error-prone.

The configfs interface for functionfs imposed a limit of 40
characters for the name so this results in a 41-byte buffer
added to the structure.  (For short names this may lead to
wasted memory but the actual amount is not immediately obvious
and depends on pointer size and which slab buckets the structure
and name would fall into).

Signed-off-by: Michal Nazarewicz <mina86@mina86.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
2017-04-11 10:58:22 +03:00
Elena Reshetova
43938613c6 drivers, usb: convert ffs_data.ref from atomic_t to refcount_t
refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-03-17 13:32:59 +09:00
Janusz Dziedzic
3ba534df81 Revert "usb: gadget: f_fs: Fix ExtCompat descriptor validation"
This reverts commit ac670a3a650b899fc020b81f63e810d06015b865.

This introduce bug we already fixed in
commit 53642399aa ("usb: gadget: f_fs: Fix wrong check on reserved1 wof OS_DESC_EXT_COMPAT")

Next FFS (adb) SS enumeration fail with Windows OS.

Signed-off-by: Janusz Dziedzic <januszx.dziedzic@linux.intel.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
2017-03-06 16:55:04 +02:00
Felipe Balbi
2bfa0719ac usb: gadget: function: f_fs: pass companion descriptor along
If we're dealing with SuperSpeed endpoints, we need
to make sure to pass along the companion descriptor
and initialize fields needed by the Gadget
API. Eventually, f_fs.c should be converted to use
config_ep_by_speed() like all other functions,
though.

Cc: <stable@vger.kernel.org>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
2017-03-06 10:09:37 +02:00
Ingo Molnar
174cd4b1e5 sched/headers: Prepare to move signal wakeup & sigpending methods from <linux/sched.h> into <linux/sched/signal.h>
Fix up affected files that include this signal functionality via sched.h.

Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Mike Galbraith <efault@gmx.de>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2017-03-02 08:42:32 +01:00
Linus Torvalds
8ff546b801 USB/PHY patches for 4.11-rc1
Here is the big USB and PHY driver updates for 4.11-rc1.
 
 Nothing major, just the normal amount of churn in the usb gadget and dwc
 and xhci controllers, new device ids, new phy drivers, a new usb-serial
 driver, and a few other minor changes in different USB drivers.
 
 All have been in linux-next for a long time with no reported issues.
 
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 -----BEGIN PGP SIGNATURE-----
 
 iG0EABECAC0WIQT0tgzFv3jCIUoxPcsxR9QN2y37KQUCWK2lrg8cZ3JlZ0Brcm9h
 aC5jb20ACgkQMUfUDdst+ykh7ACffotTJvB/gwpuSIWh6qhA8KQ9mH8AnjlxMafv
 b5b3vfOXJ8/N0Go25VwI
 =7fqN
 -----END PGP SIGNATURE-----

Merge tag 'usb-4.11-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb

Pull USB/PHY updates from Greg KH:
 "Here is the big USB and PHY driver updates for 4.11-rc1.

  Nothing major, just the normal amount of churn in the usb gadget and
  dwc and xhci controllers, new device ids, new phy drivers, a new
  usb-serial driver, and a few other minor changes in different USB
  drivers.

  All have been in linux-next for a long time with no reported issues"

* tag 'usb-4.11-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: (265 commits)
  usb: cdc-wdm: remove logically dead code
  USB: serial: keyspan: drop header file
  USB: serial: io_edgeport: drop io-tables header file
  usb: musb: add code comment for clarification
  usb: misc: add USB251xB/xBi Hi-Speed Hub Controller Driver
  usb: misc: usbtest: remove redundant check on retval < 0
  USB: serial: upd78f0730: sort device ids
  USB: serial: upd78f0730: add ID for EVAL-ADXL362Z
  ohci-hub: fix typo in dbg_port macro
  usb: musb: dsps: Manage CPPI 4.1 DMA interrupt in DSPS
  usb: musb: tusb6010: Clean up tusb_omap_dma structure
  usb: musb: cppi_dma: Clean up cppi41_dma_controller structure
  usb: musb: cppi_dma: Clean up cppi structure
  usb: musb: cppi41: Detect aborted transfers in cppi41_dma_callback()
  usb: musb: dma: Add a DMA completion platform callback
  drivers: usb: usbip: Add missing break statement to switch
  usb: mtu3: remove redundant dev_err call in get_ssusb_rscs()
  USB: serial: mos7840: fix another NULL-deref at open
  USB: serial: console: clean up sanity checks
  USB: serial: console: fix uninitialised spinlock
  ...
2017-02-22 11:15:59 -08:00
Linus Torvalds
42e1b14b6e Merge branch 'locking-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull locking updates from Ingo Molnar:
 "The main changes in this cycle were:

   - Implement wraparound-safe refcount_t and kref_t types based on
     generic atomic primitives (Peter Zijlstra)

   - Improve and fix the ww_mutex code (Nicolai Hähnle)

   - Add self-tests to the ww_mutex code (Chris Wilson)

   - Optimize percpu-rwsems with the 'rcuwait' mechanism (Davidlohr
     Bueso)

   - Micro-optimize the current-task logic all around the core kernel
     (Davidlohr Bueso)

   - Tidy up after recent optimizations: remove stale code and APIs,
     clean up the code (Waiman Long)

   - ... plus misc fixes, updates and cleanups"

* 'locking-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: (50 commits)
  fork: Fix task_struct alignment
  locking/spinlock/debug: Remove spinlock lockup detection code
  lockdep: Fix incorrect condition to print bug msgs for MAX_LOCKDEP_CHAIN_HLOCKS
  lkdtm: Convert to refcount_t testing
  kref: Implement 'struct kref' using refcount_t
  refcount_t: Introduce a special purpose refcount type
  sched/wake_q: Clarify queue reinit comment
  sched/wait, rcuwait: Fix typo in comment
  locking/mutex: Fix lockdep_assert_held() fail
  locking/rtmutex: Flip unlikely() branch to likely() in __rt_mutex_slowlock()
  locking/rwsem: Reinit wake_q after use
  locking/rwsem: Remove unnecessary atomic_long_t casts
  jump_labels: Move header guard #endif down where it belongs
  locking/atomic, kref: Implement kref_put_lock()
  locking/ww_mutex: Turn off __must_check for now
  locking/atomic, kref: Avoid more abuse
  locking/atomic, kref: Use kref_get_unless_zero() more
  locking/atomic, kref: Kill kref_sub()
  locking/atomic, kref: Add kref_read()
  locking/atomic, kref: Add KREF_INIT()
  ...
2017-02-20 13:23:30 -08:00
Greg Kroah-Hartman
7bddba7750 Merge 4.10-rc7 into usb-next
We want the USB fixes in here as well.

Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-02-06 09:32:06 +01:00
Greg Kroah-Hartman
bc46e23c34 USB: changes for v4.11
Here's the big pull request for the Gadget
 API. Again the majority of changes sit in dwc2
 driver. Most important changes contain a workaround
 for GOTGCTL being wrong, a sleep-inside-spinlock fix
 and the big series of cleanups on dwc2.
 
 One important thing on dwc3 is that we don't anymore
 need gadget drivers to cope with unaligned OUT
 transfers for us. We have support for appending one
 extra chained TRB to align transfer ourselves.
 
 Apart from these, the usual set of typos,
 non-critical fixes, etc.
 -----BEGIN PGP SIGNATURE-----
 
 iQJRBAABCAA7FiEElLzh7wn96CXwjh2IzL64meEamQYFAliKBd0dHGZlbGlwZS5i
 YWxiaUBsaW51eC5pbnRlbC5jb20ACgkQzL64meEamQb1Yw//XEI0VeUdsRM/JKK5
 4BBoFCCUXT7jZMyzm7x9G7/4Tz3Xn9I9elAbZ7A3ctpLQXVO0KUAc5S3MRmq1ghj
 8h18ZrOLqWG6gG+0eOtzSQLJ91+ULV+nyV6jS+RJyio7AMKy6XW0hRHQQs8ggcqg
 A/hZKVI/GdvnoSSLVNoWFxTiVC7Pu62IsWJV6BJuWubEze7u97xfBIt3qB9h2R8q
 ARfy29LYZulgrRYZ2DAtrKNFC8yKdIiKxWcmI47FHcNXtnQ6yAu7VqFcKWlH9Jvb
 NY/YAzv30leOXHrwHVXCM/Urh7SK6FJIIdgoDMpCWoy1CK2pHXkJCndt/NuM721h
 DYaopfNBJLtjvYDsvtnGXo3DC6+hBd3oYEz+gogGS/5gocr2ChnRK8Qc5T8eXYnC
 OBIVKeHcsx9wMxYwwxk2axWjflfbSRjPnpZHibgkvdrwGVY+Hcwf5GyixvTdqQJM
 dMrZcIPqtPJAg7OBPoH0LEViT14+lc8f5n6D0T/NezLxeeZvbcWQ5p17LpNal5oi
 S+4kmtNWR7nXKSdICvc00Ap+Iqu91eB4c1MfvP6HSLq7wpjs5QhWtDvM7++ygjL1
 7m3ExmXUx+j29M64WM9KTNlXZFkQ8XB5PzmcXueQkz9fd2u8JJhBqGHdVWFHOv9y
 4YGdaSpeqsui9bFoIdbjn0EO3+g=
 =gk8j
 -----END PGP SIGNATURE-----

Merge tag 'usb-for-v4.11' of git://git.kernel.org/pub/scm/linux/kernel/git/balbi/usb into usb-next

Felipe writes:

USB: changes for v4.11

Here's the big pull request for the Gadget
API. Again the majority of changes sit in dwc2
driver. Most important changes contain a workaround
for GOTGCTL being wrong, a sleep-inside-spinlock fix
and the big series of cleanups on dwc2.

One important thing on dwc3 is that we don't anymore
need gadget drivers to cope with unaligned OUT
transfers for us. We have support for appending one
extra chained TRB to align transfer ourselves.

Apart from these, the usual set of typos,
non-critical fixes, etc.
2017-01-26 15:36:28 +01:00
Vincent Pelletier
83e526f2a2 usb: gadget: f_fs: Assorted buffer overflow checks.
OS descriptor head, when flagged as provided, is accessed without
checking if it fits in provided buffer. Verify length before access.
Also, there are other places where buffer length it checked
after accessing offsets which are potentially past the end. Check
buffer length before as well to fail cleanly.

Signed-off-by: Vincent Pelletier <plr.vincent@gmail.com>
Acked-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-01-25 12:03:52 +01:00
Vincent Pelletier
41dc9ac163 usb: gadget: f_fs: Accept up to 30 endpoints.
It is allowed by the USB specification to enabled same-address, opposite-
direction endpoints simultaneously, which means 30 non-zero endpoints
are allowed. So double eps_addrmap length to 30.
The original code only accepted 14 descriptors out of a likely intended 15
(as there are 15 endpoint addresses, ignoring direction), because the first
eps_addrmap entry is unused (it is a placeholder for endpoint zero). So
increase eps_addrmap length by one to 31.

Signed-off-by: Vincent Pelletier <plr.vincent@gmail.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
2017-01-24 11:04:23 +02:00
Vincent Pelletier
f199a80cfe usb: gadger: f_fs: Do not copy past descriptor end.
Endpoint descriptors come in 2 sizes, struct usb_endpoint_descriptor being
the largest. Use bLength to stop on endpoint descriptor boundary, and not
2 bytes too far.

Signed-off-by: Vincent Pelletier <plr.vincent@gmail.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
2017-01-24 11:04:23 +02:00
Peter Zijlstra
2c935bc572 locking/atomic, kref: Add kref_read()
Since we need to change the implementation, stop exposing internals.

Provide kref_read() to read the current reference count; typically
used for debug messages.

Kills two anti-patterns:

	atomic_read(&kref->refcount)
	kref->refcount.counter

Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2017-01-14 11:37:18 +01:00
Vincent Pelletier
08f37148b6 usb: gadget: f_fs: Fix iterations on endpoints.
When zero endpoints are declared for a function, there is no endpoint
to disable, enable or free, so replace do...while loops with while loops.
Change pre-decrement to post-decrement to iterate the same number of times
when there are endpoints to process.

Signed-off-by: Vincent Pelletier <plr.vincent@gmail.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
2017-01-12 10:00:30 +02:00
Baolin Wang
b3ce3ce02d usb: gadget: f_fs: Fix possibe deadlock
When system try to close /dev/usb-ffs/adb/ep0 on one core, at the same
time another core try to attach new UDC, which will cause deadlock as
below scenario. Thus we should release ffs lock before issuing
unregister_gadget_item().

[   52.642225] c1 ======================================================
[   52.642228] c1 [ INFO: possible circular locking dependency detected ]
[   52.642236] c1 4.4.6+ #1 Tainted: G        W  O
[   52.642241] c1 -------------------------------------------------------
[   52.642245] c1 usb ffs open/2808 is trying to acquire lock:
[   52.642270] c0  (udc_lock){+.+.+.}, at: [<ffffffc00065aeec>]
		usb_gadget_unregister_driver+0x3c/0xc8
[   52.642272] c1  but task is already holding lock:
[   52.642283] c0  (ffs_lock){+.+.+.}, at: [<ffffffc00066b244>]
		ffs_data_clear+0x30/0x140
[   52.642285] c1 which lock already depends on the new lock.
[   52.642287] c1
               the existing dependency chain (in reverse order) is:
[   52.642295] c0
	       -> #1 (ffs_lock){+.+.+.}:
[   52.642307] c0        [<ffffffc00012340c>] __lock_acquire+0x20f0/0x2238
[   52.642314] c0        [<ffffffc000123b54>] lock_acquire+0xe4/0x298
[   52.642322] c0        [<ffffffc000aaf6e8>] mutex_lock_nested+0x7c/0x3cc
[   52.642328] c0        [<ffffffc00066f7bc>] ffs_func_bind+0x504/0x6e8
[   52.642334] c0        [<ffffffc000654004>] usb_add_function+0x84/0x184
[   52.642340] c0        [<ffffffc000658ca4>] configfs_composite_bind+0x264/0x39c
[   52.642346] c0        [<ffffffc00065b348>] udc_bind_to_driver+0x58/0x11c
[   52.642352] c0        [<ffffffc00065b49c>] usb_udc_attach_driver+0x90/0xc8
[   52.642358] c0        [<ffffffc0006598e0>] gadget_dev_desc_UDC_store+0xd4/0x128
[   52.642369] c0        [<ffffffc0002c14e8>] configfs_write_file+0xd0/0x13c
[   52.642376] c0        [<ffffffc00023c054>] vfs_write+0xb8/0x214
[   52.642381] c0        [<ffffffc00023cad4>] SyS_write+0x54/0xb0
[   52.642388] c0        [<ffffffc000085ff0>] el0_svc_naked+0x24/0x28
[   52.642395] c0
              -> #0 (udc_lock){+.+.+.}:
[   52.642401] c0        [<ffffffc00011e3d0>] print_circular_bug+0x84/0x2e4
[   52.642407] c0        [<ffffffc000123454>] __lock_acquire+0x2138/0x2238
[   52.642412] c0        [<ffffffc000123b54>] lock_acquire+0xe4/0x298
[   52.642420] c0        [<ffffffc000aaf6e8>] mutex_lock_nested+0x7c/0x3cc
[   52.642427] c0        [<ffffffc00065aeec>] usb_gadget_unregister_driver+0x3c/0xc8
[   52.642432] c0        [<ffffffc00065995c>] unregister_gadget_item+0x28/0x44
[   52.642439] c0        [<ffffffc00066b34c>] ffs_data_clear+0x138/0x140
[   52.642444] c0        [<ffffffc00066b374>] ffs_data_reset+0x20/0x6c
[   52.642450] c0        [<ffffffc00066efd0>] ffs_data_closed+0xac/0x12c
[   52.642454] c0        [<ffffffc00066f070>] ffs_ep0_release+0x20/0x2c
[   52.642460] c0        [<ffffffc00023dbe4>] __fput+0xb0/0x1f4
[   52.642466] c0        [<ffffffc00023dd9c>] ____fput+0x20/0x2c
[   52.642473] c0        [<ffffffc0000ee944>] task_work_run+0xb4/0xe8
[   52.642482] c0        [<ffffffc0000cd45c>] do_exit+0x360/0xb9c
[   52.642487] c0        [<ffffffc0000cf228>] do_group_exit+0x4c/0xb0
[   52.642494] c0        [<ffffffc0000dd3c8>] get_signal+0x380/0x89c
[   52.642501] c0        [<ffffffc00008a8f0>] do_signal+0x154/0x518
[   52.642507] c0        [<ffffffc00008af00>] do_notify_resume+0x70/0x78
[   52.642512] c0        [<ffffffc000085ee8>] work_pending+0x1c/0x20
[   52.642514] c1
              other info that might help us debug this:
[   52.642517] c1  Possible unsafe locking scenario:
[   52.642518] c1        CPU0                    CPU1
[   52.642520] c1        ----                    ----
[   52.642525] c0   lock(ffs_lock);
[   52.642529] c0                                lock(udc_lock);
[   52.642533] c0                                lock(ffs_lock);
[   52.642537] c0   lock(udc_lock);
[   52.642539] c1
                      *** DEADLOCK ***
[   52.642543] c1 1 lock held by usb ffs open/2808:
[   52.642555] c0  #0:  (ffs_lock){+.+.+.}, at: [<ffffffc00066b244>]
		ffs_data_clear+0x30/0x140
[   52.642557] c1 stack backtrace:
[   52.642563] c1 CPU: 1 PID: 2808 Comm: usb ffs open Tainted: G
[   52.642565] c1 Hardware name: Spreadtrum SP9860g Board (DT)
[   52.642568] c1 Call trace:
[   52.642573] c1 [<ffffffc00008b430>] dump_backtrace+0x0/0x170
[   52.642577] c1 [<ffffffc00008b5c0>] show_stack+0x20/0x28
[   52.642583] c1 [<ffffffc000422694>] dump_stack+0xa8/0xe0
[   52.642587] c1 [<ffffffc00011e548>] print_circular_bug+0x1fc/0x2e4
[   52.642591] c1 [<ffffffc000123454>] __lock_acquire+0x2138/0x2238
[   52.642595] c1 [<ffffffc000123b54>] lock_acquire+0xe4/0x298
[   52.642599] c1 [<ffffffc000aaf6e8>] mutex_lock_nested+0x7c/0x3cc
[   52.642604] c1 [<ffffffc00065aeec>] usb_gadget_unregister_driver+0x3c/0xc8
[   52.642608] c1 [<ffffffc00065995c>] unregister_gadget_item+0x28/0x44
[   52.642613] c1 [<ffffffc00066b34c>] ffs_data_clear+0x138/0x140
[   52.642618] c1 [<ffffffc00066b374>] ffs_data_reset+0x20/0x6c
[   52.642621] c1 [<ffffffc00066efd0>] ffs_data_closed+0xac/0x12c
[   52.642625] c1 [<ffffffc00066f070>] ffs_ep0_release+0x20/0x2c
[   52.642629] c1 [<ffffffc00023dbe4>] __fput+0xb0/0x1f4
[   52.642633] c1 [<ffffffc00023dd9c>] ____fput+0x20/0x2c
[   52.642636] c1 [<ffffffc0000ee944>] task_work_run+0xb4/0xe8
[   52.642640] c1 [<ffffffc0000cd45c>] do_exit+0x360/0xb9c
[   52.642644] c1 [<ffffffc0000cf228>] do_group_exit+0x4c/0xb0
[   52.642647] c1 [<ffffffc0000dd3c8>] get_signal+0x380/0x89c
[   52.642651] c1 [<ffffffc00008a8f0>] do_signal+0x154/0x518
[   52.642656] c1 [<ffffffc00008af00>] do_notify_resume+0x70/0x78
[   52.642659] c1 [<ffffffc000085ee8>] work_pending+0x1c/0x20

Acked-by: Michal Nazarewicz <mina86@mina86.com>
Signed-off-by: Baolin Wang <baolin.wang@linaro.org>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
2017-01-02 10:55:28 +02:00
Vincent Pelletier
354bc45bf3 usb: gadget: f_fs: Fix ExtCompat descriptor validation
Reserved1 is documented as expected to be set to 0, but this test fails
when it it set to 0. Reverse the condition.

Signed-off-by: Vincent Pelletier <plr.vincent@gmail.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
2017-01-02 10:55:28 +02:00
Vincent Pelletier
96a420d2d3 usb: gadget: f_fs: Document eventfd effect on descriptor format.
When FUNCTIONFS_EVENTFD flag is set, __ffs_data_got_descs reads a 32bits,
little-endian value right after the fixed structure header, and passes it
to eventfd_ctx_fdget. Document this.

Also, rephrase a comment to be affirmative about the role of string
descriptor at index 0. Ref: USB 2.0 spec paragraph "9.6.7 String", and
also checked to still be current in USB 3.0 spec paragraph "9.6.9 String".

Signed-off-by: Vincent Pelletier <plr.vincent@gmail.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
2017-01-02 10:55:28 +02:00
Linus Torvalds
9a19a6db37 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
Pull vfs updates from Al Viro:

 - more ->d_init() stuff (work.dcache)

 - pathname resolution cleanups (work.namei)

 - a few missing iov_iter primitives - copy_from_iter_full() and
   friends. Either copy the full requested amount, advance the iterator
   and return true, or fail, return false and do _not_ advance the
   iterator. Quite a few open-coded callers converted (and became more
   readable and harder to fuck up that way) (work.iov_iter)

 - several assorted patches, the big one being logfs removal

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
  logfs: remove from tree
  vfs: fix put_compat_statfs64() does not handle errors
  namei: fold should_follow_link() with the step into not-followed link
  namei: pass both WALK_GET and WALK_MORE to should_follow_link()
  namei: invert WALK_PUT logics
  namei: shift interpretation of LOOKUP_FOLLOW inside should_follow_link()
  namei: saner calling conventions for mountpoint_last()
  namei.c: get rid of user_path_parent()
  switch getfrag callbacks to ..._full() primitives
  make skb_add_data,{_nocache}() and skb_copy_to_page_nocache() advance only on success
  [iov_iter] new primitives - copy_from_iter_full() and friends
  don't open-code file_inode()
  ceph: switch to use of ->d_init()
  ceph: unify dentry_operations instances
  lustre: switch to use of ->d_init()
2016-12-16 10:24:44 -08:00
Al Viro
cbbd26b8b1 [iov_iter] new primitives - copy_from_iter_full() and friends
copy_from_iter_full(), copy_from_iter_full_nocache() and
csum_and_copy_from_iter_full() - counterparts of copy_from_iter()
et.al., advancing iterator only in case of successful full copy
and returning whether it had been successful or not.

Convert some obvious users.  *NOTE* - do not blindly assume that
something is a good candidate for those unless you are sure that
not advancing iov_iter in failure case is the right thing in
this case.  Anything that does short read/short write kind of
stuff (or is in a loop, etc.) is unlikely to be a good one.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2016-12-05 14:33:36 -05:00
Greg Kroah-Hartman
0edbf9e552 Merge 4.9-rc7 into usb-next
We want the USB fixes in here as well.

Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2016-11-28 08:34:10 +01:00
Felix Hädicke
05e78c6933 usb: gadget: f_fs: fix wrong parenthesis in ffs_func_req_match()
Properly check the return code of ffs_func_revmap_intf() and
ffs_func_revmap_ep() for a non-negative value.

Instead of checking the return code, the comparison was performed for the last
parameter of the function calls, because of wrong parenthesis.

This also fixes the following static checker warning:
drivers/usb/gadget/function/f_fs.c:3152 ffs_func_req_match()
warn: always true condition '(((creq->wIndex)) >= 0) => (0-u16max >= 0)'

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Felix Hädicke <felixhaedicke@web.de>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
2016-11-18 13:50:37 +02:00
Daniel Wagner
5bdcde90d7 usb: gadget: f_fs: use complete() instead complete_all()
There is only one waiter for the completion, therefore there
is no need to use complete_all(). Let's make that clear by
using complete() instead of complete_all().

The usage pattern of the completion is:

waiter context                          waker context
  reinit_completion()
  usb_esp_queue()
  wait_for_completion_interruptible()

					ffs_ep0_complete()
					  complete()

Acked-by: Michal Nazarewicz <mina86@mina86.com>
Signed-off-by: Daniel Wagner <daniel.wagner@bmw-carit.de>
Cc: Felipe Balbi <balbi@kernel.org>
Cc: Michal Nazarewicz <mina86@mina86.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: linux-usb@vger.kernel.org
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
2016-11-03 10:38:38 +02:00
Michal Nazarewicz
a9e6f83c2d usb: gadget: f_fs: stop sleeping in ffs_func_eps_disable
ffs_func_eps_disable is called from atomic context so it cannot sleep
thus cannot grab a mutex.  Change the handling of epfile->read_buffer
to use non-sleeping synchronisation method.

Reported-by: Chen Yu <chenyu56@huawei.com>
Signed-off-by: Michał Nazarewicz <mina86@mina86.com>
Fixes: 9353afbbfa ("buffer data from ‘oversized’ OUT requests")
Tested-by: John Stultz <john.stultz@linaro.org>
Tested-by: Chen Yu <chenyu56@huawei.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
2016-10-17 12:34:25 +03:00
Michal Nazarewicz
454915dde0 usb: gadget: f_fs: edit epfile->ep under lock
epfile->ep is protected by ffs->eps_lock (not epfile->mutex) so clear it
while holding the spin lock.

Tested-by: John Stultz <john.stultz@linaro.org>
Tested-by: Chen Yu <chenyu56@huawei.com>
Signed-off-by: Michal Nazarewicz <mina86@mina86.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
2016-10-17 12:34:08 +03:00
Linus Torvalds
101105b171 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
Pull more vfs updates from Al Viro:
 ">rename2() work from Miklos + current_time() from Deepa"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
  fs: Replace current_fs_time() with current_time()
  fs: Replace CURRENT_TIME_SEC with current_time() for inode timestamps
  fs: Replace CURRENT_TIME with current_time() for inode timestamps
  fs: proc: Delete inode time initializations in proc_alloc_inode()
  vfs: Add current_time() api
  vfs: add note about i_op->rename changes to porting
  fs: rename "rename2" i_op to "rename"
  vfs: remove unused i_op->rename
  fs: make remaining filesystems use .rename2
  libfs: support RENAME_NOREPLACE in simple_rename()
  fs: support RENAME_NOREPLACE for local filesystems
  ncpfs: fix unused variable warning
2016-10-10 20:16:43 -07:00
Deepa Dinamani
078cd8279e fs: Replace CURRENT_TIME with current_time() for inode timestamps
CURRENT_TIME macro is not appropriate for filesystems as it
doesn't use the right granularity for filesystem timestamps.
Use current_time() instead.

CURRENT_TIME is also not y2038 safe.

This is also in preparation for the patch that transitions
vfs timestamps to use 64 bit time and hence make them
y2038 safe. As part of the effort current_time() will be
extended to do range checks. Hence, it is necessary for all
file system timestamps to use current_time(). Also,
current_time() will be transitioned along with vfs to be
y2038 safe.

Note that whenever a single call to current_time() is used
to change timestamps in different inodes, it is because they
share the same time granularity.

Signed-off-by: Deepa Dinamani <deepa.kernel@gmail.com>
Reviewed-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Felipe Balbi <balbi@kernel.org>
Acked-by: Steven Whitehouse <swhiteho@redhat.com>
Acked-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
Acked-by: David Sterba <dsterba@suse.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2016-09-27 21:06:21 -04:00
Jim Baxter
3262ad8243 usb: gadget: f_fs: Stop ffs_closed NULL pointer dereference
The struct ffs_data::private_data has a pointer to
ffs_dev stored in it during the ffs_fs_mount() function
however it is not cleared when the ffs_dev is freed
later which causes the ffs_closed function to crash
with "Unable to handle kernel NULL pointer dereference"
error when using the data in ffs_data::private_data.

This clears this pointer during the ffs_free_dev clean
up function.

Signed-off-by: Jim Baxter <jim_baxter@mentor.com>
Signed-off-by: Jiada Wang <jiada_wang@mentor.com>
Signed-off-by: Harish Jenny K N <harish_kandiga@mentor.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
2016-09-08 13:53:01 +03:00
Felix Hädicke
4368c28ae7 usb: gadget: f_fs: handle control requests in config 0
Introduces a new FunctionFS descriptor flag named
FUNCTIONFS_CONFIG0_SETUP.

When this flag is enabled, FunctionFS userspace drivers can process
non-standard control requests in configuration 0.

Signed-off-by: Felix Hädicke <felixhaedicke@web.de>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
2016-08-25 12:13:17 +03:00
Felix Hädicke
1a00b457a5 usb: gadget: composite: let USB functions process ctrl reqs in cfg0
It can sometimes be necessary for gadget drivers to process non-standard
control requests, which host devices can send without having sent
USB_REQ_SET_CONFIGURATION.

Therefore, the req_match() usb_function method is enhanced with the new
parameter "config0". When a USB configuration is active, this parameter
is false. When a non-core control request is processed in
composite_setup(), without an active configuration, req_match() of the
USB functions of all available configurations which implement this
function, is called with config0=true. Then the control request gets
processed by the first usb_function instance whose req_match() returns
true.

Signed-off-by: Felix Hädicke <felixhaedicke@web.de>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
2016-08-25 12:13:17 +03:00
Felix Hädicke
54dfce6d07 usb: gadget: f_fs: handle control requests not directed to interface or endpoint
Introduces a new FunctionFS descriptor flag named
FUNCTIONFS_ALL_CTRL_RECIP. When this flag is enabled, control requests,
which are not explicitly directed to an interface or endpoint, can be
handled.

This allows FunctionFS userspace drivers to process non-standard
control requests.

Signed-off-by: Felix Hädicke <felixhaedicke@web.de>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
2016-08-25 12:13:17 +03:00
Dan Carpenter
44963d649d usb: gadget: f_fs: check for allocation failure
Return -ENOMEM if kmalloc() fails.

Fixes: 9353afbbfa ('usb: gadget: f_fs: buffer data from ‘oversized’ OUT requests')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Michal Nazarewicz <mina86@mina86.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
2016-06-29 11:13:33 +03:00
Michal Nazarewicz
9353afbbfa usb: gadget: f_fs: buffer data from ‘oversized’ OUT requests
f_fs rounds up read(2) requests to a multiple of a max packet size
which means that host may provide more data than user has space for.
So far, the excess data has been silently ignored.

This introduces a buffer for a tail of such requests so that they are
returned on next read instead of being ignored.

Signed-off-by: Michal Nazarewicz <mina86@mina86.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
2016-06-21 11:11:31 +03:00
Michal Nazarewicz
c662a31be7 usb: gadget: f_fs: printk error when excess data is dropped on read
Add a pr_err when host sent more data then the size of the buffer user
space gave us.  This may happen on UDCs which require OUT requests to
be aligned to max packet size.  The patch includes a description of the
situation.

Signed-off-by: Michal Nazarewicz <mina86@mina86.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
2016-06-21 11:11:23 +03:00
Michal Nazarewicz
872ce51195 usb: gadget: fix unused-but-set-variale warnings
Those are enabled with W=1 make option.

The patch leaves of some type-limits warnings which are caused by
generic macros used in a way where they produce always-false
conditions.

Signed-off-by: Michal Nazarewicz <mina86@mina86.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
2016-06-21 11:04:09 +03:00
Jim Lin
c6010c8b4d usb: gadget: f_fs: Fix kernel panic if use_os_string not set
If c->cdev->use_os_string flag is not set,
don't need to invoke ffs_do_os_descs() in _ffs_func_bind.
So uninitialized ext_compat_id pointer won't be accessed by
__ffs_func_bind_do_os_desc to cause kernel panic.

Signed-off-by: Jim Lin <jilin@nvidia.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
2016-05-31 11:24:30 +03:00
Jim Lin
53642399aa usb: gadget: f_fs: Fix wrong check on reserved1 of OS_DESC_EXT_COMPAT
Current __ffs_data_do_os_desc() of f_fs.c will check reserved1 field
of OS_DESC_EXT_COMPAT and return -EINVAL if it's 1.
But MS OS 1.0 Descriptors
http://msdn.microsoft.com/en-us/library/windows/hardware/gg463179.aspx
defines that field to be 1.

Signed-off-by: Jim Lin <jilin@nvidia.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
2016-05-31 11:13:02 +03:00
Dan Carpenter
0015f91560 usb: f_fs: off by one bug in _ffs_func_bind()
This loop is supposed to set all the .num[] values to -1 but it's off by
one so it skips the first element and sets one element past the end of
the array.

I've cleaned up the loop a little as well.

Fixes: ddf8abd259 ('USB: f_fs: the FunctionFS driver')
Acked-by: Michal Nazarewicz <mina86@mina86.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
2016-05-31 11:12:53 +03:00
Greg Kroah-Hartman
ce15bda101 usb: changes for v4.7 merge window
Here's the big USB Gadget pull request. This time
 not as large as usual with only 57 non-merge
 commits.
 
 The most important part here is, again, all the work
 on dwc3. This time around we're treating all
 endpoints (except for control endpoint) exactly the
 same. They all have the same amount of TRBs on the
 ring, they all treat the ring as an actual ring with
 a link TRB pointing to the head, etc.
 
 We're also helping the host side burst (on
 SuperSpeed GEN1 or GEN2 at least) for as long as
 possible until the endpoint returns NRDY.
 
 Other than this big TRB ring rework on dwc3, we also
 have a dwc3-omap DMA initialization fix, some extra
 debugfs files to aid in some odd debug sessions and
 a complete removal of our FIFO resizing logic.
 
 We have a new quirk for some dwc3 P3 quirk in some
 implementations.
 
 The rest is basically non-critical fixes and the
 usual cleanups.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJXIek2AAoJEIaOsuA1yqRE2+cP/iZzzRshn6atj4b0BaRzyk6k
 acK6YNs8pBgJMt9FaVWhDOlCfa/8hg5W+6Z5Ovpx4WPyJdZbYkoxJ0ZJGKYjYZ/y
 U8hUxpTJ2s2wZKXRKchzT90hQvNlHdg3u2okP2GK0Oa17/idcQf2w1+0Cscm/dqN
 Ur5HgukLe31/MrcPr49OuLkahSPfHUQlOn8i4AZyBTh9L8ouzKDCvzUt2ABoCRLE
 wPcMegJhks7FQ5fksXtLsfqhqAoHpYHlsZQcH35iV8wPdtSueAtZ8tS6t445XbX9
 vEsFq1ovpBMYfl/dwV6RBZiQTjZiGWaIdjOZMUcpbD03yXE2IC6l+mtE/wuhlnHu
 J0Rr4YmfS4g++J1+380NQGoreOBZ2u7pujQ4TAy399zsLD8LR3zOQK5IErILSfpO
 m6p3ElkGuAyHJKmo4CysSspXnnNGBp/fuTkYdPM9IJRJCe0YwnF/zsQd0OrNZ/Pm
 39f6woE2aBQaEzdn+3Nya9B2IWYi6SIheQXPg0HETX/hujZHJv1x758VO6+c7aeq
 nlhRlxSe8u8DKryBG43+F+myHaIz1p0Y2O3MzIlvRv0yw87QevJ4pAWptdMITaMh
 YpgSjDPw5y2z91AhK/Fv+AXswKaoWBc6EEzBirW6hQWllSp+7qWloA6vYXkdHDr7
 QajUBeXzNgXF8JfIos5H
 =7szP
 -----END PGP SIGNATURE-----

Merge tag 'usb-for-v4.7' of git://git.kernel.org/pub/scm/linux/kernel/git/balbi/usb into usb-next

Felipe writes:

usb: changes for v4.7 merge window

Here's the big USB Gadget pull request. This time
not as large as usual with only 57 non-merge
commits.

The most important part here is, again, all the work
on dwc3. This time around we're treating all
endpoints (except for control endpoint) exactly the
same. They all have the same amount of TRBs on the
ring, they all treat the ring as an actual ring with
a link TRB pointing to the head, etc.

We're also helping the host side burst (on
SuperSpeed GEN1 or GEN2 at least) for as long as
possible until the endpoint returns NRDY.

Other than this big TRB ring rework on dwc3, we also
have a dwc3-omap DMA initialization fix, some extra
debugfs files to aid in some odd debug sessions and
a complete removal of our FIFO resizing logic.

We have a new quirk for some dwc3 P3 quirk in some
implementations.

The rest is basically non-critical fixes and the
usual cleanups.
2016-04-28 09:32:39 -07:00
Lars-Peter Clausen
38740a5b87 usb: gadget: f_fs: Fix use-after-free
When using asynchronous read or write operations on the USB endpoints the
issuer of the IO request is notified by calling the ki_complete() callback
of the submitted kiocb when the URB has been completed.

Calling this ki_complete() callback will free kiocb. Make sure that the
structure is no longer accessed beyond that point, otherwise undefined
behaviour might occur.

Fixes: 2e4c7553cd ("usb: gadget: f_fs: add aio support")
Cc: <stable@vger.kernel.org> # v3.15+
Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
2016-04-20 10:38:06 +03:00
Lars-Peter Clausen
332a5b446b usb: gadget: f_fs: Fix EFAULT generation for async read operations
In the current implementation functionfs generates a EFAULT for async read
operations if the read buffer size is larger than the URB data size. Since
a application does not necessarily know how much data the host side is
going to send it typically supplies a buffer larger than the actual data,
which will then result in a EFAULT error.

This behaviour was introduced while refactoring the code to use iov_iter
interface in commit c993c39b86 ("gadget/function/f_fs.c: use put iov_iter
into io_data"). The original code took the minimum over the URB size and
the user buffer size and then attempted to copy that many bytes using
copy_to_user(). If copy_to_user() could not copy all data a EFAULT error
was generated. Restore the original behaviour by only generating a EFAULT
error when the number of bytes copied is not the size of the URB and the
target buffer has not been fully filled.

Commit 342f39a6c8 ("usb: gadget: f_fs: fix check in read operation")
already fixed the same problem for the synchronous read path.

Fixes: c993c39b86 ("gadget/function/f_fs.c: use put iov_iter into io_data")
Acked-by: Michal Nazarewicz <mina86@mina86.com>
Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
2016-04-19 11:11:56 +03:00
Kirill A. Shutemov
09cbfeaf1a mm, fs: get rid of PAGE_CACHE_* and page_cache_{get,release} macros
PAGE_CACHE_{SIZE,SHIFT,MASK,ALIGN} macros were introduced *long* time
ago with promise that one day it will be possible to implement page
cache with bigger chunks than PAGE_SIZE.

This promise never materialized.  And unlikely will.

We have many places where PAGE_CACHE_SIZE assumed to be equal to
PAGE_SIZE.  And it's constant source of confusion on whether
PAGE_CACHE_* or PAGE_* constant should be used in a particular case,
especially on the border between fs and mm.

Global switching to PAGE_CACHE_SIZE != PAGE_SIZE would cause to much
breakage to be doable.

Let's stop pretending that pages in page cache are special.  They are
not.

The changes are pretty straight-forward:

 - <foo> << (PAGE_CACHE_SHIFT - PAGE_SHIFT) -> <foo>;

 - <foo> >> (PAGE_CACHE_SHIFT - PAGE_SHIFT) -> <foo>;

 - PAGE_CACHE_{SIZE,SHIFT,MASK,ALIGN} -> PAGE_{SIZE,SHIFT,MASK,ALIGN};

 - page_cache_get() -> get_page();

 - page_cache_release() -> put_page();

This patch contains automated changes generated with coccinelle using
script below.  For some reason, coccinelle doesn't patch header files.
I've called spatch for them manually.

The only adjustment after coccinelle is revert of changes to
PAGE_CAHCE_ALIGN definition: we are going to drop it later.

There are few places in the code where coccinelle didn't reach.  I'll
fix them manually in a separate patch.  Comments and documentation also
will be addressed with the separate patch.

virtual patch

@@
expression E;
@@
- E << (PAGE_CACHE_SHIFT - PAGE_SHIFT)
+ E

@@
expression E;
@@
- E >> (PAGE_CACHE_SHIFT - PAGE_SHIFT)
+ E

@@
@@
- PAGE_CACHE_SHIFT
+ PAGE_SHIFT

@@
@@
- PAGE_CACHE_SIZE
+ PAGE_SIZE

@@
@@
- PAGE_CACHE_MASK
+ PAGE_MASK

@@
expression E;
@@
- PAGE_CACHE_ALIGN(E)
+ PAGE_ALIGN(E)

@@
expression E;
@@
- page_cache_get(E)
+ get_page(E)

@@
expression E;
@@
- page_cache_release(E)
+ put_page(E)

Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2016-04-04 10:41:08 -07:00
Du, Changbin
ef15088440 usb: f_fs: avoid race condition with ffs_epfile_io_complete
ffs_epfile_io and ffs_epfile_io_complete runs in different context, but
there is no synchronization between them.

consider the following scenario:
1) ffs_epfile_io interrupted by sigal while
wait_for_completion_interruptible
2) then ffs_epfile_io set ret to -EINTR
3) just before or during usb_ep_dequeue, the request completed
4) ffs_epfile_io return with -EINTR

In this case, ffs_epfile_io tell caller no transfer success but actually
it may has been done. This break the caller's pipe.

Below script can help test it (adbd is the process which lies on f_fs).
while true
do
   pkill -19 adbd #SIGSTOP
   pkill -18 adbd #SIGCONT
   sleep 0.1
done

To avoid this, just dequeue the request first. After usb_ep_dequeue, the
request must be done or canceled.

With this change, we can ensure no race condition in f_fs driver. But
actually I found some of the udc driver has analogical issue in its
dequeue implementation. For example,
1) the dequeue function hold the controller's lock.
2) before driver request controller  to stop transfer, a request
   completed.
3) the controller trigger a interrupt, but its irq handler need wait
   dequeue function to release the lock.
4) dequeue function give back the request with negative status, and
   release lock.
5) irq handler get lock but the request has already been given back.

So, the dequeue implementation should take care of this case. IMO, it
can be done as below steps to dequeue a already started request,
1) request controller to stop transfer on the given ep. HW know the
   actual transfer status.
2) after hw stop transfer, driver scan if there are any completed one.
3) if found, process it with real status. if no, the request can
   canceled.

Signed-off-by: "Du, Changbin" <changbin.du@intel.com>
[mina86@mina86.com: rebased on top of refactoring commits]
Signed-off-by: Michal Nazarewicz <mina86@mina86.com>

Signed-off-by: Felipe Balbi <balbi@kernel.org>
2016-03-04 15:14:32 +02:00
Michal Nazarewicz
ae76e13477 usb: f_fs: refactor ffs_epfile_io
Eliminate one of the return paths by using a ‘goto error_mutex’ and
rearrange some if-bodies which results in reduction of the indention level
and thus hopefully makes the function easier to read and reason about.

Signed-off-by: Michal Nazarewicz <mina86@mina86.com>
Signed-off-by: Felipe Balbi <balbi@kernel.org>
2016-03-04 15:14:32 +02:00