There are several inconsistencies in the error handling code.
1. If clk_get() fails, it goes to clk_put().
2. If pdata->phy_init() fails, it does not disable u3d->clk.
3. In case of failure after stopping u3d, it does pdata->phy_deinit()
   and clk_disable(u3d->clk) twice.
4. It ignores failures in clk_enable().

Found by Linux Driver Verification project (linuxtesting.org).
Signed-off-by: NAlexey Khoroshilov <khoroshilov@ispras.ru>
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>

Check fifo configuration values against device tree values for endpoint fifo
in auto configuration mode (fifo_mode=0).
Signed-off-by: NCristian Birsan <cristian.birsan@microchip.com>
Acked-by: NNicolas Ferre <nicolas.ferre@microchip.com>
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>

Currently the of glue code in fsl-mph-dr-of will create the platform
device fsl-usb2-udc. As this driver should also be probed by this name,
this patch adds it to the devtypes list.
Signed-off-by: NMichael Grzeschik <m.grzeschik@pengutronix.de>
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>

This patch splits the amd5536udc driver into two -- one that does
pci device registration and the other file that does the rest of
the driver tasks like the gadget/ep ops etc for Synopsys UDC.

This way of splitting helps in exporting core driver symbols which
can be used by any other platform/pci driver that is written for
the same Synopsys USB device controller.

The current patch also includes a change in the Kconfig and Makefile.
A new config option USB_SNP_CORE will be selected automatically when
any one of the platform or pci driver for the same UDC is selected.

Main changes:
- amd5536udc_pci.c: PCI device registration is moved to this file.

- amd5536udc.c:
  This file does rest of the core UDC fucntionality.
  9 symbols are exported so as to be used by amd5536udc_pci.c.
  Module parameter definitions are moved to header file.

- amd5536udc.h:
  Function declarations, module parameters definitions and few common
  header file includes are added to this file

- Kconfig:
  New USB_SNP_CORE option is added which will be auto selected when
  any pci or platform driver config option for the UDC is chosen.

- Makefile:
  Compiles the core and pci files separately.
Signed-off-by: NRaviteja Garimella <raviteja.garimella@broadcom.com>
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>

This patch adds support for usb role swap via sysfs "role".

For example:
 1) Connect a usb cable using 2 Salvator-X boards.
  - For A-Device, the cable is connected to CN11 (USB3.0 ch0).
  - For B-Device, the cable is connected to CN9 (USB2.0 ch0).
 2) On A-Device, you input the following command:
  # echo peripheral > /sys/devices/platform/soc/ee020000.usb/role
 3) On B-Device, you input the following command:
  # echo host > /sys/devices/platform/soc/ee080200.usb-phy/role

Then, the A-Device acts as a peripheral and the B-Device acts as
a host. Please note that A-Device must input the following command
if you want the board to act as a host again.
 # echo host > /sys/devices/platform/soc/ee020000.usb/role
Signed-off-by: NYoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>

Minor code cleanup based on feedback received on mailinglist.
Acked-by: NNicolas Ferre <nicolas.ferre@microchip.com>
Signed-off-by: NCristian Birsan <cristian.birsan@microchip.com>
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>

This patch adds extcon support to see VBUS/ID signal states.
Signed-off-by: NYoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>

This usb 3.0 peripheral controller has a register (USB_OTG_STA) to monitor
the USB ID signal. So, this patch adds the ID signal monitoring to change
the mode to host (A-Host) or peripheral (B-Peripheral).
This patch also removes hardcoded setting as B-Peripheral mode.
Signed-off-by: NYoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>

This fixes the commit: 1cd8fd28 ("usb: gadget: dummy_hcd: add
SuperSpeed support").

In the case of ClearPortFeature and USB_PORT_FEAT_POWER, simply clear
the right bit regardless of what the wValue is.
Acked-by: NAlan Stern <stern@rowland.harvard.edu>
Signed-off-by: NYuyang Du <yuyang.du@intel.com>
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>

Remove unnecessary variable and update function prototype.
Acked-by: NMichal Nazarewicz <mina86@mina86.com>
Reviewed-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: NGustavo A. R. Silva <garsilva@embeddedor.com>
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>

Rewrite udc_free_dma_chain() function to avoid use of pointer after free.

Addresses-Coverity-ID: 1091172
Acked-by: NMichal Nazarewicz <mina86@mina86.com>
Reviewed-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: NGustavo A. R. Silva <garsilva@embeddedor.com>
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>

Functions udc_enable() and udc_disable() have a duplicated prototype.
Remove it.
Acked-by: NRobert Jarzmik <robert.jarzmik@free.fr>
Signed-off-by: NPetr Cvek <petr.cvek@tul.cz>
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>

Rearrange statements in mv_ep_enable function so that it’s obvious
what the switch does and how zlt, ios and mult variables are
initialised.  Most notably, this gets rid of an implicit fall-through
so people don’t have to wonder whether it was intenional or not.

Addresses-Coverity-ID: 201385
Reported-by: NGustavo A. R. Silva <garsilva@embeddedor.com>
Signed-off-by: NMichal Nazarewicz <mina86@mina86.com>
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>

Remove pointer dereference after free.

Addresses-Coverity-ID: 1091173
Acked-by: NMichal Nazarewicz <mina86@mina86.com>
Signed-off-by: NGustavo A. R. Silva <garsilva@embeddedor.com>
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>

In the function scan_dma_completions() there is a reusage of tmp
variable. That coused a wrong value being used in some case when
reading a short packet terminated transaction from an endpoint,
in 2 concecutive reads.

This was my logic for the patch:

The req->td->dmadesc equals to 0 iff:
-- There was a transaction ending with a short packet, and
-- The read() to read it was shorter than the transaction length, and
-- The read() to complete it is longer than the residue.
I believe this is true from the printouts of various cases,
but I can't be positive it is correct.

Entering this if, there should be no more data in the endpoint
(a short packet terminated the transaction).
If there is, the transaction wasn't really done and we should exit and
wait for it to finish entirely. That is the inner if.
That inner if should never happen, but it is there to be on the safe
side. That is why it is marked with the comment /* paranoia */.
The size of the data available in the endpoint is ep->dma->dmacount
and it is read to tmp.
This entire clause is based on my own educated guesses.

If we passed that inner if without breaking in the original code,
than tmp & DMA_BYTE_MASK_COUNT== 0.
That means we will always pass dma bytes count of 0 to dma_done(),
meaning all the requested bytes were read.

dma_done() reports back to the upper layer that the request (read())
was done and how many bytes were read.
In the original code that would always be the request size,
regardless of the actual size of the data.
That did not make sense to me at all.

However, the original value of tmp is req->td->dmacount,
which is the dmacount value when the request's dma transaction was
finished. And that is a much more reasonable value to report back to
the caller.

To recreate the problem:
Read from a bulk out endpoint in a loop, 1024 * n bytes in each
iteration.
Connect the PLX to a host you can control.
Send to that endpoint 1024 * n + x bytes,
such that 0 < x < 1024 * n and (x % 1024) != 0
You would expect the first read() to return 1024 * n
and the second read() to return x.
But you will get the first read to return 1024 * n
and the second one to return 1024 * n.
That is true for every positive integer n.

Cc: Felipe Balbi <balbi@kernel.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: linux-usb@vger.kernel.org
Signed-off-by: NRaz Manor <Raz.Manor@valens.com>
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>

A call usb_put_phy(udc->transceiver) must be tested for a valid pointer.
Use an already existing test for usb_unregister_notifier call.
Acked-by: NRobert Jarzmik <robert.jarzmik@free.fr>
Reported-by: NRobert Jarzmik <robert.jarzmik@free.fr>
Signed-off-by: NPetr Cvek <petr.cvek@tul.cz>
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>

The debug output now contains the wrong variable, as seen from the compiler
warning:

drivers/usb/gadget/udc/atmel_usba_udc.c: In function 'usba_ep_enable':
drivers/usb/gadget/udc/atmel_usba_udc.c:632:550: error: 'ept_cfg' may be used uninitialized in this function [-Werror=maybe-uninitialized]
  DBG(DBG_ERR, "%s: EPT_CFG = 0x%lx (maxpacket = %lu)\n",

This changes the debug output the same way as the other code.

Fixes: 741d2558 ("usb: gadget: udc: atmel: Update endpoint allocation scheme")
Signed-off-by: NArnd Bergmann <arnd@arndb.de>
Acked-by: NAlexandre Belloni <alexandre.belloni@free-electrons.com>
Acked-by: NNicolas Ferre <nicolas.ferre@microchip.com>
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>

When the user does device unbind and rebind test, the kernel will
show below dump due to usb_gadget memory region is dirty after unbind.
Clear usb_gadget region for every new probe.

root@imx6qdlsolo:/sys/bus/platform/drivers/dummy_udc# echo dummy_udc.0 > bind
[  102.523312] kobject (eddd78b0): tried to init an initialized object, something is seriously wrong.
[  102.532447] CPU: 0 PID: 734 Comm: sh Not tainted 4.10.0-rc7-00872-g1b2b8e9 #1298
[  102.539866] Hardware name: Freescale i.MX6 SoloX (Device Tree)
[  102.545717] Backtrace:
[  102.548225] [<c010d090>] (dump_backtrace) from [<c010d338>] (show_stack+0x18/0x1c)
[  102.555822]  r7:ede34000 r6:60010013 r5:00000000 r4:c0f29418
[  102.561512] [<c010d320>] (show_stack) from [<c040c2a4>] (dump_stack+0xb4/0xe8)
[  102.568764] [<c040c1f0>] (dump_stack) from [<c040e6d4>] (kobject_init+0x80/0x9c)
[  102.576187]  r10:0000001f r9:eddd7000 r8:eeaf8c10 r7:eddd78a8 r6:c177891c r5:c0f3b060
[  102.584036]  r4:eddd78b0 r3:00000000
[  102.587641] [<c040e654>] (kobject_init) from [<c05359a4>] (device_initialize+0x28/0xf8)
[  102.595665]  r5:eebc4800 r4:eddd78a8
[  102.599268] [<c053597c>] (device_initialize) from [<c05382ac>] (device_register+0x14/0x20)
[  102.607556]  r7:eddd78a8 r6:00000000 r5:eebc4800 r4:eddd78a8
[  102.613256] [<c0538298>] (device_register) from [<c0668ef4>] (usb_add_gadget_udc_release+0x8c/0x1ec)
[  102.622410]  r5:eebc4800 r4:eddd7860
[  102.626015] [<c0668e68>] (usb_add_gadget_udc_release) from [<c0669068>] (usb_add_gadget_udc+0x14/0x18)
[  102.635351]  r10:0000001f r9:eddd7000 r8:eddd788c r7:bf003770 r6:eddd77f8 r5:eddd7818
[  102.643198]  r4:eddd785c r3:eddd7b24
[  102.646834] [<c0669054>] (usb_add_gadget_udc) from [<bf003428>] (dummy_udc_probe+0x170/0x1c4 [dummy_hcd])
[  102.656458] [<bf0032b8>] (dummy_udc_probe [dummy_hcd]) from [<c053d114>] (platform_drv_probe+0x54/0xb8)
[  102.665881]  r10:00000008 r9:c1778960 r8:bf004128 r7:fffffdfb r6:bf004128 r5:eeaf8c10
[  102.673727]  r4:eeaf8c10
[  102.676293] [<c053d0c0>] (platform_drv_probe) from [<c053b160>] (driver_probe_device+0x264/0x474)
[  102.685186]  r7:00000000 r6:00000000 r5:c1778960 r4:eeaf8c10
[  102.690876] [<c053aefc>] (driver_probe_device) from [<c05397c4>] (bind_store+0xb8/0x14c)
[  102.698994]  r10:eeb3bb4c r9:ede34000 r8:0000000c r7:eeaf8c44 r6:bf004128 r5:c0f3b668
[  102.706840]  r4:eeaf8c10
[  102.709402] [<c053970c>] (bind_store) from [<c0538ca8>] (drv_attr_store+0x28/0x34)
[  102.716998]  r9:ede34000 r8:00000000 r7:ee3863c0 r6:ee3863c0 r5:c0538c80 r4:c053970c
[  102.724776] [<c0538c80>] (drv_attr_store) from [<c029c930>] (sysfs_kf_write+0x50/0x54)
[  102.732711]  r5:c0538c80 r4:0000000c
[  102.736313] [<c029c8e0>] (sysfs_kf_write) from [<c029be84>] (kernfs_fop_write+0x100/0x214)
[  102.744599]  r7:ee3863c0 r6:eeb3bb40 r5:00000000 r4:00000000
[  102.750287] [<c029bd84>] (kernfs_fop_write) from [<c0222dd8>] (__vfs_write+0x34/0x120)
[  102.758231]  r10:00000000 r9:ede34000 r8:c0108bc4 r7:0000000c r6:ede35f80 r5:c029bd84
[  102.766077]  r4:ee223780
[  102.768638] [<c0222da4>] (__vfs_write) from [<c0224678>] (vfs_write+0xa8/0x170)
[  102.775974]  r9:ede34000 r8:c0108bc4 r7:ede35f80 r6:01861cb0 r5:ee223780 r4:0000000c
[  102.783743] [<c02245d0>] (vfs_write) from [<c0225498>] (SyS_write+0x4c/0xa8)
[  102.790818]  r9:ede34000 r8:c0108bc4 r7:0000000c r6:01861cb0 r5:ee223780 r4:ee223780
[  102.798595] [<c022544c>] (SyS_write) from [<c0108a20>] (ret_fast_syscall+0x0/0x1c)
[  102.806188]  r7:00000004 r6:b6e83d58 r5:01861cb0 r4:0000000c

Fixes: 90fccb52 ("usb: gadget: Gadget directory cleanup - group UDC drivers")
Cc: stable <stable@vger.kernel.org>
Acked-by: NAlan Stern <stern@rowland.harvard.edu>
Signed-off-by: NPeter Chen <peter.chen@nxp.com>
Tested-by: NXiaolong Ye <xiaolong.ye@intel.com>
Reported-by: NFengguang Wu <fengguang.wu@intel.com>
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>

Fix typos and add the following to the scripts/spelling.txt:

  followings||following

While we are here, add a missing colon in the boilerplate in DT binding
documents.  The "you SoC" in allwinner,sunxi-pinctrl.txt was fixed as
well.

I reworded "as the followings:" to "as follows:" for
drivers/usb/gadget/udc/renesas_usb3.c.

Link: http://lkml.kernel.org/r/1481573103-11329-32-git-send-email-yamada.masahiro@socionext.comSigned-off-by: NMasahiro Yamada <yamada.masahiro@socionext.com>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

Fix typos and add the following to the scripts/spelling.txt:

  intialization||initialization

The "inintialization" in drivers/acpi/spcr.c is a different pattern but
I fixed it as well in this commit.

Link: http://lkml.kernel.org/r/1481573103-11329-16-git-send-email-yamada.masahiro@socionext.comSigned-off-by: NMasahiro Yamada <yamada.masahiro@socionext.com>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

Commit 304f7e5e ("usb: gadget: Refactor request completion")
removed check if req->req.complete is non-NULL, resulting in a NULL
pointer derefence and a kernel panic.
This patch adds an empty complete function instead of re-introducing
the req->req.complete check.

Fixes: 304f7e5e ("usb: gadget: Refactor request completion")
Signed-off-by: NMagnus Lilja <lilja.magnus@gmail.com>
Cc: <stable@vger.kernel.org> # 3.18+
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>

Declare usb_ep_ops structures as const as they are only stored in the
ops field of an usb_ep structure. This field is of type const, so
usb_ep_ops structures having this property can be made const too.
Done using Coccinelle( A smaller version of the script)

@r disable optional_qualifier@
identifier i;
position p;
@@
static struct usb_ep_ops i@p={...};

@ok@
identifier r.i;
position p;
struct mv_ep a;
struct mv_u3d_ep b;
struct omap_ep c;

@@
(
a.ep.ops=&i@p;
|
b.ep.ops=&i@p;
|
c.ep.ops=&i@p;

)

@bad@
position p!={r.p,ok.p};
identifier r.i;
@@
i@p

@depends on !bad disable optional_qualifier@
identifier r.i;
@@
+const
struct usb_ep_ops i;

File size details before and after applying  the patch.
First line of every .o file shows the file size before patching and
second line shows the file size after patching.

  text	   data	    bss	    dec	    hex	filename

   7782	    384	      8	   8174	   1fee	usb/gadget/udc/fotg210-udc.o
   7878	    296	      8	   8182	   1ff6	usb/gadget/udc/fotg210-udc.o

  17866	    992	     40	  18898	   49d2	usb/gadget/udc/fsl_udc_core.o
  17954	    896	     40	  18890	   49ca	usb/gadget/udc/fsl_udc_core.o

   9646	    288	      8	   9942	   26d6	usb/gadget/udc/fusb300_udc.o
   9742	    192	      8	   9942	   26d6	usb/gadget/udc/fusb300_udc.o

  12752	    416	      8	  13176	   3378	drivers/usb/gadget/udc/goku_udc.o
  12832	    328	      8	  13168	   3370	drivers/usb/gadget/udc/goku_udc.o

  16541	   1696	      8	  18245	   4745	drivers/usb/gadget/udc/gr_udc.o
  16637	   1600	      8	  18245	   4745	drivers/usb/gadget/udc/gr_udc.o

  15798	    288	     16	  16102	   3ee6	drivers/usb/gadget/udc/m66592-udc.o
  15894	    192	     16	  16102	   3ee6	drivers/usb/gadget/udc/m66592-udc.o

  17751	   3808	     16	  21575	   5447	usb/gadget/udc/mv_u3d_core.o
  17839	   3712	     16	  21567	   543f	usb/gadget/udc/mv_u3d_core.o

  17348	   1112	     24	  18484	   4834	usb/gadget/udc/mv_udc_core.o
  17436	   1016	     24	  18476	   482c	usb/gadget/udc/mv_udc_core.o

  25990	   2620	     13	  28623	   6fcf	drivers/usb/gadget/udc/net2272.o
  26086	   2524	     13	  28623	   6fcf	drivers/usb/gadget/udc/net2272.o

  18409	   7312	      8	  25729	   6481	drivers/usb/gadget/udc/pxa27x_udc.o
  18505	   7208	      8	  25721	   6479	drivers/usb/gadget/udc/pxa27x_udc.o

  18644	    288	     16	  18948	   4a04	usb/gadget/udc/r8a66597-udc.o
  18740	    192	     16	  18948	   4a04	usb/gadget/udc/r8a66597-udc.o

Files: drivers/usb/gadget/udc/{s3c-hsudc.o/omap_udc.o/fsl_qe_udc.o} did
not complie.
Signed-off-by: NBhumika Goyal <bhumirks@gmail.com>
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>

This patch updates the usb endpoint allocation scheme for atmel usba
driver to make sure all endpoints are allocated in order. This
requirement comes from the datasheet of the controller.

The allocation scheme is decided by fifo_mode parameter. For fifo_mode =
0 the driver tries to autoconfigure the endpoints fifo size. All other
modes contain fixed configurations optimized for different purposes. The
idea is somehow similar with the approach used on musb driver.
Signed-off-by: NCristian Birsan <cristian.birsan@microchip.com>
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>

Declare usb_gadget_ops structures as const as they are only stored in
the ops field of a usb_gadget structure. This field is of type const, so
usb_gadget_ops structures having this property can be declared const
too.
Done using Coccinelle:

@r1 disable optional_qualifier@
identifier i;
position p;
@@
static struct usb_gadget_ops i@p={...};

@ok1@
identifier r1.i;
position p;
struct fotg210_udc fotg210;
@@
fotg210.gadget.ops=&i@p

@bad@
position p!={r1.p,ok1.p};
identifier r1.i;
@@
i@p

@depends on !bad disable optional_qualifier@
identifier r1.i;
@@
+const
struct usb_gadget_ops i;

File size before:
   text	   data	    bss	    dec	    hex	filename
   7559	    384	      8	   7951	   1f0f	usb/gadget/udc/fotg210-udc.o

File size after:
   text	   data	    bss	    dec	    hex	filename
   7655	    288	      8	   7951	   1f0f	usb/gadget/udc/fotg210-udc.o
Signed-off-by: NBhumika Goyal <bhumirks@gmail.com>
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>

Since:

commit 855ed04a ("usb: gadget: udc-core: independent registration
of gadgets and gadget drivers")

if we load gadget module but there is no free udc available
then it will be stored on a pending gadgets list.

$ modprobe g_zero.ko
$ modprobe g_ether.ko
[] udc-core: couldn't find an available UDC - added [g_ether] to list
of pending drivers

We scan this list each time when new UDC appears in system.
But we can get a free UDC each time after gadget unbind.
This commit add scanning of that list directly after unbinding
gadget from udc.

Thanks to this, when we unload first gadget:

$ rmmod g_zero.ko

gadget which is pending is automatically
attached to that UDC (if name matches).

Fixes: 855ed04a  ("usb: gadget: udc-core: independent registration of gadgets and gadget drivers")
Cc: stable <stable@vger.kernel.org>
Signed-off-by: NKrzysztof Opasiak <k.opasiak@samsung.com>
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>

Declare usb_gadget_ops structures as const as they are only stored in
the ops field of a usb_gadget structure. This field is of type const, so
usb_gadget_ops structures having this property can be declared const
too.
Done using Coccinelle:

@r1 disable optional_qualifier@
identifier i;
position p;
@@
static struct usb_gadget_ops i@p={...};

@ok1@
identifier r1.i;
position p;
struct fotg210_udc fotg210;
@@
fotg210.gadget.ops=&i@p

@bad@
position p!={r1.p,ok1.p};
identifier r1.i;
@@
i@p

@depends on !bad disable optional_qualifier@
identifier r1.i;
@@
+const
struct usb_gadget_ops i;

File size before:
   text	   data	    bss	    dec	    hex	filename
   7559	    384	      8	   7951	   1f0f	usb/gadget/udc/fotg210-udc.o

File size after:
   text	   data	    bss	    dec	    hex	filename
   7655	    288	      8	   7951	   1f0f	usb/gadget/udc/fotg210-udc.o
Signed-off-by: NBhumika Goyal <bhumirks@gmail.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

Commit bbe097f0 ("usb: gadget: udc: atmel: fix endpoint name")
introduced a memory leak when unbinding the driver. The endpoint names
would not be freed. Solve that by including the name as a string in struct
usba_ep so it is freed when the endpoint is.
Signed-off-by: NAlexandre Belloni <alexandre.belloni@free-electrons.com>
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>

This fixes a regression which was introduced by commit f1bddbb3, by
reverting a small fragment of commit 855ed04a.

If the following conditions were met, usb_gadget_probe_driver() returned
0, although the call was unsuccessful:
1. A particular UDC was specified by thge gadget driver (using member
"udc_name" of struct usb_gadget_driver).
2. The UDC with this name is available.
3. Another gadget driver is already bound to this gadget.
4. The gadget driver has the "match_existing_only" flag set.
In this case, the return code variable "ret" is set to 0, the return
code of a strcmp() call (to check for the second condition).

This also fixes an oops which could occur in the following scenario:
1. Two usb gadget instances were configured using configfs.
2. The first gadget configuration was bound to a UDC (using the configfs
attribute "UDC").
3. It was tried to bind the second gadget configuration to the same UDC
in the same way. This operation was then wrongly reported as being
successful.
4. The second gadget configuration's "UDC" attribute is cleared, to
unbind the (not really bound) second gadget configuration from the UDC.

<BUG: unable to handle kernel NULL pointer dereference
at           (null)
IP: [<ffffffff94f5e5e9>] __list_del_entry+0x29/0xc0
PGD 41b4c5067
PUD 41a598067
PMD 0

Oops: 0000 [#1] SMP
Modules linked in: cdc_acm usb_f_fs usb_f_serial
usb_f_acm u_serial libcomposite configfs dummy_hcd bnep intel_rapl
x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm
snd_hda_codec_hdmi irqbypass crct10dif_pclmul crc32_pclmul
ghash_clmulni_intel aesni_intel aes_x86_64 lrw gf128mul glue_helper
ablk_helper cryptd snd_hda_codec_realtek snd_hda_codec_generic serio_raw
uvcvideo videobuf2_vmalloc btusb snd_usb_audio snd_hda_intel
videobuf2_memops btrtl snd_hda_codec snd_hda_core snd_usbmidi_lib btbcm
videobuf2_v4l2 btintel snd_hwdep videobuf2_core snd_seq_midi bluetooth
snd_seq_midi_event videodev xpad efi_pstore snd_pcm_oss rfkill joydev
media crc16 ff_memless snd_mixer_oss snd_rawmidi nls_ascii snd_pcm
snd_seq snd_seq_device nls_cp437 mei_me snd_timer vfat sg udc_core
lpc_ich fat
efivars mfd_core mei snd soundcore battery nuvoton_cir rc_core evdev
intel_smartconnect ie31200_edac edac_core shpchp tpm_tis tpm_tis_core
tpm parport_pc ppdev lp parport efivarfs autofs4 btrfs xor raid6_pq
hid_logitech_hidpp hid_logitech_dj hid_generic usbhid hid uas
usb_storage sr_mod cdrom sd_mod ahci libahci nouveau i915 crc32c_intel
i2c_algo_bit psmouse ttm xhci_pci libata scsi_mod ehci_pci
drm_kms_helper xhci_hcd ehci_hcd r8169 mii usbcore drm nvme nvme_core
fjes button [last unloaded: net2280]
CPU: 5 PID: 829 Comm: bash Not tainted 4.9.0-rc7 #1
Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./Z77
Extreme3, BIOS P1.50 07/11/2013
task: ffff880419ce4040 task.stack: ffffc90002ed4000
RIP: 0010:[<ffffffff94f5e5e9>]  [<ffffffff94f5e5e9>]
__list_del_entry+0x29/0xc0
RSP: 0018:ffffc90002ed7d68  EFLAGS: 00010207
RAX: 0000000000000000 RBX: ffff88041787ec30 RCX: dead000000000200
RDX: 0000000000000000 RSI: ffff880417482002 RDI: ffff88041787ec30
RBP: ffffc90002ed7d68 R08: 0000000000000000 R09: 0000000000000010
R10: 0000000000000000 R11: ffff880419ce4040 R12: ffff88041787eb68
R13: ffff88041787eaa8 R14: ffff88041560a2c0 R15: 0000000000000001
FS:  00007fe4e49b8700(0000) GS:ffff88042f340000(0000)
knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000041b4c4000 CR4: 00000000001406e0
Stack:
ffffc90002ed7d80 ffffffff94f5e68d ffffffffc0ae5ef0 ffffc90002ed7da0
ffffffffc0ae22aa ffff88041787e800 ffff88041787e800 ffffc90002ed7dc0
ffffffffc0d7a727 ffffffff952273fa ffff88041aba5760 ffffc90002ed7df8
Call Trace:
[<ffffffff94f5e68d>] list_del+0xd/0x30
[<ffffffffc0ae22aa>] usb_gadget_unregister_driver+0xaa/0xc0 [udc_core]
[<ffffffffc0d7a727>] unregister_gadget+0x27/0x60 [libcomposite]
[<ffffffff952273fa>] ? mutex_lock+0x1a/0x30
[<ffffffffc0d7a9b8>] gadget_dev_desc_UDC_store+0x88/0xe0 [libcomposite]
[<ffffffffc0af8aa0>] configfs_write_file+0xa0/0x100 [configfs]
[<ffffffff94e10d27>] __vfs_write+0x37/0x160
[<ffffffff94e31430>] ? __fd_install+0x30/0xd0
[<ffffffff95229dae>] ? _raw_spin_unlock+0xe/0x10
[<ffffffff94e11458>] vfs_write+0xb8/0x1b0
[<ffffffff94e128f8>] SyS_write+0x58/0xc0
[<ffffffff94e31594>] ? __close_fd+0x94/0xc0
[<ffffffff9522a0fb>] entry_SYSCALL_64_fastpath+0x1e/0xad
Code: 66 90 55 48 8b 07 48 b9 00 01 00 00 00 00 ad de 48 8b 57 08 48 89
e5 48 39 c8 74 29 48 b9 00 02 00 00 00 00 ad de 48 39 ca 74 3a <4c> 8b
02 4c 39 c7 75 52 4c 8b 40 08 4c 39 c7 75 66 48 89 50 08
RIP  [<ffffffff94f5e5e9>] __list_del_entry+0x29/0xc0
RSP <ffffc90002ed7d68>
CR2: 0000000000000000
---[ end trace 99fc090ab3ff6cbc ]---

Fixes: f1bddbb3 ("usb: gadget: Fix binding to UDC via configfs
interface")
Signed-off-by: NFelix Hädicke <felixhaedicke@web.de>
Tested-by: NKrzysztof Opasiak <k.opasiak@samsung.com>
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>

The stop_activity() routine in dummy-hcd is supposed to unlink all
active requests for every endpoint, among other things.  But it
doesn't handle ep0.  As a result, fuzz testing can generate a WARNING
like the following:

WARNING: CPU: 0 PID: 4410 at drivers/usb/gadget/udc/dummy_hcd.c:672 dummy_free_request+0x153/0x170
Modules linked in:
CPU: 0 PID: 4410 Comm: syz-executor Not tainted 4.9.0-rc7+ #32
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 ffff88006a64ed10 ffffffff81f96b8a ffffffff41b58ab3 1ffff1000d4c9d35
 ffffed000d4c9d2d ffff880065f8ac00 0000000041b58ab3 ffffffff8598b510
 ffffffff81f968f8 0000000041b58ab3 ffffffff859410e0 ffffffff813f0590
Call Trace:
 [<     inline     >] __dump_stack lib/dump_stack.c:15
 [<ffffffff81f96b8a>] dump_stack+0x292/0x398 lib/dump_stack.c:51
 [<ffffffff812b808f>] __warn+0x19f/0x1e0 kernel/panic.c:550
 [<ffffffff812b831c>] warn_slowpath_null+0x2c/0x40 kernel/panic.c:585
 [<ffffffff830fcb13>] dummy_free_request+0x153/0x170 drivers/usb/gadget/udc/dummy_hcd.c:672
 [<ffffffff830ed1b0>] usb_ep_free_request+0xc0/0x420 drivers/usb/gadget/udc/core.c:195
 [<ffffffff83225031>] gadgetfs_unbind+0x131/0x190 drivers/usb/gadget/legacy/inode.c:1612
 [<ffffffff830ebd8f>] usb_gadget_remove_driver+0x10f/0x2b0 drivers/usb/gadget/udc/core.c:1228
 [<ffffffff830ec084>] usb_gadget_unregister_driver+0x154/0x240 drivers/usb/gadget/udc/core.c:1357

This patch fixes the problem by iterating over all the endpoints in
the driver's ep array instead of iterating over the gadget's ep_list,
which explicitly leaves out ep0.
Signed-off-by: NAlan Stern <stern@rowland.harvard.edu>
Reported-by: NAndrey Konovalov <andreyknvl@google.com>
CC: <stable@vger.kernel.org>
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>

The patch improves readability of mv_u3d_start_queue()
by rearranging its code with two semantic modifications:
- assignment zero to ep->processing if usb_gadget_map_request() fails;
- propagation of error code from mv_u3d_req_to_trb() instead of
  hardcoded -ENOMEM.
Signed-off-by: NAlexey Khoroshilov <khoroshilov@ispras.ru>
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>

mv_u3d_req_to_trb() does not check for dma mapping errors.

Found by Linux Driver Verification project (linuxtesting.org).
Signed-off-by: NAlexey Khoroshilov <khoroshilov@ispras.ru>
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>

Use the more common logging mechanism.

Miscellanea:

o Realign multiline statements
o Coalesce format
Acked-by: NRobert Jarzmik <robert.jarzmik@free.fr>
Acked-by: NNicolas Ferre <nicolas.ferre@atmel.com>
Signed-off-by: NJoe Perches <joe@perches.com>
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>

Now that usb_endpoint_maxp() only returns the lowest
11 bits from wMaxPacketSize, we can remove the &
operation from this driver.
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>

Now that usb_endpoint_maxp() only returns the lowest
11 bits from wMaxPacketSize, we can remove the &
operation from this driver.

Cc: Li Yang <leoli@freescale.com>
Cc: <linuxppc-dev@lists.ozlabs.org>
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>

Now that usb_endpoint_maxp() only returns the lowest
11 bits from wMaxPacketSize, we can remove the &
operation from this driver.
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>

Now that usb_endpoint_maxp() only returns the lowest
11 bits from wMaxPacketSize, we can remove the &
operation from this driver.
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>

Now that usb_endpoint_maxp() only returns the lowest
11 bits from wMaxPacketSize, we can remove the &
operation from this driver.
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>

Now that usb_endpoint_maxp() only returns the lowest
11 bits from wMaxPacketSize, we can remove the &
operation from this driver.

Cc: Alan Stern <stern@rowland.harvard.edu>
Cc: <linux-usb@vger.kernel.org>
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>

Now that usb_endpoint_maxp() only returns the lowest
11 bits from wMaxPacketSize, we can remove the &
operation from this driver.

Cc: Ashwini Pahuja <ashwini.linux@gmail.com>
Cc: <linux-usb@vger.kernel.org>
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>

Now that usb_endpoint_maxp() only returns the lowest
11 bits from wMaxPacketSize, we can remove the &
operation from this driver.
Acked-by: NNicolas Ferre <nicolas.ferre@atmel.com>
Cc: <linux-usb@vger.kernel.org>
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>