To simplify the configfs interface and remove boilerplate code that also
causes binary bloat.
Signed-off-by: NChristoph Hellwig <hch@lst.de>
Reviewed-by: NAndrzej Pietrasiewicz <andrzej.p@samsung.com>
Acked-by: NFelipe Balbi <balbi@ti.com>
Signed-off-by: NNicholas Bellinger <nab@linux-iscsi.org>

Since ep->driver_data is not used for endpoint claiming, neither for
enabled/disabled state storing, we can reduce number of places where
we read or modify it's value, as now it has no particular meaning for
function or framework logic.

In case of f_printer we only need to store in ep->driver_data pointer to
struct printer_dev, as it's used in rx_complete() and tx_complete()
callbacks. All other uses of ep->driver_data are now meaningless and can
be safely removed.
Signed-off-by: NRobert Baldyga <r.baldyga@samsung.com>
Signed-off-by: NFelipe Balbi <balbi@ti.com>

Function printer_func_disable() has called spinlock on printer_dev->lock,
and it'll call function chain of

    printer_reset_interface()
        |
	+---dwc3_gadget_ep_disable()
	        |
                +---__dwc3_gadget_ep_disable()
                        |
                        +---dwc3_remove_requests()
                                |
                                +---dwc3_gadget_giveback()
                                        |
                                        +---rx_complete()

in the protected block.

However, rx_complete() in f_printer.c calls spinlock on printer_dev->lock
again, which will cause system hang.

The following steps can reproduce this hang:

1. Build the test program from Documentation/usb/gadget_printer.txt as
   g_printer
2. Plug in the USB device to a host(such as Ubuntu).
3. on the USB device system run:
   #modprobe g_printer.ko
   #./g_printer -read_data

4. Unplug the USB device from the host

   The system will hang later.

In order to avoid this deadlock, moving the spinlock from
printer_func_disable() into printer_reset_interface() and excluding the block
of calling dwc3_gadget_ep_disable(), in which the critical resource will be
protected by its spinlock in rx_complete().

This commit will fix the system hang with the following calltrace:

INFO: rcu_preempt detected stalls on CPUs/tasks: { 3} (detected by 0, t=21006 jiffies, g=524, c=523, q=2)
sending NMI to all CPUs:
NMI backtrace for cpu 3
CPU: 3 PID: 718 Comm: irq/22-dwc3 Not tainted 3.10.38-ltsi-WR6.0.0.11_standard #2
Hardware name: Intel Corp. VALLEYVIEW B3 PLATFORM/NOTEBOOK, BIOS BYTICRB1.86C.0092.R32.1410021707 10/02/2014
task: f44f4c20 ti: f40f6000 task.ti: f40f6000
EIP: 0060:[<c1824955>] EFLAGS: 00000097 CPU: 3
EIP is at _raw_spin_lock_irqsave+0x35/0x40
EAX: 00000076 EBX: f80fad00 ECX: 00000076 EDX: 00000075
ESI: 00000096 EDI: ffffff94 EBP: f40f7e20 ESP: f40f7e18
 DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
CR0: 8005003b CR2: b77ac000 CR3: 01c30000 CR4: 001007f0
DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
DR6: ffff0ff0 DR7: 00000400
Stack:
 f474a720 f80fad00 f40f7e3c f80f93cc c135d486 00000000 f474a720 f468fb00
 f4bea894 f40f7e54 f7e35f19 ffffff00 f468fb00 f468fb24 00000086 f40f7e64
 f7e36577 f468fb00 f4bea810 f40f7e74 f7e365a8 f468fb00 f4bea894 f40f7e9c
Call Trace:
 [<f80f93cc>] rx_complete+0x1c/0xb0 [g_printer]
 [<c135d486>] ? vsnprintf+0x166/0x390
 [<f7e35f19>] dwc3_gadget_giveback+0xc9/0xf0 [dwc3]
 [<f7e36577>] dwc3_remove_requests+0x57/0x70 [dwc3]
 [<f7e365a8>] __dwc3_gadget_ep_disable+0x18/0x60 [dwc3]
 [<f7e366e9>] dwc3_gadget_ep_disable+0x89/0xf0 [dwc3]
 [<f80f9031>] printer_reset_interface+0x31/0x50 [g_printer]
 [<f80f9270>] printer_func_disable+0x20/0x30 [g_printer]
 [<f80e6d8b>] composite_disconnect+0x4b/0x90 [libcomposite]
 [<f7e39a8b>] dwc3_disconnect_gadget+0x38/0x43 [dwc3]
 [<f7e39ad4>] dwc3_gadget_disconnect_interrupt+0x3e/0x5a [dwc3]
 [<f7e373b8>] dwc3_thread_interrupt+0x5c8/0x610 [dwc3]
 [<c10ac518>] irq_thread_fn+0x18/0x30
 [<c10ac800>] irq_thread+0x100/0x130
 [<c10ac500>] ? irq_finalize_oneshot.part.29+0xb0/0xb0
 [<c10ac650>] ? wake_threads_waitq+0x40/0x40
 [<c10ac700>] ? irq_thread_dtor+0xb0/0xb0
 [<c1057224>] kthread+0x94/0xa0
 [<c182b337>] ret_from_kernel_thread+0x1b/0x28
 [<c1057190>] ? kthread_create_on_node+0xc0/0xc0
Signed-off-by: NFupan Li <fupan.li@windriver.com>
Signed-off-by: NFelipe Balbi <balbi@ti.com>

There is a predefined maximum number of printer instances, currently 4.
A chrdev region is allocated accordingly, but with configfs the user
can create as many printer function directories as they like. To make the
number of printer  instances consistent with the number of allocated
minors, the limit is enforced at directory creation time.
Signed-off-by: NAndrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: NFelipe Balbi <balbi@ti.com>

USB_DIR_OUT happens to be zero, so the result of bitwise and is always 0.
Consequently, break will never happen in the SOFT_RESET case.
This patch uses a compatible condition with a non-zero USB_DIR_IN,
which might or might not evaluate to zero.
Reported-by: NDan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: NAndrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: NFelipe Balbi <balbi@ti.com>

There was a missing goto so we free "opts" and then dereference it.

Fixes: ee1cd515 ('usb: gadget: printer: add configfs support')
Signed-off-by: NDan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: NFelipe Balbi <balbi@ti.com>

"num" is a u16 so it can't go higher than 65535.  kstrtou16() has a
range check built in so this is already handled.
Signed-off-by: NDan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: NFelipe Balbi <balbi@ti.com>

Add support for configfs interface so that f_printer can be used as a
component of usb gadgets composed with it.
Signed-off-by: NAndrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: NFelipe Balbi <balbi@ti.com>

There are no old interface users left, so it can be removed.
Signed-off-by: NAndrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: NFelipe Balbi <balbi@ti.com>

In order to add configfs support, a usb function must be converted to use
the new interface. This patch converts the function to the new interface
and provides backward compatiblity layer, which can be removed after
all its users are converted to use the new interface.
Signed-off-by: NAndrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: NFelipe Balbi <balbi@ti.com>

The legacy printer gadget now contains both a reusable printer function
and legacy gadget proper implementations interwoven, but logically
separate. This patch factors out a reusable f_printer.
Signed-off-by: NAndrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: NFelipe Balbi <balbi@ti.com>

With all the obstacles removed it is possible to allow more than one
instance of the printer function. Since the function requires allocating
character device region, a maximum number of allowed instances is defined.
Such an approach is used in f_acm and in f_hid.
With multiple instances it does not make sense to depend on a
lock_printer_io member of a dynamically allocated (and destroyed) struct
printer_dev to clean up after all instances of the printer function.
Signed-off-by: NAndrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: NFelipe Balbi <balbi@ti.com>

Verify that a given usb_ctrlrequest is meant for printer function.
The following parts of the request are tested:

- bmRequestType:Data transfer direction
- bmRequestType:Type
- bmRequestType:Recipient
- bRequest
- wValue for bRequest 1 and 2
- wLength

Additionally, the request is considered meant for this function
iff the decoded interface number matches dev->interface.
Signed-off-by: NAndrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: NFelipe Balbi <balbi@ti.com>

Avoid using magic numbers.
Signed-off-by: NAndrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: NFelipe Balbi <balbi@ti.com>

5 uses of container_of() in the same context justify wrapping it
in a static inline function.
Signed-off-by: NAndrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: NFelipe Balbi <balbi@ti.com>

The printer_dev can be recovered from printer_func_unbind() function's
parameters.
Signed-off-by: NAndrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: NFelipe Balbi <balbi@ti.com>

The mutex is a legacy after semi-automatic Big Kernel Lock removal.
printer_open() does its own locking, so no need to duplicate it.
Signed-off-by: NAndrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: NFelipe Balbi <balbi@ti.com>

Call gprinter_setup() from gadget's bind instead of module's init.
Call gprinter_cleaup() corerspondingly. This detaches printer function's
logic from legacy printer gadget's implementation.
Signed-off-by: NAndrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: NFelipe Balbi <balbi@ti.com>

Factor out gprinter_setup() and gprinter_cleanup() so that it is
easy to change the place they are called from.
Signed-off-by: NAndrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: NFelipe Balbi <balbi@ti.com>

In order to factor out a reusable f_printer, the function's code should
not use file global variables related to legacy printer gadget's
implementation.
Signed-off-by: NAndrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: NFelipe Balbi <balbi@ti.com>

Avoid using magic numbers.
Signed-off-by: NAndrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: NFelipe Balbi <balbi@ti.com>

In order to factor out a reusable f_printer.c, the code related to the
function should be placed in functions related to the function.

printer_cfg_unbind() becomes empty, so it is removed.
Signed-off-by: NAndrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: NFelipe Balbi <balbi@ti.com>

Conversion to the new function interface requires splitting a
<something>_bind_config() function into two parts: allocation of
container_of struct usb_function and invocation of usb_add_function().
This patch moves the latter to the end of the f_printer_bind_config()
in order to enable conversion to the new interface.
Signed-off-by: NAndrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: NFelipe Balbi <balbi@ti.com>

In order to factor out a reusable f_printer.c, the code related to the
function should be placed in functions related to the function.
Signed-off-by: NAndrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: NFelipe Balbi <balbi@ti.com>

Follow the convention of distributing source code between
<something>_do_config() and <something>_bind_config().
Signed-off-by: NAndrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: NFelipe Balbi <balbi@ti.com>

Legacy gadgets, before converting them to the new function framework,
used to use the name <something>_do_config() for usb_add_config()'s
callback.

This patch changes the name so that it is easier to follow
the convention.
Signed-off-by: NAndrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: NFelipe Balbi <balbi@ti.com>

The pdev member of struct printer_dev is not used outside
printer_bind_config(), so it can just as well be a local variable there.
Signed-off-by: NAndrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: NFelipe Balbi <balbi@ti.com>

If cdev_add() in printer_bind_config() fails, care is taken to
reverse the effects of initializations completed until the fail
happens. But if printer_req_alloc() fails, it is just one of the
two lists that is cleaned up while the effects of cdev_add()
and device_create() are not reverted.

This patch changes error handling so that at least as much cleanup is done
as when a failure happens before printer_req_alloc() invocations.
Signed-off-by: NAndrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: NFelipe Balbi <balbi@ti.com>

Whenever the "goto fail" branch is taken, the effect of usb_add_function()
should be reverted.
Signed-off-by: NAndrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: NFelipe Balbi <balbi@ti.com>

struct printer_dev contains 3 list heads: tx_reqs, rx_reqs and rx_buffers.
There is just one instance of this structure in the driver and it is
file static, and as such initialized with all zeros.

If device_create() or cdev_add() fails then "goto fail" branch is taken,
which results in printer_cfg_unbind() call. The latter checks if
tx_reqs, rx_reqs and rx_buffers lists are empty. The check for emptiness
is in fact a check whether the "next" member of struct list_head points
to the head of the list. But the heads of the lists in question have
not been initialized yet and, as mentioned above, contain all zeros,
so list_empty() returns false and respective "while" loop body starts
executing. Here, container_of() just subtracts the offset of a struct
usb_request member from an address of this same member, which results in
a value somewhere near 0 or 0xfff...ff. And the argument to list_del()
dereferences such a pointer which causes a disaster.

This patch moves respective INIT_LIST_HEAD() invocations to a point before
"goto fail" branch can be taken.
Signed-off-by: NAndrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: NFelipe Balbi <balbi@ti.com>

The unbind() method is optional is usb_composite_driver.
In this particular driver the method does nothing so it can be removed.
Signed-off-by: NAndrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: NFelipe Balbi <balbi@ti.com>

Function-specific setup requests should be handled in such a way, that
apart from filling in the data buffer, the requests are also actually
enqueued: if function-specific setup is called from composte_setup(),
the "usb_ep_queue()" block of code in composite_setup() is skipped.

The printer function lacks this part and it results in e.g. get device id
requests failing: the host expects some response, the device prepares it
but does not equeue it for sending to the host, so the host finally asserts
timeout.

This patch adds enqueueing the prepared responses.

Cc: <stable@vger.kernel.org> # v3.4+
Fixes: 2e87edf4: "usb: gadget: make g_printer use composite"
Signed-off-by: NAndrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: NFelipe Balbi <balbi@ti.com>

drivers/usb/gadget/legacy/printer.c:222:34: sparse: symbol 'ss_ep_in_comp_desc' was not declared. Should it be static?
drivers/usb/gadget/legacy/printer.c:234:34: sparse: symbol 'ss_ep_out_comp_desc' was not declared. Should it be static?
Signed-off-by: NFengguang Wu <fengguang.wu@intel.com>
Signed-off-by: NFelipe Balbi <balbi@ti.com>

Add SS descriptors to support the capabilities provided by USB3 controller
drivers; unit tests run using a PLX 3380 [max transfer speed measured of 1Gbps]

This driver shall fallback to lower operating modes when the higher ones are
not available.
Signed-off-by: NJorge Ramirez-Ortiz <jorge.ramirez-ortiz@linaro.org>
Signed-off-by: NFelipe Balbi <balbi@ti.com>

The drivers/usb/gadget directory contains many files.
Files which are related can be distributed into separate directories.
This patch moves the legacy gadgets (i.e. those not using configfs)
into a separate directory.
Signed-off-by: NAndrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: NFelipe Balbi <balbi@ti.com>

We need to use gadget_is_otg to check if the gadget is really
otg support at runtime, other composite gadget drivers have already
followed this method.
Signed-off-by: NPeter Chen <peter.chen@freescale.com>
Signed-off-by: NFelipe Balbi <balbi@ti.com>

When read data from g_printer, we see a Segmentation fault. eg:

Unable to handle kernel paging request at virtual address bf048000 pgd
= cf038000 [bf048000] *pgd=8e8cf811, *pte=00000000, *ppte=00000000
Internal error: Oops: 7 [#1] PREEMPT ARM Modules linked in: bluetooth
rfcomm g_printer
CPU: 0    Not tainted  (3.4.43-WR5.0.1.9_standard #1)
PC is at __copy_to_user_std+0x310/0x3a8 LR is at 0x4c808010
pc : [<c036e990>]    lr : [<4c808010>]    psr: 20000013
sp : cf883ea8  ip : 80801018  fp : cf883f24
r10: bf04706c  r9 : 18a21205  r8 : 21953888
r7 : 201588aa  r6 : 5109aa16  r5 : 0705aaa2  r4 : 5140aa8a
r3 : 0000004c  r2 : 00000fdc  r1 : bf048000  r0 : bef5fc3c
Flags: nzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
Control: 10c5387d  Table: 8f038019  DAC: 00000015 Process
g_printer_test. (pid: 661, stack limit = 0xcf8822e8)
Stack: (0xcf883ea8 to 0xcf884000)
3ea0:                   bf047068 00001fff bef5ecb9 cf882000 00001fff bef5ecb9
3ec0: 00001fff 00000000 cf2e8724 bf044d3c 80000013 80000013 00000001
bf04706c
3ee0: cf883f24 cf883ef0 c012e5ac c0324388 c007c8ac c0046298 00008180
cf29b900
3f00: 00002000 bef5ecb8 cf883f68 00000003 cf882000 cf29b900 cf883f54
cf883f28
3f20: c012ea08 bf044b0c c000eb88 00000000 cf883f7c 00000000 00000000
00002000
3f40: bef5ecb8 00000003 cf883fa4 cf883f58 c012eae8 c012e960 00000001
bef60cb8
3f60: 000000a8 c000eb88 00000000 00000000 cf883fa4 00000000 c014329c
00000000
3f80: 000000d4 41af63f0 00000003 c000eb88 cf882000 00000000 00000000
cf883fa8
3fa0: c000e920 c012eaa4 00000000 000000d4 00000003 bef5ecb8 00002000
bef5ecb8
3fc0: 00000000 000000d4 41af63f0 00000003 b6f534c0 00000000 419f9000
00000000
3fe0: 00000000 bef5ecac 000086d9 41a986bc 60000010 00000003 0109608a
0088828a
Code: f5d1f07c e8b100f0 e1a03c2e e2522020 (e8b15300) ---[ end trace
97e2618e250e3377 ]--- Segmentation fault

The root cause is the dev->rx_buffers list has been broken.
When we call printer_read(), the following call tree is triggered:

printer_read()
	|
	+---setup_rx_reqs(req)
	|	|
	|	+---usb_ep_queue(req)
	|	|	|
	|	|	+---...
	|	|		|
	|	|		+---rx_complete(req).
	|	|
	|	+---add the req to dev->rx_reqs_active
	|
	+---while(!list_empty(&dev->rx_buffers)))

The route happens when we don't use DMA or fail to start DMA in USB
driver. We can see: in the case, in rx_complete() it will add the req
to dev->rx_buffers. meanwhile we see that we will also add the req to
dev->rx_reqs_active after usb_ep_queue() return, so this adding will
break the dev->rx_buffers out.

After, when we call list_empty() to check dev->rx_buffers in while(),
due to can't check correctly dev->rx_buffers, so the Segmentation fault
occurs when copy_to_user() is called.
Signed-off-by: Nwenlin.kang <wenlin.kang@windriver.com>
Signed-off-by: NFelipe Balbi <balbi@ti.com>

The problem occurs in follow path.

printer_read()
	|
	+---setup_rx_reqs()
		|
		+---usb_ep_queue()
			|
			+---...
				|
				+---rx_complete()

Although it is clear from code, we can't get it normally.
only when we enable some spin_lock debug config option, we can find it.
eg:
BUG: spinlock lockup on CPU#0, g_printer_test_/584
 lock: bf05e158, .magic: dead4ead, .owner: g_printer_test_/584, .owner_cpu: 0
[<c0016e1c>] (unwind_backtrace+0x0/0x104) from [<c067aef8>] (dump_stack+0x20/0x24)
[<c067aef8>] (dump_stack+0x20/0x24) from [<c0680bec>] (spin_dump+0x8c/0x94)
[<c0680bec>] (spin_dump+0x8c/0x94) from [<c039071c>] (do_raw_spin_lock+0x128/0x154)
[<c039071c>] (do_raw_spin_lock+0x128/0x154) from [<c0685618>] (_raw_spin_lock_irqsave+0x64/0x70)
[<c0685618>] (_raw_spin_lock_irqsave+0x64/0x70) from [<bf05b4e8>] (rx_complete+0x54/0x10c [g_printer])
[<bf05b4e8>] (rx_complete+0x54/0x10c [g_printer]) from [<c0480478>] (musb_g_giveback+0x78/0x88)
[<c0480478>] (musb_g_giveback+0x78/0x88) from [<c048060c>] (rxstate+0xa0/0x10c)
[<c048060c>] (rxstate+0xa0/0x10c) from [<c0480d50>] (musb_ep_restart+0x44/0x70)
[<c0480d50>] (musb_ep_restart+0x44/0x70) from [<c0480fe4>] (musb_gadget_queue+0xe8/0xf8)
[<c0480fe4>] (musb_gadget_queue+0xe8/0xf8) from [<bf05b2b0>] (setup_rx_reqs+0xa4/0x178 [g_printer])
[<bf05b2b0>] (setup_rx_reqs+0xa4/0x178 [g_printer]) from [<bf05bb58>] (printer_read+0x9c/0x3f4 [g_printer])
[<bf05bb58>] (printer_read+0x9c/0x3f4 [g_printer]) from [<c01387f0>] (vfs_read+0xb4/0x144)
[<c01387f0>] (vfs_read+0xb4/0x144) from [<c01388d0>] (sys_read+0x50/0x124)
[<c01388d0>] (sys_read+0x50/0x124) from [<c000e900>] (ret_fast_syscall+0x0/0x3c)

The root cause is that we use the same lock two time in a path, so to avoid
the deadlock, we need to unlock in setup_rx_reqs(), and only unlock.
Signed-off-by: Nwenlin.kang <wenlin.kang@windriver.com>
Signed-off-by: NFelipe Balbi <balbi@ti.com>

Set the return variable to an error code as done elsewhere in the function.

A simplified version of the semantic match that finds this problem is as
follows: (http://coccinelle.lip6.fr/)

// <smpl>
(
if@p1 (\(ret < 0\|ret != 0\))
 { ... return ret; }
|
ret@p1 = 0
)
... when != ret = e1
    when != &ret
*if(...)
{
  ... when != ret = e2
      when forall
 return ret;
}

// </smpl>
Signed-off-by: NJulia Lawall <Julia.Lawall@lip6.fr>
Signed-off-by: NFelipe Balbi <balbi@ti.com>

Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>