ffs_func_eps_disable is called from atomic context so it cannot sleep
thus cannot grab a mutex.  Change the handling of epfile->read_buffer
to use non-sleeping synchronisation method.
Reported-by: NChen Yu <chenyu56@huawei.com>
Signed-off-by: NMichał Nazarewicz <mina86@mina86.com>
Fixes: 9353afbb ("buffer data from ‘oversized’ OUT requests")
Tested-by: NJohn Stultz <john.stultz@linaro.org>
Tested-by: NChen Yu <chenyu56@huawei.com>
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>

epfile->ep is protected by ffs->eps_lock (not epfile->mutex) so clear it
while holding the spin lock.
Tested-by: NJohn Stultz <john.stultz@linaro.org>
Tested-by: NChen Yu <chenyu56@huawei.com>
Signed-off-by: NMichal Nazarewicz <mina86@mina86.com>
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>

If we don't guarantee that we will always get an
interrupt at least when we're queueing our very last
request, we could fall into situation where we queue
every request with 'no_interrupt' set. This will
cause the link to get stuck.

The behavior above has been triggered with g_ether
and dwc3.

Cc: <stable@vger.kernel.org>
Reported-by: NVille Syrjälä <ville.syrjala@linux.intel.com>
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>

CURRENT_TIME macro is not appropriate for filesystems as it
doesn't use the right granularity for filesystem timestamps.
Use current_time() instead.

CURRENT_TIME is also not y2038 safe.

This is also in preparation for the patch that transitions
vfs timestamps to use 64 bit time and hence make them
y2038 safe. As part of the effort current_time() will be
extended to do range checks. Hence, it is necessary for all
file system timestamps to use current_time(). Also,
current_time() will be transitioned along with vfs to be
y2038 safe.

Note that whenever a single call to current_time() is used
to change timestamps in different inodes, it is because they
share the same time granularity.
Signed-off-by: NDeepa Dinamani <deepa.kernel@gmail.com>
Reviewed-by: NArnd Bergmann <arnd@arndb.de>
Acked-by: NFelipe Balbi <balbi@kernel.org>
Acked-by: NSteven Whitehouse <swhiteho@redhat.com>
Acked-by: NRyusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
Acked-by: NDavid Sterba <dsterba@suse.com>
Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>

This reverts commit c9ffc787 as it was
reported to be broken.

Cc: Felipe Balbi <felipe.balbi@linux.intel.com>
Cc: Jim Baxter <jim_baxter@mentor.com>
Cc: Harish Jenny K N <harish_kandiga@mentor.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

This commit incorporates findings from
https://lkml.org/lkml/2016/4/25/594

The function has been modified to make sure we hold
the dev lock when accessing the net device pointer.
Acked-by: NJim Baxter <jim_baxter@mentor.com>
Signed-off-by: NHarish Jenny K N <harish_kandiga@mentor.com>
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>

dev->port_usb is checked for null pointer previously, so dev->port_usb
might be null during no zlp check, fix it by adding null pointer check.
Acked-by: NJim Baxter <jim_baxter@mentor.com>
Signed-off-by: NHarish Jenny K N <harish_kandiga@mentor.com>
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>

the if statement in lb_modinit is unnecessary so we can totally
remove the variable ret and just return the return value from
the call to usb_function_register.
Signed-off-by: NColin Ian King <colin.king@canonical.com>
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>

The struct ffs_data::private_data has a pointer to
ffs_dev stored in it during the ffs_fs_mount() function
however it is not cleared when the ffs_dev is freed
later which causes the ffs_closed function to crash
with "Unable to handle kernel NULL pointer dereference"
error when using the data in ffs_data::private_data.

This clears this pointer during the ffs_free_dev clean
up function.
Signed-off-by: NJim Baxter <jim_baxter@mentor.com>
Signed-off-by: NJiada Wang <jiada_wang@mentor.com>
Signed-off-by: NHarish Jenny K N <harish_kandiga@mentor.com>
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>

An earlier fix partially fixed the null pointer dereference on skb->len
by moving the assignment of len after the check on skb being non-null,
however it failed to remove the erroneous dereference when assigning len.
Correctly fix this by removing the initialisation of len as was
originally intended.

Fixes: 70237dc8 ("usb: gadget: function: f_eem: socket buffer may be NULL")
Acked-by: NPeter Chen <peter.chen@nxp.com>
Signed-off-by: NColin Ian King <colin.king@canonical.com>
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>

Some UVC commands require additional data (non zero uvc->event_length).
Add usb_ep_queue() call, so uvc_function_ep0_complete() can be called
and send received data to the userspace.
Signed-off-by: NPetr Cvek <petr.cvek@tul.cz>
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>

This patch adds to support no_skb_reserve function to improve
performance for some platforms. About the detail, please refer to
the commit log of "quirk_avoids_skb_reserve" in
include/linux/usb/gadget.h.
Signed-off-by: NYoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>

This patch adds a flag "no_skb_reserve" in struct eth_dev.
So, if a peripheral driver sets the quirk_avoids_skb_reserve flag,
upper network gadget drivers (e.g. f_ncm.c) can avoid skb_reserve()
calling using the flag as well.
Signed-off-by: NYoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>

Use gadget's framework allocation function instead of directly calling
usb_ep_alloc_request().
Signed-off-by: NFelipe F. Tonello <eu@felipetonello.com>
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>

We should always use free_ep_req() when allocating requests with
alloc_ep_req().
Signed-off-by: NFelipe F. Tonello <eu@felipetonello.com>
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>

The default_length parameter of alloc_ep_req was not really necessary
and gadget drivers would almost always create an inline function to pass
the same value to len and default_len.

This patch removes that parameter and updates all calls to alloc_ep_req() to
use the new API.
Signed-off-by: NFelipe F. Tonello <eu@felipetonello.com>
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>

Introduces a new FunctionFS descriptor flag named
FUNCTIONFS_CONFIG0_SETUP.

When this flag is enabled, FunctionFS userspace drivers can process
non-standard control requests in configuration 0.
Signed-off-by: NFelix Hädicke <felixhaedicke@web.de>
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>

It can sometimes be necessary for gadget drivers to process non-standard
control requests, which host devices can send without having sent
USB_REQ_SET_CONFIGURATION.

Therefore, the req_match() usb_function method is enhanced with the new
parameter "config0". When a USB configuration is active, this parameter
is false. When a non-core control request is processed in
composite_setup(), without an active configuration, req_match() of the
USB functions of all available configurations which implement this
function, is called with config0=true. Then the control request gets
processed by the first usb_function instance whose req_match() returns
true.
Signed-off-by: NFelix Hädicke <felixhaedicke@web.de>
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>

Introduces a new FunctionFS descriptor flag named
FUNCTIONFS_ALL_CTRL_RECIP. When this flag is enabled, control requests,
which are not explicitly directed to an interface or endpoint, can be
handled.

This allows FunctionFS userspace drivers to process non-standard
control requests.
Signed-off-by: NFelix Hädicke <felixhaedicke@web.de>
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>

Even if the /dev/hidg* chardev is automatically created, one
has to guess which one belongs to which function. In the case
of multiple HID functions, or maybe even multiple peripherals,
this becomes difficult.

Add the dev (with major and minor number) to configfs to allow
looking up (or even creating) the right device node for each
function. This file is read-only.
Signed-off-by: NJohannes Berg <johannes@sipsolutions.net>
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>

This change makes sure that the ALSA buffers are cleaned if an endpoint
becomes disabled.

Before this change, if the internal ALSA buffer did overflow, the MIDI
function would stop sending MIDI to the host.
Signed-off-by: NFelipe F. Tonello <eu@felipetonello.com>
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>

This refactor results in a cleaner state machine code and promotes
consistency, readability, and maintanability of this driver.

This refactor state machine was well tested and it is currently running in
production code and devices.
Signed-off-by: NFelipe F. Tonello <eu@felipetonello.com>
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>

512 is the value used by wMaxPacketSize, as specified by the USB Spec. This
makes sure this driver uses, by default, the most optimal value for IN and OUT
endpoint requests.
Signed-off-by: NFelipe F. Tonello <eu@felipetonello.com>
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>

The new version of alloc_ep_req() already aligns the buffer size to
wMaxPacketSize on OUT endpoints.
Signed-off-by: NFelipe F. Tonello <eu@felipetonello.com>
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>

Introduce an attribute "inquiry_string" to the lun.

In some environments, e. g. BIOS boot menus, the inquiry string
is the only information about devices presented to the user. The
default string depends on the "cdrom" bit of the first lun as
well as the kernel version and allows no further customization.
So without access to the client it is not obvious which gadget is
active at a given point and what any of the available luns might
contain.

If "inquiry_string" is ignored or set to the empty string, the
old behavior is preserved.
Signed-off-by: NPhilipp Gesang <philipp.gesang@intra2net.com>
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>

Patch enables SuperSpeed for NCM gadget.

Tested with USB3380 and measured TCP throughput with two Intel PCs:
  udc to host: 920 Mbit/s
  host to udc: 550 Mbit/s
Signed-off-by: NJussi Kivilinna <jussi.kivilinna@haltian.com>
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>

When usb gadget is set gadget serial function, it will be crash in below
situation.

It will clean the 'port->port_usb' pointer in gserial_disconnect() function
when usb link is inactive, but it will release lock for disabling the endpoints
in this function. Druing the lock release period, it maybe complete one request
to issue gs_write_complete()--->gs_start_tx() function, but the 'port->port_usb'
pointer had been set NULL, thus it will be crash in gs_start_tx() function.

This patch adds the 'port->port_usb' pointer checking in gs_start_tx() function
to avoid this situation.
Signed-off-by: NBaolin Wang <baolin.wang@linaro.org>
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>

In eth_start_xmit, the socket buffer may be NULL. So, add NULL pointer
check at .wrap API.
Signed-off-by: NPeter Chen <peter.chen@nxp.com>
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>

In eth_start_xmit, the socket buffer may be NULL. So, add NULL pointer
check at .wrap API.
Signed-off-by: NPeter Chen <peter.chen@nxp.com>
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>

When rndis data transfer is in progress, some Windows7 Host PC is not
sending the GET_ENCAPSULATED_RESPONSE command for receiving the response
for the previous SEND_ENCAPSULATED_COMMAND processed.

The rndis function driver appends each response for the
SEND_ENCAPSULATED_COMMAND in a queue. As the above process got corrupted,
the Host sends a REMOTE_NDIS_RESET_MSG command to do a soft-reset.
As the rndis response queue is not freed, the previous response is sent
as a part of this REMOTE_NDIS_RESET_MSG's reset response and the Host
block any more Rndis transfers.

Hence free the rndis response queue as a part of this soft-reset so that
the correct response for REMOTE_NDIS_RESET_MSG is sent properly during the
response command.
Signed-off-by: NRajkumar Raghupathy <raghup@codeaurora.org>
Signed-off-by: NXerox Lin <xerox_lin@htc.com>
[AmitP: Cherry-picked this patch and folded other relevant
        fixes from Android common kernel android-4.4]
Signed-off-by: NAmit Pundir <amit.pundir@linaro.org>
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>

If this memory allocation fail, we will return 0, which means success.
Return -ENOMEM instead.
Reviewed-by: NLaurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: NChristophe JAILLET <christophe.jaillet@wanadoo.fr>
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>

dev->port_usb is checked for null pointer at above code, so dev->port_usb
might be null, fix it by adding null pointer check.
Signed-off-by: NPeter Chen <peter.chen@nxp.com>
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>

Make this a proper typed array. Drop the old allocate context code since
that is no longer used.

Note that the memops functions now get a struct device pointer instead of
the struct device ** that was there initially (actually a void pointer to
a struct containing only a struct device pointer).

This code is now a lot cleaner.
Signed-off-by: NHans Verkuil <hans.verkuil@cisco.com>
Reviewed-by: NLaurent Pinchart <laurent.pinchart@ideasonboard.com>
Cc: Sakari Ailus <sakari.ailus@iki.fi>
Signed-off-by: NMauro Carvalho Chehab <mchehab@s-opensource.com>

Return -ENOMEM if kmalloc() fails.

Fixes: 9353afbb ('usb: gadget: f_fs: buffer data from ‘oversized’ OUT requests')
Signed-off-by: NDan Carpenter <dan.carpenter@oracle.com>
Acked-by: NMichal Nazarewicz <mina86@mina86.com>
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>

f_fs rounds up read(2) requests to a multiple of a max packet size
which means that host may provide more data than user has space for.
So far, the excess data has been silently ignored.

This introduces a buffer for a tail of such requests so that they are
returned on next read instead of being ignored.
Signed-off-by: NMichal Nazarewicz <mina86@mina86.com>
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>

Add a pr_err when host sent more data then the size of the buffer user
space gave us.  This may happen on UDCs which require OUT requests to
be aligned to max packet size.  The patch includes a description of the
situation.
Signed-off-by: NMichal Nazarewicz <mina86@mina86.com>
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>

Those are enabled with W=1 make option.

The patch leaves of some type-limits warnings which are caused by
generic macros used in a way where they produce always-false
conditions.
Signed-off-by: NMichal Nazarewicz <mina86@mina86.com>
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>

valid range for storage buffers is encoded in
Kconfig already. Instead of checking again, let's
drop fsg_num_buffers_validate() altogether.
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>

If c->cdev->use_os_string flag is not set,
don't need to invoke ffs_do_os_descs() in _ffs_func_bind.
So uninitialized ext_compat_id pointer won't be accessed by
__ffs_func_bind_do_os_desc to cause kernel panic.
Signed-off-by: NJim Lin <jilin@nvidia.com>
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>

Commit dc8c46a5 ("usb: gadget: f_tcm: convert to new function
interface with backward compatibility") introduced a possible out
of bounds memory access:

If tpg is not found in function usbg_drop_tpg,
tpg_instances[TPG_INSTANCES] is accessed.

Fixes: dc8c46a5 ("usb: gadget: f_tcm: convert to new function interface with backward compatibility")
Signed-off-by: NHeinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>