<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux.git/drivers/usb/gadget, branch v4.1</title>
<subtitle>Linux kernel source tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/'/>
<entry>
<title>usb: gadget: f_fs: fix check in read operation</title>
<updated>2015-05-26T15:20:57+00:00</updated>
<author>
<name>Rui Miguel Silva</name>
<email>rui.silva@linaro.org</email>
</author>
<published>2015-05-20T13:53:33+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=342f39a6c8d34d638a87b7d5f2156adc4db2585c'/>
<id>342f39a6c8d34d638a87b7d5f2156adc4db2585c</id>
<content type='text'>
When copying to iter the size can be different than the iov count,
the check for full iov is wrong and makes any read on request which
is not exactly the size of iov return -EFAULT.

So, just check the success of the copy.

Signed-off-by: Rui Miguel Silva &lt;rui.silva@linaro.org&gt;
Signed-off-by: Felipe Balbi &lt;balbi@ti.com&gt;
</content>
</entry>
<entry>
<title>usb: gadget: f_uac1: check return code from config_ep_by_speed</title>
<updated>2015-05-26T15:15:09+00:00</updated>
<author>
<name>Michael Trimarchi</name>
<email>michael@amarulasolutions.com</email>
</author>
<published>2015-05-18T15:28:58+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=ca4de53c522f261e84efb659a07435bd1a5a8828'/>
<id>ca4de53c522f261e84efb659a07435bd1a5a8828</id>
<content type='text'>
Not checking config_ep_by_speed could lead to a kernel
NULL pointer dereference error in usb_ep_enable

Cc: Felipe Balbi &lt;balbi@ti.com&gt;
Signed-off-by: Michael Trimarchi &lt;michael@amarulasolutions.com&gt;
Signed-off-by: Felipe Balbi &lt;balbi@ti.com&gt;
</content>
</entry>
<entry>
<title>usb: gadget: ffs: fix: Always call ffs_closed() in ffs_data_clear()</title>
<updated>2015-05-26T15:15:09+00:00</updated>
<author>
<name>Krzysztof Opasiak</name>
<email>k.opasiak@samsung.com</email>
</author>
<published>2015-05-22T15:25:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=49a79d8b0a5f8239b8424a3eb730006faada0ad8'/>
<id>49a79d8b0a5f8239b8424a3eb730006faada0ad8</id>
<content type='text'>
Originally FFS_FL_CALL_CLOSED_CALLBACK flag has been used to
indicate if we should call ffs_closed_callback().

Commit 4b187fceec3c ("usb: gadget: FunctionFS: add devices
management code") changed its semantic to indicate if we should
call ffs_closed() function which does a little bit more.

This situation leads to:

[  122.362269] ------------[ cut here ]------------
[  122.362287] WARNING: CPU: 2 PID: 2384 at drivers/usb/gadget/function/f_fs.c:3417 ffs_ep0_write+0x730/0x810 [usb_f_fs]()
[  122.362292] Modules linked in:
[  122.362555] CPU: 2 PID: 2384 Comm: adbd Tainted: G        W       4.1.0-0.rc4.git0.1.1.fc22.i686 #1
[  122.362561] Hardware name: To be filled by O.E.M. To be filled by O.E.M./Aptio CRB, BIOS 5.6.5 07/25/2014
[  122.362567]  c0d1f947 415badfa 00000000 d1029e64 c0a86e54 00000000 d1029e94 c045b937
[  122.362584]  c0c37f94 00000002 00000950 f9b313d4 00000d59 f9b2ebf0 f9b2ebf0 fffffff0
[  122.362600]  00000003 deb53d00 d1029ea4 c045ba42 00000009 00000000 d1029f08 f9b2ebf0
[  122.362617] Call Trace:
[  122.362633]  [&lt;c0a86e54&gt;] dump_stack+0x41/0x52
[  122.362645]  [&lt;c045b937&gt;] warn_slowpath_common+0x87/0xc0
[  122.362658]  [&lt;f9b2ebf0&gt;] ? ffs_ep0_write+0x730/0x810 [usb_f_fs]
[  122.362668]  [&lt;f9b2ebf0&gt;] ? ffs_ep0_write+0x730/0x810 [usb_f_fs]
[  122.362678]  [&lt;c045ba42&gt;] warn_slowpath_null+0x22/0x30
[  122.362689]  [&lt;f9b2ebf0&gt;] ffs_ep0_write+0x730/0x810 [usb_f_fs]
[  122.362702]  [&lt;f9b2e4c0&gt;] ? ffs_ep0_read+0x380/0x380 [usb_f_fs]
[  122.362712]  [&lt;c05a1c1f&gt;] __vfs_write+0x2f/0x100
[  122.362722]  [&lt;c05a42f2&gt;] ? __sb_start_write+0x52/0x110
[  122.362731]  [&lt;c05a2534&gt;] vfs_write+0x94/0x1b0
[  122.362740]  [&lt;c0a8a1c0&gt;] ? mutex_lock+0x10/0x30
[  122.362749]  [&lt;c05a2f41&gt;] SyS_write+0x51/0xb0
[  122.362759]  [&lt;c0a8c71f&gt;] sysenter_do_call+0x12/0x12
[  122.362766] ---[ end trace 0673d3467cecf8db ]---

in some cases (reproduction path below). This commit gets back
the semantic of that flag and ensures that ffs_closed() is called
always when needed but ffs_closed_callback() is called only
if this flag is set.

Reproduction path:
Compile kernel without any UDC driver or bind some gadget
to the existing one and then:

$ modprobe g_ffs
$ mount none -t functionfs mount_point
$ ffs-example mount_point

This will fail with -ENODEV as there is no udc.

$ ffs-example mount_point

This will fail with -EBUSY because ffs_data has not been
properly cleaned up.

Signed-off-by: Krzysztof Opasiak &lt;k.opasiak@samsung.com&gt;
Signed-off-by: Felipe Balbi &lt;balbi@ti.com&gt;
</content>
</entry>
<entry>
<title>usb: gadget: g_ffs: Fix counting of missing_functions</title>
<updated>2015-05-26T15:15:08+00:00</updated>
<author>
<name>Krzysztof Opasiak</name>
<email>k.opasiak@samsung.com</email>
</author>
<published>2015-05-22T15:25:17+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=c41b33c58d11f32e95d06f634ddba0cbf39fc7c6'/>
<id>c41b33c58d11f32e95d06f634ddba0cbf39fc7c6</id>
<content type='text'>
Returning non-zero value from ready callback makes ffs instance
return error from writing strings and enter FFS_CLOSING state.
This means that this function is not truly ready and
close callback will not be called. This commit fixes
ffs_ready_callback() to undo all side effects of this function
in case of error.

Signed-off-by: Krzysztof Opasiak &lt;k.opasiak@samsung.com&gt;
Signed-off-by: Felipe Balbi &lt;balbi@ti.com&gt;
</content>
</entry>
<entry>
<title>usb: s3c2410_udc: correct reversed pullup logic</title>
<updated>2015-05-26T15:15:02+00:00</updated>
<author>
<name>Sergiy Kibrik</name>
<email>sakib@meta.ua</email>
</author>
<published>2015-05-16T13:55:03+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=10f095801cda5cdf24839e2fe90c08cb85a28da6'/>
<id>10f095801cda5cdf24839e2fe90c08cb85a28da6</id>
<content type='text'>
For some reason the code has always been disabling pullup
when asked to do the opposite. According to surrounding code
and gadget API this seems to be a mistake. This fix allows
UDC to be detected by host controller on recent kernels.

Signed-off-by: Sergiy Kibrik &lt;sakib@meta.ua&gt;
Signed-off-by: Felipe Balbi &lt;balbi@ti.com&gt;
</content>
</entry>
<entry>
<title>usb: gadget: f_midi: fix segfault when reading empty id</title>
<updated>2015-05-14T19:04:57+00:00</updated>
<author>
<name>Pawel Szewczyk</name>
<email>p.szewczyk@samsung.com</email>
</author>
<published>2015-05-14T12:14:11+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=a25a23cc85a28090bf8ab0e750b48e7ab283ba8a'/>
<id>a25a23cc85a28090bf8ab0e750b48e7ab283ba8a</id>
<content type='text'>
When midi function is created, 'id' attribute is initialized with
SNDRV_DEFAULT_STR1, which is NULL pointer. Trying to read this attribute
before filling it ends up with segmentation fault.

This commit fixes this issue by preventing null pointer dereference. Now
f_midi_opts_id_show() returns empty string when id is a null pointer.

Reproduction path:

$ mkdir functions/midi.0
$ cat functions/midi.0/id

[   53.130132] Unable to handle kernel NULL pointer dereference at
virtual address 00000000
[   53.132630] pgd = ec6cc000
[   53.135308] [00000000] *pgd=6b759831, *pte=00000000, *ppte=00000000
[   53.141530] Internal error: Oops: 17 [#1] PREEMPT SMP ARM
[   53.146904] Modules linked in: usb_f_midi snd_rawmidi libcomposite
[   53.153071] CPU: 1 PID: 2936 Comm: cat Not tainted
3.19.0-00041-gcf4b216 #7
[   53.160010] Hardware name: SAMSUNG EXYNOS (Flattened Device Tree)
[   53.166088] task: ee234c80 ti: ec764000 task.ti: ec764000
[   53.171482] PC is at strlcpy+0x8/0x60
[   53.175128] LR is at f_midi_opts_id_show+0x28/0x3c [usb_f_midi]
[   53.181019] pc : [&lt;c0222a9c&gt;]    lr : [&lt;bf01bed0&gt;]    psr: 60000053
[   53.181019] sp : ec765ef8  ip : 00000141  fp : 00000000
[   53.192474] r10: 00019000  r9 : ed7546c0  r8 : 00010000
[   53.197682] r7 : ec765f80  r6 : eb46a000  r5 : eb46a000  r4 :
ed754734
[   53.204192] r3 : ee234c80  r2 : 00001000  r1 : 00000000  r0 :
eb46a000
[   53.210704] Flags: nZCv  IRQs on  FIQs off  Mode SVC_32  ISA ARM
Segment user
[   53.217907] Control: 10c5387d  Table: 6c6cc04a  DAC: 00000015
[   53.223636] Process cat (pid: 2936, stack limit = 0xec764238)
[   53.229364] Stack: (0xec765ef8 to 0xec766000)
[   53.307157] [&lt;c0222a9c&gt;] (strlcpy) from [&lt;bf01bed0&gt;]
(f_midi_opts_id_show+0x28/0x3c [usb_f_midi])
[   53.316006] [&lt;bf01bed0&gt;] (f_midi_opts_id_show [usb_f_midi]) from
[&lt;bf01b0a4&gt;] (f_midi_opts_attr_show+0x18/0x24 )
[   53.327209] [&lt;bf01b0a4&gt;] (f_midi_opts_attr_show [usb_f_midi]) from
[&lt;c0125dd0&gt;] (configfs_read_file+0x9c/0xec)
[   53.337180] [&lt;c0125dd0&gt;] (configfs_read_file) from [&lt;c00cc4ac&gt;]
(__vfs_read+0x18/0x4c)
[   53.345073] [&lt;c00cc4ac&gt;] (__vfs_read) from [&lt;c00cc55c&gt;]
(vfs_read+0x7c/0x100)
[   53.352190] [&lt;c00cc55c&gt;] (vfs_read) from [&lt;c00cc620&gt;]
(SyS_read+0x40/0x8c)
[   53.359056] [&lt;c00cc620&gt;] (SyS_read) from [&lt;c000e7e0&gt;]
(ret_fast_syscall+0x0/0x34)
[   53.366513] Code: ebffe3d3 e8bd8008 e92d4070 e1a05000 (e5d14000)
[   53.372641] ---[ end trace e4f53a4e233d98d0 ]---

Signed-off-by: Pawel Szewczyk &lt;p.szewczyk@samsung.com&gt;
Signed-off-by: Felipe Balbi &lt;balbi@ti.com&gt;
</content>
</entry>
<entry>
<title>usb: gadget: remove incorrect __init/__exit annotations</title>
<updated>2015-04-27T19:45:35+00:00</updated>
<author>
<name>Arnd Bergmann</name>
<email>arnd@arndb.de</email>
</author>
<published>2015-04-10T22:14:21+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=c94e289f195e0e13cf34d27f9338d28221a85751'/>
<id>c94e289f195e0e13cf34d27f9338d28221a85751</id>
<content type='text'>
A recent change introduced a link error for the composite
printer gadget driver:

`printer_unbind' referenced in section `.ref.data' of drivers/built-in.o: defined in discarded section `.exit.text' of drivers/built-in.o

Evidently the unbind function should not be marked __exit here,
because it is called through a callback pointer that is not necessarily
discarded, __composite_unbind() is indeed called from the error path of
composite_bind(), which can never work for a built-in driver.

Looking at the surrounding code, I found the same problem in all other
composite gadget drivers in both the bind and unbind functions, as
well as the udc platform driver 'remove' functions. Those will break
if anyone uses the 'unbind' sysfs attribute to detach a device from a
built-in driver.

This patch removes the incorrect annotations from all the gadget
drivers.

Signed-off-by: Arnd Bergmann &lt;arnd@arndb.de&gt;
Signed-off-by: Felipe Balbi &lt;balbi@ti.com&gt;
</content>
</entry>
<entry>
<title>usb: gadget: serial: fix re-ordering of tx data</title>
<updated>2015-04-27T19:44:29+00:00</updated>
<author>
<name>Philip Oberstaller</name>
<email>Philip.Oberstaller@septentrio.com</email>
</author>
<published>2015-03-27T16:42:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=3e9d3d2efc677b501b12512cab5adb4f32a0673a'/>
<id>3e9d3d2efc677b501b12512cab5adb4f32a0673a</id>
<content type='text'>
When a single thread is sending out data over the gadget serial port,
gs_start_tx() will be called both from the sender context and from the
write completion. Since the port lock is released before the packet is
queued, the order in which the URBs are submitted is not guaranteed.
E.g.

  sending thread                      completion (interrupt)

  gs_write()
    LOCK
                                      gs_write_complete()
                                        LOCK (wait)
    gs_start_tx()
      req1 = list_entry(pool-&gt;next)
      UNLOCK
                                        LOCK (acquired)
                                        gs_start_tx()
                                          req2 = list_entry(pool-&gt;next)
                                          UNLOCK
                                          usb_ep_queue(req2)
      usb_ep_queue(req1)

I.e., req2 is submitted before req1 but it contains the data that
comes after req1.

To reproduce, use SMP with sending thread and completion pinned to
different CPUs, or use PREEMPT_RT, and add the following delay just
before the call to usb_ep_queue():

		if (port-&gt;write_started &gt; 0 &amp;&amp; !list_empty(pool))
			udelay(1000);

To work around this problem, make sure that only one thread is running
through the gs_start_tx() loop with an extra flag write_busy. Since
gs_start_tx() is always called with the port lock held, no further
synchronisation is needed. The original caller will continue through
the loop when the request was successfully submitted.

Signed-off-by: Philip Oberstaller &lt;Philip.Oberstaller@septentrio.com&gt;
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) &lt;arnout@mind.be&gt;
Signed-off-by: Felipe Balbi &lt;balbi@ti.com&gt;
</content>
</entry>
<entry>
<title>usb: gadget: hid: Fix static variable usage</title>
<updated>2015-04-27T19:44:23+00:00</updated>
<author>
<name>Krzysztof Opasiak</name>
<email>kopasiak90@gmail.com</email>
</author>
<published>2015-03-27T08:35:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=f286d487e9283a42a8844659bb5552b3f1bf6a7d'/>
<id>f286d487e9283a42a8844659bb5552b3f1bf6a7d</id>
<content type='text'>
If we have multiple instances of hid function, each of
them may have different report descriptor, also their
length may be different.

Currently we are using static hidg_desc variable which
is being filled in hidg_bind(). Then we send its content
to host in hidg_setup() function. This content may
have been already overwritten if another instance
has executed hidg_bind().

Signed-off-by: Krzysztof Opasiak &lt;k.opasiak@samsung.com&gt;
Signed-off-by: Felipe Balbi &lt;balbi@ti.com&gt;
</content>
</entry>
<entry>
<title>usb: gadget: configfs: Fix interfaces array NULL-termination</title>
<updated>2015-04-27T19:44:04+00:00</updated>
<author>
<name>Krzysztof Opasiak</name>
<email>k.opasiak@samsung.com</email>
</author>
<published>2015-03-20T14:48:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=903124fe1aa284f61745a9dd4fbfa0184e569fff'/>
<id>903124fe1aa284f61745a9dd4fbfa0184e569fff</id>
<content type='text'>
memset() to 0 interfaces array before reusing
usb_configuration structure.

This commit fixes the bug:

ln -s functions/acm.1 configs/c.1
ln -s functions/acm.2 configs/c.1
ln -s functions/acm.3 configs/c.1
echo "UDC name" &gt; UDC
echo "" &gt; UDC
rm configs/c.1/acm.*
rmdir functions/*
mkdir functions/ecm.usb0
ln -s functions/ecm.usb0 configs/c.1
echo "UDC name" &gt; UDC

[   82.220969] Unable to handle kernel NULL pointer dereference at virtual address 00000000
[   82.229009] pgd = c0004000
[   82.231698] [00000000] *pgd=00000000
[   82.235260] Internal error: Oops: 17 [#1] PREEMPT SMP ARM
[   82.240638] Modules linked in:
[   82.243681] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.0.0-rc2 #39
[   82.249926] Hardware name: SAMSUNG EXYNOS (Flattened Device Tree)
[   82.256003] task: c07cd2f0 ti: c07c8000 task.ti: c07c8000
[   82.261393] PC is at composite_setup+0xe3c/0x1674
[   82.266073] LR is at composite_setup+0xf20/0x1674
[   82.270760] pc : [&lt;c03510d4&gt;]    lr : [&lt;c03511b8&gt;]    psr: 600001d3
[   82.270760] sp : c07c9df0  ip : c0806448  fp : ed8c9c9c
[   82.282216] r10: 00000001  r9 : 00000000  r8 : edaae918
[   82.287425] r7 : ed551cc0  r6 : 00007fff  r5 : 00000000  r4 : ed799634
[   82.293934] r3 : 00000003  r2 : 00010002  r1 : edaae918  r0 : 0000002e
[   82.300446] Flags: nZCv  IRQs off  FIQs off  Mode SVC_32  ISA ARM  Segment kernel
[   82.307910] Control: 10c5387d  Table: 6bc1804a  DAC: 00000015
[   82.313638] Process swapper/0 (pid: 0, stack limit = 0xc07c8210)
[   82.319627] Stack: (0xc07c9df0 to 0xc07ca000)
[   82.462689] [&lt;c03510d4&gt;] (composite_setup) from [&lt;c0340890&gt;] (s3c_hsotg_complete_setup+0xb4/0x418)
[   82.471626] [&lt;c0340890&gt;] (s3c_hsotg_complete_setup) from [&lt;c0354170&gt;] (usb_gadget_giveback_request+0xc/0x10)
[   82.481429] [&lt;c0354170&gt;] (usb_gadget_giveback_request) from [&lt;c033db4c&gt;] (s3c_hsotg_complete_request+0xcc/0x12c)
[   82.491583] [&lt;c033db4c&gt;] (s3c_hsotg_complete_request) from [&lt;c0341670&gt;] (s3c_hsotg_irq+0x4fc/0x558)
[   82.500614] [&lt;c0341670&gt;] (s3c_hsotg_irq) from [&lt;c005d54c&gt;] (handle_irq_event_percpu+0x50/0x150)
[   82.509291] [&lt;c005d54c&gt;] (handle_irq_event_percpu) from [&lt;c005d688&gt;] (handle_irq_event+0x3c/0x5c)
[   82.518145] [&lt;c005d688&gt;] (handle_irq_event) from [&lt;c006009c&gt;] (handle_fasteoi_irq+0xd4/0x18c)
[   82.526650] [&lt;c006009c&gt;] (handle_fasteoi_irq) from [&lt;c005ce20&gt;] (generic_handle_irq+0x20/0x30)
[   82.535242] [&lt;c005ce20&gt;] (generic_handle_irq) from [&lt;c005cf34&gt;] (__handle_domain_irq+0x6c/0xdc)
[   82.543923] [&lt;c005cf34&gt;] (__handle_domain_irq) from [&lt;c00086b4&gt;] (gic_handle_irq+0x2c/0x6c)
[   82.552256] [&lt;c00086b4&gt;] (gic_handle_irq) from [&lt;c0011fc0&gt;] (__irq_svc+0x40/0x74)
[   82.559716] Exception stack(0xc07c9f68 to 0xc07c9fb0)
[   82.564753] 9f60:                   00000000 00000000 c07c9fb8 c001bee0 c07ca4f0 c057004c
[   82.572913] 9f80: c07ca4fc c0803a20 c0803a20 413fc090 00000001 00000000 01000000 c07c9fb0
[   82.581069] 9fa0: c000f800 c000f804 60000053 ffffffff
[   82.586113] [&lt;c0011fc0&gt;] (__irq_svc) from [&lt;c000f804&gt;] (arch_cpu_idle+0x30/0x3c)
[   82.593491] [&lt;c000f804&gt;] (arch_cpu_idle) from [&lt;c0050e70&gt;] (cpu_startup_entry+0x128/0x1a4)
[   82.601740] [&lt;c0050e70&gt;] (cpu_startup_entry) from [&lt;c0783bd8&gt;] (start_kernel+0x350/0x3bc)
[   82.609890] Code: 0a000002 e3530005 05975010 15975008 (e5953000)
[   82.615965] ---[ end trace f57d5f599a5f1bfa ]---

Most kernel code assumes that the interface array in
struct usb_configuration is NULL terminated.

When a gadget is composed with configfs, the configuration
structure may be reused for a different set of functions.

This bug happens because purge_configs_funcs() sets
only next_interface_id to 0. The interface array still
contains pointers to already freed interfaces. If on the
second try we add fewer interfaces than earlier, we
may access unallocated memory when trying to get
interface descriptors.

Signed-off-by: Krzysztof Opasiak &lt;k.opasiak@samsung.com&gt;
Cc: &lt;stable@vger.kernel.org&gt; # 3.10+
Signed-off-by: Felipe Balbi &lt;balbi@ti.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
memset() the interfaces array to 0 before reusing
the usb_configuration structure.

This commit fixes the bug:

ln -s functions/acm.1 configs/c.1
ln -s functions/acm.2 configs/c.1
ln -s functions/acm.3 configs/c.1
echo "UDC name" &gt; UDC
echo "" &gt; UDC
rm configs/c.1/acm.*
rmdir functions/*
mkdir functions/ecm.usb0
ln -s functions/ecm.usb0 configs/c.1
echo "UDC name" &gt; UDC

[   82.220969] Unable to handle kernel NULL pointer dereference at virtual address 00000000
[   82.229009] pgd = c0004000
[   82.231698] [00000000] *pgd=00000000
[   82.235260] Internal error: Oops: 17 [#1] PREEMPT SMP ARM
[   82.240638] Modules linked in:
[   82.243681] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.0.0-rc2 #39
[   82.249926] Hardware name: SAMSUNG EXYNOS (Flattened Device Tree)
[   82.256003] task: c07cd2f0 ti: c07c8000 task.ti: c07c8000
[   82.261393] PC is at composite_setup+0xe3c/0x1674
[   82.266073] LR is at composite_setup+0xf20/0x1674
[   82.270760] pc : [&lt;c03510d4&gt;]    lr : [&lt;c03511b8&gt;]    psr: 600001d3
[   82.270760] sp : c07c9df0  ip : c0806448  fp : ed8c9c9c
[   82.282216] r10: 00000001  r9 : 00000000  r8 : edaae918
[   82.287425] r7 : ed551cc0  r6 : 00007fff  r5 : 00000000  r4 : ed799634
[   82.293934] r3 : 00000003  r2 : 00010002  r1 : edaae918  r0 : 0000002e
[   82.300446] Flags: nZCv  IRQs off  FIQs off  Mode SVC_32  ISA ARM  Segment kernel
[   82.307910] Control: 10c5387d  Table: 6bc1804a  DAC: 00000015
[   82.313638] Process swapper/0 (pid: 0, stack limit = 0xc07c8210)
[   82.319627] Stack: (0xc07c9df0 to 0xc07ca000)
[   82.462689] [&lt;c03510d4&gt;] (composite_setup) from [&lt;c0340890&gt;] (s3c_hsotg_complete_setup+0xb4/0x418)
[   82.471626] [&lt;c0340890&gt;] (s3c_hsotg_complete_setup) from [&lt;c0354170&gt;] (usb_gadget_giveback_request+0xc/0x10)
[   82.481429] [&lt;c0354170&gt;] (usb_gadget_giveback_request) from [&lt;c033db4c&gt;] (s3c_hsotg_complete_request+0xcc/0x12c)
[   82.491583] [&lt;c033db4c&gt;] (s3c_hsotg_complete_request) from [&lt;c0341670&gt;] (s3c_hsotg_irq+0x4fc/0x558)
[   82.500614] [&lt;c0341670&gt;] (s3c_hsotg_irq) from [&lt;c005d54c&gt;] (handle_irq_event_percpu+0x50/0x150)
[   82.509291] [&lt;c005d54c&gt;] (handle_irq_event_percpu) from [&lt;c005d688&gt;] (handle_irq_event+0x3c/0x5c)
[   82.518145] [&lt;c005d688&gt;] (handle_irq_event) from [&lt;c006009c&gt;] (handle_fasteoi_irq+0xd4/0x18c)
[   82.526650] [&lt;c006009c&gt;] (handle_fasteoi_irq) from [&lt;c005ce20&gt;] (generic_handle_irq+0x20/0x30)
[   82.535242] [&lt;c005ce20&gt;] (generic_handle_irq) from [&lt;c005cf34&gt;] (__handle_domain_irq+0x6c/0xdc)
[   82.543923] [&lt;c005cf34&gt;] (__handle_domain_irq) from [&lt;c00086b4&gt;] (gic_handle_irq+0x2c/0x6c)
[   82.552256] [&lt;c00086b4&gt;] (gic_handle_irq) from [&lt;c0011fc0&gt;] (__irq_svc+0x40/0x74)
[   82.559716] Exception stack(0xc07c9f68 to 0xc07c9fb0)
[   82.564753] 9f60:                   00000000 00000000 c07c9fb8 c001bee0 c07ca4f0 c057004c
[   82.572913] 9f80: c07ca4fc c0803a20 c0803a20 413fc090 00000001 00000000 01000000 c07c9fb0
[   82.581069] 9fa0: c000f800 c000f804 60000053 ffffffff
[   82.586113] [&lt;c0011fc0&gt;] (__irq_svc) from [&lt;c000f804&gt;] (arch_cpu_idle+0x30/0x3c)
[   82.593491] [&lt;c000f804&gt;] (arch_cpu_idle) from [&lt;c0050e70&gt;] (cpu_startup_entry+0x128/0x1a4)
[   82.601740] [&lt;c0050e70&gt;] (cpu_startup_entry) from [&lt;c0783bd8&gt;] (start_kernel+0x350/0x3bc)
[   82.609890] Code: 0a000002 e3530005 05975010 15975008 (e5953000)
[   82.615965] ---[ end trace f57d5f599a5f1bfa ]---

Most kernel code assumes that the interface array in
struct usb_configuration is NULL terminated.

When a gadget is composed with configfs, the configuration
structure may be reused for a different set of functions.

This bug happens because purge_configs_funcs() sets
only next_interface_id to 0. The interface array still
contains pointers to already freed interfaces. If on the
second try we add fewer interfaces than earlier, we
may access unallocated memory when trying to get
interface descriptors.

Signed-off-by: Krzysztof Opasiak &lt;k.opasiak@samsung.com&gt;
Cc: &lt;stable@vger.kernel.org&gt; # 3.10+
Signed-off-by: Felipe Balbi &lt;balbi@ti.com&gt;
</pre>
</div>
</content>
</entry>
</feed>
