Commit Graph

2870 Commits

Author SHA1 Message Date
Dan Carpenter
2bb2077ee6 usb: gadget: printer: use after free in gprinter_alloc_inst()
There was a missing goto so we free "opts" and then dereference it.

Fixes: ee1cd515e8 ('usb: gadget: printer: add configfs support')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
2015-03-13 10:41:01 -05:00
Dan Carpenter
fdb51e3d97 usb: gadget: printer: delete some dead code
"num" is a u16 so it can't go higher than 65535.  kstrtou16() has a
range check built in so this is already handled.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
2015-03-13 10:40:57 -05:00
Scott Wood
16d9efa4b3 usb: gadget: serial: %pf is only for function pointers
Use %ps for actual addresses, otherwise you'll get bad output
on arches like ppc64 where %pf expects a function descriptor
(which is not what __builtin_return_address returns).

Reviewed-by: Fabio Estevam <fabio.estevam@freescale.com>
Signed-off-by: Scott Wood <scottwood@freescale.com>
Cc: linux-usb@vger.kernel.org
CC: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
2015-03-13 10:37:30 -05:00
Peter Chen
005a64307d usb: gadget: lpc32xxx_udc: Fix NULL dereference
udc is then checked for NULL, if NULL, it is then dereferenced as
udc->dev, it is found using Coccinelle.

We simplify the code to fix this problem, and we delete some conditions
at if {} which will never be met.

Reported-by: Tapasweni Pathak <tapaswenipathak@gmail.com>
Reported-by : Julia Lawall <julia.lawall@lip6.fr>
Signed-off-by: Peter Chen <peter.chen@freescale.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
2015-03-11 14:59:10 -05:00
Robert Baldyga
f4e4f8dae3 usb: gadget: f_hid: remove unnecessary usb_ep_dequeue()
Function usb_ep_disable() causes completion of all requests queued
for given endpoint, so there is no need to dequeue them after endpoint
disabling.

Signed-off-by: Robert Baldyga <r.baldyga@samsung.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
2015-03-11 10:19:38 -05:00
Rasmus Villemoes
fa84acf0f6 usb: gadget: dummy-hcd: Remove utf8 from format string
Not everybody uses a utf8 locale (unfortunately), so let's avoid
non-ascii characters in the kernel log. Replace the 3-byte utf8
sequence with a 3-byte ascii equivalent.

Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Signed-off-by: Felipe Balbi <balbi@ti.com>
2015-03-11 10:19:37 -05:00
Sylvain Rochet
112bf24471 usb: gadget: atmel_usba_udc: Add suspend/resume with wakeup support
This patch add suspend/resume with wakeup support for Atmel USBA.

On suspend: We stay continuously clocked if Vbus signal is not
available. If Vbus signal is available we set the Vbus signal as a wake
up source then we stop the USBA itself and all clocks used by USBA.

On resume: We recover clocks and USBA if we stopped them. If a device is
currently connected at resume time we enable the controller.

Signed-off-by: Sylvain Rochet <sylvain.rochet@finsecur.com>
Acked-by: Boris Brezillon <boris.brezillon@free-electrons.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
2015-03-11 10:19:37 -05:00
Sylvain Rochet
a64ef71ddc usb: gadget: atmel_usba_udc: condition clocks to vbus state
If USB PLL is not necessary for other USB drivers (e.g. OHCI and EHCI)
we will reduce power consumption by switching off the USB PLL if no USB
Host is currently connected to this USB Device.

We are using Vbus GPIO signal to detect Host presence. If Vbus signal is
not available then the device stays continuously clocked.

Signed-off-by: Sylvain Rochet <sylvain.rochet@finsecur.com>
Acked-by: Nicolas Ferre <nicolas.ferre@atmel.com>
Acked-by: Boris Brezillon <boris.brezillon@free-electrons.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
2015-03-11 10:19:37 -05:00
Sylvain Rochet
bb0a203c3a usb: gadget: atmel_usba_udc: Request an auto disabled Vbus signal IRQ
Vbus IRQ handler needs a started UDC driver to work because it uses
udc->driver, which is set by the UDC start handler. The previous way
chosen was to return from interrupt if udc->driver is NULL using a
spinlock around the check.

We now request an auto disabled (IRQ_NOAUTOEN) Vbus signal IRQ instead
of an auto enabled IRQ followed by disable_irq(). This way we remove the
very small timeslot of enabled IRQ which existed previously between
request() and disable(). We don't need anymore to check if udc->driver
is NULL in IRQ handler.

Signed-off-by: Sylvain Rochet <sylvain.rochet@finsecur.com>
Suggested-by: Boris Brezillon <boris.brezillon@free-electrons.com>
Acked-by: Boris Brezillon <boris.brezillon@free-electrons.com>
Acked-by: Nicolas Ferre <nicolas.ferre@atmel.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
2015-03-11 10:19:36 -05:00
Sylvain Rochet
227ab58cff usb: gadget: atmel_usba_udc: Fixed vbus_prev initial state
If vbus gpio is high at init, we should set vbus_prev to true
accordingly to the current vbus state. Without that, we skip the first
vbus interrupt because the saved vbus state is not consistent.

Signed-off-by: Sylvain Rochet <sylvain.rochet@finsecur.com>
Acked-by: Nicolas Ferre <nicolas.ferre@atmel.com>
Acked-by: Boris Brezillon <boris.brezillon@free-electrons.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
2015-03-11 10:19:36 -05:00
Tal Shorer
fddc26f573 usb: gadget: f_mass_storage: use defined constant instead of numeric value
replace numeric value with TYPE_NO_LUN (defined in <scsi/scsi.h>)

Signed-off-by: Tal Shorer <tal.shorer@gmail.com>
Acked-by: Michal Nazarewicz <mina86@mina86.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
2015-03-11 10:19:35 -05:00
Masanari Iida
06ed0de518 usb: gadget: Fix typo fond in Documentation/Docbook/gadget.xml
This patch fix some spelling typo found in gadget.xml.
It is because this file is generated from comments in sources,
I had to fix comments in the source, instead of xml file itself.

Signed-off-by: Masanari Iida <standby24x7@gmail.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
2015-03-11 10:19:35 -05:00
Andrzej Pietrasiewicz
ee1cd515e8 usb: gadget: printer: add configfs support
Add support for configfs interface so that f_printer can be used as a
component of usb gadgets composed with it.

Signed-off-by: Andrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
2015-03-10 15:33:41 -05:00
Andrzej Pietrasiewicz
a2a8e48a94 usb: gadget: printer: use module_usb_composite_driver helper macro
Substitute some boilerplate code with a dedicated macro.

Signed-off-by: Andrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
2015-03-10 15:33:41 -05:00
Andrzej Pietrasiewicz
d85dc4824c usb: gadget: f_printer: remove compatibility layer
There are no old interface users left, so it can be removed.

Signed-off-by: Andrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
2015-03-10 15:33:41 -05:00
Andrzej Pietrasiewicz
69504f808d usb: gadget: printer: convert to new interface of f_printer
The goal is to remove the old function interface, so its (only) user
must be converted to the new interface.

Signed-off-by: Andrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
2015-03-10 15:33:40 -05:00
Andrzej Pietrasiewicz
b26394bd56 usb: gadget: f_printer: convert to new function interface with backward compatibility
In order to add configfs support, a usb function must be converted to use
the new interface. This patch converts the function to the new interface
and provides backward compatiblity layer, which can be removed after
all its users are converted to use the new interface.

Signed-off-by: Andrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
2015-03-10 15:33:40 -05:00
Andrzej Pietrasiewicz
b185f01a9a usb: gadget: printer: factor out f_printer
The legacy printer gadget now contains both a reusable printer function
and legacy gadget proper implementations interwoven, but logically
separate. This patch factors out a reusable f_printer.

Signed-off-by: Andrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
2015-03-10 15:33:40 -05:00
Andrzej Pietrasiewicz
6dd8c2e695 usb: gadget: printer: allocate printer_dev instances dynamically
With all the obstacles removed it is possible to allow more than one
instance of the printer function. Since the function requires allocating
character device region, a maximum number of allowed instances is defined.
Such an approach is used in f_acm and in f_hid.
With multiple instances it does not make sense to depend on a
lock_printer_io member of a dynamically allocated (and destroyed) struct
printer_dev to clean up after all instances of the printer function.

Signed-off-by: Andrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
2015-03-10 15:33:39 -05:00
Andrzej Pietrasiewicz
636bc0ed27 usb: gadget: printer: add req_match for printer function
Verify that a given usb_ctrlrequest is meant for printer function.
The following parts of the request are tested:

- bmRequestType:Data transfer direction
- bmRequestType:Type
- bmRequestType:Recipient
- bRequest
- wValue for bRequest 1 and 2
- wLength

Additionally, the request is considered meant for this function
iff the decoded interface number matches dev->interface.

Signed-off-by: Andrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
2015-03-10 15:33:39 -05:00
Andrzej Pietrasiewicz
d7239f4c6d usb: gadget: printer: name class specific requests
Avoid using magic numbers.

Signed-off-by: Andrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
2015-03-10 15:33:39 -05:00
Andrzej Pietrasiewicz
f563d23090 usb: gadget: composite: add req_match method to usb_function
Non-standard requests can encode the actual interface number in a
non-standard way. For example composite_setup() assumes
that it is w_index && 0xFF, but the printer function encodes the interface
number in a context-dependet way (either w_index or w_index >> 8).
This can lead to such requests being directed to wrong functions.

This patch adds req_match() method to usb_function. Its purpose is to
verify that a given request can be handled by a given function.
If any function within a configuration provides the method and it returns
true, then it is assumed that the right function is found.

If a function uses req_match(), it should try as hard as possible to
determine if the request is meant for it.

If no functions in a configuration provide req_match or none of them
returns true, then fall back to the usual approach.

Signed-off-by: Andrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
2015-03-10 15:33:39 -05:00
Andrzej Pietrasiewicz
143d53e10e usb: gadget: printer: add container_of helper for printer_dev
5 uses of container_of() in the same context justify wrapping it
in a static inline function.

Signed-off-by: Andrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
2015-03-10 15:33:38 -05:00
Andrzej Pietrasiewicz
8fe20f661f usb: gadget: printer: don't access file global usb_printer_gadget in function's code
The printer_dev can be recovered from printer_func_unbind() function's
parameters.

Signed-off-by: Andrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
2015-03-10 15:33:38 -05:00
Andrzej Pietrasiewicz
dec81cf1dc usb: gadget: printer: eliminate file global printer_mutex
The mutex is a legacy after semi-automatic Big Kernel Lock removal.
printer_open() does its own locking, so no need to duplicate it.

Signed-off-by: Andrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
2015-03-10 15:33:38 -05:00
Andrzej Pietrasiewicz
a844715d2f usb: gadget: printer: call gprinter_setup() from gadget's bind
Call gprinter_setup() from gadget's bind instead of module's init.
Call gprinter_cleaup() corerspondingly. This detaches printer function's
logic from legacy printer gadget's implementation.

Signed-off-by: Andrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
2015-03-10 15:33:37 -05:00
Andrzej Pietrasiewicz
d82cd82edb usb: gadget: printer: add setup and cleanup functions
Factor out gprinter_setup() and gprinter_cleanup() so that it is
easy to change the place they are called from.

Signed-off-by: Andrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
2015-03-10 15:33:37 -05:00
Andrzej Pietrasiewicz
5a84e6f608 usb: gadget: printer: don't access file global pnp_string in function's code
In order to factor out a reusable f_printer, the function's code should
not use file global variables related to legacy printer gadget's
implementation.

Signed-off-by: Andrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
2015-03-10 15:33:37 -05:00
Andrzej Pietrasiewicz
085617a1eb usb: gadget: printer: define pnp string buffer length
Avoid using magic numbers.

Signed-off-by: Andrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
2015-03-10 15:33:37 -05:00
Andrzej Pietrasiewicz
991cd26249 usb: gadget: printer: move function-related unbind code to function's unbind
In order to factor out a reusable f_printer.c, the code related to the
function should be placed in functions related to the function.

printer_cfg_unbind() becomes empty, so it is removed.

Signed-off-by: Andrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
2015-03-10 15:33:36 -05:00
Andrzej Pietrasiewicz
cee5cbff8d usb: gadget: printer: call usb_add_function() last
Conversion to the new function interface requires splitting a
<something>_bind_config() function into two parts: allocation of
container_of struct usb_function and invocation of usb_add_function().
This patch moves the latter to the end of the f_printer_bind_config()
in order to enable conversion to the new interface.

Signed-off-by: Andrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
2015-03-10 15:33:36 -05:00
Andrzej Pietrasiewicz
4504b5a0b2 usb: gadget: printer: move function-related bind code to function's bind
In order to factor out a reusable f_printer.c, the code related to the
function should be placed in functions related to the function.

Signed-off-by: Andrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
2015-03-10 15:33:36 -05:00
Andrzej Pietrasiewicz
ae2dd0de57 usb: gadget: printer: standardize printer_do_config
Follow the convention of distributing source code between
<something>_do_config() and <something>_bind_config().

Signed-off-by: Andrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
2015-03-10 15:33:35 -05:00
Andrzej Pietrasiewicz
406be2ccba usb: gadget: printer: follow the naming convention for usb_add_config callback
Legacy gadgets, before converting them to the new function framework,
used to use the name <something>_do_config() for usb_add_config()'s
callback.

This patch changes the name so that it is easier to follow
the convention.

Signed-off-by: Andrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
2015-03-10 15:33:35 -05:00
Andrzej Pietrasiewicz
44eccced2b usb: gadget: printer: eliminate pdev member of struct printer_dev
The pdev member of struct printer_dev is not used outside
printer_bind_config(), so it can just as well be a local variable there.

Signed-off-by: Andrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
2015-03-10 15:33:35 -05:00
Andrzej Pietrasiewicz
44b3165259 usb: gadget: printer: add missing error handling
If cdev_add() in printer_bind_config() fails, care is taken to
reverse the effects of initializations completed until the fail
happens. But if printer_req_alloc() fails, it is just one of the
two lists that is cleaned up while the effects of cdev_add()
and device_create() are not reverted.

This patch changes error handling so that at least as much cleanup is done
as when a failure happens before printer_req_alloc() invocations.

Signed-off-by: Andrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
2015-03-10 15:33:35 -05:00
Andrzej Pietrasiewicz
f5bda0034f usb: gadget: printer: revert usb_add_function() effect in error recovery
Whenever the "goto fail" branch is taken, the effect of usb_add_function()
should be reverted.

Signed-off-by: Andrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
2015-03-10 15:33:34 -05:00
Andrzej Pietrasiewicz
c69b818694 usb: gadget: printer: eliminate random pointer dereference
struct printer_dev contains 3 list heads: tx_reqs, rx_reqs and rx_buffers.
There is just one instance of this structure in the driver and it is
file static, and as such initialized with all zeros.

If device_create() or cdev_add() fails then "goto fail" branch is taken,
which results in printer_cfg_unbind() call. The latter checks if
tx_reqs, rx_reqs and rx_buffers lists are empty. The check for emptiness
is in fact a check whether the "next" member of struct list_head points
to the head of the list. But the heads of the lists in question have
not been initialized yet and, as mentioned above, contain all zeros,
so list_empty() returns false and respective "while" loop body starts
executing. Here, container_of() just subtracts the offset of a struct
usb_request member from an address of this same member, which results in
a value somewhere near 0 or 0xfff...ff. And the argument to list_del()
dereferences such a pointer which causes a disaster.

This patch moves respective INIT_LIST_HEAD() invocations to a point before
"goto fail" branch can be taken.

Signed-off-by: Andrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
2015-03-10 15:33:34 -05:00
Andrzej Pietrasiewicz
050f571264 usb: gadget: printer: remove unused and empty printer_unbind
The unbind() method is optional is usb_composite_driver.
In this particular driver the method does nothing so it can be removed.

Signed-off-by: Andrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
2015-03-10 15:33:34 -05:00
Andrzej Pietrasiewicz
eb132ccbde usb: gadget: printer: enqueue printer's response for setup request
Function-specific setup requests should be handled in such a way, that
apart from filling in the data buffer, the requests are also actually
enqueued: if function-specific setup is called from composte_setup(),
the "usb_ep_queue()" block of code in composite_setup() is skipped.

The printer function lacks this part and it results in e.g. get device id
requests failing: the host expects some response, the device prepares it
but does not equeue it for sending to the host, so the host finally asserts
timeout.

This patch adds enqueueing the prepared responses.

Cc: <stable@vger.kernel.org> # v3.4+
Fixes: 2e87edf492: "usb: gadget: make g_printer use composite"
Signed-off-by: Andrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
2015-03-10 15:33:34 -05:00
Andrzej Pietrasiewicz
232c0102e8 usb: gadget: composite: don't try standard handling for non-standard requests
If a non-standard request is processed and its parameters just happen
to match those of some standard request, the logic of composite_setup()
can be fooled, so don't even try any switch cases, just go to the
proper place where unknown requests are handled.

Signed-off-by: Andrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
2015-03-10 15:33:33 -05:00
Felipe Balbi
ccf5fb6981 usb: gadget: net2280: silence sparse warning
Silence the following warning:

drivers/usb/gadget/udc/net2280.c:3176:33: warning: context imbalance in
'handle_stat1_irqs' - unexpected unlock

Signed-off-by: Felipe Balbi <balbi@ti.com>
2015-03-10 15:33:31 -05:00
Mian Yousaf Kaukab
12366ef194 usb: gadget: net2280: don't connect from udc_start
net2280_start can be called with pullup disabled. Don't set
softconnect flag in it. Let net2280_pullup handle the connection part.

Signed-off-by: Mian Yousaf Kaukab <yousaf.kaukab@intel.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
2015-03-10 15:33:31 -05:00
Mian Yousaf Kaukab
9ceafcc2b3 usb: gadget: net2280: print error in ep_ops error paths
Hopefully, these prints will help localize the problems faster.

[ balbi@ti.com: removed 2 unnecessary OOM error messages ]

Signed-off-by: Mian Yousaf Kaukab <yousaf.kaukab@intel.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
2015-03-10 15:33:31 -05:00
Mian Yousaf Kaukab
fb2a85dd93 usb: gadget: net2280: remove fiforegs as it is unused
Remove fiforegs from struct net2280 and net2280_ep as it is unused.
By the way, ep->fiforegs = &dev->fiforegs[i] assignment is incorrect.
It should be ep->fiforegs = &dev->fiforegs[ne[i]], but it doesn't
matter now.

Signed-off-by: Mian Yousaf Kaukab <yousaf.kaukab@intel.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
2015-03-10 15:33:30 -05:00
Mian Yousaf Kaukab
a285f40d80 usb: gadget: net2280: use ep_autoconfig compatible names in advance mode
Each struct usb_ep added for net2280 can be used in either direction.
Whereas, each struct usb_ep for usb3380 has fixed direction. Use
ep_autoconf compatible names so that endpoint with correct direction
can be selected.

Name sequence is due to the logic in usb_reinit_338x() in ne[] and
ep_reg_addr[].

Signed-off-by: Mian Yousaf Kaukab <yousaf.kaukab@intel.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
2015-03-10 15:33:30 -05:00
Joe Perches
25140ce627 usb: gadget: udc: pxa27x_udc: Remove use of seq_printf return value
The seq_printf return value, because it's frequently misused,
will eventually be converted to void.

See: commit 1f33c41c03 ("seq_file: Rename seq_overflow() to
     seq_has_overflowed() and make public")

While there, simplify the error handler logic by returning
immediately and remove the unnecessary labels.

Tested-by: Robert Jarzmik <robert.jarzmik@free.fr>
Signed-off-by: Joe Perches <joe@perches.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
2015-03-10 15:33:16 -05:00
Andrzej Pietrasiewicz
a0456399fb usb: gadget: configfs: don't NUL-terminate (sub)compatible ids
The "Extended Compat ID OS Feature Descriptor Specification" does not
require the (sub)compatible ids to be NUL-terminated, because they
are placed in a fixed-size buffer and only unused parts of it should
contain NULs. If the buffer is fully utilized, there is no place for NULs.

Consequently, the code which uses desc->ext_compat_id never expects the
data contained to be NUL terminated.

If the compatible id is stored after sub-compatible id, and the compatible
id is full length (8 bytes), the (useless) NUL terminator overwrites the
first byte of the sub-compatible id.

If the sub-compatible id is full length (8 bytes), the (useless) NUL
terminator ends up out of the buffer. The situation can happen in the RNDIS
function, where the buffer is a part of struct f_rndis_opts. The next
member of struct f_rndis_opts is a mutex, so its first byte gets
overwritten. The said byte is a part of a mutex'es member which contains
the information on whether the muext is locked or not. This can lead to a
deadlock, because, in a configfs-composed gadget when a function is linked
into a configuration with config_usb_cfg_link(), usb_get_function()
is called, which then calls rndis_alloc(), which tries locking the same
mutex and (wrongly) finds it already locked.

This patch eliminates NUL terminating of the (sub)compatible id.

Cc: <stable@vger.kernel.org> # v3.16+
Fixes: da4243145f: "usb: gadget: configfs: OS Extended Compatibility descriptors support"
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Andrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
2015-02-23 09:37:27 -06:00
Lad, Prabhakar
1f754ef103 usb: gadget: function: uvc_v4l2.c: fix sparse warnings
this patch fixes following sparse warnings:

uvc_v4l2.c:264:29: warning: symbol 'uvc_v4l2_ioctl_ops' was not declared. Should it be static?
uvc_v4l2.c:355:29: warning: symbol 'uvc_v4l2_fops' was not declared. Should it be static?

Acked-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Lad, Prabhakar <prabhakar.csengg@gmail.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
2015-02-23 09:23:46 -06:00
Lad, Prabhakar
2b87cd24c3 usb: gadget: gadgetfs: fix sparse warnings
this patch fixes following sparse warnings:

g_ffs.c:136:3: warning: symbol 'gfs_configurations' was not declared. Should it be static?
g_ffs.c:281:16: warning: Using plain integer as NULL pointer

Signed-off-by: Lad, Prabhakar <prabhakar.csengg@gmail.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
2015-02-23 09:23:20 -06:00