shared_fifo endpoints would only get a previous tx state cleared
out, the rx state was only cleared for non shared_fifo endpoints
Change this so that the rx state is cleared for all endpoints.
This addresses an issue that resulted in rx packets being dropped
silently.
Signed-off-by: Andrew Goodbody <andrew.goodbody@cambrionix.com>
Cc: stable@vger.kernel.org
Signed-off-by: Bin Liu <b-liu@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Incorrect cppi dma channel is referenced in musb_rx_dma_iso_cppi41(),
which causes kernel NULL pointer reference oops later when calling
cppi41_dma_channel_program().
Fixes: 069a3fd (usb: musb: Remove ifdefs for musb_host_rx in musb_host.c
part1)
Cc: <stable@vger.kernel.org> # v4.2+
Reported-by: Matwey V. Kornilov <matwey@sai.msu.ru>
Acked-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Bin Liu <b-liu@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
If the session bit was not set in the backup of devctl register,
restoring devctl would clear the session bit. Therefor, only restore
devctl register when the session bit was set in the backup.
This solves the device enumeration failure in otg mode exposed by commit
56f487c (PM / Runtime: Update last_busy in rpm_resume).
Cc: <stable@vger.kernel.org> # v4.2+
Signed-off-by: Bin Liu <b-liu@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
We need to check the state for the PHY with delayed_work
as otherwise MUSB will get confused and idles immediately.
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Bin Liu <b-liu@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
There's no longer any need for custom initcall level for
musb.
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Bin Liu <b-liu@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
With the pull up being handled with delayed work, we can
now finally remove pm_runtime_set_irq_safe that blocks the
MUSB glue from idling.
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Bin Liu <b-liu@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
With PM runtime behaving, these are all now unnecessary.
Doing pm_runtime_get(musb->controller) will keep the parent
glue layer also active.
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Bin Liu <b-liu@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
At least on n900 we have phy-twl4030-usb only generating cable
interrupts, and then have a separate USB PHY.
In order for musb to know the real cable status, we need to
clear any cached state until musb is ready. Otherwise the cable
status interrupts will get just ignored if the status does
not change from the initial state.
To do this, let's add a return value to musb_mailbox(), and
reset cached linkstat to MUSB_UNKNOWN on error. Sorry to cause
a bit of churn here, I should have added that already last time
patching musb_mailbox().
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Bin Liu <b-liu@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
At least 2430 glue layer pulls d+ high on start up even if there are
no gadgets configured. This is bad at least for anything using a separate
battery charger chip as it can confuse the charger detection.
Let's fix the issue by removing the bogus glue layer code tinkering
with the SESSION bit. As pointed out Bin Liu <b-liu@ti.com> and
Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>, the SESSION
bit just starts host mode if ID pin is grounded, and starts the
srp is ID pin is floating. So without the ID pin changing, it's
unable to force musb mode to anything. And just for starting a
host mode, things work fine without this code.
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Bin Liu <b-liu@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This is no longer needed with PM runtime at least for 2430 glue.
We can now rely only on PM runtime and cable detection.
The other glue layers can probably remove try_idle too, but that
needs to be tested for each platform before doing it.
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Bin Liu <b-liu@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This simplifies things and allows idling both MUSB and PHY
when nothing is configured. Let's just return early from PM
runtime if musb is not yet initialized.
Let's also warn if PHY is not configured.
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Bin Liu <b-liu@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
We may have drivers loaded but no configured gadgets and MUSB may be in
host mode. If gadgets are configured during host mode, PM runtime will
get confused.
Disable PM runtime from gadget state, and do it based on the cable
and last state.
Note that we may get multiple cable events, so we need to keep track
of the power state.
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Bin Liu <b-liu@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
We have MUSB setting pm_runtime_irq_safe with the following
commits:
30a70b026b ("usb: musb: fix obex in g_nokia.ko causing kernel panic")
3e43a07256 ("usb: musb: core: add pm_runtime_irq_safe()")
Let's fix things to use delayed work so we can remove the
pm_runtime_irq_safe.
Note that we may want to set this up in a generic way in the
gadget framework eventually.
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Bin Liu <b-liu@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
The conditional use of PM runtime does not work properly
for musb gadget. On cable disconnect we may not get any
USB_EVENT_NONE leaving the PM runtime call unpaired.
Let's fix the issue by making sure the PM runtime calls are
paired within the functions. The glue layer will take care
of the rest.
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Bin Liu <b-liu@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Let's not tinker with the PM runtime of musb core from the omap2430
wrapper. This allows us to initialize PM runtime for musb core later
on instead of doing it in stages. And omap2430 wrapper has no need
to for accessing musb core at this point.
Note that this does not remove all the PM runtime calls from the
glue layer, those will get removed in a later patch.
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Bin Liu <b-liu@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Let's make the PM runtime use the standard autosuspend calls.
Commit 5de85b9d57 ("PM / runtime: Re-init runtime PM states at probe
error and driver unbind") means we must pair use_autosuspend with
dont_use_autosuspend and then use put_sync to properly idle the
device.
Note that we'll be removing the PM runtime calls from the glue
layer to the MUSB core in the next patch. And we can also remove
the pointless FIXME comment now.
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Bin Liu <b-liu@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
We have remove() already calling shutdown(), so let's drop it
and move the code to remove(). No code changes, we'll drop the
the FIXME in the following patch with more clean-up.
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Bin Liu <b-liu@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Looks like at least 2430 glue won't idle reliably with the 200 ms
autosuspend delay. This causes deeper idle states being blocked for
the whole SoC when disconnecting OTG A cable.
Increasing the delay to 500 ms seems to idle both MUSB and the PHY
reliably. This is probably because of time needed by the hardware
based negotiation between MUSB and the PHY.
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Bin Liu <b-liu@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
When the board is powering attached usb devices via the otg port
sometimes / on some devices it takes slightly too long for the Vbus
detection code in phy-sun4i-usb.c to signal that Vbus is high after
enabling Vbus and the musb hardware signals a MUSB_INTR_VBUSERROR
interrupt.
This commit sets the otg state to A_WAIT_VRISE upon enabling Vbus
making musb_stage0_irq() ignore the first VBUSERR_RETRY_COUNT
VBUSERROR interrupts, fixing connection issues in these cases.
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
[b-liu@ti.com: revise subject prefix]
Signed-off-by: Bin Liu <b-liu@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Move the mode handling to the platform_set_mode callback.
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
[b-liu@ti.com: revise subject prefix]
Signed-off-by: Bin Liu <b-liu@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Now that the DMA engine check was moved to musb_tx_dma_porgram(), both
musb_tx_dma_set_mode_cppi_tusb() and musb_tx_dma_set_mode_mentor() always
return 0, so we can make both these functions *void*.
Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
[b-liu@ti.com: revise subject prefix]
Signed-off-by: Bin Liu <b-liu@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Commit 754fe4a92c ("usb: musb: Remove ifdefs for TX DMA for musb_host.c")
looks incomplete: the DMA engine checks are done outside the Mentor/UX500
handler but inside the CPPI/TUSB handler. Move the checks out of the CPPI/
TUSB handler into its caller, musb_tx_dma_program().
Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
[b-liu@ti.com: revise subject prefix]
Signed-off-by: Bin Liu <b-liu@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
urb->status is set when endpoint csr RXSTALL, H_ERROR, DATAERROR or
INCOMPRX bit is set. Those bits mean a broken pipe, so don't start next
urb when any of these bits is set by checking urb->status.
To minimize the risk of regression, only do so for RX, until we have a
test case to understand the behavior of TX.
The patch fixes system freeze issue caused by repeatedly invoking RX ISR
while removing a usb uart device connected to a hub, in which case the
hub has no chance to report the disconnect event due to the kernel is
busy in processing the RX interrupt flooding.
Fix checkpatch complaint (qh != NULL) as while.
Reported-by: Max Uvarov <muvarov@gmail.com>
Tested-by: Yegor Yefremov <yegorslists@googlemail.com>
Signed-off-by: Bin Liu <b-liu@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
The MUSB Programming Guide states that the driver should clear RXCSR
bit2 when the controller sets the bit.
Signed-off-by: Bin Liu <b-liu@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
I got one of these cards for testing uas with, it seems that with streams
it dma-s all over the place, corrupting memory. On my first tests it
managed to dma over the BIOS of the motherboard somehow and completely
bricked it.
Tests on another motherboard show that it does work with streams disabled.
Cc: stable@vger.kernel.org
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Several people have reported that UBSAN doesn't like the pointer
arithmetic in ehci_hub_control():
u32 __iomem *status_reg = &ehci->regs->port_status[
(wIndex & 0xff) - 1];
u32 __iomem *hostpc_reg = &ehci->regs->hostpc[(wIndex & 0xff) - 1];
If wIndex is 0 (and it often is), these calculations underflow and
UBSAN complains.
According to the C standard, pointer computations leading to locations
outside the bounds of an array object (other than 1 position past the
end) are undefined. In this case, the compiler would be justified in
concluding the wIndex can never be 0 and then optimizing away the
tests for !wIndex that occur later in the subroutine. (Although,
since ehci->regs->port_status and ehci->regs->hostpc are both 0-length
arrays and are thus GCC extensions to the C standard, it's not clear
what the compiler is really allowed to do.)
At any rate, we can avoid all these difficulties, at the cost of
making the code slightly longer, by not decrementing the index when it
is equal to 0. The runtime effect is minimal, and anyway
ehci_hub_control() is not on a hot path.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Valdis Kletnieks <Valdis.Kletnieks@vt.edu>
Reported-by: Meelis Roos <mroos@linux.ee>
Reported-by: Martin_MOKREJÅ <mmokrejs@gmail.com>
Reported-by: "Navin P.S" <navinp1912@gmail.com>
CC: Andrey Ryabinin <ryabinin.a.a@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Commit 198de51dbc ("USB: uas: Limit qdepth at the scsi-host level")
removed the scsi_change_queue_depth() call from uas_slave_configure()
assuming that the slave would inherit the host's queue_depth, which
that commit sets to the same value.
This is incorrect, without the scsi_change_queue_depth() call the slave's
queue_depth defaults to 1, introducing a performance regression.
This commit restores the call, fixing the performance regression.
Cc: stable@vger.kernel.org
Fixes: 198de51dbc ("USB: uas: Limit qdepth at the scsi-host level")
Reported-by: Tom Yan <tom.ty89@gmail.com>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Commit 198de51dbc ("USB: uas: Limit qdepth at the scsi-host level") made
qdepth limit set in host template (`.can_queue = MAX_CMNDS`) redundant.
Removing it to avoid confusion.
Signed-off-by: Tom Yan <tom.ty89@gmail.com>
Acked-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
The Acer C120 LED Projector is a USB-3 connected pico projector which
takes both its power and video data from USB-3.
In combination with some hubs this device does not play well with
lpm, so disable lpm for it.
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Properly sort all the entries by vendor id.
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit b1c127ae99 ("usb: host: xhci: plat: make use of new methods in
xhci_plat_priv") sets xhci->quirks before calling xhci_gen_setup(), which
will overwrite them.
Don't overwite the quirks, just add the new ones
Fixes: b1c127ae99 ("usb: host: xhci: plat: make use of new methods in xhci_plat_priv")
Reported-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Cc: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
On some platforms, the clocks might be registered by a platform
driver. When this is the case, the clock platform driver may very well
be probed after xhci-plat, in which case the first probe() invocation
of xhci-plat will receive -EPROBE_DEFER as the return value of
devm_clk_get().
The current code handles that as a normal error, and simply assumes
that this means that the system doesn't have a clock for the XHCI
controller, and continues probing without calling
clk_prepare_enable(). Unfortunately, this doesn't work on systems
where the XHCI controller does have a clock, but that clock is
provided by another platform driver. In order to fix this situation,
we handle the -EPROBE_DEFER error condition specially, and abort the
XHCI controller probe(). It will be retried later automatically, the
clock will be available, devm_clk_get() will succeed, and the probe()
will continue with the clock prepared and enabled as expected.
In practice, such issue is seen on the ARM64 Marvell 7K/8K platform,
where the clocks are registered by a platform driver.
Cc: <stable@vger.kernel.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
If commands timeout we mark them for abortion, then stop the command
ring, and turn the commands to no-ops and finally restart the command
ring.
If the host is working properly the no-op commands will finish and
pending completions are called.
If we notice the host is failing, driver clears the command ring and
completes, deletes and frees all pending commands.
There are two separate cases reported where host is believed to work
properly but is not. In the first case we successfully stop the ring
but no abort or stop command ring event is ever sent and host locks up.
The second case is if a host is removed, command times out and driver
believes the ring is stopped, and assumes it will be restarted, but
actually ends up timing out on the same command forever.
If one of the pending commands has the xhci->mutex held it will block
xhci_stop() in the remove codepath which otherwise would cleanup pending
commands.
Add a check that clears all pending commands in case host is removed,
or we are stuck timing out on the same command. Also restart the
command timeout timer when stopping the command ring to ensure we
recive an ring stop/abort event.
Cc: stable <stable@vger.kernel.org>
Tested-by: Joe Lawrence <joe.lawrence@stratus.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Under stress occasions some TI devices might not return early when
reading the status register during the quirk invocation of xhci_irq made
by usb_hcd_pci_remove. This means that instead of returning, we end up
handling this interruption in the middle of a shutdown. Since
xhci->event_ring has already been freed in xhci_mem_cleanup, we end up
accessing freed memory, causing the Oops below.
commit 8c24d6d7b0 ("usb: xhci: stop everything on the first call to
xhci_stop") is the one that changed the instant in which we clean up the
event queue when stopping a device. Before, we didn't call
xhci_mem_cleanup at the first time xhci_stop is executed (for the shared
HCD), instead, we only did it after the invocation for the primary HCD,
much later at the removal path. The code flow for this oops looks like
this:
xhci_pci_remove()
usb_remove_hcd(xhci->shared)
xhci_stop(xhci->shared)
xhci_halt()
xhci_mem_cleanup(xhci); // Free the event_queue
usb_hcd_pci_remove(primary)
xhci_irq() // Access the event_queue if STS_EINT is set. Crash.
xhci_stop()
xhci_halt()
// return early
The fix modifies xhci_stop to only cleanup the xhci data when releasing
the primary HCD. This way, we still have the event_queue configured
when invoking xhci_irq. We still halt the device on the first call to
xhci_stop, though.
I could reproduce this issue several times on the mainline kernel by
doing a bind-unbind stress test with a specific storage gadget attached.
I also ran the same test over-night with my patch applied and didn't
observe the issue anymore.
[ 113.334124] Unable to handle kernel paging request for data at address 0x00000028
[ 113.335514] Faulting instruction address: 0xd00000000d4f767c
[ 113.336839] Oops: Kernel access of bad area, sig: 11 [#1]
[ 113.338214] SMP NR_CPUS=1024 NUMA PowerNV
[c000000efe47ba90] c000000000720850 usb_hcd_irq+0x50/0x80
[c000000efe47bac0] c00000000073d328 usb_hcd_pci_remove+0x68/0x1f0
[c000000efe47bb00] d00000000daf0128 xhci_pci_remove+0x78/0xb0
[xhci_pci]
[c000000efe47bb30] c00000000055cf70 pci_device_remove+0x70/0x110
[c000000efe47bb70] c00000000061c6bc __device_release_driver+0xbc/0x190
[c000000efe47bba0] c00000000061c7d0 device_release_driver+0x40/0x70
[c000000efe47bbd0] c000000000619510 unbind_store+0x120/0x150
[c000000efe47bc20] c0000000006183c4 drv_attr_store+0x64/0xa0
[c000000efe47bc60] c00000000039f1d0 sysfs_kf_write+0x80/0xb0
[c000000efe47bca0] c00000000039e14c kernfs_fop_write+0x18c/0x1f0
[c000000efe47bcf0] c0000000002e962c __vfs_write+0x6c/0x190
[c000000efe47bd90] c0000000002eab40 vfs_write+0xc0/0x200
[c000000efe47bde0] c0000000002ec85c SyS_write+0x6c/0x110
[c000000efe47be30] c000000000009260 system_call+0x38/0x108
Signed-off-by: Gabriel Krisman Bertazi <krisman@linux.vnet.ibm.com>
Cc: Roger Quadros <rogerq@ti.com>
Cc: joel@jms.id.au
Cc: stable@vger.kernel.org
Reviewed-by: Roger Quadros <rogerq@ti.com>
Cc: <stable@vger.kernel.org> #v4.3+
Tested-by: Joel Stanley <joel@jms.id.au>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
cycle. Nothing extra fancy this time around.
Patches range from MS OS Descriptor usage fixes, to
Clear Stall EP command fix on dwc3, to some f_fs
fixes and out of bounds accesses on renesas driver.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAABCAAGBQJXTuNSAAoJEIaOsuA1yqREKBEP/2H5JlAT5r0cb7XPi4dklljf
3KZzDArtChUiCHL+aFUkrUWebm9+2jPsrtC6UzWoW09CK9jmtfmAQqTUGOzMMWmt
gR3Kf42+buWjqA0++taR4B7Z1UJHYdkrMgnkDMKOXg58tbXQ9Q9zXyd0xNsXyCrj
yyb3qvRPMUhidmKzHnnATsK0qmMspxXvg0If989fW62FfhZoohlJRNcNmiwEiZOe
cE6ZT8RN4eh/BzmeP+MJb8l5xweM3qPI9rJZHYSUqNdANFH43dEnclOK4iNSQkGL
QjTDitgY1ZngmvnxPUc+qmtxGSoELFnMAOt2erk7l9E3AOFUtBvkKjWq6fn2CpJ4
OR6qfhSHrCo3ULMxKl1PyCq2CXYhJtLpJnx8TZ9tN4z5Trfa+Vqg8ayFDrU1ZNIt
QPEsz3Qn4p/5zvIkvBnw7Sb6f22d2u/PSr6/zYiXq1a21Bg7YGqILDpLGKiU0j+s
KgMuUUpVCR8SJqseM66hysiCpzZzuuEkNQVbAs4zKpQzxtfU2EJXkPzmRwQuWp/V
b4M4X4NR9VwkSEyRhtWbsz3A9Ot/z4cFw27L7jRjJw49tSFZe0OrRM3xqhrEBXYu
2kX+BjB69lxB0qXBkLW6pZX/sqOe0TIR+HaQu8BDvYSm6/SeZtla8YGVFiUJVAMX
UDaCPmtnb7YdDkg7jhPI
=//Hz
-----END PGP SIGNATURE-----
Merge tag 'fixes-for-v4.7-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/balbi/usb into usb-linus
Felipe writes:
Here's the first set of fixes for v4.7-rc
cycle. Nothing extra fancy this time around.
Patches range from MS OS Descriptor usage fixes, to
Clear Stall EP command fix on dwc3, to some f_fs
fixes and out of bounds accesses on renesas driver.
As of core revision 2.60a the recommended programming model is to set
the ClearPendIN bit when issuing a Clear Stall EP command for IN
endpoints. This is to prevent an issue where some (non-compliant) hosts
may not send ACK TPs for pending IN transfers due to a mishandled error
condition. Synopsys STAR 9000614252.
Signed-off-by: John Youn <johnyoun@synopsys.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Set USB3_FORCE_VBUSVALID when configured for USB_DR_MODE_PERIPHERAL
mode, as it is required to have a working setup.
This worked on the internal driver by relying on the reset
value of the syscfg register as the bits aren't explicity cleared
and set like the upstream driver.
Also add a comment about what setting this bit means.
Signed-off-by: Peter Griffin <peter.griffin@linaro.org>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
In OS descriptors handling, if ctrl->bRequestType is
USB_RECIP_DEVICE and w_index != 0x4 or (w_value >> 8)
is true, it will not assign a valid value to req->length,
but use the default value(-EOPNOTSUPP), and queue an
OS desc request with the invalid req->length. It always
happens on the platforms which use os_desc (for example:
rk3366, rk3399), and cause kernel panic as follows
(use dwc3 driver):
Unable to handle kernel paging request at virtual address ffffffc0f7e00000
Internal error: Oops: 96000146 [#1] PREEMPT SMP
PC is at __dma_clean_range+0x18/0x30
LR is at __swiotlb_map_page+0x50/0x64
Call trace:
[<ffffffc0000930f8>] __dma_clean_range+0x18/0x30
[<ffffffc00062214c>] usb_gadget_map_request+0x134/0x1b0
[<ffffffc0005c289c>] __dwc3_ep0_do_control_data+0x110/0x14c
[<ffffffc0005c2d38>] __dwc3_gadget_ep0_queue+0x198/0x1b8
[<ffffffc0005c2e18>] dwc3_gadget_ep0_queue+0xc0/0xe8
[<ffffffc00061cfec>] composite_ep0_queue.constprop.14+0x34/0x98
[<ffffffc00061dfb0>] composite_setup+0xf60/0x100c
[<ffffffc0006204dc>] android_setup+0xd8/0x138
[<ffffffc0005c29a4>] dwc3_ep0_delegate_req+0x34/0x50
[<ffffffc0005c3534>] dwc3_ep0_interrupt+0x5dc/0xb58
[<ffffffc0005c0c3c>] dwc3_thread_interrupt+0x15c/0xa24
With this patch, the gadget driver will not queue
a request and return immediately if req->length is
invalid. And the usb controller driver can handle
the unsupport request correctly.
Signed-off-by: William Wu <william.wu@rock-chips.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
If c->cdev->use_os_string flag is not set,
don't need to invoke ffs_do_os_descs() in _ffs_func_bind.
So uninitialized ext_compat_id pointer won't be accessed by
__ffs_func_bind_do_os_desc to cause kernel panic.
Signed-off-by: Jim Lin <jilin@nvidia.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Commit dc8c46a5ae ("usb: gadget: f_tcm: convert to new function
interface with backward compatibility") introduced a possible out
of bounds memory access:
If tpg is not found in function usbg_drop_tpg,
tpg_instances[TPG_INSTANCES] is accessed.
Fixes: dc8c46a5ae ("usb: gadget: f_tcm: convert to new function interface with backward compatibility")
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Function in_rq_cur copies random bytes from the stack.
Zero the memory instead.
Fixes: 132fcb4608 ("usb: gadget: Add Audio Class 2.0 Driver")
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
A patch that went into Linux-4.4 to fix big-endian mode on a Lantiq
MIPS system unfortunately broke big-endian operation on PowerPC
APM82181 as reported by Christian Lamparter, and likely other
systems.
It actually introduced multiple issues:
- it broke big-endian ARM kernels: any machine that was working
correctly with a little-endian kernel is no longer using byteswaps
on big-endian kernels, which clearly breaks them.
- On PowerPC the same thing must be true: if it was working before,
using big-endian kernels is now broken. Unlike ARM, 32-bit PowerPC
usually uses big-endian kernels, so they are likely all broken.
- The barrier for dwc2_writel is on the wrong side of the __raw_writel(),
so the MMIO no longer synchronizes with DMA operations.
- On architectures that require specific CPU instructions for MMIO
access, using the __raw_ variant may turn this into a pointer
dereference that does not have the same effect as the readl/writel.
This patch is a simple revert for all architectures other than MIPS,
in the hope that we can more easily backport it to fix the regression
on PowerPC and ARM systems without breaking the Lantiq system again.
We should follow this up with a more elaborate change to add runtime
detection of endianness, to make sure it also works on all other
combinations of architectures and implementations of the usb-dwc2
device. That patch however will be fairly large and not appropriate
for backports to stable kernels.
Felipe suggested a different approach, using an endianness switching
register to always put the device into LE mode, but unfortunately
the dwc2 hardware does not provide a generic way to do that. Also,
I see no practical way of addressing the problem more generally by
patching architecture specific code on MIPS.
Fixes: 95c8bc3609 ("usb: dwc2: Use platform endianness when accessing registers")
Acked-by: John Youn <johnyoun@synopsys.com>
Tested-by: Christian Lamparter <chunkeey@googlemail.com>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Current __ffs_data_do_os_desc() of f_fs.c will check reserved1 field
of OS_DESC_EXT_COMPAT and return -EINVAL if it's 1.
But MS OS 1.0 Descriptors
http://msdn.microsoft.com/en-us/library/windows/hardware/gg463179.aspx
defines that field to be 1.
Signed-off-by: Jim Lin <jilin@nvidia.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Device qualifier descriptor is now generated by composite.c
code. So let's fix this old comment by removing parts which
are no longer valid.
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Signed-off-by: Krzysztof Opasiak <kopasiak90@gmail.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
This descriptor is never used. Currently device qualifier
descriptor is generated by compossite code so no need to
keep it in function file.
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Signed-off-by: Krzysztof Opasiak <kopasiak90@gmail.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
This descriptor is never used. Currently device qualifier
descriptor is generated by compossite code, so no need to
keep it in function file.
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Signed-off-by: Krzysztof Opasiak <kopasiak90@gmail.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
v3.20 doesn't exist, it is actually v4.0.
Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Add a check in dwc2_hsotg_ep_sethalt() so that it does not halt
isochronous endpoints.
Signed-off-by: Vahram Aharonyan <vahrama@synopsys.com>
Signed-off-by: John Youn <johnyoun@synopsys.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
The gadget API function usb_ep_set_halt() expects the gadget to return
-EAGAIN if the ep is active. Add support for this behavior.
Otherwise this may break mass storage protocol if a STALL is attempted
on the endpoint.
Signed-off-by: Vahram Aharonyan <vahrama@synopsys.com>
Signed-off-by: John Youn <johnyoun@synopsys.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>