This patch fixes the following NULL pointer dereference issue.
Pointer 'request' returned from call to function 'next_request'
at line 748 may be NULL and may be dereferenced at line 792.
============
Code Snippet
============
748: request = next_request(musb_ep);
785: if (dma && (csr & MUSB_RXCSR_DMAENAB)) {
csr &= ~(MUSB_RXCSR_AUTOCLEAR
| MUSB_RXCSR_DMAENAB
| MUSB_RXCSR_DMAMODE);
musb_writew(epio, MUSB_RXCSR,
MUSB_RXCSR_P_WZC_BITS | csr);
792: request->actual += musb_ep->dma->actual_len;
Signed-off-by: Maulik Mankad <x0082077@ti.com>
Cc: Felipe Balbi <felipe.balbi@nokia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Since a DMA transfer may need to be kicked off several times to complete,
the DMA start must include the length that has already been transferred.
Signed-off-by: Cliff Cai <cliff.cai@analog.com>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Cc: Felipe Balbi <felipe.balbi@nokia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
When registering gadget driver, the state of the transceiver
must be set from undefined (no gadget) to b_idle.
Module unload sets the transceiver state to undefined state.
After the first load/unload pair, the reset irq will be lost.
Signed-off-by: Arnaud Mandy <ext-arnaud.2.mandy@nokia.com>
Signed-off-by: Felipe Balbi <felipe.balbi@nokia.com>
Cc: David Brownell <dbrownell@users.sourceforge.net>
Acked-by: Anand Gadiyar <gadiyar@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Current musb gadget dma code produces the warning:
drivers/usb/musb/musb_gadget.c: In function 'txstate':
drivers/usb/musb/musb_gadget.c:312: warning: comparison of distinct
pointer types lacks a cast
So switch to min_t(size_t, ...).
Signed-off-by: Cliff Cai <cliff.cai@analog.com>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Felipe Balbi <felipe.balbi@nokia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Commit 7723de7e19 (USB: musb_gadget: remove
pointless loop) included uncalled for (and incorrect) optimization that
might cause a kernel oops in txstate() -- undo it.
Signed-off-by: Sergei Shtylyov <sshtylyov@ru.mvista.com>
Signed-off-by: Felipe Balbi <felipe.balbi@nokia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Fix the following sparse warnings:
drivers/usb/musb/musb_gadget.c:1161:5: warning: symbol 'musb_gadget_set_halt' was not declared. Should it be static?
drivers/usb/musb/musb_gadget.c:1244:5: warning: symbol 'musb_gadget_set_wedge' was not declared. Should it be static?
Signed-off-by: Felipe Balbi <felipe.balbi@nokia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Remove the pointless 'do () while (0)' loop from musb_g_tx() -- it
makes this function symmetric to musb_g_rx()...
Signed-off-by: Sergei Shtylyov <sshtylyov@ru.mvista.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Implement the driver's set_wedge() method by adding the 'wedged' flag
to the 'struct musb_ep'.
Signed-off-by: Sergei Shtylyov <sshtylyov@ru.mvista.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
The driver incorrectly cancels the mass-storage device CSW request
(which leads to device reset) due to giving back URB at the head of
endpoint's queue after sending each STALL handshake; stop doing that
and start checking for the queue being non-empty before stalling an
endpoint and disallowing stall in such case in musb_gadget_set_halt()
like the other gadget drivers do.
Moreover, the driver starts Rx request despite of the endpoint being
halted -- fix this by moving the SendStall bit check from musb_g_rx()
to rxstate(). And we also sometimes get into rxstate() with DMA still
active after clearing an endpoint's halt (not clear why), so bail out
in this case, similarly to what txstate() does...
While at it, also do the following changes :
- in musb_gadget_set_halt(), remove pointless Tx FIFO flushing (the
driver does not allow stalling with non-empty Tx FIFO anyway);
- in rxstate(), stop pointlessly zeroing the 'csr' variable;
- in musb_gadget_set_halt(), move the 'done' label to a more proper
place;
- in musb_g_rx(), eliminate the 'done' label completely...
Signed-off-by: Sergei Shtylyov <sshtylyov@ru.mvista.com>
Cc: <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Currently, with Inventra DMA, we use Mode 0 if transfer size is less
than or equal to the endpoint's maxpacket size. This requires that
we explicitly set TXPKTRDY for that transfer.
However the musb_g_tx code will not set TXPKTRDY twice if the last
transfer is exactly equal to maxpacket, even if request->zero is set.
Using Mode 1 will solve this; a better fix might be in musb_g_tx().
Without this change, musb will not correctly send out a ZLP if the
last transfer is the maxpacket size and request->zero is set.
Signed-off-by: Anand Gadiyar <gadiyar@ti.com>
Signed-off-by: David Brownell <dbrownell@users.sourceforge.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Adjust HNP state machines in MUSB driver so that they handle the
case where the cable is disconnected. The A-side machine was
very wrong (unrecoverable); the B-Side was much less so.
- A_PERIPHERAL ... as usual, the non-observability of the ID
pin through Mentor's registers makes trouble. We can't go
directly to A_WAIT_VFALL to end the session and start the
disconnect processing. We can however sense link suspending,
go to A_WAIT_BCON, and from there use OTG timeouts to finally
trigger that A_WAIT_VFALL transition. (Hoping that nobody
reconnects quickly to that port and notices the wrong state.)
- B_HOST ... actually clear the Host Request (HR) bit as the
messages say, disconnect the peripheral from the root hub,
and don't detour through a suspend state. (In some cases
this would eventually have cleaned up.)
Also adjust the A_SUSPEND transition to respect the A_AIDL_BDIS
timeout, so if HNP doesn't trigger quickly enough the A_WAIT_VFALL
transition happens as it should.
Signed-off-by: David Brownell <dbrownell@users.sourceforge.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Minor HNP bugfixes, so the initial role switch works:
- A-Device:
* disconnect-during-suspend enters A_PERIPHERAL state
* kill OTG timer after reset as A_PERIPHERAL ...
* ... and also pass that reset to the gadget
* once HNP succeeds, clear the "ignore_disconnect" flag
* from A_PERIPHERAL, disconnect transitions to A_WAIT_BCON
- B-Device:
* kill OTG timer on entry to B_HOST state (HNP succeeded)
* once HNP succeeds, clear "ignore_disconnect" flag
* kick the root hub only _after_ the state is adjusted
Other state transitions are left alone. Notably, exit paths from
the "roles have switched" state ... A_PERIPHERAL handling of that
stays seriously broken.
Signed-off-by: David Brownell <dbrownell@users.sourceforge.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Let the otg_transceiver in MUSB be managed by an external driver;
don't assume it's integrated. OMAP3 chips need it to be external,
and there may be ways to interact with the transceiver which add
functionality to the system.
Platform init code is responsible for setting up the transeciver,
probably using the NOP transceiver for integrated transceivers.
External ones will use whatever the board init code provided,
such as twl4030 or something more hands-off.
Signed-off-by: David Brownell <dbrownell@users.sourceforge.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Suppress "parasitic" endpoint interrupts in the DMA mode
when using CPPI DMA driver; they're caused by the MUSB gadget
driver using the DMA request mode 0 instead of the mode 1.
Signed-off-by: Sergei Shtylyov <sshtylyov@ru.mvista.com>
Signed-off-by: David Brownell <dbrownell@users.sourceforge.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
The MUSB code clears TXCSR_DMAMODE incorrectly in several
places, either asserting that TXCSR_DMAENAB is clear (when
sometimes it isn't) or clearing both bits together. Recent
versions of the programmer's guide require DMAENAB to be
cleared first, although some older ones didn't.
Fix this and while at it:
- In musb_gadget::txstate(), stop clearing the AUTOSET
and DMAMODE bits for the CPPI case since they never
get set anyway (the former bit is reserved on DaVinci);
but do clear the DMAENAB bit on the DMA error path.
- In musb_host::musb_ep_program(), remove the duplicate
DMA controller specific code code clearing the TXCSR
previous state, add the code to clear TXCSR DMA bits
on the Inventra DMA error path, to replace such code
(executed late) on the PIO path.
- In musbhsdma::dma_channel_abort()/dma_controller_irq(),
add/use the 'offset' variable to avoid MUSB_EP_OFFSET()
invocations on every RXCSR/TXCSR access.
[dbrownell@users.sourceforge.net: don't introduce CamelCase,
shrink diff]
Signed-off-by: Sergei Shtylyov <sshtylyov@ru.mvista.com>
Signed-off-by: David Brownell <dbrownell@users.sourceforge.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
request->actual is an unsigned and we should use the same
variable type for fifo_count otherwise we might lose some
data if request->length >= 64kbytes.
[ dbrownell@users.sourceforge.net: fix compiler warning ]
Signed-off-by: Felipe Balbi <felipe.balbi@nokia.com>
Signed-off-by: David Brownell <dbrownell@users.sourceforge.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
This set of patches introduces calls to the following set of functions:
usb_endpoint_dir_in(epd)
usb_endpoint_dir_out(epd)
usb_endpoint_is_bulk_in(epd)
usb_endpoint_is_bulk_out(epd)
usb_endpoint_is_int_in(epd)
usb_endpoint_is_int_out(epd)
usb_endpoint_num(epd)
usb_endpoint_type(epd)
usb_endpoint_xfer_bulk(epd)
usb_endpoint_xfer_control(epd)
usb_endpoint_xfer_int(epd)
usb_endpoint_xfer_isoc(epd)
In some cases, introducing one of these functions is not possible, and it
just replaces an explicit integer value by one of the following constants:
USB_ENDPOINT_XFER_BULK
USB_ENDPOINT_XFER_CONTROL
USB_ENDPOINT_XFER_INT
USB_ENDPOINT_XFER_ISOC
An extract of the semantic patch that makes these changes is as follows:
(http://www.emn.fr/x-info/coccinelle/)
// <smpl>
@r1@ struct usb_endpoint_descriptor *epd; @@
- ((epd->bmAttributes & \(USB_ENDPOINT_XFERTYPE_MASK\|3\)) ==
- \(USB_ENDPOINT_XFER_CONTROL\|0\))
+ usb_endpoint_xfer_control(epd)
@r5@ struct usb_endpoint_descriptor *epd; @@
- ((epd->bEndpointAddress & \(USB_ENDPOINT_DIR_MASK\|0x80\)) ==
- \(USB_DIR_IN\|0x80\))
+ usb_endpoint_dir_in(epd)
@inc@
@@
#include <linux/usb.h>
@depends on !inc && (r1||r5)@
@@
+ #include <linux/usb.h>
#include <linux/usb/...>
// </smpl>
Signed-off-by: Julia Lawall <julia@diku.dk>
Acked-by: Felipe Balbi <felipe.balbi@nokia.com>
Signed-off-by: David Brownell <dbrownell@users.sourceforge.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
If we try to modprobe a second gadget driver before
rmmoding the first one, the reference for the first
gadget driver would get NULLed avoiding usb to change
gadget drivers later.
Cc: David Brownell <david-b@pacbell.net>
Cc: Tony Lindgren <tony@atomide.com>
Signed-off-by: Felipe Balbi <felipe.balbi@nokia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
This patch adds support for MUSB and TUSB controllers
integrated into omap2430 and davinci. It also adds support
for external tusb6010 controller.
Cc: David Brownell <dbrownell@users.sourceforge.net>
Cc: Tony Lindgren <tony@atomide.com>
Signed-off-by: Felipe Balbi <felipe.balbi@nokia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>