[zen-stable.git] / drivers / staging / usbip / stub_tx.c
/*
 * Copyright (C) 2003-2008 Takahiro Hirofuchi
 *
 * This is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
 * USA.
 */
20 #include <linux/kthread.h>
21 #include <linux/socket.h>
23 #include "usbip_common.h"
24 #include "stub.h"
/*
 * Release everything attached to a finished request: the URB's setup packet
 * and transfer buffer, the stub_priv bookkeeping entry, and the URB itself.
 *
 * priv is unlinked from whatever list it sits on, so the callers in this
 * file invoke this with sdev->priv_lock held. priv must not be touched by
 * the caller afterwards.
 */
static void stub_free_priv_and_urb(struct stub_priv *priv)
{
	/* Save the URB pointer first: priv is freed before the URB is. */
	struct urb *done = priv->urb;

	kfree(done->setup_packet);
	kfree(done->transfer_buffer);

	list_del(&priv->list);
	kmem_cache_free(stub_priv_cache, priv);

	usb_free_urb(done);
}
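/*
 * Queue a RET_UNLINK reply carrying @seqnum and @status on sdev->unlink_tx.
 *
 * Must be called inside spin_lock_irqsave(&sdev->priv_lock, flags): the list
 * is appended to without taking the lock here, and the allocation uses
 * GFP_ATOMIC for that reason.
 *
 * If the allocation fails, no reply is queued and an error event is raised
 * on the device instead.
 */
void stub_enqueue_ret_unlink(struct stub_device *sdev, __u32 seqnum,
			     __u32 status)
{
	struct stub_unlink *unlink;

	/* sizeof(*unlink) keeps the size tied to the pointer's type. */
	unlink = kzalloc(sizeof(*unlink), GFP_ATOMIC);
	if (!unlink) {
		dev_err(&sdev->interface->dev, "alloc stub_unlink\n");
		/*
		 * Stub-side event, matching the other allocation-failure
		 * paths in this file (the original used the VDEV_ name).
		 */
		usbip_event_add(&sdev->ud, SDEV_EVENT_ERROR_MALLOC);
		return;
	}

	unlink->seqnum = seqnum;
	unlink->status = status;

	list_add_tail(&unlink->list, &sdev->unlink_tx);
}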
/**
 * stub_complete - completion handler of a usbip urb
 * @urb: pointer to the urb completed
 *
 * When a urb has completed, the USB core driver calls this function mostly in
 * the interrupt context. To return the result of a urb, the completed urb is
 * moved to the queue of replies waiting to be sent (sdev->priv_tx) and the tx
 * thread is woken up.
 *
 * If an unlink was requested for the urb (priv->unlinking), a RET_UNLINK
 * reply is queued instead and the urb is freed right here.
 */
void stub_complete(struct urb *urb)
{
	struct stub_priv *priv = urb->context;
	struct stub_device *sdev = priv->sdev;
	/* Read once: the urb may be freed below before the last use. */
	int status = urb->status;
	unsigned long flags;

	usbip_dbg_stub_tx("complete! status %d\n", status);

	switch (status) {
	case 0:
		/* OK */
		break;
	case -ENOENT:
		dev_info(&urb->dev->dev,
			 "stopped by a call to usb_kill_urb() because of cleaning up a virtual connection\n");
		/*
		 * Nothing is queued or freed on this path; priv stays on the
		 * list it is on. NOTE(review): presumably the connection
		 * cleanup releases it - not visible in this file.
		 */
		return;
	case -ECONNRESET:
		dev_info(&urb->dev->dev,
			 "unlinked by a call to usb_unlink_urb()\n");
		break;
	case -EPIPE:
		dev_info(&urb->dev->dev, "endpoint %d is stalled\n",
			 usb_pipeendpoint(urb->pipe));
		break;
	case -ESHUTDOWN:
		dev_info(&urb->dev->dev, "device removed?\n");
		break;
	default:
		dev_info(&urb->dev->dev,
			 "urb completion with non-zero status %d\n", status);
		break;
	}

	/* Hand the result over to the tx side under the queue lock. */
	spin_lock_irqsave(&sdev->priv_lock, flags);
	if (!priv->unlinking) {
		list_move_tail(&priv->list, &sdev->priv_tx);
	} else {
		stub_enqueue_ret_unlink(sdev, priv->seqnum, status);
		/* priv and urb are invalid after this call. */
		stub_free_priv_and_urb(priv);
	}
	spin_unlock_irqrestore(&sdev->priv_lock, flags);

	/* wake up tx_thread */
	wake_up(&sdev->tx_waitq);
}
/*
 * Fill the basic header shared by the reply PDUs built in this file.
 * Only command and seqnum carry information; devid, ep and direction are
 * always written as zero.
 */
static inline void setup_base_pdu(struct usbip_header_basic *base,
				  __u32 command, __u32 seqnum)
{
	base->devid     = 0;
	base->ep        = 0;
	base->direction = 0;

	base->command = command;
	base->seqnum  = seqnum;
}
/*
 * Build the RET_SUBMIT header for a completed urb: the base part echoes the
 * sequence number stored in the urb's stub_priv, the rest is filled in by
 * usbip_pack_pdu().
 */
static void setup_ret_submit_pdu(struct usbip_header *rpdu, struct urb *urb)
{
	const struct stub_priv *req = urb->context;

	setup_base_pdu(&rpdu->base, USBIP_RET_SUBMIT, req->seqnum);

	/* NOTE(review): the trailing 1 presumably selects urb -> pdu packing. */
	usbip_pack_pdu(rpdu, urb, USBIP_RET_SUBMIT, 1);
}
/*
 * Build the RET_UNLINK header for a queued unlink result: base header with
 * the request's sequence number, plus the recorded status.
 */
static void setup_ret_unlink_pdu(struct usbip_header *rpdu,
				 struct stub_unlink *unlink)
{
	rpdu->u.ret_unlink.status = unlink->status;
	setup_base_pdu(&rpdu->base, USBIP_RET_UNLINK, unlink->seqnum);
}
/*
 * Take the oldest completed request off sdev->priv_tx.
 *
 * The entry is not removed outright: it is moved to sdev->priv_free, from
 * which stub_send_ret_submit() frees it once its batch has been sent.
 *
 * Returns the entry, or NULL when priv_tx is empty.
 */
static struct stub_priv *dequeue_from_priv_tx(struct stub_device *sdev)
{
	struct stub_priv *head = NULL;
	unsigned long flags;

	spin_lock_irqsave(&sdev->priv_lock, flags);
	if (!list_empty(&sdev->priv_tx)) {
		head = list_first_entry(&sdev->priv_tx, struct stub_priv,
					list);
		list_move_tail(&head->list, &sdev->priv_free);
	}
	spin_unlock_irqrestore(&sdev->priv_lock, flags);

	return head;
}
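/*
 * Send a RET_SUBMIT reply for every completed urb queued on sdev->priv_tx.
 *
 * Each reply goes out in a single kernel_sendmsg() call and consists of
 *   1. the usbip header,
 *   2. for IN transfers, the received data (isochronous data is sent packet
 *      by packet so the padding between packets is not transmitted),
 *   3. for isochronous transfers, the iso packet descriptors.
 *
 * Sent entries sit on sdev->priv_free and are released at the end of the
 * batch. On any failure an SDEV_EVENT_ERROR_* event is raised and -1 is
 * returned; entries already moved to priv_free stay there.
 *
 * Returns the number of bytes sent (a size_t total returned as int), or -1.
 */
static int stub_send_ret_submit(struct stub_device *sdev)
{
	unsigned long flags;
	struct stub_priv *priv, *tmp;

	struct msghdr msg;
	size_t txsize;

	size_t total_size = 0;

	while ((priv = dequeue_from_priv_tx(sdev)) != NULL) {
		int ret;
		struct urb *urb = priv->urb;
		struct usbip_header pdu_header;
		void *iso_buffer = NULL;
		struct kvec *iov = NULL;
		int iovnum = 0;

		txsize = 0;
		memset(&pdu_header, 0, sizeof(pdu_header));
		memset(&msg, 0, sizeof(msg));

		/*
		 * The payload iovecs below point into urb->transfer_buffer.
		 * Refuse to describe a non-empty payload at a NULL base
		 * rather than hand that to the socket layer.
		 * NOTE(review): the buffer is set up by the receive path,
		 * which is not part of this file - confirm it cannot be
		 * NULL for a urb that reports data.
		 */
		if (urb->actual_length > 0 && !urb->transfer_buffer) {
			dev_err(&sdev->interface->dev,
				"urb: actual_length %d transfer_buffer null\n",
				urb->actual_length);
			usbip_event_add(&sdev->ud, SDEV_EVENT_ERROR_TCP);
			return -1;
		}

		if (usb_pipetype(urb->pipe) == PIPE_ISOCHRONOUS)
			iovnum = 2 + urb->number_of_packets;
		else
			iovnum = 2;

		/*
		 * kcalloc() rejects a count whose product with the element
		 * size would overflow, so an out-of-range packet count ends
		 * in the allocation-failure path instead of a short buffer.
		 */
		iov = kcalloc(iovnum, sizeof(*iov), GFP_KERNEL);

		if (!iov) {
			usbip_event_add(&sdev->ud, SDEV_EVENT_ERROR_MALLOC);
			return -1;
		}

		/* From here on iovnum counts the slots actually filled. */
		iovnum = 0;

		/* 1. setup usbip_header */
		setup_ret_submit_pdu(&pdu_header, urb);
		usbip_dbg_stub_tx("setup txdata seqnum: %d urb: %p\n",
				  pdu_header.base.seqnum, urb);
		/*usbip_dump_header(pdu_header);*/
		usbip_header_correct_endian(&pdu_header, 1);

		iov[iovnum].iov_base = &pdu_header;
		iov[iovnum].iov_len  = sizeof(pdu_header);
		iovnum++;
		txsize += sizeof(pdu_header);

		/* 2. setup transfer buffer */
		if (usb_pipein(urb->pipe) &&
		    usb_pipetype(urb->pipe) != PIPE_ISOCHRONOUS &&
		    urb->actual_length > 0) {
			iov[iovnum].iov_base = urb->transfer_buffer;
			iov[iovnum].iov_len  = urb->actual_length;
			iovnum++;
			txsize += urb->actual_length;
		} else if (usb_pipein(urb->pipe) &&
			   usb_pipetype(urb->pipe) == PIPE_ISOCHRONOUS) {
			/*
			 * For isochronous packets: actual length is the sum of
			 * the actual length of the individual packets, but as
			 * the packet offsets are not changed there will be
			 * padding between the packets. To optimally use the
			 * bandwidth the padding is not transmitted.
			 */

			int i;
			for (i = 0; i < urb->number_of_packets; i++) {
				iov[iovnum].iov_base = urb->transfer_buffer +
					urb->iso_frame_desc[i].offset;
				iov[iovnum].iov_len =
					urb->iso_frame_desc[i].actual_length;
				iovnum++;
				txsize += urb->iso_frame_desc[i].actual_length;
			}

			/*
			 * Sanity check: the per-packet lengths must add up to
			 * the urb's total, otherwise nothing is sent.
			 */
			if (txsize != sizeof(pdu_header) + urb->actual_length) {
				dev_err(&sdev->interface->dev,
					"actual length of urb %d does not "
					"match iso packet sizes %zu\n",
					urb->actual_length,
					txsize-sizeof(pdu_header));
				kfree(iov);
				usbip_event_add(&sdev->ud,
						SDEV_EVENT_ERROR_TCP);
				return -1;
			}
		}

		/* 3. setup iso_packet_descriptor */
		if (usb_pipetype(urb->pipe) == PIPE_ISOCHRONOUS) {
			ssize_t len = 0;

			iso_buffer = usbip_alloc_iso_desc_pdu(urb, &len);
			if (!iso_buffer) {
				usbip_event_add(&sdev->ud,
						SDEV_EVENT_ERROR_MALLOC);
				kfree(iov);
				return -1;
			}

			iov[iovnum].iov_base = iso_buffer;
			iov[iovnum].iov_len  = len;
			txsize += len;
			iovnum++;
		}

		ret = kernel_sendmsg(sdev->ud.tcp_socket, &msg,
						iov,  iovnum, txsize);
		if (ret != txsize) {
			/* txsize is a size_t, hence %zu. */
			dev_err(&sdev->interface->dev,
				"sendmsg failed!, retval %d for %zu\n",
				ret, txsize);
			kfree(iov);
			kfree(iso_buffer);
			usbip_event_add(&sdev->ud, SDEV_EVENT_ERROR_TCP);
			return -1;
		}

		kfree(iov);
		kfree(iso_buffer);

		total_size += txsize;
	}

	/* Everything on priv_free has been sent; release it under the lock. */
	spin_lock_irqsave(&sdev->priv_lock, flags);
	list_for_each_entry_safe(priv, tmp, &sdev->priv_free, list) {
		stub_free_priv_and_urb(priv);
	}
	spin_unlock_irqrestore(&sdev->priv_lock, flags);

	return total_size;
}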
/*
 * Take the oldest pending unlink result off sdev->unlink_tx.
 *
 * The entry is moved to sdev->unlink_free; stub_send_ret_unlink() frees that
 * list after its batch has been sent.
 *
 * Returns the entry, or NULL when unlink_tx is empty.
 */
static struct stub_unlink *dequeue_from_unlink_tx(struct stub_device *sdev)
{
	struct stub_unlink *head = NULL;
	unsigned long flags;

	spin_lock_irqsave(&sdev->priv_lock, flags);
	if (!list_empty(&sdev->unlink_tx)) {
		head = list_first_entry(&sdev->unlink_tx, struct stub_unlink,
					list);
		list_move_tail(&head->list, &sdev->unlink_free);
	}
	spin_unlock_irqrestore(&sdev->priv_lock, flags);

	return head;
}
/*
 * Send a RET_UNLINK reply for every entry queued on sdev->unlink_tx.
 *
 * A reply is just the usbip header, sent with one kernel_sendmsg() call.
 * Sent entries sit on sdev->unlink_free and are freed at the end of the
 * batch. A short or failed send raises SDEV_EVENT_ERROR_TCP and returns -1
 * without freeing the entries already moved to unlink_free.
 *
 * Returns the number of bytes sent (a size_t total returned as int), or -1.
 */
static int stub_send_ret_unlink(struct stub_device *sdev)
{
	struct stub_unlink *unlink, *tmp;
	struct usbip_header pdu_header;
	struct msghdr msg;
	struct kvec iov[1];
	unsigned long flags;
	size_t total_size = 0;
	size_t txsize;
	int ret;

	for (;;) {
		unlink = dequeue_from_unlink_tx(sdev);
		if (!unlink)
			break;

		/* Start every reply from zeroed header, msghdr and iovec. */
		memset(&pdu_header, 0, sizeof(pdu_header));
		memset(&msg, 0, sizeof(msg));
		memset(&iov, 0, sizeof(iov));

		usbip_dbg_stub_tx("setup ret unlink %lu\n", unlink->seqnum);

		/* 1. setup usbip_header */
		setup_ret_unlink_pdu(&pdu_header, unlink);
		usbip_header_correct_endian(&pdu_header, 1);

		/* The header is the whole message. */
		txsize = sizeof(pdu_header);
		iov[0].iov_base = &pdu_header;
		iov[0].iov_len  = txsize;

		ret = kernel_sendmsg(sdev->ud.tcp_socket, &msg, iov,
				     1, txsize);
		if (ret != txsize) {
			dev_err(&sdev->interface->dev,
				"sendmsg failed!, retval %d for %zd\n",
				ret, txsize);
			usbip_event_add(&sdev->ud, SDEV_EVENT_ERROR_TCP);
			return -1;
		}

		usbip_dbg_stub_tx("send txdata\n");
		total_size += txsize;
	}

	/* Release the entries that have been sent, under the queue lock. */
	spin_lock_irqsave(&sdev->priv_lock, flags);
	list_for_each_entry_safe(unlink, tmp, &sdev->unlink_free, list) {
		list_del(&unlink->list);
		kfree(unlink);
	}
	spin_unlock_irqrestore(&sdev->priv_lock, flags);

	return total_size;
}
/*
 * Body of the stub transmit thread.
 *
 * @data is the struct usbip_device embedded in the stub_device. The loop
 * sends all pending RET_SUBMIT and then all pending RET_UNLINK replies, then
 * sleeps until more work is queued or the thread is asked to stop. It ends
 * when the thread should stop, when a usbip event has happened, or when one
 * of the senders reports an error. Always returns 0.
 */
int stub_tx_loop(void *data)
{
	struct usbip_device *ud = data;
	struct stub_device *sdev = container_of(ud, struct stub_device, ud);

	while (!kthread_should_stop() && !usbip_event_happened(ud)) {
		/*
		 * send_ret_submit comes earlier than send_ret_unlink. stub_rx
		 * looks at only priv_init queue. If the completion of a URB is
		 * earlier than the receive of CMD_UNLINK, priv is moved to
		 * priv_tx queue and stub_rx does not find the target priv. In
		 * this case, vhci_rx receives the result of the submit request
		 * and then receives the result of the unlink request. The
		 * result of the submit is given back to the usbcore as the
		 * completion of the unlink request. The request of the
		 * unlink is ignored. This is ok because a driver who calls
		 * usb_unlink_urb() understands the unlink was too late by
		 * getting the status of the given-backed URB which has the
		 * status of usb_submit_urb().
		 */
		if (stub_send_ret_submit(sdev) < 0 ||
		    stub_send_ret_unlink(sdev) < 0)
			break;

		wait_event_interruptible(sdev->tx_waitq,
					 (!list_empty(&sdev->priv_tx) ||
					  !list_empty(&sdev->unlink_tx) ||
					  kthread_should_stop()));
	}

	return 0;
}