1 // SPDX-License-Identifier: GPL-2.0+ 2 /* 3 * f_fs.c -- user mode file system API for USB composite function controllers 4 * 5 * Copyright (C) 2010 Samsung Electronics 6 * Author: Michal Nazarewicz <mina86@mina86.com> 7 * 8 * Based on inode.c (GadgetFS) which was: 9 * Copyright (C) 2003-2004 David Brownell 10 * Copyright (C) 2003 Agilent Technologies 11 */ 12 13 14 /* #define DEBUG */ 15 /* #define VERBOSE_DEBUG */ 16 17 #include <linux/blkdev.h> 18 #include <linux/pagemap.h> 19 #include <linux/export.h> 20 #include <linux/hid.h> 21 #include <linux/module.h> 22 #include <linux/sched/signal.h> 23 #include <linux/uio.h> 24 #include <asm/unaligned.h> 25 26 #include <linux/usb/composite.h> 27 #include <linux/usb/functionfs.h> 28 29 #include <linux/aio.h> 30 #include <linux/mmu_context.h> 31 #include <linux/poll.h> 32 #include <linux/eventfd.h> 33 34 #include "u_fs.h" 35 #include "u_f.h" 36 #include "u_os_desc.h" 37 #include "configfs.h" 38 39 #define FUNCTIONFS_MAGIC 0xa647361 /* Chosen by a honest dice roll ;) */ 40 41 /* Reference counter handling */ 42 static void ffs_data_get(struct ffs_data *ffs); 43 static void ffs_data_put(struct ffs_data *ffs); 44 /* Creates new ffs_data object. */ 45 static struct ffs_data *__must_check ffs_data_new(const char *dev_name) 46 __attribute__((malloc)); 47 48 /* Opened counter handling. */ 49 static void ffs_data_opened(struct ffs_data *ffs); 50 static void ffs_data_closed(struct ffs_data *ffs); 51 52 /* Called with ffs->mutex held; take over ownership of data. */ 53 static int __must_check 54 __ffs_data_got_descs(struct ffs_data *ffs, char *data, size_t len); 55 static int __must_check 56 __ffs_data_got_strings(struct ffs_data *ffs, char *data, size_t len); 57 58 59 /* The function structure ***************************************************/ 60 61 struct ffs_ep; 62 63 struct ffs_function { 64 struct usb_configuration *conf; 65 struct usb_gadget *gadget; 66 struct ffs_data *ffs; 67 68 struct ffs_ep *eps; 69 u8 eps_revmap[16]; 70 short *interfaces_nums; 71 72 struct usb_function function; 73 }; 74 75 76 static struct ffs_function *ffs_func_from_usb(struct usb_function *f) 77 { 78 return container_of(f, struct ffs_function, function); 79 } 80 81 82 static inline enum ffs_setup_state 83 ffs_setup_state_clear_cancelled(struct ffs_data *ffs) 84 { 85 return (enum ffs_setup_state) 86 cmpxchg(&ffs->setup_state, FFS_SETUP_CANCELLED, FFS_NO_SETUP); 87 } 88 89 90 static void ffs_func_eps_disable(struct ffs_function *func); 91 static int __must_check ffs_func_eps_enable(struct ffs_function *func); 92 93 static int ffs_func_bind(struct usb_configuration *, 94 struct usb_function *); 95 static int ffs_func_set_alt(struct usb_function *, unsigned, unsigned); 96 static void ffs_func_disable(struct usb_function *); 97 static int ffs_func_setup(struct usb_function *, 98 const struct usb_ctrlrequest *); 99 static bool ffs_func_req_match(struct usb_function *, 100 const struct usb_ctrlrequest *, 101 bool config0); 102 static void ffs_func_suspend(struct usb_function *); 103 static void ffs_func_resume(struct usb_function *); 104 105 106 static int ffs_func_revmap_ep(struct ffs_function *func, u8 num); 107 static int ffs_func_revmap_intf(struct ffs_function *func, u8 intf); 108 109 110 /* The endpoints structures *************************************************/ 111 112 struct ffs_ep { 113 struct usb_ep *ep; /* P: ffs->eps_lock */ 114 struct usb_request *req; /* P: epfile->mutex */ 115 116 /* [0]: full speed, [1]: high speed, [2]: super speed */ 117 struct usb_endpoint_descriptor *descs[3]; 118 119 u8 num; 120 121 int status; /* P: epfile->mutex */ 122 }; 123 124 struct ffs_epfile { 125 /* Protects ep->ep and ep->req. */ 126 struct mutex mutex; 127 128 struct ffs_data *ffs; 129 struct ffs_ep *ep; /* P: ffs->eps_lock */ 130 131 struct dentry *dentry; 132 133 /* 134 * Buffer for holding data from partial reads which may happen since 135 * we’re rounding user read requests to a multiple of a max packet size. 136 * 137 * The pointer is initialised with NULL value and may be set by 138 * __ffs_epfile_read_data function to point to a temporary buffer. 139 * 140 * In normal operation, calls to __ffs_epfile_read_buffered will consume 141 * data from said buffer and eventually free it. Importantly, while the 142 * function is using the buffer, it sets the pointer to NULL. This is 143 * all right since __ffs_epfile_read_data and __ffs_epfile_read_buffered 144 * can never run concurrently (they are synchronised by epfile->mutex) 145 * so the latter will not assign a new value to the pointer. 146 * 147 * Meanwhile ffs_func_eps_disable frees the buffer (if the pointer is 148 * valid) and sets the pointer to READ_BUFFER_DROP value. This special 149 * value is crux of the synchronisation between ffs_func_eps_disable and 150 * __ffs_epfile_read_data. 151 * 152 * Once __ffs_epfile_read_data is about to finish it will try to set the 153 * pointer back to its old value (as described above), but seeing as the 154 * pointer is not-NULL (namely READ_BUFFER_DROP) it will instead free 155 * the buffer. 156 * 157 * == State transitions == 158 * 159 * • ptr == NULL: (initial state) 160 * ◦ __ffs_epfile_read_buffer_free: go to ptr == DROP 161 * ◦ __ffs_epfile_read_buffered: nop 162 * ◦ __ffs_epfile_read_data allocates temp buffer: go to ptr == buf 163 * ◦ reading finishes: n/a, not in ‘and reading’ state 164 * • ptr == DROP: 165 * ◦ __ffs_epfile_read_buffer_free: nop 166 * ◦ __ffs_epfile_read_buffered: go to ptr == NULL 167 * ◦ __ffs_epfile_read_data allocates temp buffer: free buf, nop 168 * ◦ reading finishes: n/a, not in ‘and reading’ state 169 * • ptr == buf: 170 * ◦ __ffs_epfile_read_buffer_free: free buf, go to ptr == DROP 171 * ◦ __ffs_epfile_read_buffered: go to ptr == NULL and reading 172 * ◦ __ffs_epfile_read_data: n/a, __ffs_epfile_read_buffered 173 * is always called first 174 * ◦ reading finishes: n/a, not in ‘and reading’ state 175 * • ptr == NULL and reading: 176 * ◦ __ffs_epfile_read_buffer_free: go to ptr == DROP and reading 177 * ◦ __ffs_epfile_read_buffered: n/a, mutex is held 178 * ◦ __ffs_epfile_read_data: n/a, mutex is held 179 * ◦ reading finishes and … 180 * … all data read: free buf, go to ptr == NULL 181 * … otherwise: go to ptr == buf and reading 182 * • ptr == DROP and reading: 183 * ◦ __ffs_epfile_read_buffer_free: nop 184 * ◦ __ffs_epfile_read_buffered: n/a, mutex is held 185 * ◦ __ffs_epfile_read_data: n/a, mutex is held 186 * ◦ reading finishes: free buf, go to ptr == DROP 187 */ 188 struct ffs_buffer *read_buffer; 189 #define READ_BUFFER_DROP ((struct ffs_buffer *)ERR_PTR(-ESHUTDOWN)) 190 191 char name[5]; 192 193 unsigned char in; /* P: ffs->eps_lock */ 194 unsigned char isoc; /* P: ffs->eps_lock */ 195 196 unsigned char _pad; 197 }; 198 199 struct ffs_buffer { 200 size_t length; 201 char *data; 202 char storage[]; 203 }; 204 205 /* ffs_io_data structure ***************************************************/ 206 207 struct ffs_io_data { 208 bool aio; 209 bool read; 210 211 struct kiocb *kiocb; 212 struct iov_iter data; 213 const void *to_free; 214 char *buf; 215 216 struct mm_struct *mm; 217 struct work_struct work; 218 219 struct usb_ep *ep; 220 struct usb_request *req; 221 222 struct ffs_data *ffs; 223 }; 224 225 struct ffs_desc_helper { 226 struct ffs_data *ffs; 227 unsigned interfaces_count; 228 unsigned eps_count; 229 }; 230 231 static int __must_check ffs_epfiles_create(struct ffs_data *ffs); 232 static void ffs_epfiles_destroy(struct ffs_epfile *epfiles, unsigned count); 233 234 static struct dentry * 235 ffs_sb_create_file(struct super_block *sb, const char *name, void *data, 236 const struct file_operations *fops); 237 238 /* Devices management *******************************************************/ 239 240 DEFINE_MUTEX(ffs_lock); 241 EXPORT_SYMBOL_GPL(ffs_lock); 242 243 static struct ffs_dev *_ffs_find_dev(const char *name); 244 static struct ffs_dev *_ffs_alloc_dev(void); 245 static void _ffs_free_dev(struct ffs_dev *dev); 246 static void *ffs_acquire_dev(const char *dev_name); 247 static void ffs_release_dev(struct ffs_data *ffs_data); 248 static int ffs_ready(struct ffs_data *ffs); 249 static void ffs_closed(struct ffs_data *ffs); 250 251 /* Misc helper functions ****************************************************/ 252 253 static int ffs_mutex_lock(struct mutex *mutex, unsigned nonblock) 254 __attribute__((warn_unused_result, nonnull)); 255 static char *ffs_prepare_buffer(const char __user *buf, size_t len) 256 __attribute__((warn_unused_result, nonnull)); 257 258 259 /* Control file aka ep0 *****************************************************/ 260 261 static void ffs_ep0_complete(struct usb_ep *ep, struct usb_request *req) 262 { 263 struct ffs_data *ffs = req->context; 264 265 complete(&ffs->ep0req_completion); 266 } 267 268 static int __ffs_ep0_queue_wait(struct ffs_data *ffs, char *data, size_t len) 269 { 270 struct usb_request *req = ffs->ep0req; 271 int ret; 272 273 req->zero = len < le16_to_cpu(ffs->ev.setup.wLength); 274 275 spin_unlock_irq(&ffs->ev.waitq.lock); 276 277 req->buf = data; 278 req->length = len; 279 280 /* 281 * UDC layer requires to provide a buffer even for ZLP, but should 282 * not use it at all. Let's provide some poisoned pointer to catch 283 * possible bug in the driver. 284 */ 285 if (req->buf == NULL) 286 req->buf = (void *)0xDEADBABE; 287 288 reinit_completion(&ffs->ep0req_completion); 289 290 ret = usb_ep_queue(ffs->gadget->ep0, req, GFP_ATOMIC); 291 if (unlikely(ret < 0)) 292 return ret; 293 294 ret = wait_for_completion_interruptible(&ffs->ep0req_completion); 295 if (unlikely(ret)) { 296 usb_ep_dequeue(ffs->gadget->ep0, req); 297 return -EINTR; 298 } 299 300 ffs->setup_state = FFS_NO_SETUP; 301 return req->status ? req->status : req->actual; 302 } 303 304 static int __ffs_ep0_stall(struct ffs_data *ffs) 305 { 306 if (ffs->ev.can_stall) { 307 pr_vdebug("ep0 stall\n"); 308 usb_ep_set_halt(ffs->gadget->ep0); 309 ffs->setup_state = FFS_NO_SETUP; 310 return -EL2HLT; 311 } else { 312 pr_debug("bogus ep0 stall!\n"); 313 return -ESRCH; 314 } 315 } 316 317 static ssize_t ffs_ep0_write(struct file *file, const char __user *buf, 318 size_t len, loff_t *ptr) 319 { 320 struct ffs_data *ffs = file->private_data; 321 ssize_t ret; 322 char *data; 323 324 ENTER(); 325 326 /* Fast check if setup was canceled */ 327 if (ffs_setup_state_clear_cancelled(ffs) == FFS_SETUP_CANCELLED) 328 return -EIDRM; 329 330 /* Acquire mutex */ 331 ret = ffs_mutex_lock(&ffs->mutex, file->f_flags & O_NONBLOCK); 332 if (unlikely(ret < 0)) 333 return ret; 334 335 /* Check state */ 336 switch (ffs->state) { 337 case FFS_READ_DESCRIPTORS: 338 case FFS_READ_STRINGS: 339 /* Copy data */ 340 if (unlikely(len < 16)) { 341 ret = -EINVAL; 342 break; 343 } 344 345 data = ffs_prepare_buffer(buf, len); 346 if (IS_ERR(data)) { 347 ret = PTR_ERR(data); 348 break; 349 } 350 351 /* Handle data */ 352 if (ffs->state == FFS_READ_DESCRIPTORS) { 353 pr_info("read descriptors\n"); 354 ret = __ffs_data_got_descs(ffs, data, len); 355 if (unlikely(ret < 0)) 356 break; 357 358 ffs->state = FFS_READ_STRINGS; 359 ret = len; 360 } else { 361 pr_info("read strings\n"); 362 ret = __ffs_data_got_strings(ffs, data, len); 363 if (unlikely(ret < 0)) 364 break; 365 366 ret = ffs_epfiles_create(ffs); 367 if (unlikely(ret)) { 368 ffs->state = FFS_CLOSING; 369 break; 370 } 371 372 ffs->state = FFS_ACTIVE; 373 mutex_unlock(&ffs->mutex); 374 375 ret = ffs_ready(ffs); 376 if (unlikely(ret < 0)) { 377 ffs->state = FFS_CLOSING; 378 return ret; 379 } 380 381 return len; 382 } 383 break; 384 385 case FFS_ACTIVE: 386 data = NULL; 387 /* 388 * We're called from user space, we can use _irq 389 * rather then _irqsave 390 */ 391 spin_lock_irq(&ffs->ev.waitq.lock); 392 switch (ffs_setup_state_clear_cancelled(ffs)) { 393 case FFS_SETUP_CANCELLED: 394 ret = -EIDRM; 395 goto done_spin; 396 397 case FFS_NO_SETUP: 398 ret = -ESRCH; 399 goto done_spin; 400 401 case FFS_SETUP_PENDING: 402 break; 403 } 404 405 /* FFS_SETUP_PENDING */ 406 if (!(ffs->ev.setup.bRequestType & USB_DIR_IN)) { 407 spin_unlock_irq(&ffs->ev.waitq.lock); 408 ret = __ffs_ep0_stall(ffs); 409 break; 410 } 411 412 /* FFS_SETUP_PENDING and not stall */ 413 len = min(len, (size_t)le16_to_cpu(ffs->ev.setup.wLength)); 414 415 spin_unlock_irq(&ffs->ev.waitq.lock); 416 417 data = ffs_prepare_buffer(buf, len); 418 if (IS_ERR(data)) { 419 ret = PTR_ERR(data); 420 break; 421 } 422 423 spin_lock_irq(&ffs->ev.waitq.lock); 424 425 /* 426 * We are guaranteed to be still in FFS_ACTIVE state 427 * but the state of setup could have changed from 428 * FFS_SETUP_PENDING to FFS_SETUP_CANCELLED so we need 429 * to check for that. If that happened we copied data 430 * from user space in vain but it's unlikely. 431 * 432 * For sure we are not in FFS_NO_SETUP since this is 433 * the only place FFS_SETUP_PENDING -> FFS_NO_SETUP 434 * transition can be performed and it's protected by 435 * mutex. 436 */ 437 if (ffs_setup_state_clear_cancelled(ffs) == 438 FFS_SETUP_CANCELLED) { 439 ret = -EIDRM; 440 done_spin: 441 spin_unlock_irq(&ffs->ev.waitq.lock); 442 } else { 443 /* unlocks spinlock */ 444 ret = __ffs_ep0_queue_wait(ffs, data, len); 445 } 446 kfree(data); 447 break; 448 449 default: 450 ret = -EBADFD; 451 break; 452 } 453 454 mutex_unlock(&ffs->mutex); 455 return ret; 456 } 457 458 /* Called with ffs->ev.waitq.lock and ffs->mutex held, both released on exit. */ 459 static ssize_t __ffs_ep0_read_events(struct ffs_data *ffs, char __user *buf, 460 size_t n) 461 { 462 /* 463 * n cannot be bigger than ffs->ev.count, which cannot be bigger than 464 * size of ffs->ev.types array (which is four) so that's how much space 465 * we reserve. 466 */ 467 struct usb_functionfs_event events[ARRAY_SIZE(ffs->ev.types)]; 468 const size_t size = n * sizeof *events; 469 unsigned i = 0; 470 471 memset(events, 0, size); 472 473 do { 474 events[i].type = ffs->ev.types[i]; 475 if (events[i].type == FUNCTIONFS_SETUP) { 476 events[i].u.setup = ffs->ev.setup; 477 ffs->setup_state = FFS_SETUP_PENDING; 478 } 479 } while (++i < n); 480 481 ffs->ev.count -= n; 482 if (ffs->ev.count) 483 memmove(ffs->ev.types, ffs->ev.types + n, 484 ffs->ev.count * sizeof *ffs->ev.types); 485 486 spin_unlock_irq(&ffs->ev.waitq.lock); 487 mutex_unlock(&ffs->mutex); 488 489 return unlikely(copy_to_user(buf, events, size)) ? -EFAULT : size; 490 } 491 492 static ssize_t ffs_ep0_read(struct file *file, char __user *buf, 493 size_t len, loff_t *ptr) 494 { 495 struct ffs_data *ffs = file->private_data; 496 char *data = NULL; 497 size_t n; 498 int ret; 499 500 ENTER(); 501 502 /* Fast check if setup was canceled */ 503 if (ffs_setup_state_clear_cancelled(ffs) == FFS_SETUP_CANCELLED) 504 return -EIDRM; 505 506 /* Acquire mutex */ 507 ret = ffs_mutex_lock(&ffs->mutex, file->f_flags & O_NONBLOCK); 508 if (unlikely(ret < 0)) 509 return ret; 510 511 /* Check state */ 512 if (ffs->state != FFS_ACTIVE) { 513 ret = -EBADFD; 514 goto done_mutex; 515 } 516 517 /* 518 * We're called from user space, we can use _irq rather then 519 * _irqsave 520 */ 521 spin_lock_irq(&ffs->ev.waitq.lock); 522 523 switch (ffs_setup_state_clear_cancelled(ffs)) { 524 case FFS_SETUP_CANCELLED: 525 ret = -EIDRM; 526 break; 527 528 case FFS_NO_SETUP: 529 n = len / sizeof(struct usb_functionfs_event); 530 if (unlikely(!n)) { 531 ret = -EINVAL; 532 break; 533 } 534 535 if ((file->f_flags & O_NONBLOCK) && !ffs->ev.count) { 536 ret = -EAGAIN; 537 break; 538 } 539 540 if (wait_event_interruptible_exclusive_locked_irq(ffs->ev.waitq, 541 ffs->ev.count)) { 542 ret = -EINTR; 543 break; 544 } 545 546 return __ffs_ep0_read_events(ffs, buf, 547 min(n, (size_t)ffs->ev.count)); 548 549 case FFS_SETUP_PENDING: 550 if (ffs->ev.setup.bRequestType & USB_DIR_IN) { 551 spin_unlock_irq(&ffs->ev.waitq.lock); 552 ret = __ffs_ep0_stall(ffs); 553 goto done_mutex; 554 } 555 556 len = min(len, (size_t)le16_to_cpu(ffs->ev.setup.wLength)); 557 558 spin_unlock_irq(&ffs->ev.waitq.lock); 559 560 if (likely(len)) { 561 data = kmalloc(len, GFP_KERNEL); 562 if (unlikely(!data)) { 563 ret = -ENOMEM; 564 goto done_mutex; 565 } 566 } 567 568 spin_lock_irq(&ffs->ev.waitq.lock); 569 570 /* See ffs_ep0_write() */ 571 if (ffs_setup_state_clear_cancelled(ffs) == 572 FFS_SETUP_CANCELLED) { 573 ret = -EIDRM; 574 break; 575 } 576 577 /* unlocks spinlock */ 578 ret = __ffs_ep0_queue_wait(ffs, data, len); 579 if (likely(ret > 0) && unlikely(copy_to_user(buf, data, len))) 580 ret = -EFAULT; 581 goto done_mutex; 582 583 default: 584 ret = -EBADFD; 585 break; 586 } 587 588 spin_unlock_irq(&ffs->ev.waitq.lock); 589 done_mutex: 590 mutex_unlock(&ffs->mutex); 591 kfree(data); 592 return ret; 593 } 594 595 static int ffs_ep0_open(struct inode *inode, struct file *file) 596 { 597 struct ffs_data *ffs = inode->i_private; 598 599 ENTER(); 600 601 if (unlikely(ffs->state == FFS_CLOSING)) 602 return -EBUSY; 603 604 file->private_data = ffs; 605 ffs_data_opened(ffs); 606 607 return 0; 608 } 609 610 static int ffs_ep0_release(struct inode *inode, struct file *file) 611 { 612 struct ffs_data *ffs = file->private_data; 613 614 ENTER(); 615 616 ffs_data_closed(ffs); 617 618 return 0; 619 } 620 621 static long ffs_ep0_ioctl(struct file *file, unsigned code, unsigned long value) 622 { 623 struct ffs_data *ffs = file->private_data; 624 struct usb_gadget *gadget = ffs->gadget; 625 long ret; 626 627 ENTER(); 628 629 if (code == FUNCTIONFS_INTERFACE_REVMAP) { 630 struct ffs_function *func = ffs->func; 631 ret = func ? ffs_func_revmap_intf(func, value) : -ENODEV; 632 } else if (gadget && gadget->ops->ioctl) { 633 ret = gadget->ops->ioctl(gadget, code, value); 634 } else { 635 ret = -ENOTTY; 636 } 637 638 return ret; 639 } 640 641 static unsigned int ffs_ep0_poll(struct file *file, poll_table *wait) 642 { 643 struct ffs_data *ffs = file->private_data; 644 unsigned int mask = POLLWRNORM; 645 int ret; 646 647 poll_wait(file, &ffs->ev.waitq, wait); 648 649 ret = ffs_mutex_lock(&ffs->mutex, file->f_flags & O_NONBLOCK); 650 if (unlikely(ret < 0)) 651 return mask; 652 653 switch (ffs->state) { 654 case FFS_READ_DESCRIPTORS: 655 case FFS_READ_STRINGS: 656 mask |= POLLOUT; 657 break; 658 659 case FFS_ACTIVE: 660 switch (ffs->setup_state) { 661 case FFS_NO_SETUP: 662 if (ffs->ev.count) 663 mask |= POLLIN; 664 break; 665 666 case FFS_SETUP_PENDING: 667 case FFS_SETUP_CANCELLED: 668 mask |= (POLLIN | POLLOUT); 669 break; 670 } 671 case FFS_CLOSING: 672 break; 673 case FFS_DEACTIVATED: 674 break; 675 } 676 677 mutex_unlock(&ffs->mutex); 678 679 return mask; 680 } 681 682 static const struct file_operations ffs_ep0_operations = { 683 .llseek = no_llseek, 684 685 .open = ffs_ep0_open, 686 .write = ffs_ep0_write, 687 .read = ffs_ep0_read, 688 .release = ffs_ep0_release, 689 .unlocked_ioctl = ffs_ep0_ioctl, 690 .poll = ffs_ep0_poll, 691 }; 692 693 694 /* "Normal" endpoints operations ********************************************/ 695 696 static void ffs_epfile_io_complete(struct usb_ep *_ep, struct usb_request *req) 697 { 698 ENTER(); 699 if (likely(req->context)) { 700 struct ffs_ep *ep = _ep->driver_data; 701 ep->status = req->status ? req->status : req->actual; 702 complete(req->context); 703 } 704 } 705 706 static ssize_t ffs_copy_to_iter(void *data, int data_len, struct iov_iter *iter) 707 { 708 ssize_t ret = copy_to_iter(data, data_len, iter); 709 if (likely(ret == data_len)) 710 return ret; 711 712 if (unlikely(iov_iter_count(iter))) 713 return -EFAULT; 714 715 /* 716 * Dear user space developer! 717 * 718 * TL;DR: To stop getting below error message in your kernel log, change 719 * user space code using functionfs to align read buffers to a max 720 * packet size. 721 * 722 * Some UDCs (e.g. dwc3) require request sizes to be a multiple of a max 723 * packet size. When unaligned buffer is passed to functionfs, it 724 * internally uses a larger, aligned buffer so that such UDCs are happy. 725 * 726 * Unfortunately, this means that host may send more data than was 727 * requested in read(2) system call. f_fs doesn’t know what to do with 728 * that excess data so it simply drops it. 729 * 730 * Was the buffer aligned in the first place, no such problem would 731 * happen. 732 * 733 * Data may be dropped only in AIO reads. Synchronous reads are handled 734 * by splitting a request into multiple parts. This splitting may still 735 * be a problem though so it’s likely best to align the buffer 736 * regardless of it being AIO or not.. 737 * 738 * This only affects OUT endpoints, i.e. reading data with a read(2), 739 * aio_read(2) etc. system calls. Writing data to an IN endpoint is not 740 * affected. 741 */ 742 pr_err("functionfs read size %d > requested size %zd, dropping excess data. " 743 "Align read buffer size to max packet size to avoid the problem.\n", 744 data_len, ret); 745 746 return ret; 747 } 748 749 static void ffs_user_copy_worker(struct work_struct *work) 750 { 751 struct ffs_io_data *io_data = container_of(work, struct ffs_io_data, 752 work); 753 int ret = io_data->req->status ? io_data->req->status : 754 io_data->req->actual; 755 bool kiocb_has_eventfd = io_data->kiocb->ki_flags & IOCB_EVENTFD; 756 757 if (io_data->read && ret > 0) { 758 use_mm(io_data->mm); 759 ret = ffs_copy_to_iter(io_data->buf, ret, &io_data->data); 760 unuse_mm(io_data->mm); 761 } 762 763 io_data->kiocb->ki_complete(io_data->kiocb, ret, ret); 764 765 if (io_data->ffs->ffs_eventfd && !kiocb_has_eventfd) 766 eventfd_signal(io_data->ffs->ffs_eventfd, 1); 767 768 usb_ep_free_request(io_data->ep, io_data->req); 769 770 if (io_data->read) 771 kfree(io_data->to_free); 772 kfree(io_data->buf); 773 kfree(io_data); 774 } 775 776 static void ffs_epfile_async_io_complete(struct usb_ep *_ep, 777 struct usb_request *req) 778 { 779 struct ffs_io_data *io_data = req->context; 780 struct ffs_data *ffs = io_data->ffs; 781 782 ENTER(); 783 784 INIT_WORK(&io_data->work, ffs_user_copy_worker); 785 queue_work(ffs->io_completion_wq, &io_data->work); 786 } 787 788 static void __ffs_epfile_read_buffer_free(struct ffs_epfile *epfile) 789 { 790 /* 791 * See comment in struct ffs_epfile for full read_buffer pointer 792 * synchronisation story. 793 */ 794 struct ffs_buffer *buf = xchg(&epfile->read_buffer, READ_BUFFER_DROP); 795 if (buf && buf != READ_BUFFER_DROP) 796 kfree(buf); 797 } 798 799 /* Assumes epfile->mutex is held. */ 800 static ssize_t __ffs_epfile_read_buffered(struct ffs_epfile *epfile, 801 struct iov_iter *iter) 802 { 803 /* 804 * Null out epfile->read_buffer so ffs_func_eps_disable does not free 805 * the buffer while we are using it. See comment in struct ffs_epfile 806 * for full read_buffer pointer synchronisation story. 807 */ 808 struct ffs_buffer *buf = xchg(&epfile->read_buffer, NULL); 809 ssize_t ret; 810 if (!buf || buf == READ_BUFFER_DROP) 811 return 0; 812 813 ret = copy_to_iter(buf->data, buf->length, iter); 814 if (buf->length == ret) { 815 kfree(buf); 816 return ret; 817 } 818 819 if (unlikely(iov_iter_count(iter))) { 820 ret = -EFAULT; 821 } else { 822 buf->length -= ret; 823 buf->data += ret; 824 } 825 826 if (cmpxchg(&epfile->read_buffer, NULL, buf)) 827 kfree(buf); 828 829 return ret; 830 } 831 832 /* Assumes epfile->mutex is held. */ 833 static ssize_t __ffs_epfile_read_data(struct ffs_epfile *epfile, 834 void *data, int data_len, 835 struct iov_iter *iter) 836 { 837 struct ffs_buffer *buf; 838 839 ssize_t ret = copy_to_iter(data, data_len, iter); 840 if (likely(data_len == ret)) 841 return ret; 842 843 if (unlikely(iov_iter_count(iter))) 844 return -EFAULT; 845 846 /* See ffs_copy_to_iter for more context. */ 847 pr_warn("functionfs read size %d > requested size %zd, splitting request into multiple reads.", 848 data_len, ret); 849 850 data_len -= ret; 851 buf = kmalloc(sizeof(*buf) + data_len, GFP_KERNEL); 852 if (!buf) 853 return -ENOMEM; 854 buf->length = data_len; 855 buf->data = buf->storage; 856 memcpy(buf->storage, data + ret, data_len); 857 858 /* 859 * At this point read_buffer is NULL or READ_BUFFER_DROP (if 860 * ffs_func_eps_disable has been called in the meanwhile). See comment 861 * in struct ffs_epfile for full read_buffer pointer synchronisation 862 * story. 863 */ 864 if (unlikely(cmpxchg(&epfile->read_buffer, NULL, buf))) 865 kfree(buf); 866 867 return ret; 868 } 869 870 static ssize_t ffs_epfile_io(struct file *file, struct ffs_io_data *io_data) 871 { 872 struct ffs_epfile *epfile = file->private_data; 873 struct usb_request *req; 874 struct ffs_ep *ep; 875 char *data = NULL; 876 ssize_t ret, data_len = -EINVAL; 877 int halt; 878 879 /* Are we still active? */ 880 if (WARN_ON(epfile->ffs->state != FFS_ACTIVE)) 881 return -ENODEV; 882 883 /* Wait for endpoint to be enabled */ 884 ep = epfile->ep; 885 if (!ep) { 886 if (file->f_flags & O_NONBLOCK) 887 return -EAGAIN; 888 889 ret = wait_event_interruptible( 890 epfile->ffs->wait, (ep = epfile->ep)); 891 if (ret) 892 return -EINTR; 893 } 894 895 /* Do we halt? */ 896 halt = (!io_data->read == !epfile->in); 897 if (halt && epfile->isoc) 898 return -EINVAL; 899 900 /* We will be using request and read_buffer */ 901 ret = ffs_mutex_lock(&epfile->mutex, file->f_flags & O_NONBLOCK); 902 if (unlikely(ret)) 903 goto error; 904 905 /* Allocate & copy */ 906 if (!halt) { 907 struct usb_gadget *gadget; 908 909 /* 910 * Do we have buffered data from previous partial read? Check 911 * that for synchronous case only because we do not have 912 * facility to ‘wake up’ a pending asynchronous read and push 913 * buffered data to it which we would need to make things behave 914 * consistently. 915 */ 916 if (!io_data->aio && io_data->read) { 917 ret = __ffs_epfile_read_buffered(epfile, &io_data->data); 918 if (ret) 919 goto error_mutex; 920 } 921 922 /* 923 * if we _do_ wait above, the epfile->ffs->gadget might be NULL 924 * before the waiting completes, so do not assign to 'gadget' 925 * earlier 926 */ 927 gadget = epfile->ffs->gadget; 928 929 spin_lock_irq(&epfile->ffs->eps_lock); 930 /* In the meantime, endpoint got disabled or changed. */ 931 if (epfile->ep != ep) { 932 ret = -ESHUTDOWN; 933 goto error_lock; 934 } 935 data_len = iov_iter_count(&io_data->data); 936 /* 937 * Controller may require buffer size to be aligned to 938 * maxpacketsize of an out endpoint. 939 */ 940 if (io_data->read) 941 data_len = usb_ep_align_maybe(gadget, ep->ep, data_len); 942 spin_unlock_irq(&epfile->ffs->eps_lock); 943 944 data = kmalloc(data_len, GFP_KERNEL); 945 if (unlikely(!data)) { 946 ret = -ENOMEM; 947 goto error_mutex; 948 } 949 if (!io_data->read && 950 !copy_from_iter_full(data, data_len, &io_data->data)) { 951 ret = -EFAULT; 952 goto error_mutex; 953 } 954 } 955 956 spin_lock_irq(&epfile->ffs->eps_lock); 957 958 if (epfile->ep != ep) { 959 /* In the meantime, endpoint got disabled or changed. */ 960 ret = -ESHUTDOWN; 961 } else if (halt) { 962 ret = usb_ep_set_halt(ep->ep); 963 if (!ret) 964 ret = -EBADMSG; 965 } else if (unlikely(data_len == -EINVAL)) { 966 /* 967 * Sanity Check: even though data_len can't be used 968 * uninitialized at the time I write this comment, some 969 * compilers complain about this situation. 970 * In order to keep the code clean from warnings, data_len is 971 * being initialized to -EINVAL during its declaration, which 972 * means we can't rely on compiler anymore to warn no future 973 * changes won't result in data_len being used uninitialized. 974 * For such reason, we're adding this redundant sanity check 975 * here. 976 */ 977 WARN(1, "%s: data_len == -EINVAL\n", __func__); 978 ret = -EINVAL; 979 } else if (!io_data->aio) { 980 DECLARE_COMPLETION_ONSTACK(done); 981 bool interrupted = false; 982 983 req = ep->req; 984 req->buf = data; 985 req->length = data_len; 986 987 req->context = &done; 988 req->complete = ffs_epfile_io_complete; 989 990 ret = usb_ep_queue(ep->ep, req, GFP_ATOMIC); 991 if (unlikely(ret < 0)) 992 goto error_lock; 993 994 spin_unlock_irq(&epfile->ffs->eps_lock); 995 996 if (unlikely(wait_for_completion_interruptible(&done))) { 997 /* 998 * To avoid race condition with ffs_epfile_io_complete, 999 * dequeue the request first then check 1000 * status. usb_ep_dequeue API should guarantee no race 1001 * condition with req->complete callback. 1002 */ 1003 usb_ep_dequeue(ep->ep, req); 1004 interrupted = ep->status < 0; 1005 } 1006 1007 if (interrupted) 1008 ret = -EINTR; 1009 else if (io_data->read && ep->status > 0) 1010 ret = __ffs_epfile_read_data(epfile, data, ep->status, 1011 &io_data->data); 1012 else 1013 ret = ep->status; 1014 goto error_mutex; 1015 } else if (!(req = usb_ep_alloc_request(ep->ep, GFP_ATOMIC))) { 1016 ret = -ENOMEM; 1017 } else { 1018 req->buf = data; 1019 req->length = data_len; 1020 1021 io_data->buf = data; 1022 io_data->ep = ep->ep; 1023 io_data->req = req; 1024 io_data->ffs = epfile->ffs; 1025 1026 req->context = io_data; 1027 req->complete = ffs_epfile_async_io_complete; 1028 1029 ret = usb_ep_queue(ep->ep, req, GFP_ATOMIC); 1030 if (unlikely(ret)) { 1031 usb_ep_free_request(ep->ep, req); 1032 goto error_lock; 1033 } 1034 1035 ret = -EIOCBQUEUED; 1036 /* 1037 * Do not kfree the buffer in this function. It will be freed 1038 * by ffs_user_copy_worker. 1039 */ 1040 data = NULL; 1041 } 1042 1043 error_lock: 1044 spin_unlock_irq(&epfile->ffs->eps_lock); 1045 error_mutex: 1046 mutex_unlock(&epfile->mutex); 1047 error: 1048 kfree(data); 1049 return ret; 1050 } 1051 1052 static int 1053 ffs_epfile_open(struct inode *inode, struct file *file) 1054 { 1055 struct ffs_epfile *epfile = inode->i_private; 1056 1057 ENTER(); 1058 1059 if (WARN_ON(epfile->ffs->state != FFS_ACTIVE)) 1060 return -ENODEV; 1061 1062 file->private_data = epfile; 1063 ffs_data_opened(epfile->ffs); 1064 1065 return 0; 1066 } 1067 1068 static int ffs_aio_cancel(struct kiocb *kiocb) 1069 { 1070 struct ffs_io_data *io_data = kiocb->private; 1071 struct ffs_epfile *epfile = kiocb->ki_filp->private_data; 1072 int value; 1073 1074 ENTER(); 1075 1076 spin_lock_irq(&epfile->ffs->eps_lock); 1077 1078 if (likely(io_data && io_data->ep && io_data->req)) 1079 value = usb_ep_dequeue(io_data->ep, io_data->req); 1080 else 1081 value = -EINVAL; 1082 1083 spin_unlock_irq(&epfile->ffs->eps_lock); 1084 1085 return value; 1086 } 1087 1088 static ssize_t ffs_epfile_write_iter(struct kiocb *kiocb, struct iov_iter *from) 1089 { 1090 struct ffs_io_data io_data, *p = &io_data; 1091 ssize_t res; 1092 1093 ENTER(); 1094 1095 if (!is_sync_kiocb(kiocb)) { 1096 p = kmalloc(sizeof(io_data), GFP_KERNEL); 1097 if (unlikely(!p)) 1098 return -ENOMEM; 1099 p->aio = true; 1100 } else { 1101 p->aio = false; 1102 } 1103 1104 p->read = false; 1105 p->kiocb = kiocb; 1106 p->data = *from; 1107 p->mm = current->mm; 1108 1109 kiocb->private = p; 1110 1111 if (p->aio) 1112 kiocb_set_cancel_fn(kiocb, ffs_aio_cancel); 1113 1114 res = ffs_epfile_io(kiocb->ki_filp, p); 1115 if (res == -EIOCBQUEUED) 1116 return res; 1117 if (p->aio) 1118 kfree(p); 1119 else 1120 *from = p->data; 1121 return res; 1122 } 1123 1124 static ssize_t ffs_epfile_read_iter(struct kiocb *kiocb, struct iov_iter *to) 1125 { 1126 struct ffs_io_data io_data, *p = &io_data; 1127 ssize_t res; 1128 1129 ENTER(); 1130 1131 if (!is_sync_kiocb(kiocb)) { 1132 p = kmalloc(sizeof(io_data), GFP_KERNEL); 1133 if (unlikely(!p)) 1134 return -ENOMEM; 1135 p->aio = true; 1136 } else { 1137 p->aio = false; 1138 } 1139 1140 p->read = true; 1141 p->kiocb = kiocb; 1142 if (p->aio) { 1143 p->to_free = dup_iter(&p->data, to, GFP_KERNEL); 1144 if (!p->to_free) { 1145 kfree(p); 1146 return -ENOMEM; 1147 } 1148 } else { 1149 p->data = *to; 1150 p->to_free = NULL; 1151 } 1152 p->mm = current->mm; 1153 1154 kiocb->private = p; 1155 1156 if (p->aio) 1157 kiocb_set_cancel_fn(kiocb, ffs_aio_cancel); 1158 1159 res = ffs_epfile_io(kiocb->ki_filp, p); 1160 if (res == -EIOCBQUEUED) 1161 return res; 1162 1163 if (p->aio) { 1164 kfree(p->to_free); 1165 kfree(p); 1166 } else { 1167 *to = p->data; 1168 } 1169 return res; 1170 } 1171 1172 static int 1173 ffs_epfile_release(struct inode *inode, struct file *file) 1174 { 1175 struct ffs_epfile *epfile = inode->i_private; 1176 1177 ENTER(); 1178 1179 __ffs_epfile_read_buffer_free(epfile); 1180 ffs_data_closed(epfile->ffs); 1181 1182 return 0; 1183 } 1184 1185 static long ffs_epfile_ioctl(struct file *file, unsigned code, 1186 unsigned long value) 1187 { 1188 struct ffs_epfile *epfile = file->private_data; 1189 struct ffs_ep *ep; 1190 int ret; 1191 1192 ENTER(); 1193 1194 if (WARN_ON(epfile->ffs->state != FFS_ACTIVE)) 1195 return -ENODEV; 1196 1197 /* Wait for endpoint to be enabled */ 1198 ep = epfile->ep; 1199 if (!ep) { 1200 if (file->f_flags & O_NONBLOCK) 1201 return -EAGAIN; 1202 1203 ret = wait_event_interruptible( 1204 epfile->ffs->wait, (ep = epfile->ep)); 1205 if (ret) 1206 return -EINTR; 1207 } 1208 1209 spin_lock_irq(&epfile->ffs->eps_lock); 1210 1211 /* In the meantime, endpoint got disabled or changed. */ 1212 if (epfile->ep != ep) { 1213 spin_unlock_irq(&epfile->ffs->eps_lock); 1214 return -ESHUTDOWN; 1215 } 1216 1217 switch (code) { 1218 case FUNCTIONFS_FIFO_STATUS: 1219 ret = usb_ep_fifo_status(epfile->ep->ep); 1220 break; 1221 case FUNCTIONFS_FIFO_FLUSH: 1222 usb_ep_fifo_flush(epfile->ep->ep); 1223 ret = 0; 1224 break; 1225 case FUNCTIONFS_CLEAR_HALT: 1226 ret = usb_ep_clear_halt(epfile->ep->ep); 1227 break; 1228 case FUNCTIONFS_ENDPOINT_REVMAP: 1229 ret = epfile->ep->num; 1230 break; 1231 case FUNCTIONFS_ENDPOINT_DESC: 1232 { 1233 int desc_idx; 1234 struct usb_endpoint_descriptor *desc; 1235 1236 switch (epfile->ffs->gadget->speed) { 1237 case USB_SPEED_SUPER: 1238 desc_idx = 2; 1239 break; 1240 case USB_SPEED_HIGH: 1241 desc_idx = 1; 1242 break; 1243 default: 1244 desc_idx = 0; 1245 } 1246 desc = epfile->ep->descs[desc_idx]; 1247 1248 spin_unlock_irq(&epfile->ffs->eps_lock); 1249 ret = copy_to_user((void *)value, desc, desc->bLength); 1250 if (ret) 1251 ret = -EFAULT; 1252 return ret; 1253 } 1254 default: 1255 ret = -ENOTTY; 1256 } 1257 spin_unlock_irq(&epfile->ffs->eps_lock); 1258 1259 return ret; 1260 } 1261 1262 static const struct file_operations ffs_epfile_operations = { 1263 .llseek = no_llseek, 1264 1265 .open = ffs_epfile_open, 1266 .write_iter = ffs_epfile_write_iter, 1267 .read_iter = ffs_epfile_read_iter, 1268 .release = ffs_epfile_release, 1269 .unlocked_ioctl = ffs_epfile_ioctl, 1270 }; 1271 1272 1273 /* File system and super block operations ***********************************/ 1274 1275 /* 1276 * Mounting the file system creates a controller file, used first for 1277 * function configuration then later for event monitoring. 1278 */ 1279 1280 static struct inode *__must_check 1281 ffs_sb_make_inode(struct super_block *sb, void *data, 1282 const struct file_operations *fops, 1283 const struct inode_operations *iops, 1284 struct ffs_file_perms *perms) 1285 { 1286 struct inode *inode; 1287 1288 ENTER(); 1289 1290 inode = new_inode(sb); 1291 1292 if (likely(inode)) { 1293 struct timespec ts = current_time(inode); 1294 1295 inode->i_ino = get_next_ino(); 1296 inode->i_mode = perms->mode; 1297 inode->i_uid = perms->uid; 1298 inode->i_gid = perms->gid; 1299 inode->i_atime = ts; 1300 inode->i_mtime = ts; 1301 inode->i_ctime = ts; 1302 inode->i_private = data; 1303 if (fops) 1304 inode->i_fop = fops; 1305 if (iops) 1306 inode->i_op = iops; 1307 } 1308 1309 return inode; 1310 } 1311 1312 /* Create "regular" file */ 1313 static struct dentry *ffs_sb_create_file(struct super_block *sb, 1314 const char *name, void *data, 1315 const struct file_operations *fops) 1316 { 1317 struct ffs_data *ffs = sb->s_fs_info; 1318 struct dentry *dentry; 1319 struct inode *inode; 1320 1321 ENTER(); 1322 1323 dentry = d_alloc_name(sb->s_root, name); 1324 if (unlikely(!dentry)) 1325 return NULL; 1326 1327 inode = ffs_sb_make_inode(sb, data, fops, NULL, &ffs->file_perms); 1328 if (unlikely(!inode)) { 1329 dput(dentry); 1330 return NULL; 1331 } 1332 1333 d_add(dentry, inode); 1334 return dentry; 1335 } 1336 1337 /* Super block */ 1338 static const struct super_operations ffs_sb_operations = { 1339 .statfs = simple_statfs, 1340 .drop_inode = generic_delete_inode, 1341 }; 1342 1343 struct ffs_sb_fill_data { 1344 struct ffs_file_perms perms; 1345 umode_t root_mode; 1346 const char *dev_name; 1347 bool no_disconnect; 1348 struct ffs_data *ffs_data; 1349 }; 1350 1351 static int ffs_sb_fill(struct super_block *sb, void *_data, int silent) 1352 { 1353 struct ffs_sb_fill_data *data = _data; 1354 struct inode *inode; 1355 struct ffs_data *ffs = data->ffs_data; 1356 1357 ENTER(); 1358 1359 ffs->sb = sb; 1360 data->ffs_data = NULL; 1361 sb->s_fs_info = ffs; 1362 sb->s_blocksize = PAGE_SIZE; 1363 sb->s_blocksize_bits = PAGE_SHIFT; 1364 sb->s_magic = FUNCTIONFS_MAGIC; 1365 sb->s_op = &ffs_sb_operations; 1366 sb->s_time_gran = 1; 1367 1368 /* Root inode */ 1369 data->perms.mode = data->root_mode; 1370 inode = ffs_sb_make_inode(sb, NULL, 1371 &simple_dir_operations, 1372 &simple_dir_inode_operations, 1373 &data->perms); 1374 sb->s_root = d_make_root(inode); 1375 if (unlikely(!sb->s_root)) 1376 return -ENOMEM; 1377 1378 /* EP0 file */ 1379 if (unlikely(!ffs_sb_create_file(sb, "ep0", ffs, 1380 &ffs_ep0_operations))) 1381 return -ENOMEM; 1382 1383 return 0; 1384 } 1385 1386 static int ffs_fs_parse_opts(struct ffs_sb_fill_data *data, char *opts) 1387 { 1388 ENTER(); 1389 1390 if (!opts || !*opts) 1391 return 0; 1392 1393 for (;;) { 1394 unsigned long value; 1395 char *eq, *comma; 1396 1397 /* Option limit */ 1398 comma = strchr(opts, ','); 1399 if (comma) 1400 *comma = 0; 1401 1402 /* Value limit */ 1403 eq = strchr(opts, '='); 1404 if (unlikely(!eq)) { 1405 pr_err("'=' missing in %s\n", opts); 1406 return -EINVAL; 1407 } 1408 *eq = 0; 1409 1410 /* Parse value */ 1411 if (kstrtoul(eq + 1, 0, &value)) { 1412 pr_err("%s: invalid value: %s\n", opts, eq + 1); 1413 return -EINVAL; 1414 } 1415 1416 /* Interpret option */ 1417 switch (eq - opts) { 1418 case 13: 1419 if (!memcmp(opts, "no_disconnect", 13)) 1420 data->no_disconnect = !!value; 1421 else 1422 goto invalid; 1423 break; 1424 case 5: 1425 if (!memcmp(opts, "rmode", 5)) 1426 data->root_mode = (value & 0555) | S_IFDIR; 1427 else if (!memcmp(opts, "fmode", 5)) 1428 data->perms.mode = (value & 0666) | S_IFREG; 1429 else 1430 goto invalid; 1431 break; 1432 1433 case 4: 1434 if (!memcmp(opts, "mode", 4)) { 1435 data->root_mode = (value & 0555) | S_IFDIR; 1436 data->perms.mode = (value & 0666) | S_IFREG; 1437 } else { 1438 goto invalid; 1439 } 1440 break; 1441 1442 case 3: 1443 if (!memcmp(opts, "uid", 3)) { 1444 data->perms.uid = make_kuid(current_user_ns(), value); 1445 if (!uid_valid(data->perms.uid)) { 1446 pr_err("%s: unmapped value: %lu\n", opts, value); 1447 return -EINVAL; 1448 } 1449 } else if (!memcmp(opts, "gid", 3)) { 1450 data->perms.gid = make_kgid(current_user_ns(), value); 1451 if (!gid_valid(data->perms.gid)) { 1452 pr_err("%s: unmapped value: %lu\n", opts, value); 1453 return -EINVAL; 1454 } 1455 } else { 1456 goto invalid; 1457 } 1458 break; 1459 1460 default: 1461 invalid: 1462 pr_err("%s: invalid option\n", opts); 1463 return -EINVAL; 1464 } 1465 1466 /* Next iteration */ 1467 if (!comma) 1468 break; 1469 opts = comma + 1; 1470 } 1471 1472 return 0; 1473 } 1474 1475 /* "mount -t functionfs dev_name /dev/function" ends up here */ 1476 1477 static struct dentry * 1478 ffs_fs_mount(struct file_system_type *t, int flags, 1479 const char *dev_name, void *opts) 1480 { 1481 struct ffs_sb_fill_data data = { 1482 .perms = { 1483 .mode = S_IFREG | 0600, 1484 .uid = GLOBAL_ROOT_UID, 1485 .gid = GLOBAL_ROOT_GID, 1486 }, 1487 .root_mode = S_IFDIR | 0500, 1488 .no_disconnect = false, 1489 }; 1490 struct dentry *rv; 1491 int ret; 1492 void *ffs_dev; 1493 struct ffs_data *ffs; 1494 1495 ENTER(); 1496 1497 ret = ffs_fs_parse_opts(&data, opts); 1498 if (unlikely(ret < 0)) 1499 return ERR_PTR(ret); 1500 1501 ffs = ffs_data_new(dev_name); 1502 if (unlikely(!ffs)) 1503 return ERR_PTR(-ENOMEM); 1504 ffs->file_perms = data.perms; 1505 ffs->no_disconnect = data.no_disconnect; 1506 1507 ffs->dev_name = kstrdup(dev_name, GFP_KERNEL); 1508 if (unlikely(!ffs->dev_name)) { 1509 ffs_data_put(ffs); 1510 return ERR_PTR(-ENOMEM); 1511 } 1512 1513 ffs_dev = ffs_acquire_dev(dev_name); 1514 if (IS_ERR(ffs_dev)) { 1515 ffs_data_put(ffs); 1516 return ERR_CAST(ffs_dev); 1517 } 1518 ffs->private_data = ffs_dev; 1519 data.ffs_data = ffs; 1520 1521 rv = mount_nodev(t, flags, &data, ffs_sb_fill); 1522 if (IS_ERR(rv) && data.ffs_data) { 1523 ffs_release_dev(data.ffs_data); 1524 ffs_data_put(data.ffs_data); 1525 } 1526 return rv; 1527 } 1528 1529 static void 1530 ffs_fs_kill_sb(struct super_block *sb) 1531 { 1532 ENTER(); 1533 1534 kill_litter_super(sb); 1535 if (sb->s_fs_info) { 1536 ffs_release_dev(sb->s_fs_info); 1537 ffs_data_closed(sb->s_fs_info); 1538 ffs_data_put(sb->s_fs_info); 1539 } 1540 } 1541 1542 static struct file_system_type ffs_fs_type = { 1543 .owner = THIS_MODULE, 1544 .name = "functionfs", 1545 .mount = ffs_fs_mount, 1546 .kill_sb = ffs_fs_kill_sb, 1547 }; 1548 MODULE_ALIAS_FS("functionfs"); 1549 1550 1551 /* Driver's main init/cleanup functions *************************************/ 1552 1553 static int functionfs_init(void) 1554 { 1555 int ret; 1556 1557 ENTER(); 1558 1559 ret = register_filesystem(&ffs_fs_type); 1560 if (likely(!ret)) 1561 pr_info("file system registered\n"); 1562 else 1563 pr_err("failed registering file system (%d)\n", ret); 1564 1565 return ret; 1566 } 1567 1568 static void functionfs_cleanup(void) 1569 { 1570 ENTER(); 1571 1572 pr_info("unloading\n"); 1573 unregister_filesystem(&ffs_fs_type); 1574 } 1575 1576 1577 /* ffs_data and ffs_function construction and destruction code **************/ 1578 1579 static void ffs_data_clear(struct ffs_data *ffs); 1580 static void ffs_data_reset(struct ffs_data *ffs); 1581 1582 static void ffs_data_get(struct ffs_data *ffs) 1583 { 1584 ENTER(); 1585 1586 refcount_inc(&ffs->ref); 1587 } 1588 1589 static void ffs_data_opened(struct ffs_data *ffs) 1590 { 1591 ENTER(); 1592 1593 refcount_inc(&ffs->ref); 1594 if (atomic_add_return(1, &ffs->opened) == 1 && 1595 ffs->state == FFS_DEACTIVATED) { 1596 ffs->state = FFS_CLOSING; 1597 ffs_data_reset(ffs); 1598 } 1599 } 1600 1601 static void ffs_data_put(struct ffs_data *ffs) 1602 { 1603 ENTER(); 1604 1605 if (unlikely(refcount_dec_and_test(&ffs->ref))) { 1606 pr_info("%s(): freeing\n", __func__); 1607 ffs_data_clear(ffs); 1608 BUG_ON(waitqueue_active(&ffs->ev.waitq) || 1609 waitqueue_active(&ffs->ep0req_completion.wait) || 1610 waitqueue_active(&ffs->wait)); 1611 destroy_workqueue(ffs->io_completion_wq); 1612 kfree(ffs->dev_name); 1613 kfree(ffs); 1614 } 1615 } 1616 1617 static void ffs_data_closed(struct ffs_data *ffs) 1618 { 1619 ENTER(); 1620 1621 if (atomic_dec_and_test(&ffs->opened)) { 1622 if (ffs->no_disconnect) { 1623 ffs->state = FFS_DEACTIVATED; 1624 if (ffs->epfiles) { 1625 ffs_epfiles_destroy(ffs->epfiles, 1626 ffs->eps_count); 1627 ffs->epfiles = NULL; 1628 } 1629 if (ffs->setup_state == FFS_SETUP_PENDING) 1630 __ffs_ep0_stall(ffs); 1631 } else { 1632 ffs->state = FFS_CLOSING; 1633 ffs_data_reset(ffs); 1634 } 1635 } 1636 if (atomic_read(&ffs->opened) < 0) { 1637 ffs->state = FFS_CLOSING; 1638 ffs_data_reset(ffs); 1639 } 1640 1641 ffs_data_put(ffs); 1642 } 1643 1644 static struct ffs_data *ffs_data_new(const char *dev_name) 1645 { 1646 struct ffs_data *ffs = kzalloc(sizeof *ffs, GFP_KERNEL); 1647 if (unlikely(!ffs)) 1648 return NULL; 1649 1650 ENTER(); 1651 1652 ffs->io_completion_wq = alloc_ordered_workqueue("%s", 0, dev_name); 1653 if (!ffs->io_completion_wq) { 1654 kfree(ffs); 1655 return NULL; 1656 } 1657 1658 refcount_set(&ffs->ref, 1); 1659 atomic_set(&ffs->opened, 0); 1660 ffs->state = FFS_READ_DESCRIPTORS; 1661 mutex_init(&ffs->mutex); 1662 spin_lock_init(&ffs->eps_lock); 1663 init_waitqueue_head(&ffs->ev.waitq); 1664 init_waitqueue_head(&ffs->wait); 1665 init_completion(&ffs->ep0req_completion); 1666 1667 /* XXX REVISIT need to update it in some places, or do we? */ 1668 ffs->ev.can_stall = 1; 1669 1670 return ffs; 1671 } 1672 1673 static void ffs_data_clear(struct ffs_data *ffs) 1674 { 1675 ENTER(); 1676 1677 ffs_closed(ffs); 1678 1679 BUG_ON(ffs->gadget); 1680 1681 if (ffs->epfiles) 1682 ffs_epfiles_destroy(ffs->epfiles, ffs->eps_count); 1683 1684 if (ffs->ffs_eventfd) 1685 eventfd_ctx_put(ffs->ffs_eventfd); 1686 1687 kfree(ffs->raw_descs_data); 1688 kfree(ffs->raw_strings); 1689 kfree(ffs->stringtabs); 1690 } 1691 1692 static void ffs_data_reset(struct ffs_data *ffs) 1693 { 1694 ENTER(); 1695 1696 ffs_data_clear(ffs); 1697 1698 ffs->epfiles = NULL; 1699 ffs->raw_descs_data = NULL; 1700 ffs->raw_descs = NULL; 1701 ffs->raw_strings = NULL; 1702 ffs->stringtabs = NULL; 1703 1704 ffs->raw_descs_length = 0; 1705 ffs->fs_descs_count = 0; 1706 ffs->hs_descs_count = 0; 1707 ffs->ss_descs_count = 0; 1708 1709 ffs->strings_count = 0; 1710 ffs->interfaces_count = 0; 1711 ffs->eps_count = 0; 1712 1713 ffs->ev.count = 0; 1714 1715 ffs->state = FFS_READ_DESCRIPTORS; 1716 ffs->setup_state = FFS_NO_SETUP; 1717 ffs->flags = 0; 1718 } 1719 1720 1721 static int functionfs_bind(struct ffs_data *ffs, struct usb_composite_dev *cdev) 1722 { 1723 struct usb_gadget_strings **lang; 1724 int first_id; 1725 1726 ENTER(); 1727 1728 if (WARN_ON(ffs->state != FFS_ACTIVE 1729 || test_and_set_bit(FFS_FL_BOUND, &ffs->flags))) 1730 return -EBADFD; 1731 1732 first_id = usb_string_ids_n(cdev, ffs->strings_count); 1733 if (unlikely(first_id < 0)) 1734 return first_id; 1735 1736 ffs->ep0req = usb_ep_alloc_request(cdev->gadget->ep0, GFP_KERNEL); 1737 if (unlikely(!ffs->ep0req)) 1738 return -ENOMEM; 1739 ffs->ep0req->complete = ffs_ep0_complete; 1740 ffs->ep0req->context = ffs; 1741 1742 lang = ffs->stringtabs; 1743 if (lang) { 1744 for (; *lang; ++lang) { 1745 struct usb_string *str = (*lang)->strings; 1746 int id = first_id; 1747 for (; str->s; ++id, ++str) 1748 str->id = id; 1749 } 1750 } 1751 1752 ffs->gadget = cdev->gadget; 1753 ffs_data_get(ffs); 1754 return 0; 1755 } 1756 1757 static void functionfs_unbind(struct ffs_data *ffs) 1758 { 1759 ENTER(); 1760 1761 if (!WARN_ON(!ffs->gadget)) { 1762 usb_ep_free_request(ffs->gadget->ep0, ffs->ep0req); 1763 ffs->ep0req = NULL; 1764 ffs->gadget = NULL; 1765 clear_bit(FFS_FL_BOUND, &ffs->flags); 1766 ffs_data_put(ffs); 1767 } 1768 } 1769 1770 static int ffs_epfiles_create(struct ffs_data *ffs) 1771 { 1772 struct ffs_epfile *epfile, *epfiles; 1773 unsigned i, count; 1774 1775 ENTER(); 1776 1777 count = ffs->eps_count; 1778 epfiles = kcalloc(count, sizeof(*epfiles), GFP_KERNEL); 1779 if (!epfiles) 1780 return -ENOMEM; 1781 1782 epfile = epfiles; 1783 for (i = 1; i <= count; ++i, ++epfile) { 1784 epfile->ffs = ffs; 1785 mutex_init(&epfile->mutex); 1786 if (ffs->user_flags & FUNCTIONFS_VIRTUAL_ADDR) 1787 sprintf(epfile->name, "ep%02x", ffs->eps_addrmap[i]); 1788 else 1789 sprintf(epfile->name, "ep%u", i); 1790 epfile->dentry = ffs_sb_create_file(ffs->sb, epfile->name, 1791 epfile, 1792 &ffs_epfile_operations); 1793 if (unlikely(!epfile->dentry)) { 1794 ffs_epfiles_destroy(epfiles, i - 1); 1795 return -ENOMEM; 1796 } 1797 } 1798 1799 ffs->epfiles = epfiles; 1800 return 0; 1801 } 1802 1803 static void ffs_epfiles_destroy(struct ffs_epfile *epfiles, unsigned count) 1804 { 1805 struct ffs_epfile *epfile = epfiles; 1806 1807 ENTER(); 1808 1809 for (; count; --count, ++epfile) { 1810 BUG_ON(mutex_is_locked(&epfile->mutex)); 1811 if (epfile->dentry) { 1812 d_delete(epfile->dentry); 1813 dput(epfile->dentry); 1814 epfile->dentry = NULL; 1815 } 1816 } 1817 1818 kfree(epfiles); 1819 } 1820 1821 static void ffs_func_eps_disable(struct ffs_function *func) 1822 { 1823 struct ffs_ep *ep = func->eps; 1824 struct ffs_epfile *epfile = func->ffs->epfiles; 1825 unsigned count = func->ffs->eps_count; 1826 unsigned long flags; 1827 1828 spin_lock_irqsave(&func->ffs->eps_lock, flags); 1829 while (count--) { 1830 /* pending requests get nuked */ 1831 if (likely(ep->ep)) 1832 usb_ep_disable(ep->ep); 1833 ++ep; 1834 1835 if (epfile) { 1836 epfile->ep = NULL; 1837 __ffs_epfile_read_buffer_free(epfile); 1838 ++epfile; 1839 } 1840 } 1841 spin_unlock_irqrestore(&func->ffs->eps_lock, flags); 1842 } 1843 1844 static int ffs_func_eps_enable(struct ffs_function *func) 1845 { 1846 struct ffs_data *ffs = func->ffs; 1847 struct ffs_ep *ep = func->eps; 1848 struct ffs_epfile *epfile = ffs->epfiles; 1849 unsigned count = ffs->eps_count; 1850 unsigned long flags; 1851 int ret = 0; 1852 1853 spin_lock_irqsave(&func->ffs->eps_lock, flags); 1854 while(count--) { 1855 struct usb_endpoint_descriptor *ds; 1856 struct usb_ss_ep_comp_descriptor *comp_desc = NULL; 1857 int needs_comp_desc = false; 1858 int desc_idx; 1859 1860 if (ffs->gadget->speed == USB_SPEED_SUPER) { 1861 desc_idx = 2; 1862 needs_comp_desc = true; 1863 } else if (ffs->gadget->speed == USB_SPEED_HIGH) 1864 desc_idx = 1; 1865 else 1866 desc_idx = 0; 1867 1868 /* fall-back to lower speed if desc missing for current speed */ 1869 do { 1870 ds = ep->descs[desc_idx]; 1871 } while (!ds && --desc_idx >= 0); 1872 1873 if (!ds) { 1874 ret = -EINVAL; 1875 break; 1876 } 1877 1878 ep->ep->driver_data = ep; 1879 ep->ep->desc = ds; 1880 1881 if (needs_comp_desc) { 1882 comp_desc = (struct usb_ss_ep_comp_descriptor *)(ds + 1883 USB_DT_ENDPOINT_SIZE); 1884 ep->ep->maxburst = comp_desc->bMaxBurst + 1; 1885 ep->ep->comp_desc = comp_desc; 1886 } 1887 1888 ret = usb_ep_enable(ep->ep); 1889 if (likely(!ret)) { 1890 epfile->ep = ep; 1891 epfile->in = usb_endpoint_dir_in(ds); 1892 epfile->isoc = usb_endpoint_xfer_isoc(ds); 1893 } else { 1894 break; 1895 } 1896 1897 ++ep; 1898 ++epfile; 1899 } 1900 1901 wake_up_interruptible(&ffs->wait); 1902 spin_unlock_irqrestore(&func->ffs->eps_lock, flags); 1903 1904 return ret; 1905 } 1906 1907 1908 /* Parsing and building descriptors and strings *****************************/ 1909 1910 /* 1911 * This validates if data pointed by data is a valid USB descriptor as 1912 * well as record how many interfaces, endpoints and strings are 1913 * required by given configuration. Returns address after the 1914 * descriptor or NULL if data is invalid. 1915 */ 1916 1917 enum ffs_entity_type { 1918 FFS_DESCRIPTOR, FFS_INTERFACE, FFS_STRING, FFS_ENDPOINT 1919 }; 1920 1921 enum ffs_os_desc_type { 1922 FFS_OS_DESC, FFS_OS_DESC_EXT_COMPAT, FFS_OS_DESC_EXT_PROP 1923 }; 1924 1925 typedef int (*ffs_entity_callback)(enum ffs_entity_type entity, 1926 u8 *valuep, 1927 struct usb_descriptor_header *desc, 1928 void *priv); 1929 1930 typedef int (*ffs_os_desc_callback)(enum ffs_os_desc_type entity, 1931 struct usb_os_desc_header *h, void *data, 1932 unsigned len, void *priv); 1933 1934 static int __must_check ffs_do_single_desc(char *data, unsigned len, 1935 ffs_entity_callback entity, 1936 void *priv) 1937 { 1938 struct usb_descriptor_header *_ds = (void *)data; 1939 u8 length; 1940 int ret; 1941 1942 ENTER(); 1943 1944 /* At least two bytes are required: length and type */ 1945 if (len < 2) { 1946 pr_vdebug("descriptor too short\n"); 1947 return -EINVAL; 1948 } 1949 1950 /* If we have at least as many bytes as the descriptor takes? */ 1951 length = _ds->bLength; 1952 if (len < length) { 1953 pr_vdebug("descriptor longer then available data\n"); 1954 return -EINVAL; 1955 } 1956 1957 #define __entity_check_INTERFACE(val) 1 1958 #define __entity_check_STRING(val) (val) 1959 #define __entity_check_ENDPOINT(val) ((val) & USB_ENDPOINT_NUMBER_MASK) 1960 #define __entity(type, val) do { \ 1961 pr_vdebug("entity " #type "(%02x)\n", (val)); \ 1962 if (unlikely(!__entity_check_ ##type(val))) { \ 1963 pr_vdebug("invalid entity's value\n"); \ 1964 return -EINVAL; \ 1965 } \ 1966 ret = entity(FFS_ ##type, &val, _ds, priv); \ 1967 if (unlikely(ret < 0)) { \ 1968 pr_debug("entity " #type "(%02x); ret = %d\n", \ 1969 (val), ret); \ 1970 return ret; \ 1971 } \ 1972 } while (0) 1973 1974 /* Parse descriptor depending on type. */ 1975 switch (_ds->bDescriptorType) { 1976 case USB_DT_DEVICE: 1977 case USB_DT_CONFIG: 1978 case USB_DT_STRING: 1979 case USB_DT_DEVICE_QUALIFIER: 1980 /* function can't have any of those */ 1981 pr_vdebug("descriptor reserved for gadget: %d\n", 1982 _ds->bDescriptorType); 1983 return -EINVAL; 1984 1985 case USB_DT_INTERFACE: { 1986 struct usb_interface_descriptor *ds = (void *)_ds; 1987 pr_vdebug("interface descriptor\n"); 1988 if (length != sizeof *ds) 1989 goto inv_length; 1990 1991 __entity(INTERFACE, ds->bInterfaceNumber); 1992 if (ds->iInterface) 1993 __entity(STRING, ds->iInterface); 1994 } 1995 break; 1996 1997 case USB_DT_ENDPOINT: { 1998 struct usb_endpoint_descriptor *ds = (void *)_ds; 1999 pr_vdebug("endpoint descriptor\n"); 2000 if (length != USB_DT_ENDPOINT_SIZE && 2001 length != USB_DT_ENDPOINT_AUDIO_SIZE) 2002 goto inv_length; 2003 __entity(ENDPOINT, ds->bEndpointAddress); 2004 } 2005 break; 2006 2007 case HID_DT_HID: 2008 pr_vdebug("hid descriptor\n"); 2009 if (length != sizeof(struct hid_descriptor)) 2010 goto inv_length; 2011 break; 2012 2013 case USB_DT_OTG: 2014 if (length != sizeof(struct usb_otg_descriptor)) 2015 goto inv_length; 2016 break; 2017 2018 case USB_DT_INTERFACE_ASSOCIATION: { 2019 struct usb_interface_assoc_descriptor *ds = (void *)_ds; 2020 pr_vdebug("interface association descriptor\n"); 2021 if (length != sizeof *ds) 2022 goto inv_length; 2023 if (ds->iFunction) 2024 __entity(STRING, ds->iFunction); 2025 } 2026 break; 2027 2028 case USB_DT_SS_ENDPOINT_COMP: 2029 pr_vdebug("EP SS companion descriptor\n"); 2030 if (length != sizeof(struct usb_ss_ep_comp_descriptor)) 2031 goto inv_length; 2032 break; 2033 2034 case USB_DT_OTHER_SPEED_CONFIG: 2035 case USB_DT_INTERFACE_POWER: 2036 case USB_DT_DEBUG: 2037 case USB_DT_SECURITY: 2038 case USB_DT_CS_RADIO_CONTROL: 2039 /* TODO */ 2040 pr_vdebug("unimplemented descriptor: %d\n", _ds->bDescriptorType); 2041 return -EINVAL; 2042 2043 default: 2044 /* We should never be here */ 2045 pr_vdebug("unknown descriptor: %d\n", _ds->bDescriptorType); 2046 return -EINVAL; 2047 2048 inv_length: 2049 pr_vdebug("invalid length: %d (descriptor %d)\n", 2050 _ds->bLength, _ds->bDescriptorType); 2051 return -EINVAL; 2052 } 2053 2054 #undef __entity 2055 #undef __entity_check_DESCRIPTOR 2056 #undef __entity_check_INTERFACE 2057 #undef __entity_check_STRING 2058 #undef __entity_check_ENDPOINT 2059 2060 return length; 2061 } 2062 2063 static int __must_check ffs_do_descs(unsigned count, char *data, unsigned len, 2064 ffs_entity_callback entity, void *priv) 2065 { 2066 const unsigned _len = len; 2067 unsigned long num = 0; 2068 2069 ENTER(); 2070 2071 for (;;) { 2072 int ret; 2073 2074 if (num == count) 2075 data = NULL; 2076 2077 /* Record "descriptor" entity */ 2078 ret = entity(FFS_DESCRIPTOR, (u8 *)num, (void *)data, priv); 2079 if (unlikely(ret < 0)) { 2080 pr_debug("entity DESCRIPTOR(%02lx); ret = %d\n", 2081 num, ret); 2082 return ret; 2083 } 2084 2085 if (!data) 2086 return _len - len; 2087 2088 ret = ffs_do_single_desc(data, len, entity, priv); 2089 if (unlikely(ret < 0)) { 2090 pr_debug("%s returns %d\n", __func__, ret); 2091 return ret; 2092 } 2093 2094 len -= ret; 2095 data += ret; 2096 ++num; 2097 } 2098 } 2099 2100 static int __ffs_data_do_entity(enum ffs_entity_type type, 2101 u8 *valuep, struct usb_descriptor_header *desc, 2102 void *priv) 2103 { 2104 struct ffs_desc_helper *helper = priv; 2105 struct usb_endpoint_descriptor *d; 2106 2107 ENTER(); 2108 2109 switch (type) { 2110 case FFS_DESCRIPTOR: 2111 break; 2112 2113 case FFS_INTERFACE: 2114 /* 2115 * Interfaces are indexed from zero so if we 2116 * encountered interface "n" then there are at least 2117 * "n+1" interfaces. 2118 */ 2119 if (*valuep >= helper->interfaces_count) 2120 helper->interfaces_count = *valuep + 1; 2121 break; 2122 2123 case FFS_STRING: 2124 /* 2125 * Strings are indexed from 1 (0 is reserved 2126 * for languages list) 2127 */ 2128 if (*valuep > helper->ffs->strings_count) 2129 helper->ffs->strings_count = *valuep; 2130 break; 2131 2132 case FFS_ENDPOINT: 2133 d = (void *)desc; 2134 helper->eps_count++; 2135 if (helper->eps_count >= FFS_MAX_EPS_COUNT) 2136 return -EINVAL; 2137 /* Check if descriptors for any speed were already parsed */ 2138 if (!helper->ffs->eps_count && !helper->ffs->interfaces_count) 2139 helper->ffs->eps_addrmap[helper->eps_count] = 2140 d->bEndpointAddress; 2141 else if (helper->ffs->eps_addrmap[helper->eps_count] != 2142 d->bEndpointAddress) 2143 return -EINVAL; 2144 break; 2145 } 2146 2147 return 0; 2148 } 2149 2150 static int __ffs_do_os_desc_header(enum ffs_os_desc_type *next_type, 2151 struct usb_os_desc_header *desc) 2152 { 2153 u16 bcd_version = le16_to_cpu(desc->bcdVersion); 2154 u16 w_index = le16_to_cpu(desc->wIndex); 2155 2156 if (bcd_version != 1) { 2157 pr_vdebug("unsupported os descriptors version: %d", 2158 bcd_version); 2159 return -EINVAL; 2160 } 2161 switch (w_index) { 2162 case 0x4: 2163 *next_type = FFS_OS_DESC_EXT_COMPAT; 2164 break; 2165 case 0x5: 2166 *next_type = FFS_OS_DESC_EXT_PROP; 2167 break; 2168 default: 2169 pr_vdebug("unsupported os descriptor type: %d", w_index); 2170 return -EINVAL; 2171 } 2172 2173 return sizeof(*desc); 2174 } 2175 2176 /* 2177 * Process all extended compatibility/extended property descriptors 2178 * of a feature descriptor 2179 */ 2180 static int __must_check ffs_do_single_os_desc(char *data, unsigned len, 2181 enum ffs_os_desc_type type, 2182 u16 feature_count, 2183 ffs_os_desc_callback entity, 2184 void *priv, 2185 struct usb_os_desc_header *h) 2186 { 2187 int ret; 2188 const unsigned _len = len; 2189 2190 ENTER(); 2191 2192 /* loop over all ext compat/ext prop descriptors */ 2193 while (feature_count--) { 2194 ret = entity(type, h, data, len, priv); 2195 if (unlikely(ret < 0)) { 2196 pr_debug("bad OS descriptor, type: %d\n", type); 2197 return ret; 2198 } 2199 data += ret; 2200 len -= ret; 2201 } 2202 return _len - len; 2203 } 2204 2205 /* Process a number of complete Feature Descriptors (Ext Compat or Ext Prop) */ 2206 static int __must_check ffs_do_os_descs(unsigned count, 2207 char *data, unsigned len, 2208 ffs_os_desc_callback entity, void *priv) 2209 { 2210 const unsigned _len = len; 2211 unsigned long num = 0; 2212 2213 ENTER(); 2214 2215 for (num = 0; num < count; ++num) { 2216 int ret; 2217 enum ffs_os_desc_type type; 2218 u16 feature_count; 2219 struct usb_os_desc_header *desc = (void *)data; 2220 2221 if (len < sizeof(*desc)) 2222 return -EINVAL; 2223 2224 /* 2225 * Record "descriptor" entity. 2226 * Process dwLength, bcdVersion, wIndex, get b/wCount. 2227 * Move the data pointer to the beginning of extended 2228 * compatibilities proper or extended properties proper 2229 * portions of the data 2230 */ 2231 if (le32_to_cpu(desc->dwLength) > len) 2232 return -EINVAL; 2233 2234 ret = __ffs_do_os_desc_header(&type, desc); 2235 if (unlikely(ret < 0)) { 2236 pr_debug("entity OS_DESCRIPTOR(%02lx); ret = %d\n", 2237 num, ret); 2238 return ret; 2239 } 2240 /* 2241 * 16-bit hex "?? 00" Little Endian looks like 8-bit hex "??" 2242 */ 2243 feature_count = le16_to_cpu(desc->wCount); 2244 if (type == FFS_OS_DESC_EXT_COMPAT && 2245 (feature_count > 255 || desc->Reserved)) 2246 return -EINVAL; 2247 len -= ret; 2248 data += ret; 2249 2250 /* 2251 * Process all function/property descriptors 2252 * of this Feature Descriptor 2253 */ 2254 ret = ffs_do_single_os_desc(data, len, type, 2255 feature_count, entity, priv, desc); 2256 if (unlikely(ret < 0)) { 2257 pr_debug("%s returns %d\n", __func__, ret); 2258 return ret; 2259 } 2260 2261 len -= ret; 2262 data += ret; 2263 } 2264 return _len - len; 2265 } 2266 2267 /** 2268 * Validate contents of the buffer from userspace related to OS descriptors. 2269 */ 2270 static int __ffs_data_do_os_desc(enum ffs_os_desc_type type, 2271 struct usb_os_desc_header *h, void *data, 2272 unsigned len, void *priv) 2273 { 2274 struct ffs_data *ffs = priv; 2275 u8 length; 2276 2277 ENTER(); 2278 2279 switch (type) { 2280 case FFS_OS_DESC_EXT_COMPAT: { 2281 struct usb_ext_compat_desc *d = data; 2282 int i; 2283 2284 if (len < sizeof(*d) || 2285 d->bFirstInterfaceNumber >= ffs->interfaces_count) 2286 return -EINVAL; 2287 if (d->Reserved1 != 1) { 2288 /* 2289 * According to the spec, Reserved1 must be set to 1 2290 * but older kernels incorrectly rejected non-zero 2291 * values. We fix it here to avoid returning EINVAL 2292 * in response to values we used to accept. 2293 */ 2294 pr_debug("usb_ext_compat_desc::Reserved1 forced to 1\n"); 2295 d->Reserved1 = 1; 2296 } 2297 for (i = 0; i < ARRAY_SIZE(d->Reserved2); ++i) 2298 if (d->Reserved2[i]) 2299 return -EINVAL; 2300 2301 length = sizeof(struct usb_ext_compat_desc); 2302 } 2303 break; 2304 case FFS_OS_DESC_EXT_PROP: { 2305 struct usb_ext_prop_desc *d = data; 2306 u32 type, pdl; 2307 u16 pnl; 2308 2309 if (len < sizeof(*d) || h->interface >= ffs->interfaces_count) 2310 return -EINVAL; 2311 length = le32_to_cpu(d->dwSize); 2312 if (len < length) 2313 return -EINVAL; 2314 type = le32_to_cpu(d->dwPropertyDataType); 2315 if (type < USB_EXT_PROP_UNICODE || 2316 type > USB_EXT_PROP_UNICODE_MULTI) { 2317 pr_vdebug("unsupported os descriptor property type: %d", 2318 type); 2319 return -EINVAL; 2320 } 2321 pnl = le16_to_cpu(d->wPropertyNameLength); 2322 if (length < 14 + pnl) { 2323 pr_vdebug("invalid os descriptor length: %d pnl:%d (descriptor %d)\n", 2324 length, pnl, type); 2325 return -EINVAL; 2326 } 2327 pdl = le32_to_cpu(*(u32 *)((u8 *)data + 10 + pnl)); 2328 if (length != 14 + pnl + pdl) { 2329 pr_vdebug("invalid os descriptor length: %d pnl:%d pdl:%d (descriptor %d)\n", 2330 length, pnl, pdl, type); 2331 return -EINVAL; 2332 } 2333 ++ffs->ms_os_descs_ext_prop_count; 2334 /* property name reported to the host as "WCHAR"s */ 2335 ffs->ms_os_descs_ext_prop_name_len += pnl * 2; 2336 ffs->ms_os_descs_ext_prop_data_len += pdl; 2337 } 2338 break; 2339 default: 2340 pr_vdebug("unknown descriptor: %d\n", type); 2341 return -EINVAL; 2342 } 2343 return length; 2344 } 2345 2346 static int __ffs_data_got_descs(struct ffs_data *ffs, 2347 char *const _data, size_t len) 2348 { 2349 char *data = _data, *raw_descs; 2350 unsigned os_descs_count = 0, counts[3], flags; 2351 int ret = -EINVAL, i; 2352 struct ffs_desc_helper helper; 2353 2354 ENTER(); 2355 2356 if (get_unaligned_le32(data + 4) != len) 2357 goto error; 2358 2359 switch (get_unaligned_le32(data)) { 2360 case FUNCTIONFS_DESCRIPTORS_MAGIC: 2361 flags = FUNCTIONFS_HAS_FS_DESC | FUNCTIONFS_HAS_HS_DESC; 2362 data += 8; 2363 len -= 8; 2364 break; 2365 case FUNCTIONFS_DESCRIPTORS_MAGIC_V2: 2366 flags = get_unaligned_le32(data + 8); 2367 ffs->user_flags = flags; 2368 if (flags & ~(FUNCTIONFS_HAS_FS_DESC | 2369 FUNCTIONFS_HAS_HS_DESC | 2370 FUNCTIONFS_HAS_SS_DESC | 2371 FUNCTIONFS_HAS_MS_OS_DESC | 2372 FUNCTIONFS_VIRTUAL_ADDR | 2373 FUNCTIONFS_EVENTFD | 2374 FUNCTIONFS_ALL_CTRL_RECIP | 2375 FUNCTIONFS_CONFIG0_SETUP)) { 2376 ret = -ENOSYS; 2377 goto error; 2378 } 2379 data += 12; 2380 len -= 12; 2381 break; 2382 default: 2383 goto error; 2384 } 2385 2386 if (flags & FUNCTIONFS_EVENTFD) { 2387 if (len < 4) 2388 goto error; 2389 ffs->ffs_eventfd = 2390 eventfd_ctx_fdget((int)get_unaligned_le32(data)); 2391 if (IS_ERR(ffs->ffs_eventfd)) { 2392 ret = PTR_ERR(ffs->ffs_eventfd); 2393 ffs->ffs_eventfd = NULL; 2394 goto error; 2395 } 2396 data += 4; 2397 len -= 4; 2398 } 2399 2400 /* Read fs_count, hs_count and ss_count (if present) */ 2401 for (i = 0; i < 3; ++i) { 2402 if (!(flags & (1 << i))) { 2403 counts[i] = 0; 2404 } else if (len < 4) { 2405 goto error; 2406 } else { 2407 counts[i] = get_unaligned_le32(data); 2408 data += 4; 2409 len -= 4; 2410 } 2411 } 2412 if (flags & (1 << i)) { 2413 if (len < 4) { 2414 goto error; 2415 } 2416 os_descs_count = get_unaligned_le32(data); 2417 data += 4; 2418 len -= 4; 2419 }; 2420 2421 /* Read descriptors */ 2422 raw_descs = data; 2423 helper.ffs = ffs; 2424 for (i = 0; i < 3; ++i) { 2425 if (!counts[i]) 2426 continue; 2427 helper.interfaces_count = 0; 2428 helper.eps_count = 0; 2429 ret = ffs_do_descs(counts[i], data, len, 2430 __ffs_data_do_entity, &helper); 2431 if (ret < 0) 2432 goto error; 2433 if (!ffs->eps_count && !ffs->interfaces_count) { 2434 ffs->eps_count = helper.eps_count; 2435 ffs->interfaces_count = helper.interfaces_count; 2436 } else { 2437 if (ffs->eps_count != helper.eps_count) { 2438 ret = -EINVAL; 2439 goto error; 2440 } 2441 if (ffs->interfaces_count != helper.interfaces_count) { 2442 ret = -EINVAL; 2443 goto error; 2444 } 2445 } 2446 data += ret; 2447 len -= ret; 2448 } 2449 if (os_descs_count) { 2450 ret = ffs_do_os_descs(os_descs_count, data, len, 2451 __ffs_data_do_os_desc, ffs); 2452 if (ret < 0) 2453 goto error; 2454 data += ret; 2455 len -= ret; 2456 } 2457 2458 if (raw_descs == data || len) { 2459 ret = -EINVAL; 2460 goto error; 2461 } 2462 2463 ffs->raw_descs_data = _data; 2464 ffs->raw_descs = raw_descs; 2465 ffs->raw_descs_length = data - raw_descs; 2466 ffs->fs_descs_count = counts[0]; 2467 ffs->hs_descs_count = counts[1]; 2468 ffs->ss_descs_count = counts[2]; 2469 ffs->ms_os_descs_count = os_descs_count; 2470 2471 return 0; 2472 2473 error: 2474 kfree(_data); 2475 return ret; 2476 } 2477 2478 static int __ffs_data_got_strings(struct ffs_data *ffs, 2479 char *const _data, size_t len) 2480 { 2481 u32 str_count, needed_count, lang_count; 2482 struct usb_gadget_strings **stringtabs, *t; 2483 const char *data = _data; 2484 struct usb_string *s; 2485 2486 ENTER(); 2487 2488 if (unlikely(len < 16 || 2489 get_unaligned_le32(data) != FUNCTIONFS_STRINGS_MAGIC || 2490 get_unaligned_le32(data + 4) != len)) 2491 goto error; 2492 str_count = get_unaligned_le32(data + 8); 2493 lang_count = get_unaligned_le32(data + 12); 2494 2495 /* if one is zero the other must be zero */ 2496 if (unlikely(!str_count != !lang_count)) 2497 goto error; 2498 2499 /* Do we have at least as many strings as descriptors need? */ 2500 needed_count = ffs->strings_count; 2501 if (unlikely(str_count < needed_count)) 2502 goto error; 2503 2504 /* 2505 * If we don't need any strings just return and free all 2506 * memory. 2507 */ 2508 if (!needed_count) { 2509 kfree(_data); 2510 return 0; 2511 } 2512 2513 /* Allocate everything in one chunk so there's less maintenance. */ 2514 { 2515 unsigned i = 0; 2516 vla_group(d); 2517 vla_item(d, struct usb_gadget_strings *, stringtabs, 2518 lang_count + 1); 2519 vla_item(d, struct usb_gadget_strings, stringtab, lang_count); 2520 vla_item(d, struct usb_string, strings, 2521 lang_count*(needed_count+1)); 2522 2523 char *vlabuf = kmalloc(vla_group_size(d), GFP_KERNEL); 2524 2525 if (unlikely(!vlabuf)) { 2526 kfree(_data); 2527 return -ENOMEM; 2528 } 2529 2530 /* Initialize the VLA pointers */ 2531 stringtabs = vla_ptr(vlabuf, d, stringtabs); 2532 t = vla_ptr(vlabuf, d, stringtab); 2533 i = lang_count; 2534 do { 2535 *stringtabs++ = t++; 2536 } while (--i); 2537 *stringtabs = NULL; 2538 2539 /* stringtabs = vlabuf = d_stringtabs for later kfree */ 2540 stringtabs = vla_ptr(vlabuf, d, stringtabs); 2541 t = vla_ptr(vlabuf, d, stringtab); 2542 s = vla_ptr(vlabuf, d, strings); 2543 } 2544 2545 /* For each language */ 2546 data += 16; 2547 len -= 16; 2548 2549 do { /* lang_count > 0 so we can use do-while */ 2550 unsigned needed = needed_count; 2551 2552 if (unlikely(len < 3)) 2553 goto error_free; 2554 t->language = get_unaligned_le16(data); 2555 t->strings = s; 2556 ++t; 2557 2558 data += 2; 2559 len -= 2; 2560 2561 /* For each string */ 2562 do { /* str_count > 0 so we can use do-while */ 2563 size_t length = strnlen(data, len); 2564 2565 if (unlikely(length == len)) 2566 goto error_free; 2567 2568 /* 2569 * User may provide more strings then we need, 2570 * if that's the case we simply ignore the 2571 * rest 2572 */ 2573 if (likely(needed)) { 2574 /* 2575 * s->id will be set while adding 2576 * function to configuration so for 2577 * now just leave garbage here. 2578 */ 2579 s->s = data; 2580 --needed; 2581 ++s; 2582 } 2583 2584 data += length + 1; 2585 len -= length + 1; 2586 } while (--str_count); 2587 2588 s->id = 0; /* terminator */ 2589 s->s = NULL; 2590 ++s; 2591 2592 } while (--lang_count); 2593 2594 /* Some garbage left? */ 2595 if (unlikely(len)) 2596 goto error_free; 2597 2598 /* Done! */ 2599 ffs->stringtabs = stringtabs; 2600 ffs->raw_strings = _data; 2601 2602 return 0; 2603 2604 error_free: 2605 kfree(stringtabs); 2606 error: 2607 kfree(_data); 2608 return -EINVAL; 2609 } 2610 2611 2612 /* Events handling and management *******************************************/ 2613 2614 static void __ffs_event_add(struct ffs_data *ffs, 2615 enum usb_functionfs_event_type type) 2616 { 2617 enum usb_functionfs_event_type rem_type1, rem_type2 = type; 2618 int neg = 0; 2619 2620 /* 2621 * Abort any unhandled setup 2622 * 2623 * We do not need to worry about some cmpxchg() changing value 2624 * of ffs->setup_state without holding the lock because when 2625 * state is FFS_SETUP_PENDING cmpxchg() in several places in 2626 * the source does nothing. 2627 */ 2628 if (ffs->setup_state == FFS_SETUP_PENDING) 2629 ffs->setup_state = FFS_SETUP_CANCELLED; 2630 2631 /* 2632 * Logic of this function guarantees that there are at most four pending 2633 * evens on ffs->ev.types queue. This is important because the queue 2634 * has space for four elements only and __ffs_ep0_read_events function 2635 * depends on that limit as well. If more event types are added, those 2636 * limits have to be revisited or guaranteed to still hold. 2637 */ 2638 switch (type) { 2639 case FUNCTIONFS_RESUME: 2640 rem_type2 = FUNCTIONFS_SUSPEND; 2641 /* FALL THROUGH */ 2642 case FUNCTIONFS_SUSPEND: 2643 case FUNCTIONFS_SETUP: 2644 rem_type1 = type; 2645 /* Discard all similar events */ 2646 break; 2647 2648 case FUNCTIONFS_BIND: 2649 case FUNCTIONFS_UNBIND: 2650 case FUNCTIONFS_DISABLE: 2651 case FUNCTIONFS_ENABLE: 2652 /* Discard everything other then power management. */ 2653 rem_type1 = FUNCTIONFS_SUSPEND; 2654 rem_type2 = FUNCTIONFS_RESUME; 2655 neg = 1; 2656 break; 2657 2658 default: 2659 WARN(1, "%d: unknown event, this should not happen\n", type); 2660 return; 2661 } 2662 2663 { 2664 u8 *ev = ffs->ev.types, *out = ev; 2665 unsigned n = ffs->ev.count; 2666 for (; n; --n, ++ev) 2667 if ((*ev == rem_type1 || *ev == rem_type2) == neg) 2668 *out++ = *ev; 2669 else 2670 pr_vdebug("purging event %d\n", *ev); 2671 ffs->ev.count = out - ffs->ev.types; 2672 } 2673 2674 pr_vdebug("adding event %d\n", type); 2675 ffs->ev.types[ffs->ev.count++] = type; 2676 wake_up_locked(&ffs->ev.waitq); 2677 if (ffs->ffs_eventfd) 2678 eventfd_signal(ffs->ffs_eventfd, 1); 2679 } 2680 2681 static void ffs_event_add(struct ffs_data *ffs, 2682 enum usb_functionfs_event_type type) 2683 { 2684 unsigned long flags; 2685 spin_lock_irqsave(&ffs->ev.waitq.lock, flags); 2686 __ffs_event_add(ffs, type); 2687 spin_unlock_irqrestore(&ffs->ev.waitq.lock, flags); 2688 } 2689 2690 /* Bind/unbind USB function hooks *******************************************/ 2691 2692 static int ffs_ep_addr2idx(struct ffs_data *ffs, u8 endpoint_address) 2693 { 2694 int i; 2695 2696 for (i = 1; i < ARRAY_SIZE(ffs->eps_addrmap); ++i) 2697 if (ffs->eps_addrmap[i] == endpoint_address) 2698 return i; 2699 return -ENOENT; 2700 } 2701 2702 static int __ffs_func_bind_do_descs(enum ffs_entity_type type, u8 *valuep, 2703 struct usb_descriptor_header *desc, 2704 void *priv) 2705 { 2706 struct usb_endpoint_descriptor *ds = (void *)desc; 2707 struct ffs_function *func = priv; 2708 struct ffs_ep *ffs_ep; 2709 unsigned ep_desc_id; 2710 int idx; 2711 static const char *speed_names[] = { "full", "high", "super" }; 2712 2713 if (type != FFS_DESCRIPTOR) 2714 return 0; 2715 2716 /* 2717 * If ss_descriptors is not NULL, we are reading super speed 2718 * descriptors; if hs_descriptors is not NULL, we are reading high 2719 * speed descriptors; otherwise, we are reading full speed 2720 * descriptors. 2721 */ 2722 if (func->function.ss_descriptors) { 2723 ep_desc_id = 2; 2724 func->function.ss_descriptors[(long)valuep] = desc; 2725 } else if (func->function.hs_descriptors) { 2726 ep_desc_id = 1; 2727 func->function.hs_descriptors[(long)valuep] = desc; 2728 } else { 2729 ep_desc_id = 0; 2730 func->function.fs_descriptors[(long)valuep] = desc; 2731 } 2732 2733 if (!desc || desc->bDescriptorType != USB_DT_ENDPOINT) 2734 return 0; 2735 2736 idx = ffs_ep_addr2idx(func->ffs, ds->bEndpointAddress) - 1; 2737 if (idx < 0) 2738 return idx; 2739 2740 ffs_ep = func->eps + idx; 2741 2742 if (unlikely(ffs_ep->descs[ep_desc_id])) { 2743 pr_err("two %sspeed descriptors for EP %d\n", 2744 speed_names[ep_desc_id], 2745 ds->bEndpointAddress & USB_ENDPOINT_NUMBER_MASK); 2746 return -EINVAL; 2747 } 2748 ffs_ep->descs[ep_desc_id] = ds; 2749 2750 ffs_dump_mem(": Original ep desc", ds, ds->bLength); 2751 if (ffs_ep->ep) { 2752 ds->bEndpointAddress = ffs_ep->descs[0]->bEndpointAddress; 2753 if (!ds->wMaxPacketSize) 2754 ds->wMaxPacketSize = ffs_ep->descs[0]->wMaxPacketSize; 2755 } else { 2756 struct usb_request *req; 2757 struct usb_ep *ep; 2758 u8 bEndpointAddress; 2759 2760 /* 2761 * We back up bEndpointAddress because autoconfig overwrites 2762 * it with physical endpoint address. 2763 */ 2764 bEndpointAddress = ds->bEndpointAddress; 2765 pr_vdebug("autoconfig\n"); 2766 ep = usb_ep_autoconfig(func->gadget, ds); 2767 if (unlikely(!ep)) 2768 return -ENOTSUPP; 2769 ep->driver_data = func->eps + idx; 2770 2771 req = usb_ep_alloc_request(ep, GFP_KERNEL); 2772 if (unlikely(!req)) 2773 return -ENOMEM; 2774 2775 ffs_ep->ep = ep; 2776 ffs_ep->req = req; 2777 func->eps_revmap[ds->bEndpointAddress & 2778 USB_ENDPOINT_NUMBER_MASK] = idx + 1; 2779 /* 2780 * If we use virtual address mapping, we restore 2781 * original bEndpointAddress value. 2782 */ 2783 if (func->ffs->user_flags & FUNCTIONFS_VIRTUAL_ADDR) 2784 ds->bEndpointAddress = bEndpointAddress; 2785 } 2786 ffs_dump_mem(": Rewritten ep desc", ds, ds->bLength); 2787 2788 return 0; 2789 } 2790 2791 static int __ffs_func_bind_do_nums(enum ffs_entity_type type, u8 *valuep, 2792 struct usb_descriptor_header *desc, 2793 void *priv) 2794 { 2795 struct ffs_function *func = priv; 2796 unsigned idx; 2797 u8 newValue; 2798 2799 switch (type) { 2800 default: 2801 case FFS_DESCRIPTOR: 2802 /* Handled in previous pass by __ffs_func_bind_do_descs() */ 2803 return 0; 2804 2805 case FFS_INTERFACE: 2806 idx = *valuep; 2807 if (func->interfaces_nums[idx] < 0) { 2808 int id = usb_interface_id(func->conf, &func->function); 2809 if (unlikely(id < 0)) 2810 return id; 2811 func->interfaces_nums[idx] = id; 2812 } 2813 newValue = func->interfaces_nums[idx]; 2814 break; 2815 2816 case FFS_STRING: 2817 /* String' IDs are allocated when fsf_data is bound to cdev */ 2818 newValue = func->ffs->stringtabs[0]->strings[*valuep - 1].id; 2819 break; 2820 2821 case FFS_ENDPOINT: 2822 /* 2823 * USB_DT_ENDPOINT are handled in 2824 * __ffs_func_bind_do_descs(). 2825 */ 2826 if (desc->bDescriptorType == USB_DT_ENDPOINT) 2827 return 0; 2828 2829 idx = (*valuep & USB_ENDPOINT_NUMBER_MASK) - 1; 2830 if (unlikely(!func->eps[idx].ep)) 2831 return -EINVAL; 2832 2833 { 2834 struct usb_endpoint_descriptor **descs; 2835 descs = func->eps[idx].descs; 2836 newValue = descs[descs[0] ? 0 : 1]->bEndpointAddress; 2837 } 2838 break; 2839 } 2840 2841 pr_vdebug("%02x -> %02x\n", *valuep, newValue); 2842 *valuep = newValue; 2843 return 0; 2844 } 2845 2846 static int __ffs_func_bind_do_os_desc(enum ffs_os_desc_type type, 2847 struct usb_os_desc_header *h, void *data, 2848 unsigned len, void *priv) 2849 { 2850 struct ffs_function *func = priv; 2851 u8 length = 0; 2852 2853 switch (type) { 2854 case FFS_OS_DESC_EXT_COMPAT: { 2855 struct usb_ext_compat_desc *desc = data; 2856 struct usb_os_desc_table *t; 2857 2858 t = &func->function.os_desc_table[desc->bFirstInterfaceNumber]; 2859 t->if_id = func->interfaces_nums[desc->bFirstInterfaceNumber]; 2860 memcpy(t->os_desc->ext_compat_id, &desc->CompatibleID, 2861 ARRAY_SIZE(desc->CompatibleID) + 2862 ARRAY_SIZE(desc->SubCompatibleID)); 2863 length = sizeof(*desc); 2864 } 2865 break; 2866 case FFS_OS_DESC_EXT_PROP: { 2867 struct usb_ext_prop_desc *desc = data; 2868 struct usb_os_desc_table *t; 2869 struct usb_os_desc_ext_prop *ext_prop; 2870 char *ext_prop_name; 2871 char *ext_prop_data; 2872 2873 t = &func->function.os_desc_table[h->interface]; 2874 t->if_id = func->interfaces_nums[h->interface]; 2875 2876 ext_prop = func->ffs->ms_os_descs_ext_prop_avail; 2877 func->ffs->ms_os_descs_ext_prop_avail += sizeof(*ext_prop); 2878 2879 ext_prop->type = le32_to_cpu(desc->dwPropertyDataType); 2880 ext_prop->name_len = le16_to_cpu(desc->wPropertyNameLength); 2881 ext_prop->data_len = le32_to_cpu(*(u32 *) 2882 usb_ext_prop_data_len_ptr(data, ext_prop->name_len)); 2883 length = ext_prop->name_len + ext_prop->data_len + 14; 2884 2885 ext_prop_name = func->ffs->ms_os_descs_ext_prop_name_avail; 2886 func->ffs->ms_os_descs_ext_prop_name_avail += 2887 ext_prop->name_len; 2888 2889 ext_prop_data = func->ffs->ms_os_descs_ext_prop_data_avail; 2890 func->ffs->ms_os_descs_ext_prop_data_avail += 2891 ext_prop->data_len; 2892 memcpy(ext_prop_data, 2893 usb_ext_prop_data_ptr(data, ext_prop->name_len), 2894 ext_prop->data_len); 2895 /* unicode data reported to the host as "WCHAR"s */ 2896 switch (ext_prop->type) { 2897 case USB_EXT_PROP_UNICODE: 2898 case USB_EXT_PROP_UNICODE_ENV: 2899 case USB_EXT_PROP_UNICODE_LINK: 2900 case USB_EXT_PROP_UNICODE_MULTI: 2901 ext_prop->data_len *= 2; 2902 break; 2903 } 2904 ext_prop->data = ext_prop_data; 2905 2906 memcpy(ext_prop_name, usb_ext_prop_name_ptr(data), 2907 ext_prop->name_len); 2908 /* property name reported to the host as "WCHAR"s */ 2909 ext_prop->name_len *= 2; 2910 ext_prop->name = ext_prop_name; 2911 2912 t->os_desc->ext_prop_len += 2913 ext_prop->name_len + ext_prop->data_len + 14; 2914 ++t->os_desc->ext_prop_count; 2915 list_add_tail(&ext_prop->entry, &t->os_desc->ext_prop); 2916 } 2917 break; 2918 default: 2919 pr_vdebug("unknown descriptor: %d\n", type); 2920 } 2921 2922 return length; 2923 } 2924 2925 static inline struct f_fs_opts *ffs_do_functionfs_bind(struct usb_function *f, 2926 struct usb_configuration *c) 2927 { 2928 struct ffs_function *func = ffs_func_from_usb(f); 2929 struct f_fs_opts *ffs_opts = 2930 container_of(f->fi, struct f_fs_opts, func_inst); 2931 int ret; 2932 2933 ENTER(); 2934 2935 /* 2936 * Legacy gadget triggers binding in functionfs_ready_callback, 2937 * which already uses locking; taking the same lock here would 2938 * cause a deadlock. 2939 * 2940 * Configfs-enabled gadgets however do need ffs_dev_lock. 2941 */ 2942 if (!ffs_opts->no_configfs) 2943 ffs_dev_lock(); 2944 ret = ffs_opts->dev->desc_ready ? 0 : -ENODEV; 2945 func->ffs = ffs_opts->dev->ffs_data; 2946 if (!ffs_opts->no_configfs) 2947 ffs_dev_unlock(); 2948 if (ret) 2949 return ERR_PTR(ret); 2950 2951 func->conf = c; 2952 func->gadget = c->cdev->gadget; 2953 2954 /* 2955 * in drivers/usb/gadget/configfs.c:configfs_composite_bind() 2956 * configurations are bound in sequence with list_for_each_entry, 2957 * in each configuration its functions are bound in sequence 2958 * with list_for_each_entry, so we assume no race condition 2959 * with regard to ffs_opts->bound access 2960 */ 2961 if (!ffs_opts->refcnt) { 2962 ret = functionfs_bind(func->ffs, c->cdev); 2963 if (ret) 2964 return ERR_PTR(ret); 2965 } 2966 ffs_opts->refcnt++; 2967 func->function.strings = func->ffs->stringtabs; 2968 2969 return ffs_opts; 2970 } 2971 2972 static int _ffs_func_bind(struct usb_configuration *c, 2973 struct usb_function *f) 2974 { 2975 struct ffs_function *func = ffs_func_from_usb(f); 2976 struct ffs_data *ffs = func->ffs; 2977 2978 const int full = !!func->ffs->fs_descs_count; 2979 const int high = gadget_is_dualspeed(func->gadget) && 2980 func->ffs->hs_descs_count; 2981 const int super = gadget_is_superspeed(func->gadget) && 2982 func->ffs->ss_descs_count; 2983 2984 int fs_len, hs_len, ss_len, ret, i; 2985 struct ffs_ep *eps_ptr; 2986 2987 /* Make it a single chunk, less management later on */ 2988 vla_group(d); 2989 vla_item_with_sz(d, struct ffs_ep, eps, ffs->eps_count); 2990 vla_item_with_sz(d, struct usb_descriptor_header *, fs_descs, 2991 full ? ffs->fs_descs_count + 1 : 0); 2992 vla_item_with_sz(d, struct usb_descriptor_header *, hs_descs, 2993 high ? ffs->hs_descs_count + 1 : 0); 2994 vla_item_with_sz(d, struct usb_descriptor_header *, ss_descs, 2995 super ? ffs->ss_descs_count + 1 : 0); 2996 vla_item_with_sz(d, short, inums, ffs->interfaces_count); 2997 vla_item_with_sz(d, struct usb_os_desc_table, os_desc_table, 2998 c->cdev->use_os_string ? ffs->interfaces_count : 0); 2999 vla_item_with_sz(d, char[16], ext_compat, 3000 c->cdev->use_os_string ? ffs->interfaces_count : 0); 3001 vla_item_with_sz(d, struct usb_os_desc, os_desc, 3002 c->cdev->use_os_string ? ffs->interfaces_count : 0); 3003 vla_item_with_sz(d, struct usb_os_desc_ext_prop, ext_prop, 3004 ffs->ms_os_descs_ext_prop_count); 3005 vla_item_with_sz(d, char, ext_prop_name, 3006 ffs->ms_os_descs_ext_prop_name_len); 3007 vla_item_with_sz(d, char, ext_prop_data, 3008 ffs->ms_os_descs_ext_prop_data_len); 3009 vla_item_with_sz(d, char, raw_descs, ffs->raw_descs_length); 3010 char *vlabuf; 3011 3012 ENTER(); 3013 3014 /* Has descriptors only for speeds gadget does not support */ 3015 if (unlikely(!(full | high | super))) 3016 return -ENOTSUPP; 3017 3018 /* Allocate a single chunk, less management later on */ 3019 vlabuf = kzalloc(vla_group_size(d), GFP_KERNEL); 3020 if (unlikely(!vlabuf)) 3021 return -ENOMEM; 3022 3023 ffs->ms_os_descs_ext_prop_avail = vla_ptr(vlabuf, d, ext_prop); 3024 ffs->ms_os_descs_ext_prop_name_avail = 3025 vla_ptr(vlabuf, d, ext_prop_name); 3026 ffs->ms_os_descs_ext_prop_data_avail = 3027 vla_ptr(vlabuf, d, ext_prop_data); 3028 3029 /* Copy descriptors */ 3030 memcpy(vla_ptr(vlabuf, d, raw_descs), ffs->raw_descs, 3031 ffs->raw_descs_length); 3032 3033 memset(vla_ptr(vlabuf, d, inums), 0xff, d_inums__sz); 3034 eps_ptr = vla_ptr(vlabuf, d, eps); 3035 for (i = 0; i < ffs->eps_count; i++) 3036 eps_ptr[i].num = -1; 3037 3038 /* Save pointers 3039 * d_eps == vlabuf, func->eps used to kfree vlabuf later 3040 */ 3041 func->eps = vla_ptr(vlabuf, d, eps); 3042 func->interfaces_nums = vla_ptr(vlabuf, d, inums); 3043 3044 /* 3045 * Go through all the endpoint descriptors and allocate 3046 * endpoints first, so that later we can rewrite the endpoint 3047 * numbers without worrying that it may be described later on. 3048 */ 3049 if (likely(full)) { 3050 func->function.fs_descriptors = vla_ptr(vlabuf, d, fs_descs); 3051 fs_len = ffs_do_descs(ffs->fs_descs_count, 3052 vla_ptr(vlabuf, d, raw_descs), 3053 d_raw_descs__sz, 3054 __ffs_func_bind_do_descs, func); 3055 if (unlikely(fs_len < 0)) { 3056 ret = fs_len; 3057 goto error; 3058 } 3059 } else { 3060 fs_len = 0; 3061 } 3062 3063 if (likely(high)) { 3064 func->function.hs_descriptors = vla_ptr(vlabuf, d, hs_descs); 3065 hs_len = ffs_do_descs(ffs->hs_descs_count, 3066 vla_ptr(vlabuf, d, raw_descs) + fs_len, 3067 d_raw_descs__sz - fs_len, 3068 __ffs_func_bind_do_descs, func); 3069 if (unlikely(hs_len < 0)) { 3070 ret = hs_len; 3071 goto error; 3072 } 3073 } else { 3074 hs_len = 0; 3075 } 3076 3077 if (likely(super)) { 3078 func->function.ss_descriptors = vla_ptr(vlabuf, d, ss_descs); 3079 ss_len = ffs_do_descs(ffs->ss_descs_count, 3080 vla_ptr(vlabuf, d, raw_descs) + fs_len + hs_len, 3081 d_raw_descs__sz - fs_len - hs_len, 3082 __ffs_func_bind_do_descs, func); 3083 if (unlikely(ss_len < 0)) { 3084 ret = ss_len; 3085 goto error; 3086 } 3087 } else { 3088 ss_len = 0; 3089 } 3090 3091 /* 3092 * Now handle interface numbers allocation and interface and 3093 * endpoint numbers rewriting. We can do that in one go 3094 * now. 3095 */ 3096 ret = ffs_do_descs(ffs->fs_descs_count + 3097 (high ? ffs->hs_descs_count : 0) + 3098 (super ? ffs->ss_descs_count : 0), 3099 vla_ptr(vlabuf, d, raw_descs), d_raw_descs__sz, 3100 __ffs_func_bind_do_nums, func); 3101 if (unlikely(ret < 0)) 3102 goto error; 3103 3104 func->function.os_desc_table = vla_ptr(vlabuf, d, os_desc_table); 3105 if (c->cdev->use_os_string) { 3106 for (i = 0; i < ffs->interfaces_count; ++i) { 3107 struct usb_os_desc *desc; 3108 3109 desc = func->function.os_desc_table[i].os_desc = 3110 vla_ptr(vlabuf, d, os_desc) + 3111 i * sizeof(struct usb_os_desc); 3112 desc->ext_compat_id = 3113 vla_ptr(vlabuf, d, ext_compat) + i * 16; 3114 INIT_LIST_HEAD(&desc->ext_prop); 3115 } 3116 ret = ffs_do_os_descs(ffs->ms_os_descs_count, 3117 vla_ptr(vlabuf, d, raw_descs) + 3118 fs_len + hs_len + ss_len, 3119 d_raw_descs__sz - fs_len - hs_len - 3120 ss_len, 3121 __ffs_func_bind_do_os_desc, func); 3122 if (unlikely(ret < 0)) 3123 goto error; 3124 } 3125 func->function.os_desc_n = 3126 c->cdev->use_os_string ? ffs->interfaces_count : 0; 3127 3128 /* And we're done */ 3129 ffs_event_add(ffs, FUNCTIONFS_BIND); 3130 return 0; 3131 3132 error: 3133 /* XXX Do we need to release all claimed endpoints here? */ 3134 return ret; 3135 } 3136 3137 static int ffs_func_bind(struct usb_configuration *c, 3138 struct usb_function *f) 3139 { 3140 struct f_fs_opts *ffs_opts = ffs_do_functionfs_bind(f, c); 3141 struct ffs_function *func = ffs_func_from_usb(f); 3142 int ret; 3143 3144 if (IS_ERR(ffs_opts)) 3145 return PTR_ERR(ffs_opts); 3146 3147 ret = _ffs_func_bind(c, f); 3148 if (ret && !--ffs_opts->refcnt) 3149 functionfs_unbind(func->ffs); 3150 3151 return ret; 3152 } 3153 3154 3155 /* Other USB function hooks *************************************************/ 3156 3157 static void ffs_reset_work(struct work_struct *work) 3158 { 3159 struct ffs_data *ffs = container_of(work, 3160 struct ffs_data, reset_work); 3161 ffs_data_reset(ffs); 3162 } 3163 3164 static int ffs_func_set_alt(struct usb_function *f, 3165 unsigned interface, unsigned alt) 3166 { 3167 struct ffs_function *func = ffs_func_from_usb(f); 3168 struct ffs_data *ffs = func->ffs; 3169 int ret = 0, intf; 3170 3171 if (alt != (unsigned)-1) { 3172 intf = ffs_func_revmap_intf(func, interface); 3173 if (unlikely(intf < 0)) 3174 return intf; 3175 } 3176 3177 if (ffs->func) 3178 ffs_func_eps_disable(ffs->func); 3179 3180 if (ffs->state == FFS_DEACTIVATED) { 3181 ffs->state = FFS_CLOSING; 3182 INIT_WORK(&ffs->reset_work, ffs_reset_work); 3183 schedule_work(&ffs->reset_work); 3184 return -ENODEV; 3185 } 3186 3187 if (ffs->state != FFS_ACTIVE) 3188 return -ENODEV; 3189 3190 if (alt == (unsigned)-1) { 3191 ffs->func = NULL; 3192 ffs_event_add(ffs, FUNCTIONFS_DISABLE); 3193 return 0; 3194 } 3195 3196 ffs->func = func; 3197 ret = ffs_func_eps_enable(func); 3198 if (likely(ret >= 0)) 3199 ffs_event_add(ffs, FUNCTIONFS_ENABLE); 3200 return ret; 3201 } 3202 3203 static void ffs_func_disable(struct usb_function *f) 3204 { 3205 ffs_func_set_alt(f, 0, (unsigned)-1); 3206 } 3207 3208 static int ffs_func_setup(struct usb_function *f, 3209 const struct usb_ctrlrequest *creq) 3210 { 3211 struct ffs_function *func = ffs_func_from_usb(f); 3212 struct ffs_data *ffs = func->ffs; 3213 unsigned long flags; 3214 int ret; 3215 3216 ENTER(); 3217 3218 pr_vdebug("creq->bRequestType = %02x\n", creq->bRequestType); 3219 pr_vdebug("creq->bRequest = %02x\n", creq->bRequest); 3220 pr_vdebug("creq->wValue = %04x\n", le16_to_cpu(creq->wValue)); 3221 pr_vdebug("creq->wIndex = %04x\n", le16_to_cpu(creq->wIndex)); 3222 pr_vdebug("creq->wLength = %04x\n", le16_to_cpu(creq->wLength)); 3223 3224 /* 3225 * Most requests directed to interface go through here 3226 * (notable exceptions are set/get interface) so we need to 3227 * handle them. All other either handled by composite or 3228 * passed to usb_configuration->setup() (if one is set). No 3229 * matter, we will handle requests directed to endpoint here 3230 * as well (as it's straightforward). Other request recipient 3231 * types are only handled when the user flag FUNCTIONFS_ALL_CTRL_RECIP 3232 * is being used. 3233 */ 3234 if (ffs->state != FFS_ACTIVE) 3235 return -ENODEV; 3236 3237 switch (creq->bRequestType & USB_RECIP_MASK) { 3238 case USB_RECIP_INTERFACE: 3239 ret = ffs_func_revmap_intf(func, le16_to_cpu(creq->wIndex)); 3240 if (unlikely(ret < 0)) 3241 return ret; 3242 break; 3243 3244 case USB_RECIP_ENDPOINT: 3245 ret = ffs_func_revmap_ep(func, le16_to_cpu(creq->wIndex)); 3246 if (unlikely(ret < 0)) 3247 return ret; 3248 if (func->ffs->user_flags & FUNCTIONFS_VIRTUAL_ADDR) 3249 ret = func->ffs->eps_addrmap[ret]; 3250 break; 3251 3252 default: 3253 if (func->ffs->user_flags & FUNCTIONFS_ALL_CTRL_RECIP) 3254 ret = le16_to_cpu(creq->wIndex); 3255 else 3256 return -EOPNOTSUPP; 3257 } 3258 3259 spin_lock_irqsave(&ffs->ev.waitq.lock, flags); 3260 ffs->ev.setup = *creq; 3261 ffs->ev.setup.wIndex = cpu_to_le16(ret); 3262 __ffs_event_add(ffs, FUNCTIONFS_SETUP); 3263 spin_unlock_irqrestore(&ffs->ev.waitq.lock, flags); 3264 3265 return 0; 3266 } 3267 3268 static bool ffs_func_req_match(struct usb_function *f, 3269 const struct usb_ctrlrequest *creq, 3270 bool config0) 3271 { 3272 struct ffs_function *func = ffs_func_from_usb(f); 3273 3274 if (config0 && !(func->ffs->user_flags & FUNCTIONFS_CONFIG0_SETUP)) 3275 return false; 3276 3277 switch (creq->bRequestType & USB_RECIP_MASK) { 3278 case USB_RECIP_INTERFACE: 3279 return (ffs_func_revmap_intf(func, 3280 le16_to_cpu(creq->wIndex)) >= 0); 3281 case USB_RECIP_ENDPOINT: 3282 return (ffs_func_revmap_ep(func, 3283 le16_to_cpu(creq->wIndex)) >= 0); 3284 default: 3285 return (bool) (func->ffs->user_flags & 3286 FUNCTIONFS_ALL_CTRL_RECIP); 3287 } 3288 } 3289 3290 static void ffs_func_suspend(struct usb_function *f) 3291 { 3292 ENTER(); 3293 ffs_event_add(ffs_func_from_usb(f)->ffs, FUNCTIONFS_SUSPEND); 3294 } 3295 3296 static void ffs_func_resume(struct usb_function *f) 3297 { 3298 ENTER(); 3299 ffs_event_add(ffs_func_from_usb(f)->ffs, FUNCTIONFS_RESUME); 3300 } 3301 3302 3303 /* Endpoint and interface numbers reverse mapping ***************************/ 3304 3305 static int ffs_func_revmap_ep(struct ffs_function *func, u8 num) 3306 { 3307 num = func->eps_revmap[num & USB_ENDPOINT_NUMBER_MASK]; 3308 return num ? num : -EDOM; 3309 } 3310 3311 static int ffs_func_revmap_intf(struct ffs_function *func, u8 intf) 3312 { 3313 short *nums = func->interfaces_nums; 3314 unsigned count = func->ffs->interfaces_count; 3315 3316 for (; count; --count, ++nums) { 3317 if (*nums >= 0 && *nums == intf) 3318 return nums - func->interfaces_nums; 3319 } 3320 3321 return -EDOM; 3322 } 3323 3324 3325 /* Devices management *******************************************************/ 3326 3327 static LIST_HEAD(ffs_devices); 3328 3329 static struct ffs_dev *_ffs_do_find_dev(const char *name) 3330 { 3331 struct ffs_dev *dev; 3332 3333 if (!name) 3334 return NULL; 3335 3336 list_for_each_entry(dev, &ffs_devices, entry) { 3337 if (strcmp(dev->name, name) == 0) 3338 return dev; 3339 } 3340 3341 return NULL; 3342 } 3343 3344 /* 3345 * ffs_lock must be taken by the caller of this function 3346 */ 3347 static struct ffs_dev *_ffs_get_single_dev(void) 3348 { 3349 struct ffs_dev *dev; 3350 3351 if (list_is_singular(&ffs_devices)) { 3352 dev = list_first_entry(&ffs_devices, struct ffs_dev, entry); 3353 if (dev->single) 3354 return dev; 3355 } 3356 3357 return NULL; 3358 } 3359 3360 /* 3361 * ffs_lock must be taken by the caller of this function 3362 */ 3363 static struct ffs_dev *_ffs_find_dev(const char *name) 3364 { 3365 struct ffs_dev *dev; 3366 3367 dev = _ffs_get_single_dev(); 3368 if (dev) 3369 return dev; 3370 3371 return _ffs_do_find_dev(name); 3372 } 3373 3374 /* Configfs support *********************************************************/ 3375 3376 static inline struct f_fs_opts *to_ffs_opts(struct config_item *item) 3377 { 3378 return container_of(to_config_group(item), struct f_fs_opts, 3379 func_inst.group); 3380 } 3381 3382 static void ffs_attr_release(struct config_item *item) 3383 { 3384 struct f_fs_opts *opts = to_ffs_opts(item); 3385 3386 usb_put_function_instance(&opts->func_inst); 3387 } 3388 3389 static struct configfs_item_operations ffs_item_ops = { 3390 .release = ffs_attr_release, 3391 }; 3392 3393 static const struct config_item_type ffs_func_type = { 3394 .ct_item_ops = &ffs_item_ops, 3395 .ct_owner = THIS_MODULE, 3396 }; 3397 3398 3399 /* Function registration interface ******************************************/ 3400 3401 static void ffs_free_inst(struct usb_function_instance *f) 3402 { 3403 struct f_fs_opts *opts; 3404 3405 opts = to_f_fs_opts(f); 3406 ffs_dev_lock(); 3407 _ffs_free_dev(opts->dev); 3408 ffs_dev_unlock(); 3409 kfree(opts); 3410 } 3411 3412 static int ffs_set_inst_name(struct usb_function_instance *fi, const char *name) 3413 { 3414 if (strlen(name) >= FIELD_SIZEOF(struct ffs_dev, name)) 3415 return -ENAMETOOLONG; 3416 return ffs_name_dev(to_f_fs_opts(fi)->dev, name); 3417 } 3418 3419 static struct usb_function_instance *ffs_alloc_inst(void) 3420 { 3421 struct f_fs_opts *opts; 3422 struct ffs_dev *dev; 3423 3424 opts = kzalloc(sizeof(*opts), GFP_KERNEL); 3425 if (!opts) 3426 return ERR_PTR(-ENOMEM); 3427 3428 opts->func_inst.set_inst_name = ffs_set_inst_name; 3429 opts->func_inst.free_func_inst = ffs_free_inst; 3430 ffs_dev_lock(); 3431 dev = _ffs_alloc_dev(); 3432 ffs_dev_unlock(); 3433 if (IS_ERR(dev)) { 3434 kfree(opts); 3435 return ERR_CAST(dev); 3436 } 3437 opts->dev = dev; 3438 dev->opts = opts; 3439 3440 config_group_init_type_name(&opts->func_inst.group, "", 3441 &ffs_func_type); 3442 return &opts->func_inst; 3443 } 3444 3445 static void ffs_free(struct usb_function *f) 3446 { 3447 kfree(ffs_func_from_usb(f)); 3448 } 3449 3450 static void ffs_func_unbind(struct usb_configuration *c, 3451 struct usb_function *f) 3452 { 3453 struct ffs_function *func = ffs_func_from_usb(f); 3454 struct ffs_data *ffs = func->ffs; 3455 struct f_fs_opts *opts = 3456 container_of(f->fi, struct f_fs_opts, func_inst); 3457 struct ffs_ep *ep = func->eps; 3458 unsigned count = ffs->eps_count; 3459 unsigned long flags; 3460 3461 ENTER(); 3462 if (ffs->func == func) { 3463 ffs_func_eps_disable(func); 3464 ffs->func = NULL; 3465 } 3466 3467 if (!--opts->refcnt) 3468 functionfs_unbind(ffs); 3469 3470 /* cleanup after autoconfig */ 3471 spin_lock_irqsave(&func->ffs->eps_lock, flags); 3472 while (count--) { 3473 if (ep->ep && ep->req) 3474 usb_ep_free_request(ep->ep, ep->req); 3475 ep->req = NULL; 3476 ++ep; 3477 } 3478 spin_unlock_irqrestore(&func->ffs->eps_lock, flags); 3479 kfree(func->eps); 3480 func->eps = NULL; 3481 /* 3482 * eps, descriptors and interfaces_nums are allocated in the 3483 * same chunk so only one free is required. 3484 */ 3485 func->function.fs_descriptors = NULL; 3486 func->function.hs_descriptors = NULL; 3487 func->function.ss_descriptors = NULL; 3488 func->interfaces_nums = NULL; 3489 3490 ffs_event_add(ffs, FUNCTIONFS_UNBIND); 3491 } 3492 3493 static struct usb_function *ffs_alloc(struct usb_function_instance *fi) 3494 { 3495 struct ffs_function *func; 3496 3497 ENTER(); 3498 3499 func = kzalloc(sizeof(*func), GFP_KERNEL); 3500 if (unlikely(!func)) 3501 return ERR_PTR(-ENOMEM); 3502 3503 func->function.name = "Function FS Gadget"; 3504 3505 func->function.bind = ffs_func_bind; 3506 func->function.unbind = ffs_func_unbind; 3507 func->function.set_alt = ffs_func_set_alt; 3508 func->function.disable = ffs_func_disable; 3509 func->function.setup = ffs_func_setup; 3510 func->function.req_match = ffs_func_req_match; 3511 func->function.suspend = ffs_func_suspend; 3512 func->function.resume = ffs_func_resume; 3513 func->function.free_func = ffs_free; 3514 3515 return &func->function; 3516 } 3517 3518 /* 3519 * ffs_lock must be taken by the caller of this function 3520 */ 3521 static struct ffs_dev *_ffs_alloc_dev(void) 3522 { 3523 struct ffs_dev *dev; 3524 int ret; 3525 3526 if (_ffs_get_single_dev()) 3527 return ERR_PTR(-EBUSY); 3528 3529 dev = kzalloc(sizeof(*dev), GFP_KERNEL); 3530 if (!dev) 3531 return ERR_PTR(-ENOMEM); 3532 3533 if (list_empty(&ffs_devices)) { 3534 ret = functionfs_init(); 3535 if (ret) { 3536 kfree(dev); 3537 return ERR_PTR(ret); 3538 } 3539 } 3540 3541 list_add(&dev->entry, &ffs_devices); 3542 3543 return dev; 3544 } 3545 3546 int ffs_name_dev(struct ffs_dev *dev, const char *name) 3547 { 3548 struct ffs_dev *existing; 3549 int ret = 0; 3550 3551 ffs_dev_lock(); 3552 3553 existing = _ffs_do_find_dev(name); 3554 if (!existing) 3555 strlcpy(dev->name, name, ARRAY_SIZE(dev->name)); 3556 else if (existing != dev) 3557 ret = -EBUSY; 3558 3559 ffs_dev_unlock(); 3560 3561 return ret; 3562 } 3563 EXPORT_SYMBOL_GPL(ffs_name_dev); 3564 3565 int ffs_single_dev(struct ffs_dev *dev) 3566 { 3567 int ret; 3568 3569 ret = 0; 3570 ffs_dev_lock(); 3571 3572 if (!list_is_singular(&ffs_devices)) 3573 ret = -EBUSY; 3574 else 3575 dev->single = true; 3576 3577 ffs_dev_unlock(); 3578 return ret; 3579 } 3580 EXPORT_SYMBOL_GPL(ffs_single_dev); 3581 3582 /* 3583 * ffs_lock must be taken by the caller of this function 3584 */ 3585 static void _ffs_free_dev(struct ffs_dev *dev) 3586 { 3587 list_del(&dev->entry); 3588 3589 /* Clear the private_data pointer to stop incorrect dev access */ 3590 if (dev->ffs_data) 3591 dev->ffs_data->private_data = NULL; 3592 3593 kfree(dev); 3594 if (list_empty(&ffs_devices)) 3595 functionfs_cleanup(); 3596 } 3597 3598 static void *ffs_acquire_dev(const char *dev_name) 3599 { 3600 struct ffs_dev *ffs_dev; 3601 3602 ENTER(); 3603 ffs_dev_lock(); 3604 3605 ffs_dev = _ffs_find_dev(dev_name); 3606 if (!ffs_dev) 3607 ffs_dev = ERR_PTR(-ENOENT); 3608 else if (ffs_dev->mounted) 3609 ffs_dev = ERR_PTR(-EBUSY); 3610 else if (ffs_dev->ffs_acquire_dev_callback && 3611 ffs_dev->ffs_acquire_dev_callback(ffs_dev)) 3612 ffs_dev = ERR_PTR(-ENOENT); 3613 else 3614 ffs_dev->mounted = true; 3615 3616 ffs_dev_unlock(); 3617 return ffs_dev; 3618 } 3619 3620 static void ffs_release_dev(struct ffs_data *ffs_data) 3621 { 3622 struct ffs_dev *ffs_dev; 3623 3624 ENTER(); 3625 ffs_dev_lock(); 3626 3627 ffs_dev = ffs_data->private_data; 3628 if (ffs_dev) { 3629 ffs_dev->mounted = false; 3630 3631 if (ffs_dev->ffs_release_dev_callback) 3632 ffs_dev->ffs_release_dev_callback(ffs_dev); 3633 } 3634 3635 ffs_dev_unlock(); 3636 } 3637 3638 static int ffs_ready(struct ffs_data *ffs) 3639 { 3640 struct ffs_dev *ffs_obj; 3641 int ret = 0; 3642 3643 ENTER(); 3644 ffs_dev_lock(); 3645 3646 ffs_obj = ffs->private_data; 3647 if (!ffs_obj) { 3648 ret = -EINVAL; 3649 goto done; 3650 } 3651 if (WARN_ON(ffs_obj->desc_ready)) { 3652 ret = -EBUSY; 3653 goto done; 3654 } 3655 3656 ffs_obj->desc_ready = true; 3657 ffs_obj->ffs_data = ffs; 3658 3659 if (ffs_obj->ffs_ready_callback) { 3660 ret = ffs_obj->ffs_ready_callback(ffs); 3661 if (ret) 3662 goto done; 3663 } 3664 3665 set_bit(FFS_FL_CALL_CLOSED_CALLBACK, &ffs->flags); 3666 done: 3667 ffs_dev_unlock(); 3668 return ret; 3669 } 3670 3671 static void ffs_closed(struct ffs_data *ffs) 3672 { 3673 struct ffs_dev *ffs_obj; 3674 struct f_fs_opts *opts; 3675 struct config_item *ci; 3676 3677 ENTER(); 3678 ffs_dev_lock(); 3679 3680 ffs_obj = ffs->private_data; 3681 if (!ffs_obj) 3682 goto done; 3683 3684 ffs_obj->desc_ready = false; 3685 ffs_obj->ffs_data = NULL; 3686 3687 if (test_and_clear_bit(FFS_FL_CALL_CLOSED_CALLBACK, &ffs->flags) && 3688 ffs_obj->ffs_closed_callback) 3689 ffs_obj->ffs_closed_callback(ffs); 3690 3691 if (ffs_obj->opts) 3692 opts = ffs_obj->opts; 3693 else 3694 goto done; 3695 3696 if (opts->no_configfs || !opts->func_inst.group.cg_item.ci_parent 3697 || !kref_read(&opts->func_inst.group.cg_item.ci_kref)) 3698 goto done; 3699 3700 ci = opts->func_inst.group.cg_item.ci_parent->ci_parent; 3701 ffs_dev_unlock(); 3702 3703 unregister_gadget_item(ci); 3704 return; 3705 done: 3706 ffs_dev_unlock(); 3707 } 3708 3709 /* Misc helper functions ****************************************************/ 3710 3711 static int ffs_mutex_lock(struct mutex *mutex, unsigned nonblock) 3712 { 3713 return nonblock 3714 ? likely(mutex_trylock(mutex)) ? 0 : -EAGAIN 3715 : mutex_lock_interruptible(mutex); 3716 } 3717 3718 static char *ffs_prepare_buffer(const char __user *buf, size_t len) 3719 { 3720 char *data; 3721 3722 if (unlikely(!len)) 3723 return NULL; 3724 3725 data = kmalloc(len, GFP_KERNEL); 3726 if (unlikely(!data)) 3727 return ERR_PTR(-ENOMEM); 3728 3729 if (unlikely(copy_from_user(data, buf, len))) { 3730 kfree(data); 3731 return ERR_PTR(-EFAULT); 3732 } 3733 3734 pr_vdebug("Buffer from user space:\n"); 3735 ffs_dump_mem("", data, len); 3736 3737 return data; 3738 } 3739 3740 DECLARE_USB_FUNCTION_INIT(ffs, ffs_alloc_inst, ffs_alloc); 3741 MODULE_LICENSE("GPL"); 3742 MODULE_AUTHOR("Michal Nazarewicz"); 3743