1 /* 2 * inode.c -- user mode filesystem api for usb gadget controllers 3 * 4 * Copyright (C) 2003-2004 David Brownell 5 * Copyright (C) 2003 Agilent Technologies 6 * 7 * This program is free software; you can redistribute it and/or modify 8 * it under the terms of the GNU General Public License as published by 9 * the Free Software Foundation; either version 2 of the License, or 10 * (at your option) any later version. 11 */ 12 13 14 /* #define VERBOSE_DEBUG */ 15 16 #include <linux/init.h> 17 #include <linux/module.h> 18 #include <linux/fs.h> 19 #include <linux/pagemap.h> 20 #include <linux/uts.h> 21 #include <linux/wait.h> 22 #include <linux/compiler.h> 23 #include <asm/uaccess.h> 24 #include <linux/sched.h> 25 #include <linux/slab.h> 26 #include <linux/poll.h> 27 #include <linux/mmu_context.h> 28 #include <linux/aio.h> 29 #include <linux/uio.h> 30 31 #include <linux/device.h> 32 #include <linux/moduleparam.h> 33 34 #include <linux/usb/gadgetfs.h> 35 #include <linux/usb/gadget.h> 36 37 38 /* 39 * The gadgetfs API maps each endpoint to a file descriptor so that you 40 * can use standard synchronous read/write calls for I/O. There's some 41 * O_NONBLOCK and O_ASYNC/FASYNC style i/o support. Example usermode 42 * drivers show how this works in practice. You can also use AIO to 43 * eliminate I/O gaps between requests, to help when streaming data. 44 * 45 * Key parts that must be USB-specific are protocols defining how the 46 * read/write operations relate to the hardware state machines. There 47 * are two types of files. One type is for the device, implementing ep0. 48 * The other type is for each IN or OUT endpoint. In both cases, the 49 * user mode driver must configure the hardware before using it. 50 * 51 * - First, dev_config() is called when /dev/gadget/$CHIP is configured 52 * (by writing configuration and device descriptors). Afterwards it 53 * may serve as a source of device events, used to handle all control 54 * requests other than basic enumeration. 55 * 56 * - Then, after a SET_CONFIGURATION control request, ep_config() is 57 * called when each /dev/gadget/ep* file is configured (by writing 58 * endpoint descriptors). Afterwards these files are used to write() 59 * IN data or to read() OUT data. To halt the endpoint, a "wrong 60 * direction" request is issued (like reading an IN endpoint). 61 * 62 * Unlike "usbfs" the only ioctl()s are for things that are rare, and maybe 63 * not possible on all hardware. For example, precise fault handling with 64 * respect to data left in endpoint fifos after aborted operations; or 65 * selective clearing of endpoint halts, to implement SET_INTERFACE. 66 */ 67 68 #define DRIVER_DESC "USB Gadget filesystem" 69 #define DRIVER_VERSION "24 Aug 2004" 70 71 static const char driver_desc [] = DRIVER_DESC; 72 static const char shortname [] = "gadgetfs"; 73 74 MODULE_DESCRIPTION (DRIVER_DESC); 75 MODULE_AUTHOR ("David Brownell"); 76 MODULE_LICENSE ("GPL"); 77 78 static int ep_open(struct inode *, struct file *); 79 80 81 /*----------------------------------------------------------------------*/ 82 83 #define GADGETFS_MAGIC 0xaee71ee7 84 85 /* /dev/gadget/$CHIP represents ep0 and the whole device */ 86 enum ep0_state { 87 /* DISBLED is the initial state. 88 */ 89 STATE_DEV_DISABLED = 0, 90 91 /* Only one open() of /dev/gadget/$CHIP; only one file tracks 92 * ep0/device i/o modes and binding to the controller. Driver 93 * must always write descriptors to initialize the device, then 94 * the device becomes UNCONNECTED until enumeration. 95 */ 96 STATE_DEV_OPENED, 97 98 /* From then on, ep0 fd is in either of two basic modes: 99 * - (UN)CONNECTED: read usb_gadgetfs_event(s) from it 100 * - SETUP: read/write will transfer control data and succeed; 101 * or if "wrong direction", performs protocol stall 102 */ 103 STATE_DEV_UNCONNECTED, 104 STATE_DEV_CONNECTED, 105 STATE_DEV_SETUP, 106 107 /* UNBOUND means the driver closed ep0, so the device won't be 108 * accessible again (DEV_DISABLED) until all fds are closed. 109 */ 110 STATE_DEV_UNBOUND, 111 }; 112 113 /* enough for the whole queue: most events invalidate others */ 114 #define N_EVENT 5 115 116 struct dev_data { 117 spinlock_t lock; 118 atomic_t count; 119 enum ep0_state state; /* P: lock */ 120 struct usb_gadgetfs_event event [N_EVENT]; 121 unsigned ev_next; 122 struct fasync_struct *fasync; 123 u8 current_config; 124 125 /* drivers reading ep0 MUST handle control requests (SETUP) 126 * reported that way; else the host will time out. 127 */ 128 unsigned usermode_setup : 1, 129 setup_in : 1, 130 setup_can_stall : 1, 131 setup_out_ready : 1, 132 setup_out_error : 1, 133 setup_abort : 1; 134 unsigned setup_wLength; 135 136 /* the rest is basically write-once */ 137 struct usb_config_descriptor *config, *hs_config; 138 struct usb_device_descriptor *dev; 139 struct usb_request *req; 140 struct usb_gadget *gadget; 141 struct list_head epfiles; 142 void *buf; 143 wait_queue_head_t wait; 144 struct super_block *sb; 145 struct dentry *dentry; 146 147 /* except this scratch i/o buffer for ep0 */ 148 u8 rbuf [256]; 149 }; 150 151 static inline void get_dev (struct dev_data *data) 152 { 153 atomic_inc (&data->count); 154 } 155 156 static void put_dev (struct dev_data *data) 157 { 158 if (likely (!atomic_dec_and_test (&data->count))) 159 return; 160 /* needs no more cleanup */ 161 BUG_ON (waitqueue_active (&data->wait)); 162 kfree (data); 163 } 164 165 static struct dev_data *dev_new (void) 166 { 167 struct dev_data *dev; 168 169 dev = kzalloc(sizeof(*dev), GFP_KERNEL); 170 if (!dev) 171 return NULL; 172 dev->state = STATE_DEV_DISABLED; 173 atomic_set (&dev->count, 1); 174 spin_lock_init (&dev->lock); 175 INIT_LIST_HEAD (&dev->epfiles); 176 init_waitqueue_head (&dev->wait); 177 return dev; 178 } 179 180 /*----------------------------------------------------------------------*/ 181 182 /* other /dev/gadget/$ENDPOINT files represent endpoints */ 183 enum ep_state { 184 STATE_EP_DISABLED = 0, 185 STATE_EP_READY, 186 STATE_EP_ENABLED, 187 STATE_EP_UNBOUND, 188 }; 189 190 struct ep_data { 191 struct mutex lock; 192 enum ep_state state; 193 atomic_t count; 194 struct dev_data *dev; 195 /* must hold dev->lock before accessing ep or req */ 196 struct usb_ep *ep; 197 struct usb_request *req; 198 ssize_t status; 199 char name [16]; 200 struct usb_endpoint_descriptor desc, hs_desc; 201 struct list_head epfiles; 202 wait_queue_head_t wait; 203 struct dentry *dentry; 204 }; 205 206 static inline void get_ep (struct ep_data *data) 207 { 208 atomic_inc (&data->count); 209 } 210 211 static void put_ep (struct ep_data *data) 212 { 213 if (likely (!atomic_dec_and_test (&data->count))) 214 return; 215 put_dev (data->dev); 216 /* needs no more cleanup */ 217 BUG_ON (!list_empty (&data->epfiles)); 218 BUG_ON (waitqueue_active (&data->wait)); 219 kfree (data); 220 } 221 222 /*----------------------------------------------------------------------*/ 223 224 /* most "how to use the hardware" policy choices are in userspace: 225 * mapping endpoint roles (which the driver needs) to the capabilities 226 * which the usb controller has. most of those capabilities are exposed 227 * implicitly, starting with the driver name and then endpoint names. 228 */ 229 230 static const char *CHIP; 231 232 /*----------------------------------------------------------------------*/ 233 234 /* NOTE: don't use dev_printk calls before binding to the gadget 235 * at the end of ep0 configuration, or after unbind. 236 */ 237 238 /* too wordy: dev_printk(level , &(d)->gadget->dev , fmt , ## args) */ 239 #define xprintk(d,level,fmt,args...) \ 240 printk(level "%s: " fmt , shortname , ## args) 241 242 #ifdef DEBUG 243 #define DBG(dev,fmt,args...) \ 244 xprintk(dev , KERN_DEBUG , fmt , ## args) 245 #else 246 #define DBG(dev,fmt,args...) \ 247 do { } while (0) 248 #endif /* DEBUG */ 249 250 #ifdef VERBOSE_DEBUG 251 #define VDEBUG DBG 252 #else 253 #define VDEBUG(dev,fmt,args...) \ 254 do { } while (0) 255 #endif /* DEBUG */ 256 257 #define ERROR(dev,fmt,args...) \ 258 xprintk(dev , KERN_ERR , fmt , ## args) 259 #define INFO(dev,fmt,args...) \ 260 xprintk(dev , KERN_INFO , fmt , ## args) 261 262 263 /*----------------------------------------------------------------------*/ 264 265 /* SYNCHRONOUS ENDPOINT OPERATIONS (bulk/intr/iso) 266 * 267 * After opening, configure non-control endpoints. Then use normal 268 * stream read() and write() requests; and maybe ioctl() to get more 269 * precise FIFO status when recovering from cancellation. 270 */ 271 272 static void epio_complete (struct usb_ep *ep, struct usb_request *req) 273 { 274 struct ep_data *epdata = ep->driver_data; 275 276 if (!req->context) 277 return; 278 if (req->status) 279 epdata->status = req->status; 280 else 281 epdata->status = req->actual; 282 complete ((struct completion *)req->context); 283 } 284 285 /* tasklock endpoint, returning when it's connected. 286 * still need dev->lock to use epdata->ep. 287 */ 288 static int 289 get_ready_ep (unsigned f_flags, struct ep_data *epdata, bool is_write) 290 { 291 int val; 292 293 if (f_flags & O_NONBLOCK) { 294 if (!mutex_trylock(&epdata->lock)) 295 goto nonblock; 296 if (epdata->state != STATE_EP_ENABLED && 297 (!is_write || epdata->state != STATE_EP_READY)) { 298 mutex_unlock(&epdata->lock); 299 nonblock: 300 val = -EAGAIN; 301 } else 302 val = 0; 303 return val; 304 } 305 306 val = mutex_lock_interruptible(&epdata->lock); 307 if (val < 0) 308 return val; 309 310 switch (epdata->state) { 311 case STATE_EP_ENABLED: 312 return 0; 313 case STATE_EP_READY: /* not configured yet */ 314 if (is_write) 315 return 0; 316 // FALLTHRU 317 case STATE_EP_UNBOUND: /* clean disconnect */ 318 break; 319 // case STATE_EP_DISABLED: /* "can't happen" */ 320 default: /* error! */ 321 pr_debug ("%s: ep %p not available, state %d\n", 322 shortname, epdata, epdata->state); 323 } 324 mutex_unlock(&epdata->lock); 325 return -ENODEV; 326 } 327 328 static ssize_t 329 ep_io (struct ep_data *epdata, void *buf, unsigned len) 330 { 331 DECLARE_COMPLETION_ONSTACK (done); 332 int value; 333 334 spin_lock_irq (&epdata->dev->lock); 335 if (likely (epdata->ep != NULL)) { 336 struct usb_request *req = epdata->req; 337 338 req->context = &done; 339 req->complete = epio_complete; 340 req->buf = buf; 341 req->length = len; 342 value = usb_ep_queue (epdata->ep, req, GFP_ATOMIC); 343 } else 344 value = -ENODEV; 345 spin_unlock_irq (&epdata->dev->lock); 346 347 if (likely (value == 0)) { 348 value = wait_event_interruptible (done.wait, done.done); 349 if (value != 0) { 350 spin_lock_irq (&epdata->dev->lock); 351 if (likely (epdata->ep != NULL)) { 352 DBG (epdata->dev, "%s i/o interrupted\n", 353 epdata->name); 354 usb_ep_dequeue (epdata->ep, epdata->req); 355 spin_unlock_irq (&epdata->dev->lock); 356 357 wait_event (done.wait, done.done); 358 if (epdata->status == -ECONNRESET) 359 epdata->status = -EINTR; 360 } else { 361 spin_unlock_irq (&epdata->dev->lock); 362 363 DBG (epdata->dev, "endpoint gone\n"); 364 epdata->status = -ENODEV; 365 } 366 } 367 return epdata->status; 368 } 369 return value; 370 } 371 372 static int 373 ep_release (struct inode *inode, struct file *fd) 374 { 375 struct ep_data *data = fd->private_data; 376 int value; 377 378 value = mutex_lock_interruptible(&data->lock); 379 if (value < 0) 380 return value; 381 382 /* clean up if this can be reopened */ 383 if (data->state != STATE_EP_UNBOUND) { 384 data->state = STATE_EP_DISABLED; 385 data->desc.bDescriptorType = 0; 386 data->hs_desc.bDescriptorType = 0; 387 usb_ep_disable(data->ep); 388 } 389 mutex_unlock(&data->lock); 390 put_ep (data); 391 return 0; 392 } 393 394 static long ep_ioctl(struct file *fd, unsigned code, unsigned long value) 395 { 396 struct ep_data *data = fd->private_data; 397 int status; 398 399 if ((status = get_ready_ep (fd->f_flags, data, false)) < 0) 400 return status; 401 402 spin_lock_irq (&data->dev->lock); 403 if (likely (data->ep != NULL)) { 404 switch (code) { 405 case GADGETFS_FIFO_STATUS: 406 status = usb_ep_fifo_status (data->ep); 407 break; 408 case GADGETFS_FIFO_FLUSH: 409 usb_ep_fifo_flush (data->ep); 410 break; 411 case GADGETFS_CLEAR_HALT: 412 status = usb_ep_clear_halt (data->ep); 413 break; 414 default: 415 status = -ENOTTY; 416 } 417 } else 418 status = -ENODEV; 419 spin_unlock_irq (&data->dev->lock); 420 mutex_unlock(&data->lock); 421 return status; 422 } 423 424 /*----------------------------------------------------------------------*/ 425 426 /* ASYNCHRONOUS ENDPOINT I/O OPERATIONS (bulk/intr/iso) */ 427 428 struct kiocb_priv { 429 struct usb_request *req; 430 struct ep_data *epdata; 431 struct kiocb *iocb; 432 struct mm_struct *mm; 433 struct work_struct work; 434 void *buf; 435 struct iov_iter to; 436 const void *to_free; 437 unsigned actual; 438 }; 439 440 static int ep_aio_cancel(struct kiocb *iocb) 441 { 442 struct kiocb_priv *priv = iocb->private; 443 struct ep_data *epdata; 444 int value; 445 446 local_irq_disable(); 447 epdata = priv->epdata; 448 // spin_lock(&epdata->dev->lock); 449 if (likely(epdata && epdata->ep && priv->req)) 450 value = usb_ep_dequeue (epdata->ep, priv->req); 451 else 452 value = -EINVAL; 453 // spin_unlock(&epdata->dev->lock); 454 local_irq_enable(); 455 456 return value; 457 } 458 459 static void ep_user_copy_worker(struct work_struct *work) 460 { 461 struct kiocb_priv *priv = container_of(work, struct kiocb_priv, work); 462 struct mm_struct *mm = priv->mm; 463 struct kiocb *iocb = priv->iocb; 464 size_t ret; 465 466 use_mm(mm); 467 ret = copy_to_iter(priv->buf, priv->actual, &priv->to); 468 unuse_mm(mm); 469 if (!ret) 470 ret = -EFAULT; 471 472 /* completing the iocb can drop the ctx and mm, don't touch mm after */ 473 iocb->ki_complete(iocb, ret, ret); 474 475 kfree(priv->buf); 476 kfree(priv->to_free); 477 kfree(priv); 478 } 479 480 static void ep_aio_complete(struct usb_ep *ep, struct usb_request *req) 481 { 482 struct kiocb *iocb = req->context; 483 struct kiocb_priv *priv = iocb->private; 484 struct ep_data *epdata = priv->epdata; 485 486 /* lock against disconnect (and ideally, cancel) */ 487 spin_lock(&epdata->dev->lock); 488 priv->req = NULL; 489 priv->epdata = NULL; 490 491 /* if this was a write or a read returning no data then we 492 * don't need to copy anything to userspace, so we can 493 * complete the aio request immediately. 494 */ 495 if (priv->to_free == NULL || unlikely(req->actual == 0)) { 496 kfree(req->buf); 497 kfree(priv->to_free); 498 kfree(priv); 499 iocb->private = NULL; 500 /* aio_complete() reports bytes-transferred _and_ faults */ 501 502 iocb->ki_complete(iocb, req->actual ? req->actual : req->status, 503 req->status); 504 } else { 505 /* ep_copy_to_user() won't report both; we hide some faults */ 506 if (unlikely(0 != req->status)) 507 DBG(epdata->dev, "%s fault %d len %d\n", 508 ep->name, req->status, req->actual); 509 510 priv->buf = req->buf; 511 priv->actual = req->actual; 512 INIT_WORK(&priv->work, ep_user_copy_worker); 513 schedule_work(&priv->work); 514 } 515 spin_unlock(&epdata->dev->lock); 516 517 usb_ep_free_request(ep, req); 518 put_ep(epdata); 519 } 520 521 static ssize_t ep_aio(struct kiocb *iocb, 522 struct kiocb_priv *priv, 523 struct ep_data *epdata, 524 char *buf, 525 size_t len) 526 { 527 struct usb_request *req; 528 ssize_t value; 529 530 iocb->private = priv; 531 priv->iocb = iocb; 532 533 kiocb_set_cancel_fn(iocb, ep_aio_cancel); 534 get_ep(epdata); 535 priv->epdata = epdata; 536 priv->actual = 0; 537 priv->mm = current->mm; /* mm teardown waits for iocbs in exit_aio() */ 538 539 /* each kiocb is coupled to one usb_request, but we can't 540 * allocate or submit those if the host disconnected. 541 */ 542 spin_lock_irq(&epdata->dev->lock); 543 value = -ENODEV; 544 if (unlikely(epdata->ep)) 545 goto fail; 546 547 req = usb_ep_alloc_request(epdata->ep, GFP_ATOMIC); 548 value = -ENOMEM; 549 if (unlikely(!req)) 550 goto fail; 551 552 priv->req = req; 553 req->buf = buf; 554 req->length = len; 555 req->complete = ep_aio_complete; 556 req->context = iocb; 557 value = usb_ep_queue(epdata->ep, req, GFP_ATOMIC); 558 if (unlikely(0 != value)) { 559 usb_ep_free_request(epdata->ep, req); 560 goto fail; 561 } 562 spin_unlock_irq(&epdata->dev->lock); 563 return -EIOCBQUEUED; 564 565 fail: 566 spin_unlock_irq(&epdata->dev->lock); 567 kfree(priv->to_free); 568 kfree(priv); 569 put_ep(epdata); 570 return value; 571 } 572 573 static ssize_t 574 ep_read_iter(struct kiocb *iocb, struct iov_iter *to) 575 { 576 struct file *file = iocb->ki_filp; 577 struct ep_data *epdata = file->private_data; 578 size_t len = iov_iter_count(to); 579 ssize_t value; 580 char *buf; 581 582 if ((value = get_ready_ep(file->f_flags, epdata, false)) < 0) 583 return value; 584 585 /* halt any endpoint by doing a "wrong direction" i/o call */ 586 if (usb_endpoint_dir_in(&epdata->desc)) { 587 if (usb_endpoint_xfer_isoc(&epdata->desc) || 588 !is_sync_kiocb(iocb)) { 589 mutex_unlock(&epdata->lock); 590 return -EINVAL; 591 } 592 DBG (epdata->dev, "%s halt\n", epdata->name); 593 spin_lock_irq(&epdata->dev->lock); 594 if (likely(epdata->ep != NULL)) 595 usb_ep_set_halt(epdata->ep); 596 spin_unlock_irq(&epdata->dev->lock); 597 mutex_unlock(&epdata->lock); 598 return -EBADMSG; 599 } 600 601 buf = kmalloc(len, GFP_KERNEL); 602 if (unlikely(!buf)) { 603 mutex_unlock(&epdata->lock); 604 return -ENOMEM; 605 } 606 if (is_sync_kiocb(iocb)) { 607 value = ep_io(epdata, buf, len); 608 if (value >= 0 && copy_to_iter(buf, value, to)) 609 value = -EFAULT; 610 } else { 611 struct kiocb_priv *priv = kzalloc(sizeof *priv, GFP_KERNEL); 612 value = -ENOMEM; 613 if (!priv) 614 goto fail; 615 priv->to_free = dup_iter(&priv->to, to, GFP_KERNEL); 616 if (!priv->to_free) { 617 kfree(priv); 618 goto fail; 619 } 620 value = ep_aio(iocb, priv, epdata, buf, len); 621 if (value == -EIOCBQUEUED) 622 buf = NULL; 623 } 624 fail: 625 kfree(buf); 626 mutex_unlock(&epdata->lock); 627 return value; 628 } 629 630 static ssize_t ep_config(struct ep_data *, const char *, size_t); 631 632 static ssize_t 633 ep_write_iter(struct kiocb *iocb, struct iov_iter *from) 634 { 635 struct file *file = iocb->ki_filp; 636 struct ep_data *epdata = file->private_data; 637 size_t len = iov_iter_count(from); 638 bool configured; 639 ssize_t value; 640 char *buf; 641 642 if ((value = get_ready_ep(file->f_flags, epdata, true)) < 0) 643 return value; 644 645 configured = epdata->state == STATE_EP_ENABLED; 646 647 /* halt any endpoint by doing a "wrong direction" i/o call */ 648 if (configured && !usb_endpoint_dir_in(&epdata->desc)) { 649 if (usb_endpoint_xfer_isoc(&epdata->desc) || 650 !is_sync_kiocb(iocb)) { 651 mutex_unlock(&epdata->lock); 652 return -EINVAL; 653 } 654 DBG (epdata->dev, "%s halt\n", epdata->name); 655 spin_lock_irq(&epdata->dev->lock); 656 if (likely(epdata->ep != NULL)) 657 usb_ep_set_halt(epdata->ep); 658 spin_unlock_irq(&epdata->dev->lock); 659 mutex_unlock(&epdata->lock); 660 return -EBADMSG; 661 } 662 663 buf = kmalloc(len, GFP_KERNEL); 664 if (unlikely(!buf)) { 665 mutex_unlock(&epdata->lock); 666 return -ENOMEM; 667 } 668 669 if (unlikely(copy_from_iter(buf, len, from) != len)) { 670 value = -EFAULT; 671 goto out; 672 } 673 674 if (unlikely(!configured)) { 675 value = ep_config(epdata, buf, len); 676 } else if (is_sync_kiocb(iocb)) { 677 value = ep_io(epdata, buf, len); 678 } else { 679 struct kiocb_priv *priv = kzalloc(sizeof *priv, GFP_KERNEL); 680 value = -ENOMEM; 681 if (priv) { 682 value = ep_aio(iocb, priv, epdata, buf, len); 683 if (value == -EIOCBQUEUED) 684 buf = NULL; 685 } 686 } 687 out: 688 kfree(buf); 689 mutex_unlock(&epdata->lock); 690 return value; 691 } 692 693 /*----------------------------------------------------------------------*/ 694 695 /* used after endpoint configuration */ 696 static const struct file_operations ep_io_operations = { 697 .owner = THIS_MODULE, 698 699 .open = ep_open, 700 .release = ep_release, 701 .llseek = no_llseek, 702 .unlocked_ioctl = ep_ioctl, 703 .read_iter = ep_read_iter, 704 .write_iter = ep_write_iter, 705 }; 706 707 /* ENDPOINT INITIALIZATION 708 * 709 * fd = open ("/dev/gadget/$ENDPOINT", O_RDWR) 710 * status = write (fd, descriptors, sizeof descriptors) 711 * 712 * That write establishes the endpoint configuration, configuring 713 * the controller to process bulk, interrupt, or isochronous transfers 714 * at the right maxpacket size, and so on. 715 * 716 * The descriptors are message type 1, identified by a host order u32 717 * at the beginning of what's written. Descriptor order is: full/low 718 * speed descriptor, then optional high speed descriptor. 719 */ 720 static ssize_t 721 ep_config (struct ep_data *data, const char *buf, size_t len) 722 { 723 struct usb_ep *ep; 724 u32 tag; 725 int value, length = len; 726 727 if (data->state != STATE_EP_READY) { 728 value = -EL2HLT; 729 goto fail; 730 } 731 732 value = len; 733 if (len < USB_DT_ENDPOINT_SIZE + 4) 734 goto fail0; 735 736 /* we might need to change message format someday */ 737 memcpy(&tag, buf, 4); 738 if (tag != 1) { 739 DBG(data->dev, "config %s, bad tag %d\n", data->name, tag); 740 goto fail0; 741 } 742 buf += 4; 743 len -= 4; 744 745 /* NOTE: audio endpoint extensions not accepted here; 746 * just don't include the extra bytes. 747 */ 748 749 /* full/low speed descriptor, then high speed */ 750 memcpy(&data->desc, buf, USB_DT_ENDPOINT_SIZE); 751 if (data->desc.bLength != USB_DT_ENDPOINT_SIZE 752 || data->desc.bDescriptorType != USB_DT_ENDPOINT) 753 goto fail0; 754 if (len != USB_DT_ENDPOINT_SIZE) { 755 if (len != 2 * USB_DT_ENDPOINT_SIZE) 756 goto fail0; 757 memcpy(&data->hs_desc, buf + USB_DT_ENDPOINT_SIZE, 758 USB_DT_ENDPOINT_SIZE); 759 if (data->hs_desc.bLength != USB_DT_ENDPOINT_SIZE 760 || data->hs_desc.bDescriptorType 761 != USB_DT_ENDPOINT) { 762 DBG(data->dev, "config %s, bad hs length or type\n", 763 data->name); 764 goto fail0; 765 } 766 } 767 768 spin_lock_irq (&data->dev->lock); 769 if (data->dev->state == STATE_DEV_UNBOUND) { 770 value = -ENOENT; 771 goto gone; 772 } else if ((ep = data->ep) == NULL) { 773 value = -ENODEV; 774 goto gone; 775 } 776 switch (data->dev->gadget->speed) { 777 case USB_SPEED_LOW: 778 case USB_SPEED_FULL: 779 ep->desc = &data->desc; 780 break; 781 case USB_SPEED_HIGH: 782 /* fails if caller didn't provide that descriptor... */ 783 ep->desc = &data->hs_desc; 784 break; 785 default: 786 DBG(data->dev, "unconnected, %s init abandoned\n", 787 data->name); 788 value = -EINVAL; 789 goto gone; 790 } 791 value = usb_ep_enable(ep); 792 if (value == 0) { 793 data->state = STATE_EP_ENABLED; 794 value = length; 795 } 796 gone: 797 spin_unlock_irq (&data->dev->lock); 798 if (value < 0) { 799 fail: 800 data->desc.bDescriptorType = 0; 801 data->hs_desc.bDescriptorType = 0; 802 } 803 return value; 804 fail0: 805 value = -EINVAL; 806 goto fail; 807 } 808 809 static int 810 ep_open (struct inode *inode, struct file *fd) 811 { 812 struct ep_data *data = inode->i_private; 813 int value = -EBUSY; 814 815 if (mutex_lock_interruptible(&data->lock) != 0) 816 return -EINTR; 817 spin_lock_irq (&data->dev->lock); 818 if (data->dev->state == STATE_DEV_UNBOUND) 819 value = -ENOENT; 820 else if (data->state == STATE_EP_DISABLED) { 821 value = 0; 822 data->state = STATE_EP_READY; 823 get_ep (data); 824 fd->private_data = data; 825 VDEBUG (data->dev, "%s ready\n", data->name); 826 } else 827 DBG (data->dev, "%s state %d\n", 828 data->name, data->state); 829 spin_unlock_irq (&data->dev->lock); 830 mutex_unlock(&data->lock); 831 return value; 832 } 833 834 /*----------------------------------------------------------------------*/ 835 836 /* EP0 IMPLEMENTATION can be partly in userspace. 837 * 838 * Drivers that use this facility receive various events, including 839 * control requests the kernel doesn't handle. Drivers that don't 840 * use this facility may be too simple-minded for real applications. 841 */ 842 843 static inline void ep0_readable (struct dev_data *dev) 844 { 845 wake_up (&dev->wait); 846 kill_fasync (&dev->fasync, SIGIO, POLL_IN); 847 } 848 849 static void clean_req (struct usb_ep *ep, struct usb_request *req) 850 { 851 struct dev_data *dev = ep->driver_data; 852 853 if (req->buf != dev->rbuf) { 854 kfree(req->buf); 855 req->buf = dev->rbuf; 856 } 857 req->complete = epio_complete; 858 dev->setup_out_ready = 0; 859 } 860 861 static void ep0_complete (struct usb_ep *ep, struct usb_request *req) 862 { 863 struct dev_data *dev = ep->driver_data; 864 unsigned long flags; 865 int free = 1; 866 867 /* for control OUT, data must still get to userspace */ 868 spin_lock_irqsave(&dev->lock, flags); 869 if (!dev->setup_in) { 870 dev->setup_out_error = (req->status != 0); 871 if (!dev->setup_out_error) 872 free = 0; 873 dev->setup_out_ready = 1; 874 ep0_readable (dev); 875 } 876 877 /* clean up as appropriate */ 878 if (free && req->buf != &dev->rbuf) 879 clean_req (ep, req); 880 req->complete = epio_complete; 881 spin_unlock_irqrestore(&dev->lock, flags); 882 } 883 884 static int setup_req (struct usb_ep *ep, struct usb_request *req, u16 len) 885 { 886 struct dev_data *dev = ep->driver_data; 887 888 if (dev->setup_out_ready) { 889 DBG (dev, "ep0 request busy!\n"); 890 return -EBUSY; 891 } 892 if (len > sizeof (dev->rbuf)) 893 req->buf = kmalloc(len, GFP_ATOMIC); 894 if (req->buf == NULL) { 895 req->buf = dev->rbuf; 896 return -ENOMEM; 897 } 898 req->complete = ep0_complete; 899 req->length = len; 900 req->zero = 0; 901 return 0; 902 } 903 904 static ssize_t 905 ep0_read (struct file *fd, char __user *buf, size_t len, loff_t *ptr) 906 { 907 struct dev_data *dev = fd->private_data; 908 ssize_t retval; 909 enum ep0_state state; 910 911 spin_lock_irq (&dev->lock); 912 if (dev->state <= STATE_DEV_OPENED) { 913 retval = -EINVAL; 914 goto done; 915 } 916 917 /* report fd mode change before acting on it */ 918 if (dev->setup_abort) { 919 dev->setup_abort = 0; 920 retval = -EIDRM; 921 goto done; 922 } 923 924 /* control DATA stage */ 925 if ((state = dev->state) == STATE_DEV_SETUP) { 926 927 if (dev->setup_in) { /* stall IN */ 928 VDEBUG(dev, "ep0in stall\n"); 929 (void) usb_ep_set_halt (dev->gadget->ep0); 930 retval = -EL2HLT; 931 dev->state = STATE_DEV_CONNECTED; 932 933 } else if (len == 0) { /* ack SET_CONFIGURATION etc */ 934 struct usb_ep *ep = dev->gadget->ep0; 935 struct usb_request *req = dev->req; 936 937 if ((retval = setup_req (ep, req, 0)) == 0) 938 retval = usb_ep_queue (ep, req, GFP_ATOMIC); 939 dev->state = STATE_DEV_CONNECTED; 940 941 /* assume that was SET_CONFIGURATION */ 942 if (dev->current_config) { 943 unsigned power; 944 945 if (gadget_is_dualspeed(dev->gadget) 946 && (dev->gadget->speed 947 == USB_SPEED_HIGH)) 948 power = dev->hs_config->bMaxPower; 949 else 950 power = dev->config->bMaxPower; 951 usb_gadget_vbus_draw(dev->gadget, 2 * power); 952 } 953 954 } else { /* collect OUT data */ 955 if ((fd->f_flags & O_NONBLOCK) != 0 956 && !dev->setup_out_ready) { 957 retval = -EAGAIN; 958 goto done; 959 } 960 spin_unlock_irq (&dev->lock); 961 retval = wait_event_interruptible (dev->wait, 962 dev->setup_out_ready != 0); 963 964 /* FIXME state could change from under us */ 965 spin_lock_irq (&dev->lock); 966 if (retval) 967 goto done; 968 969 if (dev->state != STATE_DEV_SETUP) { 970 retval = -ECANCELED; 971 goto done; 972 } 973 dev->state = STATE_DEV_CONNECTED; 974 975 if (dev->setup_out_error) 976 retval = -EIO; 977 else { 978 len = min (len, (size_t)dev->req->actual); 979 // FIXME don't call this with the spinlock held ... 980 if (copy_to_user (buf, dev->req->buf, len)) 981 retval = -EFAULT; 982 else 983 retval = len; 984 clean_req (dev->gadget->ep0, dev->req); 985 /* NOTE userspace can't yet choose to stall */ 986 } 987 } 988 goto done; 989 } 990 991 /* else normal: return event data */ 992 if (len < sizeof dev->event [0]) { 993 retval = -EINVAL; 994 goto done; 995 } 996 len -= len % sizeof (struct usb_gadgetfs_event); 997 dev->usermode_setup = 1; 998 999 scan: 1000 /* return queued events right away */ 1001 if (dev->ev_next != 0) { 1002 unsigned i, n; 1003 1004 n = len / sizeof (struct usb_gadgetfs_event); 1005 if (dev->ev_next < n) 1006 n = dev->ev_next; 1007 1008 /* ep0 i/o has special semantics during STATE_DEV_SETUP */ 1009 for (i = 0; i < n; i++) { 1010 if (dev->event [i].type == GADGETFS_SETUP) { 1011 dev->state = STATE_DEV_SETUP; 1012 n = i + 1; 1013 break; 1014 } 1015 } 1016 spin_unlock_irq (&dev->lock); 1017 len = n * sizeof (struct usb_gadgetfs_event); 1018 if (copy_to_user (buf, &dev->event, len)) 1019 retval = -EFAULT; 1020 else 1021 retval = len; 1022 if (len > 0) { 1023 /* NOTE this doesn't guard against broken drivers; 1024 * concurrent ep0 readers may lose events. 1025 */ 1026 spin_lock_irq (&dev->lock); 1027 if (dev->ev_next > n) { 1028 memmove(&dev->event[0], &dev->event[n], 1029 sizeof (struct usb_gadgetfs_event) 1030 * (dev->ev_next - n)); 1031 } 1032 dev->ev_next -= n; 1033 spin_unlock_irq (&dev->lock); 1034 } 1035 return retval; 1036 } 1037 if (fd->f_flags & O_NONBLOCK) { 1038 retval = -EAGAIN; 1039 goto done; 1040 } 1041 1042 switch (state) { 1043 default: 1044 DBG (dev, "fail %s, state %d\n", __func__, state); 1045 retval = -ESRCH; 1046 break; 1047 case STATE_DEV_UNCONNECTED: 1048 case STATE_DEV_CONNECTED: 1049 spin_unlock_irq (&dev->lock); 1050 DBG (dev, "%s wait\n", __func__); 1051 1052 /* wait for events */ 1053 retval = wait_event_interruptible (dev->wait, 1054 dev->ev_next != 0); 1055 if (retval < 0) 1056 return retval; 1057 spin_lock_irq (&dev->lock); 1058 goto scan; 1059 } 1060 1061 done: 1062 spin_unlock_irq (&dev->lock); 1063 return retval; 1064 } 1065 1066 static struct usb_gadgetfs_event * 1067 next_event (struct dev_data *dev, enum usb_gadgetfs_event_type type) 1068 { 1069 struct usb_gadgetfs_event *event; 1070 unsigned i; 1071 1072 switch (type) { 1073 /* these events purge the queue */ 1074 case GADGETFS_DISCONNECT: 1075 if (dev->state == STATE_DEV_SETUP) 1076 dev->setup_abort = 1; 1077 // FALL THROUGH 1078 case GADGETFS_CONNECT: 1079 dev->ev_next = 0; 1080 break; 1081 case GADGETFS_SETUP: /* previous request timed out */ 1082 case GADGETFS_SUSPEND: /* same effect */ 1083 /* these events can't be repeated */ 1084 for (i = 0; i != dev->ev_next; i++) { 1085 if (dev->event [i].type != type) 1086 continue; 1087 DBG(dev, "discard old event[%d] %d\n", i, type); 1088 dev->ev_next--; 1089 if (i == dev->ev_next) 1090 break; 1091 /* indices start at zero, for simplicity */ 1092 memmove (&dev->event [i], &dev->event [i + 1], 1093 sizeof (struct usb_gadgetfs_event) 1094 * (dev->ev_next - i)); 1095 } 1096 break; 1097 default: 1098 BUG (); 1099 } 1100 VDEBUG(dev, "event[%d] = %d\n", dev->ev_next, type); 1101 event = &dev->event [dev->ev_next++]; 1102 BUG_ON (dev->ev_next > N_EVENT); 1103 memset (event, 0, sizeof *event); 1104 event->type = type; 1105 return event; 1106 } 1107 1108 static ssize_t 1109 ep0_write (struct file *fd, const char __user *buf, size_t len, loff_t *ptr) 1110 { 1111 struct dev_data *dev = fd->private_data; 1112 ssize_t retval = -ESRCH; 1113 1114 /* report fd mode change before acting on it */ 1115 if (dev->setup_abort) { 1116 dev->setup_abort = 0; 1117 retval = -EIDRM; 1118 1119 /* data and/or status stage for control request */ 1120 } else if (dev->state == STATE_DEV_SETUP) { 1121 1122 /* IN DATA+STATUS caller makes len <= wLength */ 1123 if (dev->setup_in) { 1124 retval = setup_req (dev->gadget->ep0, dev->req, len); 1125 if (retval == 0) { 1126 dev->state = STATE_DEV_CONNECTED; 1127 spin_unlock_irq (&dev->lock); 1128 if (copy_from_user (dev->req->buf, buf, len)) 1129 retval = -EFAULT; 1130 else { 1131 if (len < dev->setup_wLength) 1132 dev->req->zero = 1; 1133 retval = usb_ep_queue ( 1134 dev->gadget->ep0, dev->req, 1135 GFP_KERNEL); 1136 } 1137 if (retval < 0) { 1138 spin_lock_irq (&dev->lock); 1139 clean_req (dev->gadget->ep0, dev->req); 1140 spin_unlock_irq (&dev->lock); 1141 } else 1142 retval = len; 1143 1144 return retval; 1145 } 1146 1147 /* can stall some OUT transfers */ 1148 } else if (dev->setup_can_stall) { 1149 VDEBUG(dev, "ep0out stall\n"); 1150 (void) usb_ep_set_halt (dev->gadget->ep0); 1151 retval = -EL2HLT; 1152 dev->state = STATE_DEV_CONNECTED; 1153 } else { 1154 DBG(dev, "bogus ep0out stall!\n"); 1155 } 1156 } else 1157 DBG (dev, "fail %s, state %d\n", __func__, dev->state); 1158 1159 return retval; 1160 } 1161 1162 static int 1163 ep0_fasync (int f, struct file *fd, int on) 1164 { 1165 struct dev_data *dev = fd->private_data; 1166 // caller must F_SETOWN before signal delivery happens 1167 VDEBUG (dev, "%s %s\n", __func__, on ? "on" : "off"); 1168 return fasync_helper (f, fd, on, &dev->fasync); 1169 } 1170 1171 static struct usb_gadget_driver gadgetfs_driver; 1172 1173 static int 1174 dev_release (struct inode *inode, struct file *fd) 1175 { 1176 struct dev_data *dev = fd->private_data; 1177 1178 /* closing ep0 === shutdown all */ 1179 1180 usb_gadget_unregister_driver (&gadgetfs_driver); 1181 1182 /* at this point "good" hardware has disconnected the 1183 * device from USB; the host won't see it any more. 1184 * alternatively, all host requests will time out. 1185 */ 1186 1187 kfree (dev->buf); 1188 dev->buf = NULL; 1189 1190 /* other endpoints were all decoupled from this device */ 1191 spin_lock_irq(&dev->lock); 1192 dev->state = STATE_DEV_DISABLED; 1193 spin_unlock_irq(&dev->lock); 1194 1195 put_dev (dev); 1196 return 0; 1197 } 1198 1199 static unsigned int 1200 ep0_poll (struct file *fd, poll_table *wait) 1201 { 1202 struct dev_data *dev = fd->private_data; 1203 int mask = 0; 1204 1205 if (dev->state <= STATE_DEV_OPENED) 1206 return DEFAULT_POLLMASK; 1207 1208 poll_wait(fd, &dev->wait, wait); 1209 1210 spin_lock_irq (&dev->lock); 1211 1212 /* report fd mode change before acting on it */ 1213 if (dev->setup_abort) { 1214 dev->setup_abort = 0; 1215 mask = POLLHUP; 1216 goto out; 1217 } 1218 1219 if (dev->state == STATE_DEV_SETUP) { 1220 if (dev->setup_in || dev->setup_can_stall) 1221 mask = POLLOUT; 1222 } else { 1223 if (dev->ev_next != 0) 1224 mask = POLLIN; 1225 } 1226 out: 1227 spin_unlock_irq(&dev->lock); 1228 return mask; 1229 } 1230 1231 static long dev_ioctl (struct file *fd, unsigned code, unsigned long value) 1232 { 1233 struct dev_data *dev = fd->private_data; 1234 struct usb_gadget *gadget = dev->gadget; 1235 long ret = -ENOTTY; 1236 1237 if (gadget->ops->ioctl) 1238 ret = gadget->ops->ioctl (gadget, code, value); 1239 1240 return ret; 1241 } 1242 1243 /*----------------------------------------------------------------------*/ 1244 1245 /* The in-kernel gadget driver handles most ep0 issues, in particular 1246 * enumerating the single configuration (as provided from user space). 1247 * 1248 * Unrecognized ep0 requests may be handled in user space. 1249 */ 1250 1251 static void make_qualifier (struct dev_data *dev) 1252 { 1253 struct usb_qualifier_descriptor qual; 1254 struct usb_device_descriptor *desc; 1255 1256 qual.bLength = sizeof qual; 1257 qual.bDescriptorType = USB_DT_DEVICE_QUALIFIER; 1258 qual.bcdUSB = cpu_to_le16 (0x0200); 1259 1260 desc = dev->dev; 1261 qual.bDeviceClass = desc->bDeviceClass; 1262 qual.bDeviceSubClass = desc->bDeviceSubClass; 1263 qual.bDeviceProtocol = desc->bDeviceProtocol; 1264 1265 /* assumes ep0 uses the same value for both speeds ... */ 1266 qual.bMaxPacketSize0 = dev->gadget->ep0->maxpacket; 1267 1268 qual.bNumConfigurations = 1; 1269 qual.bRESERVED = 0; 1270 1271 memcpy (dev->rbuf, &qual, sizeof qual); 1272 } 1273 1274 static int 1275 config_buf (struct dev_data *dev, u8 type, unsigned index) 1276 { 1277 int len; 1278 int hs = 0; 1279 1280 /* only one configuration */ 1281 if (index > 0) 1282 return -EINVAL; 1283 1284 if (gadget_is_dualspeed(dev->gadget)) { 1285 hs = (dev->gadget->speed == USB_SPEED_HIGH); 1286 if (type == USB_DT_OTHER_SPEED_CONFIG) 1287 hs = !hs; 1288 } 1289 if (hs) { 1290 dev->req->buf = dev->hs_config; 1291 len = le16_to_cpu(dev->hs_config->wTotalLength); 1292 } else { 1293 dev->req->buf = dev->config; 1294 len = le16_to_cpu(dev->config->wTotalLength); 1295 } 1296 ((u8 *)dev->req->buf) [1] = type; 1297 return len; 1298 } 1299 1300 static int 1301 gadgetfs_setup (struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl) 1302 { 1303 struct dev_data *dev = get_gadget_data (gadget); 1304 struct usb_request *req = dev->req; 1305 int value = -EOPNOTSUPP; 1306 struct usb_gadgetfs_event *event; 1307 u16 w_value = le16_to_cpu(ctrl->wValue); 1308 u16 w_length = le16_to_cpu(ctrl->wLength); 1309 1310 spin_lock (&dev->lock); 1311 dev->setup_abort = 0; 1312 if (dev->state == STATE_DEV_UNCONNECTED) { 1313 if (gadget_is_dualspeed(gadget) 1314 && gadget->speed == USB_SPEED_HIGH 1315 && dev->hs_config == NULL) { 1316 spin_unlock(&dev->lock); 1317 ERROR (dev, "no high speed config??\n"); 1318 return -EINVAL; 1319 } 1320 1321 dev->state = STATE_DEV_CONNECTED; 1322 1323 INFO (dev, "connected\n"); 1324 event = next_event (dev, GADGETFS_CONNECT); 1325 event->u.speed = gadget->speed; 1326 ep0_readable (dev); 1327 1328 /* host may have given up waiting for response. we can miss control 1329 * requests handled lower down (device/endpoint status and features); 1330 * then ep0_{read,write} will report the wrong status. controller 1331 * driver will have aborted pending i/o. 1332 */ 1333 } else if (dev->state == STATE_DEV_SETUP) 1334 dev->setup_abort = 1; 1335 1336 req->buf = dev->rbuf; 1337 req->context = NULL; 1338 value = -EOPNOTSUPP; 1339 switch (ctrl->bRequest) { 1340 1341 case USB_REQ_GET_DESCRIPTOR: 1342 if (ctrl->bRequestType != USB_DIR_IN) 1343 goto unrecognized; 1344 switch (w_value >> 8) { 1345 1346 case USB_DT_DEVICE: 1347 value = min (w_length, (u16) sizeof *dev->dev); 1348 dev->dev->bMaxPacketSize0 = dev->gadget->ep0->maxpacket; 1349 req->buf = dev->dev; 1350 break; 1351 case USB_DT_DEVICE_QUALIFIER: 1352 if (!dev->hs_config) 1353 break; 1354 value = min (w_length, (u16) 1355 sizeof (struct usb_qualifier_descriptor)); 1356 make_qualifier (dev); 1357 break; 1358 case USB_DT_OTHER_SPEED_CONFIG: 1359 // FALLTHROUGH 1360 case USB_DT_CONFIG: 1361 value = config_buf (dev, 1362 w_value >> 8, 1363 w_value & 0xff); 1364 if (value >= 0) 1365 value = min (w_length, (u16) value); 1366 break; 1367 case USB_DT_STRING: 1368 goto unrecognized; 1369 1370 default: // all others are errors 1371 break; 1372 } 1373 break; 1374 1375 /* currently one config, two speeds */ 1376 case USB_REQ_SET_CONFIGURATION: 1377 if (ctrl->bRequestType != 0) 1378 goto unrecognized; 1379 if (0 == (u8) w_value) { 1380 value = 0; 1381 dev->current_config = 0; 1382 usb_gadget_vbus_draw(gadget, 8 /* mA */ ); 1383 // user mode expected to disable endpoints 1384 } else { 1385 u8 config, power; 1386 1387 if (gadget_is_dualspeed(gadget) 1388 && gadget->speed == USB_SPEED_HIGH) { 1389 config = dev->hs_config->bConfigurationValue; 1390 power = dev->hs_config->bMaxPower; 1391 } else { 1392 config = dev->config->bConfigurationValue; 1393 power = dev->config->bMaxPower; 1394 } 1395 1396 if (config == (u8) w_value) { 1397 value = 0; 1398 dev->current_config = config; 1399 usb_gadget_vbus_draw(gadget, 2 * power); 1400 } 1401 } 1402 1403 /* report SET_CONFIGURATION like any other control request, 1404 * except that usermode may not stall this. the next 1405 * request mustn't be allowed start until this finishes: 1406 * endpoints and threads set up, etc. 1407 * 1408 * NOTE: older PXA hardware (before PXA 255: without UDCCFR) 1409 * has bad/racey automagic that prevents synchronizing here. 1410 * even kernel mode drivers often miss them. 1411 */ 1412 if (value == 0) { 1413 INFO (dev, "configuration #%d\n", dev->current_config); 1414 usb_gadget_set_state(gadget, USB_STATE_CONFIGURED); 1415 if (dev->usermode_setup) { 1416 dev->setup_can_stall = 0; 1417 goto delegate; 1418 } 1419 } 1420 break; 1421 1422 #ifndef CONFIG_USB_PXA25X 1423 /* PXA automagically handles this request too */ 1424 case USB_REQ_GET_CONFIGURATION: 1425 if (ctrl->bRequestType != 0x80) 1426 goto unrecognized; 1427 *(u8 *)req->buf = dev->current_config; 1428 value = min (w_length, (u16) 1); 1429 break; 1430 #endif 1431 1432 default: 1433 unrecognized: 1434 VDEBUG (dev, "%s req%02x.%02x v%04x i%04x l%d\n", 1435 dev->usermode_setup ? "delegate" : "fail", 1436 ctrl->bRequestType, ctrl->bRequest, 1437 w_value, le16_to_cpu(ctrl->wIndex), w_length); 1438 1439 /* if there's an ep0 reader, don't stall */ 1440 if (dev->usermode_setup) { 1441 dev->setup_can_stall = 1; 1442 delegate: 1443 dev->setup_in = (ctrl->bRequestType & USB_DIR_IN) 1444 ? 1 : 0; 1445 dev->setup_wLength = w_length; 1446 dev->setup_out_ready = 0; 1447 dev->setup_out_error = 0; 1448 value = 0; 1449 1450 /* read DATA stage for OUT right away */ 1451 if (unlikely (!dev->setup_in && w_length)) { 1452 value = setup_req (gadget->ep0, dev->req, 1453 w_length); 1454 if (value < 0) 1455 break; 1456 value = usb_ep_queue (gadget->ep0, dev->req, 1457 GFP_ATOMIC); 1458 if (value < 0) { 1459 clean_req (gadget->ep0, dev->req); 1460 break; 1461 } 1462 1463 /* we can't currently stall these */ 1464 dev->setup_can_stall = 0; 1465 } 1466 1467 /* state changes when reader collects event */ 1468 event = next_event (dev, GADGETFS_SETUP); 1469 event->u.setup = *ctrl; 1470 ep0_readable (dev); 1471 spin_unlock (&dev->lock); 1472 return 0; 1473 } 1474 } 1475 1476 /* proceed with data transfer and status phases? */ 1477 if (value >= 0 && dev->state != STATE_DEV_SETUP) { 1478 req->length = value; 1479 req->zero = value < w_length; 1480 value = usb_ep_queue (gadget->ep0, req, GFP_ATOMIC); 1481 if (value < 0) { 1482 DBG (dev, "ep_queue --> %d\n", value); 1483 req->status = 0; 1484 } 1485 } 1486 1487 /* device stalls when value < 0 */ 1488 spin_unlock (&dev->lock); 1489 return value; 1490 } 1491 1492 static void destroy_ep_files (struct dev_data *dev) 1493 { 1494 DBG (dev, "%s %d\n", __func__, dev->state); 1495 1496 /* dev->state must prevent interference */ 1497 spin_lock_irq (&dev->lock); 1498 while (!list_empty(&dev->epfiles)) { 1499 struct ep_data *ep; 1500 struct inode *parent; 1501 struct dentry *dentry; 1502 1503 /* break link to FS */ 1504 ep = list_first_entry (&dev->epfiles, struct ep_data, epfiles); 1505 list_del_init (&ep->epfiles); 1506 dentry = ep->dentry; 1507 ep->dentry = NULL; 1508 parent = d_inode(dentry->d_parent); 1509 1510 /* break link to controller */ 1511 if (ep->state == STATE_EP_ENABLED) 1512 (void) usb_ep_disable (ep->ep); 1513 ep->state = STATE_EP_UNBOUND; 1514 usb_ep_free_request (ep->ep, ep->req); 1515 ep->ep = NULL; 1516 wake_up (&ep->wait); 1517 put_ep (ep); 1518 1519 spin_unlock_irq (&dev->lock); 1520 1521 /* break link to dcache */ 1522 mutex_lock (&parent->i_mutex); 1523 d_delete (dentry); 1524 dput (dentry); 1525 mutex_unlock (&parent->i_mutex); 1526 1527 spin_lock_irq (&dev->lock); 1528 } 1529 spin_unlock_irq (&dev->lock); 1530 } 1531 1532 1533 static struct dentry * 1534 gadgetfs_create_file (struct super_block *sb, char const *name, 1535 void *data, const struct file_operations *fops); 1536 1537 static int activate_ep_files (struct dev_data *dev) 1538 { 1539 struct usb_ep *ep; 1540 struct ep_data *data; 1541 1542 gadget_for_each_ep (ep, dev->gadget) { 1543 1544 data = kzalloc(sizeof(*data), GFP_KERNEL); 1545 if (!data) 1546 goto enomem0; 1547 data->state = STATE_EP_DISABLED; 1548 mutex_init(&data->lock); 1549 init_waitqueue_head (&data->wait); 1550 1551 strncpy (data->name, ep->name, sizeof (data->name) - 1); 1552 atomic_set (&data->count, 1); 1553 data->dev = dev; 1554 get_dev (dev); 1555 1556 data->ep = ep; 1557 ep->driver_data = data; 1558 1559 data->req = usb_ep_alloc_request (ep, GFP_KERNEL); 1560 if (!data->req) 1561 goto enomem1; 1562 1563 data->dentry = gadgetfs_create_file (dev->sb, data->name, 1564 data, &ep_io_operations); 1565 if (!data->dentry) 1566 goto enomem2; 1567 list_add_tail (&data->epfiles, &dev->epfiles); 1568 } 1569 return 0; 1570 1571 enomem2: 1572 usb_ep_free_request (ep, data->req); 1573 enomem1: 1574 put_dev (dev); 1575 kfree (data); 1576 enomem0: 1577 DBG (dev, "%s enomem\n", __func__); 1578 destroy_ep_files (dev); 1579 return -ENOMEM; 1580 } 1581 1582 static void 1583 gadgetfs_unbind (struct usb_gadget *gadget) 1584 { 1585 struct dev_data *dev = get_gadget_data (gadget); 1586 1587 DBG (dev, "%s\n", __func__); 1588 1589 spin_lock_irq (&dev->lock); 1590 dev->state = STATE_DEV_UNBOUND; 1591 spin_unlock_irq (&dev->lock); 1592 1593 destroy_ep_files (dev); 1594 gadget->ep0->driver_data = NULL; 1595 set_gadget_data (gadget, NULL); 1596 1597 /* we've already been disconnected ... no i/o is active */ 1598 if (dev->req) 1599 usb_ep_free_request (gadget->ep0, dev->req); 1600 DBG (dev, "%s done\n", __func__); 1601 put_dev (dev); 1602 } 1603 1604 static struct dev_data *the_device; 1605 1606 static int gadgetfs_bind(struct usb_gadget *gadget, 1607 struct usb_gadget_driver *driver) 1608 { 1609 struct dev_data *dev = the_device; 1610 1611 if (!dev) 1612 return -ESRCH; 1613 if (0 != strcmp (CHIP, gadget->name)) { 1614 pr_err("%s expected %s controller not %s\n", 1615 shortname, CHIP, gadget->name); 1616 return -ENODEV; 1617 } 1618 1619 set_gadget_data (gadget, dev); 1620 dev->gadget = gadget; 1621 gadget->ep0->driver_data = dev; 1622 1623 /* preallocate control response and buffer */ 1624 dev->req = usb_ep_alloc_request (gadget->ep0, GFP_KERNEL); 1625 if (!dev->req) 1626 goto enomem; 1627 dev->req->context = NULL; 1628 dev->req->complete = epio_complete; 1629 1630 if (activate_ep_files (dev) < 0) 1631 goto enomem; 1632 1633 INFO (dev, "bound to %s driver\n", gadget->name); 1634 spin_lock_irq(&dev->lock); 1635 dev->state = STATE_DEV_UNCONNECTED; 1636 spin_unlock_irq(&dev->lock); 1637 get_dev (dev); 1638 return 0; 1639 1640 enomem: 1641 gadgetfs_unbind (gadget); 1642 return -ENOMEM; 1643 } 1644 1645 static void 1646 gadgetfs_disconnect (struct usb_gadget *gadget) 1647 { 1648 struct dev_data *dev = get_gadget_data (gadget); 1649 unsigned long flags; 1650 1651 spin_lock_irqsave (&dev->lock, flags); 1652 if (dev->state == STATE_DEV_UNCONNECTED) 1653 goto exit; 1654 dev->state = STATE_DEV_UNCONNECTED; 1655 1656 INFO (dev, "disconnected\n"); 1657 next_event (dev, GADGETFS_DISCONNECT); 1658 ep0_readable (dev); 1659 exit: 1660 spin_unlock_irqrestore (&dev->lock, flags); 1661 } 1662 1663 static void 1664 gadgetfs_suspend (struct usb_gadget *gadget) 1665 { 1666 struct dev_data *dev = get_gadget_data (gadget); 1667 1668 INFO (dev, "suspended from state %d\n", dev->state); 1669 spin_lock (&dev->lock); 1670 switch (dev->state) { 1671 case STATE_DEV_SETUP: // VERY odd... host died?? 1672 case STATE_DEV_CONNECTED: 1673 case STATE_DEV_UNCONNECTED: 1674 next_event (dev, GADGETFS_SUSPEND); 1675 ep0_readable (dev); 1676 /* FALLTHROUGH */ 1677 default: 1678 break; 1679 } 1680 spin_unlock (&dev->lock); 1681 } 1682 1683 static struct usb_gadget_driver gadgetfs_driver = { 1684 .function = (char *) driver_desc, 1685 .bind = gadgetfs_bind, 1686 .unbind = gadgetfs_unbind, 1687 .setup = gadgetfs_setup, 1688 .reset = gadgetfs_disconnect, 1689 .disconnect = gadgetfs_disconnect, 1690 .suspend = gadgetfs_suspend, 1691 1692 .driver = { 1693 .name = (char *) shortname, 1694 }, 1695 }; 1696 1697 /*----------------------------------------------------------------------*/ 1698 1699 static void gadgetfs_nop(struct usb_gadget *arg) { } 1700 1701 static int gadgetfs_probe(struct usb_gadget *gadget, 1702 struct usb_gadget_driver *driver) 1703 { 1704 CHIP = gadget->name; 1705 return -EISNAM; 1706 } 1707 1708 static struct usb_gadget_driver probe_driver = { 1709 .max_speed = USB_SPEED_HIGH, 1710 .bind = gadgetfs_probe, 1711 .unbind = gadgetfs_nop, 1712 .setup = (void *)gadgetfs_nop, 1713 .disconnect = gadgetfs_nop, 1714 .driver = { 1715 .name = "nop", 1716 }, 1717 }; 1718 1719 1720 /* DEVICE INITIALIZATION 1721 * 1722 * fd = open ("/dev/gadget/$CHIP", O_RDWR) 1723 * status = write (fd, descriptors, sizeof descriptors) 1724 * 1725 * That write establishes the device configuration, so the kernel can 1726 * bind to the controller ... guaranteeing it can handle enumeration 1727 * at all necessary speeds. Descriptor order is: 1728 * 1729 * . message tag (u32, host order) ... for now, must be zero; it 1730 * would change to support features like multi-config devices 1731 * . full/low speed config ... all wTotalLength bytes (with interface, 1732 * class, altsetting, endpoint, and other descriptors) 1733 * . high speed config ... all descriptors, for high speed operation; 1734 * this one's optional except for high-speed hardware 1735 * . device descriptor 1736 * 1737 * Endpoints are not yet enabled. Drivers must wait until device 1738 * configuration and interface altsetting changes create 1739 * the need to configure (or unconfigure) them. 1740 * 1741 * After initialization, the device stays active for as long as that 1742 * $CHIP file is open. Events must then be read from that descriptor, 1743 * such as configuration notifications. 1744 */ 1745 1746 static int is_valid_config (struct usb_config_descriptor *config) 1747 { 1748 return config->bDescriptorType == USB_DT_CONFIG 1749 && config->bLength == USB_DT_CONFIG_SIZE 1750 && config->bConfigurationValue != 0 1751 && (config->bmAttributes & USB_CONFIG_ATT_ONE) != 0 1752 && (config->bmAttributes & USB_CONFIG_ATT_WAKEUP) == 0; 1753 /* FIXME if gadget->is_otg, _must_ include an otg descriptor */ 1754 /* FIXME check lengths: walk to end */ 1755 } 1756 1757 static ssize_t 1758 dev_config (struct file *fd, const char __user *buf, size_t len, loff_t *ptr) 1759 { 1760 struct dev_data *dev = fd->private_data; 1761 ssize_t value = len, length = len; 1762 unsigned total; 1763 u32 tag; 1764 char *kbuf; 1765 1766 spin_lock_irq(&dev->lock); 1767 if (dev->state > STATE_DEV_OPENED) { 1768 value = ep0_write(fd, buf, len, ptr); 1769 spin_unlock_irq(&dev->lock); 1770 return value; 1771 } 1772 spin_unlock_irq(&dev->lock); 1773 1774 if (len < (USB_DT_CONFIG_SIZE + USB_DT_DEVICE_SIZE + 4)) 1775 return -EINVAL; 1776 1777 /* we might need to change message format someday */ 1778 if (copy_from_user (&tag, buf, 4)) 1779 return -EFAULT; 1780 if (tag != 0) 1781 return -EINVAL; 1782 buf += 4; 1783 length -= 4; 1784 1785 kbuf = memdup_user(buf, length); 1786 if (IS_ERR(kbuf)) 1787 return PTR_ERR(kbuf); 1788 1789 spin_lock_irq (&dev->lock); 1790 value = -EINVAL; 1791 if (dev->buf) 1792 goto fail; 1793 dev->buf = kbuf; 1794 1795 /* full or low speed config */ 1796 dev->config = (void *) kbuf; 1797 total = le16_to_cpu(dev->config->wTotalLength); 1798 if (!is_valid_config (dev->config) || total >= length) 1799 goto fail; 1800 kbuf += total; 1801 length -= total; 1802 1803 /* optional high speed config */ 1804 if (kbuf [1] == USB_DT_CONFIG) { 1805 dev->hs_config = (void *) kbuf; 1806 total = le16_to_cpu(dev->hs_config->wTotalLength); 1807 if (!is_valid_config (dev->hs_config) || total >= length) 1808 goto fail; 1809 kbuf += total; 1810 length -= total; 1811 } 1812 1813 /* could support multiple configs, using another encoding! */ 1814 1815 /* device descriptor (tweaked for paranoia) */ 1816 if (length != USB_DT_DEVICE_SIZE) 1817 goto fail; 1818 dev->dev = (void *)kbuf; 1819 if (dev->dev->bLength != USB_DT_DEVICE_SIZE 1820 || dev->dev->bDescriptorType != USB_DT_DEVICE 1821 || dev->dev->bNumConfigurations != 1) 1822 goto fail; 1823 dev->dev->bNumConfigurations = 1; 1824 dev->dev->bcdUSB = cpu_to_le16 (0x0200); 1825 1826 /* triggers gadgetfs_bind(); then we can enumerate. */ 1827 spin_unlock_irq (&dev->lock); 1828 if (dev->hs_config) 1829 gadgetfs_driver.max_speed = USB_SPEED_HIGH; 1830 else 1831 gadgetfs_driver.max_speed = USB_SPEED_FULL; 1832 1833 value = usb_gadget_probe_driver(&gadgetfs_driver); 1834 if (value != 0) { 1835 kfree (dev->buf); 1836 dev->buf = NULL; 1837 } else { 1838 /* at this point "good" hardware has for the first time 1839 * let the USB the host see us. alternatively, if users 1840 * unplug/replug that will clear all the error state. 1841 * 1842 * note: everything running before here was guaranteed 1843 * to choke driver model style diagnostics. from here 1844 * on, they can work ... except in cleanup paths that 1845 * kick in after the ep0 descriptor is closed. 1846 */ 1847 value = len; 1848 } 1849 return value; 1850 1851 fail: 1852 spin_unlock_irq (&dev->lock); 1853 pr_debug ("%s: %s fail %Zd, %p\n", shortname, __func__, value, dev); 1854 kfree (dev->buf); 1855 dev->buf = NULL; 1856 return value; 1857 } 1858 1859 static int 1860 dev_open (struct inode *inode, struct file *fd) 1861 { 1862 struct dev_data *dev = inode->i_private; 1863 int value = -EBUSY; 1864 1865 spin_lock_irq(&dev->lock); 1866 if (dev->state == STATE_DEV_DISABLED) { 1867 dev->ev_next = 0; 1868 dev->state = STATE_DEV_OPENED; 1869 fd->private_data = dev; 1870 get_dev (dev); 1871 value = 0; 1872 } 1873 spin_unlock_irq(&dev->lock); 1874 return value; 1875 } 1876 1877 static const struct file_operations ep0_operations = { 1878 .llseek = no_llseek, 1879 1880 .open = dev_open, 1881 .read = ep0_read, 1882 .write = dev_config, 1883 .fasync = ep0_fasync, 1884 .poll = ep0_poll, 1885 .unlocked_ioctl = dev_ioctl, 1886 .release = dev_release, 1887 }; 1888 1889 /*----------------------------------------------------------------------*/ 1890 1891 /* FILESYSTEM AND SUPERBLOCK OPERATIONS 1892 * 1893 * Mounting the filesystem creates a controller file, used first for 1894 * device configuration then later for event monitoring. 1895 */ 1896 1897 1898 /* FIXME PAM etc could set this security policy without mount options 1899 * if epfiles inherited ownership and permissons from ep0 ... 1900 */ 1901 1902 static unsigned default_uid; 1903 static unsigned default_gid; 1904 static unsigned default_perm = S_IRUSR | S_IWUSR; 1905 1906 module_param (default_uid, uint, 0644); 1907 module_param (default_gid, uint, 0644); 1908 module_param (default_perm, uint, 0644); 1909 1910 1911 static struct inode * 1912 gadgetfs_make_inode (struct super_block *sb, 1913 void *data, const struct file_operations *fops, 1914 int mode) 1915 { 1916 struct inode *inode = new_inode (sb); 1917 1918 if (inode) { 1919 inode->i_ino = get_next_ino(); 1920 inode->i_mode = mode; 1921 inode->i_uid = make_kuid(&init_user_ns, default_uid); 1922 inode->i_gid = make_kgid(&init_user_ns, default_gid); 1923 inode->i_atime = inode->i_mtime = inode->i_ctime 1924 = CURRENT_TIME; 1925 inode->i_private = data; 1926 inode->i_fop = fops; 1927 } 1928 return inode; 1929 } 1930 1931 /* creates in fs root directory, so non-renamable and non-linkable. 1932 * so inode and dentry are paired, until device reconfig. 1933 */ 1934 static struct dentry * 1935 gadgetfs_create_file (struct super_block *sb, char const *name, 1936 void *data, const struct file_operations *fops) 1937 { 1938 struct dentry *dentry; 1939 struct inode *inode; 1940 1941 dentry = d_alloc_name(sb->s_root, name); 1942 if (!dentry) 1943 return NULL; 1944 1945 inode = gadgetfs_make_inode (sb, data, fops, 1946 S_IFREG | (default_perm & S_IRWXUGO)); 1947 if (!inode) { 1948 dput(dentry); 1949 return NULL; 1950 } 1951 d_add (dentry, inode); 1952 return dentry; 1953 } 1954 1955 static const struct super_operations gadget_fs_operations = { 1956 .statfs = simple_statfs, 1957 .drop_inode = generic_delete_inode, 1958 }; 1959 1960 static int 1961 gadgetfs_fill_super (struct super_block *sb, void *opts, int silent) 1962 { 1963 struct inode *inode; 1964 struct dev_data *dev; 1965 1966 if (the_device) 1967 return -ESRCH; 1968 1969 /* fake probe to determine $CHIP */ 1970 CHIP = NULL; 1971 usb_gadget_probe_driver(&probe_driver); 1972 if (!CHIP) 1973 return -ENODEV; 1974 1975 /* superblock */ 1976 sb->s_blocksize = PAGE_CACHE_SIZE; 1977 sb->s_blocksize_bits = PAGE_CACHE_SHIFT; 1978 sb->s_magic = GADGETFS_MAGIC; 1979 sb->s_op = &gadget_fs_operations; 1980 sb->s_time_gran = 1; 1981 1982 /* root inode */ 1983 inode = gadgetfs_make_inode (sb, 1984 NULL, &simple_dir_operations, 1985 S_IFDIR | S_IRUGO | S_IXUGO); 1986 if (!inode) 1987 goto Enomem; 1988 inode->i_op = &simple_dir_inode_operations; 1989 if (!(sb->s_root = d_make_root (inode))) 1990 goto Enomem; 1991 1992 /* the ep0 file is named after the controller we expect; 1993 * user mode code can use it for sanity checks, like we do. 1994 */ 1995 dev = dev_new (); 1996 if (!dev) 1997 goto Enomem; 1998 1999 dev->sb = sb; 2000 dev->dentry = gadgetfs_create_file(sb, CHIP, dev, &ep0_operations); 2001 if (!dev->dentry) { 2002 put_dev(dev); 2003 goto Enomem; 2004 } 2005 2006 /* other endpoint files are available after hardware setup, 2007 * from binding to a controller. 2008 */ 2009 the_device = dev; 2010 return 0; 2011 2012 Enomem: 2013 return -ENOMEM; 2014 } 2015 2016 /* "mount -t gadgetfs path /dev/gadget" ends up here */ 2017 static struct dentry * 2018 gadgetfs_mount (struct file_system_type *t, int flags, 2019 const char *path, void *opts) 2020 { 2021 return mount_single (t, flags, opts, gadgetfs_fill_super); 2022 } 2023 2024 static void 2025 gadgetfs_kill_sb (struct super_block *sb) 2026 { 2027 kill_litter_super (sb); 2028 if (the_device) { 2029 put_dev (the_device); 2030 the_device = NULL; 2031 } 2032 } 2033 2034 /*----------------------------------------------------------------------*/ 2035 2036 static struct file_system_type gadgetfs_type = { 2037 .owner = THIS_MODULE, 2038 .name = shortname, 2039 .mount = gadgetfs_mount, 2040 .kill_sb = gadgetfs_kill_sb, 2041 }; 2042 MODULE_ALIAS_FS("gadgetfs"); 2043 2044 /*----------------------------------------------------------------------*/ 2045 2046 static int __init init (void) 2047 { 2048 int status; 2049 2050 status = register_filesystem (&gadgetfs_type); 2051 if (status == 0) 2052 pr_info ("%s: %s, version " DRIVER_VERSION "\n", 2053 shortname, driver_desc); 2054 return status; 2055 } 2056 module_init (init); 2057 2058 static void __exit cleanup (void) 2059 { 2060 pr_debug ("unregister %s\n", shortname); 2061 unregister_filesystem (&gadgetfs_type); 2062 } 2063 module_exit (cleanup); 2064 2065