1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 * USB Raw Gadget driver. 4 * See Documentation/usb/raw-gadget.rst for more details. 5 * 6 * Andrey Konovalov <andreyknvl@gmail.com> 7 */ 8 9 #include <linux/compiler.h> 10 #include <linux/debugfs.h> 11 #include <linux/delay.h> 12 #include <linux/kref.h> 13 #include <linux/miscdevice.h> 14 #include <linux/module.h> 15 #include <linux/semaphore.h> 16 #include <linux/sched.h> 17 #include <linux/slab.h> 18 #include <linux/uaccess.h> 19 #include <linux/wait.h> 20 21 #include <linux/usb.h> 22 #include <linux/usb/ch9.h> 23 #include <linux/usb/ch11.h> 24 #include <linux/usb/gadget.h> 25 26 #include <uapi/linux/usb/raw_gadget.h> 27 28 #define DRIVER_DESC "USB Raw Gadget" 29 #define DRIVER_NAME "raw-gadget" 30 31 MODULE_DESCRIPTION(DRIVER_DESC); 32 MODULE_AUTHOR("Andrey Konovalov"); 33 MODULE_LICENSE("GPL"); 34 35 /*----------------------------------------------------------------------*/ 36 37 #define RAW_EVENT_QUEUE_SIZE 16 38 39 struct raw_event_queue { 40 /* See the comment in raw_event_queue_fetch() for locking details. */ 41 spinlock_t lock; 42 struct semaphore sema; 43 struct usb_raw_event *events[RAW_EVENT_QUEUE_SIZE]; 44 int size; 45 }; 46 47 static void raw_event_queue_init(struct raw_event_queue *queue) 48 { 49 spin_lock_init(&queue->lock); 50 sema_init(&queue->sema, 0); 51 queue->size = 0; 52 } 53 54 static int raw_event_queue_add(struct raw_event_queue *queue, 55 enum usb_raw_event_type type, size_t length, const void *data) 56 { 57 unsigned long flags; 58 struct usb_raw_event *event; 59 60 spin_lock_irqsave(&queue->lock, flags); 61 if (WARN_ON(queue->size >= RAW_EVENT_QUEUE_SIZE)) { 62 spin_unlock_irqrestore(&queue->lock, flags); 63 return -ENOMEM; 64 } 65 event = kmalloc(sizeof(*event) + length, GFP_ATOMIC); 66 if (!event) { 67 spin_unlock_irqrestore(&queue->lock, flags); 68 return -ENOMEM; 69 } 70 event->type = type; 71 event->length = length; 72 if (event->length) 73 memcpy(&event->data[0], data, length); 74 queue->events[queue->size] = event; 75 queue->size++; 76 up(&queue->sema); 77 spin_unlock_irqrestore(&queue->lock, flags); 78 return 0; 79 } 80 81 static struct usb_raw_event *raw_event_queue_fetch( 82 struct raw_event_queue *queue) 83 { 84 unsigned long flags; 85 struct usb_raw_event *event; 86 87 /* 88 * This function can be called concurrently. We first check that 89 * there's at least one event queued by decrementing the semaphore, 90 * and then take the lock to protect queue struct fields. 91 */ 92 if (down_interruptible(&queue->sema)) 93 return NULL; 94 spin_lock_irqsave(&queue->lock, flags); 95 if (WARN_ON(!queue->size)) 96 return NULL; 97 event = queue->events[0]; 98 queue->size--; 99 memmove(&queue->events[0], &queue->events[1], 100 queue->size * sizeof(queue->events[0])); 101 spin_unlock_irqrestore(&queue->lock, flags); 102 return event; 103 } 104 105 static void raw_event_queue_destroy(struct raw_event_queue *queue) 106 { 107 int i; 108 109 for (i = 0; i < queue->size; i++) 110 kfree(queue->events[i]); 111 queue->size = 0; 112 } 113 114 /*----------------------------------------------------------------------*/ 115 116 struct raw_dev; 117 118 #define USB_RAW_MAX_ENDPOINTS 32 119 120 enum ep_state { 121 STATE_EP_DISABLED, 122 STATE_EP_ENABLED, 123 }; 124 125 struct raw_ep { 126 struct raw_dev *dev; 127 enum ep_state state; 128 struct usb_ep *ep; 129 struct usb_request *req; 130 bool urb_queued; 131 bool disabling; 132 ssize_t status; 133 }; 134 135 enum dev_state { 136 STATE_DEV_INVALID = 0, 137 STATE_DEV_OPENED, 138 STATE_DEV_INITIALIZED, 139 STATE_DEV_RUNNING, 140 STATE_DEV_CLOSED, 141 STATE_DEV_FAILED 142 }; 143 144 struct raw_dev { 145 struct kref count; 146 spinlock_t lock; 147 148 const char *udc_name; 149 struct usb_gadget_driver driver; 150 151 /* Reference to misc device: */ 152 struct device *dev; 153 154 /* Protected by lock: */ 155 enum dev_state state; 156 bool gadget_registered; 157 struct usb_gadget *gadget; 158 struct usb_request *req; 159 bool ep0_in_pending; 160 bool ep0_out_pending; 161 bool ep0_urb_queued; 162 ssize_t ep0_status; 163 struct raw_ep eps[USB_RAW_MAX_ENDPOINTS]; 164 165 struct completion ep0_done; 166 struct raw_event_queue queue; 167 }; 168 169 static struct raw_dev *dev_new(void) 170 { 171 struct raw_dev *dev; 172 173 dev = kzalloc(sizeof(*dev), GFP_KERNEL); 174 if (!dev) 175 return NULL; 176 /* Matches kref_put() in raw_release(). */ 177 kref_init(&dev->count); 178 spin_lock_init(&dev->lock); 179 init_completion(&dev->ep0_done); 180 raw_event_queue_init(&dev->queue); 181 return dev; 182 } 183 184 static void dev_free(struct kref *kref) 185 { 186 struct raw_dev *dev = container_of(kref, struct raw_dev, count); 187 int i; 188 189 kfree(dev->udc_name); 190 kfree(dev->driver.udc_name); 191 if (dev->req) { 192 if (dev->ep0_urb_queued) 193 usb_ep_dequeue(dev->gadget->ep0, dev->req); 194 usb_ep_free_request(dev->gadget->ep0, dev->req); 195 } 196 raw_event_queue_destroy(&dev->queue); 197 for (i = 0; i < USB_RAW_MAX_ENDPOINTS; i++) { 198 if (dev->eps[i].state != STATE_EP_ENABLED) 199 continue; 200 usb_ep_disable(dev->eps[i].ep); 201 usb_ep_free_request(dev->eps[i].ep, dev->eps[i].req); 202 kfree(dev->eps[i].ep->desc); 203 dev->eps[i].state = STATE_EP_DISABLED; 204 } 205 kfree(dev); 206 } 207 208 /*----------------------------------------------------------------------*/ 209 210 static int raw_queue_event(struct raw_dev *dev, 211 enum usb_raw_event_type type, size_t length, const void *data) 212 { 213 int ret = 0; 214 unsigned long flags; 215 216 ret = raw_event_queue_add(&dev->queue, type, length, data); 217 if (ret < 0) { 218 spin_lock_irqsave(&dev->lock, flags); 219 dev->state = STATE_DEV_FAILED; 220 spin_unlock_irqrestore(&dev->lock, flags); 221 } 222 return ret; 223 } 224 225 static void gadget_ep0_complete(struct usb_ep *ep, struct usb_request *req) 226 { 227 struct raw_dev *dev = req->context; 228 unsigned long flags; 229 230 spin_lock_irqsave(&dev->lock, flags); 231 if (req->status) 232 dev->ep0_status = req->status; 233 else 234 dev->ep0_status = req->actual; 235 if (dev->ep0_in_pending) 236 dev->ep0_in_pending = false; 237 else 238 dev->ep0_out_pending = false; 239 spin_unlock_irqrestore(&dev->lock, flags); 240 241 complete(&dev->ep0_done); 242 } 243 244 static int gadget_bind(struct usb_gadget *gadget, 245 struct usb_gadget_driver *driver) 246 { 247 int ret = 0; 248 struct raw_dev *dev = container_of(driver, struct raw_dev, driver); 249 struct usb_request *req; 250 unsigned long flags; 251 252 if (strcmp(gadget->name, dev->udc_name) != 0) 253 return -ENODEV; 254 255 set_gadget_data(gadget, dev); 256 req = usb_ep_alloc_request(gadget->ep0, GFP_KERNEL); 257 if (!req) { 258 dev_err(&gadget->dev, "usb_ep_alloc_request failed\n"); 259 set_gadget_data(gadget, NULL); 260 return -ENOMEM; 261 } 262 263 spin_lock_irqsave(&dev->lock, flags); 264 dev->req = req; 265 dev->req->context = dev; 266 dev->req->complete = gadget_ep0_complete; 267 dev->gadget = gadget; 268 spin_unlock_irqrestore(&dev->lock, flags); 269 270 /* Matches kref_put() in gadget_unbind(). */ 271 kref_get(&dev->count); 272 273 ret = raw_queue_event(dev, USB_RAW_EVENT_CONNECT, 0, NULL); 274 if (ret < 0) 275 dev_err(&gadget->dev, "failed to queue event\n"); 276 277 return ret; 278 } 279 280 static void gadget_unbind(struct usb_gadget *gadget) 281 { 282 struct raw_dev *dev = get_gadget_data(gadget); 283 284 set_gadget_data(gadget, NULL); 285 /* Matches kref_get() in gadget_bind(). */ 286 kref_put(&dev->count, dev_free); 287 } 288 289 static int gadget_setup(struct usb_gadget *gadget, 290 const struct usb_ctrlrequest *ctrl) 291 { 292 int ret = 0; 293 struct raw_dev *dev = get_gadget_data(gadget); 294 unsigned long flags; 295 296 spin_lock_irqsave(&dev->lock, flags); 297 if (dev->state != STATE_DEV_RUNNING) { 298 dev_err(&gadget->dev, "ignoring, device is not running\n"); 299 ret = -ENODEV; 300 goto out_unlock; 301 } 302 if (dev->ep0_in_pending || dev->ep0_out_pending) { 303 dev_dbg(&gadget->dev, "stalling, request already pending\n"); 304 ret = -EBUSY; 305 goto out_unlock; 306 } 307 if ((ctrl->bRequestType & USB_DIR_IN) && ctrl->wLength) 308 dev->ep0_in_pending = true; 309 else 310 dev->ep0_out_pending = true; 311 spin_unlock_irqrestore(&dev->lock, flags); 312 313 ret = raw_queue_event(dev, USB_RAW_EVENT_CONTROL, sizeof(*ctrl), ctrl); 314 if (ret < 0) 315 dev_err(&gadget->dev, "failed to queue event\n"); 316 goto out; 317 318 out_unlock: 319 spin_unlock_irqrestore(&dev->lock, flags); 320 out: 321 return ret; 322 } 323 324 /* These are currently unused but present in case UDC driver requires them. */ 325 static void gadget_disconnect(struct usb_gadget *gadget) { } 326 static void gadget_suspend(struct usb_gadget *gadget) { } 327 static void gadget_resume(struct usb_gadget *gadget) { } 328 static void gadget_reset(struct usb_gadget *gadget) { } 329 330 /*----------------------------------------------------------------------*/ 331 332 static struct miscdevice raw_misc_device; 333 334 static int raw_open(struct inode *inode, struct file *fd) 335 { 336 struct raw_dev *dev; 337 338 /* Nonblocking I/O is not supported yet. */ 339 if (fd->f_flags & O_NONBLOCK) 340 return -EINVAL; 341 342 dev = dev_new(); 343 if (!dev) 344 return -ENOMEM; 345 fd->private_data = dev; 346 dev->state = STATE_DEV_OPENED; 347 dev->dev = raw_misc_device.this_device; 348 return 0; 349 } 350 351 static int raw_release(struct inode *inode, struct file *fd) 352 { 353 int ret = 0; 354 struct raw_dev *dev = fd->private_data; 355 unsigned long flags; 356 bool unregister = false; 357 358 spin_lock_irqsave(&dev->lock, flags); 359 dev->state = STATE_DEV_CLOSED; 360 if (!dev->gadget) { 361 spin_unlock_irqrestore(&dev->lock, flags); 362 goto out_put; 363 } 364 if (dev->gadget_registered) 365 unregister = true; 366 dev->gadget_registered = false; 367 spin_unlock_irqrestore(&dev->lock, flags); 368 369 if (unregister) { 370 ret = usb_gadget_unregister_driver(&dev->driver); 371 if (ret != 0) 372 dev_err(dev->dev, 373 "usb_gadget_unregister_driver() failed with %d\n", 374 ret); 375 /* Matches kref_get() in raw_ioctl_run(). */ 376 kref_put(&dev->count, dev_free); 377 } 378 379 out_put: 380 /* Matches dev_new() in raw_open(). */ 381 kref_put(&dev->count, dev_free); 382 return ret; 383 } 384 385 /*----------------------------------------------------------------------*/ 386 387 static int raw_ioctl_init(struct raw_dev *dev, unsigned long value) 388 { 389 int ret = 0; 390 struct usb_raw_init arg; 391 char *udc_driver_name; 392 char *udc_device_name; 393 unsigned long flags; 394 395 ret = copy_from_user(&arg, (void __user *)value, sizeof(arg)); 396 if (ret) 397 return ret; 398 399 switch (arg.speed) { 400 case USB_SPEED_UNKNOWN: 401 arg.speed = USB_SPEED_HIGH; 402 break; 403 case USB_SPEED_LOW: 404 case USB_SPEED_FULL: 405 case USB_SPEED_HIGH: 406 case USB_SPEED_SUPER: 407 break; 408 default: 409 return -EINVAL; 410 } 411 412 udc_driver_name = kmalloc(UDC_NAME_LENGTH_MAX, GFP_KERNEL); 413 if (!udc_driver_name) 414 return -ENOMEM; 415 ret = strscpy(udc_driver_name, &arg.driver_name[0], 416 UDC_NAME_LENGTH_MAX); 417 if (ret < 0) { 418 kfree(udc_driver_name); 419 return ret; 420 } 421 ret = 0; 422 423 udc_device_name = kmalloc(UDC_NAME_LENGTH_MAX, GFP_KERNEL); 424 if (!udc_device_name) { 425 kfree(udc_driver_name); 426 return -ENOMEM; 427 } 428 ret = strscpy(udc_device_name, &arg.device_name[0], 429 UDC_NAME_LENGTH_MAX); 430 if (ret < 0) { 431 kfree(udc_driver_name); 432 kfree(udc_device_name); 433 return ret; 434 } 435 ret = 0; 436 437 spin_lock_irqsave(&dev->lock, flags); 438 if (dev->state != STATE_DEV_OPENED) { 439 dev_dbg(dev->dev, "fail, device is not opened\n"); 440 kfree(udc_driver_name); 441 kfree(udc_device_name); 442 ret = -EINVAL; 443 goto out_unlock; 444 } 445 dev->udc_name = udc_driver_name; 446 447 dev->driver.function = DRIVER_DESC; 448 dev->driver.max_speed = arg.speed; 449 dev->driver.setup = gadget_setup; 450 dev->driver.disconnect = gadget_disconnect; 451 dev->driver.bind = gadget_bind; 452 dev->driver.unbind = gadget_unbind; 453 dev->driver.suspend = gadget_suspend; 454 dev->driver.resume = gadget_resume; 455 dev->driver.reset = gadget_reset; 456 dev->driver.driver.name = DRIVER_NAME; 457 dev->driver.udc_name = udc_device_name; 458 dev->driver.match_existing_only = 1; 459 460 dev->state = STATE_DEV_INITIALIZED; 461 462 out_unlock: 463 spin_unlock_irqrestore(&dev->lock, flags); 464 return ret; 465 } 466 467 static int raw_ioctl_run(struct raw_dev *dev, unsigned long value) 468 { 469 int ret = 0; 470 unsigned long flags; 471 472 if (value) 473 return -EINVAL; 474 475 spin_lock_irqsave(&dev->lock, flags); 476 if (dev->state != STATE_DEV_INITIALIZED) { 477 dev_dbg(dev->dev, "fail, device is not initialized\n"); 478 ret = -EINVAL; 479 goto out_unlock; 480 } 481 spin_unlock_irqrestore(&dev->lock, flags); 482 483 ret = usb_gadget_probe_driver(&dev->driver); 484 485 spin_lock_irqsave(&dev->lock, flags); 486 if (ret) { 487 dev_err(dev->dev, 488 "fail, usb_gadget_probe_driver returned %d\n", ret); 489 dev->state = STATE_DEV_FAILED; 490 goto out_unlock; 491 } 492 dev->gadget_registered = true; 493 dev->state = STATE_DEV_RUNNING; 494 /* Matches kref_put() in raw_release(). */ 495 kref_get(&dev->count); 496 497 out_unlock: 498 spin_unlock_irqrestore(&dev->lock, flags); 499 return ret; 500 } 501 502 static int raw_ioctl_event_fetch(struct raw_dev *dev, unsigned long value) 503 { 504 int ret = 0; 505 struct usb_raw_event arg; 506 unsigned long flags; 507 struct usb_raw_event *event; 508 uint32_t length; 509 510 ret = copy_from_user(&arg, (void __user *)value, sizeof(arg)); 511 if (ret) 512 return ret; 513 514 spin_lock_irqsave(&dev->lock, flags); 515 if (dev->state != STATE_DEV_RUNNING) { 516 dev_dbg(dev->dev, "fail, device is not running\n"); 517 spin_unlock_irqrestore(&dev->lock, flags); 518 return -EINVAL; 519 } 520 if (!dev->gadget) { 521 dev_dbg(dev->dev, "fail, gadget is not bound\n"); 522 spin_unlock_irqrestore(&dev->lock, flags); 523 return -EBUSY; 524 } 525 spin_unlock_irqrestore(&dev->lock, flags); 526 527 event = raw_event_queue_fetch(&dev->queue); 528 if (!event) { 529 dev_dbg(&dev->gadget->dev, "event fetching interrupted\n"); 530 return -EINTR; 531 } 532 length = min(arg.length, event->length); 533 ret = copy_to_user((void __user *)value, event, 534 sizeof(*event) + length); 535 return ret; 536 } 537 538 static void *raw_alloc_io_data(struct usb_raw_ep_io *io, void __user *ptr, 539 bool get_from_user) 540 { 541 int ret; 542 void *data; 543 544 ret = copy_from_user(io, ptr, sizeof(*io)); 545 if (ret) 546 return ERR_PTR(ret); 547 if (io->ep >= USB_RAW_MAX_ENDPOINTS) 548 return ERR_PTR(-EINVAL); 549 if (!usb_raw_io_flags_valid(io->flags)) 550 return ERR_PTR(-EINVAL); 551 if (io->length > PAGE_SIZE) 552 return ERR_PTR(-EINVAL); 553 if (get_from_user) 554 data = memdup_user(ptr + sizeof(*io), io->length); 555 else { 556 data = kmalloc(io->length, GFP_KERNEL); 557 if (!data) 558 data = ERR_PTR(-ENOMEM); 559 } 560 return data; 561 } 562 563 static int raw_process_ep0_io(struct raw_dev *dev, struct usb_raw_ep_io *io, 564 void *data, bool in) 565 { 566 int ret = 0; 567 unsigned long flags; 568 569 spin_lock_irqsave(&dev->lock, flags); 570 if (dev->state != STATE_DEV_RUNNING) { 571 dev_dbg(dev->dev, "fail, device is not running\n"); 572 ret = -EINVAL; 573 goto out_unlock; 574 } 575 if (!dev->gadget) { 576 dev_dbg(dev->dev, "fail, gadget is not bound\n"); 577 ret = -EBUSY; 578 goto out_unlock; 579 } 580 if (dev->ep0_urb_queued) { 581 dev_dbg(&dev->gadget->dev, "fail, urb already queued\n"); 582 ret = -EBUSY; 583 goto out_unlock; 584 } 585 if ((in && !dev->ep0_in_pending) || 586 (!in && !dev->ep0_out_pending)) { 587 dev_dbg(&dev->gadget->dev, "fail, wrong direction\n"); 588 ret = -EBUSY; 589 goto out_unlock; 590 } 591 if (WARN_ON(in && dev->ep0_out_pending)) { 592 ret = -ENODEV; 593 dev->state = STATE_DEV_FAILED; 594 goto out_done; 595 } 596 if (WARN_ON(!in && dev->ep0_in_pending)) { 597 ret = -ENODEV; 598 dev->state = STATE_DEV_FAILED; 599 goto out_done; 600 } 601 602 dev->req->buf = data; 603 dev->req->length = io->length; 604 dev->req->zero = usb_raw_io_flags_zero(io->flags); 605 dev->ep0_urb_queued = true; 606 spin_unlock_irqrestore(&dev->lock, flags); 607 608 ret = usb_ep_queue(dev->gadget->ep0, dev->req, GFP_KERNEL); 609 if (ret) { 610 dev_err(&dev->gadget->dev, 611 "fail, usb_ep_queue returned %d\n", ret); 612 spin_lock_irqsave(&dev->lock, flags); 613 dev->state = STATE_DEV_FAILED; 614 goto out_done; 615 } 616 617 ret = wait_for_completion_interruptible(&dev->ep0_done); 618 if (ret) { 619 dev_dbg(&dev->gadget->dev, "wait interrupted\n"); 620 usb_ep_dequeue(dev->gadget->ep0, dev->req); 621 wait_for_completion(&dev->ep0_done); 622 spin_lock_irqsave(&dev->lock, flags); 623 goto out_done; 624 } 625 626 spin_lock_irqsave(&dev->lock, flags); 627 ret = dev->ep0_status; 628 629 out_done: 630 dev->ep0_urb_queued = false; 631 out_unlock: 632 spin_unlock_irqrestore(&dev->lock, flags); 633 return ret; 634 } 635 636 static int raw_ioctl_ep0_write(struct raw_dev *dev, unsigned long value) 637 { 638 int ret = 0; 639 void *data; 640 struct usb_raw_ep_io io; 641 642 data = raw_alloc_io_data(&io, (void __user *)value, true); 643 if (IS_ERR(data)) 644 return PTR_ERR(data); 645 ret = raw_process_ep0_io(dev, &io, data, true); 646 kfree(data); 647 return ret; 648 } 649 650 static int raw_ioctl_ep0_read(struct raw_dev *dev, unsigned long value) 651 { 652 int ret = 0; 653 void *data; 654 struct usb_raw_ep_io io; 655 unsigned int length; 656 657 data = raw_alloc_io_data(&io, (void __user *)value, false); 658 if (IS_ERR(data)) 659 return PTR_ERR(data); 660 ret = raw_process_ep0_io(dev, &io, data, false); 661 if (ret < 0) { 662 kfree(data); 663 return ret; 664 } 665 length = min(io.length, (unsigned int)ret); 666 ret = copy_to_user((void __user *)(value + sizeof(io)), data, length); 667 kfree(data); 668 return ret; 669 } 670 671 static bool check_ep_caps(struct usb_ep *ep, 672 struct usb_endpoint_descriptor *desc) 673 { 674 switch (usb_endpoint_type(desc)) { 675 case USB_ENDPOINT_XFER_ISOC: 676 if (!ep->caps.type_iso) 677 return false; 678 break; 679 case USB_ENDPOINT_XFER_BULK: 680 if (!ep->caps.type_bulk) 681 return false; 682 break; 683 case USB_ENDPOINT_XFER_INT: 684 if (!ep->caps.type_int) 685 return false; 686 break; 687 default: 688 return false; 689 } 690 691 if (usb_endpoint_dir_in(desc) && !ep->caps.dir_in) 692 return false; 693 if (usb_endpoint_dir_out(desc) && !ep->caps.dir_out) 694 return false; 695 696 return true; 697 } 698 699 static int raw_ioctl_ep_enable(struct raw_dev *dev, unsigned long value) 700 { 701 int ret = 0, i; 702 unsigned long flags; 703 struct usb_endpoint_descriptor *desc; 704 struct usb_ep *ep = NULL; 705 706 desc = memdup_user((void __user *)value, sizeof(*desc)); 707 if (IS_ERR(desc)) 708 return PTR_ERR(desc); 709 710 /* 711 * Endpoints with a maxpacket length of 0 can cause crashes in UDC 712 * drivers. 713 */ 714 if (usb_endpoint_maxp(desc) == 0) { 715 dev_dbg(dev->dev, "fail, bad endpoint maxpacket\n"); 716 kfree(desc); 717 return -EINVAL; 718 } 719 720 spin_lock_irqsave(&dev->lock, flags); 721 if (dev->state != STATE_DEV_RUNNING) { 722 dev_dbg(dev->dev, "fail, device is not running\n"); 723 ret = -EINVAL; 724 goto out_free; 725 } 726 if (!dev->gadget) { 727 dev_dbg(dev->dev, "fail, gadget is not bound\n"); 728 ret = -EBUSY; 729 goto out_free; 730 } 731 732 for (i = 0; i < USB_RAW_MAX_ENDPOINTS; i++) { 733 if (dev->eps[i].state == STATE_EP_ENABLED) 734 continue; 735 break; 736 } 737 if (i == USB_RAW_MAX_ENDPOINTS) { 738 dev_dbg(&dev->gadget->dev, 739 "fail, no device endpoints available\n"); 740 ret = -EBUSY; 741 goto out_free; 742 } 743 744 gadget_for_each_ep(ep, dev->gadget) { 745 if (ep->enabled) 746 continue; 747 if (!check_ep_caps(ep, desc)) 748 continue; 749 ep->desc = desc; 750 ret = usb_ep_enable(ep); 751 if (ret < 0) { 752 dev_err(&dev->gadget->dev, 753 "fail, usb_ep_enable returned %d\n", ret); 754 goto out_free; 755 } 756 dev->eps[i].req = usb_ep_alloc_request(ep, GFP_ATOMIC); 757 if (!dev->eps[i].req) { 758 dev_err(&dev->gadget->dev, 759 "fail, usb_ep_alloc_request failed\n"); 760 usb_ep_disable(ep); 761 ret = -ENOMEM; 762 goto out_free; 763 } 764 dev->eps[i].ep = ep; 765 dev->eps[i].state = STATE_EP_ENABLED; 766 ep->driver_data = &dev->eps[i]; 767 ret = i; 768 goto out_unlock; 769 } 770 771 dev_dbg(&dev->gadget->dev, "fail, no gadget endpoints available\n"); 772 ret = -EBUSY; 773 774 out_free: 775 kfree(desc); 776 out_unlock: 777 spin_unlock_irqrestore(&dev->lock, flags); 778 return ret; 779 } 780 781 static int raw_ioctl_ep_disable(struct raw_dev *dev, unsigned long value) 782 { 783 int ret = 0, i = value; 784 unsigned long flags; 785 const void *desc; 786 787 if (i < 0 || i >= USB_RAW_MAX_ENDPOINTS) 788 return -EINVAL; 789 790 spin_lock_irqsave(&dev->lock, flags); 791 if (dev->state != STATE_DEV_RUNNING) { 792 dev_dbg(dev->dev, "fail, device is not running\n"); 793 ret = -EINVAL; 794 goto out_unlock; 795 } 796 if (!dev->gadget) { 797 dev_dbg(dev->dev, "fail, gadget is not bound\n"); 798 ret = -EBUSY; 799 goto out_unlock; 800 } 801 if (dev->eps[i].state != STATE_EP_ENABLED) { 802 dev_dbg(&dev->gadget->dev, "fail, endpoint is not enabled\n"); 803 ret = -EINVAL; 804 goto out_unlock; 805 } 806 if (dev->eps[i].disabling) { 807 dev_dbg(&dev->gadget->dev, 808 "fail, disable already in progress\n"); 809 ret = -EINVAL; 810 goto out_unlock; 811 } 812 if (dev->eps[i].urb_queued) { 813 dev_dbg(&dev->gadget->dev, 814 "fail, waiting for urb completion\n"); 815 ret = -EINVAL; 816 goto out_unlock; 817 } 818 dev->eps[i].disabling = true; 819 spin_unlock_irqrestore(&dev->lock, flags); 820 821 usb_ep_disable(dev->eps[i].ep); 822 823 spin_lock_irqsave(&dev->lock, flags); 824 usb_ep_free_request(dev->eps[i].ep, dev->eps[i].req); 825 desc = dev->eps[i].ep->desc; 826 dev->eps[i].ep = NULL; 827 dev->eps[i].state = STATE_EP_DISABLED; 828 kfree(desc); 829 dev->eps[i].disabling = false; 830 831 out_unlock: 832 spin_unlock_irqrestore(&dev->lock, flags); 833 return ret; 834 } 835 836 static void gadget_ep_complete(struct usb_ep *ep, struct usb_request *req) 837 { 838 struct raw_ep *r_ep = (struct raw_ep *)ep->driver_data; 839 struct raw_dev *dev = r_ep->dev; 840 unsigned long flags; 841 842 spin_lock_irqsave(&dev->lock, flags); 843 if (req->status) 844 r_ep->status = req->status; 845 else 846 r_ep->status = req->actual; 847 spin_unlock_irqrestore(&dev->lock, flags); 848 849 complete((struct completion *)req->context); 850 } 851 852 static int raw_process_ep_io(struct raw_dev *dev, struct usb_raw_ep_io *io, 853 void *data, bool in) 854 { 855 int ret = 0; 856 unsigned long flags; 857 struct raw_ep *ep = &dev->eps[io->ep]; 858 DECLARE_COMPLETION_ONSTACK(done); 859 860 spin_lock_irqsave(&dev->lock, flags); 861 if (dev->state != STATE_DEV_RUNNING) { 862 dev_dbg(dev->dev, "fail, device is not running\n"); 863 ret = -EINVAL; 864 goto out_unlock; 865 } 866 if (!dev->gadget) { 867 dev_dbg(dev->dev, "fail, gadget is not bound\n"); 868 ret = -EBUSY; 869 goto out_unlock; 870 } 871 if (ep->state != STATE_EP_ENABLED) { 872 dev_dbg(&dev->gadget->dev, "fail, endpoint is not enabled\n"); 873 ret = -EBUSY; 874 goto out_unlock; 875 } 876 if (ep->disabling) { 877 dev_dbg(&dev->gadget->dev, 878 "fail, endpoint is already being disabled\n"); 879 ret = -EBUSY; 880 goto out_unlock; 881 } 882 if (ep->urb_queued) { 883 dev_dbg(&dev->gadget->dev, "fail, urb already queued\n"); 884 ret = -EBUSY; 885 goto out_unlock; 886 } 887 if ((in && !ep->ep->caps.dir_in) || (!in && ep->ep->caps.dir_in)) { 888 dev_dbg(&dev->gadget->dev, "fail, wrong direction\n"); 889 ret = -EINVAL; 890 goto out_unlock; 891 } 892 893 ep->dev = dev; 894 ep->req->context = &done; 895 ep->req->complete = gadget_ep_complete; 896 ep->req->buf = data; 897 ep->req->length = io->length; 898 ep->req->zero = usb_raw_io_flags_zero(io->flags); 899 ep->urb_queued = true; 900 spin_unlock_irqrestore(&dev->lock, flags); 901 902 ret = usb_ep_queue(ep->ep, ep->req, GFP_KERNEL); 903 if (ret) { 904 dev_err(&dev->gadget->dev, 905 "fail, usb_ep_queue returned %d\n", ret); 906 spin_lock_irqsave(&dev->lock, flags); 907 dev->state = STATE_DEV_FAILED; 908 goto out_done; 909 } 910 911 ret = wait_for_completion_interruptible(&done); 912 if (ret) { 913 dev_dbg(&dev->gadget->dev, "wait interrupted\n"); 914 usb_ep_dequeue(ep->ep, ep->req); 915 wait_for_completion(&done); 916 spin_lock_irqsave(&dev->lock, flags); 917 goto out_done; 918 } 919 920 spin_lock_irqsave(&dev->lock, flags); 921 ret = ep->status; 922 923 out_done: 924 ep->urb_queued = false; 925 out_unlock: 926 spin_unlock_irqrestore(&dev->lock, flags); 927 return ret; 928 } 929 930 static int raw_ioctl_ep_write(struct raw_dev *dev, unsigned long value) 931 { 932 int ret = 0; 933 char *data; 934 struct usb_raw_ep_io io; 935 936 data = raw_alloc_io_data(&io, (void __user *)value, true); 937 if (IS_ERR(data)) 938 return PTR_ERR(data); 939 ret = raw_process_ep_io(dev, &io, data, true); 940 kfree(data); 941 return ret; 942 } 943 944 static int raw_ioctl_ep_read(struct raw_dev *dev, unsigned long value) 945 { 946 int ret = 0; 947 char *data; 948 struct usb_raw_ep_io io; 949 unsigned int length; 950 951 data = raw_alloc_io_data(&io, (void __user *)value, false); 952 if (IS_ERR(data)) 953 return PTR_ERR(data); 954 ret = raw_process_ep_io(dev, &io, data, false); 955 if (ret < 0) { 956 kfree(data); 957 return ret; 958 } 959 length = min(io.length, (unsigned int)ret); 960 ret = copy_to_user((void __user *)(value + sizeof(io)), data, length); 961 kfree(data); 962 return ret; 963 } 964 965 static int raw_ioctl_configure(struct raw_dev *dev, unsigned long value) 966 { 967 int ret = 0; 968 unsigned long flags; 969 970 if (value) 971 return -EINVAL; 972 spin_lock_irqsave(&dev->lock, flags); 973 if (dev->state != STATE_DEV_RUNNING) { 974 dev_dbg(dev->dev, "fail, device is not running\n"); 975 ret = -EINVAL; 976 goto out_unlock; 977 } 978 if (!dev->gadget) { 979 dev_dbg(dev->dev, "fail, gadget is not bound\n"); 980 ret = -EBUSY; 981 goto out_unlock; 982 } 983 usb_gadget_set_state(dev->gadget, USB_STATE_CONFIGURED); 984 985 out_unlock: 986 spin_unlock_irqrestore(&dev->lock, flags); 987 return ret; 988 } 989 990 static int raw_ioctl_vbus_draw(struct raw_dev *dev, unsigned long value) 991 { 992 int ret = 0; 993 unsigned long flags; 994 995 spin_lock_irqsave(&dev->lock, flags); 996 if (dev->state != STATE_DEV_RUNNING) { 997 dev_dbg(dev->dev, "fail, device is not running\n"); 998 ret = -EINVAL; 999 goto out_unlock; 1000 } 1001 if (!dev->gadget) { 1002 dev_dbg(dev->dev, "fail, gadget is not bound\n"); 1003 ret = -EBUSY; 1004 goto out_unlock; 1005 } 1006 usb_gadget_vbus_draw(dev->gadget, 2 * value); 1007 1008 out_unlock: 1009 spin_unlock_irqrestore(&dev->lock, flags); 1010 return ret; 1011 } 1012 1013 static long raw_ioctl(struct file *fd, unsigned int cmd, unsigned long value) 1014 { 1015 struct raw_dev *dev = fd->private_data; 1016 int ret = 0; 1017 1018 if (!dev) 1019 return -EBUSY; 1020 1021 switch (cmd) { 1022 case USB_RAW_IOCTL_INIT: 1023 ret = raw_ioctl_init(dev, value); 1024 break; 1025 case USB_RAW_IOCTL_RUN: 1026 ret = raw_ioctl_run(dev, value); 1027 break; 1028 case USB_RAW_IOCTL_EVENT_FETCH: 1029 ret = raw_ioctl_event_fetch(dev, value); 1030 break; 1031 case USB_RAW_IOCTL_EP0_WRITE: 1032 ret = raw_ioctl_ep0_write(dev, value); 1033 break; 1034 case USB_RAW_IOCTL_EP0_READ: 1035 ret = raw_ioctl_ep0_read(dev, value); 1036 break; 1037 case USB_RAW_IOCTL_EP_ENABLE: 1038 ret = raw_ioctl_ep_enable(dev, value); 1039 break; 1040 case USB_RAW_IOCTL_EP_DISABLE: 1041 ret = raw_ioctl_ep_disable(dev, value); 1042 break; 1043 case USB_RAW_IOCTL_EP_WRITE: 1044 ret = raw_ioctl_ep_write(dev, value); 1045 break; 1046 case USB_RAW_IOCTL_EP_READ: 1047 ret = raw_ioctl_ep_read(dev, value); 1048 break; 1049 case USB_RAW_IOCTL_CONFIGURE: 1050 ret = raw_ioctl_configure(dev, value); 1051 break; 1052 case USB_RAW_IOCTL_VBUS_DRAW: 1053 ret = raw_ioctl_vbus_draw(dev, value); 1054 break; 1055 default: 1056 ret = -EINVAL; 1057 } 1058 1059 return ret; 1060 } 1061 1062 /*----------------------------------------------------------------------*/ 1063 1064 static const struct file_operations raw_fops = { 1065 .open = raw_open, 1066 .unlocked_ioctl = raw_ioctl, 1067 .compat_ioctl = raw_ioctl, 1068 .release = raw_release, 1069 .llseek = no_llseek, 1070 }; 1071 1072 static struct miscdevice raw_misc_device = { 1073 .minor = MISC_DYNAMIC_MINOR, 1074 .name = DRIVER_NAME, 1075 .fops = &raw_fops, 1076 }; 1077 1078 module_misc_device(raw_misc_device); 1079