1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 * USB Raw Gadget driver. 4 * See Documentation/usb/raw-gadget.rst for more details. 5 * 6 * Copyright (c) 2020 Google, Inc. 7 * Author: Andrey Konovalov <andreyknvl@gmail.com> 8 */ 9 10 #include <linux/compiler.h> 11 #include <linux/ctype.h> 12 #include <linux/debugfs.h> 13 #include <linux/delay.h> 14 #include <linux/kref.h> 15 #include <linux/miscdevice.h> 16 #include <linux/module.h> 17 #include <linux/semaphore.h> 18 #include <linux/sched.h> 19 #include <linux/slab.h> 20 #include <linux/uaccess.h> 21 #include <linux/wait.h> 22 23 #include <linux/usb.h> 24 #include <linux/usb/ch9.h> 25 #include <linux/usb/ch11.h> 26 #include <linux/usb/gadget.h> 27 28 #include <uapi/linux/usb/raw_gadget.h> 29 30 #define DRIVER_DESC "USB Raw Gadget" 31 #define DRIVER_NAME "raw-gadget" 32 33 MODULE_DESCRIPTION(DRIVER_DESC); 34 MODULE_AUTHOR("Andrey Konovalov"); 35 MODULE_LICENSE("GPL"); 36 37 /*----------------------------------------------------------------------*/ 38 39 #define RAW_EVENT_QUEUE_SIZE 16 40 41 struct raw_event_queue { 42 /* See the comment in raw_event_queue_fetch() for locking details. */ 43 spinlock_t lock; 44 struct semaphore sema; 45 struct usb_raw_event *events[RAW_EVENT_QUEUE_SIZE]; 46 int size; 47 }; 48 49 static void raw_event_queue_init(struct raw_event_queue *queue) 50 { 51 spin_lock_init(&queue->lock); 52 sema_init(&queue->sema, 0); 53 queue->size = 0; 54 } 55 56 static int raw_event_queue_add(struct raw_event_queue *queue, 57 enum usb_raw_event_type type, size_t length, const void *data) 58 { 59 unsigned long flags; 60 struct usb_raw_event *event; 61 62 spin_lock_irqsave(&queue->lock, flags); 63 if (WARN_ON(queue->size >= RAW_EVENT_QUEUE_SIZE)) { 64 spin_unlock_irqrestore(&queue->lock, flags); 65 return -ENOMEM; 66 } 67 event = kmalloc(sizeof(*event) + length, GFP_ATOMIC); 68 if (!event) { 69 spin_unlock_irqrestore(&queue->lock, flags); 70 return -ENOMEM; 71 } 72 event->type = type; 73 event->length = length; 74 if (event->length) 75 memcpy(&event->data[0], data, length); 76 queue->events[queue->size] = event; 77 queue->size++; 78 up(&queue->sema); 79 spin_unlock_irqrestore(&queue->lock, flags); 80 return 0; 81 } 82 83 static struct usb_raw_event *raw_event_queue_fetch( 84 struct raw_event_queue *queue) 85 { 86 int ret; 87 unsigned long flags; 88 struct usb_raw_event *event; 89 90 /* 91 * This function can be called concurrently. We first check that 92 * there's at least one event queued by decrementing the semaphore, 93 * and then take the lock to protect queue struct fields. 94 */ 95 ret = down_interruptible(&queue->sema); 96 if (ret) 97 return ERR_PTR(ret); 98 spin_lock_irqsave(&queue->lock, flags); 99 /* 100 * queue->size must have the same value as queue->sema counter (before 101 * the down_interruptible() call above), so this check is a fail-safe. 102 */ 103 if (WARN_ON(!queue->size)) { 104 spin_unlock_irqrestore(&queue->lock, flags); 105 return ERR_PTR(-ENODEV); 106 } 107 event = queue->events[0]; 108 queue->size--; 109 memmove(&queue->events[0], &queue->events[1], 110 queue->size * sizeof(queue->events[0])); 111 spin_unlock_irqrestore(&queue->lock, flags); 112 return event; 113 } 114 115 static void raw_event_queue_destroy(struct raw_event_queue *queue) 116 { 117 int i; 118 119 for (i = 0; i < queue->size; i++) 120 kfree(queue->events[i]); 121 queue->size = 0; 122 } 123 124 /*----------------------------------------------------------------------*/ 125 126 struct raw_dev; 127 128 enum ep_state { 129 STATE_EP_DISABLED, 130 STATE_EP_ENABLED, 131 }; 132 133 struct raw_ep { 134 struct raw_dev *dev; 135 enum ep_state state; 136 struct usb_ep *ep; 137 u8 addr; 138 struct usb_request *req; 139 bool urb_queued; 140 bool disabling; 141 ssize_t status; 142 }; 143 144 enum dev_state { 145 STATE_DEV_INVALID = 0, 146 STATE_DEV_OPENED, 147 STATE_DEV_INITIALIZED, 148 STATE_DEV_REGISTERING, 149 STATE_DEV_RUNNING, 150 STATE_DEV_CLOSED, 151 STATE_DEV_FAILED 152 }; 153 154 struct raw_dev { 155 struct kref count; 156 spinlock_t lock; 157 158 const char *udc_name; 159 struct usb_gadget_driver driver; 160 161 /* Reference to misc device: */ 162 struct device *dev; 163 164 /* Protected by lock: */ 165 enum dev_state state; 166 bool gadget_registered; 167 struct usb_gadget *gadget; 168 struct usb_request *req; 169 bool ep0_in_pending; 170 bool ep0_out_pending; 171 bool ep0_urb_queued; 172 ssize_t ep0_status; 173 struct raw_ep eps[USB_RAW_EPS_NUM_MAX]; 174 int eps_num; 175 176 struct completion ep0_done; 177 struct raw_event_queue queue; 178 }; 179 180 static struct raw_dev *dev_new(void) 181 { 182 struct raw_dev *dev; 183 184 dev = kzalloc(sizeof(*dev), GFP_KERNEL); 185 if (!dev) 186 return NULL; 187 /* Matches kref_put() in raw_release(). */ 188 kref_init(&dev->count); 189 spin_lock_init(&dev->lock); 190 init_completion(&dev->ep0_done); 191 raw_event_queue_init(&dev->queue); 192 return dev; 193 } 194 195 static void dev_free(struct kref *kref) 196 { 197 struct raw_dev *dev = container_of(kref, struct raw_dev, count); 198 int i; 199 200 kfree(dev->udc_name); 201 kfree(dev->driver.udc_name); 202 if (dev->req) { 203 if (dev->ep0_urb_queued) 204 usb_ep_dequeue(dev->gadget->ep0, dev->req); 205 usb_ep_free_request(dev->gadget->ep0, dev->req); 206 } 207 raw_event_queue_destroy(&dev->queue); 208 for (i = 0; i < dev->eps_num; i++) { 209 if (dev->eps[i].state == STATE_EP_DISABLED) 210 continue; 211 usb_ep_disable(dev->eps[i].ep); 212 usb_ep_free_request(dev->eps[i].ep, dev->eps[i].req); 213 kfree(dev->eps[i].ep->desc); 214 dev->eps[i].state = STATE_EP_DISABLED; 215 } 216 kfree(dev); 217 } 218 219 /*----------------------------------------------------------------------*/ 220 221 static int raw_queue_event(struct raw_dev *dev, 222 enum usb_raw_event_type type, size_t length, const void *data) 223 { 224 int ret = 0; 225 unsigned long flags; 226 227 ret = raw_event_queue_add(&dev->queue, type, length, data); 228 if (ret < 0) { 229 spin_lock_irqsave(&dev->lock, flags); 230 dev->state = STATE_DEV_FAILED; 231 spin_unlock_irqrestore(&dev->lock, flags); 232 } 233 return ret; 234 } 235 236 static void gadget_ep0_complete(struct usb_ep *ep, struct usb_request *req) 237 { 238 struct raw_dev *dev = req->context; 239 unsigned long flags; 240 241 spin_lock_irqsave(&dev->lock, flags); 242 if (req->status) 243 dev->ep0_status = req->status; 244 else 245 dev->ep0_status = req->actual; 246 if (dev->ep0_in_pending) 247 dev->ep0_in_pending = false; 248 else 249 dev->ep0_out_pending = false; 250 spin_unlock_irqrestore(&dev->lock, flags); 251 252 complete(&dev->ep0_done); 253 } 254 255 static u8 get_ep_addr(const char *name) 256 { 257 /* If the endpoint has fixed function (named as e.g. "ep12out-bulk"), 258 * parse the endpoint address from its name. We deliberately use 259 * deprecated simple_strtoul() function here, as the number isn't 260 * followed by '\0' nor '\n'. 261 */ 262 if (isdigit(name[2])) 263 return simple_strtoul(&name[2], NULL, 10); 264 /* Otherwise the endpoint is configurable (named as e.g. "ep-a"). */ 265 return USB_RAW_EP_ADDR_ANY; 266 } 267 268 static int gadget_bind(struct usb_gadget *gadget, 269 struct usb_gadget_driver *driver) 270 { 271 int ret = 0, i = 0; 272 struct raw_dev *dev = container_of(driver, struct raw_dev, driver); 273 struct usb_request *req; 274 struct usb_ep *ep; 275 unsigned long flags; 276 277 if (strcmp(gadget->name, dev->udc_name) != 0) 278 return -ENODEV; 279 280 set_gadget_data(gadget, dev); 281 req = usb_ep_alloc_request(gadget->ep0, GFP_KERNEL); 282 if (!req) { 283 dev_err(&gadget->dev, "usb_ep_alloc_request failed\n"); 284 set_gadget_data(gadget, NULL); 285 return -ENOMEM; 286 } 287 288 spin_lock_irqsave(&dev->lock, flags); 289 dev->req = req; 290 dev->req->context = dev; 291 dev->req->complete = gadget_ep0_complete; 292 dev->gadget = gadget; 293 gadget_for_each_ep(ep, dev->gadget) { 294 dev->eps[i].ep = ep; 295 dev->eps[i].addr = get_ep_addr(ep->name); 296 dev->eps[i].state = STATE_EP_DISABLED; 297 i++; 298 } 299 dev->eps_num = i; 300 spin_unlock_irqrestore(&dev->lock, flags); 301 302 /* Matches kref_put() in gadget_unbind(). */ 303 kref_get(&dev->count); 304 305 ret = raw_queue_event(dev, USB_RAW_EVENT_CONNECT, 0, NULL); 306 if (ret < 0) 307 dev_err(&gadget->dev, "failed to queue event\n"); 308 309 return ret; 310 } 311 312 static void gadget_unbind(struct usb_gadget *gadget) 313 { 314 struct raw_dev *dev = get_gadget_data(gadget); 315 316 set_gadget_data(gadget, NULL); 317 /* Matches kref_get() in gadget_bind(). */ 318 kref_put(&dev->count, dev_free); 319 } 320 321 static int gadget_setup(struct usb_gadget *gadget, 322 const struct usb_ctrlrequest *ctrl) 323 { 324 int ret = 0; 325 struct raw_dev *dev = get_gadget_data(gadget); 326 unsigned long flags; 327 328 spin_lock_irqsave(&dev->lock, flags); 329 if (dev->state != STATE_DEV_RUNNING) { 330 dev_err(&gadget->dev, "ignoring, device is not running\n"); 331 ret = -ENODEV; 332 goto out_unlock; 333 } 334 if (dev->ep0_in_pending || dev->ep0_out_pending) { 335 dev_dbg(&gadget->dev, "stalling, request already pending\n"); 336 ret = -EBUSY; 337 goto out_unlock; 338 } 339 if ((ctrl->bRequestType & USB_DIR_IN) && ctrl->wLength) 340 dev->ep0_in_pending = true; 341 else 342 dev->ep0_out_pending = true; 343 spin_unlock_irqrestore(&dev->lock, flags); 344 345 ret = raw_queue_event(dev, USB_RAW_EVENT_CONTROL, sizeof(*ctrl), ctrl); 346 if (ret < 0) 347 dev_err(&gadget->dev, "failed to queue event\n"); 348 goto out; 349 350 out_unlock: 351 spin_unlock_irqrestore(&dev->lock, flags); 352 out: 353 return ret; 354 } 355 356 /* These are currently unused but present in case UDC driver requires them. */ 357 static void gadget_disconnect(struct usb_gadget *gadget) { } 358 static void gadget_suspend(struct usb_gadget *gadget) { } 359 static void gadget_resume(struct usb_gadget *gadget) { } 360 static void gadget_reset(struct usb_gadget *gadget) { } 361 362 /*----------------------------------------------------------------------*/ 363 364 static struct miscdevice raw_misc_device; 365 366 static int raw_open(struct inode *inode, struct file *fd) 367 { 368 struct raw_dev *dev; 369 370 /* Nonblocking I/O is not supported yet. */ 371 if (fd->f_flags & O_NONBLOCK) 372 return -EINVAL; 373 374 dev = dev_new(); 375 if (!dev) 376 return -ENOMEM; 377 fd->private_data = dev; 378 dev->state = STATE_DEV_OPENED; 379 dev->dev = raw_misc_device.this_device; 380 return 0; 381 } 382 383 static int raw_release(struct inode *inode, struct file *fd) 384 { 385 int ret = 0; 386 struct raw_dev *dev = fd->private_data; 387 unsigned long flags; 388 bool unregister = false; 389 390 spin_lock_irqsave(&dev->lock, flags); 391 dev->state = STATE_DEV_CLOSED; 392 if (!dev->gadget) { 393 spin_unlock_irqrestore(&dev->lock, flags); 394 goto out_put; 395 } 396 if (dev->gadget_registered) 397 unregister = true; 398 dev->gadget_registered = false; 399 spin_unlock_irqrestore(&dev->lock, flags); 400 401 if (unregister) { 402 ret = usb_gadget_unregister_driver(&dev->driver); 403 if (ret != 0) 404 dev_err(dev->dev, 405 "usb_gadget_unregister_driver() failed with %d\n", 406 ret); 407 /* Matches kref_get() in raw_ioctl_run(). */ 408 kref_put(&dev->count, dev_free); 409 } 410 411 out_put: 412 /* Matches dev_new() in raw_open(). */ 413 kref_put(&dev->count, dev_free); 414 return ret; 415 } 416 417 /*----------------------------------------------------------------------*/ 418 419 static int raw_ioctl_init(struct raw_dev *dev, unsigned long value) 420 { 421 int ret = 0; 422 struct usb_raw_init arg; 423 char *udc_driver_name; 424 char *udc_device_name; 425 unsigned long flags; 426 427 if (copy_from_user(&arg, (void __user *)value, sizeof(arg))) 428 return -EFAULT; 429 430 switch (arg.speed) { 431 case USB_SPEED_UNKNOWN: 432 arg.speed = USB_SPEED_HIGH; 433 break; 434 case USB_SPEED_LOW: 435 case USB_SPEED_FULL: 436 case USB_SPEED_HIGH: 437 case USB_SPEED_SUPER: 438 break; 439 default: 440 return -EINVAL; 441 } 442 443 udc_driver_name = kmalloc(UDC_NAME_LENGTH_MAX, GFP_KERNEL); 444 if (!udc_driver_name) 445 return -ENOMEM; 446 ret = strscpy(udc_driver_name, &arg.driver_name[0], 447 UDC_NAME_LENGTH_MAX); 448 if (ret < 0) { 449 kfree(udc_driver_name); 450 return ret; 451 } 452 ret = 0; 453 454 udc_device_name = kmalloc(UDC_NAME_LENGTH_MAX, GFP_KERNEL); 455 if (!udc_device_name) { 456 kfree(udc_driver_name); 457 return -ENOMEM; 458 } 459 ret = strscpy(udc_device_name, &arg.device_name[0], 460 UDC_NAME_LENGTH_MAX); 461 if (ret < 0) { 462 kfree(udc_driver_name); 463 kfree(udc_device_name); 464 return ret; 465 } 466 ret = 0; 467 468 spin_lock_irqsave(&dev->lock, flags); 469 if (dev->state != STATE_DEV_OPENED) { 470 dev_dbg(dev->dev, "fail, device is not opened\n"); 471 kfree(udc_driver_name); 472 kfree(udc_device_name); 473 ret = -EINVAL; 474 goto out_unlock; 475 } 476 dev->udc_name = udc_driver_name; 477 478 dev->driver.function = DRIVER_DESC; 479 dev->driver.max_speed = arg.speed; 480 dev->driver.setup = gadget_setup; 481 dev->driver.disconnect = gadget_disconnect; 482 dev->driver.bind = gadget_bind; 483 dev->driver.unbind = gadget_unbind; 484 dev->driver.suspend = gadget_suspend; 485 dev->driver.resume = gadget_resume; 486 dev->driver.reset = gadget_reset; 487 dev->driver.driver.name = DRIVER_NAME; 488 dev->driver.udc_name = udc_device_name; 489 dev->driver.match_existing_only = 1; 490 491 dev->state = STATE_DEV_INITIALIZED; 492 493 out_unlock: 494 spin_unlock_irqrestore(&dev->lock, flags); 495 return ret; 496 } 497 498 static int raw_ioctl_run(struct raw_dev *dev, unsigned long value) 499 { 500 int ret = 0; 501 unsigned long flags; 502 503 if (value) 504 return -EINVAL; 505 506 spin_lock_irqsave(&dev->lock, flags); 507 if (dev->state != STATE_DEV_INITIALIZED) { 508 dev_dbg(dev->dev, "fail, device is not initialized\n"); 509 ret = -EINVAL; 510 goto out_unlock; 511 } 512 dev->state = STATE_DEV_REGISTERING; 513 spin_unlock_irqrestore(&dev->lock, flags); 514 515 ret = usb_gadget_register_driver(&dev->driver); 516 517 spin_lock_irqsave(&dev->lock, flags); 518 if (ret) { 519 dev_err(dev->dev, 520 "fail, usb_gadget_register_driver returned %d\n", ret); 521 dev->state = STATE_DEV_FAILED; 522 goto out_unlock; 523 } 524 dev->gadget_registered = true; 525 dev->state = STATE_DEV_RUNNING; 526 /* Matches kref_put() in raw_release(). */ 527 kref_get(&dev->count); 528 529 out_unlock: 530 spin_unlock_irqrestore(&dev->lock, flags); 531 return ret; 532 } 533 534 static int raw_ioctl_event_fetch(struct raw_dev *dev, unsigned long value) 535 { 536 struct usb_raw_event arg; 537 unsigned long flags; 538 struct usb_raw_event *event; 539 uint32_t length; 540 541 if (copy_from_user(&arg, (void __user *)value, sizeof(arg))) 542 return -EFAULT; 543 544 spin_lock_irqsave(&dev->lock, flags); 545 if (dev->state != STATE_DEV_RUNNING) { 546 dev_dbg(dev->dev, "fail, device is not running\n"); 547 spin_unlock_irqrestore(&dev->lock, flags); 548 return -EINVAL; 549 } 550 if (!dev->gadget) { 551 dev_dbg(dev->dev, "fail, gadget is not bound\n"); 552 spin_unlock_irqrestore(&dev->lock, flags); 553 return -EBUSY; 554 } 555 spin_unlock_irqrestore(&dev->lock, flags); 556 557 event = raw_event_queue_fetch(&dev->queue); 558 if (PTR_ERR(event) == -EINTR) { 559 dev_dbg(&dev->gadget->dev, "event fetching interrupted\n"); 560 return -EINTR; 561 } 562 if (IS_ERR(event)) { 563 dev_err(&dev->gadget->dev, "failed to fetch event\n"); 564 spin_lock_irqsave(&dev->lock, flags); 565 dev->state = STATE_DEV_FAILED; 566 spin_unlock_irqrestore(&dev->lock, flags); 567 return -ENODEV; 568 } 569 length = min(arg.length, event->length); 570 if (copy_to_user((void __user *)value, event, sizeof(*event) + length)) { 571 kfree(event); 572 return -EFAULT; 573 } 574 575 kfree(event); 576 return 0; 577 } 578 579 static void *raw_alloc_io_data(struct usb_raw_ep_io *io, void __user *ptr, 580 bool get_from_user) 581 { 582 void *data; 583 584 if (copy_from_user(io, ptr, sizeof(*io))) 585 return ERR_PTR(-EFAULT); 586 if (io->ep >= USB_RAW_EPS_NUM_MAX) 587 return ERR_PTR(-EINVAL); 588 if (!usb_raw_io_flags_valid(io->flags)) 589 return ERR_PTR(-EINVAL); 590 if (io->length > PAGE_SIZE) 591 return ERR_PTR(-EINVAL); 592 if (get_from_user) 593 data = memdup_user(ptr + sizeof(*io), io->length); 594 else { 595 data = kmalloc(io->length, GFP_KERNEL); 596 if (!data) 597 data = ERR_PTR(-ENOMEM); 598 } 599 return data; 600 } 601 602 static int raw_process_ep0_io(struct raw_dev *dev, struct usb_raw_ep_io *io, 603 void *data, bool in) 604 { 605 int ret = 0; 606 unsigned long flags; 607 608 spin_lock_irqsave(&dev->lock, flags); 609 if (dev->state != STATE_DEV_RUNNING) { 610 dev_dbg(dev->dev, "fail, device is not running\n"); 611 ret = -EINVAL; 612 goto out_unlock; 613 } 614 if (!dev->gadget) { 615 dev_dbg(dev->dev, "fail, gadget is not bound\n"); 616 ret = -EBUSY; 617 goto out_unlock; 618 } 619 if (dev->ep0_urb_queued) { 620 dev_dbg(&dev->gadget->dev, "fail, urb already queued\n"); 621 ret = -EBUSY; 622 goto out_unlock; 623 } 624 if ((in && !dev->ep0_in_pending) || 625 (!in && !dev->ep0_out_pending)) { 626 dev_dbg(&dev->gadget->dev, "fail, wrong direction\n"); 627 ret = -EBUSY; 628 goto out_unlock; 629 } 630 if (WARN_ON(in && dev->ep0_out_pending)) { 631 ret = -ENODEV; 632 dev->state = STATE_DEV_FAILED; 633 goto out_done; 634 } 635 if (WARN_ON(!in && dev->ep0_in_pending)) { 636 ret = -ENODEV; 637 dev->state = STATE_DEV_FAILED; 638 goto out_done; 639 } 640 641 dev->req->buf = data; 642 dev->req->length = io->length; 643 dev->req->zero = usb_raw_io_flags_zero(io->flags); 644 dev->ep0_urb_queued = true; 645 spin_unlock_irqrestore(&dev->lock, flags); 646 647 ret = usb_ep_queue(dev->gadget->ep0, dev->req, GFP_KERNEL); 648 if (ret) { 649 dev_err(&dev->gadget->dev, 650 "fail, usb_ep_queue returned %d\n", ret); 651 spin_lock_irqsave(&dev->lock, flags); 652 dev->state = STATE_DEV_FAILED; 653 goto out_done; 654 } 655 656 ret = wait_for_completion_interruptible(&dev->ep0_done); 657 if (ret) { 658 dev_dbg(&dev->gadget->dev, "wait interrupted\n"); 659 usb_ep_dequeue(dev->gadget->ep0, dev->req); 660 wait_for_completion(&dev->ep0_done); 661 spin_lock_irqsave(&dev->lock, flags); 662 goto out_done; 663 } 664 665 spin_lock_irqsave(&dev->lock, flags); 666 ret = dev->ep0_status; 667 668 out_done: 669 dev->ep0_urb_queued = false; 670 out_unlock: 671 spin_unlock_irqrestore(&dev->lock, flags); 672 return ret; 673 } 674 675 static int raw_ioctl_ep0_write(struct raw_dev *dev, unsigned long value) 676 { 677 int ret = 0; 678 void *data; 679 struct usb_raw_ep_io io; 680 681 data = raw_alloc_io_data(&io, (void __user *)value, true); 682 if (IS_ERR(data)) 683 return PTR_ERR(data); 684 ret = raw_process_ep0_io(dev, &io, data, true); 685 kfree(data); 686 return ret; 687 } 688 689 static int raw_ioctl_ep0_read(struct raw_dev *dev, unsigned long value) 690 { 691 int ret = 0; 692 void *data; 693 struct usb_raw_ep_io io; 694 unsigned int length; 695 696 data = raw_alloc_io_data(&io, (void __user *)value, false); 697 if (IS_ERR(data)) 698 return PTR_ERR(data); 699 ret = raw_process_ep0_io(dev, &io, data, false); 700 if (ret < 0) 701 goto free; 702 703 length = min(io.length, (unsigned int)ret); 704 if (copy_to_user((void __user *)(value + sizeof(io)), data, length)) 705 ret = -EFAULT; 706 else 707 ret = length; 708 free: 709 kfree(data); 710 return ret; 711 } 712 713 static int raw_ioctl_ep0_stall(struct raw_dev *dev, unsigned long value) 714 { 715 int ret = 0; 716 unsigned long flags; 717 718 if (value) 719 return -EINVAL; 720 spin_lock_irqsave(&dev->lock, flags); 721 if (dev->state != STATE_DEV_RUNNING) { 722 dev_dbg(dev->dev, "fail, device is not running\n"); 723 ret = -EINVAL; 724 goto out_unlock; 725 } 726 if (!dev->gadget) { 727 dev_dbg(dev->dev, "fail, gadget is not bound\n"); 728 ret = -EBUSY; 729 goto out_unlock; 730 } 731 if (dev->ep0_urb_queued) { 732 dev_dbg(&dev->gadget->dev, "fail, urb already queued\n"); 733 ret = -EBUSY; 734 goto out_unlock; 735 } 736 if (!dev->ep0_in_pending && !dev->ep0_out_pending) { 737 dev_dbg(&dev->gadget->dev, "fail, no request pending\n"); 738 ret = -EBUSY; 739 goto out_unlock; 740 } 741 742 ret = usb_ep_set_halt(dev->gadget->ep0); 743 if (ret < 0) 744 dev_err(&dev->gadget->dev, 745 "fail, usb_ep_set_halt returned %d\n", ret); 746 747 if (dev->ep0_in_pending) 748 dev->ep0_in_pending = false; 749 else 750 dev->ep0_out_pending = false; 751 752 out_unlock: 753 spin_unlock_irqrestore(&dev->lock, flags); 754 return ret; 755 } 756 757 static int raw_ioctl_ep_enable(struct raw_dev *dev, unsigned long value) 758 { 759 int ret = 0, i; 760 unsigned long flags; 761 struct usb_endpoint_descriptor *desc; 762 struct raw_ep *ep; 763 bool ep_props_matched = false; 764 765 desc = memdup_user((void __user *)value, sizeof(*desc)); 766 if (IS_ERR(desc)) 767 return PTR_ERR(desc); 768 769 /* 770 * Endpoints with a maxpacket length of 0 can cause crashes in UDC 771 * drivers. 772 */ 773 if (usb_endpoint_maxp(desc) == 0) { 774 dev_dbg(dev->dev, "fail, bad endpoint maxpacket\n"); 775 kfree(desc); 776 return -EINVAL; 777 } 778 779 spin_lock_irqsave(&dev->lock, flags); 780 if (dev->state != STATE_DEV_RUNNING) { 781 dev_dbg(dev->dev, "fail, device is not running\n"); 782 ret = -EINVAL; 783 goto out_free; 784 } 785 if (!dev->gadget) { 786 dev_dbg(dev->dev, "fail, gadget is not bound\n"); 787 ret = -EBUSY; 788 goto out_free; 789 } 790 791 for (i = 0; i < dev->eps_num; i++) { 792 ep = &dev->eps[i]; 793 if (ep->addr != usb_endpoint_num(desc) && 794 ep->addr != USB_RAW_EP_ADDR_ANY) 795 continue; 796 if (!usb_gadget_ep_match_desc(dev->gadget, ep->ep, desc, NULL)) 797 continue; 798 ep_props_matched = true; 799 if (ep->state != STATE_EP_DISABLED) 800 continue; 801 ep->ep->desc = desc; 802 ret = usb_ep_enable(ep->ep); 803 if (ret < 0) { 804 dev_err(&dev->gadget->dev, 805 "fail, usb_ep_enable returned %d\n", ret); 806 goto out_free; 807 } 808 ep->req = usb_ep_alloc_request(ep->ep, GFP_ATOMIC); 809 if (!ep->req) { 810 dev_err(&dev->gadget->dev, 811 "fail, usb_ep_alloc_request failed\n"); 812 usb_ep_disable(ep->ep); 813 ret = -ENOMEM; 814 goto out_free; 815 } 816 ep->state = STATE_EP_ENABLED; 817 ep->ep->driver_data = ep; 818 ret = i; 819 goto out_unlock; 820 } 821 822 if (!ep_props_matched) { 823 dev_dbg(&dev->gadget->dev, "fail, bad endpoint descriptor\n"); 824 ret = -EINVAL; 825 } else { 826 dev_dbg(&dev->gadget->dev, "fail, no endpoints available\n"); 827 ret = -EBUSY; 828 } 829 830 out_free: 831 kfree(desc); 832 out_unlock: 833 spin_unlock_irqrestore(&dev->lock, flags); 834 return ret; 835 } 836 837 static int raw_ioctl_ep_disable(struct raw_dev *dev, unsigned long value) 838 { 839 int ret = 0, i = value; 840 unsigned long flags; 841 842 spin_lock_irqsave(&dev->lock, flags); 843 if (dev->state != STATE_DEV_RUNNING) { 844 dev_dbg(dev->dev, "fail, device is not running\n"); 845 ret = -EINVAL; 846 goto out_unlock; 847 } 848 if (!dev->gadget) { 849 dev_dbg(dev->dev, "fail, gadget is not bound\n"); 850 ret = -EBUSY; 851 goto out_unlock; 852 } 853 if (i < 0 || i >= dev->eps_num) { 854 dev_dbg(dev->dev, "fail, invalid endpoint\n"); 855 ret = -EBUSY; 856 goto out_unlock; 857 } 858 if (dev->eps[i].state == STATE_EP_DISABLED) { 859 dev_dbg(&dev->gadget->dev, "fail, endpoint is not enabled\n"); 860 ret = -EINVAL; 861 goto out_unlock; 862 } 863 if (dev->eps[i].disabling) { 864 dev_dbg(&dev->gadget->dev, 865 "fail, disable already in progress\n"); 866 ret = -EINVAL; 867 goto out_unlock; 868 } 869 if (dev->eps[i].urb_queued) { 870 dev_dbg(&dev->gadget->dev, 871 "fail, waiting for urb completion\n"); 872 ret = -EINVAL; 873 goto out_unlock; 874 } 875 dev->eps[i].disabling = true; 876 spin_unlock_irqrestore(&dev->lock, flags); 877 878 usb_ep_disable(dev->eps[i].ep); 879 880 spin_lock_irqsave(&dev->lock, flags); 881 usb_ep_free_request(dev->eps[i].ep, dev->eps[i].req); 882 kfree(dev->eps[i].ep->desc); 883 dev->eps[i].state = STATE_EP_DISABLED; 884 dev->eps[i].disabling = false; 885 886 out_unlock: 887 spin_unlock_irqrestore(&dev->lock, flags); 888 return ret; 889 } 890 891 static int raw_ioctl_ep_set_clear_halt_wedge(struct raw_dev *dev, 892 unsigned long value, bool set, bool halt) 893 { 894 int ret = 0, i = value; 895 unsigned long flags; 896 897 spin_lock_irqsave(&dev->lock, flags); 898 if (dev->state != STATE_DEV_RUNNING) { 899 dev_dbg(dev->dev, "fail, device is not running\n"); 900 ret = -EINVAL; 901 goto out_unlock; 902 } 903 if (!dev->gadget) { 904 dev_dbg(dev->dev, "fail, gadget is not bound\n"); 905 ret = -EBUSY; 906 goto out_unlock; 907 } 908 if (i < 0 || i >= dev->eps_num) { 909 dev_dbg(dev->dev, "fail, invalid endpoint\n"); 910 ret = -EBUSY; 911 goto out_unlock; 912 } 913 if (dev->eps[i].state == STATE_EP_DISABLED) { 914 dev_dbg(&dev->gadget->dev, "fail, endpoint is not enabled\n"); 915 ret = -EINVAL; 916 goto out_unlock; 917 } 918 if (dev->eps[i].disabling) { 919 dev_dbg(&dev->gadget->dev, 920 "fail, disable is in progress\n"); 921 ret = -EINVAL; 922 goto out_unlock; 923 } 924 if (dev->eps[i].urb_queued) { 925 dev_dbg(&dev->gadget->dev, 926 "fail, waiting for urb completion\n"); 927 ret = -EINVAL; 928 goto out_unlock; 929 } 930 if (usb_endpoint_xfer_isoc(dev->eps[i].ep->desc)) { 931 dev_dbg(&dev->gadget->dev, 932 "fail, can't halt/wedge ISO endpoint\n"); 933 ret = -EINVAL; 934 goto out_unlock; 935 } 936 937 if (set && halt) { 938 ret = usb_ep_set_halt(dev->eps[i].ep); 939 if (ret < 0) 940 dev_err(&dev->gadget->dev, 941 "fail, usb_ep_set_halt returned %d\n", ret); 942 } else if (!set && halt) { 943 ret = usb_ep_clear_halt(dev->eps[i].ep); 944 if (ret < 0) 945 dev_err(&dev->gadget->dev, 946 "fail, usb_ep_clear_halt returned %d\n", ret); 947 } else if (set && !halt) { 948 ret = usb_ep_set_wedge(dev->eps[i].ep); 949 if (ret < 0) 950 dev_err(&dev->gadget->dev, 951 "fail, usb_ep_set_wedge returned %d\n", ret); 952 } 953 954 out_unlock: 955 spin_unlock_irqrestore(&dev->lock, flags); 956 return ret; 957 } 958 959 static void gadget_ep_complete(struct usb_ep *ep, struct usb_request *req) 960 { 961 struct raw_ep *r_ep = (struct raw_ep *)ep->driver_data; 962 struct raw_dev *dev = r_ep->dev; 963 unsigned long flags; 964 965 spin_lock_irqsave(&dev->lock, flags); 966 if (req->status) 967 r_ep->status = req->status; 968 else 969 r_ep->status = req->actual; 970 spin_unlock_irqrestore(&dev->lock, flags); 971 972 complete((struct completion *)req->context); 973 } 974 975 static int raw_process_ep_io(struct raw_dev *dev, struct usb_raw_ep_io *io, 976 void *data, bool in) 977 { 978 int ret = 0; 979 unsigned long flags; 980 struct raw_ep *ep; 981 DECLARE_COMPLETION_ONSTACK(done); 982 983 spin_lock_irqsave(&dev->lock, flags); 984 if (dev->state != STATE_DEV_RUNNING) { 985 dev_dbg(dev->dev, "fail, device is not running\n"); 986 ret = -EINVAL; 987 goto out_unlock; 988 } 989 if (!dev->gadget) { 990 dev_dbg(dev->dev, "fail, gadget is not bound\n"); 991 ret = -EBUSY; 992 goto out_unlock; 993 } 994 if (io->ep >= dev->eps_num) { 995 dev_dbg(&dev->gadget->dev, "fail, invalid endpoint\n"); 996 ret = -EINVAL; 997 goto out_unlock; 998 } 999 ep = &dev->eps[io->ep]; 1000 if (ep->state != STATE_EP_ENABLED) { 1001 dev_dbg(&dev->gadget->dev, "fail, endpoint is not enabled\n"); 1002 ret = -EBUSY; 1003 goto out_unlock; 1004 } 1005 if (ep->disabling) { 1006 dev_dbg(&dev->gadget->dev, 1007 "fail, endpoint is already being disabled\n"); 1008 ret = -EBUSY; 1009 goto out_unlock; 1010 } 1011 if (ep->urb_queued) { 1012 dev_dbg(&dev->gadget->dev, "fail, urb already queued\n"); 1013 ret = -EBUSY; 1014 goto out_unlock; 1015 } 1016 if (in != usb_endpoint_dir_in(ep->ep->desc)) { 1017 dev_dbg(&dev->gadget->dev, "fail, wrong direction\n"); 1018 ret = -EINVAL; 1019 goto out_unlock; 1020 } 1021 1022 ep->dev = dev; 1023 ep->req->context = &done; 1024 ep->req->complete = gadget_ep_complete; 1025 ep->req->buf = data; 1026 ep->req->length = io->length; 1027 ep->req->zero = usb_raw_io_flags_zero(io->flags); 1028 ep->urb_queued = true; 1029 spin_unlock_irqrestore(&dev->lock, flags); 1030 1031 ret = usb_ep_queue(ep->ep, ep->req, GFP_KERNEL); 1032 if (ret) { 1033 dev_err(&dev->gadget->dev, 1034 "fail, usb_ep_queue returned %d\n", ret); 1035 spin_lock_irqsave(&dev->lock, flags); 1036 dev->state = STATE_DEV_FAILED; 1037 goto out_done; 1038 } 1039 1040 ret = wait_for_completion_interruptible(&done); 1041 if (ret) { 1042 dev_dbg(&dev->gadget->dev, "wait interrupted\n"); 1043 usb_ep_dequeue(ep->ep, ep->req); 1044 wait_for_completion(&done); 1045 spin_lock_irqsave(&dev->lock, flags); 1046 goto out_done; 1047 } 1048 1049 spin_lock_irqsave(&dev->lock, flags); 1050 ret = ep->status; 1051 1052 out_done: 1053 ep->urb_queued = false; 1054 out_unlock: 1055 spin_unlock_irqrestore(&dev->lock, flags); 1056 return ret; 1057 } 1058 1059 static int raw_ioctl_ep_write(struct raw_dev *dev, unsigned long value) 1060 { 1061 int ret = 0; 1062 char *data; 1063 struct usb_raw_ep_io io; 1064 1065 data = raw_alloc_io_data(&io, (void __user *)value, true); 1066 if (IS_ERR(data)) 1067 return PTR_ERR(data); 1068 ret = raw_process_ep_io(dev, &io, data, true); 1069 kfree(data); 1070 return ret; 1071 } 1072 1073 static int raw_ioctl_ep_read(struct raw_dev *dev, unsigned long value) 1074 { 1075 int ret = 0; 1076 char *data; 1077 struct usb_raw_ep_io io; 1078 unsigned int length; 1079 1080 data = raw_alloc_io_data(&io, (void __user *)value, false); 1081 if (IS_ERR(data)) 1082 return PTR_ERR(data); 1083 ret = raw_process_ep_io(dev, &io, data, false); 1084 if (ret < 0) 1085 goto free; 1086 1087 length = min(io.length, (unsigned int)ret); 1088 if (copy_to_user((void __user *)(value + sizeof(io)), data, length)) 1089 ret = -EFAULT; 1090 else 1091 ret = length; 1092 free: 1093 kfree(data); 1094 return ret; 1095 } 1096 1097 static int raw_ioctl_configure(struct raw_dev *dev, unsigned long value) 1098 { 1099 int ret = 0; 1100 unsigned long flags; 1101 1102 if (value) 1103 return -EINVAL; 1104 spin_lock_irqsave(&dev->lock, flags); 1105 if (dev->state != STATE_DEV_RUNNING) { 1106 dev_dbg(dev->dev, "fail, device is not running\n"); 1107 ret = -EINVAL; 1108 goto out_unlock; 1109 } 1110 if (!dev->gadget) { 1111 dev_dbg(dev->dev, "fail, gadget is not bound\n"); 1112 ret = -EBUSY; 1113 goto out_unlock; 1114 } 1115 usb_gadget_set_state(dev->gadget, USB_STATE_CONFIGURED); 1116 1117 out_unlock: 1118 spin_unlock_irqrestore(&dev->lock, flags); 1119 return ret; 1120 } 1121 1122 static int raw_ioctl_vbus_draw(struct raw_dev *dev, unsigned long value) 1123 { 1124 int ret = 0; 1125 unsigned long flags; 1126 1127 spin_lock_irqsave(&dev->lock, flags); 1128 if (dev->state != STATE_DEV_RUNNING) { 1129 dev_dbg(dev->dev, "fail, device is not running\n"); 1130 ret = -EINVAL; 1131 goto out_unlock; 1132 } 1133 if (!dev->gadget) { 1134 dev_dbg(dev->dev, "fail, gadget is not bound\n"); 1135 ret = -EBUSY; 1136 goto out_unlock; 1137 } 1138 usb_gadget_vbus_draw(dev->gadget, 2 * value); 1139 1140 out_unlock: 1141 spin_unlock_irqrestore(&dev->lock, flags); 1142 return ret; 1143 } 1144 1145 static void fill_ep_caps(struct usb_ep_caps *caps, 1146 struct usb_raw_ep_caps *raw_caps) 1147 { 1148 raw_caps->type_control = caps->type_control; 1149 raw_caps->type_iso = caps->type_iso; 1150 raw_caps->type_bulk = caps->type_bulk; 1151 raw_caps->type_int = caps->type_int; 1152 raw_caps->dir_in = caps->dir_in; 1153 raw_caps->dir_out = caps->dir_out; 1154 } 1155 1156 static void fill_ep_limits(struct usb_ep *ep, struct usb_raw_ep_limits *limits) 1157 { 1158 limits->maxpacket_limit = ep->maxpacket_limit; 1159 limits->max_streams = ep->max_streams; 1160 } 1161 1162 static int raw_ioctl_eps_info(struct raw_dev *dev, unsigned long value) 1163 { 1164 int ret = 0, i; 1165 unsigned long flags; 1166 struct usb_raw_eps_info *info; 1167 struct raw_ep *ep; 1168 1169 info = kzalloc(sizeof(*info), GFP_KERNEL); 1170 if (!info) { 1171 ret = -ENOMEM; 1172 goto out; 1173 } 1174 1175 spin_lock_irqsave(&dev->lock, flags); 1176 if (dev->state != STATE_DEV_RUNNING) { 1177 dev_dbg(dev->dev, "fail, device is not running\n"); 1178 ret = -EINVAL; 1179 spin_unlock_irqrestore(&dev->lock, flags); 1180 goto out_free; 1181 } 1182 if (!dev->gadget) { 1183 dev_dbg(dev->dev, "fail, gadget is not bound\n"); 1184 ret = -EBUSY; 1185 spin_unlock_irqrestore(&dev->lock, flags); 1186 goto out_free; 1187 } 1188 1189 for (i = 0; i < dev->eps_num; i++) { 1190 ep = &dev->eps[i]; 1191 strscpy(&info->eps[i].name[0], ep->ep->name, 1192 USB_RAW_EP_NAME_MAX); 1193 info->eps[i].addr = ep->addr; 1194 fill_ep_caps(&ep->ep->caps, &info->eps[i].caps); 1195 fill_ep_limits(ep->ep, &info->eps[i].limits); 1196 } 1197 ret = dev->eps_num; 1198 spin_unlock_irqrestore(&dev->lock, flags); 1199 1200 if (copy_to_user((void __user *)value, info, sizeof(*info))) 1201 ret = -EFAULT; 1202 1203 out_free: 1204 kfree(info); 1205 out: 1206 return ret; 1207 } 1208 1209 static long raw_ioctl(struct file *fd, unsigned int cmd, unsigned long value) 1210 { 1211 struct raw_dev *dev = fd->private_data; 1212 int ret = 0; 1213 1214 if (!dev) 1215 return -EBUSY; 1216 1217 switch (cmd) { 1218 case USB_RAW_IOCTL_INIT: 1219 ret = raw_ioctl_init(dev, value); 1220 break; 1221 case USB_RAW_IOCTL_RUN: 1222 ret = raw_ioctl_run(dev, value); 1223 break; 1224 case USB_RAW_IOCTL_EVENT_FETCH: 1225 ret = raw_ioctl_event_fetch(dev, value); 1226 break; 1227 case USB_RAW_IOCTL_EP0_WRITE: 1228 ret = raw_ioctl_ep0_write(dev, value); 1229 break; 1230 case USB_RAW_IOCTL_EP0_READ: 1231 ret = raw_ioctl_ep0_read(dev, value); 1232 break; 1233 case USB_RAW_IOCTL_EP_ENABLE: 1234 ret = raw_ioctl_ep_enable(dev, value); 1235 break; 1236 case USB_RAW_IOCTL_EP_DISABLE: 1237 ret = raw_ioctl_ep_disable(dev, value); 1238 break; 1239 case USB_RAW_IOCTL_EP_WRITE: 1240 ret = raw_ioctl_ep_write(dev, value); 1241 break; 1242 case USB_RAW_IOCTL_EP_READ: 1243 ret = raw_ioctl_ep_read(dev, value); 1244 break; 1245 case USB_RAW_IOCTL_CONFIGURE: 1246 ret = raw_ioctl_configure(dev, value); 1247 break; 1248 case USB_RAW_IOCTL_VBUS_DRAW: 1249 ret = raw_ioctl_vbus_draw(dev, value); 1250 break; 1251 case USB_RAW_IOCTL_EPS_INFO: 1252 ret = raw_ioctl_eps_info(dev, value); 1253 break; 1254 case USB_RAW_IOCTL_EP0_STALL: 1255 ret = raw_ioctl_ep0_stall(dev, value); 1256 break; 1257 case USB_RAW_IOCTL_EP_SET_HALT: 1258 ret = raw_ioctl_ep_set_clear_halt_wedge( 1259 dev, value, true, true); 1260 break; 1261 case USB_RAW_IOCTL_EP_CLEAR_HALT: 1262 ret = raw_ioctl_ep_set_clear_halt_wedge( 1263 dev, value, false, true); 1264 break; 1265 case USB_RAW_IOCTL_EP_SET_WEDGE: 1266 ret = raw_ioctl_ep_set_clear_halt_wedge( 1267 dev, value, true, false); 1268 break; 1269 default: 1270 ret = -EINVAL; 1271 } 1272 1273 return ret; 1274 } 1275 1276 /*----------------------------------------------------------------------*/ 1277 1278 static const struct file_operations raw_fops = { 1279 .open = raw_open, 1280 .unlocked_ioctl = raw_ioctl, 1281 .compat_ioctl = raw_ioctl, 1282 .release = raw_release, 1283 .llseek = no_llseek, 1284 }; 1285 1286 static struct miscdevice raw_misc_device = { 1287 .minor = MISC_DYNAMIC_MINOR, 1288 .name = DRIVER_NAME, 1289 .fops = &raw_fops, 1290 }; 1291 1292 module_misc_device(raw_misc_device); 1293