1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 * USB Raw Gadget driver. 4 * See Documentation/usb/raw-gadget.rst for more details. 5 * 6 * Andrey Konovalov <andreyknvl@gmail.com> 7 */ 8 9 #include <linux/compiler.h> 10 #include <linux/ctype.h> 11 #include <linux/debugfs.h> 12 #include <linux/delay.h> 13 #include <linux/kref.h> 14 #include <linux/miscdevice.h> 15 #include <linux/module.h> 16 #include <linux/semaphore.h> 17 #include <linux/sched.h> 18 #include <linux/slab.h> 19 #include <linux/uaccess.h> 20 #include <linux/wait.h> 21 22 #include <linux/usb.h> 23 #include <linux/usb/ch9.h> 24 #include <linux/usb/ch11.h> 25 #include <linux/usb/gadget.h> 26 27 #include <uapi/linux/usb/raw_gadget.h> 28 29 #define DRIVER_DESC "USB Raw Gadget" 30 #define DRIVER_NAME "raw-gadget" 31 32 MODULE_DESCRIPTION(DRIVER_DESC); 33 MODULE_AUTHOR("Andrey Konovalov"); 34 MODULE_LICENSE("GPL"); 35 36 /*----------------------------------------------------------------------*/ 37 38 #define RAW_EVENT_QUEUE_SIZE 16 39 40 struct raw_event_queue { 41 /* See the comment in raw_event_queue_fetch() for locking details. */ 42 spinlock_t lock; 43 struct semaphore sema; 44 struct usb_raw_event *events[RAW_EVENT_QUEUE_SIZE]; 45 int size; 46 }; 47 48 static void raw_event_queue_init(struct raw_event_queue *queue) 49 { 50 spin_lock_init(&queue->lock); 51 sema_init(&queue->sema, 0); 52 queue->size = 0; 53 } 54 55 static int raw_event_queue_add(struct raw_event_queue *queue, 56 enum usb_raw_event_type type, size_t length, const void *data) 57 { 58 unsigned long flags; 59 struct usb_raw_event *event; 60 61 spin_lock_irqsave(&queue->lock, flags); 62 if (WARN_ON(queue->size >= RAW_EVENT_QUEUE_SIZE)) { 63 spin_unlock_irqrestore(&queue->lock, flags); 64 return -ENOMEM; 65 } 66 event = kmalloc(sizeof(*event) + length, GFP_ATOMIC); 67 if (!event) { 68 spin_unlock_irqrestore(&queue->lock, flags); 69 return -ENOMEM; 70 } 71 event->type = type; 72 event->length = length; 73 if (event->length) 74 memcpy(&event->data[0], data, length); 75 queue->events[queue->size] = event; 76 queue->size++; 77 up(&queue->sema); 78 spin_unlock_irqrestore(&queue->lock, flags); 79 return 0; 80 } 81 82 static struct usb_raw_event *raw_event_queue_fetch( 83 struct raw_event_queue *queue) 84 { 85 int ret; 86 unsigned long flags; 87 struct usb_raw_event *event; 88 89 /* 90 * This function can be called concurrently. We first check that 91 * there's at least one event queued by decrementing the semaphore, 92 * and then take the lock to protect queue struct fields. 93 */ 94 ret = down_interruptible(&queue->sema); 95 if (ret) 96 return ERR_PTR(ret); 97 spin_lock_irqsave(&queue->lock, flags); 98 /* 99 * queue->size must have the same value as queue->sema counter (before 100 * the down_interruptible() call above), so this check is a fail-safe. 101 */ 102 if (WARN_ON(!queue->size)) { 103 spin_unlock_irqrestore(&queue->lock, flags); 104 return ERR_PTR(-ENODEV); 105 } 106 event = queue->events[0]; 107 queue->size--; 108 memmove(&queue->events[0], &queue->events[1], 109 queue->size * sizeof(queue->events[0])); 110 spin_unlock_irqrestore(&queue->lock, flags); 111 return event; 112 } 113 114 static void raw_event_queue_destroy(struct raw_event_queue *queue) 115 { 116 int i; 117 118 for (i = 0; i < queue->size; i++) 119 kfree(queue->events[i]); 120 queue->size = 0; 121 } 122 123 /*----------------------------------------------------------------------*/ 124 125 struct raw_dev; 126 127 enum ep_state { 128 STATE_EP_DISABLED, 129 STATE_EP_ENABLED, 130 }; 131 132 struct raw_ep { 133 struct raw_dev *dev; 134 enum ep_state state; 135 struct usb_ep *ep; 136 u8 addr; 137 struct usb_request *req; 138 bool urb_queued; 139 bool disabling; 140 ssize_t status; 141 }; 142 143 enum dev_state { 144 STATE_DEV_INVALID = 0, 145 STATE_DEV_OPENED, 146 STATE_DEV_INITIALIZED, 147 STATE_DEV_RUNNING, 148 STATE_DEV_CLOSED, 149 STATE_DEV_FAILED 150 }; 151 152 struct raw_dev { 153 struct kref count; 154 spinlock_t lock; 155 156 const char *udc_name; 157 struct usb_gadget_driver driver; 158 159 /* Reference to misc device: */ 160 struct device *dev; 161 162 /* Protected by lock: */ 163 enum dev_state state; 164 bool gadget_registered; 165 struct usb_gadget *gadget; 166 struct usb_request *req; 167 bool ep0_in_pending; 168 bool ep0_out_pending; 169 bool ep0_urb_queued; 170 ssize_t ep0_status; 171 struct raw_ep eps[USB_RAW_EPS_NUM_MAX]; 172 int eps_num; 173 174 struct completion ep0_done; 175 struct raw_event_queue queue; 176 }; 177 178 static struct raw_dev *dev_new(void) 179 { 180 struct raw_dev *dev; 181 182 dev = kzalloc(sizeof(*dev), GFP_KERNEL); 183 if (!dev) 184 return NULL; 185 /* Matches kref_put() in raw_release(). */ 186 kref_init(&dev->count); 187 spin_lock_init(&dev->lock); 188 init_completion(&dev->ep0_done); 189 raw_event_queue_init(&dev->queue); 190 return dev; 191 } 192 193 static void dev_free(struct kref *kref) 194 { 195 struct raw_dev *dev = container_of(kref, struct raw_dev, count); 196 int i; 197 198 kfree(dev->udc_name); 199 kfree(dev->driver.udc_name); 200 if (dev->req) { 201 if (dev->ep0_urb_queued) 202 usb_ep_dequeue(dev->gadget->ep0, dev->req); 203 usb_ep_free_request(dev->gadget->ep0, dev->req); 204 } 205 raw_event_queue_destroy(&dev->queue); 206 for (i = 0; i < dev->eps_num; i++) { 207 if (dev->eps[i].state == STATE_EP_DISABLED) 208 continue; 209 usb_ep_disable(dev->eps[i].ep); 210 usb_ep_free_request(dev->eps[i].ep, dev->eps[i].req); 211 kfree(dev->eps[i].ep->desc); 212 dev->eps[i].state = STATE_EP_DISABLED; 213 } 214 kfree(dev); 215 } 216 217 /*----------------------------------------------------------------------*/ 218 219 static int raw_queue_event(struct raw_dev *dev, 220 enum usb_raw_event_type type, size_t length, const void *data) 221 { 222 int ret = 0; 223 unsigned long flags; 224 225 ret = raw_event_queue_add(&dev->queue, type, length, data); 226 if (ret < 0) { 227 spin_lock_irqsave(&dev->lock, flags); 228 dev->state = STATE_DEV_FAILED; 229 spin_unlock_irqrestore(&dev->lock, flags); 230 } 231 return ret; 232 } 233 234 static void gadget_ep0_complete(struct usb_ep *ep, struct usb_request *req) 235 { 236 struct raw_dev *dev = req->context; 237 unsigned long flags; 238 239 spin_lock_irqsave(&dev->lock, flags); 240 if (req->status) 241 dev->ep0_status = req->status; 242 else 243 dev->ep0_status = req->actual; 244 if (dev->ep0_in_pending) 245 dev->ep0_in_pending = false; 246 else 247 dev->ep0_out_pending = false; 248 spin_unlock_irqrestore(&dev->lock, flags); 249 250 complete(&dev->ep0_done); 251 } 252 253 static u8 get_ep_addr(const char *name) 254 { 255 /* If the endpoint has fixed function (named as e.g. "ep12out-bulk"), 256 * parse the endpoint address from its name. We deliberately use 257 * deprecated simple_strtoul() function here, as the number isn't 258 * followed by '\0' nor '\n'. 259 */ 260 if (isdigit(name[2])) 261 return simple_strtoul(&name[2], NULL, 10); 262 /* Otherwise the endpoint is configurable (named as e.g. "ep-a"). */ 263 return USB_RAW_EP_ADDR_ANY; 264 } 265 266 static int gadget_bind(struct usb_gadget *gadget, 267 struct usb_gadget_driver *driver) 268 { 269 int ret = 0, i = 0; 270 struct raw_dev *dev = container_of(driver, struct raw_dev, driver); 271 struct usb_request *req; 272 struct usb_ep *ep; 273 unsigned long flags; 274 275 if (strcmp(gadget->name, dev->udc_name) != 0) 276 return -ENODEV; 277 278 set_gadget_data(gadget, dev); 279 req = usb_ep_alloc_request(gadget->ep0, GFP_KERNEL); 280 if (!req) { 281 dev_err(&gadget->dev, "usb_ep_alloc_request failed\n"); 282 set_gadget_data(gadget, NULL); 283 return -ENOMEM; 284 } 285 286 spin_lock_irqsave(&dev->lock, flags); 287 dev->req = req; 288 dev->req->context = dev; 289 dev->req->complete = gadget_ep0_complete; 290 dev->gadget = gadget; 291 gadget_for_each_ep(ep, dev->gadget) { 292 dev->eps[i].ep = ep; 293 dev->eps[i].addr = get_ep_addr(ep->name); 294 dev->eps[i].state = STATE_EP_DISABLED; 295 i++; 296 } 297 dev->eps_num = i; 298 spin_unlock_irqrestore(&dev->lock, flags); 299 300 /* Matches kref_put() in gadget_unbind(). */ 301 kref_get(&dev->count); 302 303 ret = raw_queue_event(dev, USB_RAW_EVENT_CONNECT, 0, NULL); 304 if (ret < 0) 305 dev_err(&gadget->dev, "failed to queue event\n"); 306 307 return ret; 308 } 309 310 static void gadget_unbind(struct usb_gadget *gadget) 311 { 312 struct raw_dev *dev = get_gadget_data(gadget); 313 314 set_gadget_data(gadget, NULL); 315 /* Matches kref_get() in gadget_bind(). */ 316 kref_put(&dev->count, dev_free); 317 } 318 319 static int gadget_setup(struct usb_gadget *gadget, 320 const struct usb_ctrlrequest *ctrl) 321 { 322 int ret = 0; 323 struct raw_dev *dev = get_gadget_data(gadget); 324 unsigned long flags; 325 326 spin_lock_irqsave(&dev->lock, flags); 327 if (dev->state != STATE_DEV_RUNNING) { 328 dev_err(&gadget->dev, "ignoring, device is not running\n"); 329 ret = -ENODEV; 330 goto out_unlock; 331 } 332 if (dev->ep0_in_pending || dev->ep0_out_pending) { 333 dev_dbg(&gadget->dev, "stalling, request already pending\n"); 334 ret = -EBUSY; 335 goto out_unlock; 336 } 337 if ((ctrl->bRequestType & USB_DIR_IN) && ctrl->wLength) 338 dev->ep0_in_pending = true; 339 else 340 dev->ep0_out_pending = true; 341 spin_unlock_irqrestore(&dev->lock, flags); 342 343 ret = raw_queue_event(dev, USB_RAW_EVENT_CONTROL, sizeof(*ctrl), ctrl); 344 if (ret < 0) 345 dev_err(&gadget->dev, "failed to queue event\n"); 346 goto out; 347 348 out_unlock: 349 spin_unlock_irqrestore(&dev->lock, flags); 350 out: 351 return ret; 352 } 353 354 /* These are currently unused but present in case UDC driver requires them. */ 355 static void gadget_disconnect(struct usb_gadget *gadget) { } 356 static void gadget_suspend(struct usb_gadget *gadget) { } 357 static void gadget_resume(struct usb_gadget *gadget) { } 358 static void gadget_reset(struct usb_gadget *gadget) { } 359 360 /*----------------------------------------------------------------------*/ 361 362 static struct miscdevice raw_misc_device; 363 364 static int raw_open(struct inode *inode, struct file *fd) 365 { 366 struct raw_dev *dev; 367 368 /* Nonblocking I/O is not supported yet. */ 369 if (fd->f_flags & O_NONBLOCK) 370 return -EINVAL; 371 372 dev = dev_new(); 373 if (!dev) 374 return -ENOMEM; 375 fd->private_data = dev; 376 dev->state = STATE_DEV_OPENED; 377 dev->dev = raw_misc_device.this_device; 378 return 0; 379 } 380 381 static int raw_release(struct inode *inode, struct file *fd) 382 { 383 int ret = 0; 384 struct raw_dev *dev = fd->private_data; 385 unsigned long flags; 386 bool unregister = false; 387 388 spin_lock_irqsave(&dev->lock, flags); 389 dev->state = STATE_DEV_CLOSED; 390 if (!dev->gadget) { 391 spin_unlock_irqrestore(&dev->lock, flags); 392 goto out_put; 393 } 394 if (dev->gadget_registered) 395 unregister = true; 396 dev->gadget_registered = false; 397 spin_unlock_irqrestore(&dev->lock, flags); 398 399 if (unregister) { 400 ret = usb_gadget_unregister_driver(&dev->driver); 401 if (ret != 0) 402 dev_err(dev->dev, 403 "usb_gadget_unregister_driver() failed with %d\n", 404 ret); 405 /* Matches kref_get() in raw_ioctl_run(). */ 406 kref_put(&dev->count, dev_free); 407 } 408 409 out_put: 410 /* Matches dev_new() in raw_open(). */ 411 kref_put(&dev->count, dev_free); 412 return ret; 413 } 414 415 /*----------------------------------------------------------------------*/ 416 417 static int raw_ioctl_init(struct raw_dev *dev, unsigned long value) 418 { 419 int ret = 0; 420 struct usb_raw_init arg; 421 char *udc_driver_name; 422 char *udc_device_name; 423 unsigned long flags; 424 425 if (copy_from_user(&arg, (void __user *)value, sizeof(arg))) 426 return -EFAULT; 427 428 switch (arg.speed) { 429 case USB_SPEED_UNKNOWN: 430 arg.speed = USB_SPEED_HIGH; 431 break; 432 case USB_SPEED_LOW: 433 case USB_SPEED_FULL: 434 case USB_SPEED_HIGH: 435 case USB_SPEED_SUPER: 436 break; 437 default: 438 return -EINVAL; 439 } 440 441 udc_driver_name = kmalloc(UDC_NAME_LENGTH_MAX, GFP_KERNEL); 442 if (!udc_driver_name) 443 return -ENOMEM; 444 ret = strscpy(udc_driver_name, &arg.driver_name[0], 445 UDC_NAME_LENGTH_MAX); 446 if (ret < 0) { 447 kfree(udc_driver_name); 448 return ret; 449 } 450 ret = 0; 451 452 udc_device_name = kmalloc(UDC_NAME_LENGTH_MAX, GFP_KERNEL); 453 if (!udc_device_name) { 454 kfree(udc_driver_name); 455 return -ENOMEM; 456 } 457 ret = strscpy(udc_device_name, &arg.device_name[0], 458 UDC_NAME_LENGTH_MAX); 459 if (ret < 0) { 460 kfree(udc_driver_name); 461 kfree(udc_device_name); 462 return ret; 463 } 464 ret = 0; 465 466 spin_lock_irqsave(&dev->lock, flags); 467 if (dev->state != STATE_DEV_OPENED) { 468 dev_dbg(dev->dev, "fail, device is not opened\n"); 469 kfree(udc_driver_name); 470 kfree(udc_device_name); 471 ret = -EINVAL; 472 goto out_unlock; 473 } 474 dev->udc_name = udc_driver_name; 475 476 dev->driver.function = DRIVER_DESC; 477 dev->driver.max_speed = arg.speed; 478 dev->driver.setup = gadget_setup; 479 dev->driver.disconnect = gadget_disconnect; 480 dev->driver.bind = gadget_bind; 481 dev->driver.unbind = gadget_unbind; 482 dev->driver.suspend = gadget_suspend; 483 dev->driver.resume = gadget_resume; 484 dev->driver.reset = gadget_reset; 485 dev->driver.driver.name = DRIVER_NAME; 486 dev->driver.udc_name = udc_device_name; 487 dev->driver.match_existing_only = 1; 488 489 dev->state = STATE_DEV_INITIALIZED; 490 491 out_unlock: 492 spin_unlock_irqrestore(&dev->lock, flags); 493 return ret; 494 } 495 496 static int raw_ioctl_run(struct raw_dev *dev, unsigned long value) 497 { 498 int ret = 0; 499 unsigned long flags; 500 501 if (value) 502 return -EINVAL; 503 504 spin_lock_irqsave(&dev->lock, flags); 505 if (dev->state != STATE_DEV_INITIALIZED) { 506 dev_dbg(dev->dev, "fail, device is not initialized\n"); 507 ret = -EINVAL; 508 goto out_unlock; 509 } 510 spin_unlock_irqrestore(&dev->lock, flags); 511 512 ret = usb_gadget_probe_driver(&dev->driver); 513 514 spin_lock_irqsave(&dev->lock, flags); 515 if (ret) { 516 dev_err(dev->dev, 517 "fail, usb_gadget_probe_driver returned %d\n", ret); 518 dev->state = STATE_DEV_FAILED; 519 goto out_unlock; 520 } 521 dev->gadget_registered = true; 522 dev->state = STATE_DEV_RUNNING; 523 /* Matches kref_put() in raw_release(). */ 524 kref_get(&dev->count); 525 526 out_unlock: 527 spin_unlock_irqrestore(&dev->lock, flags); 528 return ret; 529 } 530 531 static int raw_ioctl_event_fetch(struct raw_dev *dev, unsigned long value) 532 { 533 struct usb_raw_event arg; 534 unsigned long flags; 535 struct usb_raw_event *event; 536 uint32_t length; 537 538 if (copy_from_user(&arg, (void __user *)value, sizeof(arg))) 539 return -EFAULT; 540 541 spin_lock_irqsave(&dev->lock, flags); 542 if (dev->state != STATE_DEV_RUNNING) { 543 dev_dbg(dev->dev, "fail, device is not running\n"); 544 spin_unlock_irqrestore(&dev->lock, flags); 545 return -EINVAL; 546 } 547 if (!dev->gadget) { 548 dev_dbg(dev->dev, "fail, gadget is not bound\n"); 549 spin_unlock_irqrestore(&dev->lock, flags); 550 return -EBUSY; 551 } 552 spin_unlock_irqrestore(&dev->lock, flags); 553 554 event = raw_event_queue_fetch(&dev->queue); 555 if (PTR_ERR(event) == -EINTR) { 556 dev_dbg(&dev->gadget->dev, "event fetching interrupted\n"); 557 return -EINTR; 558 } 559 if (IS_ERR(event)) { 560 dev_err(&dev->gadget->dev, "failed to fetch event\n"); 561 spin_lock_irqsave(&dev->lock, flags); 562 dev->state = STATE_DEV_FAILED; 563 spin_unlock_irqrestore(&dev->lock, flags); 564 return -ENODEV; 565 } 566 length = min(arg.length, event->length); 567 if (copy_to_user((void __user *)value, event, sizeof(*event) + length)) 568 return -EFAULT; 569 570 return 0; 571 } 572 573 static void *raw_alloc_io_data(struct usb_raw_ep_io *io, void __user *ptr, 574 bool get_from_user) 575 { 576 void *data; 577 578 if (copy_from_user(io, ptr, sizeof(*io))) 579 return ERR_PTR(-EFAULT); 580 if (io->ep >= USB_RAW_EPS_NUM_MAX) 581 return ERR_PTR(-EINVAL); 582 if (!usb_raw_io_flags_valid(io->flags)) 583 return ERR_PTR(-EINVAL); 584 if (io->length > PAGE_SIZE) 585 return ERR_PTR(-EINVAL); 586 if (get_from_user) 587 data = memdup_user(ptr + sizeof(*io), io->length); 588 else { 589 data = kmalloc(io->length, GFP_KERNEL); 590 if (!data) 591 data = ERR_PTR(-ENOMEM); 592 } 593 return data; 594 } 595 596 static int raw_process_ep0_io(struct raw_dev *dev, struct usb_raw_ep_io *io, 597 void *data, bool in) 598 { 599 int ret = 0; 600 unsigned long flags; 601 602 spin_lock_irqsave(&dev->lock, flags); 603 if (dev->state != STATE_DEV_RUNNING) { 604 dev_dbg(dev->dev, "fail, device is not running\n"); 605 ret = -EINVAL; 606 goto out_unlock; 607 } 608 if (!dev->gadget) { 609 dev_dbg(dev->dev, "fail, gadget is not bound\n"); 610 ret = -EBUSY; 611 goto out_unlock; 612 } 613 if (dev->ep0_urb_queued) { 614 dev_dbg(&dev->gadget->dev, "fail, urb already queued\n"); 615 ret = -EBUSY; 616 goto out_unlock; 617 } 618 if ((in && !dev->ep0_in_pending) || 619 (!in && !dev->ep0_out_pending)) { 620 dev_dbg(&dev->gadget->dev, "fail, wrong direction\n"); 621 ret = -EBUSY; 622 goto out_unlock; 623 } 624 if (WARN_ON(in && dev->ep0_out_pending)) { 625 ret = -ENODEV; 626 dev->state = STATE_DEV_FAILED; 627 goto out_done; 628 } 629 if (WARN_ON(!in && dev->ep0_in_pending)) { 630 ret = -ENODEV; 631 dev->state = STATE_DEV_FAILED; 632 goto out_done; 633 } 634 635 dev->req->buf = data; 636 dev->req->length = io->length; 637 dev->req->zero = usb_raw_io_flags_zero(io->flags); 638 dev->ep0_urb_queued = true; 639 spin_unlock_irqrestore(&dev->lock, flags); 640 641 ret = usb_ep_queue(dev->gadget->ep0, dev->req, GFP_KERNEL); 642 if (ret) { 643 dev_err(&dev->gadget->dev, 644 "fail, usb_ep_queue returned %d\n", ret); 645 spin_lock_irqsave(&dev->lock, flags); 646 dev->state = STATE_DEV_FAILED; 647 goto out_done; 648 } 649 650 ret = wait_for_completion_interruptible(&dev->ep0_done); 651 if (ret) { 652 dev_dbg(&dev->gadget->dev, "wait interrupted\n"); 653 usb_ep_dequeue(dev->gadget->ep0, dev->req); 654 wait_for_completion(&dev->ep0_done); 655 spin_lock_irqsave(&dev->lock, flags); 656 goto out_done; 657 } 658 659 spin_lock_irqsave(&dev->lock, flags); 660 ret = dev->ep0_status; 661 662 out_done: 663 dev->ep0_urb_queued = false; 664 out_unlock: 665 spin_unlock_irqrestore(&dev->lock, flags); 666 return ret; 667 } 668 669 static int raw_ioctl_ep0_write(struct raw_dev *dev, unsigned long value) 670 { 671 int ret = 0; 672 void *data; 673 struct usb_raw_ep_io io; 674 675 data = raw_alloc_io_data(&io, (void __user *)value, true); 676 if (IS_ERR(data)) 677 return PTR_ERR(data); 678 ret = raw_process_ep0_io(dev, &io, data, true); 679 kfree(data); 680 return ret; 681 } 682 683 static int raw_ioctl_ep0_read(struct raw_dev *dev, unsigned long value) 684 { 685 int ret = 0; 686 void *data; 687 struct usb_raw_ep_io io; 688 unsigned int length; 689 690 data = raw_alloc_io_data(&io, (void __user *)value, false); 691 if (IS_ERR(data)) 692 return PTR_ERR(data); 693 ret = raw_process_ep0_io(dev, &io, data, false); 694 if (ret < 0) 695 goto free; 696 697 length = min(io.length, (unsigned int)ret); 698 if (copy_to_user((void __user *)(value + sizeof(io)), data, length)) 699 ret = -EFAULT; 700 else 701 ret = length; 702 free: 703 kfree(data); 704 return ret; 705 } 706 707 static int raw_ioctl_ep0_stall(struct raw_dev *dev, unsigned long value) 708 { 709 int ret = 0; 710 unsigned long flags; 711 712 if (value) 713 return -EINVAL; 714 spin_lock_irqsave(&dev->lock, flags); 715 if (dev->state != STATE_DEV_RUNNING) { 716 dev_dbg(dev->dev, "fail, device is not running\n"); 717 ret = -EINVAL; 718 goto out_unlock; 719 } 720 if (!dev->gadget) { 721 dev_dbg(dev->dev, "fail, gadget is not bound\n"); 722 ret = -EBUSY; 723 goto out_unlock; 724 } 725 if (dev->ep0_urb_queued) { 726 dev_dbg(&dev->gadget->dev, "fail, urb already queued\n"); 727 ret = -EBUSY; 728 goto out_unlock; 729 } 730 if (!dev->ep0_in_pending && !dev->ep0_out_pending) { 731 dev_dbg(&dev->gadget->dev, "fail, no request pending\n"); 732 ret = -EBUSY; 733 goto out_unlock; 734 } 735 736 ret = usb_ep_set_halt(dev->gadget->ep0); 737 if (ret < 0) 738 dev_err(&dev->gadget->dev, 739 "fail, usb_ep_set_halt returned %d\n", ret); 740 741 if (dev->ep0_in_pending) 742 dev->ep0_in_pending = false; 743 else 744 dev->ep0_out_pending = false; 745 746 out_unlock: 747 spin_unlock_irqrestore(&dev->lock, flags); 748 return ret; 749 } 750 751 static int raw_ioctl_ep_enable(struct raw_dev *dev, unsigned long value) 752 { 753 int ret = 0, i; 754 unsigned long flags; 755 struct usb_endpoint_descriptor *desc; 756 struct raw_ep *ep; 757 758 desc = memdup_user((void __user *)value, sizeof(*desc)); 759 if (IS_ERR(desc)) 760 return PTR_ERR(desc); 761 762 /* 763 * Endpoints with a maxpacket length of 0 can cause crashes in UDC 764 * drivers. 765 */ 766 if (usb_endpoint_maxp(desc) == 0) { 767 dev_dbg(dev->dev, "fail, bad endpoint maxpacket\n"); 768 kfree(desc); 769 return -EINVAL; 770 } 771 772 spin_lock_irqsave(&dev->lock, flags); 773 if (dev->state != STATE_DEV_RUNNING) { 774 dev_dbg(dev->dev, "fail, device is not running\n"); 775 ret = -EINVAL; 776 goto out_free; 777 } 778 if (!dev->gadget) { 779 dev_dbg(dev->dev, "fail, gadget is not bound\n"); 780 ret = -EBUSY; 781 goto out_free; 782 } 783 784 for (i = 0; i < dev->eps_num; i++) { 785 ep = &dev->eps[i]; 786 if (ep->state != STATE_EP_DISABLED) 787 continue; 788 if (ep->addr != usb_endpoint_num(desc) && 789 ep->addr != USB_RAW_EP_ADDR_ANY) 790 continue; 791 if (!usb_gadget_ep_match_desc(dev->gadget, ep->ep, desc, NULL)) 792 continue; 793 ep->ep->desc = desc; 794 ret = usb_ep_enable(ep->ep); 795 if (ret < 0) { 796 dev_err(&dev->gadget->dev, 797 "fail, usb_ep_enable returned %d\n", ret); 798 goto out_free; 799 } 800 ep->req = usb_ep_alloc_request(ep->ep, GFP_ATOMIC); 801 if (!ep->req) { 802 dev_err(&dev->gadget->dev, 803 "fail, usb_ep_alloc_request failed\n"); 804 usb_ep_disable(ep->ep); 805 ret = -ENOMEM; 806 goto out_free; 807 } 808 ep->state = STATE_EP_ENABLED; 809 ep->ep->driver_data = ep; 810 ret = i; 811 goto out_unlock; 812 } 813 814 dev_dbg(&dev->gadget->dev, "fail, no gadget endpoints available\n"); 815 ret = -EBUSY; 816 817 out_free: 818 kfree(desc); 819 out_unlock: 820 spin_unlock_irqrestore(&dev->lock, flags); 821 return ret; 822 } 823 824 static int raw_ioctl_ep_disable(struct raw_dev *dev, unsigned long value) 825 { 826 int ret = 0, i = value; 827 unsigned long flags; 828 829 spin_lock_irqsave(&dev->lock, flags); 830 if (dev->state != STATE_DEV_RUNNING) { 831 dev_dbg(dev->dev, "fail, device is not running\n"); 832 ret = -EINVAL; 833 goto out_unlock; 834 } 835 if (!dev->gadget) { 836 dev_dbg(dev->dev, "fail, gadget is not bound\n"); 837 ret = -EBUSY; 838 goto out_unlock; 839 } 840 if (i < 0 || i >= dev->eps_num) { 841 dev_dbg(dev->dev, "fail, invalid endpoint\n"); 842 ret = -EBUSY; 843 goto out_unlock; 844 } 845 if (dev->eps[i].state == STATE_EP_DISABLED) { 846 dev_dbg(&dev->gadget->dev, "fail, endpoint is not enabled\n"); 847 ret = -EINVAL; 848 goto out_unlock; 849 } 850 if (dev->eps[i].disabling) { 851 dev_dbg(&dev->gadget->dev, 852 "fail, disable already in progress\n"); 853 ret = -EINVAL; 854 goto out_unlock; 855 } 856 if (dev->eps[i].urb_queued) { 857 dev_dbg(&dev->gadget->dev, 858 "fail, waiting for urb completion\n"); 859 ret = -EINVAL; 860 goto out_unlock; 861 } 862 dev->eps[i].disabling = true; 863 spin_unlock_irqrestore(&dev->lock, flags); 864 865 usb_ep_disable(dev->eps[i].ep); 866 867 spin_lock_irqsave(&dev->lock, flags); 868 usb_ep_free_request(dev->eps[i].ep, dev->eps[i].req); 869 kfree(dev->eps[i].ep->desc); 870 dev->eps[i].state = STATE_EP_DISABLED; 871 dev->eps[i].disabling = false; 872 873 out_unlock: 874 spin_unlock_irqrestore(&dev->lock, flags); 875 return ret; 876 } 877 878 static int raw_ioctl_ep_set_clear_halt_wedge(struct raw_dev *dev, 879 unsigned long value, bool set, bool halt) 880 { 881 int ret = 0, i = value; 882 unsigned long flags; 883 884 spin_lock_irqsave(&dev->lock, flags); 885 if (dev->state != STATE_DEV_RUNNING) { 886 dev_dbg(dev->dev, "fail, device is not running\n"); 887 ret = -EINVAL; 888 goto out_unlock; 889 } 890 if (!dev->gadget) { 891 dev_dbg(dev->dev, "fail, gadget is not bound\n"); 892 ret = -EBUSY; 893 goto out_unlock; 894 } 895 if (i < 0 || i >= dev->eps_num) { 896 dev_dbg(dev->dev, "fail, invalid endpoint\n"); 897 ret = -EBUSY; 898 goto out_unlock; 899 } 900 if (dev->eps[i].state == STATE_EP_DISABLED) { 901 dev_dbg(&dev->gadget->dev, "fail, endpoint is not enabled\n"); 902 ret = -EINVAL; 903 goto out_unlock; 904 } 905 if (dev->eps[i].disabling) { 906 dev_dbg(&dev->gadget->dev, 907 "fail, disable is in progress\n"); 908 ret = -EINVAL; 909 goto out_unlock; 910 } 911 if (dev->eps[i].urb_queued) { 912 dev_dbg(&dev->gadget->dev, 913 "fail, waiting for urb completion\n"); 914 ret = -EINVAL; 915 goto out_unlock; 916 } 917 if (usb_endpoint_xfer_isoc(dev->eps[i].ep->desc)) { 918 dev_dbg(&dev->gadget->dev, 919 "fail, can't halt/wedge ISO endpoint\n"); 920 ret = -EINVAL; 921 goto out_unlock; 922 } 923 924 if (set && halt) { 925 ret = usb_ep_set_halt(dev->eps[i].ep); 926 if (ret < 0) 927 dev_err(&dev->gadget->dev, 928 "fail, usb_ep_set_halt returned %d\n", ret); 929 } else if (!set && halt) { 930 ret = usb_ep_clear_halt(dev->eps[i].ep); 931 if (ret < 0) 932 dev_err(&dev->gadget->dev, 933 "fail, usb_ep_clear_halt returned %d\n", ret); 934 } else if (set && !halt) { 935 ret = usb_ep_set_wedge(dev->eps[i].ep); 936 if (ret < 0) 937 dev_err(&dev->gadget->dev, 938 "fail, usb_ep_set_wedge returned %d\n", ret); 939 } 940 941 out_unlock: 942 spin_unlock_irqrestore(&dev->lock, flags); 943 return ret; 944 } 945 946 static void gadget_ep_complete(struct usb_ep *ep, struct usb_request *req) 947 { 948 struct raw_ep *r_ep = (struct raw_ep *)ep->driver_data; 949 struct raw_dev *dev = r_ep->dev; 950 unsigned long flags; 951 952 spin_lock_irqsave(&dev->lock, flags); 953 if (req->status) 954 r_ep->status = req->status; 955 else 956 r_ep->status = req->actual; 957 spin_unlock_irqrestore(&dev->lock, flags); 958 959 complete((struct completion *)req->context); 960 } 961 962 static int raw_process_ep_io(struct raw_dev *dev, struct usb_raw_ep_io *io, 963 void *data, bool in) 964 { 965 int ret = 0; 966 unsigned long flags; 967 struct raw_ep *ep; 968 DECLARE_COMPLETION_ONSTACK(done); 969 970 spin_lock_irqsave(&dev->lock, flags); 971 if (dev->state != STATE_DEV_RUNNING) { 972 dev_dbg(dev->dev, "fail, device is not running\n"); 973 ret = -EINVAL; 974 goto out_unlock; 975 } 976 if (!dev->gadget) { 977 dev_dbg(dev->dev, "fail, gadget is not bound\n"); 978 ret = -EBUSY; 979 goto out_unlock; 980 } 981 if (io->ep >= dev->eps_num) { 982 dev_dbg(&dev->gadget->dev, "fail, invalid endpoint\n"); 983 ret = -EINVAL; 984 goto out_unlock; 985 } 986 ep = &dev->eps[io->ep]; 987 if (ep->state != STATE_EP_ENABLED) { 988 dev_dbg(&dev->gadget->dev, "fail, endpoint is not enabled\n"); 989 ret = -EBUSY; 990 goto out_unlock; 991 } 992 if (ep->disabling) { 993 dev_dbg(&dev->gadget->dev, 994 "fail, endpoint is already being disabled\n"); 995 ret = -EBUSY; 996 goto out_unlock; 997 } 998 if (ep->urb_queued) { 999 dev_dbg(&dev->gadget->dev, "fail, urb already queued\n"); 1000 ret = -EBUSY; 1001 goto out_unlock; 1002 } 1003 if ((in && !ep->ep->caps.dir_in) || (!in && ep->ep->caps.dir_in)) { 1004 dev_dbg(&dev->gadget->dev, "fail, wrong direction\n"); 1005 ret = -EINVAL; 1006 goto out_unlock; 1007 } 1008 1009 ep->dev = dev; 1010 ep->req->context = &done; 1011 ep->req->complete = gadget_ep_complete; 1012 ep->req->buf = data; 1013 ep->req->length = io->length; 1014 ep->req->zero = usb_raw_io_flags_zero(io->flags); 1015 ep->urb_queued = true; 1016 spin_unlock_irqrestore(&dev->lock, flags); 1017 1018 ret = usb_ep_queue(ep->ep, ep->req, GFP_KERNEL); 1019 if (ret) { 1020 dev_err(&dev->gadget->dev, 1021 "fail, usb_ep_queue returned %d\n", ret); 1022 spin_lock_irqsave(&dev->lock, flags); 1023 dev->state = STATE_DEV_FAILED; 1024 goto out_done; 1025 } 1026 1027 ret = wait_for_completion_interruptible(&done); 1028 if (ret) { 1029 dev_dbg(&dev->gadget->dev, "wait interrupted\n"); 1030 usb_ep_dequeue(ep->ep, ep->req); 1031 wait_for_completion(&done); 1032 spin_lock_irqsave(&dev->lock, flags); 1033 goto out_done; 1034 } 1035 1036 spin_lock_irqsave(&dev->lock, flags); 1037 ret = ep->status; 1038 1039 out_done: 1040 ep->urb_queued = false; 1041 out_unlock: 1042 spin_unlock_irqrestore(&dev->lock, flags); 1043 return ret; 1044 } 1045 1046 static int raw_ioctl_ep_write(struct raw_dev *dev, unsigned long value) 1047 { 1048 int ret = 0; 1049 char *data; 1050 struct usb_raw_ep_io io; 1051 1052 data = raw_alloc_io_data(&io, (void __user *)value, true); 1053 if (IS_ERR(data)) 1054 return PTR_ERR(data); 1055 ret = raw_process_ep_io(dev, &io, data, true); 1056 kfree(data); 1057 return ret; 1058 } 1059 1060 static int raw_ioctl_ep_read(struct raw_dev *dev, unsigned long value) 1061 { 1062 int ret = 0; 1063 char *data; 1064 struct usb_raw_ep_io io; 1065 unsigned int length; 1066 1067 data = raw_alloc_io_data(&io, (void __user *)value, false); 1068 if (IS_ERR(data)) 1069 return PTR_ERR(data); 1070 ret = raw_process_ep_io(dev, &io, data, false); 1071 if (ret < 0) 1072 goto free; 1073 1074 length = min(io.length, (unsigned int)ret); 1075 if (copy_to_user((void __user *)(value + sizeof(io)), data, length)) 1076 ret = -EFAULT; 1077 else 1078 ret = length; 1079 free: 1080 kfree(data); 1081 return ret; 1082 } 1083 1084 static int raw_ioctl_configure(struct raw_dev *dev, unsigned long value) 1085 { 1086 int ret = 0; 1087 unsigned long flags; 1088 1089 if (value) 1090 return -EINVAL; 1091 spin_lock_irqsave(&dev->lock, flags); 1092 if (dev->state != STATE_DEV_RUNNING) { 1093 dev_dbg(dev->dev, "fail, device is not running\n"); 1094 ret = -EINVAL; 1095 goto out_unlock; 1096 } 1097 if (!dev->gadget) { 1098 dev_dbg(dev->dev, "fail, gadget is not bound\n"); 1099 ret = -EBUSY; 1100 goto out_unlock; 1101 } 1102 usb_gadget_set_state(dev->gadget, USB_STATE_CONFIGURED); 1103 1104 out_unlock: 1105 spin_unlock_irqrestore(&dev->lock, flags); 1106 return ret; 1107 } 1108 1109 static int raw_ioctl_vbus_draw(struct raw_dev *dev, unsigned long value) 1110 { 1111 int ret = 0; 1112 unsigned long flags; 1113 1114 spin_lock_irqsave(&dev->lock, flags); 1115 if (dev->state != STATE_DEV_RUNNING) { 1116 dev_dbg(dev->dev, "fail, device is not running\n"); 1117 ret = -EINVAL; 1118 goto out_unlock; 1119 } 1120 if (!dev->gadget) { 1121 dev_dbg(dev->dev, "fail, gadget is not bound\n"); 1122 ret = -EBUSY; 1123 goto out_unlock; 1124 } 1125 usb_gadget_vbus_draw(dev->gadget, 2 * value); 1126 1127 out_unlock: 1128 spin_unlock_irqrestore(&dev->lock, flags); 1129 return ret; 1130 } 1131 1132 static void fill_ep_caps(struct usb_ep_caps *caps, 1133 struct usb_raw_ep_caps *raw_caps) 1134 { 1135 raw_caps->type_control = caps->type_control; 1136 raw_caps->type_iso = caps->type_iso; 1137 raw_caps->type_bulk = caps->type_bulk; 1138 raw_caps->type_int = caps->type_int; 1139 raw_caps->dir_in = caps->dir_in; 1140 raw_caps->dir_out = caps->dir_out; 1141 } 1142 1143 static void fill_ep_limits(struct usb_ep *ep, struct usb_raw_ep_limits *limits) 1144 { 1145 limits->maxpacket_limit = ep->maxpacket_limit; 1146 limits->max_streams = ep->max_streams; 1147 } 1148 1149 static int raw_ioctl_eps_info(struct raw_dev *dev, unsigned long value) 1150 { 1151 int ret = 0, i; 1152 unsigned long flags; 1153 struct usb_raw_eps_info *info; 1154 struct raw_ep *ep; 1155 1156 info = kmalloc(sizeof(*info), GFP_KERNEL); 1157 if (!info) { 1158 ret = -ENOMEM; 1159 goto out; 1160 } 1161 1162 spin_lock_irqsave(&dev->lock, flags); 1163 if (dev->state != STATE_DEV_RUNNING) { 1164 dev_dbg(dev->dev, "fail, device is not running\n"); 1165 ret = -EINVAL; 1166 spin_unlock_irqrestore(&dev->lock, flags); 1167 goto out_free; 1168 } 1169 if (!dev->gadget) { 1170 dev_dbg(dev->dev, "fail, gadget is not bound\n"); 1171 ret = -EBUSY; 1172 spin_unlock_irqrestore(&dev->lock, flags); 1173 goto out_free; 1174 } 1175 1176 memset(info, 0, sizeof(*info)); 1177 for (i = 0; i < dev->eps_num; i++) { 1178 ep = &dev->eps[i]; 1179 strscpy(&info->eps[i].name[0], ep->ep->name, 1180 USB_RAW_EP_NAME_MAX); 1181 info->eps[i].addr = ep->addr; 1182 fill_ep_caps(&ep->ep->caps, &info->eps[i].caps); 1183 fill_ep_limits(ep->ep, &info->eps[i].limits); 1184 } 1185 ret = dev->eps_num; 1186 spin_unlock_irqrestore(&dev->lock, flags); 1187 1188 if (copy_to_user((void __user *)value, info, sizeof(*info))) 1189 ret = -EFAULT; 1190 1191 out_free: 1192 kfree(info); 1193 out: 1194 return ret; 1195 } 1196 1197 static long raw_ioctl(struct file *fd, unsigned int cmd, unsigned long value) 1198 { 1199 struct raw_dev *dev = fd->private_data; 1200 int ret = 0; 1201 1202 if (!dev) 1203 return -EBUSY; 1204 1205 switch (cmd) { 1206 case USB_RAW_IOCTL_INIT: 1207 ret = raw_ioctl_init(dev, value); 1208 break; 1209 case USB_RAW_IOCTL_RUN: 1210 ret = raw_ioctl_run(dev, value); 1211 break; 1212 case USB_RAW_IOCTL_EVENT_FETCH: 1213 ret = raw_ioctl_event_fetch(dev, value); 1214 break; 1215 case USB_RAW_IOCTL_EP0_WRITE: 1216 ret = raw_ioctl_ep0_write(dev, value); 1217 break; 1218 case USB_RAW_IOCTL_EP0_READ: 1219 ret = raw_ioctl_ep0_read(dev, value); 1220 break; 1221 case USB_RAW_IOCTL_EP_ENABLE: 1222 ret = raw_ioctl_ep_enable(dev, value); 1223 break; 1224 case USB_RAW_IOCTL_EP_DISABLE: 1225 ret = raw_ioctl_ep_disable(dev, value); 1226 break; 1227 case USB_RAW_IOCTL_EP_WRITE: 1228 ret = raw_ioctl_ep_write(dev, value); 1229 break; 1230 case USB_RAW_IOCTL_EP_READ: 1231 ret = raw_ioctl_ep_read(dev, value); 1232 break; 1233 case USB_RAW_IOCTL_CONFIGURE: 1234 ret = raw_ioctl_configure(dev, value); 1235 break; 1236 case USB_RAW_IOCTL_VBUS_DRAW: 1237 ret = raw_ioctl_vbus_draw(dev, value); 1238 break; 1239 case USB_RAW_IOCTL_EPS_INFO: 1240 ret = raw_ioctl_eps_info(dev, value); 1241 break; 1242 case USB_RAW_IOCTL_EP0_STALL: 1243 ret = raw_ioctl_ep0_stall(dev, value); 1244 break; 1245 case USB_RAW_IOCTL_EP_SET_HALT: 1246 ret = raw_ioctl_ep_set_clear_halt_wedge( 1247 dev, value, true, true); 1248 break; 1249 case USB_RAW_IOCTL_EP_CLEAR_HALT: 1250 ret = raw_ioctl_ep_set_clear_halt_wedge( 1251 dev, value, false, true); 1252 break; 1253 case USB_RAW_IOCTL_EP_SET_WEDGE: 1254 ret = raw_ioctl_ep_set_clear_halt_wedge( 1255 dev, value, true, false); 1256 break; 1257 default: 1258 ret = -EINVAL; 1259 } 1260 1261 return ret; 1262 } 1263 1264 /*----------------------------------------------------------------------*/ 1265 1266 static const struct file_operations raw_fops = { 1267 .open = raw_open, 1268 .unlocked_ioctl = raw_ioctl, 1269 .compat_ioctl = raw_ioctl, 1270 .release = raw_release, 1271 .llseek = no_llseek, 1272 }; 1273 1274 static struct miscdevice raw_misc_device = { 1275 .minor = MISC_DYNAMIC_MINOR, 1276 .name = DRIVER_NAME, 1277 .fops = &raw_fops, 1278 }; 1279 1280 module_misc_device(raw_misc_device); 1281