1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 * USB Raw Gadget driver. 4 * See Documentation/usb/raw-gadget.rst for more details. 5 * 6 * Andrey Konovalov <andreyknvl@gmail.com> 7 */ 8 9 #include <linux/compiler.h> 10 #include <linux/ctype.h> 11 #include <linux/debugfs.h> 12 #include <linux/delay.h> 13 #include <linux/kref.h> 14 #include <linux/miscdevice.h> 15 #include <linux/module.h> 16 #include <linux/semaphore.h> 17 #include <linux/sched.h> 18 #include <linux/slab.h> 19 #include <linux/uaccess.h> 20 #include <linux/wait.h> 21 22 #include <linux/usb.h> 23 #include <linux/usb/ch9.h> 24 #include <linux/usb/ch11.h> 25 #include <linux/usb/gadget.h> 26 27 #include <uapi/linux/usb/raw_gadget.h> 28 29 #define DRIVER_DESC "USB Raw Gadget" 30 #define DRIVER_NAME "raw-gadget" 31 32 MODULE_DESCRIPTION(DRIVER_DESC); 33 MODULE_AUTHOR("Andrey Konovalov"); 34 MODULE_LICENSE("GPL"); 35 36 /*----------------------------------------------------------------------*/ 37 38 #define RAW_EVENT_QUEUE_SIZE 16 39 40 struct raw_event_queue { 41 /* See the comment in raw_event_queue_fetch() for locking details. */ 42 spinlock_t lock; 43 struct semaphore sema; 44 struct usb_raw_event *events[RAW_EVENT_QUEUE_SIZE]; 45 int size; 46 }; 47 48 static void raw_event_queue_init(struct raw_event_queue *queue) 49 { 50 spin_lock_init(&queue->lock); 51 sema_init(&queue->sema, 0); 52 queue->size = 0; 53 } 54 55 static int raw_event_queue_add(struct raw_event_queue *queue, 56 enum usb_raw_event_type type, size_t length, const void *data) 57 { 58 unsigned long flags; 59 struct usb_raw_event *event; 60 61 spin_lock_irqsave(&queue->lock, flags); 62 if (WARN_ON(queue->size >= RAW_EVENT_QUEUE_SIZE)) { 63 spin_unlock_irqrestore(&queue->lock, flags); 64 return -ENOMEM; 65 } 66 event = kmalloc(sizeof(*event) + length, GFP_ATOMIC); 67 if (!event) { 68 spin_unlock_irqrestore(&queue->lock, flags); 69 return -ENOMEM; 70 } 71 event->type = type; 72 event->length = length; 73 if (event->length) 74 memcpy(&event->data[0], data, length); 75 queue->events[queue->size] = event; 76 queue->size++; 77 up(&queue->sema); 78 spin_unlock_irqrestore(&queue->lock, flags); 79 return 0; 80 } 81 82 static struct usb_raw_event *raw_event_queue_fetch( 83 struct raw_event_queue *queue) 84 { 85 int ret; 86 unsigned long flags; 87 struct usb_raw_event *event; 88 89 /* 90 * This function can be called concurrently. We first check that 91 * there's at least one event queued by decrementing the semaphore, 92 * and then take the lock to protect queue struct fields. 93 */ 94 ret = down_interruptible(&queue->sema); 95 if (ret) 96 return ERR_PTR(ret); 97 spin_lock_irqsave(&queue->lock, flags); 98 /* 99 * queue->size must have the same value as queue->sema counter (before 100 * the down_interruptible() call above), so this check is a fail-safe. 101 */ 102 if (WARN_ON(!queue->size)) { 103 spin_unlock_irqrestore(&queue->lock, flags); 104 return ERR_PTR(-ENODEV); 105 } 106 event = queue->events[0]; 107 queue->size--; 108 memmove(&queue->events[0], &queue->events[1], 109 queue->size * sizeof(queue->events[0])); 110 spin_unlock_irqrestore(&queue->lock, flags); 111 return event; 112 } 113 114 static void raw_event_queue_destroy(struct raw_event_queue *queue) 115 { 116 int i; 117 118 for (i = 0; i < queue->size; i++) 119 kfree(queue->events[i]); 120 queue->size = 0; 121 } 122 123 /*----------------------------------------------------------------------*/ 124 125 struct raw_dev; 126 127 enum ep_state { 128 STATE_EP_DISABLED, 129 STATE_EP_ENABLED, 130 }; 131 132 struct raw_ep { 133 struct raw_dev *dev; 134 enum ep_state state; 135 struct usb_ep *ep; 136 u8 addr; 137 struct usb_request *req; 138 bool urb_queued; 139 bool disabling; 140 ssize_t status; 141 }; 142 143 enum dev_state { 144 STATE_DEV_INVALID = 0, 145 STATE_DEV_OPENED, 146 STATE_DEV_INITIALIZED, 147 STATE_DEV_RUNNING, 148 STATE_DEV_CLOSED, 149 STATE_DEV_FAILED 150 }; 151 152 struct raw_dev { 153 struct kref count; 154 spinlock_t lock; 155 156 const char *udc_name; 157 struct usb_gadget_driver driver; 158 159 /* Reference to misc device: */ 160 struct device *dev; 161 162 /* Protected by lock: */ 163 enum dev_state state; 164 bool gadget_registered; 165 struct usb_gadget *gadget; 166 struct usb_request *req; 167 bool ep0_in_pending; 168 bool ep0_out_pending; 169 bool ep0_urb_queued; 170 ssize_t ep0_status; 171 struct raw_ep eps[USB_RAW_EPS_NUM_MAX]; 172 int eps_num; 173 174 struct completion ep0_done; 175 struct raw_event_queue queue; 176 }; 177 178 static struct raw_dev *dev_new(void) 179 { 180 struct raw_dev *dev; 181 182 dev = kzalloc(sizeof(*dev), GFP_KERNEL); 183 if (!dev) 184 return NULL; 185 /* Matches kref_put() in raw_release(). */ 186 kref_init(&dev->count); 187 spin_lock_init(&dev->lock); 188 init_completion(&dev->ep0_done); 189 raw_event_queue_init(&dev->queue); 190 return dev; 191 } 192 193 static void dev_free(struct kref *kref) 194 { 195 struct raw_dev *dev = container_of(kref, struct raw_dev, count); 196 int i; 197 198 kfree(dev->udc_name); 199 kfree(dev->driver.udc_name); 200 if (dev->req) { 201 if (dev->ep0_urb_queued) 202 usb_ep_dequeue(dev->gadget->ep0, dev->req); 203 usb_ep_free_request(dev->gadget->ep0, dev->req); 204 } 205 raw_event_queue_destroy(&dev->queue); 206 for (i = 0; i < dev->eps_num; i++) { 207 if (dev->eps[i].state == STATE_EP_DISABLED) 208 continue; 209 usb_ep_disable(dev->eps[i].ep); 210 usb_ep_free_request(dev->eps[i].ep, dev->eps[i].req); 211 kfree(dev->eps[i].ep->desc); 212 dev->eps[i].state = STATE_EP_DISABLED; 213 } 214 kfree(dev); 215 } 216 217 /*----------------------------------------------------------------------*/ 218 219 static int raw_queue_event(struct raw_dev *dev, 220 enum usb_raw_event_type type, size_t length, const void *data) 221 { 222 int ret = 0; 223 unsigned long flags; 224 225 ret = raw_event_queue_add(&dev->queue, type, length, data); 226 if (ret < 0) { 227 spin_lock_irqsave(&dev->lock, flags); 228 dev->state = STATE_DEV_FAILED; 229 spin_unlock_irqrestore(&dev->lock, flags); 230 } 231 return ret; 232 } 233 234 static void gadget_ep0_complete(struct usb_ep *ep, struct usb_request *req) 235 { 236 struct raw_dev *dev = req->context; 237 unsigned long flags; 238 239 spin_lock_irqsave(&dev->lock, flags); 240 if (req->status) 241 dev->ep0_status = req->status; 242 else 243 dev->ep0_status = req->actual; 244 if (dev->ep0_in_pending) 245 dev->ep0_in_pending = false; 246 else 247 dev->ep0_out_pending = false; 248 spin_unlock_irqrestore(&dev->lock, flags); 249 250 complete(&dev->ep0_done); 251 } 252 253 static u8 get_ep_addr(const char *name) 254 { 255 /* If the endpoint has fixed function (named as e.g. "ep12out-bulk"), 256 * parse the endpoint address from its name. We deliberately use 257 * deprecated simple_strtoul() function here, as the number isn't 258 * followed by '\0' nor '\n'. 259 */ 260 if (isdigit(name[2])) 261 return simple_strtoul(&name[2], NULL, 10); 262 /* Otherwise the endpoint is configurable (named as e.g. "ep-a"). */ 263 return USB_RAW_EP_ADDR_ANY; 264 } 265 266 static int gadget_bind(struct usb_gadget *gadget, 267 struct usb_gadget_driver *driver) 268 { 269 int ret = 0, i = 0; 270 struct raw_dev *dev = container_of(driver, struct raw_dev, driver); 271 struct usb_request *req; 272 struct usb_ep *ep; 273 unsigned long flags; 274 275 if (strcmp(gadget->name, dev->udc_name) != 0) 276 return -ENODEV; 277 278 set_gadget_data(gadget, dev); 279 req = usb_ep_alloc_request(gadget->ep0, GFP_KERNEL); 280 if (!req) { 281 dev_err(&gadget->dev, "usb_ep_alloc_request failed\n"); 282 set_gadget_data(gadget, NULL); 283 return -ENOMEM; 284 } 285 286 spin_lock_irqsave(&dev->lock, flags); 287 dev->req = req; 288 dev->req->context = dev; 289 dev->req->complete = gadget_ep0_complete; 290 dev->gadget = gadget; 291 gadget_for_each_ep(ep, dev->gadget) { 292 dev->eps[i].ep = ep; 293 dev->eps[i].addr = get_ep_addr(ep->name); 294 dev->eps[i].state = STATE_EP_DISABLED; 295 i++; 296 } 297 dev->eps_num = i; 298 spin_unlock_irqrestore(&dev->lock, flags); 299 300 /* Matches kref_put() in gadget_unbind(). */ 301 kref_get(&dev->count); 302 303 ret = raw_queue_event(dev, USB_RAW_EVENT_CONNECT, 0, NULL); 304 if (ret < 0) 305 dev_err(&gadget->dev, "failed to queue event\n"); 306 307 return ret; 308 } 309 310 static void gadget_unbind(struct usb_gadget *gadget) 311 { 312 struct raw_dev *dev = get_gadget_data(gadget); 313 314 set_gadget_data(gadget, NULL); 315 /* Matches kref_get() in gadget_bind(). */ 316 kref_put(&dev->count, dev_free); 317 } 318 319 static int gadget_setup(struct usb_gadget *gadget, 320 const struct usb_ctrlrequest *ctrl) 321 { 322 int ret = 0; 323 struct raw_dev *dev = get_gadget_data(gadget); 324 unsigned long flags; 325 326 spin_lock_irqsave(&dev->lock, flags); 327 if (dev->state != STATE_DEV_RUNNING) { 328 dev_err(&gadget->dev, "ignoring, device is not running\n"); 329 ret = -ENODEV; 330 goto out_unlock; 331 } 332 if (dev->ep0_in_pending || dev->ep0_out_pending) { 333 dev_dbg(&gadget->dev, "stalling, request already pending\n"); 334 ret = -EBUSY; 335 goto out_unlock; 336 } 337 if ((ctrl->bRequestType & USB_DIR_IN) && ctrl->wLength) 338 dev->ep0_in_pending = true; 339 else 340 dev->ep0_out_pending = true; 341 spin_unlock_irqrestore(&dev->lock, flags); 342 343 ret = raw_queue_event(dev, USB_RAW_EVENT_CONTROL, sizeof(*ctrl), ctrl); 344 if (ret < 0) 345 dev_err(&gadget->dev, "failed to queue event\n"); 346 goto out; 347 348 out_unlock: 349 spin_unlock_irqrestore(&dev->lock, flags); 350 out: 351 return ret; 352 } 353 354 /* These are currently unused but present in case UDC driver requires them. */ 355 static void gadget_disconnect(struct usb_gadget *gadget) { } 356 static void gadget_suspend(struct usb_gadget *gadget) { } 357 static void gadget_resume(struct usb_gadget *gadget) { } 358 static void gadget_reset(struct usb_gadget *gadget) { } 359 360 /*----------------------------------------------------------------------*/ 361 362 static struct miscdevice raw_misc_device; 363 364 static int raw_open(struct inode *inode, struct file *fd) 365 { 366 struct raw_dev *dev; 367 368 /* Nonblocking I/O is not supported yet. */ 369 if (fd->f_flags & O_NONBLOCK) 370 return -EINVAL; 371 372 dev = dev_new(); 373 if (!dev) 374 return -ENOMEM; 375 fd->private_data = dev; 376 dev->state = STATE_DEV_OPENED; 377 dev->dev = raw_misc_device.this_device; 378 return 0; 379 } 380 381 static int raw_release(struct inode *inode, struct file *fd) 382 { 383 int ret = 0; 384 struct raw_dev *dev = fd->private_data; 385 unsigned long flags; 386 bool unregister = false; 387 388 spin_lock_irqsave(&dev->lock, flags); 389 dev->state = STATE_DEV_CLOSED; 390 if (!dev->gadget) { 391 spin_unlock_irqrestore(&dev->lock, flags); 392 goto out_put; 393 } 394 if (dev->gadget_registered) 395 unregister = true; 396 dev->gadget_registered = false; 397 spin_unlock_irqrestore(&dev->lock, flags); 398 399 if (unregister) { 400 ret = usb_gadget_unregister_driver(&dev->driver); 401 if (ret != 0) 402 dev_err(dev->dev, 403 "usb_gadget_unregister_driver() failed with %d\n", 404 ret); 405 /* Matches kref_get() in raw_ioctl_run(). */ 406 kref_put(&dev->count, dev_free); 407 } 408 409 out_put: 410 /* Matches dev_new() in raw_open(). */ 411 kref_put(&dev->count, dev_free); 412 return ret; 413 } 414 415 /*----------------------------------------------------------------------*/ 416 417 static int raw_ioctl_init(struct raw_dev *dev, unsigned long value) 418 { 419 int ret = 0; 420 struct usb_raw_init arg; 421 char *udc_driver_name; 422 char *udc_device_name; 423 unsigned long flags; 424 425 if (copy_from_user(&arg, (void __user *)value, sizeof(arg))) 426 return -EFAULT; 427 428 switch (arg.speed) { 429 case USB_SPEED_UNKNOWN: 430 arg.speed = USB_SPEED_HIGH; 431 break; 432 case USB_SPEED_LOW: 433 case USB_SPEED_FULL: 434 case USB_SPEED_HIGH: 435 case USB_SPEED_SUPER: 436 break; 437 default: 438 return -EINVAL; 439 } 440 441 udc_driver_name = kmalloc(UDC_NAME_LENGTH_MAX, GFP_KERNEL); 442 if (!udc_driver_name) 443 return -ENOMEM; 444 ret = strscpy(udc_driver_name, &arg.driver_name[0], 445 UDC_NAME_LENGTH_MAX); 446 if (ret < 0) { 447 kfree(udc_driver_name); 448 return ret; 449 } 450 ret = 0; 451 452 udc_device_name = kmalloc(UDC_NAME_LENGTH_MAX, GFP_KERNEL); 453 if (!udc_device_name) { 454 kfree(udc_driver_name); 455 return -ENOMEM; 456 } 457 ret = strscpy(udc_device_name, &arg.device_name[0], 458 UDC_NAME_LENGTH_MAX); 459 if (ret < 0) { 460 kfree(udc_driver_name); 461 kfree(udc_device_name); 462 return ret; 463 } 464 ret = 0; 465 466 spin_lock_irqsave(&dev->lock, flags); 467 if (dev->state != STATE_DEV_OPENED) { 468 dev_dbg(dev->dev, "fail, device is not opened\n"); 469 kfree(udc_driver_name); 470 kfree(udc_device_name); 471 ret = -EINVAL; 472 goto out_unlock; 473 } 474 dev->udc_name = udc_driver_name; 475 476 dev->driver.function = DRIVER_DESC; 477 dev->driver.max_speed = arg.speed; 478 dev->driver.setup = gadget_setup; 479 dev->driver.disconnect = gadget_disconnect; 480 dev->driver.bind = gadget_bind; 481 dev->driver.unbind = gadget_unbind; 482 dev->driver.suspend = gadget_suspend; 483 dev->driver.resume = gadget_resume; 484 dev->driver.reset = gadget_reset; 485 dev->driver.driver.name = DRIVER_NAME; 486 dev->driver.udc_name = udc_device_name; 487 dev->driver.match_existing_only = 1; 488 489 dev->state = STATE_DEV_INITIALIZED; 490 491 out_unlock: 492 spin_unlock_irqrestore(&dev->lock, flags); 493 return ret; 494 } 495 496 static int raw_ioctl_run(struct raw_dev *dev, unsigned long value) 497 { 498 int ret = 0; 499 unsigned long flags; 500 501 if (value) 502 return -EINVAL; 503 504 spin_lock_irqsave(&dev->lock, flags); 505 if (dev->state != STATE_DEV_INITIALIZED) { 506 dev_dbg(dev->dev, "fail, device is not initialized\n"); 507 ret = -EINVAL; 508 goto out_unlock; 509 } 510 spin_unlock_irqrestore(&dev->lock, flags); 511 512 ret = usb_gadget_probe_driver(&dev->driver); 513 514 spin_lock_irqsave(&dev->lock, flags); 515 if (ret) { 516 dev_err(dev->dev, 517 "fail, usb_gadget_probe_driver returned %d\n", ret); 518 dev->state = STATE_DEV_FAILED; 519 goto out_unlock; 520 } 521 dev->gadget_registered = true; 522 dev->state = STATE_DEV_RUNNING; 523 /* Matches kref_put() in raw_release(). */ 524 kref_get(&dev->count); 525 526 out_unlock: 527 spin_unlock_irqrestore(&dev->lock, flags); 528 return ret; 529 } 530 531 static int raw_ioctl_event_fetch(struct raw_dev *dev, unsigned long value) 532 { 533 struct usb_raw_event arg; 534 unsigned long flags; 535 struct usb_raw_event *event; 536 uint32_t length; 537 538 if (copy_from_user(&arg, (void __user *)value, sizeof(arg))) 539 return -EFAULT; 540 541 spin_lock_irqsave(&dev->lock, flags); 542 if (dev->state != STATE_DEV_RUNNING) { 543 dev_dbg(dev->dev, "fail, device is not running\n"); 544 spin_unlock_irqrestore(&dev->lock, flags); 545 return -EINVAL; 546 } 547 if (!dev->gadget) { 548 dev_dbg(dev->dev, "fail, gadget is not bound\n"); 549 spin_unlock_irqrestore(&dev->lock, flags); 550 return -EBUSY; 551 } 552 spin_unlock_irqrestore(&dev->lock, flags); 553 554 event = raw_event_queue_fetch(&dev->queue); 555 if (PTR_ERR(event) == -EINTR) { 556 dev_dbg(&dev->gadget->dev, "event fetching interrupted\n"); 557 return -EINTR; 558 } 559 if (IS_ERR(event)) { 560 dev_err(&dev->gadget->dev, "failed to fetch event\n"); 561 spin_lock_irqsave(&dev->lock, flags); 562 dev->state = STATE_DEV_FAILED; 563 spin_unlock_irqrestore(&dev->lock, flags); 564 return -ENODEV; 565 } 566 length = min(arg.length, event->length); 567 if (copy_to_user((void __user *)value, event, sizeof(*event) + length)) { 568 kfree(event); 569 return -EFAULT; 570 } 571 572 kfree(event); 573 return 0; 574 } 575 576 static void *raw_alloc_io_data(struct usb_raw_ep_io *io, void __user *ptr, 577 bool get_from_user) 578 { 579 void *data; 580 581 if (copy_from_user(io, ptr, sizeof(*io))) 582 return ERR_PTR(-EFAULT); 583 if (io->ep >= USB_RAW_EPS_NUM_MAX) 584 return ERR_PTR(-EINVAL); 585 if (!usb_raw_io_flags_valid(io->flags)) 586 return ERR_PTR(-EINVAL); 587 if (io->length > PAGE_SIZE) 588 return ERR_PTR(-EINVAL); 589 if (get_from_user) 590 data = memdup_user(ptr + sizeof(*io), io->length); 591 else { 592 data = kmalloc(io->length, GFP_KERNEL); 593 if (!data) 594 data = ERR_PTR(-ENOMEM); 595 } 596 return data; 597 } 598 599 static int raw_process_ep0_io(struct raw_dev *dev, struct usb_raw_ep_io *io, 600 void *data, bool in) 601 { 602 int ret = 0; 603 unsigned long flags; 604 605 spin_lock_irqsave(&dev->lock, flags); 606 if (dev->state != STATE_DEV_RUNNING) { 607 dev_dbg(dev->dev, "fail, device is not running\n"); 608 ret = -EINVAL; 609 goto out_unlock; 610 } 611 if (!dev->gadget) { 612 dev_dbg(dev->dev, "fail, gadget is not bound\n"); 613 ret = -EBUSY; 614 goto out_unlock; 615 } 616 if (dev->ep0_urb_queued) { 617 dev_dbg(&dev->gadget->dev, "fail, urb already queued\n"); 618 ret = -EBUSY; 619 goto out_unlock; 620 } 621 if ((in && !dev->ep0_in_pending) || 622 (!in && !dev->ep0_out_pending)) { 623 dev_dbg(&dev->gadget->dev, "fail, wrong direction\n"); 624 ret = -EBUSY; 625 goto out_unlock; 626 } 627 if (WARN_ON(in && dev->ep0_out_pending)) { 628 ret = -ENODEV; 629 dev->state = STATE_DEV_FAILED; 630 goto out_done; 631 } 632 if (WARN_ON(!in && dev->ep0_in_pending)) { 633 ret = -ENODEV; 634 dev->state = STATE_DEV_FAILED; 635 goto out_done; 636 } 637 638 dev->req->buf = data; 639 dev->req->length = io->length; 640 dev->req->zero = usb_raw_io_flags_zero(io->flags); 641 dev->ep0_urb_queued = true; 642 spin_unlock_irqrestore(&dev->lock, flags); 643 644 ret = usb_ep_queue(dev->gadget->ep0, dev->req, GFP_KERNEL); 645 if (ret) { 646 dev_err(&dev->gadget->dev, 647 "fail, usb_ep_queue returned %d\n", ret); 648 spin_lock_irqsave(&dev->lock, flags); 649 dev->state = STATE_DEV_FAILED; 650 goto out_done; 651 } 652 653 ret = wait_for_completion_interruptible(&dev->ep0_done); 654 if (ret) { 655 dev_dbg(&dev->gadget->dev, "wait interrupted\n"); 656 usb_ep_dequeue(dev->gadget->ep0, dev->req); 657 wait_for_completion(&dev->ep0_done); 658 spin_lock_irqsave(&dev->lock, flags); 659 goto out_done; 660 } 661 662 spin_lock_irqsave(&dev->lock, flags); 663 ret = dev->ep0_status; 664 665 out_done: 666 dev->ep0_urb_queued = false; 667 out_unlock: 668 spin_unlock_irqrestore(&dev->lock, flags); 669 return ret; 670 } 671 672 static int raw_ioctl_ep0_write(struct raw_dev *dev, unsigned long value) 673 { 674 int ret = 0; 675 void *data; 676 struct usb_raw_ep_io io; 677 678 data = raw_alloc_io_data(&io, (void __user *)value, true); 679 if (IS_ERR(data)) 680 return PTR_ERR(data); 681 ret = raw_process_ep0_io(dev, &io, data, true); 682 kfree(data); 683 return ret; 684 } 685 686 static int raw_ioctl_ep0_read(struct raw_dev *dev, unsigned long value) 687 { 688 int ret = 0; 689 void *data; 690 struct usb_raw_ep_io io; 691 unsigned int length; 692 693 data = raw_alloc_io_data(&io, (void __user *)value, false); 694 if (IS_ERR(data)) 695 return PTR_ERR(data); 696 ret = raw_process_ep0_io(dev, &io, data, false); 697 if (ret < 0) 698 goto free; 699 700 length = min(io.length, (unsigned int)ret); 701 if (copy_to_user((void __user *)(value + sizeof(io)), data, length)) 702 ret = -EFAULT; 703 else 704 ret = length; 705 free: 706 kfree(data); 707 return ret; 708 } 709 710 static int raw_ioctl_ep0_stall(struct raw_dev *dev, unsigned long value) 711 { 712 int ret = 0; 713 unsigned long flags; 714 715 if (value) 716 return -EINVAL; 717 spin_lock_irqsave(&dev->lock, flags); 718 if (dev->state != STATE_DEV_RUNNING) { 719 dev_dbg(dev->dev, "fail, device is not running\n"); 720 ret = -EINVAL; 721 goto out_unlock; 722 } 723 if (!dev->gadget) { 724 dev_dbg(dev->dev, "fail, gadget is not bound\n"); 725 ret = -EBUSY; 726 goto out_unlock; 727 } 728 if (dev->ep0_urb_queued) { 729 dev_dbg(&dev->gadget->dev, "fail, urb already queued\n"); 730 ret = -EBUSY; 731 goto out_unlock; 732 } 733 if (!dev->ep0_in_pending && !dev->ep0_out_pending) { 734 dev_dbg(&dev->gadget->dev, "fail, no request pending\n"); 735 ret = -EBUSY; 736 goto out_unlock; 737 } 738 739 ret = usb_ep_set_halt(dev->gadget->ep0); 740 if (ret < 0) 741 dev_err(&dev->gadget->dev, 742 "fail, usb_ep_set_halt returned %d\n", ret); 743 744 if (dev->ep0_in_pending) 745 dev->ep0_in_pending = false; 746 else 747 dev->ep0_out_pending = false; 748 749 out_unlock: 750 spin_unlock_irqrestore(&dev->lock, flags); 751 return ret; 752 } 753 754 static int raw_ioctl_ep_enable(struct raw_dev *dev, unsigned long value) 755 { 756 int ret = 0, i; 757 unsigned long flags; 758 struct usb_endpoint_descriptor *desc; 759 struct raw_ep *ep; 760 761 desc = memdup_user((void __user *)value, sizeof(*desc)); 762 if (IS_ERR(desc)) 763 return PTR_ERR(desc); 764 765 /* 766 * Endpoints with a maxpacket length of 0 can cause crashes in UDC 767 * drivers. 768 */ 769 if (usb_endpoint_maxp(desc) == 0) { 770 dev_dbg(dev->dev, "fail, bad endpoint maxpacket\n"); 771 kfree(desc); 772 return -EINVAL; 773 } 774 775 spin_lock_irqsave(&dev->lock, flags); 776 if (dev->state != STATE_DEV_RUNNING) { 777 dev_dbg(dev->dev, "fail, device is not running\n"); 778 ret = -EINVAL; 779 goto out_free; 780 } 781 if (!dev->gadget) { 782 dev_dbg(dev->dev, "fail, gadget is not bound\n"); 783 ret = -EBUSY; 784 goto out_free; 785 } 786 787 for (i = 0; i < dev->eps_num; i++) { 788 ep = &dev->eps[i]; 789 if (ep->state != STATE_EP_DISABLED) 790 continue; 791 if (ep->addr != usb_endpoint_num(desc) && 792 ep->addr != USB_RAW_EP_ADDR_ANY) 793 continue; 794 if (!usb_gadget_ep_match_desc(dev->gadget, ep->ep, desc, NULL)) 795 continue; 796 ep->ep->desc = desc; 797 ret = usb_ep_enable(ep->ep); 798 if (ret < 0) { 799 dev_err(&dev->gadget->dev, 800 "fail, usb_ep_enable returned %d\n", ret); 801 goto out_free; 802 } 803 ep->req = usb_ep_alloc_request(ep->ep, GFP_ATOMIC); 804 if (!ep->req) { 805 dev_err(&dev->gadget->dev, 806 "fail, usb_ep_alloc_request failed\n"); 807 usb_ep_disable(ep->ep); 808 ret = -ENOMEM; 809 goto out_free; 810 } 811 ep->state = STATE_EP_ENABLED; 812 ep->ep->driver_data = ep; 813 ret = i; 814 goto out_unlock; 815 } 816 817 dev_dbg(&dev->gadget->dev, "fail, no gadget endpoints available\n"); 818 ret = -EBUSY; 819 820 out_free: 821 kfree(desc); 822 out_unlock: 823 spin_unlock_irqrestore(&dev->lock, flags); 824 return ret; 825 } 826 827 static int raw_ioctl_ep_disable(struct raw_dev *dev, unsigned long value) 828 { 829 int ret = 0, i = value; 830 unsigned long flags; 831 832 spin_lock_irqsave(&dev->lock, flags); 833 if (dev->state != STATE_DEV_RUNNING) { 834 dev_dbg(dev->dev, "fail, device is not running\n"); 835 ret = -EINVAL; 836 goto out_unlock; 837 } 838 if (!dev->gadget) { 839 dev_dbg(dev->dev, "fail, gadget is not bound\n"); 840 ret = -EBUSY; 841 goto out_unlock; 842 } 843 if (i < 0 || i >= dev->eps_num) { 844 dev_dbg(dev->dev, "fail, invalid endpoint\n"); 845 ret = -EBUSY; 846 goto out_unlock; 847 } 848 if (dev->eps[i].state == STATE_EP_DISABLED) { 849 dev_dbg(&dev->gadget->dev, "fail, endpoint is not enabled\n"); 850 ret = -EINVAL; 851 goto out_unlock; 852 } 853 if (dev->eps[i].disabling) { 854 dev_dbg(&dev->gadget->dev, 855 "fail, disable already in progress\n"); 856 ret = -EINVAL; 857 goto out_unlock; 858 } 859 if (dev->eps[i].urb_queued) { 860 dev_dbg(&dev->gadget->dev, 861 "fail, waiting for urb completion\n"); 862 ret = -EINVAL; 863 goto out_unlock; 864 } 865 dev->eps[i].disabling = true; 866 spin_unlock_irqrestore(&dev->lock, flags); 867 868 usb_ep_disable(dev->eps[i].ep); 869 870 spin_lock_irqsave(&dev->lock, flags); 871 usb_ep_free_request(dev->eps[i].ep, dev->eps[i].req); 872 kfree(dev->eps[i].ep->desc); 873 dev->eps[i].state = STATE_EP_DISABLED; 874 dev->eps[i].disabling = false; 875 876 out_unlock: 877 spin_unlock_irqrestore(&dev->lock, flags); 878 return ret; 879 } 880 881 static int raw_ioctl_ep_set_clear_halt_wedge(struct raw_dev *dev, 882 unsigned long value, bool set, bool halt) 883 { 884 int ret = 0, i = value; 885 unsigned long flags; 886 887 spin_lock_irqsave(&dev->lock, flags); 888 if (dev->state != STATE_DEV_RUNNING) { 889 dev_dbg(dev->dev, "fail, device is not running\n"); 890 ret = -EINVAL; 891 goto out_unlock; 892 } 893 if (!dev->gadget) { 894 dev_dbg(dev->dev, "fail, gadget is not bound\n"); 895 ret = -EBUSY; 896 goto out_unlock; 897 } 898 if (i < 0 || i >= dev->eps_num) { 899 dev_dbg(dev->dev, "fail, invalid endpoint\n"); 900 ret = -EBUSY; 901 goto out_unlock; 902 } 903 if (dev->eps[i].state == STATE_EP_DISABLED) { 904 dev_dbg(&dev->gadget->dev, "fail, endpoint is not enabled\n"); 905 ret = -EINVAL; 906 goto out_unlock; 907 } 908 if (dev->eps[i].disabling) { 909 dev_dbg(&dev->gadget->dev, 910 "fail, disable is in progress\n"); 911 ret = -EINVAL; 912 goto out_unlock; 913 } 914 if (dev->eps[i].urb_queued) { 915 dev_dbg(&dev->gadget->dev, 916 "fail, waiting for urb completion\n"); 917 ret = -EINVAL; 918 goto out_unlock; 919 } 920 if (usb_endpoint_xfer_isoc(dev->eps[i].ep->desc)) { 921 dev_dbg(&dev->gadget->dev, 922 "fail, can't halt/wedge ISO endpoint\n"); 923 ret = -EINVAL; 924 goto out_unlock; 925 } 926 927 if (set && halt) { 928 ret = usb_ep_set_halt(dev->eps[i].ep); 929 if (ret < 0) 930 dev_err(&dev->gadget->dev, 931 "fail, usb_ep_set_halt returned %d\n", ret); 932 } else if (!set && halt) { 933 ret = usb_ep_clear_halt(dev->eps[i].ep); 934 if (ret < 0) 935 dev_err(&dev->gadget->dev, 936 "fail, usb_ep_clear_halt returned %d\n", ret); 937 } else if (set && !halt) { 938 ret = usb_ep_set_wedge(dev->eps[i].ep); 939 if (ret < 0) 940 dev_err(&dev->gadget->dev, 941 "fail, usb_ep_set_wedge returned %d\n", ret); 942 } 943 944 out_unlock: 945 spin_unlock_irqrestore(&dev->lock, flags); 946 return ret; 947 } 948 949 static void gadget_ep_complete(struct usb_ep *ep, struct usb_request *req) 950 { 951 struct raw_ep *r_ep = (struct raw_ep *)ep->driver_data; 952 struct raw_dev *dev = r_ep->dev; 953 unsigned long flags; 954 955 spin_lock_irqsave(&dev->lock, flags); 956 if (req->status) 957 r_ep->status = req->status; 958 else 959 r_ep->status = req->actual; 960 spin_unlock_irqrestore(&dev->lock, flags); 961 962 complete((struct completion *)req->context); 963 } 964 965 static int raw_process_ep_io(struct raw_dev *dev, struct usb_raw_ep_io *io, 966 void *data, bool in) 967 { 968 int ret = 0; 969 unsigned long flags; 970 struct raw_ep *ep; 971 DECLARE_COMPLETION_ONSTACK(done); 972 973 spin_lock_irqsave(&dev->lock, flags); 974 if (dev->state != STATE_DEV_RUNNING) { 975 dev_dbg(dev->dev, "fail, device is not running\n"); 976 ret = -EINVAL; 977 goto out_unlock; 978 } 979 if (!dev->gadget) { 980 dev_dbg(dev->dev, "fail, gadget is not bound\n"); 981 ret = -EBUSY; 982 goto out_unlock; 983 } 984 if (io->ep >= dev->eps_num) { 985 dev_dbg(&dev->gadget->dev, "fail, invalid endpoint\n"); 986 ret = -EINVAL; 987 goto out_unlock; 988 } 989 ep = &dev->eps[io->ep]; 990 if (ep->state != STATE_EP_ENABLED) { 991 dev_dbg(&dev->gadget->dev, "fail, endpoint is not enabled\n"); 992 ret = -EBUSY; 993 goto out_unlock; 994 } 995 if (ep->disabling) { 996 dev_dbg(&dev->gadget->dev, 997 "fail, endpoint is already being disabled\n"); 998 ret = -EBUSY; 999 goto out_unlock; 1000 } 1001 if (ep->urb_queued) { 1002 dev_dbg(&dev->gadget->dev, "fail, urb already queued\n"); 1003 ret = -EBUSY; 1004 goto out_unlock; 1005 } 1006 if ((in && !ep->ep->caps.dir_in) || (!in && ep->ep->caps.dir_in)) { 1007 dev_dbg(&dev->gadget->dev, "fail, wrong direction\n"); 1008 ret = -EINVAL; 1009 goto out_unlock; 1010 } 1011 1012 ep->dev = dev; 1013 ep->req->context = &done; 1014 ep->req->complete = gadget_ep_complete; 1015 ep->req->buf = data; 1016 ep->req->length = io->length; 1017 ep->req->zero = usb_raw_io_flags_zero(io->flags); 1018 ep->urb_queued = true; 1019 spin_unlock_irqrestore(&dev->lock, flags); 1020 1021 ret = usb_ep_queue(ep->ep, ep->req, GFP_KERNEL); 1022 if (ret) { 1023 dev_err(&dev->gadget->dev, 1024 "fail, usb_ep_queue returned %d\n", ret); 1025 spin_lock_irqsave(&dev->lock, flags); 1026 dev->state = STATE_DEV_FAILED; 1027 goto out_done; 1028 } 1029 1030 ret = wait_for_completion_interruptible(&done); 1031 if (ret) { 1032 dev_dbg(&dev->gadget->dev, "wait interrupted\n"); 1033 usb_ep_dequeue(ep->ep, ep->req); 1034 wait_for_completion(&done); 1035 spin_lock_irqsave(&dev->lock, flags); 1036 goto out_done; 1037 } 1038 1039 spin_lock_irqsave(&dev->lock, flags); 1040 ret = ep->status; 1041 1042 out_done: 1043 ep->urb_queued = false; 1044 out_unlock: 1045 spin_unlock_irqrestore(&dev->lock, flags); 1046 return ret; 1047 } 1048 1049 static int raw_ioctl_ep_write(struct raw_dev *dev, unsigned long value) 1050 { 1051 int ret = 0; 1052 char *data; 1053 struct usb_raw_ep_io io; 1054 1055 data = raw_alloc_io_data(&io, (void __user *)value, true); 1056 if (IS_ERR(data)) 1057 return PTR_ERR(data); 1058 ret = raw_process_ep_io(dev, &io, data, true); 1059 kfree(data); 1060 return ret; 1061 } 1062 1063 static int raw_ioctl_ep_read(struct raw_dev *dev, unsigned long value) 1064 { 1065 int ret = 0; 1066 char *data; 1067 struct usb_raw_ep_io io; 1068 unsigned int length; 1069 1070 data = raw_alloc_io_data(&io, (void __user *)value, false); 1071 if (IS_ERR(data)) 1072 return PTR_ERR(data); 1073 ret = raw_process_ep_io(dev, &io, data, false); 1074 if (ret < 0) 1075 goto free; 1076 1077 length = min(io.length, (unsigned int)ret); 1078 if (copy_to_user((void __user *)(value + sizeof(io)), data, length)) 1079 ret = -EFAULT; 1080 else 1081 ret = length; 1082 free: 1083 kfree(data); 1084 return ret; 1085 } 1086 1087 static int raw_ioctl_configure(struct raw_dev *dev, unsigned long value) 1088 { 1089 int ret = 0; 1090 unsigned long flags; 1091 1092 if (value) 1093 return -EINVAL; 1094 spin_lock_irqsave(&dev->lock, flags); 1095 if (dev->state != STATE_DEV_RUNNING) { 1096 dev_dbg(dev->dev, "fail, device is not running\n"); 1097 ret = -EINVAL; 1098 goto out_unlock; 1099 } 1100 if (!dev->gadget) { 1101 dev_dbg(dev->dev, "fail, gadget is not bound\n"); 1102 ret = -EBUSY; 1103 goto out_unlock; 1104 } 1105 usb_gadget_set_state(dev->gadget, USB_STATE_CONFIGURED); 1106 1107 out_unlock: 1108 spin_unlock_irqrestore(&dev->lock, flags); 1109 return ret; 1110 } 1111 1112 static int raw_ioctl_vbus_draw(struct raw_dev *dev, unsigned long value) 1113 { 1114 int ret = 0; 1115 unsigned long flags; 1116 1117 spin_lock_irqsave(&dev->lock, flags); 1118 if (dev->state != STATE_DEV_RUNNING) { 1119 dev_dbg(dev->dev, "fail, device is not running\n"); 1120 ret = -EINVAL; 1121 goto out_unlock; 1122 } 1123 if (!dev->gadget) { 1124 dev_dbg(dev->dev, "fail, gadget is not bound\n"); 1125 ret = -EBUSY; 1126 goto out_unlock; 1127 } 1128 usb_gadget_vbus_draw(dev->gadget, 2 * value); 1129 1130 out_unlock: 1131 spin_unlock_irqrestore(&dev->lock, flags); 1132 return ret; 1133 } 1134 1135 static void fill_ep_caps(struct usb_ep_caps *caps, 1136 struct usb_raw_ep_caps *raw_caps) 1137 { 1138 raw_caps->type_control = caps->type_control; 1139 raw_caps->type_iso = caps->type_iso; 1140 raw_caps->type_bulk = caps->type_bulk; 1141 raw_caps->type_int = caps->type_int; 1142 raw_caps->dir_in = caps->dir_in; 1143 raw_caps->dir_out = caps->dir_out; 1144 } 1145 1146 static void fill_ep_limits(struct usb_ep *ep, struct usb_raw_ep_limits *limits) 1147 { 1148 limits->maxpacket_limit = ep->maxpacket_limit; 1149 limits->max_streams = ep->max_streams; 1150 } 1151 1152 static int raw_ioctl_eps_info(struct raw_dev *dev, unsigned long value) 1153 { 1154 int ret = 0, i; 1155 unsigned long flags; 1156 struct usb_raw_eps_info *info; 1157 struct raw_ep *ep; 1158 1159 info = kmalloc(sizeof(*info), GFP_KERNEL); 1160 if (!info) { 1161 ret = -ENOMEM; 1162 goto out; 1163 } 1164 1165 spin_lock_irqsave(&dev->lock, flags); 1166 if (dev->state != STATE_DEV_RUNNING) { 1167 dev_dbg(dev->dev, "fail, device is not running\n"); 1168 ret = -EINVAL; 1169 spin_unlock_irqrestore(&dev->lock, flags); 1170 goto out_free; 1171 } 1172 if (!dev->gadget) { 1173 dev_dbg(dev->dev, "fail, gadget is not bound\n"); 1174 ret = -EBUSY; 1175 spin_unlock_irqrestore(&dev->lock, flags); 1176 goto out_free; 1177 } 1178 1179 memset(info, 0, sizeof(*info)); 1180 for (i = 0; i < dev->eps_num; i++) { 1181 ep = &dev->eps[i]; 1182 strscpy(&info->eps[i].name[0], ep->ep->name, 1183 USB_RAW_EP_NAME_MAX); 1184 info->eps[i].addr = ep->addr; 1185 fill_ep_caps(&ep->ep->caps, &info->eps[i].caps); 1186 fill_ep_limits(ep->ep, &info->eps[i].limits); 1187 } 1188 ret = dev->eps_num; 1189 spin_unlock_irqrestore(&dev->lock, flags); 1190 1191 if (copy_to_user((void __user *)value, info, sizeof(*info))) 1192 ret = -EFAULT; 1193 1194 out_free: 1195 kfree(info); 1196 out: 1197 return ret; 1198 } 1199 1200 static long raw_ioctl(struct file *fd, unsigned int cmd, unsigned long value) 1201 { 1202 struct raw_dev *dev = fd->private_data; 1203 int ret = 0; 1204 1205 if (!dev) 1206 return -EBUSY; 1207 1208 switch (cmd) { 1209 case USB_RAW_IOCTL_INIT: 1210 ret = raw_ioctl_init(dev, value); 1211 break; 1212 case USB_RAW_IOCTL_RUN: 1213 ret = raw_ioctl_run(dev, value); 1214 break; 1215 case USB_RAW_IOCTL_EVENT_FETCH: 1216 ret = raw_ioctl_event_fetch(dev, value); 1217 break; 1218 case USB_RAW_IOCTL_EP0_WRITE: 1219 ret = raw_ioctl_ep0_write(dev, value); 1220 break; 1221 case USB_RAW_IOCTL_EP0_READ: 1222 ret = raw_ioctl_ep0_read(dev, value); 1223 break; 1224 case USB_RAW_IOCTL_EP_ENABLE: 1225 ret = raw_ioctl_ep_enable(dev, value); 1226 break; 1227 case USB_RAW_IOCTL_EP_DISABLE: 1228 ret = raw_ioctl_ep_disable(dev, value); 1229 break; 1230 case USB_RAW_IOCTL_EP_WRITE: 1231 ret = raw_ioctl_ep_write(dev, value); 1232 break; 1233 case USB_RAW_IOCTL_EP_READ: 1234 ret = raw_ioctl_ep_read(dev, value); 1235 break; 1236 case USB_RAW_IOCTL_CONFIGURE: 1237 ret = raw_ioctl_configure(dev, value); 1238 break; 1239 case USB_RAW_IOCTL_VBUS_DRAW: 1240 ret = raw_ioctl_vbus_draw(dev, value); 1241 break; 1242 case USB_RAW_IOCTL_EPS_INFO: 1243 ret = raw_ioctl_eps_info(dev, value); 1244 break; 1245 case USB_RAW_IOCTL_EP0_STALL: 1246 ret = raw_ioctl_ep0_stall(dev, value); 1247 break; 1248 case USB_RAW_IOCTL_EP_SET_HALT: 1249 ret = raw_ioctl_ep_set_clear_halt_wedge( 1250 dev, value, true, true); 1251 break; 1252 case USB_RAW_IOCTL_EP_CLEAR_HALT: 1253 ret = raw_ioctl_ep_set_clear_halt_wedge( 1254 dev, value, false, true); 1255 break; 1256 case USB_RAW_IOCTL_EP_SET_WEDGE: 1257 ret = raw_ioctl_ep_set_clear_halt_wedge( 1258 dev, value, true, false); 1259 break; 1260 default: 1261 ret = -EINVAL; 1262 } 1263 1264 return ret; 1265 } 1266 1267 /*----------------------------------------------------------------------*/ 1268 1269 static const struct file_operations raw_fops = { 1270 .open = raw_open, 1271 .unlocked_ioctl = raw_ioctl, 1272 .compat_ioctl = raw_ioctl, 1273 .release = raw_release, 1274 .llseek = no_llseek, 1275 }; 1276 1277 static struct miscdevice raw_misc_device = { 1278 .minor = MISC_DYNAMIC_MINOR, 1279 .name = DRIVER_NAME, 1280 .fops = &raw_fops, 1281 }; 1282 1283 module_misc_device(raw_misc_device); 1284