xref: /linux/drivers/usb/misc/usbtest.c (revision b889fcf63cb62e7fdb7816565e28f44dbe4a76a5)
1 #include <linux/kernel.h>
2 #include <linux/errno.h>
3 #include <linux/init.h>
4 #include <linux/slab.h>
5 #include <linux/mm.h>
6 #include <linux/module.h>
7 #include <linux/moduleparam.h>
8 #include <linux/scatterlist.h>
9 #include <linux/mutex.h>
10 
11 #include <linux/usb.h>
12 
13 
14 /*-------------------------------------------------------------------------*/
15 
16 /* FIXME make these public somewhere; usbdevfs.h? */
17 struct usbtest_param {
18 	/* inputs */
19 	unsigned		test_num;	/* 0..(TEST_CASES-1) */
20 	unsigned		iterations;
21 	unsigned		length;
22 	unsigned		vary;
23 	unsigned		sglen;
24 
25 	/* outputs */
26 	struct timeval		duration;
27 };
28 #define USBTEST_REQUEST	_IOWR('U', 100, struct usbtest_param)
29 
30 /*-------------------------------------------------------------------------*/
31 
32 #define	GENERIC		/* let probe() bind using module params */
33 
34 /* Some devices that can be used for testing will have "real" drivers.
35  * Entries for those need to be enabled here by hand, after disabling
36  * that "real" driver.
37  */
38 //#define	IBOT2		/* grab iBOT2 webcams */
39 //#define	KEYSPAN_19Qi	/* grab un-renumerated serial adapter */
40 
41 /*-------------------------------------------------------------------------*/
42 
43 struct usbtest_info {
44 	const char		*name;
45 	u8			ep_in;		/* bulk/intr source */
46 	u8			ep_out;		/* bulk/intr sink */
47 	unsigned		autoconf:1;
48 	unsigned		ctrl_out:1;
49 	unsigned		iso:1;		/* try iso in/out */
50 	int			alt;
51 };
52 
53 /* this is accessed only through usbfs ioctl calls.
54  * one ioctl to issue a test ... one lock per device.
55  * tests create other threads if they need them.
56  * urbs and buffers are allocated dynamically,
57  * and data generated deterministically.
58  */
59 struct usbtest_dev {
60 	struct usb_interface	*intf;
61 	struct usbtest_info	*info;
62 	int			in_pipe;
63 	int			out_pipe;
64 	int			in_iso_pipe;
65 	int			out_iso_pipe;
66 	struct usb_endpoint_descriptor	*iso_in, *iso_out;
67 	struct mutex		lock;
68 
69 #define TBUF_SIZE	256
70 	u8			*buf;
71 };
72 
73 static struct usb_device *testdev_to_usbdev(struct usbtest_dev *test)
74 {
75 	return interface_to_usbdev(test->intf);
76 }
77 
78 /* set up all urbs so they can be used with either bulk or interrupt */
79 #define	INTERRUPT_RATE		1	/* msec/transfer */
80 
81 #define ERROR(tdev, fmt, args...) \
82 	dev_err(&(tdev)->intf->dev , fmt , ## args)
83 #define WARNING(tdev, fmt, args...) \
84 	dev_warn(&(tdev)->intf->dev , fmt , ## args)
85 
86 #define GUARD_BYTE	0xA5
87 
88 /*-------------------------------------------------------------------------*/
89 
90 static int
91 get_endpoints(struct usbtest_dev *dev, struct usb_interface *intf)
92 {
93 	int				tmp;
94 	struct usb_host_interface	*alt;
95 	struct usb_host_endpoint	*in, *out;
96 	struct usb_host_endpoint	*iso_in, *iso_out;
97 	struct usb_device		*udev;
98 
99 	for (tmp = 0; tmp < intf->num_altsetting; tmp++) {
100 		unsigned	ep;
101 
102 		in = out = NULL;
103 		iso_in = iso_out = NULL;
104 		alt = intf->altsetting + tmp;
105 
106 		/* take the first altsetting with in-bulk + out-bulk;
107 		 * ignore other endpoints and altsettings.
108 		 */
109 		for (ep = 0; ep < alt->desc.bNumEndpoints; ep++) {
110 			struct usb_host_endpoint	*e;
111 
112 			e = alt->endpoint + ep;
113 			switch (e->desc.bmAttributes) {
114 			case USB_ENDPOINT_XFER_BULK:
115 				break;
116 			case USB_ENDPOINT_XFER_ISOC:
117 				if (dev->info->iso)
118 					goto try_iso;
119 				/* FALLTHROUGH */
120 			default:
121 				continue;
122 			}
123 			if (usb_endpoint_dir_in(&e->desc)) {
124 				if (!in)
125 					in = e;
126 			} else {
127 				if (!out)
128 					out = e;
129 			}
130 			continue;
131 try_iso:
132 			if (usb_endpoint_dir_in(&e->desc)) {
133 				if (!iso_in)
134 					iso_in = e;
135 			} else {
136 				if (!iso_out)
137 					iso_out = e;
138 			}
139 		}
140 		if ((in && out)  ||  iso_in || iso_out)
141 			goto found;
142 	}
143 	return -EINVAL;
144 
145 found:
146 	udev = testdev_to_usbdev(dev);
147 	if (alt->desc.bAlternateSetting != 0) {
148 		tmp = usb_set_interface(udev,
149 				alt->desc.bInterfaceNumber,
150 				alt->desc.bAlternateSetting);
151 		if (tmp < 0)
152 			return tmp;
153 	}
154 
155 	if (in) {
156 		dev->in_pipe = usb_rcvbulkpipe(udev,
157 			in->desc.bEndpointAddress & USB_ENDPOINT_NUMBER_MASK);
158 		dev->out_pipe = usb_sndbulkpipe(udev,
159 			out->desc.bEndpointAddress & USB_ENDPOINT_NUMBER_MASK);
160 	}
161 	if (iso_in) {
162 		dev->iso_in = &iso_in->desc;
163 		dev->in_iso_pipe = usb_rcvisocpipe(udev,
164 				iso_in->desc.bEndpointAddress
165 					& USB_ENDPOINT_NUMBER_MASK);
166 	}
167 
168 	if (iso_out) {
169 		dev->iso_out = &iso_out->desc;
170 		dev->out_iso_pipe = usb_sndisocpipe(udev,
171 				iso_out->desc.bEndpointAddress
172 					& USB_ENDPOINT_NUMBER_MASK);
173 	}
174 	return 0;
175 }
176 
177 /*-------------------------------------------------------------------------*/
178 
179 /* Support for testing basic non-queued I/O streams.
180  *
181  * These just package urbs as requests that can be easily canceled.
182  * Each urb's data buffer is dynamically allocated; callers can fill
183  * them with non-zero test data (or test for it) when appropriate.
184  */
185 
186 static void simple_callback(struct urb *urb)
187 {
188 	complete(urb->context);
189 }
190 
191 static struct urb *usbtest_alloc_urb(
192 	struct usb_device	*udev,
193 	int			pipe,
194 	unsigned long		bytes,
195 	unsigned		transfer_flags,
196 	unsigned		offset)
197 {
198 	struct urb		*urb;
199 
200 	urb = usb_alloc_urb(0, GFP_KERNEL);
201 	if (!urb)
202 		return urb;
203 	usb_fill_bulk_urb(urb, udev, pipe, NULL, bytes, simple_callback, NULL);
204 	urb->interval = (udev->speed == USB_SPEED_HIGH)
205 			? (INTERRUPT_RATE << 3)
206 			: INTERRUPT_RATE;
207 	urb->transfer_flags = transfer_flags;
208 	if (usb_pipein(pipe))
209 		urb->transfer_flags |= URB_SHORT_NOT_OK;
210 
211 	if (urb->transfer_flags & URB_NO_TRANSFER_DMA_MAP)
212 		urb->transfer_buffer = usb_alloc_coherent(udev, bytes + offset,
213 			GFP_KERNEL, &urb->transfer_dma);
214 	else
215 		urb->transfer_buffer = kmalloc(bytes + offset, GFP_KERNEL);
216 
217 	if (!urb->transfer_buffer) {
218 		usb_free_urb(urb);
219 		return NULL;
220 	}
221 
222 	/* To test unaligned transfers add an offset and fill the
223 		unused memory with a guard value */
224 	if (offset) {
225 		memset(urb->transfer_buffer, GUARD_BYTE, offset);
226 		urb->transfer_buffer += offset;
227 		if (urb->transfer_flags & URB_NO_TRANSFER_DMA_MAP)
228 			urb->transfer_dma += offset;
229 	}
230 
231 	/* For inbound transfers use guard byte so that test fails if
232 		data not correctly copied */
233 	memset(urb->transfer_buffer,
234 			usb_pipein(urb->pipe) ? GUARD_BYTE : 0,
235 			bytes);
236 	return urb;
237 }
238 
239 static struct urb *simple_alloc_urb(
240 	struct usb_device	*udev,
241 	int			pipe,
242 	unsigned long		bytes)
243 {
244 	return usbtest_alloc_urb(udev, pipe, bytes, URB_NO_TRANSFER_DMA_MAP, 0);
245 }
246 
247 static unsigned pattern;
248 static unsigned mod_pattern;
249 module_param_named(pattern, mod_pattern, uint, S_IRUGO | S_IWUSR);
250 MODULE_PARM_DESC(mod_pattern, "i/o pattern (0 == zeroes)");
251 
252 static inline void simple_fill_buf(struct urb *urb)
253 {
254 	unsigned	i;
255 	u8		*buf = urb->transfer_buffer;
256 	unsigned	len = urb->transfer_buffer_length;
257 
258 	switch (pattern) {
259 	default:
260 		/* FALLTHROUGH */
261 	case 0:
262 		memset(buf, 0, len);
263 		break;
264 	case 1:			/* mod63 */
265 		for (i = 0; i < len; i++)
266 			*buf++ = (u8) (i % 63);
267 		break;
268 	}
269 }
270 
271 static inline unsigned long buffer_offset(void *buf)
272 {
273 	return (unsigned long)buf & (ARCH_KMALLOC_MINALIGN - 1);
274 }
275 
276 static int check_guard_bytes(struct usbtest_dev *tdev, struct urb *urb)
277 {
278 	u8 *buf = urb->transfer_buffer;
279 	u8 *guard = buf - buffer_offset(buf);
280 	unsigned i;
281 
282 	for (i = 0; guard < buf; i++, guard++) {
283 		if (*guard != GUARD_BYTE) {
284 			ERROR(tdev, "guard byte[%d] %d (not %d)\n",
285 				i, *guard, GUARD_BYTE);
286 			return -EINVAL;
287 		}
288 	}
289 	return 0;
290 }
291 
292 static int simple_check_buf(struct usbtest_dev *tdev, struct urb *urb)
293 {
294 	unsigned	i;
295 	u8		expected;
296 	u8		*buf = urb->transfer_buffer;
297 	unsigned	len = urb->actual_length;
298 
299 	int ret = check_guard_bytes(tdev, urb);
300 	if (ret)
301 		return ret;
302 
303 	for (i = 0; i < len; i++, buf++) {
304 		switch (pattern) {
305 		/* all-zeroes has no synchronization issues */
306 		case 0:
307 			expected = 0;
308 			break;
309 		/* mod63 stays in sync with short-terminated transfers,
310 		 * or otherwise when host and gadget agree on how large
311 		 * each usb transfer request should be.  resync is done
312 		 * with set_interface or set_config.
313 		 */
314 		case 1:			/* mod63 */
315 			expected = i % 63;
316 			break;
317 		/* always fail unsupported patterns */
318 		default:
319 			expected = !*buf;
320 			break;
321 		}
322 		if (*buf == expected)
323 			continue;
324 		ERROR(tdev, "buf[%d] = %d (not %d)\n", i, *buf, expected);
325 		return -EINVAL;
326 	}
327 	return 0;
328 }
329 
330 static void simple_free_urb(struct urb *urb)
331 {
332 	unsigned long offset = buffer_offset(urb->transfer_buffer);
333 
334 	if (urb->transfer_flags & URB_NO_TRANSFER_DMA_MAP)
335 		usb_free_coherent(
336 			urb->dev,
337 			urb->transfer_buffer_length + offset,
338 			urb->transfer_buffer - offset,
339 			urb->transfer_dma - offset);
340 	else
341 		kfree(urb->transfer_buffer - offset);
342 	usb_free_urb(urb);
343 }
344 
345 static int simple_io(
346 	struct usbtest_dev	*tdev,
347 	struct urb		*urb,
348 	int			iterations,
349 	int			vary,
350 	int			expected,
351 	const char		*label
352 )
353 {
354 	struct usb_device	*udev = urb->dev;
355 	int			max = urb->transfer_buffer_length;
356 	struct completion	completion;
357 	int			retval = 0;
358 
359 	urb->context = &completion;
360 	while (retval == 0 && iterations-- > 0) {
361 		init_completion(&completion);
362 		if (usb_pipeout(urb->pipe)) {
363 			simple_fill_buf(urb);
364 			urb->transfer_flags |= URB_ZERO_PACKET;
365 		}
366 		retval = usb_submit_urb(urb, GFP_KERNEL);
367 		if (retval != 0)
368 			break;
369 
370 		/* NOTE:  no timeouts; can't be broken out of by interrupt */
371 		wait_for_completion(&completion);
372 		retval = urb->status;
373 		urb->dev = udev;
374 		if (retval == 0 && usb_pipein(urb->pipe))
375 			retval = simple_check_buf(tdev, urb);
376 
377 		if (vary) {
378 			int	len = urb->transfer_buffer_length;
379 
380 			len += vary;
381 			len %= max;
382 			if (len == 0)
383 				len = (vary < max) ? vary : max;
384 			urb->transfer_buffer_length = len;
385 		}
386 
387 		/* FIXME if endpoint halted, clear halt (and log) */
388 	}
389 	urb->transfer_buffer_length = max;
390 
391 	if (expected != retval)
392 		dev_err(&udev->dev,
393 			"%s failed, iterations left %d, status %d (not %d)\n",
394 				label, iterations, retval, expected);
395 	return retval;
396 }
397 
398 
399 /*-------------------------------------------------------------------------*/
400 
401 /* We use scatterlist primitives to test queued I/O.
402  * Yes, this also tests the scatterlist primitives.
403  */
404 
405 static void free_sglist(struct scatterlist *sg, int nents)
406 {
407 	unsigned		i;
408 
409 	if (!sg)
410 		return;
411 	for (i = 0; i < nents; i++) {
412 		if (!sg_page(&sg[i]))
413 			continue;
414 		kfree(sg_virt(&sg[i]));
415 	}
416 	kfree(sg);
417 }
418 
419 static struct scatterlist *
420 alloc_sglist(int nents, int max, int vary)
421 {
422 	struct scatterlist	*sg;
423 	unsigned		i;
424 	unsigned		size = max;
425 
426 	if (max == 0)
427 		return NULL;
428 
429 	sg = kmalloc_array(nents, sizeof *sg, GFP_KERNEL);
430 	if (!sg)
431 		return NULL;
432 	sg_init_table(sg, nents);
433 
434 	for (i = 0; i < nents; i++) {
435 		char		*buf;
436 		unsigned	j;
437 
438 		buf = kzalloc(size, GFP_KERNEL);
439 		if (!buf) {
440 			free_sglist(sg, i);
441 			return NULL;
442 		}
443 
444 		/* kmalloc pages are always physically contiguous! */
445 		sg_set_buf(&sg[i], buf, size);
446 
447 		switch (pattern) {
448 		case 0:
449 			/* already zeroed */
450 			break;
451 		case 1:
452 			for (j = 0; j < size; j++)
453 				*buf++ = (u8) (j % 63);
454 			break;
455 		}
456 
457 		if (vary) {
458 			size += vary;
459 			size %= max;
460 			if (size == 0)
461 				size = (vary < max) ? vary : max;
462 		}
463 	}
464 
465 	return sg;
466 }
467 
468 static int perform_sglist(
469 	struct usbtest_dev	*tdev,
470 	unsigned		iterations,
471 	int			pipe,
472 	struct usb_sg_request	*req,
473 	struct scatterlist	*sg,
474 	int			nents
475 )
476 {
477 	struct usb_device	*udev = testdev_to_usbdev(tdev);
478 	int			retval = 0;
479 
480 	while (retval == 0 && iterations-- > 0) {
481 		retval = usb_sg_init(req, udev, pipe,
482 				(udev->speed == USB_SPEED_HIGH)
483 					? (INTERRUPT_RATE << 3)
484 					: INTERRUPT_RATE,
485 				sg, nents, 0, GFP_KERNEL);
486 
487 		if (retval)
488 			break;
489 		usb_sg_wait(req);
490 		retval = req->status;
491 
492 		/* FIXME check resulting data pattern */
493 
494 		/* FIXME if endpoint halted, clear halt (and log) */
495 	}
496 
497 	/* FIXME for unlink or fault handling tests, don't report
498 	 * failure if retval is as we expected ...
499 	 */
500 	if (retval)
501 		ERROR(tdev, "perform_sglist failed, "
502 				"iterations left %d, status %d\n",
503 				iterations, retval);
504 	return retval;
505 }
506 
507 
508 /*-------------------------------------------------------------------------*/
509 
510 /* unqueued control message testing
511  *
512  * there's a nice set of device functional requirements in chapter 9 of the
513  * usb 2.0 spec, which we can apply to ANY device, even ones that don't use
514  * special test firmware.
515  *
516  * we know the device is configured (or suspended) by the time it's visible
517  * through usbfs.  we can't change that, so we won't test enumeration (which
518  * worked 'well enough' to get here, this time), power management (ditto),
519  * or remote wakeup (which needs human interaction).
520  */
521 
522 static unsigned realworld = 1;
523 module_param(realworld, uint, 0);
524 MODULE_PARM_DESC(realworld, "clear to demand stricter spec compliance");
525 
526 static int get_altsetting(struct usbtest_dev *dev)
527 {
528 	struct usb_interface	*iface = dev->intf;
529 	struct usb_device	*udev = interface_to_usbdev(iface);
530 	int			retval;
531 
532 	retval = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0),
533 			USB_REQ_GET_INTERFACE, USB_DIR_IN|USB_RECIP_INTERFACE,
534 			0, iface->altsetting[0].desc.bInterfaceNumber,
535 			dev->buf, 1, USB_CTRL_GET_TIMEOUT);
536 	switch (retval) {
537 	case 1:
538 		return dev->buf[0];
539 	case 0:
540 		retval = -ERANGE;
541 		/* FALLTHROUGH */
542 	default:
543 		return retval;
544 	}
545 }
546 
547 static int set_altsetting(struct usbtest_dev *dev, int alternate)
548 {
549 	struct usb_interface		*iface = dev->intf;
550 	struct usb_device		*udev;
551 
552 	if (alternate < 0 || alternate >= 256)
553 		return -EINVAL;
554 
555 	udev = interface_to_usbdev(iface);
556 	return usb_set_interface(udev,
557 			iface->altsetting[0].desc.bInterfaceNumber,
558 			alternate);
559 }
560 
561 static int is_good_config(struct usbtest_dev *tdev, int len)
562 {
563 	struct usb_config_descriptor	*config;
564 
565 	if (len < sizeof *config)
566 		return 0;
567 	config = (struct usb_config_descriptor *) tdev->buf;
568 
569 	switch (config->bDescriptorType) {
570 	case USB_DT_CONFIG:
571 	case USB_DT_OTHER_SPEED_CONFIG:
572 		if (config->bLength != 9) {
573 			ERROR(tdev, "bogus config descriptor length\n");
574 			return 0;
575 		}
576 		/* this bit 'must be 1' but often isn't */
577 		if (!realworld && !(config->bmAttributes & 0x80)) {
578 			ERROR(tdev, "high bit of config attributes not set\n");
579 			return 0;
580 		}
581 		if (config->bmAttributes & 0x1f) {	/* reserved == 0 */
582 			ERROR(tdev, "reserved config bits set\n");
583 			return 0;
584 		}
585 		break;
586 	default:
587 		return 0;
588 	}
589 
590 	if (le16_to_cpu(config->wTotalLength) == len)	/* read it all */
591 		return 1;
592 	if (le16_to_cpu(config->wTotalLength) >= TBUF_SIZE)	/* max partial read */
593 		return 1;
594 	ERROR(tdev, "bogus config descriptor read size\n");
595 	return 0;
596 }
597 
598 /* sanity test for standard requests working with usb_control_mesg() and some
599  * of the utility functions which use it.
600  *
601  * this doesn't test how endpoint halts behave or data toggles get set, since
602  * we won't do I/O to bulk/interrupt endpoints here (which is how to change
603  * halt or toggle).  toggle testing is impractical without support from hcds.
604  *
605  * this avoids failing devices linux would normally work with, by not testing
606  * config/altsetting operations for devices that only support their defaults.
607  * such devices rarely support those needless operations.
608  *
609  * NOTE that since this is a sanity test, it's not examining boundary cases
610  * to see if usbcore, hcd, and device all behave right.  such testing would
611  * involve varied read sizes and other operation sequences.
612  */
613 static int ch9_postconfig(struct usbtest_dev *dev)
614 {
615 	struct usb_interface	*iface = dev->intf;
616 	struct usb_device	*udev = interface_to_usbdev(iface);
617 	int			i, alt, retval;
618 
619 	/* [9.2.3] if there's more than one altsetting, we need to be able to
620 	 * set and get each one.  mostly trusts the descriptors from usbcore.
621 	 */
622 	for (i = 0; i < iface->num_altsetting; i++) {
623 
624 		/* 9.2.3 constrains the range here */
625 		alt = iface->altsetting[i].desc.bAlternateSetting;
626 		if (alt < 0 || alt >= iface->num_altsetting) {
627 			dev_err(&iface->dev,
628 					"invalid alt [%d].bAltSetting = %d\n",
629 					i, alt);
630 		}
631 
632 		/* [real world] get/set unimplemented if there's only one */
633 		if (realworld && iface->num_altsetting == 1)
634 			continue;
635 
636 		/* [9.4.10] set_interface */
637 		retval = set_altsetting(dev, alt);
638 		if (retval) {
639 			dev_err(&iface->dev, "can't set_interface = %d, %d\n",
640 					alt, retval);
641 			return retval;
642 		}
643 
644 		/* [9.4.4] get_interface always works */
645 		retval = get_altsetting(dev);
646 		if (retval != alt) {
647 			dev_err(&iface->dev, "get alt should be %d, was %d\n",
648 					alt, retval);
649 			return (retval < 0) ? retval : -EDOM;
650 		}
651 
652 	}
653 
654 	/* [real world] get_config unimplemented if there's only one */
655 	if (!realworld || udev->descriptor.bNumConfigurations != 1) {
656 		int	expected = udev->actconfig->desc.bConfigurationValue;
657 
658 		/* [9.4.2] get_configuration always works
659 		 * ... although some cheap devices (like one TI Hub I've got)
660 		 * won't return config descriptors except before set_config.
661 		 */
662 		retval = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0),
663 				USB_REQ_GET_CONFIGURATION,
664 				USB_DIR_IN | USB_RECIP_DEVICE,
665 				0, 0, dev->buf, 1, USB_CTRL_GET_TIMEOUT);
666 		if (retval != 1 || dev->buf[0] != expected) {
667 			dev_err(&iface->dev, "get config --> %d %d (1 %d)\n",
668 				retval, dev->buf[0], expected);
669 			return (retval < 0) ? retval : -EDOM;
670 		}
671 	}
672 
673 	/* there's always [9.4.3] a device descriptor [9.6.1] */
674 	retval = usb_get_descriptor(udev, USB_DT_DEVICE, 0,
675 			dev->buf, sizeof udev->descriptor);
676 	if (retval != sizeof udev->descriptor) {
677 		dev_err(&iface->dev, "dev descriptor --> %d\n", retval);
678 		return (retval < 0) ? retval : -EDOM;
679 	}
680 
681 	/* there's always [9.4.3] at least one config descriptor [9.6.3] */
682 	for (i = 0; i < udev->descriptor.bNumConfigurations; i++) {
683 		retval = usb_get_descriptor(udev, USB_DT_CONFIG, i,
684 				dev->buf, TBUF_SIZE);
685 		if (!is_good_config(dev, retval)) {
686 			dev_err(&iface->dev,
687 					"config [%d] descriptor --> %d\n",
688 					i, retval);
689 			return (retval < 0) ? retval : -EDOM;
690 		}
691 
692 		/* FIXME cross-checking udev->config[i] to make sure usbcore
693 		 * parsed it right (etc) would be good testing paranoia
694 		 */
695 	}
696 
697 	/* and sometimes [9.2.6.6] speed dependent descriptors */
698 	if (le16_to_cpu(udev->descriptor.bcdUSB) == 0x0200) {
699 		struct usb_qualifier_descriptor *d = NULL;
700 
701 		/* device qualifier [9.6.2] */
702 		retval = usb_get_descriptor(udev,
703 				USB_DT_DEVICE_QUALIFIER, 0, dev->buf,
704 				sizeof(struct usb_qualifier_descriptor));
705 		if (retval == -EPIPE) {
706 			if (udev->speed == USB_SPEED_HIGH) {
707 				dev_err(&iface->dev,
708 						"hs dev qualifier --> %d\n",
709 						retval);
710 				return (retval < 0) ? retval : -EDOM;
711 			}
712 			/* usb2.0 but not high-speed capable; fine */
713 		} else if (retval != sizeof(struct usb_qualifier_descriptor)) {
714 			dev_err(&iface->dev, "dev qualifier --> %d\n", retval);
715 			return (retval < 0) ? retval : -EDOM;
716 		} else
717 			d = (struct usb_qualifier_descriptor *) dev->buf;
718 
719 		/* might not have [9.6.2] any other-speed configs [9.6.4] */
720 		if (d) {
721 			unsigned max = d->bNumConfigurations;
722 			for (i = 0; i < max; i++) {
723 				retval = usb_get_descriptor(udev,
724 					USB_DT_OTHER_SPEED_CONFIG, i,
725 					dev->buf, TBUF_SIZE);
726 				if (!is_good_config(dev, retval)) {
727 					dev_err(&iface->dev,
728 						"other speed config --> %d\n",
729 						retval);
730 					return (retval < 0) ? retval : -EDOM;
731 				}
732 			}
733 		}
734 	}
735 	/* FIXME fetch strings from at least the device descriptor */
736 
737 	/* [9.4.5] get_status always works */
738 	retval = usb_get_status(udev, USB_RECIP_DEVICE, 0, dev->buf);
739 	if (retval != 2) {
740 		dev_err(&iface->dev, "get dev status --> %d\n", retval);
741 		return (retval < 0) ? retval : -EDOM;
742 	}
743 
744 	/* FIXME configuration.bmAttributes says if we could try to set/clear
745 	 * the device's remote wakeup feature ... if we can, test that here
746 	 */
747 
748 	retval = usb_get_status(udev, USB_RECIP_INTERFACE,
749 			iface->altsetting[0].desc.bInterfaceNumber, dev->buf);
750 	if (retval != 2) {
751 		dev_err(&iface->dev, "get interface status --> %d\n", retval);
752 		return (retval < 0) ? retval : -EDOM;
753 	}
754 	/* FIXME get status for each endpoint in the interface */
755 
756 	return 0;
757 }
758 
759 /*-------------------------------------------------------------------------*/
760 
761 /* use ch9 requests to test whether:
762  *   (a) queues work for control, keeping N subtests queued and
763  *       active (auto-resubmit) for M loops through the queue.
764  *   (b) protocol stalls (control-only) will autorecover.
765  *       it's not like bulk/intr; no halt clearing.
766  *   (c) short control reads are reported and handled.
767  *   (d) queues are always processed in-order
768  */
769 
770 struct ctrl_ctx {
771 	spinlock_t		lock;
772 	struct usbtest_dev	*dev;
773 	struct completion	complete;
774 	unsigned		count;
775 	unsigned		pending;
776 	int			status;
777 	struct urb		**urb;
778 	struct usbtest_param	*param;
779 	int			last;
780 };
781 
782 #define NUM_SUBCASES	15		/* how many test subcases here? */
783 
784 struct subcase {
785 	struct usb_ctrlrequest	setup;
786 	int			number;
787 	int			expected;
788 };
789 
790 static void ctrl_complete(struct urb *urb)
791 {
792 	struct ctrl_ctx		*ctx = urb->context;
793 	struct usb_ctrlrequest	*reqp;
794 	struct subcase		*subcase;
795 	int			status = urb->status;
796 
797 	reqp = (struct usb_ctrlrequest *)urb->setup_packet;
798 	subcase = container_of(reqp, struct subcase, setup);
799 
800 	spin_lock(&ctx->lock);
801 	ctx->count--;
802 	ctx->pending--;
803 
804 	/* queue must transfer and complete in fifo order, unless
805 	 * usb_unlink_urb() is used to unlink something not at the
806 	 * physical queue head (not tested).
807 	 */
808 	if (subcase->number > 0) {
809 		if ((subcase->number - ctx->last) != 1) {
810 			ERROR(ctx->dev,
811 				"subcase %d completed out of order, last %d\n",
812 				subcase->number, ctx->last);
813 			status = -EDOM;
814 			ctx->last = subcase->number;
815 			goto error;
816 		}
817 	}
818 	ctx->last = subcase->number;
819 
820 	/* succeed or fault in only one way? */
821 	if (status == subcase->expected)
822 		status = 0;
823 
824 	/* async unlink for cleanup? */
825 	else if (status != -ECONNRESET) {
826 
827 		/* some faults are allowed, not required */
828 		if (subcase->expected > 0 && (
829 			  ((status == -subcase->expected	/* happened */
830 			   || status == 0))))			/* didn't */
831 			status = 0;
832 		/* sometimes more than one fault is allowed */
833 		else if (subcase->number == 12 && status == -EPIPE)
834 			status = 0;
835 		else
836 			ERROR(ctx->dev, "subtest %d error, status %d\n",
837 					subcase->number, status);
838 	}
839 
840 	/* unexpected status codes mean errors; ideally, in hardware */
841 	if (status) {
842 error:
843 		if (ctx->status == 0) {
844 			int		i;
845 
846 			ctx->status = status;
847 			ERROR(ctx->dev, "control queue %02x.%02x, err %d, "
848 					"%d left, subcase %d, len %d/%d\n",
849 					reqp->bRequestType, reqp->bRequest,
850 					status, ctx->count, subcase->number,
851 					urb->actual_length,
852 					urb->transfer_buffer_length);
853 
854 			/* FIXME this "unlink everything" exit route should
855 			 * be a separate test case.
856 			 */
857 
858 			/* unlink whatever's still pending */
859 			for (i = 1; i < ctx->param->sglen; i++) {
860 				struct urb *u = ctx->urb[
861 							(i + subcase->number)
862 							% ctx->param->sglen];
863 
864 				if (u == urb || !u->dev)
865 					continue;
866 				spin_unlock(&ctx->lock);
867 				status = usb_unlink_urb(u);
868 				spin_lock(&ctx->lock);
869 				switch (status) {
870 				case -EINPROGRESS:
871 				case -EBUSY:
872 				case -EIDRM:
873 					continue;
874 				default:
875 					ERROR(ctx->dev, "urb unlink --> %d\n",
876 							status);
877 				}
878 			}
879 			status = ctx->status;
880 		}
881 	}
882 
883 	/* resubmit if we need to, else mark this as done */
884 	if ((status == 0) && (ctx->pending < ctx->count)) {
885 		status = usb_submit_urb(urb, GFP_ATOMIC);
886 		if (status != 0) {
887 			ERROR(ctx->dev,
888 				"can't resubmit ctrl %02x.%02x, err %d\n",
889 				reqp->bRequestType, reqp->bRequest, status);
890 			urb->dev = NULL;
891 		} else
892 			ctx->pending++;
893 	} else
894 		urb->dev = NULL;
895 
896 	/* signal completion when nothing's queued */
897 	if (ctx->pending == 0)
898 		complete(&ctx->complete);
899 	spin_unlock(&ctx->lock);
900 }
901 
902 static int
903 test_ctrl_queue(struct usbtest_dev *dev, struct usbtest_param *param)
904 {
905 	struct usb_device	*udev = testdev_to_usbdev(dev);
906 	struct urb		**urb;
907 	struct ctrl_ctx		context;
908 	int			i;
909 
910 	if (param->sglen == 0 || param->iterations > UINT_MAX / param->sglen)
911 		return -EOPNOTSUPP;
912 
913 	spin_lock_init(&context.lock);
914 	context.dev = dev;
915 	init_completion(&context.complete);
916 	context.count = param->sglen * param->iterations;
917 	context.pending = 0;
918 	context.status = -ENOMEM;
919 	context.param = param;
920 	context.last = -1;
921 
922 	/* allocate and init the urbs we'll queue.
923 	 * as with bulk/intr sglists, sglen is the queue depth; it also
924 	 * controls which subtests run (more tests than sglen) or rerun.
925 	 */
926 	urb = kcalloc(param->sglen, sizeof(struct urb *), GFP_KERNEL);
927 	if (!urb)
928 		return -ENOMEM;
929 	for (i = 0; i < param->sglen; i++) {
930 		int			pipe = usb_rcvctrlpipe(udev, 0);
931 		unsigned		len;
932 		struct urb		*u;
933 		struct usb_ctrlrequest	req;
934 		struct subcase		*reqp;
935 
936 		/* sign of this variable means:
937 		 *  -: tested code must return this (negative) error code
938 		 *  +: tested code may return this (negative too) error code
939 		 */
940 		int			expected = 0;
941 
942 		/* requests here are mostly expected to succeed on any
943 		 * device, but some are chosen to trigger protocol stalls
944 		 * or short reads.
945 		 */
946 		memset(&req, 0, sizeof req);
947 		req.bRequest = USB_REQ_GET_DESCRIPTOR;
948 		req.bRequestType = USB_DIR_IN|USB_RECIP_DEVICE;
949 
950 		switch (i % NUM_SUBCASES) {
951 		case 0:		/* get device descriptor */
952 			req.wValue = cpu_to_le16(USB_DT_DEVICE << 8);
953 			len = sizeof(struct usb_device_descriptor);
954 			break;
955 		case 1:		/* get first config descriptor (only) */
956 			req.wValue = cpu_to_le16((USB_DT_CONFIG << 8) | 0);
957 			len = sizeof(struct usb_config_descriptor);
958 			break;
959 		case 2:		/* get altsetting (OFTEN STALLS) */
960 			req.bRequest = USB_REQ_GET_INTERFACE;
961 			req.bRequestType = USB_DIR_IN|USB_RECIP_INTERFACE;
962 			/* index = 0 means first interface */
963 			len = 1;
964 			expected = EPIPE;
965 			break;
966 		case 3:		/* get interface status */
967 			req.bRequest = USB_REQ_GET_STATUS;
968 			req.bRequestType = USB_DIR_IN|USB_RECIP_INTERFACE;
969 			/* interface 0 */
970 			len = 2;
971 			break;
972 		case 4:		/* get device status */
973 			req.bRequest = USB_REQ_GET_STATUS;
974 			req.bRequestType = USB_DIR_IN|USB_RECIP_DEVICE;
975 			len = 2;
976 			break;
977 		case 5:		/* get device qualifier (MAY STALL) */
978 			req.wValue = cpu_to_le16 (USB_DT_DEVICE_QUALIFIER << 8);
979 			len = sizeof(struct usb_qualifier_descriptor);
980 			if (udev->speed != USB_SPEED_HIGH)
981 				expected = EPIPE;
982 			break;
983 		case 6:		/* get first config descriptor, plus interface */
984 			req.wValue = cpu_to_le16((USB_DT_CONFIG << 8) | 0);
985 			len = sizeof(struct usb_config_descriptor);
986 			len += sizeof(struct usb_interface_descriptor);
987 			break;
988 		case 7:		/* get interface descriptor (ALWAYS STALLS) */
989 			req.wValue = cpu_to_le16 (USB_DT_INTERFACE << 8);
990 			/* interface == 0 */
991 			len = sizeof(struct usb_interface_descriptor);
992 			expected = -EPIPE;
993 			break;
994 		/* NOTE: two consecutive stalls in the queue here.
995 		 *  that tests fault recovery a bit more aggressively. */
996 		case 8:		/* clear endpoint halt (MAY STALL) */
997 			req.bRequest = USB_REQ_CLEAR_FEATURE;
998 			req.bRequestType = USB_RECIP_ENDPOINT;
999 			/* wValue 0 == ep halt */
1000 			/* wIndex 0 == ep0 (shouldn't halt!) */
1001 			len = 0;
1002 			pipe = usb_sndctrlpipe(udev, 0);
1003 			expected = EPIPE;
1004 			break;
1005 		case 9:		/* get endpoint status */
1006 			req.bRequest = USB_REQ_GET_STATUS;
1007 			req.bRequestType = USB_DIR_IN|USB_RECIP_ENDPOINT;
1008 			/* endpoint 0 */
1009 			len = 2;
1010 			break;
1011 		case 10:	/* trigger short read (EREMOTEIO) */
1012 			req.wValue = cpu_to_le16((USB_DT_CONFIG << 8) | 0);
1013 			len = 1024;
1014 			expected = -EREMOTEIO;
1015 			break;
1016 		/* NOTE: two consecutive _different_ faults in the queue. */
1017 		case 11:	/* get endpoint descriptor (ALWAYS STALLS) */
1018 			req.wValue = cpu_to_le16(USB_DT_ENDPOINT << 8);
1019 			/* endpoint == 0 */
1020 			len = sizeof(struct usb_interface_descriptor);
1021 			expected = EPIPE;
1022 			break;
1023 		/* NOTE: sometimes even a third fault in the queue! */
1024 		case 12:	/* get string 0 descriptor (MAY STALL) */
1025 			req.wValue = cpu_to_le16(USB_DT_STRING << 8);
1026 			/* string == 0, for language IDs */
1027 			len = sizeof(struct usb_interface_descriptor);
1028 			/* may succeed when > 4 languages */
1029 			expected = EREMOTEIO;	/* or EPIPE, if no strings */
1030 			break;
1031 		case 13:	/* short read, resembling case 10 */
1032 			req.wValue = cpu_to_le16((USB_DT_CONFIG << 8) | 0);
1033 			/* last data packet "should" be DATA1, not DATA0 */
1034 			if (udev->speed == USB_SPEED_SUPER)
1035 				len = 1024 - 512;
1036 			else
1037 				len = 1024 - udev->descriptor.bMaxPacketSize0;
1038 			expected = -EREMOTEIO;
1039 			break;
1040 		case 14:	/* short read; try to fill the last packet */
1041 			req.wValue = cpu_to_le16((USB_DT_DEVICE << 8) | 0);
1042 			/* device descriptor size == 18 bytes */
1043 			len = udev->descriptor.bMaxPacketSize0;
1044 			if (udev->speed == USB_SPEED_SUPER)
1045 				len = 512;
1046 			switch (len) {
1047 			case 8:
1048 				len = 24;
1049 				break;
1050 			case 16:
1051 				len = 32;
1052 				break;
1053 			}
1054 			expected = -EREMOTEIO;
1055 			break;
1056 		default:
1057 			ERROR(dev, "bogus number of ctrl queue testcases!\n");
1058 			context.status = -EINVAL;
1059 			goto cleanup;
1060 		}
1061 		req.wLength = cpu_to_le16(len);
1062 		urb[i] = u = simple_alloc_urb(udev, pipe, len);
1063 		if (!u)
1064 			goto cleanup;
1065 
1066 		reqp = kmalloc(sizeof *reqp, GFP_KERNEL);
1067 		if (!reqp)
1068 			goto cleanup;
1069 		reqp->setup = req;
1070 		reqp->number = i % NUM_SUBCASES;
1071 		reqp->expected = expected;
1072 		u->setup_packet = (char *) &reqp->setup;
1073 
1074 		u->context = &context;
1075 		u->complete = ctrl_complete;
1076 	}
1077 
1078 	/* queue the urbs */
1079 	context.urb = urb;
1080 	spin_lock_irq(&context.lock);
1081 	for (i = 0; i < param->sglen; i++) {
1082 		context.status = usb_submit_urb(urb[i], GFP_ATOMIC);
1083 		if (context.status != 0) {
1084 			ERROR(dev, "can't submit urb[%d], status %d\n",
1085 					i, context.status);
1086 			context.count = context.pending;
1087 			break;
1088 		}
1089 		context.pending++;
1090 	}
1091 	spin_unlock_irq(&context.lock);
1092 
1093 	/* FIXME  set timer and time out; provide a disconnect hook */
1094 
1095 	/* wait for the last one to complete */
1096 	if (context.pending > 0)
1097 		wait_for_completion(&context.complete);
1098 
1099 cleanup:
1100 	for (i = 0; i < param->sglen; i++) {
1101 		if (!urb[i])
1102 			continue;
1103 		urb[i]->dev = udev;
1104 		kfree(urb[i]->setup_packet);
1105 		simple_free_urb(urb[i]);
1106 	}
1107 	kfree(urb);
1108 	return context.status;
1109 }
1110 #undef NUM_SUBCASES
1111 
1112 
1113 /*-------------------------------------------------------------------------*/
1114 
1115 static void unlink1_callback(struct urb *urb)
1116 {
1117 	int	status = urb->status;
1118 
1119 	/* we "know" -EPIPE (stall) never happens */
1120 	if (!status)
1121 		status = usb_submit_urb(urb, GFP_ATOMIC);
1122 	if (status) {
1123 		urb->status = status;
1124 		complete(urb->context);
1125 	}
1126 }
1127 
1128 static int unlink1(struct usbtest_dev *dev, int pipe, int size, int async)
1129 {
1130 	struct urb		*urb;
1131 	struct completion	completion;
1132 	int			retval = 0;
1133 
1134 	init_completion(&completion);
1135 	urb = simple_alloc_urb(testdev_to_usbdev(dev), pipe, size);
1136 	if (!urb)
1137 		return -ENOMEM;
1138 	urb->context = &completion;
1139 	urb->complete = unlink1_callback;
1140 
1141 	/* keep the endpoint busy.  there are lots of hc/hcd-internal
1142 	 * states, and testing should get to all of them over time.
1143 	 *
1144 	 * FIXME want additional tests for when endpoint is STALLing
1145 	 * due to errors, or is just NAKing requests.
1146 	 */
1147 	retval = usb_submit_urb(urb, GFP_KERNEL);
1148 	if (retval != 0) {
1149 		dev_err(&dev->intf->dev, "submit fail %d\n", retval);
1150 		return retval;
1151 	}
1152 
1153 	/* unlinking that should always work.  variable delay tests more
1154 	 * hcd states and code paths, even with little other system load.
1155 	 */
1156 	msleep(jiffies % (2 * INTERRUPT_RATE));
1157 	if (async) {
1158 		while (!completion_done(&completion)) {
1159 			retval = usb_unlink_urb(urb);
1160 
1161 			switch (retval) {
1162 			case -EBUSY:
1163 			case -EIDRM:
1164 				/* we can't unlink urbs while they're completing
1165 				 * or if they've completed, and we haven't
1166 				 * resubmitted. "normal" drivers would prevent
1167 				 * resubmission, but since we're testing unlink
1168 				 * paths, we can't.
1169 				 */
1170 				ERROR(dev, "unlink retry\n");
1171 				continue;
1172 			case 0:
1173 			case -EINPROGRESS:
1174 				break;
1175 
1176 			default:
1177 				dev_err(&dev->intf->dev,
1178 					"unlink fail %d\n", retval);
1179 				return retval;
1180 			}
1181 
1182 			break;
1183 		}
1184 	} else
1185 		usb_kill_urb(urb);
1186 
1187 	wait_for_completion(&completion);
1188 	retval = urb->status;
1189 	simple_free_urb(urb);
1190 
1191 	if (async)
1192 		return (retval == -ECONNRESET) ? 0 : retval - 1000;
1193 	else
1194 		return (retval == -ENOENT || retval == -EPERM) ?
1195 				0 : retval - 2000;
1196 }
1197 
1198 static int unlink_simple(struct usbtest_dev *dev, int pipe, int len)
1199 {
1200 	int			retval = 0;
1201 
1202 	/* test sync and async paths */
1203 	retval = unlink1(dev, pipe, len, 1);
1204 	if (!retval)
1205 		retval = unlink1(dev, pipe, len, 0);
1206 	return retval;
1207 }
1208 
1209 /*-------------------------------------------------------------------------*/
1210 
1211 struct queued_ctx {
1212 	struct completion	complete;
1213 	atomic_t		pending;
1214 	unsigned		num;
1215 	int			status;
1216 	struct urb		**urbs;
1217 };
1218 
1219 static void unlink_queued_callback(struct urb *urb)
1220 {
1221 	int			status = urb->status;
1222 	struct queued_ctx	*ctx = urb->context;
1223 
1224 	if (ctx->status)
1225 		goto done;
1226 	if (urb == ctx->urbs[ctx->num - 4] || urb == ctx->urbs[ctx->num - 2]) {
1227 		if (status == -ECONNRESET)
1228 			goto done;
1229 		/* What error should we report if the URB completed normally? */
1230 	}
1231 	if (status != 0)
1232 		ctx->status = status;
1233 
1234  done:
1235 	if (atomic_dec_and_test(&ctx->pending))
1236 		complete(&ctx->complete);
1237 }
1238 
1239 static int unlink_queued(struct usbtest_dev *dev, int pipe, unsigned num,
1240 		unsigned size)
1241 {
1242 	struct queued_ctx	ctx;
1243 	struct usb_device	*udev = testdev_to_usbdev(dev);
1244 	void			*buf;
1245 	dma_addr_t		buf_dma;
1246 	int			i;
1247 	int			retval = -ENOMEM;
1248 
1249 	init_completion(&ctx.complete);
1250 	atomic_set(&ctx.pending, 1);	/* One more than the actual value */
1251 	ctx.num = num;
1252 	ctx.status = 0;
1253 
1254 	buf = usb_alloc_coherent(udev, size, GFP_KERNEL, &buf_dma);
1255 	if (!buf)
1256 		return retval;
1257 	memset(buf, 0, size);
1258 
1259 	/* Allocate and init the urbs we'll queue */
1260 	ctx.urbs = kcalloc(num, sizeof(struct urb *), GFP_KERNEL);
1261 	if (!ctx.urbs)
1262 		goto free_buf;
1263 	for (i = 0; i < num; i++) {
1264 		ctx.urbs[i] = usb_alloc_urb(0, GFP_KERNEL);
1265 		if (!ctx.urbs[i])
1266 			goto free_urbs;
1267 		usb_fill_bulk_urb(ctx.urbs[i], udev, pipe, buf, size,
1268 				unlink_queued_callback, &ctx);
1269 		ctx.urbs[i]->transfer_dma = buf_dma;
1270 		ctx.urbs[i]->transfer_flags = URB_NO_TRANSFER_DMA_MAP;
1271 	}
1272 
1273 	/* Submit all the URBs and then unlink URBs num - 4 and num - 2. */
1274 	for (i = 0; i < num; i++) {
1275 		atomic_inc(&ctx.pending);
1276 		retval = usb_submit_urb(ctx.urbs[i], GFP_KERNEL);
1277 		if (retval != 0) {
1278 			dev_err(&dev->intf->dev, "submit urbs[%d] fail %d\n",
1279 					i, retval);
1280 			atomic_dec(&ctx.pending);
1281 			ctx.status = retval;
1282 			break;
1283 		}
1284 	}
1285 	if (i == num) {
1286 		usb_unlink_urb(ctx.urbs[num - 4]);
1287 		usb_unlink_urb(ctx.urbs[num - 2]);
1288 	} else {
1289 		while (--i >= 0)
1290 			usb_unlink_urb(ctx.urbs[i]);
1291 	}
1292 
1293 	if (atomic_dec_and_test(&ctx.pending))		/* The extra count */
1294 		complete(&ctx.complete);
1295 	wait_for_completion(&ctx.complete);
1296 	retval = ctx.status;
1297 
1298  free_urbs:
1299 	for (i = 0; i < num; i++)
1300 		usb_free_urb(ctx.urbs[i]);
1301 	kfree(ctx.urbs);
1302  free_buf:
1303 	usb_free_coherent(udev, size, buf, buf_dma);
1304 	return retval;
1305 }
1306 
1307 /*-------------------------------------------------------------------------*/
1308 
1309 static int verify_not_halted(struct usbtest_dev *tdev, int ep, struct urb *urb)
1310 {
1311 	int	retval;
1312 	u16	status;
1313 
1314 	/* shouldn't look or act halted */
1315 	retval = usb_get_status(urb->dev, USB_RECIP_ENDPOINT, ep, &status);
1316 	if (retval < 0) {
1317 		ERROR(tdev, "ep %02x couldn't get no-halt status, %d\n",
1318 				ep, retval);
1319 		return retval;
1320 	}
1321 	if (status != 0) {
1322 		ERROR(tdev, "ep %02x bogus status: %04x != 0\n", ep, status);
1323 		return -EINVAL;
1324 	}
1325 	retval = simple_io(tdev, urb, 1, 0, 0, __func__);
1326 	if (retval != 0)
1327 		return -EINVAL;
1328 	return 0;
1329 }
1330 
1331 static int verify_halted(struct usbtest_dev *tdev, int ep, struct urb *urb)
1332 {
1333 	int	retval;
1334 	u16	status;
1335 
1336 	/* should look and act halted */
1337 	retval = usb_get_status(urb->dev, USB_RECIP_ENDPOINT, ep, &status);
1338 	if (retval < 0) {
1339 		ERROR(tdev, "ep %02x couldn't get halt status, %d\n",
1340 				ep, retval);
1341 		return retval;
1342 	}
1343 	le16_to_cpus(&status);
1344 	if (status != 1) {
1345 		ERROR(tdev, "ep %02x bogus status: %04x != 1\n", ep, status);
1346 		return -EINVAL;
1347 	}
1348 	retval = simple_io(tdev, urb, 1, 0, -EPIPE, __func__);
1349 	if (retval != -EPIPE)
1350 		return -EINVAL;
1351 	retval = simple_io(tdev, urb, 1, 0, -EPIPE, "verify_still_halted");
1352 	if (retval != -EPIPE)
1353 		return -EINVAL;
1354 	return 0;
1355 }
1356 
1357 static int test_halt(struct usbtest_dev *tdev, int ep, struct urb *urb)
1358 {
1359 	int	retval;
1360 
1361 	/* shouldn't look or act halted now */
1362 	retval = verify_not_halted(tdev, ep, urb);
1363 	if (retval < 0)
1364 		return retval;
1365 
1366 	/* set halt (protocol test only), verify it worked */
1367 	retval = usb_control_msg(urb->dev, usb_sndctrlpipe(urb->dev, 0),
1368 			USB_REQ_SET_FEATURE, USB_RECIP_ENDPOINT,
1369 			USB_ENDPOINT_HALT, ep,
1370 			NULL, 0, USB_CTRL_SET_TIMEOUT);
1371 	if (retval < 0) {
1372 		ERROR(tdev, "ep %02x couldn't set halt, %d\n", ep, retval);
1373 		return retval;
1374 	}
1375 	retval = verify_halted(tdev, ep, urb);
1376 	if (retval < 0)
1377 		return retval;
1378 
1379 	/* clear halt (tests API + protocol), verify it worked */
1380 	retval = usb_clear_halt(urb->dev, urb->pipe);
1381 	if (retval < 0) {
1382 		ERROR(tdev, "ep %02x couldn't clear halt, %d\n", ep, retval);
1383 		return retval;
1384 	}
1385 	retval = verify_not_halted(tdev, ep, urb);
1386 	if (retval < 0)
1387 		return retval;
1388 
1389 	/* NOTE:  could also verify SET_INTERFACE clear halts ... */
1390 
1391 	return 0;
1392 }
1393 
1394 static int halt_simple(struct usbtest_dev *dev)
1395 {
1396 	int			ep;
1397 	int			retval = 0;
1398 	struct urb		*urb;
1399 	struct usb_device	*udev = testdev_to_usbdev(dev);
1400 
1401 	if (udev->speed == USB_SPEED_SUPER)
1402 		urb = simple_alloc_urb(udev, 0, 1024);
1403 	else
1404 		urb = simple_alloc_urb(udev, 0, 512);
1405 	if (urb == NULL)
1406 		return -ENOMEM;
1407 
1408 	if (dev->in_pipe) {
1409 		ep = usb_pipeendpoint(dev->in_pipe) | USB_DIR_IN;
1410 		urb->pipe = dev->in_pipe;
1411 		retval = test_halt(dev, ep, urb);
1412 		if (retval < 0)
1413 			goto done;
1414 	}
1415 
1416 	if (dev->out_pipe) {
1417 		ep = usb_pipeendpoint(dev->out_pipe);
1418 		urb->pipe = dev->out_pipe;
1419 		retval = test_halt(dev, ep, urb);
1420 	}
1421 done:
1422 	simple_free_urb(urb);
1423 	return retval;
1424 }
1425 
1426 /*-------------------------------------------------------------------------*/
1427 
1428 /* Control OUT tests use the vendor control requests from Intel's
1429  * USB 2.0 compliance test device:  write a buffer, read it back.
1430  *
1431  * Intel's spec only _requires_ that it work for one packet, which
1432  * is pretty weak.   Some HCDs place limits here; most devices will
1433  * need to be able to handle more than one OUT data packet.  We'll
1434  * try whatever we're told to try.
1435  */
1436 static int ctrl_out(struct usbtest_dev *dev,
1437 		unsigned count, unsigned length, unsigned vary, unsigned offset)
1438 {
1439 	unsigned		i, j, len;
1440 	int			retval;
1441 	u8			*buf;
1442 	char			*what = "?";
1443 	struct usb_device	*udev;
1444 
1445 	if (length < 1 || length > 0xffff || vary >= length)
1446 		return -EINVAL;
1447 
1448 	buf = kmalloc(length + offset, GFP_KERNEL);
1449 	if (!buf)
1450 		return -ENOMEM;
1451 
1452 	buf += offset;
1453 	udev = testdev_to_usbdev(dev);
1454 	len = length;
1455 	retval = 0;
1456 
1457 	/* NOTE:  hardware might well act differently if we pushed it
1458 	 * with lots back-to-back queued requests.
1459 	 */
1460 	for (i = 0; i < count; i++) {
1461 		/* write patterned data */
1462 		for (j = 0; j < len; j++)
1463 			buf[j] = i + j;
1464 		retval = usb_control_msg(udev, usb_sndctrlpipe(udev, 0),
1465 				0x5b, USB_DIR_OUT|USB_TYPE_VENDOR,
1466 				0, 0, buf, len, USB_CTRL_SET_TIMEOUT);
1467 		if (retval != len) {
1468 			what = "write";
1469 			if (retval >= 0) {
1470 				ERROR(dev, "ctrl_out, wlen %d (expected %d)\n",
1471 						retval, len);
1472 				retval = -EBADMSG;
1473 			}
1474 			break;
1475 		}
1476 
1477 		/* read it back -- assuming nothing intervened!!  */
1478 		retval = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0),
1479 				0x5c, USB_DIR_IN|USB_TYPE_VENDOR,
1480 				0, 0, buf, len, USB_CTRL_GET_TIMEOUT);
1481 		if (retval != len) {
1482 			what = "read";
1483 			if (retval >= 0) {
1484 				ERROR(dev, "ctrl_out, rlen %d (expected %d)\n",
1485 						retval, len);
1486 				retval = -EBADMSG;
1487 			}
1488 			break;
1489 		}
1490 
1491 		/* fail if we can't verify */
1492 		for (j = 0; j < len; j++) {
1493 			if (buf[j] != (u8) (i + j)) {
1494 				ERROR(dev, "ctrl_out, byte %d is %d not %d\n",
1495 					j, buf[j], (u8) i + j);
1496 				retval = -EBADMSG;
1497 				break;
1498 			}
1499 		}
1500 		if (retval < 0) {
1501 			what = "verify";
1502 			break;
1503 		}
1504 
1505 		len += vary;
1506 
1507 		/* [real world] the "zero bytes IN" case isn't really used.
1508 		 * hardware can easily trip up in this weird case, since its
1509 		 * status stage is IN, not OUT like other ep0in transfers.
1510 		 */
1511 		if (len > length)
1512 			len = realworld ? 1 : 0;
1513 	}
1514 
1515 	if (retval < 0)
1516 		ERROR(dev, "ctrl_out %s failed, code %d, count %d\n",
1517 			what, retval, i);
1518 
1519 	kfree(buf - offset);
1520 	return retval;
1521 }
1522 
1523 /*-------------------------------------------------------------------------*/
1524 
1525 /* ISO tests ... mimics common usage
1526  *  - buffer length is split into N packets (mostly maxpacket sized)
1527  *  - multi-buffers according to sglen
1528  */
1529 
1530 struct iso_context {
1531 	unsigned		count;
1532 	unsigned		pending;
1533 	spinlock_t		lock;
1534 	struct completion	done;
1535 	int			submit_error;
1536 	unsigned long		errors;
1537 	unsigned long		packet_count;
1538 	struct usbtest_dev	*dev;
1539 };
1540 
1541 static void iso_callback(struct urb *urb)
1542 {
1543 	struct iso_context	*ctx = urb->context;
1544 
1545 	spin_lock(&ctx->lock);
1546 	ctx->count--;
1547 
1548 	ctx->packet_count += urb->number_of_packets;
1549 	if (urb->error_count > 0)
1550 		ctx->errors += urb->error_count;
1551 	else if (urb->status != 0)
1552 		ctx->errors += urb->number_of_packets;
1553 	else if (urb->actual_length != urb->transfer_buffer_length)
1554 		ctx->errors++;
1555 	else if (check_guard_bytes(ctx->dev, urb) != 0)
1556 		ctx->errors++;
1557 
1558 	if (urb->status == 0 && ctx->count > (ctx->pending - 1)
1559 			&& !ctx->submit_error) {
1560 		int status = usb_submit_urb(urb, GFP_ATOMIC);
1561 		switch (status) {
1562 		case 0:
1563 			goto done;
1564 		default:
1565 			dev_err(&ctx->dev->intf->dev,
1566 					"iso resubmit err %d\n",
1567 					status);
1568 			/* FALLTHROUGH */
1569 		case -ENODEV:			/* disconnected */
1570 		case -ESHUTDOWN:		/* endpoint disabled */
1571 			ctx->submit_error = 1;
1572 			break;
1573 		}
1574 	}
1575 
1576 	ctx->pending--;
1577 	if (ctx->pending == 0) {
1578 		if (ctx->errors)
1579 			dev_err(&ctx->dev->intf->dev,
1580 				"iso test, %lu errors out of %lu\n",
1581 				ctx->errors, ctx->packet_count);
1582 		complete(&ctx->done);
1583 	}
1584 done:
1585 	spin_unlock(&ctx->lock);
1586 }
1587 
1588 static struct urb *iso_alloc_urb(
1589 	struct usb_device	*udev,
1590 	int			pipe,
1591 	struct usb_endpoint_descriptor	*desc,
1592 	long			bytes,
1593 	unsigned offset
1594 )
1595 {
1596 	struct urb		*urb;
1597 	unsigned		i, maxp, packets;
1598 
1599 	if (bytes < 0 || !desc)
1600 		return NULL;
1601 	maxp = 0x7ff & usb_endpoint_maxp(desc);
1602 	maxp *= 1 + (0x3 & (usb_endpoint_maxp(desc) >> 11));
1603 	packets = DIV_ROUND_UP(bytes, maxp);
1604 
1605 	urb = usb_alloc_urb(packets, GFP_KERNEL);
1606 	if (!urb)
1607 		return urb;
1608 	urb->dev = udev;
1609 	urb->pipe = pipe;
1610 
1611 	urb->number_of_packets = packets;
1612 	urb->transfer_buffer_length = bytes;
1613 	urb->transfer_buffer = usb_alloc_coherent(udev, bytes + offset,
1614 							GFP_KERNEL,
1615 							&urb->transfer_dma);
1616 	if (!urb->transfer_buffer) {
1617 		usb_free_urb(urb);
1618 		return NULL;
1619 	}
1620 	if (offset) {
1621 		memset(urb->transfer_buffer, GUARD_BYTE, offset);
1622 		urb->transfer_buffer += offset;
1623 		urb->transfer_dma += offset;
1624 	}
1625 	/* For inbound transfers use guard byte so that test fails if
1626 		data not correctly copied */
1627 	memset(urb->transfer_buffer,
1628 			usb_pipein(urb->pipe) ? GUARD_BYTE : 0,
1629 			bytes);
1630 
1631 	for (i = 0; i < packets; i++) {
1632 		/* here, only the last packet will be short */
1633 		urb->iso_frame_desc[i].length = min((unsigned) bytes, maxp);
1634 		bytes -= urb->iso_frame_desc[i].length;
1635 
1636 		urb->iso_frame_desc[i].offset = maxp * i;
1637 	}
1638 
1639 	urb->complete = iso_callback;
1640 	/* urb->context = SET BY CALLER */
1641 	urb->interval = 1 << (desc->bInterval - 1);
1642 	urb->transfer_flags = URB_ISO_ASAP | URB_NO_TRANSFER_DMA_MAP;
1643 	return urb;
1644 }
1645 
1646 static int
1647 test_iso_queue(struct usbtest_dev *dev, struct usbtest_param *param,
1648 		int pipe, struct usb_endpoint_descriptor *desc, unsigned offset)
1649 {
1650 	struct iso_context	context;
1651 	struct usb_device	*udev;
1652 	unsigned		i;
1653 	unsigned long		packets = 0;
1654 	int			status = 0;
1655 	struct urb		*urbs[10];	/* FIXME no limit */
1656 
1657 	if (param->sglen > 10)
1658 		return -EDOM;
1659 
1660 	memset(&context, 0, sizeof context);
1661 	context.count = param->iterations * param->sglen;
1662 	context.dev = dev;
1663 	init_completion(&context.done);
1664 	spin_lock_init(&context.lock);
1665 
1666 	memset(urbs, 0, sizeof urbs);
1667 	udev = testdev_to_usbdev(dev);
1668 	dev_info(&dev->intf->dev,
1669 		"... iso period %d %sframes, wMaxPacket %04x\n",
1670 		1 << (desc->bInterval - 1),
1671 		(udev->speed == USB_SPEED_HIGH) ? "micro" : "",
1672 		usb_endpoint_maxp(desc));
1673 
1674 	for (i = 0; i < param->sglen; i++) {
1675 		urbs[i] = iso_alloc_urb(udev, pipe, desc,
1676 					param->length, offset);
1677 		if (!urbs[i]) {
1678 			status = -ENOMEM;
1679 			goto fail;
1680 		}
1681 		packets += urbs[i]->number_of_packets;
1682 		urbs[i]->context = &context;
1683 	}
1684 	packets *= param->iterations;
1685 	dev_info(&dev->intf->dev,
1686 		"... total %lu msec (%lu packets)\n",
1687 		(packets * (1 << (desc->bInterval - 1)))
1688 			/ ((udev->speed == USB_SPEED_HIGH) ? 8 : 1),
1689 		packets);
1690 
1691 	spin_lock_irq(&context.lock);
1692 	for (i = 0; i < param->sglen; i++) {
1693 		++context.pending;
1694 		status = usb_submit_urb(urbs[i], GFP_ATOMIC);
1695 		if (status < 0) {
1696 			ERROR(dev, "submit iso[%d], error %d\n", i, status);
1697 			if (i == 0) {
1698 				spin_unlock_irq(&context.lock);
1699 				goto fail;
1700 			}
1701 
1702 			simple_free_urb(urbs[i]);
1703 			urbs[i] = NULL;
1704 			context.pending--;
1705 			context.submit_error = 1;
1706 			break;
1707 		}
1708 	}
1709 	spin_unlock_irq(&context.lock);
1710 
1711 	wait_for_completion(&context.done);
1712 
1713 	for (i = 0; i < param->sglen; i++) {
1714 		if (urbs[i])
1715 			simple_free_urb(urbs[i]);
1716 	}
1717 	/*
1718 	 * Isochronous transfers are expected to fail sometimes.  As an
1719 	 * arbitrary limit, we will report an error if any submissions
1720 	 * fail or if the transfer failure rate is > 10%.
1721 	 */
1722 	if (status != 0)
1723 		;
1724 	else if (context.submit_error)
1725 		status = -EACCES;
1726 	else if (context.errors > context.packet_count / 10)
1727 		status = -EIO;
1728 	return status;
1729 
1730 fail:
1731 	for (i = 0; i < param->sglen; i++) {
1732 		if (urbs[i])
1733 			simple_free_urb(urbs[i]);
1734 	}
1735 	return status;
1736 }
1737 
1738 static int test_unaligned_bulk(
1739 	struct usbtest_dev *tdev,
1740 	int pipe,
1741 	unsigned length,
1742 	int iterations,
1743 	unsigned transfer_flags,
1744 	const char *label)
1745 {
1746 	int retval;
1747 	struct urb *urb = usbtest_alloc_urb(
1748 		testdev_to_usbdev(tdev), pipe, length, transfer_flags, 1);
1749 
1750 	if (!urb)
1751 		return -ENOMEM;
1752 
1753 	retval = simple_io(tdev, urb, iterations, 0, 0, label);
1754 	simple_free_urb(urb);
1755 	return retval;
1756 }
1757 
1758 /*-------------------------------------------------------------------------*/
1759 
1760 /* We only have this one interface to user space, through usbfs.
1761  * User mode code can scan usbfs to find N different devices (maybe on
1762  * different busses) to use when testing, and allocate one thread per
1763  * test.  So discovery is simplified, and we have no device naming issues.
1764  *
1765  * Don't use these only as stress/load tests.  Use them along with with
1766  * other USB bus activity:  plugging, unplugging, mousing, mp3 playback,
1767  * video capture, and so on.  Run different tests at different times, in
1768  * different sequences.  Nothing here should interact with other devices,
1769  * except indirectly by consuming USB bandwidth and CPU resources for test
1770  * threads and request completion.  But the only way to know that for sure
1771  * is to test when HC queues are in use by many devices.
1772  *
1773  * WARNING:  Because usbfs grabs udev->dev.sem before calling this ioctl(),
1774  * it locks out usbcore in certain code paths.  Notably, if you disconnect
1775  * the device-under-test, khubd will wait block forever waiting for the
1776  * ioctl to complete ... so that usb_disconnect() can abort the pending
1777  * urbs and then call usbtest_disconnect().  To abort a test, you're best
1778  * off just killing the userspace task and waiting for it to exit.
1779  */
1780 
1781 static int
1782 usbtest_ioctl(struct usb_interface *intf, unsigned int code, void *buf)
1783 {
1784 	struct usbtest_dev	*dev = usb_get_intfdata(intf);
1785 	struct usb_device	*udev = testdev_to_usbdev(dev);
1786 	struct usbtest_param	*param = buf;
1787 	int			retval = -EOPNOTSUPP;
1788 	struct urb		*urb;
1789 	struct scatterlist	*sg;
1790 	struct usb_sg_request	req;
1791 	struct timeval		start;
1792 	unsigned		i;
1793 
1794 	/* FIXME USBDEVFS_CONNECTINFO doesn't say how fast the device is. */
1795 
1796 	pattern = mod_pattern;
1797 
1798 	if (code != USBTEST_REQUEST)
1799 		return -EOPNOTSUPP;
1800 
1801 	if (param->iterations <= 0)
1802 		return -EINVAL;
1803 
1804 	if (mutex_lock_interruptible(&dev->lock))
1805 		return -ERESTARTSYS;
1806 
1807 	/* FIXME: What if a system sleep starts while a test is running? */
1808 
1809 	/* some devices, like ez-usb default devices, need a non-default
1810 	 * altsetting to have any active endpoints.  some tests change
1811 	 * altsettings; force a default so most tests don't need to check.
1812 	 */
1813 	if (dev->info->alt >= 0) {
1814 		int	res;
1815 
1816 		if (intf->altsetting->desc.bInterfaceNumber) {
1817 			mutex_unlock(&dev->lock);
1818 			return -ENODEV;
1819 		}
1820 		res = set_altsetting(dev, dev->info->alt);
1821 		if (res) {
1822 			dev_err(&intf->dev,
1823 					"set altsetting to %d failed, %d\n",
1824 					dev->info->alt, res);
1825 			mutex_unlock(&dev->lock);
1826 			return res;
1827 		}
1828 	}
1829 
1830 	/*
1831 	 * Just a bunch of test cases that every HCD is expected to handle.
1832 	 *
1833 	 * Some may need specific firmware, though it'd be good to have
1834 	 * one firmware image to handle all the test cases.
1835 	 *
1836 	 * FIXME add more tests!  cancel requests, verify the data, control
1837 	 * queueing, concurrent read+write threads, and so on.
1838 	 */
1839 	do_gettimeofday(&start);
1840 	switch (param->test_num) {
1841 
1842 	case 0:
1843 		dev_info(&intf->dev, "TEST 0:  NOP\n");
1844 		retval = 0;
1845 		break;
1846 
1847 	/* Simple non-queued bulk I/O tests */
1848 	case 1:
1849 		if (dev->out_pipe == 0)
1850 			break;
1851 		dev_info(&intf->dev,
1852 				"TEST 1:  write %d bytes %u times\n",
1853 				param->length, param->iterations);
1854 		urb = simple_alloc_urb(udev, dev->out_pipe, param->length);
1855 		if (!urb) {
1856 			retval = -ENOMEM;
1857 			break;
1858 		}
1859 		/* FIRMWARE:  bulk sink (maybe accepts short writes) */
1860 		retval = simple_io(dev, urb, param->iterations, 0, 0, "test1");
1861 		simple_free_urb(urb);
1862 		break;
1863 	case 2:
1864 		if (dev->in_pipe == 0)
1865 			break;
1866 		dev_info(&intf->dev,
1867 				"TEST 2:  read %d bytes %u times\n",
1868 				param->length, param->iterations);
1869 		urb = simple_alloc_urb(udev, dev->in_pipe, param->length);
1870 		if (!urb) {
1871 			retval = -ENOMEM;
1872 			break;
1873 		}
1874 		/* FIRMWARE:  bulk source (maybe generates short writes) */
1875 		retval = simple_io(dev, urb, param->iterations, 0, 0, "test2");
1876 		simple_free_urb(urb);
1877 		break;
1878 	case 3:
1879 		if (dev->out_pipe == 0 || param->vary == 0)
1880 			break;
1881 		dev_info(&intf->dev,
1882 				"TEST 3:  write/%d 0..%d bytes %u times\n",
1883 				param->vary, param->length, param->iterations);
1884 		urb = simple_alloc_urb(udev, dev->out_pipe, param->length);
1885 		if (!urb) {
1886 			retval = -ENOMEM;
1887 			break;
1888 		}
1889 		/* FIRMWARE:  bulk sink (maybe accepts short writes) */
1890 		retval = simple_io(dev, urb, param->iterations, param->vary,
1891 					0, "test3");
1892 		simple_free_urb(urb);
1893 		break;
1894 	case 4:
1895 		if (dev->in_pipe == 0 || param->vary == 0)
1896 			break;
1897 		dev_info(&intf->dev,
1898 				"TEST 4:  read/%d 0..%d bytes %u times\n",
1899 				param->vary, param->length, param->iterations);
1900 		urb = simple_alloc_urb(udev, dev->in_pipe, param->length);
1901 		if (!urb) {
1902 			retval = -ENOMEM;
1903 			break;
1904 		}
1905 		/* FIRMWARE:  bulk source (maybe generates short writes) */
1906 		retval = simple_io(dev, urb, param->iterations, param->vary,
1907 					0, "test4");
1908 		simple_free_urb(urb);
1909 		break;
1910 
1911 	/* Queued bulk I/O tests */
1912 	case 5:
1913 		if (dev->out_pipe == 0 || param->sglen == 0)
1914 			break;
1915 		dev_info(&intf->dev,
1916 			"TEST 5:  write %d sglists %d entries of %d bytes\n",
1917 				param->iterations,
1918 				param->sglen, param->length);
1919 		sg = alloc_sglist(param->sglen, param->length, 0);
1920 		if (!sg) {
1921 			retval = -ENOMEM;
1922 			break;
1923 		}
1924 		/* FIRMWARE:  bulk sink (maybe accepts short writes) */
1925 		retval = perform_sglist(dev, param->iterations, dev->out_pipe,
1926 				&req, sg, param->sglen);
1927 		free_sglist(sg, param->sglen);
1928 		break;
1929 
1930 	case 6:
1931 		if (dev->in_pipe == 0 || param->sglen == 0)
1932 			break;
1933 		dev_info(&intf->dev,
1934 			"TEST 6:  read %d sglists %d entries of %d bytes\n",
1935 				param->iterations,
1936 				param->sglen, param->length);
1937 		sg = alloc_sglist(param->sglen, param->length, 0);
1938 		if (!sg) {
1939 			retval = -ENOMEM;
1940 			break;
1941 		}
1942 		/* FIRMWARE:  bulk source (maybe generates short writes) */
1943 		retval = perform_sglist(dev, param->iterations, dev->in_pipe,
1944 				&req, sg, param->sglen);
1945 		free_sglist(sg, param->sglen);
1946 		break;
1947 	case 7:
1948 		if (dev->out_pipe == 0 || param->sglen == 0 || param->vary == 0)
1949 			break;
1950 		dev_info(&intf->dev,
1951 			"TEST 7:  write/%d %d sglists %d entries 0..%d bytes\n",
1952 				param->vary, param->iterations,
1953 				param->sglen, param->length);
1954 		sg = alloc_sglist(param->sglen, param->length, param->vary);
1955 		if (!sg) {
1956 			retval = -ENOMEM;
1957 			break;
1958 		}
1959 		/* FIRMWARE:  bulk sink (maybe accepts short writes) */
1960 		retval = perform_sglist(dev, param->iterations, dev->out_pipe,
1961 				&req, sg, param->sglen);
1962 		free_sglist(sg, param->sglen);
1963 		break;
1964 	case 8:
1965 		if (dev->in_pipe == 0 || param->sglen == 0 || param->vary == 0)
1966 			break;
1967 		dev_info(&intf->dev,
1968 			"TEST 8:  read/%d %d sglists %d entries 0..%d bytes\n",
1969 				param->vary, param->iterations,
1970 				param->sglen, param->length);
1971 		sg = alloc_sglist(param->sglen, param->length, param->vary);
1972 		if (!sg) {
1973 			retval = -ENOMEM;
1974 			break;
1975 		}
1976 		/* FIRMWARE:  bulk source (maybe generates short writes) */
1977 		retval = perform_sglist(dev, param->iterations, dev->in_pipe,
1978 				&req, sg, param->sglen);
1979 		free_sglist(sg, param->sglen);
1980 		break;
1981 
1982 	/* non-queued sanity tests for control (chapter 9 subset) */
1983 	case 9:
1984 		retval = 0;
1985 		dev_info(&intf->dev,
1986 			"TEST 9:  ch9 (subset) control tests, %d times\n",
1987 				param->iterations);
1988 		for (i = param->iterations; retval == 0 && i--; /* NOP */)
1989 			retval = ch9_postconfig(dev);
1990 		if (retval)
1991 			dev_err(&intf->dev, "ch9 subset failed, "
1992 					"iterations left %d\n", i);
1993 		break;
1994 
1995 	/* queued control messaging */
1996 	case 10:
1997 		retval = 0;
1998 		dev_info(&intf->dev,
1999 				"TEST 10:  queue %d control calls, %d times\n",
2000 				param->sglen,
2001 				param->iterations);
2002 		retval = test_ctrl_queue(dev, param);
2003 		break;
2004 
2005 	/* simple non-queued unlinks (ring with one urb) */
2006 	case 11:
2007 		if (dev->in_pipe == 0 || !param->length)
2008 			break;
2009 		retval = 0;
2010 		dev_info(&intf->dev, "TEST 11:  unlink %d reads of %d\n",
2011 				param->iterations, param->length);
2012 		for (i = param->iterations; retval == 0 && i--; /* NOP */)
2013 			retval = unlink_simple(dev, dev->in_pipe,
2014 						param->length);
2015 		if (retval)
2016 			dev_err(&intf->dev, "unlink reads failed %d, "
2017 				"iterations left %d\n", retval, i);
2018 		break;
2019 	case 12:
2020 		if (dev->out_pipe == 0 || !param->length)
2021 			break;
2022 		retval = 0;
2023 		dev_info(&intf->dev, "TEST 12:  unlink %d writes of %d\n",
2024 				param->iterations, param->length);
2025 		for (i = param->iterations; retval == 0 && i--; /* NOP */)
2026 			retval = unlink_simple(dev, dev->out_pipe,
2027 						param->length);
2028 		if (retval)
2029 			dev_err(&intf->dev, "unlink writes failed %d, "
2030 				"iterations left %d\n", retval, i);
2031 		break;
2032 
2033 	/* ep halt tests */
2034 	case 13:
2035 		if (dev->out_pipe == 0 && dev->in_pipe == 0)
2036 			break;
2037 		retval = 0;
2038 		dev_info(&intf->dev, "TEST 13:  set/clear %d halts\n",
2039 				param->iterations);
2040 		for (i = param->iterations; retval == 0 && i--; /* NOP */)
2041 			retval = halt_simple(dev);
2042 
2043 		if (retval)
2044 			ERROR(dev, "halts failed, iterations left %d\n", i);
2045 		break;
2046 
2047 	/* control write tests */
2048 	case 14:
2049 		if (!dev->info->ctrl_out)
2050 			break;
2051 		dev_info(&intf->dev, "TEST 14:  %d ep0out, %d..%d vary %d\n",
2052 				param->iterations,
2053 				realworld ? 1 : 0, param->length,
2054 				param->vary);
2055 		retval = ctrl_out(dev, param->iterations,
2056 				param->length, param->vary, 0);
2057 		break;
2058 
2059 	/* iso write tests */
2060 	case 15:
2061 		if (dev->out_iso_pipe == 0 || param->sglen == 0)
2062 			break;
2063 		dev_info(&intf->dev,
2064 			"TEST 15:  write %d iso, %d entries of %d bytes\n",
2065 				param->iterations,
2066 				param->sglen, param->length);
2067 		/* FIRMWARE:  iso sink */
2068 		retval = test_iso_queue(dev, param,
2069 				dev->out_iso_pipe, dev->iso_out, 0);
2070 		break;
2071 
2072 	/* iso read tests */
2073 	case 16:
2074 		if (dev->in_iso_pipe == 0 || param->sglen == 0)
2075 			break;
2076 		dev_info(&intf->dev,
2077 			"TEST 16:  read %d iso, %d entries of %d bytes\n",
2078 				param->iterations,
2079 				param->sglen, param->length);
2080 		/* FIRMWARE:  iso source */
2081 		retval = test_iso_queue(dev, param,
2082 				dev->in_iso_pipe, dev->iso_in, 0);
2083 		break;
2084 
2085 	/* FIXME scatterlist cancel (needs helper thread) */
2086 
2087 	/* Tests for bulk I/O using DMA mapping by core and odd address */
2088 	case 17:
2089 		if (dev->out_pipe == 0)
2090 			break;
2091 		dev_info(&intf->dev,
2092 			"TEST 17:  write odd addr %d bytes %u times core map\n",
2093 			param->length, param->iterations);
2094 
2095 		retval = test_unaligned_bulk(
2096 				dev, dev->out_pipe,
2097 				param->length, param->iterations,
2098 				0, "test17");
2099 		break;
2100 
2101 	case 18:
2102 		if (dev->in_pipe == 0)
2103 			break;
2104 		dev_info(&intf->dev,
2105 			"TEST 18:  read odd addr %d bytes %u times core map\n",
2106 			param->length, param->iterations);
2107 
2108 		retval = test_unaligned_bulk(
2109 				dev, dev->in_pipe,
2110 				param->length, param->iterations,
2111 				0, "test18");
2112 		break;
2113 
2114 	/* Tests for bulk I/O using premapped coherent buffer and odd address */
2115 	case 19:
2116 		if (dev->out_pipe == 0)
2117 			break;
2118 		dev_info(&intf->dev,
2119 			"TEST 19:  write odd addr %d bytes %u times premapped\n",
2120 			param->length, param->iterations);
2121 
2122 		retval = test_unaligned_bulk(
2123 				dev, dev->out_pipe,
2124 				param->length, param->iterations,
2125 				URB_NO_TRANSFER_DMA_MAP, "test19");
2126 		break;
2127 
2128 	case 20:
2129 		if (dev->in_pipe == 0)
2130 			break;
2131 		dev_info(&intf->dev,
2132 			"TEST 20:  read odd addr %d bytes %u times premapped\n",
2133 			param->length, param->iterations);
2134 
2135 		retval = test_unaligned_bulk(
2136 				dev, dev->in_pipe,
2137 				param->length, param->iterations,
2138 				URB_NO_TRANSFER_DMA_MAP, "test20");
2139 		break;
2140 
2141 	/* control write tests with unaligned buffer */
2142 	case 21:
2143 		if (!dev->info->ctrl_out)
2144 			break;
2145 		dev_info(&intf->dev,
2146 				"TEST 21:  %d ep0out odd addr, %d..%d vary %d\n",
2147 				param->iterations,
2148 				realworld ? 1 : 0, param->length,
2149 				param->vary);
2150 		retval = ctrl_out(dev, param->iterations,
2151 				param->length, param->vary, 1);
2152 		break;
2153 
2154 	/* unaligned iso tests */
2155 	case 22:
2156 		if (dev->out_iso_pipe == 0 || param->sglen == 0)
2157 			break;
2158 		dev_info(&intf->dev,
2159 			"TEST 22:  write %d iso odd, %d entries of %d bytes\n",
2160 				param->iterations,
2161 				param->sglen, param->length);
2162 		retval = test_iso_queue(dev, param,
2163 				dev->out_iso_pipe, dev->iso_out, 1);
2164 		break;
2165 
2166 	case 23:
2167 		if (dev->in_iso_pipe == 0 || param->sglen == 0)
2168 			break;
2169 		dev_info(&intf->dev,
2170 			"TEST 23:  read %d iso odd, %d entries of %d bytes\n",
2171 				param->iterations,
2172 				param->sglen, param->length);
2173 		retval = test_iso_queue(dev, param,
2174 				dev->in_iso_pipe, dev->iso_in, 1);
2175 		break;
2176 
2177 	/* unlink URBs from a bulk-OUT queue */
2178 	case 24:
2179 		if (dev->out_pipe == 0 || !param->length || param->sglen < 4)
2180 			break;
2181 		retval = 0;
2182 		dev_info(&intf->dev, "TEST 17:  unlink from %d queues of "
2183 				"%d %d-byte writes\n",
2184 				param->iterations, param->sglen, param->length);
2185 		for (i = param->iterations; retval == 0 && i > 0; --i) {
2186 			retval = unlink_queued(dev, dev->out_pipe,
2187 						param->sglen, param->length);
2188 			if (retval) {
2189 				dev_err(&intf->dev,
2190 					"unlink queued writes failed %d, "
2191 					"iterations left %d\n", retval, i);
2192 				break;
2193 			}
2194 		}
2195 		break;
2196 
2197 	}
2198 	do_gettimeofday(&param->duration);
2199 	param->duration.tv_sec -= start.tv_sec;
2200 	param->duration.tv_usec -= start.tv_usec;
2201 	if (param->duration.tv_usec < 0) {
2202 		param->duration.tv_usec += 1000 * 1000;
2203 		param->duration.tv_sec -= 1;
2204 	}
2205 	mutex_unlock(&dev->lock);
2206 	return retval;
2207 }
2208 
2209 /*-------------------------------------------------------------------------*/
2210 
2211 static unsigned force_interrupt;
2212 module_param(force_interrupt, uint, 0);
2213 MODULE_PARM_DESC(force_interrupt, "0 = test default; else interrupt");
2214 
2215 #ifdef	GENERIC
2216 static unsigned short vendor;
2217 module_param(vendor, ushort, 0);
2218 MODULE_PARM_DESC(vendor, "vendor code (from usb-if)");
2219 
2220 static unsigned short product;
2221 module_param(product, ushort, 0);
2222 MODULE_PARM_DESC(product, "product code (from vendor)");
2223 #endif
2224 
2225 static int
2226 usbtest_probe(struct usb_interface *intf, const struct usb_device_id *id)
2227 {
2228 	struct usb_device	*udev;
2229 	struct usbtest_dev	*dev;
2230 	struct usbtest_info	*info;
2231 	char			*rtest, *wtest;
2232 	char			*irtest, *iwtest;
2233 
2234 	udev = interface_to_usbdev(intf);
2235 
2236 #ifdef	GENERIC
2237 	/* specify devices by module parameters? */
2238 	if (id->match_flags == 0) {
2239 		/* vendor match required, product match optional */
2240 		if (!vendor || le16_to_cpu(udev->descriptor.idVendor) != (u16)vendor)
2241 			return -ENODEV;
2242 		if (product && le16_to_cpu(udev->descriptor.idProduct) != (u16)product)
2243 			return -ENODEV;
2244 		dev_info(&intf->dev, "matched module params, "
2245 					"vend=0x%04x prod=0x%04x\n",
2246 				le16_to_cpu(udev->descriptor.idVendor),
2247 				le16_to_cpu(udev->descriptor.idProduct));
2248 	}
2249 #endif
2250 
2251 	dev = kzalloc(sizeof(*dev), GFP_KERNEL);
2252 	if (!dev)
2253 		return -ENOMEM;
2254 	info = (struct usbtest_info *) id->driver_info;
2255 	dev->info = info;
2256 	mutex_init(&dev->lock);
2257 
2258 	dev->intf = intf;
2259 
2260 	/* cacheline-aligned scratch for i/o */
2261 	dev->buf = kmalloc(TBUF_SIZE, GFP_KERNEL);
2262 	if (dev->buf == NULL) {
2263 		kfree(dev);
2264 		return -ENOMEM;
2265 	}
2266 
2267 	/* NOTE this doesn't yet test the handful of difference that are
2268 	 * visible with high speed interrupts:  bigger maxpacket (1K) and
2269 	 * "high bandwidth" modes (up to 3 packets/uframe).
2270 	 */
2271 	rtest = wtest = "";
2272 	irtest = iwtest = "";
2273 	if (force_interrupt || udev->speed == USB_SPEED_LOW) {
2274 		if (info->ep_in) {
2275 			dev->in_pipe = usb_rcvintpipe(udev, info->ep_in);
2276 			rtest = " intr-in";
2277 		}
2278 		if (info->ep_out) {
2279 			dev->out_pipe = usb_sndintpipe(udev, info->ep_out);
2280 			wtest = " intr-out";
2281 		}
2282 	} else {
2283 		if (info->autoconf) {
2284 			int status;
2285 
2286 			status = get_endpoints(dev, intf);
2287 			if (status < 0) {
2288 				WARNING(dev, "couldn't get endpoints, %d\n",
2289 						status);
2290 				kfree(dev->buf);
2291 				kfree(dev);
2292 				return status;
2293 			}
2294 			/* may find bulk or ISO pipes */
2295 		} else {
2296 			if (info->ep_in)
2297 				dev->in_pipe = usb_rcvbulkpipe(udev,
2298 							info->ep_in);
2299 			if (info->ep_out)
2300 				dev->out_pipe = usb_sndbulkpipe(udev,
2301 							info->ep_out);
2302 		}
2303 		if (dev->in_pipe)
2304 			rtest = " bulk-in";
2305 		if (dev->out_pipe)
2306 			wtest = " bulk-out";
2307 		if (dev->in_iso_pipe)
2308 			irtest = " iso-in";
2309 		if (dev->out_iso_pipe)
2310 			iwtest = " iso-out";
2311 	}
2312 
2313 	usb_set_intfdata(intf, dev);
2314 	dev_info(&intf->dev, "%s\n", info->name);
2315 	dev_info(&intf->dev, "%s {control%s%s%s%s%s} tests%s\n",
2316 			usb_speed_string(udev->speed),
2317 			info->ctrl_out ? " in/out" : "",
2318 			rtest, wtest,
2319 			irtest, iwtest,
2320 			info->alt >= 0 ? " (+alt)" : "");
2321 	return 0;
2322 }
2323 
2324 static int usbtest_suspend(struct usb_interface *intf, pm_message_t message)
2325 {
2326 	return 0;
2327 }
2328 
2329 static int usbtest_resume(struct usb_interface *intf)
2330 {
2331 	return 0;
2332 }
2333 
2334 
2335 static void usbtest_disconnect(struct usb_interface *intf)
2336 {
2337 	struct usbtest_dev	*dev = usb_get_intfdata(intf);
2338 
2339 	usb_set_intfdata(intf, NULL);
2340 	dev_dbg(&intf->dev, "disconnect\n");
2341 	kfree(dev);
2342 }
2343 
2344 /* Basic testing only needs a device that can source or sink bulk traffic.
2345  * Any device can test control transfers (default with GENERIC binding).
2346  *
2347  * Several entries work with the default EP0 implementation that's built
2348  * into EZ-USB chips.  There's a default vendor ID which can be overridden
2349  * by (very) small config EEPROMS, but otherwise all these devices act
2350  * identically until firmware is loaded:  only EP0 works.  It turns out
2351  * to be easy to make other endpoints work, without modifying that EP0
2352  * behavior.  For now, we expect that kind of firmware.
2353  */
2354 
2355 /* an21xx or fx versions of ez-usb */
2356 static struct usbtest_info ez1_info = {
2357 	.name		= "EZ-USB device",
2358 	.ep_in		= 2,
2359 	.ep_out		= 2,
2360 	.alt		= 1,
2361 };
2362 
2363 /* fx2 version of ez-usb */
2364 static struct usbtest_info ez2_info = {
2365 	.name		= "FX2 device",
2366 	.ep_in		= 6,
2367 	.ep_out		= 2,
2368 	.alt		= 1,
2369 };
2370 
2371 /* ezusb family device with dedicated usb test firmware,
2372  */
2373 static struct usbtest_info fw_info = {
2374 	.name		= "usb test device",
2375 	.ep_in		= 2,
2376 	.ep_out		= 2,
2377 	.alt		= 1,
2378 	.autoconf	= 1,		/* iso and ctrl_out need autoconf */
2379 	.ctrl_out	= 1,
2380 	.iso		= 1,		/* iso_ep's are #8 in/out */
2381 };
2382 
2383 /* peripheral running Linux and 'zero.c' test firmware, or
2384  * its user-mode cousin. different versions of this use
2385  * different hardware with the same vendor/product codes.
2386  * host side MUST rely on the endpoint descriptors.
2387  */
2388 static struct usbtest_info gz_info = {
2389 	.name		= "Linux gadget zero",
2390 	.autoconf	= 1,
2391 	.ctrl_out	= 1,
2392 	.iso		= 1,
2393 	.alt		= 0,
2394 };
2395 
2396 static struct usbtest_info um_info = {
2397 	.name		= "Linux user mode test driver",
2398 	.autoconf	= 1,
2399 	.alt		= -1,
2400 };
2401 
2402 static struct usbtest_info um2_info = {
2403 	.name		= "Linux user mode ISO test driver",
2404 	.autoconf	= 1,
2405 	.iso		= 1,
2406 	.alt		= -1,
2407 };
2408 
2409 #ifdef IBOT2
2410 /* this is a nice source of high speed bulk data;
2411  * uses an FX2, with firmware provided in the device
2412  */
2413 static struct usbtest_info ibot2_info = {
2414 	.name		= "iBOT2 webcam",
2415 	.ep_in		= 2,
2416 	.alt		= -1,
2417 };
2418 #endif
2419 
2420 #ifdef GENERIC
2421 /* we can use any device to test control traffic */
2422 static struct usbtest_info generic_info = {
2423 	.name		= "Generic USB device",
2424 	.alt		= -1,
2425 };
2426 #endif
2427 
2428 
2429 static const struct usb_device_id id_table[] = {
2430 
2431 	/*-------------------------------------------------------------*/
2432 
2433 	/* EZ-USB devices which download firmware to replace (or in our
2434 	 * case augment) the default device implementation.
2435 	 */
2436 
2437 	/* generic EZ-USB FX controller */
2438 	{ USB_DEVICE(0x0547, 0x2235),
2439 		.driver_info = (unsigned long) &ez1_info,
2440 	},
2441 
2442 	/* CY3671 development board with EZ-USB FX */
2443 	{ USB_DEVICE(0x0547, 0x0080),
2444 		.driver_info = (unsigned long) &ez1_info,
2445 	},
2446 
2447 	/* generic EZ-USB FX2 controller (or development board) */
2448 	{ USB_DEVICE(0x04b4, 0x8613),
2449 		.driver_info = (unsigned long) &ez2_info,
2450 	},
2451 
2452 	/* re-enumerated usb test device firmware */
2453 	{ USB_DEVICE(0xfff0, 0xfff0),
2454 		.driver_info = (unsigned long) &fw_info,
2455 	},
2456 
2457 	/* "Gadget Zero" firmware runs under Linux */
2458 	{ USB_DEVICE(0x0525, 0xa4a0),
2459 		.driver_info = (unsigned long) &gz_info,
2460 	},
2461 
2462 	/* so does a user-mode variant */
2463 	{ USB_DEVICE(0x0525, 0xa4a4),
2464 		.driver_info = (unsigned long) &um_info,
2465 	},
2466 
2467 	/* ... and a user-mode variant that talks iso */
2468 	{ USB_DEVICE(0x0525, 0xa4a3),
2469 		.driver_info = (unsigned long) &um2_info,
2470 	},
2471 
2472 #ifdef KEYSPAN_19Qi
2473 	/* Keyspan 19qi uses an21xx (original EZ-USB) */
2474 	/* this does not coexist with the real Keyspan 19qi driver! */
2475 	{ USB_DEVICE(0x06cd, 0x010b),
2476 		.driver_info = (unsigned long) &ez1_info,
2477 	},
2478 #endif
2479 
2480 	/*-------------------------------------------------------------*/
2481 
2482 #ifdef IBOT2
2483 	/* iBOT2 makes a nice source of high speed bulk-in data */
2484 	/* this does not coexist with a real iBOT2 driver! */
2485 	{ USB_DEVICE(0x0b62, 0x0059),
2486 		.driver_info = (unsigned long) &ibot2_info,
2487 	},
2488 #endif
2489 
2490 	/*-------------------------------------------------------------*/
2491 
2492 #ifdef GENERIC
2493 	/* module params can specify devices to use for control tests */
2494 	{ .driver_info = (unsigned long) &generic_info, },
2495 #endif
2496 
2497 	/*-------------------------------------------------------------*/
2498 
2499 	{ }
2500 };
2501 MODULE_DEVICE_TABLE(usb, id_table);
2502 
2503 static struct usb_driver usbtest_driver = {
2504 	.name =		"usbtest",
2505 	.id_table =	id_table,
2506 	.probe =	usbtest_probe,
2507 	.unlocked_ioctl = usbtest_ioctl,
2508 	.disconnect =	usbtest_disconnect,
2509 	.suspend =	usbtest_suspend,
2510 	.resume =	usbtest_resume,
2511 };
2512 
2513 /*-------------------------------------------------------------------------*/
2514 
2515 static int __init usbtest_init(void)
2516 {
2517 #ifdef GENERIC
2518 	if (vendor)
2519 		pr_debug("params: vend=0x%04x prod=0x%04x\n", vendor, product);
2520 #endif
2521 	return usb_register(&usbtest_driver);
2522 }
2523 module_init(usbtest_init);
2524 
2525 static void __exit usbtest_exit(void)
2526 {
2527 	usb_deregister(&usbtest_driver);
2528 }
2529 module_exit(usbtest_exit);
2530 
2531 MODULE_DESCRIPTION("USB Core/HCD Testing Driver");
2532 MODULE_LICENSE("GPL");
2533 
2534