1/* 2 * f_fs.c -- user mode file system API for USB composite function controllers 3 * 4 * Copyright (C) 2010 Samsung Electronics 5 * Author: Michal Nazarewicz <mina86@mina86.com> 6 * 7 * Based on inode.c (GadgetFS) which was: 8 * Copyright (C) 2003-2004 David Brownell 9 * Copyright (C) 2003 Agilent Technologies 10 * 11 * This program is free software; you can redistribute it and/or modify 12 * it under the terms of the GNU General Public License as published by 13 * the Free Software Foundation; either version 2 of the License, or 14 * (at your option) any later version. 15 */ 16 17 18/* #define DEBUG */ 19/* #define VERBOSE_DEBUG */ 20 21#include <linux/blkdev.h> 22#include <linux/pagemap.h> 23#include <linux/export.h> 24#include <linux/hid.h> 25#include <linux/module.h> 26#include <linux/uio.h> 27#include <asm/unaligned.h> 28 29#include <linux/usb/composite.h> 30#include <linux/usb/functionfs.h> 31 32#include <linux/aio.h> 33#include <linux/mmu_context.h> 34#include <linux/poll.h> 35#include <linux/eventfd.h> 36 37#include "u_fs.h" 38#include "u_f.h" 39#include "u_os_desc.h" 40#include "configfs.h" 41 42#define FUNCTIONFS_MAGIC 0xa647361 /* Chosen by a honest dice roll ;) */ 43 44/* Reference counter handling */ 45static void ffs_data_get(struct ffs_data *ffs); 46static void ffs_data_put(struct ffs_data *ffs); 47/* Creates new ffs_data object. */ 48static struct ffs_data *__must_check ffs_data_new(void) __attribute__((malloc)); 49 50/* Opened counter handling. */ 51static void ffs_data_opened(struct ffs_data *ffs); 52static void ffs_data_closed(struct ffs_data *ffs); 53 54/* Called with ffs->mutex held; take over ownership of data. */ 55static int __must_check 56__ffs_data_got_descs(struct ffs_data *ffs, char *data, size_t len); 57static int __must_check 58__ffs_data_got_strings(struct ffs_data *ffs, char *data, size_t len); 59 60 61/* The function structure ***************************************************/ 62 63struct ffs_ep; 64 65struct ffs_function { 66 struct usb_configuration *conf; 67 struct usb_gadget *gadget; 68 struct ffs_data *ffs; 69 70 struct ffs_ep *eps; 71 u8 eps_revmap[16]; 72 short *interfaces_nums; 73 74 struct usb_function function; 75}; 76 77 78static struct ffs_function *ffs_func_from_usb(struct usb_function *f) 79{ 80 return container_of(f, struct ffs_function, function); 81} 82 83 84static inline enum ffs_setup_state 85ffs_setup_state_clear_cancelled(struct ffs_data *ffs) 86{ 87 return (enum ffs_setup_state) 88 cmpxchg(&ffs->setup_state, FFS_SETUP_CANCELLED, FFS_NO_SETUP); 89} 90 91 92static void ffs_func_eps_disable(struct ffs_function *func); 93static int __must_check ffs_func_eps_enable(struct ffs_function *func); 94 95static int ffs_func_bind(struct usb_configuration *, 96 struct usb_function *); 97static int ffs_func_set_alt(struct usb_function *, unsigned, unsigned); 98static void ffs_func_disable(struct usb_function *); 99static int ffs_func_setup(struct usb_function *, 100 const struct usb_ctrlrequest *); 101static void ffs_func_suspend(struct usb_function *); 102static void ffs_func_resume(struct usb_function *); 103 104 105static int ffs_func_revmap_ep(struct ffs_function *func, u8 num); 106static int ffs_func_revmap_intf(struct ffs_function *func, u8 intf); 107 108 109/* The endpoints structures *************************************************/ 110 111struct ffs_ep { 112 struct usb_ep *ep; /* P: ffs->eps_lock */ 113 struct usb_request *req; /* P: epfile->mutex */ 114 115 /* [0]: full speed, [1]: high speed, [2]: super speed */ 116 struct usb_endpoint_descriptor *descs[3]; 117 118 u8 num; 119 120 int status; /* P: epfile->mutex */ 121}; 122 123struct ffs_epfile { 124 /* Protects ep->ep and ep->req. */ 125 struct mutex mutex; 126 wait_queue_head_t wait; 127 128 struct ffs_data *ffs; 129 struct ffs_ep *ep; /* P: ffs->eps_lock */ 130 131 struct dentry *dentry; 132 133 char name[5]; 134 135 unsigned char in; /* P: ffs->eps_lock */ 136 unsigned char isoc; /* P: ffs->eps_lock */ 137 138 unsigned char _pad; 139}; 140 141/* ffs_io_data structure ***************************************************/ 142 143struct ffs_io_data { 144 bool aio; 145 bool read; 146 147 struct kiocb *kiocb; 148 struct iov_iter data; 149 const void *to_free; 150 char *buf; 151 152 struct mm_struct *mm; 153 struct work_struct work; 154 155 struct usb_ep *ep; 156 struct usb_request *req; 157 158 struct ffs_data *ffs; 159}; 160 161struct ffs_desc_helper { 162 struct ffs_data *ffs; 163 unsigned interfaces_count; 164 unsigned eps_count; 165}; 166 167static int __must_check ffs_epfiles_create(struct ffs_data *ffs); 168static void ffs_epfiles_destroy(struct ffs_epfile *epfiles, unsigned count); 169 170static struct dentry * 171ffs_sb_create_file(struct super_block *sb, const char *name, void *data, 172 const struct file_operations *fops); 173 174/* Devices management *******************************************************/ 175 176DEFINE_MUTEX(ffs_lock); 177EXPORT_SYMBOL_GPL(ffs_lock); 178 179static struct ffs_dev *_ffs_find_dev(const char *name); 180static struct ffs_dev *_ffs_alloc_dev(void); 181static int _ffs_name_dev(struct ffs_dev *dev, const char *name); 182static void _ffs_free_dev(struct ffs_dev *dev); 183static void *ffs_acquire_dev(const char *dev_name); 184static void ffs_release_dev(struct ffs_data *ffs_data); 185static int ffs_ready(struct ffs_data *ffs); 186static void ffs_closed(struct ffs_data *ffs); 187 188/* Misc helper functions ****************************************************/ 189 190static int ffs_mutex_lock(struct mutex *mutex, unsigned nonblock) 191 __attribute__((warn_unused_result, nonnull)); 192static char *ffs_prepare_buffer(const char __user *buf, size_t len) 193 __attribute__((warn_unused_result, nonnull)); 194 195 196/* Control file aka ep0 *****************************************************/ 197 198static void ffs_ep0_complete(struct usb_ep *ep, struct usb_request *req) 199{ 200 struct ffs_data *ffs = req->context; 201 202 complete_all(&ffs->ep0req_completion); 203} 204 205static int __ffs_ep0_queue_wait(struct ffs_data *ffs, char *data, size_t len) 206{ 207 struct usb_request *req = ffs->ep0req; 208 int ret; 209 210 req->zero = len < le16_to_cpu(ffs->ev.setup.wLength); 211 212 spin_unlock_irq(&ffs->ev.waitq.lock); 213 214 req->buf = data; 215 req->length = len; 216 217 /* 218 * UDC layer requires to provide a buffer even for ZLP, but should 219 * not use it at all. Let's provide some poisoned pointer to catch 220 * possible bug in the driver. 221 */ 222 if (req->buf == NULL) 223 req->buf = (void *)0xDEADBABE; 224 225 reinit_completion(&ffs->ep0req_completion); 226 227 ret = usb_ep_queue(ffs->gadget->ep0, req, GFP_ATOMIC); 228 if (unlikely(ret < 0)) 229 return ret; 230 231 ret = wait_for_completion_interruptible(&ffs->ep0req_completion); 232 if (unlikely(ret)) { 233 usb_ep_dequeue(ffs->gadget->ep0, req); 234 return -EINTR; 235 } 236 237 ffs->setup_state = FFS_NO_SETUP; 238 return req->status ? req->status : req->actual; 239} 240 241static int __ffs_ep0_stall(struct ffs_data *ffs) 242{ 243 if (ffs->ev.can_stall) { 244 pr_vdebug("ep0 stall\n"); 245 usb_ep_set_halt(ffs->gadget->ep0); 246 ffs->setup_state = FFS_NO_SETUP; 247 return -EL2HLT; 248 } else { 249 pr_debug("bogus ep0 stall!\n"); 250 return -ESRCH; 251 } 252} 253 254static ssize_t ffs_ep0_write(struct file *file, const char __user *buf, 255 size_t len, loff_t *ptr) 256{ 257 struct ffs_data *ffs = file->private_data; 258 ssize_t ret; 259 char *data; 260 261 ENTER(); 262 263 /* Fast check if setup was canceled */ 264 if (ffs_setup_state_clear_cancelled(ffs) == FFS_SETUP_CANCELLED) 265 return -EIDRM; 266 267 /* Acquire mutex */ 268 ret = ffs_mutex_lock(&ffs->mutex, file->f_flags & O_NONBLOCK); 269 if (unlikely(ret < 0)) 270 return ret; 271 272 /* Check state */ 273 switch (ffs->state) { 274 case FFS_READ_DESCRIPTORS: 275 case FFS_READ_STRINGS: 276 /* Copy data */ 277 if (unlikely(len < 16)) { 278 ret = -EINVAL; 279 break; 280 } 281 282 data = ffs_prepare_buffer(buf, len); 283 if (IS_ERR(data)) { 284 ret = PTR_ERR(data); 285 break; 286 } 287 288 /* Handle data */ 289 if (ffs->state == FFS_READ_DESCRIPTORS) { 290 pr_info("read descriptors\n"); 291 ret = __ffs_data_got_descs(ffs, data, len); 292 if (unlikely(ret < 0)) 293 break; 294 295 ffs->state = FFS_READ_STRINGS; 296 ret = len; 297 } else { 298 pr_info("read strings\n"); 299 ret = __ffs_data_got_strings(ffs, data, len); 300 if (unlikely(ret < 0)) 301 break; 302 303 ret = ffs_epfiles_create(ffs); 304 if (unlikely(ret)) { 305 ffs->state = FFS_CLOSING; 306 break; 307 } 308 309 ffs->state = FFS_ACTIVE; 310 mutex_unlock(&ffs->mutex); 311 312 ret = ffs_ready(ffs); 313 if (unlikely(ret < 0)) { 314 ffs->state = FFS_CLOSING; 315 return ret; 316 } 317 318 return len; 319 } 320 break; 321 322 case FFS_ACTIVE: 323 data = NULL; 324 /* 325 * We're called from user space, we can use _irq 326 * rather then _irqsave 327 */ 328 spin_lock_irq(&ffs->ev.waitq.lock); 329 switch (ffs_setup_state_clear_cancelled(ffs)) { 330 case FFS_SETUP_CANCELLED: 331 ret = -EIDRM; 332 goto done_spin; 333 334 case FFS_NO_SETUP: 335 ret = -ESRCH; 336 goto done_spin; 337 338 case FFS_SETUP_PENDING: 339 break; 340 } 341 342 /* FFS_SETUP_PENDING */ 343 if (!(ffs->ev.setup.bRequestType & USB_DIR_IN)) { 344 spin_unlock_irq(&ffs->ev.waitq.lock); 345 ret = __ffs_ep0_stall(ffs); 346 break; 347 } 348 349 /* FFS_SETUP_PENDING and not stall */ 350 len = min(len, (size_t)le16_to_cpu(ffs->ev.setup.wLength)); 351 352 spin_unlock_irq(&ffs->ev.waitq.lock); 353 354 data = ffs_prepare_buffer(buf, len); 355 if (IS_ERR(data)) { 356 ret = PTR_ERR(data); 357 break; 358 } 359 360 spin_lock_irq(&ffs->ev.waitq.lock); 361 362 /* 363 * We are guaranteed to be still in FFS_ACTIVE state 364 * but the state of setup could have changed from 365 * FFS_SETUP_PENDING to FFS_SETUP_CANCELLED so we need 366 * to check for that. If that happened we copied data 367 * from user space in vain but it's unlikely. 368 * 369 * For sure we are not in FFS_NO_SETUP since this is 370 * the only place FFS_SETUP_PENDING -> FFS_NO_SETUP 371 * transition can be performed and it's protected by 372 * mutex. 373 */ 374 if (ffs_setup_state_clear_cancelled(ffs) == 375 FFS_SETUP_CANCELLED) { 376 ret = -EIDRM; 377done_spin: 378 spin_unlock_irq(&ffs->ev.waitq.lock); 379 } else { 380 /* unlocks spinlock */ 381 ret = __ffs_ep0_queue_wait(ffs, data, len); 382 } 383 kfree(data); 384 break; 385 386 default: 387 ret = -EBADFD; 388 break; 389 } 390 391 mutex_unlock(&ffs->mutex); 392 return ret; 393} 394 395/* Called with ffs->ev.waitq.lock and ffs->mutex held, both released on exit. */ 396static ssize_t __ffs_ep0_read_events(struct ffs_data *ffs, char __user *buf, 397 size_t n) 398{ 399 /* 400 * n cannot be bigger than ffs->ev.count, which cannot be bigger than 401 * size of ffs->ev.types array (which is four) so that's how much space 402 * we reserve. 403 */ 404 struct usb_functionfs_event events[ARRAY_SIZE(ffs->ev.types)]; 405 const size_t size = n * sizeof *events; 406 unsigned i = 0; 407 408 memset(events, 0, size); 409 410 do { 411 events[i].type = ffs->ev.types[i]; 412 if (events[i].type == FUNCTIONFS_SETUP) { 413 events[i].u.setup = ffs->ev.setup; 414 ffs->setup_state = FFS_SETUP_PENDING; 415 } 416 } while (++i < n); 417 418 ffs->ev.count -= n; 419 if (ffs->ev.count) 420 memmove(ffs->ev.types, ffs->ev.types + n, 421 ffs->ev.count * sizeof *ffs->ev.types); 422 423 spin_unlock_irq(&ffs->ev.waitq.lock); 424 mutex_unlock(&ffs->mutex); 425 426 return unlikely(copy_to_user(buf, events, size)) ? -EFAULT : size; 427} 428 429static ssize_t ffs_ep0_read(struct file *file, char __user *buf, 430 size_t len, loff_t *ptr) 431{ 432 struct ffs_data *ffs = file->private_data; 433 char *data = NULL; 434 size_t n; 435 int ret; 436 437 ENTER(); 438 439 /* Fast check if setup was canceled */ 440 if (ffs_setup_state_clear_cancelled(ffs) == FFS_SETUP_CANCELLED) 441 return -EIDRM; 442 443 /* Acquire mutex */ 444 ret = ffs_mutex_lock(&ffs->mutex, file->f_flags & O_NONBLOCK); 445 if (unlikely(ret < 0)) 446 return ret; 447 448 /* Check state */ 449 if (ffs->state != FFS_ACTIVE) { 450 ret = -EBADFD; 451 goto done_mutex; 452 } 453 454 /* 455 * We're called from user space, we can use _irq rather then 456 * _irqsave 457 */ 458 spin_lock_irq(&ffs->ev.waitq.lock); 459 460 switch (ffs_setup_state_clear_cancelled(ffs)) { 461 case FFS_SETUP_CANCELLED: 462 ret = -EIDRM; 463 break; 464 465 case FFS_NO_SETUP: 466 n = len / sizeof(struct usb_functionfs_event); 467 if (unlikely(!n)) { 468 ret = -EINVAL; 469 break; 470 } 471 472 if ((file->f_flags & O_NONBLOCK) && !ffs->ev.count) { 473 ret = -EAGAIN; 474 break; 475 } 476 477 if (wait_event_interruptible_exclusive_locked_irq(ffs->ev.waitq, 478 ffs->ev.count)) { 479 ret = -EINTR; 480 break; 481 } 482 483 return __ffs_ep0_read_events(ffs, buf, 484 min(n, (size_t)ffs->ev.count)); 485 486 case FFS_SETUP_PENDING: 487 if (ffs->ev.setup.bRequestType & USB_DIR_IN) { 488 spin_unlock_irq(&ffs->ev.waitq.lock); 489 ret = __ffs_ep0_stall(ffs); 490 goto done_mutex; 491 } 492 493 len = min(len, (size_t)le16_to_cpu(ffs->ev.setup.wLength)); 494 495 spin_unlock_irq(&ffs->ev.waitq.lock); 496 497 if (likely(len)) { 498 data = kmalloc(len, GFP_KERNEL); 499 if (unlikely(!data)) { 500 ret = -ENOMEM; 501 goto done_mutex; 502 } 503 } 504 505 spin_lock_irq(&ffs->ev.waitq.lock); 506 507 /* See ffs_ep0_write() */ 508 if (ffs_setup_state_clear_cancelled(ffs) == 509 FFS_SETUP_CANCELLED) { 510 ret = -EIDRM; 511 break; 512 } 513 514 /* unlocks spinlock */ 515 ret = __ffs_ep0_queue_wait(ffs, data, len); 516 if (likely(ret > 0) && unlikely(copy_to_user(buf, data, len))) 517 ret = -EFAULT; 518 goto done_mutex; 519 520 default: 521 ret = -EBADFD; 522 break; 523 } 524 525 spin_unlock_irq(&ffs->ev.waitq.lock); 526done_mutex: 527 mutex_unlock(&ffs->mutex); 528 kfree(data); 529 return ret; 530} 531 532static int ffs_ep0_open(struct inode *inode, struct file *file) 533{ 534 struct ffs_data *ffs = inode->i_private; 535 536 ENTER(); 537 538 if (unlikely(ffs->state == FFS_CLOSING)) 539 return -EBUSY; 540 541 file->private_data = ffs; 542 ffs_data_opened(ffs); 543 544 return 0; 545} 546 547static int ffs_ep0_release(struct inode *inode, struct file *file) 548{ 549 struct ffs_data *ffs = file->private_data; 550 551 ENTER(); 552 553 ffs_data_closed(ffs); 554 555 return 0; 556} 557 558static long ffs_ep0_ioctl(struct file *file, unsigned code, unsigned long value) 559{ 560 struct ffs_data *ffs = file->private_data; 561 struct usb_gadget *gadget = ffs->gadget; 562 long ret; 563 564 ENTER(); 565 566 if (code == FUNCTIONFS_INTERFACE_REVMAP) { 567 struct ffs_function *func = ffs->func; 568 ret = func ? ffs_func_revmap_intf(func, value) : -ENODEV; 569 } else if (gadget && gadget->ops->ioctl) { 570 ret = gadget->ops->ioctl(gadget, code, value); 571 } else { 572 ret = -ENOTTY; 573 } 574 575 return ret; 576} 577 578static unsigned int ffs_ep0_poll(struct file *file, poll_table *wait) 579{ 580 struct ffs_data *ffs = file->private_data; 581 unsigned int mask = POLLWRNORM; 582 int ret; 583 584 poll_wait(file, &ffs->ev.waitq, wait); 585 586 ret = ffs_mutex_lock(&ffs->mutex, file->f_flags & O_NONBLOCK); 587 if (unlikely(ret < 0)) 588 return mask; 589 590 switch (ffs->state) { 591 case FFS_READ_DESCRIPTORS: 592 case FFS_READ_STRINGS: 593 mask |= POLLOUT; 594 break; 595 596 case FFS_ACTIVE: 597 switch (ffs->setup_state) { 598 case FFS_NO_SETUP: 599 if (ffs->ev.count) 600 mask |= POLLIN; 601 break; 602 603 case FFS_SETUP_PENDING: 604 case FFS_SETUP_CANCELLED: 605 mask |= (POLLIN | POLLOUT); 606 break; 607 } 608 case FFS_CLOSING: 609 break; 610 case FFS_DEACTIVATED: 611 break; 612 } 613 614 mutex_unlock(&ffs->mutex); 615 616 return mask; 617} 618 619static const struct file_operations ffs_ep0_operations = { 620 .llseek = no_llseek, 621 622 .open = ffs_ep0_open, 623 .write = ffs_ep0_write, 624 .read = ffs_ep0_read, 625 .release = ffs_ep0_release, 626 .unlocked_ioctl = ffs_ep0_ioctl, 627 .poll = ffs_ep0_poll, 628}; 629 630 631/* "Normal" endpoints operations ********************************************/ 632 633static void ffs_epfile_io_complete(struct usb_ep *_ep, struct usb_request *req) 634{ 635 ENTER(); 636 if (likely(req->context)) { 637 struct ffs_ep *ep = _ep->driver_data; 638 ep->status = req->status ? req->status : req->actual; 639 complete(req->context); 640 } 641} 642 643static void ffs_user_copy_worker(struct work_struct *work) 644{ 645 struct ffs_io_data *io_data = container_of(work, struct ffs_io_data, 646 work); 647 int ret = io_data->req->status ? io_data->req->status : 648 io_data->req->actual; 649 bool kiocb_has_eventfd = io_data->kiocb->ki_flags & IOCB_EVENTFD; 650 651 if (io_data->read && ret > 0) { 652 use_mm(io_data->mm); 653 ret = copy_to_iter(io_data->buf, ret, &io_data->data); 654 if (ret != io_data->req->actual && iov_iter_count(&io_data->data)) 655 ret = -EFAULT; 656 unuse_mm(io_data->mm); 657 } 658 659 io_data->kiocb->ki_complete(io_data->kiocb, ret, ret); 660 661 if (io_data->ffs->ffs_eventfd && !kiocb_has_eventfd) 662 eventfd_signal(io_data->ffs->ffs_eventfd, 1); 663 664 usb_ep_free_request(io_data->ep, io_data->req); 665 666 if (io_data->read) 667 kfree(io_data->to_free); 668 kfree(io_data->buf); 669 kfree(io_data); 670} 671 672static void ffs_epfile_async_io_complete(struct usb_ep *_ep, 673 struct usb_request *req) 674{ 675 struct ffs_io_data *io_data = req->context; 676 677 ENTER(); 678 679 INIT_WORK(&io_data->work, ffs_user_copy_worker); 680 schedule_work(&io_data->work); 681} 682 683static ssize_t ffs_epfile_io(struct file *file, struct ffs_io_data *io_data) 684{ 685 struct ffs_epfile *epfile = file->private_data; 686 struct ffs_ep *ep; 687 char *data = NULL; 688 ssize_t ret, data_len = -EINVAL; 689 int halt; 690 691 /* Are we still active? */ 692 if (WARN_ON(epfile->ffs->state != FFS_ACTIVE)) { 693 ret = -ENODEV; 694 goto error; 695 } 696 697 /* Wait for endpoint to be enabled */ 698 ep = epfile->ep; 699 if (!ep) { 700 if (file->f_flags & O_NONBLOCK) { 701 ret = -EAGAIN; 702 goto error; 703 } 704 705 ret = wait_event_interruptible(epfile->wait, (ep = epfile->ep)); 706 if (ret) { 707 ret = -EINTR; 708 goto error; 709 } 710 } 711 712 /* Do we halt? */ 713 halt = (!io_data->read == !epfile->in); 714 if (halt && epfile->isoc) { 715 ret = -EINVAL; 716 goto error; 717 } 718 719 /* Allocate & copy */ 720 if (!halt) { 721 /* 722 * if we _do_ wait above, the epfile->ffs->gadget might be NULL 723 * before the waiting completes, so do not assign to 'gadget' earlier 724 */ 725 struct usb_gadget *gadget = epfile->ffs->gadget; 726 size_t copied; 727 728 spin_lock_irq(&epfile->ffs->eps_lock); 729 /* In the meantime, endpoint got disabled or changed. */ 730 if (epfile->ep != ep) { 731 spin_unlock_irq(&epfile->ffs->eps_lock); 732 return -ESHUTDOWN; 733 } 734 data_len = iov_iter_count(&io_data->data); 735 /* 736 * Controller may require buffer size to be aligned to 737 * maxpacketsize of an out endpoint. 738 */ 739 if (io_data->read) 740 data_len = usb_ep_align_maybe(gadget, ep->ep, data_len); 741 spin_unlock_irq(&epfile->ffs->eps_lock); 742 743 data = kmalloc(data_len, GFP_KERNEL); 744 if (unlikely(!data)) 745 return -ENOMEM; 746 if (!io_data->read) { 747 copied = copy_from_iter(data, data_len, &io_data->data); 748 if (copied != data_len) { 749 ret = -EFAULT; 750 goto error; 751 } 752 } 753 } 754 755 /* We will be using request */ 756 ret = ffs_mutex_lock(&epfile->mutex, file->f_flags & O_NONBLOCK); 757 if (unlikely(ret)) 758 goto error; 759 760 spin_lock_irq(&epfile->ffs->eps_lock); 761 762 if (epfile->ep != ep) { 763 /* In the meantime, endpoint got disabled or changed. */ 764 ret = -ESHUTDOWN; 765 spin_unlock_irq(&epfile->ffs->eps_lock); 766 } else if (halt) { 767 /* Halt */ 768 if (likely(epfile->ep == ep) && !WARN_ON(!ep->ep)) 769 usb_ep_set_halt(ep->ep); 770 spin_unlock_irq(&epfile->ffs->eps_lock); 771 ret = -EBADMSG; 772 } else { 773 /* Fire the request */ 774 struct usb_request *req; 775 776 /* 777 * Sanity Check: even though data_len can't be used 778 * uninitialized at the time I write this comment, some 779 * compilers complain about this situation. 780 * In order to keep the code clean from warnings, data_len is 781 * being initialized to -EINVAL during its declaration, which 782 * means we can't rely on compiler anymore to warn no future 783 * changes won't result in data_len being used uninitialized. 784 * For such reason, we're adding this redundant sanity check 785 * here. 786 */ 787 if (unlikely(data_len == -EINVAL)) { 788 WARN(1, "%s: data_len == -EINVAL\n", __func__); 789 ret = -EINVAL; 790 goto error_lock; 791 } 792 793 if (io_data->aio) { 794 req = usb_ep_alloc_request(ep->ep, GFP_KERNEL); 795 if (unlikely(!req)) 796 goto error_lock; 797 798 req->buf = data; 799 req->length = data_len; 800 801 io_data->buf = data; 802 io_data->ep = ep->ep; 803 io_data->req = req; 804 io_data->ffs = epfile->ffs; 805 806 req->context = io_data; 807 req->complete = ffs_epfile_async_io_complete; 808 809 ret = usb_ep_queue(ep->ep, req, GFP_ATOMIC); 810 if (unlikely(ret)) { 811 usb_ep_free_request(ep->ep, req); 812 goto error_lock; 813 } 814 ret = -EIOCBQUEUED; 815 816 spin_unlock_irq(&epfile->ffs->eps_lock); 817 } else { 818 DECLARE_COMPLETION_ONSTACK(done); 819 820 req = ep->req; 821 req->buf = data; 822 req->length = data_len; 823 824 req->context = &done; 825 req->complete = ffs_epfile_io_complete; 826 827 ret = usb_ep_queue(ep->ep, req, GFP_ATOMIC); 828 829 spin_unlock_irq(&epfile->ffs->eps_lock); 830 831 if (unlikely(ret < 0)) { 832 /* nop */ 833 } else if (unlikely( 834 wait_for_completion_interruptible(&done))) { 835 ret = -EINTR; 836 usb_ep_dequeue(ep->ep, req); 837 } else { 838 /* 839 * XXX We may end up silently droping data 840 * here. Since data_len (i.e. req->length) may 841 * be bigger than len (after being rounded up 842 * to maxpacketsize), we may end up with more 843 * data then user space has space for. 844 */ 845 ret = ep->status; 846 if (io_data->read && ret > 0) { 847 ret = copy_to_iter(data, ret, &io_data->data); 848 if (!ret) 849 ret = -EFAULT; 850 } 851 } 852 kfree(data); 853 } 854 } 855 856 mutex_unlock(&epfile->mutex); 857 return ret; 858 859error_lock: 860 spin_unlock_irq(&epfile->ffs->eps_lock); 861 mutex_unlock(&epfile->mutex); 862error: 863 kfree(data); 864 return ret; 865} 866 867static int 868ffs_epfile_open(struct inode *inode, struct file *file) 869{ 870 struct ffs_epfile *epfile = inode->i_private; 871 872 ENTER(); 873 874 if (WARN_ON(epfile->ffs->state != FFS_ACTIVE)) 875 return -ENODEV; 876 877 file->private_data = epfile; 878 ffs_data_opened(epfile->ffs); 879 880 return 0; 881} 882 883static int ffs_aio_cancel(struct kiocb *kiocb) 884{ 885 struct ffs_io_data *io_data = kiocb->private; 886 struct ffs_epfile *epfile = kiocb->ki_filp->private_data; 887 int value; 888 889 ENTER(); 890 891 spin_lock_irq(&epfile->ffs->eps_lock); 892 893 if (likely(io_data && io_data->ep && io_data->req)) 894 value = usb_ep_dequeue(io_data->ep, io_data->req); 895 else 896 value = -EINVAL; 897 898 spin_unlock_irq(&epfile->ffs->eps_lock); 899 900 return value; 901} 902 903static ssize_t ffs_epfile_write_iter(struct kiocb *kiocb, struct iov_iter *from) 904{ 905 struct ffs_io_data io_data, *p = &io_data; 906 ssize_t res; 907 908 ENTER(); 909 910 if (!is_sync_kiocb(kiocb)) { 911 p = kmalloc(sizeof(io_data), GFP_KERNEL); 912 if (unlikely(!p)) 913 return -ENOMEM; 914 p->aio = true; 915 } else { 916 p->aio = false; 917 } 918 919 p->read = false; 920 p->kiocb = kiocb; 921 p->data = *from; 922 p->mm = current->mm; 923 924 kiocb->private = p; 925 926 if (p->aio) 927 kiocb_set_cancel_fn(kiocb, ffs_aio_cancel); 928 929 res = ffs_epfile_io(kiocb->ki_filp, p); 930 if (res == -EIOCBQUEUED) 931 return res; 932 if (p->aio) 933 kfree(p); 934 else 935 *from = p->data; 936 return res; 937} 938 939static ssize_t ffs_epfile_read_iter(struct kiocb *kiocb, struct iov_iter *to) 940{ 941 struct ffs_io_data io_data, *p = &io_data; 942 ssize_t res; 943 944 ENTER(); 945 946 if (!is_sync_kiocb(kiocb)) { 947 p = kmalloc(sizeof(io_data), GFP_KERNEL); 948 if (unlikely(!p)) 949 return -ENOMEM; 950 p->aio = true; 951 } else { 952 p->aio = false; 953 } 954 955 p->read = true; 956 p->kiocb = kiocb; 957 if (p->aio) { 958 p->to_free = dup_iter(&p->data, to, GFP_KERNEL); 959 if (!p->to_free) { 960 kfree(p); 961 return -ENOMEM; 962 } 963 } else { 964 p->data = *to; 965 p->to_free = NULL; 966 } 967 p->mm = current->mm; 968 969 kiocb->private = p; 970 971 if (p->aio) 972 kiocb_set_cancel_fn(kiocb, ffs_aio_cancel); 973 974 res = ffs_epfile_io(kiocb->ki_filp, p); 975 if (res == -EIOCBQUEUED) 976 return res; 977 978 if (p->aio) { 979 kfree(p->to_free); 980 kfree(p); 981 } else { 982 *to = p->data; 983 } 984 return res; 985} 986 987static int 988ffs_epfile_release(struct inode *inode, struct file *file) 989{ 990 struct ffs_epfile *epfile = inode->i_private; 991 992 ENTER(); 993 994 ffs_data_closed(epfile->ffs); 995 996 return 0; 997} 998 999static long ffs_epfile_ioctl(struct file *file, unsigned code, 1000 unsigned long value) 1001{ 1002 struct ffs_epfile *epfile = file->private_data; 1003 int ret; 1004 1005 ENTER(); 1006 1007 if (WARN_ON(epfile->ffs->state != FFS_ACTIVE)) 1008 return -ENODEV; 1009 1010 spin_lock_irq(&epfile->ffs->eps_lock); 1011 if (likely(epfile->ep)) { 1012 switch (code) { 1013 case FUNCTIONFS_FIFO_STATUS: 1014 ret = usb_ep_fifo_status(epfile->ep->ep); 1015 break; 1016 case FUNCTIONFS_FIFO_FLUSH: 1017 usb_ep_fifo_flush(epfile->ep->ep); 1018 ret = 0; 1019 break; 1020 case FUNCTIONFS_CLEAR_HALT: 1021 ret = usb_ep_clear_halt(epfile->ep->ep); 1022 break; 1023 case FUNCTIONFS_ENDPOINT_REVMAP: 1024 ret = epfile->ep->num; 1025 break; 1026 case FUNCTIONFS_ENDPOINT_DESC: 1027 { 1028 int desc_idx; 1029 struct usb_endpoint_descriptor *desc; 1030 1031 switch (epfile->ffs->gadget->speed) { 1032 case USB_SPEED_SUPER: 1033 desc_idx = 2; 1034 break; 1035 case USB_SPEED_HIGH: 1036 desc_idx = 1; 1037 break; 1038 default: 1039 desc_idx = 0; 1040 } 1041 desc = epfile->ep->descs[desc_idx]; 1042 1043 spin_unlock_irq(&epfile->ffs->eps_lock); 1044 ret = copy_to_user((void *)value, desc, sizeof(*desc)); 1045 if (ret) 1046 ret = -EFAULT; 1047 return ret; 1048 } 1049 default: 1050 ret = -ENOTTY; 1051 } 1052 } else { 1053 ret = -ENODEV; 1054 } 1055 spin_unlock_irq(&epfile->ffs->eps_lock); 1056 1057 return ret; 1058} 1059 1060static const struct file_operations ffs_epfile_operations = { 1061 .llseek = no_llseek, 1062 1063 .open = ffs_epfile_open, 1064 .write_iter = ffs_epfile_write_iter, 1065 .read_iter = ffs_epfile_read_iter, 1066 .release = ffs_epfile_release, 1067 .unlocked_ioctl = ffs_epfile_ioctl, 1068}; 1069 1070 1071/* File system and super block operations ***********************************/ 1072 1073/* 1074 * Mounting the file system creates a controller file, used first for 1075 * function configuration then later for event monitoring. 1076 */ 1077 1078static struct inode *__must_check 1079ffs_sb_make_inode(struct super_block *sb, void *data, 1080 const struct file_operations *fops, 1081 const struct inode_operations *iops, 1082 struct ffs_file_perms *perms) 1083{ 1084 struct inode *inode; 1085 1086 ENTER(); 1087 1088 inode = new_inode(sb); 1089 1090 if (likely(inode)) { 1091 struct timespec current_time = CURRENT_TIME; 1092 1093 inode->i_ino = get_next_ino(); 1094 inode->i_mode = perms->mode; 1095 inode->i_uid = perms->uid; 1096 inode->i_gid = perms->gid; 1097 inode->i_atime = current_time; 1098 inode->i_mtime = current_time; 1099 inode->i_ctime = current_time; 1100 inode->i_private = data; 1101 if (fops) 1102 inode->i_fop = fops; 1103 if (iops) 1104 inode->i_op = iops; 1105 } 1106 1107 return inode; 1108} 1109 1110/* Create "regular" file */ 1111static struct dentry *ffs_sb_create_file(struct super_block *sb, 1112 const char *name, void *data, 1113 const struct file_operations *fops) 1114{ 1115 struct ffs_data *ffs = sb->s_fs_info; 1116 struct dentry *dentry; 1117 struct inode *inode; 1118 1119 ENTER(); 1120 1121 dentry = d_alloc_name(sb->s_root, name); 1122 if (unlikely(!dentry)) 1123 return NULL; 1124 1125 inode = ffs_sb_make_inode(sb, data, fops, NULL, &ffs->file_perms); 1126 if (unlikely(!inode)) { 1127 dput(dentry); 1128 return NULL; 1129 } 1130 1131 d_add(dentry, inode); 1132 return dentry; 1133} 1134 1135/* Super block */ 1136static const struct super_operations ffs_sb_operations = { 1137 .statfs = simple_statfs, 1138 .drop_inode = generic_delete_inode, 1139}; 1140 1141struct ffs_sb_fill_data { 1142 struct ffs_file_perms perms; 1143 umode_t root_mode; 1144 const char *dev_name; 1145 bool no_disconnect; 1146 struct ffs_data *ffs_data; 1147}; 1148 1149static int ffs_sb_fill(struct super_block *sb, void *_data, int silent) 1150{ 1151 struct ffs_sb_fill_data *data = _data; 1152 struct inode *inode; 1153 struct ffs_data *ffs = data->ffs_data; 1154 1155 ENTER(); 1156 1157 ffs->sb = sb; 1158 data->ffs_data = NULL; 1159 sb->s_fs_info = ffs; 1160 sb->s_blocksize = PAGE_CACHE_SIZE; 1161 sb->s_blocksize_bits = PAGE_CACHE_SHIFT; 1162 sb->s_magic = FUNCTIONFS_MAGIC; 1163 sb->s_op = &ffs_sb_operations; 1164 sb->s_time_gran = 1; 1165 1166 /* Root inode */ 1167 data->perms.mode = data->root_mode; 1168 inode = ffs_sb_make_inode(sb, NULL, 1169 &simple_dir_operations, 1170 &simple_dir_inode_operations, 1171 &data->perms); 1172 sb->s_root = d_make_root(inode); 1173 if (unlikely(!sb->s_root)) 1174 return -ENOMEM; 1175 1176 /* EP0 file */ 1177 if (unlikely(!ffs_sb_create_file(sb, "ep0", ffs, 1178 &ffs_ep0_operations))) 1179 return -ENOMEM; 1180 1181 return 0; 1182} 1183 1184static int ffs_fs_parse_opts(struct ffs_sb_fill_data *data, char *opts) 1185{ 1186 ENTER(); 1187 1188 if (!opts || !*opts) 1189 return 0; 1190 1191 for (;;) { 1192 unsigned long value; 1193 char *eq, *comma; 1194 1195 /* Option limit */ 1196 comma = strchr(opts, ','); 1197 if (comma) 1198 *comma = 0; 1199 1200 /* Value limit */ 1201 eq = strchr(opts, '='); 1202 if (unlikely(!eq)) { 1203 pr_err("'=' missing in %s\n", opts); 1204 return -EINVAL; 1205 } 1206 *eq = 0; 1207 1208 /* Parse value */ 1209 if (kstrtoul(eq + 1, 0, &value)) { 1210 pr_err("%s: invalid value: %s\n", opts, eq + 1); 1211 return -EINVAL; 1212 } 1213 1214 /* Interpret option */ 1215 switch (eq - opts) { 1216 case 13: 1217 if (!memcmp(opts, "no_disconnect", 13)) 1218 data->no_disconnect = !!value; 1219 else 1220 goto invalid; 1221 break; 1222 case 5: 1223 if (!memcmp(opts, "rmode", 5)) 1224 data->root_mode = (value & 0555) | S_IFDIR; 1225 else if (!memcmp(opts, "fmode", 5)) 1226 data->perms.mode = (value & 0666) | S_IFREG; 1227 else 1228 goto invalid; 1229 break; 1230 1231 case 4: 1232 if (!memcmp(opts, "mode", 4)) { 1233 data->root_mode = (value & 0555) | S_IFDIR; 1234 data->perms.mode = (value & 0666) | S_IFREG; 1235 } else { 1236 goto invalid; 1237 } 1238 break; 1239 1240 case 3: 1241 if (!memcmp(opts, "uid", 3)) { 1242 data->perms.uid = make_kuid(current_user_ns(), value); 1243 if (!uid_valid(data->perms.uid)) { 1244 pr_err("%s: unmapped value: %lu\n", opts, value); 1245 return -EINVAL; 1246 } 1247 } else if (!memcmp(opts, "gid", 3)) { 1248 data->perms.gid = make_kgid(current_user_ns(), value); 1249 if (!gid_valid(data->perms.gid)) { 1250 pr_err("%s: unmapped value: %lu\n", opts, value); 1251 return -EINVAL; 1252 } 1253 } else { 1254 goto invalid; 1255 } 1256 break; 1257 1258 default: 1259invalid: 1260 pr_err("%s: invalid option\n", opts); 1261 return -EINVAL; 1262 } 1263 1264 /* Next iteration */ 1265 if (!comma) 1266 break; 1267 opts = comma + 1; 1268 } 1269 1270 return 0; 1271} 1272 1273/* "mount -t functionfs dev_name /dev/function" ends up here */ 1274 1275static struct dentry * 1276ffs_fs_mount(struct file_system_type *t, int flags, 1277 const char *dev_name, void *opts) 1278{ 1279 struct ffs_sb_fill_data data = { 1280 .perms = { 1281 .mode = S_IFREG | 0600, 1282 .uid = GLOBAL_ROOT_UID, 1283 .gid = GLOBAL_ROOT_GID, 1284 }, 1285 .root_mode = S_IFDIR | 0500, 1286 .no_disconnect = false, 1287 }; 1288 struct dentry *rv; 1289 int ret; 1290 void *ffs_dev; 1291 struct ffs_data *ffs; 1292 1293 ENTER(); 1294 1295 ret = ffs_fs_parse_opts(&data, opts); 1296 if (unlikely(ret < 0)) 1297 return ERR_PTR(ret); 1298 1299 ffs = ffs_data_new(); 1300 if (unlikely(!ffs)) 1301 return ERR_PTR(-ENOMEM); 1302 ffs->file_perms = data.perms; 1303 ffs->no_disconnect = data.no_disconnect; 1304 1305 ffs->dev_name = kstrdup(dev_name, GFP_KERNEL); 1306 if (unlikely(!ffs->dev_name)) { 1307 ffs_data_put(ffs); 1308 return ERR_PTR(-ENOMEM); 1309 } 1310 1311 ffs_dev = ffs_acquire_dev(dev_name); 1312 if (IS_ERR(ffs_dev)) { 1313 ffs_data_put(ffs); 1314 return ERR_CAST(ffs_dev); 1315 } 1316 ffs->private_data = ffs_dev; 1317 data.ffs_data = ffs; 1318 1319 rv = mount_nodev(t, flags, &data, ffs_sb_fill); 1320 if (IS_ERR(rv) && data.ffs_data) { 1321 ffs_release_dev(data.ffs_data); 1322 ffs_data_put(data.ffs_data); 1323 } 1324 return rv; 1325} 1326 1327static void 1328ffs_fs_kill_sb(struct super_block *sb) 1329{ 1330 ENTER(); 1331 1332 kill_litter_super(sb); 1333 if (sb->s_fs_info) { 1334 ffs_release_dev(sb->s_fs_info); 1335 ffs_data_closed(sb->s_fs_info); 1336 ffs_data_put(sb->s_fs_info); 1337 } 1338} 1339 1340static struct file_system_type ffs_fs_type = { 1341 .owner = THIS_MODULE, 1342 .name = "functionfs", 1343 .mount = ffs_fs_mount, 1344 .kill_sb = ffs_fs_kill_sb, 1345}; 1346MODULE_ALIAS_FS("functionfs"); 1347 1348 1349/* Driver's main init/cleanup functions *************************************/ 1350 1351static int functionfs_init(void) 1352{ 1353 int ret; 1354 1355 ENTER(); 1356 1357 ret = register_filesystem(&ffs_fs_type); 1358 if (likely(!ret)) 1359 pr_info("file system registered\n"); 1360 else 1361 pr_err("failed registering file system (%d)\n", ret); 1362 1363 return ret; 1364} 1365 1366static void functionfs_cleanup(void) 1367{ 1368 ENTER(); 1369 1370 pr_info("unloading\n"); 1371 unregister_filesystem(&ffs_fs_type); 1372} 1373 1374 1375/* ffs_data and ffs_function construction and destruction code **************/ 1376 1377static void ffs_data_clear(struct ffs_data *ffs); 1378static void ffs_data_reset(struct ffs_data *ffs); 1379 1380static void ffs_data_get(struct ffs_data *ffs) 1381{ 1382 ENTER(); 1383 1384 atomic_inc(&ffs->ref); 1385} 1386 1387static void ffs_data_opened(struct ffs_data *ffs) 1388{ 1389 ENTER(); 1390 1391 atomic_inc(&ffs->ref); 1392 if (atomic_add_return(1, &ffs->opened) == 1 && 1393 ffs->state == FFS_DEACTIVATED) { 1394 ffs->state = FFS_CLOSING; 1395 ffs_data_reset(ffs); 1396 } 1397} 1398 1399static void ffs_data_put(struct ffs_data *ffs) 1400{ 1401 ENTER(); 1402 1403 if (unlikely(atomic_dec_and_test(&ffs->ref))) { 1404 pr_info("%s(): freeing\n", __func__); 1405 ffs_data_clear(ffs); 1406 BUG_ON(waitqueue_active(&ffs->ev.waitq) || 1407 waitqueue_active(&ffs->ep0req_completion.wait)); 1408 kfree(ffs->dev_name); 1409 kfree(ffs); 1410 } 1411} 1412 1413static void ffs_data_closed(struct ffs_data *ffs) 1414{ 1415 ENTER(); 1416 1417 if (atomic_dec_and_test(&ffs->opened)) { 1418 if (ffs->no_disconnect) { 1419 ffs->state = FFS_DEACTIVATED; 1420 if (ffs->epfiles) { 1421 ffs_epfiles_destroy(ffs->epfiles, 1422 ffs->eps_count); 1423 ffs->epfiles = NULL; 1424 } 1425 if (ffs->setup_state == FFS_SETUP_PENDING) 1426 __ffs_ep0_stall(ffs); 1427 } else { 1428 ffs->state = FFS_CLOSING; 1429 ffs_data_reset(ffs); 1430 } 1431 } 1432 if (atomic_read(&ffs->opened) < 0) { 1433 ffs->state = FFS_CLOSING; 1434 ffs_data_reset(ffs); 1435 } 1436 1437 ffs_data_put(ffs); 1438} 1439 1440static struct ffs_data *ffs_data_new(void) 1441{ 1442 struct ffs_data *ffs = kzalloc(sizeof *ffs, GFP_KERNEL); 1443 if (unlikely(!ffs)) 1444 return NULL; 1445 1446 ENTER(); 1447 1448 atomic_set(&ffs->ref, 1); 1449 atomic_set(&ffs->opened, 0); 1450 ffs->state = FFS_READ_DESCRIPTORS; 1451 mutex_init(&ffs->mutex); 1452 spin_lock_init(&ffs->eps_lock); 1453 init_waitqueue_head(&ffs->ev.waitq); 1454 init_completion(&ffs->ep0req_completion); 1455 1456 /* XXX REVISIT need to update it in some places, or do we? */ 1457 ffs->ev.can_stall = 1; 1458 1459 return ffs; 1460} 1461 1462static void ffs_data_clear(struct ffs_data *ffs) 1463{ 1464 ENTER(); 1465 1466 ffs_closed(ffs); 1467 1468 BUG_ON(ffs->gadget); 1469 1470 if (ffs->epfiles) 1471 ffs_epfiles_destroy(ffs->epfiles, ffs->eps_count); 1472 1473 if (ffs->ffs_eventfd) 1474 eventfd_ctx_put(ffs->ffs_eventfd); 1475 1476 kfree(ffs->raw_descs_data); 1477 kfree(ffs->raw_strings); 1478 kfree(ffs->stringtabs); 1479} 1480 1481static void ffs_data_reset(struct ffs_data *ffs) 1482{ 1483 ENTER(); 1484 1485 ffs_data_clear(ffs); 1486 1487 ffs->epfiles = NULL; 1488 ffs->raw_descs_data = NULL; 1489 ffs->raw_descs = NULL; 1490 ffs->raw_strings = NULL; 1491 ffs->stringtabs = NULL; 1492 1493 ffs->raw_descs_length = 0; 1494 ffs->fs_descs_count = 0; 1495 ffs->hs_descs_count = 0; 1496 ffs->ss_descs_count = 0; 1497 1498 ffs->strings_count = 0; 1499 ffs->interfaces_count = 0; 1500 ffs->eps_count = 0; 1501 1502 ffs->ev.count = 0; 1503 1504 ffs->state = FFS_READ_DESCRIPTORS; 1505 ffs->setup_state = FFS_NO_SETUP; 1506 ffs->flags = 0; 1507} 1508 1509 1510static int functionfs_bind(struct ffs_data *ffs, struct usb_composite_dev *cdev) 1511{ 1512 struct usb_gadget_strings **lang; 1513 int first_id; 1514 1515 ENTER(); 1516 1517 if (WARN_ON(ffs->state != FFS_ACTIVE 1518 || test_and_set_bit(FFS_FL_BOUND, &ffs->flags))) 1519 return -EBADFD; 1520 1521 first_id = usb_string_ids_n(cdev, ffs->strings_count); 1522 if (unlikely(first_id < 0)) 1523 return first_id; 1524 1525 ffs->ep0req = usb_ep_alloc_request(cdev->gadget->ep0, GFP_KERNEL); 1526 if (unlikely(!ffs->ep0req)) 1527 return -ENOMEM; 1528 ffs->ep0req->complete = ffs_ep0_complete; 1529 ffs->ep0req->context = ffs; 1530 1531 lang = ffs->stringtabs; 1532 if (lang) { 1533 for (; *lang; ++lang) { 1534 struct usb_string *str = (*lang)->strings; 1535 int id = first_id; 1536 for (; str->s; ++id, ++str) 1537 str->id = id; 1538 } 1539 } 1540 1541 ffs->gadget = cdev->gadget; 1542 ffs_data_get(ffs); 1543 return 0; 1544} 1545 1546static void functionfs_unbind(struct ffs_data *ffs) 1547{ 1548 ENTER(); 1549 1550 if (!WARN_ON(!ffs->gadget)) { 1551 usb_ep_free_request(ffs->gadget->ep0, ffs->ep0req); 1552 ffs->ep0req = NULL; 1553 ffs->gadget = NULL; 1554 clear_bit(FFS_FL_BOUND, &ffs->flags); 1555 ffs_data_put(ffs); 1556 } 1557} 1558 1559static int ffs_epfiles_create(struct ffs_data *ffs) 1560{ 1561 struct ffs_epfile *epfile, *epfiles; 1562 unsigned i, count; 1563 1564 ENTER(); 1565 1566 count = ffs->eps_count; 1567 epfiles = kcalloc(count, sizeof(*epfiles), GFP_KERNEL); 1568 if (!epfiles) 1569 return -ENOMEM; 1570 1571 epfile = epfiles; 1572 for (i = 1; i <= count; ++i, ++epfile) { 1573 epfile->ffs = ffs; 1574 mutex_init(&epfile->mutex); 1575 init_waitqueue_head(&epfile->wait); 1576 if (ffs->user_flags & FUNCTIONFS_VIRTUAL_ADDR) 1577 sprintf(epfile->name, "ep%02x", ffs->eps_addrmap[i]); 1578 else 1579 sprintf(epfile->name, "ep%u", i); 1580 epfile->dentry = ffs_sb_create_file(ffs->sb, epfile->name, 1581 epfile, 1582 &ffs_epfile_operations); 1583 if (unlikely(!epfile->dentry)) { 1584 ffs_epfiles_destroy(epfiles, i - 1); 1585 return -ENOMEM; 1586 } 1587 } 1588 1589 ffs->epfiles = epfiles; 1590 return 0; 1591} 1592 1593static void ffs_epfiles_destroy(struct ffs_epfile *epfiles, unsigned count) 1594{ 1595 struct ffs_epfile *epfile = epfiles; 1596 1597 ENTER(); 1598 1599 for (; count; --count, ++epfile) { 1600 BUG_ON(mutex_is_locked(&epfile->mutex) || 1601 waitqueue_active(&epfile->wait)); 1602 if (epfile->dentry) { 1603 d_delete(epfile->dentry); 1604 dput(epfile->dentry); 1605 epfile->dentry = NULL; 1606 } 1607 } 1608 1609 kfree(epfiles); 1610} 1611 1612static void ffs_func_eps_disable(struct ffs_function *func) 1613{ 1614 struct ffs_ep *ep = func->eps; 1615 struct ffs_epfile *epfile = func->ffs->epfiles; 1616 unsigned count = func->ffs->eps_count; 1617 unsigned long flags; 1618 1619 spin_lock_irqsave(&func->ffs->eps_lock, flags); 1620 do { 1621 /* pending requests get nuked */ 1622 if (likely(ep->ep)) 1623 usb_ep_disable(ep->ep); 1624 ++ep; 1625 1626 if (epfile) { 1627 epfile->ep = NULL; 1628 ++epfile; 1629 } 1630 } while (--count); 1631 spin_unlock_irqrestore(&func->ffs->eps_lock, flags); 1632} 1633 1634static int ffs_func_eps_enable(struct ffs_function *func) 1635{ 1636 struct ffs_data *ffs = func->ffs; 1637 struct ffs_ep *ep = func->eps; 1638 struct ffs_epfile *epfile = ffs->epfiles; 1639 unsigned count = ffs->eps_count; 1640 unsigned long flags; 1641 int ret = 0; 1642 1643 spin_lock_irqsave(&func->ffs->eps_lock, flags); 1644 do { 1645 struct usb_endpoint_descriptor *ds; 1646 int desc_idx; 1647 1648 if (ffs->gadget->speed == USB_SPEED_SUPER) 1649 desc_idx = 2; 1650 else if (ffs->gadget->speed == USB_SPEED_HIGH) 1651 desc_idx = 1; 1652 else 1653 desc_idx = 0; 1654 1655 /* fall-back to lower speed if desc missing for current speed */ 1656 do { 1657 ds = ep->descs[desc_idx]; 1658 } while (!ds && --desc_idx >= 0); 1659 1660 if (!ds) { 1661 ret = -EINVAL; 1662 break; 1663 } 1664 1665 ep->ep->driver_data = ep; 1666 ep->ep->desc = ds; 1667 ret = usb_ep_enable(ep->ep); 1668 if (likely(!ret)) { 1669 epfile->ep = ep; 1670 epfile->in = usb_endpoint_dir_in(ds); 1671 epfile->isoc = usb_endpoint_xfer_isoc(ds); 1672 } else { 1673 break; 1674 } 1675 1676 wake_up(&epfile->wait); 1677 1678 ++ep; 1679 ++epfile; 1680 } while (--count); 1681 spin_unlock_irqrestore(&func->ffs->eps_lock, flags); 1682 1683 return ret; 1684} 1685 1686 1687/* Parsing and building descriptors and strings *****************************/ 1688 1689/* 1690 * This validates if data pointed by data is a valid USB descriptor as 1691 * well as record how many interfaces, endpoints and strings are 1692 * required by given configuration. Returns address after the 1693 * descriptor or NULL if data is invalid. 1694 */ 1695 1696enum ffs_entity_type { 1697 FFS_DESCRIPTOR, FFS_INTERFACE, FFS_STRING, FFS_ENDPOINT 1698}; 1699 1700enum ffs_os_desc_type { 1701 FFS_OS_DESC, FFS_OS_DESC_EXT_COMPAT, FFS_OS_DESC_EXT_PROP 1702}; 1703 1704typedef int (*ffs_entity_callback)(enum ffs_entity_type entity, 1705 u8 *valuep, 1706 struct usb_descriptor_header *desc, 1707 void *priv); 1708 1709typedef int (*ffs_os_desc_callback)(enum ffs_os_desc_type entity, 1710 struct usb_os_desc_header *h, void *data, 1711 unsigned len, void *priv); 1712 1713static int __must_check ffs_do_single_desc(char *data, unsigned len, 1714 ffs_entity_callback entity, 1715 void *priv) 1716{ 1717 struct usb_descriptor_header *_ds = (void *)data; 1718 u8 length; 1719 int ret; 1720 1721 ENTER(); 1722 1723 /* At least two bytes are required: length and type */ 1724 if (len < 2) { 1725 pr_vdebug("descriptor too short\n"); 1726 return -EINVAL; 1727 } 1728 1729 /* If we have at least as many bytes as the descriptor takes? */ 1730 length = _ds->bLength; 1731 if (len < length) { 1732 pr_vdebug("descriptor longer then available data\n"); 1733 return -EINVAL; 1734 } 1735 1736#define __entity_check_INTERFACE(val) 1 1737#define __entity_check_STRING(val) (val) 1738#define __entity_check_ENDPOINT(val) ((val) & USB_ENDPOINT_NUMBER_MASK) 1739#define __entity(type, val) do { \ 1740 pr_vdebug("entity " #type "(%02x)\n", (val)); \ 1741 if (unlikely(!__entity_check_ ##type(val))) { \ 1742 pr_vdebug("invalid entity's value\n"); \ 1743 return -EINVAL; \ 1744 } \ 1745 ret = entity(FFS_ ##type, &val, _ds, priv); \ 1746 if (unlikely(ret < 0)) { \ 1747 pr_debug("entity " #type "(%02x); ret = %d\n", \ 1748 (val), ret); \ 1749 return ret; \ 1750 } \ 1751 } while (0) 1752 1753 /* Parse descriptor depending on type. */ 1754 switch (_ds->bDescriptorType) { 1755 case USB_DT_DEVICE: 1756 case USB_DT_CONFIG: 1757 case USB_DT_STRING: 1758 case USB_DT_DEVICE_QUALIFIER: 1759 /* function can't have any of those */ 1760 pr_vdebug("descriptor reserved for gadget: %d\n", 1761 _ds->bDescriptorType); 1762 return -EINVAL; 1763 1764 case USB_DT_INTERFACE: { 1765 struct usb_interface_descriptor *ds = (void *)_ds; 1766 pr_vdebug("interface descriptor\n"); 1767 if (length != sizeof *ds) 1768 goto inv_length; 1769 1770 __entity(INTERFACE, ds->bInterfaceNumber); 1771 if (ds->iInterface) 1772 __entity(STRING, ds->iInterface); 1773 } 1774 break; 1775 1776 case USB_DT_ENDPOINT: { 1777 struct usb_endpoint_descriptor *ds = (void *)_ds; 1778 pr_vdebug("endpoint descriptor\n"); 1779 if (length != USB_DT_ENDPOINT_SIZE && 1780 length != USB_DT_ENDPOINT_AUDIO_SIZE) 1781 goto inv_length; 1782 __entity(ENDPOINT, ds->bEndpointAddress); 1783 } 1784 break; 1785 1786 case HID_DT_HID: 1787 pr_vdebug("hid descriptor\n"); 1788 if (length != sizeof(struct hid_descriptor)) 1789 goto inv_length; 1790 break; 1791 1792 case USB_DT_OTG: 1793 if (length != sizeof(struct usb_otg_descriptor)) 1794 goto inv_length; 1795 break; 1796 1797 case USB_DT_INTERFACE_ASSOCIATION: { 1798 struct usb_interface_assoc_descriptor *ds = (void *)_ds; 1799 pr_vdebug("interface association descriptor\n"); 1800 if (length != sizeof *ds) 1801 goto inv_length; 1802 if (ds->iFunction) 1803 __entity(STRING, ds->iFunction); 1804 } 1805 break; 1806 1807 case USB_DT_SS_ENDPOINT_COMP: 1808 pr_vdebug("EP SS companion descriptor\n"); 1809 if (length != sizeof(struct usb_ss_ep_comp_descriptor)) 1810 goto inv_length; 1811 break; 1812 1813 case USB_DT_OTHER_SPEED_CONFIG: 1814 case USB_DT_INTERFACE_POWER: 1815 case USB_DT_DEBUG: 1816 case USB_DT_SECURITY: 1817 case USB_DT_CS_RADIO_CONTROL: 1818 /* TODO */ 1819 pr_vdebug("unimplemented descriptor: %d\n", _ds->bDescriptorType); 1820 return -EINVAL; 1821 1822 default: 1823 /* We should never be here */ 1824 pr_vdebug("unknown descriptor: %d\n", _ds->bDescriptorType); 1825 return -EINVAL; 1826 1827inv_length: 1828 pr_vdebug("invalid length: %d (descriptor %d)\n", 1829 _ds->bLength, _ds->bDescriptorType); 1830 return -EINVAL; 1831 } 1832 1833#undef __entity 1834#undef __entity_check_DESCRIPTOR 1835#undef __entity_check_INTERFACE 1836#undef __entity_check_STRING 1837#undef __entity_check_ENDPOINT 1838 1839 return length; 1840} 1841 1842static int __must_check ffs_do_descs(unsigned count, char *data, unsigned len, 1843 ffs_entity_callback entity, void *priv) 1844{ 1845 const unsigned _len = len; 1846 unsigned long num = 0; 1847 1848 ENTER(); 1849 1850 for (;;) { 1851 int ret; 1852 1853 if (num == count) 1854 data = NULL; 1855 1856 /* Record "descriptor" entity */ 1857 ret = entity(FFS_DESCRIPTOR, (u8 *)num, (void *)data, priv); 1858 if (unlikely(ret < 0)) { 1859 pr_debug("entity DESCRIPTOR(%02lx); ret = %d\n", 1860 num, ret); 1861 return ret; 1862 } 1863 1864 if (!data) 1865 return _len - len; 1866 1867 ret = ffs_do_single_desc(data, len, entity, priv); 1868 if (unlikely(ret < 0)) { 1869 pr_debug("%s returns %d\n", __func__, ret); 1870 return ret; 1871 } 1872 1873 len -= ret; 1874 data += ret; 1875 ++num; 1876 } 1877} 1878 1879static int __ffs_data_do_entity(enum ffs_entity_type type, 1880 u8 *valuep, struct usb_descriptor_header *desc, 1881 void *priv) 1882{ 1883 struct ffs_desc_helper *helper = priv; 1884 struct usb_endpoint_descriptor *d; 1885 1886 ENTER(); 1887 1888 switch (type) { 1889 case FFS_DESCRIPTOR: 1890 break; 1891 1892 case FFS_INTERFACE: 1893 /* 1894 * Interfaces are indexed from zero so if we 1895 * encountered interface "n" then there are at least 1896 * "n+1" interfaces. 1897 */ 1898 if (*valuep >= helper->interfaces_count) 1899 helper->interfaces_count = *valuep + 1; 1900 break; 1901 1902 case FFS_STRING: 1903 /* 1904 * Strings are indexed from 1 (0 is magic ;) reserved 1905 * for languages list or some such) 1906 */ 1907 if (*valuep > helper->ffs->strings_count) 1908 helper->ffs->strings_count = *valuep; 1909 break; 1910 1911 case FFS_ENDPOINT: 1912 d = (void *)desc; 1913 helper->eps_count++; 1914 if (helper->eps_count >= 15) 1915 return -EINVAL; 1916 /* Check if descriptors for any speed were already parsed */ 1917 if (!helper->ffs->eps_count && !helper->ffs->interfaces_count) 1918 helper->ffs->eps_addrmap[helper->eps_count] = 1919 d->bEndpointAddress; 1920 else if (helper->ffs->eps_addrmap[helper->eps_count] != 1921 d->bEndpointAddress) 1922 return -EINVAL; 1923 break; 1924 } 1925 1926 return 0; 1927} 1928 1929static int __ffs_do_os_desc_header(enum ffs_os_desc_type *next_type, 1930 struct usb_os_desc_header *desc) 1931{ 1932 u16 bcd_version = le16_to_cpu(desc->bcdVersion); 1933 u16 w_index = le16_to_cpu(desc->wIndex); 1934 1935 if (bcd_version != 1) { 1936 pr_vdebug("unsupported os descriptors version: %d", 1937 bcd_version); 1938 return -EINVAL; 1939 } 1940 switch (w_index) { 1941 case 0x4: 1942 *next_type = FFS_OS_DESC_EXT_COMPAT; 1943 break; 1944 case 0x5: 1945 *next_type = FFS_OS_DESC_EXT_PROP; 1946 break; 1947 default: 1948 pr_vdebug("unsupported os descriptor type: %d", w_index); 1949 return -EINVAL; 1950 } 1951 1952 return sizeof(*desc); 1953} 1954 1955/* 1956 * Process all extended compatibility/extended property descriptors 1957 * of a feature descriptor 1958 */ 1959static int __must_check ffs_do_single_os_desc(char *data, unsigned len, 1960 enum ffs_os_desc_type type, 1961 u16 feature_count, 1962 ffs_os_desc_callback entity, 1963 void *priv, 1964 struct usb_os_desc_header *h) 1965{ 1966 int ret; 1967 const unsigned _len = len; 1968 1969 ENTER(); 1970 1971 /* loop over all ext compat/ext prop descriptors */ 1972 while (feature_count--) { 1973 ret = entity(type, h, data, len, priv); 1974 if (unlikely(ret < 0)) { 1975 pr_debug("bad OS descriptor, type: %d\n", type); 1976 return ret; 1977 } 1978 data += ret; 1979 len -= ret; 1980 } 1981 return _len - len; 1982} 1983 1984/* Process a number of complete Feature Descriptors (Ext Compat or Ext Prop) */ 1985static int __must_check ffs_do_os_descs(unsigned count, 1986 char *data, unsigned len, 1987 ffs_os_desc_callback entity, void *priv) 1988{ 1989 const unsigned _len = len; 1990 unsigned long num = 0; 1991 1992 ENTER(); 1993 1994 for (num = 0; num < count; ++num) { 1995 int ret; 1996 enum ffs_os_desc_type type; 1997 u16 feature_count; 1998 struct usb_os_desc_header *desc = (void *)data; 1999 2000 if (len < sizeof(*desc)) 2001 return -EINVAL; 2002 2003 /* 2004 * Record "descriptor" entity. 2005 * Process dwLength, bcdVersion, wIndex, get b/wCount. 2006 * Move the data pointer to the beginning of extended 2007 * compatibilities proper or extended properties proper 2008 * portions of the data 2009 */ 2010 if (le32_to_cpu(desc->dwLength) > len) 2011 return -EINVAL; 2012 2013 ret = __ffs_do_os_desc_header(&type, desc); 2014 if (unlikely(ret < 0)) { 2015 pr_debug("entity OS_DESCRIPTOR(%02lx); ret = %d\n", 2016 num, ret); 2017 return ret; 2018 } 2019 /* 2020 * 16-bit hex "?? 00" Little Endian looks like 8-bit hex "??" 2021 */ 2022 feature_count = le16_to_cpu(desc->wCount); 2023 if (type == FFS_OS_DESC_EXT_COMPAT && 2024 (feature_count > 255 || desc->Reserved)) 2025 return -EINVAL; 2026 len -= ret; 2027 data += ret; 2028 2029 /* 2030 * Process all function/property descriptors 2031 * of this Feature Descriptor 2032 */ 2033 ret = ffs_do_single_os_desc(data, len, type, 2034 feature_count, entity, priv, desc); 2035 if (unlikely(ret < 0)) { 2036 pr_debug("%s returns %d\n", __func__, ret); 2037 return ret; 2038 } 2039 2040 len -= ret; 2041 data += ret; 2042 } 2043 return _len - len; 2044} 2045 2046/** 2047 * Validate contents of the buffer from userspace related to OS descriptors. 2048 */ 2049static int __ffs_data_do_os_desc(enum ffs_os_desc_type type, 2050 struct usb_os_desc_header *h, void *data, 2051 unsigned len, void *priv) 2052{ 2053 struct ffs_data *ffs = priv; 2054 u8 length; 2055 2056 ENTER(); 2057 2058 switch (type) { 2059 case FFS_OS_DESC_EXT_COMPAT: { 2060 struct usb_ext_compat_desc *d = data; 2061 int i; 2062 2063 if (len < sizeof(*d) || 2064 d->bFirstInterfaceNumber >= ffs->interfaces_count || 2065 d->Reserved1) 2066 return -EINVAL; 2067 for (i = 0; i < ARRAY_SIZE(d->Reserved2); ++i) 2068 if (d->Reserved2[i]) 2069 return -EINVAL; 2070 2071 length = sizeof(struct usb_ext_compat_desc); 2072 } 2073 break; 2074 case FFS_OS_DESC_EXT_PROP: { 2075 struct usb_ext_prop_desc *d = data; 2076 u32 type, pdl; 2077 u16 pnl; 2078 2079 if (len < sizeof(*d) || h->interface >= ffs->interfaces_count) 2080 return -EINVAL; 2081 length = le32_to_cpu(d->dwSize); 2082 type = le32_to_cpu(d->dwPropertyDataType); 2083 if (type < USB_EXT_PROP_UNICODE || 2084 type > USB_EXT_PROP_UNICODE_MULTI) { 2085 pr_vdebug("unsupported os descriptor property type: %d", 2086 type); 2087 return -EINVAL; 2088 } 2089 pnl = le16_to_cpu(d->wPropertyNameLength); 2090 pdl = le32_to_cpu(*(u32 *)((u8 *)data + 10 + pnl)); 2091 if (length != 14 + pnl + pdl) { 2092 pr_vdebug("invalid os descriptor length: %d pnl:%d pdl:%d (descriptor %d)\n", 2093 length, pnl, pdl, type); 2094 return -EINVAL; 2095 } 2096 ++ffs->ms_os_descs_ext_prop_count; 2097 /* property name reported to the host as "WCHAR"s */ 2098 ffs->ms_os_descs_ext_prop_name_len += pnl * 2; 2099 ffs->ms_os_descs_ext_prop_data_len += pdl; 2100 } 2101 break; 2102 default: 2103 pr_vdebug("unknown descriptor: %d\n", type); 2104 return -EINVAL; 2105 } 2106 return length; 2107} 2108 2109static int __ffs_data_got_descs(struct ffs_data *ffs, 2110 char *const _data, size_t len) 2111{ 2112 char *data = _data, *raw_descs; 2113 unsigned os_descs_count = 0, counts[3], flags; 2114 int ret = -EINVAL, i; 2115 struct ffs_desc_helper helper; 2116 2117 ENTER(); 2118 2119 if (get_unaligned_le32(data + 4) != len) 2120 goto error; 2121 2122 switch (get_unaligned_le32(data)) { 2123 case FUNCTIONFS_DESCRIPTORS_MAGIC: 2124 flags = FUNCTIONFS_HAS_FS_DESC | FUNCTIONFS_HAS_HS_DESC; 2125 data += 8; 2126 len -= 8; 2127 break; 2128 case FUNCTIONFS_DESCRIPTORS_MAGIC_V2: 2129 flags = get_unaligned_le32(data + 8); 2130 ffs->user_flags = flags; 2131 if (flags & ~(FUNCTIONFS_HAS_FS_DESC | 2132 FUNCTIONFS_HAS_HS_DESC | 2133 FUNCTIONFS_HAS_SS_DESC | 2134 FUNCTIONFS_HAS_MS_OS_DESC | 2135 FUNCTIONFS_VIRTUAL_ADDR | 2136 FUNCTIONFS_EVENTFD)) { 2137 ret = -ENOSYS; 2138 goto error; 2139 } 2140 data += 12; 2141 len -= 12; 2142 break; 2143 default: 2144 goto error; 2145 } 2146 2147 if (flags & FUNCTIONFS_EVENTFD) { 2148 if (len < 4) 2149 goto error; 2150 ffs->ffs_eventfd = 2151 eventfd_ctx_fdget((int)get_unaligned_le32(data)); 2152 if (IS_ERR(ffs->ffs_eventfd)) { 2153 ret = PTR_ERR(ffs->ffs_eventfd); 2154 ffs->ffs_eventfd = NULL; 2155 goto error; 2156 } 2157 data += 4; 2158 len -= 4; 2159 } 2160 2161 /* Read fs_count, hs_count and ss_count (if present) */ 2162 for (i = 0; i < 3; ++i) { 2163 if (!(flags & (1 << i))) { 2164 counts[i] = 0; 2165 } else if (len < 4) { 2166 goto error; 2167 } else { 2168 counts[i] = get_unaligned_le32(data); 2169 data += 4; 2170 len -= 4; 2171 } 2172 } 2173 if (flags & (1 << i)) { 2174 os_descs_count = get_unaligned_le32(data); 2175 data += 4; 2176 len -= 4; 2177 }; 2178 2179 /* Read descriptors */ 2180 raw_descs = data; 2181 helper.ffs = ffs; 2182 for (i = 0; i < 3; ++i) { 2183 if (!counts[i]) 2184 continue; 2185 helper.interfaces_count = 0; 2186 helper.eps_count = 0; 2187 ret = ffs_do_descs(counts[i], data, len, 2188 __ffs_data_do_entity, &helper); 2189 if (ret < 0) 2190 goto error; 2191 if (!ffs->eps_count && !ffs->interfaces_count) { 2192 ffs->eps_count = helper.eps_count; 2193 ffs->interfaces_count = helper.interfaces_count; 2194 } else { 2195 if (ffs->eps_count != helper.eps_count) { 2196 ret = -EINVAL; 2197 goto error; 2198 } 2199 if (ffs->interfaces_count != helper.interfaces_count) { 2200 ret = -EINVAL; 2201 goto error; 2202 } 2203 } 2204 data += ret; 2205 len -= ret; 2206 } 2207 if (os_descs_count) { 2208 ret = ffs_do_os_descs(os_descs_count, data, len, 2209 __ffs_data_do_os_desc, ffs); 2210 if (ret < 0) 2211 goto error; 2212 data += ret; 2213 len -= ret; 2214 } 2215 2216 if (raw_descs == data || len) { 2217 ret = -EINVAL; 2218 goto error; 2219 } 2220 2221 ffs->raw_descs_data = _data; 2222 ffs->raw_descs = raw_descs; 2223 ffs->raw_descs_length = data - raw_descs; 2224 ffs->fs_descs_count = counts[0]; 2225 ffs->hs_descs_count = counts[1]; 2226 ffs->ss_descs_count = counts[2]; 2227 ffs->ms_os_descs_count = os_descs_count; 2228 2229 return 0; 2230 2231error: 2232 kfree(_data); 2233 return ret; 2234} 2235 2236static int __ffs_data_got_strings(struct ffs_data *ffs, 2237 char *const _data, size_t len) 2238{ 2239 u32 str_count, needed_count, lang_count; 2240 struct usb_gadget_strings **stringtabs, *t; 2241 struct usb_string *strings, *s; 2242 const char *data = _data; 2243 2244 ENTER(); 2245 2246 if (unlikely(get_unaligned_le32(data) != FUNCTIONFS_STRINGS_MAGIC || 2247 get_unaligned_le32(data + 4) != len)) 2248 goto error; 2249 str_count = get_unaligned_le32(data + 8); 2250 lang_count = get_unaligned_le32(data + 12); 2251 2252 /* if one is zero the other must be zero */ 2253 if (unlikely(!str_count != !lang_count)) 2254 goto error; 2255 2256 /* Do we have at least as many strings as descriptors need? */ 2257 needed_count = ffs->strings_count; 2258 if (unlikely(str_count < needed_count)) 2259 goto error; 2260 2261 /* 2262 * If we don't need any strings just return and free all 2263 * memory. 2264 */ 2265 if (!needed_count) { 2266 kfree(_data); 2267 return 0; 2268 } 2269 2270 /* Allocate everything in one chunk so there's less maintenance. */ 2271 { 2272 unsigned i = 0; 2273 vla_group(d); 2274 vla_item(d, struct usb_gadget_strings *, stringtabs, 2275 lang_count + 1); 2276 vla_item(d, struct usb_gadget_strings, stringtab, lang_count); 2277 vla_item(d, struct usb_string, strings, 2278 lang_count*(needed_count+1)); 2279 2280 char *vlabuf = kmalloc(vla_group_size(d), GFP_KERNEL); 2281 2282 if (unlikely(!vlabuf)) { 2283 kfree(_data); 2284 return -ENOMEM; 2285 } 2286 2287 /* Initialize the VLA pointers */ 2288 stringtabs = vla_ptr(vlabuf, d, stringtabs); 2289 t = vla_ptr(vlabuf, d, stringtab); 2290 i = lang_count; 2291 do { 2292 *stringtabs++ = t++; 2293 } while (--i); 2294 *stringtabs = NULL; 2295 2296 /* stringtabs = vlabuf = d_stringtabs for later kfree */ 2297 stringtabs = vla_ptr(vlabuf, d, stringtabs); 2298 t = vla_ptr(vlabuf, d, stringtab); 2299 s = vla_ptr(vlabuf, d, strings); 2300 strings = s; 2301 } 2302 2303 /* For each language */ 2304 data += 16; 2305 len -= 16; 2306 2307 do { /* lang_count > 0 so we can use do-while */ 2308 unsigned needed = needed_count; 2309 2310 if (unlikely(len < 3)) 2311 goto error_free; 2312 t->language = get_unaligned_le16(data); 2313 t->strings = s; 2314 ++t; 2315 2316 data += 2; 2317 len -= 2; 2318 2319 /* For each string */ 2320 do { /* str_count > 0 so we can use do-while */ 2321 size_t length = strnlen(data, len); 2322 2323 if (unlikely(length == len)) 2324 goto error_free; 2325 2326 /* 2327 * User may provide more strings then we need, 2328 * if that's the case we simply ignore the 2329 * rest 2330 */ 2331 if (likely(needed)) { 2332 /* 2333 * s->id will be set while adding 2334 * function to configuration so for 2335 * now just leave garbage here. 2336 */ 2337 s->s = data; 2338 --needed; 2339 ++s; 2340 } 2341 2342 data += length + 1; 2343 len -= length + 1; 2344 } while (--str_count); 2345 2346 s->id = 0; /* terminator */ 2347 s->s = NULL; 2348 ++s; 2349 2350 } while (--lang_count); 2351 2352 /* Some garbage left? */ 2353 if (unlikely(len)) 2354 goto error_free; 2355 2356 /* Done! */ 2357 ffs->stringtabs = stringtabs; 2358 ffs->raw_strings = _data; 2359 2360 return 0; 2361 2362error_free: 2363 kfree(stringtabs); 2364error: 2365 kfree(_data); 2366 return -EINVAL; 2367} 2368 2369 2370/* Events handling and management *******************************************/ 2371 2372static void __ffs_event_add(struct ffs_data *ffs, 2373 enum usb_functionfs_event_type type) 2374{ 2375 enum usb_functionfs_event_type rem_type1, rem_type2 = type; 2376 int neg = 0; 2377 2378 /* 2379 * Abort any unhandled setup 2380 * 2381 * We do not need to worry about some cmpxchg() changing value 2382 * of ffs->setup_state without holding the lock because when 2383 * state is FFS_SETUP_PENDING cmpxchg() in several places in 2384 * the source does nothing. 2385 */ 2386 if (ffs->setup_state == FFS_SETUP_PENDING) 2387 ffs->setup_state = FFS_SETUP_CANCELLED; 2388 2389 /* 2390 * Logic of this function guarantees that there are at most four pending 2391 * evens on ffs->ev.types queue. This is important because the queue 2392 * has space for four elements only and __ffs_ep0_read_events function 2393 * depends on that limit as well. If more event types are added, those 2394 * limits have to be revisited or guaranteed to still hold. 2395 */ 2396 switch (type) { 2397 case FUNCTIONFS_RESUME: 2398 rem_type2 = FUNCTIONFS_SUSPEND; 2399 /* FALL THROUGH */ 2400 case FUNCTIONFS_SUSPEND: 2401 case FUNCTIONFS_SETUP: 2402 rem_type1 = type; 2403 /* Discard all similar events */ 2404 break; 2405 2406 case FUNCTIONFS_BIND: 2407 case FUNCTIONFS_UNBIND: 2408 case FUNCTIONFS_DISABLE: 2409 case FUNCTIONFS_ENABLE: 2410 /* Discard everything other then power management. */ 2411 rem_type1 = FUNCTIONFS_SUSPEND; 2412 rem_type2 = FUNCTIONFS_RESUME; 2413 neg = 1; 2414 break; 2415 2416 default: 2417 WARN(1, "%d: unknown event, this should not happen\n", type); 2418 return; 2419 } 2420 2421 { 2422 u8 *ev = ffs->ev.types, *out = ev; 2423 unsigned n = ffs->ev.count; 2424 for (; n; --n, ++ev) 2425 if ((*ev == rem_type1 || *ev == rem_type2) == neg) 2426 *out++ = *ev; 2427 else 2428 pr_vdebug("purging event %d\n", *ev); 2429 ffs->ev.count = out - ffs->ev.types; 2430 } 2431 2432 pr_vdebug("adding event %d\n", type); 2433 ffs->ev.types[ffs->ev.count++] = type; 2434 wake_up_locked(&ffs->ev.waitq); 2435 if (ffs->ffs_eventfd) 2436 eventfd_signal(ffs->ffs_eventfd, 1); 2437} 2438 2439static void ffs_event_add(struct ffs_data *ffs, 2440 enum usb_functionfs_event_type type) 2441{ 2442 unsigned long flags; 2443 spin_lock_irqsave(&ffs->ev.waitq.lock, flags); 2444 __ffs_event_add(ffs, type); 2445 spin_unlock_irqrestore(&ffs->ev.waitq.lock, flags); 2446} 2447 2448/* Bind/unbind USB function hooks *******************************************/ 2449 2450static int ffs_ep_addr2idx(struct ffs_data *ffs, u8 endpoint_address) 2451{ 2452 int i; 2453 2454 for (i = 1; i < ARRAY_SIZE(ffs->eps_addrmap); ++i) 2455 if (ffs->eps_addrmap[i] == endpoint_address) 2456 return i; 2457 return -ENOENT; 2458} 2459 2460static int __ffs_func_bind_do_descs(enum ffs_entity_type type, u8 *valuep, 2461 struct usb_descriptor_header *desc, 2462 void *priv) 2463{ 2464 struct usb_endpoint_descriptor *ds = (void *)desc; 2465 struct ffs_function *func = priv; 2466 struct ffs_ep *ffs_ep; 2467 unsigned ep_desc_id; 2468 int idx; 2469 static const char *speed_names[] = { "full", "high", "super" }; 2470 2471 if (type != FFS_DESCRIPTOR) 2472 return 0; 2473 2474 /* 2475 * If ss_descriptors is not NULL, we are reading super speed 2476 * descriptors; if hs_descriptors is not NULL, we are reading high 2477 * speed descriptors; otherwise, we are reading full speed 2478 * descriptors. 2479 */ 2480 if (func->function.ss_descriptors) { 2481 ep_desc_id = 2; 2482 func->function.ss_descriptors[(long)valuep] = desc; 2483 } else if (func->function.hs_descriptors) { 2484 ep_desc_id = 1; 2485 func->function.hs_descriptors[(long)valuep] = desc; 2486 } else { 2487 ep_desc_id = 0; 2488 func->function.fs_descriptors[(long)valuep] = desc; 2489 } 2490 2491 if (!desc || desc->bDescriptorType != USB_DT_ENDPOINT) 2492 return 0; 2493 2494 idx = ffs_ep_addr2idx(func->ffs, ds->bEndpointAddress) - 1; 2495 if (idx < 0) 2496 return idx; 2497 2498 ffs_ep = func->eps + idx; 2499 2500 if (unlikely(ffs_ep->descs[ep_desc_id])) { 2501 pr_err("two %sspeed descriptors for EP %d\n", 2502 speed_names[ep_desc_id], 2503 ds->bEndpointAddress & USB_ENDPOINT_NUMBER_MASK); 2504 return -EINVAL; 2505 } 2506 ffs_ep->descs[ep_desc_id] = ds; 2507 2508 ffs_dump_mem(": Original ep desc", ds, ds->bLength); 2509 if (ffs_ep->ep) { 2510 ds->bEndpointAddress = ffs_ep->descs[0]->bEndpointAddress; 2511 if (!ds->wMaxPacketSize) 2512 ds->wMaxPacketSize = ffs_ep->descs[0]->wMaxPacketSize; 2513 } else { 2514 struct usb_request *req; 2515 struct usb_ep *ep; 2516 u8 bEndpointAddress; 2517 2518 /* 2519 * We back up bEndpointAddress because autoconfig overwrites 2520 * it with physical endpoint address. 2521 */ 2522 bEndpointAddress = ds->bEndpointAddress; 2523 pr_vdebug("autoconfig\n"); 2524 ep = usb_ep_autoconfig(func->gadget, ds); 2525 if (unlikely(!ep)) 2526 return -ENOTSUPP; 2527 ep->driver_data = func->eps + idx; 2528 2529 req = usb_ep_alloc_request(ep, GFP_KERNEL); 2530 if (unlikely(!req)) 2531 return -ENOMEM; 2532 2533 ffs_ep->ep = ep; 2534 ffs_ep->req = req; 2535 func->eps_revmap[ds->bEndpointAddress & 2536 USB_ENDPOINT_NUMBER_MASK] = idx + 1; 2537 /* 2538 * If we use virtual address mapping, we restore 2539 * original bEndpointAddress value. 2540 */ 2541 if (func->ffs->user_flags & FUNCTIONFS_VIRTUAL_ADDR) 2542 ds->bEndpointAddress = bEndpointAddress; 2543 } 2544 ffs_dump_mem(": Rewritten ep desc", ds, ds->bLength); 2545 2546 return 0; 2547} 2548 2549static int __ffs_func_bind_do_nums(enum ffs_entity_type type, u8 *valuep, 2550 struct usb_descriptor_header *desc, 2551 void *priv) 2552{ 2553 struct ffs_function *func = priv; 2554 unsigned idx; 2555 u8 newValue; 2556 2557 switch (type) { 2558 default: 2559 case FFS_DESCRIPTOR: 2560 /* Handled in previous pass by __ffs_func_bind_do_descs() */ 2561 return 0; 2562 2563 case FFS_INTERFACE: 2564 idx = *valuep; 2565 if (func->interfaces_nums[idx] < 0) { 2566 int id = usb_interface_id(func->conf, &func->function); 2567 if (unlikely(id < 0)) 2568 return id; 2569 func->interfaces_nums[idx] = id; 2570 } 2571 newValue = func->interfaces_nums[idx]; 2572 break; 2573 2574 case FFS_STRING: 2575 /* String' IDs are allocated when fsf_data is bound to cdev */ 2576 newValue = func->ffs->stringtabs[0]->strings[*valuep - 1].id; 2577 break; 2578 2579 case FFS_ENDPOINT: 2580 /* 2581 * USB_DT_ENDPOINT are handled in 2582 * __ffs_func_bind_do_descs(). 2583 */ 2584 if (desc->bDescriptorType == USB_DT_ENDPOINT) 2585 return 0; 2586 2587 idx = (*valuep & USB_ENDPOINT_NUMBER_MASK) - 1; 2588 if (unlikely(!func->eps[idx].ep)) 2589 return -EINVAL; 2590 2591 { 2592 struct usb_endpoint_descriptor **descs; 2593 descs = func->eps[idx].descs; 2594 newValue = descs[descs[0] ? 0 : 1]->bEndpointAddress; 2595 } 2596 break; 2597 } 2598 2599 pr_vdebug("%02x -> %02x\n", *valuep, newValue); 2600 *valuep = newValue; 2601 return 0; 2602} 2603 2604static int __ffs_func_bind_do_os_desc(enum ffs_os_desc_type type, 2605 struct usb_os_desc_header *h, void *data, 2606 unsigned len, void *priv) 2607{ 2608 struct ffs_function *func = priv; 2609 u8 length = 0; 2610 2611 switch (type) { 2612 case FFS_OS_DESC_EXT_COMPAT: { 2613 struct usb_ext_compat_desc *desc = data; 2614 struct usb_os_desc_table *t; 2615 2616 t = &func->function.os_desc_table[desc->bFirstInterfaceNumber]; 2617 t->if_id = func->interfaces_nums[desc->bFirstInterfaceNumber]; 2618 memcpy(t->os_desc->ext_compat_id, &desc->CompatibleID, 2619 ARRAY_SIZE(desc->CompatibleID) + 2620 ARRAY_SIZE(desc->SubCompatibleID)); 2621 length = sizeof(*desc); 2622 } 2623 break; 2624 case FFS_OS_DESC_EXT_PROP: { 2625 struct usb_ext_prop_desc *desc = data; 2626 struct usb_os_desc_table *t; 2627 struct usb_os_desc_ext_prop *ext_prop; 2628 char *ext_prop_name; 2629 char *ext_prop_data; 2630 2631 t = &func->function.os_desc_table[h->interface]; 2632 t->if_id = func->interfaces_nums[h->interface]; 2633 2634 ext_prop = func->ffs->ms_os_descs_ext_prop_avail; 2635 func->ffs->ms_os_descs_ext_prop_avail += sizeof(*ext_prop); 2636 2637 ext_prop->type = le32_to_cpu(desc->dwPropertyDataType); 2638 ext_prop->name_len = le16_to_cpu(desc->wPropertyNameLength); 2639 ext_prop->data_len = le32_to_cpu(*(u32 *) 2640 usb_ext_prop_data_len_ptr(data, ext_prop->name_len)); 2641 length = ext_prop->name_len + ext_prop->data_len + 14; 2642 2643 ext_prop_name = func->ffs->ms_os_descs_ext_prop_name_avail; 2644 func->ffs->ms_os_descs_ext_prop_name_avail += 2645 ext_prop->name_len; 2646 2647 ext_prop_data = func->ffs->ms_os_descs_ext_prop_data_avail; 2648 func->ffs->ms_os_descs_ext_prop_data_avail += 2649 ext_prop->data_len; 2650 memcpy(ext_prop_data, 2651 usb_ext_prop_data_ptr(data, ext_prop->name_len), 2652 ext_prop->data_len); 2653 /* unicode data reported to the host as "WCHAR"s */ 2654 switch (ext_prop->type) { 2655 case USB_EXT_PROP_UNICODE: 2656 case USB_EXT_PROP_UNICODE_ENV: 2657 case USB_EXT_PROP_UNICODE_LINK: 2658 case USB_EXT_PROP_UNICODE_MULTI: 2659 ext_prop->data_len *= 2; 2660 break; 2661 } 2662 ext_prop->data = ext_prop_data; 2663 2664 memcpy(ext_prop_name, usb_ext_prop_name_ptr(data), 2665 ext_prop->name_len); 2666 /* property name reported to the host as "WCHAR"s */ 2667 ext_prop->name_len *= 2; 2668 ext_prop->name = ext_prop_name; 2669 2670 t->os_desc->ext_prop_len += 2671 ext_prop->name_len + ext_prop->data_len + 14; 2672 ++t->os_desc->ext_prop_count; 2673 list_add_tail(&ext_prop->entry, &t->os_desc->ext_prop); 2674 } 2675 break; 2676 default: 2677 pr_vdebug("unknown descriptor: %d\n", type); 2678 } 2679 2680 return length; 2681} 2682 2683static inline struct f_fs_opts *ffs_do_functionfs_bind(struct usb_function *f, 2684 struct usb_configuration *c) 2685{ 2686 struct ffs_function *func = ffs_func_from_usb(f); 2687 struct f_fs_opts *ffs_opts = 2688 container_of(f->fi, struct f_fs_opts, func_inst); 2689 int ret; 2690 2691 ENTER(); 2692 2693 /* 2694 * Legacy gadget triggers binding in functionfs_ready_callback, 2695 * which already uses locking; taking the same lock here would 2696 * cause a deadlock. 2697 * 2698 * Configfs-enabled gadgets however do need ffs_dev_lock. 2699 */ 2700 if (!ffs_opts->no_configfs) 2701 ffs_dev_lock(); 2702 ret = ffs_opts->dev->desc_ready ? 0 : -ENODEV; 2703 func->ffs = ffs_opts->dev->ffs_data; 2704 if (!ffs_opts->no_configfs) 2705 ffs_dev_unlock(); 2706 if (ret) 2707 return ERR_PTR(ret); 2708 2709 func->conf = c; 2710 func->gadget = c->cdev->gadget; 2711 2712 /* 2713 * in drivers/usb/gadget/configfs.c:configfs_composite_bind() 2714 * configurations are bound in sequence with list_for_each_entry, 2715 * in each configuration its functions are bound in sequence 2716 * with list_for_each_entry, so we assume no race condition 2717 * with regard to ffs_opts->bound access 2718 */ 2719 if (!ffs_opts->refcnt) { 2720 ret = functionfs_bind(func->ffs, c->cdev); 2721 if (ret) 2722 return ERR_PTR(ret); 2723 } 2724 ffs_opts->refcnt++; 2725 func->function.strings = func->ffs->stringtabs; 2726 2727 return ffs_opts; 2728} 2729 2730static int _ffs_func_bind(struct usb_configuration *c, 2731 struct usb_function *f) 2732{ 2733 struct ffs_function *func = ffs_func_from_usb(f); 2734 struct ffs_data *ffs = func->ffs; 2735 2736 const int full = !!func->ffs->fs_descs_count; 2737 const int high = gadget_is_dualspeed(func->gadget) && 2738 func->ffs->hs_descs_count; 2739 const int super = gadget_is_superspeed(func->gadget) && 2740 func->ffs->ss_descs_count; 2741 2742 int fs_len, hs_len, ss_len, ret, i; 2743 2744 /* Make it a single chunk, less management later on */ 2745 vla_group(d); 2746 vla_item_with_sz(d, struct ffs_ep, eps, ffs->eps_count); 2747 vla_item_with_sz(d, struct usb_descriptor_header *, fs_descs, 2748 full ? ffs->fs_descs_count + 1 : 0); 2749 vla_item_with_sz(d, struct usb_descriptor_header *, hs_descs, 2750 high ? ffs->hs_descs_count + 1 : 0); 2751 vla_item_with_sz(d, struct usb_descriptor_header *, ss_descs, 2752 super ? ffs->ss_descs_count + 1 : 0); 2753 vla_item_with_sz(d, short, inums, ffs->interfaces_count); 2754 vla_item_with_sz(d, struct usb_os_desc_table, os_desc_table, 2755 c->cdev->use_os_string ? ffs->interfaces_count : 0); 2756 vla_item_with_sz(d, char[16], ext_compat, 2757 c->cdev->use_os_string ? ffs->interfaces_count : 0); 2758 vla_item_with_sz(d, struct usb_os_desc, os_desc, 2759 c->cdev->use_os_string ? ffs->interfaces_count : 0); 2760 vla_item_with_sz(d, struct usb_os_desc_ext_prop, ext_prop, 2761 ffs->ms_os_descs_ext_prop_count); 2762 vla_item_with_sz(d, char, ext_prop_name, 2763 ffs->ms_os_descs_ext_prop_name_len); 2764 vla_item_with_sz(d, char, ext_prop_data, 2765 ffs->ms_os_descs_ext_prop_data_len); 2766 vla_item_with_sz(d, char, raw_descs, ffs->raw_descs_length); 2767 char *vlabuf; 2768 2769 ENTER(); 2770 2771 /* Has descriptors only for speeds gadget does not support */ 2772 if (unlikely(!(full | high | super))) 2773 return -ENOTSUPP; 2774 2775 /* Allocate a single chunk, less management later on */ 2776 vlabuf = kzalloc(vla_group_size(d), GFP_KERNEL); 2777 if (unlikely(!vlabuf)) 2778 return -ENOMEM; 2779 2780 ffs->ms_os_descs_ext_prop_avail = vla_ptr(vlabuf, d, ext_prop); 2781 ffs->ms_os_descs_ext_prop_name_avail = 2782 vla_ptr(vlabuf, d, ext_prop_name); 2783 ffs->ms_os_descs_ext_prop_data_avail = 2784 vla_ptr(vlabuf, d, ext_prop_data); 2785 2786 /* Copy descriptors */ 2787 memcpy(vla_ptr(vlabuf, d, raw_descs), ffs->raw_descs, 2788 ffs->raw_descs_length); 2789 2790 memset(vla_ptr(vlabuf, d, inums), 0xff, d_inums__sz); 2791 for (ret = ffs->eps_count; ret; --ret) { 2792 struct ffs_ep *ptr; 2793 2794 ptr = vla_ptr(vlabuf, d, eps); 2795 ptr[ret].num = -1; 2796 } 2797 2798 /* Save pointers 2799 * d_eps == vlabuf, func->eps used to kfree vlabuf later 2800 */ 2801 func->eps = vla_ptr(vlabuf, d, eps); 2802 func->interfaces_nums = vla_ptr(vlabuf, d, inums); 2803 2804 /* 2805 * Go through all the endpoint descriptors and allocate 2806 * endpoints first, so that later we can rewrite the endpoint 2807 * numbers without worrying that it may be described later on. 2808 */ 2809 if (likely(full)) { 2810 func->function.fs_descriptors = vla_ptr(vlabuf, d, fs_descs); 2811 fs_len = ffs_do_descs(ffs->fs_descs_count, 2812 vla_ptr(vlabuf, d, raw_descs), 2813 d_raw_descs__sz, 2814 __ffs_func_bind_do_descs, func); 2815 if (unlikely(fs_len < 0)) { 2816 ret = fs_len; 2817 goto error; 2818 } 2819 } else { 2820 fs_len = 0; 2821 } 2822 2823 if (likely(high)) { 2824 func->function.hs_descriptors = vla_ptr(vlabuf, d, hs_descs); 2825 hs_len = ffs_do_descs(ffs->hs_descs_count, 2826 vla_ptr(vlabuf, d, raw_descs) + fs_len, 2827 d_raw_descs__sz - fs_len, 2828 __ffs_func_bind_do_descs, func); 2829 if (unlikely(hs_len < 0)) { 2830 ret = hs_len; 2831 goto error; 2832 } 2833 } else { 2834 hs_len = 0; 2835 } 2836 2837 if (likely(super)) { 2838 func->function.ss_descriptors = vla_ptr(vlabuf, d, ss_descs); 2839 ss_len = ffs_do_descs(ffs->ss_descs_count, 2840 vla_ptr(vlabuf, d, raw_descs) + fs_len + hs_len, 2841 d_raw_descs__sz - fs_len - hs_len, 2842 __ffs_func_bind_do_descs, func); 2843 if (unlikely(ss_len < 0)) { 2844 ret = ss_len; 2845 goto error; 2846 } 2847 } else { 2848 ss_len = 0; 2849 } 2850 2851 /* 2852 * Now handle interface numbers allocation and interface and 2853 * endpoint numbers rewriting. We can do that in one go 2854 * now. 2855 */ 2856 ret = ffs_do_descs(ffs->fs_descs_count + 2857 (high ? ffs->hs_descs_count : 0) + 2858 (super ? ffs->ss_descs_count : 0), 2859 vla_ptr(vlabuf, d, raw_descs), d_raw_descs__sz, 2860 __ffs_func_bind_do_nums, func); 2861 if (unlikely(ret < 0)) 2862 goto error; 2863 2864 func->function.os_desc_table = vla_ptr(vlabuf, d, os_desc_table); 2865 if (c->cdev->use_os_string) 2866 for (i = 0; i < ffs->interfaces_count; ++i) { 2867 struct usb_os_desc *desc; 2868 2869 desc = func->function.os_desc_table[i].os_desc = 2870 vla_ptr(vlabuf, d, os_desc) + 2871 i * sizeof(struct usb_os_desc); 2872 desc->ext_compat_id = 2873 vla_ptr(vlabuf, d, ext_compat) + i * 16; 2874 INIT_LIST_HEAD(&desc->ext_prop); 2875 } 2876 ret = ffs_do_os_descs(ffs->ms_os_descs_count, 2877 vla_ptr(vlabuf, d, raw_descs) + 2878 fs_len + hs_len + ss_len, 2879 d_raw_descs__sz - fs_len - hs_len - ss_len, 2880 __ffs_func_bind_do_os_desc, func); 2881 if (unlikely(ret < 0)) 2882 goto error; 2883 func->function.os_desc_n = 2884 c->cdev->use_os_string ? ffs->interfaces_count : 0; 2885 2886 /* And we're done */ 2887 ffs_event_add(ffs, FUNCTIONFS_BIND); 2888 return 0; 2889 2890error: 2891 /* XXX Do we need to release all claimed endpoints here? */ 2892 return ret; 2893} 2894 2895static int ffs_func_bind(struct usb_configuration *c, 2896 struct usb_function *f) 2897{ 2898 struct f_fs_opts *ffs_opts = ffs_do_functionfs_bind(f, c); 2899 struct ffs_function *func = ffs_func_from_usb(f); 2900 int ret; 2901 2902 if (IS_ERR(ffs_opts)) 2903 return PTR_ERR(ffs_opts); 2904 2905 ret = _ffs_func_bind(c, f); 2906 if (ret && !--ffs_opts->refcnt) 2907 functionfs_unbind(func->ffs); 2908 2909 return ret; 2910} 2911 2912 2913/* Other USB function hooks *************************************************/ 2914 2915static void ffs_reset_work(struct work_struct *work) 2916{ 2917 struct ffs_data *ffs = container_of(work, 2918 struct ffs_data, reset_work); 2919 ffs_data_reset(ffs); 2920} 2921 2922static int ffs_func_set_alt(struct usb_function *f, 2923 unsigned interface, unsigned alt) 2924{ 2925 struct ffs_function *func = ffs_func_from_usb(f); 2926 struct ffs_data *ffs = func->ffs; 2927 int ret = 0, intf; 2928 2929 if (alt != (unsigned)-1) { 2930 intf = ffs_func_revmap_intf(func, interface); 2931 if (unlikely(intf < 0)) 2932 return intf; 2933 } 2934 2935 if (ffs->func) 2936 ffs_func_eps_disable(ffs->func); 2937 2938 if (ffs->state == FFS_DEACTIVATED) { 2939 ffs->state = FFS_CLOSING; 2940 INIT_WORK(&ffs->reset_work, ffs_reset_work); 2941 schedule_work(&ffs->reset_work); 2942 return -ENODEV; 2943 } 2944 2945 if (ffs->state != FFS_ACTIVE) 2946 return -ENODEV; 2947 2948 if (alt == (unsigned)-1) { 2949 ffs->func = NULL; 2950 ffs_event_add(ffs, FUNCTIONFS_DISABLE); 2951 return 0; 2952 } 2953 2954 ffs->func = func; 2955 ret = ffs_func_eps_enable(func); 2956 if (likely(ret >= 0)) 2957 ffs_event_add(ffs, FUNCTIONFS_ENABLE); 2958 return ret; 2959} 2960 2961static void ffs_func_disable(struct usb_function *f) 2962{ 2963 ffs_func_set_alt(f, 0, (unsigned)-1); 2964} 2965 2966static int ffs_func_setup(struct usb_function *f, 2967 const struct usb_ctrlrequest *creq) 2968{ 2969 struct ffs_function *func = ffs_func_from_usb(f); 2970 struct ffs_data *ffs = func->ffs; 2971 unsigned long flags; 2972 int ret; 2973 2974 ENTER(); 2975 2976 pr_vdebug("creq->bRequestType = %02x\n", creq->bRequestType); 2977 pr_vdebug("creq->bRequest = %02x\n", creq->bRequest); 2978 pr_vdebug("creq->wValue = %04x\n", le16_to_cpu(creq->wValue)); 2979 pr_vdebug("creq->wIndex = %04x\n", le16_to_cpu(creq->wIndex)); 2980 pr_vdebug("creq->wLength = %04x\n", le16_to_cpu(creq->wLength)); 2981 2982 /* 2983 * Most requests directed to interface go through here 2984 * (notable exceptions are set/get interface) so we need to 2985 * handle them. All other either handled by composite or 2986 * passed to usb_configuration->setup() (if one is set). No 2987 * matter, we will handle requests directed to endpoint here 2988 * as well (as it's straightforward) but what to do with any 2989 * other request? 2990 */ 2991 if (ffs->state != FFS_ACTIVE) 2992 return -ENODEV; 2993 2994 switch (creq->bRequestType & USB_RECIP_MASK) { 2995 case USB_RECIP_INTERFACE: 2996 ret = ffs_func_revmap_intf(func, le16_to_cpu(creq->wIndex)); 2997 if (unlikely(ret < 0)) 2998 return ret; 2999 break; 3000 3001 case USB_RECIP_ENDPOINT: 3002 ret = ffs_func_revmap_ep(func, le16_to_cpu(creq->wIndex)); 3003 if (unlikely(ret < 0)) 3004 return ret; 3005 if (func->ffs->user_flags & FUNCTIONFS_VIRTUAL_ADDR) 3006 ret = func->ffs->eps_addrmap[ret]; 3007 break; 3008 3009 default: 3010 return -EOPNOTSUPP; 3011 } 3012 3013 spin_lock_irqsave(&ffs->ev.waitq.lock, flags); 3014 ffs->ev.setup = *creq; 3015 ffs->ev.setup.wIndex = cpu_to_le16(ret); 3016 __ffs_event_add(ffs, FUNCTIONFS_SETUP); 3017 spin_unlock_irqrestore(&ffs->ev.waitq.lock, flags); 3018 3019 return 0; 3020} 3021 3022static void ffs_func_suspend(struct usb_function *f) 3023{ 3024 ENTER(); 3025 ffs_event_add(ffs_func_from_usb(f)->ffs, FUNCTIONFS_SUSPEND); 3026} 3027 3028static void ffs_func_resume(struct usb_function *f) 3029{ 3030 ENTER(); 3031 ffs_event_add(ffs_func_from_usb(f)->ffs, FUNCTIONFS_RESUME); 3032} 3033 3034 3035/* Endpoint and interface numbers reverse mapping ***************************/ 3036 3037static int ffs_func_revmap_ep(struct ffs_function *func, u8 num) 3038{ 3039 num = func->eps_revmap[num & USB_ENDPOINT_NUMBER_MASK]; 3040 return num ? num : -EDOM; 3041} 3042 3043static int ffs_func_revmap_intf(struct ffs_function *func, u8 intf) 3044{ 3045 short *nums = func->interfaces_nums; 3046 unsigned count = func->ffs->interfaces_count; 3047 3048 for (; count; --count, ++nums) { 3049 if (*nums >= 0 && *nums == intf) 3050 return nums - func->interfaces_nums; 3051 } 3052 3053 return -EDOM; 3054} 3055 3056 3057/* Devices management *******************************************************/ 3058 3059static LIST_HEAD(ffs_devices); 3060 3061static struct ffs_dev *_ffs_do_find_dev(const char *name) 3062{ 3063 struct ffs_dev *dev; 3064 3065 list_for_each_entry(dev, &ffs_devices, entry) { 3066 if (!dev->name || !name) 3067 continue; 3068 if (strcmp(dev->name, name) == 0) 3069 return dev; 3070 } 3071 3072 return NULL; 3073} 3074 3075/* 3076 * ffs_lock must be taken by the caller of this function 3077 */ 3078static struct ffs_dev *_ffs_get_single_dev(void) 3079{ 3080 struct ffs_dev *dev; 3081 3082 if (list_is_singular(&ffs_devices)) { 3083 dev = list_first_entry(&ffs_devices, struct ffs_dev, entry); 3084 if (dev->single) 3085 return dev; 3086 } 3087 3088 return NULL; 3089} 3090 3091/* 3092 * ffs_lock must be taken by the caller of this function 3093 */ 3094static struct ffs_dev *_ffs_find_dev(const char *name) 3095{ 3096 struct ffs_dev *dev; 3097 3098 dev = _ffs_get_single_dev(); 3099 if (dev) 3100 return dev; 3101 3102 return _ffs_do_find_dev(name); 3103} 3104 3105/* Configfs support *********************************************************/ 3106 3107static inline struct f_fs_opts *to_ffs_opts(struct config_item *item) 3108{ 3109 return container_of(to_config_group(item), struct f_fs_opts, 3110 func_inst.group); 3111} 3112 3113static void ffs_attr_release(struct config_item *item) 3114{ 3115 struct f_fs_opts *opts = to_ffs_opts(item); 3116 3117 usb_put_function_instance(&opts->func_inst); 3118} 3119 3120static struct configfs_item_operations ffs_item_ops = { 3121 .release = ffs_attr_release, 3122}; 3123 3124static struct config_item_type ffs_func_type = { 3125 .ct_item_ops = &ffs_item_ops, 3126 .ct_owner = THIS_MODULE, 3127}; 3128 3129 3130/* Function registration interface ******************************************/ 3131 3132static void ffs_free_inst(struct usb_function_instance *f) 3133{ 3134 struct f_fs_opts *opts; 3135 3136 opts = to_f_fs_opts(f); 3137 ffs_dev_lock(); 3138 _ffs_free_dev(opts->dev); 3139 ffs_dev_unlock(); 3140 kfree(opts); 3141} 3142 3143#define MAX_INST_NAME_LEN 40 3144 3145static int ffs_set_inst_name(struct usb_function_instance *fi, const char *name) 3146{ 3147 struct f_fs_opts *opts; 3148 char *ptr; 3149 const char *tmp; 3150 int name_len, ret; 3151 3152 name_len = strlen(name) + 1; 3153 if (name_len > MAX_INST_NAME_LEN) 3154 return -ENAMETOOLONG; 3155 3156 ptr = kstrndup(name, name_len, GFP_KERNEL); 3157 if (!ptr) 3158 return -ENOMEM; 3159 3160 opts = to_f_fs_opts(fi); 3161 tmp = NULL; 3162 3163 ffs_dev_lock(); 3164 3165 tmp = opts->dev->name_allocated ? opts->dev->name : NULL; 3166 ret = _ffs_name_dev(opts->dev, ptr); 3167 if (ret) { 3168 kfree(ptr); 3169 ffs_dev_unlock(); 3170 return ret; 3171 } 3172 opts->dev->name_allocated = true; 3173 3174 ffs_dev_unlock(); 3175 3176 kfree(tmp); 3177 3178 return 0; 3179} 3180 3181static struct usb_function_instance *ffs_alloc_inst(void) 3182{ 3183 struct f_fs_opts *opts; 3184 struct ffs_dev *dev; 3185 3186 opts = kzalloc(sizeof(*opts), GFP_KERNEL); 3187 if (!opts) 3188 return ERR_PTR(-ENOMEM); 3189 3190 opts->func_inst.set_inst_name = ffs_set_inst_name; 3191 opts->func_inst.free_func_inst = ffs_free_inst; 3192 ffs_dev_lock(); 3193 dev = _ffs_alloc_dev(); 3194 ffs_dev_unlock(); 3195 if (IS_ERR(dev)) { 3196 kfree(opts); 3197 return ERR_CAST(dev); 3198 } 3199 opts->dev = dev; 3200 dev->opts = opts; 3201 3202 config_group_init_type_name(&opts->func_inst.group, "", 3203 &ffs_func_type); 3204 return &opts->func_inst; 3205} 3206 3207static void ffs_free(struct usb_function *f) 3208{ 3209 kfree(ffs_func_from_usb(f)); 3210} 3211 3212static void ffs_func_unbind(struct usb_configuration *c, 3213 struct usb_function *f) 3214{ 3215 struct ffs_function *func = ffs_func_from_usb(f); 3216 struct ffs_data *ffs = func->ffs; 3217 struct f_fs_opts *opts = 3218 container_of(f->fi, struct f_fs_opts, func_inst); 3219 struct ffs_ep *ep = func->eps; 3220 unsigned count = ffs->eps_count; 3221 unsigned long flags; 3222 3223 ENTER(); 3224 if (ffs->func == func) { 3225 ffs_func_eps_disable(func); 3226 ffs->func = NULL; 3227 } 3228 3229 if (!--opts->refcnt) 3230 functionfs_unbind(ffs); 3231 3232 /* cleanup after autoconfig */ 3233 spin_lock_irqsave(&func->ffs->eps_lock, flags); 3234 do { 3235 if (ep->ep && ep->req) 3236 usb_ep_free_request(ep->ep, ep->req); 3237 ep->req = NULL; 3238 ++ep; 3239 } while (--count); 3240 spin_unlock_irqrestore(&func->ffs->eps_lock, flags); 3241 kfree(func->eps); 3242 func->eps = NULL; 3243 /* 3244 * eps, descriptors and interfaces_nums are allocated in the 3245 * same chunk so only one free is required. 3246 */ 3247 func->function.fs_descriptors = NULL; 3248 func->function.hs_descriptors = NULL; 3249 func->function.ss_descriptors = NULL; 3250 func->interfaces_nums = NULL; 3251 3252 ffs_event_add(ffs, FUNCTIONFS_UNBIND); 3253} 3254 3255static struct usb_function *ffs_alloc(struct usb_function_instance *fi) 3256{ 3257 struct ffs_function *func; 3258 3259 ENTER(); 3260 3261 func = kzalloc(sizeof(*func), GFP_KERNEL); 3262 if (unlikely(!func)) 3263 return ERR_PTR(-ENOMEM); 3264 3265 func->function.name = "Function FS Gadget"; 3266 3267 func->function.bind = ffs_func_bind; 3268 func->function.unbind = ffs_func_unbind; 3269 func->function.set_alt = ffs_func_set_alt; 3270 func->function.disable = ffs_func_disable; 3271 func->function.setup = ffs_func_setup; 3272 func->function.suspend = ffs_func_suspend; 3273 func->function.resume = ffs_func_resume; 3274 func->function.free_func = ffs_free; 3275 3276 return &func->function; 3277} 3278 3279/* 3280 * ffs_lock must be taken by the caller of this function 3281 */ 3282static struct ffs_dev *_ffs_alloc_dev(void) 3283{ 3284 struct ffs_dev *dev; 3285 int ret; 3286 3287 if (_ffs_get_single_dev()) 3288 return ERR_PTR(-EBUSY); 3289 3290 dev = kzalloc(sizeof(*dev), GFP_KERNEL); 3291 if (!dev) 3292 return ERR_PTR(-ENOMEM); 3293 3294 if (list_empty(&ffs_devices)) { 3295 ret = functionfs_init(); 3296 if (ret) { 3297 kfree(dev); 3298 return ERR_PTR(ret); 3299 } 3300 } 3301 3302 list_add(&dev->entry, &ffs_devices); 3303 3304 return dev; 3305} 3306 3307/* 3308 * ffs_lock must be taken by the caller of this function 3309 * The caller is responsible for "name" being available whenever f_fs needs it 3310 */ 3311static int _ffs_name_dev(struct ffs_dev *dev, const char *name) 3312{ 3313 struct ffs_dev *existing; 3314 3315 existing = _ffs_do_find_dev(name); 3316 if (existing) 3317 return -EBUSY; 3318 3319 dev->name = name; 3320 3321 return 0; 3322} 3323 3324/* 3325 * The caller is responsible for "name" being available whenever f_fs needs it 3326 */ 3327int ffs_name_dev(struct ffs_dev *dev, const char *name) 3328{ 3329 int ret; 3330 3331 ffs_dev_lock(); 3332 ret = _ffs_name_dev(dev, name); 3333 ffs_dev_unlock(); 3334 3335 return ret; 3336} 3337EXPORT_SYMBOL_GPL(ffs_name_dev); 3338 3339int ffs_single_dev(struct ffs_dev *dev) 3340{ 3341 int ret; 3342 3343 ret = 0; 3344 ffs_dev_lock(); 3345 3346 if (!list_is_singular(&ffs_devices)) 3347 ret = -EBUSY; 3348 else 3349 dev->single = true; 3350 3351 ffs_dev_unlock(); 3352 return ret; 3353} 3354EXPORT_SYMBOL_GPL(ffs_single_dev); 3355 3356/* 3357 * ffs_lock must be taken by the caller of this function 3358 */ 3359static void _ffs_free_dev(struct ffs_dev *dev) 3360{ 3361 list_del(&dev->entry); 3362 if (dev->name_allocated) 3363 kfree(dev->name); 3364 kfree(dev); 3365 if (list_empty(&ffs_devices)) 3366 functionfs_cleanup(); 3367} 3368 3369static void *ffs_acquire_dev(const char *dev_name) 3370{ 3371 struct ffs_dev *ffs_dev; 3372 3373 ENTER(); 3374 ffs_dev_lock(); 3375 3376 ffs_dev = _ffs_find_dev(dev_name); 3377 if (!ffs_dev) 3378 ffs_dev = ERR_PTR(-ENOENT); 3379 else if (ffs_dev->mounted) 3380 ffs_dev = ERR_PTR(-EBUSY); 3381 else if (ffs_dev->ffs_acquire_dev_callback && 3382 ffs_dev->ffs_acquire_dev_callback(ffs_dev)) 3383 ffs_dev = ERR_PTR(-ENOENT); 3384 else 3385 ffs_dev->mounted = true; 3386 3387 ffs_dev_unlock(); 3388 return ffs_dev; 3389} 3390 3391static void ffs_release_dev(struct ffs_data *ffs_data) 3392{ 3393 struct ffs_dev *ffs_dev; 3394 3395 ENTER(); 3396 ffs_dev_lock(); 3397 3398 ffs_dev = ffs_data->private_data; 3399 if (ffs_dev) { 3400 ffs_dev->mounted = false; 3401 3402 if (ffs_dev->ffs_release_dev_callback) 3403 ffs_dev->ffs_release_dev_callback(ffs_dev); 3404 } 3405 3406 ffs_dev_unlock(); 3407} 3408 3409static int ffs_ready(struct ffs_data *ffs) 3410{ 3411 struct ffs_dev *ffs_obj; 3412 int ret = 0; 3413 3414 ENTER(); 3415 ffs_dev_lock(); 3416 3417 ffs_obj = ffs->private_data; 3418 if (!ffs_obj) { 3419 ret = -EINVAL; 3420 goto done; 3421 } 3422 if (WARN_ON(ffs_obj->desc_ready)) { 3423 ret = -EBUSY; 3424 goto done; 3425 } 3426 3427 ffs_obj->desc_ready = true; 3428 ffs_obj->ffs_data = ffs; 3429 3430 if (ffs_obj->ffs_ready_callback) { 3431 ret = ffs_obj->ffs_ready_callback(ffs); 3432 if (ret) 3433 goto done; 3434 } 3435 3436 set_bit(FFS_FL_CALL_CLOSED_CALLBACK, &ffs->flags); 3437done: 3438 ffs_dev_unlock(); 3439 return ret; 3440} 3441 3442static void ffs_closed(struct ffs_data *ffs) 3443{ 3444 struct ffs_dev *ffs_obj; 3445 struct f_fs_opts *opts; 3446 3447 ENTER(); 3448 ffs_dev_lock(); 3449 3450 ffs_obj = ffs->private_data; 3451 if (!ffs_obj) 3452 goto done; 3453 3454 ffs_obj->desc_ready = false; 3455 3456 if (test_and_clear_bit(FFS_FL_CALL_CLOSED_CALLBACK, &ffs->flags) && 3457 ffs_obj->ffs_closed_callback) 3458 ffs_obj->ffs_closed_callback(ffs); 3459 3460 if (ffs_obj->opts) 3461 opts = ffs_obj->opts; 3462 else 3463 goto done; 3464 3465 if (opts->no_configfs || !opts->func_inst.group.cg_item.ci_parent 3466 || !atomic_read(&opts->func_inst.group.cg_item.ci_kref.refcount)) 3467 goto done; 3468 3469 unregister_gadget_item(ffs_obj->opts-> 3470 func_inst.group.cg_item.ci_parent->ci_parent); 3471done: 3472 ffs_dev_unlock(); 3473} 3474 3475/* Misc helper functions ****************************************************/ 3476 3477static int ffs_mutex_lock(struct mutex *mutex, unsigned nonblock) 3478{ 3479 return nonblock 3480 ? likely(mutex_trylock(mutex)) ? 0 : -EAGAIN 3481 : mutex_lock_interruptible(mutex); 3482} 3483 3484static char *ffs_prepare_buffer(const char __user *buf, size_t len) 3485{ 3486 char *data; 3487 3488 if (unlikely(!len)) 3489 return NULL; 3490 3491 data = kmalloc(len, GFP_KERNEL); 3492 if (unlikely(!data)) 3493 return ERR_PTR(-ENOMEM); 3494 3495 if (unlikely(copy_from_user(data, buf, len))) { 3496 kfree(data); 3497 return ERR_PTR(-EFAULT); 3498 } 3499 3500 pr_vdebug("Buffer from user space:\n"); 3501 ffs_dump_mem("", data, len); 3502 3503 return data; 3504} 3505 3506DECLARE_USB_FUNCTION_INIT(ffs, ffs_alloc_inst, ffs_alloc); 3507MODULE_LICENSE("GPL"); 3508MODULE_AUTHOR("Michal Nazarewicz"); 3509