1 // SPDX-License-Identifier: GPL-2.0+
2 /*
3 * f_fs.c -- user mode file system API for USB composite function controllers
4 *
5 * Copyright (C) 2010 Samsung Electronics
6 * Author: Michal Nazarewicz <mina86@mina86.com>
7 *
8 * Based on inode.c (GadgetFS) which was:
9 * Copyright (C) 2003-2004 David Brownell
10 * Copyright (C) 2003 Agilent Technologies
11 */
12
13 /* #define DEBUG */
14 /* #define VERBOSE_DEBUG */
15
16 #include <linux/export.h>
17 #include <linux/hid.h>
18 #include <linux/miscdevice.h>
19 #include <linux/usb/functionfs.h>
20 #include <linux/kfifo.h>
21 #include <linux/module.h>
22 #include <linux/poll.h>
23 #include <linux/eventfd.h>
24 #include <linux/dma-mapping.h>
25 #include <linux/usb/cdc.h>
26 #include <linux/interrupt.h>
27 #include "u_generic.h"
28 #include "u_f.h"
29 #include "u_os_desc.h"
30 #include "configfs.h"
31
32 #define FUNCTIONFS_MAGIC 0xa647361 /* Chosen by a honest dice roll ;) */
33
34 /* Reference counter handling */
35 static void ffs_data_get(struct ffs_data *ffs);
36 static void ffs_data_put(struct ffs_data *ffs);
37 /* Creates new ffs_data object. */
38 static struct ffs_data *__must_check ffs_data_new(const char *dev_name)
39 __attribute__((malloc));
40
41 /* Called with ffs->mutex held; take over ownership of data. */
42 static int __must_check
43 __ffs_data_got_descs(struct ffs_data *ffs, char *data, size_t len);
44 static int __must_check
45 __ffs_data_got_strings(struct ffs_data *ffs, char *data, size_t len);
46
47 /* The function structure ***************************************************/
48
49 struct ffs_ep;
50
51 struct ffs_function {
52 struct usb_configuration *conf;
53 struct usb_gadget *gadget;
54 struct ffs_data *ffs;
55
56 struct ffs_ep *eps;
57 u8 eps_revmap[16];
58 short *interfaces_nums;
59
60 struct usb_function function;
61 };
ffs_func_from_usb(struct usb_function * f)62 static struct ffs_function *ffs_func_from_usb(struct usb_function *f)
63 {
64 return container_of(f, struct ffs_function, function);
65 }
ffs_setup_state_clear_cancelled(struct ffs_data * ffs)66 static inline enum ffs_setup_state ffs_setup_state_clear_cancelled(struct ffs_data *ffs)
67 {
68 return (enum ffs_setup_state)
69 cmpxchg(&ffs->setup_state, FFS_SETUP_CANCELLED, FFS_NO_SETUP);
70 }
71 static void ffs_func_eps_disable(struct ffs_function *func);
72 static int __must_check ffs_func_eps_enable(struct ffs_function *func);
73
74 static int ffs_func_bind(struct usb_configuration *,
75 struct usb_function *);
76 static int ffs_func_set_alt(struct usb_function *, unsigned, unsigned);
77 static void ffs_func_disable(struct usb_function *);
78 static int ffs_func_setup(struct usb_function *,
79 const struct usb_ctrlrequest *);
80 static bool ffs_func_req_match(struct usb_function *,
81 const struct usb_ctrlrequest *,
82 bool config0);
83 static void ffs_func_suspend(struct usb_function *);
84 static void ffs_func_resume(struct usb_function *);
85
86 static int ffs_func_revmap_ep(struct ffs_function *func, u8 num);
87 static int ffs_func_revmap_intf(struct ffs_function *func, u8 intf);
88
89 /* The endpoints structures *************************************************/
90 struct ffs_ep {
91 struct usb_ep *ep; /* P: ffs->eps_lock */
92 struct usb_request *req; /* P: epfile->mutex */
93
94 /* [0]: full speed, [1]: high speed, [2]: super speed */
95 struct usb_endpoint_descriptor *descs[3];
96
97 u8 num;
98
99 int status; /* P: epfile->mutex */
100 };
101
102 struct ffs_epfile {
103 /* Protects ep->ep and ep->req. */
104 struct mutex mutex;
105 struct list_head memory_list;
106 struct ffs_data *ffs;
107 struct ffs_ep *ep; /* P: ffs->eps_lock */
108 /*
109 * Buffer for holding data from partial reads which may happen since
110 * we’re rounding user read requests to a multiple of a max packet size.
111 *
112 * The pointer is initialised with NULL value and may be set by
113 * __ffs_epfile_read_data function to point to a temporary buffer.
114 *
115 * In normal operation, calls to __ffs_epfile_read_buffered will consume
116 * data from said buffer and eventually free it. Importantly, while the
117 * function is using the buffer, it sets the pointer to NULL. This is
118 * all right since __ffs_epfile_read_data and __ffs_epfile_read_buffered
119 * can never run concurrently (they are synchronised by epfile->mutex)
120 * so the latter will not assign a new value to the pointer.
121 *
122 * Meanwhile ffs_func_eps_disable frees the buffer (if the pointer is
123 * valid) and sets the pointer to READ_BUFFER_DROP value. This special
124 * value is crux of the synchronisation between ffs_func_eps_disable and
125 * __ffs_epfile_read_data.
126 *
127 * Once __ffs_epfile_read_data is about to finish it will try to set the
128 * pointer back to its old value (as described above), but seeing as the
129 * pointer is not-NULL (namely READ_BUFFER_DROP) it will instead free
130 * the buffer.
131 *
132 * == State transitions ==
133 *
134 * • ptr == NULL: (initial state)
135 * ◦ __ffs_epfile_read_buffer_free: go to ptr == DROP
136 * ◦ __ffs_epfile_read_buffered: nop
137 * ◦ __ffs_epfile_read_data allocates temp buffer: go to ptr == buf
138 * ◦ reading finishes: n/a, not in ‘and reading’ state
139 * • ptr == DROP:
140 * ◦ __ffs_epfile_read_buffer_free: nop
141 * ◦ __ffs_epfile_read_buffered: go to ptr == NULL
142 * ◦ __ffs_epfile_read_data allocates temp buffer: free buf, nop
143 * ◦ reading finishes: n/a, not in ‘and reading’ state
144 * • ptr == buf:
145 * ◦ __ffs_epfile_read_buffer_free: free buf, go to ptr == DROP
146 * ◦ __ffs_epfile_read_buffered: go to ptr == NULL and reading
147 * ◦ __ffs_epfile_read_data: n/a, __ffs_epfile_read_buffered
148 * is always called first
149 * ◦ reading finishes: n/a, not in ‘and reading’ state
150 * • ptr == NULL and reading:
151 * ◦ __ffs_epfile_read_buffer_free: go to ptr == DROP and reading
152 * ◦ __ffs_epfile_read_buffered: n/a, mutex is held
153 * ◦ __ffs_epfile_read_data: n/a, mutex is held
154 * ◦ reading finishes and …
155 * … all data read: free buf, go to ptr == NULL
156 * … otherwise: go to ptr == buf and reading
157 * • ptr == DROP and reading:
158 * ◦ __ffs_epfile_read_buffer_free: nop
159 * ◦ __ffs_epfile_read_buffered: n/a, mutex is held
160 * ◦ __ffs_epfile_read_data: n/a, mutex is held
161 * ◦ reading finishes: free buf, go to ptr == DROP
162 */
163 struct ffs_buffer *read_buffer;
164 #define READ_BUFFER_DROP ((struct ffs_buffer *)ERR_PTR(-ESHUTDOWN))
165
166 char name[MAX_NAMELEN];
167 dev_t devno;
168 struct cdev cdev;
169 struct device *device;
170
171 unsigned char in; /* P: ffs->eps_lock */
172 unsigned char isoc; /* P: ffs->eps_lock */
173
174 struct kfifo reqEventFifo;
175 wait_queue_head_t wait_que;
176
177 unsigned char _pad;
178 };
179
180 struct ffs_buffer {
181 size_t length;
182 char *data;
183 char storage[];
184 };
185
186 /* ffs_io_data structure ***************************************************/
187
188 struct ffs_io_data {
189 uint32_t aio;
190 uint32_t read;
191 uint32_t len;
192 uint32_t timeout;
193 uint64_t buf;
194 uint32_t actual;
195 int status;
196 struct tasklet_struct task;
197 struct usb_ep *ep;
198 struct usb_request *req;
199 struct ffs_epfile *epfile;
200 struct ffs_data *ffs;
201 };
202
203 struct ffs_desc_helper {
204 struct ffs_data *ffs;
205 unsigned interfaces_count;
206 unsigned eps_count;
207 };
208
209 static int __must_check ffs_epfiles_create(struct ffs_data *ffs);
210 static void ffs_epfiles_destroy(struct ffs_epfile *epfiles, unsigned count);
211
212 /* Devices management *******************************************************/
213
214 DEFINE_MUTEX(ffs_lock_adapter);
215 EXPORT_SYMBOL_GPL(ffs_lock_adapter);
216
217 static struct ffs_dev *_ffs_find_dev(const char *name);
218 static struct ffs_dev *_ffs_alloc_dev(void);
219 static void _ffs_free_dev(struct ffs_dev *dev);
220 static void *ffs_acquire_dev(const char *dev_name);
221 static void ffs_release_dev(struct ffs_data *ffs_data);
222 static int ffs_ready(struct ffs_data *ffs);
223 static void ffs_closed(struct ffs_data *ffs);
224
225 /* Misc helper functions ****************************************************/
226
227 static int ffs_mutex_lock(struct mutex *mutex, unsigned nonblock)
228 __attribute__((warn_unused_result, nonnull));
229 static char *ffs_prepare_buffer(const char __user *buf, size_t len)
230 __attribute__((warn_unused_result, nonnull));
231
232 struct class *ffs_class;
ffs_devnode(struct device * dev,umode_t * mode)233 static char *ffs_devnode(struct device *dev, umode_t *mode)
234 {
235 if (mode)
236 *mode = 0666;
237 return kasprintf(GFP_KERNEL, "functionfs/%s", dev_name(dev));
238 }
239
240 /* Control file aka ep0 *****************************************************/
generic_find_ep0_memory_area(struct ffs_data * ffs,uint64_t buf,uint32_t len)241 static struct ffs_memory *generic_find_ep0_memory_area(struct ffs_data *ffs, uint64_t buf, uint32_t len)
242 {
243 struct ffs_memory *ffsm = NULL;
244 struct ffs_memory *iter = NULL;
245 uint64_t buf_start = buf;
246 unsigned long flags;
247
248 spin_lock_irqsave(&ffs->mem_lock, flags);
249 list_for_each_entry(iter, &ffs->memory_list, memlist) {
250 if (buf_start >= iter->vm_start &&
251 buf_start < iter->vm_start + iter->size) {
252 if (len <= iter->vm_start + iter->size - buf_start) {
253 ffsm = iter;
254 break;
255 }
256 }
257 }
258 spin_unlock_irqrestore(&ffs->mem_lock, flags);
259 return ffsm;
260 }
261
ffs_ep0_complete(struct usb_ep * ep,struct usb_request * req)262 static void ffs_ep0_complete(struct usb_ep *ep, struct usb_request *req)
263 {
264 struct ffs_data *ffs = req->context;
265
266 complete(&ffs->ep0req_completion);
267
268 ffs->setup_state = FFS_NO_SETUP;
269 }
270
ffs_ep0_async_io_complete(struct usb_ep * _ep,struct usb_request * req)271 static void ffs_ep0_async_io_complete(struct usb_ep *_ep, struct usb_request *req)
272 {
273 struct ffs_io_data *io_data = req->context;
274 struct ffs_data *ffs = io_data->ffs;
275 ENTER();
276
277 io_data->status = io_data->req->status;
278 io_data->actual = io_data->req->actual;
279 kfifo_in(&ffs->reqEventFifo, &io_data->buf, sizeof(struct UsbFnReqEvent));
280 wake_up_all(&ffs->wait_que);
281
282 list_del(&req->list);
283 usb_ep_free_request(io_data->ep, io_data->req);
284 kfree(io_data);
285
286 }
287
__ffs_ep0_queue_wait(struct ffs_data * ffs,char * data,size_t len)288 static int __ffs_ep0_queue_wait(struct ffs_data *ffs, char *data, size_t len)
289 __releases(&ffs->ev.waitq.lock)
290 {
291 struct usb_request *req = ffs->ep0req;
292 int ret;
293
294 req->zero = len < le16_to_cpu(ffs->ev.setup.wLength);
295
296 spin_unlock_irq(&ffs->ev.waitq.lock);
297
298 req->buf = data;
299 req->length = len;
300
301 /*
302 * UDC layer requires to provide a buffer even for ZLP, but should
303 * not use it at all. Let's provide some poisoned pointer to catch
304 * possible bug in the driver.
305 */
306 if (req->buf == NULL)
307 req->buf = (void *)0xDEADBABE;
308
309 reinit_completion(&ffs->ep0req_completion);
310
311 ret = usb_ep_queue(ffs->gadget->ep0, req, GFP_ATOMIC);
312 if (unlikely(ret < 0))
313 return ret;
314
315 ret = wait_for_completion_interruptible(&ffs->ep0req_completion);
316 if (unlikely(ret)) {
317 usb_ep_dequeue(ffs->gadget->ep0, req);
318 return -EINTR;
319 }
320
321 ffs->setup_state = FFS_NO_SETUP;
322 return req->status ? req->status : req->actual;
323 }
324
__ffs_ep0_stall(struct ffs_data * ffs)325 static int __ffs_ep0_stall(struct ffs_data *ffs)
326 {
327 if (ffs->ev.can_stall) {
328 pr_vdebug("ep0 stall\n");
329 usb_ep_set_halt(ffs->gadget->ep0);
330 ffs->setup_state = FFS_NO_SETUP;
331 return -EL2HLT;
332 } else {
333 pr_debug("bogus ep0 stall!\n");
334 return -ESRCH;
335 }
336 }
337
ffs_ep0_write(struct file * file,const char __user * buf,size_t len,loff_t * ptr)338 static ssize_t ffs_ep0_write(struct file *file, const char __user *buf, size_t len, loff_t *ptr)
339 {
340 struct ffs_data *ffs = file->private_data;
341 ssize_t ret;
342 char *data = NULL;
343
344 ENTER();
345
346 /* Fast check if setup was canceled */
347 if (ffs_setup_state_clear_cancelled(ffs) == FFS_SETUP_CANCELLED)
348 return -EIDRM;
349
350 /* Acquire mutex */
351 ret = ffs_mutex_lock(&ffs->mutex, file->f_flags & O_NONBLOCK);
352 if (unlikely(ret < 0))
353 return ret;
354
355 /* Check state */
356 switch (ffs->state) {
357 case FFS_READ_DESCRIPTORS:
358 case FFS_READ_STRINGS:
359 /* Copy data */
360 if (unlikely(len < 16)) {
361 ret = -EINVAL;
362 break;
363 }
364
365 data = ffs_prepare_buffer(buf, len);
366 if (IS_ERR(data)) {
367 ret = PTR_ERR(data);
368 break;
369 }
370
371 /* Handle data */
372 if (ffs->state == FFS_READ_DESCRIPTORS) {
373 pr_info("read descriptors\n");
374 ret = __ffs_data_got_descs(ffs, data, len);
375 if (unlikely(ret < 0))
376 break;
377
378 ffs->state = FFS_READ_STRINGS;
379 ret = len;
380 } else {
381 pr_info("read strings\n");
382 ret = __ffs_data_got_strings(ffs, data, len);
383 if (unlikely(ret < 0))
384 break;
385
386 ret = ffs_epfiles_create(ffs);
387 if (unlikely(ret)) {
388 ffs->state = FFS_CLOSING;
389 break;
390 }
391
392 ffs->state = FFS_ACTIVE;
393 mutex_unlock(&ffs->mutex);
394
395 ret = ffs_ready(ffs);
396 if (unlikely(ret < 0)) {
397 ffs->state = FFS_CLOSING;
398 return ret;
399 }
400
401 return len;
402 }
403 break;
404
405 case FFS_ACTIVE:
406 data = NULL;
407 /*
408 * We're called from user space, we can use _irq
409 * rather then _irqsave
410 */
411 spin_lock_irq(&ffs->ev.waitq.lock);
412 switch (ffs_setup_state_clear_cancelled(ffs)) {
413 case FFS_SETUP_CANCELLED:
414 ret = -EIDRM;
415 goto done_spin;
416
417 case FFS_NO_SETUP:
418 ret = -ESRCH;
419 goto done_spin;
420
421 case FFS_SETUP_PENDING:
422 break;
423 }
424
425 /* FFS_SETUP_PENDING */
426 if (!(ffs->ev.setup.bRequestType & USB_DIR_IN)) {
427 spin_unlock_irq(&ffs->ev.waitq.lock);
428 ret = __ffs_ep0_stall(ffs);
429 break;
430 }
431
432 /* FFS_SETUP_PENDING and not stall */
433 len = min(len, (size_t)le16_to_cpu(ffs->ev.setup.wLength));
434
435 spin_unlock_irq(&ffs->ev.waitq.lock);
436
437 data = ffs_prepare_buffer(buf, len);
438 if (IS_ERR(data)) {
439 ret = PTR_ERR(data);
440 break;
441 }
442
443 spin_lock_irq(&ffs->ev.waitq.lock);
444
445 /*
446 * We are guaranteed to be still in FFS_ACTIVE state
447 * but the state of setup could have changed from
448 * FFS_SETUP_PENDING to FFS_SETUP_CANCELLED so we need
449 * to check for that. If that happened we copied data
450 * from user space in vain but it's unlikely.
451 *
452 * For sure we are not in FFS_NO_SETUP since this is
453 * the only place FFS_SETUP_PENDING -> FFS_NO_SETUP
454 * transition can be performed and it's protected by
455 * mutex.
456 */
457 if (ffs_setup_state_clear_cancelled(ffs) ==
458 FFS_SETUP_CANCELLED) {
459 ret = -EIDRM;
460 done_spin:
461 spin_unlock_irq(&ffs->ev.waitq.lock);
462 } else {
463 /* unlocks spinlock */
464 ret = __ffs_ep0_queue_wait(ffs, data, len);
465 }
466 kfree(data);
467 break;
468
469 default:
470 ret = -EBADFD;
471 break;
472 }
473
474 mutex_unlock(&ffs->mutex);
475 return ret;
476 }
477
478 /* Called with ffs->ev.waitq.lock and ffs->mutex held, both released on exit. */
__ffs_ep0_read_events(struct ffs_data * ffs,char __user * buf,size_t n)479 static ssize_t __ffs_ep0_read_events(struct ffs_data *ffs, char __user *buf, size_t n)
480 __releases(&ffs->ev.waitq.lock)
481 {
482 /*
483 * n cannot be bigger than ffs->ev.count, which cannot be bigger than
484 * size of ffs->ev.types array (which is four) so that's how much space
485 * we reserve.
486 */
487 struct usb_functionfs_event events[ARRAY_SIZE(ffs->ev.types)];
488 const size_t size = n * sizeof *events;
489 unsigned i = 0;
490
491 memset(events, 0, size);
492
493 do {
494 events[i].type = ffs->ev.types[i];
495 if (events[i].type == FUNCTIONFS_SETUP) {
496 events[i].u.setup = ffs->ev.setup;
497 ffs->setup_state = FFS_SETUP_PENDING;
498 }
499 } while (++i < n);
500
501 ffs->ev.count -= n;
502 if (ffs->ev.count)
503 memmove(ffs->ev.types, ffs->ev.types + n, ffs->ev.count * sizeof *ffs->ev.types);
504
505 spin_unlock_irq(&ffs->ev.waitq.lock);
506 mutex_unlock(&ffs->mutex);
507
508 return unlikely(copy_to_user(buf, events, size)) ? -EFAULT : size;
509 }
510
ffs_ep0_read(struct file * file,char __user * buf,size_t len,loff_t * ptr)511 static ssize_t ffs_ep0_read(struct file *file, char __user *buf, size_t len, loff_t *ptr)
512 {
513 struct ffs_data *ffs = file->private_data;
514 char *data = NULL;
515 size_t n;
516 int ret;
517
518 ENTER();
519
520 /* Fast check if setup was canceled */
521 if (ffs_setup_state_clear_cancelled(ffs) == FFS_SETUP_CANCELLED)
522 return -EIDRM;
523
524 /* Acquire mutex */
525 ret = ffs_mutex_lock(&ffs->mutex, file->f_flags & O_NONBLOCK);
526 if (unlikely(ret < 0))
527 return ret;
528
529 /* Check state */
530 if (ffs->state != FFS_ACTIVE) {
531 ret = -EBADFD;
532 goto done_mutex;
533 }
534
535 /*
536 * We're called from user space, we can use _irq rather then
537 * _irqsave
538 */
539 spin_lock_irq(&ffs->ev.waitq.lock);
540
541 switch (ffs_setup_state_clear_cancelled(ffs)) {
542 case FFS_SETUP_CANCELLED:
543 ret = -EIDRM;
544 break;
545
546 case FFS_NO_SETUP:
547 n = len / sizeof(struct usb_functionfs_event);
548 if (unlikely(!n)) {
549 ret = -EINVAL;
550 break;
551 }
552
553 if ((file->f_flags & O_NONBLOCK) && !ffs->ev.count) {
554 ret = -EAGAIN;
555 break;
556 }
557
558 if (wait_event_interruptible_exclusive_locked_irq(ffs->ev.waitq,
559 ffs->ev.count)) {
560 ret = -EINTR;
561 break;
562 }
563
564 /* unlocks spinlock */
565 return __ffs_ep0_read_events(ffs, buf,
566 min(n, (size_t)ffs->ev.count));
567
568 case FFS_SETUP_PENDING:
569 if (ffs->ev.setup.bRequestType & USB_DIR_IN) {
570 spin_unlock_irq(&ffs->ev.waitq.lock);
571 ret = __ffs_ep0_stall(ffs);
572 goto done_mutex;
573 }
574
575 len = min(len, (size_t)le16_to_cpu(ffs->ev.setup.wLength));
576
577 spin_unlock_irq(&ffs->ev.waitq.lock);
578
579 if (likely(len)) {
580 data = kmalloc(len, GFP_KERNEL);
581 if (unlikely(!data)) {
582 ret = -ENOMEM;
583 goto done_mutex;
584 }
585 }
586
587 spin_lock_irq(&ffs->ev.waitq.lock);
588
589 /* See ffs_ep0_write() */
590 if (ffs_setup_state_clear_cancelled(ffs) ==
591 FFS_SETUP_CANCELLED) {
592 ret = -EIDRM;
593 break;
594 }
595
596 /* unlocks spinlock */
597 ret = __ffs_ep0_queue_wait(ffs, data, len);
598 if (likely(ret > 0) && unlikely(copy_to_user(buf, data, len)))
599 ret = -EFAULT;
600 goto done_mutex;
601
602 default:
603 ret = -EBADFD;
604 break;
605 }
606
607 spin_unlock_irq(&ffs->ev.waitq.lock);
608 done_mutex:
609 mutex_unlock(&ffs->mutex);
610 kfree(data);
611 return ret;
612 }
613
ffs_ep0_open(struct inode * inode,struct file * file)614 static int ffs_ep0_open(struct inode *inode, struct file *file)
615 {
616 struct ffs_data *ffs = container_of(inode->i_cdev, struct ffs_data, cdev);
617 ENTER();
618
619 if (unlikely(ffs->state == FFS_CLOSING))
620 return -EBUSY;
621
622 file->private_data = ffs;
623 return 0;
624 }
625
ffs_ep0_release(struct inode * inode,struct file * file)626 static int ffs_ep0_release(struct inode *inode, struct file *file)
627 {
628 ENTER();
629 return 0;
630 }
631
ffs_ep0_iorw(struct file * file,struct ffs_io_data * io_data)632 static ssize_t ffs_ep0_iorw(struct file *file, struct ffs_io_data *io_data)
633 {
634 struct ffs_data *ffs = file->private_data;
635 struct usb_request *req = NULL;
636 ssize_t ret, data_len = io_data->len;
637 bool interrupted = false;
638 struct ffs_memory *ffsm = NULL;
639
640 /* Are we still active? */
641 if (WARN_ON(ffs->state != FFS_ACTIVE))
642 return -ENODEV;
643 ffsm = generic_find_ep0_memory_area(ffs, io_data->buf, data_len);
644 if (ffsm == NULL)
645 {
646 return -ENODEV;
647 }
648 if (!io_data->aio) {
649 reinit_completion(&ffs->ep0req_completion);
650
651 req = ffs->ep0req;
652 req->buf = (void *)(ffsm->mem + io_data->buf - ffsm->vm_start);
653 req->length = data_len;
654 req->complete = ffs_ep0_complete;
655
656 ret = usb_ep_queue(ffs->gadget->ep0, req, GFP_ATOMIC);
657 if (unlikely(ret < 0))
658 goto error;
659
660 if (io_data->timeout > 0) {
661 ret = wait_for_completion_interruptible_timeout(&ffs->ep0req_completion, io_data->timeout);
662 if (ret < 0) {
663 /*
664 * To avoid race condition with ffs_epfile_io_complete,
665 * dequeue the request first then check
666 * status. usb_ep_dequeue API should guarantee no race
667 * condition with req->complete callback.
668 */
669 usb_ep_dequeue(ffs->gadget->ep0, req);
670 wait_for_completion(&ffs->ep0req_completion);
671 interrupted = req->status < 0;
672 } else if (ret == 0) {
673 ret = -EBUSY;
674 usb_ep_dequeue(ffs->gadget->ep0, req);
675 wait_for_completion(&ffs->ep0req_completion);
676 goto error;
677 }
678 } else {
679 ret = wait_for_completion_interruptible(&ffs->ep0req_completion);
680 if (ret < 0) {
681 usb_ep_dequeue(ffs->gadget->ep0, req);
682 wait_for_completion(&ffs->ep0req_completion);
683 interrupted = req->status < 0;
684 }
685 }
686
687 if (interrupted) {
688 ret = -EINTR;
689 } else {
690 ret = req->actual;
691 }
692 goto error;
693 }
694 else if (!(req = usb_ep_alloc_request(ffs->gadget->ep0, GFP_ATOMIC))) {
695 ret = -ENOMEM;
696 }
697 else {
698 req->buf = (void *)(ffsm->mem + io_data->buf - ffsm->vm_start);
699 req->length = data_len;
700
701 io_data->ep = ffs->gadget->ep0;
702 io_data->req = req;
703 io_data->ffs = ffs;
704
705 req->context = io_data;
706 req->complete = ffs_ep0_async_io_complete;
707 list_add(&req->list, &ffs->ep0req->list);
708 ret = usb_ep_queue(ffs->gadget->ep0, req, GFP_ATOMIC);
709 if (unlikely(ret)) {
710 usb_ep_free_request(ffs->gadget->ep0, req);
711 goto error;
712 }
713
714 ret = -EIOCBQUEUED;
715 }
716
717 error:
718 return ret;
719 }
720
ffs_ep0_ioctl(struct file * file,unsigned code,unsigned long value)721 static long ffs_ep0_ioctl(struct file *file, unsigned code, unsigned long value)
722 {
723 struct ffs_data *ffs = file->private_data;
724 long ret = 0;
725 unsigned int copied = 0;
726 struct ffs_memory *ffsm = NULL;
727 struct generic_memory mem;
728
729 ENTER();
730
731 switch (code) {
732 case FUNCTIONFS_ENDPOINT_QUEUE_INIT:
733 ret = kfifo_alloc(&ffs->reqEventFifo, MAX_REQUEST * sizeof(struct UsbFnReqEvent), GFP_KERNEL);
734 break;
735 case FUNCTIONFS_ENDPOINT_QUEUE_DEL:
736 kfifo_free(&ffs->reqEventFifo);
737 break;
738 case FUNCTIONFS_ENDPOINT_RELEASE_BUF:
739 if (copy_from_user(&mem, (void __user *)value, sizeof(mem)))
740 {
741 pr_info("copy from user failed\n");
742 return -EFAULT;
743 }
744 ffsm = generic_find_ep0_memory_area(ffs, mem.buf, mem.size);
745 if (ffsm == NULL)
746 {
747 return -EFAULT;
748 }
749 list_del(&ffsm->memlist);
750 kfree((void *)ffsm->mem);
751 kfree(ffsm);
752 break;
753 case FUNCTIONFS_ENDPOINT_READ:
754 case FUNCTIONFS_ENDPOINT_WRITE:
755 {
756 struct IoData myIoData;
757 struct ffs_io_data io_data, *p = &io_data;
758 ret = copy_from_user(&myIoData, (void __user *)value, sizeof(struct IoData));
759 if (unlikely(ret)) {
760 return -EFAULT;
761 }
762 if (myIoData.aio) {
763 p = kmalloc(sizeof(io_data), GFP_KERNEL);
764 if (unlikely(!p))
765 return -ENOMEM;
766 } else {
767 memset(p, 0, sizeof(*p));
768 }
769 memcpy(p, &myIoData, sizeof(struct IoData));
770
771 ret = ffs_ep0_iorw(file, p);
772 if (ret == -EIOCBQUEUED) {
773 return 0;
774 }
775 if (p->aio)
776 kfree(p);
777 return ret;
778 }
779 case FUNCTIONFS_ENDPOINT_RW_CANCEL:
780 {
781 struct usb_request *req;
782 struct IoData myIoData;
783 ret = copy_from_user(&myIoData, (void __user *)value, sizeof(struct IoData));
784 if (unlikely(ret)) {
785 return -EFAULT;
786 }
787 ffsm = generic_find_ep0_memory_area(ffs, myIoData.buf, myIoData.len);
788 if (ffsm == NULL)
789 {
790 return -EFAULT;
791 }
792 list_for_each_entry(req, &ffs->ep0req->list, list) {
793 if (req->buf == (void *)(ffsm->mem + myIoData.buf - ffsm->vm_start)) {
794 usb_ep_dequeue(ffs->gadget->ep0, req);
795 return 0;
796 }
797 }
798 return -EFAULT;
799 }
800 case FUNCTIONFS_ENDPOINT_GET_REQ_STATUS:
801 {
802 struct usb_request *req;
803 struct IoData myIoData;
804 ret = copy_from_user(&myIoData, (void __user *)value, sizeof(struct IoData));
805 if (unlikely(ret)) {
806 return -EFAULT;
807 }
808 ffsm = generic_find_ep0_memory_area(ffs, myIoData.buf, myIoData.len);
809 if (ffsm == NULL)
810 {
811 return -EFAULT;
812 }
813 list_for_each_entry(req, &ffs->ep0req->list, list) {
814 if (req->buf == (void *)(ffsm->mem + myIoData.buf - ffsm->vm_start)) {
815 return req->status;
816 }
817 }
818 return -EFAULT;
819 }
820 case FUNCTIONFS_ENDPOINT_GET_EP0_EVENT:
821 if (!kfifo_is_empty(&ffs->reqEventFifo)) {
822 ret = kfifo_to_user(&ffs->reqEventFifo, (void __user *)value,
823 sizeof(struct UsbFnReqEvent), &copied) == 0 ? copied : -1;
824 if (ret > 0) {
825 ffs->setup_state = FFS_NO_SETUP;
826 return ret;
827 }
828 }
829
830 return -EFAULT;
831 }
832
833 return ret;
834 }
835
836 #ifdef CONFIG_COMPAT
ffs_ep0_compat_ioctl(struct file * file,unsigned code,unsigned long value)837 static long ffs_ep0_compat_ioctl(struct file *file, unsigned code,
838 unsigned long value)
839 {
840 return ffs_ep0_ioctl(file, code, value);
841 }
842 #endif
843
ffs_ep0_poll(struct file * file,poll_table * wait)844 static __poll_t ffs_ep0_poll(struct file *file, poll_table *wait)
845 {
846 struct ffs_data *ffs = file->private_data;
847 __poll_t mask = EPOLLWRNORM;
848 int ret;
849
850 ret = ffs_mutex_lock(&ffs->mutex, file->f_flags & O_NONBLOCK);
851 if (unlikely(ret < 0))
852 return mask;
853
854 switch (ffs->state) {
855 case FFS_READ_DESCRIPTORS:
856 case FFS_READ_STRINGS:
857 mask |= EPOLLOUT;
858 break;
859
860 case FFS_ACTIVE:
861 switch (ffs->setup_state) {
862 case FFS_NO_SETUP:
863 poll_wait(file, &ffs->ev.waitq, wait);
864 if (ffs->ev.count)
865 mask |= EPOLLIN;
866 break;
867
868 case FFS_SETUP_PENDING:
869 case FFS_SETUP_CANCELLED:
870 poll_wait(file, &ffs->wait_que, wait);
871 if (!kfifo_is_empty(&ffs->reqEventFifo))
872 {
873 mask |= EPOLLOUT;
874 }
875 break;
876 }
877 case FFS_CLOSING:
878 break;
879 case FFS_DEACTIVATED:
880 break;
881 }
882
883 mutex_unlock(&ffs->mutex);
884
885 return mask;
886 }
887
ffs_ep0_mmap(struct file * file,struct vm_area_struct * vma)888 static int ffs_ep0_mmap(struct file *file, struct vm_area_struct *vma)
889 {
890 struct ffs_data *ffs = file->private_data;
891 size_t size = vma->vm_end - vma->vm_start;
892 unsigned long flags;
893 struct ffs_memory *ffsm = NULL;
894 void *virt_mem = NULL;
895
896 if (ffs == NULL) {
897 pr_info("Invalid private parameter!\n");
898 return -EINVAL;
899 }
900 virt_mem = kmalloc(size, GFP_KERNEL);
901 if (virt_mem == NULL)
902 {
903 pr_info("%s alloc memory failed!\n", __FUNCTION__);
904 return -ENOMEM;
905 }
906 ffsm = kmalloc(sizeof(struct ffs_memory), GFP_KERNEL);
907 if (ffsm == NULL)
908 {
909 pr_info("%s alloc memory failed!\n", __FUNCTION__);
910 goto error_free_mem;
911 }
912 if (remap_pfn_range(vma, vma->vm_start, virt_to_phys(virt_mem)>>PAGE_SHIFT,
913 vma->vm_end - vma->vm_start, vma->vm_page_prot)) {
914 goto error_free_ffsm;
915 }
916 ffsm->mem = (uint64_t)virt_mem;
917 ffsm->size = size;
918 ffsm->vm_start = vma->vm_start;
919 INIT_LIST_HEAD(&ffsm->memlist);
920 spin_lock_irqsave(&ffs->mem_lock, flags);
921 list_add_tail(&ffsm->memlist, &ffs->memory_list);
922 spin_unlock_irqrestore(&ffs->mem_lock, flags);
923 return 0;
924 error_free_ffsm:
925 kfree(ffsm);
926 error_free_mem:
927 kfree(virt_mem);
928 return -1;
929 }
930
931 static const struct file_operations ffs_ep0_operations = {
932 .owner = THIS_MODULE,
933 .llseek = no_llseek,
934 .open = ffs_ep0_open,
935 .write = ffs_ep0_write,
936 .read = ffs_ep0_read,
937 .release = ffs_ep0_release,
938 .unlocked_ioctl = ffs_ep0_ioctl,
939 #ifdef CONFIG_COMPAT
940 .compat_ioctl = ffs_ep0_compat_ioctl,
941 #endif
942 .poll = ffs_ep0_poll,
943 .mmap = ffs_ep0_mmap,
944 };
945
946 /* "Normal" endpoints operations ********************************************/
generic_find_memory_area(struct ffs_epfile * epfile,uint64_t buf,uint32_t len)947 static struct ffs_memory *generic_find_memory_area(struct ffs_epfile *epfile, uint64_t buf, uint32_t len)
948 {
949 struct ffs_memory *ffsm = NULL, *iter = NULL;
950 uint64_t buf_start = buf;
951
952 list_for_each_entry(iter, &epfile->memory_list, memlist) {
953 if (buf_start >= iter->vm_start &&
954 buf_start < iter->vm_start + iter->size) {
955 if (len <= iter->vm_start + iter->size - buf_start) {
956 ffsm = iter;
957 break;
958 }
959 }
960 }
961 return ffsm;
962 }
963
ffs_epfile_io_complete(struct usb_ep * _ep,struct usb_request * req)964 static void ffs_epfile_io_complete(struct usb_ep *_ep, struct usb_request *req)
965 {
966 ENTER();
967 if (likely(req->context)) {
968 struct ffs_ep *ep = _ep->driver_data;
969 ep->status = req->status ? req->status : req->actual;
970 complete(req->context);
971 }
972 }
973
epfile_task_proc(unsigned long context)974 static void epfile_task_proc(unsigned long context)
975 {
976 struct ffs_io_data *io_data = (struct ffs_io_data *)context;
977 struct ffs_epfile *epfile = io_data->epfile;
978 unsigned long flags;
979
980 spin_lock_irqsave(&epfile->ffs->eps_lock, flags);
981 io_data->status = io_data->req->status;
982 io_data->actual = io_data->req->actual;
983 kfifo_in(&epfile->reqEventFifo, &io_data->buf, sizeof(struct UsbFnReqEvent));
984 list_del(&io_data->req->list);
985 usb_ep_free_request(io_data->ep, io_data->req);
986 kfree(io_data);
987 spin_unlock_irqrestore(&epfile->ffs->eps_lock, flags);
988 wake_up_all(&epfile->wait_que);
989 }
990
ffs_epfile_async_io_complete(struct usb_ep * _ep,struct usb_request * req)991 static void ffs_epfile_async_io_complete(struct usb_ep *_ep, struct usb_request *req)
992 {
993 struct ffs_io_data *io_data = req->context;
994
995 tasklet_init(&io_data->task, epfile_task_proc, (uintptr_t)io_data);
996 tasklet_schedule(&io_data->task);
997
998 }
999
ffs_epfile_open(struct inode * inode,struct file * file)1000 static int ffs_epfile_open(struct inode *inode, struct file *file)
1001 {
1002 struct ffs_epfile *epfile = container_of(inode->i_cdev, struct ffs_epfile, cdev);
1003 ENTER();
1004 if (WARN_ON(epfile->ffs->state != FFS_ACTIVE))
1005 return -ENODEV;
1006
1007 file->private_data = epfile;
1008 return 0;
1009 }
1010
ffs_epfile_release(struct inode * inode,struct file * file)1011 static int ffs_epfile_release(struct inode *inode, struct file *file)
1012 {
1013 ENTER();
1014 return 0;
1015 }
1016
ffs_epfile_mmap(struct file * file,struct vm_area_struct * vma)1017 static int ffs_epfile_mmap(struct file *file, struct vm_area_struct *vma)
1018 {
1019 struct ffs_epfile *epfile = file->private_data;
1020 size_t size = vma->vm_end - vma->vm_start;
1021 struct ffs_memory *ffsm = NULL;
1022 unsigned long flags;
1023 void *virt_mem = NULL;
1024
1025 if (epfile == NULL)
1026 {
1027 pr_info("Invalid private parameter!\n");
1028 return -EINVAL;
1029 }
1030 virt_mem = kmalloc(size, GFP_KERNEL);
1031 if (virt_mem == NULL)
1032 {
1033 pr_info("%s alloc memory failed!\n", __FUNCTION__);
1034 return -ENOMEM;
1035 }
1036 ffsm = kmalloc(sizeof(struct ffs_memory), GFP_KERNEL);
1037 if (ffsm == NULL)
1038 {
1039 pr_info("%s alloc memory failed!\n", __FUNCTION__);
1040 goto error_free_mem;
1041 }
1042 if (remap_pfn_range(vma, vma->vm_start, virt_to_phys(virt_mem)>>PAGE_SHIFT,
1043 vma->vm_end - vma->vm_start, vma->vm_page_prot))
1044 {
1045 goto error_free_ffsm;
1046 }
1047 ffsm->mem = (uint64_t)virt_mem;
1048 ffsm->size = size;
1049 ffsm->vm_start = vma->vm_start;
1050 INIT_LIST_HEAD(&ffsm->memlist);
1051 spin_lock_irqsave(&epfile->ffs->eps_lock, flags);
1052 list_add_tail(&ffsm->memlist, &epfile->memory_list);
1053 spin_unlock_irqrestore(&epfile->ffs->eps_lock, flags);
1054
1055 return 0;
1056 error_free_ffsm:
1057 kfree(ffsm);
1058 error_free_mem:
1059 kfree(virt_mem);
1060
1061 return -1;
1062 }
1063
ffs_epfile_iorw(struct file * file,struct ffs_io_data * io_data)1064 static ssize_t ffs_epfile_iorw(struct file *file, struct ffs_io_data *io_data)
1065 {
1066 struct ffs_epfile *epfile = file->private_data;
1067 struct usb_request *req = NULL;
1068 struct ffs_ep *ep = NULL;
1069 struct ffs_memory *ffsm = NULL;
1070 ssize_t ret, data_len = -EINVAL;
1071 int halt;
1072
1073 /* Are we still active? */
1074 if (WARN_ON(epfile->ffs->state != FFS_ACTIVE))
1075 return -ENODEV;
1076
1077 /* Wait for endpoint to be enabled */
1078 ep = epfile->ep;
1079 if (!ep) {
1080 if (file->f_flags & O_NONBLOCK)
1081 return -EAGAIN;
1082
1083 ret = wait_event_interruptible(
1084 epfile->ffs->wait, (ep = epfile->ep));
1085 if (ret)
1086 return -EINTR;
1087 }
1088
1089 /* Do we halt? */
1090 halt = (!io_data->read == !epfile->in);
1091 if (halt && epfile->isoc)
1092 return -EINVAL;
1093
1094 /* We will be using request and read_buffer */
1095 ret = ffs_mutex_lock(&epfile->mutex, file->f_flags & O_NONBLOCK);
1096 if (unlikely(ret))
1097 goto error;
1098
1099 /* Allocate & copy */
1100 if (!halt) {
1101 struct usb_gadget *gadget;
1102 /*
1103 * if we _do_ wait above, the epfile->ffs->gadget might be NULL
1104 * before the waiting completes, so do not assign to 'gadget'
1105 * earlier
1106 */
1107 gadget = epfile->ffs->gadget;
1108
1109 spin_lock_irq(&epfile->ffs->eps_lock);
1110 /* In the meantime, endpoint got disabled or changed. */
1111 if (epfile->ep != ep) {
1112 ret = -ESHUTDOWN;
1113 goto error_lock;
1114 }
1115 data_len = io_data->len;
1116 /*
1117 * Controller may require buffer size to be aligned to
1118 * maxpacketsize of an out endpoint.
1119 */
1120 if (io_data->read)
1121 data_len = usb_ep_align_maybe(gadget, ep->ep, data_len);
1122 spin_unlock_irq(&epfile->ffs->eps_lock);
1123 }
1124
1125 spin_lock_irq(&epfile->ffs->eps_lock);
1126 ffsm = generic_find_memory_area(epfile, io_data->buf, io_data->len);
1127 if (ffsm == NULL)
1128 {
1129 return -EFAULT;
1130 }
1131 if (epfile->ep != ep) {
1132 /* In the meantime, endpoint got disabled or changed. */
1133 ret = -ESHUTDOWN;
1134 }
1135 else if (halt) {
1136 ret = usb_ep_set_halt(ep->ep);
1137 if (!ret)
1138 ret = -EBADMSG;
1139 }
1140 else if (!io_data->aio) {
1141 DECLARE_COMPLETION_ONSTACK(done);
1142 bool interrupted = false;
1143
1144 req = ep->req;
1145 req->buf = (void *)(ffsm->mem + io_data->buf - ffsm->vm_start);
1146 req->length = data_len;
1147
1148 req->context = &done;
1149 req->complete = ffs_epfile_io_complete;
1150
1151 ret = usb_ep_queue(ep->ep, req, GFP_ATOMIC);
1152 if (unlikely(ret < 0))
1153 goto error_lock;
1154
1155 spin_unlock_irq(&epfile->ffs->eps_lock);
1156 if (io_data->timeout > 0) {
1157 ret = wait_for_completion_interruptible_timeout(&done, io_data->timeout);
1158 if (ret < 0) {
1159 /*
1160 * To avoid race condition with ffs_epfile_io_complete,
1161 * dequeue the request first then check
1162 * status. usb_ep_dequeue API should guarantee no race
1163 * condition with req->complete callback.
1164 */
1165 usb_ep_dequeue(ep->ep, req);
1166 wait_for_completion(&done);
1167 interrupted = ep->status < 0;
1168 } else if (ret == 0) {
1169 ret = -EBUSY;
1170 usb_ep_dequeue(ep->ep, req);
1171 wait_for_completion(&done);
1172 goto error_mutex;
1173 }
1174 } else {
1175 ret = wait_for_completion_interruptible(&done);
1176 if (ret < 0) {
1177 usb_ep_dequeue(ep->ep, req);
1178 wait_for_completion(&done);
1179 interrupted = ep->status < 0;
1180 }
1181 }
1182
1183 if (interrupted) {
1184 ret = -EINTR;
1185 } else {
1186 ret = req->actual;
1187 }
1188 goto error_mutex;
1189 }
1190 else if (!(req = usb_ep_alloc_request(ep->ep, GFP_ATOMIC))) {
1191 ret = -ENOMEM;
1192 }
1193 else {
1194 req->buf = (void *)(ffsm->mem + io_data->buf - ffsm->vm_start);
1195 req->length = data_len;
1196
1197 io_data->ep = ep->ep;
1198 io_data->req = req;
1199 io_data->epfile = epfile;
1200
1201 req->context = io_data;
1202 req->complete = ffs_epfile_async_io_complete;
1203 list_add(&req->list, &ep->req->list);
1204 ret = usb_ep_queue(ep->ep, req, GFP_ATOMIC);
1205 if (unlikely(ret)) {
1206 usb_ep_free_request(ep->ep, req);
1207 goto error_lock;
1208 }
1209
1210 ret = -EIOCBQUEUED;
1211 }
1212
1213 error_lock:
1214 spin_unlock_irq(&epfile->ffs->eps_lock);
1215 error_mutex:
1216 mutex_unlock(&epfile->mutex);
1217 error:
1218 return ret;
1219 }
1220
ffs_epfile_ioctl(struct file * file,unsigned code,unsigned long value)1221 static long ffs_epfile_ioctl(struct file *file, unsigned code, unsigned long value)
1222 {
1223 struct ffs_epfile *epfile = file->private_data;
1224 struct ffs_ep *ep = epfile->ep;
1225 int ret = 0;
1226 struct generic_memory mem;
1227 struct ffs_memory *ffsm = NULL;
1228
1229 ENTER();
1230
1231 if (WARN_ON(epfile->ffs->state != FFS_ACTIVE))
1232 return -ENODEV;
1233
1234 spin_lock_irq(&epfile->ffs->eps_lock);
1235
1236 switch (code) {
1237 case FUNCTIONFS_ENDPOINT_QUEUE_INIT:
1238 ret = kfifo_alloc(&epfile->reqEventFifo, MAX_REQUEST * sizeof(struct UsbFnReqEvent), GFP_KERNEL);
1239 break;
1240 case FUNCTIONFS_ENDPOINT_QUEUE_DEL:
1241 kfifo_free(&epfile->reqEventFifo);
1242 break;
1243 case FUNCTIONFS_ENDPOINT_RELEASE_BUF:
1244 if (copy_from_user(&mem, (void __user *)value, sizeof(mem)))
1245 {
1246 pr_info("copy from user failed\n");
1247 return -EFAULT;
1248 }
1249 ffsm = generic_find_memory_area(epfile, mem.buf, mem.size);
1250 if (ffsm == NULL)
1251 {
1252 return -EFAULT;
1253 }
1254 list_del(&ffsm->memlist);
1255 kfree((void *)ffsm->mem);
1256 kfree(ffsm);
1257 break;
1258 case FUNCTIONFS_ENDPOINT_READ:
1259 case FUNCTIONFS_ENDPOINT_WRITE:
1260 {
1261 struct IoData myIoData;
1262 struct ffs_io_data io_data, *p = &io_data;
1263 ret = copy_from_user(&myIoData, (void __user *)value, sizeof(struct IoData));
1264 if (unlikely(ret)) {
1265 spin_unlock_irq(&epfile->ffs->eps_lock);
1266 return -EFAULT;
1267 }
1268 if (myIoData.aio) {
1269 p = kmalloc(sizeof(io_data), GFP_KERNEL);
1270 if (unlikely(!p)) {
1271 spin_unlock_irq(&epfile->ffs->eps_lock);
1272 return -ENOMEM;
1273 }
1274 } else {
1275 memset(p, 0, sizeof(*p));
1276 }
1277 memcpy(p, &myIoData, sizeof(struct IoData));
1278
1279 spin_unlock_irq(&epfile->ffs->eps_lock);
1280 ret = ffs_epfile_iorw(file, p);
1281 if (ret == -EIOCBQUEUED) {
1282 return 0;
1283 }
1284 if (p->aio)
1285 kfree(p);
1286 return ret;
1287 }
1288 case FUNCTIONFS_ENDPOINT_RW_CANCEL:
1289 {
1290 struct usb_request *req;
1291 struct IoData myIoData;
1292 if (!ep) {
1293 spin_unlock_irq(&epfile->ffs->eps_lock);
1294 return -EFAULT;
1295 }
1296 ret = copy_from_user(&myIoData, (void __user *)value, sizeof(struct IoData));
1297 if (unlikely(ret)) {
1298 spin_unlock_irq(&epfile->ffs->eps_lock);
1299 return -EFAULT;
1300 }
1301 ffsm = generic_find_memory_area(epfile, myIoData.buf, myIoData.len);
1302 if (ffsm == NULL)
1303 {
1304 return -EFAULT;
1305 }
1306 list_for_each_entry(req, &epfile->ep->req->list, list) {
1307 if (req->buf == (void *)(ffsm->mem + myIoData.buf - ffsm->vm_start)) {
1308 usb_ep_dequeue(epfile->ep->ep, req);
1309 spin_unlock_irq(&epfile->ffs->eps_lock);
1310 return 0;
1311 }
1312 }
1313 spin_unlock_irq(&epfile->ffs->eps_lock);
1314 return -EFAULT;
1315 }
1316 case FUNCTIONFS_ENDPOINT_GET_REQ_STATUS:
1317 {
1318 struct usb_request *req;
1319 struct IoData myIoData;
1320 if (!ep) {
1321 spin_unlock_irq(&epfile->ffs->eps_lock);
1322 return -EFAULT;
1323 }
1324 ret = copy_from_user(&myIoData,(void __user *)value, sizeof(struct IoData));
1325 if (unlikely(ret)) {
1326 spin_unlock_irq(&epfile->ffs->eps_lock);
1327 return -EFAULT;
1328 }
1329 ffsm = generic_find_memory_area(epfile, myIoData.buf, myIoData.len);
1330 if (ffsm == NULL)
1331 {
1332 return -EFAULT;
1333 }
1334 list_for_each_entry(req, &epfile->ep->req->list, list) {
1335 if (req->buf == (void *)(ffsm->mem + myIoData.buf - ffsm->vm_start)) {
1336 spin_unlock_irq(&epfile->ffs->eps_lock);
1337 return req->status;
1338 }
1339 }
1340 spin_unlock_irq(&epfile->ffs->eps_lock);
1341 return -EFAULT;
1342 }
1343 case FUNCTIONFS_FIFO_STATUS:
1344 ret = usb_ep_fifo_status(epfile->ep->ep);
1345 break;
1346 case FUNCTIONFS_FIFO_FLUSH:
1347 usb_ep_fifo_flush(epfile->ep->ep);
1348 ret = 0;
1349 break;
1350 case FUNCTIONFS_CLEAR_HALT:
1351 ret = usb_ep_clear_halt(epfile->ep->ep);
1352 break;
1353 case FUNCTIONFS_ENDPOINT_REVMAP:
1354 ret = epfile->ep->num;
1355 break;
1356 case FUNCTIONFS_ENDPOINT_DESC:
1357 {
1358 int desc_idx;
1359 int i;
1360 struct usb_endpoint_descriptor *desc;
1361
1362 switch (epfile->ffs->speed) {
1363 case USB_SPEED_SUPER:
1364 desc_idx = 2;
1365 break;
1366 case USB_SPEED_HIGH:
1367 desc_idx = 1;
1368 break;
1369 default:
1370 desc_idx = 1;
1371 }
1372 for (i = 0; i < epfile->ffs->eps_count; i++) {
1373 if (epfile->ffs->epfiles + i == epfile)
1374 break;
1375 }
1376 ep = epfile->ffs->eps + i;
1377 desc = ep->descs[desc_idx];
1378 spin_unlock_irq(&epfile->ffs->eps_lock);
1379 ret = copy_to_user((void __user *)value, desc, desc->bLength);
1380 if (ret)
1381 ret = -EFAULT;
1382 return ret;
1383 }
1384 default:
1385 ret = -ENOTTY;
1386 }
1387 spin_unlock_irq(&epfile->ffs->eps_lock);
1388
1389 return ret;
1390 }
1391
ffs_epfile_read(struct file * file,char __user * buf,size_t count,loff_t * f_pos)1392 static ssize_t ffs_epfile_read(struct file *file, char __user *buf, size_t count, loff_t *f_pos)
1393 {
1394 int status = 0;
1395 unsigned int copied = 0;
1396 unsigned long flags;
1397 struct ffs_epfile *epfile = file->private_data;
1398 ENTER();
1399 if (kfifo_is_empty(&epfile->reqEventFifo)) {
1400 return 0;
1401 }
1402 spin_lock_irqsave(&epfile->ffs->eps_lock, flags);
1403 status = kfifo_to_user(&epfile->reqEventFifo, buf, count, &copied) == 0 ? copied : -1;
1404 spin_unlock_irqrestore(&epfile->ffs->eps_lock, flags);
1405
1406 return status;
1407 }
1408
ffs_epfile_write(struct file * file,const char __user * buf,size_t count,loff_t * f_pos)1409 static ssize_t ffs_epfile_write(struct file *file, const char __user *buf, size_t count, loff_t *f_pos)
1410 {
1411 return count;
1412 }
1413
ffs_epfile_poll(struct file * file,struct poll_table_struct * wait)1414 static unsigned int ffs_epfile_poll(struct file *file, struct poll_table_struct * wait)
1415 {
1416 unsigned int mask = 0;
1417 struct ffs_epfile *epfile = file->private_data;
1418 ENTER();
1419 poll_wait(file, &epfile->wait_que, wait);
1420 if (!kfifo_is_empty(&epfile->reqEventFifo)) {
1421 mask |= POLLIN;
1422 }
1423 return mask;
1424 }
1425
1426 #ifdef CONFIG_COMPAT
ffs_epfile_compat_ioctl(struct file * file,unsigned code,unsigned long value)1427 static long ffs_epfile_compat_ioctl(struct file *file, unsigned code,
1428 unsigned long value)
1429 {
1430 return ffs_epfile_ioctl(file, code, value);
1431 }
1432 #endif
1433
1434 static const struct file_operations ffs_epfile_operations = {
1435 .owner = THIS_MODULE,
1436 .llseek = no_llseek,
1437 .mmap = ffs_epfile_mmap,
1438 .read = ffs_epfile_read,
1439 .write = ffs_epfile_write,
1440 .poll = ffs_epfile_poll,
1441 .open = ffs_epfile_open,
1442 .release = ffs_epfile_release,
1443 .unlocked_ioctl = ffs_epfile_ioctl,
1444 #ifdef CONFIG_COMPAT
1445 .compat_ioctl = ffs_epfile_compat_ioctl,
1446 #endif
1447 };
1448
1449 /* ffs_data and ffs_function construction and destruction code **************/
1450 static void ffs_data_clear(struct ffs_data *ffs);
1451 static void ffs_data_reset(struct ffs_data *ffs);
1452 static dev_t g_dev;
1453 #define MAX_EP_DEV 10
usbfn_ioctl(struct file * file,unsigned int cmd,unsigned long value)1454 static long usbfn_ioctl(struct file *file, unsigned int cmd, unsigned long value)
1455 {
1456 long ret;
1457 ENTER();
1458 switch(cmd)
1459 {
1460 case FUNCTIONFS_NEWFN:
1461 {
1462 struct ffs_dev *ffs_dev;
1463 struct ffs_data *ffs;
1464 struct FuncNew newfn;
1465 char nameEp0[MAX_NAMELEN];
1466 ret = copy_from_user(&newfn, (void __user *)value, sizeof(struct FuncNew ));
1467 if (unlikely(ret)) {
1468 return -EFAULT;
1469 }
1470 ffs = ffs_data_new(newfn.name);
1471 if (unlikely(!ffs)) {
1472 return (-ENOMEM);
1473 }
1474
1475 memcpy(ffs->dev_name, newfn.name, newfn.nameLen);
1476
1477 if (unlikely(!ffs->dev_name)) {
1478 ffs_data_put(ffs);
1479 return (-ENOMEM);
1480 }
1481
1482 if (sprintf(nameEp0, "%s.ep%u", ffs->dev_name, 0) < 0) {
1483 ffs_data_put(ffs);
1484 return -EFAULT;
1485 }
1486 ffs_dev = ffs_acquire_dev(newfn.name);
1487 if (IS_ERR(ffs_dev)) {
1488 ffs_data_put(ffs);
1489 return (-ENODEV);
1490 }
1491 ffs->private_data = ffs_dev;
1492
1493 ret = alloc_chrdev_region(&g_dev, 0, MAX_EP_DEV, nameEp0);
1494 if (ret < 0) {
1495 ffs_release_dev(ffs);
1496 ffs_data_put(ffs);
1497 return -EBUSY;
1498 }
1499 cdev_init(&ffs->cdev, &ffs_ep0_operations);
1500 ffs->devno = MKDEV(MAJOR(g_dev), 0);
1501 ret = cdev_add(&ffs->cdev, ffs->devno, 1);
1502 if (ret) {
1503 ffs_release_dev(ffs);
1504 ffs_data_put(ffs);
1505 return -EBUSY;
1506 }
1507
1508 ffs->fn_device = device_create(ffs_class, NULL, ffs->devno, NULL, nameEp0);
1509 if (IS_ERR(ffs->fn_device)) {
1510 cdev_del(&ffs->cdev);
1511 ffs_release_dev(ffs);
1512 ffs_data_put(ffs);
1513 return -EBUSY;
1514 }
1515 return 0;
1516 }
1517 case FUNCTIONFS_DELFN:
1518 {
1519 struct FuncNew newfn;
1520 struct ffs_data *ffs;
1521 struct ffs_dev *ffs_dev;
1522 ret = copy_from_user(&newfn, (void __user *)value, sizeof(struct FuncNew ));
1523 if (unlikely(ret)) {
1524 return -EFAULT;
1525 }
1526
1527 ffs_dev = _ffs_find_dev(newfn.name);
1528 if (IS_ERR(ffs_dev)) {
1529 return -EFAULT;
1530 }
1531 ffs = ffs_dev->ffs_data;
1532 device_destroy(ffs_class, ffs->devno);
1533 cdev_del(&ffs->cdev);
1534 unregister_chrdev_region(g_dev, MAX_EP_DEV);
1535 ffs_release_dev(ffs);
1536 ffs_data_clear(ffs);
1537 destroy_workqueue(ffs->io_completion_wq);
1538 kfree(ffs);
1539 return 0;
1540 }
1541 default:
1542 ret = -ENOTTY;
1543 }
1544
1545 return ret;
1546 }
1547
usbfn_open(struct inode * inode,struct file * file)1548 static int usbfn_open(struct inode *inode, struct file *file)
1549 {
1550 return 0;
1551 }
1552
usbfn_release(struct inode * inode,struct file * file)1553 static int usbfn_release(struct inode *inode, struct file *file)
1554 {
1555 return 0;
1556 }
1557
1558 static struct file_operations usbfn_fops = {
1559 .owner = THIS_MODULE,
1560 .unlocked_ioctl = usbfn_ioctl,
1561 .open = usbfn_open,
1562 .release = usbfn_release,
1563 #ifdef CONFIG_COMPAT
1564 .compat_ioctl = usbfn_ioctl,
1565 #endif
1566 };
1567
1568 static struct miscdevice usbfn_misc = {
1569 .minor = MISC_DYNAMIC_MINOR,
1570 .name = "usbfn",
1571 .fops = &usbfn_fops,
1572 };
1573
1574 /* Driver's main init/cleanup functions *************************************/
functionfs_init(void)1575 static int functionfs_init(void)
1576 {
1577 int ret;
1578
1579 ENTER();
1580 ret = misc_register(&usbfn_misc);
1581 if (likely(!ret))
1582 pr_info("file system registered\n");
1583 else
1584 pr_err("failed registering file system (%d)\n", ret);
1585
1586 ffs_class = class_create(THIS_MODULE, "functionfs");
1587 if (IS_ERR(ffs_class))
1588 return PTR_ERR(ffs_class);
1589
1590 ffs_class->devnode = ffs_devnode;
1591
1592 return ret;
1593 }
1594
functionfs_cleanup(void)1595 static void functionfs_cleanup(void)
1596 {
1597 ENTER();
1598 class_destroy(ffs_class);
1599 misc_deregister(&usbfn_misc);
1600 }
1601
ffs_data_get(struct ffs_data * ffs)1602 static void ffs_data_get(struct ffs_data *ffs)
1603 {
1604 ENTER();
1605 refcount_inc(&ffs->ref);
1606 }
1607
ffs_data_put(struct ffs_data * ffs)1608 static void ffs_data_put(struct ffs_data *ffs)
1609 {
1610 ENTER();
1611 if (unlikely(refcount_dec_and_test(&ffs->ref))) {
1612 pr_info("%s(): freeing\n", __func__);
1613 ffs_data_clear(ffs);
1614 BUG_ON(waitqueue_active(&ffs->ev.waitq) ||
1615 #if LINUX_VERSION_CODE >= KERNEL_VERSION(5,0,0)
1616 swait_active(&ffs->ep0req_completion.wait) ||
1617 #else
1618 waitqueue_active(&ffs->ep0req_completion.wait) ||
1619 #endif
1620 waitqueue_active(&ffs->wait) ||
1621 waitqueue_active(&ffs->wait_que));
1622 destroy_workqueue(ffs->io_completion_wq);
1623 kfree(ffs);
1624 }
1625 }
1626
ffs_data_new(const char * dev_name)1627 static struct ffs_data *ffs_data_new(const char *dev_name)
1628 {
1629 struct ffs_data *ffs = kzalloc(sizeof *ffs, GFP_KERNEL);
1630 if (unlikely(!ffs))
1631 return NULL;
1632
1633 ENTER();
1634
1635 ffs->io_completion_wq = alloc_ordered_workqueue("%s", 0, dev_name);
1636 if (!ffs->io_completion_wq) {
1637 kfree(ffs);
1638 return NULL;
1639 }
1640
1641 refcount_set(&ffs->ref, 1);
1642 atomic_set(&ffs->opened, 0);
1643 ffs->state = FFS_READ_DESCRIPTORS;
1644 mutex_init(&ffs->mutex);
1645 spin_lock_init(&ffs->eps_lock);
1646 spin_lock_init(&ffs->mem_lock);
1647 init_waitqueue_head(&ffs->ev.waitq);
1648 init_waitqueue_head(&ffs->wait);
1649 init_waitqueue_head(&ffs->wait_que);
1650 init_completion(&ffs->ep0req_completion);
1651 INIT_LIST_HEAD(&ffs->memory_list);
1652 ffs->ev.can_stall = 1;
1653
1654 return ffs;
1655 }
1656
ffs_data_clear(struct ffs_data * ffs)1657 static void ffs_data_clear(struct ffs_data *ffs)
1658 {
1659 ENTER();
1660
1661 ffs_closed(ffs);
1662
1663 BUG_ON(ffs->gadget);
1664
1665 if (ffs->epfiles)
1666 ffs_epfiles_destroy(ffs->epfiles, ffs->eps_count);
1667
1668 if (ffs->ffs_eventfd)
1669 eventfd_ctx_put(ffs->ffs_eventfd);
1670
1671 kfree(ffs->raw_descs_data);
1672 kfree(ffs->raw_strings);
1673 kfree(ffs->stringtabs);
1674 }
1675
ffs_data_reset(struct ffs_data * ffs)1676 static void ffs_data_reset(struct ffs_data *ffs)
1677 {
1678 ENTER();
1679
1680 ffs_data_clear(ffs);
1681
1682 ffs->epfiles = NULL;
1683 ffs->raw_descs_data = NULL;
1684 ffs->raw_descs = NULL;
1685 ffs->raw_strings = NULL;
1686 ffs->stringtabs = NULL;
1687
1688 ffs->raw_descs_length = 0;
1689 ffs->fs_descs_count = 0;
1690 ffs->hs_descs_count = 0;
1691 ffs->ss_descs_count = 0;
1692
1693 ffs->strings_count = 0;
1694 ffs->interfaces_count = 0;
1695 ffs->eps_count = 0;
1696
1697 ffs->ev.count = 0;
1698
1699 ffs->state = FFS_READ_DESCRIPTORS;
1700 ffs->setup_state = FFS_NO_SETUP;
1701 ffs->flags = 0;
1702 }
1703
functionfs_bind(struct ffs_data * ffs,struct usb_composite_dev * cdev)1704 static int functionfs_bind(struct ffs_data *ffs, struct usb_composite_dev *cdev)
1705 {
1706 struct usb_gadget_strings **lang;
1707 int first_id;
1708
1709 ENTER();
1710
1711 if (WARN_ON(ffs->state != FFS_ACTIVE
1712 || test_and_set_bit(FFS_FL_BOUND, &ffs->flags)))
1713 return -EBADFD;
1714
1715 first_id = usb_string_ids_n(cdev, ffs->strings_count);
1716 if (unlikely(first_id < 0))
1717 return first_id;
1718
1719 ffs->ep0req = usb_ep_alloc_request(cdev->gadget->ep0, GFP_KERNEL);
1720 if (unlikely(!ffs->ep0req))
1721 return -ENOMEM;
1722 ffs->ep0req->complete = ffs_ep0_complete;
1723 ffs->ep0req->context = ffs;
1724 INIT_LIST_HEAD(&ffs->ep0req->list);
1725
1726 lang = ffs->stringtabs;
1727 if (lang) {
1728 for (; *lang; ++lang) {
1729 struct usb_string *str = (*lang)->strings;
1730 int id = first_id;
1731 for (; str->s; ++id, ++str)
1732 str->id = id;
1733 }
1734 }
1735
1736 ffs->gadget = cdev->gadget;
1737 ffs->speed = cdev->gadget->speed;
1738 ffs_data_get(ffs);
1739 return 0;
1740 }
1741
functionfs_unbind(struct ffs_data * ffs)1742 static void functionfs_unbind(struct ffs_data *ffs)
1743 {
1744 ENTER();
1745
1746 if (!WARN_ON(!ffs->gadget)) {
1747 usb_ep_free_request(ffs->gadget->ep0, ffs->ep0req);
1748 ffs->ep0req = NULL;
1749 ffs->gadget = NULL;
1750 clear_bit(FFS_FL_BOUND, &ffs->flags);
1751 ffs_data_put(ffs);
1752 }
1753 }
1754
ffs_epfiles_create(struct ffs_data * ffs)1755 static int ffs_epfiles_create(struct ffs_data *ffs)
1756 {
1757 struct ffs_epfile *epfile = NULL, *epfiles = NULL;
1758 unsigned int i, count ,ret;
1759
1760 ENTER();
1761
1762 count = ffs->eps_count;
1763 epfiles = kcalloc(count, sizeof(*epfiles), GFP_KERNEL);
1764 if (!epfiles)
1765 return -ENOMEM;
1766
1767 epfile = epfiles;
1768 for (i = 1; i <= count; ++i, ++epfile) {
1769 epfile->ffs = ffs;
1770 mutex_init(&epfile->mutex);
1771 INIT_LIST_HEAD(&epfile->memory_list);
1772 init_waitqueue_head(&epfile->wait_que);
1773 if (ffs->user_flags & FUNCTIONFS_VIRTUAL_ADDR) {
1774 if (sprintf(epfile->name, "%s.ep%02x", ffs->dev_name, ffs->eps_addrmap[i]) < 0) {
1775 return -EFAULT;
1776 }
1777 } else {
1778 if (sprintf(epfile->name, "%s.ep%u", ffs->dev_name, i) < 0) {
1779 return -EFAULT;
1780 }
1781 }
1782
1783 cdev_init(&epfile->cdev, &ffs_epfile_operations);
1784 epfile->devno=MKDEV(MAJOR(ffs->devno), i);
1785 ret = cdev_add(&epfile->cdev, epfile->devno, 1);
1786 if (ret)
1787 {
1788 ffs_epfiles_destroy(epfiles, i - 1);
1789 return -EBUSY;
1790 }
1791
1792 epfile->device = device_create(ffs_class, NULL, epfile->devno, NULL, epfile->name);
1793 if (IS_ERR(epfile->device))
1794 {
1795 cdev_del(&epfile->cdev);
1796 ffs_epfiles_destroy(epfiles, i - 1);
1797 return -EBUSY;
1798 }
1799 }
1800
1801 ffs->epfiles = epfiles;
1802 return 0;
1803 }
1804
ffs_epfiles_destroy(struct ffs_epfile * epfiles,unsigned count)1805 static void ffs_epfiles_destroy(struct ffs_epfile *epfiles, unsigned count)
1806 {
1807 struct ffs_epfile *epfile = epfiles;
1808
1809 ENTER();
1810
1811 for (; count; --count, ++epfile) {
1812 BUG_ON(mutex_is_locked(&epfile->mutex));
1813 device_destroy(ffs_class, epfile->devno);
1814 cdev_del(&epfile->cdev);
1815 }
1816
1817 kfree(epfiles);
1818 }
1819
ffs_func_eps_disable(struct ffs_function * func)1820 static void ffs_func_eps_disable(struct ffs_function *func)
1821 {
1822 struct ffs_ep *ep = func->eps;
1823 struct ffs_epfile *epfile = func->ffs->epfiles;
1824 unsigned count = func->ffs->eps_count;
1825 unsigned long flags;
1826
1827 spin_lock_irqsave(&func->ffs->eps_lock, flags);
1828 while (count--) {
1829 /* pending requests get nuked */
1830 if (likely(ep->ep))
1831 usb_ep_disable(ep->ep);
1832 ++ep;
1833
1834 if (epfile) {
1835 epfile->ep = NULL;
1836 ++epfile;
1837 }
1838 }
1839 spin_unlock_irqrestore(&func->ffs->eps_lock, flags);
1840 }
1841
ffs_func_eps_enable(struct ffs_function * func)1842 static int ffs_func_eps_enable(struct ffs_function *func)
1843 {
1844 struct ffs_data *ffs = func->ffs;
1845 struct ffs_ep *ep = func->eps;
1846 struct ffs_epfile *epfile = ffs->epfiles;
1847 unsigned count = ffs->eps_count;
1848 unsigned long flags;
1849 int ret = 0;
1850
1851 spin_lock_irqsave(&func->ffs->eps_lock, flags);
1852 while(count--) {
1853 ep->ep->driver_data = ep;
1854
1855 ret = config_ep_by_speed(func->gadget, &func->function, ep->ep);
1856 if (ret) {
1857 pr_err("%s: config_ep_by_speed(%s) returned %d\n",
1858 __func__, ep->ep->name, ret);
1859 break;
1860 }
1861
1862 ret = usb_ep_enable(ep->ep);
1863 if (likely(!ret)) {
1864 epfile->ep = ep;
1865 epfile->in = usb_endpoint_dir_in(ep->ep->desc);
1866 epfile->isoc = usb_endpoint_xfer_isoc(ep->ep->desc);
1867 } else {
1868 break;
1869 }
1870
1871 ++ep;
1872 ++epfile;
1873 }
1874
1875 wake_up_interruptible(&ffs->wait);
1876 spin_unlock_irqrestore(&func->ffs->eps_lock, flags);
1877
1878 return ret;
1879 }
1880
1881 /* Parsing and building descriptors and strings *****************************/
1882
1883 /*
1884 * This validates if data pointed by data is a valid USB descriptor as
1885 * well as record how many interfaces, endpoints and strings are
1886 * required by given configuration. Returns address after the
1887 * descriptor or NULL if data is invalid.
1888 */
1889 enum ffs_entity_type {
1890 FFS_DESCRIPTOR, FFS_INTERFACE, FFS_STRING, FFS_ENDPOINT
1891 };
1892
1893 enum ffs_os_desc_type {
1894 FFS_OS_DESC, FFS_OS_DESC_EXT_COMPAT, FFS_OS_DESC_EXT_PROP
1895 };
1896
1897 typedef int (*ffs_entity_callback)(enum ffs_entity_type entity, u8 *valuep,
1898 struct usb_descriptor_header *desc,
1899 void *priv);
1900
1901 typedef int (*ffs_os_desc_callback)(enum ffs_os_desc_type entity,
1902 struct usb_os_desc_header *h, void *data,
1903 unsigned len, void *priv);
1904
ffs_do_single_desc(char * data,unsigned len,ffs_entity_callback entity,void * priv)1905 static int __must_check ffs_do_single_desc(char *data, unsigned len,
1906 ffs_entity_callback entity,
1907 void *priv)
1908 {
1909 struct usb_descriptor_header *_ds = (void *)data;
1910 u8 length;
1911 int ret;
1912
1913 ENTER();
1914
1915 /* At least two bytes are required: length and type */
1916 if (len < 2) {
1917 pr_vdebug("descriptor too short\n");
1918 return -EINVAL;
1919 }
1920
1921 /* If we have at least as many bytes as the descriptor takes? */
1922 length = _ds->bLength;
1923 if (len < length) {
1924 pr_vdebug("descriptor longer then available data\n");
1925 return -EINVAL;
1926 }
1927
1928 #define __entity_check_INTERFACE(val) 1
1929 #define __entity_check_STRING(val) (val)
1930 #define __entity_check_ENDPOINT(val) ((val) & USB_ENDPOINT_NUMBER_MASK)
1931 #define __entity(type, val) do { \
1932 pr_vdebug("entity " #type "(%02x)\n", (val)); \
1933 if (unlikely(!__entity_check_ ##type(val))) { \
1934 pr_vdebug("invalid entity's value\n"); \
1935 return -EINVAL; \
1936 } \
1937 ret = entity(FFS_ ##type, &val, _ds, priv); \
1938 if (unlikely(ret < 0)) { \
1939 pr_debug("entity " #type "(%02x); ret = %d\n", \
1940 (val), ret); \
1941 return ret; \
1942 } \
1943 } while (0)
1944
1945 /* Parse descriptor depending on type. */
1946 switch (_ds->bDescriptorType) {
1947 case USB_DT_DEVICE:
1948 case USB_DT_CONFIG:
1949 case USB_DT_STRING:
1950 case USB_DT_DEVICE_QUALIFIER:
1951 /* function can't have any of those */
1952 pr_vdebug("descriptor reserved for gadget: %d\n",
1953 _ds->bDescriptorType);
1954 return -EINVAL;
1955
1956 case USB_DT_INTERFACE: {
1957 struct usb_interface_descriptor *ds = (void *)_ds;
1958 pr_vdebug("interface descriptor\n");
1959 if (length != sizeof *ds)
1960 goto inv_length;
1961
1962 __entity(INTERFACE, ds->bInterfaceNumber);
1963 if (ds->iInterface)
1964 __entity(STRING, ds->iInterface);
1965 }
1966 break;
1967
1968 case USB_DT_ENDPOINT: {
1969 struct usb_endpoint_descriptor *ds = (void *)_ds;
1970 pr_vdebug("endpoint descriptor\n");
1971 if (length != USB_DT_ENDPOINT_SIZE &&
1972 length != USB_DT_ENDPOINT_AUDIO_SIZE)
1973 goto inv_length;
1974 __entity(ENDPOINT, ds->bEndpointAddress);
1975 }
1976 break;
1977
1978 case HID_DT_HID:
1979 pr_vdebug("hid descriptor\n");
1980 if (length != sizeof(struct hid_descriptor))
1981 goto inv_length;
1982 break;
1983
1984 case USB_DT_OTG:
1985 if (length != sizeof(struct usb_otg_descriptor))
1986 goto inv_length;
1987 break;
1988
1989 case USB_DT_INTERFACE_ASSOCIATION: {
1990 struct usb_interface_assoc_descriptor *ds = (void *)_ds;
1991 pr_vdebug("interface association descriptor\n");
1992 if (length != sizeof *ds)
1993 goto inv_length;
1994 if (ds->iFunction)
1995 __entity(STRING, ds->iFunction);
1996 }
1997 break;
1998
1999 case USB_DT_SS_ENDPOINT_COMP:
2000 pr_vdebug("EP SS companion descriptor\n");
2001 if (length != sizeof(struct usb_ss_ep_comp_descriptor))
2002 goto inv_length;
2003 break;
2004
2005 case USB_DT_OTHER_SPEED_CONFIG:
2006 case USB_DT_INTERFACE_POWER:
2007 case USB_DT_DEBUG:
2008 case USB_DT_SECURITY:
2009 case USB_DT_CS_RADIO_CONTROL:
2010 pr_vdebug("unimplemented descriptor: %d\n", _ds->bDescriptorType);
2011 break;
2012 default:
2013 /* We should never be here */
2014 pr_vdebug("unknown descriptor: %d\n", _ds->bDescriptorType);
2015 break;
2016 inv_length:
2017 pr_vdebug("invalid length: %d (descriptor %d)\n",
2018 _ds->bLength, _ds->bDescriptorType);
2019 return -EINVAL;
2020 }
2021
2022 #undef __entity
2023 #undef __entity_check_DESCRIPTOR
2024 #undef __entity_check_INTERFACE
2025 #undef __entity_check_STRING
2026 #undef __entity_check_ENDPOINT
2027
2028 return length;
2029 }
2030
ffs_do_descs(unsigned count,char * data,unsigned len,ffs_entity_callback entity,void * priv)2031 static int __must_check ffs_do_descs(unsigned count, char *data, unsigned len,
2032 ffs_entity_callback entity, void *priv)
2033 {
2034 const unsigned _len = len;
2035 uintptr_t num = 0;
2036
2037 ENTER();
2038
2039 for (;;) {
2040 int ret;
2041
2042 if (num == count)
2043 data = NULL;
2044
2045 /* Record "descriptor" entity */
2046 ret = entity(FFS_DESCRIPTOR, (u8 *)num, (void *)data, priv);
2047 if (unlikely(ret < 0)) {
2048 pr_debug("entity DESCRIPTOR(%02lx); ret = %d\n",
2049 num, ret);
2050 return ret;
2051 }
2052
2053 if (!data)
2054 return _len - len;
2055
2056 ret = ffs_do_single_desc(data, len, entity, priv);
2057 if (unlikely(ret < 0)) {
2058 pr_debug("%s returns %d\n", __func__, ret);
2059 return ret;
2060 }
2061
2062 len -= ret;
2063 data += ret;
2064 ++num;
2065 }
2066 }
2067
__ffs_data_do_entity(enum ffs_entity_type type,u8 * valuep,struct usb_descriptor_header * desc,void * priv)2068 static int __ffs_data_do_entity(enum ffs_entity_type type,
2069 u8 *valuep, struct usb_descriptor_header *desc,
2070 void *priv)
2071 {
2072 struct ffs_desc_helper *helper = priv;
2073 struct usb_endpoint_descriptor *d = NULL;
2074
2075 ENTER();
2076
2077 switch (type) {
2078 case FFS_DESCRIPTOR:
2079 break;
2080
2081 case FFS_INTERFACE:
2082 /*
2083 * Interfaces are indexed from zero so if we
2084 * encountered interface "n" then there are at least
2085 * "n+1" interfaces.
2086 */
2087 if (*valuep >= helper->interfaces_count)
2088 helper->interfaces_count = *valuep + 1;
2089 break;
2090
2091 case FFS_STRING:
2092 /*
2093 * Strings are indexed from 1 (0 is reserved
2094 * for languages list)
2095 */
2096 if (*valuep > helper->ffs->strings_count)
2097 helper->ffs->strings_count = *valuep;
2098 break;
2099
2100 case FFS_ENDPOINT:
2101 d = (void *)desc;
2102 helper->eps_count++;
2103 if (helper->eps_count >= FFS_MAX_EPS_COUNT)
2104 return -EINVAL;
2105 /* Check if descriptors for any speed were already parsed */
2106 if (!helper->ffs->eps_count && !helper->ffs->interfaces_count)
2107 helper->ffs->eps_addrmap[helper->eps_count] =
2108 d->bEndpointAddress;
2109 else if (helper->ffs->eps_addrmap[helper->eps_count] !=
2110 d->bEndpointAddress)
2111 return -EINVAL;
2112 break;
2113 }
2114
2115 return 0;
2116 }
2117
__ffs_do_os_desc_header(enum ffs_os_desc_type * next_type,struct usb_os_desc_header * desc)2118 static int __ffs_do_os_desc_header(enum ffs_os_desc_type *next_type,
2119 struct usb_os_desc_header *desc)
2120 {
2121 u16 bcd_version = le16_to_cpu(desc->bcdVersion);
2122 u16 w_index = le16_to_cpu(desc->wIndex);
2123
2124 if (bcd_version != 1) {
2125 pr_vdebug("unsupported os descriptors version: %d",
2126 bcd_version);
2127 return -EINVAL;
2128 }
2129 switch (w_index) {
2130 case 0x4:
2131 *next_type = FFS_OS_DESC_EXT_COMPAT;
2132 break;
2133 case 0x5:
2134 *next_type = FFS_OS_DESC_EXT_PROP;
2135 break;
2136 default:
2137 pr_vdebug("unsupported os descriptor type: %d", w_index);
2138 return -EINVAL;
2139 }
2140
2141 return sizeof(*desc);
2142 }
2143
2144 /*
2145 * Process all extended compatibility/extended property descriptors
2146 * of a feature descriptor
2147 */
ffs_do_single_os_desc(char * data,unsigned len,enum ffs_os_desc_type type,u16 feature_count,ffs_os_desc_callback entity,void * priv,struct usb_os_desc_header * h)2148 static int __must_check ffs_do_single_os_desc(char *data, unsigned len,
2149 enum ffs_os_desc_type type,
2150 u16 feature_count,
2151 ffs_os_desc_callback entity,
2152 void *priv,
2153 struct usb_os_desc_header *h)
2154 {
2155 int ret;
2156 const unsigned _len = len;
2157
2158 ENTER();
2159
2160 /* loop over all ext compat/ext prop descriptors */
2161 while (feature_count--) {
2162 ret = entity(type, h, data, len, priv);
2163 if (unlikely(ret < 0)) {
2164 pr_debug("bad OS descriptor, type: %d\n", type);
2165 return ret;
2166 }
2167 data += ret;
2168 len -= ret;
2169 }
2170 return _len - len;
2171 }
2172
2173 /* Process a number of complete Feature Descriptors (Ext Compat or Ext Prop) */
ffs_do_os_descs(unsigned count,char * data,unsigned len,ffs_os_desc_callback entity,void * priv)2174 static int __must_check ffs_do_os_descs(unsigned count,
2175 char *data, unsigned len,
2176 ffs_os_desc_callback entity, void *priv)
2177 {
2178 const unsigned _len = len;
2179 unsigned long num = 0;
2180
2181 ENTER();
2182
2183 for (num = 0; num < count; ++num) {
2184 int ret;
2185 enum ffs_os_desc_type type;
2186 u16 feature_count;
2187 struct usb_os_desc_header *desc = (void *)data;
2188
2189 if (len < sizeof(*desc))
2190 return -EINVAL;
2191
2192 /*
2193 * Record "descriptor" entity.
2194 * Process dwLength, bcdVersion, wIndex, get b/wCount.
2195 * Move the data pointer to the beginning of extended
2196 * compatibilities proper or extended properties proper
2197 * portions of the data
2198 */
2199 if (le32_to_cpu(desc->dwLength) > len)
2200 return -EINVAL;
2201
2202 ret = __ffs_do_os_desc_header(&type, desc);
2203 if (unlikely(ret < 0)) {
2204 pr_debug("entity OS_DESCRIPTOR(%02lx); ret = %d\n",
2205 num, ret);
2206 return ret;
2207 }
2208 /*
2209 * 16-bit hex "?? 00" Little Endian looks like 8-bit hex "??"
2210 */
2211 feature_count = le16_to_cpu(desc->wCount);
2212 if (type == FFS_OS_DESC_EXT_COMPAT &&
2213 (feature_count > 255 || desc->Reserved))
2214 return -EINVAL;
2215 len -= ret;
2216 data += ret;
2217
2218 /*
2219 * Process all function/property descriptors
2220 * of this Feature Descriptor
2221 */
2222 ret = ffs_do_single_os_desc(data, len, type,
2223 feature_count, entity, priv, desc);
2224 if (unlikely(ret < 0)) {
2225 pr_debug("%s returns %d\n", __func__, ret);
2226 return ret;
2227 }
2228
2229 len -= ret;
2230 data += ret;
2231 }
2232 return _len - len;
2233 }
2234
2235 /**
2236 * Validate contents of the buffer from userspace related to OS descriptors.
2237 */
__ffs_data_do_os_desc(enum ffs_os_desc_type type,struct usb_os_desc_header * h,void * data,unsigned len,void * priv)2238 static int __ffs_data_do_os_desc(enum ffs_os_desc_type type,
2239 struct usb_os_desc_header *h, void *data,
2240 unsigned len, void *priv)
2241 {
2242 struct ffs_data *ffs = priv;
2243 u8 length;
2244
2245 ENTER();
2246
2247 switch (type) {
2248 case FFS_OS_DESC_EXT_COMPAT: {
2249 struct usb_ext_compat_desc *d = data;
2250 int i;
2251
2252 if (len < sizeof(*d) ||
2253 d->bFirstInterfaceNumber >= ffs->interfaces_count)
2254 return -EINVAL;
2255 if (d->Reserved1 != 1) {
2256 /*
2257 * According to the spec, Reserved1 must be set to 1
2258 * but older kernels incorrectly rejected non-zero
2259 * values. We fix it here to avoid returning EINVAL
2260 * in response to values we used to accept.
2261 */
2262 pr_debug("usb_ext_compat_desc::Reserved1 forced to 1\n");
2263 d->Reserved1 = 1;
2264 }
2265 for (i = 0; i < ARRAY_SIZE(d->Reserved2); ++i)
2266 if (d->Reserved2[i])
2267 return -EINVAL;
2268
2269 length = sizeof(struct usb_ext_compat_desc);
2270 }
2271 break;
2272 case FFS_OS_DESC_EXT_PROP: {
2273 struct usb_ext_prop_desc *d = data;
2274 u32 type, pdl;
2275 u16 pnl;
2276
2277 if (len < sizeof(*d) || h->interface >= ffs->interfaces_count)
2278 return -EINVAL;
2279 length = le32_to_cpu(d->dwSize);
2280 if (len < length)
2281 return -EINVAL;
2282 type = le32_to_cpu(d->dwPropertyDataType);
2283 if (type < USB_EXT_PROP_UNICODE ||
2284 type > USB_EXT_PROP_UNICODE_MULTI) {
2285 pr_vdebug("unsupported os descriptor property type: %d",
2286 type);
2287 return -EINVAL;
2288 }
2289 pnl = le16_to_cpu(d->wPropertyNameLength);
2290 if (length < 14 + pnl) {
2291 pr_vdebug("invalid os descriptor length: %d pnl:%d (descriptor %d)\n",
2292 length, pnl, type);
2293 return -EINVAL;
2294 }
2295 pdl = le32_to_cpu(*(__le32 *)((u8 *)data + 10 + pnl));
2296 if (length != 14 + pnl + pdl) {
2297 pr_vdebug("invalid os descriptor length: %d pnl:%d pdl:%d (descriptor %d)\n",
2298 length, pnl, pdl, type);
2299 return -EINVAL;
2300 }
2301 ++ffs->ms_os_descs_ext_prop_count;
2302 /* property name reported to the host as "WCHAR"s */
2303 ffs->ms_os_descs_ext_prop_name_len += pnl * 2;
2304 ffs->ms_os_descs_ext_prop_data_len += pdl;
2305 }
2306 break;
2307 default:
2308 pr_vdebug("unknown descriptor: %d\n", type);
2309 return -EINVAL;
2310 }
2311 return length;
2312 }
2313
__ffs_data_got_descs(struct ffs_data * ffs,char * const _data,size_t len)2314 static int __ffs_data_got_descs(struct ffs_data *ffs,
2315 char *const _data, size_t len)
2316 {
2317 char *data = _data, *raw_descs = NULL;
2318 unsigned os_descs_count = 0, counts[3], flags;
2319 int ret = -EINVAL, i;
2320 struct ffs_desc_helper helper;
2321
2322 ENTER();
2323
2324 if (get_unaligned_le32(data + 4) != len)
2325 goto error;
2326
2327 switch (get_unaligned_le32(data)) {
2328 case FUNCTIONFS_DESCRIPTORS_MAGIC:
2329 flags = FUNCTIONFS_HAS_FS_DESC | FUNCTIONFS_HAS_HS_DESC;
2330 data += 8;
2331 len -= 8;
2332 break;
2333 case FUNCTIONFS_DESCRIPTORS_MAGIC_V2:
2334 flags = get_unaligned_le32(data + 8);
2335 ffs->user_flags = flags;
2336 if (flags & ~(FUNCTIONFS_HAS_FS_DESC |
2337 FUNCTIONFS_HAS_HS_DESC |
2338 FUNCTIONFS_HAS_SS_DESC |
2339 FUNCTIONFS_HAS_MS_OS_DESC |
2340 FUNCTIONFS_VIRTUAL_ADDR |
2341 FUNCTIONFS_EVENTFD |
2342 FUNCTIONFS_ALL_CTRL_RECIP |
2343 FUNCTIONFS_CONFIG0_SETUP)) {
2344 ret = -ENOSYS;
2345 goto error;
2346 }
2347 data += 12;
2348 len -= 12;
2349 break;
2350 default:
2351 goto error;
2352 }
2353
2354 if (flags & FUNCTIONFS_EVENTFD) {
2355 if (len < 4)
2356 goto error;
2357 ffs->ffs_eventfd =
2358 eventfd_ctx_fdget((int)get_unaligned_le32(data));
2359 if (IS_ERR(ffs->ffs_eventfd)) {
2360 ret = PTR_ERR(ffs->ffs_eventfd);
2361 ffs->ffs_eventfd = NULL;
2362 goto error;
2363 }
2364 data += 4;
2365 len -= 4;
2366 }
2367
2368 /* Read fs_count, hs_count and ss_count (if present) */
2369 for (i = 0; i < 3; ++i) {
2370 if (!(flags & (1 << i))) {
2371 counts[i] = 0;
2372 } else if (len < 4) {
2373 goto error;
2374 } else {
2375 counts[i] = get_unaligned_le32(data);
2376 data += 4;
2377 len -= 4;
2378 }
2379 }
2380 if (flags & (1 << i)) {
2381 if (len < 4) {
2382 goto error;
2383 }
2384 os_descs_count = get_unaligned_le32(data);
2385 data += 4;
2386 len -= 4;
2387 }
2388
2389 /* Read descriptors */
2390 raw_descs = data;
2391 helper.ffs = ffs;
2392 for (i = 0; i < 3; ++i) {
2393 if (!counts[i])
2394 continue;
2395 helper.interfaces_count = 0;
2396 helper.eps_count = 0;
2397 ret = ffs_do_descs(counts[i], data, len,
2398 __ffs_data_do_entity, &helper);
2399 if (ret < 0)
2400 goto error;
2401 if (!ffs->eps_count && !ffs->interfaces_count) {
2402 ffs->eps_count = helper.eps_count;
2403 ffs->interfaces_count = helper.interfaces_count;
2404 } else {
2405 if (ffs->eps_count != helper.eps_count) {
2406 ret = -EINVAL;
2407 goto error;
2408 }
2409 if (ffs->interfaces_count != helper.interfaces_count) {
2410 ret = -EINVAL;
2411 goto error;
2412 }
2413 }
2414 data += ret;
2415 len -= ret;
2416 }
2417 if (os_descs_count) {
2418 ret = ffs_do_os_descs(os_descs_count, data, len,
2419 __ffs_data_do_os_desc, ffs);
2420 if (ret < 0)
2421 goto error;
2422 data += ret;
2423 len -= ret;
2424 }
2425
2426 if (raw_descs == data || len) {
2427 ret = -EINVAL;
2428 goto error;
2429 }
2430
2431 ffs->raw_descs_data = _data;
2432 ffs->raw_descs = raw_descs;
2433 ffs->raw_descs_length = data - raw_descs;
2434 ffs->fs_descs_count = counts[0];
2435 ffs->hs_descs_count = counts[1];
2436 ffs->ss_descs_count = counts[2];
2437 ffs->ms_os_descs_count = os_descs_count;
2438
2439 return 0;
2440
2441 error:
2442 kfree(_data);
2443 return ret;
2444 }
2445
__ffs_data_got_strings(struct ffs_data * ffs,char * const _data,size_t len)2446 static int __ffs_data_got_strings(struct ffs_data *ffs,
2447 char *const _data, size_t len)
2448 {
2449 u32 str_count, needed_count, lang_count;
2450 struct usb_gadget_strings **stringtabs = NULL, *t = NULL;
2451 const char *data = _data;
2452 struct usb_string *s = NULL;
2453
2454 ENTER();
2455
2456 if (unlikely(len < 16 ||
2457 get_unaligned_le32(data) != FUNCTIONFS_STRINGS_MAGIC ||
2458 get_unaligned_le32(data + 4) != len))
2459 goto error;
2460 str_count = get_unaligned_le32(data + 8);
2461 lang_count = get_unaligned_le32(data + 12);
2462
2463 /* if one is zero the other must be zero */
2464 if (unlikely(!str_count != !lang_count))
2465 goto error;
2466
2467 /* Do we have at least as many strings as descriptors need? */
2468 needed_count = ffs->strings_count;
2469 if (unlikely(str_count < needed_count))
2470 goto error;
2471
2472 /*
2473 * If we don't need any strings just return and free all
2474 * memory.
2475 */
2476 if (!needed_count) {
2477 kfree(_data);
2478 return 0;
2479 }
2480
2481 /* Allocate everything in one chunk so there's less maintenance. */
2482 {
2483 unsigned i = 0;
2484 vla_group(d);
2485 vla_item(d, struct usb_gadget_strings *, stringtabs,
2486 lang_count + 1);
2487 vla_item(d, struct usb_gadget_strings, stringtab, lang_count);
2488 vla_item(d, struct usb_string, strings,
2489 lang_count*(needed_count+1));
2490
2491 char *vlabuf = kmalloc(vla_group_size(d), GFP_KERNEL);
2492
2493 if (unlikely(!vlabuf)) {
2494 kfree(_data);
2495 return -ENOMEM;
2496 }
2497
2498 /* Initialize the VLA pointers */
2499 stringtabs = vla_ptr(vlabuf, d, stringtabs);
2500 t = vla_ptr(vlabuf, d, stringtab);
2501 i = lang_count;
2502 do {
2503 *stringtabs++ = t++;
2504 } while (--i);
2505 *stringtabs = NULL;
2506
2507 /* stringtabs = vlabuf = d_stringtabs for later kfree */
2508 stringtabs = vla_ptr(vlabuf, d, stringtabs);
2509 t = vla_ptr(vlabuf, d, stringtab);
2510 s = vla_ptr(vlabuf, d, strings);
2511 }
2512
2513 /* For each language */
2514 data += 16;
2515 len -= 16;
2516
2517 do { /* lang_count > 0 so we can use do-while */
2518 unsigned needed = needed_count;
2519
2520 if (unlikely(len < 3))
2521 goto error_free;
2522 t->language = get_unaligned_le16(data);
2523 t->strings = s;
2524 ++t;
2525
2526 data += 2;
2527 len -= 2;
2528
2529 /* For each string */
2530 do { /* str_count > 0 so we can use do-while */
2531 size_t length = strnlen(data, len);
2532
2533 if (unlikely(length == len))
2534 goto error_free;
2535
2536 /*
2537 * User may provide more strings then we need,
2538 * if that's the case we simply ignore the
2539 * rest
2540 */
2541 if (likely(needed)) {
2542 /*
2543 * s->id will be set while adding
2544 * function to configuration so for
2545 * now just leave garbage here.
2546 */
2547 s->s = data;
2548 --needed;
2549 ++s;
2550 }
2551
2552 data += length + 1;
2553 len -= length + 1;
2554 } while (--str_count);
2555
2556 s->id = 0; /* terminator */
2557 s->s = NULL;
2558 ++s;
2559
2560 } while (--lang_count);
2561
2562 /* Some garbage left? */
2563 if (unlikely(len))
2564 goto error_free;
2565
2566 /* Done! */
2567 ffs->stringtabs = stringtabs;
2568 ffs->raw_strings = _data;
2569
2570 return 0;
2571
2572 error_free:
2573 kfree(stringtabs);
2574 error:
2575 kfree(_data);
2576 return -EINVAL;
2577 }
2578
2579 /* Events handling and management *******************************************/
__ffs_event_add(struct ffs_data * ffs,enum usb_functionfs_event_type type)2580 static void __ffs_event_add(struct ffs_data *ffs,
2581 enum usb_functionfs_event_type type)
2582 {
2583 enum usb_functionfs_event_type rem_type1, rem_type2 = type;
2584 int neg = 0;
2585
2586 /*
2587 * Abort any unhandled setup
2588 *
2589 * We do not need to worry about some cmpxchg() changing value
2590 * of ffs->setup_state without holding the lock because when
2591 * state is FFS_SETUP_PENDING cmpxchg() in several places in
2592 * the source does nothing.
2593 */
2594 if (ffs->setup_state == FFS_SETUP_PENDING)
2595 ffs->setup_state = FFS_SETUP_CANCELLED;
2596
2597 /*
2598 * Logic of this function guarantees that there are at most four pending
2599 * evens on ffs->ev.types queue. This is important because the queue
2600 * has space for four elements only and __ffs_ep0_read_events function
2601 * depends on that limit as well. If more event types are added, those
2602 * limits have to be revisited or guaranteed to still hold.
2603 */
2604 switch (type) {
2605 case FUNCTIONFS_RESUME:
2606 rem_type2 = FUNCTIONFS_SUSPEND;
2607 /* FALL THROUGH */
2608 case FUNCTIONFS_SUSPEND:
2609 case FUNCTIONFS_SETUP:
2610 rem_type1 = type;
2611 /* Discard all similar events */
2612 break;
2613
2614 case FUNCTIONFS_BIND:
2615 case FUNCTIONFS_UNBIND:
2616 case FUNCTIONFS_DISABLE:
2617 case FUNCTIONFS_ENABLE:
2618 /* Discard everything other then power management. */
2619 rem_type1 = FUNCTIONFS_SUSPEND;
2620 rem_type2 = FUNCTIONFS_RESUME;
2621 neg = 1;
2622 break;
2623
2624 default:
2625 WARN(1, "%d: unknown event, this should not happen\n", type);
2626 return;
2627 }
2628
2629 {
2630 u8 *ev = ffs->ev.types, *out = ev;
2631 unsigned n = ffs->ev.count;
2632 for (; n; --n, ++ev)
2633 if ((*ev == rem_type1 || *ev == rem_type2) == neg)
2634 *out++ = *ev;
2635 else
2636 pr_vdebug("purging event %d\n", *ev);
2637 ffs->ev.count = out - ffs->ev.types;
2638 }
2639
2640 pr_vdebug("adding event %d\n", type);
2641 ffs->ev.types[ffs->ev.count++] = type;
2642 wake_up_locked(&ffs->ev.waitq);
2643 if (ffs->ffs_eventfd)
2644 eventfd_signal(ffs->ffs_eventfd, 1);
2645 }
2646
ffs_event_add(struct ffs_data * ffs,enum usb_functionfs_event_type type)2647 static void ffs_event_add(struct ffs_data *ffs,
2648 enum usb_functionfs_event_type type)
2649 {
2650 unsigned long flags;
2651 spin_lock_irqsave(&ffs->ev.waitq.lock, flags);
2652 __ffs_event_add(ffs, type);
2653 spin_unlock_irqrestore(&ffs->ev.waitq.lock, flags);
2654 }
2655
2656 /* Bind/unbind USB function hooks *******************************************/
2657
ffs_ep_addr2idx(struct ffs_data * ffs,u8 endpoint_address)2658 static int ffs_ep_addr2idx(struct ffs_data *ffs, u8 endpoint_address)
2659 {
2660 int i;
2661
2662 for (i = 1; i < ARRAY_SIZE(ffs->eps_addrmap); ++i)
2663 if (ffs->eps_addrmap[i] == endpoint_address)
2664 return i;
2665 return -ENOENT;
2666 }
2667
__ffs_func_bind_do_descs(enum ffs_entity_type type,u8 * valuep,struct usb_descriptor_header * desc,void * priv)2668 static int __ffs_func_bind_do_descs(enum ffs_entity_type type, u8 *valuep,
2669 struct usb_descriptor_header *desc,
2670 void *priv)
2671 {
2672 struct usb_endpoint_descriptor *ds = (void *)desc;
2673 struct ffs_function *func = priv;
2674 struct ffs_ep *ffs_ep = NULL;
2675 unsigned ep_desc_id;
2676 int idx;
2677 static const char *speed_names[] = { "full", "high", "super" };
2678
2679 if (type != FFS_DESCRIPTOR)
2680 return 0;
2681
2682 /*
2683 * If ss_descriptors is not NULL, we are reading super speed
2684 * descriptors; if hs_descriptors is not NULL, we are reading high
2685 * speed descriptors; otherwise, we are reading full speed
2686 * descriptors.
2687 */
2688 if (func->function.ss_descriptors) {
2689 ep_desc_id = 2;
2690 func->function.ss_descriptors[(uintptr_t)valuep] = desc;
2691 } else if (func->function.hs_descriptors) {
2692 ep_desc_id = 1;
2693 func->function.hs_descriptors[(uintptr_t)valuep] = desc;
2694 } else {
2695 ep_desc_id = 0;
2696 func->function.fs_descriptors[(uintptr_t)valuep] = desc;
2697 }
2698
2699 if (!desc || desc->bDescriptorType != USB_DT_ENDPOINT)
2700 return 0;
2701
2702 idx = ffs_ep_addr2idx(func->ffs, ds->bEndpointAddress) - 1;
2703 if (idx < 0)
2704 return idx;
2705
2706 ffs_ep = func->eps + idx;
2707
2708 if (unlikely(ffs_ep->descs[ep_desc_id])) {
2709 pr_err("two %sspeed descriptors for EP %d\n",
2710 speed_names[ep_desc_id],
2711 ds->bEndpointAddress & USB_ENDPOINT_NUMBER_MASK);
2712 return -EINVAL;
2713 }
2714 ffs_ep->descs[ep_desc_id] = ds;
2715
2716 ffs_dump_mem(": Original ep desc", ds, ds->bLength);
2717 if (ffs_ep->ep) {
2718 ds->bEndpointAddress = ffs_ep->descs[0]->bEndpointAddress;
2719 if (!ds->wMaxPacketSize)
2720 ds->wMaxPacketSize = ffs_ep->descs[0]->wMaxPacketSize;
2721 } else {
2722 struct usb_request *req = NULL;
2723 struct usb_ep *ep = NULL;
2724 u8 bEndpointAddress;
2725
2726 /*
2727 * We back up bEndpointAddress because autoconfig overwrites
2728 * it with physical endpoint address.
2729 */
2730 bEndpointAddress = ds->bEndpointAddress;
2731 pr_vdebug("autoconfig\n");
2732 ep = usb_ep_autoconfig(func->gadget, ds);
2733 if (unlikely(!ep))
2734 return -ENOTSUPP;
2735 ep->driver_data = func->eps + idx;
2736
2737 req = usb_ep_alloc_request(ep, GFP_KERNEL);
2738 if (unlikely(!req))
2739 return -ENOMEM;
2740
2741 ffs_ep->ep = ep;
2742 ffs_ep->req = req;
2743 INIT_LIST_HEAD(&ffs_ep->req->list);
2744 func->eps_revmap[ds->bEndpointAddress &
2745 USB_ENDPOINT_NUMBER_MASK] = idx + 1;
2746 /*
2747 * If we use virtual address mapping, we restore
2748 * original bEndpointAddress value.
2749 */
2750 if (func->ffs->user_flags & FUNCTIONFS_VIRTUAL_ADDR)
2751 ds->bEndpointAddress = bEndpointAddress;
2752 }
2753 ffs_dump_mem(": Rewritten ep desc", ds, ds->bLength);
2754
2755 return 0;
2756 }
2757
__ffs_func_bind_do_nums(enum ffs_entity_type type,u8 * valuep,struct usb_descriptor_header * desc,void * priv)2758 static int __ffs_func_bind_do_nums(enum ffs_entity_type type, u8 *valuep,
2759 struct usb_descriptor_header *desc,
2760 void *priv)
2761 {
2762 struct ffs_function *func = priv;
2763 unsigned idx;
2764 u8 newValue;
2765
2766 switch (type) {
2767 default:
2768 case FFS_DESCRIPTOR:
2769 /* Handled in previous pass by __ffs_func_bind_do_descs() */
2770 return 0;
2771
2772 case FFS_INTERFACE:
2773 idx = *valuep;
2774 if (func->interfaces_nums[idx] < 0) {
2775 int id = usb_interface_id(func->conf, &func->function);
2776 if (unlikely(id < 0))
2777 return id;
2778 func->interfaces_nums[idx] = id;
2779 }
2780 newValue = func->interfaces_nums[idx];
2781 break;
2782
2783 case FFS_STRING:
2784 /* String' IDs are allocated when fsf_data is bound to cdev */
2785 newValue = func->ffs->stringtabs[0]->strings[*valuep - 1].id;
2786 break;
2787
2788 case FFS_ENDPOINT:
2789 /*
2790 * USB_DT_ENDPOINT are handled in
2791 * __ffs_func_bind_do_descs().
2792 */
2793 if (desc->bDescriptorType == USB_DT_ENDPOINT)
2794 return 0;
2795
2796 idx = (*valuep & USB_ENDPOINT_NUMBER_MASK) - 1;
2797 if (unlikely(!func->eps[idx].ep))
2798 return -EINVAL;
2799
2800 {
2801 struct usb_endpoint_descriptor **descs;
2802 descs = func->eps[idx].descs;
2803 newValue = descs[descs[0] ? 0 : 1]->bEndpointAddress;
2804 }
2805 break;
2806 }
2807
2808 pr_vdebug("%02x -> %02x\n", *valuep, newValue);
2809 *valuep = newValue;
2810 return 0;
2811 }
2812
__ffs_func_bind_do_os_desc(enum ffs_os_desc_type type,struct usb_os_desc_header * h,void * data,unsigned len,void * priv)2813 static int __ffs_func_bind_do_os_desc(enum ffs_os_desc_type type,
2814 struct usb_os_desc_header *h, void *data,
2815 unsigned len, void *priv)
2816 {
2817 struct ffs_function *func = priv;
2818 u8 length = 0;
2819
2820 switch (type) {
2821 case FFS_OS_DESC_EXT_COMPAT: {
2822 struct usb_ext_compat_desc *desc = data;
2823 struct usb_os_desc_table *t;
2824
2825 t = &func->function.os_desc_table[desc->bFirstInterfaceNumber];
2826 t->if_id = func->interfaces_nums[desc->bFirstInterfaceNumber];
2827 memcpy(t->os_desc->ext_compat_id, &desc->CompatibleID,
2828 ARRAY_SIZE(desc->CompatibleID) + ARRAY_SIZE(desc->SubCompatibleID));
2829 length = sizeof(*desc);
2830 }
2831 break;
2832 case FFS_OS_DESC_EXT_PROP: {
2833 struct usb_ext_prop_desc *desc = data;
2834 struct usb_os_desc_table *t;
2835 struct usb_os_desc_ext_prop *ext_prop;
2836 char *ext_prop_name;
2837 char *ext_prop_data;
2838
2839 t = &func->function.os_desc_table[h->interface];
2840 t->if_id = func->interfaces_nums[h->interface];
2841
2842 ext_prop = func->ffs->ms_os_descs_ext_prop_avail;
2843 func->ffs->ms_os_descs_ext_prop_avail += sizeof(*ext_prop);
2844
2845 ext_prop->type = le32_to_cpu(desc->dwPropertyDataType);
2846 ext_prop->name_len = le16_to_cpu(desc->wPropertyNameLength);
2847 ext_prop->data_len = le32_to_cpu(*(__le32 *)
2848 usb_ext_prop_data_len_ptr(data, ext_prop->name_len));
2849 length = ext_prop->name_len + ext_prop->data_len + 14;
2850
2851 ext_prop_name = func->ffs->ms_os_descs_ext_prop_name_avail;
2852 func->ffs->ms_os_descs_ext_prop_name_avail +=
2853 ext_prop->name_len;
2854
2855 ext_prop_data = func->ffs->ms_os_descs_ext_prop_data_avail;
2856 func->ffs->ms_os_descs_ext_prop_data_avail +=
2857 ext_prop->data_len;
2858 memcpy(ext_prop_data, usb_ext_prop_data_ptr(data, ext_prop->name_len),
2859 ext_prop->data_len);
2860 /* unicode data reported to the host as "WCHAR"s */
2861 switch (ext_prop->type) {
2862 case USB_EXT_PROP_UNICODE:
2863 case USB_EXT_PROP_UNICODE_ENV:
2864 case USB_EXT_PROP_UNICODE_LINK:
2865 case USB_EXT_PROP_UNICODE_MULTI:
2866 ext_prop->data_len *= 2;
2867 break;
2868 }
2869 ext_prop->data = ext_prop_data;
2870
2871 memcpy(ext_prop_name, usb_ext_prop_name_ptr(data),
2872 ext_prop->name_len);
2873 /* property name reported to the host as "WCHAR"s */
2874 ext_prop->name_len *= 2;
2875 ext_prop->name = ext_prop_name;
2876
2877 t->os_desc->ext_prop_len +=
2878 ext_prop->name_len + ext_prop->data_len + 14;
2879 ++t->os_desc->ext_prop_count;
2880 list_add_tail(&ext_prop->entry, &t->os_desc->ext_prop);
2881 }
2882 break;
2883 default:
2884 pr_vdebug("unknown descriptor: %d\n", type);
2885 }
2886
2887 return length;
2888 }
2889
ffs_do_functionfs_bind(struct usb_function * f,struct usb_configuration * c)2890 static inline struct f_fs_opts *ffs_do_functionfs_bind(struct usb_function *f,
2891 struct usb_configuration *c)
2892 {
2893 struct ffs_function *func = ffs_func_from_usb(f);
2894 struct f_fs_opts *ffs_opts =
2895 container_of(f->fi, struct f_fs_opts, func_inst);
2896 int ret;
2897
2898 ENTER();
2899
2900 /*
2901 * Legacy gadget triggers binding in functionfs_ready_callback,
2902 * which already uses locking; taking the same lock here would
2903 * cause a deadlock.
2904 *
2905 * Configfs-enabled gadgets however do need ffs_dev_lock.
2906 */
2907 if (!ffs_opts->no_configfs)
2908 ffs_dev_lock();
2909 ret = ffs_opts->dev->desc_ready ? 0 : -ENODEV;
2910 func->ffs = ffs_opts->dev->ffs_data;
2911 if (!ffs_opts->no_configfs)
2912 ffs_dev_unlock();
2913 if (ret)
2914 return ERR_PTR(ret);
2915
2916 func->conf = c;
2917 func->gadget = c->cdev->gadget;
2918
2919 /*
2920 * in drivers/usb/gadget/configfs.c:configfs_composite_bind()
2921 * configurations are bound in sequence with list_for_each_entry,
2922 * in each configuration its functions are bound in sequence
2923 * with list_for_each_entry, so we assume no race condition
2924 * with regard to ffs_opts->bound access
2925 */
2926 if (!ffs_opts->refcnt) {
2927 ret = functionfs_bind(func->ffs, c->cdev);
2928 if (ret)
2929 return ERR_PTR(ret);
2930 }
2931 ffs_opts->refcnt++;
2932 func->function.strings = func->ffs->stringtabs;
2933
2934 return ffs_opts;
2935 }
2936
_ffs_func_bind(struct usb_configuration * c,struct usb_function * f)2937 static int _ffs_func_bind(struct usb_configuration *c, struct usb_function *f)
2938 {
2939 struct ffs_function *func = ffs_func_from_usb(f);
2940 struct ffs_data *ffs = func->ffs;
2941
2942 const int full = !!func->ffs->fs_descs_count;
2943 const int high = !!func->ffs->hs_descs_count;
2944 const int super = !!func->ffs->ss_descs_count;
2945
2946 int fs_len, hs_len, ss_len, ret, i;
2947 struct ffs_ep *eps_ptr = NULL;
2948 struct usb_descriptor_header *des_head = NULL;
2949 struct usb_interface_descriptor *intf_ctl = NULL;
2950 struct usb_interface_descriptor *intf_data = NULL;
2951 /* Make it a single chunk, less management later on */
2952 vla_group(d);
2953 vla_item_with_sz(d, struct ffs_ep, eps, ffs->eps_count);
2954 vla_item_with_sz(d, struct usb_descriptor_header *, fs_descs,
2955 full ? ffs->fs_descs_count + 1 : 0);
2956 vla_item_with_sz(d, struct usb_descriptor_header *, hs_descs,
2957 high ? ffs->hs_descs_count + 1 : 0);
2958 vla_item_with_sz(d, struct usb_descriptor_header *, ss_descs,
2959 super ? ffs->ss_descs_count + 1 : 0);
2960 vla_item_with_sz(d, short, inums, ffs->interfaces_count);
2961 vla_item_with_sz(d, struct usb_os_desc_table, os_desc_table,
2962 c->cdev->use_os_string ? ffs->interfaces_count : 0);
2963 vla_item_with_sz(d, char[16], ext_compat,
2964 c->cdev->use_os_string ? ffs->interfaces_count : 0);
2965 vla_item_with_sz(d, struct usb_os_desc, os_desc,
2966 c->cdev->use_os_string ? ffs->interfaces_count : 0);
2967 vla_item_with_sz(d, struct usb_os_desc_ext_prop, ext_prop,
2968 ffs->ms_os_descs_ext_prop_count);
2969 vla_item_with_sz(d, char, ext_prop_name,
2970 ffs->ms_os_descs_ext_prop_name_len);
2971 vla_item_with_sz(d, char, ext_prop_data,
2972 ffs->ms_os_descs_ext_prop_data_len);
2973 vla_item_with_sz(d, char, raw_descs, ffs->raw_descs_length);
2974 char *vlabuf = NULL;
2975
2976 ENTER();
2977
2978 /* Has descriptors only for speeds gadget does not support */
2979 if (unlikely(!(full | high | super)))
2980 return -ENOTSUPP;
2981
2982 /* Allocate a single chunk, less management later on */
2983 vlabuf = kzalloc(vla_group_size(d), GFP_KERNEL);
2984 if (unlikely(!vlabuf))
2985 return -ENOMEM;
2986
2987 ffs->ms_os_descs_ext_prop_avail = vla_ptr(vlabuf, d, ext_prop);
2988 ffs->ms_os_descs_ext_prop_name_avail =
2989 vla_ptr(vlabuf, d, ext_prop_name);
2990 ffs->ms_os_descs_ext_prop_data_avail =
2991 vla_ptr(vlabuf, d, ext_prop_data);
2992
2993 /* Copy descriptors */
2994 memcpy(vla_ptr(vlabuf, d, raw_descs), ffs->raw_descs, ffs->raw_descs_length);
2995
2996 memset(vla_ptr(vlabuf, d, inums), 0xff, d_inums__sz);
2997
2998 eps_ptr = vla_ptr(vlabuf, d, eps);
2999 for (i = 0; i < ffs->eps_count; i++)
3000 eps_ptr[i].num = -1;
3001
3002 /* Save pointers
3003 * d_eps == vlabuf, func->eps used to kfree vlabuf later
3004 */
3005 func->eps = vla_ptr(vlabuf, d, eps);
3006 func->interfaces_nums = vla_ptr(vlabuf, d, inums);
3007
3008 /*
3009 * Go through all the endpoint descriptors and allocate
3010 * endpoints first, so that later we can rewrite the endpoint
3011 * numbers without worrying that it may be described later on.
3012 */
3013 if (likely(full)) {
3014 func->function.fs_descriptors = vla_ptr(vlabuf, d, fs_descs);
3015 fs_len = ffs_do_descs(ffs->fs_descs_count,
3016 vla_ptr(vlabuf, d, raw_descs),
3017 d_raw_descs__sz,
3018 __ffs_func_bind_do_descs, func);
3019 if (unlikely(fs_len < 0)) {
3020 ret = fs_len;
3021 goto error;
3022 }
3023 } else {
3024 fs_len = 0;
3025 }
3026 if (likely(high)) {
3027 func->function.hs_descriptors = vla_ptr(vlabuf, d, hs_descs);
3028 hs_len = ffs_do_descs(ffs->hs_descs_count,
3029 vla_ptr(vlabuf, d, raw_descs) + fs_len,
3030 d_raw_descs__sz - fs_len,
3031 __ffs_func_bind_do_descs, func);
3032 if (unlikely(hs_len < 0)) {
3033 ret = hs_len;
3034 goto error;
3035 }
3036 } else {
3037 hs_len = 0;
3038 }
3039 if (likely(super)) {
3040 func->function.ss_descriptors = vla_ptr(vlabuf, d, ss_descs);
3041 ss_len = ffs_do_descs(ffs->ss_descs_count,
3042 vla_ptr(vlabuf, d, raw_descs) + fs_len + hs_len,
3043 d_raw_descs__sz - fs_len - hs_len,
3044 __ffs_func_bind_do_descs, func);
3045 if (unlikely(ss_len < 0)) {
3046 ret = ss_len;
3047 goto error;
3048 }
3049 } else {
3050 ss_len = 0;
3051 }
3052 /*
3053 * Now handle interface numbers allocation and interface and
3054 * endpoint numbers rewriting. We can do that in one go
3055 * now.
3056 */
3057 ret = ffs_do_descs(ffs->fs_descs_count +
3058 (high ? ffs->hs_descs_count : 0) +
3059 (super ? ffs->ss_descs_count : 0),
3060 vla_ptr(vlabuf, d, raw_descs), d_raw_descs__sz,
3061 __ffs_func_bind_do_nums, func);
3062 if (unlikely(ret < 0))
3063 goto error;
3064
3065 func->function.os_desc_table = vla_ptr(vlabuf, d, os_desc_table);
3066 if (c->cdev->use_os_string) {
3067 for (i = 0; i < ffs->interfaces_count; ++i) {
3068 struct usb_os_desc *desc;
3069
3070 desc = func->function.os_desc_table[i].os_desc =
3071 vla_ptr(vlabuf, d, os_desc) +
3072 i * sizeof(struct usb_os_desc);
3073 desc->ext_compat_id =
3074 vla_ptr(vlabuf, d, ext_compat) + i * 16;
3075 INIT_LIST_HEAD(&desc->ext_prop);
3076 }
3077 ret = ffs_do_os_descs(ffs->ms_os_descs_count,
3078 vla_ptr(vlabuf, d, raw_descs) +
3079 fs_len + hs_len + ss_len,
3080 d_raw_descs__sz - fs_len - hs_len -
3081 ss_len,
3082 __ffs_func_bind_do_os_desc, func);
3083 if (unlikely(ret < 0))
3084 goto error;
3085 }
3086 func->function.os_desc_n =
3087 c->cdev->use_os_string ? ffs->interfaces_count : 0;
3088
3089 for (i = 0; i< func->ffs->fs_descs_count; i++) {
3090 des_head = func->function.fs_descriptors[i];
3091 if (des_head->bDescriptorType == USB_DT_INTERFACE) {
3092 struct usb_interface_descriptor *intf = (struct usb_interface_descriptor *)des_head;
3093 if (intf->bNumEndpoints > 0) {
3094 if (intf_ctl == NULL) {
3095 intf_ctl = intf;
3096 } else {
3097 intf_data = intf;
3098 break;
3099 }
3100 }
3101 }
3102 }
3103 for (i = 0; i< func->ffs->fs_descs_count; i++) {
3104 des_head = func->function.fs_descriptors[i];
3105 if (des_head->bDescriptorType == USB_DT_INTERFACE_ASSOCIATION) {
3106 struct usb_interface_assoc_descriptor *a_dec = (struct usb_interface_assoc_descriptor *)des_head;
3107 a_dec->bFirstInterface = intf_ctl->bInterfaceNumber;
3108 } else if (des_head->bDescriptorType == USB_DT_CS_INTERFACE) {
3109 struct usb_cdc_header_desc *cs_des = (struct usb_cdc_header_desc *)des_head;
3110 if (cs_des->bDescriptorSubType == USB_CDC_CALL_MANAGEMENT_TYPE) {
3111 struct usb_cdc_call_mgmt_descriptor *mgmt_des = (struct usb_cdc_call_mgmt_descriptor *)des_head;
3112 mgmt_des->bDataInterface = intf_data->bInterfaceNumber;
3113 } else if (cs_des->bDescriptorSubType == USB_CDC_UNION_TYPE) {
3114 struct usb_cdc_union_desc *union_des = (struct usb_cdc_union_desc *)des_head;
3115 union_des->bMasterInterface0 = intf_ctl->bInterfaceNumber;
3116 union_des->bSlaveInterface0 = intf_data->bInterfaceNumber;
3117 } else if (cs_des->bDescriptorSubType == USB_CDC_ETHERNET_TYPE) {
3118 struct usb_cdc_ether_desc *ether_des = (struct usb_cdc_ether_desc *)des_head;
3119 ether_des->iMACAddress = intf_ctl->iInterface + 1;
3120 }
3121 }
3122 }
3123 for (i = 0; i< func->ffs->hs_descs_count; i++) {
3124 des_head = func->function.hs_descriptors[i];
3125 if (des_head->bDescriptorType == USB_DT_INTERFACE_ASSOCIATION) {
3126 struct usb_interface_assoc_descriptor *a_dec = (struct usb_interface_assoc_descriptor *)des_head;
3127 a_dec->bFirstInterface = intf_ctl->bInterfaceNumber;
3128 } else if (des_head->bDescriptorType == USB_DT_CS_INTERFACE) {
3129 struct usb_cdc_header_desc *cs_des = (struct usb_cdc_header_desc *)des_head;
3130 if (cs_des->bDescriptorSubType == USB_CDC_CALL_MANAGEMENT_TYPE) {
3131 struct usb_cdc_call_mgmt_descriptor *mgmt_des = (struct usb_cdc_call_mgmt_descriptor *)des_head;
3132 mgmt_des->bDataInterface = intf_data->bInterfaceNumber;
3133 } else if (cs_des->bDescriptorSubType == USB_CDC_UNION_TYPE) {
3134 struct usb_cdc_union_desc *union_des = (struct usb_cdc_union_desc *)des_head;
3135 union_des->bMasterInterface0 = intf_ctl->bInterfaceNumber;
3136 union_des->bSlaveInterface0 = intf_data->bInterfaceNumber;
3137 } else if (cs_des->bDescriptorSubType == USB_CDC_ETHERNET_TYPE) {
3138 struct usb_cdc_ether_desc *ether_des = (struct usb_cdc_ether_desc *)des_head;
3139 ether_des->iMACAddress = intf_ctl->iInterface + 1;
3140 }
3141 }
3142 }
3143 for (i = 0; i< func->ffs->ss_descs_count; i++) {
3144 des_head = func->function.ss_descriptors[i];
3145 if (des_head->bDescriptorType == USB_DT_INTERFACE_ASSOCIATION) {
3146 struct usb_interface_assoc_descriptor *a_dec = (struct usb_interface_assoc_descriptor *)des_head;
3147 a_dec->bFirstInterface = intf_ctl->bInterfaceNumber;
3148 } else if (des_head->bDescriptorType == USB_DT_CS_INTERFACE) {
3149 struct usb_cdc_header_desc *cs_des = (struct usb_cdc_header_desc *)des_head;
3150 if (cs_des->bDescriptorSubType == USB_CDC_CALL_MANAGEMENT_TYPE) {
3151 struct usb_cdc_call_mgmt_descriptor *mgmt_des = (struct usb_cdc_call_mgmt_descriptor *)des_head;
3152 mgmt_des->bDataInterface = intf_data->bInterfaceNumber;
3153 } else if (cs_des->bDescriptorSubType == USB_CDC_UNION_TYPE) {
3154 struct usb_cdc_union_desc *union_des = (struct usb_cdc_union_desc *)des_head;
3155 union_des->bMasterInterface0 = intf_ctl->bInterfaceNumber;
3156 union_des->bSlaveInterface0 = intf_data->bInterfaceNumber;
3157 } else if (cs_des->bDescriptorSubType == USB_CDC_ETHERNET_TYPE) {
3158 struct usb_cdc_ether_desc *ether_des = (struct usb_cdc_ether_desc *)des_head;
3159 ether_des->iMACAddress = intf_ctl->iInterface + 1;
3160 }
3161 }
3162 }
3163 /* And we're done */
3164 ffs->eps = func->eps;
3165 ffs_event_add(ffs, FUNCTIONFS_BIND);
3166 return 0;
3167
3168 error:
3169 /* XXX Do we need to release all claimed endpoints here? */
3170 return ret;
3171 }
3172
ffs_func_bind(struct usb_configuration * c,struct usb_function * f)3173 static int ffs_func_bind(struct usb_configuration *c, struct usb_function *f)
3174 {
3175 struct f_fs_opts *ffs_opts = ffs_do_functionfs_bind(f, c);
3176 struct ffs_function *func = ffs_func_from_usb(f);
3177 int ret;
3178
3179 if (IS_ERR(ffs_opts))
3180 return PTR_ERR(ffs_opts);
3181
3182 ret = _ffs_func_bind(c, f);
3183 if (ret && !--ffs_opts->refcnt)
3184 functionfs_unbind(func->ffs);
3185
3186 return ret;
3187 }
3188
3189 /* Other USB function hooks *************************************************/
ffs_reset_work(struct work_struct * work)3190 static void ffs_reset_work(struct work_struct *work)
3191 {
3192 struct ffs_data *ffs = container_of(work,
3193 struct ffs_data, reset_work);
3194 ffs_data_reset(ffs);
3195 }
3196
ffs_func_set_alt(struct usb_function * f,unsigned interface,unsigned alt)3197 static int ffs_func_set_alt(struct usb_function *f,
3198 unsigned interface, unsigned alt)
3199 {
3200 struct ffs_function *func = ffs_func_from_usb(f);
3201 struct ffs_data *ffs = func->ffs;
3202 int ret = 0, intf;
3203
3204 if (alt != (unsigned)-1) {
3205 intf = ffs_func_revmap_intf(func, interface);
3206 if (unlikely(intf < 0))
3207 return intf;
3208 }
3209
3210 if (ffs->func)
3211 ffs_func_eps_disable(ffs->func);
3212
3213 if (ffs->state == FFS_DEACTIVATED) {
3214 ffs->state = FFS_CLOSING;
3215 INIT_WORK(&ffs->reset_work, ffs_reset_work);
3216 schedule_work(&ffs->reset_work);
3217 return -ENODEV;
3218 }
3219
3220 if (ffs->state != FFS_ACTIVE)
3221 return -ENODEV;
3222
3223 if (alt == (unsigned)-1) {
3224 ffs->func = NULL;
3225 ffs_event_add(ffs, FUNCTIONFS_DISABLE);
3226 return 0;
3227 }
3228
3229 ffs->func = func;
3230 ret = ffs_func_eps_enable(func);
3231 if (likely(ret >= 0))
3232 ffs_event_add(ffs, FUNCTIONFS_ENABLE);
3233 return ret;
3234 }
3235
ffs_func_disable(struct usb_function * f)3236 static void ffs_func_disable(struct usb_function *f)
3237 {
3238 ffs_func_set_alt(f, 0, (unsigned)-1);
3239 }
3240
ffs_func_setup(struct usb_function * f,const struct usb_ctrlrequest * creq)3241 static int ffs_func_setup(struct usb_function *f, const struct usb_ctrlrequest *creq)
3242 {
3243 struct ffs_function *func = ffs_func_from_usb(f);
3244 struct ffs_data *ffs = func->ffs;
3245 unsigned long flags;
3246 int ret;
3247
3248 ENTER();
3249
3250 pr_vdebug("creq->bRequestType = %02x\n", creq->bRequestType);
3251 pr_vdebug("creq->bRequest = %02x\n", creq->bRequest);
3252 pr_vdebug("creq->wValue = %04x\n", le16_to_cpu(creq->wValue));
3253 pr_vdebug("creq->wIndex = %04x\n", le16_to_cpu(creq->wIndex));
3254 pr_vdebug("creq->wLength = %04x\n", le16_to_cpu(creq->wLength));
3255
3256 /*
3257 * Most requests directed to interface go through here
3258 * (notable exceptions are set/get interface) so we need to
3259 * handle them. All other either handled by composite or
3260 * passed to usb_configuration->setup() (if one is set). No
3261 * matter, we will handle requests directed to endpoint here
3262 * as well (as it's straightforward). Other request recipient
3263 * types are only handled when the user flag FUNCTIONFS_ALL_CTRL_RECIP
3264 * is being used.
3265 */
3266 if (ffs->state != FFS_ACTIVE)
3267 return -ENODEV;
3268
3269 switch (creq->bRequestType & USB_RECIP_MASK) {
3270 case USB_RECIP_INTERFACE:
3271 ret = ffs_func_revmap_intf(func, le16_to_cpu(creq->wIndex));
3272 if (unlikely(ret < 0))
3273 return ret;
3274 break;
3275
3276 case USB_RECIP_ENDPOINT:
3277 ret = ffs_func_revmap_ep(func, le16_to_cpu(creq->wIndex));
3278 if (unlikely(ret < 0))
3279 return ret;
3280 if (func->ffs->user_flags & FUNCTIONFS_VIRTUAL_ADDR)
3281 ret = func->ffs->eps_addrmap[ret];
3282 break;
3283
3284 default:
3285 if (func->ffs->user_flags & FUNCTIONFS_ALL_CTRL_RECIP)
3286 ret = le16_to_cpu(creq->wIndex);
3287 else
3288 return -EOPNOTSUPP;
3289 }
3290
3291 spin_lock_irqsave(&ffs->ev.waitq.lock, flags);
3292 ffs->ev.setup = *creq;
3293 ffs->ev.setup.wIndex = cpu_to_le16(ret);
3294 __ffs_event_add(ffs, FUNCTIONFS_SETUP);
3295 spin_unlock_irqrestore(&ffs->ev.waitq.lock, flags);
3296
3297 return creq->wLength == 0 ? USB_GADGET_DELAYED_STATUS : 0;
3298 }
3299
ffs_func_req_match(struct usb_function * f,const struct usb_ctrlrequest * creq,bool config0)3300 static bool ffs_func_req_match(struct usb_function *f,
3301 const struct usb_ctrlrequest *creq,
3302 bool config0)
3303 {
3304 struct ffs_function *func = ffs_func_from_usb(f);
3305
3306 if (config0 && !(func->ffs->user_flags & FUNCTIONFS_CONFIG0_SETUP))
3307 return false;
3308
3309 switch (creq->bRequestType & USB_RECIP_MASK) {
3310 case USB_RECIP_INTERFACE:
3311 return (ffs_func_revmap_intf(func,
3312 le16_to_cpu(creq->wIndex)) >= 0);
3313 case USB_RECIP_ENDPOINT:
3314 return (ffs_func_revmap_ep(func,
3315 le16_to_cpu(creq->wIndex)) >= 0);
3316 default:
3317 return (bool) (func->ffs->user_flags &
3318 FUNCTIONFS_ALL_CTRL_RECIP);
3319 }
3320 }
3321
ffs_func_suspend(struct usb_function * f)3322 static void ffs_func_suspend(struct usb_function *f)
3323 {
3324 ENTER();
3325 ffs_event_add(ffs_func_from_usb(f)->ffs, FUNCTIONFS_SUSPEND);
3326 }
3327
ffs_func_resume(struct usb_function * f)3328 static void ffs_func_resume(struct usb_function *f)
3329 {
3330 ENTER();
3331 ffs_event_add(ffs_func_from_usb(f)->ffs, FUNCTIONFS_RESUME);
3332 }
3333
3334 /* Endpoint and interface numbers reverse mapping ***************************/
ffs_func_revmap_ep(struct ffs_function * func,u8 num)3335 static int ffs_func_revmap_ep(struct ffs_function *func, u8 num)
3336 {
3337 num = func->eps_revmap[num & USB_ENDPOINT_NUMBER_MASK];
3338 return num ? num : -EDOM;
3339 }
3340
ffs_func_revmap_intf(struct ffs_function * func,u8 intf)3341 static int ffs_func_revmap_intf(struct ffs_function *func, u8 intf)
3342 {
3343 short *nums = func->interfaces_nums;
3344 unsigned count = func->ffs->interfaces_count;
3345
3346 for (; count; --count, ++nums) {
3347 if (*nums >= 0 && *nums == intf)
3348 return nums - func->interfaces_nums;
3349 }
3350
3351 return -EDOM;
3352 }
3353
3354 /* Devices management *******************************************************/
3355 static LIST_HEAD(ffs_devices);
3356
_ffs_do_find_dev(const char * name)3357 static struct ffs_dev *_ffs_do_find_dev(const char *name)
3358 {
3359 struct ffs_dev *dev = NULL;
3360
3361 if (!name)
3362 return NULL;
3363
3364 list_for_each_entry(dev, &ffs_devices, entry) {
3365 if (!dev->name)
3366 return NULL;
3367 if (strcmp(dev->name, name) == 0)
3368 return dev;
3369 }
3370
3371 return NULL;
3372 }
3373
3374 /*
3375 * ffs_lock must be taken by the caller of this function
3376 */
_ffs_get_single_dev(void)3377 static struct ffs_dev *_ffs_get_single_dev(void)
3378 {
3379 struct ffs_dev *dev = NULL;
3380
3381 if (list_is_singular(&ffs_devices)) {
3382 dev = list_first_entry(&ffs_devices, struct ffs_dev, entry);
3383 if (dev->single)
3384 return dev;
3385 }
3386
3387 return NULL;
3388 }
3389
3390 /*
3391 * ffs_lock must be taken by the caller of this function
3392 */
_ffs_find_dev(const char * name)3393 static struct ffs_dev *_ffs_find_dev(const char *name)
3394 {
3395 struct ffs_dev *dev;
3396
3397 dev = _ffs_get_single_dev();
3398 if (dev)
3399 return dev;
3400
3401 return _ffs_do_find_dev(name);
3402 }
3403
3404 /* Configfs support *********************************************************/
to_ffs_opts(struct config_item * item)3405 static inline struct f_fs_opts *to_ffs_opts(struct config_item *item)
3406 {
3407 return container_of(to_config_group(item), struct f_fs_opts,
3408 func_inst.group);
3409 }
3410
ffs_attr_release(struct config_item * item)3411 static void ffs_attr_release(struct config_item *item)
3412 {
3413 struct f_fs_opts *opts = to_ffs_opts(item);
3414
3415 usb_put_function_instance(&opts->func_inst);
3416 }
3417
3418 static struct configfs_item_operations ffs_item_ops = {
3419 .release = ffs_attr_release,
3420 };
3421
3422 static const struct config_item_type ffs_func_type = {
3423 .ct_item_ops = &ffs_item_ops,
3424 .ct_owner = THIS_MODULE,
3425 };
3426
3427 /* Function registration interface ******************************************/
ffs_free_inst(struct usb_function_instance * f)3428 static void ffs_free_inst(struct usb_function_instance *f)
3429 {
3430 struct f_fs_opts *opts;
3431
3432 opts = to_f_fs_opts(f);
3433 ffs_dev_lock();
3434 _ffs_free_dev(opts->dev);
3435 ffs_dev_unlock();
3436 kfree(opts);
3437 }
3438
ffs_set_inst_name(struct usb_function_instance * fi,const char * name)3439 static int ffs_set_inst_name(struct usb_function_instance *fi, const char *name)
3440 {
3441 char name_dev[MAX_NAMELEN] = {0};
3442 if (snprintf(name_dev, MAX_NAMELEN - 1, "%s.%s", FUNCTION_GENERIC, name) < 0) {
3443 return -EFAULT;
3444 }
3445 if (strlen(name_dev) >= sizeof_field(struct ffs_dev, name))
3446 return -ENAMETOOLONG;
3447 return ffs_name_dev_adapter(to_f_fs_opts(fi)->dev, name_dev);
3448 }
3449
ffs_alloc_inst(void)3450 static struct usb_function_instance *ffs_alloc_inst(void)
3451 {
3452 struct f_fs_opts *opts = NULL;
3453 struct ffs_dev *dev = NULL;
3454
3455 opts = kzalloc(sizeof(*opts), GFP_KERNEL);
3456 if (!opts)
3457 return ERR_PTR(-ENOMEM);
3458
3459 opts->func_inst.set_inst_name = ffs_set_inst_name;
3460 opts->func_inst.free_func_inst = ffs_free_inst;
3461 ffs_dev_lock();
3462 dev = _ffs_alloc_dev();
3463 ffs_dev_unlock();
3464 if (IS_ERR(dev)) {
3465 kfree(opts);
3466 return ERR_CAST(dev);
3467 }
3468 opts->dev = dev;
3469 dev->opts = opts;
3470
3471 config_group_init_type_name(&opts->func_inst.group, "",
3472 &ffs_func_type);
3473 return &opts->func_inst;
3474 }
3475
ffs_free(struct usb_function * f)3476 static void ffs_free(struct usb_function *f)
3477 {
3478 kfree(ffs_func_from_usb(f));
3479 }
3480
ffs_func_unbind(struct usb_configuration * c,struct usb_function * f)3481 static void ffs_func_unbind(struct usb_configuration *c,
3482 struct usb_function *f)
3483 {
3484 struct ffs_function *func = ffs_func_from_usb(f);
3485 struct ffs_data *ffs = func->ffs;
3486 struct f_fs_opts *opts =
3487 container_of(f->fi, struct f_fs_opts, func_inst);
3488 struct ffs_ep *ep = func->eps;
3489 unsigned count = ffs->eps_count;
3490 unsigned long flags;
3491
3492 ENTER();
3493 if (ffs->func == func) {
3494 ffs_func_eps_disable(func);
3495 ffs->func = NULL;
3496 }
3497
3498 if (!--opts->refcnt)
3499 functionfs_unbind(ffs);
3500
3501 /* cleanup after autoconfig */
3502 spin_lock_irqsave(&func->ffs->eps_lock, flags);
3503 while (count--) {
3504 if (ep->ep && ep->req)
3505 usb_ep_free_request(ep->ep, ep->req);
3506 ep->req = NULL;
3507 ++ep;
3508 }
3509 spin_unlock_irqrestore(&func->ffs->eps_lock, flags);
3510 kfree(func->eps);
3511 func->eps = NULL;
3512 /*
3513 * eps, descriptors and interfaces_nums are allocated in the
3514 * same chunk so only one free is required.
3515 */
3516 func->function.fs_descriptors = NULL;
3517 func->function.hs_descriptors = NULL;
3518 func->function.ss_descriptors = NULL;
3519 func->interfaces_nums = NULL;
3520
3521 ffs_event_add(ffs, FUNCTIONFS_UNBIND);
3522 }
3523
ffs_func_get_alt(struct usb_function * f,unsigned intf)3524 static int ffs_func_get_alt(struct usb_function *f, unsigned intf)
3525 {
3526 if (intf == 0)
3527 return 0;
3528 return 1;
3529 }
3530
ffs_alloc(struct usb_function_instance * fi)3531 static struct usb_function *ffs_alloc(struct usb_function_instance *fi)
3532 {
3533 struct ffs_function *func = NULL;
3534
3535 ENTER();
3536
3537 func = kzalloc(sizeof(*func), GFP_KERNEL);
3538 if (unlikely(!func))
3539 return ERR_PTR(-ENOMEM);
3540
3541 func->function.name = "FunctionFS Adapter";
3542
3543 func->function.bind = ffs_func_bind;
3544 func->function.unbind = ffs_func_unbind;
3545 func->function.set_alt = ffs_func_set_alt;
3546 func->function.get_alt = ffs_func_get_alt;
3547 func->function.disable = ffs_func_disable;
3548 func->function.setup = ffs_func_setup;
3549 func->function.req_match = ffs_func_req_match;
3550 func->function.suspend = ffs_func_suspend;
3551 func->function.resume = ffs_func_resume;
3552 func->function.free_func = ffs_free;
3553
3554 return &func->function;
3555 }
3556
3557 /*
3558 * ffs_lock must be taken by the caller of this function
3559 */
_ffs_alloc_dev(void)3560 static struct ffs_dev *_ffs_alloc_dev(void)
3561 {
3562 struct ffs_dev *dev = NULL;
3563 int ret;
3564
3565 if (_ffs_get_single_dev())
3566 return ERR_PTR(-EBUSY);
3567
3568 dev = kzalloc(sizeof(*dev), GFP_KERNEL);
3569 if (!dev)
3570 return ERR_PTR(-ENOMEM);
3571
3572 if (list_empty(&ffs_devices)) {
3573 ret = functionfs_init();
3574 if (ret) {
3575 kfree(dev);
3576 return ERR_PTR(ret);
3577 }
3578 }
3579
3580 list_add(&dev->entry, &ffs_devices);
3581
3582 return dev;
3583 }
3584
ffs_name_dev_adapter(struct ffs_dev * dev,const char * name)3585 int ffs_name_dev_adapter(struct ffs_dev *dev, const char *name)
3586 {
3587 struct ffs_dev *existing = NULL;
3588 int ret = 0;
3589
3590 ffs_dev_lock();
3591
3592 existing = _ffs_do_find_dev(name);
3593 if (!existing)
3594 strlcpy(dev->name, name, ARRAY_SIZE(dev->name));
3595 else if (existing != dev)
3596 ret = -EBUSY;
3597
3598 ffs_dev_unlock();
3599
3600 return ret;
3601 }
3602 EXPORT_SYMBOL_GPL(ffs_name_dev_adapter);
3603
ffs_single_dev_adapter(struct ffs_dev * dev)3604 int ffs_single_dev_adapter(struct ffs_dev *dev)
3605 {
3606 int ret;
3607
3608 ret = 0;
3609 ffs_dev_lock();
3610
3611 if (!list_is_singular(&ffs_devices))
3612 ret = -EBUSY;
3613 else
3614 dev->single = true;
3615
3616 ffs_dev_unlock();
3617 return ret;
3618 }
3619 EXPORT_SYMBOL_GPL(ffs_single_dev_adapter);
3620 /*
3621 * ffs_lock must be taken by the caller of this function
3622 */
_ffs_free_dev(struct ffs_dev * dev)3623 static void _ffs_free_dev(struct ffs_dev *dev)
3624 {
3625 list_del(&dev->entry);
3626
3627 /* Clear the private_data pointer to stop incorrect dev access */
3628 if (dev->ffs_data)
3629 dev->ffs_data->private_data = NULL;
3630
3631 kfree(dev);
3632 if (list_empty(&ffs_devices))
3633 functionfs_cleanup();
3634 }
3635
ffs_acquire_dev(const char * dev_name)3636 static void *ffs_acquire_dev(const char *dev_name)
3637 {
3638 struct ffs_dev *ffs_dev = NULL;
3639
3640 ENTER();
3641 ffs_dev_lock();
3642
3643 ffs_dev = _ffs_find_dev(dev_name);
3644 if (!ffs_dev)
3645 ffs_dev = ERR_PTR(-ENOENT);
3646 else if (ffs_dev->mounted)
3647 ffs_dev = ERR_PTR(-EBUSY);
3648 else if (ffs_dev->ffs_acquire_dev_callback &&
3649 ffs_dev->ffs_acquire_dev_callback(ffs_dev))
3650 ffs_dev = ERR_PTR(-ENOENT);
3651 else
3652 ffs_dev->mounted = true;
3653
3654 ffs_dev_unlock();
3655 return ffs_dev;
3656 }
3657
ffs_release_dev(struct ffs_data * ffs_data)3658 static void ffs_release_dev(struct ffs_data *ffs_data)
3659 {
3660 struct ffs_dev *ffs_dev = NULL;
3661
3662 ENTER();
3663 ffs_dev_lock();
3664
3665 ffs_dev = ffs_data->private_data;
3666 if (ffs_dev) {
3667 ffs_dev->mounted = false;
3668
3669 if (ffs_dev->ffs_release_dev_callback)
3670 ffs_dev->ffs_release_dev_callback(ffs_dev);
3671 }
3672
3673 ffs_dev_unlock();
3674 }
3675
ffs_ready(struct ffs_data * ffs)3676 static int ffs_ready(struct ffs_data *ffs)
3677 {
3678 struct ffs_dev *ffs_obj = NULL;
3679 int ret = 0;
3680
3681 ENTER();
3682 ffs_dev_lock();
3683
3684 ffs_obj = ffs->private_data;
3685 if (!ffs_obj) {
3686 ret = -EINVAL;
3687 goto done;
3688 }
3689 if (WARN_ON(ffs_obj->desc_ready)) {
3690 ret = -EBUSY;
3691 goto done;
3692 }
3693
3694 ffs_obj->desc_ready = true;
3695 ffs_obj->ffs_data = ffs;
3696
3697 if (ffs_obj->ffs_ready_callback) {
3698 ret = ffs_obj->ffs_ready_callback(ffs);
3699 if (ret)
3700 goto done;
3701 }
3702
3703 set_bit(FFS_FL_CALL_CLOSED_CALLBACK, &ffs->flags);
3704 done:
3705 ffs_dev_unlock();
3706 return ret;
3707 }
3708
ffs_closed(struct ffs_data * ffs)3709 static void ffs_closed(struct ffs_data *ffs)
3710 {
3711 struct ffs_dev *ffs_obj = NULL;
3712 struct f_fs_opts *opts = NULL;
3713 struct config_item *ci = NULL;
3714
3715 ENTER();
3716 ffs_dev_lock();
3717
3718 ffs_obj = ffs->private_data;
3719 if (!ffs_obj)
3720 goto done;
3721
3722 ffs_obj->desc_ready = false;
3723 ffs_obj->ffs_data = NULL;
3724
3725 if (test_and_clear_bit(FFS_FL_CALL_CLOSED_CALLBACK, &ffs->flags) &&
3726 ffs_obj->ffs_closed_callback)
3727 ffs_obj->ffs_closed_callback(ffs);
3728
3729 if (ffs_obj->opts)
3730 opts = ffs_obj->opts;
3731 else
3732 goto done;
3733
3734 if (opts->no_configfs || !opts->func_inst.group.cg_item.ci_parent
3735 || !kref_read(&opts->func_inst.group.cg_item.ci_kref))
3736 goto done;
3737
3738 ci = opts->func_inst.group.cg_item.ci_parent->ci_parent;
3739 ffs_dev_unlock();
3740
3741 if (test_bit(FFS_FL_BOUND, &ffs->flags))
3742 unregister_gadget_item(ci);
3743 return;
3744 done:
3745 ffs_dev_unlock();
3746 }
3747
3748 /* Misc helper functions ****************************************************/
ffs_mutex_lock(struct mutex * mutex,unsigned nonblock)3749 static int ffs_mutex_lock(struct mutex *mutex, unsigned nonblock)
3750 {
3751 return nonblock
3752 ? likely(mutex_trylock(mutex)) ? 0 : -EAGAIN
3753 : mutex_lock_interruptible(mutex);
3754 }
3755
ffs_prepare_buffer(const char __user * buf,size_t len)3756 static char *ffs_prepare_buffer(const char __user *buf, size_t len)
3757 {
3758 char *data = NULL;
3759
3760 if (unlikely(!len))
3761 return NULL;
3762
3763 data = kmalloc(len, GFP_KERNEL);
3764 if (unlikely(!data))
3765 return ERR_PTR(-ENOMEM);
3766
3767 if (unlikely(copy_from_user(data, buf, len))) {
3768 kfree(data);
3769 return ERR_PTR(-EFAULT);
3770 }
3771
3772 pr_vdebug("Buffer from user space:\n");
3773 ffs_dump_mem("", data, len);
3774
3775 return data;
3776 }
3777
3778 DECLARE_USB_FUNCTION_INIT(f_generic, ffs_alloc_inst, ffs_alloc);
3779 MODULE_LICENSE("GPL");