1 // SPDX-License-Identifier: GPL-2.0+
2 /*
3 * f_fs.c -- user mode file system API for USB composite function controllers
4 *
5 * Copyright (C) 2010 Samsung Electronics
6 * Author: Michal Nazarewicz <mina86@mina86.com>
7 *
8 * Based on inode.c (GadgetFS) which was:
9 * Copyright (C) 2003-2004 David Brownell
10 * Copyright (C) 2003 Agilent Technologies
11 */
12
13 /* #define DEBUG */
14 /* #define VERBOSE_DEBUG */
15 #include <asm/ptrace.h>
16 #include <linux/export.h>
17 #include <linux/hid.h>
18 #include <linux/miscdevice.h>
19 #include <linux/usb/functionfs.h>
20 #include <linux/kfifo.h>
21 #include <linux/module.h>
22 #include <linux/poll.h>
23 #include <linux/eventfd.h>
24 #include <linux/dma-mapping.h>
25 #include <linux/usb/cdc.h>
26 #include <linux/interrupt.h>
27 #include "u_generic.h"
28 #include "u_f.h"
29 #include "u_os_desc.h"
30 #include "configfs.h"
31
32 #define FUNCTIONFS_MAGIC 0xa647361 /* Chosen by a honest dice roll ;) */
33 #define USB_CDC_SET_COMM_FEATURE 0x02
34
35 /* Reference counter handling */
36 static void ffs_data_get(struct ffs_data *ffs);
37 static void ffs_data_put(struct ffs_data *ffs);
38 /* Creates new ffs_data object. */
39 static struct ffs_data *__must_check ffs_data_new(const char *dev_name)
40 __attribute__((malloc));
41
42 /* Called with ffs->mutex held; take over ownership of data. */
43 static int __must_check
44 __ffs_data_got_descs(struct ffs_data *ffs, char *data, size_t len);
45 static int __must_check
46 __ffs_data_got_strings(struct ffs_data *ffs, char *data, size_t len);
47
48 /* The function structure ***************************************************/
49
50 struct ffs_ep;
51
52 struct ffs_function {
53 struct usb_configuration *conf;
54 struct usb_gadget *gadget;
55 struct ffs_data *ffs;
56
57 struct ffs_ep *eps;
58 u8 eps_revmap[16];
59 short *interfaces_nums;
60
61 struct usb_function function;
62 };
ffs_func_from_usb(struct usb_function * f)63 static struct ffs_function *ffs_func_from_usb(struct usb_function *f)
64 {
65 return container_of(f, struct ffs_function, function);
66 }
ffs_setup_state_clear_cancelled(struct ffs_data * ffs)67 static inline enum ffs_setup_state ffs_setup_state_clear_cancelled(struct ffs_data *ffs)
68 {
69 return (enum ffs_setup_state)
70 cmpxchg(&ffs->setup_state, FFS_SETUP_CANCELLED, FFS_NO_SETUP);
71 }
72 static void ffs_func_eps_disable(struct ffs_function *func);
73 static int __must_check ffs_func_eps_enable(struct ffs_function *func);
74
75 static int ffs_func_bind(struct usb_configuration *,
76 struct usb_function *);
77 static int ffs_func_set_alt(struct usb_function *, unsigned, unsigned);
78 static void ffs_func_disable(struct usb_function *);
79 static int ffs_func_setup(struct usb_function *,
80 const struct usb_ctrlrequest *);
81 static bool ffs_func_req_match(struct usb_function *,
82 const struct usb_ctrlrequest *,
83 bool config0);
84 static void ffs_func_suspend(struct usb_function *);
85 static void ffs_func_resume(struct usb_function *);
86
87 static int ffs_func_revmap_ep(struct ffs_function *func, u8 num);
88 static int ffs_func_revmap_intf(struct ffs_function *func, u8 intf);
89
90 /* The endpoints structures *************************************************/
91 struct ffs_ep {
92 struct usb_ep *ep; /* P: ffs->eps_lock */
93 struct usb_request *req; /* P: epfile->mutex */
94
95 /* [0]: full speed, [1]: high speed, [2]: super speed */
96 struct usb_endpoint_descriptor *descs[3];
97
98 u8 num;
99
100 int status; /* P: epfile->mutex */
101 };
102
103 struct ffs_epfile {
104 /* Protects ep->ep and ep->req. */
105 struct mutex mutex;
106 struct list_head memory_list;
107 struct ffs_data *ffs;
108 struct ffs_ep *ep; /* P: ffs->eps_lock */
109 /*
110 * Buffer for holding data from partial reads which may happen since
111 * we’re rounding user read requests to a multiple of a max packet size.
112 *
113 * The pointer is initialised with NULL value and may be set by
114 * __ffs_epfile_read_data function to point to a temporary buffer.
115 *
116 * In normal operation, calls to __ffs_epfile_read_buffered will consume
117 * data from said buffer and eventually free it. Importantly, while the
118 * function is using the buffer, it sets the pointer to NULL. This is
119 * all right since __ffs_epfile_read_data and __ffs_epfile_read_buffered
120 * can never run concurrently (they are synchronised by epfile->mutex)
121 * so the latter will not assign a new value to the pointer.
122 *
123 * Meanwhile ffs_func_eps_disable frees the buffer (if the pointer is
124 * valid) and sets the pointer to READ_BUFFER_DROP value. This special
125 * value is crux of the synchronisation between ffs_func_eps_disable and
126 * __ffs_epfile_read_data.
127 *
128 * Once __ffs_epfile_read_data is about to finish it will try to set the
129 * pointer back to its old value (as described above), but seeing as the
130 * pointer is not-NULL (namely READ_BUFFER_DROP) it will instead free
131 * the buffer.
132 *
133 * == State transitions ==
134 *
135 * • ptr == NULL: (initial state)
136 * ◦ __ffs_epfile_read_buffer_free: go to ptr == DROP
137 * ◦ __ffs_epfile_read_buffered: nop
138 * ◦ __ffs_epfile_read_data allocates temp buffer: go to ptr == buf
139 * ◦ reading finishes: n/a, not in ‘and reading’ state
140 * • ptr == DROP:
141 * ◦ __ffs_epfile_read_buffer_free: nop
142 * ◦ __ffs_epfile_read_buffered: go to ptr == NULL
143 * ◦ __ffs_epfile_read_data allocates temp buffer: free buf, nop
144 * ◦ reading finishes: n/a, not in ‘and reading’ state
145 * • ptr == buf:
146 * ◦ __ffs_epfile_read_buffer_free: free buf, go to ptr == DROP
147 * ◦ __ffs_epfile_read_buffered: go to ptr == NULL and reading
148 * ◦ __ffs_epfile_read_data: n/a, __ffs_epfile_read_buffered
149 * is always called first
150 * ◦ reading finishes: n/a, not in ‘and reading’ state
151 * • ptr == NULL and reading:
152 * ◦ __ffs_epfile_read_buffer_free: go to ptr == DROP and reading
153 * ◦ __ffs_epfile_read_buffered: n/a, mutex is held
154 * ◦ __ffs_epfile_read_data: n/a, mutex is held
155 * ◦ reading finishes and …
156 * … all data read: free buf, go to ptr == NULL
157 * … otherwise: go to ptr == buf and reading
158 * • ptr == DROP and reading:
159 * ◦ __ffs_epfile_read_buffer_free: nop
160 * ◦ __ffs_epfile_read_buffered: n/a, mutex is held
161 * ◦ __ffs_epfile_read_data: n/a, mutex is held
162 * ◦ reading finishes: free buf, go to ptr == DROP
163 */
164 struct ffs_buffer *read_buffer;
165 #define READ_BUFFER_DROP ((struct ffs_buffer *)ERR_PTR(-ESHUTDOWN))
166
167 char name[MAX_NAMELEN];
168 dev_t devno;
169 struct cdev *cdev;
170 struct device *device;
171
172 unsigned char in; /* P: ffs->eps_lock */
173 unsigned char isoc; /* P: ffs->eps_lock */
174
175 struct kfifo reqEventFifo;
176 wait_queue_head_t wait_que;
177
178 unsigned char _pad;
179 atomic_t force_wakeup;
180 };
181
182 struct ffs_buffer {
183 size_t length;
184 char *data;
185 char storage[];
186 };
187
188 /* ffs_io_data structure ***************************************************/
189
190 struct ffs_io_data {
191 uint32_t aio;
192 uint32_t read;
193 uint32_t len;
194 uint32_t timeout;
195 uint64_t buf;
196 uint32_t actual;
197 int status;
198 struct tasklet_struct task;
199 struct usb_ep *ep;
200 struct usb_request *req;
201 struct ffs_epfile *epfile;
202 struct ffs_data *ffs;
203 struct work_struct work;
204 };
205
206 struct ffs_desc_helper {
207 struct ffs_data *ffs;
208 unsigned interfaces_count;
209 unsigned eps_count;
210 };
211
212 static int __must_check ffs_epfiles_create(struct ffs_data *ffs);
213 static void ffs_epfiles_destroy(struct ffs_epfile *epfiles, unsigned count);
214
215 /* Devices management *******************************************************/
216
217 DEFINE_MUTEX(ffs_lock_adapter);
218 EXPORT_SYMBOL_GPL(ffs_lock_adapter);
219
220 static struct ffs_dev *_ffs_find_dev(const char *name);
221 static struct ffs_dev *_ffs_alloc_dev(void);
222 static void _ffs_free_dev(struct ffs_dev *dev);
223 static void *ffs_acquire_dev(const char *dev_name);
224 static void ffs_release_dev(struct ffs_data *ffs_data);
225 static int ffs_ready(struct ffs_data *ffs);
226 static void ffs_closed(struct ffs_data *ffs);
227
228 /* Misc helper functions ****************************************************/
229
230 static int ffs_mutex_lock(struct mutex *mutex, unsigned nonblock)
231 __attribute__((warn_unused_result, nonnull));
232 static char *ffs_prepare_buffer(const char __user *buf, size_t len)
233 __attribute__((warn_unused_result, nonnull));
234
235 struct class *ffs_class;
ffs_devnode(const struct device * dev,umode_t * mode)236 static char *ffs_devnode(const struct device *dev, umode_t *mode)
237 {
238 if (mode)
239 *mode = 0666;
240 return kasprintf(GFP_KERNEL, "functionfs/%s", dev_name(dev));
241 }
242
243 /* Control file aka ep0 *****************************************************/
generic_find_ep0_memory_area(struct ffs_data * ffs,uint64_t buf,uint32_t len)244 static struct ffs_memory *generic_find_ep0_memory_area(struct ffs_data *ffs, uint64_t buf, uint32_t len)
245 {
246 struct ffs_memory *ffsm = NULL;
247 struct ffs_memory *iter = NULL;
248 uint64_t buf_start = buf;
249 unsigned long flags;
250
251 spin_lock_irqsave(&ffs->mem_lock, flags);
252 list_for_each_entry(iter, &ffs->memory_list, memlist) {
253 if (buf_start >= iter->vm_start &&
254 buf_start < iter->vm_start + iter->size) {
255 if (len <= iter->vm_start + iter->size - buf_start) {
256 ffsm = iter;
257 break;
258 }
259 }
260 }
261 spin_unlock_irqrestore(&ffs->mem_lock, flags);
262 return ffsm;
263 }
264
ffs_ep0_complete(struct usb_ep * ep,struct usb_request * req)265 static void ffs_ep0_complete(struct usb_ep *ep, struct usb_request *req)
266 {
267 struct ffs_data *ffs = req->context;
268
269 complete(&ffs->ep0req_completion);
270
271 ffs->setup_state = FFS_NO_SETUP;
272 }
273
ffs_ep0_async_io_complete(struct usb_ep * _ep,struct usb_request * req)274 static void ffs_ep0_async_io_complete(struct usb_ep *_ep, struct usb_request *req)
275 {
276 struct ffs_io_data *io_data = req->context;
277 struct ffs_data *ffs = io_data->ffs;
278 ENTER();
279
280 io_data->status = io_data->req->status;
281 io_data->actual = io_data->req->actual;
282 kfifo_in(&ffs->reqEventFifo, &io_data->buf, sizeof(struct UsbFnReqEvent));
283 wake_up_all(&ffs->wait_que);
284
285 list_del(&req->list);
286 usb_ep_free_request(io_data->ep, io_data->req);
287 kfree(io_data);
288
289 }
290
__ffs_ep0_queue_wait(struct ffs_data * ffs,char * data,size_t len)291 static int __ffs_ep0_queue_wait(struct ffs_data *ffs, char *data, size_t len)
292 __releases(&ffs->ev.waitq.lock)
293 {
294 struct usb_request *req = ffs->ep0req;
295 int ret;
296
297 req->zero = len < le16_to_cpu(ffs->ev.setup.wLength);
298
299 spin_unlock_irq(&ffs->ev.waitq.lock);
300
301 req->buf = data;
302 req->length = len;
303
304 /*
305 * UDC layer requires to provide a buffer even for ZLP, but should
306 * not use it at all. Let's provide some poisoned pointer to catch
307 * possible bug in the driver.
308 */
309 if (req->buf == NULL)
310 req->buf = (void *)0xDEADBABE;
311
312 reinit_completion(&ffs->ep0req_completion);
313
314 ret = usb_ep_queue(ffs->gadget->ep0, req, GFP_ATOMIC);
315 if (unlikely(ret < 0))
316 return ret;
317
318 ret = wait_for_completion_interruptible(&ffs->ep0req_completion);
319 if (unlikely(ret)) {
320 usb_ep_dequeue(ffs->gadget->ep0, req);
321 return -EINTR;
322 }
323
324 ffs->setup_state = FFS_NO_SETUP;
325 return req->status ? req->status : req->actual;
326 }
327
__ffs_ep0_stall(struct ffs_data * ffs)328 static int __ffs_ep0_stall(struct ffs_data *ffs)
329 {
330 if (ffs->ev.can_stall) {
331 pr_vdebug("ep0 stall\n");
332 usb_ep_set_halt(ffs->gadget->ep0);
333 ffs->setup_state = FFS_NO_SETUP;
334 return -EL2HLT;
335 } else {
336 pr_debug("bogus ep0 stall!\n");
337 return -ESRCH;
338 }
339 }
340
ffs_ep0_write(struct file * file,const char __user * buf,size_t len,loff_t * ptr)341 static ssize_t ffs_ep0_write(struct file *file, const char __user *buf, size_t len, loff_t *ptr)
342 {
343 struct ffs_data *ffs = file->private_data;
344 ssize_t ret;
345 char *data = NULL;
346
347 ENTER();
348
349 /* Fast check if setup was canceled */
350 if (ffs_setup_state_clear_cancelled(ffs) == FFS_SETUP_CANCELLED)
351 return -EIDRM;
352
353 /* Acquire mutex */
354 ret = ffs_mutex_lock(&ffs->mutex, file->f_flags & O_NONBLOCK);
355 if (unlikely(ret < 0))
356 return ret;
357
358 /* Check state */
359 switch (ffs->state) {
360 case FFS_READ_DESCRIPTORS:
361 case FFS_READ_STRINGS:
362 /* Copy data */
363 if (unlikely(len < 16)) {
364 ret = -EINVAL;
365 break;
366 }
367
368 data = ffs_prepare_buffer(buf, len);
369 if (IS_ERR(data)) {
370 ret = PTR_ERR(data);
371 break;
372 }
373
374 /* Handle data */
375 if (ffs->state == FFS_READ_DESCRIPTORS) {
376 pr_info("read descriptors\n");
377 ret = __ffs_data_got_descs(ffs, data, len);
378 if (unlikely(ret < 0))
379 break;
380
381 ffs->state = FFS_READ_STRINGS;
382 ret = len;
383 } else {
384 pr_info("read strings\n");
385 ret = __ffs_data_got_strings(ffs, data, len);
386 if (unlikely(ret < 0))
387 break;
388
389 ret = ffs_epfiles_create(ffs);
390 if (unlikely(ret)) {
391 ffs->state = FFS_CLOSING;
392 break;
393 }
394
395 ffs->state = FFS_ACTIVE;
396 mutex_unlock(&ffs->mutex);
397
398 ret = ffs_ready(ffs);
399 if (unlikely(ret < 0)) {
400 ffs->state = FFS_CLOSING;
401 return ret;
402 }
403
404 return len;
405 }
406 break;
407
408 case FFS_ACTIVE:
409 data = NULL;
410 /*
411 * We're called from user space, we can use _irq
412 * rather then _irqsave
413 */
414 spin_lock_irq(&ffs->ev.waitq.lock);
415 switch (ffs_setup_state_clear_cancelled(ffs)) {
416 case FFS_SETUP_CANCELLED:
417 ret = -EIDRM;
418 goto done_spin;
419
420 case FFS_NO_SETUP:
421 ret = -ESRCH;
422 goto done_spin;
423
424 case FFS_SETUP_PENDING:
425 break;
426 }
427
428 /* FFS_SETUP_PENDING */
429 if (!(ffs->ev.setup.bRequestType & USB_DIR_IN)) {
430 spin_unlock_irq(&ffs->ev.waitq.lock);
431 ret = __ffs_ep0_stall(ffs);
432 break;
433 }
434
435 /* FFS_SETUP_PENDING and not stall */
436 len = min(len, (size_t)le16_to_cpu(ffs->ev.setup.wLength));
437
438 spin_unlock_irq(&ffs->ev.waitq.lock);
439
440 data = ffs_prepare_buffer(buf, len);
441 if (IS_ERR(data)) {
442 ret = PTR_ERR(data);
443 break;
444 }
445
446 spin_lock_irq(&ffs->ev.waitq.lock);
447
448 /*
449 * We are guaranteed to be still in FFS_ACTIVE state
450 * but the state of setup could have changed from
451 * FFS_SETUP_PENDING to FFS_SETUP_CANCELLED so we need
452 * to check for that. If that happened we copied data
453 * from user space in vain but it's unlikely.
454 *
455 * For sure we are not in FFS_NO_SETUP since this is
456 * the only place FFS_SETUP_PENDING -> FFS_NO_SETUP
457 * transition can be performed and it's protected by
458 * mutex.
459 */
460 if (ffs_setup_state_clear_cancelled(ffs) ==
461 FFS_SETUP_CANCELLED) {
462 ret = -EIDRM;
463 done_spin:
464 spin_unlock_irq(&ffs->ev.waitq.lock);
465 } else {
466 /* unlocks spinlock */
467 ret = __ffs_ep0_queue_wait(ffs, data, len);
468 }
469 kfree(data);
470 break;
471
472 default:
473 ret = -EBADFD;
474 break;
475 }
476
477 mutex_unlock(&ffs->mutex);
478 return ret;
479 }
480
481 /* Called with ffs->ev.waitq.lock and ffs->mutex held, both released on exit. */
__ffs_ep0_read_events(struct ffs_data * ffs,char __user * buf,size_t n)482 static ssize_t __ffs_ep0_read_events(struct ffs_data *ffs, char __user *buf, size_t n)
483 __releases(&ffs->ev.waitq.lock)
484 {
485 /*
486 * n cannot be bigger than ffs->ev.count, which cannot be bigger than
487 * size of ffs->ev.types array (which is four) so that's how much space
488 * we reserve.
489 */
490 struct usb_functionfs_event events[ARRAY_SIZE(ffs->ev.types)];
491 const size_t size = n * sizeof *events;
492 unsigned i = 0;
493
494 memset(events, 0, size);
495
496 do {
497 events[i].type = ffs->ev.types[i];
498 if (events[i].type == FUNCTIONFS_SETUP) {
499 events[i].u.setup = ffs->ev.setup;
500 ffs->setup_state = FFS_SETUP_PENDING;
501 }
502 } while (++i < n);
503
504 ffs->ev.count -= n;
505 if (ffs->ev.count)
506 memmove(ffs->ev.types, ffs->ev.types + n, ffs->ev.count * sizeof *ffs->ev.types);
507
508 spin_unlock_irq(&ffs->ev.waitq.lock);
509 mutex_unlock(&ffs->mutex);
510
511 return unlikely(copy_to_user(buf, events, size)) ? -EFAULT : size;
512 }
513
ffs_ep0_read(struct file * file,char __user * buf,size_t len,loff_t * ptr)514 static ssize_t ffs_ep0_read(struct file *file, char __user *buf, size_t len, loff_t *ptr)
515 {
516 struct ffs_data *ffs = file->private_data;
517 char *data = NULL;
518 size_t n;
519 int ret;
520
521 ENTER();
522
523 /* Fast check if setup was canceled */
524 if (ffs_setup_state_clear_cancelled(ffs) == FFS_SETUP_CANCELLED)
525 return -EIDRM;
526
527 /* Acquire mutex */
528 ret = ffs_mutex_lock(&ffs->mutex, file->f_flags & O_NONBLOCK);
529 if (unlikely(ret < 0))
530 return ret;
531
532 /* Check state */
533 if (ffs->state != FFS_ACTIVE) {
534 ret = -EBADFD;
535 goto done_mutex;
536 }
537
538 /*
539 * We're called from user space, we can use _irq rather then
540 * _irqsave
541 */
542 spin_lock_irq(&ffs->ev.waitq.lock);
543
544 switch (ffs_setup_state_clear_cancelled(ffs)) {
545 case FFS_SETUP_CANCELLED:
546 ret = -EIDRM;
547 break;
548
549 case FFS_NO_SETUP:
550 n = len / sizeof(struct usb_functionfs_event);
551 if (unlikely(!n)) {
552 ret = -EINVAL;
553 break;
554 }
555
556 if ((file->f_flags & O_NONBLOCK) && !ffs->ev.count) {
557 ret = -EAGAIN;
558 break;
559 }
560
561 if (wait_event_interruptible_exclusive_locked_irq(ffs->ev.waitq,
562 ffs->ev.count)) {
563 ret = -EINTR;
564 break;
565 }
566
567 /* unlocks spinlock */
568 return __ffs_ep0_read_events(ffs, buf,
569 min(n, (size_t)ffs->ev.count));
570
571 case FFS_SETUP_PENDING:
572 if (ffs->ev.setup.bRequestType & USB_DIR_IN) {
573 spin_unlock_irq(&ffs->ev.waitq.lock);
574 ret = __ffs_ep0_stall(ffs);
575 goto done_mutex;
576 }
577
578 len = min(len, (size_t)le16_to_cpu(ffs->ev.setup.wLength));
579
580 spin_unlock_irq(&ffs->ev.waitq.lock);
581
582 if (likely(len)) {
583 data = kmalloc(len, GFP_KERNEL);
584 if (unlikely(!data)) {
585 ret = -ENOMEM;
586 goto done_mutex;
587 }
588 }
589
590 spin_lock_irq(&ffs->ev.waitq.lock);
591
592 /* See ffs_ep0_write() */
593 if (ffs_setup_state_clear_cancelled(ffs) ==
594 FFS_SETUP_CANCELLED) {
595 ret = -EIDRM;
596 break;
597 }
598
599 /* unlocks spinlock */
600 ret = __ffs_ep0_queue_wait(ffs, data, len);
601 if (likely(ret > 0) && unlikely(copy_to_user(buf, data, len)))
602 ret = -EFAULT;
603 goto done_mutex;
604
605 default:
606 ret = -EBADFD;
607 break;
608 }
609
610 spin_unlock_irq(&ffs->ev.waitq.lock);
611 done_mutex:
612 mutex_unlock(&ffs->mutex);
613 kfree(data);
614 return ret;
615 }
616
617 struct ffs_data_list {
618 struct list_head list;
619 struct ffs_data *ffs_data;
620 };
621
622 static struct ffs_data_list ffs_data_head = { 0 };
623
map_cdev_to_ffs_data(struct ffs_data * data)624 static bool map_cdev_to_ffs_data(struct ffs_data *data)
625 {
626 if (data == NULL) {
627 return false;
628 }
629
630 if (ffs_data_head.list.next == NULL) {
631 INIT_LIST_HEAD(&ffs_data_head.list);
632 }
633
634 struct ffs_data_list *entry = kmalloc(sizeof(struct ffs_data_list), GFP_KERNEL);
635 if (!entry) {
636 return false;
637 }
638 entry->ffs_data = data;
639 list_add_tail(&entry->list, &ffs_data_head.list);
640 return true;
641 }
642
unmap_cdev_to_ffs_data(struct ffs_data * data)643 static bool unmap_cdev_to_ffs_data(struct ffs_data *data)
644 {
645 if (data == NULL || ffs_data_head.list.next == NULL) {
646 return false;
647 }
648
649 struct ffs_data_list *data_entry = NULL, *tmp = NULL;
650 list_for_each_entry_safe(data_entry, tmp, &ffs_data_head.list, list) {
651 if (data_entry != NULL && data_entry->ffs_data == data) {
652 list_del(&data_entry->list);
653 kfree((void *)data_entry);
654 data_entry = NULL;
655 return true;
656 }
657 }
658 return false;
659 }
660
find_ffs_data(struct cdev * cdev)661 static struct ffs_data *find_ffs_data(struct cdev *cdev)
662 {
663 if (ffs_data_head.list.next == NULL || cdev ==NULL) {
664 return NULL;
665 }
666
667 struct ffs_data_list *data_entry = NULL;
668 list_for_each_entry(data_entry, &ffs_data_head.list, list) {
669 if (data_entry != NULL && data_entry->ffs_data != NULL && data_entry->ffs_data->cdev == cdev) {
670 return data_entry->ffs_data;
671 }
672 }
673 return NULL;
674 }
675
ffs_ep0_open(struct inode * inode,struct file * file)676 static int ffs_ep0_open(struct inode *inode, struct file *file)
677 {
678 ENTER();
679
680 struct ffs_data *ffs = find_ffs_data(inode->i_cdev);
681
682 if (!ffs) {
683 pr_err("[%s]ffs not found\n", __func__);
684 return -EBUSY;
685 }
686
687 if (unlikely(ffs->state == FFS_CLOSING))
688 return -EBUSY;
689
690 file->private_data = ffs;
691 return 0;
692 }
693
ffs_ep0_release(struct inode * inode,struct file * file)694 static int ffs_ep0_release(struct inode *inode, struct file *file)
695 {
696 ENTER();
697 return 0;
698 }
699
ffs_ep0_iorw(struct file * file,struct ffs_io_data * io_data)700 static ssize_t ffs_ep0_iorw(struct file *file, struct ffs_io_data *io_data)
701 {
702 struct ffs_data *ffs = file->private_data;
703 struct usb_request *req = NULL;
704 ssize_t ret, data_len = io_data->len;
705 bool interrupted = false;
706 struct ffs_memory *ffsm = NULL;
707
708 /* Are we still active? */
709 if (WARN_ON(ffs->state != FFS_ACTIVE))
710 return -ENODEV;
711 ffsm = generic_find_ep0_memory_area(ffs, io_data->buf, data_len);
712 if (ffsm == NULL)
713 {
714 return -ENODEV;
715 }
716 if (!io_data->aio) {
717 reinit_completion(&ffs->ep0req_completion);
718
719 req = ffs->ep0req;
720 req->buf = (void *)(ffsm->mem + io_data->buf - ffsm->vm_start);
721 req->length = data_len;
722 req->complete = ffs_ep0_complete;
723
724 ret = usb_ep_queue(ffs->gadget->ep0, req, GFP_ATOMIC);
725 if (unlikely(ret < 0))
726 goto error;
727
728 if (io_data->timeout > 0) {
729 ret = wait_for_completion_interruptible_timeout(&ffs->ep0req_completion, io_data->timeout);
730 if (ret < 0) {
731 /*
732 * To avoid race condition with ffs_epfile_io_complete,
733 * dequeue the request first then check
734 * status. usb_ep_dequeue API should guarantee no race
735 * condition with req->complete callback.
736 */
737 usb_ep_dequeue(ffs->gadget->ep0, req);
738 wait_for_completion(&ffs->ep0req_completion);
739 interrupted = req->status < 0;
740 } else if (ret == 0) {
741 ret = -EBUSY;
742 usb_ep_dequeue(ffs->gadget->ep0, req);
743 wait_for_completion(&ffs->ep0req_completion);
744 goto error;
745 }
746 } else {
747 ret = wait_for_completion_interruptible(&ffs->ep0req_completion);
748 if (ret < 0) {
749 usb_ep_dequeue(ffs->gadget->ep0, req);
750 wait_for_completion(&ffs->ep0req_completion);
751 interrupted = req->status < 0;
752 }
753 }
754
755 if (interrupted) {
756 ret = -EINTR;
757 } else {
758 ret = req->actual;
759 }
760 goto error;
761 }
762 else if (!(req = usb_ep_alloc_request(ffs->gadget->ep0, GFP_ATOMIC))) {
763 ret = -ENOMEM;
764 }
765 else {
766 req->buf = (void *)(ffsm->mem + io_data->buf - ffsm->vm_start);
767 req->length = data_len;
768
769 io_data->ep = ffs->gadget->ep0;
770 io_data->req = req;
771 io_data->ffs = ffs;
772
773 req->context = io_data;
774 req->complete = ffs_ep0_async_io_complete;
775 list_add(&req->list, &ffs->ep0req->list);
776 ret = usb_ep_queue(ffs->gadget->ep0, req, GFP_ATOMIC);
777 if (unlikely(ret)) {
778 usb_ep_free_request(ffs->gadget->ep0, req);
779 goto error;
780 }
781
782 ret = -EIOCBQUEUED;
783 }
784
785 error:
786 return ret;
787 }
788
ffs_ep0_ioctl(struct file * file,unsigned code,unsigned long value)789 static long ffs_ep0_ioctl(struct file *file, unsigned code, unsigned long value)
790 {
791 struct ffs_data *ffs = file->private_data;
792 long ret = 0;
793 unsigned int copied = 0;
794 struct ffs_memory *ffsm = NULL;
795 struct generic_memory mem;
796
797 ENTER();
798
799 switch (code) {
800 case FUNCTIONFS_ENDPOINT_QUEUE_INIT:
801 ret = kfifo_alloc(&ffs->reqEventFifo, MAX_REQUEST * sizeof(struct UsbFnReqEvent), GFP_KERNEL);
802 break;
803 case FUNCTIONFS_ENDPOINT_QUEUE_DEL:
804 kfifo_free(&ffs->reqEventFifo);
805 break;
806 case FUNCTIONFS_ENDPOINT_RELEASE_BUF:
807 if (copy_from_user(&mem, (void __user *)value, sizeof(mem)))
808 {
809 pr_info("copy from user failed\n");
810 return -EFAULT;
811 }
812 ffsm = generic_find_ep0_memory_area(ffs, mem.buf, mem.size);
813 if (ffsm == NULL)
814 {
815 return -EFAULT;
816 }
817 list_del(&ffsm->memlist);
818 kfree((void *)ffsm->mem);
819 kfree(ffsm);
820 break;
821 case FUNCTIONFS_ENDPOINT_READ:
822 case FUNCTIONFS_ENDPOINT_WRITE:
823 {
824 struct IoData myIoData;
825 struct ffs_io_data io_data, *p = &io_data;
826 ret = copy_from_user(&myIoData, (void __user *)value, sizeof(struct IoData));
827 if (unlikely(ret)) {
828 return -EFAULT;
829 }
830 if (myIoData.aio) {
831 p = kmalloc(sizeof(io_data), GFP_KERNEL);
832 if (unlikely(!p))
833 return -ENOMEM;
834 } else {
835 memset(p, 0, sizeof(*p));
836 }
837 memcpy(p, &myIoData, sizeof(struct IoData));
838
839 ret = ffs_ep0_iorw(file, p);
840 if (ret == -EIOCBQUEUED) {
841 return 0;
842 }
843 if (p->aio)
844 kfree(p);
845 return ret;
846 }
847 case FUNCTIONFS_ENDPOINT_RW_CANCEL:
848 {
849 struct usb_request *req;
850 struct IoData myIoData;
851 ret = copy_from_user(&myIoData, (void __user *)value, sizeof(struct IoData));
852 if (unlikely(ret)) {
853 pr_err("[%s] cancel: copy from user failed\n", __func__);
854 return -EFAULT;
855 }
856
857 if (ffs == NULL || ffs->ep0req == NULL) {
858 pr_err("[%s] ffs or ep0req is null\n", __func__);
859 return -EFAULT;
860 }
861
862 ffsm = generic_find_ep0_memory_area(ffs, myIoData.buf, myIoData.len);
863 if (ffsm == NULL)
864 {
865 pr_err("[%s] ffsm is null\n", __func__);
866 return -EFAULT;
867 }
868 list_for_each_entry(req, &ffs->ep0req->list, list) {
869 if (req->buf == (void *)(ffsm->mem + myIoData.buf - ffsm->vm_start)) {
870 usb_ep_dequeue(ffs->gadget->ep0, req);
871 return 0;
872 }
873 }
874 return -EFAULT;
875 }
876 case FUNCTIONFS_ENDPOINT_GET_REQ_STATUS:
877 {
878 struct usb_request *req;
879 struct IoData myIoData;
880 ret = copy_from_user(&myIoData, (void __user *)value, sizeof(struct IoData));
881 if (unlikely(ret)) {
882 return -EFAULT;
883 }
884 ffsm = generic_find_ep0_memory_area(ffs, myIoData.buf, myIoData.len);
885 if (ffsm == NULL)
886 {
887 return -EFAULT;
888 }
889 list_for_each_entry(req, &ffs->ep0req->list, list) {
890 if (req->buf == (void *)(ffsm->mem + myIoData.buf - ffsm->vm_start)) {
891 return req->status;
892 }
893 }
894 return -EFAULT;
895 }
896 case FUNCTIONFS_ENDPOINT_GET_EP0_EVENT:
897 if (!kfifo_is_empty(&ffs->reqEventFifo)) {
898 ret = kfifo_to_user(&ffs->reqEventFifo, (void __user *)value,
899 sizeof(struct UsbFnReqEvent), &copied) == 0 ? copied : -1;
900 if (ret > 0) {
901 ffs->setup_state = FFS_NO_SETUP;
902 return ret;
903 }
904 }
905
906 return -EFAULT;
907 }
908
909 return ret;
910 }
911
912 #ifdef CONFIG_COMPAT
ffs_ep0_compat_ioctl(struct file * file,unsigned code,unsigned long value)913 static long ffs_ep0_compat_ioctl(struct file *file, unsigned code,
914 unsigned long value)
915 {
916 return ffs_ep0_ioctl(file, code, value);
917 }
918 #endif
919
ffs_ep0_poll(struct file * file,poll_table * wait)920 static __poll_t ffs_ep0_poll(struct file *file, poll_table *wait)
921 {
922 struct ffs_data *ffs = file->private_data;
923 __poll_t mask = EPOLLWRNORM;
924 int ret;
925
926 ret = ffs_mutex_lock(&ffs->mutex, file->f_flags & O_NONBLOCK);
927 if (unlikely(ret < 0))
928 return mask;
929
930 switch (ffs->state) {
931 case FFS_READ_DESCRIPTORS:
932 case FFS_READ_STRINGS:
933 mask |= EPOLLOUT;
934 break;
935
936 case FFS_ACTIVE:
937 switch (ffs->setup_state) {
938 case FFS_NO_SETUP:
939 poll_wait(file, &ffs->ev.waitq, wait);
940 if (ffs->ev.count)
941 mask |= EPOLLIN;
942 break;
943
944 case FFS_SETUP_PENDING:
945 case FFS_SETUP_CANCELLED:
946 poll_wait(file, &ffs->wait_que, wait);
947 if (!kfifo_is_empty(&ffs->reqEventFifo))
948 {
949 mask |= EPOLLOUT;
950 }
951 break;
952 }
953 case FFS_CLOSING:
954 break;
955 case FFS_DEACTIVATED:
956 break;
957 }
958
959 mutex_unlock(&ffs->mutex);
960
961 return mask;
962 }
963
ffs_ep0_mmap(struct file * file,struct vm_area_struct * vma)964 static int ffs_ep0_mmap(struct file *file, struct vm_area_struct *vma)
965 {
966 struct ffs_data *ffs = file->private_data;
967 size_t size = vma->vm_end - vma->vm_start;
968 unsigned long flags;
969 struct ffs_memory *ffsm = NULL;
970 void *virt_mem = NULL;
971
972 if (ffs == NULL) {
973 pr_info("Invalid private parameter!\n");
974 return -EINVAL;
975 }
976 virt_mem = kmalloc(size, GFP_KERNEL);
977 if (virt_mem == NULL)
978 {
979 pr_info("%s alloc memory failed!\n", __FUNCTION__);
980 return -ENOMEM;
981 }
982 ffsm = kmalloc(sizeof(struct ffs_memory), GFP_KERNEL);
983 if (ffsm == NULL)
984 {
985 pr_info("%s alloc memory failed!\n", __FUNCTION__);
986 goto error_free_mem;
987 }
988 if (remap_pfn_range(vma, vma->vm_start, virt_to_phys(virt_mem)>>PAGE_SHIFT,
989 vma->vm_end - vma->vm_start, vma->vm_page_prot)) {
990 goto error_free_ffsm;
991 }
992 ffsm->mem = (uint64_t)virt_mem;
993 ffsm->size = size;
994 ffsm->vm_start = vma->vm_start;
995 INIT_LIST_HEAD(&ffsm->memlist);
996 spin_lock_irqsave(&ffs->mem_lock, flags);
997 list_add_tail(&ffsm->memlist, &ffs->memory_list);
998 spin_unlock_irqrestore(&ffs->mem_lock, flags);
999 return 0;
1000 error_free_ffsm:
1001 kfree(ffsm);
1002 error_free_mem:
1003 kfree(virt_mem);
1004 return -1;
1005 }
1006
1007 static const struct file_operations ffs_ep0_operations = {
1008 .owner = THIS_MODULE,
1009 .llseek = no_llseek,
1010 .open = ffs_ep0_open,
1011 .write = ffs_ep0_write,
1012 .read = ffs_ep0_read,
1013 .release = ffs_ep0_release,
1014 .unlocked_ioctl = ffs_ep0_ioctl,
1015 #ifdef CONFIG_COMPAT
1016 .compat_ioctl = ffs_ep0_compat_ioctl,
1017 #endif
1018 .poll = ffs_ep0_poll,
1019 .mmap = ffs_ep0_mmap,
1020 };
1021
1022 /* "Normal" endpoints operations ********************************************/
generic_find_memory_area(struct ffs_epfile * epfile,uint64_t buf,uint32_t len)1023 static struct ffs_memory *generic_find_memory_area(struct ffs_epfile *epfile, uint64_t buf, uint32_t len)
1024 {
1025 struct ffs_memory *ffsm = NULL, *iter = NULL;
1026 uint64_t buf_start = buf;
1027
1028 list_for_each_entry(iter, &epfile->memory_list, memlist) {
1029 if (buf_start >= iter->vm_start &&
1030 buf_start < iter->vm_start + iter->size) {
1031 if (len <= iter->vm_start + iter->size - buf_start) {
1032 ffsm = iter;
1033 break;
1034 }
1035 }
1036 }
1037 return ffsm;
1038 }
1039
ffs_epfile_io_complete(struct usb_ep * _ep,struct usb_request * req)1040 static void ffs_epfile_io_complete(struct usb_ep *_ep, struct usb_request *req)
1041 {
1042 ENTER();
1043 if (likely(req->context)) {
1044 struct ffs_ep *ep = _ep->driver_data;
1045 ep->status = req->status ? req->status : req->actual;
1046 complete(req->context);
1047 }
1048 }
1049
epfile_task_proc(struct work_struct * work)1050 static void epfile_task_proc(struct work_struct *work)
1051 {
1052 struct ffs_io_data *io_data = container_of(work, struct ffs_io_data, work);
1053 struct ffs_epfile *epfile = io_data->epfile;
1054 unsigned long flags;
1055
1056 spin_lock_irqsave(&epfile->ffs->eps_lock, flags);
1057 io_data->status = io_data->req->status;
1058 io_data->actual = io_data->req->actual;
1059 kfifo_in(&epfile->reqEventFifo, &io_data->buf, sizeof(struct UsbFnReqEvent));
1060 list_del(&io_data->req->list);
1061 usb_ep_free_request(io_data->ep, io_data->req);
1062 kfree(io_data);
1063 spin_unlock_irqrestore(&epfile->ffs->eps_lock, flags);
1064 wake_up_all(&epfile->wait_que);
1065 }
1066
ffs_epfile_async_io_complete(struct usb_ep * _ep,struct usb_request * req)1067 static void ffs_epfile_async_io_complete(struct usb_ep *_ep, struct usb_request *req)
1068 {
1069 struct ffs_io_data *io_data = req->context;
1070 struct ffs_data *ffs = io_data->ffs;
1071 INIT_WORK(&io_data->work, epfile_task_proc);
1072 queue_work(ffs->io_completion_wq, &io_data->work);
1073 }
1074
1075 struct ffs_epfile_list {
1076 struct list_head list;
1077 struct ffs_epfile *ffs_epfile;
1078 };
1079
1080 static struct ffs_epfile_list ffs_epfile_head = { 0 };
1081
map_cdev_to_ffs_epfile(struct ffs_epfile * data)1082 static bool map_cdev_to_ffs_epfile(struct ffs_epfile *data)
1083 {
1084 if (data == NULL) {
1085 return false;
1086 }
1087
1088 if (ffs_epfile_head.list.next == NULL) {
1089 INIT_LIST_HEAD(&ffs_epfile_head.list);
1090 }
1091
1092 struct ffs_epfile_list *entry = kmalloc(sizeof(struct ffs_epfile_list), GFP_KERNEL);
1093 if (!entry) {
1094 return false;
1095 }
1096 entry->ffs_epfile = data;
1097 list_add_tail(&entry->list, &ffs_epfile_head.list);
1098 return true;
1099 }
1100
unmap_cdev_to_ffs_epfile(struct ffs_epfile * data)1101 static bool unmap_cdev_to_ffs_epfile(struct ffs_epfile *data)
1102 {
1103 if (data == NULL || ffs_epfile_head.list.next == NULL) {
1104 return false;
1105 }
1106
1107 struct ffs_epfile_list *data_entry = NULL, *tmp =NULL;
1108 list_for_each_entry_safe(data_entry, tmp, &ffs_epfile_head.list, list) {
1109 if (data_entry != NULL && data_entry->ffs_epfile == data) {
1110 list_del(&data_entry->list);
1111 kfree((void *)data_entry);
1112 data_entry = NULL;
1113 return true;
1114 }
1115 }
1116 return false;
1117 }
1118
find_ffs_epfile(struct cdev * cdev)1119 static struct ffs_epfile *find_ffs_epfile(struct cdev *cdev)
1120 {
1121 if (ffs_epfile_head.list.next == NULL || cdev ==NULL) {
1122 return NULL;
1123 }
1124
1125 struct ffs_epfile_list *data_entry = NULL;
1126 list_for_each_entry(data_entry, &ffs_epfile_head.list, list) {
1127 if (data_entry != NULL && data_entry->ffs_epfile != NULL && data_entry->ffs_epfile->cdev == cdev) {
1128 return data_entry->ffs_epfile;
1129 }
1130 }
1131 return NULL;
1132 }
1133
ffs_epfile_open(struct inode * inode,struct file * file)1134 static int ffs_epfile_open(struct inode *inode, struct file *file)
1135 {
1136 ENTER();
1137 struct ffs_epfile *epfile = find_ffs_epfile(inode->i_cdev);
1138 if (epfile ==NULL) {
1139 pr_err("[%s]epfile not found\n", __func__);
1140 return -ENODEV;
1141 }
1142
1143 if (WARN_ON(epfile->ffs->state != FFS_ACTIVE))
1144 return -ENODEV;
1145
1146 file->private_data = epfile;
1147 return 0;
1148 }
1149
ffs_epfile_release(struct inode * inode,struct file * file)1150 static int ffs_epfile_release(struct inode *inode, struct file *file)
1151 {
1152 ENTER();
1153 return 0;
1154 }
1155
ffs_epfile_mmap(struct file * file,struct vm_area_struct * vma)1156 static int ffs_epfile_mmap(struct file *file, struct vm_area_struct *vma)
1157 {
1158 struct ffs_epfile *epfile = file->private_data;
1159 size_t size = vma->vm_end - vma->vm_start;
1160 struct ffs_memory *ffsm = NULL;
1161 unsigned long flags;
1162 void *virt_mem = NULL;
1163
1164 if (epfile == NULL)
1165 {
1166 pr_info("Invalid private parameter!\n");
1167 return -EINVAL;
1168 }
1169 virt_mem = kmalloc(size, GFP_KERNEL);
1170 if (virt_mem == NULL)
1171 {
1172 pr_info("%s alloc virt_mem memory failed!\n", __FUNCTION__);
1173 return -ENOMEM;
1174 }
1175 ffsm = kmalloc(sizeof(struct ffs_memory), GFP_KERNEL);
1176 if (ffsm == NULL)
1177 {
1178 pr_info("%s alloc ffsm memory failed!\n", __FUNCTION__);
1179 goto error_free_mem;
1180 }
1181 if (remap_pfn_range(vma, vma->vm_start, virt_to_phys(virt_mem)>>PAGE_SHIFT,
1182 vma->vm_end - vma->vm_start, vma->vm_page_prot))
1183 {
1184 goto error_free_ffsm;
1185 }
1186 ffsm->mem = (uint64_t)virt_mem;
1187 ffsm->size = size;
1188 ffsm->vm_start = vma->vm_start;
1189 INIT_LIST_HEAD(&ffsm->memlist);
1190 spin_lock_irqsave(&epfile->ffs->eps_lock, flags);
1191 list_add_tail(&ffsm->memlist, &epfile->memory_list);
1192 spin_unlock_irqrestore(&epfile->ffs->eps_lock, flags);
1193
1194 return 0;
1195 error_free_ffsm:
1196 kfree(ffsm);
1197 error_free_mem:
1198 kfree(virt_mem);
1199
1200 return -1;
1201 }
1202
ffs_epfile_iorw(struct file * file,struct ffs_io_data * io_data)1203 static ssize_t ffs_epfile_iorw(struct file *file, struct ffs_io_data *io_data)
1204 {
1205 struct ffs_epfile *epfile = file->private_data;
1206 struct usb_request *req = NULL;
1207 struct ffs_ep *ep = NULL;
1208 struct ffs_memory *ffsm = NULL;
1209 ssize_t ret, data_len = -EINVAL;
1210 int halt;
1211
1212 /* Are we still active? */
1213 if (WARN_ON(epfile->ffs->state != FFS_ACTIVE))
1214 return -ENODEV;
1215
1216 /* Wait for endpoint to be enabled */
1217 ep = epfile->ep;
1218 if (!ep) {
1219 if (file->f_flags & O_NONBLOCK)
1220 return -EAGAIN;
1221 pr_info("%s ep is null, wait epfile->ep interrupt.\n", __FUNCTION__);
1222 ret = wait_event_interruptible(
1223 epfile->ffs->wait, ((epfile->ep) || atomic_read(&epfile->force_wakeup)));
1224 if (ret || !epfile->ep) {
1225 atomic_set(&epfile->force_wakeup, 0);
1226 return -EINTR;
1227 }
1228 }
1229
1230 /* Do we halt? */
1231 halt = (!io_data->read == !epfile->in);
1232 if (halt && epfile->isoc)
1233 return -EINVAL;
1234
1235 /* We will be using request and read_buffer */
1236 ret = ffs_mutex_lock(&epfile->mutex, file->f_flags & O_NONBLOCK);
1237 if (unlikely(ret))
1238 goto error;
1239
1240 /* Allocate & copy */
1241 if (!halt) {
1242 struct usb_gadget *gadget;
1243 /*
1244 * if we _do_ wait above, the epfile->ffs->gadget might be NULL
1245 * before the waiting completes, so do not assign to 'gadget'
1246 * earlier
1247 */
1248 gadget = epfile->ffs->gadget;
1249
1250 spin_lock_irq(&epfile->ffs->eps_lock);
1251 /* In the meantime, endpoint got disabled or changed. */
1252 if (epfile->ep != ep) {
1253 ret = -ESHUTDOWN;
1254 goto error_lock;
1255 }
1256 data_len = io_data->len;
1257 /*
1258 * Controller may require buffer size to be aligned to
1259 * maxpacketsize of an out endpoint.
1260 */
1261 if (io_data->read)
1262 data_len = usb_ep_align_maybe(gadget, ep->ep, data_len);
1263 spin_unlock_irq(&epfile->ffs->eps_lock);
1264 }
1265
1266 spin_lock_irq(&epfile->ffs->eps_lock);
1267 ffsm = generic_find_memory_area(epfile, io_data->buf, io_data->len);
1268 if (ffsm == NULL)
1269 {
1270 ret = -EFAULT;
1271 goto error_lock;
1272 }
1273 if (epfile->ep != ep) {
1274 /* In the meantime, endpoint got disabled or changed. */
1275 ret = -ESHUTDOWN;
1276 }
1277 else if (halt) {
1278 ret = usb_ep_set_halt(ep->ep);
1279 if (!ret)
1280 ret = -EBADMSG;
1281 }
1282 else if (!io_data->aio) {
1283 DECLARE_COMPLETION_ONSTACK(done);
1284 bool interrupted = false;
1285
1286 req = ep->req;
1287 req->buf = (void *)(ffsm->mem + io_data->buf - ffsm->vm_start);
1288 req->length = data_len;
1289
1290 req->context = &done;
1291 req->complete = ffs_epfile_io_complete;
1292
1293 ret = usb_ep_queue(ep->ep, req, GFP_ATOMIC);
1294 if (unlikely(ret < 0))
1295 goto error_lock;
1296
1297 spin_unlock_irq(&epfile->ffs->eps_lock);
1298 if (io_data->timeout > 0) {
1299 ret = wait_for_completion_interruptible_timeout(&done, io_data->timeout);
1300 if (ret < 0) {
1301 /*
1302 * To avoid race condition with ffs_epfile_io_complete,
1303 * dequeue the request first then check
1304 * status. usb_ep_dequeue API should guarantee no race
1305 * condition with req->complete callback.
1306 */
1307 usb_ep_dequeue(ep->ep, req);
1308 wait_for_completion(&done);
1309 interrupted = ep->status < 0;
1310 } else if (ret == 0) {
1311 ret = -EBUSY;
1312 usb_ep_dequeue(ep->ep, req);
1313 wait_for_completion(&done);
1314 goto error_mutex;
1315 }
1316 } else {
1317 ret = wait_for_completion_interruptible(&done);
1318 if (ret < 0) {
1319 usb_ep_dequeue(ep->ep, req);
1320 wait_for_completion(&done);
1321 interrupted = ep->status < 0;
1322 }
1323 }
1324
1325 if (interrupted) {
1326 ret = -EINTR;
1327 } else {
1328 ret = req->actual;
1329 }
1330 goto error_mutex;
1331 }
1332 else if (!(req = usb_ep_alloc_request(ep->ep, GFP_ATOMIC))) {
1333 ret = -ENOMEM;
1334 }
1335 else {
1336 req->buf = (void *)(ffsm->mem + io_data->buf - ffsm->vm_start);
1337 req->length = data_len;
1338
1339 io_data->ep = ep->ep;
1340 io_data->req = req;
1341 io_data->epfile = epfile;
1342 io_data->ffs = epfile->ffs;
1343
1344 req->context = io_data;
1345 req->complete = ffs_epfile_async_io_complete;
1346 list_add(&req->list, &ep->req->list);
1347 ret = usb_ep_queue(ep->ep, req, GFP_ATOMIC);
1348 if (unlikely(ret)) {
1349 usb_ep_free_request(ep->ep, req);
1350 goto error_lock;
1351 }
1352
1353 ret = -EIOCBQUEUED;
1354 }
1355
1356 error_lock:
1357 spin_unlock_irq(&epfile->ffs->eps_lock);
1358 error_mutex:
1359 mutex_unlock(&epfile->mutex);
1360 error:
1361 return ret;
1362 }
1363
ffs_epfile_ioctl(struct file * file,unsigned code,unsigned long value)1364 static long ffs_epfile_ioctl(struct file *file, unsigned code, unsigned long value)
1365 {
1366 struct ffs_epfile *epfile = file->private_data;
1367 int ret = 0;
1368 struct generic_memory mem;
1369 struct ffs_memory *ffsm = NULL;
1370
1371 ENTER();
1372
1373 if (WARN_ON(epfile->ffs->state != FFS_ACTIVE))
1374 return -ENODEV;
1375
1376 spin_lock_irq(&epfile->ffs->eps_lock);
1377 struct ffs_ep *ep = epfile->ep;
1378
1379 switch (code) {
1380 case FUNCTIONFS_ENDPOINT_QUEUE_INIT:
1381 ret = kfifo_alloc(&epfile->reqEventFifo, MAX_REQUEST * sizeof(struct UsbFnReqEvent), GFP_KERNEL);
1382 break;
1383 case FUNCTIONFS_ENDPOINT_QUEUE_DEL:
1384 kfifo_free(&epfile->reqEventFifo);
1385 break;
1386 case FUNCTIONFS_ENDPOINT_RELEASE_BUF:
1387 if (copy_from_user(&mem, (void __user *)value, sizeof(mem)))
1388 {
1389 pr_err("[%s:%d] copy from user failed\n", __func__, __LINE__);
1390 spin_unlock_irq(&epfile->ffs->eps_lock);
1391 return -EFAULT;
1392 }
1393 ffsm = generic_find_memory_area(epfile, mem.buf, mem.size);
1394 if (ffsm == NULL)
1395 {
1396 pr_err("[%s:%d] ffsm is null\n", __func__, __LINE__);
1397 spin_unlock_irq(&epfile->ffs->eps_lock);
1398 return -EFAULT;
1399 }
1400 list_del(&ffsm->memlist);
1401 kfree((void *)ffsm->mem);
1402 kfree(ffsm);
1403 break;
1404 case FUNCTIONFS_ENDPOINT_READ:
1405 case FUNCTIONFS_ENDPOINT_WRITE:
1406 {
1407 struct IoData myIoData;
1408 struct ffs_io_data io_data, *p = &io_data;
1409 ret = copy_from_user(&myIoData, (void __user *)value, sizeof(struct IoData));
1410 if (unlikely(ret)) {
1411 pr_err("[%s:%d] copy from user failed\n", __func__, __LINE__);
1412 spin_unlock_irq(&epfile->ffs->eps_lock);
1413 return -EFAULT;
1414 }
1415 if (myIoData.aio) {
1416 p = kmalloc(sizeof(io_data), GFP_KERNEL);
1417 if (unlikely(!p)) {
1418 pr_err("[%s:%d] kmalloc failed\n", __func__, __LINE__);
1419 spin_unlock_irq(&epfile->ffs->eps_lock);
1420 return -ENOMEM;
1421 }
1422 } else {
1423 memset(p, 0, sizeof(*p));
1424 }
1425 memcpy(p, &myIoData, sizeof(struct IoData));
1426
1427 spin_unlock_irq(&epfile->ffs->eps_lock);
1428 ret = ffs_epfile_iorw(file, p);
1429 if (ret == -EIOCBQUEUED) {
1430 return 0;
1431 }
1432 if (p->aio)
1433 kfree(p);
1434 return ret;
1435 }
1436 case FUNCTIONFS_ENDPOINT_RW_CANCEL:
1437 {
1438 struct usb_request *req;
1439 struct IoData myIoData;
1440 if (!ep) {
1441 pr_err("[%s:%d] ep is null\n", __func__, __LINE__);
1442 atomic_set(&epfile->force_wakeup, 1);
1443 wake_up_interruptible(&epfile->ffs->wait);
1444 spin_unlock_irq(&epfile->ffs->eps_lock);
1445 return -EFAULT;
1446 }
1447 ret = copy_from_user(&myIoData, (void __user *)value, sizeof(struct IoData));
1448 if (unlikely(ret)) {
1449 pr_err("[%s:%d] cp from user failed\n", __func__, __LINE__);
1450 spin_unlock_irq(&epfile->ffs->eps_lock);
1451 return -EFAULT;
1452 }
1453 ffsm = generic_find_memory_area(epfile, myIoData.buf, myIoData.len);
1454 if (ffsm == NULL)
1455 {
1456 pr_err("[%s:%d] ffsm is null\n", __func__, __LINE__);
1457 spin_unlock_irq(&epfile->ffs->eps_lock);
1458 return -EFAULT;
1459 }
1460 list_for_each_entry(req, &epfile->ep->req->list, list) {
1461 if (req->buf == (void *)(ffsm->mem + myIoData.buf - ffsm->vm_start)) {
1462 usb_ep_dequeue(epfile->ep->ep, req);
1463 pr_info("[%s:%d] req dequeued\n", __func__, __LINE__);
1464 spin_unlock_irq(&epfile->ffs->eps_lock);
1465 return 0;
1466 }
1467 }
1468 if (epfile->ep->req->buf == (void *)(ffsm->mem + myIoData.buf - ffsm->vm_start)) {
1469 usb_ep_dequeue(epfile->ep->ep, epfile->ep->req);
1470 pr_info("[%s:%d] epfile->ep->req dequeued\n", __func__, __LINE__);
1471 spin_unlock_irq(&epfile->ffs->eps_lock);
1472 return 0;
1473 }
1474 spin_unlock_irq(&epfile->ffs->eps_lock);
1475 return -EFAULT;
1476 }
1477 case FUNCTIONFS_ENDPOINT_GET_REQ_STATUS:
1478 {
1479 struct usb_request *req;
1480 struct IoData myIoData;
1481 if (!ep) {
1482 pr_err("[%s:%d] ep is null\n", __func__, __LINE__);
1483 spin_unlock_irq(&epfile->ffs->eps_lock);
1484 return -EFAULT;
1485 }
1486 ret = copy_from_user(&myIoData,(void __user *)value, sizeof(struct IoData));
1487 if (unlikely(ret)) {
1488 pr_err("[%s:%d] cp from user failed\n", __func__, __LINE__);
1489 spin_unlock_irq(&epfile->ffs->eps_lock);
1490 return -EFAULT;
1491 }
1492 ffsm = generic_find_memory_area(epfile, myIoData.buf, myIoData.len);
1493 if (ffsm == NULL)
1494 {
1495 pr_err("[%s:%d] ffsm is null\n", __func__, __LINE__);
1496 spin_unlock_irq(&epfile->ffs->eps_lock);
1497 return -EFAULT;
1498 }
1499 list_for_each_entry(req, &epfile->ep->req->list, list) {
1500 if (req->buf == (void *)(ffsm->mem + myIoData.buf - ffsm->vm_start)) {
1501 spin_unlock_irq(&epfile->ffs->eps_lock);
1502 return req->status;
1503 }
1504 }
1505 spin_unlock_irq(&epfile->ffs->eps_lock);
1506 return -EFAULT;
1507 }
1508 case FUNCTIONFS_FIFO_STATUS:
1509 ret = usb_ep_fifo_status(epfile->ep->ep);
1510 break;
1511 case FUNCTIONFS_FIFO_FLUSH:
1512 usb_ep_fifo_flush(epfile->ep->ep);
1513 ret = 0;
1514 break;
1515 case FUNCTIONFS_CLEAR_HALT:
1516 ret = usb_ep_clear_halt(epfile->ep->ep);
1517 break;
1518 case FUNCTIONFS_ENDPOINT_REVMAP:
1519 ret = epfile->ep->num;
1520 break;
1521 case FUNCTIONFS_ENDPOINT_DESC:
1522 {
1523 int desc_idx;
1524 int i;
1525 struct usb_endpoint_descriptor *desc;
1526
1527 switch (epfile->ffs->speed) {
1528 case USB_SPEED_SUPER:
1529 desc_idx = 2;
1530 break;
1531 case USB_SPEED_HIGH:
1532 desc_idx = 1;
1533 break;
1534 default:
1535 desc_idx = 1;
1536 }
1537 for (i = 0; i < epfile->ffs->eps_count; i++) {
1538 if (epfile->ffs->epfiles + i == epfile)
1539 break;
1540 }
1541 if (epfile->ffs->eps == NULL) {
1542 pr_err("[%s:%d] eps has been freed\n", __func__, __LINE__);
1543 ret = -EFAULT;
1544 break;
1545 }
1546 ep = epfile->ffs->eps + i;
1547 desc = ep->descs[desc_idx];
1548 pr_info("[%s:%d] spin_unlock_irq\n", __func__, __LINE__);
1549 spin_unlock_irq(&epfile->ffs->eps_lock);
1550 if (!desc || IS_ERR(desc)) {
1551 pr_err("[%s:%d] invalid desc %x\n", __func__, __LINE__, desc);
1552 return -EFAULT;
1553 }
1554 ret = copy_to_user((void __user *)value, desc, desc->bLength);
1555 if (ret)
1556 ret = -EFAULT;
1557 return ret;
1558 }
1559 default:
1560 ret = -ENOTTY;
1561 }
1562 spin_unlock_irq(&epfile->ffs->eps_lock);
1563
1564 return ret;
1565 }
1566
ffs_epfile_read(struct file * file,char __user * buf,size_t count,loff_t * f_pos)1567 static ssize_t ffs_epfile_read(struct file *file, char __user *buf, size_t count, loff_t *f_pos)
1568 {
1569 int status = 0;
1570 unsigned int copied = 0;
1571 unsigned long flags;
1572 struct ffs_epfile *epfile = file->private_data;
1573 ENTER();
1574 if (kfifo_is_empty(&epfile->reqEventFifo)) {
1575 return 0;
1576 }
1577 spin_lock_irqsave(&epfile->ffs->eps_lock, flags);
1578 status = kfifo_to_user(&epfile->reqEventFifo, buf, count, &copied) == 0 ? copied : -1;
1579 spin_unlock_irqrestore(&epfile->ffs->eps_lock, flags);
1580
1581 return status;
1582 }
1583
ffs_epfile_write(struct file * file,const char __user * buf,size_t count,loff_t * f_pos)1584 static ssize_t ffs_epfile_write(struct file *file, const char __user *buf, size_t count, loff_t *f_pos)
1585 {
1586 return count;
1587 }
1588
ffs_epfile_poll(struct file * file,struct poll_table_struct * wait)1589 static unsigned int ffs_epfile_poll(struct file *file, struct poll_table_struct * wait)
1590 {
1591 unsigned int mask = 0;
1592 struct ffs_epfile *epfile = file->private_data;
1593 ENTER();
1594 poll_wait(file, &epfile->wait_que, wait);
1595 if (!kfifo_is_empty(&epfile->reqEventFifo)) {
1596 mask |= POLLIN;
1597 }
1598 return mask;
1599 }
1600
1601 #ifdef CONFIG_COMPAT
ffs_epfile_compat_ioctl(struct file * file,unsigned code,unsigned long value)1602 static long ffs_epfile_compat_ioctl(struct file *file, unsigned code,
1603 unsigned long value)
1604 {
1605 return ffs_epfile_ioctl(file, code, value);
1606 }
1607 #endif
1608
1609 static const struct file_operations ffs_epfile_operations = {
1610 .owner = THIS_MODULE,
1611 .llseek = no_llseek,
1612 .mmap = ffs_epfile_mmap,
1613 .read = ffs_epfile_read,
1614 .write = ffs_epfile_write,
1615 .poll = ffs_epfile_poll,
1616 .open = ffs_epfile_open,
1617 .release = ffs_epfile_release,
1618 .unlocked_ioctl = ffs_epfile_ioctl,
1619 #ifdef CONFIG_COMPAT
1620 .compat_ioctl = ffs_epfile_compat_ioctl,
1621 #endif
1622 };
1623
1624 /* ffs_data and ffs_function construction and destruction code **************/
1625 static void ffs_data_clear(struct ffs_data *ffs);
1626 static void ffs_data_reset(struct ffs_data *ffs);
1627 static dev_t g_dev;
1628 #define MAX_EP_DEV 10
usbfn_ioctl(struct file * file,unsigned int cmd,unsigned long value)1629 static long usbfn_ioctl(struct file *file, unsigned int cmd, unsigned long value)
1630 {
1631 long ret;
1632 ENTER();
1633 switch(cmd)
1634 {
1635 case FUNCTIONFS_NEWFN:
1636 {
1637 struct ffs_dev *ffs_dev;
1638 struct ffs_data *ffs;
1639 struct FuncNew newfn;
1640 char nameEp0[MAX_NAMELEN];
1641 ret = copy_from_user(&newfn, (void __user *)value, sizeof(struct FuncNew ));
1642 if (unlikely(ret)) {
1643 return -EFAULT;
1644 }
1645 ffs = ffs_data_new(newfn.name);
1646 if (unlikely(!ffs)) {
1647 return (-ENOMEM);
1648 }
1649
1650 memcpy(ffs->dev_name, newfn.name, newfn.nameLen);
1651
1652 if (unlikely(!ffs->dev_name)) {
1653 ffs_data_put(ffs);
1654 return (-ENOMEM);
1655 }
1656
1657 if (sprintf(nameEp0, "%s.ep%u", ffs->dev_name, 0) < 0) {
1658 ffs_data_put(ffs);
1659 return -EFAULT;
1660 }
1661 ffs_dev = ffs_acquire_dev(newfn.name);
1662 if (IS_ERR(ffs_dev)) {
1663 ffs_data_put(ffs);
1664 return (-ENODEV);
1665 }
1666 ffs->private_data = ffs_dev;
1667
1668 ret = alloc_chrdev_region(&g_dev, 0, MAX_EP_DEV, nameEp0);
1669 if (ret < 0) {
1670 ffs_release_dev(ffs);
1671 ffs_data_put(ffs);
1672 return -EBUSY;
1673 }
1674 ffs->cdev = cdev_alloc();
1675 pr_warn("[%s] cdev_alloc\n", __func__);
1676 dump_stack();
1677 if (!ffs->cdev) {
1678 pr_err("newfn cdev_alloc failed\n");
1679 ffs_release_dev(ffs);
1680 ffs_data_put(ffs);
1681 return -EFAULT;
1682 }
1683 ffs->cdev->ops = &ffs_ep0_operations;
1684 ffs->devno = MKDEV(MAJOR(g_dev), 0);
1685 ret = cdev_add(ffs->cdev, ffs->devno, 1);
1686 if (ret) {
1687 ffs_release_dev(ffs);
1688 ffs_data_put(ffs);
1689 return -EBUSY;
1690 }
1691
1692 ffs->fn_device = device_create(ffs_class, NULL, ffs->devno, NULL, nameEp0);
1693 if (IS_ERR(ffs->fn_device) || !map_cdev_to_ffs_data(ffs)) {
1694 pr_err("[%s] cdev_del\n", __func__);
1695 dump_stack();
1696 cdev_del(ffs->cdev);
1697 ffs_release_dev(ffs);
1698 ffs_data_put(ffs);
1699 return -EBUSY;
1700 }
1701 return 0;
1702 }
1703 case FUNCTIONFS_DELFN:
1704 {
1705 struct FuncNew newfn;
1706 struct ffs_data *ffs;
1707 struct ffs_dev *ffs_dev;
1708 ret = copy_from_user(&newfn, (void __user *)value, sizeof(struct FuncNew ));
1709 if (unlikely(ret)) {
1710 return -EFAULT;
1711 }
1712
1713 ffs_dev = _ffs_find_dev(newfn.name);
1714 if (IS_ERR(ffs_dev)) {
1715 return -EFAULT;
1716 }
1717 ffs = ffs_dev->ffs_data;
1718 if (unlikely(!ffs)) {
1719 return (-EINVAL);
1720 }
1721 device_destroy(ffs_class, ffs->devno);
1722 pr_warn("[%s] cdev_del\n", __func__);
1723 dump_stack();
1724 cdev_del(ffs->cdev);
1725 pr_warn("[%s] unmap_cdev_to_ffs_data\n", __func__);
1726 if (!unmap_cdev_to_ffs_data(ffs)) {
1727 pr_warn("[%s] unmap_cdev_to_ffs_data failed", __func__);
1728 }
1729 unregister_chrdev_region(g_dev, MAX_EP_DEV);
1730 ffs_release_dev(ffs);
1731 ffs_data_clear(ffs);
1732 destroy_workqueue(ffs->io_completion_wq);
1733 kfree(ffs);
1734 return 0;
1735 }
1736 default:
1737 ret = -ENOTTY;
1738 }
1739
1740 return ret;
1741 }
1742
usbfn_open(struct inode * inode,struct file * file)1743 static int usbfn_open(struct inode *inode, struct file *file)
1744 {
1745 return 0;
1746 }
1747
usbfn_release(struct inode * inode,struct file * file)1748 static int usbfn_release(struct inode *inode, struct file *file)
1749 {
1750 return 0;
1751 }
1752
1753 static struct file_operations usbfn_fops = {
1754 .owner = THIS_MODULE,
1755 .unlocked_ioctl = usbfn_ioctl,
1756 .open = usbfn_open,
1757 .release = usbfn_release,
1758 #ifdef CONFIG_COMPAT
1759 .compat_ioctl = usbfn_ioctl,
1760 #endif
1761 };
1762
1763 static struct miscdevice usbfn_misc = {
1764 .minor = MISC_DYNAMIC_MINOR,
1765 .name = "usbfn",
1766 .fops = &usbfn_fops,
1767 };
1768
1769 /* Driver's main init/cleanup functions *************************************/
functionfs_init(void)1770 static int functionfs_init(void)
1771 {
1772 int ret;
1773
1774 ENTER();
1775 ret = misc_register(&usbfn_misc);
1776 if (likely(!ret))
1777 pr_info("file system registered\n");
1778 else
1779 pr_err("failed registering file system (%d)\n", ret);
1780
1781 ffs_class = class_create("functionfs");
1782 if (IS_ERR(ffs_class))
1783 return PTR_ERR(ffs_class);
1784
1785 ffs_class->devnode = ffs_devnode;
1786
1787 return ret;
1788 }
1789
functionfs_cleanup(void)1790 static void functionfs_cleanup(void)
1791 {
1792 ENTER();
1793 class_destroy(ffs_class);
1794 misc_deregister(&usbfn_misc);
1795 }
1796
ffs_data_get(struct ffs_data * ffs)1797 static void ffs_data_get(struct ffs_data *ffs)
1798 {
1799 ENTER();
1800 refcount_inc(&ffs->ref);
1801 }
1802
ffs_data_put(struct ffs_data * ffs)1803 static void ffs_data_put(struct ffs_data *ffs)
1804 {
1805 ENTER();
1806 if (unlikely(refcount_dec_and_test(&ffs->ref))) {
1807 pr_info("%s(): freeing\n", __func__);
1808 ffs_data_clear(ffs);
1809 BUG_ON(waitqueue_active(&ffs->ev.waitq) ||
1810 #if LINUX_VERSION_CODE >= KERNEL_VERSION(5,0,0)
1811 swait_active(&ffs->ep0req_completion.wait) ||
1812 #else
1813 waitqueue_active(&ffs->ep0req_completion.wait) ||
1814 #endif
1815 waitqueue_active(&ffs->wait) ||
1816 waitqueue_active(&ffs->wait_que));
1817 destroy_workqueue(ffs->io_completion_wq);
1818 kfree(ffs);
1819 }
1820 }
1821
ffs_data_new(const char * dev_name)1822 static struct ffs_data *ffs_data_new(const char *dev_name)
1823 {
1824 struct ffs_data *ffs = kzalloc(sizeof *ffs, GFP_KERNEL);
1825 if (unlikely(!ffs))
1826 return NULL;
1827
1828 ENTER();
1829
1830 ffs->io_completion_wq = alloc_ordered_workqueue("%s", 0, dev_name);
1831 if (!ffs->io_completion_wq) {
1832 kfree(ffs);
1833 return NULL;
1834 }
1835
1836 refcount_set(&ffs->ref, 1);
1837 atomic_set(&ffs->opened, 0);
1838 ffs->state = FFS_READ_DESCRIPTORS;
1839 mutex_init(&ffs->mutex);
1840 spin_lock_init(&ffs->eps_lock);
1841 spin_lock_init(&ffs->mem_lock);
1842 init_waitqueue_head(&ffs->ev.waitq);
1843 init_waitqueue_head(&ffs->wait);
1844 init_waitqueue_head(&ffs->wait_que);
1845 init_completion(&ffs->ep0req_completion);
1846 INIT_LIST_HEAD(&ffs->memory_list);
1847 ffs->ev.can_stall = 1;
1848
1849 return ffs;
1850 }
1851
ffs_data_clear(struct ffs_data * ffs)1852 static void ffs_data_clear(struct ffs_data *ffs)
1853 {
1854 ENTER();
1855
1856 ffs_closed(ffs);
1857
1858 BUG_ON(ffs->gadget);
1859
1860 if (ffs->epfiles)
1861 ffs_epfiles_destroy(ffs->epfiles, ffs->eps_count);
1862
1863 if (ffs->ffs_eventfd)
1864 eventfd_ctx_put(ffs->ffs_eventfd);
1865
1866 kfree(ffs->raw_descs_data);
1867 kfree(ffs->raw_strings);
1868 kfree(ffs->stringtabs);
1869 }
1870
ffs_data_reset(struct ffs_data * ffs)1871 static void ffs_data_reset(struct ffs_data *ffs)
1872 {
1873 ENTER();
1874
1875 ffs_data_clear(ffs);
1876
1877 ffs->epfiles = NULL;
1878 ffs->raw_descs_data = NULL;
1879 ffs->raw_descs = NULL;
1880 ffs->raw_strings = NULL;
1881 ffs->stringtabs = NULL;
1882
1883 ffs->raw_descs_length = 0;
1884 ffs->fs_descs_count = 0;
1885 ffs->hs_descs_count = 0;
1886 ffs->ss_descs_count = 0;
1887
1888 ffs->strings_count = 0;
1889 ffs->interfaces_count = 0;
1890 ffs->eps_count = 0;
1891
1892 ffs->ev.count = 0;
1893
1894 ffs->state = FFS_READ_DESCRIPTORS;
1895 ffs->setup_state = FFS_NO_SETUP;
1896 ffs->flags = 0;
1897 }
1898
functionfs_bind(struct ffs_data * ffs,struct usb_composite_dev * cdev)1899 static int functionfs_bind(struct ffs_data *ffs, struct usb_composite_dev *cdev)
1900 {
1901 struct usb_gadget_strings **lang;
1902 int first_id;
1903
1904 ENTER();
1905
1906 if (WARN_ON(ffs->state != FFS_ACTIVE
1907 || test_and_set_bit(FFS_FL_BOUND, &ffs->flags)))
1908 return -EBADFD;
1909
1910 first_id = usb_string_ids_n(cdev, ffs->strings_count);
1911 if (unlikely(first_id < 0))
1912 return first_id;
1913
1914 ffs->ep0req = usb_ep_alloc_request(cdev->gadget->ep0, GFP_KERNEL);
1915 if (unlikely(!ffs->ep0req))
1916 return -ENOMEM;
1917 ffs->ep0req->complete = ffs_ep0_complete;
1918 ffs->ep0req->context = ffs;
1919 INIT_LIST_HEAD(&ffs->ep0req->list);
1920
1921 lang = ffs->stringtabs;
1922 if (lang) {
1923 for (; *lang; ++lang) {
1924 struct usb_string *str = (*lang)->strings;
1925 int id = first_id;
1926 for (; str->s; ++id, ++str)
1927 str->id = id;
1928 }
1929 }
1930
1931 ffs->gadget = cdev->gadget;
1932 ffs->speed = cdev->gadget->speed;
1933 ffs_data_get(ffs);
1934 return 0;
1935 }
1936
functionfs_unbind(struct ffs_data * ffs)1937 static void functionfs_unbind(struct ffs_data *ffs)
1938 {
1939 ENTER();
1940
1941 if (!WARN_ON(!ffs->gadget)) {
1942 usb_ep_free_request(ffs->gadget->ep0, ffs->ep0req);
1943 ffs->ep0req = NULL;
1944 ffs->gadget = NULL;
1945 clear_bit(FFS_FL_BOUND, &ffs->flags);
1946 ffs_data_put(ffs);
1947 }
1948 }
1949
ffs_epfiles_create(struct ffs_data * ffs)1950 static int ffs_epfiles_create(struct ffs_data *ffs)
1951 {
1952 struct ffs_epfile *epfile = NULL, *epfiles = NULL;
1953 unsigned int i, count ,ret;
1954
1955 ENTER();
1956
1957 count = ffs->eps_count;
1958 epfiles = kcalloc(count, sizeof(*epfiles), GFP_KERNEL);
1959 if (!epfiles)
1960 return -ENOMEM;
1961
1962 epfile = epfiles;
1963 for (i = 1; i <= count; ++i, ++epfile) {
1964 epfile->ffs = ffs;
1965 mutex_init(&epfile->mutex);
1966 INIT_LIST_HEAD(&epfile->memory_list);
1967 init_waitqueue_head(&epfile->wait_que);
1968 if (ffs->user_flags & FUNCTIONFS_VIRTUAL_ADDR) {
1969 if (sprintf(epfile->name, "%s.ep%02x", ffs->dev_name, ffs->eps_addrmap[i]) < 0) {
1970 pr_err("[%s:%d] sprintf failed\n", __func__, __LINE__);
1971 ffs_epfiles_destroy(epfiles, i - 1);
1972 return -EFAULT;
1973 }
1974 } else {
1975 if (sprintf(epfile->name, "%s.ep%u", ffs->dev_name, i) < 0) {
1976 pr_err("[%s:%d] sprintf failed\n", __func__, __LINE__);
1977 ffs_epfiles_destroy(epfiles, i - 1);
1978 return -EFAULT;
1979 }
1980 }
1981 atomic_set(&epfile->force_wakeup, 0);
1982 epfile->cdev = cdev_alloc();
1983 pr_warn("[%s] cdev_alloc\n", __func__);
1984 dump_stack();
1985 if (!epfile->cdev) {
1986 pr_err("ffs_epfiles_create cdev_alloc failed\n");
1987 ffs_epfiles_destroy(epfiles, i - 1);
1988 return -EFAULT;
1989 }
1990 epfile->cdev->ops = &ffs_epfile_operations;
1991 epfile->devno=MKDEV(MAJOR(ffs->devno), i);
1992 ret = cdev_add(epfile->cdev, epfile->devno, 1);
1993 if (ret)
1994 {
1995 pr_err("[%s:%d] cdev_add failed\n", __func__, __LINE__);
1996 cdev_del(epfile->cdev);
1997 ffs_epfiles_destroy(epfiles, i - 1);
1998 return -EBUSY;
1999 }
2000
2001 epfile->device = device_create(ffs_class, NULL, epfile->devno, NULL, epfile->name);
2002 if (IS_ERR(epfile->device) || !map_cdev_to_ffs_epfile(epfile))
2003 {
2004 pr_err("[%s] cdev_del\n", __func__);
2005 dump_stack();
2006 cdev_del(epfile->cdev);
2007 ffs_epfiles_destroy(epfiles, i - 1);
2008 return -EBUSY;
2009 }
2010 }
2011
2012 ffs->epfiles = epfiles;
2013 return 0;
2014 }
2015
ffs_epfiles_destroy(struct ffs_epfile * epfiles,unsigned count)2016 static void ffs_epfiles_destroy(struct ffs_epfile *epfiles, unsigned count)
2017 {
2018 struct ffs_epfile *epfile = epfiles;
2019
2020 ENTER();
2021
2022 for (; count; --count, ++epfile) {
2023 BUG_ON(mutex_is_locked(&epfile->mutex));
2024 device_destroy(ffs_class, epfile->devno);
2025 pr_warn("[%s] cdev_del\n",__func__);
2026 dump_stack();
2027 cdev_del(epfile->cdev);
2028 if (!unmap_cdev_to_ffs_epfile(epfile)) {
2029 pr_warn("[%s] unmap_cdev_to_ffs_epfile failed", __func__);
2030 }
2031 }
2032
2033 kfree(epfiles);
2034 }
2035
ffs_func_eps_disable(struct ffs_function * func)2036 static void ffs_func_eps_disable(struct ffs_function *func)
2037 {
2038 struct ffs_ep *ep = func->eps;
2039 struct ffs_epfile *epfile = func->ffs->epfiles;
2040 unsigned count = func->ffs->eps_count;
2041 unsigned long flags;
2042
2043 spin_lock_irqsave(&func->ffs->eps_lock, flags);
2044 while (count--) {
2045 /* pending requests get nuked */
2046 if (likely(ep->ep))
2047 usb_ep_disable(ep->ep);
2048 ++ep;
2049
2050 if (epfile) {
2051 epfile->ep = NULL;
2052 ++epfile;
2053 }
2054 }
2055 spin_unlock_irqrestore(&func->ffs->eps_lock, flags);
2056 }
2057
ffs_func_eps_enable(struct ffs_function * func)2058 static int ffs_func_eps_enable(struct ffs_function *func)
2059 {
2060 struct ffs_data *ffs = func->ffs;
2061 struct ffs_ep *ep = func->eps;
2062 struct ffs_epfile *epfile = ffs->epfiles;
2063 unsigned count = ffs->eps_count;
2064 unsigned long flags;
2065 int ret = 0;
2066
2067 spin_lock_irqsave(&func->ffs->eps_lock, flags);
2068 while(count--) {
2069 ep->ep->driver_data = ep;
2070
2071 ret = config_ep_by_speed(func->gadget, &func->function, ep->ep);
2072 if (ret) {
2073 pr_err("%s: config_ep_by_speed(%s) returned %d\n",
2074 __func__, ep->ep->name, ret);
2075 break;
2076 }
2077
2078 ret = usb_ep_enable(ep->ep);
2079 if (likely(!ret)) {
2080 epfile->ep = ep;
2081 epfile->in = usb_endpoint_dir_in(ep->ep->desc);
2082 epfile->isoc = usb_endpoint_xfer_isoc(ep->ep->desc);
2083 } else {
2084 break;
2085 }
2086
2087 ++ep;
2088 ++epfile;
2089 }
2090
2091 wake_up_interruptible(&ffs->wait);
2092 spin_unlock_irqrestore(&func->ffs->eps_lock, flags);
2093
2094 return ret;
2095 }
2096
2097 /* Parsing and building descriptors and strings *****************************/
2098
2099 /*
2100 * This validates if data pointed by data is a valid USB descriptor as
2101 * well as record how many interfaces, endpoints and strings are
2102 * required by given configuration. Returns address after the
2103 * descriptor or NULL if data is invalid.
2104 */
2105 enum ffs_entity_type {
2106 FFS_DESCRIPTOR, FFS_INTERFACE, FFS_STRING, FFS_ENDPOINT
2107 };
2108
2109 enum ffs_os_desc_type {
2110 FFS_OS_DESC, FFS_OS_DESC_EXT_COMPAT, FFS_OS_DESC_EXT_PROP
2111 };
2112
2113 typedef int (*ffs_entity_callback)(enum ffs_entity_type entity, u8 *valuep,
2114 struct usb_descriptor_header *desc,
2115 void *priv);
2116
2117 typedef int (*ffs_os_desc_callback)(enum ffs_os_desc_type entity,
2118 struct usb_os_desc_header *h, void *data,
2119 unsigned len, void *priv);
2120
ffs_do_single_desc(char * data,unsigned len,ffs_entity_callback entity,void * priv)2121 static int __must_check ffs_do_single_desc(char *data, unsigned len,
2122 ffs_entity_callback entity,
2123 void *priv)
2124 {
2125 struct usb_descriptor_header *_ds = (void *)data;
2126 u8 length;
2127 int ret;
2128
2129 ENTER();
2130
2131 /* At least two bytes are required: length and type */
2132 if (len < 2) {
2133 pr_vdebug("descriptor too short\n");
2134 return -EINVAL;
2135 }
2136
2137 /* If we have at least as many bytes as the descriptor takes? */
2138 length = _ds->bLength;
2139 if (len < length) {
2140 pr_vdebug("descriptor longer then available data\n");
2141 return -EINVAL;
2142 }
2143
2144 #define __entity_check_INTERFACE(val) 1
2145 #define __entity_check_STRING(val) (val)
2146 #define __entity_check_ENDPOINT(val) ((val) & USB_ENDPOINT_NUMBER_MASK)
2147 #define __entity(type, val) do { \
2148 pr_vdebug("entity " #type "(%02x)\n", (val)); \
2149 if (unlikely(!__entity_check_ ##type(val))) { \
2150 pr_vdebug("invalid entity's value\n"); \
2151 return -EINVAL; \
2152 } \
2153 ret = entity(FFS_ ##type, &val, _ds, priv); \
2154 if (unlikely(ret < 0)) { \
2155 pr_debug("entity " #type "(%02x); ret = %d\n", \
2156 (val), ret); \
2157 return ret; \
2158 } \
2159 } while (0)
2160
2161 /* Parse descriptor depending on type. */
2162 switch (_ds->bDescriptorType) {
2163 case USB_DT_DEVICE:
2164 case USB_DT_CONFIG:
2165 case USB_DT_STRING:
2166 case USB_DT_DEVICE_QUALIFIER:
2167 /* function can't have any of those */
2168 pr_vdebug("descriptor reserved for gadget: %d\n",
2169 _ds->bDescriptorType);
2170 return -EINVAL;
2171
2172 case USB_DT_INTERFACE: {
2173 struct usb_interface_descriptor *ds = (void *)_ds;
2174 pr_vdebug("interface descriptor\n");
2175 if (length != sizeof *ds)
2176 goto inv_length;
2177
2178 __entity(INTERFACE, ds->bInterfaceNumber);
2179 if (ds->iInterface)
2180 __entity(STRING, ds->iInterface);
2181 }
2182 break;
2183
2184 case USB_DT_ENDPOINT: {
2185 struct usb_endpoint_descriptor *ds = (void *)_ds;
2186 pr_vdebug("endpoint descriptor\n");
2187 if (length != USB_DT_ENDPOINT_SIZE &&
2188 length != USB_DT_ENDPOINT_AUDIO_SIZE)
2189 goto inv_length;
2190 __entity(ENDPOINT, ds->bEndpointAddress);
2191 }
2192 break;
2193
2194 case HID_DT_HID:
2195 pr_vdebug("hid descriptor\n");
2196 if (length != sizeof(struct hid_descriptor))
2197 goto inv_length;
2198 break;
2199
2200 case USB_DT_OTG:
2201 if (length != sizeof(struct usb_otg_descriptor))
2202 goto inv_length;
2203 break;
2204
2205 case USB_DT_INTERFACE_ASSOCIATION: {
2206 struct usb_interface_assoc_descriptor *ds = (void *)_ds;
2207 pr_vdebug("interface association descriptor\n");
2208 if (length != sizeof *ds)
2209 goto inv_length;
2210 if (ds->iFunction)
2211 __entity(STRING, ds->iFunction);
2212 }
2213 break;
2214
2215 case USB_DT_SS_ENDPOINT_COMP:
2216 pr_vdebug("EP SS companion descriptor\n");
2217 if (length != sizeof(struct usb_ss_ep_comp_descriptor))
2218 goto inv_length;
2219 break;
2220
2221 case USB_DT_OTHER_SPEED_CONFIG:
2222 case USB_DT_INTERFACE_POWER:
2223 case USB_DT_DEBUG:
2224 case USB_DT_SECURITY:
2225 case USB_DT_CS_RADIO_CONTROL:
2226 pr_vdebug("unimplemented descriptor: %d\n", _ds->bDescriptorType);
2227 break;
2228 default:
2229 /* We should never be here */
2230 pr_vdebug("unknown descriptor: %d\n", _ds->bDescriptorType);
2231 break;
2232 inv_length:
2233 pr_vdebug("invalid length: %d (descriptor %d)\n",
2234 _ds->bLength, _ds->bDescriptorType);
2235 return -EINVAL;
2236 }
2237
2238 #undef __entity
2239 #undef __entity_check_DESCRIPTOR
2240 #undef __entity_check_INTERFACE
2241 #undef __entity_check_STRING
2242 #undef __entity_check_ENDPOINT
2243
2244 return length;
2245 }
2246
ffs_do_descs(unsigned count,char * data,unsigned len,ffs_entity_callback entity,void * priv)2247 static int __must_check ffs_do_descs(unsigned count, char *data, unsigned len,
2248 ffs_entity_callback entity, void *priv)
2249 {
2250 const unsigned _len = len;
2251 uintptr_t num = 0;
2252
2253 ENTER();
2254
2255 for (;;) {
2256 int ret;
2257
2258 if (num == count)
2259 data = NULL;
2260
2261 /* Record "descriptor" entity */
2262 ret = entity(FFS_DESCRIPTOR, (u8 *)num, (void *)data, priv);
2263 if (unlikely(ret < 0)) {
2264 pr_debug("entity DESCRIPTOR(%02lx); ret = %d\n",
2265 num, ret);
2266 return ret;
2267 }
2268
2269 if (!data)
2270 return _len - len;
2271
2272 ret = ffs_do_single_desc(data, len, entity, priv);
2273 if (unlikely(ret < 0)) {
2274 pr_debug("%s returns %d\n", __func__, ret);
2275 return ret;
2276 }
2277
2278 len -= ret;
2279 data += ret;
2280 ++num;
2281 }
2282 }
2283
__ffs_data_do_entity(enum ffs_entity_type type,u8 * valuep,struct usb_descriptor_header * desc,void * priv)2284 static int __ffs_data_do_entity(enum ffs_entity_type type,
2285 u8 *valuep, struct usb_descriptor_header *desc,
2286 void *priv)
2287 {
2288 struct ffs_desc_helper *helper = priv;
2289 struct usb_endpoint_descriptor *d = NULL;
2290
2291 ENTER();
2292
2293 switch (type) {
2294 case FFS_DESCRIPTOR:
2295 break;
2296
2297 case FFS_INTERFACE:
2298 /*
2299 * Interfaces are indexed from zero so if we
2300 * encountered interface "n" then there are at least
2301 * "n+1" interfaces.
2302 */
2303 if (*valuep >= helper->interfaces_count)
2304 helper->interfaces_count = *valuep + 1;
2305 break;
2306
2307 case FFS_STRING:
2308 /*
2309 * Strings are indexed from 1 (0 is reserved
2310 * for languages list)
2311 */
2312 if (*valuep > helper->ffs->strings_count)
2313 helper->ffs->strings_count = *valuep;
2314 break;
2315
2316 case FFS_ENDPOINT:
2317 d = (void *)desc;
2318 helper->eps_count++;
2319 if (helper->eps_count >= FFS_MAX_EPS_COUNT)
2320 return -EINVAL;
2321 /* Check if descriptors for any speed were already parsed */
2322 if (!helper->ffs->eps_count && !helper->ffs->interfaces_count)
2323 helper->ffs->eps_addrmap[helper->eps_count] =
2324 d->bEndpointAddress;
2325 else if (helper->ffs->eps_addrmap[helper->eps_count] !=
2326 d->bEndpointAddress)
2327 return -EINVAL;
2328 break;
2329 }
2330
2331 return 0;
2332 }
2333
__ffs_do_os_desc_header(enum ffs_os_desc_type * next_type,struct usb_os_desc_header * desc)2334 static int __ffs_do_os_desc_header(enum ffs_os_desc_type *next_type,
2335 struct usb_os_desc_header *desc)
2336 {
2337 u16 bcd_version = le16_to_cpu(desc->bcdVersion);
2338 u16 w_index = le16_to_cpu(desc->wIndex);
2339
2340 if (bcd_version != 1) {
2341 pr_vdebug("unsupported os descriptors version: %d",
2342 bcd_version);
2343 return -EINVAL;
2344 }
2345 switch (w_index) {
2346 case 0x4:
2347 *next_type = FFS_OS_DESC_EXT_COMPAT;
2348 break;
2349 case 0x5:
2350 *next_type = FFS_OS_DESC_EXT_PROP;
2351 break;
2352 default:
2353 pr_vdebug("unsupported os descriptor type: %d", w_index);
2354 return -EINVAL;
2355 }
2356
2357 return sizeof(*desc);
2358 }
2359
2360 /*
2361 * Process all extended compatibility/extended property descriptors
2362 * of a feature descriptor
2363 */
ffs_do_single_os_desc(char * data,unsigned len,enum ffs_os_desc_type type,u16 feature_count,ffs_os_desc_callback entity,void * priv,struct usb_os_desc_header * h)2364 static int __must_check ffs_do_single_os_desc(char *data, unsigned len,
2365 enum ffs_os_desc_type type,
2366 u16 feature_count,
2367 ffs_os_desc_callback entity,
2368 void *priv,
2369 struct usb_os_desc_header *h)
2370 {
2371 int ret;
2372 const unsigned _len = len;
2373
2374 ENTER();
2375
2376 /* loop over all ext compat/ext prop descriptors */
2377 while (feature_count--) {
2378 ret = entity(type, h, data, len, priv);
2379 if (unlikely(ret < 0)) {
2380 pr_debug("bad OS descriptor, type: %d\n", type);
2381 return ret;
2382 }
2383 data += ret;
2384 len -= ret;
2385 }
2386 return _len - len;
2387 }
2388
2389 /* Process a number of complete Feature Descriptors (Ext Compat or Ext Prop) */
ffs_do_os_descs(unsigned count,char * data,unsigned len,ffs_os_desc_callback entity,void * priv)2390 static int __must_check ffs_do_os_descs(unsigned count,
2391 char *data, unsigned len,
2392 ffs_os_desc_callback entity, void *priv)
2393 {
2394 const unsigned _len = len;
2395 unsigned long num = 0;
2396
2397 ENTER();
2398
2399 for (num = 0; num < count; ++num) {
2400 int ret;
2401 enum ffs_os_desc_type type;
2402 u16 feature_count;
2403 struct usb_os_desc_header *desc = (void *)data;
2404
2405 if (len < sizeof(*desc))
2406 return -EINVAL;
2407
2408 /*
2409 * Record "descriptor" entity.
2410 * Process dwLength, bcdVersion, wIndex, get b/wCount.
2411 * Move the data pointer to the beginning of extended
2412 * compatibilities proper or extended properties proper
2413 * portions of the data
2414 */
2415 if (le32_to_cpu(desc->dwLength) > len)
2416 return -EINVAL;
2417
2418 ret = __ffs_do_os_desc_header(&type, desc);
2419 if (unlikely(ret < 0)) {
2420 pr_debug("entity OS_DESCRIPTOR(%02lx); ret = %d\n",
2421 num, ret);
2422 return ret;
2423 }
2424 /*
2425 * 16-bit hex "?? 00" Little Endian looks like 8-bit hex "??"
2426 */
2427 feature_count = le16_to_cpu(desc->wCount);
2428 if (type == FFS_OS_DESC_EXT_COMPAT &&
2429 (feature_count > 255 || desc->Reserved))
2430 return -EINVAL;
2431 len -= ret;
2432 data += ret;
2433
2434 /*
2435 * Process all function/property descriptors
2436 * of this Feature Descriptor
2437 */
2438 ret = ffs_do_single_os_desc(data, len, type,
2439 feature_count, entity, priv, desc);
2440 if (unlikely(ret < 0)) {
2441 pr_debug("%s returns %d\n", __func__, ret);
2442 return ret;
2443 }
2444
2445 len -= ret;
2446 data += ret;
2447 }
2448 return _len - len;
2449 }
2450
2451 /**
2452 * Validate contents of the buffer from userspace related to OS descriptors.
2453 */
__ffs_data_do_os_desc(enum ffs_os_desc_type type,struct usb_os_desc_header * h,void * data,unsigned len,void * priv)2454 static int __ffs_data_do_os_desc(enum ffs_os_desc_type type,
2455 struct usb_os_desc_header *h, void *data,
2456 unsigned len, void *priv)
2457 {
2458 struct ffs_data *ffs = priv;
2459 u8 length;
2460
2461 ENTER();
2462
2463 switch (type) {
2464 case FFS_OS_DESC_EXT_COMPAT: {
2465 struct usb_ext_compat_desc *d = data;
2466 int i;
2467
2468 if (len < sizeof(*d) ||
2469 d->bFirstInterfaceNumber >= ffs->interfaces_count)
2470 return -EINVAL;
2471 if (d->Reserved1 != 1) {
2472 /*
2473 * According to the spec, Reserved1 must be set to 1
2474 * but older kernels incorrectly rejected non-zero
2475 * values. We fix it here to avoid returning EINVAL
2476 * in response to values we used to accept.
2477 */
2478 pr_debug("usb_ext_compat_desc::Reserved1 forced to 1\n");
2479 d->Reserved1 = 1;
2480 }
2481 for (i = 0; i < ARRAY_SIZE(d->Reserved2); ++i)
2482 if (d->Reserved2[i])
2483 return -EINVAL;
2484
2485 length = sizeof(struct usb_ext_compat_desc);
2486 }
2487 break;
2488 case FFS_OS_DESC_EXT_PROP: {
2489 struct usb_ext_prop_desc *d = data;
2490 u32 type, pdl;
2491 u16 pnl;
2492
2493 if (len < sizeof(*d) || h->interface >= ffs->interfaces_count)
2494 return -EINVAL;
2495 length = le32_to_cpu(d->dwSize);
2496 if (len < length)
2497 return -EINVAL;
2498 type = le32_to_cpu(d->dwPropertyDataType);
2499 if (type < USB_EXT_PROP_UNICODE ||
2500 type > USB_EXT_PROP_UNICODE_MULTI) {
2501 pr_vdebug("unsupported os descriptor property type: %d",
2502 type);
2503 return -EINVAL;
2504 }
2505 pnl = le16_to_cpu(d->wPropertyNameLength);
2506 if (length < 14 + pnl) {
2507 pr_vdebug("invalid os descriptor length: %d pnl:%d (descriptor %d)\n",
2508 length, pnl, type);
2509 return -EINVAL;
2510 }
2511 pdl = le32_to_cpu(*(__le32 *)((u8 *)data + 10 + pnl));
2512 if (length != 14 + pnl + pdl) {
2513 pr_vdebug("invalid os descriptor length: %d pnl:%d pdl:%d (descriptor %d)\n",
2514 length, pnl, pdl, type);
2515 return -EINVAL;
2516 }
2517 ++ffs->ms_os_descs_ext_prop_count;
2518 /* property name reported to the host as "WCHAR"s */
2519 ffs->ms_os_descs_ext_prop_name_len += pnl * 2;
2520 ffs->ms_os_descs_ext_prop_data_len += pdl;
2521 }
2522 break;
2523 default:
2524 pr_vdebug("unknown descriptor: %d\n", type);
2525 return -EINVAL;
2526 }
2527 return length;
2528 }
2529
__ffs_data_got_descs(struct ffs_data * ffs,char * const _data,size_t len)2530 static int __ffs_data_got_descs(struct ffs_data *ffs,
2531 char *const _data, size_t len)
2532 {
2533 char *data = _data, *raw_descs = NULL;
2534 unsigned os_descs_count = 0, counts[3], flags;
2535 int ret = -EINVAL, i;
2536 struct ffs_desc_helper helper;
2537
2538 ENTER();
2539
2540 if (get_unaligned_le32(data + 4) != len)
2541 goto error;
2542
2543 switch (get_unaligned_le32(data)) {
2544 case FUNCTIONFS_DESCRIPTORS_MAGIC:
2545 flags = FUNCTIONFS_HAS_FS_DESC | FUNCTIONFS_HAS_HS_DESC;
2546 data += 8;
2547 len -= 8;
2548 break;
2549 case FUNCTIONFS_DESCRIPTORS_MAGIC_V2:
2550 flags = get_unaligned_le32(data + 8);
2551 ffs->user_flags = flags;
2552 if (flags & ~(FUNCTIONFS_HAS_FS_DESC |
2553 FUNCTIONFS_HAS_HS_DESC |
2554 FUNCTIONFS_HAS_SS_DESC |
2555 FUNCTIONFS_HAS_MS_OS_DESC |
2556 FUNCTIONFS_VIRTUAL_ADDR |
2557 FUNCTIONFS_EVENTFD |
2558 FUNCTIONFS_ALL_CTRL_RECIP |
2559 FUNCTIONFS_CONFIG0_SETUP)) {
2560 ret = -ENOSYS;
2561 goto error;
2562 }
2563 data += 12;
2564 len -= 12;
2565 break;
2566 default:
2567 goto error;
2568 }
2569
2570 if (flags & FUNCTIONFS_EVENTFD) {
2571 if (len < 4)
2572 goto error;
2573 ffs->ffs_eventfd =
2574 eventfd_ctx_fdget((int)get_unaligned_le32(data));
2575 if (IS_ERR(ffs->ffs_eventfd)) {
2576 ret = PTR_ERR(ffs->ffs_eventfd);
2577 ffs->ffs_eventfd = NULL;
2578 goto error;
2579 }
2580 data += 4;
2581 len -= 4;
2582 }
2583
2584 /* Read fs_count, hs_count and ss_count (if present) */
2585 for (i = 0; i < 3; ++i) {
2586 if (!(flags & (1 << i))) {
2587 counts[i] = 0;
2588 } else if (len < 4) {
2589 goto error;
2590 } else {
2591 counts[i] = get_unaligned_le32(data);
2592 data += 4;
2593 len -= 4;
2594 }
2595 }
2596 if (flags & (1 << i)) {
2597 if (len < 4) {
2598 goto error;
2599 }
2600 os_descs_count = get_unaligned_le32(data);
2601 data += 4;
2602 len -= 4;
2603 }
2604
2605 /* Read descriptors */
2606 raw_descs = data;
2607 helper.ffs = ffs;
2608 for (i = 0; i < 3; ++i) {
2609 if (!counts[i])
2610 continue;
2611 helper.interfaces_count = 0;
2612 helper.eps_count = 0;
2613 ret = ffs_do_descs(counts[i], data, len,
2614 __ffs_data_do_entity, &helper);
2615 if (ret < 0)
2616 goto error;
2617 if (!ffs->eps_count && !ffs->interfaces_count) {
2618 ffs->eps_count = helper.eps_count;
2619 ffs->interfaces_count = helper.interfaces_count;
2620 } else {
2621 if (ffs->eps_count != helper.eps_count) {
2622 ret = -EINVAL;
2623 goto error;
2624 }
2625 if (ffs->interfaces_count != helper.interfaces_count) {
2626 ret = -EINVAL;
2627 goto error;
2628 }
2629 }
2630 data += ret;
2631 len -= ret;
2632 }
2633 if (os_descs_count) {
2634 ret = ffs_do_os_descs(os_descs_count, data, len,
2635 __ffs_data_do_os_desc, ffs);
2636 if (ret < 0)
2637 goto error;
2638 data += ret;
2639 len -= ret;
2640 }
2641
2642 if (raw_descs == data || len) {
2643 ret = -EINVAL;
2644 goto error;
2645 }
2646
2647 ffs->raw_descs_data = _data;
2648 ffs->raw_descs = raw_descs;
2649 ffs->raw_descs_length = data - raw_descs;
2650 ffs->fs_descs_count = counts[0];
2651 ffs->hs_descs_count = counts[1];
2652 ffs->ss_descs_count = counts[2];
2653 ffs->ms_os_descs_count = os_descs_count;
2654
2655 return 0;
2656
2657 error:
2658 kfree(_data);
2659 return ret;
2660 }
2661
__ffs_data_got_strings(struct ffs_data * ffs,char * const _data,size_t len)2662 static int __ffs_data_got_strings(struct ffs_data *ffs,
2663 char *const _data, size_t len)
2664 {
2665 u32 str_count, needed_count, lang_count;
2666 struct usb_gadget_strings **stringtabs = NULL, *t = NULL;
2667 const char *data = _data;
2668 struct usb_string *s = NULL;
2669
2670 ENTER();
2671
2672 if (unlikely(len < 16 ||
2673 get_unaligned_le32(data) != FUNCTIONFS_STRINGS_MAGIC ||
2674 get_unaligned_le32(data + 4) != len))
2675 goto error;
2676 str_count = get_unaligned_le32(data + 8);
2677 lang_count = get_unaligned_le32(data + 12);
2678
2679 /* if one is zero the other must be zero */
2680 if (unlikely(!str_count != !lang_count))
2681 goto error;
2682
2683 /* Do we have at least as many strings as descriptors need? */
2684 needed_count = ffs->strings_count;
2685 if (unlikely(str_count < needed_count))
2686 goto error;
2687
2688 /*
2689 * If we don't need any strings just return and free all
2690 * memory.
2691 */
2692 if (!needed_count) {
2693 kfree(_data);
2694 return 0;
2695 }
2696
2697 /* Allocate everything in one chunk so there's less maintenance. */
2698 {
2699 unsigned i = 0;
2700 vla_group(d);
2701 vla_item(d, struct usb_gadget_strings *, stringtabs,
2702 lang_count + 1);
2703 vla_item(d, struct usb_gadget_strings, stringtab, lang_count);
2704 vla_item(d, struct usb_string, strings,
2705 lang_count*(needed_count+1));
2706
2707 char *vlabuf = kmalloc(vla_group_size(d), GFP_KERNEL);
2708
2709 if (unlikely(!vlabuf)) {
2710 kfree(_data);
2711 return -ENOMEM;
2712 }
2713
2714 /* Initialize the VLA pointers */
2715 stringtabs = vla_ptr(vlabuf, d, stringtabs);
2716 t = vla_ptr(vlabuf, d, stringtab);
2717 i = lang_count;
2718 do {
2719 *stringtabs++ = t++;
2720 } while (--i);
2721 *stringtabs = NULL;
2722
2723 /* stringtabs = vlabuf = d_stringtabs for later kfree */
2724 stringtabs = vla_ptr(vlabuf, d, stringtabs);
2725 t = vla_ptr(vlabuf, d, stringtab);
2726 s = vla_ptr(vlabuf, d, strings);
2727 }
2728
2729 /* For each language */
2730 data += 16;
2731 len -= 16;
2732
2733 do { /* lang_count > 0 so we can use do-while */
2734 unsigned needed = needed_count;
2735
2736 if (unlikely(len < 3))
2737 goto error_free;
2738 t->language = get_unaligned_le16(data);
2739 t->strings = s;
2740 ++t;
2741
2742 data += 2;
2743 len -= 2;
2744
2745 /* For each string */
2746 do { /* str_count > 0 so we can use do-while */
2747 size_t length = strnlen(data, len);
2748
2749 if (unlikely(length == len))
2750 goto error_free;
2751
2752 /*
2753 * User may provide more strings then we need,
2754 * if that's the case we simply ignore the
2755 * rest
2756 */
2757 if (likely(needed)) {
2758 /*
2759 * s->id will be set while adding
2760 * function to configuration so for
2761 * now just leave garbage here.
2762 */
2763 s->s = data;
2764 --needed;
2765 ++s;
2766 }
2767
2768 data += length + 1;
2769 len -= length + 1;
2770 } while (--str_count);
2771
2772 s->id = 0; /* terminator */
2773 s->s = NULL;
2774 ++s;
2775
2776 } while (--lang_count);
2777
2778 /* Some garbage left? */
2779 if (unlikely(len))
2780 goto error_free;
2781
2782 /* Done! */
2783 ffs->stringtabs = stringtabs;
2784 ffs->raw_strings = _data;
2785
2786 return 0;
2787
2788 error_free:
2789 kfree(stringtabs);
2790 error:
2791 kfree(_data);
2792 return -EINVAL;
2793 }
2794
2795 /* Events handling and management *******************************************/
__ffs_event_add(struct ffs_data * ffs,enum usb_functionfs_event_type type)2796 static void __ffs_event_add(struct ffs_data *ffs,
2797 enum usb_functionfs_event_type type)
2798 {
2799 enum usb_functionfs_event_type rem_type1, rem_type2 = type;
2800 int neg = 0;
2801
2802 /*
2803 * Abort any unhandled setup
2804 *
2805 * We do not need to worry about some cmpxchg() changing value
2806 * of ffs->setup_state without holding the lock because when
2807 * state is FFS_SETUP_PENDING cmpxchg() in several places in
2808 * the source does nothing.
2809 */
2810 if (ffs->setup_state == FFS_SETUP_PENDING)
2811 ffs->setup_state = FFS_SETUP_CANCELLED;
2812
2813 /*
2814 * Logic of this function guarantees that there are at most four pending
2815 * evens on ffs->ev.types queue. This is important because the queue
2816 * has space for four elements only and __ffs_ep0_read_events function
2817 * depends on that limit as well. If more event types are added, those
2818 * limits have to be revisited or guaranteed to still hold.
2819 */
2820 switch (type) {
2821 case FUNCTIONFS_RESUME:
2822 rem_type2 = FUNCTIONFS_SUSPEND;
2823 /* FALL THROUGH */
2824 case FUNCTIONFS_SUSPEND:
2825 case FUNCTIONFS_SETUP:
2826 rem_type1 = type;
2827 /* Discard all similar events */
2828 break;
2829
2830 case FUNCTIONFS_BIND:
2831 case FUNCTIONFS_UNBIND:
2832 case FUNCTIONFS_DISABLE:
2833 case FUNCTIONFS_ENABLE:
2834 /* Discard everything other then power management. */
2835 rem_type1 = FUNCTIONFS_SUSPEND;
2836 rem_type2 = FUNCTIONFS_RESUME;
2837 neg = 1;
2838 break;
2839
2840 default:
2841 WARN(1, "%d: unknown event, this should not happen\n", type);
2842 return;
2843 }
2844
2845 {
2846 u8 *ev = ffs->ev.types, *out = ev;
2847 unsigned n = ffs->ev.count;
2848 for (; n; --n, ++ev)
2849 if ((*ev == rem_type1 || *ev == rem_type2) == neg)
2850 *out++ = *ev;
2851 else
2852 pr_vdebug("purging event %d\n", *ev);
2853 ffs->ev.count = out - ffs->ev.types;
2854 }
2855
2856 pr_vdebug("adding event %d\n", type);
2857 ffs->ev.types[ffs->ev.count++] = type;
2858 wake_up_locked(&ffs->ev.waitq);
2859 if (ffs->ffs_eventfd)
2860 eventfd_signal(ffs->ffs_eventfd, 1);
2861 }
2862
ffs_event_add(struct ffs_data * ffs,enum usb_functionfs_event_type type)2863 static void ffs_event_add(struct ffs_data *ffs,
2864 enum usb_functionfs_event_type type)
2865 {
2866 unsigned long flags;
2867 spin_lock_irqsave(&ffs->ev.waitq.lock, flags);
2868 __ffs_event_add(ffs, type);
2869 spin_unlock_irqrestore(&ffs->ev.waitq.lock, flags);
2870 }
2871
2872 /* Bind/unbind USB function hooks *******************************************/
2873
ffs_ep_addr2idx(struct ffs_data * ffs,u8 endpoint_address)2874 static int ffs_ep_addr2idx(struct ffs_data *ffs, u8 endpoint_address)
2875 {
2876 int i;
2877
2878 for (i = 1; i < ARRAY_SIZE(ffs->eps_addrmap); ++i)
2879 if (ffs->eps_addrmap[i] == endpoint_address)
2880 return i;
2881 return -ENOENT;
2882 }
2883
__ffs_func_bind_do_descs(enum ffs_entity_type type,u8 * valuep,struct usb_descriptor_header * desc,void * priv)2884 static int __ffs_func_bind_do_descs(enum ffs_entity_type type, u8 *valuep,
2885 struct usb_descriptor_header *desc,
2886 void *priv)
2887 {
2888 struct usb_endpoint_descriptor *ds = (void *)desc;
2889 struct ffs_function *func = priv;
2890 struct ffs_ep *ffs_ep = NULL;
2891 unsigned ep_desc_id;
2892 int idx;
2893 static const char *speed_names[] = { "full", "high", "super" };
2894
2895 if (type != FFS_DESCRIPTOR)
2896 return 0;
2897
2898 /*
2899 * If ss_descriptors is not NULL, we are reading super speed
2900 * descriptors; if hs_descriptors is not NULL, we are reading high
2901 * speed descriptors; otherwise, we are reading full speed
2902 * descriptors.
2903 */
2904 if (func->function.ss_descriptors) {
2905 ep_desc_id = 2;
2906 func->function.ss_descriptors[(uintptr_t)valuep] = desc;
2907 } else if (func->function.hs_descriptors) {
2908 ep_desc_id = 1;
2909 func->function.hs_descriptors[(uintptr_t)valuep] = desc;
2910 } else {
2911 ep_desc_id = 0;
2912 func->function.fs_descriptors[(uintptr_t)valuep] = desc;
2913 }
2914
2915 if (!desc || desc->bDescriptorType != USB_DT_ENDPOINT)
2916 return 0;
2917
2918 idx = ffs_ep_addr2idx(func->ffs, ds->bEndpointAddress) - 1;
2919 if (idx < 0)
2920 return idx;
2921
2922 ffs_ep = func->eps + idx;
2923
2924 if (unlikely(ffs_ep->descs[ep_desc_id])) {
2925 pr_err("two %sspeed descriptors for EP %d\n",
2926 speed_names[ep_desc_id],
2927 ds->bEndpointAddress & USB_ENDPOINT_NUMBER_MASK);
2928 return -EINVAL;
2929 }
2930 ffs_ep->descs[ep_desc_id] = ds;
2931
2932 ffs_dump_mem(": Original ep desc", ds, ds->bLength);
2933 if (ffs_ep->ep) {
2934 ds->bEndpointAddress = ffs_ep->descs[0]->bEndpointAddress;
2935 if (!ds->wMaxPacketSize)
2936 ds->wMaxPacketSize = ffs_ep->descs[0]->wMaxPacketSize;
2937 } else {
2938 struct usb_request *req = NULL;
2939 struct usb_ep *ep = NULL;
2940 u8 bEndpointAddress;
2941
2942 /*
2943 * We back up bEndpointAddress because autoconfig overwrites
2944 * it with physical endpoint address.
2945 */
2946 bEndpointAddress = ds->bEndpointAddress;
2947 pr_vdebug("autoconfig\n");
2948 ep = usb_ep_autoconfig(func->gadget, ds);
2949 if (unlikely(!ep))
2950 return -ENOTSUPP;
2951 ep->driver_data = func->eps + idx;
2952
2953 req = usb_ep_alloc_request(ep, GFP_KERNEL);
2954 if (unlikely(!req))
2955 return -ENOMEM;
2956
2957 ffs_ep->ep = ep;
2958 ffs_ep->req = req;
2959 INIT_LIST_HEAD(&ffs_ep->req->list);
2960 func->eps_revmap[ds->bEndpointAddress &
2961 USB_ENDPOINT_NUMBER_MASK] = idx + 1;
2962 /*
2963 * If we use virtual address mapping, we restore
2964 * original bEndpointAddress value.
2965 */
2966 if (func->ffs->user_flags & FUNCTIONFS_VIRTUAL_ADDR)
2967 ds->bEndpointAddress = bEndpointAddress;
2968 }
2969 ffs_dump_mem(": Rewritten ep desc", ds, ds->bLength);
2970
2971 return 0;
2972 }
2973
__ffs_func_bind_do_nums(enum ffs_entity_type type,u8 * valuep,struct usb_descriptor_header * desc,void * priv)2974 static int __ffs_func_bind_do_nums(enum ffs_entity_type type, u8 *valuep,
2975 struct usb_descriptor_header *desc,
2976 void *priv)
2977 {
2978 struct ffs_function *func = priv;
2979 unsigned idx;
2980 u8 newValue;
2981
2982 switch (type) {
2983 default:
2984 case FFS_DESCRIPTOR:
2985 /* Handled in previous pass by __ffs_func_bind_do_descs() */
2986 return 0;
2987
2988 case FFS_INTERFACE:
2989 idx = *valuep;
2990 if (func->interfaces_nums[idx] < 0) {
2991 int id = usb_interface_id(func->conf, &func->function);
2992 if (unlikely(id < 0))
2993 return id;
2994 func->interfaces_nums[idx] = id;
2995 }
2996 newValue = func->interfaces_nums[idx];
2997 break;
2998
2999 case FFS_STRING:
3000 /* String' IDs are allocated when fsf_data is bound to cdev */
3001 newValue = func->ffs->stringtabs[0]->strings[*valuep - 1].id;
3002 break;
3003
3004 case FFS_ENDPOINT:
3005 /*
3006 * USB_DT_ENDPOINT are handled in
3007 * __ffs_func_bind_do_descs().
3008 */
3009 if (desc->bDescriptorType == USB_DT_ENDPOINT)
3010 return 0;
3011
3012 idx = (*valuep & USB_ENDPOINT_NUMBER_MASK) - 1;
3013 if (unlikely(!func->eps[idx].ep))
3014 return -EINVAL;
3015
3016 {
3017 struct usb_endpoint_descriptor **descs;
3018 descs = func->eps[idx].descs;
3019 newValue = descs[descs[0] ? 0 : 1]->bEndpointAddress;
3020 }
3021 break;
3022 }
3023
3024 pr_vdebug("%02x -> %02x\n", *valuep, newValue);
3025 *valuep = newValue;
3026 return 0;
3027 }
3028
__ffs_func_bind_do_os_desc(enum ffs_os_desc_type type,struct usb_os_desc_header * h,void * data,unsigned len,void * priv)3029 static int __ffs_func_bind_do_os_desc(enum ffs_os_desc_type type,
3030 struct usb_os_desc_header *h, void *data,
3031 unsigned len, void *priv)
3032 {
3033 struct ffs_function *func = priv;
3034 u8 length = 0;
3035
3036 switch (type) {
3037 case FFS_OS_DESC_EXT_COMPAT: {
3038 struct usb_ext_compat_desc *desc = data;
3039 struct usb_os_desc_table *t;
3040
3041 t = &func->function.os_desc_table[desc->bFirstInterfaceNumber];
3042 t->if_id = func->interfaces_nums[desc->bFirstInterfaceNumber];
3043 memcpy(t->os_desc->ext_compat_id, &desc->CompatibleID,
3044 ARRAY_SIZE(desc->CompatibleID) + ARRAY_SIZE(desc->SubCompatibleID));
3045 length = sizeof(*desc);
3046 }
3047 break;
3048 case FFS_OS_DESC_EXT_PROP: {
3049 struct usb_ext_prop_desc *desc = data;
3050 struct usb_os_desc_table *t;
3051 struct usb_os_desc_ext_prop *ext_prop;
3052 char *ext_prop_name;
3053 char *ext_prop_data;
3054
3055 t = &func->function.os_desc_table[h->interface];
3056 t->if_id = func->interfaces_nums[h->interface];
3057
3058 ext_prop = func->ffs->ms_os_descs_ext_prop_avail;
3059 func->ffs->ms_os_descs_ext_prop_avail += sizeof(*ext_prop);
3060
3061 ext_prop->type = le32_to_cpu(desc->dwPropertyDataType);
3062 ext_prop->name_len = le16_to_cpu(desc->wPropertyNameLength);
3063 ext_prop->data_len = le32_to_cpu(*(__le32 *)
3064 usb_ext_prop_data_len_ptr(data, ext_prop->name_len));
3065 length = ext_prop->name_len + ext_prop->data_len + 14;
3066
3067 ext_prop_name = func->ffs->ms_os_descs_ext_prop_name_avail;
3068 func->ffs->ms_os_descs_ext_prop_name_avail +=
3069 ext_prop->name_len;
3070
3071 ext_prop_data = func->ffs->ms_os_descs_ext_prop_data_avail;
3072 func->ffs->ms_os_descs_ext_prop_data_avail +=
3073 ext_prop->data_len;
3074 memcpy(ext_prop_data, usb_ext_prop_data_ptr(data, ext_prop->name_len),
3075 ext_prop->data_len);
3076 /* unicode data reported to the host as "WCHAR"s */
3077 switch (ext_prop->type) {
3078 case USB_EXT_PROP_UNICODE:
3079 case USB_EXT_PROP_UNICODE_ENV:
3080 case USB_EXT_PROP_UNICODE_LINK:
3081 case USB_EXT_PROP_UNICODE_MULTI:
3082 ext_prop->data_len *= 2;
3083 break;
3084 }
3085 ext_prop->data = ext_prop_data;
3086
3087 memcpy(ext_prop_name, usb_ext_prop_name_ptr(data),
3088 ext_prop->name_len);
3089 /* property name reported to the host as "WCHAR"s */
3090 ext_prop->name_len *= 2;
3091 ext_prop->name = ext_prop_name;
3092
3093 t->os_desc->ext_prop_len +=
3094 ext_prop->name_len + ext_prop->data_len + 14;
3095 ++t->os_desc->ext_prop_count;
3096 list_add_tail(&ext_prop->entry, &t->os_desc->ext_prop);
3097 }
3098 break;
3099 default:
3100 pr_vdebug("unknown descriptor: %d\n", type);
3101 }
3102
3103 return length;
3104 }
3105
ffs_do_functionfs_bind(struct usb_function * f,struct usb_configuration * c)3106 static inline struct f_fs_opts *ffs_do_functionfs_bind(struct usb_function *f,
3107 struct usb_configuration *c)
3108 {
3109 struct ffs_function *func = ffs_func_from_usb(f);
3110 struct f_fs_opts *ffs_opts =
3111 container_of(f->fi, struct f_fs_opts, func_inst);
3112 int ret;
3113
3114 ENTER();
3115
3116 /*
3117 * Legacy gadget triggers binding in functionfs_ready_callback,
3118 * which already uses locking; taking the same lock here would
3119 * cause a deadlock.
3120 *
3121 * Configfs-enabled gadgets however do need ffs_dev_lock.
3122 */
3123 if (!ffs_opts->no_configfs)
3124 ffs_dev_lock();
3125 ret = ffs_opts->dev->desc_ready ? 0 : -ENODEV;
3126 func->ffs = ffs_opts->dev->ffs_data;
3127 if (!ffs_opts->no_configfs)
3128 ffs_dev_unlock();
3129 if (ret)
3130 return ERR_PTR(ret);
3131
3132 func->conf = c;
3133 func->gadget = c->cdev->gadget;
3134
3135 /*
3136 * in drivers/usb/gadget/configfs.c:configfs_composite_bind()
3137 * configurations are bound in sequence with list_for_each_entry,
3138 * in each configuration its functions are bound in sequence
3139 * with list_for_each_entry, so we assume no race condition
3140 * with regard to ffs_opts->bound access
3141 */
3142 if (!ffs_opts->refcnt) {
3143 ret = functionfs_bind(func->ffs, c->cdev);
3144 if (ret)
3145 return ERR_PTR(ret);
3146 }
3147 ffs_opts->refcnt++;
3148 func->function.strings = func->ffs->stringtabs;
3149
3150 return ffs_opts;
3151 }
3152
_ffs_func_bind(struct usb_configuration * c,struct usb_function * f)3153 static int _ffs_func_bind(struct usb_configuration *c, struct usb_function *f)
3154 {
3155 struct ffs_function *func = ffs_func_from_usb(f);
3156 struct ffs_data *ffs = func->ffs;
3157
3158 const int full = !!func->ffs->fs_descs_count;
3159 const int high = !!func->ffs->hs_descs_count;
3160 const int super = !!func->ffs->ss_descs_count;
3161
3162 int fs_len, hs_len, ss_len, ret, i;
3163 struct ffs_ep *eps_ptr = NULL;
3164 struct usb_descriptor_header *des_head = NULL;
3165 struct usb_interface_descriptor *intf_ctl = NULL;
3166 struct usb_interface_descriptor *intf_data = NULL;
3167 /* Make it a single chunk, less management later on */
3168 vla_group(d);
3169 vla_item_with_sz(d, struct ffs_ep, eps, ffs->eps_count);
3170 vla_item_with_sz(d, struct usb_descriptor_header *, fs_descs,
3171 full ? ffs->fs_descs_count + 1 : 0);
3172 vla_item_with_sz(d, struct usb_descriptor_header *, hs_descs,
3173 high ? ffs->hs_descs_count + 1 : 0);
3174 vla_item_with_sz(d, struct usb_descriptor_header *, ss_descs,
3175 super ? ffs->ss_descs_count + 1 : 0);
3176 vla_item_with_sz(d, short, inums, ffs->interfaces_count);
3177 vla_item_with_sz(d, struct usb_os_desc_table, os_desc_table,
3178 c->cdev->use_os_string ? ffs->interfaces_count : 0);
3179 vla_item_with_sz(d, char[16], ext_compat,
3180 c->cdev->use_os_string ? ffs->interfaces_count : 0);
3181 vla_item_with_sz(d, struct usb_os_desc, os_desc,
3182 c->cdev->use_os_string ? ffs->interfaces_count : 0);
3183 vla_item_with_sz(d, struct usb_os_desc_ext_prop, ext_prop,
3184 ffs->ms_os_descs_ext_prop_count);
3185 vla_item_with_sz(d, char, ext_prop_name,
3186 ffs->ms_os_descs_ext_prop_name_len);
3187 vla_item_with_sz(d, char, ext_prop_data,
3188 ffs->ms_os_descs_ext_prop_data_len);
3189 vla_item_with_sz(d, char, raw_descs, ffs->raw_descs_length);
3190 char *vlabuf = NULL;
3191
3192 ENTER();
3193
3194 /* Has descriptors only for speeds gadget does not support */
3195 if (unlikely(!(full | high | super)))
3196 return -ENOTSUPP;
3197
3198 /* Allocate a single chunk, less management later on */
3199 vlabuf = kzalloc(vla_group_size(d), GFP_KERNEL);
3200 if (unlikely(!vlabuf))
3201 return -ENOMEM;
3202
3203 ffs->ms_os_descs_ext_prop_avail = vla_ptr(vlabuf, d, ext_prop);
3204 ffs->ms_os_descs_ext_prop_name_avail =
3205 vla_ptr(vlabuf, d, ext_prop_name);
3206 ffs->ms_os_descs_ext_prop_data_avail =
3207 vla_ptr(vlabuf, d, ext_prop_data);
3208
3209 /* Copy descriptors */
3210 memcpy(vla_ptr(vlabuf, d, raw_descs), ffs->raw_descs, ffs->raw_descs_length);
3211
3212 memset(vla_ptr(vlabuf, d, inums), 0xff, d_inums__sz);
3213
3214 eps_ptr = vla_ptr(vlabuf, d, eps);
3215 for (i = 0; i < ffs->eps_count; i++)
3216 eps_ptr[i].num = -1;
3217
3218 /* Save pointers
3219 * d_eps == vlabuf, func->eps used to kfree vlabuf later
3220 */
3221 func->eps = vla_ptr(vlabuf, d, eps);
3222 func->interfaces_nums = vla_ptr(vlabuf, d, inums);
3223
3224 /*
3225 * Go through all the endpoint descriptors and allocate
3226 * endpoints first, so that later we can rewrite the endpoint
3227 * numbers without worrying that it may be described later on.
3228 */
3229 if (likely(full)) {
3230 func->function.fs_descriptors = vla_ptr(vlabuf, d, fs_descs);
3231 fs_len = ffs_do_descs(ffs->fs_descs_count,
3232 vla_ptr(vlabuf, d, raw_descs),
3233 d_raw_descs__sz,
3234 __ffs_func_bind_do_descs, func);
3235 if (unlikely(fs_len < 0)) {
3236 ret = fs_len;
3237 goto error;
3238 }
3239 } else {
3240 fs_len = 0;
3241 }
3242 if (likely(high)) {
3243 func->function.hs_descriptors = vla_ptr(vlabuf, d, hs_descs);
3244 hs_len = ffs_do_descs(ffs->hs_descs_count,
3245 vla_ptr(vlabuf, d, raw_descs) + fs_len,
3246 d_raw_descs__sz - fs_len,
3247 __ffs_func_bind_do_descs, func);
3248 if (unlikely(hs_len < 0)) {
3249 ret = hs_len;
3250 goto error;
3251 }
3252 } else {
3253 hs_len = 0;
3254 }
3255 if (likely(super)) {
3256 func->function.ss_descriptors = vla_ptr(vlabuf, d, ss_descs);
3257 ss_len = ffs_do_descs(ffs->ss_descs_count,
3258 vla_ptr(vlabuf, d, raw_descs) + fs_len + hs_len,
3259 d_raw_descs__sz - fs_len - hs_len,
3260 __ffs_func_bind_do_descs, func);
3261 if (unlikely(ss_len < 0)) {
3262 ret = ss_len;
3263 goto error;
3264 }
3265 } else {
3266 ss_len = 0;
3267 }
3268 /*
3269 * Now handle interface numbers allocation and interface and
3270 * endpoint numbers rewriting. We can do that in one go
3271 * now.
3272 */
3273 ret = ffs_do_descs(ffs->fs_descs_count +
3274 (high ? ffs->hs_descs_count : 0) +
3275 (super ? ffs->ss_descs_count : 0),
3276 vla_ptr(vlabuf, d, raw_descs), d_raw_descs__sz,
3277 __ffs_func_bind_do_nums, func);
3278 if (unlikely(ret < 0))
3279 goto error;
3280
3281 func->function.os_desc_table = vla_ptr(vlabuf, d, os_desc_table);
3282 if (c->cdev->use_os_string) {
3283 for (i = 0; i < ffs->interfaces_count; ++i) {
3284 struct usb_os_desc *desc;
3285
3286 desc = func->function.os_desc_table[i].os_desc =
3287 vla_ptr(vlabuf, d, os_desc) +
3288 i * sizeof(struct usb_os_desc);
3289 desc->ext_compat_id =
3290 vla_ptr(vlabuf, d, ext_compat) + i * 16;
3291 INIT_LIST_HEAD(&desc->ext_prop);
3292 }
3293 ret = ffs_do_os_descs(ffs->ms_os_descs_count,
3294 vla_ptr(vlabuf, d, raw_descs) +
3295 fs_len + hs_len + ss_len,
3296 d_raw_descs__sz - fs_len - hs_len -
3297 ss_len,
3298 __ffs_func_bind_do_os_desc, func);
3299 if (unlikely(ret < 0))
3300 goto error;
3301 }
3302 func->function.os_desc_n =
3303 c->cdev->use_os_string ? ffs->interfaces_count : 0;
3304
3305 for (i = 0; i< func->ffs->fs_descs_count; i++) {
3306 des_head = func->function.fs_descriptors[i];
3307 if (des_head->bDescriptorType == USB_DT_INTERFACE) {
3308 struct usb_interface_descriptor *intf = (struct usb_interface_descriptor *)des_head;
3309 if (intf->bNumEndpoints > 0) {
3310 if (intf_ctl == NULL) {
3311 intf_ctl = intf;
3312 } else {
3313 intf_data = intf;
3314 break;
3315 }
3316 }
3317 }
3318 }
3319 for (i = 0; i< func->ffs->fs_descs_count; i++) {
3320 des_head = func->function.fs_descriptors[i];
3321 if (des_head->bDescriptorType == USB_DT_INTERFACE_ASSOCIATION) {
3322 struct usb_interface_assoc_descriptor *a_dec = (struct usb_interface_assoc_descriptor *)des_head;
3323 a_dec->bFirstInterface = intf_ctl->bInterfaceNumber;
3324 } else if (des_head->bDescriptorType == USB_DT_CS_INTERFACE) {
3325 struct usb_cdc_header_desc *cs_des = (struct usb_cdc_header_desc *)des_head;
3326 if (cs_des->bDescriptorSubType == USB_CDC_CALL_MANAGEMENT_TYPE) {
3327 struct usb_cdc_call_mgmt_descriptor *mgmt_des = (struct usb_cdc_call_mgmt_descriptor *)des_head;
3328 mgmt_des->bDataInterface = intf_data->bInterfaceNumber;
3329 } else if (cs_des->bDescriptorSubType == USB_CDC_UNION_TYPE) {
3330 struct usb_cdc_union_desc *union_des = (struct usb_cdc_union_desc *)des_head;
3331 union_des->bMasterInterface0 = intf_ctl->bInterfaceNumber;
3332 union_des->bSlaveInterface0 = intf_data->bInterfaceNumber;
3333 } else if (cs_des->bDescriptorSubType == USB_CDC_ETHERNET_TYPE) {
3334 struct usb_cdc_ether_desc *ether_des = (struct usb_cdc_ether_desc *)des_head;
3335 ether_des->iMACAddress = intf_ctl->iInterface + 1;
3336 }
3337 }
3338 }
3339 for (i = 0; i< func->ffs->hs_descs_count; i++) {
3340 des_head = func->function.hs_descriptors[i];
3341 if (des_head->bDescriptorType == USB_DT_INTERFACE_ASSOCIATION) {
3342 struct usb_interface_assoc_descriptor *a_dec = (struct usb_interface_assoc_descriptor *)des_head;
3343 a_dec->bFirstInterface = intf_ctl->bInterfaceNumber;
3344 } else if (des_head->bDescriptorType == USB_DT_CS_INTERFACE) {
3345 struct usb_cdc_header_desc *cs_des = (struct usb_cdc_header_desc *)des_head;
3346 if (cs_des->bDescriptorSubType == USB_CDC_CALL_MANAGEMENT_TYPE) {
3347 struct usb_cdc_call_mgmt_descriptor *mgmt_des = (struct usb_cdc_call_mgmt_descriptor *)des_head;
3348 mgmt_des->bDataInterface = intf_data->bInterfaceNumber;
3349 } else if (cs_des->bDescriptorSubType == USB_CDC_UNION_TYPE) {
3350 struct usb_cdc_union_desc *union_des = (struct usb_cdc_union_desc *)des_head;
3351 union_des->bMasterInterface0 = intf_ctl->bInterfaceNumber;
3352 union_des->bSlaveInterface0 = intf_data->bInterfaceNumber;
3353 } else if (cs_des->bDescriptorSubType == USB_CDC_ETHERNET_TYPE) {
3354 struct usb_cdc_ether_desc *ether_des = (struct usb_cdc_ether_desc *)des_head;
3355 ether_des->iMACAddress = intf_ctl->iInterface + 1;
3356 }
3357 }
3358 }
3359 for (i = 0; i< func->ffs->ss_descs_count; i++) {
3360 des_head = func->function.ss_descriptors[i];
3361 if (des_head->bDescriptorType == USB_DT_INTERFACE_ASSOCIATION) {
3362 struct usb_interface_assoc_descriptor *a_dec = (struct usb_interface_assoc_descriptor *)des_head;
3363 a_dec->bFirstInterface = intf_ctl->bInterfaceNumber;
3364 } else if (des_head->bDescriptorType == USB_DT_CS_INTERFACE) {
3365 struct usb_cdc_header_desc *cs_des = (struct usb_cdc_header_desc *)des_head;
3366 if (cs_des->bDescriptorSubType == USB_CDC_CALL_MANAGEMENT_TYPE) {
3367 struct usb_cdc_call_mgmt_descriptor *mgmt_des = (struct usb_cdc_call_mgmt_descriptor *)des_head;
3368 mgmt_des->bDataInterface = intf_data->bInterfaceNumber;
3369 } else if (cs_des->bDescriptorSubType == USB_CDC_UNION_TYPE) {
3370 struct usb_cdc_union_desc *union_des = (struct usb_cdc_union_desc *)des_head;
3371 union_des->bMasterInterface0 = intf_ctl->bInterfaceNumber;
3372 union_des->bSlaveInterface0 = intf_data->bInterfaceNumber;
3373 } else if (cs_des->bDescriptorSubType == USB_CDC_ETHERNET_TYPE) {
3374 struct usb_cdc_ether_desc *ether_des = (struct usb_cdc_ether_desc *)des_head;
3375 ether_des->iMACAddress = intf_ctl->iInterface + 1;
3376 }
3377 }
3378 }
3379 /* And we're done */
3380 ffs->eps = func->eps;
3381 ffs_event_add(ffs, FUNCTIONFS_BIND);
3382 return 0;
3383
3384 error:
3385 /* XXX Do we need to release all claimed endpoints here? */
3386 return ret;
3387 }
3388
ffs_func_bind(struct usb_configuration * c,struct usb_function * f)3389 static int ffs_func_bind(struct usb_configuration *c, struct usb_function *f)
3390 {
3391 struct f_fs_opts *ffs_opts = ffs_do_functionfs_bind(f, c);
3392 struct ffs_function *func = ffs_func_from_usb(f);
3393 int ret;
3394
3395 if (IS_ERR(ffs_opts))
3396 return PTR_ERR(ffs_opts);
3397
3398 ret = _ffs_func_bind(c, f);
3399 if (ret && !--ffs_opts->refcnt)
3400 functionfs_unbind(func->ffs);
3401
3402 return ret;
3403 }
3404
3405 /* Other USB function hooks *************************************************/
ffs_reset_work(struct work_struct * work)3406 static void ffs_reset_work(struct work_struct *work)
3407 {
3408 struct ffs_data *ffs = container_of(work,
3409 struct ffs_data, reset_work);
3410 ffs_data_reset(ffs);
3411 }
3412
ffs_func_set_alt(struct usb_function * f,unsigned interface,unsigned alt)3413 static int ffs_func_set_alt(struct usb_function *f,
3414 unsigned interface, unsigned alt)
3415 {
3416 struct ffs_function *func = ffs_func_from_usb(f);
3417 struct ffs_data *ffs = func->ffs;
3418 int ret = 0, intf;
3419
3420 if (alt != (unsigned)-1) {
3421 intf = ffs_func_revmap_intf(func, interface);
3422 if (unlikely(intf < 0))
3423 return intf;
3424 }
3425
3426 if (ffs->func)
3427 ffs_func_eps_disable(ffs->func);
3428
3429 if (ffs->state == FFS_DEACTIVATED) {
3430 ffs->state = FFS_CLOSING;
3431 INIT_WORK(&ffs->reset_work, ffs_reset_work);
3432 schedule_work(&ffs->reset_work);
3433 return -ENODEV;
3434 }
3435
3436 if (ffs == NULL || ffs->state != FFS_ACTIVE)
3437 return -ENODEV;
3438
3439 if (alt == (unsigned)-1) {
3440 ffs->func = NULL;
3441 ffs_event_add(ffs, FUNCTIONFS_DISABLE);
3442 return 0;
3443 }
3444
3445 ffs->func = func;
3446 ret = ffs_func_eps_enable(func);
3447 if (likely(ret >= 0))
3448 ffs_event_add(ffs, FUNCTIONFS_ENABLE);
3449 return ret;
3450 }
3451
ffs_func_disable(struct usb_function * f)3452 static void ffs_func_disable(struct usb_function *f)
3453 {
3454 ffs_func_set_alt(f, 0, (unsigned)-1);
3455 }
3456
ffs_func_setup(struct usb_function * f,const struct usb_ctrlrequest * creq)3457 static int ffs_func_setup(struct usb_function *f, const struct usb_ctrlrequest *creq)
3458 {
3459 struct ffs_function *func = ffs_func_from_usb(f);
3460 struct ffs_data *ffs = func->ffs;
3461 unsigned long flags;
3462 int ret;
3463
3464 ENTER();
3465
3466 pr_vdebug("creq->bRequestType = %02x\n", creq->bRequestType);
3467 pr_vdebug("creq->bRequest = %02x\n", creq->bRequest);
3468 pr_vdebug("creq->wValue = %04x\n", le16_to_cpu(creq->wValue));
3469 pr_vdebug("creq->wIndex = %04x\n", le16_to_cpu(creq->wIndex));
3470 pr_vdebug("creq->wLength = %04x\n", le16_to_cpu(creq->wLength));
3471
3472 /*
3473 * Most requests directed to interface go through here
3474 * (notable exceptions are set/get interface) so we need to
3475 * handle them. All other either handled by composite or
3476 * passed to usb_configuration->setup() (if one is set). No
3477 * matter, we will handle requests directed to endpoint here
3478 * as well (as it's straightforward). Other request recipient
3479 * types are only handled when the user flag FUNCTIONFS_ALL_CTRL_RECIP
3480 * is being used.
3481 */
3482 if (!ffs || ffs->state != FFS_ACTIVE) {
3483 pr_err("[%s:%d] ffs is null or ffs->state is not active: %d\n", __func__, __LINE__, ffs);
3484 return -ENODEV;
3485 }
3486
3487 switch (creq->bRequestType & USB_RECIP_MASK) {
3488 case USB_RECIP_INTERFACE:
3489 if (creq->bRequestType == (USB_DIR_OUT | USB_TYPE_CLASS | USB_RECIP_INTERFACE) &&
3490 creq->bRequest == USB_CDC_SET_COMM_FEATURE) {
3491 return -EOPNOTSUPP;
3492 }
3493 ret = ffs_func_revmap_intf(func, le16_to_cpu(creq->wIndex));
3494 if (unlikely(ret < 0))
3495 return ret;
3496 break;
3497
3498 case USB_RECIP_ENDPOINT:
3499 ret = ffs_func_revmap_ep(func, le16_to_cpu(creq->wIndex));
3500 if (unlikely(ret < 0))
3501 return ret;
3502 if (func->ffs->user_flags & FUNCTIONFS_VIRTUAL_ADDR)
3503 ret = func->ffs->eps_addrmap[ret];
3504 break;
3505
3506 default:
3507 if (func->ffs->user_flags & FUNCTIONFS_ALL_CTRL_RECIP)
3508 ret = le16_to_cpu(creq->wIndex);
3509 else
3510 return -EOPNOTSUPP;
3511 }
3512 pr_info("f_generic setup:bRequestType=%02x,bRequest=%02x,wValue=%04x,wIndex=%04x,wLength=%04x,ret=%d\n",
3513 creq->bRequestType,
3514 creq->bRequest,
3515 le16_to_cpu(creq->wValue),
3516 le16_to_cpu(creq->wIndex),
3517 le16_to_cpu(creq->wLength),
3518 ret);
3519
3520 spin_lock_irqsave(&ffs->ev.waitq.lock, flags);
3521 ffs->ev.setup = *creq;
3522 ffs->ev.setup.wIndex = cpu_to_le16(ret);
3523 __ffs_event_add(ffs, FUNCTIONFS_SETUP);
3524 spin_unlock_irqrestore(&ffs->ev.waitq.lock, flags);
3525
3526 return creq->wLength == 0 ? USB_GADGET_DELAYED_STATUS : 0;
3527 }
3528
ffs_func_req_match(struct usb_function * f,const struct usb_ctrlrequest * creq,bool config0)3529 static bool ffs_func_req_match(struct usb_function *f,
3530 const struct usb_ctrlrequest *creq,
3531 bool config0)
3532 {
3533 struct ffs_function *func = ffs_func_from_usb(f);
3534
3535 if (config0 && !(func->ffs->user_flags & FUNCTIONFS_CONFIG0_SETUP))
3536 return false;
3537
3538 switch (creq->bRequestType & USB_RECIP_MASK) {
3539 case USB_RECIP_INTERFACE:
3540 return (ffs_func_revmap_intf(func,
3541 le16_to_cpu(creq->wIndex)) >= 0);
3542 case USB_RECIP_ENDPOINT:
3543 return (ffs_func_revmap_ep(func,
3544 le16_to_cpu(creq->wIndex)) >= 0);
3545 default:
3546 return (bool) (func->ffs->user_flags &
3547 FUNCTIONFS_ALL_CTRL_RECIP);
3548 }
3549 }
3550
ffs_func_suspend(struct usb_function * f)3551 static void ffs_func_suspend(struct usb_function *f)
3552 {
3553 ENTER();
3554 ffs_event_add(ffs_func_from_usb(f)->ffs, FUNCTIONFS_SUSPEND);
3555 }
3556
ffs_func_resume(struct usb_function * f)3557 static void ffs_func_resume(struct usb_function *f)
3558 {
3559 ENTER();
3560 ffs_event_add(ffs_func_from_usb(f)->ffs, FUNCTIONFS_RESUME);
3561 }
3562
3563 /* Endpoint and interface numbers reverse mapping ***************************/
ffs_func_revmap_ep(struct ffs_function * func,u8 num)3564 static int ffs_func_revmap_ep(struct ffs_function *func, u8 num)
3565 {
3566 num = func->eps_revmap[num & USB_ENDPOINT_NUMBER_MASK];
3567 return num ? num : -EDOM;
3568 }
3569
ffs_func_revmap_intf(struct ffs_function * func,u8 intf)3570 static int ffs_func_revmap_intf(struct ffs_function *func, u8 intf)
3571 {
3572 short *nums = func->interfaces_nums;
3573 unsigned count = func->ffs->interfaces_count;
3574
3575 for (; count; --count, ++nums) {
3576 if (*nums >= 0 && *nums == intf)
3577 return nums - func->interfaces_nums;
3578 }
3579
3580 return -EDOM;
3581 }
3582
3583 /* Devices management *******************************************************/
3584 static LIST_HEAD(ffs_devices);
3585
_ffs_do_find_dev(const char * name)3586 static struct ffs_dev *_ffs_do_find_dev(const char *name)
3587 {
3588 struct ffs_dev *dev = NULL;
3589
3590 if (!name)
3591 return NULL;
3592
3593 list_for_each_entry(dev, &ffs_devices, entry) {
3594 if (!dev->name)
3595 return NULL;
3596 if (strcmp(dev->name, name) == 0)
3597 return dev;
3598 }
3599
3600 return NULL;
3601 }
3602
3603 /*
3604 * ffs_lock must be taken by the caller of this function
3605 */
_ffs_get_single_dev(void)3606 static struct ffs_dev *_ffs_get_single_dev(void)
3607 {
3608 struct ffs_dev *dev = NULL;
3609
3610 if (list_is_singular(&ffs_devices)) {
3611 dev = list_first_entry(&ffs_devices, struct ffs_dev, entry);
3612 if (dev->single)
3613 return dev;
3614 }
3615
3616 return NULL;
3617 }
3618
3619 /*
3620 * ffs_lock must be taken by the caller of this function
3621 */
_ffs_find_dev(const char * name)3622 static struct ffs_dev *_ffs_find_dev(const char *name)
3623 {
3624 struct ffs_dev *dev;
3625
3626 dev = _ffs_get_single_dev();
3627 if (dev)
3628 return dev;
3629
3630 return _ffs_do_find_dev(name);
3631 }
3632
3633 /* Configfs support *********************************************************/
to_ffs_opts(struct config_item * item)3634 static inline struct f_fs_opts *to_ffs_opts(struct config_item *item)
3635 {
3636 return container_of(to_config_group(item), struct f_fs_opts,
3637 func_inst.group);
3638 }
3639
ffs_attr_release(struct config_item * item)3640 static void ffs_attr_release(struct config_item *item)
3641 {
3642 struct f_fs_opts *opts = to_ffs_opts(item);
3643
3644 usb_put_function_instance(&opts->func_inst);
3645 }
3646
3647 static struct configfs_item_operations ffs_item_ops = {
3648 .release = ffs_attr_release,
3649 };
3650
3651 static const struct config_item_type ffs_func_type = {
3652 .ct_item_ops = &ffs_item_ops,
3653 .ct_owner = THIS_MODULE,
3654 };
3655
3656 /* Function registration interface ******************************************/
ffs_free_inst(struct usb_function_instance * f)3657 static void ffs_free_inst(struct usb_function_instance *f)
3658 {
3659 struct f_fs_opts *opts;
3660
3661 opts = to_f_fs_opts(f);
3662 ffs_dev_lock();
3663 _ffs_free_dev(opts->dev);
3664 ffs_dev_unlock();
3665 kfree(opts);
3666 }
3667
ffs_set_inst_name(struct usb_function_instance * fi,const char * name)3668 static int ffs_set_inst_name(struct usb_function_instance *fi, const char *name)
3669 {
3670 char name_dev[MAX_NAMELEN] = {0};
3671 if (snprintf(name_dev, MAX_NAMELEN - 1, "%s.%s", FUNCTION_GENERIC, name) < 0) {
3672 return -EFAULT;
3673 }
3674 if (strlen(name_dev) >= sizeof_field(struct ffs_dev, name))
3675 return -ENAMETOOLONG;
3676 return ffs_name_dev_adapter(to_f_fs_opts(fi)->dev, name_dev);
3677 }
3678
ffs_alloc_inst(void)3679 static struct usb_function_instance *ffs_alloc_inst(void)
3680 {
3681 struct f_fs_opts *opts = NULL;
3682 struct ffs_dev *dev = NULL;
3683
3684 opts = kzalloc(sizeof(*opts), GFP_KERNEL);
3685 if (!opts)
3686 return ERR_PTR(-ENOMEM);
3687
3688 opts->func_inst.set_inst_name = ffs_set_inst_name;
3689 opts->func_inst.free_func_inst = ffs_free_inst;
3690 ffs_dev_lock();
3691 dev = _ffs_alloc_dev();
3692 ffs_dev_unlock();
3693 if (IS_ERR(dev)) {
3694 kfree(opts);
3695 return ERR_CAST(dev);
3696 }
3697 opts->dev = dev;
3698 dev->opts = opts;
3699
3700 config_group_init_type_name(&opts->func_inst.group, "",
3701 &ffs_func_type);
3702 return &opts->func_inst;
3703 }
3704
ffs_free(struct usb_function * f)3705 static void ffs_free(struct usb_function *f)
3706 {
3707 kfree(ffs_func_from_usb(f));
3708 }
3709
fgeneric_func_unbind(struct usb_configuration * c,struct usb_function * f)3710 static void fgeneric_func_unbind(struct usb_configuration *c,
3711 struct usb_function *f)
3712 {
3713 struct ffs_function *func = ffs_func_from_usb(f);
3714 struct ffs_data *ffs = func->ffs;
3715 struct f_fs_opts *opts =
3716 container_of(f->fi, struct f_fs_opts, func_inst);
3717 struct ffs_ep *ep = func->eps;
3718 unsigned count = ffs->eps_count;
3719 unsigned long flags;
3720
3721 ENTER();
3722 pr_info("[%s:%d] f_generic unbind\n", __func__, __LINE__);
3723
3724 if (ffs->func == func) {
3725 ffs_func_eps_disable(func);
3726 ffs->func = NULL;
3727 }
3728
3729 if (!--opts->refcnt)
3730 functionfs_unbind(ffs);
3731
3732 /* cleanup after autoconfig */
3733 spin_lock_irqsave(&func->ffs->eps_lock, flags);
3734 while (count--) {
3735 if (ep->ep && ep->req)
3736 usb_ep_free_request(ep->ep, ep->req);
3737 ep->req = NULL;
3738 ++ep;
3739 }
3740 func->ffs->eps = NULL;
3741 spin_unlock_irqrestore(&func->ffs->eps_lock, flags);
3742 kfree(func->eps);
3743 func->eps = NULL;
3744 /*
3745 * eps, descriptors and interfaces_nums are allocated in the
3746 * same chunk so only one free is required.
3747 */
3748 func->function.fs_descriptors = NULL;
3749 func->function.hs_descriptors = NULL;
3750 func->function.ss_descriptors = NULL;
3751 func->interfaces_nums = NULL;
3752
3753 ffs_event_add(ffs, FUNCTIONFS_UNBIND);
3754 }
3755
ffs_func_get_alt(struct usb_function * f,unsigned intf)3756 static int ffs_func_get_alt(struct usb_function *f, unsigned intf)
3757 {
3758 if (intf == 0)
3759 return 0;
3760 return 1;
3761 }
3762
ffs_alloc(struct usb_function_instance * fi)3763 static struct usb_function *ffs_alloc(struct usb_function_instance *fi)
3764 {
3765 struct ffs_function *func = NULL;
3766
3767 ENTER();
3768
3769 func = kzalloc(sizeof(*func), GFP_KERNEL);
3770 if (unlikely(!func))
3771 return ERR_PTR(-ENOMEM);
3772
3773 func->function.name = "FunctionFS Adapter";
3774
3775 func->function.bind = ffs_func_bind;
3776 func->function.unbind = fgeneric_func_unbind;
3777 func->function.set_alt = ffs_func_set_alt;
3778 func->function.get_alt = ffs_func_get_alt;
3779 func->function.disable = ffs_func_disable;
3780 func->function.setup = ffs_func_setup;
3781 func->function.req_match = ffs_func_req_match;
3782 func->function.suspend = ffs_func_suspend;
3783 func->function.resume = ffs_func_resume;
3784 func->function.free_func = ffs_free;
3785
3786 return &func->function;
3787 }
3788
3789 /*
3790 * ffs_lock must be taken by the caller of this function
3791 */
_ffs_alloc_dev(void)3792 static struct ffs_dev *_ffs_alloc_dev(void)
3793 {
3794 struct ffs_dev *dev = NULL;
3795 int ret;
3796
3797 if (_ffs_get_single_dev())
3798 return ERR_PTR(-EBUSY);
3799
3800 dev = kzalloc(sizeof(*dev), GFP_KERNEL);
3801 if (!dev)
3802 return ERR_PTR(-ENOMEM);
3803
3804 if (list_empty(&ffs_devices)) {
3805 ret = functionfs_init();
3806 if (ret) {
3807 kfree(dev);
3808 return ERR_PTR(ret);
3809 }
3810 }
3811
3812 list_add(&dev->entry, &ffs_devices);
3813
3814 return dev;
3815 }
3816
ffs_name_dev_adapter(struct ffs_dev * dev,const char * name)3817 int ffs_name_dev_adapter(struct ffs_dev *dev, const char *name)
3818 {
3819 struct ffs_dev *existing = NULL;
3820 int ret = 0;
3821
3822 ffs_dev_lock();
3823
3824 existing = _ffs_do_find_dev(name);
3825 if (!existing)
3826 strlcpy(dev->name, name, ARRAY_SIZE(dev->name));
3827 else if (existing != dev)
3828 ret = -EBUSY;
3829
3830 ffs_dev_unlock();
3831
3832 return ret;
3833 }
3834 EXPORT_SYMBOL_GPL(ffs_name_dev_adapter);
3835
ffs_single_dev_adapter(struct ffs_dev * dev)3836 int ffs_single_dev_adapter(struct ffs_dev *dev)
3837 {
3838 int ret;
3839
3840 ret = 0;
3841 ffs_dev_lock();
3842
3843 if (!list_is_singular(&ffs_devices))
3844 ret = -EBUSY;
3845 else
3846 dev->single = true;
3847
3848 ffs_dev_unlock();
3849 return ret;
3850 }
3851 EXPORT_SYMBOL_GPL(ffs_single_dev_adapter);
3852 /*
3853 * ffs_lock must be taken by the caller of this function
3854 */
_ffs_free_dev(struct ffs_dev * dev)3855 static void _ffs_free_dev(struct ffs_dev *dev)
3856 {
3857 list_del(&dev->entry);
3858
3859 /* Clear the private_data pointer to stop incorrect dev access */
3860 if (dev->ffs_data)
3861 dev->ffs_data->private_data = NULL;
3862
3863 kfree(dev);
3864 if (list_empty(&ffs_devices))
3865 functionfs_cleanup();
3866 }
3867
ffs_acquire_dev(const char * dev_name)3868 static void *ffs_acquire_dev(const char *dev_name)
3869 {
3870 struct ffs_dev *ffs_dev = NULL;
3871
3872 ENTER();
3873 ffs_dev_lock();
3874
3875 ffs_dev = _ffs_find_dev(dev_name);
3876 if (!ffs_dev)
3877 ffs_dev = ERR_PTR(-ENOENT);
3878 else if (ffs_dev->mounted)
3879 ffs_dev = ERR_PTR(-EBUSY);
3880 else if (ffs_dev->ffs_acquire_dev_callback &&
3881 ffs_dev->ffs_acquire_dev_callback(ffs_dev))
3882 ffs_dev = ERR_PTR(-ENOENT);
3883 else
3884 ffs_dev->mounted = true;
3885
3886 ffs_dev_unlock();
3887 return ffs_dev;
3888 }
3889
ffs_release_dev(struct ffs_data * ffs_data)3890 static void ffs_release_dev(struct ffs_data *ffs_data)
3891 {
3892 struct ffs_dev *ffs_dev = NULL;
3893
3894 ENTER();
3895 ffs_dev_lock();
3896
3897 ffs_dev = ffs_data->private_data;
3898 if (ffs_dev) {
3899 ffs_dev->mounted = false;
3900
3901 if (ffs_dev->ffs_release_dev_callback)
3902 ffs_dev->ffs_release_dev_callback(ffs_dev);
3903 }
3904
3905 ffs_dev_unlock();
3906 }
3907
ffs_ready(struct ffs_data * ffs)3908 static int ffs_ready(struct ffs_data *ffs)
3909 {
3910 struct ffs_dev *ffs_obj = NULL;
3911 int ret = 0;
3912
3913 ENTER();
3914 ffs_dev_lock();
3915
3916 ffs_obj = ffs->private_data;
3917 if (!ffs_obj) {
3918 ret = -EINVAL;
3919 goto done;
3920 }
3921 if (WARN_ON(ffs_obj->desc_ready)) {
3922 ret = -EBUSY;
3923 goto done;
3924 }
3925
3926 ffs_obj->desc_ready = true;
3927 ffs_obj->ffs_data = ffs;
3928
3929 if (ffs_obj->ffs_ready_callback) {
3930 ret = ffs_obj->ffs_ready_callback(ffs);
3931 if (ret)
3932 goto done;
3933 }
3934
3935 set_bit(FFS_FL_CALL_CLOSED_CALLBACK, &ffs->flags);
3936 done:
3937 ffs_dev_unlock();
3938 return ret;
3939 }
3940
ffs_closed(struct ffs_data * ffs)3941 static void ffs_closed(struct ffs_data *ffs)
3942 {
3943 struct ffs_dev *ffs_obj = NULL;
3944 struct f_fs_opts *opts = NULL;
3945 struct config_item *ci = NULL;
3946
3947 ENTER();
3948 ffs_dev_lock();
3949
3950 ffs_obj = ffs->private_data;
3951 if (!ffs_obj)
3952 goto done;
3953
3954 ffs_obj->desc_ready = false;
3955 ffs_obj->ffs_data = NULL;
3956
3957 if (test_and_clear_bit(FFS_FL_CALL_CLOSED_CALLBACK, &ffs->flags) &&
3958 ffs_obj->ffs_closed_callback)
3959 ffs_obj->ffs_closed_callback(ffs);
3960
3961 if (ffs_obj->opts)
3962 opts = ffs_obj->opts;
3963 else
3964 goto done;
3965
3966 if (opts->no_configfs || !opts->func_inst.group.cg_item.ci_parent
3967 || !kref_read(&opts->func_inst.group.cg_item.ci_kref))
3968 goto done;
3969
3970 ci = opts->func_inst.group.cg_item.ci_parent->ci_parent;
3971 ffs_dev_unlock();
3972
3973 if (test_bit(FFS_FL_BOUND, &ffs->flags))
3974 unregister_gadget_item(ci);
3975 return;
3976 done:
3977 ffs_dev_unlock();
3978 }
3979
3980 /* Misc helper functions ****************************************************/
ffs_mutex_lock(struct mutex * mutex,unsigned nonblock)3981 static int ffs_mutex_lock(struct mutex *mutex, unsigned nonblock)
3982 {
3983 return nonblock
3984 ? likely(mutex_trylock(mutex)) ? 0 : -EAGAIN
3985 : mutex_lock_interruptible(mutex);
3986 }
3987
ffs_prepare_buffer(const char __user * buf,size_t len)3988 static char *ffs_prepare_buffer(const char __user *buf, size_t len)
3989 {
3990 char *data = NULL;
3991
3992 if (unlikely(!len))
3993 return NULL;
3994
3995 data = kmalloc(len, GFP_KERNEL);
3996 if (unlikely(!data))
3997 return ERR_PTR(-ENOMEM);
3998
3999 if (unlikely(copy_from_user(data, buf, len))) {
4000 kfree(data);
4001 return ERR_PTR(-EFAULT);
4002 }
4003
4004 pr_vdebug("Buffer from user space:\n");
4005 ffs_dump_mem("", data, len);
4006
4007 return data;
4008 }
4009
4010 DECLARE_USB_FUNCTION_INIT(f_generic, ffs_alloc_inst, ffs_alloc);
4011 MODULE_LICENSE("GPL");
4012