LXR linux/drivers/usb/gadget/legacy/inode.c

   1/*
   2 * inode.c -- user mode filesystem api for usb gadget controllers
   3 *
   4 * Copyright (C) 2003-2004 David Brownell
   5 * Copyright (C) 2003 Agilent Technologies
   6 *
   7 * This program is free software; you can redistribute it and/or modify
   8 * it under the terms of the GNU General Public License as published by
   9 * the Free Software Foundation; either version 2 of the License, or
  10 * (at your option) any later version.
  11 */
  12
  13
  14/* #define VERBOSE_DEBUG */
  15
  16#include <linux/init.h>
  17#include <linux/module.h>
  18#include <linux/fs.h>
  19#include <linux/pagemap.h>
  20#include <linux/uts.h>
  21#include <linux/wait.h>
  22#include <linux/compiler.h>
  23#include <asm/uaccess.h>
  24#include <linux/sched.h>
  25#include <linux/slab.h>
  26#include <linux/poll.h>
  27#include <linux/mmu_context.h>
  28#include <linux/aio.h>
  29#include <linux/uio.h>
  30
  31#include <linux/device.h>
  32#include <linux/moduleparam.h>
  33
  34#include <linux/usb/gadgetfs.h>
  35#include <linux/usb/gadget.h>
  36
  37
  38/*
  39 * The gadgetfs API maps each endpoint to a file descriptor so that you
  40 * can use standard synchronous read/write calls for I/O.  There's some
  41 * O_NONBLOCK and O_ASYNC/FASYNC style i/o support.  Example usermode
  42 * drivers show how this works in practice.  You can also use AIO to
  43 * eliminate I/O gaps between requests, to help when streaming data.
  44 *
  45 * Key parts that must be USB-specific are protocols defining how the
  46 * read/write operations relate to the hardware state machines.  There
  47 * are two types of files.  One type is for the device, implementing ep0.
  48 * The other type is for each IN or OUT endpoint.  In both cases, the
  49 * user mode driver must configure the hardware before using it.
  50 *
  51 * - First, dev_config() is called when /dev/gadget/$CHIP is configured
  52 *   (by writing configuration and device descriptors).  Afterwards it
  53 *   may serve as a source of device events, used to handle all control
  54 *   requests other than basic enumeration.
  55 *
  56 * - Then, after a SET_CONFIGURATION control request, ep_config() is
  57 *   called when each /dev/gadget/ep* file is configured (by writing
  58 *   endpoint descriptors).  Afterwards these files are used to write()
  59 *   IN data or to read() OUT data.  To halt the endpoint, a "wrong
  60 *   direction" request is issued (like reading an IN endpoint).
  61 *
  62 * Unlike "usbfs" the only ioctl()s are for things that are rare, and maybe
  63 * not possible on all hardware.  For example, precise fault handling with
  64 * respect to data left in endpoint fifos after aborted operations; or
  65 * selective clearing of endpoint halts, to implement SET_INTERFACE.
  66 */
  67
  68#define DRIVER_DESC     "USB Gadget filesystem"
  69#define DRIVER_VERSION  "24 Aug 2004"
  70
  71static const char driver_desc [] = DRIVER_DESC;
  72static const char shortname [] = "gadgetfs";
  73
  74MODULE_DESCRIPTION (DRIVER_DESC);
  75MODULE_AUTHOR ("David Brownell");
  76MODULE_LICENSE ("GPL");
  77
  78static int ep_open(struct inode *, struct file *);
  79
  80
  81/*----------------------------------------------------------------------*/
  82
  83#define GADGETFS_MAGIC          0xaee71ee7
  84
  85/* /dev/gadget/$CHIP represents ep0 and the whole device */
  86enum ep0_state {
  87        /* DISBLED is the initial state.
  88         */
  89        STATE_DEV_DISABLED = 0,
  90
  91        /* Only one open() of /dev/gadget/$CHIP; only one file tracks
  92         * ep0/device i/o modes and binding to the controller.  Driver
  93         * must always write descriptors to initialize the device, then
  94         * the device becomes UNCONNECTED until enumeration.
  95         */
  96        STATE_DEV_OPENED,
  97
  98        /* From then on, ep0 fd is in either of two basic modes:
  99         * - (UN)CONNECTED: read usb_gadgetfs_event(s) from it
 100         * - SETUP: read/write will transfer control data and succeed;
 101         *   or if "wrong direction", performs protocol stall
 102         */
 103        STATE_DEV_UNCONNECTED,
 104        STATE_DEV_CONNECTED,
 105        STATE_DEV_SETUP,
 106
 107        /* UNBOUND means the driver closed ep0, so the device won't be
 108         * accessible again (DEV_DISABLED) until all fds are closed.
 109         */
 110        STATE_DEV_UNBOUND,
 111};
 112
 113/* enough for the whole queue: most events invalidate others */
 114#define N_EVENT                 5
 115
 116struct dev_data {
 117        spinlock_t                      lock;
 118        atomic_t                        count;
 119        enum ep0_state                  state;          /* P: lock */
 120        struct usb_gadgetfs_event       event [N_EVENT];
 121        unsigned                        ev_next;
 122        struct fasync_struct            *fasync;
 123        u8                              current_config;
 124
 125        /* drivers reading ep0 MUST handle control requests (SETUP)
 126         * reported that way; else the host will time out.
 127         */
 128        unsigned                        usermode_setup : 1,
 129                                        setup_in : 1,
 130                                        setup_can_stall : 1,
 131                                        setup_out_ready : 1,
 132                                        setup_out_error : 1,
 133                                        setup_abort : 1;
 134        unsigned                        setup_wLength;
 135
 136        /* the rest is basically write-once */
 137        struct usb_config_descriptor    *config, *hs_config;
 138        struct usb_device_descriptor    *dev;
 139        struct usb_request              *req;
 140        struct usb_gadget               *gadget;
 141        struct list_head                epfiles;
 142        void                            *buf;
 143        wait_queue_head_t               wait;
 144        struct super_block              *sb;
 145        struct dentry                   *dentry;
 146
 147        /* except this scratch i/o buffer for ep0 */
 148        u8                              rbuf [256];
 149};
 150
 151static inline void get_dev (struct dev_data *data)
 152{
 153        atomic_inc (&data->count);
 154}
 155
 156static void put_dev (struct dev_data *data)
 157{
 158        if (likely (!atomic_dec_and_test (&data->count)))
 159                return;
 160        /* needs no more cleanup */
 161        BUG_ON (waitqueue_active (&data->wait));
 162        kfree (data);
 163}
 164
 165static struct dev_data *dev_new (void)
 166{
 167        struct dev_data         *dev;
 168
 169        dev = kzalloc(sizeof(*dev), GFP_KERNEL);
 170        if (!dev)
 171                return NULL;
 172        dev->state = STATE_DEV_DISABLED;
 173        atomic_set (&dev->count, 1);
 174        spin_lock_init (&dev->lock);
 175        INIT_LIST_HEAD (&dev->epfiles);
 176        init_waitqueue_head (&dev->wait);
 177        return dev;
 178}
 179
 180/*----------------------------------------------------------------------*/
 181
 182/* other /dev/gadget/$ENDPOINT files represent endpoints */
 183enum ep_state {
 184        STATE_EP_DISABLED = 0,
 185        STATE_EP_READY,
 186        STATE_EP_ENABLED,
 187        STATE_EP_UNBOUND,
 188};
 189
 190struct ep_data {
 191        struct mutex                    lock;
 192        enum ep_state                   state;
 193        atomic_t                        count;
 194        struct dev_data                 *dev;
 195        /* must hold dev->lock before accessing ep or req */
 196        struct usb_ep                   *ep;
 197        struct usb_request              *req;
 198        ssize_t                         status;
 199        char                            name [16];
 200        struct usb_endpoint_descriptor  desc, hs_desc;
 201        struct list_head                epfiles;
 202        wait_queue_head_t               wait;
 203        struct dentry                   *dentry;
 204};
 205
 206static inline void get_ep (struct ep_data *data)
 207{
 208        atomic_inc (&data->count);
 209}
 210
 211static void put_ep (struct ep_data *data)
 212{
 213        if (likely (!atomic_dec_and_test (&data->count)))
 214                return;
 215        put_dev (data->dev);
 216        /* needs no more cleanup */
 217        BUG_ON (!list_empty (&data->epfiles));
 218        BUG_ON (waitqueue_active (&data->wait));
 219        kfree (data);
 220}
 221
 222/*----------------------------------------------------------------------*/
 223
 224/* most "how to use the hardware" policy choices are in userspace:
 225 * mapping endpoint roles (which the driver needs) to the capabilities
 226 * which the usb controller has.  most of those capabilities are exposed
 227 * implicitly, starting with the driver name and then endpoint names.
 228 */
 229
 230static const char *CHIP;
 231
 232/*----------------------------------------------------------------------*/
 233
 234/* NOTE:  don't use dev_printk calls before binding to the gadget
 235 * at the end of ep0 configuration, or after unbind.
 236 */
 237
 238/* too wordy: dev_printk(level , &(d)->gadget->dev , fmt , ## args) */
 239#define xprintk(d,level,fmt,args...) \
 240        printk(level "%s: " fmt , shortname , ## args)
 241
 242#ifdef DEBUG
 243#define DBG(dev,fmt,args...) \
 244        xprintk(dev , KERN_DEBUG , fmt , ## args)
 245#else
 246#define DBG(dev,fmt,args...) \
 247        do { } while (0)
 248#endif /* DEBUG */
 249
 250#ifdef VERBOSE_DEBUG
 251#define VDEBUG  DBG
 252#else
 253#define VDEBUG(dev,fmt,args...) \
 254        do { } while (0)
 255#endif /* DEBUG */
 256
 257#define ERROR(dev,fmt,args...) \
 258        xprintk(dev , KERN_ERR , fmt , ## args)
 259#define INFO(dev,fmt,args...) \
 260        xprintk(dev , KERN_INFO , fmt , ## args)
 261
 262
 263/*----------------------------------------------------------------------*/
 264
 265/* SYNCHRONOUS ENDPOINT OPERATIONS (bulk/intr/iso)
 266 *
 267 * After opening, configure non-control endpoints.  Then use normal
 268 * stream read() and write() requests; and maybe ioctl() to get more
 269 * precise FIFO status when recovering from cancellation.
 270 */
 271
 272static void epio_complete (struct usb_ep *ep, struct usb_request *req)
 273{
 274        struct ep_data  *epdata = ep->driver_data;
 275
 276        if (!req->context)
 277                return;
 278        if (req->status)
 279                epdata->status = req->status;
 280        else
 281                epdata->status = req->actual;
 282        complete ((struct completion *)req->context);
 283}
 284
 285/* tasklock endpoint, returning when it's connected.
 286 * still need dev->lock to use epdata->ep.
 287 */
 288static int
 289get_ready_ep (unsigned f_flags, struct ep_data *epdata, bool is_write)
 290{
 291        int     val;
 292
 293        if (f_flags & O_NONBLOCK) {
 294                if (!mutex_trylock(&epdata->lock))
 295                        goto nonblock;
 296                if (epdata->state != STATE_EP_ENABLED &&
 297                    (!is_write || epdata->state != STATE_EP_READY)) {
 298                        mutex_unlock(&epdata->lock);
 299nonblock:
 300                        val = -EAGAIN;
 301                } else
 302                        val = 0;
 303                return val;
 304        }
 305
 306        val = mutex_lock_interruptible(&epdata->lock);
 307        if (val < 0)
 308                return val;
 309
 310        switch (epdata->state) {
 311        case STATE_EP_ENABLED:
 312                return 0;
 313        case STATE_EP_READY:                    /* not configured yet */
 314                if (is_write)
 315                        return 0;
 316                // FALLTHRU
 317        case STATE_EP_UNBOUND:                  /* clean disconnect */
 318                break;
 319        // case STATE_EP_DISABLED:              /* "can't happen" */
 320        default:                                /* error! */
 321                pr_debug ("%s: ep %p not available, state %d\n",
 322                                shortname, epdata, epdata->state);
 323        }
 324        mutex_unlock(&epdata->lock);
 325        return -ENODEV;
 326}
 327
 328static ssize_t
 329ep_io (struct ep_data *epdata, void *buf, unsigned len)
 330{
 331        DECLARE_COMPLETION_ONSTACK (done);
 332        int value;
 333
 334        spin_lock_irq (&epdata->dev->lock);
 335        if (likely (epdata->ep != NULL)) {
 336                struct usb_request      *req = epdata->req;
 337
 338                req->context = &done;
 339                req->complete = epio_complete;
 340                req->buf = buf;
 341                req->length = len;
 342                value = usb_ep_queue (epdata->ep, req, GFP_ATOMIC);
 343        } else
 344                value = -ENODEV;
 345        spin_unlock_irq (&epdata->dev->lock);
 346
 347        if (likely (value == 0)) {
 348                value = wait_event_interruptible (done.wait, done.done);
 349                if (value != 0) {
 350                        spin_lock_irq (&epdata->dev->lock);
 351                        if (likely (epdata->ep != NULL)) {
 352                                DBG (epdata->dev, "%s i/o interrupted\n",
 353                                                epdata->name);
 354                                usb_ep_dequeue (epdata->ep, epdata->req);
 355                                spin_unlock_irq (&epdata->dev->lock);
 356
 357                                wait_event (done.wait, done.done);
 358                                if (epdata->status == -ECONNRESET)
 359                                        epdata->status = -EINTR;
 360                        } else {
 361                                spin_unlock_irq (&epdata->dev->lock);
 362
 363                                DBG (epdata->dev, "endpoint gone\n");
 364                                epdata->status = -ENODEV;
 365                        }
 366                }
 367                return epdata->status;
 368        }
 369        return value;
 370}
 371
 372static int
 373ep_release (struct inode *inode, struct file *fd)
 374{
 375        struct ep_data          *data = fd->private_data;
 376        int value;
 377
 378        value = mutex_lock_interruptible(&data->lock);
 379        if (value < 0)
 380                return value;
 381
 382        /* clean up if this can be reopened */
 383        if (data->state != STATE_EP_UNBOUND) {
 384                data->state = STATE_EP_DISABLED;
 385                data->desc.bDescriptorType = 0;
 386                data->hs_desc.bDescriptorType = 0;
 387                usb_ep_disable(data->ep);
 388        }
 389        mutex_unlock(&data->lock);
 390        put_ep (data);
 391        return 0;
 392}
 393
 394static long ep_ioctl(struct file *fd, unsigned code, unsigned long value)
 395{
 396        struct ep_data          *data = fd->private_data;
 397        int                     status;
 398
 399        if ((status = get_ready_ep (fd->f_flags, data, false)) < 0)
 400                return status;
 401
 402        spin_lock_irq (&data->dev->lock);
 403        if (likely (data->ep != NULL)) {
 404                switch (code) {
 405                case GADGETFS_FIFO_STATUS:
 406                        status = usb_ep_fifo_status (data->ep);
 407                        break;
 408                case GADGETFS_FIFO_FLUSH:
 409                        usb_ep_fifo_flush (data->ep);
 410                        break;
 411                case GADGETFS_CLEAR_HALT:
 412                        status = usb_ep_clear_halt (data->ep);
 413                        break;
 414                default:
 415                        status = -ENOTTY;
 416                }
 417        } else
 418                status = -ENODEV;
 419        spin_unlock_irq (&data->dev->lock);
 420        mutex_unlock(&data->lock);
 421        return status;
 422}
 423
 424/*----------------------------------------------------------------------*/
 425
 426/* ASYNCHRONOUS ENDPOINT I/O OPERATIONS (bulk/intr/iso) */
 427
 428struct kiocb_priv {
 429        struct usb_request      *req;
 430        struct ep_data          *epdata;
 431        struct kiocb            *iocb;
 432        struct mm_struct        *mm;
 433        struct work_struct      work;
 434        void                    *buf;
 435        struct iov_iter         to;
 436        const void              *to_free;
 437        unsigned                actual;
 438};
 439
 440static int ep_aio_cancel(struct kiocb *iocb)
 441{
 442        struct kiocb_priv       *priv = iocb->private;
 443        struct ep_data          *epdata;
 444        int                     value;
 445
 446        local_irq_disable();
 447        epdata = priv->epdata;
 448        // spin_lock(&epdata->dev->lock);
 449        if (likely(epdata && epdata->ep && priv->req))
 450                value = usb_ep_dequeue (epdata->ep, priv->req);
 451        else
 452                value = -EINVAL;
 453        // spin_unlock(&epdata->dev->lock);
 454        local_irq_enable();
 455
 456        return value;
 457}
 458
 459static void ep_user_copy_worker(struct work_struct *work)
 460{
 461        struct kiocb_priv *priv = container_of(work, struct kiocb_priv, work);
 462        struct mm_struct *mm = priv->mm;
 463        struct kiocb *iocb = priv->iocb;
 464        size_t ret;
 465
 466        use_mm(mm);
 467        ret = copy_to_iter(priv->buf, priv->actual, &priv->to);
 468        unuse_mm(mm);
 469        if (!ret)
 470                ret = -EFAULT;
 471
 472        /* completing the iocb can drop the ctx and mm, don't touch mm after */
 473        iocb->ki_complete(iocb, ret, ret);
 474
 475        kfree(priv->buf);
 476        kfree(priv->to_free);
 477        kfree(priv);
 478}
 479
 480static void ep_aio_complete(struct usb_ep *ep, struct usb_request *req)
 481{
 482        struct kiocb            *iocb = req->context;
 483        struct kiocb_priv       *priv = iocb->private;
 484        struct ep_data          *epdata = priv->epdata;
 485
 486        /* lock against disconnect (and ideally, cancel) */
 487        spin_lock(&epdata->dev->lock);
 488        priv->req = NULL;
 489        priv->epdata = NULL;
 490
 491        /* if this was a write or a read returning no data then we
 492         * don't need to copy anything to userspace, so we can
 493         * complete the aio request immediately.
 494         */
 495        if (priv->to_free == NULL || unlikely(req->actual == 0)) {
 496                kfree(req->buf);
 497                kfree(priv->to_free);
 498                kfree(priv);
 499                iocb->private = NULL;
 500                /* aio_complete() reports bytes-transferred _and_ faults */
 501
 502                iocb->ki_complete(iocb, req->actual ? req->actual : req->status,
 503                                req->status);
 504        } else {
 505                /* ep_copy_to_user() won't report both; we hide some faults */
 506                if (unlikely(0 != req->status))
 507                        DBG(epdata->dev, "%s fault %d len %d\n",
 508                                ep->name, req->status, req->actual);
 509
 510                priv->buf = req->buf;
 511                priv->actual = req->actual;
 512                INIT_WORK(&priv->work, ep_user_copy_worker);
 513                schedule_work(&priv->work);
 514        }
 515        spin_unlock(&epdata->dev->lock);
 516
 517        usb_ep_free_request(ep, req);
 518        put_ep(epdata);
 519}
 520
 521static ssize_t ep_aio(struct kiocb *iocb,
 522                      struct kiocb_priv *priv,
 523                      struct ep_data *epdata,
 524                      char *buf,
 525                      size_t len)
 526{
 527        struct usb_request *req;
 528        ssize_t value;
 529
 530        iocb->private = priv;
 531        priv->iocb = iocb;
 532
 533        kiocb_set_cancel_fn(iocb, ep_aio_cancel);
 534        get_ep(epdata);
 535        priv->epdata = epdata;
 536        priv->actual = 0;
 537        priv->mm = current->mm; /* mm teardown waits for iocbs in exit_aio() */
 538
 539        /* each kiocb is coupled to one usb_request, but we can't
 540         * allocate or submit those if the host disconnected.
 541         */
 542        spin_lock_irq(&epdata->dev->lock);
 543        value = -ENODEV;
 544        if (unlikely(epdata->ep))
 545                goto fail;
 546
 547        req = usb_ep_alloc_request(epdata->ep, GFP_ATOMIC);
 548        value = -ENOMEM;
 549        if (unlikely(!req))
 550                goto fail;
 551
 552        priv->req = req;
 553        req->buf = buf;
 554        req->length = len;
 555        req->complete = ep_aio_complete;
 556        req->context = iocb;
 557        value = usb_ep_queue(epdata->ep, req, GFP_ATOMIC);
 558        if (unlikely(0 != value)) {
 559                usb_ep_free_request(epdata->ep, req);
 560                goto fail;
 561        }
 562        spin_unlock_irq(&epdata->dev->lock);
 563        return -EIOCBQUEUED;
 564
 565fail:
 566        spin_unlock_irq(&epdata->dev->lock);
 567        kfree(priv->to_free);
 568        kfree(priv);
 569        put_ep(epdata);
 570        return value;
 571}
 572
 573static ssize_t
 574ep_read_iter(struct kiocb *iocb, struct iov_iter *to)
 575{
 576        struct file *file = iocb->ki_filp;
 577        struct ep_data *epdata = file->private_data;
 578        size_t len = iov_iter_count(to);
 579        ssize_t value;
 580        char *buf;
 581
 582        if ((value = get_ready_ep(file->f_flags, epdata, false)) < 0)
 583                return value;
 584
 585        /* halt any endpoint by doing a "wrong direction" i/o call */
 586        if (usb_endpoint_dir_in(&epdata->desc)) {
 587                if (usb_endpoint_xfer_isoc(&epdata->desc) ||
 588                    !is_sync_kiocb(iocb)) {
 589                        mutex_unlock(&epdata->lock);
 590                        return -EINVAL;
 591                }
 592                DBG (epdata->dev, "%s halt\n", epdata->name);
 593                spin_lock_irq(&epdata->dev->lock);
 594                if (likely(epdata->ep != NULL))
 595                        usb_ep_set_halt(epdata->ep);
 596                spin_unlock_irq(&epdata->dev->lock);
 597                mutex_unlock(&epdata->lock);
 598                return -EBADMSG;
 599        }
 600
 601        buf = kmalloc(len, GFP_KERNEL);
 602        if (unlikely(!buf)) {
 603                mutex_unlock(&epdata->lock);
 604                return -ENOMEM;
 605        }
 606        if (is_sync_kiocb(iocb)) {
 607                value = ep_io(epdata, buf, len);
 608                if (value >= 0 && copy_to_iter(buf, value, to))
 609                        value = -EFAULT;
 610        } else {
 611                struct kiocb_priv *priv = kzalloc(sizeof *priv, GFP_KERNEL);
 612                value = -ENOMEM;
 613                if (!priv)
 614                        goto fail;
 615                priv->to_free = dup_iter(&priv->to, to, GFP_KERNEL);
 616                if (!priv->to_free) {
 617                        kfree(priv);
 618                        goto fail;
 619                }
 620                value = ep_aio(iocb, priv, epdata, buf, len);
 621                if (value == -EIOCBQUEUED)
 622                        buf = NULL;
 623        }
 624fail:
 625        kfree(buf);
 626        mutex_unlock(&epdata->lock);
 627        return value;
 628}
 629
 630static ssize_t ep_config(struct ep_data *, const char *, size_t);
 631
 632static ssize_t
 633ep_write_iter(struct kiocb *iocb, struct iov_iter *from)
 634{
 635        struct file *file = iocb->ki_filp;
 636        struct ep_data *epdata = file->private_data;
 637        size_t len = iov_iter_count(from);
 638        bool configured;
 639        ssize_t value;
 640        char *buf;
 641
 642        if ((value = get_ready_ep(file->f_flags, epdata, true)) < 0)
 643                return value;
 644
 645        configured = epdata->state == STATE_EP_ENABLED;
 646
 647        /* halt any endpoint by doing a "wrong direction" i/o call */
 648        if (configured && !usb_endpoint_dir_in(&epdata->desc)) {
 649                if (usb_endpoint_xfer_isoc(&epdata->desc) ||
 650                    !is_sync_kiocb(iocb)) {
 651                        mutex_unlock(&epdata->lock);
 652                        return -EINVAL;
 653                }
 654                DBG (epdata->dev, "%s halt\n", epdata->name);
 655                spin_lock_irq(&epdata->dev->lock);
 656                if (likely(epdata->ep != NULL))
 657                        usb_ep_set_halt(epdata->ep);
 658                spin_unlock_irq(&epdata->dev->lock);
 659                mutex_unlock(&epdata->lock);
 660                return -EBADMSG;
 661        }
 662
 663        buf = kmalloc(len, GFP_KERNEL);
 664        if (unlikely(!buf)) {
 665                mutex_unlock(&epdata->lock);
 666                return -ENOMEM;
 667        }
 668
 669        if (unlikely(copy_from_iter(buf, len, from) != len)) {
 670                value = -EFAULT;
 671                goto out;
 672        }
 673
 674        if (unlikely(!configured)) {
 675                value = ep_config(epdata, buf, len);
 676        } else if (is_sync_kiocb(iocb)) {
 677                value = ep_io(epdata, buf, len);
 678        } else {
 679                struct kiocb_priv *priv = kzalloc(sizeof *priv, GFP_KERNEL);
 680                value = -ENOMEM;
 681                if (priv) {
 682                        value = ep_aio(iocb, priv, epdata, buf, len);
 683                        if (value == -EIOCBQUEUED)
 684                                buf = NULL;
 685                }
 686        }
 687out:
 688        kfree(buf);
 689        mutex_unlock(&epdata->lock);
 690        return value;
 691}
 692
 693/*----------------------------------------------------------------------*/
 694
 695/* used after endpoint configuration */
 696static const struct file_operations ep_io_operations = {
 697        .owner =        THIS_MODULE,
 698
 699        .open =         ep_open,
 700        .release =      ep_release,
 701        .llseek =       no_llseek,
 702        .unlocked_ioctl = ep_ioctl,
 703        .read_iter =    ep_read_iter,
 704        .write_iter =   ep_write_iter,
 705};
 706
 707/* ENDPOINT INITIALIZATION
 708 *
 709 *     fd = open ("/dev/gadget/$ENDPOINT", O_RDWR)
 710 *     status = write (fd, descriptors, sizeof descriptors)
 711 *
 712 * That write establishes the endpoint configuration, configuring
 713 * the controller to process bulk, interrupt, or isochronous transfers
 714 * at the right maxpacket size, and so on.
 715 *
 716 * The descriptors are message type 1, identified by a host order u32
 717 * at the beginning of what's written.  Descriptor order is: full/low
 718 * speed descriptor, then optional high speed descriptor.
 719 */
 720static ssize_t
 721ep_config (struct ep_data *data, const char *buf, size_t len)
 722{
 723        struct usb_ep           *ep;
 724        u32                     tag;
 725        int                     value, length = len;
 726
 727        if (data->state != STATE_EP_READY) {
 728                value = -EL2HLT;
 729                goto fail;
 730        }
 731
 732        value = len;
 733        if (len < USB_DT_ENDPOINT_SIZE + 4)
 734                goto fail0;
 735
 736        /* we might need to change message format someday */
 737        memcpy(&tag, buf, 4);
 738        if (tag != 1) {
 739                DBG(data->dev, "config %s, bad tag %d\n", data->name, tag);
 740                goto fail0;
 741        }
 742        buf += 4;
 743        len -= 4;
 744
 745        /* NOTE:  audio endpoint extensions not accepted here;
 746         * just don't include the extra bytes.
 747         */
 748
 749        /* full/low speed descriptor, then high speed */
 750        memcpy(&data->desc, buf, USB_DT_ENDPOINT_SIZE);
 751        if (data->desc.bLength != USB_DT_ENDPOINT_SIZE
 752                        || data->desc.bDescriptorType != USB_DT_ENDPOINT)
 753                goto fail0;
 754        if (len != USB_DT_ENDPOINT_SIZE) {
 755                if (len != 2 * USB_DT_ENDPOINT_SIZE)
 756                        goto fail0;
 757                memcpy(&data->hs_desc, buf + USB_DT_ENDPOINT_SIZE,
 758                        USB_DT_ENDPOINT_SIZE);
 759                if (data->hs_desc.bLength != USB_DT_ENDPOINT_SIZE
 760                                || data->hs_desc.bDescriptorType
 761                                        != USB_DT_ENDPOINT) {
 762                        DBG(data->dev, "config %s, bad hs length or type\n",
 763                                        data->name);
 764                        goto fail0;
 765                }
 766        }
 767
 768        spin_lock_irq (&data->dev->lock);
 769        if (data->dev->state == STATE_DEV_UNBOUND) {
 770                value = -ENOENT;
 771                goto gone;
 772        } else if ((ep = data->ep) == NULL) {
 773                value = -ENODEV;
 774                goto gone;
 775        }
 776        switch (data->dev->gadget->speed) {
 777        case USB_SPEED_LOW:
 778        case USB_SPEED_FULL:
 779                ep->desc = &data->desc;
 780                break;
 781        case USB_SPEED_HIGH:
 782                /* fails if caller didn't provide that descriptor... */
 783                ep->desc = &data->hs_desc;
 784                break;
 785        default:
 786                DBG(data->dev, "unconnected, %s init abandoned\n",
 787                                data->name);
 788                value = -EINVAL;
 789                goto gone;
 790        }
 791        value = usb_ep_enable(ep);
 792        if (value == 0) {
 793                data->state = STATE_EP_ENABLED;
 794                value = length;
 795        }
 796gone:
 797        spin_unlock_irq (&data->dev->lock);
 798        if (value < 0) {
 799fail:
 800                data->desc.bDescriptorType = 0;
 801                data->hs_desc.bDescriptorType = 0;
 802        }
 803        return value;
 804fail0:
 805        value = -EINVAL;
 806        goto fail;
 807}
 808
 809static int
 810ep_open (struct inode *inode, struct file *fd)
 811{
 812        struct ep_data          *data = inode->i_private;
 813        int                     value = -EBUSY;
 814
 815        if (mutex_lock_interruptible(&data->lock) != 0)
 816                return -EINTR;
 817        spin_lock_irq (&data->dev->lock);
 818        if (data->dev->state == STATE_DEV_UNBOUND)
 819                value = -ENOENT;
 820        else if (data->state == STATE_EP_DISABLED) {
 821                value = 0;
 822                data->state = STATE_EP_READY;
 823                get_ep (data);
 824                fd->private_data = data;
 825                VDEBUG (data->dev, "%s ready\n", data->name);
 826        } else
 827                DBG (data->dev, "%s state %d\n",
 828                        data->name, data->state);
 829        spin_unlock_irq (&data->dev->lock);
 830        mutex_unlock(&data->lock);
 831        return value;
 832}
 833
 834/*----------------------------------------------------------------------*/
 835
 836/* EP0 IMPLEMENTATION can be partly in userspace.
 837 *
 838 * Drivers that use this facility receive various events, including
 839 * control requests the kernel doesn't handle.  Drivers that don't
 840 * use this facility may be too simple-minded for real applications.
 841 */
 842
 843static inline void ep0_readable (struct dev_data *dev)
 844{
 845        wake_up (&dev->wait);
 846        kill_fasync (&dev->fasync, SIGIO, POLL_IN);
 847}
 848
 849static void clean_req (struct usb_ep *ep, struct usb_request *req)
 850{
 851        struct dev_data         *dev = ep->driver_data;
 852
 853        if (req->buf != dev->rbuf) {
 854                kfree(req->buf);
 855                req->buf = dev->rbuf;
 856        }
 857        req->complete = epio_complete;
 858        dev->setup_out_ready = 0;
 859}
 860
 861static void ep0_complete (struct usb_ep *ep, struct usb_request *req)
 862{
 863        struct dev_data         *dev = ep->driver_data;
 864        unsigned long           flags;
 865        int                     free = 1;
 866
 867        /* for control OUT, data must still get to userspace */
 868        spin_lock_irqsave(&dev->lock, flags);
 869        if (!dev->setup_in) {
 870                dev->setup_out_error = (req->status != 0);
 871                if (!dev->setup_out_error)
 872                        free = 0;
 873                dev->setup_out_ready = 1;
 874                ep0_readable (dev);
 875        }
 876
 877        /* clean up as appropriate */
 878        if (free && req->buf != &dev->rbuf)
 879                clean_req (ep, req);
 880        req->complete = epio_complete;
 881        spin_unlock_irqrestore(&dev->lock, flags);
 882}
 883
 884static int setup_req (struct usb_ep *ep, struct usb_request *req, u16 len)
 885{
 886        struct dev_data *dev = ep->driver_data;
 887
 888        if (dev->setup_out_ready) {
 889                DBG (dev, "ep0 request busy!\n");
 890                return -EBUSY;
 891        }
 892        if (len > sizeof (dev->rbuf))
 893                req->buf = kmalloc(len, GFP_ATOMIC);
 894        if (req->buf == NULL) {
 895                req->buf = dev->rbuf;
 896                return -ENOMEM;
 897        }
 898        req->complete = ep0_complete;
 899        req->length = len;
 900        req->zero = 0;
 901        return 0;
 902}
 903
 904static ssize_t
 905ep0_read (struct file *fd, char __user *buf, size_t len, loff_t *ptr)
 906{
 907        struct dev_data                 *dev = fd->private_data;
 908        ssize_t                         retval;
 909        enum ep0_state                  state;
 910
 911        spin_lock_irq (&dev->lock);
 912        if (dev->state <= STATE_DEV_OPENED) {
 913                retval = -EINVAL;
 914                goto done;
 915        }
 916
 917        /* report fd mode change before acting on it */
 918        if (dev->setup_abort) {
 919                dev->setup_abort = 0;
 920                retval = -EIDRM;
 921                goto done;
 922        }
 923
 924        /* control DATA stage */
 925        if ((state = dev->state) == STATE_DEV_SETUP) {
 926
 927                if (dev->setup_in) {            /* stall IN */
 928                        VDEBUG(dev, "ep0in stall\n");
 929                        (void) usb_ep_set_halt (dev->gadget->ep0);
 930                        retval = -EL2HLT;
 931                        dev->state = STATE_DEV_CONNECTED;
 932
 933                } else if (len == 0) {          /* ack SET_CONFIGURATION etc */
 934                        struct usb_ep           *ep = dev->gadget->ep0;
 935                        struct usb_request      *req = dev->req;
 936
 937                        if ((retval = setup_req (ep, req, 0)) == 0)
 938                                retval = usb_ep_queue (ep, req, GFP_ATOMIC);
 939                        dev->state = STATE_DEV_CONNECTED;
 940
 941                        /* assume that was SET_CONFIGURATION */
 942                        if (dev->current_config) {
 943                                unsigned power;
 944
 945                                if (gadget_is_dualspeed(dev->gadget)
 946                                                && (dev->gadget->speed
 947                                                        == USB_SPEED_HIGH))
 948                                        power = dev->hs_config->bMaxPower;
 949                                else
 950                                        power = dev->config->bMaxPower;
 951                                usb_gadget_vbus_draw(dev->gadget, 2 * power);
 952                        }
 953
 954                } else {                        /* collect OUT data */
 955                        if ((fd->f_flags & O_NONBLOCK) != 0
 956                                        && !dev->setup_out_ready) {
 957                                retval = -EAGAIN;
 958                                goto done;
 959                        }
 960                        spin_unlock_irq (&dev->lock);
 961                        retval = wait_event_interruptible (dev->wait,
 962                                        dev->setup_out_ready != 0);
 963
 964                        /* FIXME state could change from under us */
 965                        spin_lock_irq (&dev->lock);
 966                        if (retval)
 967                                goto done;
 968
 969                        if (dev->state != STATE_DEV_SETUP) {
 970                                retval = -ECANCELED;
 971                                goto done;
 972                        }
 973                        dev->state = STATE_DEV_CONNECTED;
 974
 975                        if (dev->setup_out_error)
 976                                retval = -EIO;
 977                        else {
 978                                len = min (len, (size_t)dev->req->actual);
 979// FIXME don't call this with the spinlock held ...
 980                                if (copy_to_user (buf, dev->req->buf, len))
 981                                        retval = -EFAULT;
 982                                else
 983                                        retval = len;
 984                                clean_req (dev->gadget->ep0, dev->req);
 985                                /* NOTE userspace can't yet choose to stall */
 986                        }
 987                }
 988                goto done;
 989        }
 990
 991        /* else normal: return event data */
 992        if (len < sizeof dev->event [0]) {
 993                retval = -EINVAL;
 994                goto done;
 995        }
 996        len -= len % sizeof (struct usb_gadgetfs_event);
 997        dev->usermode_setup = 1;
 998
 999scan:
1000        /* return queued events right away */

1001        if (dev->ev_next != 0) {
1002                unsigned                i, n;
1003
1004                n = len / sizeof (struct usb_gadgetfs_event);
1005                if (dev->ev_next < n)
1006                        n = dev->ev_next;
1007
1008                /* ep0 i/o has special semantics during STATE_DEV_SETUP */
1009                for (i = 0; i < n; i++) {
1010                        if (dev->event [i].type == GADGETFS_SETUP) {
1011                                dev->state = STATE_DEV_SETUP;
1012                                n = i + 1;
1013                                break;
1014                        }
1015                }
1016                spin_unlock_irq (&dev->lock);
1017                len = n * sizeof (struct usb_gadgetfs_event);
1018                if (copy_to_user (buf, &dev->event, len))
1019                        retval = -EFAULT;
1020                else
1021                        retval = len;
1022                if (len > 0) {
1023                        /* NOTE this doesn't guard against broken drivers;
1024                         * concurrent ep0 readers may lose events.
1025                         */
1026                        spin_lock_irq (&dev->lock);
1027                        if (dev->ev_next > n) {
1028                                memmove(&dev->event[0], &dev->event[n],
1029                                        sizeof (struct usb_gadgetfs_event)
1030                                                * (dev->ev_next - n));
1031                        }
1032                        dev->ev_next -= n;
1033                        spin_unlock_irq (&dev->lock);
1034                }
1035                return retval;
1036        }
1037        if (fd->f_flags & O_NONBLOCK) {
1038                retval = -EAGAIN;
1039                goto done;
1040        }
1041
1042        switch (state) {
1043        default:
1044                DBG (dev, "fail %s, state %d\n", __func__, state);
1045                retval = -ESRCH;
1046                break;
1047        case STATE_DEV_UNCONNECTED:
1048        case STATE_DEV_CONNECTED:
1049                spin_unlock_irq (&dev->lock);
1050                DBG (dev, "%s wait\n", __func__);
1051
1052                /* wait for events */
1053                retval = wait_event_interruptible (dev->wait,
1054                                dev->ev_next != 0);
1055                if (retval < 0)
1056                        return retval;
1057                spin_lock_irq (&dev->lock);
1058                goto scan;
1059        }
1060
1061done:
1062        spin_unlock_irq (&dev->lock);
1063        return retval;
1064}
1065
1066static struct usb_gadgetfs_event *
1067next_event (struct dev_data *dev, enum usb_gadgetfs_event_type type)
1068{
1069        struct usb_gadgetfs_event       *event;
1070        unsigned                        i;
1071
1072        switch (type) {
1073        /* these events purge the queue */
1074        case GADGETFS_DISCONNECT:
1075                if (dev->state == STATE_DEV_SETUP)
1076                        dev->setup_abort = 1;
1077                // FALL THROUGH
1078        case GADGETFS_CONNECT:
1079                dev->ev_next = 0;
1080                break;
1081        case GADGETFS_SETUP:            /* previous request timed out */
1082        case GADGETFS_SUSPEND:          /* same effect */
1083                /* these events can't be repeated */
1084                for (i = 0; i != dev->ev_next; i++) {
1085                        if (dev->event [i].type != type)
1086                                continue;
1087                        DBG(dev, "discard old event[%d] %d\n", i, type);
1088                        dev->ev_next--;
1089                        if (i == dev->ev_next)
1090                                break;
1091                        /* indices start at zero, for simplicity */
1092                        memmove (&dev->event [i], &dev->event [i + 1],
1093                                sizeof (struct usb_gadgetfs_event)
1094                                        * (dev->ev_next - i));
1095                }
1096                break;
1097        default:
1098                BUG ();
1099        }
1100        VDEBUG(dev, "event[%d] = %d\n", dev->ev_next, type);
1101        event = &dev->event [dev->ev_next++];
1102        BUG_ON (dev->ev_next > N_EVENT);
1103        memset (event, 0, sizeof *event);
1104        event->type = type;
1105        return event;
1106}
1107
1108static ssize_t
1109ep0_write (struct file *fd, const char __user *buf, size_t len, loff_t *ptr)
1110{
1111        struct dev_data         *dev = fd->private_data;
1112        ssize_t                 retval = -ESRCH;
1113
1114        /* report fd mode change before acting on it */
1115        if (dev->setup_abort) {
1116                dev->setup_abort = 0;
1117                retval = -EIDRM;
1118
1119        /* data and/or status stage for control request */
1120        } else if (dev->state == STATE_DEV_SETUP) {
1121
1122                /* IN DATA+STATUS caller makes len <= wLength */
1123                if (dev->setup_in) {
1124                        retval = setup_req (dev->gadget->ep0, dev->req, len);
1125                        if (retval == 0) {
1126                                dev->state = STATE_DEV_CONNECTED;
1127                                spin_unlock_irq (&dev->lock);
1128                                if (copy_from_user (dev->req->buf, buf, len))
1129                                        retval = -EFAULT;
1130                                else {
1131                                        if (len < dev->setup_wLength)
1132                                                dev->req->zero = 1;
1133                                        retval = usb_ep_queue (
1134                                                dev->gadget->ep0, dev->req,
1135                                                GFP_KERNEL);
1136                                }
1137                                if (retval < 0) {
1138                                        spin_lock_irq (&dev->lock);
1139                                        clean_req (dev->gadget->ep0, dev->req);
1140                                        spin_unlock_irq (&dev->lock);
1141                                } else
1142                                        retval = len;
1143
1144                                return retval;
1145                        }
1146
1147                /* can stall some OUT transfers */
1148                } else if (dev->setup_can_stall) {
1149                        VDEBUG(dev, "ep0out stall\n");
1150                        (void) usb_ep_set_halt (dev->gadget->ep0);
1151                        retval = -EL2HLT;
1152                        dev->state = STATE_DEV_CONNECTED;
1153                } else {
1154                        DBG(dev, "bogus ep0out stall!\n");
1155                }
1156        } else
1157                DBG (dev, "fail %s, state %d\n", __func__, dev->state);
1158
1159        return retval;
1160}
1161
1162static int
1163ep0_fasync (int f, struct file *fd, int on)
1164{
1165        struct dev_data         *dev = fd->private_data;
1166        // caller must F_SETOWN before signal delivery happens
1167        VDEBUG (dev, "%s %s\n", __func__, on ? "on" : "off");
1168        return fasync_helper (f, fd, on, &dev->fasync);
1169}
1170
1171static struct usb_gadget_driver gadgetfs_driver;
1172
1173static int
1174dev_release (struct inode *inode, struct file *fd)
1175{
1176        struct dev_data         *dev = fd->private_data;
1177
1178        /* closing ep0 === shutdown all */
1179
1180        usb_gadget_unregister_driver (&gadgetfs_driver);
1181
1182        /* at this point "good" hardware has disconnected the
1183         * device from USB; the host won't see it any more.
1184         * alternatively, all host requests will time out.
1185         */
1186
1187        kfree (dev->buf);
1188        dev->buf = NULL;
1189
1190        /* other endpoints were all decoupled from this device */
1191        spin_lock_irq(&dev->lock);
1192        dev->state = STATE_DEV_DISABLED;
1193        spin_unlock_irq(&dev->lock);
1194
1195        put_dev (dev);
1196        return 0;
1197}
1198
1199static unsigned int
1200ep0_poll (struct file *fd, poll_table *wait)
1201{
1202       struct dev_data         *dev = fd->private_data;
1203       int                     mask = 0;
1204
1205        if (dev->state <= STATE_DEV_OPENED)
1206                return DEFAULT_POLLMASK;
1207
1208       poll_wait(fd, &dev->wait, wait);
1209
1210       spin_lock_irq (&dev->lock);
1211
1212       /* report fd mode change before acting on it */
1213       if (dev->setup_abort) {
1214               dev->setup_abort = 0;
1215               mask = POLLHUP;
1216               goto out;
1217       }
1218
1219       if (dev->state == STATE_DEV_SETUP) {
1220               if (dev->setup_in || dev->setup_can_stall)
1221                       mask = POLLOUT;
1222       } else {
1223               if (dev->ev_next != 0)
1224                       mask = POLLIN;
1225       }
1226out:
1227       spin_unlock_irq(&dev->lock);
1228       return mask;
1229}
1230
1231static long dev_ioctl (struct file *fd, unsigned code, unsigned long value)
1232{
1233        struct dev_data         *dev = fd->private_data;
1234        struct usb_gadget       *gadget = dev->gadget;
1235        long ret = -ENOTTY;
1236
1237        if (gadget->ops->ioctl)
1238                ret = gadget->ops->ioctl (gadget, code, value);
1239
1240        return ret;
1241}
1242
1243/*----------------------------------------------------------------------*/
1244
1245/* The in-kernel gadget driver handles most ep0 issues, in particular
1246 * enumerating the single configuration (as provided from user space).
1247 *
1248 * Unrecognized ep0 requests may be handled in user space.
1249 */
1250
1251static void make_qualifier (struct dev_data *dev)
1252{
1253        struct usb_qualifier_descriptor         qual;
1254        struct usb_device_descriptor            *desc;
1255
1256        qual.bLength = sizeof qual;
1257        qual.bDescriptorType = USB_DT_DEVICE_QUALIFIER;
1258        qual.bcdUSB = cpu_to_le16 (0x0200);
1259
1260        desc = dev->dev;
1261        qual.bDeviceClass = desc->bDeviceClass;
1262        qual.bDeviceSubClass = desc->bDeviceSubClass;
1263        qual.bDeviceProtocol = desc->bDeviceProtocol;
1264
1265        /* assumes ep0 uses the same value for both speeds ... */
1266        qual.bMaxPacketSize0 = dev->gadget->ep0->maxpacket;
1267
1268        qual.bNumConfigurations = 1;
1269        qual.bRESERVED = 0;
1270
1271        memcpy (dev->rbuf, &qual, sizeof qual);
1272}
1273
1274static int
1275config_buf (struct dev_data *dev, u8 type, unsigned index)
1276{
1277        int             len;
1278        int             hs = 0;
1279
1280        /* only one configuration */
1281        if (index > 0)
1282                return -EINVAL;
1283
1284        if (gadget_is_dualspeed(dev->gadget)) {
1285                hs = (dev->gadget->speed == USB_SPEED_HIGH);
1286                if (type == USB_DT_OTHER_SPEED_CONFIG)
1287                        hs = !hs;
1288        }
1289        if (hs) {
1290                dev->req->buf = dev->hs_config;
1291                len = le16_to_cpu(dev->hs_config->wTotalLength);
1292        } else {
1293                dev->req->buf = dev->config;
1294                len = le16_to_cpu(dev->config->wTotalLength);
1295        }
1296        ((u8 *)dev->req->buf) [1] = type;
1297        return len;
1298}
1299
1300static int
1301gadgetfs_setup (struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl)
1302{
1303        struct dev_data                 *dev = get_gadget_data (gadget);
1304        struct usb_request              *req = dev->req;
1305        int                             value = -EOPNOTSUPP;
1306        struct usb_gadgetfs_event       *event;
1307        u16                             w_value = le16_to_cpu(ctrl->wValue);
1308        u16                             w_length = le16_to_cpu(ctrl->wLength);
1309
1310        spin_lock (&dev->lock);
1311        dev->setup_abort = 0;
1312        if (dev->state == STATE_DEV_UNCONNECTED) {
1313                if (gadget_is_dualspeed(gadget)
1314                                && gadget->speed == USB_SPEED_HIGH
1315                                && dev->hs_config == NULL) {
1316                        spin_unlock(&dev->lock);
1317                        ERROR (dev, "no high speed config??\n");
1318                        return -EINVAL;
1319                }
1320
1321                dev->state = STATE_DEV_CONNECTED;
1322
1323                INFO (dev, "connected\n");
1324                event = next_event (dev, GADGETFS_CONNECT);
1325                event->u.speed = gadget->speed;
1326                ep0_readable (dev);
1327
1328        /* host may have given up waiting for response.  we can miss control
1329         * requests handled lower down (device/endpoint status and features);
1330         * then ep0_{read,write} will report the wrong status. controller
1331         * driver will have aborted pending i/o.
1332         */
1333        } else if (dev->state == STATE_DEV_SETUP)
1334                dev->setup_abort = 1;
1335
1336        req->buf = dev->rbuf;
1337        req->context = NULL;
1338        value = -EOPNOTSUPP;
1339        switch (ctrl->bRequest) {
1340
1341        case USB_REQ_GET_DESCRIPTOR:
1342                if (ctrl->bRequestType != USB_DIR_IN)
1343                        goto unrecognized;
1344                switch (w_value >> 8) {
1345
1346                case USB_DT_DEVICE:
1347                        value = min (w_length, (u16) sizeof *dev->dev);
1348                        dev->dev->bMaxPacketSize0 = dev->gadget->ep0->maxpacket;
1349                        req->buf = dev->dev;
1350                        break;
1351                case USB_DT_DEVICE_QUALIFIER:
1352                        if (!dev->hs_config)
1353                                break;
1354                        value = min (w_length, (u16)
1355                                sizeof (struct usb_qualifier_descriptor));
1356                        make_qualifier (dev);
1357                        break;
1358                case USB_DT_OTHER_SPEED_CONFIG:
1359                        // FALLTHROUGH
1360                case USB_DT_CONFIG:
1361                        value = config_buf (dev,
1362                                        w_value >> 8,
1363                                        w_value & 0xff);
1364                        if (value >= 0)
1365                                value = min (w_length, (u16) value);
1366                        break;
1367                case USB_DT_STRING:
1368                        goto unrecognized;
1369
1370                default:                // all others are errors
1371                        break;
1372                }
1373                break;
1374
1375        /* currently one config, two speeds */
1376        case USB_REQ_SET_CONFIGURATION:
1377                if (ctrl->bRequestType != 0)
1378                        goto unrecognized;
1379                if (0 == (u8) w_value) {
1380                        value = 0;
1381                        dev->current_config = 0;
1382                        usb_gadget_vbus_draw(gadget, 8 /* mA */ );
1383                        // user mode expected to disable endpoints
1384                } else {
1385                        u8      config, power;
1386
1387                        if (gadget_is_dualspeed(gadget)
1388                                        && gadget->speed == USB_SPEED_HIGH) {
1389                                config = dev->hs_config->bConfigurationValue;
1390                                power = dev->hs_config->bMaxPower;
1391                        } else {
1392                                config = dev->config->bConfigurationValue;
1393                                power = dev->config->bMaxPower;
1394                        }
1395
1396                        if (config == (u8) w_value) {
1397                                value = 0;
1398                                dev->current_config = config;
1399                                usb_gadget_vbus_draw(gadget, 2 * power);
1400                        }
1401                }
1402
1403                /* report SET_CONFIGURATION like any other control request,
1404                 * except that usermode may not stall this.  the next
1405                 * request mustn't be allowed start until this finishes:
1406                 * endpoints and threads set up, etc.
1407                 *
1408                 * NOTE:  older PXA hardware (before PXA 255: without UDCCFR)
1409                 * has bad/racey automagic that prevents synchronizing here.
1410                 * even kernel mode drivers often miss them.
1411                 */
1412                if (value == 0) {
1413                        INFO (dev, "configuration #%d\n", dev->current_config);
1414                        usb_gadget_set_state(gadget, USB_STATE_CONFIGURED);
1415                        if (dev->usermode_setup) {
1416                                dev->setup_can_stall = 0;
1417                                goto delegate;
1418                        }
1419                }
1420                break;
1421
1422#ifndef CONFIG_USB_PXA25X
1423        /* PXA automagically handles this request too */
1424        case USB_REQ_GET_CONFIGURATION:
1425                if (ctrl->bRequestType != 0x80)
1426                        goto unrecognized;
1427                *(u8 *)req->buf = dev->current_config;
1428                value = min (w_length, (u16) 1);
1429                break;
1430#endif
1431
1432        default:
1433unrecognized:
1434                VDEBUG (dev, "%s req%02x.%02x v%04x i%04x l%d\n",
1435                        dev->usermode_setup ? "delegate" : "fail",
1436                        ctrl->bRequestType, ctrl->bRequest,
1437                        w_value, le16_to_cpu(ctrl->wIndex), w_length);
1438
1439                /* if there's an ep0 reader, don't stall */
1440                if (dev->usermode_setup) {
1441                        dev->setup_can_stall = 1;
1442delegate:
1443                        dev->setup_in = (ctrl->bRequestType & USB_DIR_IN)
1444                                                ? 1 : 0;
1445                        dev->setup_wLength = w_length;
1446                        dev->setup_out_ready = 0;
1447                        dev->setup_out_error = 0;
1448                        value = 0;
1449
1450                        /* read DATA stage for OUT right away */
1451                        if (unlikely (!dev->setup_in && w_length)) {
1452                                value = setup_req (gadget->ep0, dev->req,
1453                                                        w_length);
1454                                if (value < 0)
1455                                        break;
1456                                value = usb_ep_queue (gadget->ep0, dev->req,
1457                                                        GFP_ATOMIC);
1458                                if (value < 0) {
1459                                        clean_req (gadget->ep0, dev->req);
1460                                        break;
1461                                }
1462
1463                                /* we can't currently stall these */
1464                                dev->setup_can_stall = 0;
1465                        }
1466
1467                        /* state changes when reader collects event */
1468                        event = next_event (dev, GADGETFS_SETUP);
1469                        event->u.setup = *ctrl;
1470                        ep0_readable (dev);
1471                        spin_unlock (&dev->lock);
1472                        return 0;
1473                }
1474        }
1475
1476        /* proceed with data transfer and status phases? */
1477        if (value >= 0 && dev->state != STATE_DEV_SETUP) {
1478                req->length = value;
1479                req->zero = value < w_length;
1480                value = usb_ep_queue (gadget->ep0, req, GFP_ATOMIC);
1481                if (value < 0) {
1482                        DBG (dev, "ep_queue --> %d\n", value);
1483                        req->status = 0;
1484                }
1485        }
1486
1487        /* device stalls when value < 0 */
1488        spin_unlock (&dev->lock);
1489        return value;
1490}
1491
1492static void destroy_ep_files (struct dev_data *dev)
1493{
1494        DBG (dev, "%s %d\n", __func__, dev->state);
1495
1496        /* dev->state must prevent interference */
1497        spin_lock_irq (&dev->lock);
1498        while (!list_empty(&dev->epfiles)) {
1499                struct ep_data  *ep;
1500                struct inode    *parent;
1501                struct dentry   *dentry;
1502
1503                /* break link to FS */
1504                ep = list_first_entry (&dev->epfiles, struct ep_data, epfiles);
1505                list_del_init (&ep->epfiles);
1506                dentry = ep->dentry;
1507                ep->dentry = NULL;
1508                parent = d_inode(dentry->d_parent);
1509
1510                /* break link to controller */
1511                if (ep->state == STATE_EP_ENABLED)
1512                        (void) usb_ep_disable (ep->ep);
1513                ep->state = STATE_EP_UNBOUND;
1514                usb_ep_free_request (ep->ep, ep->req);
1515                ep->ep = NULL;
1516                wake_up (&ep->wait);
1517                put_ep (ep);
1518
1519                spin_unlock_irq (&dev->lock);
1520
1521                /* break link to dcache */
1522                mutex_lock (&parent->i_mutex);
1523                d_delete (dentry);
1524                dput (dentry);
1525                mutex_unlock (&parent->i_mutex);
1526
1527                spin_lock_irq (&dev->lock);
1528        }
1529        spin_unlock_irq (&dev->lock);
1530}
1531
1532
1533static struct dentry *
1534gadgetfs_create_file (struct super_block *sb, char const *name,
1535                void *data, const struct file_operations *fops);
1536
1537static int activate_ep_files (struct dev_data *dev)
1538{
1539        struct usb_ep   *ep;
1540        struct ep_data  *data;
1541
1542        gadget_for_each_ep (ep, dev->gadget) {
1543
1544                data = kzalloc(sizeof(*data), GFP_KERNEL);
1545                if (!data)
1546                        goto enomem0;
1547                data->state = STATE_EP_DISABLED;
1548                mutex_init(&data->lock);
1549                init_waitqueue_head (&data->wait);
1550
1551                strncpy (data->name, ep->name, sizeof (data->name) - 1);
1552                atomic_set (&data->count, 1);
1553                data->dev = dev;
1554                get_dev (dev);
1555
1556                data->ep = ep;
1557                ep->driver_data = data;
1558
1559                data->req = usb_ep_alloc_request (ep, GFP_KERNEL);
1560                if (!data->req)
1561                        goto enomem1;
1562
1563                data->dentry = gadgetfs_create_file (dev->sb, data->name,
1564                                data, &ep_io_operations);
1565                if (!data->dentry)
1566                        goto enomem2;
1567                list_add_tail (&data->epfiles, &dev->epfiles);
1568        }
1569        return 0;
1570
1571enomem2:
1572        usb_ep_free_request (ep, data->req);
1573enomem1:
1574        put_dev (dev);
1575        kfree (data);
1576enomem0:
1577        DBG (dev, "%s enomem\n", __func__);
1578        destroy_ep_files (dev);
1579        return -ENOMEM;
1580}
1581
1582static void
1583gadgetfs_unbind (struct usb_gadget *gadget)
1584{
1585        struct dev_data         *dev = get_gadget_data (gadget);
1586
1587        DBG (dev, "%s\n", __func__);
1588
1589        spin_lock_irq (&dev->lock);
1590        dev->state = STATE_DEV_UNBOUND;
1591        spin_unlock_irq (&dev->lock);
1592
1593        destroy_ep_files (dev);
1594        gadget->ep0->driver_data = NULL;
1595        set_gadget_data (gadget, NULL);
1596
1597        /* we've already been disconnected ... no i/o is active */
1598        if (dev->req)
1599                usb_ep_free_request (gadget->ep0, dev->req);
1600        DBG (dev, "%s done\n", __func__);
1601        put_dev (dev);
1602}
1603
1604static struct dev_data          *the_device;
1605
1606static int gadgetfs_bind(struct usb_gadget *gadget,
1607                struct usb_gadget_driver *driver)
1608{
1609        struct dev_data         *dev = the_device;
1610
1611        if (!dev)
1612                return -ESRCH;
1613        if (0 != strcmp (CHIP, gadget->name)) {
1614                pr_err("%s expected %s controller not %s\n",
1615                        shortname, CHIP, gadget->name);
1616                return -ENODEV;
1617        }
1618
1619        set_gadget_data (gadget, dev);
1620        dev->gadget = gadget;
1621        gadget->ep0->driver_data = dev;
1622
1623        /* preallocate control response and buffer */
1624        dev->req = usb_ep_alloc_request (gadget->ep0, GFP_KERNEL);
1625        if (!dev->req)
1626                goto enomem;
1627        dev->req->context = NULL;
1628        dev->req->complete = epio_complete;
1629
1630        if (activate_ep_files (dev) < 0)
1631                goto enomem;
1632
1633        INFO (dev, "bound to %s driver\n", gadget->name);
1634        spin_lock_irq(&dev->lock);
1635        dev->state = STATE_DEV_UNCONNECTED;
1636        spin_unlock_irq(&dev->lock);
1637        get_dev (dev);
1638        return 0;
1639
1640enomem:
1641        gadgetfs_unbind (gadget);
1642        return -ENOMEM;
1643}
1644
1645static void
1646gadgetfs_disconnect (struct usb_gadget *gadget)
1647{
1648        struct dev_data         *dev = get_gadget_data (gadget);
1649        unsigned long           flags;
1650
1651        spin_lock_irqsave (&dev->lock, flags);
1652        if (dev->state == STATE_DEV_UNCONNECTED)
1653                goto exit;
1654        dev->state = STATE_DEV_UNCONNECTED;
1655
1656        INFO (dev, "disconnected\n");
1657        next_event (dev, GADGETFS_DISCONNECT);
1658        ep0_readable (dev);
1659exit:
1660        spin_unlock_irqrestore (&dev->lock, flags);
1661}
1662
1663static void
1664gadgetfs_suspend (struct usb_gadget *gadget)
1665{
1666        struct dev_data         *dev = get_gadget_data (gadget);
1667
1668        INFO (dev, "suspended from state %d\n", dev->state);
1669        spin_lock (&dev->lock);
1670        switch (dev->state) {
1671        case STATE_DEV_SETUP:           // VERY odd... host died??
1672        case STATE_DEV_CONNECTED:
1673        case STATE_DEV_UNCONNECTED:
1674                next_event (dev, GADGETFS_SUSPEND);
1675                ep0_readable (dev);
1676                /* FALLTHROUGH */
1677        default:
1678                break;
1679        }
1680        spin_unlock (&dev->lock);
1681}
1682
1683static struct usb_gadget_driver gadgetfs_driver = {
1684        .function       = (char *) driver_desc,
1685        .bind           = gadgetfs_bind,
1686        .unbind         = gadgetfs_unbind,
1687        .setup          = gadgetfs_setup,
1688        .reset          = gadgetfs_disconnect,
1689        .disconnect     = gadgetfs_disconnect,
1690        .suspend        = gadgetfs_suspend,
1691
1692        .driver = {
1693                .name           = (char *) shortname,
1694        },
1695};
1696
1697/*----------------------------------------------------------------------*/
1698
1699static void gadgetfs_nop(struct usb_gadget *arg) { }
1700
1701static int gadgetfs_probe(struct usb_gadget *gadget,
1702                struct usb_gadget_driver *driver)
1703{
1704        CHIP = gadget->name;
1705        return -EISNAM;
1706}
1707
1708static struct usb_gadget_driver probe_driver = {
1709        .max_speed      = USB_SPEED_HIGH,
1710        .bind           = gadgetfs_probe,
1711        .unbind         = gadgetfs_nop,
1712        .setup          = (void *)gadgetfs_nop,
1713        .disconnect     = gadgetfs_nop,
1714        .driver = {
1715                .name           = "nop",
1716        },
1717};
1718
1719
1720/* DEVICE INITIALIZATION
1721 *
1722 *     fd = open ("/dev/gadget/$CHIP", O_RDWR)
1723 *     status = write (fd, descriptors, sizeof descriptors)
1724 *
1725 * That write establishes the device configuration, so the kernel can
1726 * bind to the controller ... guaranteeing it can handle enumeration
1727 * at all necessary speeds.  Descriptor order is:
1728 *
1729 * . message tag (u32, host order) ... for now, must be zero; it
1730 *      would change to support features like multi-config devices
1731 * . full/low speed config ... all wTotalLength bytes (with interface,
1732 *      class, altsetting, endpoint, and other descriptors)
1733 * . high speed config ... all descriptors, for high speed operation;
1734 *      this one's optional except for high-speed hardware
1735 * . device descriptor
1736 *
1737 * Endpoints are not yet enabled. Drivers must wait until device
1738 * configuration and interface altsetting changes create
1739 * the need to configure (or unconfigure) them.
1740 *
1741 * After initialization, the device stays active for as long as that
1742 * $CHIP file is open.  Events must then be read from that descriptor,
1743 * such as configuration notifications.
1744 */
1745
1746static int is_valid_config (struct usb_config_descriptor *config)
1747{
1748        return config->bDescriptorType == USB_DT_CONFIG
1749                && config->bLength == USB_DT_CONFIG_SIZE
1750                && config->bConfigurationValue != 0
1751                && (config->bmAttributes & USB_CONFIG_ATT_ONE) != 0
1752                && (config->bmAttributes & USB_CONFIG_ATT_WAKEUP) == 0;
1753        /* FIXME if gadget->is_otg, _must_ include an otg descriptor */
1754        /* FIXME check lengths: walk to end */
1755}
1756
1757static ssize_t
1758dev_config (struct file *fd, const char __user *buf, size_t len, loff_t *ptr)
1759{
1760        struct dev_data         *dev = fd->private_data;
1761        ssize_t                 value = len, length = len;
1762        unsigned                total;
1763        u32                     tag;
1764        char                    *kbuf;
1765
1766        spin_lock_irq(&dev->lock);
1767        if (dev->state > STATE_DEV_OPENED) {
1768                value = ep0_write(fd, buf, len, ptr);
1769                spin_unlock_irq(&dev->lock);
1770                return value;
1771        }
1772        spin_unlock_irq(&dev->lock);
1773
1774        if (len < (USB_DT_CONFIG_SIZE + USB_DT_DEVICE_SIZE + 4))
1775                return -EINVAL;
1776
1777        /* we might need to change message format someday */
1778        if (copy_from_user (&tag, buf, 4))
1779                return -EFAULT;
1780        if (tag != 0)
1781                return -EINVAL;
1782        buf += 4;
1783        length -= 4;
1784
1785        kbuf = memdup_user(buf, length);
1786        if (IS_ERR(kbuf))
1787                return PTR_ERR(kbuf);
1788
1789        spin_lock_irq (&dev->lock);
1790        value = -EINVAL;
1791        if (dev->buf)
1792                goto fail;
1793        dev->buf = kbuf;
1794
1795        /* full or low speed config */
1796        dev->config = (void *) kbuf;
1797        total = le16_to_cpu(dev->config->wTotalLength);
1798        if (!is_valid_config (dev->config) || total >= length)
1799                goto fail;
1800        kbuf += total;
1801        length -= total;
1802
1803        /* optional high speed config */
1804        if (kbuf [1] == USB_DT_CONFIG) {
1805                dev->hs_config = (void *) kbuf;
1806                total = le16_to_cpu(dev->hs_config->wTotalLength);
1807                if (!is_valid_config (dev->hs_config) || total >= length)
1808                        goto fail;
1809                kbuf += total;
1810                length -= total;
1811        }
1812
1813        /* could support multiple configs, using another encoding! */
1814
1815        /* device descriptor (tweaked for paranoia) */
1816        if (length != USB_DT_DEVICE_SIZE)
1817                goto fail;
1818        dev->dev = (void *)kbuf;
1819        if (dev->dev->bLength != USB_DT_DEVICE_SIZE
1820                        || dev->dev->bDescriptorType != USB_DT_DEVICE
1821                        || dev->dev->bNumConfigurations != 1)
1822                goto fail;
1823        dev->dev->bNumConfigurations = 1;
1824        dev->dev->bcdUSB = cpu_to_le16 (0x0200);
1825
1826        /* triggers gadgetfs_bind(); then we can enumerate. */
1827        spin_unlock_irq (&dev->lock);
1828        if (dev->hs_config)
1829                gadgetfs_driver.max_speed = USB_SPEED_HIGH;
1830        else
1831                gadgetfs_driver.max_speed = USB_SPEED_FULL;
1832
1833        value = usb_gadget_probe_driver(&gadgetfs_driver);
1834        if (value != 0) {
1835                kfree (dev->buf);
1836                dev->buf = NULL;
1837        } else {
1838                /* at this point "good" hardware has for the first time
1839                 * let the USB the host see us.  alternatively, if users
1840                 * unplug/replug that will clear all the error state.
1841                 *
1842                 * note:  everything running before here was guaranteed
1843                 * to choke driver model style diagnostics.  from here
1844                 * on, they can work ... except in cleanup paths that
1845                 * kick in after the ep0 descriptor is closed.
1846                 */
1847                value = len;
1848        }
1849        return value;
1850
1851fail:
1852        spin_unlock_irq (&dev->lock);
1853        pr_debug ("%s: %s fail %Zd, %p\n", shortname, __func__, value, dev);
1854        kfree (dev->buf);
1855        dev->buf = NULL;
1856        return value;
1857}
1858
1859static int
1860dev_open (struct inode *inode, struct file *fd)
1861{
1862        struct dev_data         *dev = inode->i_private;
1863        int                     value = -EBUSY;
1864
1865        spin_lock_irq(&dev->lock);
1866        if (dev->state == STATE_DEV_DISABLED) {
1867                dev->ev_next = 0;
1868                dev->state = STATE_DEV_OPENED;
1869                fd->private_data = dev;
1870                get_dev (dev);
1871                value = 0;
1872        }
1873        spin_unlock_irq(&dev->lock);
1874        return value;
1875}
1876
1877static const struct file_operations ep0_operations = {
1878        .llseek =       no_llseek,
1879
1880        .open =         dev_open,
1881        .read =         ep0_read,
1882        .write =        dev_config,
1883        .fasync =       ep0_fasync,
1884        .poll =         ep0_poll,
1885        .unlocked_ioctl = dev_ioctl,
1886        .release =      dev_release,
1887};
1888
1889/*----------------------------------------------------------------------*/
1890
1891/* FILESYSTEM AND SUPERBLOCK OPERATIONS
1892 *
1893 * Mounting the filesystem creates a controller file, used first for
1894 * device configuration then later for event monitoring.
1895 */
1896
1897
1898/* FIXME PAM etc could set this security policy without mount options
1899 * if epfiles inherited ownership and permissons from ep0 ...
1900 */
1901
1902static unsigned default_uid;
1903static unsigned default_gid;
1904static unsigned default_perm = S_IRUSR | S_IWUSR;
1905
1906module_param (default_uid, uint, 0644);
1907module_param (default_gid, uint, 0644);
1908module_param (default_perm, uint, 0644);
1909
1910
1911static struct inode *
1912gadgetfs_make_inode (struct super_block *sb,
1913                void *data, const struct file_operations *fops,
1914                int mode)
1915{
1916        struct inode *inode = new_inode (sb);
1917
1918        if (inode) {
1919                inode->i_ino = get_next_ino();
1920                inode->i_mode = mode;
1921                inode->i_uid = make_kuid(&init_user_ns, default_uid);
1922                inode->i_gid = make_kgid(&init_user_ns, default_gid);
1923                inode->i_atime = inode->i_mtime = inode->i_ctime
1924                                = CURRENT_TIME;
1925                inode->i_private = data;
1926                inode->i_fop = fops;
1927        }
1928        return inode;
1929}
1930
1931/* creates in fs root directory, so non-renamable and non-linkable.
1932 * so inode and dentry are paired, until device reconfig.
1933 */
1934static struct dentry *
1935gadgetfs_create_file (struct super_block *sb, char const *name,
1936                void *data, const struct file_operations *fops)
1937{
1938        struct dentry   *dentry;
1939        struct inode    *inode;
1940
1941        dentry = d_alloc_name(sb->s_root, name);
1942        if (!dentry)
1943                return NULL;
1944
1945        inode = gadgetfs_make_inode (sb, data, fops,
1946                        S_IFREG | (default_perm & S_IRWXUGO));
1947        if (!inode) {
1948                dput(dentry);
1949                return NULL;
1950        }
1951        d_add (dentry, inode);
1952        return dentry;
1953}
1954
1955static const struct super_operations gadget_fs_operations = {
1956        .statfs =       simple_statfs,
1957        .drop_inode =   generic_delete_inode,
1958};
1959
1960static int
1961gadgetfs_fill_super (struct super_block *sb, void *opts, int silent)
1962{
1963        struct inode    *inode;
1964        struct dev_data *dev;
1965
1966        if (the_device)
1967                return -ESRCH;
1968
1969        /* fake probe to determine $CHIP */
1970        CHIP = NULL;
1971        usb_gadget_probe_driver(&probe_driver);
1972        if (!CHIP)
1973                return -ENODEV;
1974
1975        /* superblock */
1976        sb->s_blocksize = PAGE_CACHE_SIZE;
1977        sb->s_blocksize_bits = PAGE_CACHE_SHIFT;
1978        sb->s_magic = GADGETFS_MAGIC;
1979        sb->s_op = &gadget_fs_operations;
1980        sb->s_time_gran = 1;
1981
1982        /* root inode */
1983        inode = gadgetfs_make_inode (sb,
1984                        NULL, &simple_dir_operations,
1985                        S_IFDIR | S_IRUGO | S_IXUGO);
1986        if (!inode)
1987                goto Enomem;
1988        inode->i_op = &simple_dir_inode_operations;
1989        if (!(sb->s_root = d_make_root (inode)))
1990                goto Enomem;
1991
1992        /* the ep0 file is named after the controller we expect;
1993         * user mode code can use it for sanity checks, like we do.
1994         */
1995        dev = dev_new ();
1996        if (!dev)
1997                goto Enomem;
1998
1999        dev->sb = sb;
2000        dev->dentry = gadgetfs_create_file(sb, CHIP, dev, &ep0_operations);

2001        if (!dev->dentry) {
2002                put_dev(dev);
2003                goto Enomem;
2004        }
2005
2006        /* other endpoint files are available after hardware setup,
2007         * from binding to a controller.
2008         */
2009        the_device = dev;
2010        return 0;
2011
2012Enomem:
2013        return -ENOMEM;
2014}
2015
2016/* "mount -t gadgetfs path /dev/gadget" ends up here */
2017static struct dentry *
2018gadgetfs_mount (struct file_system_type *t, int flags,
2019                const char *path, void *opts)
2020{
2021        return mount_single (t, flags, opts, gadgetfs_fill_super);
2022}
2023
2024static void
2025gadgetfs_kill_sb (struct super_block *sb)
2026{
2027        kill_litter_super (sb);
2028        if (the_device) {
2029                put_dev (the_device);
2030                the_device = NULL;
2031        }
2032}
2033
2034/*----------------------------------------------------------------------*/
2035
2036static struct file_system_type gadgetfs_type = {
2037        .owner          = THIS_MODULE,
2038        .name           = shortname,
2039        .mount          = gadgetfs_mount,
2040        .kill_sb        = gadgetfs_kill_sb,
2041};
2042MODULE_ALIAS_FS("gadgetfs");
2043
2044/*----------------------------------------------------------------------*/
2045
2046static int __init init (void)
2047{
2048        int status;
2049
2050        status = register_filesystem (&gadgetfs_type);
2051        if (status == 0)
2052                pr_info ("%s: %s, version " DRIVER_VERSION "\n",
2053                        shortname, driver_desc);
2054        return status;
2055}
2056module_init (init);
2057
2058static void __exit cleanup (void)
2059{
2060        pr_debug ("unregister %s\n", shortname);
2061        unregister_filesystem (&gadgetfs_type);
2062}
2063module_exit (cleanup);
2064
2065