LXR linux/drivers/usb/gadget/legacy/inode.c

   1/*
   2 * inode.c -- user mode filesystem api for usb gadget controllers
   3 *
   4 * Copyright (C) 2003-2004 David Brownell
   5 * Copyright (C) 2003 Agilent Technologies
   6 *
   7 * This program is free software; you can redistribute it and/or modify
   8 * it under the terms of the GNU General Public License as published by
   9 * the Free Software Foundation; either version 2 of the License, or
  10 * (at your option) any later version.
  11 */
  12
  13
  14/* #define VERBOSE_DEBUG */
  15
  16#include <linux/init.h>
  17#include <linux/module.h>
  18#include <linux/fs.h>
  19#include <linux/pagemap.h>
  20#include <linux/uts.h>
  21#include <linux/wait.h>
  22#include <linux/compiler.h>
  23#include <asm/uaccess.h>
  24#include <linux/sched.h>
  25#include <linux/slab.h>
  26#include <linux/poll.h>
  27#include <linux/mmu_context.h>
  28#include <linux/aio.h>
  29#include <linux/uio.h>
  30
  31#include <linux/device.h>
  32#include <linux/moduleparam.h>
  33
  34#include <linux/usb/gadgetfs.h>
  35#include <linux/usb/gadget.h>
  36
  37
  38/*
  39 * The gadgetfs API maps each endpoint to a file descriptor so that you
  40 * can use standard synchronous read/write calls for I/O.  There's some
  41 * O_NONBLOCK and O_ASYNC/FASYNC style i/o support.  Example usermode
  42 * drivers show how this works in practice.  You can also use AIO to
  43 * eliminate I/O gaps between requests, to help when streaming data.
  44 *
  45 * Key parts that must be USB-specific are protocols defining how the
  46 * read/write operations relate to the hardware state machines.  There
  47 * are two types of files.  One type is for the device, implementing ep0.
  48 * The other type is for each IN or OUT endpoint.  In both cases, the
  49 * user mode driver must configure the hardware before using it.
  50 *
  51 * - First, dev_config() is called when /dev/gadget/$CHIP is configured
  52 *   (by writing configuration and device descriptors).  Afterwards it
  53 *   may serve as a source of device events, used to handle all control
  54 *   requests other than basic enumeration.
  55 *
  56 * - Then, after a SET_CONFIGURATION control request, ep_config() is
  57 *   called when each /dev/gadget/ep* file is configured (by writing
  58 *   endpoint descriptors).  Afterwards these files are used to write()
  59 *   IN data or to read() OUT data.  To halt the endpoint, a "wrong
  60 *   direction" request is issued (like reading an IN endpoint).
  61 *
  62 * Unlike "usbfs" the only ioctl()s are for things that are rare, and maybe
  63 * not possible on all hardware.  For example, precise fault handling with
  64 * respect to data left in endpoint fifos after aborted operations; or
  65 * selective clearing of endpoint halts, to implement SET_INTERFACE.
  66 */
  67
  68#define DRIVER_DESC     "USB Gadget filesystem"
  69#define DRIVER_VERSION  "24 Aug 2004"
  70
  71static const char driver_desc [] = DRIVER_DESC;
  72static const char shortname [] = "gadgetfs";
  73
  74MODULE_DESCRIPTION (DRIVER_DESC);
  75MODULE_AUTHOR ("David Brownell");
  76MODULE_LICENSE ("GPL");
  77
  78static int ep_open(struct inode *, struct file *);
  79
  80
  81/*----------------------------------------------------------------------*/
  82
  83#define GADGETFS_MAGIC          0xaee71ee7
  84
  85/* /dev/gadget/$CHIP represents ep0 and the whole device */
  86enum ep0_state {
  87        /* DISBLED is the initial state.
  88         */
  89        STATE_DEV_DISABLED = 0,
  90
  91        /* Only one open() of /dev/gadget/$CHIP; only one file tracks
  92         * ep0/device i/o modes and binding to the controller.  Driver
  93         * must always write descriptors to initialize the device, then
  94         * the device becomes UNCONNECTED until enumeration.
  95         */
  96        STATE_DEV_OPENED,
  97
  98        /* From then on, ep0 fd is in either of two basic modes:
  99         * - (UN)CONNECTED: read usb_gadgetfs_event(s) from it
 100         * - SETUP: read/write will transfer control data and succeed;
 101         *   or if "wrong direction", performs protocol stall
 102         */
 103        STATE_DEV_UNCONNECTED,
 104        STATE_DEV_CONNECTED,
 105        STATE_DEV_SETUP,
 106
 107        /* UNBOUND means the driver closed ep0, so the device won't be
 108         * accessible again (DEV_DISABLED) until all fds are closed.
 109         */
 110        STATE_DEV_UNBOUND,
 111};
 112
 113/* enough for the whole queue: most events invalidate others */
 114#define N_EVENT                 5
 115
 116struct dev_data {
 117        spinlock_t                      lock;
 118        atomic_t                        count;
 119        enum ep0_state                  state;          /* P: lock */
 120        struct usb_gadgetfs_event       event [N_EVENT];
 121        unsigned                        ev_next;
 122        struct fasync_struct            *fasync;
 123        u8                              current_config;
 124
 125        /* drivers reading ep0 MUST handle control requests (SETUP)
 126         * reported that way; else the host will time out.
 127         */
 128        unsigned                        usermode_setup : 1,
 129                                        setup_in : 1,
 130                                        setup_can_stall : 1,
 131                                        setup_out_ready : 1,
 132                                        setup_out_error : 1,
 133                                        setup_abort : 1;
 134        unsigned                        setup_wLength;
 135
 136        /* the rest is basically write-once */
 137        struct usb_config_descriptor    *config, *hs_config;
 138        struct usb_device_descriptor    *dev;
 139        struct usb_request              *req;
 140        struct usb_gadget               *gadget;
 141        struct list_head                epfiles;
 142        void                            *buf;
 143        wait_queue_head_t               wait;
 144        struct super_block              *sb;
 145        struct dentry                   *dentry;
 146
 147        /* except this scratch i/o buffer for ep0 */
 148        u8                              rbuf [256];
 149};
 150
 151static inline void get_dev (struct dev_data *data)
 152{
 153        atomic_inc (&data->count);
 154}
 155
 156static void put_dev (struct dev_data *data)
 157{
 158        if (likely (!atomic_dec_and_test (&data->count)))
 159                return;
 160        /* needs no more cleanup */
 161        BUG_ON (waitqueue_active (&data->wait));
 162        kfree (data);
 163}
 164
 165static struct dev_data *dev_new (void)
 166{
 167        struct dev_data         *dev;
 168
 169        dev = kzalloc(sizeof(*dev), GFP_KERNEL);
 170        if (!dev)
 171                return NULL;
 172        dev->state = STATE_DEV_DISABLED;
 173        atomic_set (&dev->count, 1);
 174        spin_lock_init (&dev->lock);
 175        INIT_LIST_HEAD (&dev->epfiles);
 176        init_waitqueue_head (&dev->wait);
 177        return dev;
 178}
 179
 180/*----------------------------------------------------------------------*/
 181
 182/* other /dev/gadget/$ENDPOINT files represent endpoints */
 183enum ep_state {
 184        STATE_EP_DISABLED = 0,
 185        STATE_EP_READY,
 186        STATE_EP_ENABLED,
 187        STATE_EP_UNBOUND,
 188};
 189
 190struct ep_data {
 191        struct mutex                    lock;
 192        enum ep_state                   state;
 193        atomic_t                        count;
 194        struct dev_data                 *dev;
 195        /* must hold dev->lock before accessing ep or req */
 196        struct usb_ep                   *ep;
 197        struct usb_request              *req;
 198        ssize_t                         status;
 199        char                            name [16];
 200        struct usb_endpoint_descriptor  desc, hs_desc;
 201        struct list_head                epfiles;
 202        wait_queue_head_t               wait;
 203        struct dentry                   *dentry;
 204};
 205
 206static inline void get_ep (struct ep_data *data)
 207{
 208        atomic_inc (&data->count);
 209}
 210
 211static void put_ep (struct ep_data *data)
 212{
 213        if (likely (!atomic_dec_and_test (&data->count)))
 214                return;
 215        put_dev (data->dev);
 216        /* needs no more cleanup */
 217        BUG_ON (!list_empty (&data->epfiles));
 218        BUG_ON (waitqueue_active (&data->wait));
 219        kfree (data);
 220}
 221
 222/*----------------------------------------------------------------------*/
 223
 224/* most "how to use the hardware" policy choices are in userspace:
 225 * mapping endpoint roles (which the driver needs) to the capabilities
 226 * which the usb controller has.  most of those capabilities are exposed
 227 * implicitly, starting with the driver name and then endpoint names.
 228 */
 229
 230static const char *CHIP;
 231
 232/*----------------------------------------------------------------------*/
 233
 234/* NOTE:  don't use dev_printk calls before binding to the gadget
 235 * at the end of ep0 configuration, or after unbind.
 236 */
 237
 238/* too wordy: dev_printk(level , &(d)->gadget->dev , fmt , ## args) */
 239#define xprintk(d,level,fmt,args...) \
 240        printk(level "%s: " fmt , shortname , ## args)
 241
 242#ifdef DEBUG
 243#define DBG(dev,fmt,args...) \
 244        xprintk(dev , KERN_DEBUG , fmt , ## args)
 245#else
 246#define DBG(dev,fmt,args...) \
 247        do { } while (0)
 248#endif /* DEBUG */
 249
 250#ifdef VERBOSE_DEBUG
 251#define VDEBUG  DBG
 252#else
 253#define VDEBUG(dev,fmt,args...) \
 254        do { } while (0)
 255#endif /* DEBUG */
 256
 257#define ERROR(dev,fmt,args...) \
 258        xprintk(dev , KERN_ERR , fmt , ## args)
 259#define INFO(dev,fmt,args...) \
 260        xprintk(dev , KERN_INFO , fmt , ## args)
 261
 262
 263/*----------------------------------------------------------------------*/
 264
 265/* SYNCHRONOUS ENDPOINT OPERATIONS (bulk/intr/iso)
 266 *
 267 * After opening, configure non-control endpoints.  Then use normal
 268 * stream read() and write() requests; and maybe ioctl() to get more
 269 * precise FIFO status when recovering from cancellation.
 270 */
 271
 272static void epio_complete (struct usb_ep *ep, struct usb_request *req)
 273{
 274        struct ep_data  *epdata = ep->driver_data;
 275
 276        if (!req->context)
 277                return;
 278        if (req->status)
 279                epdata->status = req->status;
 280        else
 281                epdata->status = req->actual;
 282        complete ((struct completion *)req->context);
 283}
 284
 285/* tasklock endpoint, returning when it's connected.
 286 * still need dev->lock to use epdata->ep.
 287 */
 288static int
 289get_ready_ep (unsigned f_flags, struct ep_data *epdata, bool is_write)
 290{
 291        int     val;
 292
 293        if (f_flags & O_NONBLOCK) {
 294                if (!mutex_trylock(&epdata->lock))
 295                        goto nonblock;
 296                if (epdata->state != STATE_EP_ENABLED &&
 297                    (!is_write || epdata->state != STATE_EP_READY)) {
 298                        mutex_unlock(&epdata->lock);
 299nonblock:
 300                        val = -EAGAIN;
 301                } else
 302                        val = 0;
 303                return val;
 304        }
 305
 306        val = mutex_lock_interruptible(&epdata->lock);
 307        if (val < 0)
 308                return val;
 309
 310        switch (epdata->state) {
 311        case STATE_EP_ENABLED:
 312                return 0;
 313        case STATE_EP_READY:                    /* not configured yet */
 314                if (is_write)
 315                        return 0;
 316                // FALLTHRU
 317        case STATE_EP_UNBOUND:                  /* clean disconnect */
 318                break;
 319        // case STATE_EP_DISABLED:              /* "can't happen" */
 320        default:                                /* error! */
 321                pr_debug ("%s: ep %p not available, state %d\n",
 322                                shortname, epdata, epdata->state);
 323        }
 324        mutex_unlock(&epdata->lock);
 325        return -ENODEV;
 326}
 327
 328static ssize_t
 329ep_io (struct ep_data *epdata, void *buf, unsigned len)
 330{
 331        DECLARE_COMPLETION_ONSTACK (done);
 332        int value;
 333
 334        spin_lock_irq (&epdata->dev->lock);
 335        if (likely (epdata->ep != NULL)) {
 336                struct usb_request      *req = epdata->req;
 337
 338                req->context = &done;
 339                req->complete = epio_complete;
 340                req->buf = buf;
 341                req->length = len;
 342                value = usb_ep_queue (epdata->ep, req, GFP_ATOMIC);
 343        } else
 344                value = -ENODEV;
 345        spin_unlock_irq (&epdata->dev->lock);
 346
 347        if (likely (value == 0)) {
 348                value = wait_event_interruptible (done.wait, done.done);
 349                if (value != 0) {
 350                        spin_lock_irq (&epdata->dev->lock);
 351                        if (likely (epdata->ep != NULL)) {
 352                                DBG (epdata->dev, "%s i/o interrupted\n",
 353                                                epdata->name);
 354                                usb_ep_dequeue (epdata->ep, epdata->req);
 355                                spin_unlock_irq (&epdata->dev->lock);
 356
 357                                wait_event (done.wait, done.done);
 358                                if (epdata->status == -ECONNRESET)
 359                                        epdata->status = -EINTR;
 360                        } else {
 361                                spin_unlock_irq (&epdata->dev->lock);
 362
 363                                DBG (epdata->dev, "endpoint gone\n");
 364                                epdata->status = -ENODEV;
 365                        }
 366                }
 367                return epdata->status;
 368        }
 369        return value;
 370}
 371
 372static int
 373ep_release (struct inode *inode, struct file *fd)
 374{
 375        struct ep_data          *data = fd->private_data;
 376        int value;
 377
 378        value = mutex_lock_interruptible(&data->lock);
 379        if (value < 0)
 380                return value;
 381
 382        /* clean up if this can be reopened */
 383        if (data->state != STATE_EP_UNBOUND) {
 384                data->state = STATE_EP_DISABLED;
 385                data->desc.bDescriptorType = 0;
 386                data->hs_desc.bDescriptorType = 0;
 387                usb_ep_disable(data->ep);
 388        }
 389        mutex_unlock(&data->lock);
 390        put_ep (data);
 391        return 0;
 392}
 393
 394static long ep_ioctl(struct file *fd, unsigned code, unsigned long value)
 395{
 396        struct ep_data          *data = fd->private_data;
 397        int                     status;
 398
 399        if ((status = get_ready_ep (fd->f_flags, data, false)) < 0)
 400                return status;
 401
 402        spin_lock_irq (&data->dev->lock);
 403        if (likely (data->ep != NULL)) {
 404                switch (code) {
 405                case GADGETFS_FIFO_STATUS:
 406                        status = usb_ep_fifo_status (data->ep);
 407                        break;
 408                case GADGETFS_FIFO_FLUSH:
 409                        usb_ep_fifo_flush (data->ep);
 410                        break;
 411                case GADGETFS_CLEAR_HALT:
 412                        status = usb_ep_clear_halt (data->ep);
 413                        break;
 414                default:
 415                        status = -ENOTTY;
 416                }
 417        } else
 418                status = -ENODEV;
 419        spin_unlock_irq (&data->dev->lock);
 420        mutex_unlock(&data->lock);
 421        return status;
 422}
 423
 424/*----------------------------------------------------------------------*/
 425
 426/* ASYNCHRONOUS ENDPOINT I/O OPERATIONS (bulk/intr/iso) */
 427
 428struct kiocb_priv {
 429        struct usb_request      *req;
 430        struct ep_data          *epdata;
 431        struct kiocb            *iocb;
 432        struct mm_struct        *mm;
 433        struct work_struct      work;
 434        void                    *buf;
 435        struct iov_iter         to;
 436        const void              *to_free;
 437        unsigned                actual;
 438};
 439
 440static int ep_aio_cancel(struct kiocb *iocb)
 441{
 442        struct kiocb_priv       *priv = iocb->private;
 443        struct ep_data          *epdata;
 444        int                     value;
 445
 446        local_irq_disable();
 447        epdata = priv->epdata;
 448        // spin_lock(&epdata->dev->lock);
 449        if (likely(epdata && epdata->ep && priv->req))
 450                value = usb_ep_dequeue (epdata->ep, priv->req);
 451        else
 452                value = -EINVAL;
 453        // spin_unlock(&epdata->dev->lock);
 454        local_irq_enable();
 455
 456        return value;
 457}
 458
 459static void ep_user_copy_worker(struct work_struct *work)
 460{
 461        struct kiocb_priv *priv = container_of(work, struct kiocb_priv, work);
 462        struct mm_struct *mm = priv->mm;
 463        struct kiocb *iocb = priv->iocb;
 464        size_t ret;
 465
 466        use_mm(mm);
 467        ret = copy_to_iter(priv->buf, priv->actual, &priv->to);
 468        unuse_mm(mm);
 469        if (!ret)
 470                ret = -EFAULT;
 471
 472        /* completing the iocb can drop the ctx and mm, don't touch mm after */
 473        iocb->ki_complete(iocb, ret, ret);
 474
 475        kfree(priv->buf);
 476        kfree(priv->to_free);
 477        kfree(priv);
 478}
 479
 480static void ep_aio_complete(struct usb_ep *ep, struct usb_request *req)
 481{
 482        struct kiocb            *iocb = req->context;
 483        struct kiocb_priv       *priv = iocb->private;
 484        struct ep_data          *epdata = priv->epdata;
 485
 486        /* lock against disconnect (and ideally, cancel) */
 487        spin_lock(&epdata->dev->lock);
 488        priv->req = NULL;
 489        priv->epdata = NULL;
 490
 491        /* if this was a write or a read returning no data then we
 492         * don't need to copy anything to userspace, so we can
 493         * complete the aio request immediately.
 494         */
 495        if (priv->to_free == NULL || unlikely(req->actual == 0)) {
 496                kfree(req->buf);
 497                kfree(priv->to_free);
 498                kfree(priv);
 499                iocb->private = NULL;
 500                /* aio_complete() reports bytes-transferred _and_ faults */
 501
 502                iocb->ki_complete(iocb, req->actual ? req->actual : req->status,
 503                                req->status);
 504        } else {
 505                /* ep_copy_to_user() won't report both; we hide some faults */
 506                if (unlikely(0 != req->status))
 507                        DBG(epdata->dev, "%s fault %d len %d\n",
 508                                ep->name, req->status, req->actual);
 509
 510                priv->buf = req->buf;
 511                priv->actual = req->actual;
 512                INIT_WORK(&priv->work, ep_user_copy_worker);
 513                schedule_work(&priv->work);
 514        }
 515        spin_unlock(&epdata->dev->lock);
 516
 517        usb_ep_free_request(ep, req);
 518        put_ep(epdata);
 519}
 520
 521static ssize_t ep_aio(struct kiocb *iocb,
 522                      struct kiocb_priv *priv,
 523                      struct ep_data *epdata,
 524                      char *buf,
 525                      size_t len)
 526{
 527        struct usb_request *req;
 528        ssize_t value;
 529
 530        iocb->private = priv;
 531        priv->iocb = iocb;
 532
 533        kiocb_set_cancel_fn(iocb, ep_aio_cancel);
 534        get_ep(epdata);
 535        priv->epdata = epdata;
 536        priv->actual = 0;
 537        priv->mm = current->mm; /* mm teardown waits for iocbs in exit_aio() */
 538
 539        /* each kiocb is coupled to one usb_request, but we can't
 540         * allocate or submit those if the host disconnected.
 541         */
 542        spin_lock_irq(&epdata->dev->lock);
 543        value = -ENODEV;
 544        if (unlikely(epdata->ep))
 545                goto fail;
 546
 547        req = usb_ep_alloc_request(epdata->ep, GFP_ATOMIC);
 548        value = -ENOMEM;
 549        if (unlikely(!req))
 550                goto fail;
 551
 552        priv->req = req;
 553        req->buf = buf;
 554        req->length = len;
 555        req->complete = ep_aio_complete;
 556        req->context = iocb;
 557        value = usb_ep_queue(epdata->ep, req, GFP_ATOMIC);
 558        if (unlikely(0 != value)) {
 559                usb_ep_free_request(epdata->ep, req);
 560                goto fail;
 561        }
 562        spin_unlock_irq(&epdata->dev->lock);
 563        return -EIOCBQUEUED;
 564
 565fail:
 566        spin_unlock_irq(&epdata->dev->lock);
 567        kfree(priv->to_free);
 568        kfree(priv);
 569        put_ep(epdata);
 570        return value;
 571}
 572
 573static ssize_t
 574ep_read_iter(struct kiocb *iocb, struct iov_iter *to)
 575{
 576        struct file *file = iocb->ki_filp;
 577        struct ep_data *epdata = file->private_data;
 578        size_t len = iov_iter_count(to);
 579        ssize_t value;
 580        char *buf;
 581
 582        if ((value = get_ready_ep(file->f_flags, epdata, false)) < 0)
 583                return value;
 584
 585        /* halt any endpoint by doing a "wrong direction" i/o call */
 586        if (usb_endpoint_dir_in(&epdata->desc)) {
 587                if (usb_endpoint_xfer_isoc(&epdata->desc) ||
 588                    !is_sync_kiocb(iocb)) {
 589                        mutex_unlock(&epdata->lock);
 590                        return -EINVAL;
 591                }
 592                DBG (epdata->dev, "%s halt\n", epdata->name);
 593                spin_lock_irq(&epdata->dev->lock);
 594                if (likely(epdata->ep != NULL))
 595                        usb_ep_set_halt(epdata->ep);
 596                spin_unlock_irq(&epdata->dev->lock);
 597                mutex_unlock(&epdata->lock);
 598                return -EBADMSG;
 599        }
 600
 601        buf = kmalloc(len, GFP_KERNEL);
 602        if (unlikely(!buf)) {
 603                mutex_unlock(&epdata->lock);
 604                return -ENOMEM;
 605        }
 606        if (is_sync_kiocb(iocb)) {
 607                value = ep_io(epdata, buf, len);
 608                if (value >= 0 && copy_to_iter(buf, value, to))
 609                        value = -EFAULT;
 610        } else {
 611                struct kiocb_priv *priv = kzalloc(sizeof *priv, GFP_KERNEL);
 612                value = -ENOMEM;
 613                if (!priv)
 614                        goto fail;
 615                priv->to_free = dup_iter(&priv->to, to, GFP_KERNEL);
 616                if (!priv->to_free) {
 617                        kfree(priv);
 618                        goto fail;
 619                }
 620                value = ep_aio(iocb, priv, epdata, buf, len);
 621                if (value == -EIOCBQUEUED)
 622                        buf = NULL;
 623        }
 624fail:
 625        kfree(buf);
 626        mutex_unlock(&epdata->lock);
 627        return value;
 628}
 629
 630static ssize_t ep_config(struct ep_data *, const char *, size_t);
 631
 632static ssize_t
 633ep_write_iter(struct kiocb *iocb, struct iov_iter *from)
 634{
 635        struct file *file = iocb->ki_filp;
 636        struct ep_data *epdata = file->private_data;
 637        size_t len = iov_iter_count(from);
 638        bool configured;
 639        ssize_t value;
 640        char *buf;
 641
 642        if ((value = get_ready_ep(file->f_flags, epdata, true)) < 0)
 643                return value;
 644
 645        configured = epdata->state == STATE_EP_ENABLED;
 646
 647        /* halt any endpoint by doing a "wrong direction" i/o call */
 648        if (configured && !usb_endpoint_dir_in(&epdata->desc)) {
 649                if (usb_endpoint_xfer_isoc(&epdata->desc) ||
 650                    !is_sync_kiocb(iocb)) {
 651                        mutex_unlock(&epdata->lock);
 652                        return -EINVAL;
 653                }
 654                DBG (epdata->dev, "%s halt\n", epdata->name);
 655                spin_lock_irq(&epdata->dev->lock);
 656                if (likely(epdata->ep != NULL))
 657                        usb_ep_set_halt(epdata->ep);
 658                spin_unlock_irq(&epdata->dev->lock);
 659                mutex_unlock(&epdata->lock);
 660                return -EBADMSG;
 661        }
 662
 663        buf = kmalloc(len, GFP_KERNEL);
 664        if (unlikely(!buf)) {
 665                mutex_unlock(&epdata->lock);
 666                return -ENOMEM;
 667        }
 668
 669        if (unlikely(copy_from_iter(buf, len, from) != len)) {
 670                value = -EFAULT;
 671                goto out;
 672        }
 673
 674        if (unlikely(!configured)) {
 675                value = ep_config(epdata, buf, len);
 676        } else if (is_sync_kiocb(iocb)) {
 677                value = ep_io(epdata, buf, len);
 678        } else {
 679                struct kiocb_priv *priv = kzalloc(sizeof *priv, GFP_KERNEL);
 680                value = -ENOMEM;
 681                if (priv) {
 682                        value = ep_aio(iocb, priv, epdata, buf, len);
 683                        if (value == -EIOCBQUEUED)
 684                                buf = NULL;
 685                }
 686        }
 687out:
 688        kfree(buf);
 689        mutex_unlock(&epdata->lock);
 690        return value;
 691}
 692
 693/*----------------------------------------------------------------------*/
 694
 695/* used after endpoint configuration */
 696static const struct file_operations ep_io_operations = {
 697        .owner =        THIS_MODULE,
 698
 699        .open =         ep_open,
 700        .release =      ep_release,
 701        .llseek =       no_llseek,
 702        .unlocked_ioctl = ep_ioctl,
 703        .read_iter =    ep_read_iter,
 704        .write_iter =   ep_write_iter,
 705};
 706
 707/* ENDPOINT INITIALIZATION
 708 *
 709 *     fd = open ("/dev/gadget/$ENDPOINT", O_RDWR)
 710 *     status = write (fd, descriptors, sizeof descriptors)
 711 *
 712 * That write establishes the endpoint configuration, configuring
 713 * the controller to process bulk, interrupt, or isochronous transfers
 714 * at the right maxpacket size, and so on.
 715 *
 716 * The descriptors are message type 1, identified by a host order u32
 717 * at the beginning of what's written.  Descriptor order is: full/low
 718 * speed descriptor, then optional high speed descriptor.
 719 */
 720static ssize_t
 721ep_config (struct ep_data *data, const char *buf, size_t len)
 722{
 723        struct usb_ep           *ep;
 724        u32                     tag;
 725        int                     value, length = len;
 726
 727        if (data->state != STATE_EP_READY) {
 728                value = -EL2HLT;
 729                goto fail;
 730        }
 731
 732        value = len;
 733        if (len < USB_DT_ENDPOINT_SIZE + 4)
 734                goto fail0;
 735
 736        /* we might need to change message format someday */
 737        memcpy(&tag, buf, 4);
 738        if (tag != 1) {
 739                DBG(data->dev, "config %s, bad tag %d\n", data->name, tag);
 740                goto fail0;
 741        }
 742        buf += 4;
 743        len -= 4;
 744
 745        /* NOTE:  audio endpoint extensions not accepted here;
 746         * just don't include the extra bytes.
 747         */
 748
 749        /* full/low speed descriptor, then high speed */
 750        memcpy(&data->desc, buf, USB_DT_ENDPOINT_SIZE);
 751        if (data->desc.bLength != USB_DT_ENDPOINT_SIZE
 752                        || data->desc.bDescriptorType != USB_DT_ENDPOINT)
 753                goto fail0;
 754        if (len != USB_DT_ENDPOINT_SIZE) {
 755                if (len != 2 * USB_DT_ENDPOINT_SIZE)
 756                        goto fail0;
 757                memcpy(&data->hs_desc, buf + USB_DT_ENDPOINT_SIZE,
 758                        USB_DT_ENDPOINT_SIZE);
 759                if (data->hs_desc.bLength != USB_DT_ENDPOINT_SIZE
 760                                || data->hs_desc.bDescriptorType
 761                                        != USB_DT_ENDPOINT) {
 762                        DBG(data->dev, "config %s, bad hs length or type\n",
 763                                        data->name);
 764                        goto fail0;
 765                }
 766        }
 767
 768        spin_lock_irq (&data->dev->lock);
 769        if (data->dev->state == STATE_DEV_UNBOUND) {
 770                value = -ENOENT;
 771                goto gone;
 772        } else {
 773                ep = data->ep;
 774                if (ep == NULL) {
 775                        value = -ENODEV;
 776                        goto gone;
 777                }
 778        }
 779        switch (data->dev->gadget->speed) {
 780        case USB_SPEED_LOW:
 781        case USB_SPEED_FULL:
 782                ep->desc = &data->desc;
 783                break;
 784        case USB_SPEED_HIGH:
 785                /* fails if caller didn't provide that descriptor... */
 786                ep->desc = &data->hs_desc;
 787                break;
 788        default:
 789                DBG(data->dev, "unconnected, %s init abandoned\n",
 790                                data->name);
 791                value = -EINVAL;
 792                goto gone;
 793        }
 794        value = usb_ep_enable(ep);
 795        if (value == 0) {
 796                data->state = STATE_EP_ENABLED;
 797                value = length;
 798        }
 799gone:
 800        spin_unlock_irq (&data->dev->lock);
 801        if (value < 0) {
 802fail:
 803                data->desc.bDescriptorType = 0;
 804                data->hs_desc.bDescriptorType = 0;
 805        }
 806        return value;
 807fail0:
 808        value = -EINVAL;
 809        goto fail;
 810}
 811
 812static int
 813ep_open (struct inode *inode, struct file *fd)
 814{
 815        struct ep_data          *data = inode->i_private;
 816        int                     value = -EBUSY;
 817
 818        if (mutex_lock_interruptible(&data->lock) != 0)
 819                return -EINTR;
 820        spin_lock_irq (&data->dev->lock);
 821        if (data->dev->state == STATE_DEV_UNBOUND)
 822                value = -ENOENT;
 823        else if (data->state == STATE_EP_DISABLED) {
 824                value = 0;
 825                data->state = STATE_EP_READY;
 826                get_ep (data);
 827                fd->private_data = data;
 828                VDEBUG (data->dev, "%s ready\n", data->name);
 829        } else
 830                DBG (data->dev, "%s state %d\n",
 831                        data->name, data->state);
 832        spin_unlock_irq (&data->dev->lock);
 833        mutex_unlock(&data->lock);
 834        return value;
 835}
 836
 837/*----------------------------------------------------------------------*/
 838
 839/* EP0 IMPLEMENTATION can be partly in userspace.
 840 *
 841 * Drivers that use this facility receive various events, including
 842 * control requests the kernel doesn't handle.  Drivers that don't
 843 * use this facility may be too simple-minded for real applications.
 844 */
 845
 846static inline void ep0_readable (struct dev_data *dev)
 847{
 848        wake_up (&dev->wait);
 849        kill_fasync (&dev->fasync, SIGIO, POLL_IN);
 850}
 851
 852static void clean_req (struct usb_ep *ep, struct usb_request *req)
 853{
 854        struct dev_data         *dev = ep->driver_data;
 855
 856        if (req->buf != dev->rbuf) {
 857                kfree(req->buf);
 858                req->buf = dev->rbuf;
 859        }
 860        req->complete = epio_complete;
 861        dev->setup_out_ready = 0;
 862}
 863
 864static void ep0_complete (struct usb_ep *ep, struct usb_request *req)
 865{
 866        struct dev_data         *dev = ep->driver_data;
 867        unsigned long           flags;
 868        int                     free = 1;
 869
 870        /* for control OUT, data must still get to userspace */
 871        spin_lock_irqsave(&dev->lock, flags);
 872        if (!dev->setup_in) {
 873                dev->setup_out_error = (req->status != 0);
 874                if (!dev->setup_out_error)
 875                        free = 0;
 876                dev->setup_out_ready = 1;
 877                ep0_readable (dev);
 878        }
 879
 880        /* clean up as appropriate */
 881        if (free && req->buf != &dev->rbuf)
 882                clean_req (ep, req);
 883        req->complete = epio_complete;
 884        spin_unlock_irqrestore(&dev->lock, flags);
 885}
 886
 887static int setup_req (struct usb_ep *ep, struct usb_request *req, u16 len)
 888{
 889        struct dev_data *dev = ep->driver_data;
 890
 891        if (dev->setup_out_ready) {
 892                DBG (dev, "ep0 request busy!\n");
 893                return -EBUSY;
 894        }
 895        if (len > sizeof (dev->rbuf))
 896                req->buf = kmalloc(len, GFP_ATOMIC);
 897        if (req->buf == NULL) {
 898                req->buf = dev->rbuf;
 899                return -ENOMEM;
 900        }
 901        req->complete = ep0_complete;
 902        req->length = len;
 903        req->zero = 0;
 904        return 0;
 905}
 906
 907static ssize_t
 908ep0_read (struct file *fd, char __user *buf, size_t len, loff_t *ptr)
 909{
 910        struct dev_data                 *dev = fd->private_data;
 911        ssize_t                         retval;
 912        enum ep0_state                  state;
 913
 914        spin_lock_irq (&dev->lock);
 915        if (dev->state <= STATE_DEV_OPENED) {
 916                retval = -EINVAL;
 917                goto done;
 918        }
 919
 920        /* report fd mode change before acting on it */
 921        if (dev->setup_abort) {
 922                dev->setup_abort = 0;
 923                retval = -EIDRM;
 924                goto done;
 925        }
 926
 927        /* control DATA stage */
 928        if ((state = dev->state) == STATE_DEV_SETUP) {
 929
 930                if (dev->setup_in) {            /* stall IN */
 931                        VDEBUG(dev, "ep0in stall\n");
 932                        (void) usb_ep_set_halt (dev->gadget->ep0);
 933                        retval = -EL2HLT;
 934                        dev->state = STATE_DEV_CONNECTED;
 935
 936                } else if (len == 0) {          /* ack SET_CONFIGURATION etc */
 937                        struct usb_ep           *ep = dev->gadget->ep0;
 938                        struct usb_request      *req = dev->req;
 939
 940                        if ((retval = setup_req (ep, req, 0)) == 0)
 941                                retval = usb_ep_queue (ep, req, GFP_ATOMIC);
 942                        dev->state = STATE_DEV_CONNECTED;
 943
 944                        /* assume that was SET_CONFIGURATION */
 945                        if (dev->current_config) {
 946                                unsigned power;
 947
 948                                if (gadget_is_dualspeed(dev->gadget)
 949                                                && (dev->gadget->speed
 950                                                        == USB_SPEED_HIGH))
 951                                        power = dev->hs_config->bMaxPower;
 952                                else
 953                                        power = dev->config->bMaxPower;
 954                                usb_gadget_vbus_draw(dev->gadget, 2 * power);
 955                        }
 956
 957                } else {                        /* collect OUT data */
 958                        if ((fd->f_flags & O_NONBLOCK) != 0
 959                                        && !dev->setup_out_ready) {
 960                                retval = -EAGAIN;
 961                                goto done;
 962                        }
 963                        spin_unlock_irq (&dev->lock);
 964                        retval = wait_event_interruptible (dev->wait,
 965                                        dev->setup_out_ready != 0);
 966
 967                        /* FIXME state could change from under us */
 968                        spin_lock_irq (&dev->lock);
 969                        if (retval)
 970                                goto done;
 971
 972                        if (dev->state != STATE_DEV_SETUP) {
 973                                retval = -ECANCELED;
 974                                goto done;
 975                        }
 976                        dev->state = STATE_DEV_CONNECTED;
 977
 978                        if (dev->setup_out_error)
 979                                retval = -EIO;
 980                        else {
 981                                len = min (len, (size_t)dev->req->actual);
 982// FIXME don't call this with the spinlock held ...
 983                                if (copy_to_user (buf, dev->req->buf, len))
 984                                        retval = -EFAULT;
 985                                else
 986                                        retval = len;
 987                                clean_req (dev->gadget->ep0, dev->req);
 988                                /* NOTE userspace can't yet choose to stall */
 989                        }
 990                }
 991                goto done;
 992        }
 993
 994        /* else normal: return event data */
 995        if (len < sizeof dev->event [0]) {
 996                retval = -EINVAL;
 997                goto done;
 998        }
 999        len -= len % sizeof (struct usb_gadgetfs_event);
1000        dev->usermode_setup = 1;

1001
1002scan:
1003        /* return queued events right away */
1004        if (dev->ev_next != 0) {
1005                unsigned                i, n;
1006
1007                n = len / sizeof (struct usb_gadgetfs_event);
1008                if (dev->ev_next < n)
1009                        n = dev->ev_next;
1010
1011                /* ep0 i/o has special semantics during STATE_DEV_SETUP */
1012                for (i = 0; i < n; i++) {
1013                        if (dev->event [i].type == GADGETFS_SETUP) {
1014                                dev->state = STATE_DEV_SETUP;
1015                                n = i + 1;
1016                                break;
1017                        }
1018                }
1019                spin_unlock_irq (&dev->lock);
1020                len = n * sizeof (struct usb_gadgetfs_event);
1021                if (copy_to_user (buf, &dev->event, len))
1022                        retval = -EFAULT;
1023                else
1024                        retval = len;
1025                if (len > 0) {
1026                        /* NOTE this doesn't guard against broken drivers;
1027                         * concurrent ep0 readers may lose events.
1028                         */
1029                        spin_lock_irq (&dev->lock);
1030                        if (dev->ev_next > n) {
1031                                memmove(&dev->event[0], &dev->event[n],
1032                                        sizeof (struct usb_gadgetfs_event)
1033                                                * (dev->ev_next - n));
1034                        }
1035                        dev->ev_next -= n;
1036                        spin_unlock_irq (&dev->lock);
1037                }
1038                return retval;
1039        }
1040        if (fd->f_flags & O_NONBLOCK) {
1041                retval = -EAGAIN;
1042                goto done;
1043        }
1044
1045        switch (state) {
1046        default:
1047                DBG (dev, "fail %s, state %d\n", __func__, state);
1048                retval = -ESRCH;
1049                break;
1050        case STATE_DEV_UNCONNECTED:
1051        case STATE_DEV_CONNECTED:
1052                spin_unlock_irq (&dev->lock);
1053                DBG (dev, "%s wait\n", __func__);
1054
1055                /* wait for events */
1056                retval = wait_event_interruptible (dev->wait,
1057                                dev->ev_next != 0);
1058                if (retval < 0)
1059                        return retval;
1060                spin_lock_irq (&dev->lock);
1061                goto scan;
1062        }
1063
1064done:
1065        spin_unlock_irq (&dev->lock);
1066        return retval;
1067}
1068
1069static struct usb_gadgetfs_event *
1070next_event (struct dev_data *dev, enum usb_gadgetfs_event_type type)
1071{
1072        struct usb_gadgetfs_event       *event;
1073        unsigned                        i;
1074
1075        switch (type) {
1076        /* these events purge the queue */
1077        case GADGETFS_DISCONNECT:
1078                if (dev->state == STATE_DEV_SETUP)
1079                        dev->setup_abort = 1;
1080                // FALL THROUGH
1081        case GADGETFS_CONNECT:
1082                dev->ev_next = 0;
1083                break;
1084        case GADGETFS_SETUP:            /* previous request timed out */
1085        case GADGETFS_SUSPEND:          /* same effect */
1086                /* these events can't be repeated */
1087                for (i = 0; i != dev->ev_next; i++) {
1088                        if (dev->event [i].type != type)
1089                                continue;
1090                        DBG(dev, "discard old event[%d] %d\n", i, type);
1091                        dev->ev_next--;
1092                        if (i == dev->ev_next)
1093                                break;
1094                        /* indices start at zero, for simplicity */
1095                        memmove (&dev->event [i], &dev->event [i + 1],
1096                                sizeof (struct usb_gadgetfs_event)
1097                                        * (dev->ev_next - i));
1098                }
1099                break;
1100        default:
1101                BUG ();
1102        }
1103        VDEBUG(dev, "event[%d] = %d\n", dev->ev_next, type);
1104        event = &dev->event [dev->ev_next++];
1105        BUG_ON (dev->ev_next > N_EVENT);
1106        memset (event, 0, sizeof *event);
1107        event->type = type;
1108        return event;
1109}
1110
1111static ssize_t
1112ep0_write (struct file *fd, const char __user *buf, size_t len, loff_t *ptr)
1113{
1114        struct dev_data         *dev = fd->private_data;
1115        ssize_t                 retval = -ESRCH;
1116
1117        /* report fd mode change before acting on it */
1118        if (dev->setup_abort) {
1119                dev->setup_abort = 0;
1120                retval = -EIDRM;
1121
1122        /* data and/or status stage for control request */
1123        } else if (dev->state == STATE_DEV_SETUP) {
1124
1125                /* IN DATA+STATUS caller makes len <= wLength */
1126                if (dev->setup_in) {
1127                        retval = setup_req (dev->gadget->ep0, dev->req, len);
1128                        if (retval == 0) {
1129                                dev->state = STATE_DEV_CONNECTED;
1130                                spin_unlock_irq (&dev->lock);
1131                                if (copy_from_user (dev->req->buf, buf, len))
1132                                        retval = -EFAULT;
1133                                else {
1134                                        if (len < dev->setup_wLength)
1135                                                dev->req->zero = 1;
1136                                        retval = usb_ep_queue (
1137                                                dev->gadget->ep0, dev->req,
1138                                                GFP_KERNEL);
1139                                }
1140                                if (retval < 0) {
1141                                        spin_lock_irq (&dev->lock);
1142                                        clean_req (dev->gadget->ep0, dev->req);
1143                                        spin_unlock_irq (&dev->lock);
1144                                } else
1145                                        retval = len;
1146
1147                                return retval;
1148                        }
1149
1150                /* can stall some OUT transfers */
1151                } else if (dev->setup_can_stall) {
1152                        VDEBUG(dev, "ep0out stall\n");
1153                        (void) usb_ep_set_halt (dev->gadget->ep0);
1154                        retval = -EL2HLT;
1155                        dev->state = STATE_DEV_CONNECTED;
1156                } else {
1157                        DBG(dev, "bogus ep0out stall!\n");
1158                }
1159        } else
1160                DBG (dev, "fail %s, state %d\n", __func__, dev->state);
1161
1162        return retval;
1163}
1164
1165static int
1166ep0_fasync (int f, struct file *fd, int on)
1167{
1168        struct dev_data         *dev = fd->private_data;
1169        // caller must F_SETOWN before signal delivery happens
1170        VDEBUG (dev, "%s %s\n", __func__, on ? "on" : "off");
1171        return fasync_helper (f, fd, on, &dev->fasync);
1172}
1173
1174static struct usb_gadget_driver gadgetfs_driver;
1175
1176static int
1177dev_release (struct inode *inode, struct file *fd)
1178{
1179        struct dev_data         *dev = fd->private_data;
1180
1181        /* closing ep0 === shutdown all */
1182
1183        usb_gadget_unregister_driver (&gadgetfs_driver);
1184
1185        /* at this point "good" hardware has disconnected the
1186         * device from USB; the host won't see it any more.
1187         * alternatively, all host requests will time out.
1188         */
1189
1190        kfree (dev->buf);
1191        dev->buf = NULL;
1192
1193        /* other endpoints were all decoupled from this device */
1194        spin_lock_irq(&dev->lock);
1195        dev->state = STATE_DEV_DISABLED;
1196        spin_unlock_irq(&dev->lock);
1197
1198        put_dev (dev);
1199        return 0;
1200}
1201
1202static unsigned int
1203ep0_poll (struct file *fd, poll_table *wait)
1204{
1205       struct dev_data         *dev = fd->private_data;
1206       int                     mask = 0;
1207
1208        if (dev->state <= STATE_DEV_OPENED)
1209                return DEFAULT_POLLMASK;
1210
1211       poll_wait(fd, &dev->wait, wait);
1212
1213       spin_lock_irq (&dev->lock);
1214
1215       /* report fd mode change before acting on it */
1216       if (dev->setup_abort) {
1217               dev->setup_abort = 0;
1218               mask = POLLHUP;
1219               goto out;
1220       }
1221
1222       if (dev->state == STATE_DEV_SETUP) {
1223               if (dev->setup_in || dev->setup_can_stall)
1224                       mask = POLLOUT;
1225       } else {
1226               if (dev->ev_next != 0)
1227                       mask = POLLIN;
1228       }
1229out:
1230       spin_unlock_irq(&dev->lock);
1231       return mask;
1232}
1233
1234static long dev_ioctl (struct file *fd, unsigned code, unsigned long value)
1235{
1236        struct dev_data         *dev = fd->private_data;
1237        struct usb_gadget       *gadget = dev->gadget;
1238        long ret = -ENOTTY;
1239
1240        if (gadget->ops->ioctl)
1241                ret = gadget->ops->ioctl (gadget, code, value);
1242
1243        return ret;
1244}
1245
1246/*----------------------------------------------------------------------*/
1247
1248/* The in-kernel gadget driver handles most ep0 issues, in particular
1249 * enumerating the single configuration (as provided from user space).
1250 *
1251 * Unrecognized ep0 requests may be handled in user space.
1252 */
1253
1254static void make_qualifier (struct dev_data *dev)
1255{
1256        struct usb_qualifier_descriptor         qual;
1257        struct usb_device_descriptor            *desc;
1258
1259        qual.bLength = sizeof qual;
1260        qual.bDescriptorType = USB_DT_DEVICE_QUALIFIER;
1261        qual.bcdUSB = cpu_to_le16 (0x0200);
1262
1263        desc = dev->dev;
1264        qual.bDeviceClass = desc->bDeviceClass;
1265        qual.bDeviceSubClass = desc->bDeviceSubClass;
1266        qual.bDeviceProtocol = desc->bDeviceProtocol;
1267
1268        /* assumes ep0 uses the same value for both speeds ... */
1269        qual.bMaxPacketSize0 = dev->gadget->ep0->maxpacket;
1270
1271        qual.bNumConfigurations = 1;
1272        qual.bRESERVED = 0;
1273
1274        memcpy (dev->rbuf, &qual, sizeof qual);
1275}
1276
1277static int
1278config_buf (struct dev_data *dev, u8 type, unsigned index)
1279{
1280        int             len;
1281        int             hs = 0;
1282
1283        /* only one configuration */
1284        if (index > 0)
1285                return -EINVAL;
1286
1287        if (gadget_is_dualspeed(dev->gadget)) {
1288                hs = (dev->gadget->speed == USB_SPEED_HIGH);
1289                if (type == USB_DT_OTHER_SPEED_CONFIG)
1290                        hs = !hs;
1291        }
1292        if (hs) {
1293                dev->req->buf = dev->hs_config;
1294                len = le16_to_cpu(dev->hs_config->wTotalLength);
1295        } else {
1296                dev->req->buf = dev->config;
1297                len = le16_to_cpu(dev->config->wTotalLength);
1298        }
1299        ((u8 *)dev->req->buf) [1] = type;
1300        return len;
1301}
1302
1303static int
1304gadgetfs_setup (struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl)
1305{
1306        struct dev_data                 *dev = get_gadget_data (gadget);
1307        struct usb_request              *req = dev->req;
1308        int                             value = -EOPNOTSUPP;
1309        struct usb_gadgetfs_event       *event;
1310        u16                             w_value = le16_to_cpu(ctrl->wValue);
1311        u16                             w_length = le16_to_cpu(ctrl->wLength);
1312
1313        spin_lock (&dev->lock);
1314        dev->setup_abort = 0;
1315        if (dev->state == STATE_DEV_UNCONNECTED) {
1316                if (gadget_is_dualspeed(gadget)
1317                                && gadget->speed == USB_SPEED_HIGH
1318                                && dev->hs_config == NULL) {
1319                        spin_unlock(&dev->lock);
1320                        ERROR (dev, "no high speed config??\n");
1321                        return -EINVAL;
1322                }
1323
1324                dev->state = STATE_DEV_CONNECTED;
1325
1326                INFO (dev, "connected\n");
1327                event = next_event (dev, GADGETFS_CONNECT);
1328                event->u.speed = gadget->speed;
1329                ep0_readable (dev);
1330
1331        /* host may have given up waiting for response.  we can miss control
1332         * requests handled lower down (device/endpoint status and features);
1333         * then ep0_{read,write} will report the wrong status. controller
1334         * driver will have aborted pending i/o.
1335         */
1336        } else if (dev->state == STATE_DEV_SETUP)
1337                dev->setup_abort = 1;
1338
1339        req->buf = dev->rbuf;
1340        req->context = NULL;
1341        value = -EOPNOTSUPP;
1342        switch (ctrl->bRequest) {
1343
1344        case USB_REQ_GET_DESCRIPTOR:
1345                if (ctrl->bRequestType != USB_DIR_IN)
1346                        goto unrecognized;
1347                switch (w_value >> 8) {
1348
1349                case USB_DT_DEVICE:
1350                        value = min (w_length, (u16) sizeof *dev->dev);
1351                        dev->dev->bMaxPacketSize0 = dev->gadget->ep0->maxpacket;
1352                        req->buf = dev->dev;
1353                        break;
1354                case USB_DT_DEVICE_QUALIFIER:
1355                        if (!dev->hs_config)
1356                                break;
1357                        value = min (w_length, (u16)
1358                                sizeof (struct usb_qualifier_descriptor));
1359                        make_qualifier (dev);
1360                        break;
1361                case USB_DT_OTHER_SPEED_CONFIG:
1362                        // FALLTHROUGH
1363                case USB_DT_CONFIG:
1364                        value = config_buf (dev,
1365                                        w_value >> 8,
1366                                        w_value & 0xff);
1367                        if (value >= 0)
1368                                value = min (w_length, (u16) value);
1369                        break;
1370                case USB_DT_STRING:
1371                        goto unrecognized;
1372
1373                default:                // all others are errors
1374                        break;
1375                }
1376                break;
1377
1378        /* currently one config, two speeds */
1379        case USB_REQ_SET_CONFIGURATION:
1380                if (ctrl->bRequestType != 0)
1381                        goto unrecognized;
1382                if (0 == (u8) w_value) {
1383                        value = 0;
1384                        dev->current_config = 0;
1385                        usb_gadget_vbus_draw(gadget, 8 /* mA */ );
1386                        // user mode expected to disable endpoints
1387                } else {
1388                        u8      config, power;
1389
1390                        if (gadget_is_dualspeed(gadget)
1391                                        && gadget->speed == USB_SPEED_HIGH) {
1392                                config = dev->hs_config->bConfigurationValue;
1393                                power = dev->hs_config->bMaxPower;
1394                        } else {
1395                                config = dev->config->bConfigurationValue;
1396                                power = dev->config->bMaxPower;
1397                        }
1398
1399                        if (config == (u8) w_value) {
1400                                value = 0;
1401                                dev->current_config = config;
1402                                usb_gadget_vbus_draw(gadget, 2 * power);
1403                        }
1404                }
1405
1406                /* report SET_CONFIGURATION like any other control request,
1407                 * except that usermode may not stall this.  the next
1408                 * request mustn't be allowed start until this finishes:
1409                 * endpoints and threads set up, etc.
1410                 *
1411                 * NOTE:  older PXA hardware (before PXA 255: without UDCCFR)
1412                 * has bad/racey automagic that prevents synchronizing here.
1413                 * even kernel mode drivers often miss them.
1414                 */
1415                if (value == 0) {
1416                        INFO (dev, "configuration #%d\n", dev->current_config);
1417                        usb_gadget_set_state(gadget, USB_STATE_CONFIGURED);
1418                        if (dev->usermode_setup) {
1419                                dev->setup_can_stall = 0;
1420                                goto delegate;
1421                        }
1422                }
1423                break;
1424
1425#ifndef CONFIG_USB_PXA25X
1426        /* PXA automagically handles this request too */
1427        case USB_REQ_GET_CONFIGURATION:
1428                if (ctrl->bRequestType != 0x80)
1429                        goto unrecognized;
1430                *(u8 *)req->buf = dev->current_config;
1431                value = min (w_length, (u16) 1);
1432                break;
1433#endif
1434
1435        default:
1436unrecognized:
1437                VDEBUG (dev, "%s req%02x.%02x v%04x i%04x l%d\n",
1438                        dev->usermode_setup ? "delegate" : "fail",
1439                        ctrl->bRequestType, ctrl->bRequest,
1440                        w_value, le16_to_cpu(ctrl->wIndex), w_length);
1441
1442                /* if there's an ep0 reader, don't stall */
1443                if (dev->usermode_setup) {
1444                        dev->setup_can_stall = 1;
1445delegate:
1446                        dev->setup_in = (ctrl->bRequestType & USB_DIR_IN)
1447                                                ? 1 : 0;
1448                        dev->setup_wLength = w_length;
1449                        dev->setup_out_ready = 0;
1450                        dev->setup_out_error = 0;
1451                        value = 0;
1452
1453                        /* read DATA stage for OUT right away */
1454                        if (unlikely (!dev->setup_in && w_length)) {
1455                                value = setup_req (gadget->ep0, dev->req,
1456                                                        w_length);
1457                                if (value < 0)
1458                                        break;
1459                                value = usb_ep_queue (gadget->ep0, dev->req,
1460                                                        GFP_ATOMIC);
1461                                if (value < 0) {
1462                                        clean_req (gadget->ep0, dev->req);
1463                                        break;
1464                                }
1465
1466                                /* we can't currently stall these */
1467                                dev->setup_can_stall = 0;
1468                        }
1469
1470                        /* state changes when reader collects event */
1471                        event = next_event (dev, GADGETFS_SETUP);
1472                        event->u.setup = *ctrl;
1473                        ep0_readable (dev);
1474                        spin_unlock (&dev->lock);
1475                        return 0;
1476                }
1477        }
1478
1479        /* proceed with data transfer and status phases? */
1480        if (value >= 0 && dev->state != STATE_DEV_SETUP) {
1481                req->length = value;
1482                req->zero = value < w_length;
1483                value = usb_ep_queue (gadget->ep0, req, GFP_ATOMIC);
1484                if (value < 0) {
1485                        DBG (dev, "ep_queue --> %d\n", value);
1486                        req->status = 0;
1487                }
1488        }
1489
1490        /* device stalls when value < 0 */
1491        spin_unlock (&dev->lock);
1492        return value;
1493}
1494
1495static void destroy_ep_files (struct dev_data *dev)
1496{
1497        DBG (dev, "%s %d\n", __func__, dev->state);
1498
1499        /* dev->state must prevent interference */
1500        spin_lock_irq (&dev->lock);
1501        while (!list_empty(&dev->epfiles)) {
1502                struct ep_data  *ep;
1503                struct inode    *parent;
1504                struct dentry   *dentry;
1505
1506                /* break link to FS */
1507                ep = list_first_entry (&dev->epfiles, struct ep_data, epfiles);
1508                list_del_init (&ep->epfiles);
1509                dentry = ep->dentry;
1510                ep->dentry = NULL;
1511                parent = d_inode(dentry->d_parent);
1512
1513                /* break link to controller */
1514                if (ep->state == STATE_EP_ENABLED)
1515                        (void) usb_ep_disable (ep->ep);
1516                ep->state = STATE_EP_UNBOUND;
1517                usb_ep_free_request (ep->ep, ep->req);
1518                ep->ep = NULL;
1519                wake_up (&ep->wait);
1520                put_ep (ep);
1521
1522                spin_unlock_irq (&dev->lock);
1523
1524                /* break link to dcache */
1525                mutex_lock (&parent->i_mutex);
1526                d_delete (dentry);
1527                dput (dentry);
1528                mutex_unlock (&parent->i_mutex);
1529
1530                spin_lock_irq (&dev->lock);
1531        }
1532        spin_unlock_irq (&dev->lock);
1533}
1534
1535
1536static struct dentry *
1537gadgetfs_create_file (struct super_block *sb, char const *name,
1538                void *data, const struct file_operations *fops);
1539
1540static int activate_ep_files (struct dev_data *dev)
1541{
1542        struct usb_ep   *ep;
1543        struct ep_data  *data;
1544
1545        gadget_for_each_ep (ep, dev->gadget) {
1546
1547                data = kzalloc(sizeof(*data), GFP_KERNEL);
1548                if (!data)
1549                        goto enomem0;
1550                data->state = STATE_EP_DISABLED;
1551                mutex_init(&data->lock);
1552                init_waitqueue_head (&data->wait);
1553
1554                strncpy (data->name, ep->name, sizeof (data->name) - 1);
1555                atomic_set (&data->count, 1);
1556                data->dev = dev;
1557                get_dev (dev);
1558
1559                data->ep = ep;
1560                ep->driver_data = data;
1561
1562                data->req = usb_ep_alloc_request (ep, GFP_KERNEL);
1563                if (!data->req)
1564                        goto enomem1;
1565
1566                data->dentry = gadgetfs_create_file (dev->sb, data->name,
1567                                data, &ep_io_operations);
1568                if (!data->dentry)
1569                        goto enomem2;
1570                list_add_tail (&data->epfiles, &dev->epfiles);
1571        }
1572        return 0;
1573
1574enomem2:
1575        usb_ep_free_request (ep, data->req);
1576enomem1:
1577        put_dev (dev);
1578        kfree (data);
1579enomem0:
1580        DBG (dev, "%s enomem\n", __func__);
1581        destroy_ep_files (dev);
1582        return -ENOMEM;
1583}
1584
1585static void
1586gadgetfs_unbind (struct usb_gadget *gadget)
1587{
1588        struct dev_data         *dev = get_gadget_data (gadget);
1589
1590        DBG (dev, "%s\n", __func__);
1591
1592        spin_lock_irq (&dev->lock);
1593        dev->state = STATE_DEV_UNBOUND;
1594        spin_unlock_irq (&dev->lock);
1595
1596        destroy_ep_files (dev);
1597        gadget->ep0->driver_data = NULL;
1598        set_gadget_data (gadget, NULL);
1599
1600        /* we've already been disconnected ... no i/o is active */
1601        if (dev->req)
1602                usb_ep_free_request (gadget->ep0, dev->req);
1603        DBG (dev, "%s done\n", __func__);
1604        put_dev (dev);
1605}
1606
1607static struct dev_data          *the_device;
1608
1609static int gadgetfs_bind(struct usb_gadget *gadget,
1610                struct usb_gadget_driver *driver)
1611{
1612        struct dev_data         *dev = the_device;
1613
1614        if (!dev)
1615                return -ESRCH;
1616        if (0 != strcmp (CHIP, gadget->name)) {
1617                pr_err("%s expected %s controller not %s\n",
1618                        shortname, CHIP, gadget->name);
1619                return -ENODEV;
1620        }
1621
1622        set_gadget_data (gadget, dev);
1623        dev->gadget = gadget;
1624        gadget->ep0->driver_data = dev;
1625
1626        /* preallocate control response and buffer */
1627        dev->req = usb_ep_alloc_request (gadget->ep0, GFP_KERNEL);
1628        if (!dev->req)
1629                goto enomem;
1630        dev->req->context = NULL;
1631        dev->req->complete = epio_complete;
1632
1633        if (activate_ep_files (dev) < 0)
1634                goto enomem;
1635
1636        INFO (dev, "bound to %s driver\n", gadget->name);
1637        spin_lock_irq(&dev->lock);
1638        dev->state = STATE_DEV_UNCONNECTED;
1639        spin_unlock_irq(&dev->lock);
1640        get_dev (dev);
1641        return 0;
1642
1643enomem:
1644        gadgetfs_unbind (gadget);
1645        return -ENOMEM;
1646}
1647
1648static void
1649gadgetfs_disconnect (struct usb_gadget *gadget)
1650{
1651        struct dev_data         *dev = get_gadget_data (gadget);
1652        unsigned long           flags;
1653
1654        spin_lock_irqsave (&dev->lock, flags);
1655        if (dev->state == STATE_DEV_UNCONNECTED)
1656                goto exit;
1657        dev->state = STATE_DEV_UNCONNECTED;
1658
1659        INFO (dev, "disconnected\n");
1660        next_event (dev, GADGETFS_DISCONNECT);
1661        ep0_readable (dev);
1662exit:
1663        spin_unlock_irqrestore (&dev->lock, flags);
1664}
1665
1666static void
1667gadgetfs_suspend (struct usb_gadget *gadget)
1668{
1669        struct dev_data         *dev = get_gadget_data (gadget);
1670
1671        INFO (dev, "suspended from state %d\n", dev->state);
1672        spin_lock (&dev->lock);
1673        switch (dev->state) {
1674        case STATE_DEV_SETUP:           // VERY odd... host died??
1675        case STATE_DEV_CONNECTED:
1676        case STATE_DEV_UNCONNECTED:
1677                next_event (dev, GADGETFS_SUSPEND);
1678                ep0_readable (dev);
1679                /* FALLTHROUGH */
1680        default:
1681                break;
1682        }
1683        spin_unlock (&dev->lock);
1684}
1685
1686static struct usb_gadget_driver gadgetfs_driver = {
1687        .function       = (char *) driver_desc,
1688        .bind           = gadgetfs_bind,
1689        .unbind         = gadgetfs_unbind,
1690        .setup          = gadgetfs_setup,
1691        .reset          = gadgetfs_disconnect,
1692        .disconnect     = gadgetfs_disconnect,
1693        .suspend        = gadgetfs_suspend,
1694
1695        .driver = {
1696                .name           = (char *) shortname,
1697        },
1698};
1699
1700/*----------------------------------------------------------------------*/
1701
1702static void gadgetfs_nop(struct usb_gadget *arg) { }
1703
1704static int gadgetfs_probe(struct usb_gadget *gadget,
1705                struct usb_gadget_driver *driver)
1706{
1707        CHIP = gadget->name;
1708        return -EISNAM;
1709}
1710
1711static struct usb_gadget_driver probe_driver = {
1712        .max_speed      = USB_SPEED_HIGH,
1713        .bind           = gadgetfs_probe,
1714        .unbind         = gadgetfs_nop,
1715        .setup          = (void *)gadgetfs_nop,
1716        .disconnect     = gadgetfs_nop,
1717        .driver = {
1718                .name           = "nop",
1719        },
1720};
1721
1722
1723/* DEVICE INITIALIZATION
1724 *
1725 *     fd = open ("/dev/gadget/$CHIP", O_RDWR)
1726 *     status = write (fd, descriptors, sizeof descriptors)
1727 *
1728 * That write establishes the device configuration, so the kernel can
1729 * bind to the controller ... guaranteeing it can handle enumeration
1730 * at all necessary speeds.  Descriptor order is:
1731 *
1732 * . message tag (u32, host order) ... for now, must be zero; it
1733 *      would change to support features like multi-config devices
1734 * . full/low speed config ... all wTotalLength bytes (with interface,
1735 *      class, altsetting, endpoint, and other descriptors)
1736 * . high speed config ... all descriptors, for high speed operation;
1737 *      this one's optional except for high-speed hardware
1738 * . device descriptor
1739 *
1740 * Endpoints are not yet enabled. Drivers must wait until device
1741 * configuration and interface altsetting changes create
1742 * the need to configure (or unconfigure) them.
1743 *
1744 * After initialization, the device stays active for as long as that
1745 * $CHIP file is open.  Events must then be read from that descriptor,
1746 * such as configuration notifications.
1747 */
1748
1749static int is_valid_config (struct usb_config_descriptor *config)
1750{
1751        return config->bDescriptorType == USB_DT_CONFIG
1752                && config->bLength == USB_DT_CONFIG_SIZE
1753                && config->bConfigurationValue != 0
1754                && (config->bmAttributes & USB_CONFIG_ATT_ONE) != 0
1755                && (config->bmAttributes & USB_CONFIG_ATT_WAKEUP) == 0;
1756        /* FIXME if gadget->is_otg, _must_ include an otg descriptor */
1757        /* FIXME check lengths: walk to end */
1758}
1759
1760static ssize_t
1761dev_config (struct file *fd, const char __user *buf, size_t len, loff_t *ptr)
1762{
1763        struct dev_data         *dev = fd->private_data;
1764        ssize_t                 value = len, length = len;
1765        unsigned                total;
1766        u32                     tag;
1767        char                    *kbuf;
1768
1769        spin_lock_irq(&dev->lock);
1770        if (dev->state > STATE_DEV_OPENED) {
1771                value = ep0_write(fd, buf, len, ptr);
1772                spin_unlock_irq(&dev->lock);
1773                return value;
1774        }
1775        spin_unlock_irq(&dev->lock);
1776
1777        if (len < (USB_DT_CONFIG_SIZE + USB_DT_DEVICE_SIZE + 4))
1778                return -EINVAL;
1779
1780        /* we might need to change message format someday */
1781        if (copy_from_user (&tag, buf, 4))
1782                return -EFAULT;
1783        if (tag != 0)
1784                return -EINVAL;
1785        buf += 4;
1786        length -= 4;
1787
1788        kbuf = memdup_user(buf, length);
1789        if (IS_ERR(kbuf))
1790                return PTR_ERR(kbuf);
1791
1792        spin_lock_irq (&dev->lock);
1793        value = -EINVAL;
1794        if (dev->buf)
1795                goto fail;
1796        dev->buf = kbuf;
1797
1798        /* full or low speed config */
1799        dev->config = (void *) kbuf;
1800        total = le16_to_cpu(dev->config->wTotalLength);
1801        if (!is_valid_config (dev->config) || total >= length)
1802                goto fail;
1803        kbuf += total;
1804        length -= total;
1805
1806        /* optional high speed config */
1807        if (kbuf [1] == USB_DT_CONFIG) {
1808                dev->hs_config = (void *) kbuf;
1809                total = le16_to_cpu(dev->hs_config->wTotalLength);
1810                if (!is_valid_config (dev->hs_config) || total >= length)
1811                        goto fail;
1812                kbuf += total;
1813                length -= total;
1814        }
1815
1816        /* could support multiple configs, using another encoding! */
1817
1818        /* device descriptor (tweaked for paranoia) */
1819        if (length != USB_DT_DEVICE_SIZE)
1820                goto fail;
1821        dev->dev = (void *)kbuf;
1822        if (dev->dev->bLength != USB_DT_DEVICE_SIZE
1823                        || dev->dev->bDescriptorType != USB_DT_DEVICE
1824                        || dev->dev->bNumConfigurations != 1)
1825                goto fail;
1826        dev->dev->bNumConfigurations = 1;
1827        dev->dev->bcdUSB = cpu_to_le16 (0x0200);
1828
1829        /* triggers gadgetfs_bind(); then we can enumerate. */
1830        spin_unlock_irq (&dev->lock);
1831        if (dev->hs_config)
1832                gadgetfs_driver.max_speed = USB_SPEED_HIGH;
1833        else
1834                gadgetfs_driver.max_speed = USB_SPEED_FULL;
1835
1836        value = usb_gadget_probe_driver(&gadgetfs_driver);
1837        if (value != 0) {
1838                kfree (dev->buf);
1839                dev->buf = NULL;
1840        } else {
1841                /* at this point "good" hardware has for the first time
1842                 * let the USB the host see us.  alternatively, if users
1843                 * unplug/replug that will clear all the error state.
1844                 *
1845                 * note:  everything running before here was guaranteed
1846                 * to choke driver model style diagnostics.  from here
1847                 * on, they can work ... except in cleanup paths that
1848                 * kick in after the ep0 descriptor is closed.
1849                 */
1850                value = len;
1851        }
1852        return value;
1853
1854fail:
1855        spin_unlock_irq (&dev->lock);
1856        pr_debug ("%s: %s fail %Zd, %p\n", shortname, __func__, value, dev);
1857        kfree (dev->buf);
1858        dev->buf = NULL;
1859        return value;
1860}
1861
1862static int
1863dev_open (struct inode *inode, struct file *fd)
1864{
1865        struct dev_data         *dev = inode->i_private;
1866        int                     value = -EBUSY;
1867
1868        spin_lock_irq(&dev->lock);
1869        if (dev->state == STATE_DEV_DISABLED) {
1870                dev->ev_next = 0;
1871                dev->state = STATE_DEV_OPENED;
1872                fd->private_data = dev;
1873                get_dev (dev);
1874                value = 0;
1875        }
1876        spin_unlock_irq(&dev->lock);
1877        return value;
1878}
1879
1880static const struct file_operations ep0_operations = {
1881        .llseek =       no_llseek,
1882
1883        .open =         dev_open,
1884        .read =         ep0_read,
1885        .write =        dev_config,
1886        .fasync =       ep0_fasync,
1887        .poll =         ep0_poll,
1888        .unlocked_ioctl = dev_ioctl,
1889        .release =      dev_release,
1890};
1891
1892/*----------------------------------------------------------------------*/
1893
1894/* FILESYSTEM AND SUPERBLOCK OPERATIONS
1895 *
1896 * Mounting the filesystem creates a controller file, used first for
1897 * device configuration then later for event monitoring.
1898 */
1899
1900
1901/* FIXME PAM etc could set this security policy without mount options
1902 * if epfiles inherited ownership and permissons from ep0 ...
1903 */
1904
1905static unsigned default_uid;
1906static unsigned default_gid;
1907static unsigned default_perm = S_IRUSR | S_IWUSR;
1908
1909module_param (default_uid, uint, 0644);
1910module_param (default_gid, uint, 0644);
1911module_param (default_perm, uint, 0644);
1912
1913
1914static struct inode *
1915gadgetfs_make_inode (struct super_block *sb,
1916                void *data, const struct file_operations *fops,
1917                int mode)
1918{
1919        struct inode *inode = new_inode (sb);
1920
1921        if (inode) {
1922                inode->i_ino = get_next_ino();
1923                inode->i_mode = mode;
1924                inode->i_uid = make_kuid(&init_user_ns, default_uid);
1925                inode->i_gid = make_kgid(&init_user_ns, default_gid);
1926                inode->i_atime = inode->i_mtime = inode->i_ctime
1927                                = CURRENT_TIME;
1928                inode->i_private = data;
1929                inode->i_fop = fops;
1930        }
1931        return inode;
1932}
1933
1934/* creates in fs root directory, so non-renamable and non-linkable.
1935 * so inode and dentry are paired, until device reconfig.
1936 */
1937static struct dentry *
1938gadgetfs_create_file (struct super_block *sb, char const *name,
1939                void *data, const struct file_operations *fops)
1940{
1941        struct dentry   *dentry;
1942        struct inode    *inode;
1943
1944        dentry = d_alloc_name(sb->s_root, name);
1945        if (!dentry)
1946                return NULL;
1947
1948        inode = gadgetfs_make_inode (sb, data, fops,
1949                        S_IFREG | (default_perm & S_IRWXUGO));
1950        if (!inode) {
1951                dput(dentry);
1952                return NULL;
1953        }
1954        d_add (dentry, inode);
1955        return dentry;
1956}
1957
1958static const struct super_operations gadget_fs_operations = {
1959        .statfs =       simple_statfs,
1960        .drop_inode =   generic_delete_inode,
1961};
1962
1963static int
1964gadgetfs_fill_super (struct super_block *sb, void *opts, int silent)
1965{
1966        struct inode    *inode;
1967        struct dev_data *dev;
1968
1969        if (the_device)
1970                return -ESRCH;
1971
1972        /* fake probe to determine $CHIP */
1973        CHIP = NULL;
1974        usb_gadget_probe_driver(&probe_driver);
1975        if (!CHIP)
1976                return -ENODEV;
1977
1978        /* superblock */
1979        sb->s_blocksize = PAGE_CACHE_SIZE;
1980        sb->s_blocksize_bits = PAGE_CACHE_SHIFT;
1981        sb->s_magic = GADGETFS_MAGIC;
1982        sb->s_op = &gadget_fs_operations;
1983        sb->s_time_gran = 1;
1984
1985        /* root inode */
1986        inode = gadgetfs_make_inode (sb,
1987                        NULL, &simple_dir_operations,
1988                        S_IFDIR | S_IRUGO | S_IXUGO);
1989        if (!inode)
1990                goto Enomem;
1991        inode->i_op = &simple_dir_inode_operations;
1992        if (!(sb->s_root = d_make_root (inode)))
1993                goto Enomem;
1994
1995        /* the ep0 file is named after the controller we expect;
1996         * user mode code can use it for sanity checks, like we do.
1997         */
1998        dev = dev_new ();
1999        if (!dev)
2000                goto Enomem;

2001
2002        dev->sb = sb;
2003        dev->dentry = gadgetfs_create_file(sb, CHIP, dev, &ep0_operations);
2004        if (!dev->dentry) {
2005                put_dev(dev);
2006                goto Enomem;
2007        }
2008
2009        /* other endpoint files are available after hardware setup,
2010         * from binding to a controller.
2011         */
2012        the_device = dev;
2013        return 0;
2014
2015Enomem:
2016        return -ENOMEM;
2017}
2018
2019/* "mount -t gadgetfs path /dev/gadget" ends up here */
2020static struct dentry *
2021gadgetfs_mount (struct file_system_type *t, int flags,
2022                const char *path, void *opts)
2023{
2024        return mount_single (t, flags, opts, gadgetfs_fill_super);
2025}
2026
2027static void
2028gadgetfs_kill_sb (struct super_block *sb)
2029{
2030        kill_litter_super (sb);
2031        if (the_device) {
2032                put_dev (the_device);
2033                the_device = NULL;
2034        }
2035}
2036
2037/*----------------------------------------------------------------------*/
2038
2039static struct file_system_type gadgetfs_type = {
2040        .owner          = THIS_MODULE,
2041        .name           = shortname,
2042        .mount          = gadgetfs_mount,
2043        .kill_sb        = gadgetfs_kill_sb,
2044};
2045MODULE_ALIAS_FS("gadgetfs");
2046
2047/*----------------------------------------------------------------------*/
2048
2049static int __init init (void)
2050{
2051        int status;
2052
2053        status = register_filesystem (&gadgetfs_type);
2054        if (status == 0)
2055                pr_info ("%s: %s, version " DRIVER_VERSION "\n",
2056                        shortname, driver_desc);
2057        return status;
2058}
2059module_init (init);
2060
2061static void __exit cleanup (void)
2062{
2063        pr_debug ("unregister %s\n", shortname);
2064        unregister_filesystem (&gadgetfs_type);
2065}
2066module_exit (cleanup);
2067
2068