1
2
3
4
5
6
7
8
9#include <linux/compiler.h>
10#include <linux/ctype.h>
11#include <linux/debugfs.h>
12#include <linux/delay.h>
13#include <linux/kref.h>
14#include <linux/miscdevice.h>
15#include <linux/module.h>
16#include <linux/semaphore.h>
17#include <linux/sched.h>
18#include <linux/slab.h>
19#include <linux/uaccess.h>
20#include <linux/wait.h>
21
22#include <linux/usb.h>
23#include <linux/usb/ch9.h>
24#include <linux/usb/ch11.h>
25#include <linux/usb/gadget.h>
26
27#include <uapi/linux/usb/raw_gadget.h>
28
29#define DRIVER_DESC "USB Raw Gadget"
30#define DRIVER_NAME "raw-gadget"
31
32MODULE_DESCRIPTION(DRIVER_DESC);
33MODULE_AUTHOR("Andrey Konovalov");
34MODULE_LICENSE("GPL");
35
36
37
38#define RAW_EVENT_QUEUE_SIZE 16
39
40struct raw_event_queue {
41
42 spinlock_t lock;
43 struct semaphore sema;
44 struct usb_raw_event *events[RAW_EVENT_QUEUE_SIZE];
45 int size;
46};
47
48static void raw_event_queue_init(struct raw_event_queue *queue)
49{
50 spin_lock_init(&queue->lock);
51 sema_init(&queue->sema, 0);
52 queue->size = 0;
53}
54
55static int raw_event_queue_add(struct raw_event_queue *queue,
56 enum usb_raw_event_type type, size_t length, const void *data)
57{
58 unsigned long flags;
59 struct usb_raw_event *event;
60
61 spin_lock_irqsave(&queue->lock, flags);
62 if (WARN_ON(queue->size >= RAW_EVENT_QUEUE_SIZE)) {
63 spin_unlock_irqrestore(&queue->lock, flags);
64 return -ENOMEM;
65 }
66 event = kmalloc(sizeof(*event) + length, GFP_ATOMIC);
67 if (!event) {
68 spin_unlock_irqrestore(&queue->lock, flags);
69 return -ENOMEM;
70 }
71 event->type = type;
72 event->length = length;
73 if (event->length)
74 memcpy(&event->data[0], data, length);
75 queue->events[queue->size] = event;
76 queue->size++;
77 up(&queue->sema);
78 spin_unlock_irqrestore(&queue->lock, flags);
79 return 0;
80}
81
82static struct usb_raw_event *raw_event_queue_fetch(
83 struct raw_event_queue *queue)
84{
85 int ret;
86 unsigned long flags;
87 struct usb_raw_event *event;
88
89
90
91
92
93
94 ret = down_interruptible(&queue->sema);
95 if (ret)
96 return ERR_PTR(ret);
97 spin_lock_irqsave(&queue->lock, flags);
98
99
100
101
102 if (WARN_ON(!queue->size)) {
103 spin_unlock_irqrestore(&queue->lock, flags);
104 return ERR_PTR(-ENODEV);
105 }
106 event = queue->events[0];
107 queue->size--;
108 memmove(&queue->events[0], &queue->events[1],
109 queue->size * sizeof(queue->events[0]));
110 spin_unlock_irqrestore(&queue->lock, flags);
111 return event;
112}
113
114static void raw_event_queue_destroy(struct raw_event_queue *queue)
115{
116 int i;
117
118 for (i = 0; i < queue->size; i++)
119 kfree(queue->events[i]);
120 queue->size = 0;
121}
122
123
124
125struct raw_dev;
126
127enum ep_state {
128 STATE_EP_DISABLED,
129 STATE_EP_ENABLED,
130};
131
132struct raw_ep {
133 struct raw_dev *dev;
134 enum ep_state state;
135 struct usb_ep *ep;
136 u8 addr;
137 struct usb_request *req;
138 bool urb_queued;
139 bool disabling;
140 ssize_t status;
141};
142
143enum dev_state {
144 STATE_DEV_INVALID = 0,
145 STATE_DEV_OPENED,
146 STATE_DEV_INITIALIZED,
147 STATE_DEV_RUNNING,
148 STATE_DEV_CLOSED,
149 STATE_DEV_FAILED
150};
151
152struct raw_dev {
153 struct kref count;
154 spinlock_t lock;
155
156 const char *udc_name;
157 struct usb_gadget_driver driver;
158
159
160 struct device *dev;
161
162
163 enum dev_state state;
164 bool gadget_registered;
165 struct usb_gadget *gadget;
166 struct usb_request *req;
167 bool ep0_in_pending;
168 bool ep0_out_pending;
169 bool ep0_urb_queued;
170 ssize_t ep0_status;
171 struct raw_ep eps[USB_RAW_EPS_NUM_MAX];
172 int eps_num;
173
174 struct completion ep0_done;
175 struct raw_event_queue queue;
176};
177
178static struct raw_dev *dev_new(void)
179{
180 struct raw_dev *dev;
181
182 dev = kzalloc(sizeof(*dev), GFP_KERNEL);
183 if (!dev)
184 return NULL;
185
186 kref_init(&dev->count);
187 spin_lock_init(&dev->lock);
188 init_completion(&dev->ep0_done);
189 raw_event_queue_init(&dev->queue);
190 return dev;
191}
192
193static void dev_free(struct kref *kref)
194{
195 struct raw_dev *dev = container_of(kref, struct raw_dev, count);
196 int i;
197
198 kfree(dev->udc_name);
199 kfree(dev->driver.udc_name);
200 if (dev->req) {
201 if (dev->ep0_urb_queued)
202 usb_ep_dequeue(dev->gadget->ep0, dev->req);
203 usb_ep_free_request(dev->gadget->ep0, dev->req);
204 }
205 raw_event_queue_destroy(&dev->queue);
206 for (i = 0; i < dev->eps_num; i++) {
207 if (dev->eps[i].state == STATE_EP_DISABLED)
208 continue;
209 usb_ep_disable(dev->eps[i].ep);
210 usb_ep_free_request(dev->eps[i].ep, dev->eps[i].req);
211 kfree(dev->eps[i].ep->desc);
212 dev->eps[i].state = STATE_EP_DISABLED;
213 }
214 kfree(dev);
215}
216
217
218
219static int raw_queue_event(struct raw_dev *dev,
220 enum usb_raw_event_type type, size_t length, const void *data)
221{
222 int ret = 0;
223 unsigned long flags;
224
225 ret = raw_event_queue_add(&dev->queue, type, length, data);
226 if (ret < 0) {
227 spin_lock_irqsave(&dev->lock, flags);
228 dev->state = STATE_DEV_FAILED;
229 spin_unlock_irqrestore(&dev->lock, flags);
230 }
231 return ret;
232}
233
234static void gadget_ep0_complete(struct usb_ep *ep, struct usb_request *req)
235{
236 struct raw_dev *dev = req->context;
237 unsigned long flags;
238
239 spin_lock_irqsave(&dev->lock, flags);
240 if (req->status)
241 dev->ep0_status = req->status;
242 else
243 dev->ep0_status = req->actual;
244 if (dev->ep0_in_pending)
245 dev->ep0_in_pending = false;
246 else
247 dev->ep0_out_pending = false;
248 spin_unlock_irqrestore(&dev->lock, flags);
249
250 complete(&dev->ep0_done);
251}
252
253static u8 get_ep_addr(const char *name)
254{
255
256
257
258
259
260 if (isdigit(name[2]))
261 return simple_strtoul(&name[2], NULL, 10);
262
263 return USB_RAW_EP_ADDR_ANY;
264}
265
266static int gadget_bind(struct usb_gadget *gadget,
267 struct usb_gadget_driver *driver)
268{
269 int ret = 0, i = 0;
270 struct raw_dev *dev = container_of(driver, struct raw_dev, driver);
271 struct usb_request *req;
272 struct usb_ep *ep;
273 unsigned long flags;
274
275 if (strcmp(gadget->name, dev->udc_name) != 0)
276 return -ENODEV;
277
278 set_gadget_data(gadget, dev);
279 req = usb_ep_alloc_request(gadget->ep0, GFP_KERNEL);
280 if (!req) {
281 dev_err(&gadget->dev, "usb_ep_alloc_request failed\n");
282 set_gadget_data(gadget, NULL);
283 return -ENOMEM;
284 }
285
286 spin_lock_irqsave(&dev->lock, flags);
287 dev->req = req;
288 dev->req->context = dev;
289 dev->req->complete = gadget_ep0_complete;
290 dev->gadget = gadget;
291 gadget_for_each_ep(ep, dev->gadget) {
292 dev->eps[i].ep = ep;
293 dev->eps[i].addr = get_ep_addr(ep->name);
294 dev->eps[i].state = STATE_EP_DISABLED;
295 i++;
296 }
297 dev->eps_num = i;
298 spin_unlock_irqrestore(&dev->lock, flags);
299
300
301 kref_get(&dev->count);
302
303 ret = raw_queue_event(dev, USB_RAW_EVENT_CONNECT, 0, NULL);
304 if (ret < 0)
305 dev_err(&gadget->dev, "failed to queue event\n");
306
307 return ret;
308}
309
310static void gadget_unbind(struct usb_gadget *gadget)
311{
312 struct raw_dev *dev = get_gadget_data(gadget);
313
314 set_gadget_data(gadget, NULL);
315
316 kref_put(&dev->count, dev_free);
317}
318
319static int gadget_setup(struct usb_gadget *gadget,
320 const struct usb_ctrlrequest *ctrl)
321{
322 int ret = 0;
323 struct raw_dev *dev = get_gadget_data(gadget);
324 unsigned long flags;
325
326 spin_lock_irqsave(&dev->lock, flags);
327 if (dev->state != STATE_DEV_RUNNING) {
328 dev_err(&gadget->dev, "ignoring, device is not running\n");
329 ret = -ENODEV;
330 goto out_unlock;
331 }
332 if (dev->ep0_in_pending || dev->ep0_out_pending) {
333 dev_dbg(&gadget->dev, "stalling, request already pending\n");
334 ret = -EBUSY;
335 goto out_unlock;
336 }
337 if ((ctrl->bRequestType & USB_DIR_IN) && ctrl->wLength)
338 dev->ep0_in_pending = true;
339 else
340 dev->ep0_out_pending = true;
341 spin_unlock_irqrestore(&dev->lock, flags);
342
343 ret = raw_queue_event(dev, USB_RAW_EVENT_CONTROL, sizeof(*ctrl), ctrl);
344 if (ret < 0)
345 dev_err(&gadget->dev, "failed to queue event\n");
346 goto out;
347
348out_unlock:
349 spin_unlock_irqrestore(&dev->lock, flags);
350out:
351 return ret;
352}
353
354
355static void gadget_disconnect(struct usb_gadget *gadget) { }
356static void gadget_suspend(struct usb_gadget *gadget) { }
357static void gadget_resume(struct usb_gadget *gadget) { }
358static void gadget_reset(struct usb_gadget *gadget) { }
359
360
361
362static struct miscdevice raw_misc_device;
363
364static int raw_open(struct inode *inode, struct file *fd)
365{
366 struct raw_dev *dev;
367
368
369 if (fd->f_flags & O_NONBLOCK)
370 return -EINVAL;
371
372 dev = dev_new();
373 if (!dev)
374 return -ENOMEM;
375 fd->private_data = dev;
376 dev->state = STATE_DEV_OPENED;
377 dev->dev = raw_misc_device.this_device;
378 return 0;
379}
380
381static int raw_release(struct inode *inode, struct file *fd)
382{
383 int ret = 0;
384 struct raw_dev *dev = fd->private_data;
385 unsigned long flags;
386 bool unregister = false;
387
388 spin_lock_irqsave(&dev->lock, flags);
389 dev->state = STATE_DEV_CLOSED;
390 if (!dev->gadget) {
391 spin_unlock_irqrestore(&dev->lock, flags);
392 goto out_put;
393 }
394 if (dev->gadget_registered)
395 unregister = true;
396 dev->gadget_registered = false;
397 spin_unlock_irqrestore(&dev->lock, flags);
398
399 if (unregister) {
400 ret = usb_gadget_unregister_driver(&dev->driver);
401 if (ret != 0)
402 dev_err(dev->dev,
403 "usb_gadget_unregister_driver() failed with %d\n",
404 ret);
405
406 kref_put(&dev->count, dev_free);
407 }
408
409out_put:
410
411 kref_put(&dev->count, dev_free);
412 return ret;
413}
414
415
416
417static int raw_ioctl_init(struct raw_dev *dev, unsigned long value)
418{
419 int ret = 0;
420 struct usb_raw_init arg;
421 char *udc_driver_name;
422 char *udc_device_name;
423 unsigned long flags;
424
425 if (copy_from_user(&arg, (void __user *)value, sizeof(arg)))
426 return -EFAULT;
427
428 switch (arg.speed) {
429 case USB_SPEED_UNKNOWN:
430 arg.speed = USB_SPEED_HIGH;
431 break;
432 case USB_SPEED_LOW:
433 case USB_SPEED_FULL:
434 case USB_SPEED_HIGH:
435 case USB_SPEED_SUPER:
436 break;
437 default:
438 return -EINVAL;
439 }
440
441 udc_driver_name = kmalloc(UDC_NAME_LENGTH_MAX, GFP_KERNEL);
442 if (!udc_driver_name)
443 return -ENOMEM;
444 ret = strscpy(udc_driver_name, &arg.driver_name[0],
445 UDC_NAME_LENGTH_MAX);
446 if (ret < 0) {
447 kfree(udc_driver_name);
448 return ret;
449 }
450 ret = 0;
451
452 udc_device_name = kmalloc(UDC_NAME_LENGTH_MAX, GFP_KERNEL);
453 if (!udc_device_name) {
454 kfree(udc_driver_name);
455 return -ENOMEM;
456 }
457 ret = strscpy(udc_device_name, &arg.device_name[0],
458 UDC_NAME_LENGTH_MAX);
459 if (ret < 0) {
460 kfree(udc_driver_name);
461 kfree(udc_device_name);
462 return ret;
463 }
464 ret = 0;
465
466 spin_lock_irqsave(&dev->lock, flags);
467 if (dev->state != STATE_DEV_OPENED) {
468 dev_dbg(dev->dev, "fail, device is not opened\n");
469 kfree(udc_driver_name);
470 kfree(udc_device_name);
471 ret = -EINVAL;
472 goto out_unlock;
473 }
474 dev->udc_name = udc_driver_name;
475
476 dev->driver.function = DRIVER_DESC;
477 dev->driver.max_speed = arg.speed;
478 dev->driver.setup = gadget_setup;
479 dev->driver.disconnect = gadget_disconnect;
480 dev->driver.bind = gadget_bind;
481 dev->driver.unbind = gadget_unbind;
482 dev->driver.suspend = gadget_suspend;
483 dev->driver.resume = gadget_resume;
484 dev->driver.reset = gadget_reset;
485 dev->driver.driver.name = DRIVER_NAME;
486 dev->driver.udc_name = udc_device_name;
487 dev->driver.match_existing_only = 1;
488
489 dev->state = STATE_DEV_INITIALIZED;
490
491out_unlock:
492 spin_unlock_irqrestore(&dev->lock, flags);
493 return ret;
494}
495
496static int raw_ioctl_run(struct raw_dev *dev, unsigned long value)
497{
498 int ret = 0;
499 unsigned long flags;
500
501 if (value)
502 return -EINVAL;
503
504 spin_lock_irqsave(&dev->lock, flags);
505 if (dev->state != STATE_DEV_INITIALIZED) {
506 dev_dbg(dev->dev, "fail, device is not initialized\n");
507 ret = -EINVAL;
508 goto out_unlock;
509 }
510 spin_unlock_irqrestore(&dev->lock, flags);
511
512 ret = usb_gadget_probe_driver(&dev->driver);
513
514 spin_lock_irqsave(&dev->lock, flags);
515 if (ret) {
516 dev_err(dev->dev,
517 "fail, usb_gadget_probe_driver returned %d\n", ret);
518 dev->state = STATE_DEV_FAILED;
519 goto out_unlock;
520 }
521 dev->gadget_registered = true;
522 dev->state = STATE_DEV_RUNNING;
523
524 kref_get(&dev->count);
525
526out_unlock:
527 spin_unlock_irqrestore(&dev->lock, flags);
528 return ret;
529}
530
531static int raw_ioctl_event_fetch(struct raw_dev *dev, unsigned long value)
532{
533 struct usb_raw_event arg;
534 unsigned long flags;
535 struct usb_raw_event *event;
536 uint32_t length;
537
538 if (copy_from_user(&arg, (void __user *)value, sizeof(arg)))
539 return -EFAULT;
540
541 spin_lock_irqsave(&dev->lock, flags);
542 if (dev->state != STATE_DEV_RUNNING) {
543 dev_dbg(dev->dev, "fail, device is not running\n");
544 spin_unlock_irqrestore(&dev->lock, flags);
545 return -EINVAL;
546 }
547 if (!dev->gadget) {
548 dev_dbg(dev->dev, "fail, gadget is not bound\n");
549 spin_unlock_irqrestore(&dev->lock, flags);
550 return -EBUSY;
551 }
552 spin_unlock_irqrestore(&dev->lock, flags);
553
554 event = raw_event_queue_fetch(&dev->queue);
555 if (PTR_ERR(event) == -EINTR) {
556 dev_dbg(&dev->gadget->dev, "event fetching interrupted\n");
557 return -EINTR;
558 }
559 if (IS_ERR(event)) {
560 dev_err(&dev->gadget->dev, "failed to fetch event\n");
561 spin_lock_irqsave(&dev->lock, flags);
562 dev->state = STATE_DEV_FAILED;
563 spin_unlock_irqrestore(&dev->lock, flags);
564 return -ENODEV;
565 }
566 length = min(arg.length, event->length);
567 if (copy_to_user((void __user *)value, event, sizeof(*event) + length))
568 return -EFAULT;
569
570 return 0;
571}
572
573static void *raw_alloc_io_data(struct usb_raw_ep_io *io, void __user *ptr,
574 bool get_from_user)
575{
576 void *data;
577
578 if (copy_from_user(io, ptr, sizeof(*io)))
579 return ERR_PTR(-EFAULT);
580 if (io->ep >= USB_RAW_EPS_NUM_MAX)
581 return ERR_PTR(-EINVAL);
582 if (!usb_raw_io_flags_valid(io->flags))
583 return ERR_PTR(-EINVAL);
584 if (io->length > PAGE_SIZE)
585 return ERR_PTR(-EINVAL);
586 if (get_from_user)
587 data = memdup_user(ptr + sizeof(*io), io->length);
588 else {
589 data = kmalloc(io->length, GFP_KERNEL);
590 if (!data)
591 data = ERR_PTR(-ENOMEM);
592 }
593 return data;
594}
595
596static int raw_process_ep0_io(struct raw_dev *dev, struct usb_raw_ep_io *io,
597 void *data, bool in)
598{
599 int ret = 0;
600 unsigned long flags;
601
602 spin_lock_irqsave(&dev->lock, flags);
603 if (dev->state != STATE_DEV_RUNNING) {
604 dev_dbg(dev->dev, "fail, device is not running\n");
605 ret = -EINVAL;
606 goto out_unlock;
607 }
608 if (!dev->gadget) {
609 dev_dbg(dev->dev, "fail, gadget is not bound\n");
610 ret = -EBUSY;
611 goto out_unlock;
612 }
613 if (dev->ep0_urb_queued) {
614 dev_dbg(&dev->gadget->dev, "fail, urb already queued\n");
615 ret = -EBUSY;
616 goto out_unlock;
617 }
618 if ((in && !dev->ep0_in_pending) ||
619 (!in && !dev->ep0_out_pending)) {
620 dev_dbg(&dev->gadget->dev, "fail, wrong direction\n");
621 ret = -EBUSY;
622 goto out_unlock;
623 }
624 if (WARN_ON(in && dev->ep0_out_pending)) {
625 ret = -ENODEV;
626 dev->state = STATE_DEV_FAILED;
627 goto out_done;
628 }
629 if (WARN_ON(!in && dev->ep0_in_pending)) {
630 ret = -ENODEV;
631 dev->state = STATE_DEV_FAILED;
632 goto out_done;
633 }
634
635 dev->req->buf = data;
636 dev->req->length = io->length;
637 dev->req->zero = usb_raw_io_flags_zero(io->flags);
638 dev->ep0_urb_queued = true;
639 spin_unlock_irqrestore(&dev->lock, flags);
640
641 ret = usb_ep_queue(dev->gadget->ep0, dev->req, GFP_KERNEL);
642 if (ret) {
643 dev_err(&dev->gadget->dev,
644 "fail, usb_ep_queue returned %d\n", ret);
645 spin_lock_irqsave(&dev->lock, flags);
646 dev->state = STATE_DEV_FAILED;
647 goto out_done;
648 }
649
650 ret = wait_for_completion_interruptible(&dev->ep0_done);
651 if (ret) {
652 dev_dbg(&dev->gadget->dev, "wait interrupted\n");
653 usb_ep_dequeue(dev->gadget->ep0, dev->req);
654 wait_for_completion(&dev->ep0_done);
655 spin_lock_irqsave(&dev->lock, flags);
656 goto out_done;
657 }
658
659 spin_lock_irqsave(&dev->lock, flags);
660 ret = dev->ep0_status;
661
662out_done:
663 dev->ep0_urb_queued = false;
664out_unlock:
665 spin_unlock_irqrestore(&dev->lock, flags);
666 return ret;
667}
668
669static int raw_ioctl_ep0_write(struct raw_dev *dev, unsigned long value)
670{
671 int ret = 0;
672 void *data;
673 struct usb_raw_ep_io io;
674
675 data = raw_alloc_io_data(&io, (void __user *)value, true);
676 if (IS_ERR(data))
677 return PTR_ERR(data);
678 ret = raw_process_ep0_io(dev, &io, data, true);
679 kfree(data);
680 return ret;
681}
682
683static int raw_ioctl_ep0_read(struct raw_dev *dev, unsigned long value)
684{
685 int ret = 0;
686 void *data;
687 struct usb_raw_ep_io io;
688 unsigned int length;
689
690 data = raw_alloc_io_data(&io, (void __user *)value, false);
691 if (IS_ERR(data))
692 return PTR_ERR(data);
693 ret = raw_process_ep0_io(dev, &io, data, false);
694 if (ret < 0)
695 goto free;
696
697 length = min(io.length, (unsigned int)ret);
698 if (copy_to_user((void __user *)(value + sizeof(io)), data, length))
699 ret = -EFAULT;
700 else
701 ret = length;
702free:
703 kfree(data);
704 return ret;
705}
706
707static int raw_ioctl_ep0_stall(struct raw_dev *dev, unsigned long value)
708{
709 int ret = 0;
710 unsigned long flags;
711
712 if (value)
713 return -EINVAL;
714 spin_lock_irqsave(&dev->lock, flags);
715 if (dev->state != STATE_DEV_RUNNING) {
716 dev_dbg(dev->dev, "fail, device is not running\n");
717 ret = -EINVAL;
718 goto out_unlock;
719 }
720 if (!dev->gadget) {
721 dev_dbg(dev->dev, "fail, gadget is not bound\n");
722 ret = -EBUSY;
723 goto out_unlock;
724 }
725 if (dev->ep0_urb_queued) {
726 dev_dbg(&dev->gadget->dev, "fail, urb already queued\n");
727 ret = -EBUSY;
728 goto out_unlock;
729 }
730 if (!dev->ep0_in_pending && !dev->ep0_out_pending) {
731 dev_dbg(&dev->gadget->dev, "fail, no request pending\n");
732 ret = -EBUSY;
733 goto out_unlock;
734 }
735
736 ret = usb_ep_set_halt(dev->gadget->ep0);
737 if (ret < 0)
738 dev_err(&dev->gadget->dev,
739 "fail, usb_ep_set_halt returned %d\n", ret);
740
741 if (dev->ep0_in_pending)
742 dev->ep0_in_pending = false;
743 else
744 dev->ep0_out_pending = false;
745
746out_unlock:
747 spin_unlock_irqrestore(&dev->lock, flags);
748 return ret;
749}
750
751static int raw_ioctl_ep_enable(struct raw_dev *dev, unsigned long value)
752{
753 int ret = 0, i;
754 unsigned long flags;
755 struct usb_endpoint_descriptor *desc;
756 struct raw_ep *ep;
757
758 desc = memdup_user((void __user *)value, sizeof(*desc));
759 if (IS_ERR(desc))
760 return PTR_ERR(desc);
761
762
763
764
765
766 if (usb_endpoint_maxp(desc) == 0) {
767 dev_dbg(dev->dev, "fail, bad endpoint maxpacket\n");
768 kfree(desc);
769 return -EINVAL;
770 }
771
772 spin_lock_irqsave(&dev->lock, flags);
773 if (dev->state != STATE_DEV_RUNNING) {
774 dev_dbg(dev->dev, "fail, device is not running\n");
775 ret = -EINVAL;
776 goto out_free;
777 }
778 if (!dev->gadget) {
779 dev_dbg(dev->dev, "fail, gadget is not bound\n");
780 ret = -EBUSY;
781 goto out_free;
782 }
783
784 for (i = 0; i < dev->eps_num; i++) {
785 ep = &dev->eps[i];
786 if (ep->state != STATE_EP_DISABLED)
787 continue;
788 if (ep->addr != usb_endpoint_num(desc) &&
789 ep->addr != USB_RAW_EP_ADDR_ANY)
790 continue;
791 if (!usb_gadget_ep_match_desc(dev->gadget, ep->ep, desc, NULL))
792 continue;
793 ep->ep->desc = desc;
794 ret = usb_ep_enable(ep->ep);
795 if (ret < 0) {
796 dev_err(&dev->gadget->dev,
797 "fail, usb_ep_enable returned %d\n", ret);
798 goto out_free;
799 }
800 ep->req = usb_ep_alloc_request(ep->ep, GFP_ATOMIC);
801 if (!ep->req) {
802 dev_err(&dev->gadget->dev,
803 "fail, usb_ep_alloc_request failed\n");
804 usb_ep_disable(ep->ep);
805 ret = -ENOMEM;
806 goto out_free;
807 }
808 ep->state = STATE_EP_ENABLED;
809 ep->ep->driver_data = ep;
810 ret = i;
811 goto out_unlock;
812 }
813
814 dev_dbg(&dev->gadget->dev, "fail, no gadget endpoints available\n");
815 ret = -EBUSY;
816
817out_free:
818 kfree(desc);
819out_unlock:
820 spin_unlock_irqrestore(&dev->lock, flags);
821 return ret;
822}
823
824static int raw_ioctl_ep_disable(struct raw_dev *dev, unsigned long value)
825{
826 int ret = 0, i = value;
827 unsigned long flags;
828
829 spin_lock_irqsave(&dev->lock, flags);
830 if (dev->state != STATE_DEV_RUNNING) {
831 dev_dbg(dev->dev, "fail, device is not running\n");
832 ret = -EINVAL;
833 goto out_unlock;
834 }
835 if (!dev->gadget) {
836 dev_dbg(dev->dev, "fail, gadget is not bound\n");
837 ret = -EBUSY;
838 goto out_unlock;
839 }
840 if (i < 0 || i >= dev->eps_num) {
841 dev_dbg(dev->dev, "fail, invalid endpoint\n");
842 ret = -EBUSY;
843 goto out_unlock;
844 }
845 if (dev->eps[i].state == STATE_EP_DISABLED) {
846 dev_dbg(&dev->gadget->dev, "fail, endpoint is not enabled\n");
847 ret = -EINVAL;
848 goto out_unlock;
849 }
850 if (dev->eps[i].disabling) {
851 dev_dbg(&dev->gadget->dev,
852 "fail, disable already in progress\n");
853 ret = -EINVAL;
854 goto out_unlock;
855 }
856 if (dev->eps[i].urb_queued) {
857 dev_dbg(&dev->gadget->dev,
858 "fail, waiting for urb completion\n");
859 ret = -EINVAL;
860 goto out_unlock;
861 }
862 dev->eps[i].disabling = true;
863 spin_unlock_irqrestore(&dev->lock, flags);
864
865 usb_ep_disable(dev->eps[i].ep);
866
867 spin_lock_irqsave(&dev->lock, flags);
868 usb_ep_free_request(dev->eps[i].ep, dev->eps[i].req);
869 kfree(dev->eps[i].ep->desc);
870 dev->eps[i].state = STATE_EP_DISABLED;
871 dev->eps[i].disabling = false;
872
873out_unlock:
874 spin_unlock_irqrestore(&dev->lock, flags);
875 return ret;
876}
877
878static int raw_ioctl_ep_set_clear_halt_wedge(struct raw_dev *dev,
879 unsigned long value, bool set, bool halt)
880{
881 int ret = 0, i = value;
882 unsigned long flags;
883
884 spin_lock_irqsave(&dev->lock, flags);
885 if (dev->state != STATE_DEV_RUNNING) {
886 dev_dbg(dev->dev, "fail, device is not running\n");
887 ret = -EINVAL;
888 goto out_unlock;
889 }
890 if (!dev->gadget) {
891 dev_dbg(dev->dev, "fail, gadget is not bound\n");
892 ret = -EBUSY;
893 goto out_unlock;
894 }
895 if (i < 0 || i >= dev->eps_num) {
896 dev_dbg(dev->dev, "fail, invalid endpoint\n");
897 ret = -EBUSY;
898 goto out_unlock;
899 }
900 if (dev->eps[i].state == STATE_EP_DISABLED) {
901 dev_dbg(&dev->gadget->dev, "fail, endpoint is not enabled\n");
902 ret = -EINVAL;
903 goto out_unlock;
904 }
905 if (dev->eps[i].disabling) {
906 dev_dbg(&dev->gadget->dev,
907 "fail, disable is in progress\n");
908 ret = -EINVAL;
909 goto out_unlock;
910 }
911 if (dev->eps[i].urb_queued) {
912 dev_dbg(&dev->gadget->dev,
913 "fail, waiting for urb completion\n");
914 ret = -EINVAL;
915 goto out_unlock;
916 }
917 if (usb_endpoint_xfer_isoc(dev->eps[i].ep->desc)) {
918 dev_dbg(&dev->gadget->dev,
919 "fail, can't halt/wedge ISO endpoint\n");
920 ret = -EINVAL;
921 goto out_unlock;
922 }
923
924 if (set && halt) {
925 ret = usb_ep_set_halt(dev->eps[i].ep);
926 if (ret < 0)
927 dev_err(&dev->gadget->dev,
928 "fail, usb_ep_set_halt returned %d\n", ret);
929 } else if (!set && halt) {
930 ret = usb_ep_clear_halt(dev->eps[i].ep);
931 if (ret < 0)
932 dev_err(&dev->gadget->dev,
933 "fail, usb_ep_clear_halt returned %d\n", ret);
934 } else if (set && !halt) {
935 ret = usb_ep_set_wedge(dev->eps[i].ep);
936 if (ret < 0)
937 dev_err(&dev->gadget->dev,
938 "fail, usb_ep_set_wedge returned %d\n", ret);
939 }
940
941out_unlock:
942 spin_unlock_irqrestore(&dev->lock, flags);
943 return ret;
944}
945
946static void gadget_ep_complete(struct usb_ep *ep, struct usb_request *req)
947{
948 struct raw_ep *r_ep = (struct raw_ep *)ep->driver_data;
949 struct raw_dev *dev = r_ep->dev;
950 unsigned long flags;
951
952 spin_lock_irqsave(&dev->lock, flags);
953 if (req->status)
954 r_ep->status = req->status;
955 else
956 r_ep->status = req->actual;
957 spin_unlock_irqrestore(&dev->lock, flags);
958
959 complete((struct completion *)req->context);
960}
961
962static int raw_process_ep_io(struct raw_dev *dev, struct usb_raw_ep_io *io,
963 void *data, bool in)
964{
965 int ret = 0;
966 unsigned long flags;
967 struct raw_ep *ep;
968 DECLARE_COMPLETION_ONSTACK(done);
969
970 spin_lock_irqsave(&dev->lock, flags);
971 if (dev->state != STATE_DEV_RUNNING) {
972 dev_dbg(dev->dev, "fail, device is not running\n");
973 ret = -EINVAL;
974 goto out_unlock;
975 }
976 if (!dev->gadget) {
977 dev_dbg(dev->dev, "fail, gadget is not bound\n");
978 ret = -EBUSY;
979 goto out_unlock;
980 }
981 if (io->ep >= dev->eps_num) {
982 dev_dbg(&dev->gadget->dev, "fail, invalid endpoint\n");
983 ret = -EINVAL;
984 goto out_unlock;
985 }
986 ep = &dev->eps[io->ep];
987 if (ep->state != STATE_EP_ENABLED) {
988 dev_dbg(&dev->gadget->dev, "fail, endpoint is not enabled\n");
989 ret = -EBUSY;
990 goto out_unlock;
991 }
992 if (ep->disabling) {
993 dev_dbg(&dev->gadget->dev,
994 "fail, endpoint is already being disabled\n");
995 ret = -EBUSY;
996 goto out_unlock;
997 }
998 if (ep->urb_queued) {
999 dev_dbg(&dev->gadget->dev, "fail, urb already queued\n");
1000 ret = -EBUSY;
1001 goto out_unlock;
1002 }
1003 if ((in && !ep->ep->caps.dir_in) || (!in && ep->ep->caps.dir_in)) {
1004 dev_dbg(&dev->gadget->dev, "fail, wrong direction\n");
1005 ret = -EINVAL;
1006 goto out_unlock;
1007 }
1008
1009 ep->dev = dev;
1010 ep->req->context = &done;
1011 ep->req->complete = gadget_ep_complete;
1012 ep->req->buf = data;
1013 ep->req->length = io->length;
1014 ep->req->zero = usb_raw_io_flags_zero(io->flags);
1015 ep->urb_queued = true;
1016 spin_unlock_irqrestore(&dev->lock, flags);
1017
1018 ret = usb_ep_queue(ep->ep, ep->req, GFP_KERNEL);
1019 if (ret) {
1020 dev_err(&dev->gadget->dev,
1021 "fail, usb_ep_queue returned %d\n", ret);
1022 spin_lock_irqsave(&dev->lock, flags);
1023 dev->state = STATE_DEV_FAILED;
1024 goto out_done;
1025 }
1026
1027 ret = wait_for_completion_interruptible(&done);
1028 if (ret) {
1029 dev_dbg(&dev->gadget->dev, "wait interrupted\n");
1030 usb_ep_dequeue(ep->ep, ep->req);
1031 wait_for_completion(&done);
1032 spin_lock_irqsave(&dev->lock, flags);
1033 goto out_done;
1034 }
1035
1036 spin_lock_irqsave(&dev->lock, flags);
1037 ret = ep->status;
1038
1039out_done:
1040 ep->urb_queued = false;
1041out_unlock:
1042 spin_unlock_irqrestore(&dev->lock, flags);
1043 return ret;
1044}
1045
1046static int raw_ioctl_ep_write(struct raw_dev *dev, unsigned long value)
1047{
1048 int ret = 0;
1049 char *data;
1050 struct usb_raw_ep_io io;
1051
1052 data = raw_alloc_io_data(&io, (void __user *)value, true);
1053 if (IS_ERR(data))
1054 return PTR_ERR(data);
1055 ret = raw_process_ep_io(dev, &io, data, true);
1056 kfree(data);
1057 return ret;
1058}
1059
1060static int raw_ioctl_ep_read(struct raw_dev *dev, unsigned long value)
1061{
1062 int ret = 0;
1063 char *data;
1064 struct usb_raw_ep_io io;
1065 unsigned int length;
1066
1067 data = raw_alloc_io_data(&io, (void __user *)value, false);
1068 if (IS_ERR(data))
1069 return PTR_ERR(data);
1070 ret = raw_process_ep_io(dev, &io, data, false);
1071 if (ret < 0)
1072 goto free;
1073
1074 length = min(io.length, (unsigned int)ret);
1075 if (copy_to_user((void __user *)(value + sizeof(io)), data, length))
1076 ret = -EFAULT;
1077 else
1078 ret = length;
1079free:
1080 kfree(data);
1081 return ret;
1082}
1083
1084static int raw_ioctl_configure(struct raw_dev *dev, unsigned long value)
1085{
1086 int ret = 0;
1087 unsigned long flags;
1088
1089 if (value)
1090 return -EINVAL;
1091 spin_lock_irqsave(&dev->lock, flags);
1092 if (dev->state != STATE_DEV_RUNNING) {
1093 dev_dbg(dev->dev, "fail, device is not running\n");
1094 ret = -EINVAL;
1095 goto out_unlock;
1096 }
1097 if (!dev->gadget) {
1098 dev_dbg(dev->dev, "fail, gadget is not bound\n");
1099 ret = -EBUSY;
1100 goto out_unlock;
1101 }
1102 usb_gadget_set_state(dev->gadget, USB_STATE_CONFIGURED);
1103
1104out_unlock:
1105 spin_unlock_irqrestore(&dev->lock, flags);
1106 return ret;
1107}
1108
1109static int raw_ioctl_vbus_draw(struct raw_dev *dev, unsigned long value)
1110{
1111 int ret = 0;
1112 unsigned long flags;
1113
1114 spin_lock_irqsave(&dev->lock, flags);
1115 if (dev->state != STATE_DEV_RUNNING) {
1116 dev_dbg(dev->dev, "fail, device is not running\n");
1117 ret = -EINVAL;
1118 goto out_unlock;
1119 }
1120 if (!dev->gadget) {
1121 dev_dbg(dev->dev, "fail, gadget is not bound\n");
1122 ret = -EBUSY;
1123 goto out_unlock;
1124 }
1125 usb_gadget_vbus_draw(dev->gadget, 2 * value);
1126
1127out_unlock:
1128 spin_unlock_irqrestore(&dev->lock, flags);
1129 return ret;
1130}
1131
1132static void fill_ep_caps(struct usb_ep_caps *caps,
1133 struct usb_raw_ep_caps *raw_caps)
1134{
1135 raw_caps->type_control = caps->type_control;
1136 raw_caps->type_iso = caps->type_iso;
1137 raw_caps->type_bulk = caps->type_bulk;
1138 raw_caps->type_int = caps->type_int;
1139 raw_caps->dir_in = caps->dir_in;
1140 raw_caps->dir_out = caps->dir_out;
1141}
1142
1143static void fill_ep_limits(struct usb_ep *ep, struct usb_raw_ep_limits *limits)
1144{
1145 limits->maxpacket_limit = ep->maxpacket_limit;
1146 limits->max_streams = ep->max_streams;
1147}
1148
1149static int raw_ioctl_eps_info(struct raw_dev *dev, unsigned long value)
1150{
1151 int ret = 0, i;
1152 unsigned long flags;
1153 struct usb_raw_eps_info *info;
1154 struct raw_ep *ep;
1155
1156 info = kmalloc(sizeof(*info), GFP_KERNEL);
1157 if (!info) {
1158 ret = -ENOMEM;
1159 goto out;
1160 }
1161
1162 spin_lock_irqsave(&dev->lock, flags);
1163 if (dev->state != STATE_DEV_RUNNING) {
1164 dev_dbg(dev->dev, "fail, device is not running\n");
1165 ret = -EINVAL;
1166 spin_unlock_irqrestore(&dev->lock, flags);
1167 goto out_free;
1168 }
1169 if (!dev->gadget) {
1170 dev_dbg(dev->dev, "fail, gadget is not bound\n");
1171 ret = -EBUSY;
1172 spin_unlock_irqrestore(&dev->lock, flags);
1173 goto out_free;
1174 }
1175
1176 memset(info, 0, sizeof(*info));
1177 for (i = 0; i < dev->eps_num; i++) {
1178 ep = &dev->eps[i];
1179 strscpy(&info->eps[i].name[0], ep->ep->name,
1180 USB_RAW_EP_NAME_MAX);
1181 info->eps[i].addr = ep->addr;
1182 fill_ep_caps(&ep->ep->caps, &info->eps[i].caps);
1183 fill_ep_limits(ep->ep, &info->eps[i].limits);
1184 }
1185 ret = dev->eps_num;
1186 spin_unlock_irqrestore(&dev->lock, flags);
1187
1188 if (copy_to_user((void __user *)value, info, sizeof(*info)))
1189 ret = -EFAULT;
1190
1191out_free:
1192 kfree(info);
1193out:
1194 return ret;
1195}
1196
1197static long raw_ioctl(struct file *fd, unsigned int cmd, unsigned long value)
1198{
1199 struct raw_dev *dev = fd->private_data;
1200 int ret = 0;
1201
1202 if (!dev)
1203 return -EBUSY;
1204
1205 switch (cmd) {
1206 case USB_RAW_IOCTL_INIT:
1207 ret = raw_ioctl_init(dev, value);
1208 break;
1209 case USB_RAW_IOCTL_RUN:
1210 ret = raw_ioctl_run(dev, value);
1211 break;
1212 case USB_RAW_IOCTL_EVENT_FETCH:
1213 ret = raw_ioctl_event_fetch(dev, value);
1214 break;
1215 case USB_RAW_IOCTL_EP0_WRITE:
1216 ret = raw_ioctl_ep0_write(dev, value);
1217 break;
1218 case USB_RAW_IOCTL_EP0_READ:
1219 ret = raw_ioctl_ep0_read(dev, value);
1220 break;
1221 case USB_RAW_IOCTL_EP_ENABLE:
1222 ret = raw_ioctl_ep_enable(dev, value);
1223 break;
1224 case USB_RAW_IOCTL_EP_DISABLE:
1225 ret = raw_ioctl_ep_disable(dev, value);
1226 break;
1227 case USB_RAW_IOCTL_EP_WRITE:
1228 ret = raw_ioctl_ep_write(dev, value);
1229 break;
1230 case USB_RAW_IOCTL_EP_READ:
1231 ret = raw_ioctl_ep_read(dev, value);
1232 break;
1233 case USB_RAW_IOCTL_CONFIGURE:
1234 ret = raw_ioctl_configure(dev, value);
1235 break;
1236 case USB_RAW_IOCTL_VBUS_DRAW:
1237 ret = raw_ioctl_vbus_draw(dev, value);
1238 break;
1239 case USB_RAW_IOCTL_EPS_INFO:
1240 ret = raw_ioctl_eps_info(dev, value);
1241 break;
1242 case USB_RAW_IOCTL_EP0_STALL:
1243 ret = raw_ioctl_ep0_stall(dev, value);
1244 break;
1245 case USB_RAW_IOCTL_EP_SET_HALT:
1246 ret = raw_ioctl_ep_set_clear_halt_wedge(
1247 dev, value, true, true);
1248 break;
1249 case USB_RAW_IOCTL_EP_CLEAR_HALT:
1250 ret = raw_ioctl_ep_set_clear_halt_wedge(
1251 dev, value, false, true);
1252 break;
1253 case USB_RAW_IOCTL_EP_SET_WEDGE:
1254 ret = raw_ioctl_ep_set_clear_halt_wedge(
1255 dev, value, true, false);
1256 break;
1257 default:
1258 ret = -EINVAL;
1259 }
1260
1261 return ret;
1262}
1263
1264
1265
1266static const struct file_operations raw_fops = {
1267 .open = raw_open,
1268 .unlocked_ioctl = raw_ioctl,
1269 .compat_ioctl = raw_ioctl,
1270 .release = raw_release,
1271 .llseek = no_llseek,
1272};
1273
1274static struct miscdevice raw_misc_device = {
1275 .minor = MISC_DYNAMIC_MINOR,
1276 .name = DRIVER_NAME,
1277 .fops = &raw_fops,
1278};
1279
1280module_misc_device(raw_misc_device);
1281
