LXR linux/drivers/usb/gadget/legacy/inode.c

   1/*
   2 * inode.c -- user mode filesystem api for usb gadget controllers
   3 *
   4 * Copyright (C) 2003-2004 David Brownell
   5 * Copyright (C) 2003 Agilent Technologies
   6 *
   7 * This program is free software; you can redistribute it and/or modify
   8 * it under the terms of the GNU General Public License as published by
   9 * the Free Software Foundation; either version 2 of the License, or
  10 * (at your option) any later version.
  11 */
  12
  13
  14/* #define VERBOSE_DEBUG */
  15
  16#include <linux/init.h>
  17#include <linux/module.h>
  18#include <linux/fs.h>
  19#include <linux/pagemap.h>
  20#include <linux/uts.h>
  21#include <linux/wait.h>
  22#include <linux/compiler.h>
  23#include <asm/uaccess.h>
  24#include <linux/sched.h>
  25#include <linux/slab.h>
  26#include <linux/poll.h>
  27#include <linux/mmu_context.h>
  28#include <linux/aio.h>
  29#include <linux/uio.h>
  30
  31#include <linux/device.h>
  32#include <linux/moduleparam.h>
  33
  34#include <linux/usb/gadgetfs.h>
  35#include <linux/usb/gadget.h>
  36
  37
  38/*
  39 * The gadgetfs API maps each endpoint to a file descriptor so that you
  40 * can use standard synchronous read/write calls for I/O.  There's some
  41 * O_NONBLOCK and O_ASYNC/FASYNC style i/o support.  Example usermode
  42 * drivers show how this works in practice.  You can also use AIO to
  43 * eliminate I/O gaps between requests, to help when streaming data.
  44 *
  45 * Key parts that must be USB-specific are protocols defining how the
  46 * read/write operations relate to the hardware state machines.  There
  47 * are two types of files.  One type is for the device, implementing ep0.
  48 * The other type is for each IN or OUT endpoint.  In both cases, the
  49 * user mode driver must configure the hardware before using it.
  50 *
  51 * - First, dev_config() is called when /dev/gadget/$CHIP is configured
  52 *   (by writing configuration and device descriptors).  Afterwards it
  53 *   may serve as a source of device events, used to handle all control
  54 *   requests other than basic enumeration.
  55 *
  56 * - Then, after a SET_CONFIGURATION control request, ep_config() is
  57 *   called when each /dev/gadget/ep* file is configured (by writing
  58 *   endpoint descriptors).  Afterwards these files are used to write()
  59 *   IN data or to read() OUT data.  To halt the endpoint, a "wrong
  60 *   direction" request is issued (like reading an IN endpoint).
  61 *
  62 * Unlike "usbfs" the only ioctl()s are for things that are rare, and maybe
  63 * not possible on all hardware.  For example, precise fault handling with
  64 * respect to data left in endpoint fifos after aborted operations; or
  65 * selective clearing of endpoint halts, to implement SET_INTERFACE.
  66 */
  67
  68#define DRIVER_DESC     "USB Gadget filesystem"
  69#define DRIVER_VERSION  "24 Aug 2004"
  70
  71static const char driver_desc [] = DRIVER_DESC;
  72static const char shortname [] = "gadgetfs";
  73
  74MODULE_DESCRIPTION (DRIVER_DESC);
  75MODULE_AUTHOR ("David Brownell");
  76MODULE_LICENSE ("GPL");
  77
  78static int ep_open(struct inode *, struct file *);
  79
  80
  81/*----------------------------------------------------------------------*/
  82
  83#define GADGETFS_MAGIC          0xaee71ee7
  84
  85/* /dev/gadget/$CHIP represents ep0 and the whole device */
  86enum ep0_state {
  87        /* DISBLED is the initial state.
  88         */
  89        STATE_DEV_DISABLED = 0,
  90
  91        /* Only one open() of /dev/gadget/$CHIP; only one file tracks
  92         * ep0/device i/o modes and binding to the controller.  Driver
  93         * must always write descriptors to initialize the device, then
  94         * the device becomes UNCONNECTED until enumeration.
  95         */
  96        STATE_DEV_OPENED,
  97
  98        /* From then on, ep0 fd is in either of two basic modes:
  99         * - (UN)CONNECTED: read usb_gadgetfs_event(s) from it
 100         * - SETUP: read/write will transfer control data and succeed;
 101         *   or if "wrong direction", performs protocol stall
 102         */
 103        STATE_DEV_UNCONNECTED,
 104        STATE_DEV_CONNECTED,
 105        STATE_DEV_SETUP,
 106
 107        /* UNBOUND means the driver closed ep0, so the device won't be
 108         * accessible again (DEV_DISABLED) until all fds are closed.
 109         */
 110        STATE_DEV_UNBOUND,
 111};
 112
 113/* enough for the whole queue: most events invalidate others */
 114#define N_EVENT                 5
 115
 116struct dev_data {
 117        spinlock_t                      lock;
 118        atomic_t                        count;
 119        enum ep0_state                  state;          /* P: lock */
 120        struct usb_gadgetfs_event       event [N_EVENT];
 121        unsigned                        ev_next;
 122        struct fasync_struct            *fasync;
 123        u8                              current_config;
 124
 125        /* drivers reading ep0 MUST handle control requests (SETUP)
 126         * reported that way; else the host will time out.
 127         */
 128        unsigned                        usermode_setup : 1,
 129                                        setup_in : 1,
 130                                        setup_can_stall : 1,
 131                                        setup_out_ready : 1,
 132                                        setup_out_error : 1,
 133                                        setup_abort : 1,
 134                                        gadget_registered : 1;
 135        unsigned                        setup_wLength;
 136
 137        /* the rest is basically write-once */
 138        struct usb_config_descriptor    *config, *hs_config;
 139        struct usb_device_descriptor    *dev;
 140        struct usb_request              *req;
 141        struct usb_gadget               *gadget;
 142        struct list_head                epfiles;
 143        void                            *buf;
 144        wait_queue_head_t               wait;
 145        struct super_block              *sb;
 146        struct dentry                   *dentry;
 147
 148        /* except this scratch i/o buffer for ep0 */
 149        u8                              rbuf [256];
 150};
 151
 152static inline void get_dev (struct dev_data *data)
 153{
 154        atomic_inc (&data->count);
 155}
 156
 157static void put_dev (struct dev_data *data)
 158{
 159        if (likely (!atomic_dec_and_test (&data->count)))
 160                return;
 161        /* needs no more cleanup */
 162        BUG_ON (waitqueue_active (&data->wait));
 163        kfree (data);
 164}
 165
 166static struct dev_data *dev_new (void)
 167{
 168        struct dev_data         *dev;
 169
 170        dev = kzalloc(sizeof(*dev), GFP_KERNEL);
 171        if (!dev)
 172                return NULL;
 173        dev->state = STATE_DEV_DISABLED;
 174        atomic_set (&dev->count, 1);
 175        spin_lock_init (&dev->lock);
 176        INIT_LIST_HEAD (&dev->epfiles);
 177        init_waitqueue_head (&dev->wait);
 178        return dev;
 179}
 180
 181/*----------------------------------------------------------------------*/
 182
 183/* other /dev/gadget/$ENDPOINT files represent endpoints */
 184enum ep_state {
 185        STATE_EP_DISABLED = 0,
 186        STATE_EP_READY,
 187        STATE_EP_ENABLED,
 188        STATE_EP_UNBOUND,
 189};
 190
 191struct ep_data {
 192        struct mutex                    lock;
 193        enum ep_state                   state;
 194        atomic_t                        count;
 195        struct dev_data                 *dev;
 196        /* must hold dev->lock before accessing ep or req */
 197        struct usb_ep                   *ep;
 198        struct usb_request              *req;
 199        ssize_t                         status;
 200        char                            name [16];
 201        struct usb_endpoint_descriptor  desc, hs_desc;
 202        struct list_head                epfiles;
 203        wait_queue_head_t               wait;
 204        struct dentry                   *dentry;
 205};
 206
 207static inline void get_ep (struct ep_data *data)
 208{
 209        atomic_inc (&data->count);
 210}
 211
 212static void put_ep (struct ep_data *data)
 213{
 214        if (likely (!atomic_dec_and_test (&data->count)))
 215                return;
 216        put_dev (data->dev);
 217        /* needs no more cleanup */
 218        BUG_ON (!list_empty (&data->epfiles));
 219        BUG_ON (waitqueue_active (&data->wait));
 220        kfree (data);
 221}
 222
 223/*----------------------------------------------------------------------*/
 224
 225/* most "how to use the hardware" policy choices are in userspace:
 226 * mapping endpoint roles (which the driver needs) to the capabilities
 227 * which the usb controller has.  most of those capabilities are exposed
 228 * implicitly, starting with the driver name and then endpoint names.
 229 */
 230
 231static const char *CHIP;
 232
 233/*----------------------------------------------------------------------*/
 234
 235/* NOTE:  don't use dev_printk calls before binding to the gadget
 236 * at the end of ep0 configuration, or after unbind.
 237 */
 238
 239/* too wordy: dev_printk(level , &(d)->gadget->dev , fmt , ## args) */
 240#define xprintk(d,level,fmt,args...) \
 241        printk(level "%s: " fmt , shortname , ## args)
 242
 243#ifdef DEBUG
 244#define DBG(dev,fmt,args...) \
 245        xprintk(dev , KERN_DEBUG , fmt , ## args)
 246#else
 247#define DBG(dev,fmt,args...) \
 248        do { } while (0)
 249#endif /* DEBUG */
 250
 251#ifdef VERBOSE_DEBUG
 252#define VDEBUG  DBG
 253#else
 254#define VDEBUG(dev,fmt,args...) \
 255        do { } while (0)
 256#endif /* DEBUG */
 257
 258#define ERROR(dev,fmt,args...) \
 259        xprintk(dev , KERN_ERR , fmt , ## args)
 260#define INFO(dev,fmt,args...) \
 261        xprintk(dev , KERN_INFO , fmt , ## args)
 262
 263
 264/*----------------------------------------------------------------------*/
 265
 266/* SYNCHRONOUS ENDPOINT OPERATIONS (bulk/intr/iso)
 267 *
 268 * After opening, configure non-control endpoints.  Then use normal
 269 * stream read() and write() requests; and maybe ioctl() to get more
 270 * precise FIFO status when recovering from cancellation.
 271 */
 272
 273static void epio_complete (struct usb_ep *ep, struct usb_request *req)
 274{
 275        struct ep_data  *epdata = ep->driver_data;
 276
 277        if (!req->context)
 278                return;
 279        if (req->status)
 280                epdata->status = req->status;
 281        else
 282                epdata->status = req->actual;
 283        complete ((struct completion *)req->context);
 284}
 285
 286/* tasklock endpoint, returning when it's connected.
 287 * still need dev->lock to use epdata->ep.
 288 */
 289static int
 290get_ready_ep (unsigned f_flags, struct ep_data *epdata, bool is_write)
 291{
 292        int     val;
 293
 294        if (f_flags & O_NONBLOCK) {
 295                if (!mutex_trylock(&epdata->lock))
 296                        goto nonblock;
 297                if (epdata->state != STATE_EP_ENABLED &&
 298                    (!is_write || epdata->state != STATE_EP_READY)) {
 299                        mutex_unlock(&epdata->lock);
 300nonblock:
 301                        val = -EAGAIN;
 302                } else
 303                        val = 0;
 304                return val;
 305        }
 306
 307        val = mutex_lock_interruptible(&epdata->lock);
 308        if (val < 0)
 309                return val;
 310
 311        switch (epdata->state) {
 312        case STATE_EP_ENABLED:
 313                return 0;
 314        case STATE_EP_READY:                    /* not configured yet */
 315                if (is_write)
 316                        return 0;
 317                // FALLTHRU
 318        case STATE_EP_UNBOUND:                  /* clean disconnect */
 319                break;
 320        // case STATE_EP_DISABLED:              /* "can't happen" */
 321        default:                                /* error! */
 322                pr_debug ("%s: ep %p not available, state %d\n",
 323                                shortname, epdata, epdata->state);
 324        }
 325        mutex_unlock(&epdata->lock);
 326        return -ENODEV;
 327}
 328
 329static ssize_t
 330ep_io (struct ep_data *epdata, void *buf, unsigned len)
 331{
 332        DECLARE_COMPLETION_ONSTACK (done);
 333        int value;
 334
 335        spin_lock_irq (&epdata->dev->lock);
 336        if (likely (epdata->ep != NULL)) {
 337                struct usb_request      *req = epdata->req;
 338
 339                req->context = &done;
 340                req->complete = epio_complete;
 341                req->buf = buf;
 342                req->length = len;
 343                value = usb_ep_queue (epdata->ep, req, GFP_ATOMIC);
 344        } else
 345                value = -ENODEV;
 346        spin_unlock_irq (&epdata->dev->lock);
 347
 348        if (likely (value == 0)) {
 349                value = wait_event_interruptible (done.wait, done.done);
 350                if (value != 0) {
 351                        spin_lock_irq (&epdata->dev->lock);
 352                        if (likely (epdata->ep != NULL)) {
 353                                DBG (epdata->dev, "%s i/o interrupted\n",
 354                                                epdata->name);
 355                                usb_ep_dequeue (epdata->ep, epdata->req);
 356                                spin_unlock_irq (&epdata->dev->lock);
 357
 358                                wait_event (done.wait, done.done);
 359                                if (epdata->status == -ECONNRESET)
 360                                        epdata->status = -EINTR;
 361                        } else {
 362                                spin_unlock_irq (&epdata->dev->lock);
 363
 364                                DBG (epdata->dev, "endpoint gone\n");
 365                                epdata->status = -ENODEV;
 366                        }
 367                }
 368                return epdata->status;
 369        }
 370        return value;
 371}
 372
 373static int
 374ep_release (struct inode *inode, struct file *fd)
 375{
 376        struct ep_data          *data = fd->private_data;
 377        int value;
 378
 379        value = mutex_lock_interruptible(&data->lock);
 380        if (value < 0)
 381                return value;
 382
 383        /* clean up if this can be reopened */
 384        if (data->state != STATE_EP_UNBOUND) {
 385                data->state = STATE_EP_DISABLED;
 386                data->desc.bDescriptorType = 0;
 387                data->hs_desc.bDescriptorType = 0;
 388                usb_ep_disable(data->ep);
 389        }
 390        mutex_unlock(&data->lock);
 391        put_ep (data);
 392        return 0;
 393}
 394
 395static long ep_ioctl(struct file *fd, unsigned code, unsigned long value)
 396{
 397        struct ep_data          *data = fd->private_data;
 398        int                     status;
 399
 400        if ((status = get_ready_ep (fd->f_flags, data, false)) < 0)
 401                return status;
 402
 403        spin_lock_irq (&data->dev->lock);
 404        if (likely (data->ep != NULL)) {
 405                switch (code) {
 406                case GADGETFS_FIFO_STATUS:
 407                        status = usb_ep_fifo_status (data->ep);
 408                        break;
 409                case GADGETFS_FIFO_FLUSH:
 410                        usb_ep_fifo_flush (data->ep);
 411                        break;
 412                case GADGETFS_CLEAR_HALT:
 413                        status = usb_ep_clear_halt (data->ep);
 414                        break;
 415                default:
 416                        status = -ENOTTY;
 417                }
 418        } else
 419                status = -ENODEV;
 420        spin_unlock_irq (&data->dev->lock);
 421        mutex_unlock(&data->lock);
 422        return status;
 423}
 424
 425/*----------------------------------------------------------------------*/
 426
 427/* ASYNCHRONOUS ENDPOINT I/O OPERATIONS (bulk/intr/iso) */
 428
 429struct kiocb_priv {
 430        struct usb_request      *req;
 431        struct ep_data          *epdata;
 432        struct kiocb            *iocb;
 433        struct mm_struct        *mm;
 434        struct work_struct      work;
 435        void                    *buf;
 436        struct iov_iter         to;
 437        const void              *to_free;
 438        unsigned                actual;
 439};
 440
 441static int ep_aio_cancel(struct kiocb *iocb)
 442{
 443        struct kiocb_priv       *priv = iocb->private;
 444        struct ep_data          *epdata;
 445        int                     value;
 446
 447        local_irq_disable();
 448        epdata = priv->epdata;
 449        // spin_lock(&epdata->dev->lock);
 450        if (likely(epdata && epdata->ep && priv->req))
 451                value = usb_ep_dequeue (epdata->ep, priv->req);
 452        else
 453                value = -EINVAL;
 454        // spin_unlock(&epdata->dev->lock);
 455        local_irq_enable();
 456
 457        return value;
 458}
 459
 460static void ep_user_copy_worker(struct work_struct *work)
 461{
 462        struct kiocb_priv *priv = container_of(work, struct kiocb_priv, work);
 463        struct mm_struct *mm = priv->mm;
 464        struct kiocb *iocb = priv->iocb;
 465        size_t ret;
 466
 467        use_mm(mm);
 468        ret = copy_to_iter(priv->buf, priv->actual, &priv->to);
 469        unuse_mm(mm);
 470        if (!ret)
 471                ret = -EFAULT;
 472
 473        /* completing the iocb can drop the ctx and mm, don't touch mm after */
 474        iocb->ki_complete(iocb, ret, ret);
 475
 476        kfree(priv->buf);
 477        kfree(priv->to_free);
 478        kfree(priv);
 479}
 480
 481static void ep_aio_complete(struct usb_ep *ep, struct usb_request *req)
 482{
 483        struct kiocb            *iocb = req->context;
 484        struct kiocb_priv       *priv = iocb->private;
 485        struct ep_data          *epdata = priv->epdata;
 486
 487        /* lock against disconnect (and ideally, cancel) */
 488        spin_lock(&epdata->dev->lock);
 489        priv->req = NULL;
 490        priv->epdata = NULL;
 491
 492        /* if this was a write or a read returning no data then we
 493         * don't need to copy anything to userspace, so we can
 494         * complete the aio request immediately.
 495         */
 496        if (priv->to_free == NULL || unlikely(req->actual == 0)) {
 497                kfree(req->buf);
 498                kfree(priv->to_free);
 499                kfree(priv);
 500                iocb->private = NULL;
 501                /* aio_complete() reports bytes-transferred _and_ faults */
 502
 503                iocb->ki_complete(iocb, req->actual ? req->actual : req->status,
 504                                req->status);
 505        } else {
 506                /* ep_copy_to_user() won't report both; we hide some faults */
 507                if (unlikely(0 != req->status))
 508                        DBG(epdata->dev, "%s fault %d len %d\n",
 509                                ep->name, req->status, req->actual);
 510
 511                priv->buf = req->buf;
 512                priv->actual = req->actual;
 513                INIT_WORK(&priv->work, ep_user_copy_worker);
 514                schedule_work(&priv->work);
 515        }
 516        spin_unlock(&epdata->dev->lock);
 517
 518        usb_ep_free_request(ep, req);
 519        put_ep(epdata);
 520}
 521
 522static ssize_t ep_aio(struct kiocb *iocb,
 523                      struct kiocb_priv *priv,
 524                      struct ep_data *epdata,
 525                      char *buf,
 526                      size_t len)
 527{
 528        struct usb_request *req;
 529        ssize_t value;
 530
 531        iocb->private = priv;
 532        priv->iocb = iocb;
 533
 534        kiocb_set_cancel_fn(iocb, ep_aio_cancel);
 535        get_ep(epdata);
 536        priv->epdata = epdata;
 537        priv->actual = 0;
 538        priv->mm = current->mm; /* mm teardown waits for iocbs in exit_aio() */
 539
 540        /* each kiocb is coupled to one usb_request, but we can't
 541         * allocate or submit those if the host disconnected.
 542         */
 543        spin_lock_irq(&epdata->dev->lock);
 544        value = -ENODEV;
 545        if (unlikely(epdata->ep))
 546                goto fail;
 547
 548        req = usb_ep_alloc_request(epdata->ep, GFP_ATOMIC);
 549        value = -ENOMEM;
 550        if (unlikely(!req))
 551                goto fail;
 552
 553        priv->req = req;
 554        req->buf = buf;
 555        req->length = len;
 556        req->complete = ep_aio_complete;
 557        req->context = iocb;
 558        value = usb_ep_queue(epdata->ep, req, GFP_ATOMIC);
 559        if (unlikely(0 != value)) {
 560                usb_ep_free_request(epdata->ep, req);
 561                goto fail;
 562        }
 563        spin_unlock_irq(&epdata->dev->lock);
 564        return -EIOCBQUEUED;
 565
 566fail:
 567        spin_unlock_irq(&epdata->dev->lock);
 568        kfree(priv->to_free);
 569        kfree(priv);
 570        put_ep(epdata);
 571        return value;
 572}
 573
 574static ssize_t
 575ep_read_iter(struct kiocb *iocb, struct iov_iter *to)
 576{
 577        struct file *file = iocb->ki_filp;
 578        struct ep_data *epdata = file->private_data;
 579        size_t len = iov_iter_count(to);
 580        ssize_t value;
 581        char *buf;
 582
 583        if ((value = get_ready_ep(file->f_flags, epdata, false)) < 0)
 584                return value;
 585
 586        /* halt any endpoint by doing a "wrong direction" i/o call */
 587        if (usb_endpoint_dir_in(&epdata->desc)) {
 588                if (usb_endpoint_xfer_isoc(&epdata->desc) ||
 589                    !is_sync_kiocb(iocb)) {
 590                        mutex_unlock(&epdata->lock);
 591                        return -EINVAL;
 592                }
 593                DBG (epdata->dev, "%s halt\n", epdata->name);
 594                spin_lock_irq(&epdata->dev->lock);
 595                if (likely(epdata->ep != NULL))
 596                        usb_ep_set_halt(epdata->ep);
 597                spin_unlock_irq(&epdata->dev->lock);
 598                mutex_unlock(&epdata->lock);
 599                return -EBADMSG;
 600        }
 601
 602        buf = kmalloc(len, GFP_KERNEL);
 603        if (unlikely(!buf)) {
 604                mutex_unlock(&epdata->lock);
 605                return -ENOMEM;
 606        }
 607        if (is_sync_kiocb(iocb)) {
 608                value = ep_io(epdata, buf, len);
 609                if (value >= 0 && copy_to_iter(buf, value, to))
 610                        value = -EFAULT;
 611        } else {
 612                struct kiocb_priv *priv = kzalloc(sizeof *priv, GFP_KERNEL);
 613                value = -ENOMEM;
 614                if (!priv)
 615                        goto fail;
 616                priv->to_free = dup_iter(&priv->to, to, GFP_KERNEL);
 617                if (!priv->to_free) {
 618                        kfree(priv);
 619                        goto fail;
 620                }
 621                value = ep_aio(iocb, priv, epdata, buf, len);
 622                if (value == -EIOCBQUEUED)
 623                        buf = NULL;
 624        }
 625fail:
 626        kfree(buf);
 627        mutex_unlock(&epdata->lock);
 628        return value;
 629}
 630
 631static ssize_t ep_config(struct ep_data *, const char *, size_t);
 632
 633static ssize_t
 634ep_write_iter(struct kiocb *iocb, struct iov_iter *from)
 635{
 636        struct file *file = iocb->ki_filp;
 637        struct ep_data *epdata = file->private_data;
 638        size_t len = iov_iter_count(from);
 639        bool configured;
 640        ssize_t value;
 641        char *buf;
 642
 643        if ((value = get_ready_ep(file->f_flags, epdata, true)) < 0)
 644                return value;
 645
 646        configured = epdata->state == STATE_EP_ENABLED;
 647
 648        /* halt any endpoint by doing a "wrong direction" i/o call */
 649        if (configured && !usb_endpoint_dir_in(&epdata->desc)) {
 650                if (usb_endpoint_xfer_isoc(&epdata->desc) ||
 651                    !is_sync_kiocb(iocb)) {
 652                        mutex_unlock(&epdata->lock);
 653                        return -EINVAL;
 654                }
 655                DBG (epdata->dev, "%s halt\n", epdata->name);
 656                spin_lock_irq(&epdata->dev->lock);
 657                if (likely(epdata->ep != NULL))
 658                        usb_ep_set_halt(epdata->ep);
 659                spin_unlock_irq(&epdata->dev->lock);
 660                mutex_unlock(&epdata->lock);
 661                return -EBADMSG;
 662        }
 663
 664        buf = kmalloc(len, GFP_KERNEL);
 665        if (unlikely(!buf)) {
 666                mutex_unlock(&epdata->lock);
 667                return -ENOMEM;
 668        }
 669
 670        if (unlikely(copy_from_iter(buf, len, from) != len)) {
 671                value = -EFAULT;
 672                goto out;
 673        }
 674
 675        if (unlikely(!configured)) {
 676                value = ep_config(epdata, buf, len);
 677        } else if (is_sync_kiocb(iocb)) {
 678                value = ep_io(epdata, buf, len);
 679        } else {
 680                struct kiocb_priv *priv = kzalloc(sizeof *priv, GFP_KERNEL);
 681                value = -ENOMEM;
 682                if (priv) {
 683                        value = ep_aio(iocb, priv, epdata, buf, len);
 684                        if (value == -EIOCBQUEUED)
 685                                buf = NULL;
 686                }
 687        }
 688out:
 689        kfree(buf);
 690        mutex_unlock(&epdata->lock);
 691        return value;
 692}
 693
 694/*----------------------------------------------------------------------*/
 695
 696/* used after endpoint configuration */
 697static const struct file_operations ep_io_operations = {
 698        .owner =        THIS_MODULE,
 699
 700        .open =         ep_open,
 701        .release =      ep_release,
 702        .llseek =       no_llseek,
 703        .unlocked_ioctl = ep_ioctl,
 704        .read_iter =    ep_read_iter,
 705        .write_iter =   ep_write_iter,
 706};
 707
 708/* ENDPOINT INITIALIZATION
 709 *
 710 *     fd = open ("/dev/gadget/$ENDPOINT", O_RDWR)
 711 *     status = write (fd, descriptors, sizeof descriptors)
 712 *
 713 * That write establishes the endpoint configuration, configuring
 714 * the controller to process bulk, interrupt, or isochronous transfers
 715 * at the right maxpacket size, and so on.
 716 *
 717 * The descriptors are message type 1, identified by a host order u32
 718 * at the beginning of what's written.  Descriptor order is: full/low
 719 * speed descriptor, then optional high speed descriptor.
 720 */
 721static ssize_t
 722ep_config (struct ep_data *data, const char *buf, size_t len)
 723{
 724        struct usb_ep           *ep;
 725        u32                     tag;
 726        int                     value, length = len;
 727
 728        if (data->state != STATE_EP_READY) {
 729                value = -EL2HLT;
 730                goto fail;
 731        }
 732
 733        value = len;
 734        if (len < USB_DT_ENDPOINT_SIZE + 4)
 735                goto fail0;
 736
 737        /* we might need to change message format someday */
 738        memcpy(&tag, buf, 4);
 739        if (tag != 1) {
 740                DBG(data->dev, "config %s, bad tag %d\n", data->name, tag);
 741                goto fail0;
 742        }
 743        buf += 4;
 744        len -= 4;
 745
 746        /* NOTE:  audio endpoint extensions not accepted here;
 747         * just don't include the extra bytes.
 748         */
 749
 750        /* full/low speed descriptor, then high speed */
 751        memcpy(&data->desc, buf, USB_DT_ENDPOINT_SIZE);
 752        if (data->desc.bLength != USB_DT_ENDPOINT_SIZE
 753                        || data->desc.bDescriptorType != USB_DT_ENDPOINT)
 754                goto fail0;
 755        if (len != USB_DT_ENDPOINT_SIZE) {
 756                if (len != 2 * USB_DT_ENDPOINT_SIZE)
 757                        goto fail0;
 758                memcpy(&data->hs_desc, buf + USB_DT_ENDPOINT_SIZE,
 759                        USB_DT_ENDPOINT_SIZE);
 760                if (data->hs_desc.bLength != USB_DT_ENDPOINT_SIZE
 761                                || data->hs_desc.bDescriptorType
 762                                        != USB_DT_ENDPOINT) {
 763                        DBG(data->dev, "config %s, bad hs length or type\n",
 764                                        data->name);
 765                        goto fail0;
 766                }
 767        }
 768
 769        spin_lock_irq (&data->dev->lock);
 770        if (data->dev->state == STATE_DEV_UNBOUND) {
 771                value = -ENOENT;
 772                goto gone;
 773        } else {
 774                ep = data->ep;
 775                if (ep == NULL) {
 776                        value = -ENODEV;
 777                        goto gone;
 778                }
 779        }
 780        switch (data->dev->gadget->speed) {
 781        case USB_SPEED_LOW:
 782        case USB_SPEED_FULL:
 783                ep->desc = &data->desc;
 784                break;
 785        case USB_SPEED_HIGH:
 786                /* fails if caller didn't provide that descriptor... */
 787                ep->desc = &data->hs_desc;
 788                break;
 789        default:
 790                DBG(data->dev, "unconnected, %s init abandoned\n",
 791                                data->name);
 792                value = -EINVAL;
 793                goto gone;
 794        }
 795        value = usb_ep_enable(ep);
 796        if (value == 0) {
 797                data->state = STATE_EP_ENABLED;
 798                value = length;
 799        }
 800gone:
 801        spin_unlock_irq (&data->dev->lock);
 802        if (value < 0) {
 803fail:
 804                data->desc.bDescriptorType = 0;
 805                data->hs_desc.bDescriptorType = 0;
 806        }
 807        return value;
 808fail0:
 809        value = -EINVAL;
 810        goto fail;
 811}
 812
 813static int
 814ep_open (struct inode *inode, struct file *fd)
 815{
 816        struct ep_data          *data = inode->i_private;
 817        int                     value = -EBUSY;
 818
 819        if (mutex_lock_interruptible(&data->lock) != 0)
 820                return -EINTR;
 821        spin_lock_irq (&data->dev->lock);
 822        if (data->dev->state == STATE_DEV_UNBOUND)
 823                value = -ENOENT;
 824        else if (data->state == STATE_EP_DISABLED) {
 825                value = 0;
 826                data->state = STATE_EP_READY;
 827                get_ep (data);
 828                fd->private_data = data;
 829                VDEBUG (data->dev, "%s ready\n", data->name);
 830        } else
 831                DBG (data->dev, "%s state %d\n",
 832                        data->name, data->state);
 833        spin_unlock_irq (&data->dev->lock);
 834        mutex_unlock(&data->lock);
 835        return value;
 836}
 837
 838/*----------------------------------------------------------------------*/
 839
 840/* EP0 IMPLEMENTATION can be partly in userspace.
 841 *
 842 * Drivers that use this facility receive various events, including
 843 * control requests the kernel doesn't handle.  Drivers that don't
 844 * use this facility may be too simple-minded for real applications.
 845 */
 846
 847static inline void ep0_readable (struct dev_data *dev)
 848{
 849        wake_up (&dev->wait);
 850        kill_fasync (&dev->fasync, SIGIO, POLL_IN);
 851}
 852
 853static void clean_req (struct usb_ep *ep, struct usb_request *req)
 854{
 855        struct dev_data         *dev = ep->driver_data;
 856
 857        if (req->buf != dev->rbuf) {
 858                kfree(req->buf);
 859                req->buf = dev->rbuf;
 860        }
 861        req->complete = epio_complete;
 862        dev->setup_out_ready = 0;
 863}
 864
 865static void ep0_complete (struct usb_ep *ep, struct usb_request *req)
 866{
 867        struct dev_data         *dev = ep->driver_data;
 868        unsigned long           flags;
 869        int                     free = 1;
 870
 871        /* for control OUT, data must still get to userspace */
 872        spin_lock_irqsave(&dev->lock, flags);
 873        if (!dev->setup_in) {
 874                dev->setup_out_error = (req->status != 0);
 875                if (!dev->setup_out_error)
 876                        free = 0;
 877                dev->setup_out_ready = 1;
 878                ep0_readable (dev);
 879        }
 880
 881        /* clean up as appropriate */
 882        if (free && req->buf != &dev->rbuf)
 883                clean_req (ep, req);
 884        req->complete = epio_complete;
 885        spin_unlock_irqrestore(&dev->lock, flags);
 886}
 887
 888static int setup_req (struct usb_ep *ep, struct usb_request *req, u16 len)
 889{
 890        struct dev_data *dev = ep->driver_data;
 891
 892        if (dev->setup_out_ready) {
 893                DBG (dev, "ep0 request busy!\n");
 894                return -EBUSY;
 895        }
 896        if (len > sizeof (dev->rbuf))
 897                req->buf = kmalloc(len, GFP_ATOMIC);
 898        if (req->buf == NULL) {
 899                req->buf = dev->rbuf;
 900                return -ENOMEM;
 901        }
 902        req->complete = ep0_complete;
 903        req->length = len;
 904        req->zero = 0;
 905        return 0;
 906}
 907
 908static ssize_t
 909ep0_read (struct file *fd, char __user *buf, size_t len, loff_t *ptr)
 910{
 911        struct dev_data                 *dev = fd->private_data;
 912        ssize_t                         retval;
 913        enum ep0_state                  state;
 914
 915        spin_lock_irq (&dev->lock);
 916        if (dev->state <= STATE_DEV_OPENED) {
 917                retval = -EINVAL;
 918                goto done;
 919        }
 920
 921        /* report fd mode change before acting on it */
 922        if (dev->setup_abort) {
 923                dev->setup_abort = 0;
 924                retval = -EIDRM;
 925                goto done;
 926        }
 927
 928        /* control DATA stage */
 929        if ((state = dev->state) == STATE_DEV_SETUP) {
 930
 931                if (dev->setup_in) {            /* stall IN */
 932                        VDEBUG(dev, "ep0in stall\n");
 933                        (void) usb_ep_set_halt (dev->gadget->ep0);
 934                        retval = -EL2HLT;
 935                        dev->state = STATE_DEV_CONNECTED;
 936
 937                } else if (len == 0) {          /* ack SET_CONFIGURATION etc */
 938                        struct usb_ep           *ep = dev->gadget->ep0;
 939                        struct usb_request      *req = dev->req;
 940
 941                        if ((retval = setup_req (ep, req, 0)) == 0)
 942                                retval = usb_ep_queue (ep, req, GFP_ATOMIC);
 943                        dev->state = STATE_DEV_CONNECTED;
 944
 945                        /* assume that was SET_CONFIGURATION */
 946                        if (dev->current_config) {
 947                                unsigned power;
 948
 949                                if (gadget_is_dualspeed(dev->gadget)
 950                                                && (dev->gadget->speed
 951                                                        == USB_SPEED_HIGH))
 952                                        power = dev->hs_config->bMaxPower;
 953                                else
 954                                        power = dev->config->bMaxPower;
 955                                usb_gadget_vbus_draw(dev->gadget, 2 * power);
 956                        }
 957
 958                } else {                        /* collect OUT data */
 959                        if ((fd->f_flags & O_NONBLOCK) != 0
 960                                        && !dev->setup_out_ready) {
 961                                retval = -EAGAIN;
 962                                goto done;
 963                        }
 964                        spin_unlock_irq (&dev->lock);
 965                        retval = wait_event_interruptible (dev->wait,
 966                                        dev->setup_out_ready != 0);
 967
 968                        /* FIXME state could change from under us */
 969                        spin_lock_irq (&dev->lock);
 970                        if (retval)
 971                                goto done;
 972
 973                        if (dev->state != STATE_DEV_SETUP) {
 974                                retval = -ECANCELED;
 975                                goto done;
 976                        }
 977                        dev->state = STATE_DEV_CONNECTED;
 978
 979                        if (dev->setup_out_error)
 980                                retval = -EIO;
 981                        else {
 982                                len = min (len, (size_t)dev->req->actual);
 983// FIXME don't call this with the spinlock held ...
 984                                if (copy_to_user (buf, dev->req->buf, len))
 985                                        retval = -EFAULT;
 986                                else
 987                                        retval = len;
 988                                clean_req (dev->gadget->ep0, dev->req);
 989                                /* NOTE userspace can't yet choose to stall */
 990                        }
 991                }
 992                goto done;
 993        }
 994
 995        /* else normal: return event data */
 996        if (len < sizeof dev->event [0]) {
 997                retval = -EINVAL;
 998                goto done;
 999        }
1000        len -= len % sizeof (struct usb_gadgetfs_event);

1001        dev->usermode_setup = 1;
1002
1003scan:
1004        /* return queued events right away */
1005        if (dev->ev_next != 0) {
1006                unsigned                i, n;
1007
1008                n = len / sizeof (struct usb_gadgetfs_event);
1009                if (dev->ev_next < n)
1010                        n = dev->ev_next;
1011
1012                /* ep0 i/o has special semantics during STATE_DEV_SETUP */
1013                for (i = 0; i < n; i++) {
1014                        if (dev->event [i].type == GADGETFS_SETUP) {
1015                                dev->state = STATE_DEV_SETUP;
1016                                n = i + 1;
1017                                break;
1018                        }
1019                }
1020                spin_unlock_irq (&dev->lock);
1021                len = n * sizeof (struct usb_gadgetfs_event);
1022                if (copy_to_user (buf, &dev->event, len))
1023                        retval = -EFAULT;
1024                else
1025                        retval = len;
1026                if (len > 0) {
1027                        /* NOTE this doesn't guard against broken drivers;
1028                         * concurrent ep0 readers may lose events.
1029                         */
1030                        spin_lock_irq (&dev->lock);
1031                        if (dev->ev_next > n) {
1032                                memmove(&dev->event[0], &dev->event[n],
1033                                        sizeof (struct usb_gadgetfs_event)
1034                                                * (dev->ev_next - n));
1035                        }
1036                        dev->ev_next -= n;
1037                        spin_unlock_irq (&dev->lock);
1038                }
1039                return retval;
1040        }
1041        if (fd->f_flags & O_NONBLOCK) {
1042                retval = -EAGAIN;
1043                goto done;
1044        }
1045
1046        switch (state) {
1047        default:
1048                DBG (dev, "fail %s, state %d\n", __func__, state);
1049                retval = -ESRCH;
1050                break;
1051        case STATE_DEV_UNCONNECTED:
1052        case STATE_DEV_CONNECTED:
1053                spin_unlock_irq (&dev->lock);
1054                DBG (dev, "%s wait\n", __func__);
1055
1056                /* wait for events */
1057                retval = wait_event_interruptible (dev->wait,
1058                                dev->ev_next != 0);
1059                if (retval < 0)
1060                        return retval;
1061                spin_lock_irq (&dev->lock);
1062                goto scan;
1063        }
1064
1065done:
1066        spin_unlock_irq (&dev->lock);
1067        return retval;
1068}
1069
1070static struct usb_gadgetfs_event *
1071next_event (struct dev_data *dev, enum usb_gadgetfs_event_type type)
1072{
1073        struct usb_gadgetfs_event       *event;
1074        unsigned                        i;
1075
1076        switch (type) {
1077        /* these events purge the queue */
1078        case GADGETFS_DISCONNECT:
1079                if (dev->state == STATE_DEV_SETUP)
1080                        dev->setup_abort = 1;
1081                // FALL THROUGH
1082        case GADGETFS_CONNECT:
1083                dev->ev_next = 0;
1084                break;
1085        case GADGETFS_SETUP:            /* previous request timed out */
1086        case GADGETFS_SUSPEND:          /* same effect */
1087                /* these events can't be repeated */
1088                for (i = 0; i != dev->ev_next; i++) {
1089                        if (dev->event [i].type != type)
1090                                continue;
1091                        DBG(dev, "discard old event[%d] %d\n", i, type);
1092                        dev->ev_next--;
1093                        if (i == dev->ev_next)
1094                                break;
1095                        /* indices start at zero, for simplicity */
1096                        memmove (&dev->event [i], &dev->event [i + 1],
1097                                sizeof (struct usb_gadgetfs_event)
1098                                        * (dev->ev_next - i));
1099                }
1100                break;
1101        default:
1102                BUG ();
1103        }
1104        VDEBUG(dev, "event[%d] = %d\n", dev->ev_next, type);
1105        event = &dev->event [dev->ev_next++];
1106        BUG_ON (dev->ev_next > N_EVENT);
1107        memset (event, 0, sizeof *event);
1108        event->type = type;
1109        return event;
1110}
1111
1112static ssize_t
1113ep0_write (struct file *fd, const char __user *buf, size_t len, loff_t *ptr)
1114{
1115        struct dev_data         *dev = fd->private_data;
1116        ssize_t                 retval = -ESRCH;
1117
1118        /* report fd mode change before acting on it */
1119        if (dev->setup_abort) {
1120                dev->setup_abort = 0;
1121                retval = -EIDRM;
1122
1123        /* data and/or status stage for control request */
1124        } else if (dev->state == STATE_DEV_SETUP) {
1125
1126                /* IN DATA+STATUS caller makes len <= wLength */
1127                if (dev->setup_in) {
1128                        retval = setup_req (dev->gadget->ep0, dev->req, len);
1129                        if (retval == 0) {
1130                                dev->state = STATE_DEV_CONNECTED;
1131                                spin_unlock_irq (&dev->lock);
1132                                if (copy_from_user (dev->req->buf, buf, len))
1133                                        retval = -EFAULT;
1134                                else {
1135                                        if (len < dev->setup_wLength)
1136                                                dev->req->zero = 1;
1137                                        retval = usb_ep_queue (
1138                                                dev->gadget->ep0, dev->req,
1139                                                GFP_KERNEL);
1140                                }
1141                                spin_lock_irq(&dev->lock);
1142                                if (retval < 0) {
1143                                        clean_req (dev->gadget->ep0, dev->req);
1144                                } else
1145                                        retval = len;
1146
1147                                return retval;
1148                        }
1149
1150                /* can stall some OUT transfers */
1151                } else if (dev->setup_can_stall) {
1152                        VDEBUG(dev, "ep0out stall\n");
1153                        (void) usb_ep_set_halt (dev->gadget->ep0);
1154                        retval = -EL2HLT;
1155                        dev->state = STATE_DEV_CONNECTED;
1156                } else {
1157                        DBG(dev, "bogus ep0out stall!\n");
1158                }
1159        } else
1160                DBG (dev, "fail %s, state %d\n", __func__, dev->state);
1161
1162        return retval;
1163}
1164
1165static int
1166ep0_fasync (int f, struct file *fd, int on)
1167{
1168        struct dev_data         *dev = fd->private_data;
1169        // caller must F_SETOWN before signal delivery happens
1170        VDEBUG (dev, "%s %s\n", __func__, on ? "on" : "off");
1171        return fasync_helper (f, fd, on, &dev->fasync);
1172}
1173
1174static struct usb_gadget_driver gadgetfs_driver;
1175
1176static int
1177dev_release (struct inode *inode, struct file *fd)
1178{
1179        struct dev_data         *dev = fd->private_data;
1180
1181        /* closing ep0 === shutdown all */
1182
1183        if (dev->gadget_registered)
1184                usb_gadget_unregister_driver (&gadgetfs_driver);
1185
1186        /* at this point "good" hardware has disconnected the
1187         * device from USB; the host won't see it any more.
1188         * alternatively, all host requests will time out.
1189         */
1190
1191        kfree (dev->buf);
1192        dev->buf = NULL;
1193
1194        /* other endpoints were all decoupled from this device */
1195        spin_lock_irq(&dev->lock);
1196        dev->state = STATE_DEV_DISABLED;
1197        spin_unlock_irq(&dev->lock);
1198
1199        put_dev (dev);
1200        return 0;
1201}
1202
1203static unsigned int
1204ep0_poll (struct file *fd, poll_table *wait)
1205{
1206       struct dev_data         *dev = fd->private_data;
1207       int                     mask = 0;
1208
1209        if (dev->state <= STATE_DEV_OPENED)
1210                return DEFAULT_POLLMASK;
1211
1212       poll_wait(fd, &dev->wait, wait);
1213
1214       spin_lock_irq (&dev->lock);
1215
1216       /* report fd mode change before acting on it */
1217       if (dev->setup_abort) {
1218               dev->setup_abort = 0;
1219               mask = POLLHUP;
1220               goto out;
1221       }
1222
1223       if (dev->state == STATE_DEV_SETUP) {
1224               if (dev->setup_in || dev->setup_can_stall)
1225                       mask = POLLOUT;
1226       } else {
1227               if (dev->ev_next != 0)
1228                       mask = POLLIN;
1229       }
1230out:
1231       spin_unlock_irq(&dev->lock);
1232       return mask;
1233}
1234
1235static long dev_ioctl (struct file *fd, unsigned code, unsigned long value)
1236{
1237        struct dev_data         *dev = fd->private_data;
1238        struct usb_gadget       *gadget = dev->gadget;
1239        long ret = -ENOTTY;
1240
1241        if (gadget->ops->ioctl)
1242                ret = gadget->ops->ioctl (gadget, code, value);
1243
1244        return ret;
1245}
1246
1247/*----------------------------------------------------------------------*/
1248
1249/* The in-kernel gadget driver handles most ep0 issues, in particular
1250 * enumerating the single configuration (as provided from user space).
1251 *
1252 * Unrecognized ep0 requests may be handled in user space.
1253 */
1254
1255static void make_qualifier (struct dev_data *dev)
1256{
1257        struct usb_qualifier_descriptor         qual;
1258        struct usb_device_descriptor            *desc;
1259
1260        qual.bLength = sizeof qual;
1261        qual.bDescriptorType = USB_DT_DEVICE_QUALIFIER;
1262        qual.bcdUSB = cpu_to_le16 (0x0200);
1263
1264        desc = dev->dev;
1265        qual.bDeviceClass = desc->bDeviceClass;
1266        qual.bDeviceSubClass = desc->bDeviceSubClass;
1267        qual.bDeviceProtocol = desc->bDeviceProtocol;
1268
1269        /* assumes ep0 uses the same value for both speeds ... */
1270        qual.bMaxPacketSize0 = dev->gadget->ep0->maxpacket;
1271
1272        qual.bNumConfigurations = 1;
1273        qual.bRESERVED = 0;
1274
1275        memcpy (dev->rbuf, &qual, sizeof qual);
1276}
1277
1278static int
1279config_buf (struct dev_data *dev, u8 type, unsigned index)
1280{
1281        int             len;
1282        int             hs = 0;
1283
1284        /* only one configuration */
1285        if (index > 0)
1286                return -EINVAL;
1287
1288        if (gadget_is_dualspeed(dev->gadget)) {
1289                hs = (dev->gadget->speed == USB_SPEED_HIGH);
1290                if (type == USB_DT_OTHER_SPEED_CONFIG)
1291                        hs = !hs;
1292        }
1293        if (hs) {
1294                dev->req->buf = dev->hs_config;
1295                len = le16_to_cpu(dev->hs_config->wTotalLength);
1296        } else {
1297                dev->req->buf = dev->config;
1298                len = le16_to_cpu(dev->config->wTotalLength);
1299        }
1300        ((u8 *)dev->req->buf) [1] = type;
1301        return len;
1302}
1303
1304static int
1305gadgetfs_setup (struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl)
1306{
1307        struct dev_data                 *dev = get_gadget_data (gadget);
1308        struct usb_request              *req = dev->req;
1309        int                             value = -EOPNOTSUPP;
1310        struct usb_gadgetfs_event       *event;
1311        u16                             w_value = le16_to_cpu(ctrl->wValue);
1312        u16                             w_length = le16_to_cpu(ctrl->wLength);
1313
1314        spin_lock (&dev->lock);
1315        dev->setup_abort = 0;
1316        if (dev->state == STATE_DEV_UNCONNECTED) {
1317                if (gadget_is_dualspeed(gadget)
1318                                && gadget->speed == USB_SPEED_HIGH
1319                                && dev->hs_config == NULL) {
1320                        spin_unlock(&dev->lock);
1321                        ERROR (dev, "no high speed config??\n");
1322                        return -EINVAL;
1323                }
1324
1325                dev->state = STATE_DEV_CONNECTED;
1326
1327                INFO (dev, "connected\n");
1328                event = next_event (dev, GADGETFS_CONNECT);
1329                event->u.speed = gadget->speed;
1330                ep0_readable (dev);
1331
1332        /* host may have given up waiting for response.  we can miss control
1333         * requests handled lower down (device/endpoint status and features);
1334         * then ep0_{read,write} will report the wrong status. controller
1335         * driver will have aborted pending i/o.
1336         */
1337        } else if (dev->state == STATE_DEV_SETUP)
1338                dev->setup_abort = 1;
1339
1340        req->buf = dev->rbuf;
1341        req->context = NULL;
1342        value = -EOPNOTSUPP;
1343        switch (ctrl->bRequest) {
1344
1345        case USB_REQ_GET_DESCRIPTOR:
1346                if (ctrl->bRequestType != USB_DIR_IN)
1347                        goto unrecognized;
1348                switch (w_value >> 8) {
1349
1350                case USB_DT_DEVICE:
1351                        value = min (w_length, (u16) sizeof *dev->dev);
1352                        dev->dev->bMaxPacketSize0 = dev->gadget->ep0->maxpacket;
1353                        req->buf = dev->dev;
1354                        break;
1355                case USB_DT_DEVICE_QUALIFIER:
1356                        if (!dev->hs_config)
1357                                break;
1358                        value = min (w_length, (u16)
1359                                sizeof (struct usb_qualifier_descriptor));
1360                        make_qualifier (dev);
1361                        break;
1362                case USB_DT_OTHER_SPEED_CONFIG:
1363                        // FALLTHROUGH
1364                case USB_DT_CONFIG:
1365                        value = config_buf (dev,
1366                                        w_value >> 8,
1367                                        w_value & 0xff);
1368                        if (value >= 0)
1369                                value = min (w_length, (u16) value);
1370                        break;
1371                case USB_DT_STRING:
1372                        goto unrecognized;
1373
1374                default:                // all others are errors
1375                        break;
1376                }
1377                break;
1378
1379        /* currently one config, two speeds */
1380        case USB_REQ_SET_CONFIGURATION:
1381                if (ctrl->bRequestType != 0)
1382                        goto unrecognized;
1383                if (0 == (u8) w_value) {
1384                        value = 0;
1385                        dev->current_config = 0;
1386                        usb_gadget_vbus_draw(gadget, 8 /* mA */ );
1387                        // user mode expected to disable endpoints
1388                } else {
1389                        u8      config, power;
1390
1391                        if (gadget_is_dualspeed(gadget)
1392                                        && gadget->speed == USB_SPEED_HIGH) {
1393                                config = dev->hs_config->bConfigurationValue;
1394                                power = dev->hs_config->bMaxPower;
1395                        } else {
1396                                config = dev->config->bConfigurationValue;
1397                                power = dev->config->bMaxPower;
1398                        }
1399
1400                        if (config == (u8) w_value) {
1401                                value = 0;
1402                                dev->current_config = config;
1403                                usb_gadget_vbus_draw(gadget, 2 * power);
1404                        }
1405                }
1406
1407                /* report SET_CONFIGURATION like any other control request,
1408                 * except that usermode may not stall this.  the next
1409                 * request mustn't be allowed start until this finishes:
1410                 * endpoints and threads set up, etc.
1411                 *
1412                 * NOTE:  older PXA hardware (before PXA 255: without UDCCFR)
1413                 * has bad/racey automagic that prevents synchronizing here.
1414                 * even kernel mode drivers often miss them.
1415                 */
1416                if (value == 0) {
1417                        INFO (dev, "configuration #%d\n", dev->current_config);
1418                        usb_gadget_set_state(gadget, USB_STATE_CONFIGURED);
1419                        if (dev->usermode_setup) {
1420                                dev->setup_can_stall = 0;
1421                                goto delegate;
1422                        }
1423                }
1424                break;
1425
1426#ifndef CONFIG_USB_PXA25X
1427        /* PXA automagically handles this request too */
1428        case USB_REQ_GET_CONFIGURATION:
1429                if (ctrl->bRequestType != 0x80)
1430                        goto unrecognized;
1431                *(u8 *)req->buf = dev->current_config;
1432                value = min (w_length, (u16) 1);
1433                break;
1434#endif
1435
1436        default:
1437unrecognized:
1438                VDEBUG (dev, "%s req%02x.%02x v%04x i%04x l%d\n",
1439                        dev->usermode_setup ? "delegate" : "fail",
1440                        ctrl->bRequestType, ctrl->bRequest,
1441                        w_value, le16_to_cpu(ctrl->wIndex), w_length);
1442
1443                /* if there's an ep0 reader, don't stall */
1444                if (dev->usermode_setup) {
1445                        dev->setup_can_stall = 1;
1446delegate:
1447                        dev->setup_in = (ctrl->bRequestType & USB_DIR_IN)
1448                                                ? 1 : 0;
1449                        dev->setup_wLength = w_length;
1450                        dev->setup_out_ready = 0;
1451                        dev->setup_out_error = 0;
1452                        value = 0;
1453
1454                        /* read DATA stage for OUT right away */
1455                        if (unlikely (!dev->setup_in && w_length)) {
1456                                value = setup_req (gadget->ep0, dev->req,
1457                                                        w_length);
1458                                if (value < 0)
1459                                        break;
1460                                value = usb_ep_queue (gadget->ep0, dev->req,
1461                                                        GFP_ATOMIC);
1462                                if (value < 0) {
1463                                        clean_req (gadget->ep0, dev->req);
1464                                        break;
1465                                }
1466
1467                                /* we can't currently stall these */
1468                                dev->setup_can_stall = 0;
1469                        }
1470
1471                        /* state changes when reader collects event */
1472                        event = next_event (dev, GADGETFS_SETUP);
1473                        event->u.setup = *ctrl;
1474                        ep0_readable (dev);
1475                        spin_unlock (&dev->lock);
1476                        return 0;
1477                }
1478        }
1479
1480        /* proceed with data transfer and status phases? */
1481        if (value >= 0 && dev->state != STATE_DEV_SETUP) {
1482                req->length = value;
1483                req->zero = value < w_length;
1484                value = usb_ep_queue (gadget->ep0, req, GFP_ATOMIC);
1485                if (value < 0) {
1486                        DBG (dev, "ep_queue --> %d\n", value);
1487                        req->status = 0;
1488                }
1489        }
1490
1491        /* device stalls when value < 0 */
1492        spin_unlock (&dev->lock);
1493        return value;
1494}
1495
1496static void destroy_ep_files (struct dev_data *dev)
1497{
1498        DBG (dev, "%s %d\n", __func__, dev->state);
1499
1500        /* dev->state must prevent interference */
1501        spin_lock_irq (&dev->lock);
1502        while (!list_empty(&dev->epfiles)) {
1503                struct ep_data  *ep;
1504                struct inode    *parent;
1505                struct dentry   *dentry;
1506
1507                /* break link to FS */
1508                ep = list_first_entry (&dev->epfiles, struct ep_data, epfiles);
1509                list_del_init (&ep->epfiles);
1510                dentry = ep->dentry;
1511                ep->dentry = NULL;
1512                parent = d_inode(dentry->d_parent);
1513
1514                /* break link to controller */
1515                if (ep->state == STATE_EP_ENABLED)
1516                        (void) usb_ep_disable (ep->ep);
1517                ep->state = STATE_EP_UNBOUND;
1518                usb_ep_free_request (ep->ep, ep->req);
1519                ep->ep = NULL;
1520                wake_up (&ep->wait);
1521                put_ep (ep);
1522
1523                spin_unlock_irq (&dev->lock);
1524
1525                /* break link to dcache */
1526                inode_lock(parent);
1527                d_delete (dentry);
1528                dput (dentry);
1529                inode_unlock(parent);
1530
1531                spin_lock_irq (&dev->lock);
1532        }
1533        spin_unlock_irq (&dev->lock);
1534}
1535
1536
1537static struct dentry *
1538gadgetfs_create_file (struct super_block *sb, char const *name,
1539                void *data, const struct file_operations *fops);
1540
1541static int activate_ep_files (struct dev_data *dev)
1542{
1543        struct usb_ep   *ep;
1544        struct ep_data  *data;
1545
1546        gadget_for_each_ep (ep, dev->gadget) {
1547
1548                data = kzalloc(sizeof(*data), GFP_KERNEL);
1549                if (!data)
1550                        goto enomem0;
1551                data->state = STATE_EP_DISABLED;
1552                mutex_init(&data->lock);
1553                init_waitqueue_head (&data->wait);
1554
1555                strncpy (data->name, ep->name, sizeof (data->name) - 1);
1556                atomic_set (&data->count, 1);
1557                data->dev = dev;
1558                get_dev (dev);
1559
1560                data->ep = ep;
1561                ep->driver_data = data;
1562
1563                data->req = usb_ep_alloc_request (ep, GFP_KERNEL);
1564                if (!data->req)
1565                        goto enomem1;
1566
1567                data->dentry = gadgetfs_create_file (dev->sb, data->name,
1568                                data, &ep_io_operations);
1569                if (!data->dentry)
1570                        goto enomem2;
1571                list_add_tail (&data->epfiles, &dev->epfiles);
1572        }
1573        return 0;
1574
1575enomem2:
1576        usb_ep_free_request (ep, data->req);
1577enomem1:
1578        put_dev (dev);
1579        kfree (data);
1580enomem0:
1581        DBG (dev, "%s enomem\n", __func__);
1582        destroy_ep_files (dev);
1583        return -ENOMEM;
1584}
1585
1586static void
1587gadgetfs_unbind (struct usb_gadget *gadget)
1588{
1589        struct dev_data         *dev = get_gadget_data (gadget);
1590
1591        DBG (dev, "%s\n", __func__);
1592
1593        spin_lock_irq (&dev->lock);
1594        dev->state = STATE_DEV_UNBOUND;
1595        spin_unlock_irq (&dev->lock);
1596
1597        destroy_ep_files (dev);
1598        gadget->ep0->driver_data = NULL;
1599        set_gadget_data (gadget, NULL);
1600
1601        /* we've already been disconnected ... no i/o is active */
1602        if (dev->req)
1603                usb_ep_free_request (gadget->ep0, dev->req);
1604        DBG (dev, "%s done\n", __func__);
1605        put_dev (dev);
1606}
1607
1608static struct dev_data          *the_device;
1609
1610static int gadgetfs_bind(struct usb_gadget *gadget,
1611                struct usb_gadget_driver *driver)
1612{
1613        struct dev_data         *dev = the_device;
1614
1615        if (!dev)
1616                return -ESRCH;
1617        if (0 != strcmp (CHIP, gadget->name)) {
1618                pr_err("%s expected %s controller not %s\n",
1619                        shortname, CHIP, gadget->name);
1620                return -ENODEV;
1621        }
1622
1623        set_gadget_data (gadget, dev);
1624        dev->gadget = gadget;
1625        gadget->ep0->driver_data = dev;
1626
1627        /* preallocate control response and buffer */
1628        dev->req = usb_ep_alloc_request (gadget->ep0, GFP_KERNEL);
1629        if (!dev->req)
1630                goto enomem;
1631        dev->req->context = NULL;
1632        dev->req->complete = epio_complete;
1633
1634        if (activate_ep_files (dev) < 0)
1635                goto enomem;
1636
1637        INFO (dev, "bound to %s driver\n", gadget->name);
1638        spin_lock_irq(&dev->lock);
1639        dev->state = STATE_DEV_UNCONNECTED;
1640        spin_unlock_irq(&dev->lock);
1641        get_dev (dev);
1642        return 0;
1643
1644enomem:
1645        gadgetfs_unbind (gadget);
1646        return -ENOMEM;
1647}
1648
1649static void
1650gadgetfs_disconnect (struct usb_gadget *gadget)
1651{
1652        struct dev_data         *dev = get_gadget_data (gadget);
1653        unsigned long           flags;
1654
1655        spin_lock_irqsave (&dev->lock, flags);
1656        if (dev->state == STATE_DEV_UNCONNECTED)
1657                goto exit;
1658        dev->state = STATE_DEV_UNCONNECTED;
1659
1660        INFO (dev, "disconnected\n");
1661        next_event (dev, GADGETFS_DISCONNECT);
1662        ep0_readable (dev);
1663exit:
1664        spin_unlock_irqrestore (&dev->lock, flags);
1665}
1666
1667static void
1668gadgetfs_suspend (struct usb_gadget *gadget)
1669{
1670        struct dev_data         *dev = get_gadget_data (gadget);
1671
1672        INFO (dev, "suspended from state %d\n", dev->state);
1673        spin_lock (&dev->lock);
1674        switch (dev->state) {
1675        case STATE_DEV_SETUP:           // VERY odd... host died??
1676        case STATE_DEV_CONNECTED:
1677        case STATE_DEV_UNCONNECTED:
1678                next_event (dev, GADGETFS_SUSPEND);
1679                ep0_readable (dev);
1680                /* FALLTHROUGH */
1681        default:
1682                break;
1683        }
1684        spin_unlock (&dev->lock);
1685}
1686
1687static struct usb_gadget_driver gadgetfs_driver = {
1688        .function       = (char *) driver_desc,
1689        .bind           = gadgetfs_bind,
1690        .unbind         = gadgetfs_unbind,
1691        .setup          = gadgetfs_setup,
1692        .reset          = gadgetfs_disconnect,
1693        .disconnect     = gadgetfs_disconnect,
1694        .suspend        = gadgetfs_suspend,
1695
1696        .driver = {
1697                .name           = (char *) shortname,
1698        },
1699};
1700
1701/*----------------------------------------------------------------------*/
1702/* DEVICE INITIALIZATION
1703 *
1704 *     fd = open ("/dev/gadget/$CHIP", O_RDWR)
1705 *     status = write (fd, descriptors, sizeof descriptors)
1706 *
1707 * That write establishes the device configuration, so the kernel can
1708 * bind to the controller ... guaranteeing it can handle enumeration
1709 * at all necessary speeds.  Descriptor order is:
1710 *
1711 * . message tag (u32, host order) ... for now, must be zero; it
1712 *      would change to support features like multi-config devices
1713 * . full/low speed config ... all wTotalLength bytes (with interface,
1714 *      class, altsetting, endpoint, and other descriptors)
1715 * . high speed config ... all descriptors, for high speed operation;
1716 *      this one's optional except for high-speed hardware
1717 * . device descriptor
1718 *
1719 * Endpoints are not yet enabled. Drivers must wait until device
1720 * configuration and interface altsetting changes create
1721 * the need to configure (or unconfigure) them.
1722 *
1723 * After initialization, the device stays active for as long as that
1724 * $CHIP file is open.  Events must then be read from that descriptor,
1725 * such as configuration notifications.
1726 */
1727
1728static int is_valid_config (struct usb_config_descriptor *config)
1729{
1730        return config->bDescriptorType == USB_DT_CONFIG
1731                && config->bLength == USB_DT_CONFIG_SIZE
1732                && config->bConfigurationValue != 0
1733                && (config->bmAttributes & USB_CONFIG_ATT_ONE) != 0
1734                && (config->bmAttributes & USB_CONFIG_ATT_WAKEUP) == 0;
1735        /* FIXME if gadget->is_otg, _must_ include an otg descriptor */
1736        /* FIXME check lengths: walk to end */
1737}
1738
1739static ssize_t
1740dev_config (struct file *fd, const char __user *buf, size_t len, loff_t *ptr)
1741{
1742        struct dev_data         *dev = fd->private_data;
1743        ssize_t                 value = len, length = len;
1744        unsigned                total;
1745        u32                     tag;
1746        char                    *kbuf;
1747
1748        spin_lock_irq(&dev->lock);
1749        if (dev->state > STATE_DEV_OPENED) {
1750                value = ep0_write(fd, buf, len, ptr);
1751                spin_unlock_irq(&dev->lock);
1752                return value;
1753        }
1754        spin_unlock_irq(&dev->lock);
1755
1756        if (len < (USB_DT_CONFIG_SIZE + USB_DT_DEVICE_SIZE + 4))
1757                return -EINVAL;
1758
1759        /* we might need to change message format someday */
1760        if (copy_from_user (&tag, buf, 4))
1761                return -EFAULT;
1762        if (tag != 0)
1763                return -EINVAL;
1764        buf += 4;
1765        length -= 4;
1766
1767        kbuf = memdup_user(buf, length);
1768        if (IS_ERR(kbuf))
1769                return PTR_ERR(kbuf);
1770
1771        spin_lock_irq (&dev->lock);
1772        value = -EINVAL;
1773        if (dev->buf)
1774                goto fail;
1775        dev->buf = kbuf;
1776
1777        /* full or low speed config */
1778        dev->config = (void *) kbuf;
1779        total = le16_to_cpu(dev->config->wTotalLength);
1780        if (!is_valid_config (dev->config) || total >= length)
1781                goto fail;
1782        kbuf += total;
1783        length -= total;
1784
1785        /* optional high speed config */
1786        if (kbuf [1] == USB_DT_CONFIG) {
1787                dev->hs_config = (void *) kbuf;
1788                total = le16_to_cpu(dev->hs_config->wTotalLength);
1789                if (!is_valid_config (dev->hs_config) || total >= length)
1790                        goto fail;
1791                kbuf += total;
1792                length -= total;
1793        }
1794
1795        /* could support multiple configs, using another encoding! */
1796
1797        /* device descriptor (tweaked for paranoia) */
1798        if (length != USB_DT_DEVICE_SIZE)
1799                goto fail;
1800        dev->dev = (void *)kbuf;
1801        if (dev->dev->bLength != USB_DT_DEVICE_SIZE
1802                        || dev->dev->bDescriptorType != USB_DT_DEVICE
1803                        || dev->dev->bNumConfigurations != 1)
1804                goto fail;
1805        dev->dev->bNumConfigurations = 1;
1806        dev->dev->bcdUSB = cpu_to_le16 (0x0200);
1807
1808        /* triggers gadgetfs_bind(); then we can enumerate. */
1809        spin_unlock_irq (&dev->lock);
1810        if (dev->hs_config)
1811                gadgetfs_driver.max_speed = USB_SPEED_HIGH;
1812        else
1813                gadgetfs_driver.max_speed = USB_SPEED_FULL;
1814
1815        value = usb_gadget_probe_driver(&gadgetfs_driver);
1816        if (value != 0) {
1817                kfree (dev->buf);
1818                dev->buf = NULL;
1819        } else {
1820                /* at this point "good" hardware has for the first time
1821                 * let the USB the host see us.  alternatively, if users
1822                 * unplug/replug that will clear all the error state.
1823                 *
1824                 * note:  everything running before here was guaranteed
1825                 * to choke driver model style diagnostics.  from here
1826                 * on, they can work ... except in cleanup paths that
1827                 * kick in after the ep0 descriptor is closed.
1828                 */
1829                value = len;
1830                dev->gadget_registered = true;
1831        }
1832        return value;
1833
1834fail:
1835        spin_unlock_irq (&dev->lock);
1836        pr_debug ("%s: %s fail %Zd, %p\n", shortname, __func__, value, dev);
1837        kfree (dev->buf);
1838        dev->buf = NULL;
1839        return value;
1840}
1841
1842static int
1843dev_open (struct inode *inode, struct file *fd)
1844{
1845        struct dev_data         *dev = inode->i_private;
1846        int                     value = -EBUSY;
1847
1848        spin_lock_irq(&dev->lock);
1849        if (dev->state == STATE_DEV_DISABLED) {
1850                dev->ev_next = 0;
1851                dev->state = STATE_DEV_OPENED;
1852                fd->private_data = dev;
1853                get_dev (dev);
1854                value = 0;
1855        }
1856        spin_unlock_irq(&dev->lock);
1857        return value;
1858}
1859
1860static const struct file_operations ep0_operations = {
1861        .llseek =       no_llseek,
1862
1863        .open =         dev_open,
1864        .read =         ep0_read,
1865        .write =        dev_config,
1866        .fasync =       ep0_fasync,
1867        .poll =         ep0_poll,
1868        .unlocked_ioctl = dev_ioctl,
1869        .release =      dev_release,
1870};
1871
1872/*----------------------------------------------------------------------*/
1873
1874/* FILESYSTEM AND SUPERBLOCK OPERATIONS
1875 *
1876 * Mounting the filesystem creates a controller file, used first for
1877 * device configuration then later for event monitoring.
1878 */
1879
1880
1881/* FIXME PAM etc could set this security policy without mount options
1882 * if epfiles inherited ownership and permissons from ep0 ...
1883 */
1884
1885static unsigned default_uid;
1886static unsigned default_gid;
1887static unsigned default_perm = S_IRUSR | S_IWUSR;
1888
1889module_param (default_uid, uint, 0644);
1890module_param (default_gid, uint, 0644);
1891module_param (default_perm, uint, 0644);
1892
1893
1894static struct inode *
1895gadgetfs_make_inode (struct super_block *sb,
1896                void *data, const struct file_operations *fops,
1897                int mode)
1898{
1899        struct inode *inode = new_inode (sb);
1900
1901        if (inode) {
1902                inode->i_ino = get_next_ino();
1903                inode->i_mode = mode;
1904                inode->i_uid = make_kuid(&init_user_ns, default_uid);
1905                inode->i_gid = make_kgid(&init_user_ns, default_gid);
1906                inode->i_atime = inode->i_mtime = inode->i_ctime
1907                                = CURRENT_TIME;
1908                inode->i_private = data;
1909                inode->i_fop = fops;
1910        }
1911        return inode;
1912}
1913
1914/* creates in fs root directory, so non-renamable and non-linkable.
1915 * so inode and dentry are paired, until device reconfig.
1916 */
1917static struct dentry *
1918gadgetfs_create_file (struct super_block *sb, char const *name,
1919                void *data, const struct file_operations *fops)
1920{
1921        struct dentry   *dentry;
1922        struct inode    *inode;
1923
1924        dentry = d_alloc_name(sb->s_root, name);
1925        if (!dentry)
1926                return NULL;
1927
1928        inode = gadgetfs_make_inode (sb, data, fops,
1929                        S_IFREG | (default_perm & S_IRWXUGO));
1930        if (!inode) {
1931                dput(dentry);
1932                return NULL;
1933        }
1934        d_add (dentry, inode);
1935        return dentry;
1936}
1937
1938static const struct super_operations gadget_fs_operations = {
1939        .statfs =       simple_statfs,
1940        .drop_inode =   generic_delete_inode,
1941};
1942
1943static int
1944gadgetfs_fill_super (struct super_block *sb, void *opts, int silent)
1945{
1946        struct inode    *inode;
1947        struct dev_data *dev;
1948
1949        if (the_device)
1950                return -ESRCH;
1951
1952        CHIP = usb_get_gadget_udc_name();
1953        if (!CHIP)
1954                return -ENODEV;
1955
1956        /* superblock */
1957        sb->s_blocksize = PAGE_SIZE;
1958        sb->s_blocksize_bits = PAGE_SHIFT;
1959        sb->s_magic = GADGETFS_MAGIC;
1960        sb->s_op = &gadget_fs_operations;
1961        sb->s_time_gran = 1;
1962
1963        /* root inode */
1964        inode = gadgetfs_make_inode (sb,
1965                        NULL, &simple_dir_operations,
1966                        S_IFDIR | S_IRUGO | S_IXUGO);
1967        if (!inode)
1968                goto Enomem;
1969        inode->i_op = &simple_dir_inode_operations;
1970        if (!(sb->s_root = d_make_root (inode)))
1971                goto Enomem;
1972
1973        /* the ep0 file is named after the controller we expect;
1974         * user mode code can use it for sanity checks, like we do.
1975         */
1976        dev = dev_new ();
1977        if (!dev)
1978                goto Enomem;
1979
1980        dev->sb = sb;
1981        dev->dentry = gadgetfs_create_file(sb, CHIP, dev, &ep0_operations);
1982        if (!dev->dentry) {
1983                put_dev(dev);
1984                goto Enomem;
1985        }
1986
1987        /* other endpoint files are available after hardware setup,
1988         * from binding to a controller.
1989         */
1990        the_device = dev;
1991        return 0;
1992
1993Enomem:
1994        return -ENOMEM;
1995}
1996
1997/* "mount -t gadgetfs path /dev/gadget" ends up here */
1998static struct dentry *
1999gadgetfs_mount (struct file_system_type *t, int flags,
2000                const char *path, void *opts)

2001{
2002        return mount_single (t, flags, opts, gadgetfs_fill_super);
2003}
2004
2005static void
2006gadgetfs_kill_sb (struct super_block *sb)
2007{
2008        kill_litter_super (sb);
2009        if (the_device) {
2010                put_dev (the_device);
2011                the_device = NULL;
2012        }
2013        kfree(CHIP);
2014        CHIP = NULL;
2015}
2016
2017/*----------------------------------------------------------------------*/
2018
2019static struct file_system_type gadgetfs_type = {
2020        .owner          = THIS_MODULE,
2021        .name           = shortname,
2022        .mount          = gadgetfs_mount,
2023        .kill_sb        = gadgetfs_kill_sb,
2024};
2025MODULE_ALIAS_FS("gadgetfs");
2026
2027/*----------------------------------------------------------------------*/
2028
2029static int __init init (void)
2030{
2031        int status;
2032
2033        status = register_filesystem (&gadgetfs_type);
2034        if (status == 0)
2035                pr_info ("%s: %s, version " DRIVER_VERSION "\n",
2036                        shortname, driver_desc);
2037        return status;
2038}
2039module_init (init);
2040
2041static void __exit cleanup (void)
2042{
2043        pr_debug ("unregister %s\n", shortname);
2044        unregister_filesystem (&gadgetfs_type);
2045}
2046module_exit (cleanup);
2047
2048