1
2
3
4
5
6
7
8
9#include <linux/compiler.h>
10#include <linux/ctype.h>
11#include <linux/debugfs.h>
12#include <linux/delay.h>
13#include <linux/kref.h>
14#include <linux/miscdevice.h>
15#include <linux/module.h>
16#include <linux/semaphore.h>
17#include <linux/sched.h>
18#include <linux/slab.h>
19#include <linux/uaccess.h>
20#include <linux/wait.h>
21
22#include <linux/usb.h>
23#include <linux/usb/ch9.h>
24#include <linux/usb/ch11.h>
25#include <linux/usb/gadget.h>
26
27#include <uapi/linux/usb/raw_gadget.h>
28
29#define DRIVER_DESC "USB Raw Gadget"
30#define DRIVER_NAME "raw-gadget"
31
32MODULE_DESCRIPTION(DRIVER_DESC);
33MODULE_AUTHOR("Andrey Konovalov");
34MODULE_LICENSE("GPL");
35
36
37
38#define RAW_EVENT_QUEUE_SIZE 16
39
40struct raw_event_queue {
41
42 spinlock_t lock;
43 struct semaphore sema;
44 struct usb_raw_event *events[RAW_EVENT_QUEUE_SIZE];
45 int size;
46};
47
48static void raw_event_queue_init(struct raw_event_queue *queue)
49{
50 spin_lock_init(&queue->lock);
51 sema_init(&queue->sema, 0);
52 queue->size = 0;
53}
54
55static int raw_event_queue_add(struct raw_event_queue *queue,
56 enum usb_raw_event_type type, size_t length, const void *data)
57{
58 unsigned long flags;
59 struct usb_raw_event *event;
60
61 spin_lock_irqsave(&queue->lock, flags);
62 if (WARN_ON(queue->size >= RAW_EVENT_QUEUE_SIZE)) {
63 spin_unlock_irqrestore(&queue->lock, flags);
64 return -ENOMEM;
65 }
66 event = kmalloc(sizeof(*event) + length, GFP_ATOMIC);
67 if (!event) {
68 spin_unlock_irqrestore(&queue->lock, flags);
69 return -ENOMEM;
70 }
71 event->type = type;
72 event->length = length;
73 if (event->length)
74 memcpy(&event->data[0], data, length);
75 queue->events[queue->size] = event;
76 queue->size++;
77 up(&queue->sema);
78 spin_unlock_irqrestore(&queue->lock, flags);
79 return 0;
80}
81
82static struct usb_raw_event *raw_event_queue_fetch(
83 struct raw_event_queue *queue)
84{
85 int ret;
86 unsigned long flags;
87 struct usb_raw_event *event;
88
89
90
91
92
93
94 ret = down_interruptible(&queue->sema);
95 if (ret)
96 return ERR_PTR(ret);
97 spin_lock_irqsave(&queue->lock, flags);
98
99
100
101
102 if (WARN_ON(!queue->size)) {
103 spin_unlock_irqrestore(&queue->lock, flags);
104 return ERR_PTR(-ENODEV);
105 }
106 event = queue->events[0];
107 queue->size--;
108 memmove(&queue->events[0], &queue->events[1],
109 queue->size * sizeof(queue->events[0]));
110 spin_unlock_irqrestore(&queue->lock, flags);
111 return event;
112}
113
114static void raw_event_queue_destroy(struct raw_event_queue *queue)
115{
116 int i;
117
118 for (i = 0; i < queue->size; i++)
119 kfree(queue->events[i]);
120 queue->size = 0;
121}
122
123
124
125struct raw_dev;
126
127enum ep_state {
128 STATE_EP_DISABLED,
129 STATE_EP_ENABLED,
130};
131
132struct raw_ep {
133 struct raw_dev *dev;
134 enum ep_state state;
135 struct usb_ep *ep;
136 u8 addr;
137 struct usb_request *req;
138 bool urb_queued;
139 bool disabling;
140 ssize_t status;
141};
142
143enum dev_state {
144 STATE_DEV_INVALID = 0,
145 STATE_DEV_OPENED,
146 STATE_DEV_INITIALIZED,
147 STATE_DEV_RUNNING,
148 STATE_DEV_CLOSED,
149 STATE_DEV_FAILED
150};
151
152struct raw_dev {
153 struct kref count;
154 spinlock_t lock;
155
156 const char *udc_name;
157 struct usb_gadget_driver driver;
158
159
160 struct device *dev;
161
162
163 enum dev_state state;
164 bool gadget_registered;
165 struct usb_gadget *gadget;
166 struct usb_request *req;
167 bool ep0_in_pending;
168 bool ep0_out_pending;
169 bool ep0_urb_queued;
170 ssize_t ep0_status;
171 struct raw_ep eps[USB_RAW_EPS_NUM_MAX];
172 int eps_num;
173
174 struct completion ep0_done;
175 struct raw_event_queue queue;
176};
177
178static struct raw_dev *dev_new(void)
179{
180 struct raw_dev *dev;
181
182 dev = kzalloc(sizeof(*dev), GFP_KERNEL);
183 if (!dev)
184 return NULL;
185
186 kref_init(&dev->count);
187 spin_lock_init(&dev->lock);
188 init_completion(&dev->ep0_done);
189 raw_event_queue_init(&dev->queue);
190 return dev;
191}
192
193static void dev_free(struct kref *kref)
194{
195 struct raw_dev *dev = container_of(kref, struct raw_dev, count);
196 int i;
197
198 kfree(dev->udc_name);
199 kfree(dev->driver.udc_name);
200 if (dev->req) {
201 if (dev->ep0_urb_queued)
202 usb_ep_dequeue(dev->gadget->ep0, dev->req);
203 usb_ep_free_request(dev->gadget->ep0, dev->req);
204 }
205 raw_event_queue_destroy(&dev->queue);
206 for (i = 0; i < dev->eps_num; i++) {
207 if (dev->eps[i].state == STATE_EP_DISABLED)
208 continue;
209 usb_ep_disable(dev->eps[i].ep);
210 usb_ep_free_request(dev->eps[i].ep, dev->eps[i].req);
211 kfree(dev->eps[i].ep->desc);
212 dev->eps[i].state = STATE_EP_DISABLED;
213 }
214 kfree(dev);
215}
216
217
218
219static int raw_queue_event(struct raw_dev *dev,
220 enum usb_raw_event_type type, size_t length, const void *data)
221{
222 int ret = 0;
223 unsigned long flags;
224
225 ret = raw_event_queue_add(&dev->queue, type, length, data);
226 if (ret < 0) {
227 spin_lock_irqsave(&dev->lock, flags);
228 dev->state = STATE_DEV_FAILED;
229 spin_unlock_irqrestore(&dev->lock, flags);
230 }
231 return ret;
232}
233
234static void gadget_ep0_complete(struct usb_ep *ep, struct usb_request *req)
235{
236 struct raw_dev *dev = req->context;
237 unsigned long flags;
238
239 spin_lock_irqsave(&dev->lock, flags);
240 if (req->status)
241 dev->ep0_status = req->status;
242 else
243 dev->ep0_status = req->actual;
244 if (dev->ep0_in_pending)
245 dev->ep0_in_pending = false;
246 else
247 dev->ep0_out_pending = false;
248 spin_unlock_irqrestore(&dev->lock, flags);
249
250 complete(&dev->ep0_done);
251}
252
253static u8 get_ep_addr(const char *name)
254{
255
256
257
258
259
260 if (isdigit(name[2]))
261 return simple_strtoul(&name[2], NULL, 10);
262
263 return USB_RAW_EP_ADDR_ANY;
264}
265
266static int gadget_bind(struct usb_gadget *gadget,
267 struct usb_gadget_driver *driver)
268{
269 int ret = 0, i = 0;
270 struct raw_dev *dev = container_of(driver, struct raw_dev, driver);
271 struct usb_request *req;
272 struct usb_ep *ep;
273 unsigned long flags;
274
275 if (strcmp(gadget->name, dev->udc_name) != 0)
276 return -ENODEV;
277
278 set_gadget_data(gadget, dev);
279 req = usb_ep_alloc_request(gadget->ep0, GFP_KERNEL);
280 if (!req) {
281 dev_err(&gadget->dev, "usb_ep_alloc_request failed\n");
282 set_gadget_data(gadget, NULL);
283 return -ENOMEM;
284 }
285
286 spin_lock_irqsave(&dev->lock, flags);
287 dev->req = req;
288 dev->req->context = dev;
289 dev->req->complete = gadget_ep0_complete;
290 dev->gadget = gadget;
291 gadget_for_each_ep(ep, dev->gadget) {
292 dev->eps[i].ep = ep;
293 dev->eps[i].addr = get_ep_addr(ep->name);
294 dev->eps[i].state = STATE_EP_DISABLED;
295 i++;
296 }
297 dev->eps_num = i;
298 spin_unlock_irqrestore(&dev->lock, flags);
299
300
301 kref_get(&dev->count);
302
303 ret = raw_queue_event(dev, USB_RAW_EVENT_CONNECT, 0, NULL);
304 if (ret < 0)
305 dev_err(&gadget->dev, "failed to queue event\n");
306
307 return ret;
308}
309
310static void gadget_unbind(struct usb_gadget *gadget)
311{
312 struct raw_dev *dev = get_gadget_data(gadget);
313
314 set_gadget_data(gadget, NULL);
315
316 kref_put(&dev->count, dev_free);
317}
318
319static int gadget_setup(struct usb_gadget *gadget,
320 const struct usb_ctrlrequest *ctrl)
321{
322 int ret = 0;
323 struct raw_dev *dev = get_gadget_data(gadget);
324 unsigned long flags;
325
326 spin_lock_irqsave(&dev->lock, flags);
327 if (dev->state != STATE_DEV_RUNNING) {
328 dev_err(&gadget->dev, "ignoring, device is not running\n");
329 ret = -ENODEV;
330 goto out_unlock;
331 }
332 if (dev->ep0_in_pending || dev->ep0_out_pending) {
333 dev_dbg(&gadget->dev, "stalling, request already pending\n");
334 ret = -EBUSY;
335 goto out_unlock;
336 }
337 if ((ctrl->bRequestType & USB_DIR_IN) && ctrl->wLength)
338 dev->ep0_in_pending = true;
339 else
340 dev->ep0_out_pending = true;
341 spin_unlock_irqrestore(&dev->lock, flags);
342
343 ret = raw_queue_event(dev, USB_RAW_EVENT_CONTROL, sizeof(*ctrl), ctrl);
344 if (ret < 0)
345 dev_err(&gadget->dev, "failed to queue event\n");
346 goto out;
347
348out_unlock:
349 spin_unlock_irqrestore(&dev->lock, flags);
350out:
351 return ret;
352}
353
354
355static void gadget_disconnect(struct usb_gadget *gadget) { }
356static void gadget_suspend(struct usb_gadget *gadget) { }
357static void gadget_resume(struct usb_gadget *gadget) { }
358static void gadget_reset(struct usb_gadget *gadget) { }
359
360
361
362static struct miscdevice raw_misc_device;
363
364static int raw_open(struct inode *inode, struct file *fd)
365{
366 struct raw_dev *dev;
367
368
369 if (fd->f_flags & O_NONBLOCK)
370 return -EINVAL;
371
372 dev = dev_new();
373 if (!dev)
374 return -ENOMEM;
375 fd->private_data = dev;
376 dev->state = STATE_DEV_OPENED;
377 dev->dev = raw_misc_device.this_device;
378 return 0;
379}
380
381static int raw_release(struct inode *inode, struct file *fd)
382{
383 int ret = 0;
384 struct raw_dev *dev = fd->private_data;
385 unsigned long flags;
386 bool unregister = false;
387
388 spin_lock_irqsave(&dev->lock, flags);
389 dev->state = STATE_DEV_CLOSED;
390 if (!dev->gadget) {
391 spin_unlock_irqrestore(&dev->lock, flags);
392 goto out_put;
393 }
394 if (dev->gadget_registered)
395 unregister = true;
396 dev->gadget_registered = false;
397 spin_unlock_irqrestore(&dev->lock, flags);
398
399 if (unregister) {
400 ret = usb_gadget_unregister_driver(&dev->driver);
401 if (ret != 0)
402 dev_err(dev->dev,
403 "usb_gadget_unregister_driver() failed with %d\n",
404 ret);
405
406 kref_put(&dev->count, dev_free);
407 }
408
409out_put:
410
411 kref_put(&dev->count, dev_free);
412 return ret;
413}
414
415
416
417static int raw_ioctl_init(struct raw_dev *dev, unsigned long value)
418{
419 int ret = 0;
420 struct usb_raw_init arg;
421 char *udc_driver_name;
422 char *udc_device_name;
423 unsigned long flags;
424
425 if (copy_from_user(&arg, (void __user *)value, sizeof(arg)))
426 return -EFAULT;
427
428 switch (arg.speed) {
429 case USB_SPEED_UNKNOWN:
430 arg.speed = USB_SPEED_HIGH;
431 break;
432 case USB_SPEED_LOW:
433 case USB_SPEED_FULL:
434 case USB_SPEED_HIGH:
435 case USB_SPEED_SUPER:
436 break;
437 default:
438 return -EINVAL;
439 }
440
441 udc_driver_name = kmalloc(UDC_NAME_LENGTH_MAX, GFP_KERNEL);
442 if (!udc_driver_name)
443 return -ENOMEM;
444 ret = strscpy(udc_driver_name, &arg.driver_name[0],
445 UDC_NAME_LENGTH_MAX);
446 if (ret < 0) {
447 kfree(udc_driver_name);
448 return ret;
449 }
450 ret = 0;
451
452 udc_device_name = kmalloc(UDC_NAME_LENGTH_MAX, GFP_KERNEL);
453 if (!udc_device_name) {
454 kfree(udc_driver_name);
455 return -ENOMEM;
456 }
457 ret = strscpy(udc_device_name, &arg.device_name[0],
458 UDC_NAME_LENGTH_MAX);
459 if (ret < 0) {
460 kfree(udc_driver_name);
461 kfree(udc_device_name);
462 return ret;
463 }
464 ret = 0;
465
466 spin_lock_irqsave(&dev->lock, flags);
467 if (dev->state != STATE_DEV_OPENED) {
468 dev_dbg(dev->dev, "fail, device is not opened\n");
469 kfree(udc_driver_name);
470 kfree(udc_device_name);
471 ret = -EINVAL;
472 goto out_unlock;
473 }
474 dev->udc_name = udc_driver_name;
475
476 dev->driver.function = DRIVER_DESC;
477 dev->driver.max_speed = arg.speed;
478 dev->driver.setup = gadget_setup;
479 dev->driver.disconnect = gadget_disconnect;
480 dev->driver.bind = gadget_bind;
481 dev->driver.unbind = gadget_unbind;
482 dev->driver.suspend = gadget_suspend;
483 dev->driver.resume = gadget_resume;
484 dev->driver.reset = gadget_reset;
485 dev->driver.driver.name = DRIVER_NAME;
486 dev->driver.udc_name = udc_device_name;
487 dev->driver.match_existing_only = 1;
488
489 dev->state = STATE_DEV_INITIALIZED;
490
491out_unlock:
492 spin_unlock_irqrestore(&dev->lock, flags);
493 return ret;
494}
495
496static int raw_ioctl_run(struct raw_dev *dev, unsigned long value)
497{
498 int ret = 0;
499 unsigned long flags;
500
501 if (value)
502 return -EINVAL;
503
504 spin_lock_irqsave(&dev->lock, flags);
505 if (dev->state != STATE_DEV_INITIALIZED) {
506 dev_dbg(dev->dev, "fail, device is not initialized\n");
507 ret = -EINVAL;
508 goto out_unlock;
509 }
510 spin_unlock_irqrestore(&dev->lock, flags);
511
512 ret = usb_gadget_probe_driver(&dev->driver);
513
514 spin_lock_irqsave(&dev->lock, flags);
515 if (ret) {
516 dev_err(dev->dev,
517 "fail, usb_gadget_probe_driver returned %d\n", ret);
518 dev->state = STATE_DEV_FAILED;
519 goto out_unlock;
520 }
521 dev->gadget_registered = true;
522 dev->state = STATE_DEV_RUNNING;
523
524 kref_get(&dev->count);
525
526out_unlock:
527 spin_unlock_irqrestore(&dev->lock, flags);
528 return ret;
529}
530
531static int raw_ioctl_event_fetch(struct raw_dev *dev, unsigned long value)
532{
533 struct usb_raw_event arg;
534 unsigned long flags;
535 struct usb_raw_event *event;
536 uint32_t length;
537
538 if (copy_from_user(&arg, (void __user *)value, sizeof(arg)))
539 return -EFAULT;
540
541 spin_lock_irqsave(&dev->lock, flags);
542 if (dev->state != STATE_DEV_RUNNING) {
543 dev_dbg(dev->dev, "fail, device is not running\n");
544 spin_unlock_irqrestore(&dev->lock, flags);
545 return -EINVAL;
546 }
547 if (!dev->gadget) {
548 dev_dbg(dev->dev, "fail, gadget is not bound\n");
549 spin_unlock_irqrestore(&dev->lock, flags);
550 return -EBUSY;
551 }
552 spin_unlock_irqrestore(&dev->lock, flags);
553
554 event = raw_event_queue_fetch(&dev->queue);
555 if (PTR_ERR(event) == -EINTR) {
556 dev_dbg(&dev->gadget->dev, "event fetching interrupted\n");
557 return -EINTR;
558 }
559 if (IS_ERR(event)) {
560 dev_err(&dev->gadget->dev, "failed to fetch event\n");
561 spin_lock_irqsave(&dev->lock, flags);
562 dev->state = STATE_DEV_FAILED;
563 spin_unlock_irqrestore(&dev->lock, flags);
564 return -ENODEV;
565 }
566 length = min(arg.length, event->length);
567 if (copy_to_user((void __user *)value, event, sizeof(*event) + length)) {
568 kfree(event);
569 return -EFAULT;
570 }
571
572 kfree(event);
573 return 0;
574}
575
576static void *raw_alloc_io_data(struct usb_raw_ep_io *io, void __user *ptr,
577 bool get_from_user)
578{
579 void *data;
580
581 if (copy_from_user(io, ptr, sizeof(*io)))
582 return ERR_PTR(-EFAULT);
583 if (io->ep >= USB_RAW_EPS_NUM_MAX)
584 return ERR_PTR(-EINVAL);
585 if (!usb_raw_io_flags_valid(io->flags))
586 return ERR_PTR(-EINVAL);
587 if (io->length > PAGE_SIZE)
588 return ERR_PTR(-EINVAL);
589 if (get_from_user)
590 data = memdup_user(ptr + sizeof(*io), io->length);
591 else {
592 data = kmalloc(io->length, GFP_KERNEL);
593 if (!data)
594 data = ERR_PTR(-ENOMEM);
595 }
596 return data;
597}
598
599static int raw_process_ep0_io(struct raw_dev *dev, struct usb_raw_ep_io *io,
600 void *data, bool in)
601{
602 int ret = 0;
603 unsigned long flags;
604
605 spin_lock_irqsave(&dev->lock, flags);
606 if (dev->state != STATE_DEV_RUNNING) {
607 dev_dbg(dev->dev, "fail, device is not running\n");
608 ret = -EINVAL;
609 goto out_unlock;
610 }
611 if (!dev->gadget) {
612 dev_dbg(dev->dev, "fail, gadget is not bound\n");
613 ret = -EBUSY;
614 goto out_unlock;
615 }
616 if (dev->ep0_urb_queued) {
617 dev_dbg(&dev->gadget->dev, "fail, urb already queued\n");
618 ret = -EBUSY;
619 goto out_unlock;
620 }
621 if ((in && !dev->ep0_in_pending) ||
622 (!in && !dev->ep0_out_pending)) {
623 dev_dbg(&dev->gadget->dev, "fail, wrong direction\n");
624 ret = -EBUSY;
625 goto out_unlock;
626 }
627 if (WARN_ON(in && dev->ep0_out_pending)) {
628 ret = -ENODEV;
629 dev->state = STATE_DEV_FAILED;
630 goto out_done;
631 }
632 if (WARN_ON(!in && dev->ep0_in_pending)) {
633 ret = -ENODEV;
634 dev->state = STATE_DEV_FAILED;
635 goto out_done;
636 }
637
638 dev->req->buf = data;
639 dev->req->length = io->length;
640 dev->req->zero = usb_raw_io_flags_zero(io->flags);
641 dev->ep0_urb_queued = true;
642 spin_unlock_irqrestore(&dev->lock, flags);
643
644 ret = usb_ep_queue(dev->gadget->ep0, dev->req, GFP_KERNEL);
645 if (ret) {
646 dev_err(&dev->gadget->dev,
647 "fail, usb_ep_queue returned %d\n", ret);
648 spin_lock_irqsave(&dev->lock, flags);
649 dev->state = STATE_DEV_FAILED;
650 goto out_done;
651 }
652
653 ret = wait_for_completion_interruptible(&dev->ep0_done);
654 if (ret) {
655 dev_dbg(&dev->gadget->dev, "wait interrupted\n");
656 usb_ep_dequeue(dev->gadget->ep0, dev->req);
657 wait_for_completion(&dev->ep0_done);
658 spin_lock_irqsave(&dev->lock, flags);
659 goto out_done;
660 }
661
662 spin_lock_irqsave(&dev->lock, flags);
663 ret = dev->ep0_status;
664
665out_done:
666 dev->ep0_urb_queued = false;
667out_unlock:
668 spin_unlock_irqrestore(&dev->lock, flags);
669 return ret;
670}
671
672static int raw_ioctl_ep0_write(struct raw_dev *dev, unsigned long value)
673{
674 int ret = 0;
675 void *data;
676 struct usb_raw_ep_io io;
677
678 data = raw_alloc_io_data(&io, (void __user *)value, true);
679 if (IS_ERR(data))
680 return PTR_ERR(data);
681 ret = raw_process_ep0_io(dev, &io, data, true);
682 kfree(data);
683 return ret;
684}
685
686static int raw_ioctl_ep0_read(struct raw_dev *dev, unsigned long value)
687{
688 int ret = 0;
689 void *data;
690 struct usb_raw_ep_io io;
691 unsigned int length;
692
693 data = raw_alloc_io_data(&io, (void __user *)value, false);
694 if (IS_ERR(data))
695 return PTR_ERR(data);
696 ret = raw_process_ep0_io(dev, &io, data, false);
697 if (ret < 0)
698 goto free;
699
700 length = min(io.length, (unsigned int)ret);
701 if (copy_to_user((void __user *)(value + sizeof(io)), data, length))
702 ret = -EFAULT;
703 else
704 ret = length;
705free:
706 kfree(data);
707 return ret;
708}
709
710static int raw_ioctl_ep0_stall(struct raw_dev *dev, unsigned long value)
711{
712 int ret = 0;
713 unsigned long flags;
714
715 if (value)
716 return -EINVAL;
717 spin_lock_irqsave(&dev->lock, flags);
718 if (dev->state != STATE_DEV_RUNNING) {
719 dev_dbg(dev->dev, "fail, device is not running\n");
720 ret = -EINVAL;
721 goto out_unlock;
722 }
723 if (!dev->gadget) {
724 dev_dbg(dev->dev, "fail, gadget is not bound\n");
725 ret = -EBUSY;
726 goto out_unlock;
727 }
728 if (dev->ep0_urb_queued) {
729 dev_dbg(&dev->gadget->dev, "fail, urb already queued\n");
730 ret = -EBUSY;
731 goto out_unlock;
732 }
733 if (!dev->ep0_in_pending && !dev->ep0_out_pending) {
734 dev_dbg(&dev->gadget->dev, "fail, no request pending\n");
735 ret = -EBUSY;
736 goto out_unlock;
737 }
738
739 ret = usb_ep_set_halt(dev->gadget->ep0);
740 if (ret < 0)
741 dev_err(&dev->gadget->dev,
742 "fail, usb_ep_set_halt returned %d\n", ret);
743
744 if (dev->ep0_in_pending)
745 dev->ep0_in_pending = false;
746 else
747 dev->ep0_out_pending = false;
748
749out_unlock:
750 spin_unlock_irqrestore(&dev->lock, flags);
751 return ret;
752}
753
754static int raw_ioctl_ep_enable(struct raw_dev *dev, unsigned long value)
755{
756 int ret = 0, i;
757 unsigned long flags;
758 struct usb_endpoint_descriptor *desc;
759 struct raw_ep *ep;
760
761 desc = memdup_user((void __user *)value, sizeof(*desc));
762 if (IS_ERR(desc))
763 return PTR_ERR(desc);
764
765
766
767
768
769 if (usb_endpoint_maxp(desc) == 0) {
770 dev_dbg(dev->dev, "fail, bad endpoint maxpacket\n");
771 kfree(desc);
772 return -EINVAL;
773 }
774
775 spin_lock_irqsave(&dev->lock, flags);
776 if (dev->state != STATE_DEV_RUNNING) {
777 dev_dbg(dev->dev, "fail, device is not running\n");
778 ret = -EINVAL;
779 goto out_free;
780 }
781 if (!dev->gadget) {
782 dev_dbg(dev->dev, "fail, gadget is not bound\n");
783 ret = -EBUSY;
784 goto out_free;
785 }
786
787 for (i = 0; i < dev->eps_num; i++) {
788 ep = &dev->eps[i];
789 if (ep->state != STATE_EP_DISABLED)
790 continue;
791 if (ep->addr != usb_endpoint_num(desc) &&
792 ep->addr != USB_RAW_EP_ADDR_ANY)
793 continue;
794 if (!usb_gadget_ep_match_desc(dev->gadget, ep->ep, desc, NULL))
795 continue;
796 ep->ep->desc = desc;
797 ret = usb_ep_enable(ep->ep);
798 if (ret < 0) {
799 dev_err(&dev->gadget->dev,
800 "fail, usb_ep_enable returned %d\n", ret);
801 goto out_free;
802 }
803 ep->req = usb_ep_alloc_request(ep->ep, GFP_ATOMIC);
804 if (!ep->req) {
805 dev_err(&dev->gadget->dev,
806 "fail, usb_ep_alloc_request failed\n");
807 usb_ep_disable(ep->ep);
808 ret = -ENOMEM;
809 goto out_free;
810 }
811 ep->state = STATE_EP_ENABLED;
812 ep->ep->driver_data = ep;
813 ret = i;
814 goto out_unlock;
815 }
816
817 dev_dbg(&dev->gadget->dev, "fail, no gadget endpoints available\n");
818 ret = -EBUSY;
819
820out_free:
821 kfree(desc);
822out_unlock:
823 spin_unlock_irqrestore(&dev->lock, flags);
824 return ret;
825}
826
827static int raw_ioctl_ep_disable(struct raw_dev *dev, unsigned long value)
828{
829 int ret = 0, i = value;
830 unsigned long flags;
831
832 spin_lock_irqsave(&dev->lock, flags);
833 if (dev->state != STATE_DEV_RUNNING) {
834 dev_dbg(dev->dev, "fail, device is not running\n");
835 ret = -EINVAL;
836 goto out_unlock;
837 }
838 if (!dev->gadget) {
839 dev_dbg(dev->dev, "fail, gadget is not bound\n");
840 ret = -EBUSY;
841 goto out_unlock;
842 }
843 if (i < 0 || i >= dev->eps_num) {
844 dev_dbg(dev->dev, "fail, invalid endpoint\n");
845 ret = -EBUSY;
846 goto out_unlock;
847 }
848 if (dev->eps[i].state == STATE_EP_DISABLED) {
849 dev_dbg(&dev->gadget->dev, "fail, endpoint is not enabled\n");
850 ret = -EINVAL;
851 goto out_unlock;
852 }
853 if (dev->eps[i].disabling) {
854 dev_dbg(&dev->gadget->dev,
855 "fail, disable already in progress\n");
856 ret = -EINVAL;
857 goto out_unlock;
858 }
859 if (dev->eps[i].urb_queued) {
860 dev_dbg(&dev->gadget->dev,
861 "fail, waiting for urb completion\n");
862 ret = -EINVAL;
863 goto out_unlock;
864 }
865 dev->eps[i].disabling = true;
866 spin_unlock_irqrestore(&dev->lock, flags);
867
868 usb_ep_disable(dev->eps[i].ep);
869
870 spin_lock_irqsave(&dev->lock, flags);
871 usb_ep_free_request(dev->eps[i].ep, dev->eps[i].req);
872 kfree(dev->eps[i].ep->desc);
873 dev->eps[i].state = STATE_EP_DISABLED;
874 dev->eps[i].disabling = false;
875
876out_unlock:
877 spin_unlock_irqrestore(&dev->lock, flags);
878 return ret;
879}
880
881static int raw_ioctl_ep_set_clear_halt_wedge(struct raw_dev *dev,
882 unsigned long value, bool set, bool halt)
883{
884 int ret = 0, i = value;
885 unsigned long flags;
886
887 spin_lock_irqsave(&dev->lock, flags);
888 if (dev->state != STATE_DEV_RUNNING) {
889 dev_dbg(dev->dev, "fail, device is not running\n");
890 ret = -EINVAL;
891 goto out_unlock;
892 }
893 if (!dev->gadget) {
894 dev_dbg(dev->dev, "fail, gadget is not bound\n");
895 ret = -EBUSY;
896 goto out_unlock;
897 }
898 if (i < 0 || i >= dev->eps_num) {
899 dev_dbg(dev->dev, "fail, invalid endpoint\n");
900 ret = -EBUSY;
901 goto out_unlock;
902 }
903 if (dev->eps[i].state == STATE_EP_DISABLED) {
904 dev_dbg(&dev->gadget->dev, "fail, endpoint is not enabled\n");
905 ret = -EINVAL;
906 goto out_unlock;
907 }
908 if (dev->eps[i].disabling) {
909 dev_dbg(&dev->gadget->dev,
910 "fail, disable is in progress\n");
911 ret = -EINVAL;
912 goto out_unlock;
913 }
914 if (dev->eps[i].urb_queued) {
915 dev_dbg(&dev->gadget->dev,
916 "fail, waiting for urb completion\n");
917 ret = -EINVAL;
918 goto out_unlock;
919 }
920 if (usb_endpoint_xfer_isoc(dev->eps[i].ep->desc)) {
921 dev_dbg(&dev->gadget->dev,
922 "fail, can't halt/wedge ISO endpoint\n");
923 ret = -EINVAL;
924 goto out_unlock;
925 }
926
927 if (set && halt) {
928 ret = usb_ep_set_halt(dev->eps[i].ep);
929 if (ret < 0)
930 dev_err(&dev->gadget->dev,
931 "fail, usb_ep_set_halt returned %d\n", ret);
932 } else if (!set && halt) {
933 ret = usb_ep_clear_halt(dev->eps[i].ep);
934 if (ret < 0)
935 dev_err(&dev->gadget->dev,
936 "fail, usb_ep_clear_halt returned %d\n", ret);
937 } else if (set && !halt) {
938 ret = usb_ep_set_wedge(dev->eps[i].ep);
939 if (ret < 0)
940 dev_err(&dev->gadget->dev,
941 "fail, usb_ep_set_wedge returned %d\n", ret);
942 }
943
944out_unlock:
945 spin_unlock_irqrestore(&dev->lock, flags);
946 return ret;
947}
948
949static void gadget_ep_complete(struct usb_ep *ep, struct usb_request *req)
950{
951 struct raw_ep *r_ep = (struct raw_ep *)ep->driver_data;
952 struct raw_dev *dev = r_ep->dev;
953 unsigned long flags;
954
955 spin_lock_irqsave(&dev->lock, flags);
956 if (req->status)
957 r_ep->status = req->status;
958 else
959 r_ep->status = req->actual;
960 spin_unlock_irqrestore(&dev->lock, flags);
961
962 complete((struct completion *)req->context);
963}
964
965static int raw_process_ep_io(struct raw_dev *dev, struct usb_raw_ep_io *io,
966 void *data, bool in)
967{
968 int ret = 0;
969 unsigned long flags;
970 struct raw_ep *ep;
971 DECLARE_COMPLETION_ONSTACK(done);
972
973 spin_lock_irqsave(&dev->lock, flags);
974 if (dev->state != STATE_DEV_RUNNING) {
975 dev_dbg(dev->dev, "fail, device is not running\n");
976 ret = -EINVAL;
977 goto out_unlock;
978 }
979 if (!dev->gadget) {
980 dev_dbg(dev->dev, "fail, gadget is not bound\n");
981 ret = -EBUSY;
982 goto out_unlock;
983 }
984 if (io->ep >= dev->eps_num) {
985 dev_dbg(&dev->gadget->dev, "fail, invalid endpoint\n");
986 ret = -EINVAL;
987 goto out_unlock;
988 }
989 ep = &dev->eps[io->ep];
990 if (ep->state != STATE_EP_ENABLED) {
991 dev_dbg(&dev->gadget->dev, "fail, endpoint is not enabled\n");
992 ret = -EBUSY;
993 goto out_unlock;
994 }
995 if (ep->disabling) {
996 dev_dbg(&dev->gadget->dev,
997 "fail, endpoint is already being disabled\n");
998 ret = -EBUSY;
999 goto out_unlock;
1000 }
1001 if (ep->urb_queued) {
1002 dev_dbg(&dev->gadget->dev, "fail, urb already queued\n");
1003 ret = -EBUSY;
1004 goto out_unlock;
1005 }
1006 if ((in && !ep->ep->caps.dir_in) || (!in && ep->ep->caps.dir_in)) {
1007 dev_dbg(&dev->gadget->dev, "fail, wrong direction\n");
1008 ret = -EINVAL;
1009 goto out_unlock;
1010 }
1011
1012 ep->dev = dev;
1013 ep->req->context = &done;
1014 ep->req->complete = gadget_ep_complete;
1015 ep->req->buf = data;
1016 ep->req->length = io->length;
1017 ep->req->zero = usb_raw_io_flags_zero(io->flags);
1018 ep->urb_queued = true;
1019 spin_unlock_irqrestore(&dev->lock, flags);
1020
1021 ret = usb_ep_queue(ep->ep, ep->req, GFP_KERNEL);
1022 if (ret) {
1023 dev_err(&dev->gadget->dev,
1024 "fail, usb_ep_queue returned %d\n", ret);
1025 spin_lock_irqsave(&dev->lock, flags);
1026 dev->state = STATE_DEV_FAILED;
1027 goto out_done;
1028 }
1029
1030 ret = wait_for_completion_interruptible(&done);
1031 if (ret) {
1032 dev_dbg(&dev->gadget->dev, "wait interrupted\n");
1033 usb_ep_dequeue(ep->ep, ep->req);
1034 wait_for_completion(&done);
1035 spin_lock_irqsave(&dev->lock, flags);
1036 goto out_done;
1037 }
1038
1039 spin_lock_irqsave(&dev->lock, flags);
1040 ret = ep->status;
1041
1042out_done:
1043 ep->urb_queued = false;
1044out_unlock:
1045 spin_unlock_irqrestore(&dev->lock, flags);
1046 return ret;
1047}
1048
1049static int raw_ioctl_ep_write(struct raw_dev *dev, unsigned long value)
1050{
1051 int ret = 0;
1052 char *data;
1053 struct usb_raw_ep_io io;
1054
1055 data = raw_alloc_io_data(&io, (void __user *)value, true);
1056 if (IS_ERR(data))
1057 return PTR_ERR(data);
1058 ret = raw_process_ep_io(dev, &io, data, true);
1059 kfree(data);
1060 return ret;
1061}
1062
1063static int raw_ioctl_ep_read(struct raw_dev *dev, unsigned long value)
1064{
1065 int ret = 0;
1066 char *data;
1067 struct usb_raw_ep_io io;
1068 unsigned int length;
1069
1070 data = raw_alloc_io_data(&io, (void __user *)value, false);
1071 if (IS_ERR(data))
1072 return PTR_ERR(data);
1073 ret = raw_process_ep_io(dev, &io, data, false);
1074 if (ret < 0)
1075 goto free;
1076
1077 length = min(io.length, (unsigned int)ret);
1078 if (copy_to_user((void __user *)(value + sizeof(io)), data, length))
1079 ret = -EFAULT;
1080 else
1081 ret = length;
1082free:
1083 kfree(data);
1084 return ret;
1085}
1086
1087static int raw_ioctl_configure(struct raw_dev *dev, unsigned long value)
1088{
1089 int ret = 0;
1090 unsigned long flags;
1091
1092 if (value)
1093 return -EINVAL;
1094 spin_lock_irqsave(&dev->lock, flags);
1095 if (dev->state != STATE_DEV_RUNNING) {
1096 dev_dbg(dev->dev, "fail, device is not running\n");
1097 ret = -EINVAL;
1098 goto out_unlock;
1099 }
1100 if (!dev->gadget) {
1101 dev_dbg(dev->dev, "fail, gadget is not bound\n");
1102 ret = -EBUSY;
1103 goto out_unlock;
1104 }
1105 usb_gadget_set_state(dev->gadget, USB_STATE_CONFIGURED);
1106
1107out_unlock:
1108 spin_unlock_irqrestore(&dev->lock, flags);
1109 return ret;
1110}
1111
1112static int raw_ioctl_vbus_draw(struct raw_dev *dev, unsigned long value)
1113{
1114 int ret = 0;
1115 unsigned long flags;
1116
1117 spin_lock_irqsave(&dev->lock, flags);
1118 if (dev->state != STATE_DEV_RUNNING) {
1119 dev_dbg(dev->dev, "fail, device is not running\n");
1120 ret = -EINVAL;
1121 goto out_unlock;
1122 }
1123 if (!dev->gadget) {
1124 dev_dbg(dev->dev, "fail, gadget is not bound\n");
1125 ret = -EBUSY;
1126 goto out_unlock;
1127 }
1128 usb_gadget_vbus_draw(dev->gadget, 2 * value);
1129
1130out_unlock:
1131 spin_unlock_irqrestore(&dev->lock, flags);
1132 return ret;
1133}
1134
1135static void fill_ep_caps(struct usb_ep_caps *caps,
1136 struct usb_raw_ep_caps *raw_caps)
1137{
1138 raw_caps->type_control = caps->type_control;
1139 raw_caps->type_iso = caps->type_iso;
1140 raw_caps->type_bulk = caps->type_bulk;
1141 raw_caps->type_int = caps->type_int;
1142 raw_caps->dir_in = caps->dir_in;
1143 raw_caps->dir_out = caps->dir_out;
1144}
1145
1146static void fill_ep_limits(struct usb_ep *ep, struct usb_raw_ep_limits *limits)
1147{
1148 limits->maxpacket_limit = ep->maxpacket_limit;
1149 limits->max_streams = ep->max_streams;
1150}
1151
1152static int raw_ioctl_eps_info(struct raw_dev *dev, unsigned long value)
1153{
1154 int ret = 0, i;
1155 unsigned long flags;
1156 struct usb_raw_eps_info *info;
1157 struct raw_ep *ep;
1158
1159 info = kmalloc(sizeof(*info), GFP_KERNEL);
1160 if (!info) {
1161 ret = -ENOMEM;
1162 goto out;
1163 }
1164
1165 spin_lock_irqsave(&dev->lock, flags);
1166 if (dev->state != STATE_DEV_RUNNING) {
1167 dev_dbg(dev->dev, "fail, device is not running\n");
1168 ret = -EINVAL;
1169 spin_unlock_irqrestore(&dev->lock, flags);
1170 goto out_free;
1171 }
1172 if (!dev->gadget) {
1173 dev_dbg(dev->dev, "fail, gadget is not bound\n");
1174 ret = -EBUSY;
1175 spin_unlock_irqrestore(&dev->lock, flags);
1176 goto out_free;
1177 }
1178
1179 memset(info, 0, sizeof(*info));
1180 for (i = 0; i < dev->eps_num; i++) {
1181 ep = &dev->eps[i];
1182 strscpy(&info->eps[i].name[0], ep->ep->name,
1183 USB_RAW_EP_NAME_MAX);
1184 info->eps[i].addr = ep->addr;
1185 fill_ep_caps(&ep->ep->caps, &info->eps[i].caps);
1186 fill_ep_limits(ep->ep, &info->eps[i].limits);
1187 }
1188 ret = dev->eps_num;
1189 spin_unlock_irqrestore(&dev->lock, flags);
1190
1191 if (copy_to_user((void __user *)value, info, sizeof(*info)))
1192 ret = -EFAULT;
1193
1194out_free:
1195 kfree(info);
1196out:
1197 return ret;
1198}
1199
1200static long raw_ioctl(struct file *fd, unsigned int cmd, unsigned long value)
1201{
1202 struct raw_dev *dev = fd->private_data;
1203 int ret = 0;
1204
1205 if (!dev)
1206 return -EBUSY;
1207
1208 switch (cmd) {
1209 case USB_RAW_IOCTL_INIT:
1210 ret = raw_ioctl_init(dev, value);
1211 break;
1212 case USB_RAW_IOCTL_RUN:
1213 ret = raw_ioctl_run(dev, value);
1214 break;
1215 case USB_RAW_IOCTL_EVENT_FETCH:
1216 ret = raw_ioctl_event_fetch(dev, value);
1217 break;
1218 case USB_RAW_IOCTL_EP0_WRITE:
1219 ret = raw_ioctl_ep0_write(dev, value);
1220 break;
1221 case USB_RAW_IOCTL_EP0_READ:
1222 ret = raw_ioctl_ep0_read(dev, value);
1223 break;
1224 case USB_RAW_IOCTL_EP_ENABLE:
1225 ret = raw_ioctl_ep_enable(dev, value);
1226 break;
1227 case USB_RAW_IOCTL_EP_DISABLE:
1228 ret = raw_ioctl_ep_disable(dev, value);
1229 break;
1230 case USB_RAW_IOCTL_EP_WRITE:
1231 ret = raw_ioctl_ep_write(dev, value);
1232 break;
1233 case USB_RAW_IOCTL_EP_READ:
1234 ret = raw_ioctl_ep_read(dev, value);
1235 break;
1236 case USB_RAW_IOCTL_CONFIGURE:
1237 ret = raw_ioctl_configure(dev, value);
1238 break;
1239 case USB_RAW_IOCTL_VBUS_DRAW:
1240 ret = raw_ioctl_vbus_draw(dev, value);
1241 break;
1242 case USB_RAW_IOCTL_EPS_INFO:
1243 ret = raw_ioctl_eps_info(dev, value);
1244 break;
1245 case USB_RAW_IOCTL_EP0_STALL:
1246 ret = raw_ioctl_ep0_stall(dev, value);
1247 break;
1248 case USB_RAW_IOCTL_EP_SET_HALT:
1249 ret = raw_ioctl_ep_set_clear_halt_wedge(
1250 dev, value, true, true);
1251 break;
1252 case USB_RAW_IOCTL_EP_CLEAR_HALT:
1253 ret = raw_ioctl_ep_set_clear_halt_wedge(
1254 dev, value, false, true);
1255 break;
1256 case USB_RAW_IOCTL_EP_SET_WEDGE:
1257 ret = raw_ioctl_ep_set_clear_halt_wedge(
1258 dev, value, true, false);
1259 break;
1260 default:
1261 ret = -EINVAL;
1262 }
1263
1264 return ret;
1265}
1266
1267
1268
1269static const struct file_operations raw_fops = {
1270 .open = raw_open,
1271 .unlocked_ioctl = raw_ioctl,
1272 .compat_ioctl = raw_ioctl,
1273 .release = raw_release,
1274 .llseek = no_llseek,
1275};
1276
1277static struct miscdevice raw_misc_device = {
1278 .minor = MISC_DYNAMIC_MINOR,
1279 .name = DRIVER_NAME,
1280 .fops = &raw_fops,
1281};
1282
1283module_misc_device(raw_misc_device);
1284
