original development tree for Linux kernel GTP module; now long in mainline.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

2130 lines
52 KiB

USB: gadgetfs: gadgetfs_disconnect: fix inconsistent lock state Under certain circumstances lockdep finds an inconsistent lock state in gadgetfs. The problem can be reproduced with a hardware using the ci13xxx_udc driver and the gadgetfs test program (needs a patch to support the ci13xxx_udc, though): http://www.linux-usb.org/gadget/usb.c Start the test program, wait to initialize, then press Ctrl+c. This patch fixes the following problem by using spin_lock_irqsave() instead of spin_lock(). ================================= [ INFO: inconsistent lock state ] 3.1.0-rc6+ #158 --------------------------------- inconsistent {IN-HARDIRQ-W} -> {HARDIRQ-ON-W} usage. usb/113 [HC0[0]:SC0[0]:HE1:SE1] takes: (&(&dev->lock)->rlock){?.....}, at: [<bf000340>] gadgetfs_disconnect+0x14/0x80 [gadgetfs] {IN-HARDIRQ-W} state was registered at: [<c00596b8>] mark_irqflags+0x14c/0x1ac [<c0059bf8>] __lock_acquire+0x4e0/0x8f0 [<c005a698>] lock_acquire+0x98/0x1a8 [<c02f10e0>] _raw_spin_lock+0x54/0x8c [<bf000340>] gadgetfs_disconnect+0x14/0x80 [gadgetfs] [<c0229104>] _gadget_stop_activity+0xd4/0x154 [<c022b130>] isr_reset_handler+0x34/0x1c0 [<c022c320>] udc_irq+0x204/0x228 [<c0069018>] handle_irq_event_percpu+0x64/0x3a0 [<c0069390>] handle_irq_event+0x3c/0x5c [<c006ae5c>] handle_level_irq+0x8c/0x10c [<c0068a34>] generic_handle_irq+0x30/0x44 [<c0009b2c>] handle_IRQ+0x30/0x84 [<c0008ef8>] __irq_svc+0x38/0x60 [<c0009c58>] default_idle+0x30/0x34 [<c0009e30>] cpu_idle+0x9c/0xd8 [<c04056f4>] start_kernel+0x278/0x2bc irq event stamp: 6412 hardirqs last enabled at (6412): [<c02f1cd0>] _raw_spin_unlock_irqrestore+0x30/0x5c hardirqs last disabled at (6411): [<c02f1278>] _raw_spin_lock_irqsave+0x20/0xa0 softirqs last enabled at (6381): [<c002833c>] irq_exit+0xa0/0xa8 softirqs last disabled at (6372): [<c002833c>] irq_exit+0xa0/0xa8 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(&(&dev->lock)->rlock); <Interrupt> lock(&(&dev->lock)->rlock); *** DEADLOCK *** 1 lock held by usb/113: #0: (udc_lock#2){+.+.+.}, at: [<c02286c0>] usb_gadget_unregister_driver+0x34/0x88 stack backtrace: [<c000d41c>] (unwind_backtrace+0x0/0xf0) from [<c0058e98>] (print_usage_bug+0x144/0x1c4) [<c0058e98>] (print_usage_bug+0x144/0x1c4) from [<c0059144>] (mark_lock_irq+0x22c/0x274) [<c0059144>] (mark_lock_irq+0x22c/0x274) from [<c00592d4>] (mark_lock+0x148/0x3e0) [<c00592d4>] (mark_lock+0x148/0x3e0) from [<c0059668>] (mark_irqflags+0xfc/0x1ac) [<c0059668>] (mark_irqflags+0xfc/0x1ac) from [<c0059bf8>] (__lock_acquire+0x4e0/0x8f0) [<c0059bf8>] (__lock_acquire+0x4e0/0x8f0) from [<c005a698>] (lock_acquire+0x98/0x1a8) [<c005a698>] (lock_acquire+0x98/0x1a8) from [<c02f10e0>] (_raw_spin_lock+0x54/0x8c) [<c02f10e0>] (_raw_spin_lock+0x54/0x8c) from [<bf000340>] (gadgetfs_disconnect+0x14/0x80 [gadgetfs]) [<bf000340>] (gadgetfs_disconnect+0x14/0x80 [gadgetfs]) from [<c0229104>] (_gadget_stop_activity+0xd4/0x154) [<c0229104>] (_gadget_stop_activity+0xd4/0x154) from [<c0229240>] (ci13xxx_stop+0xbc/0x17c) [<c0229240>] (ci13xxx_stop+0xbc/0x17c) from [<c022867c>] (usb_gadget_remove_driver+0x88/0x98) [<c022867c>] (usb_gadget_remove_driver+0x88/0x98) from [<c02286f4>] (usb_gadget_unregister_driver+0x68/0x88) [<c02286f4>] (usb_gadget_unregister_driver+0x68/0x88) from [<bf0003e8>] (dev_release+0x14/0x48 [gadgetfs]) [<bf0003e8>] (dev_release+0x14/0x48 [gadgetfs]) from [<c00cc158>] (__fput+0xa4/0x1f0) [<c00cc158>] (__fput+0xa4/0x1f0) from [<c00c7f28>] (filp_close+0x5c/0x74) [<c00c7f28>] (filp_close+0x5c/0x74) from [<c00c7fe8>] (sys_close+0xa8/0x150) [<c00c7fe8>] (sys_close+0xa8/0x150) from [<c00092a0>] (ret_fast_syscall+0x0/0x38) Tested-by: Pavankumar Kondeti <pkondeti@codeaurora.org> Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de> Signed-off-by: Felipe Balbi <balbi@ti.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
10 years ago
USB: gadgetfs: gadgetfs_disconnect: fix inconsistent lock state Under certain circumstances lockdep finds an inconsistent lock state in gadgetfs. The problem can be reproduced with a hardware using the ci13xxx_udc driver and the gadgetfs test program (needs a patch to support the ci13xxx_udc, though): http://www.linux-usb.org/gadget/usb.c Start the test program, wait to initialize, then press Ctrl+c. This patch fixes the following problem by using spin_lock_irqsave() instead of spin_lock(). ================================= [ INFO: inconsistent lock state ] 3.1.0-rc6+ #158 --------------------------------- inconsistent {IN-HARDIRQ-W} -> {HARDIRQ-ON-W} usage. usb/113 [HC0[0]:SC0[0]:HE1:SE1] takes: (&(&dev->lock)->rlock){?.....}, at: [<bf000340>] gadgetfs_disconnect+0x14/0x80 [gadgetfs] {IN-HARDIRQ-W} state was registered at: [<c00596b8>] mark_irqflags+0x14c/0x1ac [<c0059bf8>] __lock_acquire+0x4e0/0x8f0 [<c005a698>] lock_acquire+0x98/0x1a8 [<c02f10e0>] _raw_spin_lock+0x54/0x8c [<bf000340>] gadgetfs_disconnect+0x14/0x80 [gadgetfs] [<c0229104>] _gadget_stop_activity+0xd4/0x154 [<c022b130>] isr_reset_handler+0x34/0x1c0 [<c022c320>] udc_irq+0x204/0x228 [<c0069018>] handle_irq_event_percpu+0x64/0x3a0 [<c0069390>] handle_irq_event+0x3c/0x5c [<c006ae5c>] handle_level_irq+0x8c/0x10c [<c0068a34>] generic_handle_irq+0x30/0x44 [<c0009b2c>] handle_IRQ+0x30/0x84 [<c0008ef8>] __irq_svc+0x38/0x60 [<c0009c58>] default_idle+0x30/0x34 [<c0009e30>] cpu_idle+0x9c/0xd8 [<c04056f4>] start_kernel+0x278/0x2bc irq event stamp: 6412 hardirqs last enabled at (6412): [<c02f1cd0>] _raw_spin_unlock_irqrestore+0x30/0x5c hardirqs last disabled at (6411): [<c02f1278>] _raw_spin_lock_irqsave+0x20/0xa0 softirqs last enabled at (6381): [<c002833c>] irq_exit+0xa0/0xa8 softirqs last disabled at (6372): [<c002833c>] irq_exit+0xa0/0xa8 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(&(&dev->lock)->rlock); <Interrupt> lock(&(&dev->lock)->rlock); *** DEADLOCK *** 1 lock held by usb/113: #0: (udc_lock#2){+.+.+.}, at: [<c02286c0>] usb_gadget_unregister_driver+0x34/0x88 stack backtrace: [<c000d41c>] (unwind_backtrace+0x0/0xf0) from [<c0058e98>] (print_usage_bug+0x144/0x1c4) [<c0058e98>] (print_usage_bug+0x144/0x1c4) from [<c0059144>] (mark_lock_irq+0x22c/0x274) [<c0059144>] (mark_lock_irq+0x22c/0x274) from [<c00592d4>] (mark_lock+0x148/0x3e0) [<c00592d4>] (mark_lock+0x148/0x3e0) from [<c0059668>] (mark_irqflags+0xfc/0x1ac) [<c0059668>] (mark_irqflags+0xfc/0x1ac) from [<c0059bf8>] (__lock_acquire+0x4e0/0x8f0) [<c0059bf8>] (__lock_acquire+0x4e0/0x8f0) from [<c005a698>] (lock_acquire+0x98/0x1a8) [<c005a698>] (lock_acquire+0x98/0x1a8) from [<c02f10e0>] (_raw_spin_lock+0x54/0x8c) [<c02f10e0>] (_raw_spin_lock+0x54/0x8c) from [<bf000340>] (gadgetfs_disconnect+0x14/0x80 [gadgetfs]) [<bf000340>] (gadgetfs_disconnect+0x14/0x80 [gadgetfs]) from [<c0229104>] (_gadget_stop_activity+0xd4/0x154) [<c0229104>] (_gadget_stop_activity+0xd4/0x154) from [<c0229240>] (ci13xxx_stop+0xbc/0x17c) [<c0229240>] (ci13xxx_stop+0xbc/0x17c) from [<c022867c>] (usb_gadget_remove_driver+0x88/0x98) [<c022867c>] (usb_gadget_remove_driver+0x88/0x98) from [<c02286f4>] (usb_gadget_unregister_driver+0x68/0x88) [<c02286f4>] (usb_gadget_unregister_driver+0x68/0x88) from [<bf0003e8>] (dev_release+0x14/0x48 [gadgetfs]) [<bf0003e8>] (dev_release+0x14/0x48 [gadgetfs]) from [<c00cc158>] (__fput+0xa4/0x1f0) [<c00cc158>] (__fput+0xa4/0x1f0) from [<c00c7f28>] (filp_close+0x5c/0x74) [<c00c7f28>] (filp_close+0x5c/0x74) from [<c00c7fe8>] (sys_close+0xa8/0x150) [<c00c7fe8>] (sys_close+0xa8/0x150) from [<c00092a0>] (ret_fast_syscall+0x0/0x38) Tested-by: Pavankumar Kondeti <pkondeti@codeaurora.org> Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de> Signed-off-by: Felipe Balbi <balbi@ti.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
10 years ago
USB: gadgetfs: gadgetfs_disconnect: fix inconsistent lock state Under certain circumstances lockdep finds an inconsistent lock state in gadgetfs. The problem can be reproduced with a hardware using the ci13xxx_udc driver and the gadgetfs test program (needs a patch to support the ci13xxx_udc, though): http://www.linux-usb.org/gadget/usb.c Start the test program, wait to initialize, then press Ctrl+c. This patch fixes the following problem by using spin_lock_irqsave() instead of spin_lock(). ================================= [ INFO: inconsistent lock state ] 3.1.0-rc6+ #158 --------------------------------- inconsistent {IN-HARDIRQ-W} -> {HARDIRQ-ON-W} usage. usb/113 [HC0[0]:SC0[0]:HE1:SE1] takes: (&(&dev->lock)->rlock){?.....}, at: [<bf000340>] gadgetfs_disconnect+0x14/0x80 [gadgetfs] {IN-HARDIRQ-W} state was registered at: [<c00596b8>] mark_irqflags+0x14c/0x1ac [<c0059bf8>] __lock_acquire+0x4e0/0x8f0 [<c005a698>] lock_acquire+0x98/0x1a8 [<c02f10e0>] _raw_spin_lock+0x54/0x8c [<bf000340>] gadgetfs_disconnect+0x14/0x80 [gadgetfs] [<c0229104>] _gadget_stop_activity+0xd4/0x154 [<c022b130>] isr_reset_handler+0x34/0x1c0 [<c022c320>] udc_irq+0x204/0x228 [<c0069018>] handle_irq_event_percpu+0x64/0x3a0 [<c0069390>] handle_irq_event+0x3c/0x5c [<c006ae5c>] handle_level_irq+0x8c/0x10c [<c0068a34>] generic_handle_irq+0x30/0x44 [<c0009b2c>] handle_IRQ+0x30/0x84 [<c0008ef8>] __irq_svc+0x38/0x60 [<c0009c58>] default_idle+0x30/0x34 [<c0009e30>] cpu_idle+0x9c/0xd8 [<c04056f4>] start_kernel+0x278/0x2bc irq event stamp: 6412 hardirqs last enabled at (6412): [<c02f1cd0>] _raw_spin_unlock_irqrestore+0x30/0x5c hardirqs last disabled at (6411): [<c02f1278>] _raw_spin_lock_irqsave+0x20/0xa0 softirqs last enabled at (6381): [<c002833c>] irq_exit+0xa0/0xa8 softirqs last disabled at (6372): [<c002833c>] irq_exit+0xa0/0xa8 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(&(&dev->lock)->rlock); <Interrupt> lock(&(&dev->lock)->rlock); *** DEADLOCK *** 1 lock held by usb/113: #0: (udc_lock#2){+.+.+.}, at: [<c02286c0>] usb_gadget_unregister_driver+0x34/0x88 stack backtrace: [<c000d41c>] (unwind_backtrace+0x0/0xf0) from [<c0058e98>] (print_usage_bug+0x144/0x1c4) [<c0058e98>] (print_usage_bug+0x144/0x1c4) from [<c0059144>] (mark_lock_irq+0x22c/0x274) [<c0059144>] (mark_lock_irq+0x22c/0x274) from [<c00592d4>] (mark_lock+0x148/0x3e0) [<c00592d4>] (mark_lock+0x148/0x3e0) from [<c0059668>] (mark_irqflags+0xfc/0x1ac) [<c0059668>] (mark_irqflags+0xfc/0x1ac) from [<c0059bf8>] (__lock_acquire+0x4e0/0x8f0) [<c0059bf8>] (__lock_acquire+0x4e0/0x8f0) from [<c005a698>] (lock_acquire+0x98/0x1a8) [<c005a698>] (lock_acquire+0x98/0x1a8) from [<c02f10e0>] (_raw_spin_lock+0x54/0x8c) [<c02f10e0>] (_raw_spin_lock+0x54/0x8c) from [<bf000340>] (gadgetfs_disconnect+0x14/0x80 [gadgetfs]) [<bf000340>] (gadgetfs_disconnect+0x14/0x80 [gadgetfs]) from [<c0229104>] (_gadget_stop_activity+0xd4/0x154) [<c0229104>] (_gadget_stop_activity+0xd4/0x154) from [<c0229240>] (ci13xxx_stop+0xbc/0x17c) [<c0229240>] (ci13xxx_stop+0xbc/0x17c) from [<c022867c>] (usb_gadget_remove_driver+0x88/0x98) [<c022867c>] (usb_gadget_remove_driver+0x88/0x98) from [<c02286f4>] (usb_gadget_unregister_driver+0x68/0x88) [<c02286f4>] (usb_gadget_unregister_driver+0x68/0x88) from [<bf0003e8>] (dev_release+0x14/0x48 [gadgetfs]) [<bf0003e8>] (dev_release+0x14/0x48 [gadgetfs]) from [<c00cc158>] (__fput+0xa4/0x1f0) [<c00cc158>] (__fput+0xa4/0x1f0) from [<c00c7f28>] (filp_close+0x5c/0x74) [<c00c7f28>] (filp_close+0x5c/0x74) from [<c00c7fe8>] (sys_close+0xa8/0x150) [<c00c7fe8>] (sys_close+0xa8/0x150) from [<c00092a0>] (ret_fast_syscall+0x0/0x38) Tested-by: Pavankumar Kondeti <pkondeti@codeaurora.org> Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de> Signed-off-by: Felipe Balbi <balbi@ti.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
10 years ago
fs: Limit sys_mount to only request filesystem modules. Modify the request_module to prefix the file system type with "fs-" and add aliases to all of the filesystems that can be built as modules to match. A common practice is to build all of the kernel code and leave code that is not commonly needed as modules, with the result that many users are exposed to any bug anywhere in the kernel. Looking for filesystems with a fs- prefix limits the pool of possible modules that can be loaded by mount to just filesystems trivially making things safer with no real cost. Using aliases means user space can control the policy of which filesystem modules are auto-loaded by editing /etc/modprobe.d/*.conf with blacklist and alias directives. Allowing simple, safe, well understood work-arounds to known problematic software. This also addresses a rare but unfortunate problem where the filesystem name is not the same as it's module name and module auto-loading would not work. While writing this patch I saw a handful of such cases. The most significant being autofs that lives in the module autofs4. This is relevant to user namespaces because we can reach the request module in get_fs_type() without having any special permissions, and people get uncomfortable when a user specified string (in this case the filesystem type) goes all of the way to request_module. After having looked at this issue I don't think there is any particular reason to perform any filtering or permission checks beyond making it clear in the module request that we want a filesystem module. The common pattern in the kernel is to call request_module() without regards to the users permissions. In general all a filesystem module does once loaded is call register_filesystem() and go to sleep. Which means there is not much attack surface exposed by loading a filesytem module unless the filesystem is mounted. In a user namespace filesystems are not mounted unless .fs_flags = FS_USERNS_MOUNT, which most filesystems do not set today. Acked-by: Serge Hallyn <serge.hallyn@canonical.com> Acked-by: Kees Cook <keescook@chromium.org> Reported-by: Kees Cook <keescook@google.com> Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
9 years ago
  1. /*
  2. * inode.c -- user mode filesystem api for usb gadget controllers
  3. *
  4. * Copyright (C) 2003-2004 David Brownell
  5. * Copyright (C) 2003 Agilent Technologies
  6. *
  7. * This program is free software; you can redistribute it and/or modify
  8. * it under the terms of the GNU General Public License as published by
  9. * the Free Software Foundation; either version 2 of the License, or
  10. * (at your option) any later version.
  11. */
  12. /* #define VERBOSE_DEBUG */
  13. #include <linux/init.h>
  14. #include <linux/module.h>
  15. #include <linux/fs.h>
  16. #include <linux/pagemap.h>
  17. #include <linux/uts.h>
  18. #include <linux/wait.h>
  19. #include <linux/compiler.h>
  20. #include <asm/uaccess.h>
  21. #include <linux/sched.h>
  22. #include <linux/slab.h>
  23. #include <linux/poll.h>
  24. #include <linux/device.h>
  25. #include <linux/moduleparam.h>
  26. #include <linux/usb/gadgetfs.h>
  27. #include <linux/usb/gadget.h>
  28. /*
  29. * The gadgetfs API maps each endpoint to a file descriptor so that you
  30. * can use standard synchronous read/write calls for I/O. There's some
  31. * O_NONBLOCK and O_ASYNC/FASYNC style i/o support. Example usermode
  32. * drivers show how this works in practice. You can also use AIO to
  33. * eliminate I/O gaps between requests, to help when streaming data.
  34. *
  35. * Key parts that must be USB-specific are protocols defining how the
  36. * read/write operations relate to the hardware state machines. There
  37. * are two types of files. One type is for the device, implementing ep0.
  38. * The other type is for each IN or OUT endpoint. In both cases, the
  39. * user mode driver must configure the hardware before using it.
  40. *
  41. * - First, dev_config() is called when /dev/gadget/$CHIP is configured
  42. * (by writing configuration and device descriptors). Afterwards it
  43. * may serve as a source of device events, used to handle all control
  44. * requests other than basic enumeration.
  45. *
  46. * - Then, after a SET_CONFIGURATION control request, ep_config() is
  47. * called when each /dev/gadget/ep* file is configured (by writing
  48. * endpoint descriptors). Afterwards these files are used to write()
  49. * IN data or to read() OUT data. To halt the endpoint, a "wrong
  50. * direction" request is issued (like reading an IN endpoint).
  51. *
  52. * Unlike "usbfs" the only ioctl()s are for things that are rare, and maybe
  53. * not possible on all hardware. For example, precise fault handling with
  54. * respect to data left in endpoint fifos after aborted operations; or
  55. * selective clearing of endpoint halts, to implement SET_INTERFACE.
  56. */
  57. #define DRIVER_DESC "USB Gadget filesystem"
  58. #define DRIVER_VERSION "24 Aug 2004"
  59. static const char driver_desc [] = DRIVER_DESC;
  60. static const char shortname [] = "gadgetfs";
  61. MODULE_DESCRIPTION (DRIVER_DESC);
  62. MODULE_AUTHOR ("David Brownell");
  63. MODULE_LICENSE ("GPL");
  64. /*----------------------------------------------------------------------*/
  65. #define GADGETFS_MAGIC 0xaee71ee7
  66. /* /dev/gadget/$CHIP represents ep0 and the whole device */
  67. enum ep0_state {
  68. /* DISBLED is the initial state.
  69. */
  70. STATE_DEV_DISABLED = 0,
  71. /* Only one open() of /dev/gadget/$CHIP; only one file tracks
  72. * ep0/device i/o modes and binding to the controller. Driver
  73. * must always write descriptors to initialize the device, then
  74. * the device becomes UNCONNECTED until enumeration.
  75. */
  76. STATE_DEV_OPENED,
  77. /* From then on, ep0 fd is in either of two basic modes:
  78. * - (UN)CONNECTED: read usb_gadgetfs_event(s) from it
  79. * - SETUP: read/write will transfer control data and succeed;
  80. * or if "wrong direction", performs protocol stall
  81. */
  82. STATE_DEV_UNCONNECTED,
  83. STATE_DEV_CONNECTED,
  84. STATE_DEV_SETUP,
  85. /* UNBOUND means the driver closed ep0, so the device won't be
  86. * accessible again (DEV_DISABLED) until all fds are closed.
  87. */
  88. STATE_DEV_UNBOUND,
  89. };
  90. /* enough for the whole queue: most events invalidate others */
  91. #define N_EVENT 5
  92. struct dev_data {
  93. spinlock_t lock;
  94. atomic_t count;
  95. enum ep0_state state; /* P: lock */
  96. struct usb_gadgetfs_event event [N_EVENT];
  97. unsigned ev_next;
  98. struct fasync_struct *fasync;
  99. u8 current_config;
  100. /* drivers reading ep0 MUST handle control requests (SETUP)
  101. * reported that way; else the host will time out.
  102. */
  103. unsigned usermode_setup : 1,
  104. setup_in : 1,
  105. setup_can_stall : 1,
  106. setup_out_ready : 1,
  107. setup_out_error : 1,
  108. setup_abort : 1;
  109. unsigned setup_wLength;
  110. /* the rest is basically write-once */
  111. struct usb_config_descriptor *config, *hs_config;
  112. struct usb_device_descriptor *dev;
  113. struct usb_request *req;
  114. struct usb_gadget *gadget;
  115. struct list_head epfiles;
  116. void *buf;
  117. wait_queue_head_t wait;
  118. struct super_block *sb;
  119. struct dentry *dentry;
  120. /* except this scratch i/o buffer for ep0 */
  121. u8 rbuf [256];
  122. };
  123. static inline void get_dev (struct dev_data *data)
  124. {
  125. atomic_inc (&data->count);
  126. }
  127. static void put_dev (struct dev_data *data)
  128. {
  129. if (likely (!atomic_dec_and_test (&data->count)))
  130. return;
  131. /* needs no more cleanup */
  132. BUG_ON (waitqueue_active (&data->wait));
  133. kfree (data);
  134. }
  135. static struct dev_data *dev_new (void)
  136. {
  137. struct dev_data *dev;
  138. dev = kzalloc(sizeof(*dev), GFP_KERNEL);
  139. if (!dev)
  140. return NULL;
  141. dev->state = STATE_DEV_DISABLED;
  142. atomic_set (&dev->count, 1);
  143. spin_lock_init (&dev->lock);
  144. INIT_LIST_HEAD (&dev->epfiles);
  145. init_waitqueue_head (&dev->wait);
  146. return dev;
  147. }
  148. /*----------------------------------------------------------------------*/
  149. /* other /dev/gadget/$ENDPOINT files represent endpoints */
  150. enum ep_state {
  151. STATE_EP_DISABLED = 0,
  152. STATE_EP_READY,
  153. STATE_EP_ENABLED,
  154. STATE_EP_UNBOUND,
  155. };
  156. struct ep_data {
  157. struct mutex lock;
  158. enum ep_state state;
  159. atomic_t count;
  160. struct dev_data *dev;
  161. /* must hold dev->lock before accessing ep or req */
  162. struct usb_ep *ep;
  163. struct usb_request *req;
  164. ssize_t status;
  165. char name [16];
  166. struct usb_endpoint_descriptor desc, hs_desc;
  167. struct list_head epfiles;
  168. wait_queue_head_t wait;
  169. struct dentry *dentry;
  170. struct inode *inode;
  171. };
  172. static inline void get_ep (struct ep_data *data)
  173. {
  174. atomic_inc (&data->count);
  175. }
  176. static void put_ep (struct ep_data *data)
  177. {
  178. if (likely (!atomic_dec_and_test (&data->count)))
  179. return;
  180. put_dev (data->dev);
  181. /* needs no more cleanup */
  182. BUG_ON (!list_empty (&data->epfiles));
  183. BUG_ON (waitqueue_active (&data->wait));
  184. kfree (data);
  185. }
  186. /*----------------------------------------------------------------------*/
  187. /* most "how to use the hardware" policy choices are in userspace:
  188. * mapping endpoint roles (which the driver needs) to the capabilities
  189. * which the usb controller has. most of those capabilities are exposed
  190. * implicitly, starting with the driver name and then endpoint names.
  191. */
  192. static const char *CHIP;
  193. /*----------------------------------------------------------------------*/
  194. /* NOTE: don't use dev_printk calls before binding to the gadget
  195. * at the end of ep0 configuration, or after unbind.
  196. */
  197. /* too wordy: dev_printk(level , &(d)->gadget->dev , fmt , ## args) */
  198. #define xprintk(d,level,fmt,args...) \
  199. printk(level "%s: " fmt , shortname , ## args)
  200. #ifdef DEBUG
  201. #define DBG(dev,fmt,args...) \
  202. xprintk(dev , KERN_DEBUG , fmt , ## args)
  203. #else
  204. #define DBG(dev,fmt,args...) \
  205. do { } while (0)
  206. #endif /* DEBUG */
  207. #ifdef VERBOSE_DEBUG
  208. #define VDEBUG DBG
  209. #else
  210. #define VDEBUG(dev,fmt,args...) \
  211. do { } while (0)
  212. #endif /* DEBUG */
  213. #define ERROR(dev,fmt,args...) \
  214. xprintk(dev , KERN_ERR , fmt , ## args)
  215. #define INFO(dev,fmt,args...) \
  216. xprintk(dev , KERN_INFO , fmt , ## args)
  217. /*----------------------------------------------------------------------*/
  218. /* SYNCHRONOUS ENDPOINT OPERATIONS (bulk/intr/iso)
  219. *
  220. * After opening, configure non-control endpoints. Then use normal
  221. * stream read() and write() requests; and maybe ioctl() to get more
  222. * precise FIFO status when recovering from cancellation.
  223. */
  224. static void epio_complete (struct usb_ep *ep, struct usb_request *req)
  225. {
  226. struct ep_data *epdata = ep->driver_data;
  227. if (!req->context)
  228. return;
  229. if (req->status)
  230. epdata->status = req->status;
  231. else
  232. epdata->status = req->actual;
  233. complete ((struct completion *)req->context);
  234. }
  235. /* tasklock endpoint, returning when it's connected.
  236. * still need dev->lock to use epdata->ep.
  237. */
  238. static int
  239. get_ready_ep (unsigned f_flags, struct ep_data *epdata)
  240. {
  241. int val;
  242. if (f_flags & O_NONBLOCK) {
  243. if (!mutex_trylock(&epdata->lock))
  244. goto nonblock;
  245. if (epdata->state != STATE_EP_ENABLED) {
  246. mutex_unlock(&epdata->lock);
  247. nonblock:
  248. val = -EAGAIN;
  249. } else
  250. val = 0;
  251. return val;
  252. }
  253. val = mutex_lock_interruptible(&epdata->lock);
  254. if (val < 0)
  255. return val;
  256. switch (epdata->state) {
  257. case STATE_EP_ENABLED:
  258. break;
  259. // case STATE_EP_DISABLED: /* "can't happen" */
  260. // case STATE_EP_READY: /* "can't happen" */
  261. default: /* error! */
  262. pr_debug ("%s: ep %p not available, state %d\n",
  263. shortname, epdata, epdata->state);
  264. // FALLTHROUGH
  265. case STATE_EP_UNBOUND: /* clean disconnect */
  266. val = -ENODEV;
  267. mutex_unlock(&epdata->lock);
  268. }
  269. return val;
  270. }
  271. static ssize_t
  272. ep_io (struct ep_data *epdata, void *buf, unsigned len)
  273. {
  274. DECLARE_COMPLETION_ONSTACK (done);
  275. int value;
  276. spin_lock_irq (&epdata->dev->lock);
  277. if (likely (epdata->ep != NULL)) {
  278. struct usb_request *req = epdata->req;
  279. req->context = &done;
  280. req->complete = epio_complete;
  281. req->buf = buf;
  282. req->length = len;
  283. value = usb_ep_queue (epdata->ep, req, GFP_ATOMIC);
  284. } else
  285. value = -ENODEV;
  286. spin_unlock_irq (&epdata->dev->lock);
  287. if (likely (value == 0)) {
  288. value = wait_event_interruptible (done.wait, done.done);
  289. if (value != 0) {
  290. spin_lock_irq (&epdata->dev->lock);
  291. if (likely (epdata->ep != NULL)) {
  292. DBG (epdata->dev, "%s i/o interrupted\n",
  293. epdata->name);
  294. usb_ep_dequeue (epdata->ep, epdata->req);
  295. spin_unlock_irq (&epdata->dev->lock);
  296. wait_event (done.wait, done.done);
  297. if (epdata->status == -ECONNRESET)
  298. epdata->status = -EINTR;
  299. } else {
  300. spin_unlock_irq (&epdata->dev->lock);
  301. DBG (epdata->dev, "endpoint gone\n");
  302. epdata->status = -ENODEV;
  303. }
  304. }
  305. return epdata->status;
  306. }
  307. return value;
  308. }
  309. /* handle a synchronous OUT bulk/intr/iso transfer */
  310. static ssize_t
  311. ep_read (struct file *fd, char __user *buf, size_t len, loff_t *ptr)
  312. {
  313. struct ep_data *data = fd->private_data;
  314. void *kbuf;
  315. ssize_t value;
  316. if ((value = get_ready_ep (fd->f_flags, data)) < 0)
  317. return value;
  318. /* halt any endpoint by doing a "wrong direction" i/o call */
  319. if (usb_endpoint_dir_in(&data->desc)) {
  320. if (usb_endpoint_xfer_isoc(&data->desc)) {
  321. mutex_unlock(&data->lock);
  322. return -EINVAL;
  323. }
  324. DBG (data->dev, "%s halt\n", data->name);
  325. spin_lock_irq (&data->dev->lock);
  326. if (likely (data->ep != NULL))
  327. usb_ep_set_halt (data->ep);
  328. spin_unlock_irq (&data->dev->lock);
  329. mutex_unlock(&data->lock);
  330. return -EBADMSG;
  331. }
  332. /* FIXME readahead for O_NONBLOCK and poll(); careful with ZLPs */
  333. value = -ENOMEM;
  334. kbuf = kmalloc (len, GFP_KERNEL);
  335. if (unlikely (!kbuf))
  336. goto free1;
  337. value = ep_io (data, kbuf, len);
  338. VDEBUG (data->dev, "%s read %zu OUT, status %d\n",
  339. data->name, len, (int) value);
  340. if (value >= 0 && copy_to_user (buf, kbuf, value))
  341. value = -EFAULT;
  342. free1:
  343. mutex_unlock(&data->lock);
  344. kfree (kbuf);
  345. return value;
  346. }
  347. /* handle a synchronous IN bulk/intr/iso transfer */
  348. static ssize_t
  349. ep_write (struct file *fd, const char __user *buf, size_t len, loff_t *ptr)
  350. {
  351. struct ep_data *data = fd->private_data;
  352. void *kbuf;
  353. ssize_t value;
  354. if ((value = get_ready_ep (fd->f_flags, data)) < 0)
  355. return value;
  356. /* halt any endpoint by doing a "wrong direction" i/o call */
  357. if (!usb_endpoint_dir_in(&data->desc)) {
  358. if (usb_endpoint_xfer_isoc(&data->desc)) {
  359. mutex_unlock(&data->lock);
  360. return -EINVAL;
  361. }
  362. DBG (data->dev, "%s halt\n", data->name);
  363. spin_lock_irq (&data->dev->lock);
  364. if (likely (data->ep != NULL))
  365. usb_ep_set_halt (data->ep);
  366. spin_unlock_irq (&data->dev->lock);
  367. mutex_unlock(&data->lock);
  368. return -EBADMSG;
  369. }
  370. /* FIXME writebehind for O_NONBLOCK and poll(), qlen = 1 */
  371. value = -ENOMEM;
  372. kbuf = kmalloc (len, GFP_KERNEL);
  373. if (!kbuf)
  374. goto free1;
  375. if (copy_from_user (kbuf, buf, len)) {
  376. value = -EFAULT;
  377. goto free1;
  378. }
  379. value = ep_io (data, kbuf, len);
  380. VDEBUG (data->dev, "%s write %zu IN, status %d\n",
  381. data->name, len, (int) value);
  382. free1:
  383. mutex_unlock(&data->lock);
  384. kfree (kbuf);
  385. return value;
  386. }
  387. static int
  388. ep_release (struct inode *inode, struct file *fd)
  389. {
  390. struct ep_data *data = fd->private_data;
  391. int value;
  392. value = mutex_lock_interruptible(&data->lock);
  393. if (value < 0)
  394. return value;
  395. /* clean up if this can be reopened */
  396. if (data->state != STATE_EP_UNBOUND) {
  397. data->state = STATE_EP_DISABLED;
  398. data->desc.bDescriptorType = 0;
  399. data->hs_desc.bDescriptorType = 0;
  400. usb_ep_disable(data->ep);
  401. }
  402. mutex_unlock(&data->lock);
  403. put_ep (data);
  404. return 0;
  405. }
  406. static long ep_ioctl(struct file *fd, unsigned code, unsigned long value)
  407. {
  408. struct ep_data *data = fd->private_data;
  409. int status;
  410. if ((status = get_ready_ep (fd->f_flags, data)) < 0)
  411. return status;
  412. spin_lock_irq (&data->dev->lock);
  413. if (likely (data->ep != NULL)) {
  414. switch (code) {
  415. case GADGETFS_FIFO_STATUS:
  416. status = usb_ep_fifo_status (data->ep);
  417. break;
  418. case GADGETFS_FIFO_FLUSH:
  419. usb_ep_fifo_flush (data->ep);
  420. break;
  421. case GADGETFS_CLEAR_HALT:
  422. status = usb_ep_clear_halt (data->ep);
  423. break;
  424. default:
  425. status = -ENOTTY;
  426. }
  427. } else
  428. status = -ENODEV;
  429. spin_unlock_irq (&data->dev->lock);
  430. mutex_unlock(&data->lock);
  431. return status;
  432. }
  433. /*----------------------------------------------------------------------*/
  434. /* ASYNCHRONOUS ENDPOINT I/O OPERATIONS (bulk/intr/iso) */
  435. struct kiocb_priv {
  436. struct usb_request *req;
  437. struct ep_data *epdata;
  438. void *buf;
  439. const struct iovec *iv;
  440. unsigned long nr_segs;
  441. unsigned actual;
  442. };
  443. static int ep_aio_cancel(struct kiocb *iocb, struct io_event *e)
  444. {
  445. struct kiocb_priv *priv = iocb->private;
  446. struct ep_data *epdata;
  447. int value;
  448. local_irq_disable();
  449. epdata = priv->epdata;
  450. // spin_lock(&epdata->dev->lock);
  451. kiocbSetCancelled(iocb);
  452. if (likely(epdata && epdata->ep && priv->req))
  453. value = usb_ep_dequeue (epdata->ep, priv->req);
  454. else
  455. value = -EINVAL;
  456. // spin_unlock(&epdata->dev->lock);
  457. local_irq_enable();
  458. aio_put_req(iocb);
  459. return value;
  460. }
  461. static ssize_t ep_aio_read_retry(struct kiocb *iocb)
  462. {
  463. struct kiocb_priv *priv = iocb->private;
  464. ssize_t len, total;
  465. void *to_copy;
  466. int i;
  467. /* we "retry" to get the right mm context for this: */
  468. /* copy stuff into user buffers */
  469. total = priv->actual;
  470. len = 0;
  471. to_copy = priv->buf;
  472. for (i=0; i < priv->nr_segs; i++) {
  473. ssize_t this = min((ssize_t)(priv->iv[i].iov_len), total);
  474. if (copy_to_user(priv->iv[i].iov_base, to_copy, this)) {
  475. if (len == 0)
  476. len = -EFAULT;
  477. break;
  478. }
  479. total -= this;
  480. len += this;
  481. to_copy += this;
  482. if (total == 0)
  483. break;
  484. }
  485. kfree(priv->buf);
  486. kfree(priv);
  487. return len;
  488. }
  489. static void ep_aio_complete(struct usb_ep *ep, struct usb_request *req)
  490. {
  491. struct kiocb *iocb = req->context;
  492. struct kiocb_priv *priv = iocb->private;
  493. struct ep_data *epdata = priv->epdata;
  494. /* lock against disconnect (and ideally, cancel) */
  495. spin_lock(&epdata->dev->lock);
  496. priv->req = NULL;
  497. priv->epdata = NULL;
  498. /* if this was a write or a read returning no data then we
  499. * don't need to copy anything to userspace, so we can
  500. * complete the aio request immediately.
  501. */
  502. if (priv->iv == NULL || unlikely(req->actual == 0)) {
  503. kfree(req->buf);
  504. kfree(priv);
  505. iocb->private = NULL;
  506. /* aio_complete() reports bytes-transferred _and_ faults */
  507. aio_complete(iocb, req->actual ? req->actual : req->status,
  508. req->status);
  509. } else {
  510. /* retry() won't report both; so we hide some faults */
  511. if (unlikely(0 != req->status))
  512. DBG(epdata->dev, "%s fault %d len %d\n",
  513. ep->name, req->status, req->actual);
  514. priv->buf = req->buf;
  515. priv->actual = req->actual;
  516. kick_iocb(iocb);
  517. }
  518. spin_unlock(&epdata->dev->lock);
  519. usb_ep_free_request(ep, req);
  520. put_ep(epdata);
  521. }
  522. static ssize_t
  523. ep_aio_rwtail(
  524. struct kiocb *iocb,
  525. char *buf,
  526. size_t len,
  527. struct ep_data *epdata,
  528. const struct iovec *iv,
  529. unsigned long nr_segs
  530. )
  531. {
  532. struct kiocb_priv *priv;
  533. struct usb_request *req;
  534. ssize_t value;
  535. priv = kmalloc(sizeof *priv, GFP_KERNEL);
  536. if (!priv) {
  537. value = -ENOMEM;
  538. fail:
  539. kfree(buf);
  540. return value;
  541. }
  542. iocb->private = priv;
  543. priv->iv = iv;
  544. priv->nr_segs = nr_segs;
  545. value = get_ready_ep(iocb->ki_filp->f_flags, epdata);
  546. if (unlikely(value < 0)) {
  547. kfree(priv);
  548. goto fail;
  549. }
  550. iocb->ki_cancel = ep_aio_cancel;
  551. get_ep(epdata);
  552. priv->epdata = epdata;
  553. priv->actual = 0;
  554. /* each kiocb is coupled to one usb_request, but we can't
  555. * allocate or submit those if the host disconnected.
  556. */
  557. spin_lock_irq(&epdata->dev->lock);
  558. if (likely(epdata->ep)) {
  559. req = usb_ep_alloc_request(epdata->ep, GFP_ATOMIC);
  560. if (likely(req)) {
  561. priv->req = req;
  562. req->buf = buf;
  563. req->length = len;
  564. req->complete = ep_aio_complete;
  565. req->context = iocb;
  566. value = usb_ep_queue(epdata->ep, req, GFP_ATOMIC);
  567. if (unlikely(0 != value))
  568. usb_ep_free_request(epdata->ep, req);
  569. } else
  570. value = -EAGAIN;
  571. } else
  572. value = -ENODEV;
  573. spin_unlock_irq(&epdata->dev->lock);
  574. mutex_unlock(&epdata->lock);
  575. if (unlikely(value)) {
  576. kfree(priv);
  577. put_ep(epdata);
  578. } else
  579. value = (iv ? -EIOCBRETRY : -EIOCBQUEUED);
  580. return value;
  581. }
  582. static ssize_t
  583. ep_aio_read(struct kiocb *iocb, const struct iovec *iov,
  584. unsigned long nr_segs, loff_t o)
  585. {
  586. struct ep_data *epdata = iocb->ki_filp->private_data;
  587. char *buf;
  588. if (unlikely(usb_endpoint_dir_in(&epdata->desc)))
  589. return -EINVAL;
  590. buf = kmalloc(iocb->ki_left, GFP_KERNEL);
  591. if (unlikely(!buf))
  592. return -ENOMEM;
  593. iocb->ki_retry = ep_aio_read_retry;
  594. return ep_aio_rwtail(iocb, buf, iocb->ki_left, epdata, iov, nr_segs);
  595. }
  596. static ssize_t
  597. ep_aio_write(struct kiocb *iocb, const struct iovec *iov,
  598. unsigned long nr_segs, loff_t o)
  599. {
  600. struct ep_data *epdata = iocb->ki_filp->private_data;
  601. char *buf;
  602. size_t len = 0;
  603. int i = 0;
  604. if (unlikely(!usb_endpoint_dir_in(&epdata->desc)))
  605. return -EINVAL;
  606. buf = kmalloc(iocb->ki_left, GFP_KERNEL);
  607. if (unlikely(!buf))
  608. return -ENOMEM;
  609. for (i=0; i < nr_segs; i++) {
  610. if (unlikely(copy_from_user(&buf[len], iov[i].iov_base,
  611. iov[i].iov_len) != 0)) {
  612. kfree(buf);
  613. return -EFAULT;
  614. }
  615. len += iov[i].iov_len;
  616. }
  617. return ep_aio_rwtail(iocb, buf, len, epdata, NULL, 0);
  618. }
  619. /*----------------------------------------------------------------------*/
  620. /* used after endpoint configuration */
  621. static const struct file_operations ep_io_operations = {
  622. .owner = THIS_MODULE,
  623. .llseek = no_llseek,
  624. .read = ep_read,
  625. .write = ep_write,
  626. .unlocked_ioctl = ep_ioctl,
  627. .release = ep_release,
  628. .aio_read = ep_aio_read,
  629. .aio_write = ep_aio_write,
  630. };
  631. /* ENDPOINT INITIALIZATION
  632. *
  633. * fd = open ("/dev/gadget/$ENDPOINT", O_RDWR)
  634. * status = write (fd, descriptors, sizeof descriptors)
  635. *
  636. * That write establishes the endpoint configuration, configuring
  637. * the controller to process bulk, interrupt, or isochronous transfers
  638. * at the right maxpacket size, and so on.
  639. *
  640. * The descriptors are message type 1, identified by a host order u32
  641. * at the beginning of what's written. Descriptor order is: full/low
  642. * speed descriptor, then optional high speed descriptor.
  643. */
  644. static ssize_t
  645. ep_config (struct file *fd, const char __user *buf, size_t len, loff_t *ptr)
  646. {
  647. struct ep_data *data = fd->private_data;
  648. struct usb_ep *ep;
  649. u32 tag;
  650. int value, length = len;
  651. value = mutex_lock_interruptible(&data->lock);
  652. if (value < 0)
  653. return value;
  654. if (data->state != STATE_EP_READY) {
  655. value = -EL2HLT;
  656. goto fail;
  657. }
  658. value = len;
  659. if (len < USB_DT_ENDPOINT_SIZE + 4)
  660. goto fail0;
  661. /* we might need to change message format someday */
  662. if (copy_from_user (&tag, buf, 4)) {
  663. goto fail1;
  664. }
  665. if (tag != 1) {
  666. DBG(data->dev, "config %s, bad tag %d\n", data->name, tag);
  667. goto fail0;
  668. }
  669. buf += 4;
  670. len -= 4;
  671. /* NOTE: audio endpoint extensions not accepted here;
  672. * just don't include the extra bytes.
  673. */
  674. /* full/low speed descriptor, then high speed */
  675. if (copy_from_user (&data->desc, buf, USB_DT_ENDPOINT_SIZE)) {
  676. goto fail1;
  677. }
  678. if (data->desc.bLength != USB_DT_ENDPOINT_SIZE
  679. || data->desc.bDescriptorType != USB_DT_ENDPOINT)
  680. goto fail0;
  681. if (len != USB_DT_ENDPOINT_SIZE) {
  682. if (len != 2 * USB_DT_ENDPOINT_SIZE)
  683. goto fail0;
  684. if (copy_from_user (&data->hs_desc, buf + USB_DT_ENDPOINT_SIZE,
  685. USB_DT_ENDPOINT_SIZE)) {
  686. goto fail1;
  687. }
  688. if (data->hs_desc.bLength != USB_DT_ENDPOINT_SIZE
  689. || data->hs_desc.bDescriptorType
  690. != USB_DT_ENDPOINT) {
  691. DBG(data->dev, "config %s, bad hs length or type\n",
  692. data->name);
  693. goto fail0;
  694. }
  695. }
  696. spin_lock_irq (&data->dev->lock);
  697. if (data->dev->state == STATE_DEV_UNBOUND) {
  698. value = -ENOENT;
  699. goto gone;
  700. } else if ((ep = data->ep) == NULL) {
  701. value = -ENODEV;
  702. goto gone;
  703. }
  704. switch (data->dev->gadget->speed) {
  705. case USB_SPEED_LOW:
  706. case USB_SPEED_FULL:
  707. ep->desc = &data->desc;
  708. value = usb_ep_enable(ep);
  709. if (value == 0)
  710. data->state = STATE_EP_ENABLED;
  711. break;
  712. case USB_SPEED_HIGH:
  713. /* fails if caller didn't provide that descriptor... */
  714. ep->desc = &data->hs_desc;
  715. value = usb_ep_enable(ep);
  716. if (value == 0)
  717. data->state = STATE_EP_ENABLED;
  718. break;
  719. default:
  720. DBG(data->dev, "unconnected, %s init abandoned\n",
  721. data->name);
  722. value = -EINVAL;
  723. }
  724. if (value == 0) {
  725. fd->f_op = &ep_io_operations;
  726. value = length;
  727. }
  728. gone:
  729. spin_unlock_irq (&data->dev->lock);
  730. if (value < 0) {
  731. fail:
  732. data->desc.bDescriptorType = 0;
  733. data->hs_desc.bDescriptorType = 0;
  734. }
  735. mutex_unlock(&data->lock);
  736. return value;
  737. fail0:
  738. value = -EINVAL;
  739. goto fail;
  740. fail1:
  741. value = -EFAULT;
  742. goto fail;
  743. }
  744. static int
  745. ep_open (struct inode *inode, struct file *fd)
  746. {
  747. struct ep_data *data = inode->i_private;
  748. int value = -EBUSY;
  749. if (mutex_lock_interruptible(&data->lock) != 0)
  750. return -EINTR;
  751. spin_lock_irq (&data->dev->lock);
  752. if (data->dev->state == STATE_DEV_UNBOUND)
  753. value = -ENOENT;
  754. else if (data->state == STATE_EP_DISABLED) {
  755. value = 0;
  756. data->state = STATE_EP_READY;
  757. get_ep (data);
  758. fd->private_data = data;
  759. VDEBUG (data->dev, "%s ready\n", data->name);
  760. } else
  761. DBG (data->dev, "%s state %d\n",
  762. data->name, data->state);
  763. spin_unlock_irq (&data->dev->lock);
  764. mutex_unlock(&data->lock);
  765. return value;
  766. }
  767. /* used before endpoint configuration */
  768. static const struct file_operations ep_config_operations = {
  769. .owner = THIS_MODULE,
  770. .llseek = no_llseek,
  771. .open = ep_open,
  772. .write = ep_config,
  773. .release = ep_release,
  774. };
  775. /*----------------------------------------------------------------------*/
  776. /* EP0 IMPLEMENTATION can be partly in userspace.
  777. *
  778. * Drivers that use this facility receive various events, including
  779. * control requests the kernel doesn't handle. Drivers that don't
  780. * use this facility may be too simple-minded for real applications.
  781. */
  782. static inline void ep0_readable (struct dev_data *dev)
  783. {
  784. wake_up (&dev->wait);
  785. kill_fasync (&dev->fasync, SIGIO, POLL_IN);
  786. }
  787. static void clean_req (struct usb_ep *ep, struct usb_request *req)
  788. {
  789. struct dev_data *dev = ep->driver_data;
  790. if (req->buf != dev->rbuf) {
  791. kfree(req->buf);
  792. req->buf = dev->rbuf;
  793. }
  794. req->complete = epio_complete;
  795. dev->setup_out_ready = 0;
  796. }
  797. static void ep0_complete (struct usb_ep *ep, struct usb_request *req)
  798. {
  799. struct dev_data *dev = ep->driver_data;
  800. unsigned long flags;
  801. int free = 1;
  802. /* for control OUT, data must still get to userspace */
  803. spin_lock_irqsave(&dev->lock, flags);
  804. if (!dev->setup_in) {
  805. dev->setup_out_error = (req->status != 0);
  806. if (!dev->setup_out_error)
  807. free = 0;
  808. dev->setup_out_ready = 1;
  809. ep0_readable (dev);
  810. }
  811. /* clean up as appropriate */
  812. if (free && req->buf != &dev->rbuf)
  813. clean_req (ep, req);
  814. req->complete = epio_complete;
  815. spin_unlock_irqrestore(&dev->lock, flags);
  816. }
  817. static int setup_req (struct usb_ep *ep, struct usb_request *req, u16 len)
  818. {
  819. struct dev_data *dev = ep->driver_data;
  820. if (dev->setup_out_ready) {
  821. DBG (dev, "ep0 request busy!\n");
  822. return -EBUSY;
  823. }
  824. if (len > sizeof (dev->rbuf))
  825. req->buf = kmalloc(len, GFP_ATOMIC);
  826. if (req->buf == NULL) {
  827. req->buf = dev->rbuf;
  828. return -ENOMEM;
  829. }
  830. req->complete = ep0_complete;
  831. req->length = len;
  832. req->zero = 0;
  833. return 0;
  834. }
  835. static ssize_t
  836. ep0_read (struct file *fd, char __user *buf, size_t len, loff_t *ptr)
  837. {
  838. struct dev_data *dev = fd->private_data;
  839. ssize_t retval;
  840. enum ep0_state state;
  841. spin_lock_irq (&dev->lock);
  842. /* report fd mode change before acting on it */
  843. if (dev->setup_abort) {
  844. dev->setup_abort = 0;
  845. retval = -EIDRM;
  846. goto done;
  847. }
  848. /* control DATA stage */
  849. if ((state = dev->state) == STATE_DEV_SETUP) {
  850. if (dev->setup_in) { /* stall IN */
  851. VDEBUG(dev, "ep0in stall\n");
  852. (void) usb_ep_set_halt (dev->gadget->ep0);
  853. retval = -EL2HLT;
  854. dev->state = STATE_DEV_CONNECTED;
  855. } else if (len == 0) { /* ack SET_CONFIGURATION etc */
  856. struct usb_ep *ep = dev->gadget->ep0;
  857. struct usb_request *req = dev->req;
  858. if ((retval = setup_req (ep, req, 0)) == 0)
  859. retval = usb_ep_queue (ep, req, GFP_ATOMIC);
  860. dev->state = STATE_DEV_CONNECTED;
  861. /* assume that was SET_CONFIGURATION */
  862. if (dev->current_config) {
  863. unsigned power;
  864. if (gadget_is_dualspeed(dev->gadget)
  865. && (dev->gadget->speed
  866. == USB_SPEED_HIGH))
  867. power = dev->hs_config->bMaxPower;
  868. else
  869. power = dev->config->bMaxPower;
  870. usb_gadget_vbus_draw(dev->gadget, 2 * power);
  871. }
  872. } else { /* collect OUT data */
  873. if ((fd->f_flags & O_NONBLOCK) != 0
  874. && !dev->setup_out_ready) {
  875. retval = -EAGAIN;
  876. goto done;
  877. }
  878. spin_unlock_irq (&dev->lock);
  879. retval = wait_event_interruptible (dev->wait,
  880. dev->setup_out_ready != 0);
  881. /* FIXME state could change from under us */
  882. spin_lock_irq (&dev->lock);
  883. if (retval)
  884. goto done;
  885. if (dev->state != STATE_DEV_SETUP) {
  886. retval = -ECANCELED;
  887. goto done;
  888. }
  889. dev->state = STATE_DEV_CONNECTED;
  890. if (dev->setup_out_error)
  891. retval = -EIO;
  892. else {
  893. len = min (len, (size_t)dev->req->actual);
  894. // FIXME don't call this with the spinlock held ...
  895. if (copy_to_user (buf, dev->req->buf, len))
  896. retval = -EFAULT;
  897. else
  898. retval = len;
  899. clean_req (dev->gadget->ep0, dev->req);
  900. /* NOTE userspace can't yet choose to stall */
  901. }
  902. }
  903. goto done;
  904. }
  905. /* else normal: return event data */
  906. if (len < sizeof dev->event [0]) {
  907. retval = -EINVAL;
  908. goto done;
  909. }
  910. len -= len % sizeof (struct usb_gadgetfs_event);
  911. dev->usermode_setup = 1;
  912. scan:
  913. /* return queued events right away */
  914. if (dev->ev_next != 0) {
  915. unsigned i, n;
  916. n = len