1 // SPDX-License-Identifier: GPL-2.0
2 /*
3 * WUSB Wire Adapter
4 * rpipe management
6 * Copyright (C) 2005-2006 Intel Corporation
7 * Inaky Perez-Gonzalez <inaky.perez-gonzalez@intel.com>
9 * FIXME: docs
11 * RPIPE
13 * Targeted at different downstream endpoints
15 * Descriptor: use to config the remote pipe.
17 * The number of blocks could be dynamic (wBlocks in descriptor is
18 * 0)--need to schedule them then.
20 * Each bit in wa->rpipe_bm represents if an rpipe is being used or
21 * not. Rpipes are represented with a 'struct wa_rpipe' that is
22 * attached to the hcpriv member of a 'struct usb_host_endpoint'.
24 * When you need to xfer data to an endpoint, you get an rpipe for it
25 * with wa_ep_rpipe_get(), which gives you a reference to the rpipe
26 * and keeps a single one (the first one) with the endpoint. When you
27 * are done transferring, you drop that reference. At the end the
28 * rpipe is always allocated and bound to the endpoint. There it might
29 * be recycled when not used.
31 * Addresses:
33 * We use a 1:1 mapping mechanism between port address (0 based
34 * index, actually) and the address. The USB stack knows about this.
36 * USB Stack port number 4 (1 based)
37 * WUSB code port index 3 (0 based)
38 * USB Address 5 (2 based -- 0 is for default, 1 for root hub)
40 * Now, because we don't use the concept as default address exactly
41 * like the (wired) USB code does, we need to kind of skip it. So we
42 * never take addresses from the urb->pipe, but from the
43 * urb->dev->devnum, to make sure that we always have the right
44 * destination address.
46 #include <linux/atomic.h>
47 #include <linux/bitmap.h>
48 #include <linux/slab.h>
49 #include <linux/export.h>
51 #include "wusbhc.h"
52 #include "wa-hc.h"
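/*
 * Fetch the RPIPE descriptor for rpipe @index from the wire adapter.
 *
 * @wa:    wire adapter to query
 * @descr: buffer that receives the descriptor (sizeof(*descr) bytes)
 * @index: rpipe index, passed as wIndex of the control request
 *
 * Returns 0 on success, the negative error from usb_control_msg() if
 * the transfer failed, or -EINVAL if fewer bytes than a full
 * descriptor came back.
 *
 * Only the transfer length is checked here. The descriptor contents
 * are whatever the device sent and are not validated by this function.
 */
static int __rpipe_get_descr(struct wahc *wa,
			     struct usb_rpipe_descriptor *descr, u16 index)
{
	ssize_t result;
	struct device *dev = &wa->usb_iface->dev;

	/* Get the RPIPE descriptor -- we cannot use the usb_get_descriptor()
	 * function because the arguments are different.
	 */
	result = usb_control_msg(
		wa->usb_dev, usb_rcvctrlpipe(wa->usb_dev, 0),
		USB_REQ_GET_DESCRIPTOR,
		USB_DIR_IN | USB_TYPE_CLASS | USB_RECIP_RPIPE,
		USB_DT_RPIPE<<8, index, descr, sizeof(*descr),
		USB_CTRL_GET_TIMEOUT);
	if (result < 0) {
		dev_err(dev, "rpipe %u: get descriptor failed: %d\n",
			index, (int)result);
		return result;
	}
	/* result is non-negative here, so the size_t comparison is exact */
	if ((size_t)result < sizeof(*descr)) {
		/* sizeof() yields size_t, which takes %zu rather than %zd */
		dev_err(dev, "rpipe %u: got short descriptor "
			"(%zd vs %zu bytes needed)\n",
			index, result, sizeof(*descr));
		return -EINVAL;
	}
	return 0;
}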
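/*
 * Write the RPIPE descriptor @descr to rpipe @index on the wire adapter.
 *
 * The descriptor is assumed to be properly initialized (ie: you got
 * it through __rpipe_get_descr()).
 *
 * @wa:    wire adapter to program
 * @descr: descriptor to send (sizeof(*descr) bytes)
 * @index: rpipe index, passed as wIndex of the control request
 *
 * Returns 0 on success, the negative error from usb_control_msg() if
 * the transfer failed, or -EINVAL if fewer bytes than a full
 * descriptor were sent.
 */
static int __rpipe_set_descr(struct wahc *wa,
			     struct usb_rpipe_descriptor *descr, u16 index)
{
	ssize_t result;
	struct device *dev = &wa->usb_iface->dev;

	/* A class-specific SET_DESCRIPTOR addressed to the rpipe recipient
	 * is built by hand here.
	 */
	result = usb_control_msg(
		wa->usb_dev, usb_sndctrlpipe(wa->usb_dev, 0),
		USB_REQ_SET_DESCRIPTOR,
		USB_DIR_OUT | USB_TYPE_CLASS | USB_RECIP_RPIPE,
		USB_DT_RPIPE<<8, index, descr, sizeof(*descr),
		USB_CTRL_SET_TIMEOUT);
	if (result < 0) {
		dev_err(dev, "rpipe %u: set descriptor failed: %d\n",
			index, (int)result);
		return result;
	}
	/* result is non-negative here, so the size_t comparison is exact */
	if ((size_t)result < sizeof(*descr)) {
		/* sizeof() yields size_t, which takes %zu rather than %zd */
		dev_err(dev, "rpipe %u: sent short descriptor "
			"(%zd vs %zu bytes required)\n",
			index, result, sizeof(*descr));
		return -EINVAL;
	}
	return 0;
}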
/*
 * Set up the bookkeeping members of a freshly allocated rpipe: both
 * list heads, the segment lock and the reference count.
 */
static void rpipe_init(struct wa_rpipe *rpipe)
{
	INIT_LIST_HEAD(&rpipe->list_node);
	INIT_LIST_HEAD(&rpipe->seg_list);
	spin_lock_init(&rpipe->seg_lock);
	kref_init(&rpipe->refcnt);
}
/*
 * Claim the first free rpipe index at or after @rpipe_idx.
 *
 * The search of wa->rpipe_bm and the marking of the bit both happen
 * under wa->rpipe_lock. Returns the claimed index; a return value
 * that is not below wa->rpipes means nothing was claimed.
 */
static unsigned rpipe_get_idx(struct wahc *wa, unsigned rpipe_idx)
{
	unsigned long irq_flags;
	unsigned claimed;

	spin_lock_irqsave(&wa->rpipe_lock, irq_flags);
	claimed = find_next_zero_bit(wa->rpipe_bm, wa->rpipes, rpipe_idx);
	if (claimed < wa->rpipes)
		set_bit(claimed, wa->rpipe_bm);
	spin_unlock_irqrestore(&wa->rpipe_lock, irq_flags);

	return claimed;
}
/*
 * Mark rpipe index @rpipe_idx as free again in wa->rpipe_bm.
 *
 * No range check is done here: the caller must pass an index that
 * lies inside the bitmap.
 */
static void rpipe_put_idx(struct wahc *wa, unsigned rpipe_idx)
{
	unsigned long irq_flags;

	spin_lock_irqsave(&wa->rpipe_lock, irq_flags);
	clear_bit(rpipe_idx, wa->rpipe_bm);
	spin_unlock_irqrestore(&wa->rpipe_lock, irq_flags);
}
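/*
 * kref release callback for a 'struct wa_rpipe'.
 *
 * Detaches the rpipe from its endpoint (clears ep->hcpriv), releases
 * its index in wa->rpipe_bm, drops the reference on the wire adapter
 * and frees the structure.
 *
 * The index is read from the cached descriptor, which was filled in
 * by the device. It is kept as a full 16-bit value (the field is
 * converted with le16_to_cpu(), so a u8 would truncate it) and is
 * checked against wa->rpipes before touching the bitmap, so that a
 * bogus descriptor cannot make clear_bit() write outside rpipe_bm.
 */
void rpipe_destroy(struct kref *_rpipe)
{
	struct wa_rpipe *rpipe = container_of(_rpipe, struct wa_rpipe, refcnt);
	u16 index = le16_to_cpu(rpipe->descr.wRPipeIndex);

	if (rpipe->ep)
		rpipe->ep->hcpriv = NULL;
	/* Out-of-range index: warn and leave the bitmap untouched. */
	if (!WARN_ON(index >= rpipe->wa->rpipes))
		rpipe_put_idx(rpipe->wa, index);
	wa_put(rpipe->wa);
	kfree(rpipe);
}
EXPORT_SYMBOL_GPL(rpipe_destroy);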
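/*
 * Locate an idle rpipe, create a structure for it and return it
 *
 * @prpipe: receives the new rpipe on success; set to NULL when no
 *          suitable rpipe is found (left untouched on -ENOMEM)
 * @wa:     is referenced and unlocked
 * @crs:    enum rpipe_attr, required endpoint characteristics
 * @gfp:    allocation flags for the rpipe structure
 *
 * The rpipe can be used only sequentially (not in parallel).
 *
 * The rpipe is moved into the "ready" state.
 *
 * Returns 0 on success, -ENOMEM if the structure cannot be allocated,
 * -ENXIO if no free rpipe offers the requested characteristics.
 *
 * The descriptor read back from the device is only accepted when its
 * wRPipeIndex equals the index that was claimed in the bitmap. The
 * rest of this file uses descr.wRPipeIndex as the rpipe's index (for
 * control requests and for releasing the bitmap bit), so a descriptor
 * that reports a different index would make those operations act on
 * the wrong rpipe or on a bit outside the bitmap.
 */
static int rpipe_get_idle(struct wa_rpipe **prpipe, struct wahc *wa, u8 crs,
			  gfp_t gfp)
{
	int result;
	unsigned rpipe_idx;
	struct wa_rpipe *rpipe;
	struct device *dev = &wa->usb_iface->dev;

	rpipe = kzalloc(sizeof(*rpipe), gfp);
	if (rpipe == NULL)
		return -ENOMEM;
	rpipe_init(rpipe);

	/* Look for an idle pipe */
	for (rpipe_idx = 0; rpipe_idx < wa->rpipes; rpipe_idx++) {
		rpipe_idx = rpipe_get_idx(wa, rpipe_idx);
		if (rpipe_idx >= wa->rpipes)	/* no more pipes :( */
			break;
		result = __rpipe_get_descr(wa, &rpipe->descr, rpipe_idx);
		if (result < 0)
			dev_err(dev, "Can't get descriptor for rpipe %u: %d\n",
				rpipe_idx, result);
		else if (le16_to_cpu(rpipe->descr.wRPipeIndex) != rpipe_idx)
			dev_err(dev, "rpipe %u: descriptor reports index %u\n",
				rpipe_idx,
				le16_to_cpu(rpipe->descr.wRPipeIndex));
		else if ((rpipe->descr.bmCharacteristics & crs) != 0)
			goto found;
		/* not usable: give the index back and try the next one */
		rpipe_put_idx(wa, rpipe_idx);
	}
	*prpipe = NULL;
	kfree(rpipe);
	return -ENXIO;

found:
	/* the bit was already set by rpipe_get_idx(); this re-asserts it */
	set_bit(rpipe_idx, wa->rpipe_bm);
	rpipe->wa = wa_get(wa);
	*prpipe = rpipe;
	return 0;
}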
/*
 * Send an RPIPE_RESET class request for rpipe @index.
 *
 * Returns whatever usb_control_msg() returned; a negative value is
 * also logged.
 */
static int __rpipe_reset(struct wahc *wa, unsigned index)
{
	struct device *dev = &wa->usb_iface->dev;
	int rc;

	rc = usb_control_msg(wa->usb_dev, usb_sndctrlpipe(wa->usb_dev, 0),
			     USB_REQ_RPIPE_RESET,
			     USB_DIR_OUT | USB_TYPE_CLASS | USB_RECIP_RPIPE,
			     0, index, NULL, 0, USB_CTRL_SET_TIMEOUT);
	if (rc >= 0)
		return rc;

	dev_err(dev, "rpipe %u: reset failed: %d\n",
		index, rc);
	return rc;
}
/*
 * Fake companion descriptor for ep0
 *
 * See WUSB1.0[7.4.4], most of this is zero for bulk/int/ctl.
 * rpipe_epc_find() hands this out for endpoint address 0 instead of
 * searching the endpoint's extra descriptors.
 */
static struct usb_wireless_ep_comp_descriptor epc0 = {
	.bDescriptorType = USB_DT_WIRELESS_ENDPOINT_COMP,
	.bLength = sizeof(epc0),
	.bMaxSequence = 2,
	.bMaxBurst = 1,
};
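/*
 * Look for the wireless endpoint companion descriptor of @ep
 *
 * Endpoint address 0 gets the built-in epc0. For any other endpoint
 * the extra descriptors attached to it (ep->extra, ep->extralen) are
 * walked header by header until a descriptor of type
 * USB_DT_WIRELESS_ENDPOINT_COMP is found.
 *
 * The extra descriptors originate from the device, so every header is
 * checked before it is trusted:
 *  - a bLength smaller than the header itself is rejected (a zero
 *    length would otherwise keep the loop from ever advancing);
 *  - a bLength larger than the bytes left is rejected;
 *  - a companion descriptor shorter than the structure the caller
 *    will read is rejected, so no field is read past the buffer.
 *
 * Returns the descriptor, or NULL if none (or only a malformed one)
 * was found.
 */
static struct usb_wireless_ep_comp_descriptor *rpipe_epc_find(
		struct device *dev, struct usb_host_endpoint *ep)
{
	void *itr;
	size_t itr_size;
	struct usb_descriptor_header *hdr;
	struct usb_wireless_ep_comp_descriptor *epcd;

	if (ep->desc.bEndpointAddress == 0)
		return &epc0;

	itr = ep->extra;
	itr_size = ep->extralen;
	epcd = NULL;
	while (itr_size > 0) {
		if (itr_size < sizeof(*hdr)) {
			dev_err(dev, "HW Bug? ep 0x%02x: extra descriptors "
				"at offset %zu: only %zu bytes left\n",
				ep->desc.bEndpointAddress,
				(size_t)(itr - (void *) ep->extra), itr_size);
			break;
		}
		hdr = itr;
		if (hdr->bLength < sizeof(*hdr)) {
			dev_err(dev, "HW Bug? ep 0x%02x: extra descriptor "
				"at offset %zu (type 0x%02x) "
				"length %d is shorter than a header\n",
				ep->desc.bEndpointAddress,
				(size_t)(itr - (void *) ep->extra),
				hdr->bDescriptorType, hdr->bLength);
			break;
		}
		if (hdr->bLength > itr_size) {
			dev_err(dev, "HW Bug? ep 0x%02x: extra descriptor "
				"at offset %zu (type 0x%02x) "
				"length %d but only %zu bytes left\n",
				ep->desc.bEndpointAddress,
				(size_t)(itr - (void *) ep->extra),
				hdr->bDescriptorType,
				hdr->bLength, itr_size);
			break;
		}
		if (hdr->bDescriptorType == USB_DT_WIRELESS_ENDPOINT_COMP) {
			/* bLength <= itr_size was established just above */
			if (hdr->bLength < sizeof(*epcd)) {
				dev_err(dev, "HW Bug? ep 0x%02x: companion "
					"descriptor too short "
					"(%d vs %zu bytes needed)\n",
					ep->desc.bEndpointAddress,
					hdr->bLength, sizeof(*epcd));
				break;
			}
			epcd = itr;
			break;
		}
		itr += hdr->bLength;
		itr_size -= hdr->bLength;
	}
	return epcd;
}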
/*
 * Aim an rpipe to its device & endpoint destination
 *
 * Resets the rpipe, fills in the writable fields of the cached
 * descriptor from the endpoint descriptor, its wireless companion
 * descriptor and the URB, then writes the descriptor to the adapter.
 *
 * Returns 0 on success, -ENOMSG when the endpoint has no companion
 * descriptor, or the error from __rpipe_set_descr().
 *
 * NOTE(review): 'unauth' (0x80 for a WUSB device that is not yet
 * authenticated) is computed but only appears in the debug message;
 * nothing in this function stores it into the descriptor.
 * NOTE(review): the result of __rpipe_reset() is not checked, and
 * @gfp is not used in this function.
 */
static int rpipe_aim(struct wa_rpipe *rpipe, struct wahc *wa,
		     struct usb_host_endpoint *ep, struct urb *urb, gfp_t gfp)
{
	struct device *dev = &wa->usb_iface->dev;
	struct usb_device *udev = urb->dev;
	struct usb_wireless_ep_comp_descriptor *epcd;
	u32 window, max_seq;
	unsigned int burst, ep_num;
	u16 rpipe_index;
	u8 unauth;
	int is_isoc;
	int rc;

	epcd = rpipe_epc_find(dev, ep);
	if (epcd == NULL) {
		dev_err(dev, "ep 0x%02x: can't find companion descriptor\n",
			ep->desc.bEndpointAddress);
		return -ENOMSG;	/* better code for lack of companion? */
	}

	if (udev->wusb && !udev->authenticated)
		unauth = 0x80;
	else
		unauth = 0;

	rpipe_index = le16_to_cpu(rpipe->descr.wRPipeIndex);
	is_isoc = usb_endpoint_xfer_isoc(&ep->desc);
	ep_num = usb_pipeendpoint(urb->pipe);

	__rpipe_reset(wa, rpipe_index);
	atomic_set(&rpipe->segs_available,
		   le16_to_cpu(rpipe->descr.wRequests));
	/* FIXME: block allocation system; request with queuing and timeout */
	/* FIXME: compute so seg_size > ep->maxpktsize */
	rpipe->descr.wBlocks = cpu_to_le16(16);		/* given */
	/* ep0 maxpktsize is 0x200 (WUSB1.0[4.8.1]) */
	rpipe->descr.wMaxPacketSize = is_isoc ?
		epcd->wOverTheAirPacketSize : ep->desc.wMaxPacketSize;

	/* burst size is kept within 1..16 */
	burst = min_t(unsigned int, epcd->bMaxBurst, 16U);
	burst = max(burst, 1U);
	rpipe->descr.hwa_bMaxBurst = burst;
	rpipe->descr.hwa_bDeviceInfoIndex =
			wusb_port_no_to_idx(udev->portnum);
	/* FIXME: use maximum speed as supported or recommended by device */
	if (ep_num == 0)
		rpipe->descr.bSpeed = UWB_PHY_RATE_53;
	else
		rpipe->descr.bSpeed = UWB_PHY_RATE_200;

	dev_dbg(dev, "addr %u (0x%02x) rpipe #%u ep# %u speed %d\n",
		udev->devnum, udev->devnum | unauth,
		rpipe_index, ep_num, rpipe->descr.bSpeed);

	rpipe->descr.hwa_reserved = 0;

	rpipe->descr.bEndpointAddress = ep->desc.bEndpointAddress;
	/* FIXME: bDataSequence */
	rpipe->descr.bDataSequence = 0;

	/* start with base window of hwa_bMaxBurst bits starting at 0. */
	window = 0xFFFFFFFF >> (32 - rpipe->descr.hwa_bMaxBurst);
	rpipe->descr.dwCurrentWindow = cpu_to_le32(window);
	/* sequence count is kept within 2..32; the field holds count - 1 */
	max_seq = min_t(unsigned int, epcd->bMaxSequence, 32U);
	max_seq = max(max_seq, 2U);
	rpipe->descr.bMaxDataSequence = max_seq - 1;
	rpipe->descr.bInterval = ep->desc.bInterval;
	if (is_isoc)
		rpipe->descr.bOverTheAirInterval = epcd->bOverTheAirInterval;
	else
		rpipe->descr.bOverTheAirInterval = 0;	/* 0 if not isoc */
	/* FIXME: xmit power & preamble blah blah */
	rpipe->descr.bmAttribute = (ep->desc.bmAttributes &
					USB_ENDPOINT_XFERTYPE_MASK);
	/* rpipe->descr.bmCharacteristics RO */
	rpipe->descr.bmRetryOptions = (wa->wusb->retry_count & 0xF);
	/* FIXME: use for assessing link quality? */
	rpipe->descr.wNumTransactionErrors = 0;

	rc = __rpipe_set_descr(wa, &rpipe->descr, rpipe_index);
	if (rc < 0) {
		dev_err(dev, "Cannot aim rpipe: %d\n", rc);
		return rc;
	}
	return 0;
}
/*
 * Check an aimed rpipe to make sure it points to where we want
 *
 * Compares five fields of the cached descriptor (device info index,
 * speed, endpoint address, interval and transfer type) against the
 * values derived from @ep and @urb. Each mismatch is logged and
 * raises a WARN_ON.
 *
 * Returns 0 if every field matches, -EINVAL otherwise.
 *
 * The original note on this function reads: "We use bit 19 of the
 * Linux USB pipe bitmap for unauth vs auth space; when it is like
 * that, we or 0x80 to make an unauth address." None of the checks
 * below looks at that bit.
 */
static int rpipe_check_aim(const struct wa_rpipe *rpipe, const struct wahc *wa,
			   const struct usb_host_endpoint *ep,
			   const struct urb *urb, gfp_t gfp)
{
	struct device *dev = &wa->usb_iface->dev;
	u8 portnum = wusb_port_no_to_idx(urb->dev->portnum);
	int result = 0;

/* Compare descr.<field> with <expected>; <fmt> formats the two values. */
#define AIM_CHECK(field, expected, fmt)					\
	do {								\
		if (rpipe->descr.field != (expected)) {			\
			dev_err(dev,					\
				"rpipe aim discrepancy: " #field " " fmt "\n", \
				rpipe->descr.field, (expected));	\
			result = -EINVAL;				\
			WARN_ON(1);					\
		}							\
	} while (0)

	AIM_CHECK(hwa_bDeviceInfoIndex, portnum, "(%u vs %u)");
	AIM_CHECK(bSpeed,
		  usb_pipeendpoint(urb->pipe) == 0 ?
			UWB_PHY_RATE_53 : UWB_PHY_RATE_200,
		  "(%u vs %u)");
	AIM_CHECK(bEndpointAddress, ep->desc.bEndpointAddress, "(%u vs %u)");
	AIM_CHECK(bInterval, ep->desc.bInterval, "(%u vs %u)");
	AIM_CHECK(bmAttribute, ep->desc.bmAttributes & 0x03, "(%u vs %u)");

#undef AIM_CHECK
	return result;
}
/* Let the "CONFIG_BUG == 1" test below compile when it is not defined. */
#ifndef CONFIG_BUG
#define CONFIG_BUG 0
#endif

/*
 * Make sure there is an rpipe allocated for an endpoint
 *
 * If already allocated, we just refcount it; if not, we get an
 * idle one, aim it to the right location and take it.
 *
 * Attaches to ep->hcpriv and rpipe->ep to ep.
 *
 * Runs under wa->rpipe_mutex. Returns 0 on success or the negative
 * error from rpipe_check_aim(), rpipe_get_idle() or rpipe_aim().
 */
int rpipe_get_by_ep(struct wahc *wa, struct usb_host_endpoint *ep,
		    struct urb *urb, gfp_t gfp)
{
	struct device *dev = &wa->usb_iface->dev;
	struct wa_rpipe *rpipe;
	int result = 0;
	u8 eptype;

	mutex_lock(&wa->rpipe_mutex);
	rpipe = ep->hcpriv;
	if (rpipe == NULL) {
		/* hmm, assign idle rpipe, aim it */
		eptype = ep->desc.bmAttributes & 0x03;
		result = rpipe_get_idle(&rpipe, wa, 1 << eptype, gfp);
		if (result < 0)
			goto unlock;
		result = rpipe_aim(rpipe, wa, ep, urb, gfp);
		if (result < 0) {
			/* drops the only reference, freeing the rpipe */
			rpipe_put(rpipe);
			goto unlock;
		}
		ep->hcpriv = rpipe;
		rpipe->ep = ep;
		__rpipe_get(rpipe);	/* for caching into ep->hcpriv */
		dev_dbg(dev, "ep 0x%02x: using rpipe %u\n",
			ep->desc.bEndpointAddress,
			le16_to_cpu(rpipe->descr.wRPipeIndex));
	} else {
		/* the cached aim is only re-verified when CONFIG_BUG is 1 */
		if (CONFIG_BUG == 1) {
			result = rpipe_check_aim(rpipe, wa, ep, urb, gfp);
			if (result < 0)
				goto unlock;
		}
		__rpipe_get(rpipe);
		dev_dbg(dev, "ep 0x%02x: reusing rpipe %u\n",
			ep->desc.bEndpointAddress,
			le16_to_cpu(rpipe->descr.wRPipeIndex));
	}
unlock:
	mutex_unlock(&wa->rpipe_mutex);
	return result;
}
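/*
 * Allocate the bitmap for each rpipe.
 *
 * The number of rpipes is taken from wNumRPipes of the wire adapter
 * descriptor (wa->wa_descr) and stored in wa->rpipes; the bitmap
 * wa->rpipe_bm gets one zeroed bit per rpipe.
 *
 * kcalloc() is used so that the count * size multiplication is
 * overflow-checked by the allocator instead of being open-coded.
 *
 * Returns 0 on success, -ENOMEM if the bitmap cannot be allocated.
 */
int wa_rpipes_create(struct wahc *wa)
{
	wa->rpipes = le16_to_cpu(wa->wa_descr->wNumRPipes);
	wa->rpipe_bm = kcalloc(BITS_TO_LONGS(wa->rpipes),
			       sizeof(unsigned long), GFP_KERNEL);
	if (wa->rpipe_bm == NULL)
		return -ENOMEM;
	return 0;
}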
/*
 * Free the rpipe bitmap.
 *
 * Any bit still set at this point means an rpipe index was never
 * released; that is reported with a WARN_ON and a dump of the bitmap
 * before the memory is freed.
 */
void wa_rpipes_destroy(struct wahc *wa)
{
	struct device *dev = &wa->usb_iface->dev;
	int all_released = bitmap_empty(wa->rpipe_bm, wa->rpipes);

	if (!all_released) {
		WARN_ON(1);
		dev_err(dev, "BUG: pipes not released on exit: %*pb\n",
			wa->rpipes, wa->rpipe_bm);
	}
	kfree(wa->rpipe_bm);
}
/*
 * Release resources allocated for an endpoint
 *
 * If there is an rpipe associated with this endpoint, send an
 * RPIPE_ABORT request for it and drop one reference. If that was the
 * last reference, rpipe_destroy() clears ep->hcpriv.
 *
 * Per the original note, this is called before hcd->stop(), so
 * nothing else needs to be done there.
 *
 * The result of the abort request is not checked.
 */
void rpipe_ep_disable(struct wahc *wa, struct usb_host_endpoint *ep)
{
	struct wa_rpipe *rpipe;
	u16 index;

	mutex_lock(&wa->rpipe_mutex);
	rpipe = ep->hcpriv;
	if (rpipe == NULL)
		goto unlock;

	index = le16_to_cpu(rpipe->descr.wRPipeIndex);
	usb_control_msg(wa->usb_dev, usb_sndctrlpipe(wa->usb_dev, 0),
			USB_REQ_RPIPE_ABORT,
			USB_DIR_OUT | USB_TYPE_CLASS | USB_RECIP_RPIPE,
			0, index, NULL, 0, USB_CTRL_SET_TIMEOUT);
	rpipe_put(rpipe);
unlock:
	mutex_unlock(&wa->rpipe_mutex);
}
EXPORT_SYMBOL_GPL(rpipe_ep_disable);
/*
 * Clear the stalled status of an RPIPE.
 *
 * Does nothing when the endpoint has no rpipe attached. The result
 * of the CLEAR_FEATURE request is not checked.
 */
void rpipe_clear_feature_stalled(struct wahc *wa, struct usb_host_endpoint *ep)
{
	struct wa_rpipe *rpipe;
	u16 index;

	mutex_lock(&wa->rpipe_mutex);
	rpipe = ep->hcpriv;
	if (rpipe == NULL)
		goto unlock;

	index = le16_to_cpu(rpipe->descr.wRPipeIndex);
	usb_control_msg(wa->usb_dev, usb_sndctrlpipe(wa->usb_dev, 0),
			USB_REQ_CLEAR_FEATURE,
			USB_DIR_OUT | USB_TYPE_CLASS | USB_RECIP_RPIPE,
			RPIPE_STALL, index, NULL, 0, USB_CTRL_SET_TIMEOUT);
unlock:
	mutex_unlock(&wa->rpipe_mutex);
}
EXPORT_SYMBOL_GPL(rpipe_clear_feature_stalled);