net: DCB: Validate DCB_ATTR_DCB_BUFFER argument
[linux/fpc-iii.git] / drivers / usb / usbip / vudc_transfer.c
blobc9db846ee4f6f1e19efedf82f6365925dcf4e0d2
1 // SPDX-License-Identifier: GPL-2.0+
2 /*
3 * Copyright (C) 2015 Karol Kosik <karo9@interia.eu>
4 * Copyright (C) 2015-2016 Samsung Electronics
5 * Igor Kotrasinski <i.kotrasinsk@samsung.com>
7 * Based on dummy_hcd.c, which is:
8 * Copyright (C) 2003 David Brownell
9 * Copyright (C) 2003-2005 Alan Stern
12 #include <linux/usb.h>
13 #include <linux/timer.h>
14 #include <linux/usb/ch9.h>
16 #include "vudc.h"
18 #define DEV_REQUEST (USB_TYPE_STANDARD | USB_RECIP_DEVICE)
19 #define DEV_INREQUEST (DEV_REQUEST | USB_DIR_IN)
20 #define INTF_REQUEST (USB_TYPE_STANDARD | USB_RECIP_INTERFACE)
21 #define INTF_INREQUEST (INTF_REQUEST | USB_DIR_IN)
22 #define EP_REQUEST (USB_TYPE_STANDARD | USB_RECIP_ENDPOINT)
23 #define EP_INREQUEST (EP_REQUEST | USB_DIR_IN)
25 static int get_frame_limit(enum usb_device_speed speed)
27 switch (speed) {
28 case USB_SPEED_LOW:
29 return 8 /*bytes*/ * 12 /*packets*/;
30 case USB_SPEED_FULL:
31 return 64 /*bytes*/ * 19 /*packets*/;
32 case USB_SPEED_HIGH:
33 return 512 /*bytes*/ * 13 /*packets*/ * 8 /*uframes*/;
34 case USB_SPEED_SUPER:
35 /* Bus speed is 500000 bytes/ms, so use a little less */
36 return 490000;
37 default:
38 /* error */
39 return -1;
45 * handle_control_request() - handles all control transfers
46 * @udc: pointer to vudc
47 * @urb: the urb request to handle
48 * @setup: pointer to the setup data for a USB device control
49 * request
50 * @status: pointer to request handling status
52 * Return 0 - if the request was handled
53 * 1 - if the request wasn't handles
54 * error code on error
56 * Adapted from drivers/usb/gadget/udc/dummy_hcd.c
58 static int handle_control_request(struct vudc *udc, struct urb *urb,
59 struct usb_ctrlrequest *setup,
60 int *status)
62 struct vep *ep2;
63 int ret_val = 1;
64 unsigned int w_index;
65 unsigned int w_value;
67 w_index = le16_to_cpu(setup->wIndex);
68 w_value = le16_to_cpu(setup->wValue);
69 switch (setup->bRequest) {
70 case USB_REQ_SET_ADDRESS:
71 if (setup->bRequestType != DEV_REQUEST)
72 break;
73 udc->address = w_value;
74 ret_val = 0;
75 *status = 0;
76 break;
77 case USB_REQ_SET_FEATURE:
78 if (setup->bRequestType == DEV_REQUEST) {
79 ret_val = 0;
80 switch (w_value) {
81 case USB_DEVICE_REMOTE_WAKEUP:
82 break;
83 case USB_DEVICE_B_HNP_ENABLE:
84 udc->gadget.b_hnp_enable = 1;
85 break;
86 case USB_DEVICE_A_HNP_SUPPORT:
87 udc->gadget.a_hnp_support = 1;
88 break;
89 case USB_DEVICE_A_ALT_HNP_SUPPORT:
90 udc->gadget.a_alt_hnp_support = 1;
91 break;
92 default:
93 ret_val = -EOPNOTSUPP;
95 if (ret_val == 0) {
96 udc->devstatus |= (1 << w_value);
97 *status = 0;
99 } else if (setup->bRequestType == EP_REQUEST) {
100 /* endpoint halt */
101 ep2 = vudc_find_endpoint(udc, w_index);
102 if (!ep2 || ep2->ep.name == udc->ep[0].ep.name) {
103 ret_val = -EOPNOTSUPP;
104 break;
106 ep2->halted = 1;
107 ret_val = 0;
108 *status = 0;
110 break;
111 case USB_REQ_CLEAR_FEATURE:
112 if (setup->bRequestType == DEV_REQUEST) {
113 ret_val = 0;
114 switch (w_value) {
115 case USB_DEVICE_REMOTE_WAKEUP:
116 w_value = USB_DEVICE_REMOTE_WAKEUP;
117 break;
119 case USB_DEVICE_U1_ENABLE:
120 case USB_DEVICE_U2_ENABLE:
121 case USB_DEVICE_LTM_ENABLE:
122 ret_val = -EOPNOTSUPP;
123 break;
124 default:
125 ret_val = -EOPNOTSUPP;
126 break;
128 if (ret_val == 0) {
129 udc->devstatus &= ~(1 << w_value);
130 *status = 0;
132 } else if (setup->bRequestType == EP_REQUEST) {
133 /* endpoint halt */
134 ep2 = vudc_find_endpoint(udc, w_index);
135 if (!ep2) {
136 ret_val = -EOPNOTSUPP;
137 break;
139 if (!ep2->wedged)
140 ep2->halted = 0;
141 ret_val = 0;
142 *status = 0;
144 break;
145 case USB_REQ_GET_STATUS:
146 if (setup->bRequestType == DEV_INREQUEST
147 || setup->bRequestType == INTF_INREQUEST
148 || setup->bRequestType == EP_INREQUEST) {
149 char *buf;
151 * device: remote wakeup, selfpowered
152 * interface: nothing
153 * endpoint: halt
155 buf = (char *)urb->transfer_buffer;
156 if (urb->transfer_buffer_length > 0) {
157 if (setup->bRequestType == EP_INREQUEST) {
158 ep2 = vudc_find_endpoint(udc, w_index);
159 if (!ep2) {
160 ret_val = -EOPNOTSUPP;
161 break;
163 buf[0] = ep2->halted;
164 } else if (setup->bRequestType ==
165 DEV_INREQUEST) {
166 buf[0] = (u8)udc->devstatus;
167 } else
168 buf[0] = 0;
170 if (urb->transfer_buffer_length > 1)
171 buf[1] = 0;
172 urb->actual_length = min_t(u32, 2,
173 urb->transfer_buffer_length);
174 ret_val = 0;
175 *status = 0;
177 break;
179 return ret_val;
182 /* Adapted from dummy_hcd.c ; caller must hold lock */
183 static int transfer(struct vudc *udc,
184 struct urb *urb, struct vep *ep, int limit)
186 struct vrequest *req;
187 int sent = 0;
188 top:
189 /* if there's no request queued, the device is NAKing; return */
190 list_for_each_entry(req, &ep->req_queue, req_entry) {
191 unsigned int host_len, dev_len, len;
192 void *ubuf_pos, *rbuf_pos;
193 int is_short, to_host;
194 int rescan = 0;
197 * 1..N packets of ep->ep.maxpacket each ... the last one
198 * may be short (including zero length).
200 * writer can send a zlp explicitly (length 0) or implicitly
201 * (length mod maxpacket zero, and 'zero' flag); they always
202 * terminate reads.
204 host_len = urb->transfer_buffer_length - urb->actual_length;
205 dev_len = req->req.length - req->req.actual;
206 len = min(host_len, dev_len);
208 to_host = usb_pipein(urb->pipe);
209 if (unlikely(len == 0))
210 is_short = 1;
211 else {
212 /* send multiple of maxpacket first, then remainder */
213 if (len >= ep->ep.maxpacket) {
214 is_short = 0;
215 if (len % ep->ep.maxpacket > 0)
216 rescan = 1;
217 len -= len % ep->ep.maxpacket;
218 } else {
219 is_short = 1;
222 ubuf_pos = urb->transfer_buffer + urb->actual_length;
223 rbuf_pos = req->req.buf + req->req.actual;
225 if (urb->pipe & USB_DIR_IN)
226 memcpy(ubuf_pos, rbuf_pos, len);
227 else
228 memcpy(rbuf_pos, ubuf_pos, len);
230 urb->actual_length += len;
231 req->req.actual += len;
232 sent += len;
236 * short packets terminate, maybe with overflow/underflow.
237 * it's only really an error to write too much.
239 * partially filling a buffer optionally blocks queue advances
240 * (so completion handlers can clean up the queue) but we don't
241 * need to emulate such data-in-flight.
243 if (is_short) {
244 if (host_len == dev_len) {
245 req->req.status = 0;
246 urb->status = 0;
247 } else if (to_host) {
248 req->req.status = 0;
249 if (dev_len > host_len)
250 urb->status = -EOVERFLOW;
251 else
252 urb->status = 0;
253 } else {
254 urb->status = 0;
255 if (host_len > dev_len)
256 req->req.status = -EOVERFLOW;
257 else
258 req->req.status = 0;
261 /* many requests terminate without a short packet */
262 /* also check if we need to send zlp */
263 } else {
264 if (req->req.length == req->req.actual) {
265 if (req->req.zero && to_host)
266 rescan = 1;
267 else
268 req->req.status = 0;
270 if (urb->transfer_buffer_length == urb->actual_length) {
271 if (urb->transfer_flags & URB_ZERO_PACKET &&
272 !to_host)
273 rescan = 1;
274 else
275 urb->status = 0;
279 /* device side completion --> continuable */
280 if (req->req.status != -EINPROGRESS) {
282 list_del_init(&req->req_entry);
283 spin_unlock(&udc->lock);
284 usb_gadget_giveback_request(&ep->ep, &req->req);
285 spin_lock(&udc->lock);
287 /* requests might have been unlinked... */
288 rescan = 1;
291 /* host side completion --> terminate */
292 if (urb->status != -EINPROGRESS)
293 break;
295 /* rescan to continue with any other queued i/o */
296 if (rescan)
297 goto top;
299 return sent;
302 static void v_timer(struct timer_list *t)
304 struct vudc *udc = from_timer(udc, t, tr_timer.timer);
305 struct transfer_timer *timer = &udc->tr_timer;
306 struct urbp *urb_p, *tmp;
307 unsigned long flags;
308 struct usb_ep *_ep;
309 struct vep *ep;
310 int ret = 0;
311 int total, limit;
313 spin_lock_irqsave(&udc->lock, flags);
315 total = get_frame_limit(udc->gadget.speed);
316 if (total < 0) { /* unknown speed, or not set yet */
317 timer->state = VUDC_TR_IDLE;
318 spin_unlock_irqrestore(&udc->lock, flags);
319 return;
321 /* is it next frame now? */
322 if (time_after(jiffies, timer->frame_start + msecs_to_jiffies(1))) {
323 timer->frame_limit = total;
324 /* FIXME: how to make it accurate? */
325 timer->frame_start = jiffies;
326 } else {
327 total = timer->frame_limit;
330 /* We have to clear ep0 flags separately as it's not on the list */
331 udc->ep[0].already_seen = 0;
332 list_for_each_entry(_ep, &udc->gadget.ep_list, ep_list) {
333 ep = to_vep(_ep);
334 ep->already_seen = 0;
337 restart:
338 list_for_each_entry_safe(urb_p, tmp, &udc->urb_queue, urb_entry) {
339 struct urb *urb = urb_p->urb;
341 ep = urb_p->ep;
342 if (urb->unlinked)
343 goto return_urb;
344 if (timer->state != VUDC_TR_RUNNING)
345 continue;
347 if (!ep) {
348 urb->status = -EPROTO;
349 goto return_urb;
352 /* Used up bandwidth? */
353 if (total <= 0 && ep->type == USB_ENDPOINT_XFER_BULK)
354 continue;
356 if (ep->already_seen)
357 continue;
358 ep->already_seen = 1;
359 if (ep == &udc->ep[0] && urb_p->new) {
360 ep->setup_stage = 1;
361 urb_p->new = 0;
363 if (ep->halted && !ep->setup_stage) {
364 urb->status = -EPIPE;
365 goto return_urb;
368 if (ep == &udc->ep[0] && ep->setup_stage) {
369 /* TODO - flush any stale requests */
370 ep->setup_stage = 0;
371 ep->halted = 0;
373 ret = handle_control_request(udc, urb,
374 (struct usb_ctrlrequest *) urb->setup_packet,
375 (&urb->status));
376 if (ret > 0) {
377 spin_unlock(&udc->lock);
378 ret = udc->driver->setup(&udc->gadget,
379 (struct usb_ctrlrequest *)
380 urb->setup_packet);
381 spin_lock(&udc->lock);
383 if (ret >= 0) {
384 /* no delays (max 64kb data stage) */
385 limit = 64 * 1024;
386 goto treat_control_like_bulk;
387 } else {
388 urb->status = -EPIPE;
389 urb->actual_length = 0;
390 goto return_urb;
394 limit = total;
395 switch (ep->type) {
396 case USB_ENDPOINT_XFER_ISOC:
397 /* TODO: support */
398 urb->status = -EXDEV;
399 break;
401 case USB_ENDPOINT_XFER_INT:
403 * TODO: figure out bandwidth guarantees
404 * for now, give unlimited bandwidth
406 limit += urb->transfer_buffer_length;
407 /* fallthrough */
408 default:
409 treat_control_like_bulk:
410 total -= transfer(udc, urb, ep, limit);
412 if (urb->status == -EINPROGRESS)
413 continue;
415 return_urb:
416 if (ep)
417 ep->already_seen = ep->setup_stage = 0;
419 spin_lock(&udc->lock_tx);
420 list_del(&urb_p->urb_entry);
421 if (!urb->unlinked) {
422 v_enqueue_ret_submit(udc, urb_p);
423 } else {
424 v_enqueue_ret_unlink(udc, urb_p->seqnum,
425 urb->unlinked);
426 free_urbp_and_urb(urb_p);
428 wake_up(&udc->tx_waitq);
429 spin_unlock(&udc->lock_tx);
431 goto restart;
434 /* TODO - also wait on empty usb_request queues? */
435 if (list_empty(&udc->urb_queue))
436 timer->state = VUDC_TR_IDLE;
437 else
438 mod_timer(&timer->timer,
439 timer->frame_start + msecs_to_jiffies(1));
441 spin_unlock_irqrestore(&udc->lock, flags);
444 /* All timer functions are run with udc->lock held */
446 void v_init_timer(struct vudc *udc)
448 struct transfer_timer *t = &udc->tr_timer;
450 timer_setup(&t->timer, v_timer, 0);
451 t->state = VUDC_TR_STOPPED;
454 void v_start_timer(struct vudc *udc)
456 struct transfer_timer *t = &udc->tr_timer;
458 dev_dbg(&udc->pdev->dev, "timer start");
459 switch (t->state) {
460 case VUDC_TR_RUNNING:
461 return;
462 case VUDC_TR_IDLE:
463 return v_kick_timer(udc, jiffies);
464 case VUDC_TR_STOPPED:
465 t->state = VUDC_TR_IDLE;
466 t->frame_start = jiffies;
467 t->frame_limit = get_frame_limit(udc->gadget.speed);
468 return v_kick_timer(udc, jiffies);
472 void v_kick_timer(struct vudc *udc, unsigned long time)
474 struct transfer_timer *t = &udc->tr_timer;
476 dev_dbg(&udc->pdev->dev, "timer kick");
477 switch (t->state) {
478 case VUDC_TR_RUNNING:
479 return;
480 case VUDC_TR_IDLE:
481 t->state = VUDC_TR_RUNNING;
482 /* fallthrough */
483 case VUDC_TR_STOPPED:
484 /* we may want to kick timer to unqueue urbs */
485 mod_timer(&t->timer, time);
489 void v_stop_timer(struct vudc *udc)
491 struct transfer_timer *t = &udc->tr_timer;
493 /* timer itself will take care of stopping */
494 dev_dbg(&udc->pdev->dev, "timer stop");
495 t->state = VUDC_TR_STOPPED;