search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
dm writecache: fix incorrect flush sequence when doing SSD mode commit
[linux/fpc-iii.git] / drivers / usb / gadget / function / f_fs.c
blob0bbccac94d6c5eea78050d67bbf42dcf5f028842
1 // SPDX-License-Identifier: GPL-2.0+
2 /*
3 * f_fs.c -- user mode file system API for USB composite function controllers
4 *
5 * Copyright (C) 2010 Samsung Electronics
6 * Author: Michal Nazarewicz <mina86@mina86.com>
7 *
8 * Based on inode.c (GadgetFS) which was:
9 * Copyright (C) 2003-2004 David Brownell
10 * Copyright (C) 2003 Agilent Technologies
11 */
12
13
14 /* #define DEBUG */
15 /* #define VERBOSE_DEBUG */
16
17 #include <linux/blkdev.h>
18 #include <linux/pagemap.h>
19 #include <linux/export.h>
20 #include <linux/fs_parser.h>
21 #include <linux/hid.h>
22 #include <linux/mm.h>
23 #include <linux/module.h>
24 #include <linux/scatterlist.h>
25 #include <linux/sched/signal.h>
26 #include <linux/uio.h>
27 #include <linux/vmalloc.h>
28 #include <asm/unaligned.h>
29
30 #include <linux/usb/ccid.h>
31 #include <linux/usb/composite.h>
32 #include <linux/usb/functionfs.h>
33
34 #include <linux/aio.h>
35 #include <linux/mmu_context.h>
36 #include <linux/poll.h>
37 #include <linux/eventfd.h>
38
39 #include "u_fs.h"
40 #include "u_f.h"
41 #include "u_os_desc.h"
42 #include "configfs.h"
43
44 #define FUNCTIONFS_MAGIC 0xa647361 /* Chosen by a honest dice roll ;) */
45
46 /* Reference counter handling */
47 static void ffs_data_get(struct ffs_data *ffs);
48 static void ffs_data_put(struct ffs_data *ffs);
49 /* Creates new ffs_data object. */
50 static struct ffs_data *__must_check ffs_data_new(const char *dev_name)
51 __attribute__((malloc));
52
53 /* Opened counter handling. */
54 static void ffs_data_opened(struct ffs_data *ffs);
55 static void ffs_data_closed(struct ffs_data *ffs);
56
57 /* Called with ffs->mutex held; take over ownership of data. */
58 static int __must_check
59 __ffs_data_got_descs(struct ffs_data *ffs, char *data, size_t len);
60 static int __must_check
61 __ffs_data_got_strings(struct ffs_data *ffs, char *data, size_t len);
62
63
64 /* The function structure ***************************************************/
65
66 struct ffs_ep;
67
68 struct ffs_function {
69 struct usb_configuration *conf;
70 struct usb_gadget *gadget;
71 struct ffs_data *ffs;
72
73 struct ffs_ep *eps;
74 u8 eps_revmap[16];
75 short *interfaces_nums;
76
77 struct usb_function function;
78 };
79
80
81 static struct ffs_function *ffs_func_from_usb(struct usb_function *f)
82 {
83 return container_of(f, struct ffs_function, function);
84 }
85
86
87 static inline enum ffs_setup_state
88 ffs_setup_state_clear_cancelled(struct ffs_data *ffs)
89 {
90 return (enum ffs_setup_state)
91 cmpxchg(&ffs->setup_state, FFS_SETUP_CANCELLED, FFS_NO_SETUP);
92 }
93
94
95 static void ffs_func_eps_disable(struct ffs_function *func);
96 static int __must_check ffs_func_eps_enable(struct ffs_function *func);
97
98 static int ffs_func_bind(struct usb_configuration *,
99 struct usb_function *);
100 static int ffs_func_set_alt(struct usb_function *, unsigned, unsigned);
101 static void ffs_func_disable(struct usb_function *);
102 static int ffs_func_setup(struct usb_function *,
103 const struct usb_ctrlrequest *);
104 static bool ffs_func_req_match(struct usb_function *,
105 const struct usb_ctrlrequest *,
106 bool config0);
107 static void ffs_func_suspend(struct usb_function *);
108 static void ffs_func_resume(struct usb_function *);
109
110
111 static int ffs_func_revmap_ep(struct ffs_function *func, u8 num);
112 static int ffs_func_revmap_intf(struct ffs_function *func, u8 intf);
113
114
115 /* The endpoints structures *************************************************/
116
117 struct ffs_ep {
118 struct usb_ep *ep; /* P: ffs->eps_lock */
119 struct usb_request *req; /* P: epfile->mutex */
120
121 /* [0]: full speed, [1]: high speed, [2]: super speed */
122 struct usb_endpoint_descriptor *descs[3];
123
124 u8 num;
125
126 int status; /* P: epfile->mutex */
127 };
128
129 struct ffs_epfile {
130 /* Protects ep->ep and ep->req. */
131 struct mutex mutex;
132
133 struct ffs_data *ffs;
134 struct ffs_ep *ep; /* P: ffs->eps_lock */
135
136 struct dentry *dentry;
137
138 /*
139 * Buffer for holding data from partial reads which may happen since
140 * we’re rounding user read requests to a multiple of a max packet size.
141 *
142 * The pointer is initialised with NULL value and may be set by
143 * __ffs_epfile_read_data function to point to a temporary buffer.
144 *
145 * In normal operation, calls to __ffs_epfile_read_buffered will consume
146 * data from said buffer and eventually free it. Importantly, while the
147 * function is using the buffer, it sets the pointer to NULL. This is
148 * all right since __ffs_epfile_read_data and __ffs_epfile_read_buffered
149 * can never run concurrently (they are synchronised by epfile->mutex)
150 * so the latter will not assign a new value to the pointer.
151 *
152 * Meanwhile ffs_func_eps_disable frees the buffer (if the pointer is
153 * valid) and sets the pointer to READ_BUFFER_DROP value. This special
154 * value is crux of the synchronisation between ffs_func_eps_disable and
155 * __ffs_epfile_read_data.
156 *
157 * Once __ffs_epfile_read_data is about to finish it will try to set the
158 * pointer back to its old value (as described above), but seeing as the
159 * pointer is not-NULL (namely READ_BUFFER_DROP) it will instead free
160 * the buffer.
161 *
162 * == State transitions ==
163 *
164 * • ptr == NULL: (initial state)
165 * ◦ __ffs_epfile_read_buffer_free: go to ptr == DROP
166 * ◦ __ffs_epfile_read_buffered: nop
167 * ◦ __ffs_epfile_read_data allocates temp buffer: go to ptr == buf
168 * ◦ reading finishes: n/a, not in ‘and reading’ state
169 * • ptr == DROP:
170 * ◦ __ffs_epfile_read_buffer_free: nop
171 * ◦ __ffs_epfile_read_buffered: go to ptr == NULL
172 * ◦ __ffs_epfile_read_data allocates temp buffer: free buf, nop
173 * ◦ reading finishes: n/a, not in ‘and reading’ state
174 * • ptr == buf:
175 * ◦ __ffs_epfile_read_buffer_free: free buf, go to ptr == DROP
176 * ◦ __ffs_epfile_read_buffered: go to ptr == NULL and reading
177 * ◦ __ffs_epfile_read_data: n/a, __ffs_epfile_read_buffered
178 * is always called first
179 * ◦ reading finishes: n/a, not in ‘and reading’ state
180 * • ptr == NULL and reading:
181 * ◦ __ffs_epfile_read_buffer_free: go to ptr == DROP and reading
182 * ◦ __ffs_epfile_read_buffered: n/a, mutex is held
183 * ◦ __ffs_epfile_read_data: n/a, mutex is held
184 * ◦ reading finishes and …
185 * … all data read: free buf, go to ptr == NULL
186 * … otherwise: go to ptr == buf and reading
187 * • ptr == DROP and reading:
188 * ◦ __ffs_epfile_read_buffer_free: nop
189 * ◦ __ffs_epfile_read_buffered: n/a, mutex is held
190 * ◦ __ffs_epfile_read_data: n/a, mutex is held
191 * ◦ reading finishes: free buf, go to ptr == DROP
192 */
193 struct ffs_buffer *read_buffer;
194 #define READ_BUFFER_DROP ((struct ffs_buffer *)ERR_PTR(-ESHUTDOWN))
195
196 char name[5];
197
198 unsigned char in; /* P: ffs->eps_lock */
199 unsigned char isoc; /* P: ffs->eps_lock */
200
201 unsigned char _pad;
202 };
203
204 struct ffs_buffer {
205 size_t length;
206 char *data;
207 char storage[];
208 };
209
210 /* ffs_io_data structure ***************************************************/
211
212 struct ffs_io_data {
213 bool aio;
214 bool read;
215
216 struct kiocb *kiocb;
217 struct iov_iter data;
218 const void *to_free;
219 char *buf;
220
221 struct mm_struct *mm;
222 struct work_struct work;
223
224 struct usb_ep *ep;
225 struct usb_request *req;
226 struct sg_table sgt;
227 bool use_sg;
228
229 struct ffs_data *ffs;
230 };
231
232 struct ffs_desc_helper {
233 struct ffs_data *ffs;
234 unsigned interfaces_count;
235 unsigned eps_count;
236 };
237
238 static int __must_check ffs_epfiles_create(struct ffs_data *ffs);
239 static void ffs_epfiles_destroy(struct ffs_epfile *epfiles, unsigned count);
240
241 static struct dentry *
242 ffs_sb_create_file(struct super_block *sb, const char *name, void *data,
243 const struct file_operations *fops);
244
245 /* Devices management *******************************************************/
246
247 DEFINE_MUTEX(ffs_lock);
248 EXPORT_SYMBOL_GPL(ffs_lock);
249
250 static struct ffs_dev *_ffs_find_dev(const char *name);
251 static struct ffs_dev *_ffs_alloc_dev(void);
252 static void _ffs_free_dev(struct ffs_dev *dev);
253 static void *ffs_acquire_dev(const char *dev_name);
254 static void ffs_release_dev(struct ffs_data *ffs_data);
255 static int ffs_ready(struct ffs_data *ffs);
256 static void ffs_closed(struct ffs_data *ffs);
257
258 /* Misc helper functions ****************************************************/
259
260 static int ffs_mutex_lock(struct mutex *mutex, unsigned nonblock)
261 __attribute__((warn_unused_result, nonnull));
262 static char *ffs_prepare_buffer(const char __user *buf, size_t len)
263 __attribute__((warn_unused_result, nonnull));
264
265
266 /* Control file aka ep0 *****************************************************/
267
268 static void ffs_ep0_complete(struct usb_ep *ep, struct usb_request *req)
269 {
270 struct ffs_data *ffs = req->context;
271
272 complete(&ffs->ep0req_completion);
273 }
274
275 static int __ffs_ep0_queue_wait(struct ffs_data *ffs, char *data, size_t len)
276 __releases(&ffs->ev.waitq.lock)
277 {
278 struct usb_request *req = ffs->ep0req;
279 int ret;
280
281 req->zero = len < le16_to_cpu(ffs->ev.setup.wLength);
282
283 spin_unlock_irq(&ffs->ev.waitq.lock);
284
285 req->buf = data;
286 req->length = len;
287
288 /*
289 * UDC layer requires to provide a buffer even for ZLP, but should
290 * not use it at all. Let's provide some poisoned pointer to catch
291 * possible bug in the driver.
292 */
293 if (req->buf == NULL)
294 req->buf = (void *)0xDEADBABE;
295
296 reinit_completion(&ffs->ep0req_completion);
297
298 ret = usb_ep_queue(ffs->gadget->ep0, req, GFP_ATOMIC);
299 if (unlikely(ret < 0))
300 return ret;
301
302 ret = wait_for_completion_interruptible(&ffs->ep0req_completion);
303 if (unlikely(ret)) {
304 usb_ep_dequeue(ffs->gadget->ep0, req);
305 return -EINTR;
306 }
307
308 ffs->setup_state = FFS_NO_SETUP;
309 return req->status ? req->status : req->actual;
310 }
311
312 static int __ffs_ep0_stall(struct ffs_data *ffs)
313 {
314 if (ffs->ev.can_stall) {
315 pr_vdebug("ep0 stall\n");
316 usb_ep_set_halt(ffs->gadget->ep0);
317 ffs->setup_state = FFS_NO_SETUP;
318 return -EL2HLT;
319 } else {
320 pr_debug("bogus ep0 stall!\n");
321 return -ESRCH;
322 }
323 }
324
325 static ssize_t ffs_ep0_write(struct file *file, const char __user *buf,
326 size_t len, loff_t *ptr)
327 {
328 struct ffs_data *ffs = file->private_data;
329 ssize_t ret;
330 char *data;
331
332 ENTER();
333
334 /* Fast check if setup was canceled */
335 if (ffs_setup_state_clear_cancelled(ffs) == FFS_SETUP_CANCELLED)
336 return -EIDRM;
337
338 /* Acquire mutex */
339 ret = ffs_mutex_lock(&ffs->mutex, file->f_flags & O_NONBLOCK);
340 if (unlikely(ret < 0))
341 return ret;
342
343 /* Check state */
344 switch (ffs->state) {
345 case FFS_READ_DESCRIPTORS:
346 case FFS_READ_STRINGS:
347 /* Copy data */
348 if (unlikely(len < 16)) {
349 ret = -EINVAL;
350 break;
351 }
352
353 data = ffs_prepare_buffer(buf, len);
354 if (IS_ERR(data)) {
355 ret = PTR_ERR(data);
356 break;
357 }
358
359 /* Handle data */
360 if (ffs->state == FFS_READ_DESCRIPTORS) {
361 pr_info("read descriptors\n");
362 ret = __ffs_data_got_descs(ffs, data, len);
363 if (unlikely(ret < 0))
364 break;
365
366 ffs->state = FFS_READ_STRINGS;
367 ret = len;
368 } else {
369 pr_info("read strings\n");
370 ret = __ffs_data_got_strings(ffs, data, len);
371 if (unlikely(ret < 0))
372 break;
373
374 ret = ffs_epfiles_create(ffs);
375 if (unlikely(ret)) {
376 ffs->state = FFS_CLOSING;
377 break;
378 }
379
380 ffs->state = FFS_ACTIVE;
381 mutex_unlock(&ffs->mutex);
382
383 ret = ffs_ready(ffs);
384 if (unlikely(ret < 0)) {
385 ffs->state = FFS_CLOSING;
386 return ret;
387 }
388
389 return len;
390 }
391 break;
392
393 case FFS_ACTIVE:
394 data = NULL;
395 /*
396 * We're called from user space, we can use _irq
397 * rather then _irqsave
398 */
399 spin_lock_irq(&ffs->ev.waitq.lock);
400 switch (ffs_setup_state_clear_cancelled(ffs)) {
401 case FFS_SETUP_CANCELLED:
402 ret = -EIDRM;
403 goto done_spin;
404
405 case FFS_NO_SETUP:
406 ret = -ESRCH;
407 goto done_spin;
408
409 case FFS_SETUP_PENDING:
410 break;
411 }
412
413 /* FFS_SETUP_PENDING */
414 if (!(ffs->ev.setup.bRequestType & USB_DIR_IN)) {
415 spin_unlock_irq(&ffs->ev.waitq.lock);
416 ret = __ffs_ep0_stall(ffs);
417 break;
418 }
419
420 /* FFS_SETUP_PENDING and not stall */
421 len = min(len, (size_t)le16_to_cpu(ffs->ev.setup.wLength));
422
423 spin_unlock_irq(&ffs->ev.waitq.lock);
424
425 data = ffs_prepare_buffer(buf, len);
426 if (IS_ERR(data)) {
427 ret = PTR_ERR(data);
428 break;
429 }
430
431 spin_lock_irq(&ffs->ev.waitq.lock);
432
433 /*
434 * We are guaranteed to be still in FFS_ACTIVE state
435 * but the state of setup could have changed from
436 * FFS_SETUP_PENDING to FFS_SETUP_CANCELLED so we need
437 * to check for that. If that happened we copied data
438 * from user space in vain but it's unlikely.
439 *
440 * For sure we are not in FFS_NO_SETUP since this is
441 * the only place FFS_SETUP_PENDING -> FFS_NO_SETUP
442 * transition can be performed and it's protected by
443 * mutex.
444 */
445 if (ffs_setup_state_clear_cancelled(ffs) ==
446 FFS_SETUP_CANCELLED) {
447 ret = -EIDRM;
448 done_spin:
449 spin_unlock_irq(&ffs->ev.waitq.lock);
450 } else {
451 /* unlocks spinlock */
452 ret = __ffs_ep0_queue_wait(ffs, data, len);
453 }
454 kfree(data);
455 break;
456
457 default:
458 ret = -EBADFD;
459 break;
460 }
461
462 mutex_unlock(&ffs->mutex);
463 return ret;
464 }
465
466 /* Called with ffs->ev.waitq.lock and ffs->mutex held, both released on exit. */
467 static ssize_t __ffs_ep0_read_events(struct ffs_data *ffs, char __user *buf,
468 size_t n)
469 __releases(&ffs->ev.waitq.lock)
470 {
471 /*
472 * n cannot be bigger than ffs->ev.count, which cannot be bigger than
473 * size of ffs->ev.types array (which is four) so that's how much space
474 * we reserve.
475 */
476 struct usb_functionfs_event events[ARRAY_SIZE(ffs->ev.types)];
477 const size_t size = n * sizeof *events;
478 unsigned i = 0;
479
480 memset(events, 0, size);
481
482 do {
483 events[i].type = ffs->ev.types[i];
484 if (events[i].type == FUNCTIONFS_SETUP) {
485 events[i].u.setup = ffs->ev.setup;
486 ffs->setup_state = FFS_SETUP_PENDING;
487 }
488 } while (++i < n);
489
490 ffs->ev.count -= n;
491 if (ffs->ev.count)
492 memmove(ffs->ev.types, ffs->ev.types + n,
493 ffs->ev.count * sizeof *ffs->ev.types);
494
495 spin_unlock_irq(&ffs->ev.waitq.lock);
496 mutex_unlock(&ffs->mutex);
497
498 return unlikely(copy_to_user(buf, events, size)) ? -EFAULT : size;
499 }
500
501 static ssize_t ffs_ep0_read(struct file *file, char __user *buf,
502 size_t len, loff_t *ptr)
503 {
504 struct ffs_data *ffs = file->private_data;
505 char *data = NULL;
506 size_t n;
507 int ret;
508
509 ENTER();
510
511 /* Fast check if setup was canceled */
512 if (ffs_setup_state_clear_cancelled(ffs) == FFS_SETUP_CANCELLED)
513 return -EIDRM;
514
515 /* Acquire mutex */
516 ret = ffs_mutex_lock(&ffs->mutex, file->f_flags & O_NONBLOCK);
517 if (unlikely(ret < 0))
518 return ret;
519
520 /* Check state */
521 if (ffs->state != FFS_ACTIVE) {
522 ret = -EBADFD;
523 goto done_mutex;
524 }
525
526 /*
527 * We're called from user space, we can use _irq rather then
528 * _irqsave
529 */
530 spin_lock_irq(&ffs->ev.waitq.lock);
531
532 switch (ffs_setup_state_clear_cancelled(ffs)) {
533 case FFS_SETUP_CANCELLED:
534 ret = -EIDRM;
535 break;
536
537 case FFS_NO_SETUP:
538 n = len / sizeof(struct usb_functionfs_event);
539 if (unlikely(!n)) {
540 ret = -EINVAL;
541 break;
542 }
543
544 if ((file->f_flags & O_NONBLOCK) && !ffs->ev.count) {
545 ret = -EAGAIN;
546 break;
547 }
548
549 if (wait_event_interruptible_exclusive_locked_irq(ffs->ev.waitq,
550 ffs->ev.count)) {
551 ret = -EINTR;
552 break;
553 }
554
555 /* unlocks spinlock */
556 return __ffs_ep0_read_events(ffs, buf,
557 min(n, (size_t)ffs->ev.count));
558
559 case FFS_SETUP_PENDING:
560 if (ffs->ev.setup.bRequestType & USB_DIR_IN) {
561 spin_unlock_irq(&ffs->ev.waitq.lock);
562 ret = __ffs_ep0_stall(ffs);
563 goto done_mutex;
564 }
565
566 len = min(len, (size_t)le16_to_cpu(ffs->ev.setup.wLength));
567
568 spin_unlock_irq(&ffs->ev.waitq.lock);
569
570 if (likely(len)) {
571 data = kmalloc(len, GFP_KERNEL);
572 if (unlikely(!data)) {
573 ret = -ENOMEM;
574 goto done_mutex;
575 }
576 }
577
578 spin_lock_irq(&ffs->ev.waitq.lock);
579
580 /* See ffs_ep0_write() */
581 if (ffs_setup_state_clear_cancelled(ffs) ==
582 FFS_SETUP_CANCELLED) {
583 ret = -EIDRM;
584 break;
585 }
586
587 /* unlocks spinlock */
588 ret = __ffs_ep0_queue_wait(ffs, data, len);
589 if (likely(ret > 0) && unlikely(copy_to_user(buf, data, len)))
590 ret = -EFAULT;
591 goto done_mutex;
592
593 default:
594 ret = -EBADFD;
595 break;
596 }
597
598 spin_unlock_irq(&ffs->ev.waitq.lock);
599 done_mutex:
600 mutex_unlock(&ffs->mutex);
601 kfree(data);
602 return ret;
603 }
604
605 static int ffs_ep0_open(struct inode *inode, struct file *file)
606 {
607 struct ffs_data *ffs = inode->i_private;
608
609 ENTER();
610
611 if (unlikely(ffs->state == FFS_CLOSING))
612 return -EBUSY;
613
614 file->private_data = ffs;
615 ffs_data_opened(ffs);
616
617 return 0;
618 }
619
620 static int ffs_ep0_release(struct inode *inode, struct file *file)
621 {
622 struct ffs_data *ffs = file->private_data;
623
624 ENTER();
625
626 ffs_data_closed(ffs);
627
628 return 0;
629 }
630
631 static long ffs_ep0_ioctl(struct file *file, unsigned code, unsigned long value)
632 {
633 struct ffs_data *ffs = file->private_data;
634 struct usb_gadget *gadget = ffs->gadget;
635 long ret;
636
637 ENTER();
638
639 if (code == FUNCTIONFS_INTERFACE_REVMAP) {
640 struct ffs_function *func = ffs->func;
641 ret = func ? ffs_func_revmap_intf(func, value) : -ENODEV;
642 } else if (gadget && gadget->ops->ioctl) {
643 ret = gadget->ops->ioctl(gadget, code, value);
644 } else {
645 ret = -ENOTTY;
646 }
647
648 return ret;
649 }
650
651 static __poll_t ffs_ep0_poll(struct file *file, poll_table *wait)
652 {
653 struct ffs_data *ffs = file->private_data;
654 __poll_t mask = EPOLLWRNORM;
655 int ret;
656
657 poll_wait(file, &ffs->ev.waitq, wait);
658
659 ret = ffs_mutex_lock(&ffs->mutex, file->f_flags & O_NONBLOCK);
660 if (unlikely(ret < 0))
661 return mask;
662
663 switch (ffs->state) {
664 case FFS_READ_DESCRIPTORS:
665 case FFS_READ_STRINGS:
666 mask |= EPOLLOUT;
667 break;
668
669 case FFS_ACTIVE:
670 switch (ffs->setup_state) {
671 case FFS_NO_SETUP:
672 if (ffs->ev.count)
673 mask |= EPOLLIN;
674 break;
675
676 case FFS_SETUP_PENDING:
677 case FFS_SETUP_CANCELLED:
678 mask |= (EPOLLIN | EPOLLOUT);
679 break;
680 }
681 case FFS_CLOSING:
682 break;
683 case FFS_DEACTIVATED:
684 break;
685 }
686
687 mutex_unlock(&ffs->mutex);
688
689 return mask;
690 }
691
692 static const struct file_operations ffs_ep0_operations = {
693 .llseek = no_llseek,
694
695 .open = ffs_ep0_open,
696 .write = ffs_ep0_write,
697 .read = ffs_ep0_read,
698 .release = ffs_ep0_release,
699 .unlocked_ioctl = ffs_ep0_ioctl,
700 .poll = ffs_ep0_poll,
701 };
702
703
704 /* "Normal" endpoints operations ********************************************/
705
706 static void ffs_epfile_io_complete(struct usb_ep *_ep, struct usb_request *req)
707 {
708 ENTER();
709 if (likely(req->context)) {
710 struct ffs_ep *ep = _ep->driver_data;
711 ep->status = req->status ? req->status : req->actual;
712 complete(req->context);
713 }
714 }
715
716 static ssize_t ffs_copy_to_iter(void *data, int data_len, struct iov_iter *iter)
717 {
718 ssize_t ret = copy_to_iter(data, data_len, iter);
719 if (likely(ret == data_len))
720 return ret;
721
722 if (unlikely(iov_iter_count(iter)))
723 return -EFAULT;
724
725 /*
726 * Dear user space developer!
727 *
728 * TL;DR: To stop getting below error message in your kernel log, change
729 * user space code using functionfs to align read buffers to a max
730 * packet size.
731 *
732 * Some UDCs (e.g. dwc3) require request sizes to be a multiple of a max
733 * packet size. When unaligned buffer is passed to functionfs, it
734 * internally uses a larger, aligned buffer so that such UDCs are happy.
735 *
736 * Unfortunately, this means that host may send more data than was
737 * requested in read(2) system call. f_fs doesn’t know what to do with
738 * that excess data so it simply drops it.
739 *
740 * Was the buffer aligned in the first place, no such problem would
741 * happen.
742 *
743 * Data may be dropped only in AIO reads. Synchronous reads are handled
744 * by splitting a request into multiple parts. This splitting may still
745 * be a problem though so it’s likely best to align the buffer
746 * regardless of it being AIO or not..
747 *
748 * This only affects OUT endpoints, i.e. reading data with a read(2),
749 * aio_read(2) etc. system calls. Writing data to an IN endpoint is not
750 * affected.
751 */
752 pr_err("functionfs read size %d > requested size %zd, dropping excess data. "
753 "Align read buffer size to max packet size to avoid the problem.\n",
754 data_len, ret);
755
756 return ret;
757 }
758
759 /*
760 * allocate a virtually contiguous buffer and create a scatterlist describing it
761 * @sg_table - pointer to a place to be filled with sg_table contents
762 * @size - required buffer size
763 */
764 static void *ffs_build_sg_list(struct sg_table *sgt, size_t sz)
765 {
766 struct page **pages;
767 void *vaddr, *ptr;
768 unsigned int n_pages;
769 int i;
770
771 vaddr = vmalloc(sz);
772 if (!vaddr)
773 return NULL;
774
775 n_pages = PAGE_ALIGN(sz) >> PAGE_SHIFT;
776 pages = kvmalloc_array(n_pages, sizeof(struct page *), GFP_KERNEL);
777 if (!pages) {
778 vfree(vaddr);
779
780 return NULL;
781 }
782 for (i = 0, ptr = vaddr; i < n_pages; ++i, ptr += PAGE_SIZE)
783 pages[i] = vmalloc_to_page(ptr);
784
785 if (sg_alloc_table_from_pages(sgt, pages, n_pages, 0, sz, GFP_KERNEL)) {
786 kvfree(pages);
787 vfree(vaddr);
788
789 return NULL;
790 }
791 kvfree(pages);
792
793 return vaddr;
794 }
795
796 static inline void *ffs_alloc_buffer(struct ffs_io_data *io_data,
797 size_t data_len)
798 {
799 if (io_data->use_sg)
800 return ffs_build_sg_list(&io_data->sgt, data_len);
801
802 return kmalloc(data_len, GFP_KERNEL);
803 }
804
805 static inline void ffs_free_buffer(struct ffs_io_data *io_data)
806 {
807 if (!io_data->buf)
808 return;
809
810 if (io_data->use_sg) {
811 sg_free_table(&io_data->sgt);
812 vfree(io_data->buf);
813 } else {
814 kfree(io_data->buf);
815 }
816 }
817
818 static void ffs_user_copy_worker(struct work_struct *work)
819 {
820 struct ffs_io_data *io_data = container_of(work, struct ffs_io_data,
821 work);
822 int ret = io_data->req->status ? io_data->req->status :
823 io_data->req->actual;
824 bool kiocb_has_eventfd = io_data->kiocb->ki_flags & IOCB_EVENTFD;
825
826 if (io_data->read && ret > 0) {
827 mm_segment_t oldfs = get_fs();
828
829 set_fs(USER_DS);
830 use_mm(io_data->mm);
831 ret = ffs_copy_to_iter(io_data->buf, ret, &io_data->data);
832 unuse_mm(io_data->mm);
833 set_fs(oldfs);
834 }
835
836 io_data->kiocb->ki_complete(io_data->kiocb, ret, ret);
837
838 if (io_data->ffs->ffs_eventfd && !kiocb_has_eventfd)
839 eventfd_signal(io_data->ffs->ffs_eventfd, 1);
840
841 usb_ep_free_request(io_data->ep, io_data->req);
842
843 if (io_data->read)
844 kfree(io_data->to_free);
845 ffs_free_buffer(io_data);
846 kfree(io_data);
847 }
848
849 static void ffs_epfile_async_io_complete(struct usb_ep *_ep,
850 struct usb_request *req)
851 {
852 struct ffs_io_data *io_data = req->context;
853 struct ffs_data *ffs = io_data->ffs;
854
855 ENTER();
856
857 INIT_WORK(&io_data->work, ffs_user_copy_worker);
858 queue_work(ffs->io_completion_wq, &io_data->work);
859 }
860
861 static void __ffs_epfile_read_buffer_free(struct ffs_epfile *epfile)
862 {
863 /*
864 * See comment in struct ffs_epfile for full read_buffer pointer
865 * synchronisation story.
866 */
867 struct ffs_buffer *buf = xchg(&epfile->read_buffer, READ_BUFFER_DROP);
868 if (buf && buf != READ_BUFFER_DROP)
869 kfree(buf);
870 }
871
872 /* Assumes epfile->mutex is held. */
873 static ssize_t __ffs_epfile_read_buffered(struct ffs_epfile *epfile,
874 struct iov_iter *iter)
875 {
876 /*
877 * Null out epfile->read_buffer so ffs_func_eps_disable does not free
878 * the buffer while we are using it. See comment in struct ffs_epfile
879 * for full read_buffer pointer synchronisation story.
880 */
881 struct ffs_buffer *buf = xchg(&epfile->read_buffer, NULL);
882 ssize_t ret;
883 if (!buf || buf == READ_BUFFER_DROP)
884 return 0;
885
886 ret = copy_to_iter(buf->data, buf->length, iter);
887 if (buf->length == ret) {
888 kfree(buf);
889 return ret;
890 }
891
892 if (unlikely(iov_iter_count(iter))) {
893 ret = -EFAULT;
894 } else {
895 buf->length -= ret;
896 buf->data += ret;
897 }
898
899 if (cmpxchg(&epfile->read_buffer, NULL, buf))
900 kfree(buf);
901
902 return ret;
903 }
904
905 /* Assumes epfile->mutex is held. */
906 static ssize_t __ffs_epfile_read_data(struct ffs_epfile *epfile,
907 void *data, int data_len,
908 struct iov_iter *iter)
909 {
910 struct ffs_buffer *buf;
911
912 ssize_t ret = copy_to_iter(data, data_len, iter);
913 if (likely(data_len == ret))
914 return ret;
915
916 if (unlikely(iov_iter_count(iter)))
917 return -EFAULT;
918
919 /* See ffs_copy_to_iter for more context. */
920 pr_warn("functionfs read size %d > requested size %zd, splitting request into multiple reads.",
921 data_len, ret);
922
923 data_len -= ret;
924 buf = kmalloc(sizeof(*buf) + data_len, GFP_KERNEL);
925 if (!buf)
926 return -ENOMEM;
927 buf->length = data_len;
928 buf->data = buf->storage;
929 memcpy(buf->storage, data + ret, data_len);
930
931 /*
932 * At this point read_buffer is NULL or READ_BUFFER_DROP (if
933 * ffs_func_eps_disable has been called in the meanwhile). See comment
934 * in struct ffs_epfile for full read_buffer pointer synchronisation
935 * story.
936 */
937 if (unlikely(cmpxchg(&epfile->read_buffer, NULL, buf)))
938 kfree(buf);
939
940 return ret;
941 }
942
943 static ssize_t ffs_epfile_io(struct file *file, struct ffs_io_data *io_data)
944 {
945 struct ffs_epfile *epfile = file->private_data;
946 struct usb_request *req;
947 struct ffs_ep *ep;
948 char *data = NULL;
949 ssize_t ret, data_len = -EINVAL;
950 int halt;
951
952 /* Are we still active? */
953 if (WARN_ON(epfile->ffs->state != FFS_ACTIVE))
954 return -ENODEV;
955
956 /* Wait for endpoint to be enabled */
957 ep = epfile->ep;
958 if (!ep) {
959 if (file->f_flags & O_NONBLOCK)
960 return -EAGAIN;
961
962 ret = wait_event_interruptible(
963 epfile->ffs->wait, (ep = epfile->ep));
964 if (ret)
965 return -EINTR;
966 }
967
968 /* Do we halt? */
969 halt = (!io_data->read == !epfile->in);
970 if (halt && epfile->isoc)
971 return -EINVAL;
972
973 /* We will be using request and read_buffer */
974 ret = ffs_mutex_lock(&epfile->mutex, file->f_flags & O_NONBLOCK);
975 if (unlikely(ret))
976 goto error;
977
978 /* Allocate & copy */
979 if (!halt) {
980 struct usb_gadget *gadget;
981
982 /*
983 * Do we have buffered data from previous partial read? Check
984 * that for synchronous case only because we do not have
985 * facility to ‘wake up’ a pending asynchronous read and push
986 * buffered data to it which we would need to make things behave
987 * consistently.
988 */
989 if (!io_data->aio && io_data->read) {
990 ret = __ffs_epfile_read_buffered(epfile, &io_data->data);
991 if (ret)
992 goto error_mutex;
993 }
994
995 /*
996 * if we _do_ wait above, the epfile->ffs->gadget might be NULL
997 * before the waiting completes, so do not assign to 'gadget'
998 * earlier
999 */
1000 gadget = epfile->ffs->gadget;
1001
1002 spin_lock_irq(&epfile->ffs->eps_lock);
1003 /* In the meantime, endpoint got disabled or changed. */
1004 if (epfile->ep != ep) {
1005 ret = -ESHUTDOWN;
1006 goto error_lock;
1007 }
1008 data_len = iov_iter_count(&io_data->data);
1009 /*
1010 * Controller may require buffer size to be aligned to
1011 * maxpacketsize of an out endpoint.
1012 */
1013 if (io_data->read)
1014 data_len = usb_ep_align_maybe(gadget, ep->ep, data_len);
1015
1016 io_data->use_sg = gadget->sg_supported && data_len > PAGE_SIZE;
1017 spin_unlock_irq(&epfile->ffs->eps_lock);
1018
1019 data = ffs_alloc_buffer(io_data, data_len);
1020 if (unlikely(!data)) {
1021 ret = -ENOMEM;
1022 goto error_mutex;
1023 }
1024 if (!io_data->read &&
1025 !copy_from_iter_full(data, data_len, &io_data->data)) {
1026 ret = -EFAULT;
1027 goto error_mutex;
1028 }
1029 }
1030
1031 spin_lock_irq(&epfile->ffs->eps_lock);
1032
1033 if (epfile->ep != ep) {
1034 /* In the meantime, endpoint got disabled or changed. */
1035 ret = -ESHUTDOWN;
1036 } else if (halt) {
1037 ret = usb_ep_set_halt(ep->ep);
1038 if (!ret)
1039 ret = -EBADMSG;
1040 } else if (unlikely(data_len == -EINVAL)) {
1041 /*
1042 * Sanity Check: even though data_len can't be used
1043 * uninitialized at the time I write this comment, some
1044 * compilers complain about this situation.
1045 * In order to keep the code clean from warnings, data_len is
1046 * being initialized to -EINVAL during its declaration, which
1047 * means we can't rely on compiler anymore to warn no future
1048 * changes won't result in data_len being used uninitialized.
1049 * For such reason, we're adding this redundant sanity check
1050 * here.
1051 */
1052 WARN(1, "%s: data_len == -EINVAL\n", __func__);
1053 ret = -EINVAL;
1054 } else if (!io_data->aio) {
1055 DECLARE_COMPLETION_ONSTACK(done);
1056 bool interrupted = false;
1057
1058 req = ep->req;
1059 if (io_data->use_sg) {
1060 req->buf = NULL;
1061 req->sg = io_data->sgt.sgl;
1062 req->num_sgs = io_data->sgt.nents;
1063 } else {
1064 req->buf = data;
1065 }
1066 req->length = data_len;
1067
1068 io_data->buf = data;
1069
1070 req->context = &done;
1071 req->complete = ffs_epfile_io_complete;
1072
1073 ret = usb_ep_queue(ep->ep, req, GFP_ATOMIC);
1074 if (unlikely(ret < 0))
1075 goto error_lock;
1076
1077 spin_unlock_irq(&epfile->ffs->eps_lock);
1078
1079 if (unlikely(wait_for_completion_interruptible(&done))) {
1080 /*
1081 * To avoid race condition with ffs_epfile_io_complete,
1082 * dequeue the request first then check
1083 * status. usb_ep_dequeue API should guarantee no race
1084 * condition with req->complete callback.
1085 */
1086 usb_ep_dequeue(ep->ep, req);
1087 wait_for_completion(&done);
1088 interrupted = ep->status < 0;
1089 }
1090
1091 if (interrupted)
1092 ret = -EINTR;
1093 else if (io_data->read && ep->status > 0)
1094 ret = __ffs_epfile_read_data(epfile, data, ep->status,
1095 &io_data->data);
1096 else
1097 ret = ep->status;
1098 goto error_mutex;
1099 } else if (!(req = usb_ep_alloc_request(ep->ep, GFP_ATOMIC))) {
1100 ret = -ENOMEM;
1101 } else {
1102 if (io_data->use_sg) {
1103 req->buf = NULL;
1104 req->sg = io_data->sgt.sgl;
1105 req->num_sgs = io_data->sgt.nents;
1106 } else {
1107 req->buf = data;
1108 }
1109 req->length = data_len;
1110
1111 io_data->buf = data;
1112 io_data->ep = ep->ep;
1113 io_data->req = req;
1114 io_data->ffs = epfile->ffs;
1115
1116 req->context = io_data;
1117 req->complete = ffs_epfile_async_io_complete;
1118
1119 ret = usb_ep_queue(ep->ep, req, GFP_ATOMIC);
1120 if (unlikely(ret)) {
1121 usb_ep_free_request(ep->ep, req);
1122 goto error_lock;
1123 }
1124
1125 ret = -EIOCBQUEUED;
1126 /*
1127 * Do not kfree the buffer in this function. It will be freed
1128 * by ffs_user_copy_worker.
1129 */
1130 data = NULL;
1131 }
1132
1133 error_lock:
1134 spin_unlock_irq(&epfile->ffs->eps_lock);
1135 error_mutex:
1136 mutex_unlock(&epfile->mutex);
1137 error:
1138 if (ret != -EIOCBQUEUED) /* don't free if there is iocb queued */
1139 ffs_free_buffer(io_data);
1140 return ret;
1141 }
1142
1143 static int
1144 ffs_epfile_open(struct inode *inode, struct file *file)
1145 {
1146 struct ffs_epfile *epfile = inode->i_private;
1147
1148 ENTER();
1149
1150 if (WARN_ON(epfile->ffs->state != FFS_ACTIVE))
1151 return -ENODEV;
1152
1153 file->private_data = epfile;
1154 ffs_data_opened(epfile->ffs);
1155
1156 return 0;
1157 }
1158
1159 static int ffs_aio_cancel(struct kiocb *kiocb)
1160 {
1161 struct ffs_io_data *io_data = kiocb->private;
1162 struct ffs_epfile *epfile = kiocb->ki_filp->private_data;
1163 int value;
1164
1165 ENTER();
1166
1167 spin_lock_irq(&epfile->ffs->eps_lock);
1168
1169 if (likely(io_data && io_data->ep && io_data->req))
1170 value = usb_ep_dequeue(io_data->ep, io_data->req);
1171 else
1172 value = -EINVAL;
1173
1174 spin_unlock_irq(&epfile->ffs->eps_lock);
1175
1176 return value;
1177 }
1178
1179 static ssize_t ffs_epfile_write_iter(struct kiocb *kiocb, struct iov_iter *from)
1180 {
1181 struct ffs_io_data io_data, *p = &io_data;
1182 ssize_t res;
1183
1184 ENTER();
1185
1186 if (!is_sync_kiocb(kiocb)) {
1187 p = kzalloc(sizeof(io_data), GFP_KERNEL);
1188 if (unlikely(!p))
1189 return -ENOMEM;
1190 p->aio = true;
1191 } else {
1192 memset(p, 0, sizeof(*p));
1193 p->aio = false;
1194 }
1195
1196 p->read = false;
1197 p->kiocb = kiocb;
1198 p->data = *from;
1199 p->mm = current->mm;
1200
1201 kiocb->private = p;
1202
1203 if (p->aio)
1204 kiocb_set_cancel_fn(kiocb, ffs_aio_cancel);
1205
1206 res = ffs_epfile_io(kiocb->ki_filp, p);
1207 if (res == -EIOCBQUEUED)
1208 return res;
1209 if (p->aio)
1210 kfree(p);
1211 else
1212 *from = p->data;
1213 return res;
1214 }
1215
1216 static ssize_t ffs_epfile_read_iter(struct kiocb *kiocb, struct iov_iter *to)
1217 {
1218 struct ffs_io_data io_data, *p = &io_data;
1219 ssize_t res;
1220
1221 ENTER();
1222
1223 if (!is_sync_kiocb(kiocb)) {
1224 p = kzalloc(sizeof(io_data), GFP_KERNEL);
1225 if (unlikely(!p))
1226 return -ENOMEM;
1227 p->aio = true;
1228 } else {
1229 memset(p, 0, sizeof(*p));
1230 p->aio = false;
1231 }
1232
1233 p->read = true;
1234 p->kiocb = kiocb;
1235 if (p->aio) {
1236 p->to_free = dup_iter(&p->data, to, GFP_KERNEL);
1237 if (!p->to_free) {
1238 kfree(p);
1239 return -ENOMEM;
1240 }
1241 } else {
1242 p->data = *to;
1243 p->to_free = NULL;
1244 }
1245 p->mm = current->mm;
1246
1247 kiocb->private = p;
1248
1249 if (p->aio)
1250 kiocb_set_cancel_fn(kiocb, ffs_aio_cancel);
1251
1252 res = ffs_epfile_io(kiocb->ki_filp, p);
1253 if (res == -EIOCBQUEUED)
1254 return res;
1255
1256 if (p->aio) {
1257 kfree(p->to_free);
1258 kfree(p);
1259 } else {
1260 *to = p->data;
1261 }
1262 return res;
1263 }
1264
1265 static int
1266 ffs_epfile_release(struct inode *inode, struct file *file)
1267 {
1268 struct ffs_epfile *epfile = inode->i_private;
1269
1270 ENTER();
1271
1272 __ffs_epfile_read_buffer_free(epfile);
1273 ffs_data_closed(epfile->ffs);
1274
1275 return 0;
1276 }
1277
1278 static long ffs_epfile_ioctl(struct file *file, unsigned code,
1279 unsigned long value)
1280 {
1281 struct ffs_epfile *epfile = file->private_data;
1282 struct ffs_ep *ep;
1283 int ret;
1284
1285 ENTER();
1286
1287 if (WARN_ON(epfile->ffs->state != FFS_ACTIVE))
1288 return -ENODEV;
1289
1290 /* Wait for endpoint to be enabled */
1291 ep = epfile->ep;
1292 if (!ep) {
1293 if (file->f_flags & O_NONBLOCK)
1294 return -EAGAIN;
1295
1296 ret = wait_event_interruptible(
1297 epfile->ffs->wait, (ep = epfile->ep));
1298 if (ret)
1299 return -EINTR;
1300 }
1301
1302 spin_lock_irq(&epfile->ffs->eps_lock);
1303
1304 /* In the meantime, endpoint got disabled or changed. */
1305 if (epfile->ep != ep) {
1306 spin_unlock_irq(&epfile->ffs->eps_lock);
1307 return -ESHUTDOWN;
1308 }
1309
1310 switch (code) {
1311 case FUNCTIONFS_FIFO_STATUS:
1312 ret = usb_ep_fifo_status(epfile->ep->ep);
1313 break;
1314 case FUNCTIONFS_FIFO_FLUSH:
1315 usb_ep_fifo_flush(epfile->ep->ep);
1316 ret = 0;
1317 break;
1318 case FUNCTIONFS_CLEAR_HALT:
1319 ret = usb_ep_clear_halt(epfile->ep->ep);
1320 break;
1321 case FUNCTIONFS_ENDPOINT_REVMAP:
1322 ret = epfile->ep->num;
1323 break;
1324 case FUNCTIONFS_ENDPOINT_DESC:
1325 {
1326 int desc_idx;
1327 struct usb_endpoint_descriptor *desc;
1328
1329 switch (epfile->ffs->gadget->speed) {
1330 case USB_SPEED_SUPER:
1331 desc_idx = 2;
1332 break;
1333 case USB_SPEED_HIGH:
1334 desc_idx = 1;
1335 break;
1336 default:
1337 desc_idx = 0;
1338 }
1339 desc = epfile->ep->descs[desc_idx];
1340
1341 spin_unlock_irq(&epfile->ffs->eps_lock);
1342 ret = copy_to_user((void __user *)value, desc, desc->bLength);
1343 if (ret)
1344 ret = -EFAULT;
1345 return ret;
1346 }
1347 default:
1348 ret = -ENOTTY;
1349 }
1350 spin_unlock_irq(&epfile->ffs->eps_lock);
1351
1352 return ret;
1353 }
1354
1355 static const struct file_operations ffs_epfile_operations = {
1356 .llseek = no_llseek,
1357
1358 .open = ffs_epfile_open,
1359 .write_iter = ffs_epfile_write_iter,
1360 .read_iter = ffs_epfile_read_iter,
1361 .release = ffs_epfile_release,
1362 .unlocked_ioctl = ffs_epfile_ioctl,
1363 .compat_ioctl = compat_ptr_ioctl,
1364 };
1365
1366
1367 /* File system and super block operations ***********************************/
1368
1369 /*
1370 * Mounting the file system creates a controller file, used first for
1371 * function configuration then later for event monitoring.
1372 */
1373
1374 static struct inode *__must_check
1375 ffs_sb_make_inode(struct super_block *sb, void *data,
1376 const struct file_operations *fops,
1377 const struct inode_operations *iops,
1378 struct ffs_file_perms *perms)
1379 {
1380 struct inode *inode;
1381
1382 ENTER();
1383
1384 inode = new_inode(sb);
1385
1386 if (likely(inode)) {
1387 struct timespec64 ts = current_time(inode);
1388
1389 inode->i_ino = get_next_ino();
1390 inode->i_mode = perms->mode;
1391 inode->i_uid = perms->uid;
1392 inode->i_gid = perms->gid;
1393 inode->i_atime = ts;
1394 inode->i_mtime = ts;
1395 inode->i_ctime = ts;
1396 inode->i_private = data;
1397 if (fops)
1398 inode->i_fop = fops;
1399 if (iops)
1400 inode->i_op = iops;
1401 }
1402
1403 return inode;
1404 }
1405
1406 /* Create "regular" file */
1407 static struct dentry *ffs_sb_create_file(struct super_block *sb,
1408 const char *name, void *data,
1409 const struct file_operations *fops)
1410 {
1411 struct ffs_data *ffs = sb->s_fs_info;
1412 struct dentry *dentry;
1413 struct inode *inode;
1414
1415 ENTER();
1416
1417 dentry = d_alloc_name(sb->s_root, name);
1418 if (unlikely(!dentry))
1419 return NULL;
1420
1421 inode = ffs_sb_make_inode(sb, data, fops, NULL, &ffs->file_perms);
1422 if (unlikely(!inode)) {
1423 dput(dentry);
1424 return NULL;
1425 }
1426
1427 d_add(dentry, inode);
1428 return dentry;
1429 }
1430
1431 /* Super block */
1432 static const struct super_operations ffs_sb_operations = {
1433 .statfs = simple_statfs,
1434 .drop_inode = generic_delete_inode,
1435 };
1436
1437 struct ffs_sb_fill_data {
1438 struct ffs_file_perms perms;
1439 umode_t root_mode;
1440 const char *dev_name;
1441 bool no_disconnect;
1442 struct ffs_data *ffs_data;
1443 };
1444
1445 static int ffs_sb_fill(struct super_block *sb, struct fs_context *fc)
1446 {
1447 struct ffs_sb_fill_data *data = fc->fs_private;
1448 struct inode *inode;
1449 struct ffs_data *ffs = data->ffs_data;
1450
1451 ENTER();
1452
1453 ffs->sb = sb;
1454 data->ffs_data = NULL;
1455 sb->s_fs_info = ffs;
1456 sb->s_blocksize = PAGE_SIZE;
1457 sb->s_blocksize_bits = PAGE_SHIFT;
1458 sb->s_magic = FUNCTIONFS_MAGIC;
1459 sb->s_op = &ffs_sb_operations;
1460 sb->s_time_gran = 1;
1461
1462 /* Root inode */
1463 data->perms.mode = data->root_mode;
1464 inode = ffs_sb_make_inode(sb, NULL,
1465 &simple_dir_operations,
1466 &simple_dir_inode_operations,
1467 &data->perms);
1468 sb->s_root = d_make_root(inode);
1469 if (unlikely(!sb->s_root))
1470 return -ENOMEM;
1471
1472 /* EP0 file */
1473 if (unlikely(!ffs_sb_create_file(sb, "ep0", ffs,
1474 &ffs_ep0_operations)))
1475 return -ENOMEM;
1476
1477 return 0;
1478 }
1479
1480 enum {
1481 Opt_no_disconnect,
1482 Opt_rmode,
1483 Opt_fmode,
1484 Opt_mode,
1485 Opt_uid,
1486 Opt_gid,
1487 };
1488
1489 static const struct fs_parameter_spec ffs_fs_param_specs[] = {
1490 fsparam_bool ("no_disconnect", Opt_no_disconnect),
1491 fsparam_u32 ("rmode", Opt_rmode),
1492 fsparam_u32 ("fmode", Opt_fmode),
1493 fsparam_u32 ("mode", Opt_mode),
1494 fsparam_u32 ("uid", Opt_uid),
1495 fsparam_u32 ("gid", Opt_gid),
1496 {}
1497 };
1498
1499 static const struct fs_parameter_description ffs_fs_fs_parameters = {
1500 .name = "kAFS",
1501 .specs = ffs_fs_param_specs,
1502 };
1503
1504 static int ffs_fs_parse_param(struct fs_context *fc, struct fs_parameter *param)
1505 {
1506 struct ffs_sb_fill_data *data = fc->fs_private;
1507 struct fs_parse_result result;
1508 int opt;
1509
1510 ENTER();
1511
1512 opt = fs_parse(fc, &ffs_fs_fs_parameters, param, &result);
1513 if (opt < 0)
1514 return opt;
1515
1516 switch (opt) {
1517 case Opt_no_disconnect:
1518 data->no_disconnect = result.boolean;
1519 break;
1520 case Opt_rmode:
1521 data->root_mode = (result.uint_32 & 0555) | S_IFDIR;
1522 break;
1523 case Opt_fmode:
1524 data->perms.mode = (result.uint_32 & 0666) | S_IFREG;
1525 break;
1526 case Opt_mode:
1527 data->root_mode = (result.uint_32 & 0555) | S_IFDIR;
1528 data->perms.mode = (result.uint_32 & 0666) | S_IFREG;
1529 break;
1530
1531 case Opt_uid:
1532 data->perms.uid = make_kuid(current_user_ns(), result.uint_32);
1533 if (!uid_valid(data->perms.uid))
1534 goto unmapped_value;
1535 break;
1536 case Opt_gid:
1537 data->perms.gid = make_kgid(current_user_ns(), result.uint_32);
1538 if (!gid_valid(data->perms.gid))
1539 goto unmapped_value;
1540 break;
1541
1542 default:
1543 return -ENOPARAM;
1544 }
1545
1546 return 0;
1547
1548 unmapped_value:
1549 return invalf(fc, "%s: unmapped value: %u", param->key, result.uint_32);
1550 }
1551
1552 /*
1553 * Set up the superblock for a mount.
1554 */
1555 static int ffs_fs_get_tree(struct fs_context *fc)
1556 {
1557 struct ffs_sb_fill_data *ctx = fc->fs_private;
1558 void *ffs_dev;
1559 struct ffs_data *ffs;
1560
1561 ENTER();
1562
1563 if (!fc->source)
1564 return invalf(fc, "No source specified");
1565
1566 ffs = ffs_data_new(fc->source);
1567 if (unlikely(!ffs))
1568 return -ENOMEM;
1569 ffs->file_perms = ctx->perms;
1570 ffs->no_disconnect = ctx->no_disconnect;
1571
1572 ffs->dev_name = kstrdup(fc->source, GFP_KERNEL);
1573 if (unlikely(!ffs->dev_name)) {
1574 ffs_data_put(ffs);
1575 return -ENOMEM;
1576 }
1577
1578 ffs_dev = ffs_acquire_dev(ffs->dev_name);
1579 if (IS_ERR(ffs_dev)) {
1580 ffs_data_put(ffs);
1581 return PTR_ERR(ffs_dev);
1582 }
1583
1584 ffs->private_data = ffs_dev;
1585 ctx->ffs_data = ffs;
1586 return get_tree_nodev(fc, ffs_sb_fill);
1587 }
1588
1589 static void ffs_fs_free_fc(struct fs_context *fc)
1590 {
1591 struct ffs_sb_fill_data *ctx = fc->fs_private;
1592
1593 if (ctx) {
1594 if (ctx->ffs_data) {
1595 ffs_release_dev(ctx->ffs_data);
1596 ffs_data_put(ctx->ffs_data);
1597 }
1598
1599 kfree(ctx);
1600 }
1601 }
1602
1603 static const struct fs_context_operations ffs_fs_context_ops = {
1604 .free = ffs_fs_free_fc,
1605 .parse_param = ffs_fs_parse_param,
1606 .get_tree = ffs_fs_get_tree,
1607 };
1608
1609 static int ffs_fs_init_fs_context(struct fs_context *fc)
1610 {
1611 struct ffs_sb_fill_data *ctx;
1612
1613 ctx = kzalloc(sizeof(struct ffs_sb_fill_data), GFP_KERNEL);
1614 if (!ctx)
1615 return -ENOMEM;
1616
1617 ctx->perms.mode = S_IFREG | 0600;
1618 ctx->perms.uid = GLOBAL_ROOT_UID;
1619 ctx->perms.gid = GLOBAL_ROOT_GID;
1620 ctx->root_mode = S_IFDIR | 0500;
1621 ctx->no_disconnect = false;
1622
1623 fc->fs_private = ctx;
1624 fc->ops = &ffs_fs_context_ops;
1625 return 0;
1626 }
1627
1628 static void
1629 ffs_fs_kill_sb(struct super_block *sb)
1630 {
1631 ENTER();
1632
1633 kill_litter_super(sb);
1634 if (sb->s_fs_info) {
1635 ffs_release_dev(sb->s_fs_info);
1636 ffs_data_closed(sb->s_fs_info);
1637 }
1638 }
1639
1640 static struct file_system_type ffs_fs_type = {
1641 .owner = THIS_MODULE,
1642 .name = "functionfs",
1643 .init_fs_context = ffs_fs_init_fs_context,
1644 .parameters = &ffs_fs_fs_parameters,
1645 .kill_sb = ffs_fs_kill_sb,
1646 };
1647 MODULE_ALIAS_FS("functionfs");
1648
1649
1650 /* Driver's main init/cleanup functions *************************************/
1651
1652 static int functionfs_init(void)
1653 {
1654 int ret;
1655
1656 ENTER();
1657
1658 ret = register_filesystem(&ffs_fs_type);
1659 if (likely(!ret))
1660 pr_info("file system registered\n");
1661 else
1662 pr_err("failed registering file system (%d)\n", ret);
1663
1664 return ret;
1665 }
1666
1667 static void functionfs_cleanup(void)
1668 {
1669 ENTER();
1670
1671 pr_info("unloading\n");
1672 unregister_filesystem(&ffs_fs_type);
1673 }
1674
1675
1676 /* ffs_data and ffs_function construction and destruction code **************/
1677
1678 static void ffs_data_clear(struct ffs_data *ffs);
1679 static void ffs_data_reset(struct ffs_data *ffs);
1680
1681 static void ffs_data_get(struct ffs_data *ffs)
1682 {
1683 ENTER();
1684
1685 refcount_inc(&ffs->ref);
1686 }
1687
1688 static void ffs_data_opened(struct ffs_data *ffs)
1689 {
1690 ENTER();
1691
1692 refcount_inc(&ffs->ref);
1693 if (atomic_add_return(1, &ffs->opened) == 1 &&
1694 ffs->state == FFS_DEACTIVATED) {
1695 ffs->state = FFS_CLOSING;
1696 ffs_data_reset(ffs);
1697 }
1698 }
1699
1700 static void ffs_data_put(struct ffs_data *ffs)
1701 {
1702 ENTER();
1703
1704 if (unlikely(refcount_dec_and_test(&ffs->ref))) {
1705 pr_info("%s(): freeing\n", __func__);
1706 ffs_data_clear(ffs);
1707 BUG_ON(waitqueue_active(&ffs->ev.waitq) ||
1708 waitqueue_active(&ffs->ep0req_completion.wait) ||
1709 waitqueue_active(&ffs->wait));
1710 destroy_workqueue(ffs->io_completion_wq);
1711 kfree(ffs->dev_name);
1712 kfree(ffs);
1713 }
1714 }
1715
1716 static void ffs_data_closed(struct ffs_data *ffs)
1717 {
1718 ENTER();
1719
1720 if (atomic_dec_and_test(&ffs->opened)) {
1721 if (ffs->no_disconnect) {
1722 ffs->state = FFS_DEACTIVATED;
1723 if (ffs->epfiles) {
1724 ffs_epfiles_destroy(ffs->epfiles,
1725 ffs->eps_count);
1726 ffs->epfiles = NULL;
1727 }
1728 if (ffs->setup_state == FFS_SETUP_PENDING)
1729 __ffs_ep0_stall(ffs);
1730 } else {
1731 ffs->state = FFS_CLOSING;
1732 ffs_data_reset(ffs);
1733 }
1734 }
1735 if (atomic_read(&ffs->opened) < 0) {
1736 ffs->state = FFS_CLOSING;
1737 ffs_data_reset(ffs);
1738 }
1739
1740 ffs_data_put(ffs);
1741 }
1742
1743 static struct ffs_data *ffs_data_new(const char *dev_name)
1744 {
1745 struct ffs_data *ffs = kzalloc(sizeof *ffs, GFP_KERNEL);
1746 if (unlikely(!ffs))
1747 return NULL;
1748
1749 ENTER();
1750
1751 ffs->io_completion_wq = alloc_ordered_workqueue("%s", 0, dev_name);
1752 if (!ffs->io_completion_wq) {
1753 kfree(ffs);
1754 return NULL;
1755 }
1756
1757 refcount_set(&ffs->ref, 1);
1758 atomic_set(&ffs->opened, 0);
1759 ffs->state = FFS_READ_DESCRIPTORS;
1760 mutex_init(&ffs->mutex);
1761 spin_lock_init(&ffs->eps_lock);
1762 init_waitqueue_head(&ffs->ev.waitq);
1763 init_waitqueue_head(&ffs->wait);
1764 init_completion(&ffs->ep0req_completion);
1765
1766 /* XXX REVISIT need to update it in some places, or do we? */
1767 ffs->ev.can_stall = 1;
1768
1769 return ffs;
1770 }
1771
1772 static void ffs_data_clear(struct ffs_data *ffs)
1773 {
1774 ENTER();
1775
1776 ffs_closed(ffs);
1777
1778 BUG_ON(ffs->gadget);
1779
1780 if (ffs->epfiles)
1781 ffs_epfiles_destroy(ffs->epfiles, ffs->eps_count);
1782
1783 if (ffs->ffs_eventfd)
1784 eventfd_ctx_put(ffs->ffs_eventfd);
1785
1786 kfree(ffs->raw_descs_data);
1787 kfree(ffs->raw_strings);
1788 kfree(ffs->stringtabs);
1789 }
1790
1791 static void ffs_data_reset(struct ffs_data *ffs)
1792 {
1793 ENTER();
1794
1795 ffs_data_clear(ffs);
1796
1797 ffs->epfiles = NULL;
1798 ffs->raw_descs_data = NULL;
1799 ffs->raw_descs = NULL;
1800 ffs->raw_strings = NULL;
1801 ffs->stringtabs = NULL;
1802
1803 ffs->raw_descs_length = 0;
1804 ffs->fs_descs_count = 0;
1805 ffs->hs_descs_count = 0;
1806 ffs->ss_descs_count = 0;
1807
1808 ffs->strings_count = 0;
1809 ffs->interfaces_count = 0;
1810 ffs->eps_count = 0;
1811
1812 ffs->ev.count = 0;
1813
1814 ffs->state = FFS_READ_DESCRIPTORS;
1815 ffs->setup_state = FFS_NO_SETUP;
1816 ffs->flags = 0;
1817 }
1818
1819
1820 static int functionfs_bind(struct ffs_data *ffs, struct usb_composite_dev *cdev)
1821 {
1822 struct usb_gadget_strings **lang;
1823 int first_id;
1824
1825 ENTER();
1826
1827 if (WARN_ON(ffs->state != FFS_ACTIVE
1828 || test_and_set_bit(FFS_FL_BOUND, &ffs->flags)))
1829 return -EBADFD;
1830
1831 first_id = usb_string_ids_n(cdev, ffs->strings_count);
1832 if (unlikely(first_id < 0))
1833 return first_id;
1834
1835 ffs->ep0req = usb_ep_alloc_request(cdev->gadget->ep0, GFP_KERNEL);
1836 if (unlikely(!ffs->ep0req))
1837 return -ENOMEM;
1838 ffs->ep0req->complete = ffs_ep0_complete;
1839 ffs->ep0req->context = ffs;
1840
1841 lang = ffs->stringtabs;
1842 if (lang) {
1843 for (; *lang; ++lang) {
1844 struct usb_string *str = (*lang)->strings;
1845 int id = first_id;
1846 for (; str->s; ++id, ++str)
1847 str->id = id;
1848 }
1849 }
1850
1851 ffs->gadget = cdev->gadget;
1852 ffs_data_get(ffs);
1853 return 0;
1854 }
1855
1856 static void functionfs_unbind(struct ffs_data *ffs)
1857 {
1858 ENTER();
1859
1860 if (!WARN_ON(!ffs->gadget)) {
1861 usb_ep_free_request(ffs->gadget->ep0, ffs->ep0req);
1862 ffs->ep0req = NULL;
1863 ffs->gadget = NULL;
1864 clear_bit(FFS_FL_BOUND, &ffs->flags);
1865 ffs_data_put(ffs);
1866 }
1867 }
1868
1869 static int ffs_epfiles_create(struct ffs_data *ffs)
1870 {
1871 struct ffs_epfile *epfile, *epfiles;
1872 unsigned i, count;
1873
1874 ENTER();
1875
1876 count = ffs->eps_count;
1877 epfiles = kcalloc(count, sizeof(*epfiles), GFP_KERNEL);
1878 if (!epfiles)
1879 return -ENOMEM;
1880
1881 epfile = epfiles;
1882 for (i = 1; i <= count; ++i, ++epfile) {
1883 epfile->ffs = ffs;
1884 mutex_init(&epfile->mutex);
1885 if (ffs->user_flags & FUNCTIONFS_VIRTUAL_ADDR)
1886 sprintf(epfile->name, "ep%02x", ffs->eps_addrmap[i]);
1887 else
1888 sprintf(epfile->name, "ep%u", i);
1889 epfile->dentry = ffs_sb_create_file(ffs->sb, epfile->name,
1890 epfile,
1891 &ffs_epfile_operations);
1892 if (unlikely(!epfile->dentry)) {
1893 ffs_epfiles_destroy(epfiles, i - 1);
1894 return -ENOMEM;
1895 }
1896 }
1897
1898 ffs->epfiles = epfiles;
1899 return 0;
1900 }
1901
1902 static void ffs_epfiles_destroy(struct ffs_epfile *epfiles, unsigned count)
1903 {
1904 struct ffs_epfile *epfile = epfiles;
1905
1906 ENTER();
1907
1908 for (; count; --count, ++epfile) {
1909 BUG_ON(mutex_is_locked(&epfile->mutex));
1910 if (epfile->dentry) {
1911 d_delete(epfile->dentry);
1912 dput(epfile->dentry);
1913 epfile->dentry = NULL;
1914 }
1915 }
1916
1917 kfree(epfiles);
1918 }
1919
1920 static void ffs_func_eps_disable(struct ffs_function *func)
1921 {
1922 struct ffs_ep *ep = func->eps;
1923 struct ffs_epfile *epfile = func->ffs->epfiles;
1924 unsigned count = func->ffs->eps_count;
1925 unsigned long flags;
1926
1927 spin_lock_irqsave(&func->ffs->eps_lock, flags);
1928 while (count--) {
1929 /* pending requests get nuked */
1930 if (likely(ep->ep))
1931 usb_ep_disable(ep->ep);
1932 ++ep;
1933
1934 if (epfile) {
1935 epfile->ep = NULL;
1936 __ffs_epfile_read_buffer_free(epfile);
1937 ++epfile;
1938 }
1939 }
1940 spin_unlock_irqrestore(&func->ffs->eps_lock, flags);
1941 }
1942
1943 static int ffs_func_eps_enable(struct ffs_function *func)
1944 {
1945 struct ffs_data *ffs = func->ffs;
1946 struct ffs_ep *ep = func->eps;
1947 struct ffs_epfile *epfile = ffs->epfiles;
1948 unsigned count = ffs->eps_count;
1949 unsigned long flags;
1950 int ret = 0;
1951
1952 spin_lock_irqsave(&func->ffs->eps_lock, flags);
1953 while(count--) {
1954 ep->ep->driver_data = ep;
1955
1956 ret = config_ep_by_speed(func->gadget, &func->function, ep->ep);
1957 if (ret) {
1958 pr_err("%s: config_ep_by_speed(%s) returned %d\n",
1959 __func__, ep->ep->name, ret);
1960 break;
1961 }
1962
1963 ret = usb_ep_enable(ep->ep);
1964 if (likely(!ret)) {
1965 epfile->ep = ep;
1966 epfile->in = usb_endpoint_dir_in(ep->ep->desc);
1967 epfile->isoc = usb_endpoint_xfer_isoc(ep->ep->desc);
1968 } else {
1969 break;
1970 }
1971
1972 ++ep;
1973 ++epfile;
1974 }
1975
1976 wake_up_interruptible(&ffs->wait);
1977 spin_unlock_irqrestore(&func->ffs->eps_lock, flags);
1978
1979 return ret;
1980 }
1981
1982
1983 /* Parsing and building descriptors and strings *****************************/
1984
1985 /*
1986 * This validates if data pointed by data is a valid USB descriptor as
1987 * well as record how many interfaces, endpoints and strings are
1988 * required by given configuration. Returns address after the
1989 * descriptor or NULL if data is invalid.
1990 */
1991
1992 enum ffs_entity_type {
1993 FFS_DESCRIPTOR, FFS_INTERFACE, FFS_STRING, FFS_ENDPOINT
1994 };
1995
1996 enum ffs_os_desc_type {
1997 FFS_OS_DESC, FFS_OS_DESC_EXT_COMPAT, FFS_OS_DESC_EXT_PROP
1998 };
1999
2000 typedef int (*ffs_entity_callback)(enum ffs_entity_type entity,
2001 u8 *valuep,
2002 struct usb_descriptor_header *desc,
2003 void *priv);
2004
2005 typedef int (*ffs_os_desc_callback)(enum ffs_os_desc_type entity,
2006 struct usb_os_desc_header *h, void *data,
2007 unsigned len, void *priv);
2008
2009 static int __must_check ffs_do_single_desc(char *data, unsigned len,
2010 ffs_entity_callback entity,
2011 void *priv, int *current_class)
2012 {
2013 struct usb_descriptor_header *_ds = (void *)data;
2014 u8 length;
2015 int ret;
2016
2017 ENTER();
2018
2019 /* At least two bytes are required: length and type */
2020 if (len < 2) {
2021 pr_vdebug("descriptor too short\n");
2022 return -EINVAL;
2023 }
2024
2025 /* If we have at least as many bytes as the descriptor takes? */
2026 length = _ds->bLength;
2027 if (len < length) {
2028 pr_vdebug("descriptor longer then available data\n");
2029 return -EINVAL;
2030 }
2031
2032 #define __entity_check_INTERFACE(val) 1
2033 #define __entity_check_STRING(val) (val)
2034 #define __entity_check_ENDPOINT(val) ((val) & USB_ENDPOINT_NUMBER_MASK)
2035 #define __entity(type, val) do { \
2036 pr_vdebug("entity " #type "(%02x)\n", (val)); \
2037 if (unlikely(!__entity_check_ ##type(val))) { \
2038 pr_vdebug("invalid entity's value\n"); \
2039 return -EINVAL; \
2040 } \
2041 ret = entity(FFS_ ##type, &val, _ds, priv); \
2042 if (unlikely(ret < 0)) { \
2043 pr_debug("entity " #type "(%02x); ret = %d\n", \
2044 (val), ret); \
2045 return ret; \
2046 } \
2047 } while (0)
2048
2049 /* Parse descriptor depending on type. */
2050 switch (_ds->bDescriptorType) {
2051 case USB_DT_DEVICE:
2052 case USB_DT_CONFIG:
2053 case USB_DT_STRING:
2054 case USB_DT_DEVICE_QUALIFIER:
2055 /* function can't have any of those */
2056 pr_vdebug("descriptor reserved for gadget: %d\n",
2057 _ds->bDescriptorType);
2058 return -EINVAL;
2059
2060 case USB_DT_INTERFACE: {
2061 struct usb_interface_descriptor *ds = (void *)_ds;
2062 pr_vdebug("interface descriptor\n");
2063 if (length != sizeof *ds)
2064 goto inv_length;
2065
2066 __entity(INTERFACE, ds->bInterfaceNumber);
2067 if (ds->iInterface)
2068 __entity(STRING, ds->iInterface);
2069 *current_class = ds->bInterfaceClass;
2070 }
2071 break;
2072
2073 case USB_DT_ENDPOINT: {
2074 struct usb_endpoint_descriptor *ds = (void *)_ds;
2075 pr_vdebug("endpoint descriptor\n");
2076 if (length != USB_DT_ENDPOINT_SIZE &&
2077 length != USB_DT_ENDPOINT_AUDIO_SIZE)
2078 goto inv_length;
2079 __entity(ENDPOINT, ds->bEndpointAddress);
2080 }
2081 break;
2082
2083 case USB_TYPE_CLASS | 0x01:
2084 if (*current_class == USB_INTERFACE_CLASS_HID) {
2085 pr_vdebug("hid descriptor\n");
2086 if (length != sizeof(struct hid_descriptor))
2087 goto inv_length;
2088 break;
2089 } else if (*current_class == USB_INTERFACE_CLASS_CCID) {
2090 pr_vdebug("ccid descriptor\n");
2091 if (length != sizeof(struct ccid_descriptor))
2092 goto inv_length;
2093 break;
2094 } else {
2095 pr_vdebug("unknown descriptor: %d for class %d\n",
2096 _ds->bDescriptorType, *current_class);
2097 return -EINVAL;
2098 }
2099
2100 case USB_DT_OTG:
2101 if (length != sizeof(struct usb_otg_descriptor))
2102 goto inv_length;
2103 break;
2104
2105 case USB_DT_INTERFACE_ASSOCIATION: {
2106 struct usb_interface_assoc_descriptor *ds = (void *)_ds;
2107 pr_vdebug("interface association descriptor\n");
2108 if (length != sizeof *ds)
2109 goto inv_length;
2110 if (ds->iFunction)
2111 __entity(STRING, ds->iFunction);
2112 }
2113 break;
2114
2115 case USB_DT_SS_ENDPOINT_COMP:
2116 pr_vdebug("EP SS companion descriptor\n");
2117 if (length != sizeof(struct usb_ss_ep_comp_descriptor))
2118 goto inv_length;
2119 break;
2120
2121 case USB_DT_OTHER_SPEED_CONFIG:
2122 case USB_DT_INTERFACE_POWER:
2123 case USB_DT_DEBUG:
2124 case USB_DT_SECURITY:
2125 case USB_DT_CS_RADIO_CONTROL:
2126 /* TODO */
2127 pr_vdebug("unimplemented descriptor: %d\n", _ds->bDescriptorType);
2128 return -EINVAL;
2129
2130 default:
2131 /* We should never be here */
2132 pr_vdebug("unknown descriptor: %d\n", _ds->bDescriptorType);
2133 return -EINVAL;
2134
2135 inv_length:
2136 pr_vdebug("invalid length: %d (descriptor %d)\n",
2137 _ds->bLength, _ds->bDescriptorType);
2138 return -EINVAL;
2139 }
2140
2141 #undef __entity
2142 #undef __entity_check_DESCRIPTOR
2143 #undef __entity_check_INTERFACE
2144 #undef __entity_check_STRING
2145 #undef __entity_check_ENDPOINT
2146
2147 return length;
2148 }
2149
2150 static int __must_check ffs_do_descs(unsigned count, char *data, unsigned len,
2151 ffs_entity_callback entity, void *priv)
2152 {
2153 const unsigned _len = len;
2154 unsigned long num = 0;
2155 int current_class = -1;
2156
2157 ENTER();
2158
2159 for (;;) {
2160 int ret;
2161
2162 if (num == count)
2163 data = NULL;
2164
2165 /* Record "descriptor" entity */
2166 ret = entity(FFS_DESCRIPTOR, (u8 *)num, (void *)data, priv);
2167 if (unlikely(ret < 0)) {
2168 pr_debug("entity DESCRIPTOR(%02lx); ret = %d\n",
2169 num, ret);
2170 return ret;
2171 }
2172
2173 if (!data)
2174 return _len - len;
2175
2176 ret = ffs_do_single_desc(data, len, entity, priv,
2177 &current_class);
2178 if (unlikely(ret < 0)) {
2179 pr_debug("%s returns %d\n", __func__, ret);
2180 return ret;
2181 }
2182
2183 len -= ret;
2184 data += ret;
2185 ++num;
2186 }
2187 }
2188
2189 static int __ffs_data_do_entity(enum ffs_entity_type type,
2190 u8 *valuep, struct usb_descriptor_header *desc,
2191 void *priv)
2192 {
2193 struct ffs_desc_helper *helper = priv;
2194 struct usb_endpoint_descriptor *d;
2195
2196 ENTER();
2197
2198 switch (type) {
2199 case FFS_DESCRIPTOR:
2200 break;
2201
2202 case FFS_INTERFACE:
2203 /*
2204 * Interfaces are indexed from zero so if we
2205 * encountered interface "n" then there are at least
2206 * "n+1" interfaces.
2207 */
2208 if (*valuep >= helper->interfaces_count)
2209 helper->interfaces_count = *valuep + 1;
2210 break;
2211
2212 case FFS_STRING:
2213 /*
2214 * Strings are indexed from 1 (0 is reserved
2215 * for languages list)
2216 */
2217 if (*valuep > helper->ffs->strings_count)
2218 helper->ffs->strings_count = *valuep;
2219 break;
2220
2221 case FFS_ENDPOINT:
2222 d = (void *)desc;
2223 helper->eps_count++;
2224 if (helper->eps_count >= FFS_MAX_EPS_COUNT)
2225 return -EINVAL;
2226 /* Check if descriptors for any speed were already parsed */
2227 if (!helper->ffs->eps_count && !helper->ffs->interfaces_count)
2228 helper->ffs->eps_addrmap[helper->eps_count] =
2229 d->bEndpointAddress;
2230 else if (helper->ffs->eps_addrmap[helper->eps_count] !=
2231 d->bEndpointAddress)
2232 return -EINVAL;
2233 break;
2234 }
2235
2236 return 0;
2237 }
2238
2239 static int __ffs_do_os_desc_header(enum ffs_os_desc_type *next_type,
2240 struct usb_os_desc_header *desc)
2241 {
2242 u16 bcd_version = le16_to_cpu(desc->bcdVersion);
2243 u16 w_index = le16_to_cpu(desc->wIndex);
2244
2245 if (bcd_version != 1) {
2246 pr_vdebug("unsupported os descriptors version: %d",
2247 bcd_version);
2248 return -EINVAL;
2249 }
2250 switch (w_index) {
2251 case 0x4:
2252 *next_type = FFS_OS_DESC_EXT_COMPAT;
2253 break;
2254 case 0x5:
2255 *next_type = FFS_OS_DESC_EXT_PROP;
2256 break;
2257 default:
2258 pr_vdebug("unsupported os descriptor type: %d", w_index);
2259 return -EINVAL;
2260 }
2261
2262 return sizeof(*desc);
2263 }
2264
2265 /*
2266 * Process all extended compatibility/extended property descriptors
2267 * of a feature descriptor
2268 */
2269 static int __must_check ffs_do_single_os_desc(char *data, unsigned len,
2270 enum ffs_os_desc_type type,
2271 u16 feature_count,
2272 ffs_os_desc_callback entity,
2273 void *priv,
2274 struct usb_os_desc_header *h)
2275 {
2276 int ret;
2277 const unsigned _len = len;
2278
2279 ENTER();
2280
2281 /* loop over all ext compat/ext prop descriptors */
2282 while (feature_count--) {
2283 ret = entity(type, h, data, len, priv);
2284 if (unlikely(ret < 0)) {
2285 pr_debug("bad OS descriptor, type: %d\n", type);
2286 return ret;
2287 }
2288 data += ret;
2289 len -= ret;
2290 }
2291 return _len - len;
2292 }
2293
2294 /* Process a number of complete Feature Descriptors (Ext Compat or Ext Prop) */
2295 static int __must_check ffs_do_os_descs(unsigned count,
2296 char *data, unsigned len,
2297 ffs_os_desc_callback entity, void *priv)
2298 {
2299 const unsigned _len = len;
2300 unsigned long num = 0;
2301
2302 ENTER();
2303
2304 for (num = 0; num < count; ++num) {
2305 int ret;
2306 enum ffs_os_desc_type type;
2307 u16 feature_count;
2308 struct usb_os_desc_header *desc = (void *)data;
2309
2310 if (len < sizeof(*desc))
2311 return -EINVAL;
2312
2313 /*
2314 * Record "descriptor" entity.
2315 * Process dwLength, bcdVersion, wIndex, get b/wCount.
2316 * Move the data pointer to the beginning of extended
2317 * compatibilities proper or extended properties proper
2318 * portions of the data
2319 */
2320 if (le32_to_cpu(desc->dwLength) > len)
2321 return -EINVAL;
2322
2323 ret = __ffs_do_os_desc_header(&type, desc);
2324 if (unlikely(ret < 0)) {
2325 pr_debug("entity OS_DESCRIPTOR(%02lx); ret = %d\n",
2326 num, ret);
2327 return ret;
2328 }
2329 /*
2330 * 16-bit hex "?? 00" Little Endian looks like 8-bit hex "??"
2331 */
2332 feature_count = le16_to_cpu(desc->wCount);
2333 if (type == FFS_OS_DESC_EXT_COMPAT &&
2334 (feature_count > 255 || desc->Reserved))
2335 return -EINVAL;
2336 len -= ret;
2337 data += ret;
2338
2339 /*
2340 * Process all function/property descriptors
2341 * of this Feature Descriptor
2342 */
2343 ret = ffs_do_single_os_desc(data, len, type,
2344 feature_count, entity, priv, desc);
2345 if (unlikely(ret < 0)) {
2346 pr_debug("%s returns %d\n", __func__, ret);
2347 return ret;
2348 }
2349
2350 len -= ret;
2351 data += ret;
2352 }
2353 return _len - len;
2354 }
2355
2356 /**
2357 * Validate contents of the buffer from userspace related to OS descriptors.
2358 */
2359 static int __ffs_data_do_os_desc(enum ffs_os_desc_type type,
2360 struct usb_os_desc_header *h, void *data,
2361 unsigned len, void *priv)
2362 {
2363 struct ffs_data *ffs = priv;
2364 u8 length;
2365
2366 ENTER();
2367
2368 switch (type) {
2369 case FFS_OS_DESC_EXT_COMPAT: {
2370 struct usb_ext_compat_desc *d = data;
2371 int i;
2372
2373 if (len < sizeof(*d) ||
2374 d->bFirstInterfaceNumber >= ffs->interfaces_count)
2375 return -EINVAL;
2376 if (d->Reserved1 != 1) {
2377 /*
2378 * According to the spec, Reserved1 must be set to 1
2379 * but older kernels incorrectly rejected non-zero
2380 * values. We fix it here to avoid returning EINVAL
2381 * in response to values we used to accept.
2382 */
2383 pr_debug("usb_ext_compat_desc::Reserved1 forced to 1\n");
2384 d->Reserved1 = 1;
2385 }
2386 for (i = 0; i < ARRAY_SIZE(d->Reserved2); ++i)
2387 if (d->Reserved2[i])
2388 return -EINVAL;
2389
2390 length = sizeof(struct usb_ext_compat_desc);
2391 }
2392 break;
2393 case FFS_OS_DESC_EXT_PROP: {
2394 struct usb_ext_prop_desc *d = data;
2395 u32 type, pdl;
2396 u16 pnl;
2397
2398 if (len < sizeof(*d) || h->interface >= ffs->interfaces_count)
2399 return -EINVAL;
2400 length = le32_to_cpu(d->dwSize);
2401 if (len < length)
2402 return -EINVAL;
2403 type = le32_to_cpu(d->dwPropertyDataType);
2404 if (type < USB_EXT_PROP_UNICODE ||
2405 type > USB_EXT_PROP_UNICODE_MULTI) {
2406 pr_vdebug("unsupported os descriptor property type: %d",
2407 type);
2408 return -EINVAL;
2409 }
2410 pnl = le16_to_cpu(d->wPropertyNameLength);
2411 if (length < 14 + pnl) {
2412 pr_vdebug("invalid os descriptor length: %d pnl:%d (descriptor %d)\n",
2413 length, pnl, type);
2414 return -EINVAL;
2415 }
2416 pdl = le32_to_cpu(*(__le32 *)((u8 *)data + 10 + pnl));
2417 if (length != 14 + pnl + pdl) {
2418 pr_vdebug("invalid os descriptor length: %d pnl:%d pdl:%d (descriptor %d)\n",
2419 length, pnl, pdl, type);
2420 return -EINVAL;
2421 }
2422 ++ffs->ms_os_descs_ext_prop_count;
2423 /* property name reported to the host as "WCHAR"s */
2424 ffs->ms_os_descs_ext_prop_name_len += pnl * 2;
2425 ffs->ms_os_descs_ext_prop_data_len += pdl;
2426 }
2427 break;
2428 default:
2429 pr_vdebug("unknown descriptor: %d\n", type);
2430 return -EINVAL;
2431 }
2432 return length;
2433 }
2434
2435 static int __ffs_data_got_descs(struct ffs_data *ffs,
2436 char *const _data, size_t len)
2437 {
2438 char *data = _data, *raw_descs;
2439 unsigned os_descs_count = 0, counts[3], flags;
2440 int ret = -EINVAL, i;
2441 struct ffs_desc_helper helper;
2442
2443 ENTER();
2444
2445 if (get_unaligned_le32(data + 4) != len)
2446 goto error;
2447
2448 switch (get_unaligned_le32(data)) {
2449 case FUNCTIONFS_DESCRIPTORS_MAGIC:
2450 flags = FUNCTIONFS_HAS_FS_DESC | FUNCTIONFS_HAS_HS_DESC;
2451 data += 8;
2452 len -= 8;
2453 break;
2454 case FUNCTIONFS_DESCRIPTORS_MAGIC_V2:
2455 flags = get_unaligned_le32(data + 8);
2456 ffs->user_flags = flags;
2457 if (flags & ~(FUNCTIONFS_HAS_FS_DESC |
2458 FUNCTIONFS_HAS_HS_DESC |
2459 FUNCTIONFS_HAS_SS_DESC |
2460 FUNCTIONFS_HAS_MS_OS_DESC |
2461 FUNCTIONFS_VIRTUAL_ADDR |
2462 FUNCTIONFS_EVENTFD |
2463 FUNCTIONFS_ALL_CTRL_RECIP |
2464 FUNCTIONFS_CONFIG0_SETUP)) {
2465 ret = -ENOSYS;
2466 goto error;
2467 }
2468 data += 12;
2469 len -= 12;
2470 break;
2471 default:
2472 goto error;
2473 }
2474
2475 if (flags & FUNCTIONFS_EVENTFD) {
2476 if (len < 4)
2477 goto error;
2478 ffs->ffs_eventfd =
2479 eventfd_ctx_fdget((int)get_unaligned_le32(data));
2480 if (IS_ERR(ffs->ffs_eventfd)) {
2481 ret = PTR_ERR(ffs->ffs_eventfd);
2482 ffs->ffs_eventfd = NULL;
2483 goto error;
2484 }
2485 data += 4;
2486 len -= 4;
2487 }
2488
2489 /* Read fs_count, hs_count and ss_count (if present) */
2490 for (i = 0; i < 3; ++i) {
2491 if (!(flags & (1 << i))) {
2492 counts[i] = 0;
2493 } else if (len < 4) {
2494 goto error;
2495 } else {
2496 counts[i] = get_unaligned_le32(data);
2497 data += 4;
2498 len -= 4;
2499 }
2500 }
2501 if (flags & (1 << i)) {
2502 if (len < 4) {
2503 goto error;
2504 }
2505 os_descs_count = get_unaligned_le32(data);
2506 data += 4;
2507 len -= 4;
2508 };
2509
2510 /* Read descriptors */
2511 raw_descs = data;
2512 helper.ffs = ffs;
2513 for (i = 0; i < 3; ++i) {
2514 if (!counts[i])
2515 continue;
2516 helper.interfaces_count = 0;
2517 helper.eps_count = 0;
2518 ret = ffs_do_descs(counts[i], data, len,
2519 __ffs_data_do_entity, &helper);
2520 if (ret < 0)
2521 goto error;
2522 if (!ffs->eps_count && !ffs->interfaces_count) {
2523 ffs->eps_count = helper.eps_count;
2524 ffs->interfaces_count = helper.interfaces_count;
2525 } else {
2526 if (ffs->eps_count != helper.eps_count) {
2527 ret = -EINVAL;
2528 goto error;
2529 }
2530 if (ffs->interfaces_count != helper.interfaces_count) {
2531 ret = -EINVAL;
2532 goto error;
2533 }
2534 }
2535 data += ret;
2536 len -= ret;
2537 }
2538 if (os_descs_count) {
2539 ret = ffs_do_os_descs(os_descs_count, data, len,
2540 __ffs_data_do_os_desc, ffs);
2541 if (ret < 0)
2542 goto error;
2543 data += ret;
2544 len -= ret;
2545 }
2546
2547 if (raw_descs == data || len) {
2548 ret = -EINVAL;
2549 goto error;
2550 }
2551
2552 ffs->raw_descs_data = _data;
2553 ffs->raw_descs = raw_descs;
2554 ffs->raw_descs_length = data - raw_descs;
2555 ffs->fs_descs_count = counts[0];
2556 ffs->hs_descs_count = counts[1];
2557 ffs->ss_descs_count = counts[2];
2558 ffs->ms_os_descs_count = os_descs_count;
2559
2560 return 0;
2561
2562 error:
2563 kfree(_data);
2564 return ret;
2565 }
2566
2567 static int __ffs_data_got_strings(struct ffs_data *ffs,
2568 char *const _data, size_t len)
2569 {
2570 u32 str_count, needed_count, lang_count;
2571 struct usb_gadget_strings **stringtabs, *t;
2572 const char *data = _data;
2573 struct usb_string *s;
2574
2575 ENTER();
2576
2577 if (unlikely(len < 16 ||
2578 get_unaligned_le32(data) != FUNCTIONFS_STRINGS_MAGIC ||
2579 get_unaligned_le32(data + 4) != len))
2580 goto error;
2581 str_count = get_unaligned_le32(data + 8);
2582 lang_count = get_unaligned_le32(data + 12);
2583
2584 /* if one is zero the other must be zero */
2585 if (unlikely(!str_count != !lang_count))
2586 goto error;
2587
2588 /* Do we have at least as many strings as descriptors need? */
2589 needed_count = ffs->strings_count;
2590 if (unlikely(str_count < needed_count))
2591 goto error;
2592
2593 /*
2594 * If we don't need any strings just return and free all
2595 * memory.
2596 */
2597 if (!needed_count) {
2598 kfree(_data);
2599 return 0;
2600 }
2601
2602 /* Allocate everything in one chunk so there's less maintenance. */
2603 {
2604 unsigned i = 0;
2605 vla_group(d);
2606 vla_item(d, struct usb_gadget_strings *, stringtabs,
2607 lang_count + 1);
2608 vla_item(d, struct usb_gadget_strings, stringtab, lang_count);
2609 vla_item(d, struct usb_string, strings,
2610 lang_count*(needed_count+1));
2611
2612 char *vlabuf = kmalloc(vla_group_size(d), GFP_KERNEL);
2613
2614 if (unlikely(!vlabuf)) {
2615 kfree(_data);
2616 return -ENOMEM;
2617 }
2618
2619 /* Initialize the VLA pointers */
2620 stringtabs = vla_ptr(vlabuf, d, stringtabs);
2621 t = vla_ptr(vlabuf, d, stringtab);
2622 i = lang_count;
2623 do {
2624 *stringtabs++ = t++;
2625 } while (--i);
2626 *stringtabs = NULL;
2627
2628 /* stringtabs = vlabuf = d_stringtabs for later kfree */
2629 stringtabs = vla_ptr(vlabuf, d, stringtabs);
2630 t = vla_ptr(vlabuf, d, stringtab);
2631 s = vla_ptr(vlabuf, d, strings);
2632 }
2633
2634 /* For each language */
2635 data += 16;
2636 len -= 16;
2637
2638 do { /* lang_count > 0 so we can use do-while */
2639 unsigned needed = needed_count;
2640
2641 if (unlikely(len < 3))
2642 goto error_free;
2643 t->language = get_unaligned_le16(data);
2644 t->strings = s;
2645 ++t;
2646
2647 data += 2;
2648 len -= 2;
2649
2650 /* For each string */
2651 do { /* str_count > 0 so we can use do-while */
2652 size_t length = strnlen(data, len);
2653
2654 if (unlikely(length == len))
2655 goto error_free;
2656
2657 /*
2658 * User may provide more strings then we need,
2659 * if that's the case we simply ignore the
2660 * rest
2661 */
2662 if (likely(needed)) {
2663 /*
2664 * s->id will be set while adding
2665 * function to configuration so for
2666 * now just leave garbage here.
2667 */
2668 s->s = data;
2669 --needed;
2670 ++s;
2671 }
2672
2673 data += length + 1;
2674 len -= length + 1;
2675 } while (--str_count);
2676
2677 s->id = 0; /* terminator */
2678 s->s = NULL;
2679 ++s;
2680
2681 } while (--lang_count);
2682
2683 /* Some garbage left? */
2684 if (unlikely(len))
2685 goto error_free;
2686
2687 /* Done! */
2688 ffs->stringtabs = stringtabs;
2689 ffs->raw_strings = _data;
2690
2691 return 0;
2692
2693 error_free:
2694 kfree(stringtabs);
2695 error:
2696 kfree(_data);
2697 return -EINVAL;
2698 }
2699
2700
2701 /* Events handling and management *******************************************/
2702
2703 static void __ffs_event_add(struct ffs_data *ffs,
2704 enum usb_functionfs_event_type type)
2705 {
2706 enum usb_functionfs_event_type rem_type1, rem_type2 = type;
2707 int neg = 0;
2708
2709 /*
2710 * Abort any unhandled setup
2711 *
2712 * We do not need to worry about some cmpxchg() changing value
2713 * of ffs->setup_state without holding the lock because when
2714 * state is FFS_SETUP_PENDING cmpxchg() in several places in
2715 * the source does nothing.
2716 */
2717 if (ffs->setup_state == FFS_SETUP_PENDING)
2718 ffs->setup_state = FFS_SETUP_CANCELLED;
2719
2720 /*
2721 * Logic of this function guarantees that there are at most four pending
2722 * evens on ffs->ev.types queue. This is important because the queue
2723 * has space for four elements only and __ffs_ep0_read_events function
2724 * depends on that limit as well. If more event types are added, those
2725 * limits have to be revisited or guaranteed to still hold.
2726 */
2727 switch (type) {
2728 case FUNCTIONFS_RESUME:
2729 rem_type2 = FUNCTIONFS_SUSPEND;
2730 /* FALL THROUGH */
2731 case FUNCTIONFS_SUSPEND:
2732 case FUNCTIONFS_SETUP:
2733 rem_type1 = type;
2734 /* Discard all similar events */
2735 break;
2736
2737 case FUNCTIONFS_BIND:
2738 case FUNCTIONFS_UNBIND:
2739 case FUNCTIONFS_DISABLE:
2740 case FUNCTIONFS_ENABLE:
2741 /* Discard everything other then power management. */
2742 rem_type1 = FUNCTIONFS_SUSPEND;
2743 rem_type2 = FUNCTIONFS_RESUME;
2744 neg = 1;
2745 break;
2746
2747 default:
2748 WARN(1, "%d: unknown event, this should not happen\n", type);
2749 return;
2750 }
2751
2752 {
2753 u8 *ev = ffs->ev.types, *out = ev;
2754 unsigned n = ffs->ev.count;
2755 for (; n; --n, ++ev)
2756 if ((*ev == rem_type1 || *ev == rem_type2) == neg)
2757 *out++ = *ev;
2758 else
2759 pr_vdebug("purging event %d\n", *ev);
2760 ffs->ev.count = out - ffs->ev.types;
2761 }
2762
2763 pr_vdebug("adding event %d\n", type);
2764 ffs->ev.types[ffs->ev.count++] = type;
2765 wake_up_locked(&ffs->ev.waitq);
2766 if (ffs->ffs_eventfd)
2767 eventfd_signal(ffs->ffs_eventfd, 1);
2768 }
2769
2770 static void ffs_event_add(struct ffs_data *ffs,
2771 enum usb_functionfs_event_type type)
2772 {
2773 unsigned long flags;
2774 spin_lock_irqsave(&ffs->ev.waitq.lock, flags);
2775 __ffs_event_add(ffs, type);
2776 spin_unlock_irqrestore(&ffs->ev.waitq.lock, flags);
2777 }
2778
2779 /* Bind/unbind USB function hooks *******************************************/
2780
2781 static int ffs_ep_addr2idx(struct ffs_data *ffs, u8 endpoint_address)
2782 {
2783 int i;
2784
2785 for (i = 1; i < ARRAY_SIZE(ffs->eps_addrmap); ++i)
2786 if (ffs->eps_addrmap[i] == endpoint_address)
2787 return i;
2788 return -ENOENT;
2789 }
2790
2791 static int __ffs_func_bind_do_descs(enum ffs_entity_type type, u8 *valuep,
2792 struct usb_descriptor_header *desc,
2793 void *priv)
2794 {
2795 struct usb_endpoint_descriptor *ds = (void *)desc;
2796 struct ffs_function *func = priv;
2797 struct ffs_ep *ffs_ep;
2798 unsigned ep_desc_id;
2799 int idx;
2800 static const char *speed_names[] = { "full", "high", "super" };
2801
2802 if (type != FFS_DESCRIPTOR)
2803 return 0;
2804
2805 /*
2806 * If ss_descriptors is not NULL, we are reading super speed
2807 * descriptors; if hs_descriptors is not NULL, we are reading high
2808 * speed descriptors; otherwise, we are reading full speed
2809 * descriptors.
2810 */
2811 if (func->function.ss_descriptors) {
2812 ep_desc_id = 2;
2813 func->function.ss_descriptors[(long)valuep] = desc;
2814 } else if (func->function.hs_descriptors) {
2815 ep_desc_id = 1;
2816 func->function.hs_descriptors[(long)valuep] = desc;
2817 } else {
2818 ep_desc_id = 0;
2819 func->function.fs_descriptors[(long)valuep] = desc;
2820 }
2821
2822 if (!desc || desc->bDescriptorType != USB_DT_ENDPOINT)
2823 return 0;
2824
2825 idx = ffs_ep_addr2idx(func->ffs, ds->bEndpointAddress) - 1;
2826 if (idx < 0)
2827 return idx;
2828
2829 ffs_ep = func->eps + idx;
2830
2831 if (unlikely(ffs_ep->descs[ep_desc_id])) {
2832 pr_err("two %sspeed descriptors for EP %d\n",
2833 speed_names[ep_desc_id],
2834 ds->bEndpointAddress & USB_ENDPOINT_NUMBER_MASK);
2835 return -EINVAL;
2836 }
2837 ffs_ep->descs[ep_desc_id] = ds;
2838
2839 ffs_dump_mem(": Original ep desc", ds, ds->bLength);
2840 if (ffs_ep->ep) {
2841 ds->bEndpointAddress = ffs_ep->descs[0]->bEndpointAddress;
2842 if (!ds->wMaxPacketSize)
2843 ds->wMaxPacketSize = ffs_ep->descs[0]->wMaxPacketSize;
2844 } else {
2845 struct usb_request *req;
2846 struct usb_ep *ep;
2847 u8 bEndpointAddress;
2848 u16 wMaxPacketSize;
2849
2850 /*
2851 * We back up bEndpointAddress because autoconfig overwrites
2852 * it with physical endpoint address.
2853 */
2854 bEndpointAddress = ds->bEndpointAddress;
2855 /*
2856 * We back up wMaxPacketSize because autoconfig treats
2857 * endpoint descriptors as if they were full speed.
2858 */
2859 wMaxPacketSize = ds->wMaxPacketSize;
2860 pr_vdebug("autoconfig\n");
2861 ep = usb_ep_autoconfig(func->gadget, ds);
2862 if (unlikely(!ep))
2863 return -ENOTSUPP;
2864 ep->driver_data = func->eps + idx;
2865
2866 req = usb_ep_alloc_request(ep, GFP_KERNEL);
2867 if (unlikely(!req))
2868 return -ENOMEM;
2869
2870 ffs_ep->ep = ep;
2871 ffs_ep->req = req;
2872 func->eps_revmap[ds->bEndpointAddress &
2873 USB_ENDPOINT_NUMBER_MASK] = idx + 1;
2874 /*
2875 * If we use virtual address mapping, we restore
2876 * original bEndpointAddress value.
2877 */
2878 if (func->ffs->user_flags & FUNCTIONFS_VIRTUAL_ADDR)
2879 ds->bEndpointAddress = bEndpointAddress;
2880 /*
2881 * Restore wMaxPacketSize which was potentially
2882 * overwritten by autoconfig.
2883 */
2884 ds->wMaxPacketSize = wMaxPacketSize;
2885 }
2886 ffs_dump_mem(": Rewritten ep desc", ds, ds->bLength);
2887
2888 return 0;
2889 }
2890
2891 static int __ffs_func_bind_do_nums(enum ffs_entity_type type, u8 *valuep,
2892 struct usb_descriptor_header *desc,
2893 void *priv)
2894 {
2895 struct ffs_function *func = priv;
2896 unsigned idx;
2897 u8 newValue;
2898
2899 switch (type) {
2900 default:
2901 case FFS_DESCRIPTOR:
2902 /* Handled in previous pass by __ffs_func_bind_do_descs() */
2903 return 0;
2904
2905 case FFS_INTERFACE:
2906 idx = *valuep;
2907 if (func->interfaces_nums[idx] < 0) {
2908 int id = usb_interface_id(func->conf, &func->function);
2909 if (unlikely(id < 0))
2910 return id;
2911 func->interfaces_nums[idx] = id;
2912 }
2913 newValue = func->interfaces_nums[idx];
2914 break;
2915
2916 case FFS_STRING:
2917 /* String' IDs are allocated when fsf_data is bound to cdev */
2918 newValue = func->ffs->stringtabs[0]->strings[*valuep - 1].id;
2919 break;
2920
2921 case FFS_ENDPOINT:
2922 /*
2923 * USB_DT_ENDPOINT are handled in
2924 * __ffs_func_bind_do_descs().
2925 */
2926 if (desc->bDescriptorType == USB_DT_ENDPOINT)
2927 return 0;
2928
2929 idx = (*valuep & USB_ENDPOINT_NUMBER_MASK) - 1;
2930 if (unlikely(!func->eps[idx].ep))
2931 return -EINVAL;
2932
2933 {
2934 struct usb_endpoint_descriptor **descs;
2935 descs = func->eps[idx].descs;
2936 newValue = descs[descs[0] ? 0 : 1]->bEndpointAddress;
2937 }
2938 break;
2939 }
2940
2941 pr_vdebug("%02x -> %02x\n", *valuep, newValue);
2942 *valuep = newValue;
2943 return 0;
2944 }
2945
2946 static int __ffs_func_bind_do_os_desc(enum ffs_os_desc_type type,
2947 struct usb_os_desc_header *h, void *data,
2948 unsigned len, void *priv)
2949 {
2950 struct ffs_function *func = priv;
2951 u8 length = 0;
2952
2953 switch (type) {
2954 case FFS_OS_DESC_EXT_COMPAT: {
2955 struct usb_ext_compat_desc *desc = data;
2956 struct usb_os_desc_table *t;
2957
2958 t = &func->function.os_desc_table[desc->bFirstInterfaceNumber];
2959 t->if_id = func->interfaces_nums[desc->bFirstInterfaceNumber];
2960 memcpy(t->os_desc->ext_compat_id, &desc->CompatibleID,
2961 ARRAY_SIZE(desc->CompatibleID) +
2962 ARRAY_SIZE(desc->SubCompatibleID));
2963 length = sizeof(*desc);
2964 }
2965 break;
2966 case FFS_OS_DESC_EXT_PROP: {
2967 struct usb_ext_prop_desc *desc = data;
2968 struct usb_os_desc_table *t;
2969 struct usb_os_desc_ext_prop *ext_prop;
2970 char *ext_prop_name;
2971 char *ext_prop_data;
2972
2973 t = &func->function.os_desc_table[h->interface];
2974 t->if_id = func->interfaces_nums[h->interface];
2975
2976 ext_prop = func->ffs->ms_os_descs_ext_prop_avail;
2977 func->ffs->ms_os_descs_ext_prop_avail += sizeof(*ext_prop);
2978
2979 ext_prop->type = le32_to_cpu(desc->dwPropertyDataType);
2980 ext_prop->name_len = le16_to_cpu(desc->wPropertyNameLength);
2981 ext_prop->data_len = le32_to_cpu(*(__le32 *)
2982 usb_ext_prop_data_len_ptr(data, ext_prop->name_len));
2983 length = ext_prop->name_len + ext_prop->data_len + 14;
2984
2985 ext_prop_name = func->ffs->ms_os_descs_ext_prop_name_avail;
2986 func->ffs->ms_os_descs_ext_prop_name_avail +=
2987 ext_prop->name_len;
2988
2989 ext_prop_data = func->ffs->ms_os_descs_ext_prop_data_avail;
2990 func->ffs->ms_os_descs_ext_prop_data_avail +=
2991 ext_prop->data_len;
2992 memcpy(ext_prop_data,
2993 usb_ext_prop_data_ptr(data, ext_prop->name_len),
2994 ext_prop->data_len);
2995 /* unicode data reported to the host as "WCHAR"s */
2996 switch (ext_prop->type) {
2997 case USB_EXT_PROP_UNICODE:
2998 case USB_EXT_PROP_UNICODE_ENV:
2999 case USB_EXT_PROP_UNICODE_LINK:
3000 case USB_EXT_PROP_UNICODE_MULTI:
3001 ext_prop->data_len *= 2;
3002 break;
3003 }
3004 ext_prop->data = ext_prop_data;
3005
3006 memcpy(ext_prop_name, usb_ext_prop_name_ptr(data),
3007 ext_prop->name_len);
3008 /* property name reported to the host as "WCHAR"s */
3009 ext_prop->name_len *= 2;
3010 ext_prop->name = ext_prop_name;
3011
3012 t->os_desc->ext_prop_len +=
3013 ext_prop->name_len + ext_prop->data_len + 14;
3014 ++t->os_desc->ext_prop_count;
3015 list_add_tail(&ext_prop->entry, &t->os_desc->ext_prop);
3016 }
3017 break;
3018 default:
3019 pr_vdebug("unknown descriptor: %d\n", type);
3020 }
3021
3022 return length;
3023 }
3024
3025 static inline struct f_fs_opts *ffs_do_functionfs_bind(struct usb_function *f,
3026 struct usb_configuration *c)
3027 {
3028 struct ffs_function *func = ffs_func_from_usb(f);
3029 struct f_fs_opts *ffs_opts =
3030 container_of(f->fi, struct f_fs_opts, func_inst);
3031 int ret;
3032
3033 ENTER();
3034
3035 /*
3036 * Legacy gadget triggers binding in functionfs_ready_callback,
3037 * which already uses locking; taking the same lock here would
3038 * cause a deadlock.
3039 *
3040 * Configfs-enabled gadgets however do need ffs_dev_lock.
3041 */
3042 if (!ffs_opts->no_configfs)
3043 ffs_dev_lock();
3044 ret = ffs_opts->dev->desc_ready ? 0 : -ENODEV;
3045 func->ffs = ffs_opts->dev->ffs_data;
3046 if (!ffs_opts->no_configfs)
3047 ffs_dev_unlock();
3048 if (ret)
3049 return ERR_PTR(ret);
3050
3051 func->conf = c;
3052 func->gadget = c->cdev->gadget;
3053
3054 /*
3055 * in drivers/usb/gadget/configfs.c:configfs_composite_bind()
3056 * configurations are bound in sequence with list_for_each_entry,
3057 * in each configuration its functions are bound in sequence
3058 * with list_for_each_entry, so we assume no race condition
3059 * with regard to ffs_opts->bound access
3060 */
3061 if (!ffs_opts->refcnt) {
3062 ret = functionfs_bind(func->ffs, c->cdev);
3063 if (ret)
3064 return ERR_PTR(ret);
3065 }
3066 ffs_opts->refcnt++;
3067 func->function.strings = func->ffs->stringtabs;
3068
3069 return ffs_opts;
3070 }
3071
3072 static int _ffs_func_bind(struct usb_configuration *c,
3073 struct usb_function *f)
3074 {
3075 struct ffs_function *func = ffs_func_from_usb(f);
3076 struct ffs_data *ffs = func->ffs;
3077
3078 const int full = !!func->ffs->fs_descs_count;
3079 const int high = !!func->ffs->hs_descs_count;
3080 const int super = !!func->ffs->ss_descs_count;
3081
3082 int fs_len, hs_len, ss_len, ret, i;
3083 struct ffs_ep *eps_ptr;
3084
3085 /* Make it a single chunk, less management later on */
3086 vla_group(d);
3087 vla_item_with_sz(d, struct ffs_ep, eps, ffs->eps_count);
3088 vla_item_with_sz(d, struct usb_descriptor_header *, fs_descs,
3089 full ? ffs->fs_descs_count + 1 : 0);
3090 vla_item_with_sz(d, struct usb_descriptor_header *, hs_descs,
3091 high ? ffs->hs_descs_count + 1 : 0);
3092 vla_item_with_sz(d, struct usb_descriptor_header *, ss_descs,
3093 super ? ffs->ss_descs_count + 1 : 0);
3094 vla_item_with_sz(d, short, inums, ffs->interfaces_count);
3095 vla_item_with_sz(d, struct usb_os_desc_table, os_desc_table,
3096 c->cdev->use_os_string ? ffs->interfaces_count : 0);
3097 vla_item_with_sz(d, char[16], ext_compat,
3098 c->cdev->use_os_string ? ffs->interfaces_count : 0);
3099 vla_item_with_sz(d, struct usb_os_desc, os_desc,
3100 c->cdev->use_os_string ? ffs->interfaces_count : 0);
3101 vla_item_with_sz(d, struct usb_os_desc_ext_prop, ext_prop,
3102 ffs->ms_os_descs_ext_prop_count);
3103 vla_item_with_sz(d, char, ext_prop_name,
3104 ffs->ms_os_descs_ext_prop_name_len);
3105 vla_item_with_sz(d, char, ext_prop_data,
3106 ffs->ms_os_descs_ext_prop_data_len);
3107 vla_item_with_sz(d, char, raw_descs, ffs->raw_descs_length);
3108 char *vlabuf;
3109
3110 ENTER();
3111
3112 /* Has descriptors only for speeds gadget does not support */
3113 if (unlikely(!(full | high | super)))
3114 return -ENOTSUPP;
3115
3116 /* Allocate a single chunk, less management later on */
3117 vlabuf = kzalloc(vla_group_size(d), GFP_KERNEL);
3118 if (unlikely(!vlabuf))
3119 return -ENOMEM;
3120
3121 ffs->ms_os_descs_ext_prop_avail = vla_ptr(vlabuf, d, ext_prop);
3122 ffs->ms_os_descs_ext_prop_name_avail =
3123 vla_ptr(vlabuf, d, ext_prop_name);
3124 ffs->ms_os_descs_ext_prop_data_avail =
3125 vla_ptr(vlabuf, d, ext_prop_data);
3126
3127 /* Copy descriptors */
3128 memcpy(vla_ptr(vlabuf, d, raw_descs), ffs->raw_descs,
3129 ffs->raw_descs_length);
3130
3131 memset(vla_ptr(vlabuf, d, inums), 0xff, d_inums__sz);
3132 eps_ptr = vla_ptr(vlabuf, d, eps);
3133 for (i = 0; i < ffs->eps_count; i++)
3134 eps_ptr[i].num = -1;
3135
3136 /* Save pointers
3137 * d_eps == vlabuf, func->eps used to kfree vlabuf later
3138 */
3139 func->eps = vla_ptr(vlabuf, d, eps);
3140 func->interfaces_nums = vla_ptr(vlabuf, d, inums);
3141
3142 /*
3143 * Go through all the endpoint descriptors and allocate
3144 * endpoints first, so that later we can rewrite the endpoint
3145 * numbers without worrying that it may be described later on.
3146 */
3147 if (likely(full)) {
3148 func->function.fs_descriptors = vla_ptr(vlabuf, d, fs_descs);
3149 fs_len = ffs_do_descs(ffs->fs_descs_count,
3150 vla_ptr(vlabuf, d, raw_descs),
3151 d_raw_descs__sz,
3152 __ffs_func_bind_do_descs, func);
3153 if (unlikely(fs_len < 0)) {
3154 ret = fs_len;
3155 goto error;
3156 }
3157 } else {
3158 fs_len = 0;
3159 }
3160
3161 if (likely(high)) {
3162 func->function.hs_descriptors = vla_ptr(vlabuf, d, hs_descs);
3163 hs_len = ffs_do_descs(ffs->hs_descs_count,
3164 vla_ptr(vlabuf, d, raw_descs) + fs_len,
3165 d_raw_descs__sz - fs_len,
3166 __ffs_func_bind_do_descs, func);
3167 if (unlikely(hs_len < 0)) {
3168 ret = hs_len;
3169 goto error;
3170 }
3171 } else {
3172 hs_len = 0;
3173 }
3174
3175 if (likely(super)) {
3176 func->function.ss_descriptors = vla_ptr(vlabuf, d, ss_descs);
3177 ss_len = ffs_do_descs(ffs->ss_descs_count,
3178 vla_ptr(vlabuf, d, raw_descs) + fs_len + hs_len,
3179 d_raw_descs__sz - fs_len - hs_len,
3180 __ffs_func_bind_do_descs, func);
3181 if (unlikely(ss_len < 0)) {
3182 ret = ss_len;
3183 goto error;
3184 }
3185 } else {
3186 ss_len = 0;
3187 }
3188
3189 /*
3190 * Now handle interface numbers allocation and interface and
3191 * endpoint numbers rewriting. We can do that in one go
3192 * now.
3193 */
3194 ret = ffs_do_descs(ffs->fs_descs_count +
3195 (high ? ffs->hs_descs_count : 0) +
3196 (super ? ffs->ss_descs_count : 0),
3197 vla_ptr(vlabuf, d, raw_descs), d_raw_descs__sz,
3198 __ffs_func_bind_do_nums, func);
3199 if (unlikely(ret < 0))
3200 goto error;
3201
3202 func->function.os_desc_table = vla_ptr(vlabuf, d, os_desc_table);
3203 if (c->cdev->use_os_string) {
3204 for (i = 0; i < ffs->interfaces_count; ++i) {
3205 struct usb_os_desc *desc;
3206
3207 desc = func->function.os_desc_table[i].os_desc =
3208 vla_ptr(vlabuf, d, os_desc) +
3209 i * sizeof(struct usb_os_desc);
3210 desc->ext_compat_id =
3211 vla_ptr(vlabuf, d, ext_compat) + i * 16;
3212 INIT_LIST_HEAD(&desc->ext_prop);
3213 }
3214 ret = ffs_do_os_descs(ffs->ms_os_descs_count,
3215 vla_ptr(vlabuf, d, raw_descs) +
3216 fs_len + hs_len + ss_len,
3217 d_raw_descs__sz - fs_len - hs_len -
3218 ss_len,
3219 __ffs_func_bind_do_os_desc, func);
3220 if (unlikely(ret < 0))
3221 goto error;
3222 }
3223 func->function.os_desc_n =
3224 c->cdev->use_os_string ? ffs->interfaces_count : 0;
3225
3226 /* And we're done */
3227 ffs_event_add(ffs, FUNCTIONFS_BIND);
3228 return 0;
3229
3230 error:
3231 /* XXX Do we need to release all claimed endpoints here? */
3232 return ret;
3233 }
3234
3235 static int ffs_func_bind(struct usb_configuration *c,
3236 struct usb_function *f)
3237 {
3238 struct f_fs_opts *ffs_opts = ffs_do_functionfs_bind(f, c);
3239 struct ffs_function *func = ffs_func_from_usb(f);
3240 int ret;
3241
3242 if (IS_ERR(ffs_opts))
3243 return PTR_ERR(ffs_opts);
3244
3245 ret = _ffs_func_bind(c, f);
3246 if (ret && !--ffs_opts->refcnt)
3247 functionfs_unbind(func->ffs);
3248
3249 return ret;
3250 }
3251
3252
3253 /* Other USB function hooks *************************************************/
3254
3255 static void ffs_reset_work(struct work_struct *work)
3256 {
3257 struct ffs_data *ffs = container_of(work,
3258 struct ffs_data, reset_work);
3259 ffs_data_reset(ffs);
3260 }
3261
3262 static int ffs_func_set_alt(struct usb_function *f,
3263 unsigned interface, unsigned alt)
3264 {
3265 struct ffs_function *func = ffs_func_from_usb(f);
3266 struct ffs_data *ffs = func->ffs;
3267 int ret = 0, intf;
3268
3269 if (alt != (unsigned)-1) {
3270 intf = ffs_func_revmap_intf(func, interface);
3271 if (unlikely(intf < 0))
3272 return intf;
3273 }
3274
3275 if (ffs->func)
3276 ffs_func_eps_disable(ffs->func);
3277
3278 if (ffs->state == FFS_DEACTIVATED) {
3279 ffs->state = FFS_CLOSING;
3280 INIT_WORK(&ffs->reset_work, ffs_reset_work);
3281 schedule_work(&ffs->reset_work);
3282 return -ENODEV;
3283 }
3284
3285 if (ffs->state != FFS_ACTIVE)
3286 return -ENODEV;
3287
3288 if (alt == (unsigned)-1) {
3289 ffs->func = NULL;
3290 ffs_event_add(ffs, FUNCTIONFS_DISABLE);
3291 return 0;
3292 }
3293
3294 ffs->func = func;
3295 ret = ffs_func_eps_enable(func);
3296 if (likely(ret >= 0))
3297 ffs_event_add(ffs, FUNCTIONFS_ENABLE);
3298 return ret;
3299 }
3300
3301 static void ffs_func_disable(struct usb_function *f)
3302 {
3303 ffs_func_set_alt(f, 0, (unsigned)-1);
3304 }
3305
3306 static int ffs_func_setup(struct usb_function *f,
3307 const struct usb_ctrlrequest *creq)
3308 {
3309 struct ffs_function *func = ffs_func_from_usb(f);
3310 struct ffs_data *ffs = func->ffs;
3311 unsigned long flags;
3312 int ret;
3313
3314 ENTER();
3315
3316 pr_vdebug("creq->bRequestType = %02x\n", creq->bRequestType);
3317 pr_vdebug("creq->bRequest = %02x\n", creq->bRequest);
3318 pr_vdebug("creq->wValue = %04x\n", le16_to_cpu(creq->wValue));
3319 pr_vdebug("creq->wIndex = %04x\n", le16_to_cpu(creq->wIndex));
3320 pr_vdebug("creq->wLength = %04x\n", le16_to_cpu(creq->wLength));
3321
3322 /*
3323 * Most requests directed to interface go through here
3324 * (notable exceptions are set/get interface) so we need to
3325 * handle them. All other either handled by composite or
3326 * passed to usb_configuration->setup() (if one is set). No
3327 * matter, we will handle requests directed to endpoint here
3328 * as well (as it's straightforward). Other request recipient
3329 * types are only handled when the user flag FUNCTIONFS_ALL_CTRL_RECIP
3330 * is being used.
3331 */
3332 if (ffs->state != FFS_ACTIVE)
3333 return -ENODEV;
3334
3335 switch (creq->bRequestType & USB_RECIP_MASK) {
3336 case USB_RECIP_INTERFACE:
3337 ret = ffs_func_revmap_intf(func, le16_to_cpu(creq->wIndex));
3338 if (unlikely(ret < 0))
3339 return ret;
3340 break;
3341
3342 case USB_RECIP_ENDPOINT:
3343 ret = ffs_func_revmap_ep(func, le16_to_cpu(creq->wIndex));
3344 if (unlikely(ret < 0))
3345 return ret;
3346 if (func->ffs->user_flags & FUNCTIONFS_VIRTUAL_ADDR)
3347 ret = func->ffs->eps_addrmap[ret];
3348 break;
3349
3350 default:
3351 if (func->ffs->user_flags & FUNCTIONFS_ALL_CTRL_RECIP)
3352 ret = le16_to_cpu(creq->wIndex);
3353 else
3354 return -EOPNOTSUPP;
3355 }
3356
3357 spin_lock_irqsave(&ffs->ev.waitq.lock, flags);
3358 ffs->ev.setup = *creq;
3359 ffs->ev.setup.wIndex = cpu_to_le16(ret);
3360 __ffs_event_add(ffs, FUNCTIONFS_SETUP);
3361 spin_unlock_irqrestore(&ffs->ev.waitq.lock, flags);
3362
3363 return creq->wLength == 0 ? USB_GADGET_DELAYED_STATUS : 0;
3364 }
3365
3366 static bool ffs_func_req_match(struct usb_function *f,
3367 const struct usb_ctrlrequest *creq,
3368 bool config0)
3369 {
3370 struct ffs_function *func = ffs_func_from_usb(f);
3371
3372 if (config0 && !(func->ffs->user_flags & FUNCTIONFS_CONFIG0_SETUP))
3373 return false;
3374
3375 switch (creq->bRequestType & USB_RECIP_MASK) {
3376 case USB_RECIP_INTERFACE:
3377 return (ffs_func_revmap_intf(func,
3378 le16_to_cpu(creq->wIndex)) >= 0);
3379 case USB_RECIP_ENDPOINT:
3380 return (ffs_func_revmap_ep(func,
3381 le16_to_cpu(creq->wIndex)) >= 0);
3382 default:
3383 return (bool) (func->ffs->user_flags &
3384 FUNCTIONFS_ALL_CTRL_RECIP);
3385 }
3386 }
3387
3388 static void ffs_func_suspend(struct usb_function *f)
3389 {
3390 ENTER();
3391 ffs_event_add(ffs_func_from_usb(f)->ffs, FUNCTIONFS_SUSPEND);
3392 }
3393
3394 static void ffs_func_resume(struct usb_function *f)
3395 {
3396 ENTER();
3397 ffs_event_add(ffs_func_from_usb(f)->ffs, FUNCTIONFS_RESUME);
3398 }
3399
3400
3401 /* Endpoint and interface numbers reverse mapping ***************************/
3402
3403 static int ffs_func_revmap_ep(struct ffs_function *func, u8 num)
3404 {
3405 num = func->eps_revmap[num & USB_ENDPOINT_NUMBER_MASK];
3406 return num ? num : -EDOM;
3407 }
3408
3409 static int ffs_func_revmap_intf(struct ffs_function *func, u8 intf)
3410 {
3411 short *nums = func->interfaces_nums;
3412 unsigned count = func->ffs->interfaces_count;
3413
3414 for (; count; --count, ++nums) {
3415 if (*nums >= 0 && *nums == intf)
3416 return nums - func->interfaces_nums;
3417 }
3418
3419 return -EDOM;
3420 }
3421
3422
3423 /* Devices management *******************************************************/
3424
3425 static LIST_HEAD(ffs_devices);
3426
3427 static struct ffs_dev *_ffs_do_find_dev(const char *name)
3428 {
3429 struct ffs_dev *dev;
3430
3431 if (!name)
3432 return NULL;
3433
3434 list_for_each_entry(dev, &ffs_devices, entry) {
3435 if (strcmp(dev->name, name) == 0)
3436 return dev;
3437 }
3438
3439 return NULL;
3440 }
3441
3442 /*
3443 * ffs_lock must be taken by the caller of this function
3444 */
3445 static struct ffs_dev *_ffs_get_single_dev(void)
3446 {
3447 struct ffs_dev *dev;
3448
3449 if (list_is_singular(&ffs_devices)) {
3450 dev = list_first_entry(&ffs_devices, struct ffs_dev, entry);
3451 if (dev->single)
3452 return dev;
3453 }
3454
3455 return NULL;
3456 }
3457
3458 /*
3459 * ffs_lock must be taken by the caller of this function
3460 */
3461 static struct ffs_dev *_ffs_find_dev(const char *name)
3462 {
3463 struct ffs_dev *dev;
3464
3465 dev = _ffs_get_single_dev();
3466 if (dev)
3467 return dev;
3468
3469 return _ffs_do_find_dev(name);
3470 }
3471
3472 /* Configfs support *********************************************************/
3473
3474 static inline struct f_fs_opts *to_ffs_opts(struct config_item *item)
3475 {
3476 return container_of(to_config_group(item), struct f_fs_opts,
3477 func_inst.group);
3478 }
3479
3480 static void ffs_attr_release(struct config_item *item)
3481 {
3482 struct f_fs_opts *opts = to_ffs_opts(item);
3483
3484 usb_put_function_instance(&opts->func_inst);
3485 }
3486
3487 static struct configfs_item_operations ffs_item_ops = {
3488 .release = ffs_attr_release,
3489 };
3490
3491 static const struct config_item_type ffs_func_type = {
3492 .ct_item_ops = &ffs_item_ops,
3493 .ct_owner = THIS_MODULE,
3494 };
3495
3496
3497 /* Function registration interface ******************************************/
3498
3499 static void ffs_free_inst(struct usb_function_instance *f)
3500 {
3501 struct f_fs_opts *opts;
3502
3503 opts = to_f_fs_opts(f);
3504 ffs_dev_lock();
3505 _ffs_free_dev(opts->dev);
3506 ffs_dev_unlock();
3507 kfree(opts);
3508 }
3509
3510 static int ffs_set_inst_name(struct usb_function_instance *fi, const char *name)
3511 {
3512 if (strlen(name) >= sizeof_field(struct ffs_dev, name))
3513 return -ENAMETOOLONG;
3514 return ffs_name_dev(to_f_fs_opts(fi)->dev, name);
3515 }
3516
3517 static struct usb_function_instance *ffs_alloc_inst(void)
3518 {
3519 struct f_fs_opts *opts;
3520 struct ffs_dev *dev;
3521
3522 opts = kzalloc(sizeof(*opts), GFP_KERNEL);
3523 if (!opts)
3524 return ERR_PTR(-ENOMEM);
3525
3526 opts->func_inst.set_inst_name = ffs_set_inst_name;
3527 opts->func_inst.free_func_inst = ffs_free_inst;
3528 ffs_dev_lock();
3529 dev = _ffs_alloc_dev();
3530 ffs_dev_unlock();
3531 if (IS_ERR(dev)) {
3532 kfree(opts);
3533 return ERR_CAST(dev);
3534 }
3535 opts->dev = dev;
3536 dev->opts = opts;
3537
3538 config_group_init_type_name(&opts->func_inst.group, "",
3539 &ffs_func_type);
3540 return &opts->func_inst;
3541 }
3542
3543 static void ffs_free(struct usb_function *f)
3544 {
3545 kfree(ffs_func_from_usb(f));
3546 }
3547
3548 static void ffs_func_unbind(struct usb_configuration *c,
3549 struct usb_function *f)
3550 {
3551 struct ffs_function *func = ffs_func_from_usb(f);
3552 struct ffs_data *ffs = func->ffs;
3553 struct f_fs_opts *opts =
3554 container_of(f->fi, struct f_fs_opts, func_inst);
3555 struct ffs_ep *ep = func->eps;
3556 unsigned count = ffs->eps_count;
3557 unsigned long flags;
3558
3559 ENTER();
3560 if (ffs->func == func) {
3561 ffs_func_eps_disable(func);
3562 ffs->func = NULL;
3563 }
3564
3565 if (!--opts->refcnt)
3566 functionfs_unbind(ffs);
3567
3568 /* cleanup after autoconfig */
3569 spin_lock_irqsave(&func->ffs->eps_lock, flags);
3570 while (count--) {
3571 if (ep->ep && ep->req)
3572 usb_ep_free_request(ep->ep, ep->req);
3573 ep->req = NULL;
3574 ++ep;
3575 }
3576 spin_unlock_irqrestore(&func->ffs->eps_lock, flags);
3577 kfree(func->eps);
3578 func->eps = NULL;
3579 /*
3580 * eps, descriptors and interfaces_nums are allocated in the
3581 * same chunk so only one free is required.
3582 */
3583 func->function.fs_descriptors = NULL;
3584 func->function.hs_descriptors = NULL;
3585 func->function.ss_descriptors = NULL;
3586 func->interfaces_nums = NULL;
3587
3588 ffs_event_add(ffs, FUNCTIONFS_UNBIND);
3589 }
3590
3591 static struct usb_function *ffs_alloc(struct usb_function_instance *fi)
3592 {
3593 struct ffs_function *func;
3594
3595 ENTER();
3596
3597 func = kzalloc(sizeof(*func), GFP_KERNEL);
3598 if (unlikely(!func))
3599 return ERR_PTR(-ENOMEM);
3600
3601 func->function.name = "Function FS Gadget";
3602
3603 func->function.bind = ffs_func_bind;
3604 func->function.unbind = ffs_func_unbind;
3605 func->function.set_alt = ffs_func_set_alt;
3606 func->function.disable = ffs_func_disable;
3607 func->function.setup = ffs_func_setup;
3608 func->function.req_match = ffs_func_req_match;
3609 func->function.suspend = ffs_func_suspend;
3610 func->function.resume = ffs_func_resume;
3611 func->function.free_func = ffs_free;
3612
3613 return &func->function;
3614 }
3615
3616 /*
3617 * ffs_lock must be taken by the caller of this function
3618 */
3619 static struct ffs_dev *_ffs_alloc_dev(void)
3620 {
3621 struct ffs_dev *dev;
3622 int ret;
3623
3624 if (_ffs_get_single_dev())
3625 return ERR_PTR(-EBUSY);
3626
3627 dev = kzalloc(sizeof(*dev), GFP_KERNEL);
3628 if (!dev)
3629 return ERR_PTR(-ENOMEM);
3630
3631 if (list_empty(&ffs_devices)) {
3632 ret = functionfs_init();
3633 if (ret) {
3634 kfree(dev);
3635 return ERR_PTR(ret);
3636 }
3637 }
3638
3639 list_add(&dev->entry, &ffs_devices);
3640
3641 return dev;
3642 }
3643
3644 int ffs_name_dev(struct ffs_dev *dev, const char *name)
3645 {
3646 struct ffs_dev *existing;
3647 int ret = 0;
3648
3649 ffs_dev_lock();
3650
3651 existing = _ffs_do_find_dev(name);
3652 if (!existing)
3653 strlcpy(dev->name, name, ARRAY_SIZE(dev->name));
3654 else if (existing != dev)
3655 ret = -EBUSY;
3656
3657 ffs_dev_unlock();
3658
3659 return ret;
3660 }
3661 EXPORT_SYMBOL_GPL(ffs_name_dev);
3662
3663 int ffs_single_dev(struct ffs_dev *dev)
3664 {
3665 int ret;
3666
3667 ret = 0;
3668 ffs_dev_lock();
3669
3670 if (!list_is_singular(&ffs_devices))
3671 ret = -EBUSY;
3672 else
3673 dev->single = true;
3674
3675 ffs_dev_unlock();
3676 return ret;
3677 }
3678 EXPORT_SYMBOL_GPL(ffs_single_dev);
3679
3680 /*
3681 * ffs_lock must be taken by the caller of this function
3682 */
3683 static void _ffs_free_dev(struct ffs_dev *dev)
3684 {
3685 list_del(&dev->entry);
3686
3687 /* Clear the private_data pointer to stop incorrect dev access */
3688 if (dev->ffs_data)
3689 dev->ffs_data->private_data = NULL;
3690
3691 kfree(dev);
3692 if (list_empty(&ffs_devices))
3693 functionfs_cleanup();
3694 }
3695
3696 static void *ffs_acquire_dev(const char *dev_name)
3697 {
3698 struct ffs_dev *ffs_dev;
3699
3700 ENTER();
3701 ffs_dev_lock();
3702
3703 ffs_dev = _ffs_find_dev(dev_name);
3704 if (!ffs_dev)
3705 ffs_dev = ERR_PTR(-ENOENT);
3706 else if (ffs_dev->mounted)
3707 ffs_dev = ERR_PTR(-EBUSY);
3708 else if (ffs_dev->ffs_acquire_dev_callback &&
3709 ffs_dev->ffs_acquire_dev_callback(ffs_dev))
3710 ffs_dev = ERR_PTR(-ENOENT);
3711 else
3712 ffs_dev->mounted = true;
3713
3714 ffs_dev_unlock();
3715 return ffs_dev;
3716 }
3717
3718 static void ffs_release_dev(struct ffs_data *ffs_data)
3719 {
3720 struct ffs_dev *ffs_dev;
3721
3722 ENTER();
3723 ffs_dev_lock();
3724
3725 ffs_dev = ffs_data->private_data;
3726 if (ffs_dev) {
3727 ffs_dev->mounted = false;
3728
3729 if (ffs_dev->ffs_release_dev_callback)
3730 ffs_dev->ffs_release_dev_callback(ffs_dev);
3731 }
3732
3733 ffs_dev_unlock();
3734 }
3735
3736 static int ffs_ready(struct ffs_data *ffs)
3737 {
3738 struct ffs_dev *ffs_obj;
3739 int ret = 0;
3740
3741 ENTER();
3742 ffs_dev_lock();
3743
3744 ffs_obj = ffs->private_data;
3745 if (!ffs_obj) {
3746 ret = -EINVAL;
3747 goto done;
3748 }
3749 if (WARN_ON(ffs_obj->desc_ready)) {
3750 ret = -EBUSY;
3751 goto done;
3752 }
3753
3754 ffs_obj->desc_ready = true;
3755 ffs_obj->ffs_data = ffs;
3756
3757 if (ffs_obj->ffs_ready_callback) {
3758 ret = ffs_obj->ffs_ready_callback(ffs);
3759 if (ret)
3760 goto done;
3761 }
3762
3763 set_bit(FFS_FL_CALL_CLOSED_CALLBACK, &ffs->flags);
3764 done:
3765 ffs_dev_unlock();
3766 return ret;
3767 }
3768
3769 static void ffs_closed(struct ffs_data *ffs)
3770 {
3771 struct ffs_dev *ffs_obj;
3772 struct f_fs_opts *opts;
3773 struct config_item *ci;
3774
3775 ENTER();
3776 ffs_dev_lock();
3777
3778 ffs_obj = ffs->private_data;
3779 if (!ffs_obj)
3780 goto done;
3781
3782 ffs_obj->desc_ready = false;
3783 ffs_obj->ffs_data = NULL;
3784
3785 if (test_and_clear_bit(FFS_FL_CALL_CLOSED_CALLBACK, &ffs->flags) &&
3786 ffs_obj->ffs_closed_callback)
3787 ffs_obj->ffs_closed_callback(ffs);
3788
3789 if (ffs_obj->opts)
3790 opts = ffs_obj->opts;
3791 else
3792 goto done;
3793
3794 if (opts->no_configfs || !opts->func_inst.group.cg_item.ci_parent
3795 || !kref_read(&opts->func_inst.group.cg_item.ci_kref))
3796 goto done;
3797
3798 ci = opts->func_inst.group.cg_item.ci_parent->ci_parent;
3799 ffs_dev_unlock();
3800
3801 if (test_bit(FFS_FL_BOUND, &ffs->flags))
3802 unregister_gadget_item(ci);
3803 return;
3804 done:
3805 ffs_dev_unlock();
3806 }
3807
3808 /* Misc helper functions ****************************************************/
3809
3810 static int ffs_mutex_lock(struct mutex *mutex, unsigned nonblock)
3811 {
3812 return nonblock
3813 ? likely(mutex_trylock(mutex)) ? 0 : -EAGAIN
3814 : mutex_lock_interruptible(mutex);
3815 }
3816
3817 static char *ffs_prepare_buffer(const char __user *buf, size_t len)
3818 {
3819 char *data;
3820
3821 if (unlikely(!len))
3822 return NULL;
3823
3824 data = kmalloc(len, GFP_KERNEL);
3825 if (unlikely(!data))
3826 return ERR_PTR(-ENOMEM);
3827
3828 if (unlikely(copy_from_user(data, buf, len))) {
3829 kfree(data);
3830 return ERR_PTR(-EFAULT);
3831 }
3832
3833 pr_vdebug("Buffer from user space:\n");
3834 ffs_dump_mem("", data, len);
3835
3836 return data;
3837 }
3838
3839 DECLARE_USB_FUNCTION_INIT(ffs, ffs_alloc_inst, ffs_alloc);
3840 MODULE_LICENSE("GPL");
3841 MODULE_AUTHOR("Michal Nazarewicz");
Linux with added FPC-III support