Avoid beyond bounds copy while caching ACL
[zen-stable.git] / drivers / usb / gadget / f_hid.c
blobb2113420b8066c54bbe57be16a596ecdf13568a9
1 /*
2 * f_hid.c -- USB HID function driver
4 * Copyright (C) 2010 Fabien Chouteau <fabien.chouteau@barco.com>
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
12 #include <linux/kernel.h>
13 #include <linux/utsname.h>
14 #include <linux/module.h>
15 #include <linux/hid.h>
16 #include <linux/cdev.h>
17 #include <linux/mutex.h>
18 #include <linux/poll.h>
19 #include <linux/uaccess.h>
20 #include <linux/wait.h>
21 #include <linux/usb/g_hid.h>
23 static int major, minors;
24 static struct class *hidg_class;
26 /*-------------------------------------------------------------------------*/
27 /* HID gadget struct */
29 struct f_hidg {
30 /* configuration */
31 unsigned char bInterfaceSubClass;
32 unsigned char bInterfaceProtocol;
33 unsigned short report_desc_length;
34 char *report_desc;
35 unsigned short report_length;
37 /* recv report */
38 char *set_report_buff;
39 unsigned short set_report_length;
40 spinlock_t spinlock;
41 wait_queue_head_t read_queue;
43 /* send report */
44 struct mutex lock;
45 bool write_pending;
46 wait_queue_head_t write_queue;
47 struct usb_request *req;
49 int minor;
50 struct cdev cdev;
51 struct usb_function func;
52 struct usb_ep *in_ep;
55 static inline struct f_hidg *func_to_hidg(struct usb_function *f)
57 return container_of(f, struct f_hidg, func);
60 /*-------------------------------------------------------------------------*/
61 /* Static descriptors */
63 static struct usb_interface_descriptor hidg_interface_desc = {
64 .bLength = sizeof hidg_interface_desc,
65 .bDescriptorType = USB_DT_INTERFACE,
66 /* .bInterfaceNumber = DYNAMIC */
67 .bAlternateSetting = 0,
68 .bNumEndpoints = 1,
69 .bInterfaceClass = USB_CLASS_HID,
70 /* .bInterfaceSubClass = DYNAMIC */
71 /* .bInterfaceProtocol = DYNAMIC */
72 /* .iInterface = DYNAMIC */
75 static struct hid_descriptor hidg_desc = {
76 .bLength = sizeof hidg_desc,
77 .bDescriptorType = HID_DT_HID,
78 .bcdHID = 0x0101,
79 .bCountryCode = 0x00,
80 .bNumDescriptors = 0x1,
81 /*.desc[0].bDescriptorType = DYNAMIC */
82 /*.desc[0].wDescriptorLenght = DYNAMIC */
85 /* High-Speed Support */
87 static struct usb_endpoint_descriptor hidg_hs_in_ep_desc = {
88 .bLength = USB_DT_ENDPOINT_SIZE,
89 .bDescriptorType = USB_DT_ENDPOINT,
90 .bEndpointAddress = USB_DIR_IN,
91 .bmAttributes = USB_ENDPOINT_XFER_INT,
92 /*.wMaxPacketSize = DYNAMIC */
93 .bInterval = 4, /* FIXME: Add this field in the
94 * HID gadget configuration?
95 * (struct hidg_func_descriptor)
99 static struct usb_descriptor_header *hidg_hs_descriptors[] = {
100 (struct usb_descriptor_header *)&hidg_interface_desc,
101 (struct usb_descriptor_header *)&hidg_desc,
102 (struct usb_descriptor_header *)&hidg_hs_in_ep_desc,
103 NULL,
106 /* Full-Speed Support */
108 static struct usb_endpoint_descriptor hidg_fs_in_ep_desc = {
109 .bLength = USB_DT_ENDPOINT_SIZE,
110 .bDescriptorType = USB_DT_ENDPOINT,
111 .bEndpointAddress = USB_DIR_IN,
112 .bmAttributes = USB_ENDPOINT_XFER_INT,
113 /*.wMaxPacketSize = DYNAMIC */
114 .bInterval = 10, /* FIXME: Add this field in the
115 * HID gadget configuration?
116 * (struct hidg_func_descriptor)
120 static struct usb_descriptor_header *hidg_fs_descriptors[] = {
121 (struct usb_descriptor_header *)&hidg_interface_desc,
122 (struct usb_descriptor_header *)&hidg_desc,
123 (struct usb_descriptor_header *)&hidg_fs_in_ep_desc,
124 NULL,
127 /*-------------------------------------------------------------------------*/
128 /* Char Device */
130 static ssize_t f_hidg_read(struct file *file, char __user *buffer,
131 size_t count, loff_t *ptr)
133 struct f_hidg *hidg = file->private_data;
134 char *tmp_buff = NULL;
135 unsigned long flags;
137 if (!count)
138 return 0;
140 if (!access_ok(VERIFY_WRITE, buffer, count))
141 return -EFAULT;
143 spin_lock_irqsave(&hidg->spinlock, flags);
145 #define READ_COND (hidg->set_report_buff != NULL)
147 while (!READ_COND) {
148 spin_unlock_irqrestore(&hidg->spinlock, flags);
149 if (file->f_flags & O_NONBLOCK)
150 return -EAGAIN;
152 if (wait_event_interruptible(hidg->read_queue, READ_COND))
153 return -ERESTARTSYS;
155 spin_lock_irqsave(&hidg->spinlock, flags);
159 count = min_t(unsigned, count, hidg->set_report_length);
160 tmp_buff = hidg->set_report_buff;
161 hidg->set_report_buff = NULL;
163 spin_unlock_irqrestore(&hidg->spinlock, flags);
165 if (tmp_buff != NULL) {
166 /* copy to user outside spinlock */
167 count -= copy_to_user(buffer, tmp_buff, count);
168 kfree(tmp_buff);
169 } else
170 count = -ENOMEM;
172 return count;
175 static void f_hidg_req_complete(struct usb_ep *ep, struct usb_request *req)
177 struct f_hidg *hidg = (struct f_hidg *)ep->driver_data;
179 if (req->status != 0) {
180 ERROR(hidg->func.config->cdev,
181 "End Point Request ERROR: %d\n", req->status);
184 hidg->write_pending = 0;
185 wake_up(&hidg->write_queue);
188 static ssize_t f_hidg_write(struct file *file, const char __user *buffer,
189 size_t count, loff_t *offp)
191 struct f_hidg *hidg = file->private_data;
192 ssize_t status = -ENOMEM;
194 if (!access_ok(VERIFY_READ, buffer, count))
195 return -EFAULT;
197 mutex_lock(&hidg->lock);
199 #define WRITE_COND (!hidg->write_pending)
201 /* write queue */
202 while (!WRITE_COND) {
203 mutex_unlock(&hidg->lock);
204 if (file->f_flags & O_NONBLOCK)
205 return -EAGAIN;
207 if (wait_event_interruptible_exclusive(
208 hidg->write_queue, WRITE_COND))
209 return -ERESTARTSYS;
211 mutex_lock(&hidg->lock);
214 count = min_t(unsigned, count, hidg->report_length);
215 status = copy_from_user(hidg->req->buf, buffer, count);
217 if (status != 0) {
218 ERROR(hidg->func.config->cdev,
219 "copy_from_user error\n");
220 mutex_unlock(&hidg->lock);
221 return -EINVAL;
224 hidg->req->status = 0;
225 hidg->req->zero = 0;
226 hidg->req->length = count;
227 hidg->req->complete = f_hidg_req_complete;
228 hidg->req->context = hidg;
229 hidg->write_pending = 1;
231 status = usb_ep_queue(hidg->in_ep, hidg->req, GFP_ATOMIC);
232 if (status < 0) {
233 ERROR(hidg->func.config->cdev,
234 "usb_ep_queue error on int endpoint %zd\n", status);
235 hidg->write_pending = 0;
236 wake_up(&hidg->write_queue);
237 } else {
238 status = count;
241 mutex_unlock(&hidg->lock);
243 return status;
246 static unsigned int f_hidg_poll(struct file *file, poll_table *wait)
248 struct f_hidg *hidg = file->private_data;
249 unsigned int ret = 0;
251 poll_wait(file, &hidg->read_queue, wait);
252 poll_wait(file, &hidg->write_queue, wait);
254 if (WRITE_COND)
255 ret |= POLLOUT | POLLWRNORM;
257 if (READ_COND)
258 ret |= POLLIN | POLLRDNORM;
260 return ret;
263 #undef WRITE_COND
264 #undef READ_COND
266 static int f_hidg_release(struct inode *inode, struct file *fd)
268 fd->private_data = NULL;
269 return 0;
272 static int f_hidg_open(struct inode *inode, struct file *fd)
274 struct f_hidg *hidg =
275 container_of(inode->i_cdev, struct f_hidg, cdev);
277 fd->private_data = hidg;
279 return 0;
282 /*-------------------------------------------------------------------------*/
283 /* usb_function */
285 static void hidg_set_report_complete(struct usb_ep *ep, struct usb_request *req)
287 struct f_hidg *hidg = (struct f_hidg *)req->context;
289 if (req->status != 0 || req->buf == NULL || req->actual == 0) {
290 ERROR(hidg->func.config->cdev, "%s FAILED\n", __func__);
291 return;
294 spin_lock(&hidg->spinlock);
296 hidg->set_report_buff = krealloc(hidg->set_report_buff,
297 req->actual, GFP_ATOMIC);
299 if (hidg->set_report_buff == NULL) {
300 spin_unlock(&hidg->spinlock);
301 return;
303 hidg->set_report_length = req->actual;
304 memcpy(hidg->set_report_buff, req->buf, req->actual);
306 spin_unlock(&hidg->spinlock);
308 wake_up(&hidg->read_queue);
311 static int hidg_setup(struct usb_function *f,
312 const struct usb_ctrlrequest *ctrl)
314 struct f_hidg *hidg = func_to_hidg(f);
315 struct usb_composite_dev *cdev = f->config->cdev;
316 struct usb_request *req = cdev->req;
317 int status = 0;
318 __u16 value, length;
320 value = __le16_to_cpu(ctrl->wValue);
321 length = __le16_to_cpu(ctrl->wLength);
323 VDBG(cdev, "hid_setup crtl_request : bRequestType:0x%x bRequest:0x%x "
324 "Value:0x%x\n", ctrl->bRequestType, ctrl->bRequest, value);
326 switch ((ctrl->bRequestType << 8) | ctrl->bRequest) {
327 case ((USB_DIR_IN | USB_TYPE_CLASS | USB_RECIP_INTERFACE) << 8
328 | HID_REQ_GET_REPORT):
329 VDBG(cdev, "get_report\n");
331 /* send an empty report */
332 length = min_t(unsigned, length, hidg->report_length);
333 memset(req->buf, 0x0, length);
335 goto respond;
336 break;
338 case ((USB_DIR_IN | USB_TYPE_CLASS | USB_RECIP_INTERFACE) << 8
339 | HID_REQ_GET_PROTOCOL):
340 VDBG(cdev, "get_protocol\n");
341 goto stall;
342 break;
344 case ((USB_DIR_OUT | USB_TYPE_CLASS | USB_RECIP_INTERFACE) << 8
345 | HID_REQ_SET_REPORT):
346 VDBG(cdev, "set_report | wLenght=%d\n", ctrl->wLength);
347 req->context = hidg;
348 req->complete = hidg_set_report_complete;
349 goto respond;
350 break;
352 case ((USB_DIR_OUT | USB_TYPE_CLASS | USB_RECIP_INTERFACE) << 8
353 | HID_REQ_SET_PROTOCOL):
354 VDBG(cdev, "set_protocol\n");
355 goto stall;
356 break;
358 case ((USB_DIR_IN | USB_TYPE_STANDARD | USB_RECIP_INTERFACE) << 8
359 | USB_REQ_GET_DESCRIPTOR):
360 switch (value >> 8) {
361 case HID_DT_HID:
362 VDBG(cdev, "USB_REQ_GET_DESCRIPTOR: HID\n");
363 length = min_t(unsigned short, length,
364 hidg_desc.bLength);
365 memcpy(req->buf, &hidg_desc, length);
366 goto respond;
367 break;
368 case HID_DT_REPORT:
369 VDBG(cdev, "USB_REQ_GET_DESCRIPTOR: REPORT\n");
370 length = min_t(unsigned short, length,
371 hidg->report_desc_length);
372 memcpy(req->buf, hidg->report_desc, length);
373 goto respond;
374 break;
376 default:
377 VDBG(cdev, "Unknown decriptor request 0x%x\n",
378 value >> 8);
379 goto stall;
380 break;
382 break;
384 default:
385 VDBG(cdev, "Unknown request 0x%x\n",
386 ctrl->bRequest);
387 goto stall;
388 break;
391 stall:
392 return -EOPNOTSUPP;
394 respond:
395 req->zero = 0;
396 req->length = length;
397 status = usb_ep_queue(cdev->gadget->ep0, req, GFP_ATOMIC);
398 if (status < 0)
399 ERROR(cdev, "usb_ep_queue error on ep0 %d\n", value);
400 return status;
403 static void hidg_disable(struct usb_function *f)
405 struct f_hidg *hidg = func_to_hidg(f);
407 usb_ep_disable(hidg->in_ep);
408 hidg->in_ep->driver_data = NULL;
411 static int hidg_set_alt(struct usb_function *f, unsigned intf, unsigned alt)
413 struct usb_composite_dev *cdev = f->config->cdev;
414 struct f_hidg *hidg = func_to_hidg(f);
415 int status = 0;
417 VDBG(cdev, "hidg_set_alt intf:%d alt:%d\n", intf, alt);
419 if (hidg->in_ep != NULL) {
420 /* restart endpoint */
421 if (hidg->in_ep->driver_data != NULL)
422 usb_ep_disable(hidg->in_ep);
424 status = config_ep_by_speed(f->config->cdev->gadget, f,
425 hidg->in_ep);
426 if (status) {
427 ERROR(cdev, "config_ep_by_speed FAILED!\n");
428 goto fail;
430 status = usb_ep_enable(hidg->in_ep);
431 if (status < 0) {
432 ERROR(cdev, "Enable endpoint FAILED!\n");
433 goto fail;
435 hidg->in_ep->driver_data = hidg;
437 fail:
438 return status;
441 const struct file_operations f_hidg_fops = {
442 .owner = THIS_MODULE,
443 .open = f_hidg_open,
444 .release = f_hidg_release,
445 .write = f_hidg_write,
446 .read = f_hidg_read,
447 .poll = f_hidg_poll,
448 .llseek = noop_llseek,
451 static int __init hidg_bind(struct usb_configuration *c, struct usb_function *f)
453 struct usb_ep *ep;
454 struct f_hidg *hidg = func_to_hidg(f);
455 int status;
456 dev_t dev;
458 /* allocate instance-specific interface IDs, and patch descriptors */
459 status = usb_interface_id(c, f);
460 if (status < 0)
461 goto fail;
462 hidg_interface_desc.bInterfaceNumber = status;
465 /* allocate instance-specific endpoints */
466 status = -ENODEV;
467 ep = usb_ep_autoconfig(c->cdev->gadget, &hidg_fs_in_ep_desc);
468 if (!ep)
469 goto fail;
470 ep->driver_data = c->cdev; /* claim */
471 hidg->in_ep = ep;
473 /* preallocate request and buffer */
474 status = -ENOMEM;
475 hidg->req = usb_ep_alloc_request(hidg->in_ep, GFP_KERNEL);
476 if (!hidg->req)
477 goto fail;
480 hidg->req->buf = kmalloc(hidg->report_length, GFP_KERNEL);
481 if (!hidg->req->buf)
482 goto fail;
484 /* set descriptor dynamic values */
485 hidg_interface_desc.bInterfaceSubClass = hidg->bInterfaceSubClass;
486 hidg_interface_desc.bInterfaceProtocol = hidg->bInterfaceProtocol;
487 hidg_hs_in_ep_desc.wMaxPacketSize = cpu_to_le16(hidg->report_length);
488 hidg_fs_in_ep_desc.wMaxPacketSize = cpu_to_le16(hidg->report_length);
489 hidg_desc.desc[0].bDescriptorType = HID_DT_REPORT;
490 hidg_desc.desc[0].wDescriptorLength =
491 cpu_to_le16(hidg->report_desc_length);
493 hidg->set_report_buff = NULL;
495 /* copy descriptors */
496 f->descriptors = usb_copy_descriptors(hidg_fs_descriptors);
497 if (!f->descriptors)
498 goto fail;
500 if (gadget_is_dualspeed(c->cdev->gadget)) {
501 hidg_hs_in_ep_desc.bEndpointAddress =
502 hidg_fs_in_ep_desc.bEndpointAddress;
503 f->hs_descriptors = usb_copy_descriptors(hidg_hs_descriptors);
504 if (!f->hs_descriptors)
505 goto fail;
508 mutex_init(&hidg->lock);
509 spin_lock_init(&hidg->spinlock);
510 init_waitqueue_head(&hidg->write_queue);
511 init_waitqueue_head(&hidg->read_queue);
513 /* create char device */
514 cdev_init(&hidg->cdev, &f_hidg_fops);
515 dev = MKDEV(major, hidg->minor);
516 status = cdev_add(&hidg->cdev, dev, 1);
517 if (status)
518 goto fail;
520 device_create(hidg_class, NULL, dev, NULL, "%s%d", "hidg", hidg->minor);
522 return 0;
524 fail:
525 ERROR(f->config->cdev, "hidg_bind FAILED\n");
526 if (hidg->req != NULL) {
527 kfree(hidg->req->buf);
528 if (hidg->in_ep != NULL)
529 usb_ep_free_request(hidg->in_ep, hidg->req);
532 usb_free_descriptors(f->hs_descriptors);
533 usb_free_descriptors(f->descriptors);
535 return status;
538 static void hidg_unbind(struct usb_configuration *c, struct usb_function *f)
540 struct f_hidg *hidg = func_to_hidg(f);
542 device_destroy(hidg_class, MKDEV(major, hidg->minor));
543 cdev_del(&hidg->cdev);
545 /* disable/free request and end point */
546 usb_ep_disable(hidg->in_ep);
547 usb_ep_dequeue(hidg->in_ep, hidg->req);
548 kfree(hidg->req->buf);
549 usb_ep_free_request(hidg->in_ep, hidg->req);
551 /* free descriptors copies */
552 usb_free_descriptors(f->hs_descriptors);
553 usb_free_descriptors(f->descriptors);
555 kfree(hidg->report_desc);
556 kfree(hidg->set_report_buff);
557 kfree(hidg);
560 /*-------------------------------------------------------------------------*/
561 /* Strings */
563 #define CT_FUNC_HID_IDX 0
565 static struct usb_string ct_func_string_defs[] = {
566 [CT_FUNC_HID_IDX].s = "HID Interface",
567 {}, /* end of list */
570 static struct usb_gadget_strings ct_func_string_table = {
571 .language = 0x0409, /* en-US */
572 .strings = ct_func_string_defs,
575 static struct usb_gadget_strings *ct_func_strings[] = {
576 &ct_func_string_table,
577 NULL,
580 /*-------------------------------------------------------------------------*/
581 /* usb_configuration */
583 int __init hidg_bind_config(struct usb_configuration *c,
584 struct hidg_func_descriptor *fdesc, int index)
586 struct f_hidg *hidg;
587 int status;
589 if (index >= minors)
590 return -ENOENT;
592 /* maybe allocate device-global string IDs, and patch descriptors */
593 if (ct_func_string_defs[CT_FUNC_HID_IDX].id == 0) {
594 status = usb_string_id(c->cdev);
595 if (status < 0)
596 return status;
597 ct_func_string_defs[CT_FUNC_HID_IDX].id = status;
598 hidg_interface_desc.iInterface = status;
601 /* allocate and initialize one new instance */
602 hidg = kzalloc(sizeof *hidg, GFP_KERNEL);
603 if (!hidg)
604 return -ENOMEM;
606 hidg->minor = index;
607 hidg->bInterfaceSubClass = fdesc->subclass;
608 hidg->bInterfaceProtocol = fdesc->protocol;
609 hidg->report_length = fdesc->report_length;
610 hidg->report_desc_length = fdesc->report_desc_length;
611 hidg->report_desc = kmemdup(fdesc->report_desc,
612 fdesc->report_desc_length,
613 GFP_KERNEL);
614 if (!hidg->report_desc) {
615 kfree(hidg);
616 return -ENOMEM;
619 hidg->func.name = "hid";
620 hidg->func.strings = ct_func_strings;
621 hidg->func.bind = hidg_bind;
622 hidg->func.unbind = hidg_unbind;
623 hidg->func.set_alt = hidg_set_alt;
624 hidg->func.disable = hidg_disable;
625 hidg->func.setup = hidg_setup;
627 status = usb_add_function(c, &hidg->func);
628 if (status)
629 kfree(hidg);
631 return status;
634 int __init ghid_setup(struct usb_gadget *g, int count)
636 int status;
637 dev_t dev;
639 hidg_class = class_create(THIS_MODULE, "hidg");
641 status = alloc_chrdev_region(&dev, 0, count, "hidg");
642 if (!status) {
643 major = MAJOR(dev);
644 minors = count;
647 return status;
650 void ghid_cleanup(void)
652 if (major) {
653 unregister_chrdev_region(MKDEV(major, 0), minors);
654 major = minors = 0;
657 class_destroy(hidg_class);
658 hidg_class = NULL;