1// SPDX-License-Identifier: GPL-2.0+
2/*
3 * f_fs.c -- user mode file system API for USB composite function controllers
4 *
5 * Copyright (C) 2010 Samsung Electronics
6 * Author: Michal Nazarewicz <mina86@mina86.com>
7 *
8 * Based on inode.c (GadgetFS) which was:
9 * Copyright (C) 2003-2004 David Brownell
10 * Copyright (C) 2003 Agilent Technologies
11 */
12
13
14/* #define DEBUG */
15/* #define VERBOSE_DEBUG */
16
17#include <linux/blkdev.h>
18#include <linux/pagemap.h>
19#include <linux/export.h>
20#include <linux/fs_parser.h>
21#include <linux/hid.h>
22#include <linux/mm.h>
23#include <linux/module.h>
24#include <linux/scatterlist.h>
25#include <linux/sched/signal.h>
26#include <linux/uio.h>
27#include <linux/vmalloc.h>
28#include <asm/unaligned.h>
29
30#include <linux/usb/ccid.h>
31#include <linux/usb/composite.h>
32#include <linux/usb/functionfs.h>
33
34#include <linux/aio.h>
35#include <linux/kthread.h>
36#include <linux/poll.h>
37#include <linux/eventfd.h>
38
39#include "u_fs.h"
40#include "u_f.h"
41#include "u_os_desc.h"
42#include "configfs.h"
43
44#define FUNCTIONFS_MAGIC 0xa647361 /* Chosen by a honest dice roll ;) */
45
46/* Reference counter handling */
47static void ffs_data_get(struct ffs_data *ffs);
48static void ffs_data_put(struct ffs_data *ffs);
49/* Creates new ffs_data object. */
50static struct ffs_data *__must_check ffs_data_new(const char *dev_name)
51 __attribute__((malloc));
52
53/* Opened counter handling. */
54static void ffs_data_opened(struct ffs_data *ffs);
55static void ffs_data_closed(struct ffs_data *ffs);
56
57/* Called with ffs->mutex held; take over ownership of data. */
58static int __must_check
59__ffs_data_got_descs(struct ffs_data *ffs, char *data, size_t len);
60static int __must_check
61__ffs_data_got_strings(struct ffs_data *ffs, char *data, size_t len);
62
63
64/* The function structure ***************************************************/
65
66struct ffs_ep;
67
68struct ffs_function {
69 struct usb_configuration *conf;
70 struct usb_gadget *gadget;
71 struct ffs_data *ffs;
72
73 struct ffs_ep *eps;
74 u8 eps_revmap[16];
75 short *interfaces_nums;
76
77 struct usb_function function;
78};
79
80
81static struct ffs_function *ffs_func_from_usb(struct usb_function *f)
82{
83 return container_of(f, struct ffs_function, function);
84}
85
86
87static inline enum ffs_setup_state
88ffs_setup_state_clear_cancelled(struct ffs_data *ffs)
89{
90 return (enum ffs_setup_state)
91 cmpxchg(&ffs->setup_state, FFS_SETUP_CANCELLED, FFS_NO_SETUP);
92}
93
94
95static void ffs_func_eps_disable(struct ffs_function *func);
96static int __must_check ffs_func_eps_enable(struct ffs_function *func);
97
98static int ffs_func_bind(struct usb_configuration *,
99 struct usb_function *);
100static int ffs_func_set_alt(struct usb_function *, unsigned, unsigned);
101static void ffs_func_disable(struct usb_function *);
102static int ffs_func_setup(struct usb_function *,
103 const struct usb_ctrlrequest *);
104static bool ffs_func_req_match(struct usb_function *,
105 const struct usb_ctrlrequest *,
106 bool config0);
107static void ffs_func_suspend(struct usb_function *);
108static void ffs_func_resume(struct usb_function *);
109
110
111static int ffs_func_revmap_ep(struct ffs_function *func, u8 num);
112static int ffs_func_revmap_intf(struct ffs_function *func, u8 intf);
113
114
115/* The endpoints structures *************************************************/
116
117struct ffs_ep {
118 struct usb_ep *ep; /* P: ffs->eps_lock */
119 struct usb_request *req; /* P: epfile->mutex */
120
121 /* [0]: full speed, [1]: high speed, [2]: super speed */
122 struct usb_endpoint_descriptor *descs[3];
123
124 u8 num;
125};
126
127struct ffs_epfile {
128 /* Protects ep->ep and ep->req. */
129 struct mutex mutex;
130
131 struct ffs_data *ffs;
132 struct ffs_ep *ep; /* P: ffs->eps_lock */
133
134 struct dentry *dentry;
135
136 /*
137 * Buffer for holding data from partial reads which may happen since
138 * we’re rounding user read requests to a multiple of a max packet size.
139 *
140 * The pointer is initialised with NULL value and may be set by
141 * __ffs_epfile_read_data function to point to a temporary buffer.
142 *
143 * In normal operation, calls to __ffs_epfile_read_buffered will consume
144 * data from said buffer and eventually free it. Importantly, while the
145 * function is using the buffer, it sets the pointer to NULL. This is
146 * all right since __ffs_epfile_read_data and __ffs_epfile_read_buffered
147 * can never run concurrently (they are synchronised by epfile->mutex)
148 * so the latter will not assign a new value to the pointer.
149 *
150 * Meanwhile ffs_func_eps_disable frees the buffer (if the pointer is
151 * valid) and sets the pointer to READ_BUFFER_DROP value. This special
152 * value is crux of the synchronisation between ffs_func_eps_disable and
153 * __ffs_epfile_read_data.
154 *
155 * Once __ffs_epfile_read_data is about to finish it will try to set the
156 * pointer back to its old value (as described above), but seeing as the
157 * pointer is not-NULL (namely READ_BUFFER_DROP) it will instead free
158 * the buffer.
159 *
160 * == State transitions ==
161 *
162 * • ptr == NULL: (initial state)
163 * ◦ __ffs_epfile_read_buffer_free: go to ptr == DROP
164 * ◦ __ffs_epfile_read_buffered: nop
165 * ◦ __ffs_epfile_read_data allocates temp buffer: go to ptr == buf
166 * ◦ reading finishes: n/a, not in ‘and reading’ state
167 * • ptr == DROP:
168 * ◦ __ffs_epfile_read_buffer_free: nop
169 * ◦ __ffs_epfile_read_buffered: go to ptr == NULL
170 * ◦ __ffs_epfile_read_data allocates temp buffer: free buf, nop
171 * ◦ reading finishes: n/a, not in ‘and reading’ state
172 * • ptr == buf:
173 * ◦ __ffs_epfile_read_buffer_free: free buf, go to ptr == DROP
174 * ◦ __ffs_epfile_read_buffered: go to ptr == NULL and reading
175 * ◦ __ffs_epfile_read_data: n/a, __ffs_epfile_read_buffered
176 * is always called first
177 * ◦ reading finishes: n/a, not in ‘and reading’ state
178 * • ptr == NULL and reading:
179 * ◦ __ffs_epfile_read_buffer_free: go to ptr == DROP and reading
180 * ◦ __ffs_epfile_read_buffered: n/a, mutex is held
181 * ◦ __ffs_epfile_read_data: n/a, mutex is held
182 * ◦ reading finishes and …
183 * … all data read: free buf, go to ptr == NULL
184 * … otherwise: go to ptr == buf and reading
185 * • ptr == DROP and reading:
186 * ◦ __ffs_epfile_read_buffer_free: nop
187 * ◦ __ffs_epfile_read_buffered: n/a, mutex is held
188 * ◦ __ffs_epfile_read_data: n/a, mutex is held
189 * ◦ reading finishes: free buf, go to ptr == DROP
190 */
191 struct ffs_buffer *read_buffer;
192#define READ_BUFFER_DROP ((struct ffs_buffer *)ERR_PTR(-ESHUTDOWN))
193
194 char name[5];
195
196 unsigned char in; /* P: ffs->eps_lock */
197 unsigned char isoc; /* P: ffs->eps_lock */
198
199 unsigned char _pad;
200};
201
202struct ffs_buffer {
203 size_t length;
204 char *data;
205 char storage[] __counted_by(length);
206};
207
208/* ffs_io_data structure ***************************************************/
209
210struct ffs_io_data {
211 bool aio;
212 bool read;
213
214 struct kiocb *kiocb;
215 struct iov_iter data;
216 const void *to_free;
217 char *buf;
218
219 struct mm_struct *mm;
220 struct work_struct work;
221
222 struct usb_ep *ep;
223 struct usb_request *req;
224 struct sg_table sgt;
225 bool use_sg;
226
227 struct ffs_data *ffs;
228
229 int status;
230 struct completion done;
231};
232
233struct ffs_desc_helper {
234 struct ffs_data *ffs;
235 unsigned interfaces_count;
236 unsigned eps_count;
237};
238
239static int __must_check ffs_epfiles_create(struct ffs_data *ffs);
240static void ffs_epfiles_destroy(struct ffs_epfile *epfiles, unsigned count);
241
242static struct dentry *
243ffs_sb_create_file(struct super_block *sb, const char *name, void *data,
244 const struct file_operations *fops);
245
246/* Devices management *******************************************************/
247
248DEFINE_MUTEX(ffs_lock);
249EXPORT_SYMBOL_GPL(ffs_lock);
250
251static struct ffs_dev *_ffs_find_dev(const char *name);
252static struct ffs_dev *_ffs_alloc_dev(void);
253static void _ffs_free_dev(struct ffs_dev *dev);
254static int ffs_acquire_dev(const char *dev_name, struct ffs_data *ffs_data);
255static void ffs_release_dev(struct ffs_dev *ffs_dev);
256static int ffs_ready(struct ffs_data *ffs);
257static void ffs_closed(struct ffs_data *ffs);
258
259/* Misc helper functions ****************************************************/
260
261static int ffs_mutex_lock(struct mutex *mutex, unsigned nonblock)
262 __attribute__((warn_unused_result, nonnull));
263static char *ffs_prepare_buffer(const char __user *buf, size_t len)
264 __attribute__((warn_unused_result, nonnull));
265
266
267/* Control file aka ep0 *****************************************************/
268
269static void ffs_ep0_complete(struct usb_ep *ep, struct usb_request *req)
270{
271 struct ffs_data *ffs = req->context;
272
273 complete(&ffs->ep0req_completion);
274}
275
276static int __ffs_ep0_queue_wait(struct ffs_data *ffs, char *data, size_t len)
277 __releases(&ffs->ev.waitq.lock)
278{
279 struct usb_request *req = ffs->ep0req;
280 int ret;
281
282 if (!req) {
283 spin_unlock_irq(lock: &ffs->ev.waitq.lock);
284 return -EINVAL;
285 }
286
287 req->zero = len < le16_to_cpu(ffs->ev.setup.wLength);
288
289 spin_unlock_irq(lock: &ffs->ev.waitq.lock);
290
291 req->buf = data;
292 req->length = len;
293
294 /*
295 * UDC layer requires to provide a buffer even for ZLP, but should
296 * not use it at all. Let's provide some poisoned pointer to catch
297 * possible bug in the driver.
298 */
299 if (req->buf == NULL)
300 req->buf = (void *)0xDEADBABE;
301
302 reinit_completion(x: &ffs->ep0req_completion);
303
304 ret = usb_ep_queue(ep: ffs->gadget->ep0, req, GFP_ATOMIC);
305 if (ret < 0)
306 return ret;
307
308 ret = wait_for_completion_interruptible(x: &ffs->ep0req_completion);
309 if (ret) {
310 usb_ep_dequeue(ep: ffs->gadget->ep0, req);
311 return -EINTR;
312 }
313
314 ffs->setup_state = FFS_NO_SETUP;
315 return req->status ? req->status : req->actual;
316}
317
318static int __ffs_ep0_stall(struct ffs_data *ffs)
319{
320 if (ffs->ev.can_stall) {
321 pr_vdebug("ep0 stall\n");
322 usb_ep_set_halt(ep: ffs->gadget->ep0);
323 ffs->setup_state = FFS_NO_SETUP;
324 return -EL2HLT;
325 } else {
326 pr_debug("bogus ep0 stall!\n");
327 return -ESRCH;
328 }
329}
330
331static ssize_t ffs_ep0_write(struct file *file, const char __user *buf,
332 size_t len, loff_t *ptr)
333{
334 struct ffs_data *ffs = file->private_data;
335 ssize_t ret;
336 char *data;
337
338 /* Fast check if setup was canceled */
339 if (ffs_setup_state_clear_cancelled(ffs) == FFS_SETUP_CANCELLED)
340 return -EIDRM;
341
342 /* Acquire mutex */
343 ret = ffs_mutex_lock(mutex: &ffs->mutex, nonblock: file->f_flags & O_NONBLOCK);
344 if (ret < 0)
345 return ret;
346
347 /* Check state */
348 switch (ffs->state) {
349 case FFS_READ_DESCRIPTORS:
350 case FFS_READ_STRINGS:
351 /* Copy data */
352 if (len < 16) {
353 ret = -EINVAL;
354 break;
355 }
356
357 data = ffs_prepare_buffer(buf, len);
358 if (IS_ERR(ptr: data)) {
359 ret = PTR_ERR(ptr: data);
360 break;
361 }
362
363 /* Handle data */
364 if (ffs->state == FFS_READ_DESCRIPTORS) {
365 pr_info("read descriptors\n");
366 ret = __ffs_data_got_descs(ffs, data, len);
367 if (ret < 0)
368 break;
369
370 ffs->state = FFS_READ_STRINGS;
371 ret = len;
372 } else {
373 pr_info("read strings\n");
374 ret = __ffs_data_got_strings(ffs, data, len);
375 if (ret < 0)
376 break;
377
378 ret = ffs_epfiles_create(ffs);
379 if (ret) {
380 ffs->state = FFS_CLOSING;
381 break;
382 }
383
384 ffs->state = FFS_ACTIVE;
385 mutex_unlock(lock: &ffs->mutex);
386
387 ret = ffs_ready(ffs);
388 if (ret < 0) {
389 ffs->state = FFS_CLOSING;
390 return ret;
391 }
392
393 return len;
394 }
395 break;
396
397 case FFS_ACTIVE:
398 data = NULL;
399 /*
400 * We're called from user space, we can use _irq
401 * rather then _irqsave
402 */
403 spin_lock_irq(lock: &ffs->ev.waitq.lock);
404 switch (ffs_setup_state_clear_cancelled(ffs)) {
405 case FFS_SETUP_CANCELLED:
406 ret = -EIDRM;
407 goto done_spin;
408
409 case FFS_NO_SETUP:
410 ret = -ESRCH;
411 goto done_spin;
412
413 case FFS_SETUP_PENDING:
414 break;
415 }
416
417 /* FFS_SETUP_PENDING */
418 if (!(ffs->ev.setup.bRequestType & USB_DIR_IN)) {
419 spin_unlock_irq(lock: &ffs->ev.waitq.lock);
420 ret = __ffs_ep0_stall(ffs);
421 break;
422 }
423
424 /* FFS_SETUP_PENDING and not stall */
425 len = min(len, (size_t)le16_to_cpu(ffs->ev.setup.wLength));
426
427 spin_unlock_irq(lock: &ffs->ev.waitq.lock);
428
429 data = ffs_prepare_buffer(buf, len);
430 if (IS_ERR(ptr: data)) {
431 ret = PTR_ERR(ptr: data);
432 break;
433 }
434
435 spin_lock_irq(lock: &ffs->ev.waitq.lock);
436
437 /*
438 * We are guaranteed to be still in FFS_ACTIVE state
439 * but the state of setup could have changed from
440 * FFS_SETUP_PENDING to FFS_SETUP_CANCELLED so we need
441 * to check for that. If that happened we copied data
442 * from user space in vain but it's unlikely.
443 *
444 * For sure we are not in FFS_NO_SETUP since this is
445 * the only place FFS_SETUP_PENDING -> FFS_NO_SETUP
446 * transition can be performed and it's protected by
447 * mutex.
448 */
449 if (ffs_setup_state_clear_cancelled(ffs) ==
450 FFS_SETUP_CANCELLED) {
451 ret = -EIDRM;
452done_spin:
453 spin_unlock_irq(lock: &ffs->ev.waitq.lock);
454 } else {
455 /* unlocks spinlock */
456 ret = __ffs_ep0_queue_wait(ffs, data, len);
457 }
458 kfree(objp: data);
459 break;
460
461 default:
462 ret = -EBADFD;
463 break;
464 }
465
466 mutex_unlock(lock: &ffs->mutex);
467 return ret;
468}
469
470/* Called with ffs->ev.waitq.lock and ffs->mutex held, both released on exit. */
471static ssize_t __ffs_ep0_read_events(struct ffs_data *ffs, char __user *buf,
472 size_t n)
473 __releases(&ffs->ev.waitq.lock)
474{
475 /*
476 * n cannot be bigger than ffs->ev.count, which cannot be bigger than
477 * size of ffs->ev.types array (which is four) so that's how much space
478 * we reserve.
479 */
480 struct usb_functionfs_event events[ARRAY_SIZE(ffs->ev.types)];
481 const size_t size = n * sizeof *events;
482 unsigned i = 0;
483
484 memset(events, 0, size);
485
486 do {
487 events[i].type = ffs->ev.types[i];
488 if (events[i].type == FUNCTIONFS_SETUP) {
489 events[i].u.setup = ffs->ev.setup;
490 ffs->setup_state = FFS_SETUP_PENDING;
491 }
492 } while (++i < n);
493
494 ffs->ev.count -= n;
495 if (ffs->ev.count)
496 memmove(ffs->ev.types, ffs->ev.types + n,
497 ffs->ev.count * sizeof *ffs->ev.types);
498
499 spin_unlock_irq(lock: &ffs->ev.waitq.lock);
500 mutex_unlock(lock: &ffs->mutex);
501
502 return copy_to_user(to: buf, from: events, n: size) ? -EFAULT : size;
503}
504
505static ssize_t ffs_ep0_read(struct file *file, char __user *buf,
506 size_t len, loff_t *ptr)
507{
508 struct ffs_data *ffs = file->private_data;
509 char *data = NULL;
510 size_t n;
511 int ret;
512
513 /* Fast check if setup was canceled */
514 if (ffs_setup_state_clear_cancelled(ffs) == FFS_SETUP_CANCELLED)
515 return -EIDRM;
516
517 /* Acquire mutex */
518 ret = ffs_mutex_lock(mutex: &ffs->mutex, nonblock: file->f_flags & O_NONBLOCK);
519 if (ret < 0)
520 return ret;
521
522 /* Check state */
523 if (ffs->state != FFS_ACTIVE) {
524 ret = -EBADFD;
525 goto done_mutex;
526 }
527
528 /*
529 * We're called from user space, we can use _irq rather then
530 * _irqsave
531 */
532 spin_lock_irq(lock: &ffs->ev.waitq.lock);
533
534 switch (ffs_setup_state_clear_cancelled(ffs)) {
535 case FFS_SETUP_CANCELLED:
536 ret = -EIDRM;
537 break;
538
539 case FFS_NO_SETUP:
540 n = len / sizeof(struct usb_functionfs_event);
541 if (!n) {
542 ret = -EINVAL;
543 break;
544 }
545
546 if ((file->f_flags & O_NONBLOCK) && !ffs->ev.count) {
547 ret = -EAGAIN;
548 break;
549 }
550
551 if (wait_event_interruptible_exclusive_locked_irq(ffs->ev.waitq,
552 ffs->ev.count)) {
553 ret = -EINTR;
554 break;
555 }
556
557 /* unlocks spinlock */
558 return __ffs_ep0_read_events(ffs, buf,
559 min(n, (size_t)ffs->ev.count));
560
561 case FFS_SETUP_PENDING:
562 if (ffs->ev.setup.bRequestType & USB_DIR_IN) {
563 spin_unlock_irq(lock: &ffs->ev.waitq.lock);
564 ret = __ffs_ep0_stall(ffs);
565 goto done_mutex;
566 }
567
568 len = min(len, (size_t)le16_to_cpu(ffs->ev.setup.wLength));
569
570 spin_unlock_irq(lock: &ffs->ev.waitq.lock);
571
572 if (len) {
573 data = kmalloc(size: len, GFP_KERNEL);
574 if (!data) {
575 ret = -ENOMEM;
576 goto done_mutex;
577 }
578 }
579
580 spin_lock_irq(lock: &ffs->ev.waitq.lock);
581
582 /* See ffs_ep0_write() */
583 if (ffs_setup_state_clear_cancelled(ffs) ==
584 FFS_SETUP_CANCELLED) {
585 ret = -EIDRM;
586 break;
587 }
588
589 /* unlocks spinlock */
590 ret = __ffs_ep0_queue_wait(ffs, data, len);
591 if ((ret > 0) && (copy_to_user(to: buf, from: data, n: len)))
592 ret = -EFAULT;
593 goto done_mutex;
594
595 default:
596 ret = -EBADFD;
597 break;
598 }
599
600 spin_unlock_irq(lock: &ffs->ev.waitq.lock);
601done_mutex:
602 mutex_unlock(lock: &ffs->mutex);
603 kfree(objp: data);
604 return ret;
605}
606
607static int ffs_ep0_open(struct inode *inode, struct file *file)
608{
609 struct ffs_data *ffs = inode->i_private;
610
611 if (ffs->state == FFS_CLOSING)
612 return -EBUSY;
613
614 file->private_data = ffs;
615 ffs_data_opened(ffs);
616
617 return stream_open(inode, filp: file);
618}
619
620static int ffs_ep0_release(struct inode *inode, struct file *file)
621{
622 struct ffs_data *ffs = file->private_data;
623
624 ffs_data_closed(ffs);
625
626 return 0;
627}
628
629static long ffs_ep0_ioctl(struct file *file, unsigned code, unsigned long value)
630{
631 struct ffs_data *ffs = file->private_data;
632 struct usb_gadget *gadget = ffs->gadget;
633 long ret;
634
635 if (code == FUNCTIONFS_INTERFACE_REVMAP) {
636 struct ffs_function *func = ffs->func;
637 ret = func ? ffs_func_revmap_intf(func, intf: value) : -ENODEV;
638 } else if (gadget && gadget->ops->ioctl) {
639 ret = gadget->ops->ioctl(gadget, code, value);
640 } else {
641 ret = -ENOTTY;
642 }
643
644 return ret;
645}
646
647static __poll_t ffs_ep0_poll(struct file *file, poll_table *wait)
648{
649 struct ffs_data *ffs = file->private_data;
650 __poll_t mask = EPOLLWRNORM;
651 int ret;
652
653 poll_wait(filp: file, wait_address: &ffs->ev.waitq, p: wait);
654
655 ret = ffs_mutex_lock(mutex: &ffs->mutex, nonblock: file->f_flags & O_NONBLOCK);
656 if (ret < 0)
657 return mask;
658
659 switch (ffs->state) {
660 case FFS_READ_DESCRIPTORS:
661 case FFS_READ_STRINGS:
662 mask |= EPOLLOUT;
663 break;
664
665 case FFS_ACTIVE:
666 switch (ffs->setup_state) {
667 case FFS_NO_SETUP:
668 if (ffs->ev.count)
669 mask |= EPOLLIN;
670 break;
671
672 case FFS_SETUP_PENDING:
673 case FFS_SETUP_CANCELLED:
674 mask |= (EPOLLIN | EPOLLOUT);
675 break;
676 }
677 break;
678
679 case FFS_CLOSING:
680 break;
681 case FFS_DEACTIVATED:
682 break;
683 }
684
685 mutex_unlock(lock: &ffs->mutex);
686
687 return mask;
688}
689
690static const struct file_operations ffs_ep0_operations = {
691 .llseek = no_llseek,
692
693 .open = ffs_ep0_open,
694 .write = ffs_ep0_write,
695 .read = ffs_ep0_read,
696 .release = ffs_ep0_release,
697 .unlocked_ioctl = ffs_ep0_ioctl,
698 .poll = ffs_ep0_poll,
699};
700
701
702/* "Normal" endpoints operations ********************************************/
703
704static void ffs_epfile_io_complete(struct usb_ep *_ep, struct usb_request *req)
705{
706 struct ffs_io_data *io_data = req->context;
707
708 if (req->status)
709 io_data->status = req->status;
710 else
711 io_data->status = req->actual;
712
713 complete(&io_data->done);
714}
715
716static ssize_t ffs_copy_to_iter(void *data, int data_len, struct iov_iter *iter)
717{
718 ssize_t ret = copy_to_iter(addr: data, bytes: data_len, i: iter);
719 if (ret == data_len)
720 return ret;
721
722 if (iov_iter_count(i: iter))
723 return -EFAULT;
724
725 /*
726 * Dear user space developer!
727 *
728 * TL;DR: To stop getting below error message in your kernel log, change
729 * user space code using functionfs to align read buffers to a max
730 * packet size.
731 *
732 * Some UDCs (e.g. dwc3) require request sizes to be a multiple of a max
733 * packet size. When unaligned buffer is passed to functionfs, it
734 * internally uses a larger, aligned buffer so that such UDCs are happy.
735 *
736 * Unfortunately, this means that host may send more data than was
737 * requested in read(2) system call. f_fs doesn’t know what to do with
738 * that excess data so it simply drops it.
739 *
740 * Was the buffer aligned in the first place, no such problem would
741 * happen.
742 *
743 * Data may be dropped only in AIO reads. Synchronous reads are handled
744 * by splitting a request into multiple parts. This splitting may still
745 * be a problem though so it’s likely best to align the buffer
746 * regardless of it being AIO or not..
747 *
748 * This only affects OUT endpoints, i.e. reading data with a read(2),
749 * aio_read(2) etc. system calls. Writing data to an IN endpoint is not
750 * affected.
751 */
752 pr_err("functionfs read size %d > requested size %zd, dropping excess data. "
753 "Align read buffer size to max packet size to avoid the problem.\n",
754 data_len, ret);
755
756 return ret;
757}
758
759/*
760 * allocate a virtually contiguous buffer and create a scatterlist describing it
761 * @sg_table - pointer to a place to be filled with sg_table contents
762 * @size - required buffer size
763 */
764static void *ffs_build_sg_list(struct sg_table *sgt, size_t sz)
765{
766 struct page **pages;
767 void *vaddr, *ptr;
768 unsigned int n_pages;
769 int i;
770
771 vaddr = vmalloc(size: sz);
772 if (!vaddr)
773 return NULL;
774
775 n_pages = PAGE_ALIGN(sz) >> PAGE_SHIFT;
776 pages = kvmalloc_array(n: n_pages, size: sizeof(struct page *), GFP_KERNEL);
777 if (!pages) {
778 vfree(addr: vaddr);
779
780 return NULL;
781 }
782 for (i = 0, ptr = vaddr; i < n_pages; ++i, ptr += PAGE_SIZE)
783 pages[i] = vmalloc_to_page(addr: ptr);
784
785 if (sg_alloc_table_from_pages(sgt, pages, n_pages, offset: 0, size: sz, GFP_KERNEL)) {
786 kvfree(addr: pages);
787 vfree(addr: vaddr);
788
789 return NULL;
790 }
791 kvfree(addr: pages);
792
793 return vaddr;
794}
795
796static inline void *ffs_alloc_buffer(struct ffs_io_data *io_data,
797 size_t data_len)
798{
799 if (io_data->use_sg)
800 return ffs_build_sg_list(sgt: &io_data->sgt, sz: data_len);
801
802 return kmalloc(size: data_len, GFP_KERNEL);
803}
804
805static inline void ffs_free_buffer(struct ffs_io_data *io_data)
806{
807 if (!io_data->buf)
808 return;
809
810 if (io_data->use_sg) {
811 sg_free_table(&io_data->sgt);
812 vfree(addr: io_data->buf);
813 } else {
814 kfree(objp: io_data->buf);
815 }
816}
817
818static void ffs_user_copy_worker(struct work_struct *work)
819{
820 struct ffs_io_data *io_data = container_of(work, struct ffs_io_data,
821 work);
822 int ret = io_data->status;
823 bool kiocb_has_eventfd = io_data->kiocb->ki_flags & IOCB_EVENTFD;
824
825 if (io_data->read && ret > 0) {
826 kthread_use_mm(mm: io_data->mm);
827 ret = ffs_copy_to_iter(data: io_data->buf, data_len: ret, iter: &io_data->data);
828 kthread_unuse_mm(mm: io_data->mm);
829 }
830
831 io_data->kiocb->ki_complete(io_data->kiocb, ret);
832
833 if (io_data->ffs->ffs_eventfd && !kiocb_has_eventfd)
834 eventfd_signal(ctx: io_data->ffs->ffs_eventfd, n: 1);
835
836 if (io_data->read)
837 kfree(objp: io_data->to_free);
838 ffs_free_buffer(io_data);
839 kfree(objp: io_data);
840}
841
842static void ffs_epfile_async_io_complete(struct usb_ep *_ep,
843 struct usb_request *req)
844{
845 struct ffs_io_data *io_data = req->context;
846 struct ffs_data *ffs = io_data->ffs;
847
848 io_data->status = req->status ? req->status : req->actual;
849 usb_ep_free_request(ep: _ep, req);
850
851 INIT_WORK(&io_data->work, ffs_user_copy_worker);
852 queue_work(wq: ffs->io_completion_wq, work: &io_data->work);
853}
854
855static void __ffs_epfile_read_buffer_free(struct ffs_epfile *epfile)
856{
857 /*
858 * See comment in struct ffs_epfile for full read_buffer pointer
859 * synchronisation story.
860 */
861 struct ffs_buffer *buf = xchg(&epfile->read_buffer, READ_BUFFER_DROP);
862 if (buf && buf != READ_BUFFER_DROP)
863 kfree(objp: buf);
864}
865
866/* Assumes epfile->mutex is held. */
867static ssize_t __ffs_epfile_read_buffered(struct ffs_epfile *epfile,
868 struct iov_iter *iter)
869{
870 /*
871 * Null out epfile->read_buffer so ffs_func_eps_disable does not free
872 * the buffer while we are using it. See comment in struct ffs_epfile
873 * for full read_buffer pointer synchronisation story.
874 */
875 struct ffs_buffer *buf = xchg(&epfile->read_buffer, NULL);
876 ssize_t ret;
877 if (!buf || buf == READ_BUFFER_DROP)
878 return 0;
879
880 ret = copy_to_iter(addr: buf->data, bytes: buf->length, i: iter);
881 if (buf->length == ret) {
882 kfree(objp: buf);
883 return ret;
884 }
885
886 if (iov_iter_count(i: iter)) {
887 ret = -EFAULT;
888 } else {
889 buf->length -= ret;
890 buf->data += ret;
891 }
892
893 if (cmpxchg(&epfile->read_buffer, NULL, buf))
894 kfree(objp: buf);
895
896 return ret;
897}
898
899/* Assumes epfile->mutex is held. */
900static ssize_t __ffs_epfile_read_data(struct ffs_epfile *epfile,
901 void *data, int data_len,
902 struct iov_iter *iter)
903{
904 struct ffs_buffer *buf;
905
906 ssize_t ret = copy_to_iter(addr: data, bytes: data_len, i: iter);
907 if (data_len == ret)
908 return ret;
909
910 if (iov_iter_count(i: iter))
911 return -EFAULT;
912
913 /* See ffs_copy_to_iter for more context. */
914 pr_warn("functionfs read size %d > requested size %zd, splitting request into multiple reads.",
915 data_len, ret);
916
917 data_len -= ret;
918 buf = kmalloc(struct_size(buf, storage, data_len), GFP_KERNEL);
919 if (!buf)
920 return -ENOMEM;
921 buf->length = data_len;
922 buf->data = buf->storage;
923 memcpy(buf->storage, data + ret, flex_array_size(buf, storage, data_len));
924
925 /*
926 * At this point read_buffer is NULL or READ_BUFFER_DROP (if
927 * ffs_func_eps_disable has been called in the meanwhile). See comment
928 * in struct ffs_epfile for full read_buffer pointer synchronisation
929 * story.
930 */
931 if (cmpxchg(&epfile->read_buffer, NULL, buf))
932 kfree(objp: buf);
933
934 return ret;
935}
936
937static ssize_t ffs_epfile_io(struct file *file, struct ffs_io_data *io_data)
938{
939 struct ffs_epfile *epfile = file->private_data;
940 struct usb_request *req;
941 struct ffs_ep *ep;
942 char *data = NULL;
943 ssize_t ret, data_len = -EINVAL;
944 int halt;
945
946 /* Are we still active? */
947 if (WARN_ON(epfile->ffs->state != FFS_ACTIVE))
948 return -ENODEV;
949
950 /* Wait for endpoint to be enabled */
951 ep = epfile->ep;
952 if (!ep) {
953 if (file->f_flags & O_NONBLOCK)
954 return -EAGAIN;
955
956 ret = wait_event_interruptible(
957 epfile->ffs->wait, (ep = epfile->ep));
958 if (ret)
959 return -EINTR;
960 }
961
962 /* Do we halt? */
963 halt = (!io_data->read == !epfile->in);
964 if (halt && epfile->isoc)
965 return -EINVAL;
966
967 /* We will be using request and read_buffer */
968 ret = ffs_mutex_lock(mutex: &epfile->mutex, nonblock: file->f_flags & O_NONBLOCK);
969 if (ret)
970 goto error;
971
972 /* Allocate & copy */
973 if (!halt) {
974 struct usb_gadget *gadget;
975
976 /*
977 * Do we have buffered data from previous partial read? Check
978 * that for synchronous case only because we do not have
979 * facility to ‘wake up’ a pending asynchronous read and push
980 * buffered data to it which we would need to make things behave
981 * consistently.
982 */
983 if (!io_data->aio && io_data->read) {
984 ret = __ffs_epfile_read_buffered(epfile, iter: &io_data->data);
985 if (ret)
986 goto error_mutex;
987 }
988
989 /*
990 * if we _do_ wait above, the epfile->ffs->gadget might be NULL
991 * before the waiting completes, so do not assign to 'gadget'
992 * earlier
993 */
994 gadget = epfile->ffs->gadget;
995
996 spin_lock_irq(lock: &epfile->ffs->eps_lock);
997 /* In the meantime, endpoint got disabled or changed. */
998 if (epfile->ep != ep) {
999 ret = -ESHUTDOWN;
1000 goto error_lock;
1001 }
1002 data_len = iov_iter_count(i: &io_data->data);
1003 /*
1004 * Controller may require buffer size to be aligned to
1005 * maxpacketsize of an out endpoint.
1006 */
1007 if (io_data->read)
1008 data_len = usb_ep_align_maybe(g: gadget, ep: ep->ep, len: data_len);
1009
1010 io_data->use_sg = gadget->sg_supported && data_len > PAGE_SIZE;
1011 spin_unlock_irq(lock: &epfile->ffs->eps_lock);
1012
1013 data = ffs_alloc_buffer(io_data, data_len);
1014 if (!data) {
1015 ret = -ENOMEM;
1016 goto error_mutex;
1017 }
1018 if (!io_data->read &&
1019 !copy_from_iter_full(addr: data, bytes: data_len, i: &io_data->data)) {
1020 ret = -EFAULT;
1021 goto error_mutex;
1022 }
1023 }
1024
1025 spin_lock_irq(lock: &epfile->ffs->eps_lock);
1026
1027 if (epfile->ep != ep) {
1028 /* In the meantime, endpoint got disabled or changed. */
1029 ret = -ESHUTDOWN;
1030 } else if (halt) {
1031 ret = usb_ep_set_halt(ep: ep->ep);
1032 if (!ret)
1033 ret = -EBADMSG;
1034 } else if (data_len == -EINVAL) {
1035 /*
1036 * Sanity Check: even though data_len can't be used
1037 * uninitialized at the time I write this comment, some
1038 * compilers complain about this situation.
1039 * In order to keep the code clean from warnings, data_len is
1040 * being initialized to -EINVAL during its declaration, which
1041 * means we can't rely on compiler anymore to warn no future
1042 * changes won't result in data_len being used uninitialized.
1043 * For such reason, we're adding this redundant sanity check
1044 * here.
1045 */
1046 WARN(1, "%s: data_len == -EINVAL\n", __func__);
1047 ret = -EINVAL;
1048 } else if (!io_data->aio) {
1049 bool interrupted = false;
1050
1051 req = ep->req;
1052 if (io_data->use_sg) {
1053 req->buf = NULL;
1054 req->sg = io_data->sgt.sgl;
1055 req->num_sgs = io_data->sgt.nents;
1056 } else {
1057 req->buf = data;
1058 req->num_sgs = 0;
1059 }
1060 req->length = data_len;
1061
1062 io_data->buf = data;
1063
1064 init_completion(x: &io_data->done);
1065 req->context = io_data;
1066 req->complete = ffs_epfile_io_complete;
1067
1068 ret = usb_ep_queue(ep: ep->ep, req, GFP_ATOMIC);
1069 if (ret < 0)
1070 goto error_lock;
1071
1072 spin_unlock_irq(lock: &epfile->ffs->eps_lock);
1073
1074 if (wait_for_completion_interruptible(x: &io_data->done)) {
1075 spin_lock_irq(lock: &epfile->ffs->eps_lock);
1076 if (epfile->ep != ep) {
1077 ret = -ESHUTDOWN;
1078 goto error_lock;
1079 }
1080 /*
1081 * To avoid race condition with ffs_epfile_io_complete,
1082 * dequeue the request first then check
1083 * status. usb_ep_dequeue API should guarantee no race
1084 * condition with req->complete callback.
1085 */
1086 usb_ep_dequeue(ep: ep->ep, req);
1087 spin_unlock_irq(lock: &epfile->ffs->eps_lock);
1088 wait_for_completion(&io_data->done);
1089 interrupted = io_data->status < 0;
1090 }
1091
1092 if (interrupted)
1093 ret = -EINTR;
1094 else if (io_data->read && io_data->status > 0)
1095 ret = __ffs_epfile_read_data(epfile, data, data_len: io_data->status,
1096 iter: &io_data->data);
1097 else
1098 ret = io_data->status;
1099 goto error_mutex;
1100 } else if (!(req = usb_ep_alloc_request(ep: ep->ep, GFP_ATOMIC))) {
1101 ret = -ENOMEM;
1102 } else {
1103 if (io_data->use_sg) {
1104 req->buf = NULL;
1105 req->sg = io_data->sgt.sgl;
1106 req->num_sgs = io_data->sgt.nents;
1107 } else {
1108 req->buf = data;
1109 req->num_sgs = 0;
1110 }
1111 req->length = data_len;
1112
1113 io_data->buf = data;
1114 io_data->ep = ep->ep;
1115 io_data->req = req;
1116 io_data->ffs = epfile->ffs;
1117
1118 req->context = io_data;
1119 req->complete = ffs_epfile_async_io_complete;
1120
1121 ret = usb_ep_queue(ep: ep->ep, req, GFP_ATOMIC);
1122 if (ret) {
1123 io_data->req = NULL;
1124 usb_ep_free_request(ep: ep->ep, req);
1125 goto error_lock;
1126 }
1127
1128 ret = -EIOCBQUEUED;
1129 /*
1130 * Do not kfree the buffer in this function. It will be freed
1131 * by ffs_user_copy_worker.
1132 */
1133 data = NULL;
1134 }
1135
1136error_lock:
1137 spin_unlock_irq(lock: &epfile->ffs->eps_lock);
1138error_mutex:
1139 mutex_unlock(lock: &epfile->mutex);
1140error:
1141 if (ret != -EIOCBQUEUED) /* don't free if there is iocb queued */
1142 ffs_free_buffer(io_data);
1143 return ret;
1144}
1145
1146static int
1147ffs_epfile_open(struct inode *inode, struct file *file)
1148{
1149 struct ffs_epfile *epfile = inode->i_private;
1150
1151 if (WARN_ON(epfile->ffs->state != FFS_ACTIVE))
1152 return -ENODEV;
1153
1154 file->private_data = epfile;
1155 ffs_data_opened(ffs: epfile->ffs);
1156
1157 return stream_open(inode, filp: file);
1158}
1159
1160static int ffs_aio_cancel(struct kiocb *kiocb)
1161{
1162 struct ffs_io_data *io_data = kiocb->private;
1163 struct ffs_epfile *epfile = kiocb->ki_filp->private_data;
1164 unsigned long flags;
1165 int value;
1166
1167 spin_lock_irqsave(&epfile->ffs->eps_lock, flags);
1168
1169 if (io_data && io_data->ep && io_data->req)
1170 value = usb_ep_dequeue(ep: io_data->ep, req: io_data->req);
1171 else
1172 value = -EINVAL;
1173
1174 spin_unlock_irqrestore(lock: &epfile->ffs->eps_lock, flags);
1175
1176 return value;
1177}
1178
1179static ssize_t ffs_epfile_write_iter(struct kiocb *kiocb, struct iov_iter *from)
1180{
1181 struct ffs_io_data io_data, *p = &io_data;
1182 ssize_t res;
1183
1184 if (!is_sync_kiocb(kiocb)) {
1185 p = kzalloc(size: sizeof(io_data), GFP_KERNEL);
1186 if (!p)
1187 return -ENOMEM;
1188 p->aio = true;
1189 } else {
1190 memset(p, 0, sizeof(*p));
1191 p->aio = false;
1192 }
1193
1194 p->read = false;
1195 p->kiocb = kiocb;
1196 p->data = *from;
1197 p->mm = current->mm;
1198
1199 kiocb->private = p;
1200
1201 if (p->aio)
1202 kiocb_set_cancel_fn(req: kiocb, cancel: ffs_aio_cancel);
1203
1204 res = ffs_epfile_io(file: kiocb->ki_filp, io_data: p);
1205 if (res == -EIOCBQUEUED)
1206 return res;
1207 if (p->aio)
1208 kfree(objp: p);
1209 else
1210 *from = p->data;
1211 return res;
1212}
1213
1214static ssize_t ffs_epfile_read_iter(struct kiocb *kiocb, struct iov_iter *to)
1215{
1216 struct ffs_io_data io_data, *p = &io_data;
1217 ssize_t res;
1218
1219 if (!is_sync_kiocb(kiocb)) {
1220 p = kzalloc(size: sizeof(io_data), GFP_KERNEL);
1221 if (!p)
1222 return -ENOMEM;
1223 p->aio = true;
1224 } else {
1225 memset(p, 0, sizeof(*p));
1226 p->aio = false;
1227 }
1228
1229 p->read = true;
1230 p->kiocb = kiocb;
1231 if (p->aio) {
1232 p->to_free = dup_iter(new: &p->data, old: to, GFP_KERNEL);
1233 if (!iter_is_ubuf(i: &p->data) && !p->to_free) {
1234 kfree(objp: p);
1235 return -ENOMEM;
1236 }
1237 } else {
1238 p->data = *to;
1239 p->to_free = NULL;
1240 }
1241 p->mm = current->mm;
1242
1243 kiocb->private = p;
1244
1245 if (p->aio)
1246 kiocb_set_cancel_fn(req: kiocb, cancel: ffs_aio_cancel);
1247
1248 res = ffs_epfile_io(file: kiocb->ki_filp, io_data: p);
1249 if (res == -EIOCBQUEUED)
1250 return res;
1251
1252 if (p->aio) {
1253 kfree(objp: p->to_free);
1254 kfree(objp: p);
1255 } else {
1256 *to = p->data;
1257 }
1258 return res;
1259}
1260
1261static int
1262ffs_epfile_release(struct inode *inode, struct file *file)
1263{
1264 struct ffs_epfile *epfile = inode->i_private;
1265
1266 __ffs_epfile_read_buffer_free(epfile);
1267 ffs_data_closed(ffs: epfile->ffs);
1268
1269 return 0;
1270}
1271
1272static long ffs_epfile_ioctl(struct file *file, unsigned code,
1273 unsigned long value)
1274{
1275 struct ffs_epfile *epfile = file->private_data;
1276 struct ffs_ep *ep;
1277 int ret;
1278
1279 if (WARN_ON(epfile->ffs->state != FFS_ACTIVE))
1280 return -ENODEV;
1281
1282 /* Wait for endpoint to be enabled */
1283 ep = epfile->ep;
1284 if (!ep) {
1285 if (file->f_flags & O_NONBLOCK)
1286 return -EAGAIN;
1287
1288 ret = wait_event_interruptible(
1289 epfile->ffs->wait, (ep = epfile->ep));
1290 if (ret)
1291 return -EINTR;
1292 }
1293
1294 spin_lock_irq(lock: &epfile->ffs->eps_lock);
1295
1296 /* In the meantime, endpoint got disabled or changed. */
1297 if (epfile->ep != ep) {
1298 spin_unlock_irq(lock: &epfile->ffs->eps_lock);
1299 return -ESHUTDOWN;
1300 }
1301
1302 switch (code) {
1303 case FUNCTIONFS_FIFO_STATUS:
1304 ret = usb_ep_fifo_status(ep: epfile->ep->ep);
1305 break;
1306 case FUNCTIONFS_FIFO_FLUSH:
1307 usb_ep_fifo_flush(ep: epfile->ep->ep);
1308 ret = 0;
1309 break;
1310 case FUNCTIONFS_CLEAR_HALT:
1311 ret = usb_ep_clear_halt(ep: epfile->ep->ep);
1312 break;
1313 case FUNCTIONFS_ENDPOINT_REVMAP:
1314 ret = epfile->ep->num;
1315 break;
1316 case FUNCTIONFS_ENDPOINT_DESC:
1317 {
1318 int desc_idx;
1319 struct usb_endpoint_descriptor desc1, *desc;
1320
1321 switch (epfile->ffs->gadget->speed) {
1322 case USB_SPEED_SUPER:
1323 case USB_SPEED_SUPER_PLUS:
1324 desc_idx = 2;
1325 break;
1326 case USB_SPEED_HIGH:
1327 desc_idx = 1;
1328 break;
1329 default:
1330 desc_idx = 0;
1331 }
1332
1333 desc = epfile->ep->descs[desc_idx];
1334 memcpy(&desc1, desc, desc->bLength);
1335
1336 spin_unlock_irq(lock: &epfile->ffs->eps_lock);
1337 ret = copy_to_user(to: (void __user *)value, from: &desc1, n: desc1.bLength);
1338 if (ret)
1339 ret = -EFAULT;
1340 return ret;
1341 }
1342 default:
1343 ret = -ENOTTY;
1344 }
1345 spin_unlock_irq(lock: &epfile->ffs->eps_lock);
1346
1347 return ret;
1348}
1349
1350static const struct file_operations ffs_epfile_operations = {
1351 .llseek = no_llseek,
1352
1353 .open = ffs_epfile_open,
1354 .write_iter = ffs_epfile_write_iter,
1355 .read_iter = ffs_epfile_read_iter,
1356 .release = ffs_epfile_release,
1357 .unlocked_ioctl = ffs_epfile_ioctl,
1358 .compat_ioctl = compat_ptr_ioctl,
1359};
1360
1361
1362/* File system and super block operations ***********************************/
1363
1364/*
1365 * Mounting the file system creates a controller file, used first for
1366 * function configuration then later for event monitoring.
1367 */
1368
1369static struct inode *__must_check
1370ffs_sb_make_inode(struct super_block *sb, void *data,
1371 const struct file_operations *fops,
1372 const struct inode_operations *iops,
1373 struct ffs_file_perms *perms)
1374{
1375 struct inode *inode;
1376
1377 inode = new_inode(sb);
1378
1379 if (inode) {
1380 struct timespec64 ts = inode_set_ctime_current(inode);
1381
1382 inode->i_ino = get_next_ino();
1383 inode->i_mode = perms->mode;
1384 inode->i_uid = perms->uid;
1385 inode->i_gid = perms->gid;
1386 inode_set_atime_to_ts(inode, ts);
1387 inode_set_mtime_to_ts(inode, ts);
1388 inode->i_private = data;
1389 if (fops)
1390 inode->i_fop = fops;
1391 if (iops)
1392 inode->i_op = iops;
1393 }
1394
1395 return inode;
1396}
1397
1398/* Create "regular" file */
1399static struct dentry *ffs_sb_create_file(struct super_block *sb,
1400 const char *name, void *data,
1401 const struct file_operations *fops)
1402{
1403 struct ffs_data *ffs = sb->s_fs_info;
1404 struct dentry *dentry;
1405 struct inode *inode;
1406
1407 dentry = d_alloc_name(sb->s_root, name);
1408 if (!dentry)
1409 return NULL;
1410
1411 inode = ffs_sb_make_inode(sb, data, fops, NULL, perms: &ffs->file_perms);
1412 if (!inode) {
1413 dput(dentry);
1414 return NULL;
1415 }
1416
1417 d_add(dentry, inode);
1418 return dentry;
1419}
1420
1421/* Super block */
1422static const struct super_operations ffs_sb_operations = {
1423 .statfs = simple_statfs,
1424 .drop_inode = generic_delete_inode,
1425};
1426
1427struct ffs_sb_fill_data {
1428 struct ffs_file_perms perms;
1429 umode_t root_mode;
1430 const char *dev_name;
1431 bool no_disconnect;
1432 struct ffs_data *ffs_data;
1433};
1434
1435static int ffs_sb_fill(struct super_block *sb, struct fs_context *fc)
1436{
1437 struct ffs_sb_fill_data *data = fc->fs_private;
1438 struct inode *inode;
1439 struct ffs_data *ffs = data->ffs_data;
1440
1441 ffs->sb = sb;
1442 data->ffs_data = NULL;
1443 sb->s_fs_info = ffs;
1444 sb->s_blocksize = PAGE_SIZE;
1445 sb->s_blocksize_bits = PAGE_SHIFT;
1446 sb->s_magic = FUNCTIONFS_MAGIC;
1447 sb->s_op = &ffs_sb_operations;
1448 sb->s_time_gran = 1;
1449
1450 /* Root inode */
1451 data->perms.mode = data->root_mode;
1452 inode = ffs_sb_make_inode(sb, NULL,
1453 fops: &simple_dir_operations,
1454 iops: &simple_dir_inode_operations,
1455 perms: &data->perms);
1456 sb->s_root = d_make_root(inode);
1457 if (!sb->s_root)
1458 return -ENOMEM;
1459
1460 /* EP0 file */
1461 if (!ffs_sb_create_file(sb, name: "ep0", data: ffs, fops: &ffs_ep0_operations))
1462 return -ENOMEM;
1463
1464 return 0;
1465}
1466
1467enum {
1468 Opt_no_disconnect,
1469 Opt_rmode,
1470 Opt_fmode,
1471 Opt_mode,
1472 Opt_uid,
1473 Opt_gid,
1474};
1475
1476static const struct fs_parameter_spec ffs_fs_fs_parameters[] = {
1477 fsparam_bool ("no_disconnect", Opt_no_disconnect),
1478 fsparam_u32 ("rmode", Opt_rmode),
1479 fsparam_u32 ("fmode", Opt_fmode),
1480 fsparam_u32 ("mode", Opt_mode),
1481 fsparam_u32 ("uid", Opt_uid),
1482 fsparam_u32 ("gid", Opt_gid),
1483 {}
1484};
1485
1486static int ffs_fs_parse_param(struct fs_context *fc, struct fs_parameter *param)
1487{
1488 struct ffs_sb_fill_data *data = fc->fs_private;
1489 struct fs_parse_result result;
1490 int opt;
1491
1492 opt = fs_parse(fc, desc: ffs_fs_fs_parameters, param, result: &result);
1493 if (opt < 0)
1494 return opt;
1495
1496 switch (opt) {
1497 case Opt_no_disconnect:
1498 data->no_disconnect = result.boolean;
1499 break;
1500 case Opt_rmode:
1501 data->root_mode = (result.uint_32 & 0555) | S_IFDIR;
1502 break;
1503 case Opt_fmode:
1504 data->perms.mode = (result.uint_32 & 0666) | S_IFREG;
1505 break;
1506 case Opt_mode:
1507 data->root_mode = (result.uint_32 & 0555) | S_IFDIR;
1508 data->perms.mode = (result.uint_32 & 0666) | S_IFREG;
1509 break;
1510
1511 case Opt_uid:
1512 data->perms.uid = make_kuid(current_user_ns(), uid: result.uint_32);
1513 if (!uid_valid(uid: data->perms.uid))
1514 goto unmapped_value;
1515 break;
1516 case Opt_gid:
1517 data->perms.gid = make_kgid(current_user_ns(), gid: result.uint_32);
1518 if (!gid_valid(gid: data->perms.gid))
1519 goto unmapped_value;
1520 break;
1521
1522 default:
1523 return -ENOPARAM;
1524 }
1525
1526 return 0;
1527
1528unmapped_value:
1529 return invalf(fc, "%s: unmapped value: %u", param->key, result.uint_32);
1530}
1531
1532/*
1533 * Set up the superblock for a mount.
1534 */
1535static int ffs_fs_get_tree(struct fs_context *fc)
1536{
1537 struct ffs_sb_fill_data *ctx = fc->fs_private;
1538 struct ffs_data *ffs;
1539 int ret;
1540
1541 if (!fc->source)
1542 return invalf(fc, "No source specified");
1543
1544 ffs = ffs_data_new(dev_name: fc->source);
1545 if (!ffs)
1546 return -ENOMEM;
1547 ffs->file_perms = ctx->perms;
1548 ffs->no_disconnect = ctx->no_disconnect;
1549
1550 ffs->dev_name = kstrdup(s: fc->source, GFP_KERNEL);
1551 if (!ffs->dev_name) {
1552 ffs_data_put(ffs);
1553 return -ENOMEM;
1554 }
1555
1556 ret = ffs_acquire_dev(dev_name: ffs->dev_name, ffs_data: ffs);
1557 if (ret) {
1558 ffs_data_put(ffs);
1559 return ret;
1560 }
1561
1562 ctx->ffs_data = ffs;
1563 return get_tree_nodev(fc, fill_super: ffs_sb_fill);
1564}
1565
1566static void ffs_fs_free_fc(struct fs_context *fc)
1567{
1568 struct ffs_sb_fill_data *ctx = fc->fs_private;
1569
1570 if (ctx) {
1571 if (ctx->ffs_data) {
1572 ffs_data_put(ffs: ctx->ffs_data);
1573 }
1574
1575 kfree(objp: ctx);
1576 }
1577}
1578
1579static const struct fs_context_operations ffs_fs_context_ops = {
1580 .free = ffs_fs_free_fc,
1581 .parse_param = ffs_fs_parse_param,
1582 .get_tree = ffs_fs_get_tree,
1583};
1584
1585static int ffs_fs_init_fs_context(struct fs_context *fc)
1586{
1587 struct ffs_sb_fill_data *ctx;
1588
1589 ctx = kzalloc(size: sizeof(struct ffs_sb_fill_data), GFP_KERNEL);
1590 if (!ctx)
1591 return -ENOMEM;
1592
1593 ctx->perms.mode = S_IFREG | 0600;
1594 ctx->perms.uid = GLOBAL_ROOT_UID;
1595 ctx->perms.gid = GLOBAL_ROOT_GID;
1596 ctx->root_mode = S_IFDIR | 0500;
1597 ctx->no_disconnect = false;
1598
1599 fc->fs_private = ctx;
1600 fc->ops = &ffs_fs_context_ops;
1601 return 0;
1602}
1603
1604static void
1605ffs_fs_kill_sb(struct super_block *sb)
1606{
1607 kill_litter_super(sb);
1608 if (sb->s_fs_info)
1609 ffs_data_closed(ffs: sb->s_fs_info);
1610}
1611
1612static struct file_system_type ffs_fs_type = {
1613 .owner = THIS_MODULE,
1614 .name = "functionfs",
1615 .init_fs_context = ffs_fs_init_fs_context,
1616 .parameters = ffs_fs_fs_parameters,
1617 .kill_sb = ffs_fs_kill_sb,
1618};
1619MODULE_ALIAS_FS("functionfs");
1620
1621
1622/* Driver's main init/cleanup functions *************************************/
1623
1624static int functionfs_init(void)
1625{
1626 int ret;
1627
1628 ret = register_filesystem(&ffs_fs_type);
1629 if (!ret)
1630 pr_info("file system registered\n");
1631 else
1632 pr_err("failed registering file system (%d)\n", ret);
1633
1634 return ret;
1635}
1636
1637static void functionfs_cleanup(void)
1638{
1639 pr_info("unloading\n");
1640 unregister_filesystem(&ffs_fs_type);
1641}
1642
1643
1644/* ffs_data and ffs_function construction and destruction code **************/
1645
1646static void ffs_data_clear(struct ffs_data *ffs);
1647static void ffs_data_reset(struct ffs_data *ffs);
1648
1649static void ffs_data_get(struct ffs_data *ffs)
1650{
1651 refcount_inc(r: &ffs->ref);
1652}
1653
1654static void ffs_data_opened(struct ffs_data *ffs)
1655{
1656 refcount_inc(r: &ffs->ref);
1657 if (atomic_add_return(i: 1, v: &ffs->opened) == 1 &&
1658 ffs->state == FFS_DEACTIVATED) {
1659 ffs->state = FFS_CLOSING;
1660 ffs_data_reset(ffs);
1661 }
1662}
1663
1664static void ffs_data_put(struct ffs_data *ffs)
1665{
1666 if (refcount_dec_and_test(r: &ffs->ref)) {
1667 pr_info("%s(): freeing\n", __func__);
1668 ffs_data_clear(ffs);
1669 ffs_release_dev(ffs_dev: ffs->private_data);
1670 BUG_ON(waitqueue_active(&ffs->ev.waitq) ||
1671 swait_active(&ffs->ep0req_completion.wait) ||
1672 waitqueue_active(&ffs->wait));
1673 destroy_workqueue(wq: ffs->io_completion_wq);
1674 kfree(objp: ffs->dev_name);
1675 kfree(objp: ffs);
1676 }
1677}
1678
1679static void ffs_data_closed(struct ffs_data *ffs)
1680{
1681 struct ffs_epfile *epfiles;
1682 unsigned long flags;
1683
1684 if (atomic_dec_and_test(v: &ffs->opened)) {
1685 if (ffs->no_disconnect) {
1686 ffs->state = FFS_DEACTIVATED;
1687 spin_lock_irqsave(&ffs->eps_lock, flags);
1688 epfiles = ffs->epfiles;
1689 ffs->epfiles = NULL;
1690 spin_unlock_irqrestore(lock: &ffs->eps_lock,
1691 flags);
1692
1693 if (epfiles)
1694 ffs_epfiles_destroy(epfiles,
1695 count: ffs->eps_count);
1696
1697 if (ffs->setup_state == FFS_SETUP_PENDING)
1698 __ffs_ep0_stall(ffs);
1699 } else {
1700 ffs->state = FFS_CLOSING;
1701 ffs_data_reset(ffs);
1702 }
1703 }
1704 if (atomic_read(v: &ffs->opened) < 0) {
1705 ffs->state = FFS_CLOSING;
1706 ffs_data_reset(ffs);
1707 }
1708
1709 ffs_data_put(ffs);
1710}
1711
1712static struct ffs_data *ffs_data_new(const char *dev_name)
1713{
1714 struct ffs_data *ffs = kzalloc(size: sizeof *ffs, GFP_KERNEL);
1715 if (!ffs)
1716 return NULL;
1717
1718 ffs->io_completion_wq = alloc_ordered_workqueue("%s", 0, dev_name);
1719 if (!ffs->io_completion_wq) {
1720 kfree(objp: ffs);
1721 return NULL;
1722 }
1723
1724 refcount_set(r: &ffs->ref, n: 1);
1725 atomic_set(v: &ffs->opened, i: 0);
1726 ffs->state = FFS_READ_DESCRIPTORS;
1727 mutex_init(&ffs->mutex);
1728 spin_lock_init(&ffs->eps_lock);
1729 init_waitqueue_head(&ffs->ev.waitq);
1730 init_waitqueue_head(&ffs->wait);
1731 init_completion(x: &ffs->ep0req_completion);
1732
1733 /* XXX REVISIT need to update it in some places, or do we? */
1734 ffs->ev.can_stall = 1;
1735
1736 return ffs;
1737}
1738
1739static void ffs_data_clear(struct ffs_data *ffs)
1740{
1741 struct ffs_epfile *epfiles;
1742 unsigned long flags;
1743
1744 ffs_closed(ffs);
1745
1746 BUG_ON(ffs->gadget);
1747
1748 spin_lock_irqsave(&ffs->eps_lock, flags);
1749 epfiles = ffs->epfiles;
1750 ffs->epfiles = NULL;
1751 spin_unlock_irqrestore(lock: &ffs->eps_lock, flags);
1752
1753 /*
1754 * potential race possible between ffs_func_eps_disable
1755 * & ffs_epfile_release therefore maintaining a local
1756 * copy of epfile will save us from use-after-free.
1757 */
1758 if (epfiles) {
1759 ffs_epfiles_destroy(epfiles, count: ffs->eps_count);
1760 ffs->epfiles = NULL;
1761 }
1762
1763 if (ffs->ffs_eventfd) {
1764 eventfd_ctx_put(ctx: ffs->ffs_eventfd);
1765 ffs->ffs_eventfd = NULL;
1766 }
1767
1768 kfree(objp: ffs->raw_descs_data);
1769 kfree(objp: ffs->raw_strings);
1770 kfree(objp: ffs->stringtabs);
1771}
1772
1773static void ffs_data_reset(struct ffs_data *ffs)
1774{
1775 ffs_data_clear(ffs);
1776
1777 ffs->raw_descs_data = NULL;
1778 ffs->raw_descs = NULL;
1779 ffs->raw_strings = NULL;
1780 ffs->stringtabs = NULL;
1781
1782 ffs->raw_descs_length = 0;
1783 ffs->fs_descs_count = 0;
1784 ffs->hs_descs_count = 0;
1785 ffs->ss_descs_count = 0;
1786
1787 ffs->strings_count = 0;
1788 ffs->interfaces_count = 0;
1789 ffs->eps_count = 0;
1790
1791 ffs->ev.count = 0;
1792
1793 ffs->state = FFS_READ_DESCRIPTORS;
1794 ffs->setup_state = FFS_NO_SETUP;
1795 ffs->flags = 0;
1796
1797 ffs->ms_os_descs_ext_prop_count = 0;
1798 ffs->ms_os_descs_ext_prop_name_len = 0;
1799 ffs->ms_os_descs_ext_prop_data_len = 0;
1800}
1801
1802
1803static int functionfs_bind(struct ffs_data *ffs, struct usb_composite_dev *cdev)
1804{
1805 struct usb_gadget_strings **lang;
1806 int first_id;
1807
1808 if (WARN_ON(ffs->state != FFS_ACTIVE
1809 || test_and_set_bit(FFS_FL_BOUND, &ffs->flags)))
1810 return -EBADFD;
1811
1812 first_id = usb_string_ids_n(c: cdev, n: ffs->strings_count);
1813 if (first_id < 0)
1814 return first_id;
1815
1816 ffs->ep0req = usb_ep_alloc_request(ep: cdev->gadget->ep0, GFP_KERNEL);
1817 if (!ffs->ep0req)
1818 return -ENOMEM;
1819 ffs->ep0req->complete = ffs_ep0_complete;
1820 ffs->ep0req->context = ffs;
1821
1822 lang = ffs->stringtabs;
1823 if (lang) {
1824 for (; *lang; ++lang) {
1825 struct usb_string *str = (*lang)->strings;
1826 int id = first_id;
1827 for (; str->s; ++id, ++str)
1828 str->id = id;
1829 }
1830 }
1831
1832 ffs->gadget = cdev->gadget;
1833 ffs_data_get(ffs);
1834 return 0;
1835}
1836
1837static void functionfs_unbind(struct ffs_data *ffs)
1838{
1839 if (!WARN_ON(!ffs->gadget)) {
1840 /* dequeue before freeing ep0req */
1841 usb_ep_dequeue(ep: ffs->gadget->ep0, req: ffs->ep0req);
1842 mutex_lock(&ffs->mutex);
1843 usb_ep_free_request(ep: ffs->gadget->ep0, req: ffs->ep0req);
1844 ffs->ep0req = NULL;
1845 ffs->gadget = NULL;
1846 clear_bit(FFS_FL_BOUND, addr: &ffs->flags);
1847 mutex_unlock(lock: &ffs->mutex);
1848 ffs_data_put(ffs);
1849 }
1850}
1851
1852static int ffs_epfiles_create(struct ffs_data *ffs)
1853{
1854 struct ffs_epfile *epfile, *epfiles;
1855 unsigned i, count;
1856
1857 count = ffs->eps_count;
1858 epfiles = kcalloc(n: count, size: sizeof(*epfiles), GFP_KERNEL);
1859 if (!epfiles)
1860 return -ENOMEM;
1861
1862 epfile = epfiles;
1863 for (i = 1; i <= count; ++i, ++epfile) {
1864 epfile->ffs = ffs;
1865 mutex_init(&epfile->mutex);
1866 if (ffs->user_flags & FUNCTIONFS_VIRTUAL_ADDR)
1867 sprintf(buf: epfile->name, fmt: "ep%02x", ffs->eps_addrmap[i]);
1868 else
1869 sprintf(buf: epfile->name, fmt: "ep%u", i);
1870 epfile->dentry = ffs_sb_create_file(sb: ffs->sb, name: epfile->name,
1871 data: epfile,
1872 fops: &ffs_epfile_operations);
1873 if (!epfile->dentry) {
1874 ffs_epfiles_destroy(epfiles, count: i - 1);
1875 return -ENOMEM;
1876 }
1877 }
1878
1879 ffs->epfiles = epfiles;
1880 return 0;
1881}
1882
1883static void ffs_epfiles_destroy(struct ffs_epfile *epfiles, unsigned count)
1884{
1885 struct ffs_epfile *epfile = epfiles;
1886
1887 for (; count; --count, ++epfile) {
1888 BUG_ON(mutex_is_locked(&epfile->mutex));
1889 if (epfile->dentry) {
1890 d_delete(epfile->dentry);
1891 dput(epfile->dentry);
1892 epfile->dentry = NULL;
1893 }
1894 }
1895
1896 kfree(objp: epfiles);
1897}
1898
1899static void ffs_func_eps_disable(struct ffs_function *func)
1900{
1901 struct ffs_ep *ep;
1902 struct ffs_epfile *epfile;
1903 unsigned short count;
1904 unsigned long flags;
1905
1906 spin_lock_irqsave(&func->ffs->eps_lock, flags);
1907 count = func->ffs->eps_count;
1908 epfile = func->ffs->epfiles;
1909 ep = func->eps;
1910 while (count--) {
1911 /* pending requests get nuked */
1912 if (ep->ep)
1913 usb_ep_disable(ep: ep->ep);
1914 ++ep;
1915
1916 if (epfile) {
1917 epfile->ep = NULL;
1918 __ffs_epfile_read_buffer_free(epfile);
1919 ++epfile;
1920 }
1921 }
1922 spin_unlock_irqrestore(lock: &func->ffs->eps_lock, flags);
1923}
1924
1925static int ffs_func_eps_enable(struct ffs_function *func)
1926{
1927 struct ffs_data *ffs;
1928 struct ffs_ep *ep;
1929 struct ffs_epfile *epfile;
1930 unsigned short count;
1931 unsigned long flags;
1932 int ret = 0;
1933
1934 spin_lock_irqsave(&func->ffs->eps_lock, flags);
1935 ffs = func->ffs;
1936 ep = func->eps;
1937 epfile = ffs->epfiles;
1938 count = ffs->eps_count;
1939 while(count--) {
1940 ep->ep->driver_data = ep;
1941
1942 ret = config_ep_by_speed(g: func->gadget, f: &func->function, ep: ep->ep);
1943 if (ret) {
1944 pr_err("%s: config_ep_by_speed(%s) returned %d\n",
1945 __func__, ep->ep->name, ret);
1946 break;
1947 }
1948
1949 ret = usb_ep_enable(ep: ep->ep);
1950 if (!ret) {
1951 epfile->ep = ep;
1952 epfile->in = usb_endpoint_dir_in(epd: ep->ep->desc);
1953 epfile->isoc = usb_endpoint_xfer_isoc(epd: ep->ep->desc);
1954 } else {
1955 break;
1956 }
1957
1958 ++ep;
1959 ++epfile;
1960 }
1961
1962 wake_up_interruptible(&ffs->wait);
1963 spin_unlock_irqrestore(lock: &func->ffs->eps_lock, flags);
1964
1965 return ret;
1966}
1967
1968
1969/* Parsing and building descriptors and strings *****************************/
1970
1971/*
1972 * This validates if data pointed by data is a valid USB descriptor as
1973 * well as record how many interfaces, endpoints and strings are
1974 * required by given configuration. Returns address after the
1975 * descriptor or NULL if data is invalid.
1976 */
1977
1978enum ffs_entity_type {
1979 FFS_DESCRIPTOR, FFS_INTERFACE, FFS_STRING, FFS_ENDPOINT
1980};
1981
1982enum ffs_os_desc_type {
1983 FFS_OS_DESC, FFS_OS_DESC_EXT_COMPAT, FFS_OS_DESC_EXT_PROP
1984};
1985
1986typedef int (*ffs_entity_callback)(enum ffs_entity_type entity,
1987 u8 *valuep,
1988 struct usb_descriptor_header *desc,
1989 void *priv);
1990
1991typedef int (*ffs_os_desc_callback)(enum ffs_os_desc_type entity,
1992 struct usb_os_desc_header *h, void *data,
1993 unsigned len, void *priv);
1994
1995static int __must_check ffs_do_single_desc(char *data, unsigned len,
1996 ffs_entity_callback entity,
1997 void *priv, int *current_class)
1998{
1999 struct usb_descriptor_header *_ds = (void *)data;
2000 u8 length;
2001 int ret;
2002
2003 /* At least two bytes are required: length and type */
2004 if (len < 2) {
2005 pr_vdebug("descriptor too short\n");
2006 return -EINVAL;
2007 }
2008
2009 /* If we have at least as many bytes as the descriptor takes? */
2010 length = _ds->bLength;
2011 if (len < length) {
2012 pr_vdebug("descriptor longer then available data\n");
2013 return -EINVAL;
2014 }
2015
2016#define __entity_check_INTERFACE(val) 1
2017#define __entity_check_STRING(val) (val)
2018#define __entity_check_ENDPOINT(val) ((val) & USB_ENDPOINT_NUMBER_MASK)
2019#define __entity(type, val) do { \
2020 pr_vdebug("entity " #type "(%02x)\n", (val)); \
2021 if (!__entity_check_ ##type(val)) { \
2022 pr_vdebug("invalid entity's value\n"); \
2023 return -EINVAL; \
2024 } \
2025 ret = entity(FFS_ ##type, &val, _ds, priv); \
2026 if (ret < 0) { \
2027 pr_debug("entity " #type "(%02x); ret = %d\n", \
2028 (val), ret); \
2029 return ret; \
2030 } \
2031 } while (0)
2032
2033 /* Parse descriptor depending on type. */
2034 switch (_ds->bDescriptorType) {
2035 case USB_DT_DEVICE:
2036 case USB_DT_CONFIG:
2037 case USB_DT_STRING:
2038 case USB_DT_DEVICE_QUALIFIER:
2039 /* function can't have any of those */
2040 pr_vdebug("descriptor reserved for gadget: %d\n",
2041 _ds->bDescriptorType);
2042 return -EINVAL;
2043
2044 case USB_DT_INTERFACE: {
2045 struct usb_interface_descriptor *ds = (void *)_ds;
2046 pr_vdebug("interface descriptor\n");
2047 if (length != sizeof *ds)
2048 goto inv_length;
2049
2050 __entity(INTERFACE, ds->bInterfaceNumber);
2051 if (ds->iInterface)
2052 __entity(STRING, ds->iInterface);
2053 *current_class = ds->bInterfaceClass;
2054 }
2055 break;
2056
2057 case USB_DT_ENDPOINT: {
2058 struct usb_endpoint_descriptor *ds = (void *)_ds;
2059 pr_vdebug("endpoint descriptor\n");
2060 if (length != USB_DT_ENDPOINT_SIZE &&
2061 length != USB_DT_ENDPOINT_AUDIO_SIZE)
2062 goto inv_length;
2063 __entity(ENDPOINT, ds->bEndpointAddress);
2064 }
2065 break;
2066
2067 case USB_TYPE_CLASS | 0x01:
2068 if (*current_class == USB_INTERFACE_CLASS_HID) {
2069 pr_vdebug("hid descriptor\n");
2070 if (length != sizeof(struct hid_descriptor))
2071 goto inv_length;
2072 break;
2073 } else if (*current_class == USB_INTERFACE_CLASS_CCID) {
2074 pr_vdebug("ccid descriptor\n");
2075 if (length != sizeof(struct ccid_descriptor))
2076 goto inv_length;
2077 break;
2078 } else {
2079 pr_vdebug("unknown descriptor: %d for class %d\n",
2080 _ds->bDescriptorType, *current_class);
2081 return -EINVAL;
2082 }
2083
2084 case USB_DT_OTG:
2085 if (length != sizeof(struct usb_otg_descriptor))
2086 goto inv_length;
2087 break;
2088
2089 case USB_DT_INTERFACE_ASSOCIATION: {
2090 struct usb_interface_assoc_descriptor *ds = (void *)_ds;
2091 pr_vdebug("interface association descriptor\n");
2092 if (length != sizeof *ds)
2093 goto inv_length;
2094 if (ds->iFunction)
2095 __entity(STRING, ds->iFunction);
2096 }
2097 break;
2098
2099 case USB_DT_SS_ENDPOINT_COMP:
2100 pr_vdebug("EP SS companion descriptor\n");
2101 if (length != sizeof(struct usb_ss_ep_comp_descriptor))
2102 goto inv_length;
2103 break;
2104
2105 case USB_DT_OTHER_SPEED_CONFIG:
2106 case USB_DT_INTERFACE_POWER:
2107 case USB_DT_DEBUG:
2108 case USB_DT_SECURITY:
2109 case USB_DT_CS_RADIO_CONTROL:
2110 /* TODO */
2111 pr_vdebug("unimplemented descriptor: %d\n", _ds->bDescriptorType);
2112 return -EINVAL;
2113
2114 default:
2115 /* We should never be here */
2116 pr_vdebug("unknown descriptor: %d\n", _ds->bDescriptorType);
2117 return -EINVAL;
2118
2119inv_length:
2120 pr_vdebug("invalid length: %d (descriptor %d)\n",
2121 _ds->bLength, _ds->bDescriptorType);
2122 return -EINVAL;
2123 }
2124
2125#undef __entity
2126#undef __entity_check_DESCRIPTOR
2127#undef __entity_check_INTERFACE
2128#undef __entity_check_STRING
2129#undef __entity_check_ENDPOINT
2130
2131 return length;
2132}
2133
2134static int __must_check ffs_do_descs(unsigned count, char *data, unsigned len,
2135 ffs_entity_callback entity, void *priv)
2136{
2137 const unsigned _len = len;
2138 unsigned long num = 0;
2139 int current_class = -1;
2140
2141 for (;;) {
2142 int ret;
2143
2144 if (num == count)
2145 data = NULL;
2146
2147 /* Record "descriptor" entity */
2148 ret = entity(FFS_DESCRIPTOR, (u8 *)num, (void *)data, priv);
2149 if (ret < 0) {
2150 pr_debug("entity DESCRIPTOR(%02lx); ret = %d\n",
2151 num, ret);
2152 return ret;
2153 }
2154
2155 if (!data)
2156 return _len - len;
2157
2158 ret = ffs_do_single_desc(data, len, entity, priv,
2159 current_class: &current_class);
2160 if (ret < 0) {
2161 pr_debug("%s returns %d\n", __func__, ret);
2162 return ret;
2163 }
2164
2165 len -= ret;
2166 data += ret;
2167 ++num;
2168 }
2169}
2170
2171static int __ffs_data_do_entity(enum ffs_entity_type type,
2172 u8 *valuep, struct usb_descriptor_header *desc,
2173 void *priv)
2174{
2175 struct ffs_desc_helper *helper = priv;
2176 struct usb_endpoint_descriptor *d;
2177
2178 switch (type) {
2179 case FFS_DESCRIPTOR:
2180 break;
2181
2182 case FFS_INTERFACE:
2183 /*
2184 * Interfaces are indexed from zero so if we
2185 * encountered interface "n" then there are at least
2186 * "n+1" interfaces.
2187 */
2188 if (*valuep >= helper->interfaces_count)
2189 helper->interfaces_count = *valuep + 1;
2190 break;
2191
2192 case FFS_STRING:
2193 /*
2194 * Strings are indexed from 1 (0 is reserved
2195 * for languages list)
2196 */
2197 if (*valuep > helper->ffs->strings_count)
2198 helper->ffs->strings_count = *valuep;
2199 break;
2200
2201 case FFS_ENDPOINT:
2202 d = (void *)desc;
2203 helper->eps_count++;
2204 if (helper->eps_count >= FFS_MAX_EPS_COUNT)
2205 return -EINVAL;
2206 /* Check if descriptors for any speed were already parsed */
2207 if (!helper->ffs->eps_count && !helper->ffs->interfaces_count)
2208 helper->ffs->eps_addrmap[helper->eps_count] =
2209 d->bEndpointAddress;
2210 else if (helper->ffs->eps_addrmap[helper->eps_count] !=
2211 d->bEndpointAddress)
2212 return -EINVAL;
2213 break;
2214 }
2215
2216 return 0;
2217}
2218
2219static int __ffs_do_os_desc_header(enum ffs_os_desc_type *next_type,
2220 struct usb_os_desc_header *desc)
2221{
2222 u16 bcd_version = le16_to_cpu(desc->bcdVersion);
2223 u16 w_index = le16_to_cpu(desc->wIndex);
2224
2225 if (bcd_version == 0x1) {
2226 pr_warn("bcdVersion must be 0x0100, stored in Little Endian order. "
2227 "Userspace driver should be fixed, accepting 0x0001 for compatibility.\n");
2228 } else if (bcd_version != 0x100) {
2229 pr_vdebug("unsupported os descriptors version: 0x%x\n",
2230 bcd_version);
2231 return -EINVAL;
2232 }
2233 switch (w_index) {
2234 case 0x4:
2235 *next_type = FFS_OS_DESC_EXT_COMPAT;
2236 break;
2237 case 0x5:
2238 *next_type = FFS_OS_DESC_EXT_PROP;
2239 break;
2240 default:
2241 pr_vdebug("unsupported os descriptor type: %d", w_index);
2242 return -EINVAL;
2243 }
2244
2245 return sizeof(*desc);
2246}
2247
2248/*
2249 * Process all extended compatibility/extended property descriptors
2250 * of a feature descriptor
2251 */
2252static int __must_check ffs_do_single_os_desc(char *data, unsigned len,
2253 enum ffs_os_desc_type type,
2254 u16 feature_count,
2255 ffs_os_desc_callback entity,
2256 void *priv,
2257 struct usb_os_desc_header *h)
2258{
2259 int ret;
2260 const unsigned _len = len;
2261
2262 /* loop over all ext compat/ext prop descriptors */
2263 while (feature_count--) {
2264 ret = entity(type, h, data, len, priv);
2265 if (ret < 0) {
2266 pr_debug("bad OS descriptor, type: %d\n", type);
2267 return ret;
2268 }
2269 data += ret;
2270 len -= ret;
2271 }
2272 return _len - len;
2273}
2274
2275/* Process a number of complete Feature Descriptors (Ext Compat or Ext Prop) */
2276static int __must_check ffs_do_os_descs(unsigned count,
2277 char *data, unsigned len,
2278 ffs_os_desc_callback entity, void *priv)
2279{
2280 const unsigned _len = len;
2281 unsigned long num = 0;
2282
2283 for (num = 0; num < count; ++num) {
2284 int ret;
2285 enum ffs_os_desc_type type;
2286 u16 feature_count;
2287 struct usb_os_desc_header *desc = (void *)data;
2288
2289 if (len < sizeof(*desc))
2290 return -EINVAL;
2291
2292 /*
2293 * Record "descriptor" entity.
2294 * Process dwLength, bcdVersion, wIndex, get b/wCount.
2295 * Move the data pointer to the beginning of extended
2296 * compatibilities proper or extended properties proper
2297 * portions of the data
2298 */
2299 if (le32_to_cpu(desc->dwLength) > len)
2300 return -EINVAL;
2301
2302 ret = __ffs_do_os_desc_header(next_type: &type, desc);
2303 if (ret < 0) {
2304 pr_debug("entity OS_DESCRIPTOR(%02lx); ret = %d\n",
2305 num, ret);
2306 return ret;
2307 }
2308 /*
2309 * 16-bit hex "?? 00" Little Endian looks like 8-bit hex "??"
2310 */
2311 feature_count = le16_to_cpu(desc->wCount);
2312 if (type == FFS_OS_DESC_EXT_COMPAT &&
2313 (feature_count > 255 || desc->Reserved))
2314 return -EINVAL;
2315 len -= ret;
2316 data += ret;
2317
2318 /*
2319 * Process all function/property descriptors
2320 * of this Feature Descriptor
2321 */
2322 ret = ffs_do_single_os_desc(data, len, type,
2323 feature_count, entity, priv, h: desc);
2324 if (ret < 0) {
2325 pr_debug("%s returns %d\n", __func__, ret);
2326 return ret;
2327 }
2328
2329 len -= ret;
2330 data += ret;
2331 }
2332 return _len - len;
2333}
2334
2335/*
2336 * Validate contents of the buffer from userspace related to OS descriptors.
2337 */
2338static int __ffs_data_do_os_desc(enum ffs_os_desc_type type,
2339 struct usb_os_desc_header *h, void *data,
2340 unsigned len, void *priv)
2341{
2342 struct ffs_data *ffs = priv;
2343 u8 length;
2344
2345 switch (type) {
2346 case FFS_OS_DESC_EXT_COMPAT: {
2347 struct usb_ext_compat_desc *d = data;
2348 int i;
2349
2350 if (len < sizeof(*d) ||
2351 d->bFirstInterfaceNumber >= ffs->interfaces_count)
2352 return -EINVAL;
2353 if (d->Reserved1 != 1) {
2354 /*
2355 * According to the spec, Reserved1 must be set to 1
2356 * but older kernels incorrectly rejected non-zero
2357 * values. We fix it here to avoid returning EINVAL
2358 * in response to values we used to accept.
2359 */
2360 pr_debug("usb_ext_compat_desc::Reserved1 forced to 1\n");
2361 d->Reserved1 = 1;
2362 }
2363 for (i = 0; i < ARRAY_SIZE(d->Reserved2); ++i)
2364 if (d->Reserved2[i])
2365 return -EINVAL;
2366
2367 length = sizeof(struct usb_ext_compat_desc);
2368 }
2369 break;
2370 case FFS_OS_DESC_EXT_PROP: {
2371 struct usb_ext_prop_desc *d = data;
2372 u32 type, pdl;
2373 u16 pnl;
2374
2375 if (len < sizeof(*d) || h->interface >= ffs->interfaces_count)
2376 return -EINVAL;
2377 length = le32_to_cpu(d->dwSize);
2378 if (len < length)
2379 return -EINVAL;
2380 type = le32_to_cpu(d->dwPropertyDataType);
2381 if (type < USB_EXT_PROP_UNICODE ||
2382 type > USB_EXT_PROP_UNICODE_MULTI) {
2383 pr_vdebug("unsupported os descriptor property type: %d",
2384 type);
2385 return -EINVAL;
2386 }
2387 pnl = le16_to_cpu(d->wPropertyNameLength);
2388 if (length < 14 + pnl) {
2389 pr_vdebug("invalid os descriptor length: %d pnl:%d (descriptor %d)\n",
2390 length, pnl, type);
2391 return -EINVAL;
2392 }
2393 pdl = le32_to_cpu(*(__le32 *)((u8 *)data + 10 + pnl));
2394 if (length != 14 + pnl + pdl) {
2395 pr_vdebug("invalid os descriptor length: %d pnl:%d pdl:%d (descriptor %d)\n",
2396 length, pnl, pdl, type);
2397 return -EINVAL;
2398 }
2399 ++ffs->ms_os_descs_ext_prop_count;
2400 /* property name reported to the host as "WCHAR"s */
2401 ffs->ms_os_descs_ext_prop_name_len += pnl * 2;
2402 ffs->ms_os_descs_ext_prop_data_len += pdl;
2403 }
2404 break;
2405 default:
2406 pr_vdebug("unknown descriptor: %d\n", type);
2407 return -EINVAL;
2408 }
2409 return length;
2410}
2411
2412static int __ffs_data_got_descs(struct ffs_data *ffs,
2413 char *const _data, size_t len)
2414{
2415 char *data = _data, *raw_descs;
2416 unsigned os_descs_count = 0, counts[3], flags;
2417 int ret = -EINVAL, i;
2418 struct ffs_desc_helper helper;
2419
2420 if (get_unaligned_le32(p: data + 4) != len)
2421 goto error;
2422
2423 switch (get_unaligned_le32(p: data)) {
2424 case FUNCTIONFS_DESCRIPTORS_MAGIC:
2425 flags = FUNCTIONFS_HAS_FS_DESC | FUNCTIONFS_HAS_HS_DESC;
2426 data += 8;
2427 len -= 8;
2428 break;
2429 case FUNCTIONFS_DESCRIPTORS_MAGIC_V2:
2430 flags = get_unaligned_le32(p: data + 8);
2431 ffs->user_flags = flags;
2432 if (flags & ~(FUNCTIONFS_HAS_FS_DESC |
2433 FUNCTIONFS_HAS_HS_DESC |
2434 FUNCTIONFS_HAS_SS_DESC |
2435 FUNCTIONFS_HAS_MS_OS_DESC |
2436 FUNCTIONFS_VIRTUAL_ADDR |
2437 FUNCTIONFS_EVENTFD |
2438 FUNCTIONFS_ALL_CTRL_RECIP |
2439 FUNCTIONFS_CONFIG0_SETUP)) {
2440 ret = -ENOSYS;
2441 goto error;
2442 }
2443 data += 12;
2444 len -= 12;
2445 break;
2446 default:
2447 goto error;
2448 }
2449
2450 if (flags & FUNCTIONFS_EVENTFD) {
2451 if (len < 4)
2452 goto error;
2453 ffs->ffs_eventfd =
2454 eventfd_ctx_fdget(fd: (int)get_unaligned_le32(p: data));
2455 if (IS_ERR(ptr: ffs->ffs_eventfd)) {
2456 ret = PTR_ERR(ptr: ffs->ffs_eventfd);
2457 ffs->ffs_eventfd = NULL;
2458 goto error;
2459 }
2460 data += 4;
2461 len -= 4;
2462 }
2463
2464 /* Read fs_count, hs_count and ss_count (if present) */
2465 for (i = 0; i < 3; ++i) {
2466 if (!(flags & (1 << i))) {
2467 counts[i] = 0;
2468 } else if (len < 4) {
2469 goto error;
2470 } else {
2471 counts[i] = get_unaligned_le32(p: data);
2472 data += 4;
2473 len -= 4;
2474 }
2475 }
2476 if (flags & (1 << i)) {
2477 if (len < 4) {
2478 goto error;
2479 }
2480 os_descs_count = get_unaligned_le32(p: data);
2481 data += 4;
2482 len -= 4;
2483 }
2484
2485 /* Read descriptors */
2486 raw_descs = data;
2487 helper.ffs = ffs;
2488 for (i = 0; i < 3; ++i) {
2489 if (!counts[i])
2490 continue;
2491 helper.interfaces_count = 0;
2492 helper.eps_count = 0;
2493 ret = ffs_do_descs(count: counts[i], data, len,
2494 entity: __ffs_data_do_entity, priv: &helper);
2495 if (ret < 0)
2496 goto error;
2497 if (!ffs->eps_count && !ffs->interfaces_count) {
2498 ffs->eps_count = helper.eps_count;
2499 ffs->interfaces_count = helper.interfaces_count;
2500 } else {
2501 if (ffs->eps_count != helper.eps_count) {
2502 ret = -EINVAL;
2503 goto error;
2504 }
2505 if (ffs->interfaces_count != helper.interfaces_count) {
2506 ret = -EINVAL;
2507 goto error;
2508 }
2509 }
2510 data += ret;
2511 len -= ret;
2512 }
2513 if (os_descs_count) {
2514 ret = ffs_do_os_descs(count: os_descs_count, data, len,
2515 entity: __ffs_data_do_os_desc, priv: ffs);
2516 if (ret < 0)
2517 goto error;
2518 data += ret;
2519 len -= ret;
2520 }
2521
2522 if (raw_descs == data || len) {
2523 ret = -EINVAL;
2524 goto error;
2525 }
2526
2527 ffs->raw_descs_data = _data;
2528 ffs->raw_descs = raw_descs;
2529 ffs->raw_descs_length = data - raw_descs;
2530 ffs->fs_descs_count = counts[0];
2531 ffs->hs_descs_count = counts[1];
2532 ffs->ss_descs_count = counts[2];
2533 ffs->ms_os_descs_count = os_descs_count;
2534
2535 return 0;
2536
2537error:
2538 kfree(objp: _data);
2539 return ret;
2540}
2541
2542static int __ffs_data_got_strings(struct ffs_data *ffs,
2543 char *const _data, size_t len)
2544{
2545 u32 str_count, needed_count, lang_count;
2546 struct usb_gadget_strings **stringtabs, *t;
2547 const char *data = _data;
2548 struct usb_string *s;
2549
2550 if (len < 16 ||
2551 get_unaligned_le32(p: data) != FUNCTIONFS_STRINGS_MAGIC ||
2552 get_unaligned_le32(p: data + 4) != len)
2553 goto error;
2554 str_count = get_unaligned_le32(p: data + 8);
2555 lang_count = get_unaligned_le32(p: data + 12);
2556
2557 /* if one is zero the other must be zero */
2558 if (!str_count != !lang_count)
2559 goto error;
2560
2561 /* Do we have at least as many strings as descriptors need? */
2562 needed_count = ffs->strings_count;
2563 if (str_count < needed_count)
2564 goto error;
2565
2566 /*
2567 * If we don't need any strings just return and free all
2568 * memory.
2569 */
2570 if (!needed_count) {
2571 kfree(objp: _data);
2572 return 0;
2573 }
2574
2575 /* Allocate everything in one chunk so there's less maintenance. */
2576 {
2577 unsigned i = 0;
2578 vla_group(d);
2579 vla_item(d, struct usb_gadget_strings *, stringtabs,
2580 size_add(lang_count, 1));
2581 vla_item(d, struct usb_gadget_strings, stringtab, lang_count);
2582 vla_item(d, struct usb_string, strings,
2583 size_mul(lang_count, (needed_count + 1)));
2584
2585 char *vlabuf = kmalloc(vla_group_size(d), GFP_KERNEL);
2586
2587 if (!vlabuf) {
2588 kfree(objp: _data);
2589 return -ENOMEM;
2590 }
2591
2592 /* Initialize the VLA pointers */
2593 stringtabs = vla_ptr(vlabuf, d, stringtabs);
2594 t = vla_ptr(vlabuf, d, stringtab);
2595 i = lang_count;
2596 do {
2597 *stringtabs++ = t++;
2598 } while (--i);
2599 *stringtabs = NULL;
2600
2601 /* stringtabs = vlabuf = d_stringtabs for later kfree */
2602 stringtabs = vla_ptr(vlabuf, d, stringtabs);
2603 t = vla_ptr(vlabuf, d, stringtab);
2604 s = vla_ptr(vlabuf, d, strings);
2605 }
2606
2607 /* For each language */
2608 data += 16;
2609 len -= 16;
2610
2611 do { /* lang_count > 0 so we can use do-while */
2612 unsigned needed = needed_count;
2613 u32 str_per_lang = str_count;
2614
2615 if (len < 3)
2616 goto error_free;
2617 t->language = get_unaligned_le16(p: data);
2618 t->strings = s;
2619 ++t;
2620
2621 data += 2;
2622 len -= 2;
2623
2624 /* For each string */
2625 do { /* str_count > 0 so we can use do-while */
2626 size_t length = strnlen(p: data, maxlen: len);
2627
2628 if (length == len)
2629 goto error_free;
2630
2631 /*
2632 * User may provide more strings then we need,
2633 * if that's the case we simply ignore the
2634 * rest
2635 */
2636 if (needed) {
2637 /*
2638 * s->id will be set while adding
2639 * function to configuration so for
2640 * now just leave garbage here.
2641 */
2642 s->s = data;
2643 --needed;
2644 ++s;
2645 }
2646
2647 data += length + 1;
2648 len -= length + 1;
2649 } while (--str_per_lang);
2650
2651 s->id = 0; /* terminator */
2652 s->s = NULL;
2653 ++s;
2654
2655 } while (--lang_count);
2656
2657 /* Some garbage left? */
2658 if (len)
2659 goto error_free;
2660
2661 /* Done! */
2662 ffs->stringtabs = stringtabs;
2663 ffs->raw_strings = _data;
2664
2665 return 0;
2666
2667error_free:
2668 kfree(objp: stringtabs);
2669error:
2670 kfree(objp: _data);
2671 return -EINVAL;
2672}
2673
2674
2675/* Events handling and management *******************************************/
2676
2677static void __ffs_event_add(struct ffs_data *ffs,
2678 enum usb_functionfs_event_type type)
2679{
2680 enum usb_functionfs_event_type rem_type1, rem_type2 = type;
2681 int neg = 0;
2682
2683 /*
2684 * Abort any unhandled setup
2685 *
2686 * We do not need to worry about some cmpxchg() changing value
2687 * of ffs->setup_state without holding the lock because when
2688 * state is FFS_SETUP_PENDING cmpxchg() in several places in
2689 * the source does nothing.
2690 */
2691 if (ffs->setup_state == FFS_SETUP_PENDING)
2692 ffs->setup_state = FFS_SETUP_CANCELLED;
2693
2694 /*
2695 * Logic of this function guarantees that there are at most four pending
2696 * evens on ffs->ev.types queue. This is important because the queue
2697 * has space for four elements only and __ffs_ep0_read_events function
2698 * depends on that limit as well. If more event types are added, those
2699 * limits have to be revisited or guaranteed to still hold.
2700 */
2701 switch (type) {
2702 case FUNCTIONFS_RESUME:
2703 rem_type2 = FUNCTIONFS_SUSPEND;
2704 fallthrough;
2705 case FUNCTIONFS_SUSPEND:
2706 case FUNCTIONFS_SETUP:
2707 rem_type1 = type;
2708 /* Discard all similar events */
2709 break;
2710
2711 case FUNCTIONFS_BIND:
2712 case FUNCTIONFS_UNBIND:
2713 case FUNCTIONFS_DISABLE:
2714 case FUNCTIONFS_ENABLE:
2715 /* Discard everything other then power management. */
2716 rem_type1 = FUNCTIONFS_SUSPEND;
2717 rem_type2 = FUNCTIONFS_RESUME;
2718 neg = 1;
2719 break;
2720
2721 default:
2722 WARN(1, "%d: unknown event, this should not happen\n", type);
2723 return;
2724 }
2725
2726 {
2727 u8 *ev = ffs->ev.types, *out = ev;
2728 unsigned n = ffs->ev.count;
2729 for (; n; --n, ++ev)
2730 if ((*ev == rem_type1 || *ev == rem_type2) == neg)
2731 *out++ = *ev;
2732 else
2733 pr_vdebug("purging event %d\n", *ev);
2734 ffs->ev.count = out - ffs->ev.types;
2735 }
2736
2737 pr_vdebug("adding event %d\n", type);
2738 ffs->ev.types[ffs->ev.count++] = type;
2739 wake_up_locked(&ffs->ev.waitq);
2740 if (ffs->ffs_eventfd)
2741 eventfd_signal(ctx: ffs->ffs_eventfd, n: 1);
2742}
2743
2744static void ffs_event_add(struct ffs_data *ffs,
2745 enum usb_functionfs_event_type type)
2746{
2747 unsigned long flags;
2748 spin_lock_irqsave(&ffs->ev.waitq.lock, flags);
2749 __ffs_event_add(ffs, type);
2750 spin_unlock_irqrestore(lock: &ffs->ev.waitq.lock, flags);
2751}
2752
2753/* Bind/unbind USB function hooks *******************************************/
2754
2755static int ffs_ep_addr2idx(struct ffs_data *ffs, u8 endpoint_address)
2756{
2757 int i;
2758
2759 for (i = 1; i < ARRAY_SIZE(ffs->eps_addrmap); ++i)
2760 if (ffs->eps_addrmap[i] == endpoint_address)
2761 return i;
2762 return -ENOENT;
2763}
2764
2765static int __ffs_func_bind_do_descs(enum ffs_entity_type type, u8 *valuep,
2766 struct usb_descriptor_header *desc,
2767 void *priv)
2768{
2769 struct usb_endpoint_descriptor *ds = (void *)desc;
2770 struct ffs_function *func = priv;
2771 struct ffs_ep *ffs_ep;
2772 unsigned ep_desc_id;
2773 int idx;
2774 static const char *speed_names[] = { "full", "high", "super" };
2775
2776 if (type != FFS_DESCRIPTOR)
2777 return 0;
2778
2779 /*
2780 * If ss_descriptors is not NULL, we are reading super speed
2781 * descriptors; if hs_descriptors is not NULL, we are reading high
2782 * speed descriptors; otherwise, we are reading full speed
2783 * descriptors.
2784 */
2785 if (func->function.ss_descriptors) {
2786 ep_desc_id = 2;
2787 func->function.ss_descriptors[(long)valuep] = desc;
2788 } else if (func->function.hs_descriptors) {
2789 ep_desc_id = 1;
2790 func->function.hs_descriptors[(long)valuep] = desc;
2791 } else {
2792 ep_desc_id = 0;
2793 func->function.fs_descriptors[(long)valuep] = desc;
2794 }
2795
2796 if (!desc || desc->bDescriptorType != USB_DT_ENDPOINT)
2797 return 0;
2798
2799 idx = ffs_ep_addr2idx(ffs: func->ffs, endpoint_address: ds->bEndpointAddress) - 1;
2800 if (idx < 0)
2801 return idx;
2802
2803 ffs_ep = func->eps + idx;
2804
2805 if (ffs_ep->descs[ep_desc_id]) {
2806 pr_err("two %sspeed descriptors for EP %d\n",
2807 speed_names[ep_desc_id],
2808 ds->bEndpointAddress & USB_ENDPOINT_NUMBER_MASK);
2809 return -EINVAL;
2810 }
2811 ffs_ep->descs[ep_desc_id] = ds;
2812
2813 ffs_dump_mem(": Original ep desc", ds, ds->bLength);
2814 if (ffs_ep->ep) {
2815 ds->bEndpointAddress = ffs_ep->descs[0]->bEndpointAddress;
2816 if (!ds->wMaxPacketSize)
2817 ds->wMaxPacketSize = ffs_ep->descs[0]->wMaxPacketSize;
2818 } else {
2819 struct usb_request *req;
2820 struct usb_ep *ep;
2821 u8 bEndpointAddress;
2822 u16 wMaxPacketSize;
2823
2824 /*
2825 * We back up bEndpointAddress because autoconfig overwrites
2826 * it with physical endpoint address.
2827 */
2828 bEndpointAddress = ds->bEndpointAddress;
2829 /*
2830 * We back up wMaxPacketSize because autoconfig treats
2831 * endpoint descriptors as if they were full speed.
2832 */
2833 wMaxPacketSize = ds->wMaxPacketSize;
2834 pr_vdebug("autoconfig\n");
2835 ep = usb_ep_autoconfig(func->gadget, ds);
2836 if (!ep)
2837 return -ENOTSUPP;
2838 ep->driver_data = func->eps + idx;
2839
2840 req = usb_ep_alloc_request(ep, GFP_KERNEL);
2841 if (!req)
2842 return -ENOMEM;
2843
2844 ffs_ep->ep = ep;
2845 ffs_ep->req = req;
2846 func->eps_revmap[ds->bEndpointAddress &
2847 USB_ENDPOINT_NUMBER_MASK] = idx + 1;
2848 /*
2849 * If we use virtual address mapping, we restore
2850 * original bEndpointAddress value.
2851 */
2852 if (func->ffs->user_flags & FUNCTIONFS_VIRTUAL_ADDR)
2853 ds->bEndpointAddress = bEndpointAddress;
2854 /*
2855 * Restore wMaxPacketSize which was potentially
2856 * overwritten by autoconfig.
2857 */
2858 ds->wMaxPacketSize = wMaxPacketSize;
2859 }
2860 ffs_dump_mem(": Rewritten ep desc", ds, ds->bLength);
2861
2862 return 0;
2863}
2864
2865static int __ffs_func_bind_do_nums(enum ffs_entity_type type, u8 *valuep,
2866 struct usb_descriptor_header *desc,
2867 void *priv)
2868{
2869 struct ffs_function *func = priv;
2870 unsigned idx;
2871 u8 newValue;
2872
2873 switch (type) {
2874 default:
2875 case FFS_DESCRIPTOR:
2876 /* Handled in previous pass by __ffs_func_bind_do_descs() */
2877 return 0;
2878
2879 case FFS_INTERFACE:
2880 idx = *valuep;
2881 if (func->interfaces_nums[idx] < 0) {
2882 int id = usb_interface_id(func->conf, &func->function);
2883 if (id < 0)
2884 return id;
2885 func->interfaces_nums[idx] = id;
2886 }
2887 newValue = func->interfaces_nums[idx];
2888 break;
2889
2890 case FFS_STRING:
2891 /* String' IDs are allocated when fsf_data is bound to cdev */
2892 newValue = func->ffs->stringtabs[0]->strings[*valuep - 1].id;
2893 break;
2894
2895 case FFS_ENDPOINT:
2896 /*
2897 * USB_DT_ENDPOINT are handled in
2898 * __ffs_func_bind_do_descs().
2899 */
2900 if (desc->bDescriptorType == USB_DT_ENDPOINT)
2901 return 0;
2902
2903 idx = (*valuep & USB_ENDPOINT_NUMBER_MASK) - 1;
2904 if (!func->eps[idx].ep)
2905 return -EINVAL;
2906
2907 {
2908 struct usb_endpoint_descriptor **descs;
2909 descs = func->eps[idx].descs;
2910 newValue = descs[descs[0] ? 0 : 1]->bEndpointAddress;
2911 }
2912 break;
2913 }
2914
2915 pr_vdebug("%02x -> %02x\n", *valuep, newValue);
2916 *valuep = newValue;
2917 return 0;
2918}
2919
2920static int __ffs_func_bind_do_os_desc(enum ffs_os_desc_type type,
2921 struct usb_os_desc_header *h, void *data,
2922 unsigned len, void *priv)
2923{
2924 struct ffs_function *func = priv;
2925 u8 length = 0;
2926
2927 switch (type) {
2928 case FFS_OS_DESC_EXT_COMPAT: {
2929 struct usb_ext_compat_desc *desc = data;
2930 struct usb_os_desc_table *t;
2931
2932 t = &func->function.os_desc_table[desc->bFirstInterfaceNumber];
2933 t->if_id = func->interfaces_nums[desc->bFirstInterfaceNumber];
2934 memcpy(t->os_desc->ext_compat_id, &desc->CompatibleID,
2935 ARRAY_SIZE(desc->CompatibleID) +
2936 ARRAY_SIZE(desc->SubCompatibleID));
2937 length = sizeof(*desc);
2938 }
2939 break;
2940 case FFS_OS_DESC_EXT_PROP: {
2941 struct usb_ext_prop_desc *desc = data;
2942 struct usb_os_desc_table *t;
2943 struct usb_os_desc_ext_prop *ext_prop;
2944 char *ext_prop_name;
2945 char *ext_prop_data;
2946
2947 t = &func->function.os_desc_table[h->interface];
2948 t->if_id = func->interfaces_nums[h->interface];
2949
2950 ext_prop = func->ffs->ms_os_descs_ext_prop_avail;
2951 func->ffs->ms_os_descs_ext_prop_avail += sizeof(*ext_prop);
2952
2953 ext_prop->type = le32_to_cpu(desc->dwPropertyDataType);
2954 ext_prop->name_len = le16_to_cpu(desc->wPropertyNameLength);
2955 ext_prop->data_len = le32_to_cpu(*(__le32 *)
2956 usb_ext_prop_data_len_ptr(data, ext_prop->name_len));
2957 length = ext_prop->name_len + ext_prop->data_len + 14;
2958
2959 ext_prop_name = func->ffs->ms_os_descs_ext_prop_name_avail;
2960 func->ffs->ms_os_descs_ext_prop_name_avail +=
2961 ext_prop->name_len;
2962
2963 ext_prop_data = func->ffs->ms_os_descs_ext_prop_data_avail;
2964 func->ffs->ms_os_descs_ext_prop_data_avail +=
2965 ext_prop->data_len;
2966 memcpy(ext_prop_data,
2967 usb_ext_prop_data_ptr(data, ext_prop->name_len),
2968 ext_prop->data_len);
2969 /* unicode data reported to the host as "WCHAR"s */
2970 switch (ext_prop->type) {
2971 case USB_EXT_PROP_UNICODE:
2972 case USB_EXT_PROP_UNICODE_ENV:
2973 case USB_EXT_PROP_UNICODE_LINK:
2974 case USB_EXT_PROP_UNICODE_MULTI:
2975 ext_prop->data_len *= 2;
2976 break;
2977 }
2978 ext_prop->data = ext_prop_data;
2979
2980 memcpy(ext_prop_name, usb_ext_prop_name_ptr(data),
2981 ext_prop->name_len);
2982 /* property name reported to the host as "WCHAR"s */
2983 ext_prop->name_len *= 2;
2984 ext_prop->name = ext_prop_name;
2985
2986 t->os_desc->ext_prop_len +=
2987 ext_prop->name_len + ext_prop->data_len + 14;
2988 ++t->os_desc->ext_prop_count;
2989 list_add_tail(new: &ext_prop->entry, head: &t->os_desc->ext_prop);
2990 }
2991 break;
2992 default:
2993 pr_vdebug("unknown descriptor: %d\n", type);
2994 }
2995
2996 return length;
2997}
2998
2999static inline struct f_fs_opts *ffs_do_functionfs_bind(struct usb_function *f,
3000 struct usb_configuration *c)
3001{
3002 struct ffs_function *func = ffs_func_from_usb(f);
3003 struct f_fs_opts *ffs_opts =
3004 container_of(f->fi, struct f_fs_opts, func_inst);
3005 struct ffs_data *ffs_data;
3006 int ret;
3007
3008 /*
3009 * Legacy gadget triggers binding in functionfs_ready_callback,
3010 * which already uses locking; taking the same lock here would
3011 * cause a deadlock.
3012 *
3013 * Configfs-enabled gadgets however do need ffs_dev_lock.
3014 */
3015 if (!ffs_opts->no_configfs)
3016 ffs_dev_lock();
3017 ret = ffs_opts->dev->desc_ready ? 0 : -ENODEV;
3018 ffs_data = ffs_opts->dev->ffs_data;
3019 if (!ffs_opts->no_configfs)
3020 ffs_dev_unlock();
3021 if (ret)
3022 return ERR_PTR(error: ret);
3023
3024 func->ffs = ffs_data;
3025 func->conf = c;
3026 func->gadget = c->cdev->gadget;
3027
3028 /*
3029 * in drivers/usb/gadget/configfs.c:configfs_composite_bind()
3030 * configurations are bound in sequence with list_for_each_entry,
3031 * in each configuration its functions are bound in sequence
3032 * with list_for_each_entry, so we assume no race condition
3033 * with regard to ffs_opts->bound access
3034 */
3035 if (!ffs_opts->refcnt) {
3036 ret = functionfs_bind(ffs: func->ffs, cdev: c->cdev);
3037 if (ret)
3038 return ERR_PTR(error: ret);
3039 }
3040 ffs_opts->refcnt++;
3041 func->function.strings = func->ffs->stringtabs;
3042
3043 return ffs_opts;
3044}
3045
3046static int _ffs_func_bind(struct usb_configuration *c,
3047 struct usb_function *f)
3048{
3049 struct ffs_function *func = ffs_func_from_usb(f);
3050 struct ffs_data *ffs = func->ffs;
3051
3052 const int full = !!func->ffs->fs_descs_count;
3053 const int high = !!func->ffs->hs_descs_count;
3054 const int super = !!func->ffs->ss_descs_count;
3055
3056 int fs_len, hs_len, ss_len, ret, i;
3057 struct ffs_ep *eps_ptr;
3058
3059 /* Make it a single chunk, less management later on */
3060 vla_group(d);
3061 vla_item_with_sz(d, struct ffs_ep, eps, ffs->eps_count);
3062 vla_item_with_sz(d, struct usb_descriptor_header *, fs_descs,
3063 full ? ffs->fs_descs_count + 1 : 0);
3064 vla_item_with_sz(d, struct usb_descriptor_header *, hs_descs,
3065 high ? ffs->hs_descs_count + 1 : 0);
3066 vla_item_with_sz(d, struct usb_descriptor_header *, ss_descs,
3067 super ? ffs->ss_descs_count + 1 : 0);
3068 vla_item_with_sz(d, short, inums, ffs->interfaces_count);
3069 vla_item_with_sz(d, struct usb_os_desc_table, os_desc_table,
3070 c->cdev->use_os_string ? ffs->interfaces_count : 0);
3071 vla_item_with_sz(d, char[16], ext_compat,
3072 c->cdev->use_os_string ? ffs->interfaces_count : 0);
3073 vla_item_with_sz(d, struct usb_os_desc, os_desc,
3074 c->cdev->use_os_string ? ffs->interfaces_count : 0);
3075 vla_item_with_sz(d, struct usb_os_desc_ext_prop, ext_prop,
3076 ffs->ms_os_descs_ext_prop_count);
3077 vla_item_with_sz(d, char, ext_prop_name,
3078 ffs->ms_os_descs_ext_prop_name_len);
3079 vla_item_with_sz(d, char, ext_prop_data,
3080 ffs->ms_os_descs_ext_prop_data_len);
3081 vla_item_with_sz(d, char, raw_descs, ffs->raw_descs_length);
3082 char *vlabuf;
3083
3084 /* Has descriptors only for speeds gadget does not support */
3085 if (!(full | high | super))
3086 return -ENOTSUPP;
3087
3088 /* Allocate a single chunk, less management later on */
3089 vlabuf = kzalloc(vla_group_size(d), GFP_KERNEL);
3090 if (!vlabuf)
3091 return -ENOMEM;
3092
3093 ffs->ms_os_descs_ext_prop_avail = vla_ptr(vlabuf, d, ext_prop);
3094 ffs->ms_os_descs_ext_prop_name_avail =
3095 vla_ptr(vlabuf, d, ext_prop_name);
3096 ffs->ms_os_descs_ext_prop_data_avail =
3097 vla_ptr(vlabuf, d, ext_prop_data);
3098
3099 /* Copy descriptors */
3100 memcpy(vla_ptr(vlabuf, d, raw_descs), ffs->raw_descs,
3101 ffs->raw_descs_length);
3102
3103 memset(vla_ptr(vlabuf, d, inums), 0xff, d_inums__sz);
3104 eps_ptr = vla_ptr(vlabuf, d, eps);
3105 for (i = 0; i < ffs->eps_count; i++)
3106 eps_ptr[i].num = -1;
3107
3108 /* Save pointers
3109 * d_eps == vlabuf, func->eps used to kfree vlabuf later
3110 */
3111 func->eps = vla_ptr(vlabuf, d, eps);
3112 func->interfaces_nums = vla_ptr(vlabuf, d, inums);
3113
3114 /*
3115 * Go through all the endpoint descriptors and allocate
3116 * endpoints first, so that later we can rewrite the endpoint
3117 * numbers without worrying that it may be described later on.
3118 */
3119 if (full) {
3120 func->function.fs_descriptors = vla_ptr(vlabuf, d, fs_descs);
3121 fs_len = ffs_do_descs(count: ffs->fs_descs_count,
3122 vla_ptr(vlabuf, d, raw_descs),
3123 len: d_raw_descs__sz,
3124 entity: __ffs_func_bind_do_descs, priv: func);
3125 if (fs_len < 0) {
3126 ret = fs_len;
3127 goto error;
3128 }
3129 } else {
3130 fs_len = 0;
3131 }
3132
3133 if (high) {
3134 func->function.hs_descriptors = vla_ptr(vlabuf, d, hs_descs);
3135 hs_len = ffs_do_descs(count: ffs->hs_descs_count,
3136 vla_ptr(vlabuf, d, raw_descs) + fs_len,
3137 len: d_raw_descs__sz - fs_len,
3138 entity: __ffs_func_bind_do_descs, priv: func);
3139 if (hs_len < 0) {
3140 ret = hs_len;
3141 goto error;
3142 }
3143 } else {
3144 hs_len = 0;
3145 }
3146
3147 if (super) {
3148 func->function.ss_descriptors = func->function.ssp_descriptors =
3149 vla_ptr(vlabuf, d, ss_descs);
3150 ss_len = ffs_do_descs(count: ffs->ss_descs_count,
3151 vla_ptr(vlabuf, d, raw_descs) + fs_len + hs_len,
3152 len: d_raw_descs__sz - fs_len - hs_len,
3153 entity: __ffs_func_bind_do_descs, priv: func);
3154 if (ss_len < 0) {
3155 ret = ss_len;
3156 goto error;
3157 }
3158 } else {
3159 ss_len = 0;
3160 }
3161
3162 /*
3163 * Now handle interface numbers allocation and interface and
3164 * endpoint numbers rewriting. We can do that in one go
3165 * now.
3166 */
3167 ret = ffs_do_descs(count: ffs->fs_descs_count +
3168 (high ? ffs->hs_descs_count : 0) +
3169 (super ? ffs->ss_descs_count : 0),
3170 vla_ptr(vlabuf, d, raw_descs), len: d_raw_descs__sz,
3171 entity: __ffs_func_bind_do_nums, priv: func);
3172 if (ret < 0)
3173 goto error;
3174
3175 func->function.os_desc_table = vla_ptr(vlabuf, d, os_desc_table);
3176 if (c->cdev->use_os_string) {
3177 for (i = 0; i < ffs->interfaces_count; ++i) {
3178 struct usb_os_desc *desc;
3179
3180 desc = func->function.os_desc_table[i].os_desc =
3181 vla_ptr(vlabuf, d, os_desc) +
3182 i * sizeof(struct usb_os_desc);
3183 desc->ext_compat_id =
3184 vla_ptr(vlabuf, d, ext_compat) + i * 16;
3185 INIT_LIST_HEAD(list: &desc->ext_prop);
3186 }
3187 ret = ffs_do_os_descs(count: ffs->ms_os_descs_count,
3188 vla_ptr(vlabuf, d, raw_descs) +
3189 fs_len + hs_len + ss_len,
3190 len: d_raw_descs__sz - fs_len - hs_len -
3191 ss_len,
3192 entity: __ffs_func_bind_do_os_desc, priv: func);
3193 if (ret < 0)
3194 goto error;
3195 }
3196 func->function.os_desc_n =
3197 c->cdev->use_os_string ? ffs->interfaces_count : 0;
3198
3199 /* And we're done */
3200 ffs_event_add(ffs, type: FUNCTIONFS_BIND);
3201 return 0;
3202
3203error:
3204 /* XXX Do we need to release all claimed endpoints here? */
3205 return ret;
3206}
3207
3208static int ffs_func_bind(struct usb_configuration *c,
3209 struct usb_function *f)
3210{
3211 struct f_fs_opts *ffs_opts = ffs_do_functionfs_bind(f, c);
3212 struct ffs_function *func = ffs_func_from_usb(f);
3213 int ret;
3214
3215 if (IS_ERR(ptr: ffs_opts))
3216 return PTR_ERR(ptr: ffs_opts);
3217
3218 ret = _ffs_func_bind(c, f);
3219 if (ret && !--ffs_opts->refcnt)
3220 functionfs_unbind(ffs: func->ffs);
3221
3222 return ret;
3223}
3224
3225
3226/* Other USB function hooks *************************************************/
3227
3228static void ffs_reset_work(struct work_struct *work)
3229{
3230 struct ffs_data *ffs = container_of(work,
3231 struct ffs_data, reset_work);
3232 ffs_data_reset(ffs);
3233}
3234
3235static int ffs_func_set_alt(struct usb_function *f,
3236 unsigned interface, unsigned alt)
3237{
3238 struct ffs_function *func = ffs_func_from_usb(f);
3239 struct ffs_data *ffs = func->ffs;
3240 int ret = 0, intf;
3241
3242 if (alt != (unsigned)-1) {
3243 intf = ffs_func_revmap_intf(func, intf: interface);
3244 if (intf < 0)
3245 return intf;
3246 }
3247
3248 if (ffs->func)
3249 ffs_func_eps_disable(func: ffs->func);
3250
3251 if (ffs->state == FFS_DEACTIVATED) {
3252 ffs->state = FFS_CLOSING;
3253 INIT_WORK(&ffs->reset_work, ffs_reset_work);
3254 schedule_work(work: &ffs->reset_work);
3255 return -ENODEV;
3256 }
3257
3258 if (ffs->state != FFS_ACTIVE)
3259 return -ENODEV;
3260
3261 if (alt == (unsigned)-1) {
3262 ffs->func = NULL;
3263 ffs_event_add(ffs, type: FUNCTIONFS_DISABLE);
3264 return 0;
3265 }
3266
3267 ffs->func = func;
3268 ret = ffs_func_eps_enable(func);
3269 if (ret >= 0)
3270 ffs_event_add(ffs, type: FUNCTIONFS_ENABLE);
3271 return ret;
3272}
3273
3274static void ffs_func_disable(struct usb_function *f)
3275{
3276 ffs_func_set_alt(f, interface: 0, alt: (unsigned)-1);
3277}
3278
3279static int ffs_func_setup(struct usb_function *f,
3280 const struct usb_ctrlrequest *creq)
3281{
3282 struct ffs_function *func = ffs_func_from_usb(f);
3283 struct ffs_data *ffs = func->ffs;
3284 unsigned long flags;
3285 int ret;
3286
3287 pr_vdebug("creq->bRequestType = %02x\n", creq->bRequestType);
3288 pr_vdebug("creq->bRequest = %02x\n", creq->bRequest);
3289 pr_vdebug("creq->wValue = %04x\n", le16_to_cpu(creq->wValue));
3290 pr_vdebug("creq->wIndex = %04x\n", le16_to_cpu(creq->wIndex));
3291 pr_vdebug("creq->wLength = %04x\n", le16_to_cpu(creq->wLength));
3292
3293 /*
3294 * Most requests directed to interface go through here
3295 * (notable exceptions are set/get interface) so we need to
3296 * handle them. All other either handled by composite or
3297 * passed to usb_configuration->setup() (if one is set). No
3298 * matter, we will handle requests directed to endpoint here
3299 * as well (as it's straightforward). Other request recipient
3300 * types are only handled when the user flag FUNCTIONFS_ALL_CTRL_RECIP
3301 * is being used.
3302 */
3303 if (ffs->state != FFS_ACTIVE)
3304 return -ENODEV;
3305
3306 switch (creq->bRequestType & USB_RECIP_MASK) {
3307 case USB_RECIP_INTERFACE:
3308 ret = ffs_func_revmap_intf(func, le16_to_cpu(creq->wIndex));
3309 if (ret < 0)
3310 return ret;
3311 break;
3312
3313 case USB_RECIP_ENDPOINT:
3314 ret = ffs_func_revmap_ep(func, le16_to_cpu(creq->wIndex));
3315 if (ret < 0)
3316 return ret;
3317 if (func->ffs->user_flags & FUNCTIONFS_VIRTUAL_ADDR)
3318 ret = func->ffs->eps_addrmap[ret];
3319 break;
3320
3321 default:
3322 if (func->ffs->user_flags & FUNCTIONFS_ALL_CTRL_RECIP)
3323 ret = le16_to_cpu(creq->wIndex);
3324 else
3325 return -EOPNOTSUPP;
3326 }
3327
3328 spin_lock_irqsave(&ffs->ev.waitq.lock, flags);
3329 ffs->ev.setup = *creq;
3330 ffs->ev.setup.wIndex = cpu_to_le16(ret);
3331 __ffs_event_add(ffs, type: FUNCTIONFS_SETUP);
3332 spin_unlock_irqrestore(lock: &ffs->ev.waitq.lock, flags);
3333
3334 return creq->wLength == 0 ? USB_GADGET_DELAYED_STATUS : 0;
3335}
3336
3337static bool ffs_func_req_match(struct usb_function *f,
3338 const struct usb_ctrlrequest *creq,
3339 bool config0)
3340{
3341 struct ffs_function *func = ffs_func_from_usb(f);
3342
3343 if (config0 && !(func->ffs->user_flags & FUNCTIONFS_CONFIG0_SETUP))
3344 return false;
3345
3346 switch (creq->bRequestType & USB_RECIP_MASK) {
3347 case USB_RECIP_INTERFACE:
3348 return (ffs_func_revmap_intf(func,
3349 le16_to_cpu(creq->wIndex)) >= 0);
3350 case USB_RECIP_ENDPOINT:
3351 return (ffs_func_revmap_ep(func,
3352 le16_to_cpu(creq->wIndex)) >= 0);
3353 default:
3354 return (bool) (func->ffs->user_flags &
3355 FUNCTIONFS_ALL_CTRL_RECIP);
3356 }
3357}
3358
3359static void ffs_func_suspend(struct usb_function *f)
3360{
3361 ffs_event_add(ffs: ffs_func_from_usb(f)->ffs, type: FUNCTIONFS_SUSPEND);
3362}
3363
3364static void ffs_func_resume(struct usb_function *f)
3365{
3366 ffs_event_add(ffs: ffs_func_from_usb(f)->ffs, type: FUNCTIONFS_RESUME);
3367}
3368
3369
3370/* Endpoint and interface numbers reverse mapping ***************************/
3371
3372static int ffs_func_revmap_ep(struct ffs_function *func, u8 num)
3373{
3374 num = func->eps_revmap[num & USB_ENDPOINT_NUMBER_MASK];
3375 return num ? num : -EDOM;
3376}
3377
3378static int ffs_func_revmap_intf(struct ffs_function *func, u8 intf)
3379{
3380 short *nums = func->interfaces_nums;
3381 unsigned count = func->ffs->interfaces_count;
3382
3383 for (; count; --count, ++nums) {
3384 if (*nums >= 0 && *nums == intf)
3385 return nums - func->interfaces_nums;
3386 }
3387
3388 return -EDOM;
3389}
3390
3391
3392/* Devices management *******************************************************/
3393
3394static LIST_HEAD(ffs_devices);
3395
3396static struct ffs_dev *_ffs_do_find_dev(const char *name)
3397{
3398 struct ffs_dev *dev;
3399
3400 if (!name)
3401 return NULL;
3402
3403 list_for_each_entry(dev, &ffs_devices, entry) {
3404 if (strcmp(dev->name, name) == 0)
3405 return dev;
3406 }
3407
3408 return NULL;
3409}
3410
3411/*
3412 * ffs_lock must be taken by the caller of this function
3413 */
3414static struct ffs_dev *_ffs_get_single_dev(void)
3415{
3416 struct ffs_dev *dev;
3417
3418 if (list_is_singular(head: &ffs_devices)) {
3419 dev = list_first_entry(&ffs_devices, struct ffs_dev, entry);
3420 if (dev->single)
3421 return dev;
3422 }
3423
3424 return NULL;
3425}
3426
3427/*
3428 * ffs_lock must be taken by the caller of this function
3429 */
3430static struct ffs_dev *_ffs_find_dev(const char *name)
3431{
3432 struct ffs_dev *dev;
3433
3434 dev = _ffs_get_single_dev();
3435 if (dev)
3436 return dev;
3437
3438 return _ffs_do_find_dev(name);
3439}
3440
3441/* Configfs support *********************************************************/
3442
3443static inline struct f_fs_opts *to_ffs_opts(struct config_item *item)
3444{
3445 return container_of(to_config_group(item), struct f_fs_opts,
3446 func_inst.group);
3447}
3448
3449static void ffs_attr_release(struct config_item *item)
3450{
3451 struct f_fs_opts *opts = to_ffs_opts(item);
3452
3453 usb_put_function_instance(fi: &opts->func_inst);
3454}
3455
3456static struct configfs_item_operations ffs_item_ops = {
3457 .release = ffs_attr_release,
3458};
3459
3460static const struct config_item_type ffs_func_type = {
3461 .ct_item_ops = &ffs_item_ops,
3462 .ct_owner = THIS_MODULE,
3463};
3464
3465
3466/* Function registration interface ******************************************/
3467
3468static void ffs_free_inst(struct usb_function_instance *f)
3469{
3470 struct f_fs_opts *opts;
3471
3472 opts = to_f_fs_opts(fi: f);
3473 ffs_release_dev(ffs_dev: opts->dev);
3474 ffs_dev_lock();
3475 _ffs_free_dev(dev: opts->dev);
3476 ffs_dev_unlock();
3477 kfree(objp: opts);
3478}
3479
3480static int ffs_set_inst_name(struct usb_function_instance *fi, const char *name)
3481{
3482 if (strlen(name) >= sizeof_field(struct ffs_dev, name))
3483 return -ENAMETOOLONG;
3484 return ffs_name_dev(dev: to_f_fs_opts(fi)->dev, name);
3485}
3486
3487static struct usb_function_instance *ffs_alloc_inst(void)
3488{
3489 struct f_fs_opts *opts;
3490 struct ffs_dev *dev;
3491
3492 opts = kzalloc(size: sizeof(*opts), GFP_KERNEL);
3493 if (!opts)
3494 return ERR_PTR(error: -ENOMEM);
3495
3496 opts->func_inst.set_inst_name = ffs_set_inst_name;
3497 opts->func_inst.free_func_inst = ffs_free_inst;
3498 ffs_dev_lock();
3499 dev = _ffs_alloc_dev();
3500 ffs_dev_unlock();
3501 if (IS_ERR(ptr: dev)) {
3502 kfree(objp: opts);
3503 return ERR_CAST(ptr: dev);
3504 }
3505 opts->dev = dev;
3506 dev->opts = opts;
3507
3508 config_group_init_type_name(group: &opts->func_inst.group, name: "",
3509 type: &ffs_func_type);
3510 return &opts->func_inst;
3511}
3512
3513static void ffs_free(struct usb_function *f)
3514{
3515 kfree(objp: ffs_func_from_usb(f));
3516}
3517
3518static void ffs_func_unbind(struct usb_configuration *c,
3519 struct usb_function *f)
3520{
3521 struct ffs_function *func = ffs_func_from_usb(f);
3522 struct ffs_data *ffs = func->ffs;
3523 struct f_fs_opts *opts =
3524 container_of(f->fi, struct f_fs_opts, func_inst);
3525 struct ffs_ep *ep = func->eps;
3526 unsigned count = ffs->eps_count;
3527 unsigned long flags;
3528
3529 if (ffs->func == func) {
3530 ffs_func_eps_disable(func);
3531 ffs->func = NULL;
3532 }
3533
3534 /* Drain any pending AIO completions */
3535 drain_workqueue(wq: ffs->io_completion_wq);
3536
3537 ffs_event_add(ffs, type: FUNCTIONFS_UNBIND);
3538 if (!--opts->refcnt)
3539 functionfs_unbind(ffs);
3540
3541 /* cleanup after autoconfig */
3542 spin_lock_irqsave(&func->ffs->eps_lock, flags);
3543 while (count--) {
3544 if (ep->ep && ep->req)
3545 usb_ep_free_request(ep: ep->ep, req: ep->req);
3546 ep->req = NULL;
3547 ++ep;
3548 }
3549 spin_unlock_irqrestore(lock: &func->ffs->eps_lock, flags);
3550 kfree(objp: func->eps);
3551 func->eps = NULL;
3552 /*
3553 * eps, descriptors and interfaces_nums are allocated in the
3554 * same chunk so only one free is required.
3555 */
3556 func->function.fs_descriptors = NULL;
3557 func->function.hs_descriptors = NULL;
3558 func->function.ss_descriptors = NULL;
3559 func->function.ssp_descriptors = NULL;
3560 func->interfaces_nums = NULL;
3561
3562}
3563
3564static struct usb_function *ffs_alloc(struct usb_function_instance *fi)
3565{
3566 struct ffs_function *func;
3567
3568 func = kzalloc(size: sizeof(*func), GFP_KERNEL);
3569 if (!func)
3570 return ERR_PTR(error: -ENOMEM);
3571
3572 func->function.name = "Function FS Gadget";
3573
3574 func->function.bind = ffs_func_bind;
3575 func->function.unbind = ffs_func_unbind;
3576 func->function.set_alt = ffs_func_set_alt;
3577 func->function.disable = ffs_func_disable;
3578 func->function.setup = ffs_func_setup;
3579 func->function.req_match = ffs_func_req_match;
3580 func->function.suspend = ffs_func_suspend;
3581 func->function.resume = ffs_func_resume;
3582 func->function.free_func = ffs_free;
3583
3584 return &func->function;
3585}
3586
3587/*
3588 * ffs_lock must be taken by the caller of this function
3589 */
3590static struct ffs_dev *_ffs_alloc_dev(void)
3591{
3592 struct ffs_dev *dev;
3593 int ret;
3594
3595 if (_ffs_get_single_dev())
3596 return ERR_PTR(error: -EBUSY);
3597
3598 dev = kzalloc(size: sizeof(*dev), GFP_KERNEL);
3599 if (!dev)
3600 return ERR_PTR(error: -ENOMEM);
3601
3602 if (list_empty(head: &ffs_devices)) {
3603 ret = functionfs_init();
3604 if (ret) {
3605 kfree(objp: dev);
3606 return ERR_PTR(error: ret);
3607 }
3608 }
3609
3610 list_add(new: &dev->entry, head: &ffs_devices);
3611
3612 return dev;
3613}
3614
3615int ffs_name_dev(struct ffs_dev *dev, const char *name)
3616{
3617 struct ffs_dev *existing;
3618 int ret = 0;
3619
3620 ffs_dev_lock();
3621
3622 existing = _ffs_do_find_dev(name);
3623 if (!existing)
3624 strscpy(p: dev->name, q: name, ARRAY_SIZE(dev->name));
3625 else if (existing != dev)
3626 ret = -EBUSY;
3627
3628 ffs_dev_unlock();
3629
3630 return ret;
3631}
3632EXPORT_SYMBOL_GPL(ffs_name_dev);
3633
3634int ffs_single_dev(struct ffs_dev *dev)
3635{
3636 int ret;
3637
3638 ret = 0;
3639 ffs_dev_lock();
3640
3641 if (!list_is_singular(head: &ffs_devices))
3642 ret = -EBUSY;
3643 else
3644 dev->single = true;
3645
3646 ffs_dev_unlock();
3647 return ret;
3648}
3649EXPORT_SYMBOL_GPL(ffs_single_dev);
3650
3651/*
3652 * ffs_lock must be taken by the caller of this function
3653 */
3654static void _ffs_free_dev(struct ffs_dev *dev)
3655{
3656 list_del(entry: &dev->entry);
3657
3658 kfree(objp: dev);
3659 if (list_empty(head: &ffs_devices))
3660 functionfs_cleanup();
3661}
3662
3663static int ffs_acquire_dev(const char *dev_name, struct ffs_data *ffs_data)
3664{
3665 int ret = 0;
3666 struct ffs_dev *ffs_dev;
3667
3668 ffs_dev_lock();
3669
3670 ffs_dev = _ffs_find_dev(name: dev_name);
3671 if (!ffs_dev) {
3672 ret = -ENOENT;
3673 } else if (ffs_dev->mounted) {
3674 ret = -EBUSY;
3675 } else if (ffs_dev->ffs_acquire_dev_callback &&
3676 ffs_dev->ffs_acquire_dev_callback(ffs_dev)) {
3677 ret = -ENOENT;
3678 } else {
3679 ffs_dev->mounted = true;
3680 ffs_dev->ffs_data = ffs_data;
3681 ffs_data->private_data = ffs_dev;
3682 }
3683
3684 ffs_dev_unlock();
3685 return ret;
3686}
3687
3688static void ffs_release_dev(struct ffs_dev *ffs_dev)
3689{
3690 ffs_dev_lock();
3691
3692 if (ffs_dev && ffs_dev->mounted) {
3693 ffs_dev->mounted = false;
3694 if (ffs_dev->ffs_data) {
3695 ffs_dev->ffs_data->private_data = NULL;
3696 ffs_dev->ffs_data = NULL;
3697 }
3698
3699 if (ffs_dev->ffs_release_dev_callback)
3700 ffs_dev->ffs_release_dev_callback(ffs_dev);
3701 }
3702
3703 ffs_dev_unlock();
3704}
3705
3706static int ffs_ready(struct ffs_data *ffs)
3707{
3708 struct ffs_dev *ffs_obj;
3709 int ret = 0;
3710
3711 ffs_dev_lock();
3712
3713 ffs_obj = ffs->private_data;
3714 if (!ffs_obj) {
3715 ret = -EINVAL;
3716 goto done;
3717 }
3718 if (WARN_ON(ffs_obj->desc_ready)) {
3719 ret = -EBUSY;
3720 goto done;
3721 }
3722
3723 ffs_obj->desc_ready = true;
3724
3725 if (ffs_obj->ffs_ready_callback) {
3726 ret = ffs_obj->ffs_ready_callback(ffs);
3727 if (ret)
3728 goto done;
3729 }
3730
3731 set_bit(FFS_FL_CALL_CLOSED_CALLBACK, addr: &ffs->flags);
3732done:
3733 ffs_dev_unlock();
3734 return ret;
3735}
3736
3737static void ffs_closed(struct ffs_data *ffs)
3738{
3739 struct ffs_dev *ffs_obj;
3740 struct f_fs_opts *opts;
3741 struct config_item *ci;
3742
3743 ffs_dev_lock();
3744
3745 ffs_obj = ffs->private_data;
3746 if (!ffs_obj)
3747 goto done;
3748
3749 ffs_obj->desc_ready = false;
3750
3751 if (test_and_clear_bit(FFS_FL_CALL_CLOSED_CALLBACK, addr: &ffs->flags) &&
3752 ffs_obj->ffs_closed_callback)
3753 ffs_obj->ffs_closed_callback(ffs);
3754
3755 if (ffs_obj->opts)
3756 opts = ffs_obj->opts;
3757 else
3758 goto done;
3759
3760 if (opts->no_configfs || !opts->func_inst.group.cg_item.ci_parent
3761 || !kref_read(kref: &opts->func_inst.group.cg_item.ci_kref))
3762 goto done;
3763
3764 ci = opts->func_inst.group.cg_item.ci_parent->ci_parent;
3765 ffs_dev_unlock();
3766
3767 if (test_bit(FFS_FL_BOUND, &ffs->flags))
3768 unregister_gadget_item(item: ci);
3769 return;
3770done:
3771 ffs_dev_unlock();
3772}
3773
3774/* Misc helper functions ****************************************************/
3775
3776static int ffs_mutex_lock(struct mutex *mutex, unsigned nonblock)
3777{
3778 return nonblock
3779 ? mutex_trylock(lock: mutex) ? 0 : -EAGAIN
3780 : mutex_lock_interruptible(mutex);
3781}
3782
3783static char *ffs_prepare_buffer(const char __user *buf, size_t len)
3784{
3785 char *data;
3786
3787 if (!len)
3788 return NULL;
3789
3790 data = memdup_user(buf, len);
3791 if (IS_ERR(ptr: data))
3792 return data;
3793
3794 pr_vdebug("Buffer from user space:\n");
3795 ffs_dump_mem("", data, len);
3796
3797 return data;
3798}
3799
3800DECLARE_USB_FUNCTION_INIT(ffs, ffs_alloc_inst, ffs_alloc);
3801MODULE_LICENSE("GPL");
3802MODULE_AUTHOR("Michal Nazarewicz");
3803

source code of linux/drivers/usb/gadget/function/f_fs.c