diff options
Diffstat (limited to 'drivers/usb/gadget/function/f_fs.c')
| -rw-r--r-- | drivers/usb/gadget/function/f_fs.c | 160 | 
1 files changed, 137 insertions, 23 deletions
| diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c index 5c8429f23a89..e40d47d47d82 100644 --- a/drivers/usb/gadget/function/f_fs.c +++ b/drivers/usb/gadget/function/f_fs.c @@ -98,6 +98,9 @@ static int ffs_func_set_alt(struct usb_function *, unsigned, unsigned);  static void ffs_func_disable(struct usb_function *);  static int ffs_func_setup(struct usb_function *,  			  const struct usb_ctrlrequest *); +static bool ffs_func_req_match(struct usb_function *, +			       const struct usb_ctrlrequest *, +			       bool config0);  static void ffs_func_suspend(struct usb_function *);  static void ffs_func_resume(struct usb_function *); @@ -133,8 +136,60 @@ struct ffs_epfile {  	/*  	 * Buffer for holding data from partial reads which may happen since  	 * we’re rounding user read requests to a multiple of a max packet size. +	 * +	 * The pointer is initialised with NULL value and may be set by +	 * __ffs_epfile_read_data function to point to a temporary buffer. +	 * +	 * In normal operation, calls to __ffs_epfile_read_buffered will consume +	 * data from said buffer and eventually free it.  Importantly, while the +	 * function is using the buffer, it sets the pointer to NULL.  This is +	 * all right since __ffs_epfile_read_data and __ffs_epfile_read_buffered +	 * can never run concurrently (they are synchronised by epfile->mutex) +	 * so the latter will not assign a new value to the pointer. +	 * +	 * Meanwhile ffs_func_eps_disable frees the buffer (if the pointer is +	 * valid) and sets the pointer to READ_BUFFER_DROP value.  This special +	 * value is crux of the synchronisation between ffs_func_eps_disable and +	 * __ffs_epfile_read_data. +	 * +	 * Once __ffs_epfile_read_data is about to finish it will try to set the +	 * pointer back to its old value (as described above), but seeing as the +	 * pointer is not-NULL (namely READ_BUFFER_DROP) it will instead free +	 * the buffer. +	 * +	 * == State transitions == +	 * +	 * • ptr == NULL:  (initial state) +	 *   ◦ __ffs_epfile_read_buffer_free: go to ptr == DROP +	 *   ◦ __ffs_epfile_read_buffered:    nop +	 *   ◦ __ffs_epfile_read_data allocates temp buffer: go to ptr == buf +	 *   ◦ reading finishes:              n/a, not in ‘and reading’ state +	 * • ptr == DROP: +	 *   ◦ __ffs_epfile_read_buffer_free: nop +	 *   ◦ __ffs_epfile_read_buffered:    go to ptr == NULL +	 *   ◦ __ffs_epfile_read_data allocates temp buffer: free buf, nop +	 *   ◦ reading finishes:              n/a, not in ‘and reading’ state +	 * • ptr == buf: +	 *   ◦ __ffs_epfile_read_buffer_free: free buf, go to ptr == DROP +	 *   ◦ __ffs_epfile_read_buffered:    go to ptr == NULL and reading +	 *   ◦ __ffs_epfile_read_data:        n/a, __ffs_epfile_read_buffered +	 *                                    is always called first +	 *   ◦ reading finishes:              n/a, not in ‘and reading’ state +	 * • ptr == NULL and reading: +	 *   ◦ __ffs_epfile_read_buffer_free: go to ptr == DROP and reading +	 *   ◦ __ffs_epfile_read_buffered:    n/a, mutex is held +	 *   ◦ __ffs_epfile_read_data:        n/a, mutex is held +	 *   ◦ reading finishes and … +	 *     … all data read:               free buf, go to ptr == NULL +	 *     … otherwise:                   go to ptr == buf and reading +	 * • ptr == DROP and reading: +	 *   ◦ __ffs_epfile_read_buffer_free: nop +	 *   ◦ __ffs_epfile_read_buffered:    n/a, mutex is held +	 *   ◦ __ffs_epfile_read_data:        n/a, mutex is held +	 *   ◦ reading finishes:              free buf, go to ptr == DROP  	 */ -	struct ffs_buffer		*read_buffer;	/* P: epfile->mutex */ +	struct ffs_buffer		*read_buffer; +#define READ_BUFFER_DROP ((struct ffs_buffer *)ERR_PTR(-ESHUTDOWN))  	char				name[5]; @@ -733,25 +788,47 @@ static void ffs_epfile_async_io_complete(struct usb_ep *_ep,  	schedule_work(&io_data->work);  } +static void __ffs_epfile_read_buffer_free(struct ffs_epfile *epfile) +{ +	/* +	 * See comment in struct ffs_epfile for full read_buffer pointer +	 * synchronisation story. +	 */ +	struct ffs_buffer *buf = xchg(&epfile->read_buffer, READ_BUFFER_DROP); +	if (buf && buf != READ_BUFFER_DROP) +		kfree(buf); +} +  /* Assumes epfile->mutex is held. */  static ssize_t __ffs_epfile_read_buffered(struct ffs_epfile *epfile,  					  struct iov_iter *iter)  { -	struct ffs_buffer *buf = epfile->read_buffer; +	/* +	 * Null out epfile->read_buffer so ffs_func_eps_disable does not free +	 * the buffer while we are using it.  See comment in struct ffs_epfile +	 * for full read_buffer pointer synchronisation story. +	 */ +	struct ffs_buffer *buf = xchg(&epfile->read_buffer, NULL);  	ssize_t ret; -	if (!buf) +	if (!buf || buf == READ_BUFFER_DROP)  		return 0;  	ret = copy_to_iter(buf->data, buf->length, iter);  	if (buf->length == ret) {  		kfree(buf); -		epfile->read_buffer = NULL; -	} else if (unlikely(iov_iter_count(iter))) { +		return ret; +	} + +	if (unlikely(iov_iter_count(iter))) {  		ret = -EFAULT;  	} else {  		buf->length -= ret;  		buf->data += ret;  	} + +	if (cmpxchg(&epfile->read_buffer, NULL, buf)) +		kfree(buf); +  	return ret;  } @@ -780,7 +857,15 @@ static ssize_t __ffs_epfile_read_data(struct ffs_epfile *epfile,  	buf->length = data_len;  	buf->data = buf->storage;  	memcpy(buf->storage, data + ret, data_len); -	epfile->read_buffer = buf; + +	/* +	 * At this point read_buffer is NULL or READ_BUFFER_DROP (if +	 * ffs_func_eps_disable has been called in the meanwhile).  See comment +	 * in struct ffs_epfile for full read_buffer pointer synchronisation +	 * story. +	 */ +	if (unlikely(cmpxchg(&epfile->read_buffer, NULL, buf))) +		kfree(buf);  	return ret;  } @@ -1094,8 +1179,7 @@ ffs_epfile_release(struct inode *inode, struct file *file)  	ENTER(); -	kfree(epfile->read_buffer); -	epfile->read_buffer = NULL; +	__ffs_epfile_read_buffer_free(epfile);  	ffs_data_closed(epfile->ffs);  	return 0; @@ -1193,15 +1277,15 @@ ffs_sb_make_inode(struct super_block *sb, void *data,  	inode = new_inode(sb);  	if (likely(inode)) { -		struct timespec current_time = CURRENT_TIME; +		struct timespec ts = current_time(inode);  		inode->i_ino	 = get_next_ino();  		inode->i_mode    = perms->mode;  		inode->i_uid     = perms->uid;  		inode->i_gid     = perms->gid; -		inode->i_atime   = current_time; -		inode->i_mtime   = current_time; -		inode->i_ctime   = current_time; +		inode->i_atime   = ts; +		inode->i_mtime   = ts; +		inode->i_ctime   = ts;  		inode->i_private = data;  		if (fops)  			inode->i_fop = fops; @@ -1721,24 +1805,20 @@ static void ffs_func_eps_disable(struct ffs_function *func)  	unsigned count            = func->ffs->eps_count;  	unsigned long flags; +	spin_lock_irqsave(&func->ffs->eps_lock, flags);  	do { -		if (epfile) -			mutex_lock(&epfile->mutex); -		spin_lock_irqsave(&func->ffs->eps_lock, flags);  		/* pending requests get nuked */  		if (likely(ep->ep))  			usb_ep_disable(ep->ep);  		++ep; -		spin_unlock_irqrestore(&func->ffs->eps_lock, flags);  		if (epfile) {  			epfile->ep = NULL; -			kfree(epfile->read_buffer); -			epfile->read_buffer = NULL; -			mutex_unlock(&epfile->mutex); +			__ffs_epfile_read_buffer_free(epfile);  			++epfile;  		}  	} while (--count); +	spin_unlock_irqrestore(&func->ffs->eps_lock, flags);  }  static int ffs_func_eps_enable(struct ffs_function *func) @@ -2243,7 +2323,9 @@ static int __ffs_data_got_descs(struct ffs_data *ffs,  			      FUNCTIONFS_HAS_SS_DESC |  			      FUNCTIONFS_HAS_MS_OS_DESC |  			      FUNCTIONFS_VIRTUAL_ADDR | -			      FUNCTIONFS_EVENTFD)) { +			      FUNCTIONFS_EVENTFD | +			      FUNCTIONFS_ALL_CTRL_RECIP | +			      FUNCTIONFS_CONFIG0_SETUP)) {  			ret = -ENOSYS;  			goto error;  		} @@ -3094,8 +3176,9 @@ static int ffs_func_setup(struct usb_function *f,  	 * handle them.  All other either handled by composite or  	 * passed to usb_configuration->setup() (if one is set).  No  	 * matter, we will handle requests directed to endpoint here -	 * as well (as it's straightforward) but what to do with any -	 * other request? +	 * as well (as it's straightforward).  Other request recipient +	 * types are only handled when the user flag FUNCTIONFS_ALL_CTRL_RECIP +	 * is being used.  	 */  	if (ffs->state != FFS_ACTIVE)  		return -ENODEV; @@ -3116,7 +3199,10 @@ static int ffs_func_setup(struct usb_function *f,  		break;  	default: -		return -EOPNOTSUPP; +		if (func->ffs->user_flags & FUNCTIONFS_ALL_CTRL_RECIP) +			ret = le16_to_cpu(creq->wIndex); +		else +			return -EOPNOTSUPP;  	}  	spin_lock_irqsave(&ffs->ev.waitq.lock, flags); @@ -3128,6 +3214,28 @@ static int ffs_func_setup(struct usb_function *f,  	return 0;  } +static bool ffs_func_req_match(struct usb_function *f, +			       const struct usb_ctrlrequest *creq, +			       bool config0) +{ +	struct ffs_function *func = ffs_func_from_usb(f); + +	if (config0 && !(func->ffs->user_flags & FUNCTIONFS_CONFIG0_SETUP)) +		return false; + +	switch (creq->bRequestType & USB_RECIP_MASK) { +	case USB_RECIP_INTERFACE: +		return ffs_func_revmap_intf(func, +					    le16_to_cpu(creq->wIndex) >= 0); +	case USB_RECIP_ENDPOINT: +		return ffs_func_revmap_ep(func, +					  le16_to_cpu(creq->wIndex) >= 0); +	default: +		return (bool) (func->ffs->user_flags & +			       FUNCTIONFS_ALL_CTRL_RECIP); +	} +} +  static void ffs_func_suspend(struct usb_function *f)  {  	ENTER(); @@ -3378,6 +3486,7 @@ static struct usb_function *ffs_alloc(struct usb_function_instance *fi)  	func->function.set_alt = ffs_func_set_alt;  	func->function.disable = ffs_func_disable;  	func->function.setup   = ffs_func_setup; +	func->function.req_match = ffs_func_req_match;  	func->function.suspend = ffs_func_suspend;  	func->function.resume  = ffs_func_resume;  	func->function.free_func = ffs_free; @@ -3470,6 +3579,11 @@ static void _ffs_free_dev(struct ffs_dev *dev)  	list_del(&dev->entry);  	if (dev->name_allocated)  		kfree(dev->name); + +	/* Clear the private_data pointer to stop incorrect dev access */ +	if (dev->ffs_data) +		dev->ffs_data->private_data = NULL; +  	kfree(dev);  	if (list_empty(&ffs_devices))  		functionfs_cleanup(); |