]> git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/blob - drivers/usb/misc/iowarrior.c
projects / mirror_ubuntu-bionic-kernel.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
USB: iowarrior: fix use-after-free on disconnect
[mirror_ubuntu-bionic-kernel.git] / drivers / usb / misc / iowarrior.c
1 // SPDX-License-Identifier: GPL-2.0
2 /*
3 * Native support for the I/O-Warrior USB devices
4 *
5 * Copyright (c) 2003-2005 Code Mercenaries GmbH
6 * written by Christian Lucht <lucht@codemercs.com>
7 *
8 * based on
9
10 * usb-skeleton.c by Greg Kroah-Hartman <greg@kroah.com>
11 * brlvger.c by Stephane Dalton <sdalton@videotron.ca>
12 * and St�hane Doyon <s.doyon@videotron.ca>
13 *
14 * Released under the GPLv2.
15 */
16
17 #include <linux/module.h>
18 #include <linux/usb.h>
19 #include <linux/slab.h>
20 #include <linux/sched.h>
21 #include <linux/mutex.h>
22 #include <linux/poll.h>
23 #include <linux/usb/iowarrior.h>
24
25 #define DRIVER_AUTHOR "Christian Lucht <lucht@codemercs.com>"
26 #define DRIVER_DESC "USB IO-Warrior driver"
27
28 #define USB_VENDOR_ID_CODEMERCS 1984
29 /* low speed iowarrior */
30 #define USB_DEVICE_ID_CODEMERCS_IOW40 0x1500
31 #define USB_DEVICE_ID_CODEMERCS_IOW24 0x1501
32 #define USB_DEVICE_ID_CODEMERCS_IOWPV1 0x1511
33 #define USB_DEVICE_ID_CODEMERCS_IOWPV2 0x1512
34 /* full speed iowarrior */
35 #define USB_DEVICE_ID_CODEMERCS_IOW56 0x1503
36
37 /* Get a minor range for your devices from the usb maintainer */
38 #ifdef CONFIG_USB_DYNAMIC_MINORS
39 #define IOWARRIOR_MINOR_BASE 0
40 #else
41 #define IOWARRIOR_MINOR_BASE 208 // SKELETON_MINOR_BASE 192 + 16, not official yet
42 #endif
43
44 /* interrupt input queue size */
45 #define MAX_INTERRUPT_BUFFER 16
46 /*
47 maximum number of urbs that are submitted for writes at the same time,
48 this applies to the IOWarrior56 only!
49 IOWarrior24 and IOWarrior40 use synchronous usb_control_msg calls.
50 */
51 #define MAX_WRITES_IN_FLIGHT 4
52
53 MODULE_AUTHOR(DRIVER_AUTHOR);
54 MODULE_DESCRIPTION(DRIVER_DESC);
55 MODULE_LICENSE("GPL");
56
57 /* Module parameters */
58 static DEFINE_MUTEX(iowarrior_mutex);
59
60 static struct usb_driver iowarrior_driver;
61 static DEFINE_MUTEX(iowarrior_open_disc_lock);
62
63 /*--------------*/
64 /* data */
65 /*--------------*/
66
67 /* Structure to hold all of our device specific stuff */
68 struct iowarrior {
69 struct mutex mutex; /* locks this structure */
70 struct usb_device *udev; /* save off the usb device pointer */
71 struct usb_interface *interface; /* the interface for this device */
72 unsigned char minor; /* the starting minor number for this device */
73 struct usb_endpoint_descriptor *int_out_endpoint; /* endpoint for reading (needed for IOW56 only) */
74 struct usb_endpoint_descriptor *int_in_endpoint; /* endpoint for reading */
75 struct urb *int_in_urb; /* the urb for reading data */
76 unsigned char *int_in_buffer; /* buffer for data to be read */
77 unsigned char serial_number; /* to detect lost packages */
78 unsigned char *read_queue; /* size is MAX_INTERRUPT_BUFFER * packet size */
79 wait_queue_head_t read_wait;
80 wait_queue_head_t write_wait; /* wait-queue for writing to the device */
81 atomic_t write_busy; /* number of write-urbs submitted */
82 atomic_t read_idx;
83 atomic_t intr_idx;
84 spinlock_t intr_idx_lock; /* protects intr_idx */
85 atomic_t overflow_flag; /* signals an index 'rollover' */
86 int present; /* this is 1 as long as the device is connected */
87 int opened; /* this is 1 if the device is currently open */
88 char chip_serial[9]; /* the serial number string of the chip connected */
89 int report_size; /* number of bytes in a report */
90 u16 product_id;
91 };
92
93 /*--------------*/
94 /* globals */
95 /*--------------*/
96
97 /*
98 * USB spec identifies 5 second timeouts.
99 */
100 #define GET_TIMEOUT 5
101 #define USB_REQ_GET_REPORT 0x01
102 //#if 0
103 static int usb_get_report(struct usb_device *dev,
104 struct usb_host_interface *inter, unsigned char type,
105 unsigned char id, void *buf, int size)
106 {
107 return usb_control_msg(dev, usb_rcvctrlpipe(dev, 0),
108 USB_REQ_GET_REPORT,
109 USB_DIR_IN | USB_TYPE_CLASS |
110 USB_RECIP_INTERFACE, (type << 8) + id,
111 inter->desc.bInterfaceNumber, buf, size,
112 GET_TIMEOUT*HZ);
113 }
114 //#endif
115
116 #define USB_REQ_SET_REPORT 0x09
117
118 static int usb_set_report(struct usb_interface *intf, unsigned char type,
119 unsigned char id, void *buf, int size)
120 {
121 return usb_control_msg(interface_to_usbdev(intf),
122 usb_sndctrlpipe(interface_to_usbdev(intf), 0),
123 USB_REQ_SET_REPORT,
124 USB_TYPE_CLASS | USB_RECIP_INTERFACE,
125 (type << 8) + id,
126 intf->cur_altsetting->desc.bInterfaceNumber, buf,
127 size, HZ);
128 }
129
130 /*---------------------*/
131 /* driver registration */
132 /*---------------------*/
133 /* table of devices that work with this driver */
134 static const struct usb_device_id iowarrior_ids[] = {
135 {USB_DEVICE(USB_VENDOR_ID_CODEMERCS, USB_DEVICE_ID_CODEMERCS_IOW40)},
136 {USB_DEVICE(USB_VENDOR_ID_CODEMERCS, USB_DEVICE_ID_CODEMERCS_IOW24)},
137 {USB_DEVICE(USB_VENDOR_ID_CODEMERCS, USB_DEVICE_ID_CODEMERCS_IOWPV1)},
138 {USB_DEVICE(USB_VENDOR_ID_CODEMERCS, USB_DEVICE_ID_CODEMERCS_IOWPV2)},
139 {USB_DEVICE(USB_VENDOR_ID_CODEMERCS, USB_DEVICE_ID_CODEMERCS_IOW56)},
140 {} /* Terminating entry */
141 };
142 MODULE_DEVICE_TABLE(usb, iowarrior_ids);
143
144 /*
145 * USB callback handler for reading data
146 */
147 static void iowarrior_callback(struct urb *urb)
148 {
149 struct iowarrior *dev = urb->context;
150 int intr_idx;
151 int read_idx;
152 int aux_idx;
153 int offset;
154 int status = urb->status;
155 int retval;
156
157 switch (status) {
158 case 0:
159 /* success */
160 break;
161 case -ECONNRESET:
162 case -ENOENT:
163 case -ESHUTDOWN:
164 return;
165 default:
166 goto exit;
167 }
168
169 spin_lock(&dev->intr_idx_lock);
170 intr_idx = atomic_read(&dev->intr_idx);
171 /* aux_idx become previous intr_idx */
172 aux_idx = (intr_idx == 0) ? (MAX_INTERRUPT_BUFFER - 1) : (intr_idx - 1);
173 read_idx = atomic_read(&dev->read_idx);
174
175 /* queue is not empty and it's interface 0 */
176 if ((intr_idx != read_idx)
177 && (dev->interface->cur_altsetting->desc.bInterfaceNumber == 0)) {
178 /* + 1 for serial number */
179 offset = aux_idx * (dev->report_size + 1);
180 if (!memcmp
181 (dev->read_queue + offset, urb->transfer_buffer,
182 dev->report_size)) {
183 /* equal values on interface 0 will be ignored */
184 spin_unlock(&dev->intr_idx_lock);
185 goto exit;
186 }
187 }
188
189 /* aux_idx become next intr_idx */
190 aux_idx = (intr_idx == (MAX_INTERRUPT_BUFFER - 1)) ? 0 : (intr_idx + 1);
191 if (read_idx == aux_idx) {
192 /* queue full, dropping oldest input */
193 read_idx = (++read_idx == MAX_INTERRUPT_BUFFER) ? 0 : read_idx;
194 atomic_set(&dev->read_idx, read_idx);
195 atomic_set(&dev->overflow_flag, 1);
196 }
197
198 /* +1 for serial number */
199 offset = intr_idx * (dev->report_size + 1);
200 memcpy(dev->read_queue + offset, urb->transfer_buffer,
201 dev->report_size);
202 *(dev->read_queue + offset + (dev->report_size)) = dev->serial_number++;
203
204 atomic_set(&dev->intr_idx, aux_idx);
205 spin_unlock(&dev->intr_idx_lock);
206 /* tell the blocking read about the new data */
207 wake_up_interruptible(&dev->read_wait);
208
209 exit:
210 retval = usb_submit_urb(urb, GFP_ATOMIC);
211 if (retval)
212 dev_err(&dev->interface->dev, "%s - usb_submit_urb failed with result %d\n",
213 __func__, retval);
214
215 }
216
217 /*
218 * USB Callback handler for write-ops
219 */
220 static void iowarrior_write_callback(struct urb *urb)
221 {
222 struct iowarrior *dev;
223 int status = urb->status;
224
225 dev = urb->context;
226 /* sync/async unlink faults aren't errors */
227 if (status &&
228 !(status == -ENOENT ||
229 status == -ECONNRESET || status == -ESHUTDOWN)) {
230 dev_dbg(&dev->interface->dev,
231 "nonzero write bulk status received: %d\n", status);
232 }
233 /* free up our allocated buffer */
234 usb_free_coherent(urb->dev, urb->transfer_buffer_length,
235 urb->transfer_buffer, urb->transfer_dma);
236 /* tell a waiting writer the interrupt-out-pipe is available again */
237 atomic_dec(&dev->write_busy);
238 wake_up_interruptible(&dev->write_wait);
239 }
240
241 /**
242 * iowarrior_delete
243 */
244 static inline void iowarrior_delete(struct iowarrior *dev)
245 {
246 dev_dbg(&dev->interface->dev, "minor %d\n", dev->minor);
247 kfree(dev->int_in_buffer);
248 usb_free_urb(dev->int_in_urb);
249 kfree(dev->read_queue);
250 kfree(dev);
251 }
252
253 /*---------------------*/
254 /* fops implementation */
255 /*---------------------*/
256
257 static int read_index(struct iowarrior *dev)
258 {
259 int intr_idx, read_idx;
260
261 read_idx = atomic_read(&dev->read_idx);
262 intr_idx = atomic_read(&dev->intr_idx);
263
264 return (read_idx == intr_idx ? -1 : read_idx);
265 }
266
267 /**
268 * iowarrior_read
269 */
270 static ssize_t iowarrior_read(struct file *file, char __user *buffer,
271 size_t count, loff_t *ppos)
272 {
273 struct iowarrior *dev;
274 int read_idx;
275 int offset;
276
277 dev = file->private_data;
278
279 /* verify that the device wasn't unplugged */
280 if (!dev || !dev->present)
281 return -ENODEV;
282
283 dev_dbg(&dev->interface->dev, "minor %d, count = %zd\n",
284 dev->minor, count);
285
286 /* read count must be packet size (+ time stamp) */
287 if ((count != dev->report_size)
288 && (count != (dev->report_size + 1)))
289 return -EINVAL;
290
291 /* repeat until no buffer overrun in callback handler occur */
292 do {
293 atomic_set(&dev->overflow_flag, 0);
294 if ((read_idx = read_index(dev)) == -1) {
295 /* queue empty */
296 if (file->f_flags & O_NONBLOCK)
297 return -EAGAIN;
298 else {
299 //next line will return when there is either new data, or the device is unplugged
300 int r = wait_event_interruptible(dev->read_wait,
301 (!dev->present
302 || (read_idx =
303 read_index
304 (dev)) !=
305 -1));
306 if (r) {
307 //we were interrupted by a signal
308 return -ERESTART;
309 }
310 if (!dev->present) {
311 //The device was unplugged
312 return -ENODEV;
313 }
314 if (read_idx == -1) {
315 // Can this happen ???
316 return 0;
317 }
318 }
319 }
320
321 offset = read_idx * (dev->report_size + 1);
322 if (copy_to_user(buffer, dev->read_queue + offset, count)) {
323 return -EFAULT;
324 }
325 } while (atomic_read(&dev->overflow_flag));
326
327 read_idx = ++read_idx == MAX_INTERRUPT_BUFFER ? 0 : read_idx;
328 atomic_set(&dev->read_idx, read_idx);
329 return count;
330 }
331
332 /*
333 * iowarrior_write
334 */
335 static ssize_t iowarrior_write(struct file *file,
336 const char __user *user_buffer,
337 size_t count, loff_t *ppos)
338 {
339 struct iowarrior *dev;
340 int retval = 0;
341 char *buf = NULL; /* for IOW24 and IOW56 we need a buffer */
342 struct urb *int_out_urb = NULL;
343
344 dev = file->private_data;
345
346 mutex_lock(&dev->mutex);
347 /* verify that the device wasn't unplugged */
348 if (!dev->present) {
349 retval = -ENODEV;
350 goto exit;
351 }
352 dev_dbg(&dev->interface->dev, "minor %d, count = %zd\n",
353 dev->minor, count);
354 /* if count is 0 we're already done */
355 if (count == 0) {
356 retval = 0;
357 goto exit;
358 }
359 /* We only accept full reports */
360 if (count != dev->report_size) {
361 retval = -EINVAL;
362 goto exit;
363 }
364 switch (dev->product_id) {
365 case USB_DEVICE_ID_CODEMERCS_IOW24:
366 case USB_DEVICE_ID_CODEMERCS_IOWPV1:
367 case USB_DEVICE_ID_CODEMERCS_IOWPV2:
368 case USB_DEVICE_ID_CODEMERCS_IOW40:
369 /* IOW24 and IOW40 use a synchronous call */
370 buf = memdup_user(user_buffer, count);
371 if (IS_ERR(buf)) {
372 retval = PTR_ERR(buf);
373 goto exit;
374 }
375 retval = usb_set_report(dev->interface, 2, 0, buf, count);
376 kfree(buf);
377 goto exit;
378 break;
379 case USB_DEVICE_ID_CODEMERCS_IOW56:
380 /* The IOW56 uses asynchronous IO and more urbs */
381 if (atomic_read(&dev->write_busy) == MAX_WRITES_IN_FLIGHT) {
382 /* Wait until we are below the limit for submitted urbs */
383 if (file->f_flags & O_NONBLOCK) {
384 retval = -EAGAIN;
385 goto exit;
386 } else {
387 retval = wait_event_interruptible(dev->write_wait,
388 (!dev->present || (atomic_read (&dev-> write_busy) < MAX_WRITES_IN_FLIGHT)));
389 if (retval) {
390 /* we were interrupted by a signal */
391 retval = -ERESTART;
392 goto exit;
393 }
394 if (!dev->present) {
395 /* The device was unplugged */
396 retval = -ENODEV;
397 goto exit;
398 }
399 if (!dev->opened) {
400 /* We were closed while waiting for an URB */
401 retval = -ENODEV;
402 goto exit;
403 }
404 }
405 }
406 atomic_inc(&dev->write_busy);
407 int_out_urb = usb_alloc_urb(0, GFP_KERNEL);
408 if (!int_out_urb) {
409 retval = -ENOMEM;
410 goto error_no_urb;
411 }
412 buf = usb_alloc_coherent(dev->udev, dev->report_size,
413 GFP_KERNEL, &int_out_urb->transfer_dma);
414 if (!buf) {
415 retval = -ENOMEM;
416 dev_dbg(&dev->interface->dev,
417 "Unable to allocate buffer\n");
418 goto error_no_buffer;
419 }
420 usb_fill_int_urb(int_out_urb, dev->udev,
421 usb_sndintpipe(dev->udev,
422 dev->int_out_endpoint->bEndpointAddress),
423 buf, dev->report_size,
424 iowarrior_write_callback, dev,
425 dev->int_out_endpoint->bInterval);
426 int_out_urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP;
427 if (copy_from_user(buf, user_buffer, count)) {
428 retval = -EFAULT;
429 goto error;
430 }
431 retval = usb_submit_urb(int_out_urb, GFP_KERNEL);
432 if (retval) {
433 dev_dbg(&dev->interface->dev,
434 "submit error %d for urb nr.%d\n",
435 retval, atomic_read(&dev->write_busy));
436 goto error;
437 }
438 /* submit was ok */
439 retval = count;
440 usb_free_urb(int_out_urb);
441 goto exit;
442 break;
443 default:
444 /* what do we have here ? An unsupported Product-ID ? */
445 dev_err(&dev->interface->dev, "%s - not supported for product=0x%x\n",
446 __func__, dev->product_id);
447 retval = -EFAULT;
448 goto exit;
449 break;
450 }
451 error:
452 usb_free_coherent(dev->udev, dev->report_size, buf,
453 int_out_urb->transfer_dma);
454 error_no_buffer:
455 usb_free_urb(int_out_urb);
456 error_no_urb:
457 atomic_dec(&dev->write_busy);
458 wake_up_interruptible(&dev->write_wait);
459 exit:
460 mutex_unlock(&dev->mutex);
461 return retval;
462 }
463
464 /**
465 * iowarrior_ioctl
466 */
467 static long iowarrior_ioctl(struct file *file, unsigned int cmd,
468 unsigned long arg)
469 {
470 struct iowarrior *dev = NULL;
471 __u8 *buffer;
472 __u8 __user *user_buffer;
473 int retval;
474 int io_res; /* checks for bytes read/written and copy_to/from_user results */
475
476 dev = file->private_data;
477 if (!dev)
478 return -ENODEV;
479
480 buffer = kzalloc(dev->report_size, GFP_KERNEL);
481 if (!buffer)
482 return -ENOMEM;
483
484 /* lock this object */
485 mutex_lock(&iowarrior_mutex);
486 mutex_lock(&dev->mutex);
487
488 /* verify that the device wasn't unplugged */
489 if (!dev->present) {
490 retval = -ENODEV;
491 goto error_out;
492 }
493
494 dev_dbg(&dev->interface->dev, "minor %d, cmd 0x%.4x, arg %ld\n",
495 dev->minor, cmd, arg);
496
497 retval = 0;
498 io_res = 0;
499 switch (cmd) {
500 case IOW_WRITE:
501 if (dev->product_id == USB_DEVICE_ID_CODEMERCS_IOW24 ||
502 dev->product_id == USB_DEVICE_ID_CODEMERCS_IOWPV1 ||
503 dev->product_id == USB_DEVICE_ID_CODEMERCS_IOWPV2 ||
504 dev->product_id == USB_DEVICE_ID_CODEMERCS_IOW40) {
505 user_buffer = (__u8 __user *)arg;
506 io_res = copy_from_user(buffer, user_buffer,
507 dev->report_size);
508 if (io_res) {
509 retval = -EFAULT;
510 } else {
511 io_res = usb_set_report(dev->interface, 2, 0,
512 buffer,
513 dev->report_size);
514 if (io_res < 0)
515 retval = io_res;
516 }
517 } else {
518 retval = -EINVAL;
519 dev_err(&dev->interface->dev,
520 "ioctl 'IOW_WRITE' is not supported for product=0x%x.\n",
521 dev->product_id);
522 }
523 break;
524 case IOW_READ:
525 user_buffer = (__u8 __user *)arg;
526 io_res = usb_get_report(dev->udev,
527 dev->interface->cur_altsetting, 1, 0,
528 buffer, dev->report_size);
529 if (io_res < 0)
530 retval = io_res;
531 else {
532 io_res = copy_to_user(user_buffer, buffer, dev->report_size);
533 if (io_res)
534 retval = -EFAULT;
535 }
536 break;
537 case IOW_GETINFO:
538 {
539 /* Report available information for the device */
540 struct iowarrior_info info;
541 /* needed for power consumption */
542 struct usb_config_descriptor *cfg_descriptor = &dev->udev->actconfig->desc;
543
544 memset(&info, 0, sizeof(info));
545 /* directly from the descriptor */
546 info.vendor = le16_to_cpu(dev->udev->descriptor.idVendor);
547 info.product = dev->product_id;
548 info.revision = le16_to_cpu(dev->udev->descriptor.bcdDevice);
549
550 /* 0==UNKNOWN, 1==LOW(usb1.1) ,2=FULL(usb1.1), 3=HIGH(usb2.0) */
551 info.speed = dev->udev->speed;
552 info.if_num = dev->interface->cur_altsetting->desc.bInterfaceNumber;
553 info.report_size = dev->report_size;
554
555 /* serial number string has been read earlier 8 chars or empty string */
556 memcpy(info.serial, dev->chip_serial,
557 sizeof(dev->chip_serial));
558 if (cfg_descriptor == NULL) {
559 info.power = -1; /* no information available */
560 } else {
561 /* the MaxPower is stored in units of 2mA to make it fit into a byte-value */
562 info.power = cfg_descriptor->bMaxPower * 2;
563 }
564 io_res = copy_to_user((struct iowarrior_info __user *)arg, &info,
565 sizeof(struct iowarrior_info));
566 if (io_res)
567 retval = -EFAULT;
568 break;
569 }
570 default:
571 /* return that we did not understand this ioctl call */
572 retval = -ENOTTY;
573 break;
574 }
575 error_out:
576 /* unlock the device */
577 mutex_unlock(&dev->mutex);
578 mutex_unlock(&iowarrior_mutex);
579 kfree(buffer);
580 return retval;
581 }
582
583 /**
584 * iowarrior_open
585 */
586 static int iowarrior_open(struct inode *inode, struct file *file)
587 {
588 struct iowarrior *dev = NULL;
589 struct usb_interface *interface;
590 int subminor;
591 int retval = 0;
592
593 mutex_lock(&iowarrior_mutex);
594 subminor = iminor(inode);
595
596 interface = usb_find_interface(&iowarrior_driver, subminor);
597 if (!interface) {
598 mutex_unlock(&iowarrior_mutex);
599 printk(KERN_ERR "%s - error, can't find device for minor %d\n",
600 __func__, subminor);
601 return -ENODEV;
602 }
603
604 mutex_lock(&iowarrior_open_disc_lock);
605 dev = usb_get_intfdata(interface);
606 if (!dev) {
607 mutex_unlock(&iowarrior_open_disc_lock);
608 mutex_unlock(&iowarrior_mutex);
609 return -ENODEV;
610 }
611
612 mutex_lock(&dev->mutex);
613 mutex_unlock(&iowarrior_open_disc_lock);
614
615 /* Only one process can open each device, no sharing. */
616 if (dev->opened) {
617 retval = -EBUSY;
618 goto out;
619 }
620
621 /* setup interrupt handler for receiving values */
622 if ((retval = usb_submit_urb(dev->int_in_urb, GFP_KERNEL)) < 0) {
623 dev_err(&interface->dev, "Error %d while submitting URB\n", retval);
624 retval = -EFAULT;
625 goto out;
626 }
627 /* increment our usage count for the driver */
628 ++dev->opened;
629 /* save our object in the file's private structure */
630 file->private_data = dev;
631 retval = 0;
632
633 out:
634 mutex_unlock(&dev->mutex);
635 mutex_unlock(&iowarrior_mutex);
636 return retval;
637 }
638
639 /**
640 * iowarrior_release
641 */
642 static int iowarrior_release(struct inode *inode, struct file *file)
643 {
644 struct iowarrior *dev;
645 int retval = 0;
646
647 dev = file->private_data;
648 if (!dev)
649 return -ENODEV;
650
651 dev_dbg(&dev->interface->dev, "minor %d\n", dev->minor);
652
653 /* lock our device */
654 mutex_lock(&dev->mutex);
655
656 if (dev->opened <= 0) {
657 retval = -ENODEV; /* close called more than once */
658 mutex_unlock(&dev->mutex);
659 } else {
660 dev->opened = 0; /* we're closing now */
661 retval = 0;
662 if (dev->present) {
663 /*
664 The device is still connected so we only shutdown
665 pending read-/write-ops.
666 */
667 usb_kill_urb(dev->int_in_urb);
668 wake_up_interruptible(&dev->read_wait);
669 wake_up_interruptible(&dev->write_wait);
670 mutex_unlock(&dev->mutex);
671 } else {
672 /* The device was unplugged, cleanup resources */
673 mutex_unlock(&dev->mutex);
674 iowarrior_delete(dev);
675 }
676 }
677 return retval;
678 }
679
680 static unsigned iowarrior_poll(struct file *file, poll_table * wait)
681 {
682 struct iowarrior *dev = file->private_data;
683 unsigned int mask = 0;
684
685 if (!dev->present)
686 return POLLERR | POLLHUP;
687
688 poll_wait(file, &dev->read_wait, wait);
689 poll_wait(file, &dev->write_wait, wait);
690
691 if (!dev->present)
692 return POLLERR | POLLHUP;
693
694 if (read_index(dev) != -1)
695 mask |= POLLIN | POLLRDNORM;
696
697 if (atomic_read(&dev->write_busy) < MAX_WRITES_IN_FLIGHT)
698 mask |= POLLOUT | POLLWRNORM;
699 return mask;
700 }
701
702 /*
703 * File operations needed when we register this driver.
704 * This assumes that this driver NEEDS file operations,
705 * of course, which means that the driver is expected
706 * to have a node in the /dev directory. If the USB
707 * device were for a network interface then the driver
708 * would use "struct net_driver" instead, and a serial
709 * device would use "struct tty_driver".
710 */
711 static const struct file_operations iowarrior_fops = {
712 .owner = THIS_MODULE,
713 .write = iowarrior_write,
714 .read = iowarrior_read,
715 .unlocked_ioctl = iowarrior_ioctl,
716 .open = iowarrior_open,
717 .release = iowarrior_release,
718 .poll = iowarrior_poll,
719 .llseek = noop_llseek,
720 };
721
722 static char *iowarrior_devnode(struct device *dev, umode_t *mode)
723 {
724 return kasprintf(GFP_KERNEL, "usb/%s", dev_name(dev));
725 }
726
727 /*
728 * usb class driver info in order to get a minor number from the usb core,
729 * and to have the device registered with devfs and the driver core
730 */
731 static struct usb_class_driver iowarrior_class = {
732 .name = "iowarrior%d",
733 .devnode = iowarrior_devnode,
734 .fops = &iowarrior_fops,
735 .minor_base = IOWARRIOR_MINOR_BASE,
736 };
737
738 /*---------------------------------*/
739 /* probe and disconnect functions */
740 /*---------------------------------*/
741 /**
742 * iowarrior_probe
743 *
744 * Called by the usb core when a new device is connected that it thinks
745 * this driver might be interested in.
746 */
747 static int iowarrior_probe(struct usb_interface *interface,
748 const struct usb_device_id *id)
749 {
750 struct usb_device *udev = interface_to_usbdev(interface);
751 struct iowarrior *dev = NULL;
752 struct usb_host_interface *iface_desc;
753 int retval = -ENOMEM;
754 int res;
755
756 /* allocate memory for our device state and initialize it */
757 dev = kzalloc(sizeof(struct iowarrior), GFP_KERNEL);
758 if (!dev)
759 return retval;
760
761 mutex_init(&dev->mutex);
762
763 atomic_set(&dev->intr_idx, 0);
764 atomic_set(&dev->read_idx, 0);
765 spin_lock_init(&dev->intr_idx_lock);
766 atomic_set(&dev->overflow_flag, 0);
767 init_waitqueue_head(&dev->read_wait);
768 atomic_set(&dev->write_busy, 0);
769 init_waitqueue_head(&dev->write_wait);
770
771 dev->udev = udev;
772 dev->interface = interface;
773
774 iface_desc = interface->cur_altsetting;
775 dev->product_id = le16_to_cpu(udev->descriptor.idProduct);
776
777 res = usb_find_last_int_in_endpoint(iface_desc, &dev->int_in_endpoint);
778 if (res) {
779 dev_err(&interface->dev, "no interrupt-in endpoint found\n");
780 retval = res;
781 goto error;
782 }
783
784 if (dev->product_id == USB_DEVICE_ID_CODEMERCS_IOW56) {
785 res = usb_find_last_int_out_endpoint(iface_desc,
786 &dev->int_out_endpoint);
787 if (res) {
788 dev_err(&interface->dev, "no interrupt-out endpoint found\n");
789 retval = res;
790 goto error;
791 }
792 }
793
794 /* we have to check the report_size often, so remember it in the endianness suitable for our machine */
795 dev->report_size = usb_endpoint_maxp(dev->int_in_endpoint);
796 if ((dev->interface->cur_altsetting->desc.bInterfaceNumber == 0) &&
797 (dev->product_id == USB_DEVICE_ID_CODEMERCS_IOW56))
798 /* IOWarrior56 has wMaxPacketSize different from report size */
799 dev->report_size = 7;
800
801 /* create the urb and buffer for reading */
802 dev->int_in_urb = usb_alloc_urb(0, GFP_KERNEL);
803 if (!dev->int_in_urb)
804 goto error;
805 dev->int_in_buffer = kmalloc(dev->report_size, GFP_KERNEL);
806 if (!dev->int_in_buffer)
807 goto error;
808 usb_fill_int_urb(dev->int_in_urb, dev->udev,
809 usb_rcvintpipe(dev->udev,
810 dev->int_in_endpoint->bEndpointAddress),
811 dev->int_in_buffer, dev->report_size,
812 iowarrior_callback, dev,
813 dev->int_in_endpoint->bInterval);
814 /* create an internal buffer for interrupt data from the device */
815 dev->read_queue =
816 kmalloc(((dev->report_size + 1) * MAX_INTERRUPT_BUFFER),
817 GFP_KERNEL);
818 if (!dev->read_queue)
819 goto error;
820 /* Get the serial-number of the chip */
821 memset(dev->chip_serial, 0x00, sizeof(dev->chip_serial));
822 usb_string(udev, udev->descriptor.iSerialNumber, dev->chip_serial,
823 sizeof(dev->chip_serial));
824 if (strlen(dev->chip_serial) != 8)
825 memset(dev->chip_serial, 0x00, sizeof(dev->chip_serial));
826
827 /* Set the idle timeout to 0, if this is interface 0 */
828 if (dev->interface->cur_altsetting->desc.bInterfaceNumber == 0) {
829 usb_control_msg(udev, usb_sndctrlpipe(udev, 0),
830 0x0A,
831 USB_TYPE_CLASS | USB_RECIP_INTERFACE, 0,
832 0, NULL, 0, USB_CTRL_SET_TIMEOUT);
833 }
834 /* allow device read and ioctl */
835 dev->present = 1;
836
837 /* we can register the device now, as it is ready */
838 usb_set_intfdata(interface, dev);
839
840 retval = usb_register_dev(interface, &iowarrior_class);
841 if (retval) {
842 /* something prevented us from registering this driver */
843 dev_err(&interface->dev, "Not able to get a minor for this device.\n");
844 usb_set_intfdata(interface, NULL);
845 goto error;
846 }
847
848 dev->minor = interface->minor;
849
850 /* let the user know what node this device is now attached to */
851 dev_info(&interface->dev, "IOWarrior product=0x%x, serial=%s interface=%d "
852 "now attached to iowarrior%d\n", dev->product_id, dev->chip_serial,
853 iface_desc->desc.bInterfaceNumber, dev->minor - IOWARRIOR_MINOR_BASE);
854 return retval;
855
856 error:
857 iowarrior_delete(dev);
858 return retval;
859 }
860
861 /**
862 * iowarrior_disconnect
863 *
864 * Called by the usb core when the device is removed from the system.
865 */
866 static void iowarrior_disconnect(struct usb_interface *interface)
867 {
868 struct iowarrior *dev;
869 int minor;
870
871 dev = usb_get_intfdata(interface);
872 mutex_lock(&iowarrior_open_disc_lock);
873 usb_set_intfdata(interface, NULL);
874
875 minor = dev->minor;
876 mutex_unlock(&iowarrior_open_disc_lock);
877 /* give back our minor - this will call close() locks need to be dropped at this point*/
878
879 usb_deregister_dev(interface, &iowarrior_class);
880
881 mutex_lock(&dev->mutex);
882
883 /* prevent device read, write and ioctl */
884 dev->present = 0;
885
886 if (dev->opened) {
887 /* There is a process that holds a filedescriptor to the device ,
888 so we only shutdown read-/write-ops going on.
889 Deleting the device is postponed until close() was called.
890 */
891 usb_kill_urb(dev->int_in_urb);
892 wake_up_interruptible(&dev->read_wait);
893 wake_up_interruptible(&dev->write_wait);
894 mutex_unlock(&dev->mutex);
895 } else {
896 /* no process is using the device, cleanup now */
897 mutex_unlock(&dev->mutex);
898 iowarrior_delete(dev);
899 }
900
901 dev_info(&interface->dev, "I/O-Warror #%d now disconnected\n",
902 minor - IOWARRIOR_MINOR_BASE);
903 }
904
905 /* usb specific object needed to register this driver with the usb subsystem */
906 static struct usb_driver iowarrior_driver = {
907 .name = "iowarrior",
908 .probe = iowarrior_probe,
909 .disconnect = iowarrior_disconnect,
910 .id_table = iowarrior_ids,
911 };
912
913 module_usb_driver(iowarrior_driver);
ubuntu-bionic-kernel mirror