1/*
2 * Gadget Function Driver for MTP
3 *
4 * Copyright (C) 2010 Google, Inc.
5 * Author: Mike Lockwood <lockwood@android.com>
6 *
7 * This software is licensed under the terms of the GNU General Public
8 * License version 2, as published by the Free Software Foundation, and
9 * may be copied, distributed, and modified under those terms.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 */
17
18/* #define DEBUG */
19/* #define VERBOSE_DEBUG */
20
21#include <linux/module.h>
22#include <linux/init.h>
23#include <linux/poll.h>
24#include <linux/delay.h>
25#include <linux/wait.h>
26#include <linux/err.h>
27#include <linux/interrupt.h>
28
29#include <linux/types.h>
30#include <linux/file.h>
31#include <linux/device.h>
32#include <linux/miscdevice.h>
33
34#include <linux/usb.h>
35#include <linux/usb_usual.h>
36#include <linux/usb/ch9.h>
37#include <linux/usb/f_mtp.h>
38
/* Size of every bulk request buffer; mtp_read() also rejects reads larger
 * than this, and the file-transfer workers chunk their I/O to this size.
 */
#define MTP_BULK_BUFFER_SIZE       16384
/* Size of every interrupt request buffer; also used as the interrupt
 * endpoint's wMaxPacketSize and as the upper bound on an event's length.
 */
#define INTR_BUFFER_SIZE           28

/* String IDs */
#define INTERFACE_STRING_INDEX	0

/* values for mtp_dev.state */
#define STATE_OFFLINE               0   /* initial state, disconnected */
#define STATE_READY                 1   /* ready for userspace calls */
#define STATE_BUSY                  2   /* processing userspace calls */
#define STATE_CANCELED              3   /* transaction canceled by host */
#define STATE_ERROR                 4   /* error from completion routine */

/* number of tx and rx requests to allocate */
#define TX_REQ_MAX 4
#define RX_REQ_MAX 2
#define INTR_REQ_MAX 5

/* ID for Microsoft MTP OS String */
#define MTP_OS_STRING_ID   0xEE

/* MTP class requests (matched against ctrl->bRequest in mtp_ctrlrequest) */
#define MTP_REQ_CANCEL              0x64
#define MTP_REQ_GET_EXT_EVENT_DATA  0x65
#define MTP_REQ_RESET               0x66
#define MTP_REQ_GET_DEVICE_STATUS   0x67

/* constants for device status (wCode of struct mtp_device_status) */
#define MTP_RESPONSE_OK             0x2001
#define MTP_RESPONSE_DEVICE_BUSY    0x2019

/* name of the misc device node registered in mtp_setup() */
static const char mtp_shortname[] = "mtp_usb";
71
/*
 * Per-driver state for the MTP gadget function. A single instance is
 * allocated by mtp_setup() and published through _mtp_dev.
 */
struct mtp_dev {
	/* embedded function object; func_to_mtp() maps it back to the mtp_dev */
	struct usb_function function;
	struct usb_composite_dev *cdev;
	/* taken around the idle-list operations and most state transitions */
	spinlock_t lock;

	/* endpoints claimed in mtp_create_bulk_endpoints() */
	struct usb_ep *ep_in;
	struct usb_ep *ep_out;
	struct usb_ep *ep_intr;

	/* one of the STATE_* values */
	int state;

	/* synchronize access to our device file */
	atomic_t open_excl;
	/* to enforce only one ioctl at a time */
	atomic_t ioctl_excl;

	/* idle bulk-IN and interrupt requests, protected by lock */
	struct list_head tx_idle;
	struct list_head intr_idle;

	wait_queue_head_t read_wq;
	wait_queue_head_t write_wq;
	wait_queue_head_t intr_wq;
	/* bulk-OUT requests; freed in mtp_function_unbind() */
	struct usb_request *rx_req[RX_REQ_MAX];
	/* set to 1 by mtp_complete_out(), cleared before each OUT request is queued */
	int rx_done;

	/* for processing MTP_SEND_FILE, MTP_RECEIVE_FILE and
	 * MTP_SEND_FILE_WITH_HEADER ioctls on a work queue
	 */
	struct workqueue_struct *wq;
	struct work_struct send_file_work;
	struct work_struct receive_file_work;
	/*
	 * Transfer parameters handed from mtp_ioctl() to the work items.
	 * offset, length, command and transaction id are copied from the
	 * userspace struct mtp_file_range as-is; note that the length is signed.
	 */
	struct file *xfer_file;
	loff_t xfer_file_offset;
	int64_t xfer_file_length;
	unsigned xfer_send_header;
	uint16_t xfer_command;
	uint32_t xfer_transaction_id;
	/* result written by the work item and returned by mtp_ioctl() */
	int xfer_result;
};
111
/*
 * Interface descriptor used for the MTP configuration (vendor-specific
 * class). bInterfaceNumber and iInterface are patched at bind time by
 * mtp_function_bind() and mtp_bind_config().
 */
static struct usb_interface_descriptor mtp_interface_desc = {
	.bLength                = USB_DT_INTERFACE_SIZE,
	.bDescriptorType        = USB_DT_INTERFACE,
	.bInterfaceNumber       = 0,
	.bNumEndpoints          = 3,
	.bInterfaceClass        = USB_CLASS_VENDOR_SPEC,
	.bInterfaceSubClass     = USB_SUBCLASS_VENDOR_SPEC,
	.bInterfaceProtocol     = 0,
};

/*
 * Interface descriptor used for the PTP configuration (still-image class).
 * NOTE(review): the bind code in this file writes the allocated interface
 * number and string id only into mtp_interface_desc; this descriptor keeps
 * bInterfaceNumber 0 and no iInterface. Confirm that is intended.
 */
static struct usb_interface_descriptor ptp_interface_desc = {
	.bLength                = USB_DT_INTERFACE_SIZE,
	.bDescriptorType        = USB_DT_INTERFACE,
	.bInterfaceNumber       = 0,
	.bNumEndpoints          = 3,
	.bInterfaceClass        = USB_CLASS_STILL_IMAGE,
	.bInterfaceSubClass     = 1,
	.bInterfaceProtocol     = 1,
};
131
/*
 * Endpoint descriptors. bEndpointAddress initially carries only the
 * direction bit; mtp_function_bind() copies the full-speed addresses into
 * the high-speed descriptors after the endpoints have been claimed.
 */

/* high-speed bulk IN, 512-byte packets */
static struct usb_endpoint_descriptor mtp_highspeed_in_desc = {
	.bLength                = USB_DT_ENDPOINT_SIZE,
	.bDescriptorType        = USB_DT_ENDPOINT,
	.bEndpointAddress       = USB_DIR_IN,
	.bmAttributes           = USB_ENDPOINT_XFER_BULK,
	.wMaxPacketSize         = __constant_cpu_to_le16(512),
};

/* high-speed bulk OUT, 512-byte packets */
static struct usb_endpoint_descriptor mtp_highspeed_out_desc = {
	.bLength                = USB_DT_ENDPOINT_SIZE,
	.bDescriptorType        = USB_DT_ENDPOINT,
	.bEndpointAddress       = USB_DIR_OUT,
	.bmAttributes           = USB_ENDPOINT_XFER_BULK,
	.wMaxPacketSize         = __constant_cpu_to_le16(512),
};

/* full-speed bulk IN; wMaxPacketSize is not set here
 * (presumably filled in by usb_ep_autoconfig() -- confirm)
 */
static struct usb_endpoint_descriptor mtp_fullspeed_in_desc = {
	.bLength                = USB_DT_ENDPOINT_SIZE,
	.bDescriptorType        = USB_DT_ENDPOINT,
	.bEndpointAddress       = USB_DIR_IN,
	.bmAttributes           = USB_ENDPOINT_XFER_BULK,
};

/* full-speed bulk OUT; wMaxPacketSize is not set here */
static struct usb_endpoint_descriptor mtp_fullspeed_out_desc = {
	.bLength                = USB_DT_ENDPOINT_SIZE,
	.bDescriptorType        = USB_DT_ENDPOINT,
	.bEndpointAddress       = USB_DIR_OUT,
	.bmAttributes           = USB_ENDPOINT_XFER_BULK,
};

/* interrupt IN endpoint used for MTP events; shared by both speeds */
static struct usb_endpoint_descriptor mtp_intr_desc = {
	.bLength                = USB_DT_ENDPOINT_SIZE,
	.bDescriptorType        = USB_DT_ENDPOINT,
	.bEndpointAddress       = USB_DIR_IN,
	.bmAttributes           = USB_ENDPOINT_XFER_INT,
	.wMaxPacketSize         = __constant_cpu_to_le16(INTR_BUFFER_SIZE),
	.bInterval              = 6,
};
170
/*
 * NULL-terminated descriptor tables, one per speed (fs/hs) and personality
 * (MTP/PTP). mtp_bind_config() installs the MTP or the PTP pair depending
 * on its ptp_config argument. The tables differ only in the interface
 * descriptor and in the bulk endpoint descriptors for the given speed.
 */
static struct usb_descriptor_header *fs_mtp_descs[] = {
	(struct usb_descriptor_header *) &mtp_interface_desc,
	(struct usb_descriptor_header *) &mtp_fullspeed_in_desc,
	(struct usb_descriptor_header *) &mtp_fullspeed_out_desc,
	(struct usb_descriptor_header *) &mtp_intr_desc,
	NULL,
};

static struct usb_descriptor_header *hs_mtp_descs[] = {
	(struct usb_descriptor_header *) &mtp_interface_desc,
	(struct usb_descriptor_header *) &mtp_highspeed_in_desc,
	(struct usb_descriptor_header *) &mtp_highspeed_out_desc,
	(struct usb_descriptor_header *) &mtp_intr_desc,
	NULL,
};

static struct usb_descriptor_header *fs_ptp_descs[] = {
	(struct usb_descriptor_header *) &ptp_interface_desc,
	(struct usb_descriptor_header *) &mtp_fullspeed_in_desc,
	(struct usb_descriptor_header *) &mtp_fullspeed_out_desc,
	(struct usb_descriptor_header *) &mtp_intr_desc,
	NULL,
};

static struct usb_descriptor_header *hs_ptp_descs[] = {
	(struct usb_descriptor_header *) &ptp_interface_desc,
	(struct usb_descriptor_header *) &mtp_highspeed_in_desc,
	(struct usb_descriptor_header *) &mtp_highspeed_out_desc,
	(struct usb_descriptor_header *) &mtp_intr_desc,
	NULL,
};
202
/* String descriptors; the .id of the interface string is assigned in
 * mtp_bind_config() the first time it runs.
 */
static struct usb_string mtp_string_defs[] = {
	/* Naming interface "MTP" so libmtp will recognize us */
	[INTERFACE_STRING_INDEX].s	= "MTP",
	{  },	/* end of list */
};

/* the single string table, tagged en-US */
static struct usb_gadget_strings mtp_string_table = {
	.language		= 0x0409,	/* en-US */
	.strings		= mtp_string_defs,
};

/* NULL-terminated list of string tables handed to the function */
static struct usb_gadget_strings *mtp_strings[] = {
	&mtp_string_table,
	NULL,
};
218
/* Microsoft MTP OS String.
 * Returned by mtp_ctrlrequest() for a GET_DESCRIPTOR(string) request with
 * index MTP_OS_STRING_ID. The vendor code below (1) is the bRequest value
 * mtp_ctrlrequest() accepts for the extended configuration descriptor.
 */
static u8 mtp_os_string[] = {
	18, /* sizeof(mtp_os_string) */
	USB_DT_STRING,
	/* Signature field: "MSFT100" */
	'M', 0, 'S', 0, 'F', 0, 'T', 0, '1', 0, '0', 0, '0', 0,
	/* vendor code */
	1,
	/* padding */
	0
};
230
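/* Microsoft Extended Configuration Descriptor Header Section */
struct mtp_ext_config_desc_header {
	__le32	dwLength;
	/* initialised with cpu_to_le16() below, so typed as little-endian */
	__le16	bcdVersion;
	__le16	wIndex;
	__u8	bCount;
	__u8	reserved[7];
};

/* Microsoft Extended Configuration Descriptor Function Section */
struct mtp_ext_config_desc_function {
	__u8	bFirstInterfaceNumber;
	__u8	bInterfaceCount;
	__u8	compatibleID[8];
	__u8	subCompatibleID[8];
	__u8	reserved[6];
};

/* MTP Extended Configuration Descriptor.
 * Copied to the host by mtp_ctrlrequest() in answer to the vendor request
 * with wIndex 4 or 5, truncated to the requested length.
 */
struct {
	struct mtp_ext_config_desc_header	header;
	struct mtp_ext_config_desc_function    function;
} mtp_ext_config_desc = {
	.header = {
		.dwLength = __constant_cpu_to_le32(sizeof(mtp_ext_config_desc)),
		.bcdVersion = __constant_cpu_to_le16(0x0100),
		.wIndex = __constant_cpu_to_le16(4),
		/*
		 * bCount is a single byte: a 16-bit byte swap would store 0
		 * on a big-endian build, so assign the value directly.
		 */
		.bCount = 1,
	},
	.function = {
		.bFirstInterfaceNumber = 0,
		.bInterfaceCount = 1,
		.compatibleID = { 'M', 'T', 'P' },
	},
};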
266
/* Payload written into the ep0 buffer for MTP_REQ_GET_DEVICE_STATUS */
struct mtp_device_status {
	__le16	wLength;	/* set to sizeof(struct mtp_device_status) */
	__le16	wCode;		/* MTP_RESPONSE_OK or MTP_RESPONSE_DEVICE_BUSY */
};

/* temporary variable used between mtp_open() and mtp_gadget_bind() */
/* Set by mtp_setup(); also read by the completion handlers, mtp_release(),
 * mtp_ctrlrequest() and mtp_bind_config(), none of which check it for NULL.
 */
static struct mtp_dev *_mtp_dev;
274
/* Map an embedded usb_function back to the mtp_dev that contains it. */
static inline struct mtp_dev *func_to_mtp(struct usb_function *f)
{
	struct mtp_dev *owner = container_of(f, struct mtp_dev, function);

	return owner;
}
279
/*
 * Allocate a usb_request on @ep together with a data buffer of
 * @buffer_size bytes. Returns the request, or NULL if either allocation
 * fails (the request is released again when only the buffer fails).
 */
static struct usb_request *mtp_request_new(struct usb_ep *ep, int buffer_size)
{
	struct usb_request *request;

	request = usb_ep_alloc_request(ep, GFP_KERNEL);
	if (request == NULL)
		return NULL;

	/* attach the data buffer; on success we are done */
	request->buf = kmalloc(buffer_size, GFP_KERNEL);
	if (request->buf != NULL)
		return request;

	usb_ep_free_request(ep, request);
	return NULL;
}
295
/* Release a request created by mtp_request_new(); a NULL @req is ignored. */
static void mtp_request_free(struct usb_request *req, struct usb_ep *ep)
{
	if (req == NULL)
		return;

	kfree(req->buf);
	usb_ep_free_request(ep, req);
}
303
/*
 * Try to take the exclusion counter @excl without blocking.
 * Returns 0 if this caller raised it from 0 to 1, otherwise undoes the
 * increment and returns -1.
 */
static inline int mtp_lock(atomic_t *excl)
{
	if (atomic_inc_return(excl) != 1) {
		/* somebody else holds it: back out our increment */
		atomic_dec(excl);
		return -1;
	}

	return 0;
}
313
/* Drop the exclusion counter taken by a successful mtp_lock(). */
static inline void mtp_unlock(atomic_t *excl)
{
	/* a plain decrement; callers must only call this after mtp_lock() returned 0 */
	atomic_dec(excl);
}
318
/* Append @req to the idle list @head, holding dev->lock with IRQs off. */
static void mtp_req_put(struct mtp_dev *dev, struct list_head *head,
		struct usb_request *req)
{
	unsigned long irq_flags;

	spin_lock_irqsave(&dev->lock, irq_flags);
	list_add_tail(&req->list, head);
	spin_unlock_irqrestore(&dev->lock, irq_flags);
}
329
/*
 * Detach and return the first request on the idle list @head, or NULL if
 * the list is empty. dev->lock is held with IRQs off while the list is
 * touched.
 */
static struct usb_request
*mtp_req_get(struct mtp_dev *dev, struct list_head *head)
{
	struct usb_request *first = NULL;
	unsigned long irq_flags;

	spin_lock_irqsave(&dev->lock, irq_flags);
	if (!list_empty(head)) {
		first = list_first_entry(head, struct usb_request, list);
		list_del(&first->list);
	}
	spin_unlock_irqrestore(&dev->lock, irq_flags);

	return first;
}
347
/*
 * Completion handler for bulk-IN requests: flags an error state on a
 * non-zero status, returns the request to tx_idle and wakes writers.
 * The state is written without taking dev->lock.
 */
static void mtp_complete_in(struct usb_ep *ep, struct usb_request *req)
{
	struct mtp_dev *mtp = _mtp_dev;

	if (req->status)
		mtp->state = STATE_ERROR;

	/* the request is idle again, let a waiting writer pick it up */
	mtp_req_put(mtp, &mtp->tx_idle, req);
	wake_up(&mtp->write_wq);
}
359
/*
 * Completion handler for bulk-OUT requests: marks the read as done,
 * flags an error state on a non-zero status and wakes readers.
 * Neither field is written under dev->lock.
 */
static void mtp_complete_out(struct usb_ep *ep, struct usb_request *req)
{
	struct mtp_dev *mtp = _mtp_dev;

	mtp->rx_done = 1;
	if (req->status)
		mtp->state = STATE_ERROR;

	wake_up(&mtp->read_wq);
}
370
/*
 * Completion handler for interrupt (event) requests: flags an error state
 * on a non-zero status, returns the request to intr_idle and wakes any
 * sender waiting in mtp_send_event().
 */
static void mtp_complete_intr(struct usb_ep *ep, struct usb_request *req)
{
	struct mtp_dev *mtp = _mtp_dev;

	if (req->status)
		mtp->state = STATE_ERROR;

	/* the request is idle again, let a waiting sender pick it up */
	mtp_req_put(mtp, &mtp->intr_idle, req);
	wake_up(&mtp->intr_wq);
}
382
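/*
 * Claim the bulk IN, bulk OUT and interrupt endpoints described by
 * @in_desc, @out_desc and @intr_desc, then allocate the request pools:
 * TX_REQ_MAX bulk-IN requests on tx_idle, RX_REQ_MAX bulk-OUT requests in
 * rx_req[], and INTR_REQ_MAX interrupt requests on intr_idle.
 *
 * Returns 0 on success, -ENODEV if an endpoint cannot be claimed, or
 * -ENOMEM if a request cannot be allocated. On -ENOMEM every request
 * allocated by this call is released again, because the only other place
 * in this file that frees them is mtp_function_unbind(). The endpoint
 * claims themselves are left in place, as before.
 */
static int mtp_create_bulk_endpoints(struct mtp_dev *dev,
				struct usb_endpoint_descriptor *in_desc,
				struct usb_endpoint_descriptor *out_desc,
				struct usb_endpoint_descriptor *intr_desc)
{
	struct usb_composite_dev *cdev = dev->cdev;
	struct usb_request *req;
	struct usb_ep *ep;
	int rx_allocated = 0;
	int i;

	DBG(cdev, "create_bulk_endpoints dev: %p\n", dev);

	ep = usb_ep_autoconfig(cdev->gadget, in_desc);
	if (!ep) {
		DBG(cdev, "usb_ep_autoconfig for ep_in failed\n");
		return -ENODEV;
	}
	DBG(cdev, "usb_ep_autoconfig for ep_in got %s\n", ep->name);
	ep->driver_data = dev;		/* claim the endpoint */
	dev->ep_in = ep;

	ep = usb_ep_autoconfig(cdev->gadget, out_desc);
	if (!ep) {
		DBG(cdev, "usb_ep_autoconfig for ep_out failed\n");
		return -ENODEV;
	}
	DBG(cdev, "usb_ep_autoconfig for mtp ep_out got %s\n", ep->name);
	ep->driver_data = dev;		/* claim the endpoint */
	dev->ep_out = ep;

	/*
	 * NOTE(review): this second autoconfig of out_desc repeats the block
	 * above and overwrites dev->ep_out, so the endpoint claimed first
	 * stays claimed but is never used. It looks like a copy/paste
	 * leftover; kept as-is until it is confirmed that no controller
	 * depends on the resulting endpoint numbering.
	 */
	ep = usb_ep_autoconfig(cdev->gadget, out_desc);
	if (!ep) {
		DBG(cdev, "usb_ep_autoconfig for ep_out failed\n");
		return -ENODEV;
	}
	DBG(cdev, "usb_ep_autoconfig for mtp ep_out got %s\n", ep->name);
	ep->driver_data = dev;		/* claim the endpoint */
	dev->ep_out = ep;

	ep = usb_ep_autoconfig(cdev->gadget, intr_desc);
	if (!ep) {
		DBG(cdev, "usb_ep_autoconfig for ep_intr failed\n");
		return -ENODEV;
	}
	DBG(cdev, "usb_ep_autoconfig for mtp ep_intr got %s\n", ep->name);
	ep->driver_data = dev;		/* claim the endpoint */
	dev->ep_intr = ep;

	/* now allocate requests for our endpoints */
	for (i = 0; i < TX_REQ_MAX; i++) {
		req = mtp_request_new(dev->ep_in, MTP_BULK_BUFFER_SIZE);
		if (!req)
			goto fail;
		req->complete = mtp_complete_in;
		mtp_req_put(dev, &dev->tx_idle, req);
	}
	for (i = 0; i < RX_REQ_MAX; i++) {
		req = mtp_request_new(dev->ep_out, MTP_BULK_BUFFER_SIZE);
		if (!req)
			goto fail;
		req->complete = mtp_complete_out;
		dev->rx_req[i] = req;
		rx_allocated = i + 1;
	}
	for (i = 0; i < INTR_REQ_MAX; i++) {
		req = mtp_request_new(dev->ep_intr, INTR_BUFFER_SIZE);
		if (!req)
			goto fail;
		req->complete = mtp_complete_intr;
		mtp_req_put(dev, &dev->intr_idle, req);
	}

	return 0;

fail:
	printk(KERN_ERR "mtp_bind() could not allocate requests\n");

	/* give back whatever this call managed to allocate */
	while ((req = mtp_req_get(dev, &dev->tx_idle)))
		mtp_request_free(req, dev->ep_in);
	/*
	 * Only touch the rx slots filled above: slots beyond rx_allocated
	 * may still hold pointers from an earlier bind/unbind cycle.
	 */
	for (i = 0; i < rx_allocated; i++) {
		mtp_request_free(dev->rx_req[i], dev->ep_out);
		dev->rx_req[i] = NULL;
	}
	while ((req = mtp_req_get(dev, &dev->intr_idle)))
		mtp_request_free(req, dev->ep_intr);

	/* report the allocation failure as such (-1 would read as -EPERM) */
	return -ENOMEM;
}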
460
/*
 * read() handler for /dev/mtp_usb: receive one bulk-OUT transfer of at
 * most @count bytes and copy it to @buf.
 *
 * @count must not exceed MTP_BULK_BUFFER_SIZE, which is the size of the
 * rx request buffers allocated in mtp_create_bulk_endpoints(); together
 * with the min() on req->actual below, that bounds the copy_to_user().
 *
 * Returns the number of bytes copied, -EINVAL for an oversized @count,
 * -ECANCELED if the host canceled the transaction, -EIO on a queue or
 * transfer error, -EFAULT if the copy to userspace fails, or the error
 * from an interrupted wait.
 *
 * NOTE(review): nothing here excludes a concurrent mtp_write() or
 * mtp_ioctl() on the same device; they share dev->state and rx_req[0].
 */
static ssize_t mtp_read(struct file *fp, char __user *buf,
	size_t count, loff_t *pos)
{
	struct mtp_dev *dev = fp->private_data;
	struct usb_composite_dev *cdev = dev->cdev;
	struct usb_request *req;
	/* r is assigned before the bound check; count is known to fit an
	 * int on every path that returns r
	 */
	int r = count, xfer;
	int ret = 0;

	/* NOTE(review): count is a size_t but is printed with %d */
	DBG(cdev, "mtp_read(%d)\n", count);

	if (count > MTP_BULK_BUFFER_SIZE)
		return -EINVAL;

	/* we will block until we're online */
	DBG(cdev, "mtp_read: waiting for online state\n");
	ret = wait_event_interruptible(dev->read_wq,
		dev->state != STATE_OFFLINE);
	if (ret < 0) {
		r = ret;
		goto done;
	}
	spin_lock_irq(&dev->lock);
	if (dev->state == STATE_CANCELED) {
		/* report cancelation to userspace */
		dev->state = STATE_READY;
		spin_unlock_irq(&dev->lock);
		return -ECANCELED;
	}
	dev->state = STATE_BUSY;
	spin_unlock_irq(&dev->lock);

requeue_req:
	/* queue a request */
	req = dev->rx_req[0];
	req->length = count;
	dev->rx_done = 0;
	ret = usb_ep_queue(dev->ep_out, req, GFP_KERNEL);
	if (ret < 0) {
		r = -EIO;
		goto done;
	} else {
		DBG(cdev, "rx %p queue\n", req);
	}

	/* wait for a request to complete */
	ret = wait_event_interruptible(dev->read_wq, dev->rx_done);
	if (ret < 0) {
		r = ret;
		/* NOTE(review): we return right after asking for the dequeue;
		 * whether the completion handler can still run afterwards is
		 * not visible from this file -- confirm.
		 */
		usb_ep_dequeue(dev->ep_out, req);
		goto done;
	}
	/* state is sampled here without dev->lock */
	if (dev->state == STATE_BUSY) {
		/* If we got a 0-len packet, throw it back and try again. */
		if (req->actual == 0)
			goto requeue_req;

		DBG(cdev, "rx %p %d\n", req, req->actual);
		/* never copy more than the caller asked for */
		xfer = (req->actual < count) ? req->actual : count;
		r = xfer;
		if (copy_to_user(buf, req->buf, xfer))
			r = -EFAULT;
	} else
		r = -EIO;

done:
	/* a cancel overrides whatever result we had; otherwise go back to
	 * READY unless the function went offline in the meantime
	 */
	spin_lock_irq(&dev->lock);
	if (dev->state == STATE_CANCELED)
		r = -ECANCELED;
	else if (dev->state != STATE_OFFLINE)
		dev->state = STATE_READY;
	spin_unlock_irq(&dev->lock);

	DBG(cdev, "mtp_read returning %d\n", r);
	return r;
}
537
/*
 * write() handler for /dev/mtp_usb: send @count bytes from @buf to the
 * host over the bulk-IN endpoint, in chunks of at most
 * MTP_BULK_BUFFER_SIZE (the size of each tx request buffer), followed by
 * a zero-length packet when @count is a multiple of the endpoint's
 * maxpacket.
 *
 * Returns @count (as an int) on success, -ECANCELED if the host canceled
 * the transaction, -ENODEV when offline, -EIO on a transfer error,
 * -EFAULT if the copy from userspace fails, or the wait result if no idle
 * request could be obtained.
 */
static ssize_t mtp_write(struct file *fp, const char __user *buf,
	size_t count, loff_t *pos)
{
	struct mtp_dev *dev = fp->private_data;
	struct usb_composite_dev *cdev = dev->cdev;
	struct usb_request *req = 0;
	/* NOTE(review): count (size_t) is narrowed to int for the return
	 * value; presumably the VFS caps count below INT_MAX -- confirm
	 */
	int r = count, xfer;
	int sendZLP = 0;
	int ret;

	/* NOTE(review): count is a size_t but is printed with %d */
	DBG(cdev, "mtp_write(%d)\n", count);

	spin_lock_irq(&dev->lock);
	if (dev->state == STATE_CANCELED) {
		/* report cancelation to userspace */
		dev->state = STATE_READY;
		spin_unlock_irq(&dev->lock);
		return -ECANCELED;
	}
	if (dev->state == STATE_OFFLINE) {
		spin_unlock_irq(&dev->lock);
		return -ENODEV;
	}
	dev->state = STATE_BUSY;
	spin_unlock_irq(&dev->lock);

	/* we need to send a zero length packet to signal the end of transfer
	 * if the transfer size is aligned to a packet boundary.
	 */
	/* the mask test assumes maxpacket is a power of two */
	if ((count & (dev->ep_in->maxpacket - 1)) == 0)
		sendZLP = 1;

	while (count > 0 || sendZLP) {
		/* so we exit after sending ZLP */
		if (count == 0)
			sendZLP = 0;

		if (dev->state != STATE_BUSY) {
			DBG(cdev, "mtp_write dev->error\n");
			r = -EIO;
			break;
		}

		/* get an idle tx request to use */
		req = 0;
		ret = wait_event_interruptible(dev->write_wq,
			((req = mtp_req_get(dev, &dev->tx_idle))
				|| dev->state != STATE_BUSY));
		if (!req) {
			/* NOTE(review): if the wait ended because the state
			 * changed rather than by a signal, ret is 0 and so
			 * is r -- confirm that is the intended result
			 */
			r = ret;
			break;
		}

		/* clamp each chunk to the request buffer size */
		if (count > MTP_BULK_BUFFER_SIZE)
			xfer = MTP_BULK_BUFFER_SIZE;
		else
			xfer = count;
		if (xfer && copy_from_user(req->buf, buf, xfer)) {
			r = -EFAULT;
			break;
		}

		req->length = xfer;
		ret = usb_ep_queue(dev->ep_in, req, GFP_KERNEL);
		if (ret < 0) {
			DBG(cdev, "mtp_write: xfer error %d\n", ret);
			r = -EIO;
			break;
		}

		buf += xfer;
		count -= xfer;

		/* zero this so we don't try to free it on error exit */
		req = 0;
	}

	/* a request taken but never queued goes back on the idle list */
	if (req)
		mtp_req_put(dev, &dev->tx_idle, req);

	spin_lock_irq(&dev->lock);
	if (dev->state == STATE_CANCELED)
		r = -ECANCELED;
	else if (dev->state != STATE_OFFLINE)
		dev->state = STATE_READY;
	spin_unlock_irq(&dev->lock);

	DBG(cdev, "mtp_write returning %d\n", r);
	return r;
}
628
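/*
 * Work item: read from a local file and write to USB.
 *
 * Runs on dev->wq on behalf of the MTP_SEND_FILE and
 * MTP_SEND_FILE_WITH_HEADER ioctls. The file, offset and length are taken
 * from dev->xfer_file, xfer_file_offset and xfer_file_length, which
 * mtp_ioctl() fills from a userspace-supplied struct. Data is read with
 * vfs_read() into the tx request buffers (MTP_BULK_BUFFER_SIZE bytes each)
 * and queued on the bulk-IN endpoint; when xfer_send_header is set, an
 * MTP data header is placed in front of the first chunk.
 *
 * The result (0 or a negative errno) is stored in dev->xfer_result.
 */
static void send_file_work(struct work_struct *data)
{
	struct mtp_dev *dev = container_of(data, struct mtp_dev,
						send_file_work);
	struct usb_composite_dev *cdev = dev->cdev;
	struct usb_request *req = NULL;
	struct mtp_data_header *header;
	struct file *filp;
	loff_t offset;
	int64_t count;
	int xfer, ret, hdr_size;
	int r = 0;
	int sendZLP = 0;

	/* read our parameters */
	smp_rmb();
	filp = dev->xfer_file;
	offset = dev->xfer_file_offset;
	count = dev->xfer_file_length;

	DBG(cdev, "send_file_work(%lld %lld)\n", offset, count);

	/*
	 * The length comes from userspace unchecked and is signed. A
	 * negative value passes the "count > MTP_BULK_BUFFER_SIZE" clamp
	 * below and is then narrowed into the int xfer, which would no
	 * longer be bounded by the request buffer size. Reject it here.
	 */
	if (count < 0) {
		r = -EINVAL;
		goto out;
	}

	if (dev->xfer_send_header) {
		hdr_size = sizeof(struct mtp_data_header);
		count += hdr_size;
	} else {
		hdr_size = 0;
	}

	/* we need to send a zero length packet to signal the end of transfer
	 * if the transfer size is aligned to a packet boundary.
	 */
	if ((count & (dev->ep_in->maxpacket - 1)) == 0)
		sendZLP = 1;

	while (count > 0 || sendZLP) {
		/* so we exit after sending ZLP */
		if (count == 0)
			sendZLP = 0;

		/* get an idle tx request to use */
		req = NULL;
		ret = wait_event_interruptible(dev->write_wq,
			(req = mtp_req_get(dev, &dev->tx_idle))
			|| dev->state != STATE_BUSY);
		if (dev->state == STATE_CANCELED) {
			r = -ECANCELED;
			break;
		}
		if (!req) {
			r = ret;
			break;
		}

		/* clamp each chunk to the request buffer size */
		if (count > MTP_BULK_BUFFER_SIZE)
			xfer = MTP_BULK_BUFFER_SIZE;
		else
			xfer = count;

		if (hdr_size) {
			/* prepend MTP data header */
			header = (struct mtp_data_header *)req->buf;
			/* the 32-bit length field holds only the low 32 bits of count */
			header->length = __cpu_to_le32(count);
			header->type = __cpu_to_le16(2); /* data packet */
			header->command = __cpu_to_le16(dev->xfer_command);
			header->transaction_id =
					__cpu_to_le32(dev->xfer_transaction_id);
		}

		/*
		 * NOTE(review): a short or zero-byte read leaves count above
		 * zero, so the loop keeps going; confirm callers never pass
		 * a length that runs past the end of the file.
		 */
		ret = vfs_read(filp, req->buf + hdr_size, xfer - hdr_size,
								&offset);
		if (ret < 0) {
			r = ret;
			break;
		}
		xfer = ret + hdr_size;
		/* the header is only sent with the first chunk */
		hdr_size = 0;

		req->length = xfer;
		ret = usb_ep_queue(dev->ep_in, req, GFP_KERNEL);
		if (ret < 0) {
			DBG(cdev, "send_file_work: xfer error %d\n", ret);
			dev->state = STATE_ERROR;
			r = -EIO;
			break;
		}

		count -= xfer;

		/* zero this so we don't try to free it on error exit */
		req = NULL;
	}

out:
	/* a request taken but never queued goes back on the idle list */
	if (req)
		mtp_req_put(dev, &dev->tx_idle, req);

	DBG(cdev, "send_file_work returning %d\n", r);
	/* write the result */
	dev->xfer_result = r;
	smp_wmb();
}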
731
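/*
 * Work item: read from USB and write to a local file.
 *
 * Runs on dev->wq on behalf of the MTP_RECEIVE_FILE ioctl. The file,
 * offset and length are taken from dev->xfer_file, xfer_file_offset and
 * xfer_file_length, which mtp_ioctl() fills from a userspace-supplied
 * struct. The two rx requests are used alternately so that one buffer can
 * be written to the file while the next read is in flight.
 *
 * The result (0 or a negative errno) is stored in dev->xfer_result.
 */
static void receive_file_work(struct work_struct *data)
{
	struct mtp_dev *dev = container_of(data, struct mtp_dev,
						receive_file_work);
	struct usb_composite_dev *cdev = dev->cdev;
	struct usb_request *read_req = NULL, *write_req = NULL;
	struct file *filp;
	loff_t offset;
	int64_t count;
	int ret, cur_buf = 0;
	int r = 0;

	/* read our parameters */
	smp_rmb();
	filp = dev->xfer_file;
	offset = dev->xfer_file_offset;
	count = dev->xfer_file_length;

	DBG(cdev, "receive_file_work(%lld)\n", count);

	/*
	 * The length comes from userspace unchecked and is signed. A
	 * negative value used to skip the loop and report success without
	 * transferring anything; report it as an invalid argument instead,
	 * matching the check in send_file_work().
	 */
	if (count < 0) {
		r = -EINVAL;
		goto out;
	}

	while (count > 0 || write_req) {
		if (count > 0) {
			/* queue a request */
			read_req = dev->rx_req[cur_buf];
			cur_buf = (cur_buf + 1) % RX_REQ_MAX;

			/* never ask for more than one request buffer holds */
			read_req->length = (count > MTP_BULK_BUFFER_SIZE
					? MTP_BULK_BUFFER_SIZE : count);
			dev->rx_done = 0;
			ret = usb_ep_queue(dev->ep_out, read_req, GFP_KERNEL);
			if (ret < 0) {
				r = -EIO;
				dev->state = STATE_ERROR;
				break;
			}
		}

		if (write_req) {
			DBG(cdev, "rx %p %d\n", write_req, write_req->actual);
			ret = vfs_write(filp, write_req->buf, write_req->actual,
				&offset);
			DBG(cdev, "vfs_write %d\n", ret);
			/* a short write is treated as an I/O error */
			if (ret != write_req->actual) {
				r = -EIO;
				dev->state = STATE_ERROR;
				break;
			}
			write_req = NULL;
		}

		if (read_req) {
			/* wait for our last read to complete */
			ret = wait_event_interruptible(dev->read_wq,
				dev->rx_done || dev->state != STATE_BUSY);
			if (dev->state == STATE_CANCELED) {
				r = -ECANCELED;
				if (!dev->rx_done)
					usb_ep_dequeue(dev->ep_out, read_req);
				break;
			}
			/*
			 * NOTE(review): if the wait ended for another reason
			 * than completion or cancel (a signal, or a state
			 * other than BUSY/CANCELED), read_req->actual is
			 * used below although the request may not have
			 * completed -- confirm this cannot happen.
			 */
			/* if xfer_file_length is 0xFFFFFFFF, then we read until
			 * we get a zero length packet
			 */
			if (count != 0xFFFFFFFF)
				count -= read_req->actual;
			if (read_req->actual < read_req->length) {
				/*
				 * short packet is used to signal EOF for
				 * sizes > 4 gig
				 */
				DBG(cdev, "got short packet\n");
				count = 0;
			}

			/* hand the filled buffer to the write half of the loop */
			write_req = read_req;
			read_req = NULL;
		}
	}

out:
	DBG(cdev, "receive_file_work returning %d\n", r);
	/* write the result */
	dev->xfer_result = r;
	smp_wmb();
}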
817
/*
 * Send one MTP event to the host on the interrupt endpoint.
 *
 * @event was already copied in from userspace by mtp_ioctl(); its data
 * pointer is still a user pointer and its length is checked against
 * INTR_BUFFER_SIZE (the size of each interrupt request buffer) before the
 * payload is copied.
 *
 * Returns 0 on success, -EINVAL for a bad length, -ENODEV when offline,
 * -ETIME if no idle request became available, -EFAULT if the payload
 * cannot be copied, or the error from usb_ep_queue().
 */
static int mtp_send_event(struct mtp_dev *dev, struct mtp_event *event)
{
	struct usb_request *req = NULL;
	int len = event->length;
	int ret;

	DBG(dev->cdev, "mtp_send_event(%d)\n", event->length);

	if (len < 0 || len > INTR_BUFFER_SIZE)
		return -EINVAL;
	if (dev->state == STATE_OFFLINE)
		return -ENODEV;

	/* wait up to one second for an idle interrupt request */
	ret = wait_event_interruptible_timeout(dev->intr_wq,
			(req = mtp_req_get(dev, &dev->intr_idle)),
			msecs_to_jiffies(1000));
	if (req == NULL)
		return -ETIME;

	if (copy_from_user(req->buf, (void __user *)event->data, len)) {
		ret = -EFAULT;
		goto put_back;
	}

	req->length = len;
	ret = usb_ep_queue(dev->ep_intr, req, GFP_KERNEL);
	if (ret == 0)
		return 0;

put_back:
	/* the request was not queued, so it is still ours to recycle */
	mtp_req_put(dev, &dev->intr_idle, req);
	return ret;
}
848
/*
 * ioctl handler for /dev/mtp_usb.
 *
 * MTP_SEND_FILE, MTP_SEND_FILE_WITH_HEADER and MTP_RECEIVE_FILE copy a
 * struct mtp_file_range from userspace, take a reference on the file
 * behind its fd, and run the transfer synchronously on dev->wq.
 * MTP_SEND_EVENT copies a struct mtp_event from userspace and passes it
 * to mtp_send_event().
 *
 * Only one ioctl runs at a time (ioctl_excl); a second caller gets -EBUSY.
 * Returns the transfer/event result, -ECANCELED, -ENODEV, -EFAULT, -EBADF,
 * or -EINVAL for an unrecognised code.
 */
static long mtp_ioctl(struct file *fp, unsigned code, unsigned long value)
{
	struct mtp_dev *dev = fp->private_data;
	struct file *filp = NULL;
	int ret = -EINVAL;

	if (mtp_lock(&dev->ioctl_excl))
		return -EBUSY;

	/*
	 * NOTE(review): a code that matches no case leaves the switch and
	 * runs the fail: block below, which can reset dev->state to
	 * STATE_READY. mtp_read()/mtp_write() do not take ioctl_excl, so
	 * confirm this cannot disturb a transfer that is in progress.
	 */
	switch (code) {
	case MTP_SEND_FILE:
	case MTP_RECEIVE_FILE:
	case MTP_SEND_FILE_WITH_HEADER:
	{
		struct mtp_file_range	mfr;
		struct work_struct *work;

		spin_lock_irq(&dev->lock);
		if (dev->state == STATE_CANCELED) {
			/* report cancelation to userspace */
			dev->state = STATE_READY;
			spin_unlock_irq(&dev->lock);
			ret = -ECANCELED;
			goto out;
		}
		if (dev->state == STATE_OFFLINE) {
			spin_unlock_irq(&dev->lock);
			ret = -ENODEV;
			goto out;
		}
		dev->state = STATE_BUSY;
		spin_unlock_irq(&dev->lock);

		if (copy_from_user(&mfr, (void __user *)value, sizeof(mfr))) {
			ret = -EFAULT;
			goto fail;
		}
		/* hold a reference to the file while we are working with it */
		filp = fget(mfr.fd);
		if (!filp) {
			ret = -EBADF;
			goto fail;
		}

		/* write the parameters */
		/* offset and length are stored exactly as userspace supplied
		 * them; no range check is made here
		 */
		dev->xfer_file = filp;
		dev->xfer_file_offset = mfr.offset;
		dev->xfer_file_length = mfr.length;
		smp_wmb();

		/* NOTE(review): the header fields below are written after
		 * the barrier above; presumably queue_work() orders them
		 * before the worker runs -- confirm
		 */
		if (code == MTP_SEND_FILE_WITH_HEADER) {
			work = &dev->send_file_work;
			dev->xfer_send_header = 1;
			dev->xfer_command = mfr.command;
			dev->xfer_transaction_id = mfr.transaction_id;
		} else if (code == MTP_SEND_FILE) {
			work = &dev->send_file_work;
			dev->xfer_send_header = 0;
		} else {
			work = &dev->receive_file_work;
		}

		/* We do the file transfer on a work queue so it will run
		 * in kernel context, which is necessary for vfs_read and
		 * vfs_write to use our buffers in the kernel address space.
		 */
		queue_work(dev->wq, work);
		/* wait for operation to complete */
		flush_workqueue(dev->wq);
		/* the worker has finished, so the file reference can go */
		fput(filp);

		/* read the result */
		smp_rmb();
		ret = dev->xfer_result;
		break;
	}
	case MTP_SEND_EVENT:
	{
		struct mtp_event	event;
		/* return here so we don't change dev->state below,
		 * which would interfere with bulk transfer state.
		 */
		if (copy_from_user(&event, (void __user *)value, sizeof(event)))
			ret = -EFAULT;
		else
			ret = mtp_send_event(dev, &event);
		goto out;
	}
	}

fail:
	/* reached after a file transfer (success or failure) and for an
	 * unrecognised code: a cancel overrides the result, otherwise the
	 * state returns to READY unless the function went offline
	 */
	spin_lock_irq(&dev->lock);
	if (dev->state == STATE_CANCELED)
		ret = -ECANCELED;
	else if (dev->state != STATE_OFFLINE)
		dev->state = STATE_READY;
	spin_unlock_irq(&dev->lock);
out:
	mtp_unlock(&dev->ioctl_excl);
	DBG(dev->cdev, "ioctl returning %d\n", ret);
	return ret;
}
951
/*
 * open() handler for /dev/mtp_usb. Only one opener is allowed at a time
 * (open_excl); a second open fails with -EBUSY. Any state other than
 * STATE_OFFLINE is reset to STATE_READY, and the global device is stored
 * in fp->private_data for the other file operations.
 */
static int mtp_open(struct inode *ip, struct file *fp)
{
	struct mtp_dev *mtp;

	printk(KERN_INFO "mtp_open\n");

	mtp = _mtp_dev;
	if (mtp_lock(&mtp->open_excl) != 0)
		return -EBUSY;

	/* a fresh open clears a leftover error/cancel condition */
	if (mtp->state != STATE_OFFLINE)
		mtp->state = STATE_READY;

	fp->private_data = mtp;
	return 0;
}
965
/* release() handler for /dev/mtp_usb: lets the next opener in. */
static int mtp_release(struct inode *ip, struct file *fp)
{
	struct mtp_dev *mtp;

	printk(KERN_INFO "mtp_release\n");

	/* pairs with the mtp_lock() taken in mtp_open() */
	mtp = _mtp_dev;
	mtp_unlock(&mtp->open_excl);
	return 0;
}
973
/* file operations for /dev/mtp_usb */
/* mtp_open() admits a single opener; mtp_ioctl() admits a single ioctl at
 * a time. No compat_ioctl handler is installed.
 */
static const struct file_operations mtp_fops = {
	.owner = THIS_MODULE,
	.read = mtp_read,
	.write = mtp_write,
	.unlocked_ioctl = mtp_ioctl,
	.open = mtp_open,
	.release = mtp_release,
};

/* misc device registered by mtp_setup(); the minor number is dynamic and
 * the node is named after mtp_shortname
 */
static struct miscdevice mtp_device = {
	.minor = MISC_DYNAMIC_MINOR,
	.name = mtp_shortname,
	.fops = &mtp_fops,
};
989
/*
 * Handle the ep0 control requests this function understands:
 *   - GET_DESCRIPTOR for the Microsoft OS string (index MTP_OS_STRING_ID)
 *   - the vendor request that returns mtp_ext_config_desc
 *   - the class requests MTP_REQ_CANCEL and MTP_REQ_GET_DEVICE_STATUS
 *
 * All fields of @ctrl come from the USB host. Returns the number of bytes
 * of the data stage that was queued on ep0, or -EOPNOTSUPP if the request
 * was not recognised.
 */
static int mtp_ctrlrequest(struct usb_composite_dev *cdev,
				const struct usb_ctrlrequest *ctrl)
{
	struct mtp_dev *dev = _mtp_dev;
	int	value = -EOPNOTSUPP;
	u16	w_index = le16_to_cpu(ctrl->wIndex);
	u16	w_value = le16_to_cpu(ctrl->wValue);
	u16	w_length = le16_to_cpu(ctrl->wLength);
	unsigned long	flags;

	VDBG(cdev, "mtp_ctrlrequest "
			"%02x.%02x v%04x i%04x l%u\n",
			ctrl->bRequestType, ctrl->bRequest,
			w_value, w_index, w_length);

	/* Handle MTP OS string */
	if (ctrl->bRequestType ==
			(USB_DIR_IN | USB_TYPE_STANDARD | USB_RECIP_DEVICE)
			&& ctrl->bRequest == USB_REQ_GET_DESCRIPTOR
			&& (w_value >> 8) == USB_DT_STRING
			&& (w_value & 0xFF) == MTP_OS_STRING_ID) {
		/* reply is capped at the size of the static string */
		value = (w_length < sizeof(mtp_os_string)
				? w_length : sizeof(mtp_os_string));
		memcpy(cdev->req->buf, mtp_os_string, value);
	} else if ((ctrl->bRequestType & USB_TYPE_MASK) == USB_TYPE_VENDOR) {
		/* Handle MTP OS descriptor */
		DBG(cdev, "vendor request: %d index: %d value: %d length: %d\n",
			ctrl->bRequest, w_index, w_value, w_length);

		/* bRequest 1 is the vendor code advertised in mtp_os_string */
		if (ctrl->bRequest == 1
				&& (ctrl->bRequestType & USB_DIR_IN)
				&& (w_index == 4 || w_index == 5)) {
			/* reply is capped at the size of the static descriptor */
			value = (w_length < sizeof(mtp_ext_config_desc) ?
					w_length : sizeof(mtp_ext_config_desc));
			memcpy(cdev->req->buf, &mtp_ext_config_desc, value);
		}
	} else if ((ctrl->bRequestType & USB_TYPE_MASK) == USB_TYPE_CLASS) {
		DBG(cdev, "class request: %d index: %d value: %d length: %d\n",
			ctrl->bRequest, w_index, w_value, w_length);

		if (ctrl->bRequest == MTP_REQ_CANCEL && w_index == 0
				&& w_value == 0) {
			DBG(cdev, "MTP_REQ_CANCEL\n");

			/* only a transfer in progress can be canceled */
			spin_lock_irqsave(&dev->lock, flags);
			if (dev->state == STATE_BUSY) {
				dev->state = STATE_CANCELED;
				wake_up(&dev->read_wq);
				wake_up(&dev->write_wq);
			}
			spin_unlock_irqrestore(&dev->lock, flags);

			/* We need to queue a request to read the remaining
			 * bytes, but we don't actually need to look at
			 * the contents.
			 */
			/*
			 * NOTE(review): w_length is chosen by the host and
			 * becomes cdev->req->length below without a bound.
			 * The size of cdev->req->buf is not visible in this
			 * file; confirm that the data stage cannot exceed it
			 * (or clamp w_length here).
			 */
			value = w_length;
		} else if (ctrl->bRequest == MTP_REQ_GET_DEVICE_STATUS
				&& w_index == 0 && w_value == 0) {
			struct mtp_device_status *status = cdev->req->buf;
			status->wLength =
				__constant_cpu_to_le16(sizeof(*status));

			DBG(cdev, "MTP_REQ_GET_DEVICE_STATUS\n");
			spin_lock_irqsave(&dev->lock, flags);
			/* device status is "busy" until we report
			 * the cancelation to userspace
			 */
			if (dev->state == STATE_CANCELED)
				status->wCode =
					__cpu_to_le16(MTP_RESPONSE_DEVICE_BUSY);
			else
				status->wCode =
					__cpu_to_le16(MTP_RESPONSE_OK);
			spin_unlock_irqrestore(&dev->lock, flags);
			/* NOTE(review): unlike the descriptor replies above,
			 * this length is not capped at w_length -- confirm
			 */
			value = sizeof(*status);
		}
	}

	/* respond with data transfer or status phase? */
	if (value >= 0) {
		int rc;
		/* ask for a terminating ZLP when we send less than requested */
		cdev->req->zero = value < w_length;
		cdev->req->length = value;
		rc = usb_ep_queue(cdev->gadget->ep0, cdev->req, GFP_ATOMIC);
		if (rc < 0)
			ERROR(cdev, "%s: response queue error\n", __func__);
	}
	return value;
}
1080
/*
 * bind callback: allocate an interface number, claim the endpoints and
 * allocate the request pools. On dual-speed hardware the high-speed bulk
 * descriptors inherit the endpoint addresses chosen for full speed.
 *
 * Returns 0 on success or the negative error from usb_interface_id() or
 * mtp_create_bulk_endpoints().
 */
static int
mtp_function_bind(struct usb_configuration *c, struct usb_function *f)
{
	struct mtp_dev *mtp = func_to_mtp(f);
	struct usb_composite_dev *cdev = c->cdev;
	int status;

	mtp->cdev = cdev;
	DBG(cdev, "mtp_function_bind dev: %p\n", mtp);

	/* allocate interface ID(s) */
	status = usb_interface_id(c, f);
	if (status < 0)
		return status;
	/* only the MTP interface descriptor receives the number */
	mtp_interface_desc.bInterfaceNumber = status;

	/* allocate endpoints */
	status = mtp_create_bulk_endpoints(mtp, &mtp_fullspeed_in_desc,
			&mtp_fullspeed_out_desc, &mtp_intr_desc);
	if (status)
		return status;

	/* support high speed hardware */
	if (gadget_is_dualspeed(cdev->gadget)) {
		mtp_highspeed_in_desc.bEndpointAddress =
			mtp_fullspeed_in_desc.bEndpointAddress;
		mtp_highspeed_out_desc.bEndpointAddress =
			mtp_fullspeed_out_desc.bEndpointAddress;
	}

	DBG(cdev, "%s speed %s: IN/%s, OUT/%s\n",
			gadget_is_dualspeed(cdev->gadget) ? "dual" : "full",
			f->name, mtp->ep_in->name, mtp->ep_out->name);
	return 0;
}
1117
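/*
 * unbind callback: free every request allocated by
 * mtp_create_bulk_endpoints() and mark the function offline.
 */
static void
mtp_function_unbind(struct usb_configuration *c, struct usb_function *f)
{
	struct mtp_dev	*dev = func_to_mtp(f);
	struct usb_request *req;
	int i;

	while ((req = mtp_req_get(dev, &dev->tx_idle)))
		mtp_request_free(req, dev->ep_in);
	for (i = 0; i < RX_REQ_MAX; i++) {
		mtp_request_free(dev->rx_req[i], dev->ep_out);
		/*
		 * Clear the slot so a later unbind, or a read that races
		 * with teardown, cannot reach the freed request through a
		 * stale pointer.
		 */
		dev->rx_req[i] = NULL;
	}
	while ((req = mtp_req_get(dev, &dev->intr_idle)))
		mtp_request_free(req, dev->ep_intr);
	dev->state = STATE_OFFLINE;
}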
1133
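/*
 * set_alt callback: configure and enable the bulk IN, bulk OUT and
 * interrupt endpoints for the current speed, then move to STATE_READY and
 * wake readers that were waiting for the function to come online.
 *
 * Returns 0 on success or the first error from config_ep_by_speed() or
 * usb_ep_enable(). On any failure the endpoints that were already enabled
 * by this call are disabled again, so no endpoint is left active while the
 * function is not ready.
 */
static int mtp_function_set_alt(struct usb_function *f,
		unsigned intf, unsigned alt)
{
	struct mtp_dev	*dev = func_to_mtp(f);
	struct usb_composite_dev *cdev = f->config->cdev;
	int ret;

	DBG(cdev, "mtp_function_set_alt intf: %d alt: %d\n", intf, alt);

	ret = config_ep_by_speed(cdev->gadget, f, dev->ep_in);
	if (ret)
		return ret;

	ret = usb_ep_enable(dev->ep_in);
	if (ret)
		return ret;

	ret = config_ep_by_speed(cdev->gadget, f, dev->ep_out);
	if (ret)
		goto err_disable_in;

	ret = usb_ep_enable(dev->ep_out);
	if (ret)
		goto err_disable_in;

	ret = config_ep_by_speed(cdev->gadget, f, dev->ep_intr);
	if (ret)
		goto err_disable_out;

	ret = usb_ep_enable(dev->ep_intr);
	if (ret)
		goto err_disable_out;

	dev->state = STATE_READY;

	/* readers may be blocked waiting for us to go online */
	wake_up(&dev->read_wq);
	return 0;

err_disable_out:
	usb_ep_disable(dev->ep_out);
err_disable_in:
	usb_ep_disable(dev->ep_in);
	return ret;
}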
1177
/*
 * disable callback: mark the function offline, shut down all three
 * endpoints and wake any reader so it can observe the state change.
 */
static void mtp_function_disable(struct usb_function *f)
{
	struct mtp_dev *mtp = func_to_mtp(f);
	struct usb_composite_dev *cdev = mtp->cdev;

	DBG(cdev, "mtp_function_disable\n");

	/* go offline first, then stop the endpoints */
	mtp->state = STATE_OFFLINE;
	usb_ep_disable(mtp->ep_in);
	usb_ep_disable(mtp->ep_out);
	usb_ep_disable(mtp->ep_intr);

	/* a reader may be sleeping in mtp_read(); let it re-check the state */
	wake_up(&mtp->read_wq);

	VDBG(cdev, "%s disabled\n", mtp->function.name);
}
1194
/*
 * Add the MTP (or, when @ptp_config is true, the PTP) function to
 * configuration @c. The interface string id is allocated on first use and
 * stored in mtp_string_defs and mtp_interface_desc.
 *
 * Returns the result of usb_add_function(), or the negative error from
 * usb_string_id().
 */
static int mtp_bind_config(struct usb_configuration *c, bool ptp_config)
{
	struct mtp_dev *mtp = _mtp_dev;
	struct usb_function *func = &mtp->function;

	printk(KERN_INFO "mtp_bind_config\n");

	/* the interface string id is allocated only once */
	if (mtp_string_defs[INTERFACE_STRING_INDEX].id == 0) {
		int string_id = usb_string_id(c->cdev);

		if (string_id < 0)
			return string_id;
		mtp_string_defs[INTERFACE_STRING_INDEX].id = string_id;
		mtp_interface_desc.iInterface = string_id;
	}

	mtp->cdev = c->cdev;
	func->name = "mtp";
	func->strings = mtp_strings;

	/* pick the descriptor tables for the requested personality */
	if (!ptp_config) {
		func->descriptors = fs_mtp_descs;
		func->hs_descriptors = hs_mtp_descs;
	} else {
		func->descriptors = fs_ptp_descs;
		func->hs_descriptors = hs_ptp_descs;
	}

	func->bind = mtp_function_bind;
	func->unbind = mtp_function_unbind;
	func->set_alt = mtp_function_set_alt;
	func->disable = mtp_function_disable;

	return usb_add_function(c, func);
}
1228
/*
 * Allocate and initialise the single mtp_dev, create its work queue,
 * publish it through _mtp_dev and register the /dev/mtp_usb misc device.
 *
 * Returns 0 on success, -ENOMEM if an allocation fails, or the error from
 * misc_register(). On failure everything is torn down again and _mtp_dev
 * is reset to NULL.
 */
static int mtp_setup(void)
{
	struct mtp_dev *mtp = kzalloc(sizeof(*mtp), GFP_KERNEL);
	int err;

	if (mtp == NULL)
		return -ENOMEM;

	spin_lock_init(&mtp->lock);
	init_waitqueue_head(&mtp->read_wq);
	init_waitqueue_head(&mtp->write_wq);
	init_waitqueue_head(&mtp->intr_wq);
	atomic_set(&mtp->open_excl, 0);
	atomic_set(&mtp->ioctl_excl, 0);
	INIT_LIST_HEAD(&mtp->tx_idle);
	INIT_LIST_HEAD(&mtp->intr_idle);

	mtp->wq = create_singlethread_workqueue("f_mtp");
	if (mtp->wq == NULL) {
		err = -ENOMEM;
		goto fail_free;
	}
	INIT_WORK(&mtp->send_file_work, send_file_work);
	INIT_WORK(&mtp->receive_file_work, receive_file_work);

	/* publish the device before the node can be opened */
	_mtp_dev = mtp;

	err = misc_register(&mtp_device);
	if (err == 0)
		return 0;

	/* registration failed: undo in reverse order */
	destroy_workqueue(mtp->wq);
fail_free:
	_mtp_dev = NULL;
	kfree(mtp);
	printk(KERN_ERR "mtp gadget driver failed to initialize\n");
	return err;
}
1271
1272static void mtp_cleanup(void)
1273{
1274 struct mtp_dev *dev = _mtp_dev;
1275
1276 if (!dev)
1277 return;
1278
1279 misc_deregister(&mtp_device);
1280 destroy_workqueue(dev->wq);
1281 _mtp_dev = NULL;
1282 kfree(dev);
1283}