projects / linux-block.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
USB: iowarrior: fix use-after-free after driver unbind
[linux-block.git] / drivers / usb / misc / iowarrior.c
CommitLineData
5fd54ace 1// SPDX-License-Identifier: GPL-2.0
946b960d
GKH		 2/*
3 * Native support for the I/O-Warrior USB devices
4 *
5 * Copyright (c) 2003-2005 Code Mercenaries GmbH
6 * written by Christian Lucht <lucht@codemercs.com>
7 *
8 * based on
9
10 * usb-skeleton.c by Greg Kroah-Hartman <greg@kroah.com>
11 * brlvger.c by Stephane Dalton <sdalton@videotron.ca>
12 * and St�hane Doyon <s.doyon@videotron.ca>
13 *
14 * Released under the GPLv2.
15 */
16
17#include <linux/module.h>
18#include <linux/usb.h>
946b960d
GKH		 19#include <linux/slab.h>
20#include <linux/sched.h>
925ce689 21#include <linux/mutex.h>
946b960d 22#include <linux/poll.h>
946b960d
GKH		 23#include <linux/usb/iowarrior.h>
24
946b960d 25#define DRIVER_AUTHOR "Christian Lucht <lucht@codemercs.com>"
c35c376f 26#define DRIVER_DESC "USB IO-Warrior driver"
946b960d
GKH		 27
28#define USB_VENDOR_ID_CODEMERCS 1984
29/* low speed iowarrior */
30#define USB_DEVICE_ID_CODEMERCS_IOW40 0x1500
31#define USB_DEVICE_ID_CODEMERCS_IOW24 0x1501
32#define USB_DEVICE_ID_CODEMERCS_IOWPV1 0x1511
33#define USB_DEVICE_ID_CODEMERCS_IOWPV2 0x1512
34/* full speed iowarrior */
35#define USB_DEVICE_ID_CODEMERCS_IOW56 0x1503
36
37/* Get a minor range for your devices from the usb maintainer */
38#ifdef CONFIG_USB_DYNAMIC_MINORS
39#define IOWARRIOR_MINOR_BASE 0
40#else
25985edc 41#define IOWARRIOR_MINOR_BASE 208 // SKELETON_MINOR_BASE 192 + 16, not official yet
946b960d
GKH		 42#endif
43
44/* interrupt input queue size */
45#define MAX_INTERRUPT_BUFFER 16
46/*
47 maximum number of urbs that are submitted for writes at the same time,
48 this applies to the IOWarrior56 only!
49 IOWarrior24 and IOWarrior40 use synchronous usb_control_msg calls.
50*/
51#define MAX_WRITES_IN_FLIGHT 4
52
946b960d
GKH		 53MODULE_AUTHOR(DRIVER_AUTHOR);
54MODULE_DESCRIPTION(DRIVER_DESC);
55MODULE_LICENSE("GPL");
56
57/* Module parameters */
925ce689 58static DEFINE_MUTEX(iowarrior_mutex);
946b960d
GKH		 59
60static struct usb_driver iowarrior_driver;
03f36e88 61static DEFINE_MUTEX(iowarrior_open_disc_lock);
946b960d
GKH		 62
63/*--------------*/
64/* data */
65/*--------------*/
66
67/* Structure to hold all of our device specific stuff */
68struct iowarrior {
69 struct mutex mutex; /* locks this structure */
70 struct usb_device *udev; /* save off the usb device pointer */
71 struct usb_interface *interface; /* the interface for this device */
72 unsigned char minor; /* the starting minor number for this device */
73 struct usb_endpoint_descriptor *int_out_endpoint; /* endpoint for reading (needed for IOW56 only) */
74 struct usb_endpoint_descriptor *int_in_endpoint; /* endpoint for reading */
75 struct urb *int_in_urb; /* the urb for reading data */
76 unsigned char *int_in_buffer; /* buffer for data to be read */
77 unsigned char serial_number; /* to detect lost packages */
78 unsigned char *read_queue; /* size is MAX_INTERRUPT_BUFFER * packet size */
79 wait_queue_head_t read_wait;
80 wait_queue_head_t write_wait; /* wait-queue for writing to the device */
81 atomic_t write_busy; /* number of write-urbs submitted */
82 atomic_t read_idx;
83 atomic_t intr_idx;
946b960d
GKH		 84 atomic_t overflow_flag; /* signals an index 'rollover' */
85 int present; /* this is 1 as long as the device is connected */
86 int opened; /* this is 1 if the device is currently open */
87 char chip_serial[9]; /* the serial number string of the chip connected */
88 int report_size; /* number of bytes in a report */
89 u16 product_id;
b5f8d468 90 struct usb_anchor submitted;
946b960d
GKH		 91};
92
93/*--------------*/
94/* globals */
95/*--------------*/
946b960d
GKH		 96
97/*
98 * USB spec identifies 5 second timeouts.
99 */
100#define GET_TIMEOUT 5
101#define USB_REQ_GET_REPORT 0x01
102//#if 0
103static int usb_get_report(struct usb_device *dev,
104 struct usb_host_interface *inter, unsigned char type,
105 unsigned char id, void *buf, int size)
106{
107 return usb_control_msg(dev, usb_rcvctrlpipe(dev, 0),
108 USB_REQ_GET_REPORT,
109 USB_DIR_IN | USB_TYPE_CLASS |
110 USB_RECIP_INTERFACE, (type << 8) + id,
111 inter->desc.bInterfaceNumber, buf, size,
147c5a17 112 GET_TIMEOUT*HZ);
946b960d
GKH		 113}
114//#endif
115
116#define USB_REQ_SET_REPORT 0x09
117
118static int usb_set_report(struct usb_interface *intf, unsigned char type,
119 unsigned char id, void *buf, int size)
120{
121 return usb_control_msg(interface_to_usbdev(intf),
122 usb_sndctrlpipe(interface_to_usbdev(intf), 0),
123 USB_REQ_SET_REPORT,
124 USB_TYPE_CLASS | USB_RECIP_INTERFACE,
125 (type << 8) + id,
126 intf->cur_altsetting->desc.bInterfaceNumber, buf,
147c5a17 127 size, HZ);
946b960d
GKH		 128}
129
130/*---------------------*/
131/* driver registration */
132/*---------------------*/
133/* table of devices that work with this driver */
33b9e162 134static const struct usb_device_id iowarrior_ids[] = {
946b960d
GKH		 135 {USB_DEVICE(USB_VENDOR_ID_CODEMERCS, USB_DEVICE_ID_CODEMERCS_IOW40)},
136 {USB_DEVICE(USB_VENDOR_ID_CODEMERCS, USB_DEVICE_ID_CODEMERCS_IOW24)},
137 {USB_DEVICE(USB_VENDOR_ID_CODEMERCS, USB_DEVICE_ID_CODEMERCS_IOWPV1)},
138 {USB_DEVICE(USB_VENDOR_ID_CODEMERCS, USB_DEVICE_ID_CODEMERCS_IOWPV2)},
139 {USB_DEVICE(USB_VENDOR_ID_CODEMERCS, USB_DEVICE_ID_CODEMERCS_IOW56)},
140 {} /* Terminating entry */
141};
142MODULE_DEVICE_TABLE(usb, iowarrior_ids);
143
144/*
145 * USB callback handler for reading data
146 */
147static void iowarrior_callback(struct urb *urb)
148{
cdc97792 149 struct iowarrior *dev = urb->context;
946b960d
GKH		 150 int intr_idx;
151 int read_idx;
152 int aux_idx;
153 int offset;
fb3abee6
GKH		 154 int status = urb->status;
155 int retval;
946b960d 156
fb3abee6 157 switch (status) {
946b960d
GKH		 158 case 0:
159 /* success */
160 break;
161 case -ECONNRESET:
162 case -ENOENT:
163 case -ESHUTDOWN:
164 return;
165 default:
166 goto exit;
167 }
168
946b960d
GKH		 169 intr_idx = atomic_read(&dev->intr_idx);
170 /* aux_idx become previous intr_idx */
171 aux_idx = (intr_idx == 0) ? (MAX_INTERRUPT_BUFFER - 1) : (intr_idx - 1);
172 read_idx = atomic_read(&dev->read_idx);
173
174 /* queue is not empty and it's interface 0 */
175 if ((intr_idx != read_idx)
176 && (dev->interface->cur_altsetting->desc.bInterfaceNumber == 0)) {
177 /* + 1 for serial number */
178 offset = aux_idx * (dev->report_size + 1);
179 if (!memcmp
180 (dev->read_queue + offset, urb->transfer_buffer,
181 dev->report_size)) {
182 /* equal values on interface 0 will be ignored */
946b960d
GKH		 183 goto exit;
184 }
185 }
186
187 /* aux_idx become next intr_idx */
188 aux_idx = (intr_idx == (MAX_INTERRUPT_BUFFER - 1)) ? 0 : (intr_idx + 1);
189 if (read_idx == aux_idx) {
190 /* queue full, dropping oldest input */
191 read_idx = (++read_idx == MAX_INTERRUPT_BUFFER) ? 0 : read_idx;
192 atomic_set(&dev->read_idx, read_idx);
193 atomic_set(&dev->overflow_flag, 1);
194 }
195
196 /* +1 for serial number */
197 offset = intr_idx * (dev->report_size + 1);
198 memcpy(dev->read_queue + offset, urb->transfer_buffer,
199 dev->report_size);
200 *(dev->read_queue + offset + (dev->report_size)) = dev->serial_number++;
201
202 atomic_set(&dev->intr_idx, aux_idx);
946b960d
GKH		 203 /* tell the blocking read about the new data */
204 wake_up_interruptible(&dev->read_wait);
205
206exit:
fb3abee6
GKH		 207 retval = usb_submit_urb(urb, GFP_ATOMIC);
208 if (retval)
898eb71c 209 dev_err(&dev->interface->dev, "%s - usb_submit_urb failed with result %d\n",
441b62c1 210 __func__, retval);
946b960d
GKH		 211
212}
213
214/*
215 * USB Callback handler for write-ops
216 */
217static void iowarrior_write_callback(struct urb *urb)
218{
219 struct iowarrior *dev;
fb3abee6
GKH		 220 int status = urb->status;
221
cdc97792 222 dev = urb->context;
946b960d 223 /* sync/async unlink faults aren't errors */
fb3abee6
GKH		 224 if (status &&
225 !(status == -ENOENT ||
226 status == -ECONNRESET || status == -ESHUTDOWN)) {
549e8350
JP		 227 dev_dbg(&dev->interface->dev,
228 "nonzero write bulk status received: %d\n", status);
946b960d
GKH		 229 }
230 /* free up our allocated buffer */
997ea58e
DM		 231 usb_free_coherent(urb->dev, urb->transfer_buffer_length,
232 urb->transfer_buffer, urb->transfer_dma);
946b960d
GKH		 233 /* tell a waiting writer the interrupt-out-pipe is available again */
234 atomic_dec(&dev->write_busy);
235 wake_up_interruptible(&dev->write_wait);
236}
237
238/**
239 * iowarrior_delete
240 */
241static inline void iowarrior_delete(struct iowarrior *dev)
242{
549e8350 243 dev_dbg(&dev->interface->dev, "minor %d\n", dev->minor);
946b960d
GKH		 244 kfree(dev->int_in_buffer);
245 usb_free_urb(dev->int_in_urb);
246 kfree(dev->read_queue);
80cd5479 247 usb_put_intf(dev->interface);
946b960d
GKH		 248 kfree(dev);
249}
250
251/*---------------------*/
252/* fops implementation */
253/*---------------------*/
254
255static int read_index(struct iowarrior *dev)
256{
257 int intr_idx, read_idx;
258
259 read_idx = atomic_read(&dev->read_idx);
260 intr_idx = atomic_read(&dev->intr_idx);
261
262 return (read_idx == intr_idx ? -1 : read_idx);
263}
264
265/**
266 * iowarrior_read
267 */
268static ssize_t iowarrior_read(struct file *file, char __user *buffer,
269 size_t count, loff_t *ppos)
270{
271 struct iowarrior *dev;
272 int read_idx;
273 int offset;
274
5bd6e8b3 275 dev = file->private_data;
946b960d
GKH		 276
277 /* verify that the device wasn't unplugged */
3cfb4842 278 if (!dev || !dev->present)
946b960d
GKH		 279 return -ENODEV;
280
549e8350
JP		 281 dev_dbg(&dev->interface->dev, "minor %d, count = %zd\n",
282 dev->minor, count);
946b960d
GKH		 283
284 /* read count must be packet size (+ time stamp) */
285 if ((count != dev->report_size)
286 && (count != (dev->report_size + 1)))
287 return -EINVAL;
288
289 /* repeat until no buffer overrun in callback handler occur */
290 do {
291 atomic_set(&dev->overflow_flag, 0);
292 if ((read_idx = read_index(dev)) == -1) {
f38f1418 293 /* queue empty */
946b960d
GKH		 294 if (file->f_flags & O_NONBLOCK)
295 return -EAGAIN;
296 else {
297 //next line will return when there is either new data, or the device is unplugged
298 int r = wait_event_interruptible(dev->read_wait,
299 (!dev->present
300 || (read_idx =
301 read_index
302 (dev)) !=
303 -1));
304 if (r) {
305 //we were interrupted by a signal
306 return -ERESTART;
307 }
308 if (!dev->present) {
309 //The device was unplugged
310 return -ENODEV;
311 }
312 if (read_idx == -1) {
313 // Can this happen ???
314 return 0;
315 }
316 }
317 }
318
319 offset = read_idx * (dev->report_size + 1);
320 if (copy_to_user(buffer, dev->read_queue + offset, count)) {
321 return -EFAULT;
322 }
323 } while (atomic_read(&dev->overflow_flag));
324
325 read_idx = ++read_idx == MAX_INTERRUPT_BUFFER ? 0 : read_idx;
326 atomic_set(&dev->read_idx, read_idx);
327 return count;
328}
329
330/*
331 * iowarrior_write
332 */
333static ssize_t iowarrior_write(struct file *file,
334 const char __user *user_buffer,
335 size_t count, loff_t *ppos)
336{
337 struct iowarrior *dev;
338 int retval = 0;
339 char *buf = NULL; /* for IOW24 and IOW56 we need a buffer */
340 struct urb *int_out_urb = NULL;
341
5bd6e8b3 342 dev = file->private_data;
946b960d
GKH		 343
344 mutex_lock(&dev->mutex);
345 /* verify that the device wasn't unplugged */
e28c6a77 346 if (!dev->present) {
946b960d
GKH		 347 retval = -ENODEV;
348 goto exit;
349 }
549e8350
JP		 350 dev_dbg(&dev->interface->dev, "minor %d, count = %zd\n",
351 dev->minor, count);
946b960d
GKH		 352 /* if count is 0 we're already done */
353 if (count == 0) {
354 retval = 0;
355 goto exit;
356 }
357 /* We only accept full reports */
358 if (count != dev->report_size) {
359 retval = -EINVAL;
360 goto exit;
361 }
362 switch (dev->product_id) {
363 case USB_DEVICE_ID_CODEMERCS_IOW24:
364 case USB_DEVICE_ID_CODEMERCS_IOWPV1:
365 case USB_DEVICE_ID_CODEMERCS_IOWPV2:
366 case USB_DEVICE_ID_CODEMERCS_IOW40:
367 /* IOW24 and IOW40 use a synchronous call */
ca2ef0d5
GT		 368 buf = memdup_user(user_buffer, count);
369 if (IS_ERR(buf)) {
370 retval = PTR_ERR(buf);
946b960d
GKH		 371 goto exit;
372 }
373 retval = usb_set_report(dev->interface, 2, 0, buf, count);
374 kfree(buf);
375 goto exit;
376 break;
377 case USB_DEVICE_ID_CODEMERCS_IOW56:
378 /* The IOW56 uses asynchronous IO and more urbs */
379 if (atomic_read(&dev->write_busy) == MAX_WRITES_IN_FLIGHT) {
380 /* Wait until we are below the limit for submitted urbs */
381 if (file->f_flags & O_NONBLOCK) {
382 retval = -EAGAIN;
383 goto exit;
384 } else {
385 retval = wait_event_interruptible(dev->write_wait,
386 (!dev->present || (atomic_read (&dev-> write_busy) < MAX_WRITES_IN_FLIGHT)));
387 if (retval) {
388 /* we were interrupted by a signal */
389 retval = -ERESTART;
390 goto exit;
391 }
392 if (!dev->present) {
393 /* The device was unplugged */
394 retval = -ENODEV;
395 goto exit;
396 }
397 if (!dev->opened) {
398 /* We were closed while waiting for an URB */
399 retval = -ENODEV;
400 goto exit;
401 }
402 }
403 }
404 atomic_inc(&dev->write_busy);
405 int_out_urb = usb_alloc_urb(0, GFP_KERNEL);
406 if (!int_out_urb) {
407 retval = -ENOMEM;
f81ee4d5 408 goto error_no_urb;
946b960d 409 }
997ea58e
DM		 410 buf = usb_alloc_coherent(dev->udev, dev->report_size,
411 GFP_KERNEL, &int_out_urb->transfer_dma);
946b960d
GKH		 412 if (!buf) {
413 retval = -ENOMEM;
549e8350
JP		 414 dev_dbg(&dev->interface->dev,
415 "Unable to allocate buffer\n");
f81ee4d5 416 goto error_no_buffer;
946b960d
GKH		 417 }
418 usb_fill_int_urb(int_out_urb, dev->udev,
419 usb_sndintpipe(dev->udev,
420 dev->int_out_endpoint->bEndpointAddress),
421 buf, dev->report_size,
422 iowarrior_write_callback, dev,
423 dev->int_out_endpoint->bInterval);
424 int_out_urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP;
425 if (copy_from_user(buf, user_buffer, count)) {
426 retval = -EFAULT;
427 goto error;
428 }
b5f8d468 429 usb_anchor_urb(int_out_urb, &dev->submitted);
946b960d
GKH		 430 retval = usb_submit_urb(int_out_urb, GFP_KERNEL);
431 if (retval) {
549e8350
JP		 432 dev_dbg(&dev->interface->dev,
433 "submit error %d for urb nr.%d\n",
434 retval, atomic_read(&dev->write_busy));
b5f8d468 435 usb_unanchor_urb(int_out_urb);
946b960d
GKH		 436 goto error;
437 }
438 /* submit was ok */
439 retval = count;
440 usb_free_urb(int_out_urb);
441 goto exit;
442 break;
443 default:
444 /* what do we have here ? An unsupported Product-ID ? */
898eb71c 445 dev_err(&dev->interface->dev, "%s - not supported for product=0x%x\n",
441b62c1 446 __func__, dev->product_id);
946b960d
GKH		 447 retval = -EFAULT;
448 goto exit;
449 break;
450 }
451error:
997ea58e
DM		 452 usb_free_coherent(dev->udev, dev->report_size, buf,
453 int_out_urb->transfer_dma);
f81ee4d5 454error_no_buffer:
946b960d 455 usb_free_urb(int_out_urb);
f81ee4d5 456error_no_urb:
946b960d
GKH		 457 atomic_dec(&dev->write_busy);
458 wake_up_interruptible(&dev->write_wait);
459exit:
460 mutex_unlock(&dev->mutex);
461 return retval;
462}
463
464/**
465 * iowarrior_ioctl
466 */
824f16fd
AC		 467static long iowarrior_ioctl(struct file *file, unsigned int cmd,
468 unsigned long arg)
946b960d
GKH		 469{
470 struct iowarrior *dev = NULL;
471 __u8 *buffer;
472 __u8 __user *user_buffer;
473 int retval;
474 int io_res; /* checks for bytes read/written and copy_to/from_user results */
475
5bd6e8b3 476 dev = file->private_data;
3cfb4842 477 if (!dev)
946b960d 478 return -ENODEV;
946b960d
GKH		 479
480 buffer = kzalloc(dev->report_size, GFP_KERNEL);
481 if (!buffer)
482 return -ENOMEM;
483
484 /* lock this object */
925ce689 485 mutex_lock(&iowarrior_mutex);
946b960d
GKH		 486 mutex_lock(&dev->mutex);
487
488 /* verify that the device wasn't unplugged */
489 if (!dev->present) {
fc0f8fc9
ON		 490 retval = -ENODEV;
491 goto error_out;
946b960d
GKH		 492 }
493
549e8350
JP		 494 dev_dbg(&dev->interface->dev, "minor %d, cmd 0x%.4x, arg %ld\n",
495 dev->minor, cmd, arg);
946b960d
GKH		 496
497 retval = 0;
498 io_res = 0;
499 switch (cmd) {
500 case IOW_WRITE:
501 if (dev->product_id == USB_DEVICE_ID_CODEMERCS_IOW24 ||
502 dev->product_id == USB_DEVICE_ID_CODEMERCS_IOWPV1 ||
503 dev->product_id == USB_DEVICE_ID_CODEMERCS_IOWPV2 ||
504 dev->product_id == USB_DEVICE_ID_CODEMERCS_IOW40) {
505 user_buffer = (__u8 __user *)arg;
506 io_res = copy_from_user(buffer, user_buffer,
507 dev->report_size);
508 if (io_res) {
509 retval = -EFAULT;
510 } else {
511 io_res = usb_set_report(dev->interface, 2, 0,
512 buffer,
513 dev->report_size);
514 if (io_res < 0)
515 retval = io_res;
516 }
517 } else {
518 retval = -EINVAL;
519 dev_err(&dev->interface->dev,
898eb71c 520 "ioctl 'IOW_WRITE' is not supported for product=0x%x.\n",
946b960d
GKH		 521 dev->product_id);
522 }
523 break;
524 case IOW_READ:
525 user_buffer = (__u8 __user *)arg;
526 io_res = usb_get_report(dev->udev,
527 dev->interface->cur_altsetting, 1, 0,
528 buffer, dev->report_size);
529 if (io_res < 0)
530 retval = io_res;
531 else {
532 io_res = copy_to_user(user_buffer, buffer, dev->report_size);
6d4d4554 533 if (io_res)
946b960d
GKH		 534 retval = -EFAULT;
535 }
536 break;
537 case IOW_GETINFO:
538 {
539 /* Report available information for the device */
540 struct iowarrior_info info;
541 /* needed for power consumption */
542 struct usb_config_descriptor *cfg_descriptor = &dev->udev->actconfig->desc;
543
eca67aae 544 memset(&info, 0, sizeof(info));
946b960d
GKH		 545 /* directly from the descriptor */
546 info.vendor = le16_to_cpu(dev->udev->descriptor.idVendor);
547 info.product = dev->product_id;
548 info.revision = le16_to_cpu(dev->udev->descriptor.bcdDevice);
549
550 /* 0==UNKNOWN, 1==LOW(usb1.1) ,2=FULL(usb1.1), 3=HIGH(usb2.0) */
dd5ca753 551 info.speed = dev->udev->speed;
946b960d
GKH		 552 info.if_num = dev->interface->cur_altsetting->desc.bInterfaceNumber;
553 info.report_size = dev->report_size;
554
555 /* serial number string has been read earlier 8 chars or empty string */
556 memcpy(info.serial, dev->chip_serial,
557 sizeof(dev->chip_serial));
558 if (cfg_descriptor == NULL) {
559 info.power = -1; /* no information available */
560 } else {
561 /* the MaxPower is stored in units of 2mA to make it fit into a byte-value */
562 info.power = cfg_descriptor->bMaxPower * 2;
563 }
564 io_res = copy_to_user((struct iowarrior_info __user *)arg, &info,
565 sizeof(struct iowarrior_info));
6d4d4554 566 if (io_res)
946b960d
GKH		 567 retval = -EFAULT;
568 break;
569 }
570 default:
571 /* return that we did not understand this ioctl call */
572 retval = -ENOTTY;
573 break;
574 }
fc0f8fc9 575error_out:
946b960d
GKH		 576 /* unlock the device */
577 mutex_unlock(&dev->mutex);
925ce689 578 mutex_unlock(&iowarrior_mutex);
fc0f8fc9 579 kfree(buffer);
946b960d
GKH		 580 return retval;
581}
582
583/**
584 * iowarrior_open
585 */
586static int iowarrior_open(struct inode *inode, struct file *file)
587{
588 struct iowarrior *dev = NULL;
589 struct usb_interface *interface;
590 int subminor;
591 int retval = 0;
592
925ce689 593 mutex_lock(&iowarrior_mutex);
946b960d
GKH		 594 subminor = iminor(inode);
595
946b960d
GKH		 596 interface = usb_find_interface(&iowarrior_driver, subminor);
597 if (!interface) {
925ce689 598 mutex_unlock(&iowarrior_mutex);
1c2eef03
GKH		 599 printk(KERN_ERR "%s - error, can't find device for minor %d\n",
600 __func__, subminor);
d4ead16f 601 return -ENODEV;
946b960d
GKH		 602 }
603
03f36e88 604 mutex_lock(&iowarrior_open_disc_lock);
946b960d 605 dev = usb_get_intfdata(interface);
03f36e88
ON		 606 if (!dev) {
607 mutex_unlock(&iowarrior_open_disc_lock);
925ce689 608 mutex_unlock(&iowarrior_mutex);
d4ead16f 609 return -ENODEV;
03f36e88 610 }
d4ead16f
AS		 611
612 mutex_lock(&dev->mutex);
03f36e88 613 mutex_unlock(&iowarrior_open_disc_lock);
946b960d
GKH		 614
615 /* Only one process can open each device, no sharing. */
616 if (dev->opened) {
617 retval = -EBUSY;
618 goto out;
619 }
620
621 /* setup interrupt handler for receiving values */
622 if ((retval = usb_submit_urb(dev->int_in_urb, GFP_KERNEL)) < 0) {
623 dev_err(&interface->dev, "Error %d while submitting URB\n", retval);
624 retval = -EFAULT;
625 goto out;
626 }
627 /* increment our usage count for the driver */
628 ++dev->opened;
629 /* save our object in the file's private structure */
630 file->private_data = dev;
631 retval = 0;
632
633out:
d4ead16f 634 mutex_unlock(&dev->mutex);
925ce689 635 mutex_unlock(&iowarrior_mutex);
946b960d
GKH		 636 return retval;
637}
638
639/**
640 * iowarrior_release
641 */
642static int iowarrior_release(struct inode *inode, struct file *file)
643{
644 struct iowarrior *dev;
645 int retval = 0;
646
5bd6e8b3 647 dev = file->private_data;
3cfb4842 648 if (!dev)
946b960d 649 return -ENODEV;
946b960d 650
549e8350 651 dev_dbg(&dev->interface->dev, "minor %d\n", dev->minor);
946b960d
GKH		 652
653 /* lock our device */
654 mutex_lock(&dev->mutex);
655
656 if (dev->opened <= 0) {
657 retval = -ENODEV; /* close called more than once */
658 mutex_unlock(&dev->mutex);
659 } else {
a895d57d 660 dev->opened = 0; /* we're closing now */
946b960d
GKH		 661 retval = 0;
662 if (dev->present) {
663 /*
664 The device is still connected so we only shutdown
665 pending read-/write-ops.
666 */
667 usb_kill_urb(dev->int_in_urb);
668 wake_up_interruptible(&dev->read_wait);
669 wake_up_interruptible(&dev->write_wait);
670 mutex_unlock(&dev->mutex);
671 } else {
672 /* The device was unplugged, cleanup resources */
673 mutex_unlock(&dev->mutex);
674 iowarrior_delete(dev);
675 }
676 }
677 return retval;
678}
679
afc9a42b 680static __poll_t iowarrior_poll(struct file *file, poll_table * wait)
946b960d
GKH		 681{
682 struct iowarrior *dev = file->private_data;
afc9a42b 683 __poll_t mask = 0;
946b960d
GKH		 684
685 if (!dev->present)
a9a08845 686 return EPOLLERR | EPOLLHUP;
946b960d
GKH		 687
688 poll_wait(file, &dev->read_wait, wait);
689 poll_wait(file, &dev->write_wait, wait);
690
691 if (!dev->present)
a9a08845 692 return EPOLLERR | EPOLLHUP;
946b960d
GKH		 693
694 if (read_index(dev) != -1)
a9a08845 695 mask |= EPOLLIN | EPOLLRDNORM;
946b960d
GKH		 696
697 if (atomic_read(&dev->write_busy) < MAX_WRITES_IN_FLIGHT)
a9a08845 698 mask |= EPOLLOUT | EPOLLWRNORM;
946b960d
GKH		 699 return mask;
700}
701
702/*
703 * File operations needed when we register this driver.
704 * This assumes that this driver NEEDS file operations,
705 * of course, which means that the driver is expected
706 * to have a node in the /dev directory. If the USB
707 * device were for a network interface then the driver
708 * would use "struct net_driver" instead, and a serial
709 * device would use "struct tty_driver".
710 */
0b3f5fe6 711static const struct file_operations iowarrior_fops = {
946b960d
GKH		 712 .owner = THIS_MODULE,
713 .write = iowarrior_write,
714 .read = iowarrior_read,
824f16fd 715 .unlocked_ioctl = iowarrior_ioctl,
946b960d
GKH		 716 .open = iowarrior_open,
717 .release = iowarrior_release,
718 .poll = iowarrior_poll,
6038f373 719 .llseek = noop_llseek,
946b960d
GKH		 720};
721
2c9ede55 722static char *iowarrior_devnode(struct device *dev, umode_t *mode)
f7a386c5
KS		 723{
724 return kasprintf(GFP_KERNEL, "usb/%s", dev_name(dev));
725}
726
946b960d
GKH		 727/*
728 * usb class driver info in order to get a minor number from the usb core,
729 * and to have the device registered with devfs and the driver core
730 */
731static struct usb_class_driver iowarrior_class = {
732 .name = "iowarrior%d",
e454cea2 733 .devnode = iowarrior_devnode,
946b960d
GKH		 734 .fops = &iowarrior_fops,
735 .minor_base = IOWARRIOR_MINOR_BASE,
736};
737
738/*---------------------------------*/
739/* probe and disconnect functions */
740/*---------------------------------*/
741/**
742 * iowarrior_probe
743 *
744 * Called by the usb core when a new device is connected that it thinks
745 * this driver might be interested in.
746 */
747static int iowarrior_probe(struct usb_interface *interface,
748 const struct usb_device_id *id)
749{
750 struct usb_device *udev = interface_to_usbdev(interface);
751 struct iowarrior *dev = NULL;
752 struct usb_host_interface *iface_desc;
946b960d 753 int retval = -ENOMEM;
920df8d7 754 int res;
946b960d 755
b595076a 756 /* allocate memory for our device state and initialize it */
946b960d 757 dev = kzalloc(sizeof(struct iowarrior), GFP_KERNEL);
3cfb4842 758 if (!dev)
946b960d 759 return retval;
946b960d
GKH		 760
761 mutex_init(&dev->mutex);
762
763 atomic_set(&dev->intr_idx, 0);
764 atomic_set(&dev->read_idx, 0);
946b960d
GKH		 765 atomic_set(&dev->overflow_flag, 0);
766 init_waitqueue_head(&dev->read_wait);
767 atomic_set(&dev->write_busy, 0);
768 init_waitqueue_head(&dev->write_wait);
769
770 dev->udev = udev;
80cd5479 771 dev->interface = usb_get_intf(interface);
946b960d
GKH		 772
773 iface_desc = interface->cur_altsetting;
774 dev->product_id = le16_to_cpu(udev->descriptor.idProduct);
775
b5f8d468
JH		 776 init_usb_anchor(&dev->submitted);
777
920df8d7
JH		 778 res = usb_find_last_int_in_endpoint(iface_desc, &dev->int_in_endpoint);
779 if (res) {
b7321e81 780 dev_err(&interface->dev, "no interrupt-in endpoint found\n");
920df8d7 781 retval = res;
b7321e81
JH		 782 goto error;
783 }
784
de46e566 785 if (dev->product_id == USB_DEVICE_ID_CODEMERCS_IOW56) {
920df8d7
JH		 786 res = usb_find_last_int_out_endpoint(iface_desc,
787 &dev->int_out_endpoint);
788 if (res) {
de46e566 789 dev_err(&interface->dev, "no interrupt-out endpoint found\n");
920df8d7 790 retval = res;
de46e566
JH		 791 goto error;
792 }
793 }
794
a895d57d 795 /* we have to check the report_size often, so remember it in the endianness suitable for our machine */
29cc8897 796 dev->report_size = usb_endpoint_maxp(dev->int_in_endpoint);
946b960d
GKH		 797 if ((dev->interface->cur_altsetting->desc.bInterfaceNumber == 0) &&
798 (dev->product_id == USB_DEVICE_ID_CODEMERCS_IOW56))
799 /* IOWarrior56 has wMaxPacketSize different from report size */
800 dev->report_size = 7;
801
802 /* create the urb and buffer for reading */
803 dev->int_in_urb = usb_alloc_urb(0, GFP_KERNEL);
5656bbb7 804 if (!dev->int_in_urb)
946b960d 805 goto error;
946b960d 806 dev->int_in_buffer = kmalloc(dev->report_size, GFP_KERNEL);
3cfb4842 807 if (!dev->int_in_buffer)
946b960d 808 goto error;
946b960d
GKH		 809 usb_fill_int_urb(dev->int_in_urb, dev->udev,
810 usb_rcvintpipe(dev->udev,
811 dev->int_in_endpoint->bEndpointAddress),
812 dev->int_in_buffer, dev->report_size,
813 iowarrior_callback, dev,
814 dev->int_in_endpoint->bInterval);
815 /* create an internal buffer for interrupt data from the device */
816 dev->read_queue =
23feefda
GS		 817 kmalloc_array(dev->report_size + 1, MAX_INTERRUPT_BUFFER,
818 GFP_KERNEL);
3cfb4842 819 if (!dev->read_queue)
946b960d 820 goto error;
946b960d
GKH		 821 /* Get the serial-number of the chip */
822 memset(dev->chip_serial, 0x00, sizeof(dev->chip_serial));
823 usb_string(udev, udev->descriptor.iSerialNumber, dev->chip_serial,
824 sizeof(dev->chip_serial));
825 if (strlen(dev->chip_serial) != 8)
826 memset(dev->chip_serial, 0x00, sizeof(dev->chip_serial));
827
828 /* Set the idle timeout to 0, if this is interface 0 */
829 if (dev->interface->cur_altsetting->desc.bInterfaceNumber == 0) {
147c5a17
EF		 830 usb_control_msg(udev, usb_sndctrlpipe(udev, 0),
831 0x0A,
832 USB_TYPE_CLASS | USB_RECIP_INTERFACE, 0,
833 0, NULL, 0, USB_CTRL_SET_TIMEOUT);
946b960d
GKH		 834 }
835 /* allow device read and ioctl */
836 dev->present = 1;
837
838 /* we can register the device now, as it is ready */
839 usb_set_intfdata(interface, dev);
840
841 retval = usb_register_dev(interface, &iowarrior_class);
842 if (retval) {
843 /* something prevented us from registering this driver */
844 dev_err(&interface->dev, "Not able to get a minor for this device.\n");
845 usb_set_intfdata(interface, NULL);
846 goto error;
847 }
848
849 dev->minor = interface->minor;
850
851 /* let the user know what node this device is now attached to */
852 dev_info(&interface->dev, "IOWarrior product=0x%x, serial=%s interface=%d "
853 "now attached to iowarrior%d\n", dev->product_id, dev->chip_serial,
854 iface_desc->desc.bInterfaceNumber, dev->minor - IOWARRIOR_MINOR_BASE);
855 return retval;
856
857error:
858 iowarrior_delete(dev);
859 return retval;
860}
861
862/**
863 * iowarrior_disconnect
864 *
865 * Called by the usb core when the device is removed from the system.
866 */
867static void iowarrior_disconnect(struct usb_interface *interface)
868{
869 struct iowarrior *dev;
870 int minor;
871
946b960d 872 dev = usb_get_intfdata(interface);
03f36e88 873 mutex_lock(&iowarrior_open_disc_lock);
946b960d
GKH		 874 usb_set_intfdata(interface, NULL);
875
946b960d 876 minor = dev->minor;
c468a8aa
ON		 877 mutex_unlock(&iowarrior_open_disc_lock);
878 /* give back our minor - this will call close() locks need to be dropped at this point*/
946b960d 879
946b960d
GKH		 880 usb_deregister_dev(interface, &iowarrior_class);
881
d4ead16f
AS		 882 mutex_lock(&dev->mutex);
883
946b960d 884 /* prevent device read, write and ioctl */
edc4746f 885 dev->present = 0;
946b960d
GKH		 886
887 if (dev->opened) {
888 /* There is a process that holds a filedescriptor to the device ,
889 so we only shutdown read-/write-ops going on.
890 Deleting the device is postponed until close() was called.
891 */
892 usb_kill_urb(dev->int_in_urb);
b5f8d468 893 usb_kill_anchored_urbs(&dev->submitted);
946b960d
GKH		 894 wake_up_interruptible(&dev->read_wait);
895 wake_up_interruptible(&dev->write_wait);
edc4746f 896 mutex_unlock(&dev->mutex);
946b960d
GKH		 897 } else {
898 /* no process is using the device, cleanup now */
edc4746f 899 mutex_unlock(&dev->mutex);
946b960d
GKH		 900 iowarrior_delete(dev);
901 }
946b960d
GKH		 902
903 dev_info(&interface->dev, "I/O-Warror #%d now disconnected\n",
904 minor - IOWARRIOR_MINOR_BASE);
905}
906
907/* usb specific object needed to register this driver with the usb subsystem */
908static struct usb_driver iowarrior_driver = {
909 .name = "iowarrior",
910 .probe = iowarrior_probe,
911 .disconnect = iowarrior_disconnect,
912 .id_table = iowarrior_ids,
913};
914
65db4305 915module_usb_driver(iowarrior_driver);
Linux 6.x block layer and io_uring tree(s)