1 // SPDX-License-Identifier: GPL-2.0
2 #include <linux/kernel.h>
3 #include <linux/errno.h>
4 #include <linux/init.h>
5 #include <linux/slab.h>
6 #include <linux/mm.h>
7 #include <linux/module.h>
8 #include <linux/moduleparam.h>
9 #include <linux/scatterlist.h>
10 #include <linux/mutex.h>
11 #include <linux/timer.h>
12 #include <linux/usb.h>
13 
14 #define SIMPLE_IO_TIMEOUT	10000	/* in milliseconds */
15 
16 /*-------------------------------------------------------------------------*/
17 
18 static int override_alt = -1;
19 module_param_named(alt, override_alt, int, 0644);
20 MODULE_PARM_DESC(alt, ">= 0 to override altsetting selection");
21 static void complicated_callback(struct urb *urb);
22 
23 /*-------------------------------------------------------------------------*/
24 
25 /* FIXME make these public somewhere; usbdevfs.h? */
26 
27 /* Parameter for usbtest driver. */
28 struct usbtest_param_32 {
29 	/* inputs */
30 	__u32		test_num;	/* 0..(TEST_CASES-1) */
31 	__u32		iterations;
32 	__u32		length;
33 	__u32		vary;
34 	__u32		sglen;
35 
36 	/* outputs */
37 	__s32		duration_sec;
38 	__s32		duration_usec;
39 };
40 
41 /*
42  * Compat parameter to the usbtest driver.
43  * This supports older user space binaries compiled with 64 bit compiler.
44  */
45 struct usbtest_param_64 {
46 	/* inputs */
47 	__u32		test_num;	/* 0..(TEST_CASES-1) */
48 	__u32		iterations;
49 	__u32		length;
50 	__u32		vary;
51 	__u32		sglen;
52 
53 	/* outputs */
54 	__s64		duration_sec;
55 	__s64		duration_usec;
56 };
57 
58 /* IOCTL interface to the driver. */
59 #define USBTEST_REQUEST_32    _IOWR('U', 100, struct usbtest_param_32)
60 /* COMPAT IOCTL interface to the driver. */
61 #define USBTEST_REQUEST_64    _IOWR('U', 100, struct usbtest_param_64)
62 
63 /*-------------------------------------------------------------------------*/
64 
65 #define	GENERIC		/* let probe() bind using module params */
66 
67 /* Some devices that can be used for testing will have "real" drivers.
68  * Entries for those need to be enabled here by hand, after disabling
69  * that "real" driver.
70  */
71 //#define	IBOT2		/* grab iBOT2 webcams */
72 //#define	KEYSPAN_19Qi	/* grab un-renumerated serial adapter */
73 
74 /*-------------------------------------------------------------------------*/
75 
76 struct usbtest_info {
77 	const char		*name;
78 	u8			ep_in;		/* bulk/intr source */
79 	u8			ep_out;		/* bulk/intr sink */
80 	unsigned		autoconf:1;
81 	unsigned		ctrl_out:1;
82 	unsigned		iso:1;		/* try iso in/out */
83 	unsigned		intr:1;		/* try interrupt in/out */
84 	int			alt;
85 };
86 
87 /* this is accessed only through usbfs ioctl calls.
88  * one ioctl to issue a test ... one lock per device.
89  * tests create other threads if they need them.
90  * urbs and buffers are allocated dynamically,
91  * and data generated deterministically.
92  */
93 struct usbtest_dev {
94 	struct usb_interface	*intf;
95 	struct usbtest_info	*info;
96 	int			in_pipe;
97 	int			out_pipe;
98 	int			in_iso_pipe;
99 	int			out_iso_pipe;
100 	int			in_int_pipe;
101 	int			out_int_pipe;
102 	struct usb_endpoint_descriptor	*iso_in, *iso_out;
103 	struct usb_endpoint_descriptor	*int_in, *int_out;
104 	struct mutex		lock;
105 
106 #define TBUF_SIZE	256
107 	u8			*buf;
108 };
109 
testdev_to_usbdev(struct usbtest_dev * test)110 static struct usb_device *testdev_to_usbdev(struct usbtest_dev *test)
111 {
112 	return interface_to_usbdev(test->intf);
113 }
114 
115 /* set up all urbs so they can be used with either bulk or interrupt */
116 #define	INTERRUPT_RATE		1	/* msec/transfer */
117 
118 #define ERROR(tdev, fmt, args...) \
119 	dev_err(&(tdev)->intf->dev , fmt , ## args)
120 #define WARNING(tdev, fmt, args...) \
121 	dev_warn(&(tdev)->intf->dev , fmt , ## args)
122 
123 #define GUARD_BYTE	0xA5
124 #define MAX_SGLEN	128
125 
126 /*-------------------------------------------------------------------------*/
127 
endpoint_update(int edi,struct usb_host_endpoint ** in,struct usb_host_endpoint ** out,struct usb_host_endpoint * e)128 static inline void endpoint_update(int edi,
129 				   struct usb_host_endpoint **in,
130 				   struct usb_host_endpoint **out,
131 				   struct usb_host_endpoint *e)
132 {
133 	if (edi) {
134 		if (!*in)
135 			*in = e;
136 	} else {
137 		if (!*out)
138 			*out = e;
139 	}
140 }
141 
142 static int
get_endpoints(struct usbtest_dev * dev,struct usb_interface * intf)143 get_endpoints(struct usbtest_dev *dev, struct usb_interface *intf)
144 {
145 	int				tmp;
146 	struct usb_host_interface	*alt;
147 	struct usb_host_endpoint	*in, *out;
148 	struct usb_host_endpoint	*iso_in, *iso_out;
149 	struct usb_host_endpoint	*int_in, *int_out;
150 	struct usb_device		*udev;
151 
152 	for (tmp = 0; tmp < intf->num_altsetting; tmp++) {
153 		unsigned	ep;
154 
155 		in = out = NULL;
156 		iso_in = iso_out = NULL;
157 		int_in = int_out = NULL;
158 		alt = intf->altsetting + tmp;
159 
160 		if (override_alt >= 0 &&
161 				override_alt != alt->desc.bAlternateSetting)
162 			continue;
163 
164 		/* take the first altsetting with in-bulk + out-bulk;
165 		 * ignore other endpoints and altsettings.
166 		 */
167 		for (ep = 0; ep < alt->desc.bNumEndpoints; ep++) {
168 			struct usb_host_endpoint	*e;
169 			int edi;
170 
171 			e = alt->endpoint + ep;
172 			edi = usb_endpoint_dir_in(&e->desc);
173 
174 			switch (usb_endpoint_type(&e->desc)) {
175 			case USB_ENDPOINT_XFER_BULK:
176 				endpoint_update(edi, &in, &out, e);
177 				continue;
178 			case USB_ENDPOINT_XFER_INT:
179 				if (dev->info->intr)
180 					endpoint_update(edi, &int_in, &int_out, e);
181 				continue;
182 			case USB_ENDPOINT_XFER_ISOC:
183 				if (dev->info->iso)
184 					endpoint_update(edi, &iso_in, &iso_out, e);
185 				fallthrough;
186 			default:
187 				continue;
188 			}
189 		}
190 		if ((in && out)  ||  iso_in || iso_out || int_in || int_out)
191 			goto found;
192 	}
193 	return -EINVAL;
194 
195 found:
196 	udev = testdev_to_usbdev(dev);
197 	dev->info->alt = alt->desc.bAlternateSetting;
198 	if (alt->desc.bAlternateSetting != 0) {
199 		tmp = usb_set_interface(udev,
200 				alt->desc.bInterfaceNumber,
201 				alt->desc.bAlternateSetting);
202 		if (tmp < 0)
203 			return tmp;
204 	}
205 
206 	if (in)
207 		dev->in_pipe = usb_rcvbulkpipe(udev,
208 			in->desc.bEndpointAddress & USB_ENDPOINT_NUMBER_MASK);
209 	if (out)
210 		dev->out_pipe = usb_sndbulkpipe(udev,
211 			out->desc.bEndpointAddress & USB_ENDPOINT_NUMBER_MASK);
212 
213 	if (iso_in) {
214 		dev->iso_in = &iso_in->desc;
215 		dev->in_iso_pipe = usb_rcvisocpipe(udev,
216 				iso_in->desc.bEndpointAddress
217 					& USB_ENDPOINT_NUMBER_MASK);
218 	}
219 
220 	if (iso_out) {
221 		dev->iso_out = &iso_out->desc;
222 		dev->out_iso_pipe = usb_sndisocpipe(udev,
223 				iso_out->desc.bEndpointAddress
224 					& USB_ENDPOINT_NUMBER_MASK);
225 	}
226 
227 	if (int_in) {
228 		dev->int_in = &int_in->desc;
229 		dev->in_int_pipe = usb_rcvintpipe(udev,
230 				int_in->desc.bEndpointAddress
231 					& USB_ENDPOINT_NUMBER_MASK);
232 	}
233 
234 	if (int_out) {
235 		dev->int_out = &int_out->desc;
236 		dev->out_int_pipe = usb_sndintpipe(udev,
237 				int_out->desc.bEndpointAddress
238 					& USB_ENDPOINT_NUMBER_MASK);
239 	}
240 	return 0;
241 }
242 
243 /*-------------------------------------------------------------------------*/
244 
245 /* Support for testing basic non-queued I/O streams.
246  *
247  * These just package urbs as requests that can be easily canceled.
248  * Each urb's data buffer is dynamically allocated; callers can fill
249  * them with non-zero test data (or test for it) when appropriate.
250  */
251 
simple_callback(struct urb * urb)252 static void simple_callback(struct urb *urb)
253 {
254 	complete(urb->context);
255 }
256 
usbtest_alloc_urb(struct usb_device * udev,int pipe,unsigned long bytes,unsigned transfer_flags,unsigned offset,u8 bInterval,usb_complete_t complete_fn)257 static struct urb *usbtest_alloc_urb(
258 	struct usb_device	*udev,
259 	int			pipe,
260 	unsigned long		bytes,
261 	unsigned		transfer_flags,
262 	unsigned		offset,
263 	u8			bInterval,
264 	usb_complete_t		complete_fn)
265 {
266 	struct urb		*urb;
267 
268 	urb = usb_alloc_urb(0, GFP_KERNEL);
269 	if (!urb)
270 		return urb;
271 
272 	if (bInterval)
273 		usb_fill_int_urb(urb, udev, pipe, NULL, bytes, complete_fn,
274 				NULL, bInterval);
275 	else
276 		usb_fill_bulk_urb(urb, udev, pipe, NULL, bytes, complete_fn,
277 				NULL);
278 
279 	urb->interval = (udev->speed == USB_SPEED_HIGH)
280 			? (INTERRUPT_RATE << 3)
281 			: INTERRUPT_RATE;
282 	urb->transfer_flags = transfer_flags;
283 	if (usb_pipein(pipe))
284 		urb->transfer_flags |= URB_SHORT_NOT_OK;
285 
286 	if ((bytes + offset) == 0)
287 		return urb;
288 
289 	if (urb->transfer_flags & URB_NO_TRANSFER_DMA_MAP)
290 		urb->transfer_buffer = usb_alloc_coherent(udev, bytes + offset,
291 			GFP_KERNEL, &urb->transfer_dma);
292 	else
293 		urb->transfer_buffer = kmalloc(bytes + offset, GFP_KERNEL);
294 
295 	if (!urb->transfer_buffer) {
296 		usb_free_urb(urb);
297 		return NULL;
298 	}
299 
300 	/* To test unaligned transfers add an offset and fill the
301 		unused memory with a guard value */
302 	if (offset) {
303 		memset(urb->transfer_buffer, GUARD_BYTE, offset);
304 		urb->transfer_buffer += offset;
305 		if (urb->transfer_flags & URB_NO_TRANSFER_DMA_MAP)
306 			urb->transfer_dma += offset;
307 	}
308 
309 	/* For inbound transfers use guard byte so that test fails if
310 		data not correctly copied */
311 	memset(urb->transfer_buffer,
312 			usb_pipein(urb->pipe) ? GUARD_BYTE : 0,
313 			bytes);
314 	return urb;
315 }
316 
simple_alloc_urb(struct usb_device * udev,int pipe,unsigned long bytes,u8 bInterval)317 static struct urb *simple_alloc_urb(
318 	struct usb_device	*udev,
319 	int			pipe,
320 	unsigned long		bytes,
321 	u8			bInterval)
322 {
323 	return usbtest_alloc_urb(udev, pipe, bytes, URB_NO_TRANSFER_DMA_MAP, 0,
324 			bInterval, simple_callback);
325 }
326 
complicated_alloc_urb(struct usb_device * udev,int pipe,unsigned long bytes,u8 bInterval)327 static struct urb *complicated_alloc_urb(
328 	struct usb_device	*udev,
329 	int			pipe,
330 	unsigned long		bytes,
331 	u8			bInterval)
332 {
333 	return usbtest_alloc_urb(udev, pipe, bytes, URB_NO_TRANSFER_DMA_MAP, 0,
334 			bInterval, complicated_callback);
335 }
336 
337 static unsigned pattern;
338 static unsigned mod_pattern;
339 module_param_named(pattern, mod_pattern, uint, S_IRUGO | S_IWUSR);
340 MODULE_PARM_DESC(mod_pattern, "i/o pattern (0 == zeroes)");
341 
get_maxpacket(struct usb_device * udev,int pipe)342 static unsigned get_maxpacket(struct usb_device *udev, int pipe)
343 {
344 	struct usb_host_endpoint	*ep;
345 
346 	ep = usb_pipe_endpoint(udev, pipe);
347 	return le16_to_cpup(&ep->desc.wMaxPacketSize);
348 }
349 
ss_isoc_get_packet_num(struct usb_device * udev,int pipe)350 static int ss_isoc_get_packet_num(struct usb_device *udev, int pipe)
351 {
352 	struct usb_host_endpoint *ep = usb_pipe_endpoint(udev, pipe);
353 
354 	return USB_SS_MULT(ep->ss_ep_comp.bmAttributes)
355 		* (1 + ep->ss_ep_comp.bMaxBurst);
356 }
357 
simple_fill_buf(struct urb * urb)358 static void simple_fill_buf(struct urb *urb)
359 {
360 	unsigned	i;
361 	u8		*buf = urb->transfer_buffer;
362 	unsigned	len = urb->transfer_buffer_length;
363 	unsigned	maxpacket;
364 
365 	switch (pattern) {
366 	default:
367 		fallthrough;
368 	case 0:
369 		memset(buf, 0, len);
370 		break;
371 	case 1:			/* mod63 */
372 		maxpacket = get_maxpacket(urb->dev, urb->pipe);
373 		for (i = 0; i < len; i++)
374 			*buf++ = (u8) ((i % maxpacket) % 63);
375 		break;
376 	}
377 }
378 
buffer_offset(void * buf)379 static inline unsigned long buffer_offset(void *buf)
380 {
381 	return (unsigned long)buf & (ARCH_KMALLOC_MINALIGN - 1);
382 }
383 
check_guard_bytes(struct usbtest_dev * tdev,struct urb * urb)384 static int check_guard_bytes(struct usbtest_dev *tdev, struct urb *urb)
385 {
386 	u8 *buf = urb->transfer_buffer;
387 	u8 *guard = buf - buffer_offset(buf);
388 	unsigned i;
389 
390 	for (i = 0; guard < buf; i++, guard++) {
391 		if (*guard != GUARD_BYTE) {
392 			ERROR(tdev, "guard byte[%d] %d (not %d)\n",
393 				i, *guard, GUARD_BYTE);
394 			return -EINVAL;
395 		}
396 	}
397 	return 0;
398 }
399 
simple_check_buf(struct usbtest_dev * tdev,struct urb * urb)400 static int simple_check_buf(struct usbtest_dev *tdev, struct urb *urb)
401 {
402 	unsigned	i;
403 	u8		expected;
404 	u8		*buf = urb->transfer_buffer;
405 	unsigned	len = urb->actual_length;
406 	unsigned	maxpacket = get_maxpacket(urb->dev, urb->pipe);
407 
408 	int ret = check_guard_bytes(tdev, urb);
409 	if (ret)
410 		return ret;
411 
412 	for (i = 0; i < len; i++, buf++) {
413 		switch (pattern) {
414 		/* all-zeroes has no synchronization issues */
415 		case 0:
416 			expected = 0;
417 			break;
418 		/* mod63 stays in sync with short-terminated transfers,
419 		 * or otherwise when host and gadget agree on how large
420 		 * each usb transfer request should be.  resync is done
421 		 * with set_interface or set_config.
422 		 */
423 		case 1:			/* mod63 */
424 			expected = (i % maxpacket) % 63;
425 			break;
426 		/* always fail unsupported patterns */
427 		default:
428 			expected = !*buf;
429 			break;
430 		}
431 		if (*buf == expected)
432 			continue;
433 		ERROR(tdev, "buf[%d] = %d (not %d)\n", i, *buf, expected);
434 		return -EINVAL;
435 	}
436 	return 0;
437 }
438 
simple_free_urb(struct urb * urb)439 static void simple_free_urb(struct urb *urb)
440 {
441 	unsigned long offset = buffer_offset(urb->transfer_buffer);
442 
443 	if (urb->transfer_flags & URB_NO_TRANSFER_DMA_MAP)
444 		usb_free_coherent(
445 			urb->dev,
446 			urb->transfer_buffer_length + offset,
447 			urb->transfer_buffer - offset,
448 			urb->transfer_dma - offset);
449 	else
450 		kfree(urb->transfer_buffer - offset);
451 	usb_free_urb(urb);
452 }
453 
simple_io(struct usbtest_dev * tdev,struct urb * urb,int iterations,int vary,int expected,const char * label)454 static int simple_io(
455 	struct usbtest_dev	*tdev,
456 	struct urb		*urb,
457 	int			iterations,
458 	int			vary,
459 	int			expected,
460 	const char		*label
461 )
462 {
463 	struct usb_device	*udev = urb->dev;
464 	int			max = urb->transfer_buffer_length;
465 	struct completion	completion;
466 	int			retval = 0;
467 	unsigned long		expire;
468 
469 	urb->context = &completion;
470 	while (retval == 0 && iterations-- > 0) {
471 		init_completion(&completion);
472 		if (usb_pipeout(urb->pipe)) {
473 			simple_fill_buf(urb);
474 			urb->transfer_flags |= URB_ZERO_PACKET;
475 		}
476 		retval = usb_submit_urb(urb, GFP_KERNEL);
477 		if (retval != 0)
478 			break;
479 
480 		expire = msecs_to_jiffies(SIMPLE_IO_TIMEOUT);
481 		if (!wait_for_completion_timeout(&completion, expire)) {
482 			usb_kill_urb(urb);
483 			retval = (urb->status == -ENOENT ?
484 				  -ETIMEDOUT : urb->status);
485 		} else {
486 			retval = urb->status;
487 		}
488 
489 		urb->dev = udev;
490 		if (retval == 0 && usb_pipein(urb->pipe))
491 			retval = simple_check_buf(tdev, urb);
492 
493 		if (vary) {
494 			int	len = urb->transfer_buffer_length;
495 
496 			len += vary;
497 			len %= max;
498 			if (len == 0)
499 				len = (vary < max) ? vary : max;
500 			urb->transfer_buffer_length = len;
501 		}
502 
503 		/* FIXME if endpoint halted, clear halt (and log) */
504 	}
505 	urb->transfer_buffer_length = max;
506 
507 	if (expected != retval)
508 		dev_err(&udev->dev,
509 			"%s failed, iterations left %d, status %d (not %d)\n",
510 				label, iterations, retval, expected);
511 	return retval;
512 }
513 
514 
515 /*-------------------------------------------------------------------------*/
516 
517 /* We use scatterlist primitives to test queued I/O.
518  * Yes, this also tests the scatterlist primitives.
519  */
520 
free_sglist(struct scatterlist * sg,int nents)521 static void free_sglist(struct scatterlist *sg, int nents)
522 {
523 	unsigned		i;
524 
525 	if (!sg)
526 		return;
527 	for (i = 0; i < nents; i++) {
528 		if (!sg_page(&sg[i]))
529 			continue;
530 		kfree(sg_virt(&sg[i]));
531 	}
532 	kfree(sg);
533 }
534 
535 static struct scatterlist *
alloc_sglist(int nents,int max,int vary,struct usbtest_dev * dev,int pipe)536 alloc_sglist(int nents, int max, int vary, struct usbtest_dev *dev, int pipe)
537 {
538 	struct scatterlist	*sg;
539 	unsigned int		n_size = 0;
540 	unsigned		i;
541 	unsigned		size = max;
542 	unsigned		maxpacket =
543 		get_maxpacket(interface_to_usbdev(dev->intf), pipe);
544 
545 	if (max == 0)
546 		return NULL;
547 
548 	sg = kmalloc_array(nents, sizeof(*sg), GFP_KERNEL);
549 	if (!sg)
550 		return NULL;
551 	sg_init_table(sg, nents);
552 
553 	for (i = 0; i < nents; i++) {
554 		char		*buf;
555 		unsigned	j;
556 
557 		buf = kzalloc(size, GFP_KERNEL);
558 		if (!buf) {
559 			free_sglist(sg, i);
560 			return NULL;
561 		}
562 
563 		/* kmalloc pages are always physically contiguous! */
564 		sg_set_buf(&sg[i], buf, size);
565 
566 		switch (pattern) {
567 		case 0:
568 			/* already zeroed */
569 			break;
570 		case 1:
571 			for (j = 0; j < size; j++)
572 				*buf++ = (u8) (((j + n_size) % maxpacket) % 63);
573 			n_size += size;
574 			break;
575 		}
576 
577 		if (vary) {
578 			size += vary;
579 			size %= max;
580 			if (size == 0)
581 				size = (vary < max) ? vary : max;
582 		}
583 	}
584 
585 	return sg;
586 }
587 
588 struct sg_timeout {
589 	struct timer_list timer;
590 	struct usb_sg_request *req;
591 };
592 
sg_timeout(struct timer_list * t)593 static void sg_timeout(struct timer_list *t)
594 {
595 	struct sg_timeout *timeout = from_timer(timeout, t, timer);
596 
597 	usb_sg_cancel(timeout->req);
598 }
599 
perform_sglist(struct usbtest_dev * tdev,unsigned iterations,int pipe,struct usb_sg_request * req,struct scatterlist * sg,int nents)600 static int perform_sglist(
601 	struct usbtest_dev	*tdev,
602 	unsigned		iterations,
603 	int			pipe,
604 	struct usb_sg_request	*req,
605 	struct scatterlist	*sg,
606 	int			nents
607 )
608 {
609 	struct usb_device	*udev = testdev_to_usbdev(tdev);
610 	int			retval = 0;
611 	struct sg_timeout	timeout = {
612 		.req = req,
613 	};
614 
615 	timer_setup_on_stack(&timeout.timer, sg_timeout, 0);
616 
617 	while (retval == 0 && iterations-- > 0) {
618 		retval = usb_sg_init(req, udev, pipe,
619 				(udev->speed == USB_SPEED_HIGH)
620 					? (INTERRUPT_RATE << 3)
621 					: INTERRUPT_RATE,
622 				sg, nents, 0, GFP_KERNEL);
623 
624 		if (retval)
625 			break;
626 		mod_timer(&timeout.timer, jiffies +
627 				msecs_to_jiffies(SIMPLE_IO_TIMEOUT));
628 		usb_sg_wait(req);
629 		if (!del_timer_sync(&timeout.timer))
630 			retval = -ETIMEDOUT;
631 		else
632 			retval = req->status;
633 		destroy_timer_on_stack(&timeout.timer);
634 
635 		/* FIXME check resulting data pattern */
636 
637 		/* FIXME if endpoint halted, clear halt (and log) */
638 	}
639 
640 	/* FIXME for unlink or fault handling tests, don't report
641 	 * failure if retval is as we expected ...
642 	 */
643 	if (retval)
644 		ERROR(tdev, "perform_sglist failed, "
645 				"iterations left %d, status %d\n",
646 				iterations, retval);
647 	return retval;
648 }
649 
650 
651 /*-------------------------------------------------------------------------*/
652 
653 /* unqueued control message testing
654  *
655  * there's a nice set of device functional requirements in chapter 9 of the
656  * usb 2.0 spec, which we can apply to ANY device, even ones that don't use
657  * special test firmware.
658  *
659  * we know the device is configured (or suspended) by the time it's visible
660  * through usbfs.  we can't change that, so we won't test enumeration (which
661  * worked 'well enough' to get here, this time), power management (ditto),
662  * or remote wakeup (which needs human interaction).
663  */
664 
665 static unsigned realworld = 1;
666 module_param(realworld, uint, 0);
667 MODULE_PARM_DESC(realworld, "clear to demand stricter spec compliance");
668 
get_altsetting(struct usbtest_dev * dev)669 static int get_altsetting(struct usbtest_dev *dev)
670 {
671 	struct usb_interface	*iface = dev->intf;
672 	struct usb_device	*udev = interface_to_usbdev(iface);
673 	int			retval;
674 
675 	retval = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0),
676 			USB_REQ_GET_INTERFACE, USB_DIR_IN|USB_RECIP_INTERFACE,
677 			0, iface->altsetting[0].desc.bInterfaceNumber,
678 			dev->buf, 1, USB_CTRL_GET_TIMEOUT);
679 	switch (retval) {
680 	case 1:
681 		return dev->buf[0];
682 	case 0:
683 		retval = -ERANGE;
684 		fallthrough;
685 	default:
686 		return retval;
687 	}
688 }
689 
set_altsetting(struct usbtest_dev * dev,int alternate)690 static int set_altsetting(struct usbtest_dev *dev, int alternate)
691 {
692 	struct usb_interface		*iface = dev->intf;
693 	struct usb_device		*udev;
694 
695 	if (alternate < 0 || alternate >= 256)
696 		return -EINVAL;
697 
698 	udev = interface_to_usbdev(iface);
699 	return usb_set_interface(udev,
700 			iface->altsetting[0].desc.bInterfaceNumber,
701 			alternate);
702 }
703 
is_good_config(struct usbtest_dev * tdev,int len)704 static int is_good_config(struct usbtest_dev *tdev, int len)
705 {
706 	struct usb_config_descriptor	*config;
707 
708 	if (len < sizeof(*config))
709 		return 0;
710 	config = (struct usb_config_descriptor *) tdev->buf;
711 
712 	switch (config->bDescriptorType) {
713 	case USB_DT_CONFIG:
714 	case USB_DT_OTHER_SPEED_CONFIG:
715 		if (config->bLength != 9) {
716 			ERROR(tdev, "bogus config descriptor length\n");
717 			return 0;
718 		}
719 		/* this bit 'must be 1' but often isn't */
720 		if (!realworld && !(config->bmAttributes & 0x80)) {
721 			ERROR(tdev, "high bit of config attributes not set\n");
722 			return 0;
723 		}
724 		if (config->bmAttributes & 0x1f) {	/* reserved == 0 */
725 			ERROR(tdev, "reserved config bits set\n");
726 			return 0;
727 		}
728 		break;
729 	default:
730 		return 0;
731 	}
732 
733 	if (le16_to_cpu(config->wTotalLength) == len)	/* read it all */
734 		return 1;
735 	if (le16_to_cpu(config->wTotalLength) >= TBUF_SIZE)	/* max partial read */
736 		return 1;
737 	ERROR(tdev, "bogus config descriptor read size\n");
738 	return 0;
739 }
740 
is_good_ext(struct usbtest_dev * tdev,u8 * buf)741 static int is_good_ext(struct usbtest_dev *tdev, u8 *buf)
742 {
743 	struct usb_ext_cap_descriptor *ext;
744 	u32 attr;
745 
746 	ext = (struct usb_ext_cap_descriptor *) buf;
747 
748 	if (ext->bLength != USB_DT_USB_EXT_CAP_SIZE) {
749 		ERROR(tdev, "bogus usb 2.0 extension descriptor length\n");
750 		return 0;
751 	}
752 
753 	attr = le32_to_cpu(ext->bmAttributes);
754 	/* bits[1:15] is used and others are reserved */
755 	if (attr & ~0xfffe) {	/* reserved == 0 */
756 		ERROR(tdev, "reserved bits set\n");
757 		return 0;
758 	}
759 
760 	return 1;
761 }
762 
is_good_ss_cap(struct usbtest_dev * tdev,u8 * buf)763 static int is_good_ss_cap(struct usbtest_dev *tdev, u8 *buf)
764 {
765 	struct usb_ss_cap_descriptor *ss;
766 
767 	ss = (struct usb_ss_cap_descriptor *) buf;
768 
769 	if (ss->bLength != USB_DT_USB_SS_CAP_SIZE) {
770 		ERROR(tdev, "bogus superspeed device capability descriptor length\n");
771 		return 0;
772 	}
773 
774 	/*
775 	 * only bit[1] of bmAttributes is used for LTM and others are
776 	 * reserved
777 	 */
778 	if (ss->bmAttributes & ~0x02) {	/* reserved == 0 */
779 		ERROR(tdev, "reserved bits set in bmAttributes\n");
780 		return 0;
781 	}
782 
783 	/* bits[0:3] of wSpeedSupported is used and others are reserved */
784 	if (le16_to_cpu(ss->wSpeedSupported) & ~0x0f) {	/* reserved == 0 */
785 		ERROR(tdev, "reserved bits set in wSpeedSupported\n");
786 		return 0;
787 	}
788 
789 	return 1;
790 }
791 
is_good_con_id(struct usbtest_dev * tdev,u8 * buf)792 static int is_good_con_id(struct usbtest_dev *tdev, u8 *buf)
793 {
794 	struct usb_ss_container_id_descriptor *con_id;
795 
796 	con_id = (struct usb_ss_container_id_descriptor *) buf;
797 
798 	if (con_id->bLength != USB_DT_USB_SS_CONTN_ID_SIZE) {
799 		ERROR(tdev, "bogus container id descriptor length\n");
800 		return 0;
801 	}
802 
803 	if (con_id->bReserved) {	/* reserved == 0 */
804 		ERROR(tdev, "reserved bits set\n");
805 		return 0;
806 	}
807 
808 	return 1;
809 }
810 
811 /* sanity test for standard requests working with usb_control_mesg() and some
812  * of the utility functions which use it.
813  *
814  * this doesn't test how endpoint halts behave or data toggles get set, since
815  * we won't do I/O to bulk/interrupt endpoints here (which is how to change
816  * halt or toggle).  toggle testing is impractical without support from hcds.
817  *
818  * this avoids failing devices linux would normally work with, by not testing
819  * config/altsetting operations for devices that only support their defaults.
820  * such devices rarely support those needless operations.
821  *
822  * NOTE that since this is a sanity test, it's not examining boundary cases
823  * to see if usbcore, hcd, and device all behave right.  such testing would
824  * involve varied read sizes and other operation sequences.
825  */
ch9_postconfig(struct usbtest_dev * dev)826 static int ch9_postconfig(struct usbtest_dev *dev)
827 {
828 	struct usb_interface	*iface = dev->intf;
829 	struct usb_device	*udev = interface_to_usbdev(iface);
830 	int			i, alt, retval;
831 
832 	/* [9.2.3] if there's more than one altsetting, we need to be able to
833 	 * set and get each one.  mostly trusts the descriptors from usbcore.
834 	 */
835 	for (i = 0; i < iface->num_altsetting; i++) {
836 
837 		/* 9.2.3 constrains the range here */
838 		alt = iface->altsetting[i].desc.bAlternateSetting;
839 		if (alt < 0 || alt >= iface->num_altsetting) {
840 			dev_err(&iface->dev,
841 					"invalid alt [%d].bAltSetting = %d\n",
842 					i, alt);
843 		}
844 
845 		/* [real world] get/set unimplemented if there's only one */
846 		if (realworld && iface->num_altsetting == 1)
847 			continue;
848 
849 		/* [9.4.10] set_interface */
850 		retval = set_altsetting(dev, alt);
851 		if (retval) {
852 			dev_err(&iface->dev, "can't set_interface = %d, %d\n",
853 					alt, retval);
854 			return retval;
855 		}
856 
857 		/* [9.4.4] get_interface always works */
858 		retval = get_altsetting(dev);
859 		if (retval != alt) {
860 			dev_err(&iface->dev, "get alt should be %d, was %d\n",
861 					alt, retval);
862 			return (retval < 0) ? retval : -EDOM;
863 		}
864 
865 	}
866 
867 	/* [real world] get_config unimplemented if there's only one */
868 	if (!realworld || udev->descriptor.bNumConfigurations != 1) {
869 		int	expected = udev->actconfig->desc.bConfigurationValue;
870 
871 		/* [9.4.2] get_configuration always works
872 		 * ... although some cheap devices (like one TI Hub I've got)
873 		 * won't return config descriptors except before set_config.
874 		 */
875 		retval = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0),
876 				USB_REQ_GET_CONFIGURATION,
877 				USB_DIR_IN | USB_RECIP_DEVICE,
878 				0, 0, dev->buf, 1, USB_CTRL_GET_TIMEOUT);
879 		if (retval != 1 || dev->buf[0] != expected) {
880 			dev_err(&iface->dev, "get config --> %d %d (1 %d)\n",
881 				retval, dev->buf[0], expected);
882 			return (retval < 0) ? retval : -EDOM;
883 		}
884 	}
885 
886 	/* there's always [9.4.3] a device descriptor [9.6.1] */
887 	retval = usb_get_descriptor(udev, USB_DT_DEVICE, 0,
888 			dev->buf, sizeof(udev->descriptor));
889 	if (retval != sizeof(udev->descriptor)) {
890 		dev_err(&iface->dev, "dev descriptor --> %d\n", retval);
891 		return (retval < 0) ? retval : -EDOM;
892 	}
893 
894 	/*
895 	 * there's always [9.4.3] a bos device descriptor [9.6.2] in USB
896 	 * 3.0 spec
897 	 */
898 	if (le16_to_cpu(udev->descriptor.bcdUSB) >= 0x0210) {
899 		struct usb_bos_descriptor *bos = NULL;
900 		struct usb_dev_cap_header *header = NULL;
901 		unsigned total, num, length;
902 		u8 *buf;
903 
904 		retval = usb_get_descriptor(udev, USB_DT_BOS, 0, dev->buf,
905 				sizeof(*udev->bos->desc));
906 		if (retval != sizeof(*udev->bos->desc)) {
907 			dev_err(&iface->dev, "bos descriptor --> %d\n", retval);
908 			return (retval < 0) ? retval : -EDOM;
909 		}
910 
911 		bos = (struct usb_bos_descriptor *)dev->buf;
912 		total = le16_to_cpu(bos->wTotalLength);
913 		num = bos->bNumDeviceCaps;
914 
915 		if (total > TBUF_SIZE)
916 			total = TBUF_SIZE;
917 
918 		/*
919 		 * get generic device-level capability descriptors [9.6.2]
920 		 * in USB 3.0 spec
921 		 */
922 		retval = usb_get_descriptor(udev, USB_DT_BOS, 0, dev->buf,
923 				total);
924 		if (retval != total) {
925 			dev_err(&iface->dev, "bos descriptor set --> %d\n",
926 					retval);
927 			return (retval < 0) ? retval : -EDOM;
928 		}
929 
930 		length = sizeof(*udev->bos->desc);
931 		buf = dev->buf;
932 		for (i = 0; i < num; i++) {
933 			buf += length;
934 			if (buf + sizeof(struct usb_dev_cap_header) >
935 					dev->buf + total)
936 				break;
937 
938 			header = (struct usb_dev_cap_header *)buf;
939 			length = header->bLength;
940 
941 			if (header->bDescriptorType !=
942 					USB_DT_DEVICE_CAPABILITY) {
943 				dev_warn(&udev->dev, "not device capability descriptor, skip\n");
944 				continue;
945 			}
946 
947 			switch (header->bDevCapabilityType) {
948 			case USB_CAP_TYPE_EXT:
949 				if (buf + USB_DT_USB_EXT_CAP_SIZE >
950 						dev->buf + total ||
951 						!is_good_ext(dev, buf)) {
952 					dev_err(&iface->dev, "bogus usb 2.0 extension descriptor\n");
953 					return -EDOM;
954 				}
955 				break;
956 			case USB_SS_CAP_TYPE:
957 				if (buf + USB_DT_USB_SS_CAP_SIZE >
958 						dev->buf + total ||
959 						!is_good_ss_cap(dev, buf)) {
960 					dev_err(&iface->dev, "bogus superspeed device capability descriptor\n");
961 					return -EDOM;
962 				}
963 				break;
964 			case CONTAINER_ID_TYPE:
965 				if (buf + USB_DT_USB_SS_CONTN_ID_SIZE >
966 						dev->buf + total ||
967 						!is_good_con_id(dev, buf)) {
968 					dev_err(&iface->dev, "bogus container id descriptor\n");
969 					return -EDOM;
970 				}
971 				break;
972 			default:
973 				break;
974 			}
975 		}
976 	}
977 
978 	/* there's always [9.4.3] at least one config descriptor [9.6.3] */
979 	for (i = 0; i < udev->descriptor.bNumConfigurations; i++) {
980 		retval = usb_get_descriptor(udev, USB_DT_CONFIG, i,
981 				dev->buf, TBUF_SIZE);
982 		if (!is_good_config(dev, retval)) {
983 			dev_err(&iface->dev,
984 					"config [%d] descriptor --> %d\n",
985 					i, retval);
986 			return (retval < 0) ? retval : -EDOM;
987 		}
988 
989 		/* FIXME cross-checking udev->config[i] to make sure usbcore
990 		 * parsed it right (etc) would be good testing paranoia
991 		 */
992 	}
993 
994 	/* and sometimes [9.2.6.6] speed dependent descriptors */
995 	if (le16_to_cpu(udev->descriptor.bcdUSB) == 0x0200) {
996 		struct usb_qualifier_descriptor *d = NULL;
997 
998 		/* device qualifier [9.6.2] */
999 		retval = usb_get_descriptor(udev,
1000 				USB_DT_DEVICE_QUALIFIER, 0, dev->buf,
1001 				sizeof(struct usb_qualifier_descriptor));
1002 		if (retval == -EPIPE) {
1003 			if (udev->speed == USB_SPEED_HIGH) {
1004 				dev_err(&iface->dev,
1005 						"hs dev qualifier --> %d\n",
1006 						retval);
1007 				return retval;
1008 			}
1009 			/* usb2.0 but not high-speed capable; fine */
1010 		} else if (retval != sizeof(struct usb_qualifier_descriptor)) {
1011 			dev_err(&iface->dev, "dev qualifier --> %d\n", retval);
1012 			return (retval < 0) ? retval : -EDOM;
1013 		} else
1014 			d = (struct usb_qualifier_descriptor *) dev->buf;
1015 
1016 		/* might not have [9.6.2] any other-speed configs [9.6.4] */
1017 		if (d) {
1018 			unsigned max = d->bNumConfigurations;
1019 			for (i = 0; i < max; i++) {
1020 				retval = usb_get_descriptor(udev,
1021 					USB_DT_OTHER_SPEED_CONFIG, i,
1022 					dev->buf, TBUF_SIZE);
1023 				if (!is_good_config(dev, retval)) {
1024 					dev_err(&iface->dev,
1025 						"other speed config --> %d\n",
1026 						retval);
1027 					return (retval < 0) ? retval : -EDOM;
1028 				}
1029 			}
1030 		}
1031 	}
1032 	/* FIXME fetch strings from at least the device descriptor */
1033 
1034 	/* [9.4.5] get_status always works */
1035 	retval = usb_get_std_status(udev, USB_RECIP_DEVICE, 0, dev->buf);
1036 	if (retval) {
1037 		dev_err(&iface->dev, "get dev status --> %d\n", retval);
1038 		return retval;
1039 	}
1040 
1041 	/* FIXME configuration.bmAttributes says if we could try to set/clear
1042 	 * the device's remote wakeup feature ... if we can, test that here
1043 	 */
1044 
1045 	retval = usb_get_std_status(udev, USB_RECIP_INTERFACE,
1046 			iface->altsetting[0].desc.bInterfaceNumber, dev->buf);
1047 	if (retval) {
1048 		dev_err(&iface->dev, "get interface status --> %d\n", retval);
1049 		return retval;
1050 	}
1051 	/* FIXME get status for each endpoint in the interface */
1052 
1053 	return 0;
1054 }
1055 
1056 /*-------------------------------------------------------------------------*/
1057 
1058 /* use ch9 requests to test whether:
1059  *   (a) queues work for control, keeping N subtests queued and
1060  *       active (auto-resubmit) for M loops through the queue.
1061  *   (b) protocol stalls (control-only) will autorecover.
1062  *       it's not like bulk/intr; no halt clearing.
1063  *   (c) short control reads are reported and handled.
1064  *   (d) queues are always processed in-order
1065  */
1066 
1067 struct ctrl_ctx {
1068 	spinlock_t		lock;
1069 	struct usbtest_dev	*dev;
1070 	struct completion	complete;
1071 	unsigned		count;
1072 	unsigned		pending;
1073 	int			status;
1074 	struct urb		**urb;
1075 	struct usbtest_param_32	*param;
1076 	int			last;
1077 };
1078 
1079 #define NUM_SUBCASES	16		/* how many test subcases here? */
1080 
1081 struct subcase {
1082 	struct usb_ctrlrequest	setup;
1083 	int			number;
1084 	int			expected;
1085 };
1086 
ctrl_complete(struct urb * urb)1087 static void ctrl_complete(struct urb *urb)
1088 {
1089 	struct ctrl_ctx		*ctx = urb->context;
1090 	struct usb_ctrlrequest	*reqp;
1091 	struct subcase		*subcase;
1092 	int			status = urb->status;
1093 	unsigned long		flags;
1094 
1095 	reqp = (struct usb_ctrlrequest *)urb->setup_packet;
1096 	subcase = container_of(reqp, struct subcase, setup);
1097 
1098 	spin_lock_irqsave(&ctx->lock, flags);
1099 	ctx->count--;
1100 	ctx->pending--;
1101 
1102 	/* queue must transfer and complete in fifo order, unless
1103 	 * usb_unlink_urb() is used to unlink something not at the
1104 	 * physical queue head (not tested).
1105 	 */
1106 	if (subcase->number > 0) {
1107 		if ((subcase->number - ctx->last) != 1) {
1108 			ERROR(ctx->dev,
1109 				"subcase %d completed out of order, last %d\n",
1110 				subcase->number, ctx->last);
1111 			status = -EDOM;
1112 			ctx->last = subcase->number;
1113 			goto error;
1114 		}
1115 	}
1116 	ctx->last = subcase->number;
1117 
1118 	/* succeed or fault in only one way? */
1119 	if (status == subcase->expected)
1120 		status = 0;
1121 
1122 	/* async unlink for cleanup? */
1123 	else if (status != -ECONNRESET) {
1124 
1125 		/* some faults are allowed, not required */
1126 		if (subcase->expected > 0 && (
1127 			  ((status == -subcase->expected	/* happened */
1128 			   || status == 0))))			/* didn't */
1129 			status = 0;
1130 		/* sometimes more than one fault is allowed */
1131 		else if (subcase->number == 12 && status == -EPIPE)
1132 			status = 0;
1133 		else
1134 			ERROR(ctx->dev, "subtest %d error, status %d\n",
1135 					subcase->number, status);
1136 	}
1137 
1138 	/* unexpected status codes mean errors; ideally, in hardware */
1139 	if (status) {
1140 error:
1141 		if (ctx->status == 0) {
1142 			int		i;
1143 
1144 			ctx->status = status;
1145 			ERROR(ctx->dev, "control queue %02x.%02x, err %d, "
1146 					"%d left, subcase %d, len %d/%d\n",
1147 					reqp->bRequestType, reqp->bRequest,
1148 					status, ctx->count, subcase->number,
1149 					urb->actual_length,
1150 					urb->transfer_buffer_length);
1151 
1152 			/* FIXME this "unlink everything" exit route should
1153 			 * be a separate test case.
1154 			 */
1155 
1156 			/* unlink whatever's still pending */
1157 			for (i = 1; i < ctx->param->sglen; i++) {
1158 				struct urb *u = ctx->urb[
1159 							(i + subcase->number)
1160 							% ctx->param->sglen];
1161 
1162 				if (u == urb || !u->dev)
1163 					continue;
1164 				spin_unlock(&ctx->lock);
1165 				status = usb_unlink_urb(u);
1166 				spin_lock(&ctx->lock);
1167 				switch (status) {
1168 				case -EINPROGRESS:
1169 				case -EBUSY:
1170 				case -EIDRM:
1171 					continue;
1172 				default:
1173 					ERROR(ctx->dev, "urb unlink --> %d\n",
1174 							status);
1175 				}
1176 			}
1177 			status = ctx->status;
1178 		}
1179 	}
1180 
1181 	/* resubmit if we need to, else mark this as done */
1182 	if ((status == 0) && (ctx->pending < ctx->count)) {
1183 		status = usb_submit_urb(urb, GFP_ATOMIC);
1184 		if (status != 0) {
1185 			ERROR(ctx->dev,
1186 				"can't resubmit ctrl %02x.%02x, err %d\n",
1187 				reqp->bRequestType, reqp->bRequest, status);
1188 			urb->dev = NULL;
1189 		} else
1190 			ctx->pending++;
1191 	} else
1192 		urb->dev = NULL;
1193 
1194 	/* signal completion when nothing's queued */
1195 	if (ctx->pending == 0)
1196 		complete(&ctx->complete);
1197 	spin_unlock_irqrestore(&ctx->lock, flags);
1198 }
1199 
1200 static int
test_ctrl_queue(struct usbtest_dev * dev,struct usbtest_param_32 * param)1201 test_ctrl_queue(struct usbtest_dev *dev, struct usbtest_param_32 *param)
1202 {
1203 	struct usb_device	*udev = testdev_to_usbdev(dev);
1204 	struct urb		**urb;
1205 	struct ctrl_ctx		context;
1206 	int			i;
1207 
1208 	if (param->sglen == 0 || param->iterations > UINT_MAX / param->sglen)
1209 		return -EOPNOTSUPP;
1210 
1211 	spin_lock_init(&context.lock);
1212 	context.dev = dev;
1213 	init_completion(&context.complete);
1214 	context.count = param->sglen * param->iterations;
1215 	context.pending = 0;
1216 	context.status = -ENOMEM;
1217 	context.param = param;
1218 	context.last = -1;
1219 
1220 	/* allocate and init the urbs we'll queue.
1221 	 * as with bulk/intr sglists, sglen is the queue depth; it also
1222 	 * controls which subtests run (more tests than sglen) or rerun.
1223 	 */
1224 	urb = kcalloc(param->sglen, sizeof(struct urb *), GFP_KERNEL);
1225 	if (!urb)
1226 		return -ENOMEM;
1227 	for (i = 0; i < param->sglen; i++) {
1228 		int			pipe = usb_rcvctrlpipe(udev, 0);
1229 		unsigned		len;
1230 		struct urb		*u;
1231 		struct usb_ctrlrequest	req;
1232 		struct subcase		*reqp;
1233 
1234 		/* sign of this variable means:
1235 		 *  -: tested code must return this (negative) error code
1236 		 *  +: tested code may return this (negative too) error code
1237 		 */
1238 		int			expected = 0;
1239 
1240 		/* requests here are mostly expected to succeed on any
1241 		 * device, but some are chosen to trigger protocol stalls
1242 		 * or short reads.
1243 		 */
1244 		memset(&req, 0, sizeof(req));
1245 		req.bRequest = USB_REQ_GET_DESCRIPTOR;
1246 		req.bRequestType = USB_DIR_IN|USB_RECIP_DEVICE;
1247 
1248 		switch (i % NUM_SUBCASES) {
1249 		case 0:		/* get device descriptor */
1250 			req.wValue = cpu_to_le16(USB_DT_DEVICE << 8);
1251 			len = sizeof(struct usb_device_descriptor);
1252 			break;
1253 		case 1:		/* get first config descriptor (only) */
1254 			req.wValue = cpu_to_le16((USB_DT_CONFIG << 8) | 0);
1255 			len = sizeof(struct usb_config_descriptor);
1256 			break;
1257 		case 2:		/* get altsetting (OFTEN STALLS) */
1258 			req.bRequest = USB_REQ_GET_INTERFACE;
1259 			req.bRequestType = USB_DIR_IN|USB_RECIP_INTERFACE;
1260 			/* index = 0 means first interface */
1261 			len = 1;
1262 			expected = EPIPE;
1263 			break;
1264 		case 3:		/* get interface status */
1265 			req.bRequest = USB_REQ_GET_STATUS;
1266 			req.bRequestType = USB_DIR_IN|USB_RECIP_INTERFACE;
1267 			/* interface 0 */
1268 			len = 2;
1269 			break;
1270 		case 4:		/* get device status */
1271 			req.bRequest = USB_REQ_GET_STATUS;
1272 			req.bRequestType = USB_DIR_IN|USB_RECIP_DEVICE;
1273 			len = 2;
1274 			break;
1275 		case 5:		/* get device qualifier (MAY STALL) */
1276 			req.wValue = cpu_to_le16 (USB_DT_DEVICE_QUALIFIER << 8);
1277 			len = sizeof(struct usb_qualifier_descriptor);
1278 			if (udev->speed != USB_SPEED_HIGH)
1279 				expected = EPIPE;
1280 			break;
1281 		case 6:		/* get first config descriptor, plus interface */
1282 			req.wValue = cpu_to_le16((USB_DT_CONFIG << 8) | 0);
1283 			len = sizeof(struct usb_config_descriptor);
1284 			len += sizeof(struct usb_interface_descriptor);
1285 			break;
1286 		case 7:		/* get interface descriptor (ALWAYS STALLS) */
1287 			req.wValue = cpu_to_le16 (USB_DT_INTERFACE << 8);
1288 			/* interface == 0 */
1289 			len = sizeof(struct usb_interface_descriptor);
1290 			expected = -EPIPE;
1291 			break;
1292 		/* NOTE: two consecutive stalls in the queue here.
1293 		 *  that tests fault recovery a bit more aggressively. */
1294 		case 8:		/* clear endpoint halt (MAY STALL) */
1295 			req.bRequest = USB_REQ_CLEAR_FEATURE;
1296 			req.bRequestType = USB_RECIP_ENDPOINT;
1297 			/* wValue 0 == ep halt */
1298 			/* wIndex 0 == ep0 (shouldn't halt!) */
1299 			len = 0;
1300 			pipe = usb_sndctrlpipe(udev, 0);
1301 			expected = EPIPE;
1302 			break;
1303 		case 9:		/* get endpoint status */
1304 			req.bRequest = USB_REQ_GET_STATUS;
1305 			req.bRequestType = USB_DIR_IN|USB_RECIP_ENDPOINT;
1306 			/* endpoint 0 */
1307 			len = 2;
1308 			break;
1309 		case 10:	/* trigger short read (EREMOTEIO) */
1310 			req.wValue = cpu_to_le16((USB_DT_CONFIG << 8) | 0);
1311 			len = 1024;
1312 			expected = -EREMOTEIO;
1313 			break;
1314 		/* NOTE: two consecutive _different_ faults in the queue. */
1315 		case 11:	/* get endpoint descriptor (ALWAYS STALLS) */
1316 			req.wValue = cpu_to_le16(USB_DT_ENDPOINT << 8);
1317 			/* endpoint == 0 */
1318 			len = sizeof(struct usb_interface_descriptor);
1319 			expected = EPIPE;
1320 			break;
1321 		/* NOTE: sometimes even a third fault in the queue! */
1322 		case 12:	/* get string 0 descriptor (MAY STALL) */
1323 			req.wValue = cpu_to_le16(USB_DT_STRING << 8);
1324 			/* string == 0, for language IDs */
1325 			len = sizeof(struct usb_interface_descriptor);
1326 			/* may succeed when > 4 languages */
1327 			expected = EREMOTEIO;	/* or EPIPE, if no strings */
1328 			break;
1329 		case 13:	/* short read, resembling case 10 */
1330 			req.wValue = cpu_to_le16((USB_DT_CONFIG << 8) | 0);
1331 			/* last data packet "should" be DATA1, not DATA0 */
1332 			if (udev->speed == USB_SPEED_SUPER)
1333 				len = 1024 - 512;
1334 			else
1335 				len = 1024 - udev->descriptor.bMaxPacketSize0;
1336 			expected = -EREMOTEIO;
1337 			break;
1338 		case 14:	/* short read; try to fill the last packet */
1339 			req.wValue = cpu_to_le16((USB_DT_DEVICE << 8) | 0);
1340 			/* device descriptor size == 18 bytes */
1341 			len = udev->descriptor.bMaxPacketSize0;
1342 			if (udev->speed == USB_SPEED_SUPER)
1343 				len = 512;
1344 			switch (len) {
1345 			case 8:
1346 				len = 24;
1347 				break;
1348 			case 16:
1349 				len = 32;
1350 				break;
1351 			}
1352 			expected = -EREMOTEIO;
1353 			break;
1354 		case 15:
1355 			req.wValue = cpu_to_le16(USB_DT_BOS << 8);
1356 			if (udev->bos)
1357 				len = le16_to_cpu(udev->bos->desc->wTotalLength);
1358 			else
1359 				len = sizeof(struct usb_bos_descriptor);
1360 			if (le16_to_cpu(udev->descriptor.bcdUSB) < 0x0201)
1361 				expected = -EPIPE;
1362 			break;
1363 		default:
1364 			ERROR(dev, "bogus number of ctrl queue testcases!\n");
1365 			context.status = -EINVAL;
1366 			goto cleanup;
1367 		}
1368 		req.wLength = cpu_to_le16(len);
1369 		urb[i] = u = simple_alloc_urb(udev, pipe, len, 0);
1370 		if (!u)
1371 			goto cleanup;
1372 
1373 		reqp = kmalloc(sizeof(*reqp), GFP_KERNEL);
1374 		if (!reqp)
1375 			goto cleanup;
1376 		reqp->setup = req;
1377 		reqp->number = i % NUM_SUBCASES;
1378 		reqp->expected = expected;
1379 		u->setup_packet = (char *) &reqp->setup;
1380 
1381 		u->context = &context;
1382 		u->complete = ctrl_complete;
1383 	}
1384 
1385 	/* queue the urbs */
1386 	context.urb = urb;
1387 	spin_lock_irq(&context.lock);
1388 	for (i = 0; i < param->sglen; i++) {
1389 		context.status = usb_submit_urb(urb[i], GFP_ATOMIC);
1390 		if (context.status != 0) {
1391 			ERROR(dev, "can't submit urb[%d], status %d\n",
1392 					i, context.status);
1393 			context.count = context.pending;
1394 			break;
1395 		}
1396 		context.pending++;
1397 	}
1398 	spin_unlock_irq(&context.lock);
1399 
1400 	/* FIXME  set timer and time out; provide a disconnect hook */
1401 
1402 	/* wait for the last one to complete */
1403 	if (context.pending > 0)
1404 		wait_for_completion(&context.complete);
1405 
1406 cleanup:
1407 	for (i = 0; i < param->sglen; i++) {
1408 		if (!urb[i])
1409 			continue;
1410 		urb[i]->dev = udev;
1411 		kfree(urb[i]->setup_packet);
1412 		simple_free_urb(urb[i]);
1413 	}
1414 	kfree(urb);
1415 	return context.status;
1416 }
1417 #undef NUM_SUBCASES
1418 
1419 
1420 /*-------------------------------------------------------------------------*/
1421 
unlink1_callback(struct urb * urb)1422 static void unlink1_callback(struct urb *urb)
1423 {
1424 	int	status = urb->status;
1425 
1426 	/* we "know" -EPIPE (stall) never happens */
1427 	if (!status)
1428 		status = usb_submit_urb(urb, GFP_ATOMIC);
1429 	if (status) {
1430 		urb->status = status;
1431 		complete(urb->context);
1432 	}
1433 }
1434 
unlink1(struct usbtest_dev * dev,int pipe,int size,int async)1435 static int unlink1(struct usbtest_dev *dev, int pipe, int size, int async)
1436 {
1437 	struct urb		*urb;
1438 	struct completion	completion;
1439 	int			retval = 0;
1440 
1441 	init_completion(&completion);
1442 	urb = simple_alloc_urb(testdev_to_usbdev(dev), pipe, size, 0);
1443 	if (!urb)
1444 		return -ENOMEM;
1445 	urb->context = &completion;
1446 	urb->complete = unlink1_callback;
1447 
1448 	if (usb_pipeout(urb->pipe)) {
1449 		simple_fill_buf(urb);
1450 		urb->transfer_flags |= URB_ZERO_PACKET;
1451 	}
1452 
1453 	/* keep the endpoint busy.  there are lots of hc/hcd-internal
1454 	 * states, and testing should get to all of them over time.
1455 	 *
1456 	 * FIXME want additional tests for when endpoint is STALLing
1457 	 * due to errors, or is just NAKing requests.
1458 	 */
1459 	retval = usb_submit_urb(urb, GFP_KERNEL);
1460 	if (retval != 0) {
1461 		dev_err(&dev->intf->dev, "submit fail %d\n", retval);
1462 		return retval;
1463 	}
1464 
1465 	/* unlinking that should always work.  variable delay tests more
1466 	 * hcd states and code paths, even with little other system load.
1467 	 */
1468 	msleep(jiffies % (2 * INTERRUPT_RATE));
1469 	if (async) {
1470 		while (!completion_done(&completion)) {
1471 			retval = usb_unlink_urb(urb);
1472 
1473 			if (retval == 0 && usb_pipein(urb->pipe))
1474 				retval = simple_check_buf(dev, urb);
1475 
1476 			switch (retval) {
1477 			case -EBUSY:
1478 			case -EIDRM:
1479 				/* we can't unlink urbs while they're completing
1480 				 * or if they've completed, and we haven't
1481 				 * resubmitted. "normal" drivers would prevent
1482 				 * resubmission, but since we're testing unlink
1483 				 * paths, we can't.
1484 				 */
1485 				ERROR(dev, "unlink retry\n");
1486 				continue;
1487 			case 0:
1488 			case -EINPROGRESS:
1489 				break;
1490 
1491 			default:
1492 				dev_err(&dev->intf->dev,
1493 					"unlink fail %d\n", retval);
1494 				return retval;
1495 			}
1496 
1497 			break;
1498 		}
1499 	} else
1500 		usb_kill_urb(urb);
1501 
1502 	wait_for_completion(&completion);
1503 	retval = urb->status;
1504 	simple_free_urb(urb);
1505 
1506 	if (async)
1507 		return (retval == -ECONNRESET) ? 0 : retval - 1000;
1508 	else
1509 		return (retval == -ENOENT || retval == -EPERM) ?
1510 				0 : retval - 2000;
1511 }
1512 
unlink_simple(struct usbtest_dev * dev,int pipe,int len)1513 static int unlink_simple(struct usbtest_dev *dev, int pipe, int len)
1514 {
1515 	int			retval = 0;
1516 
1517 	/* test sync and async paths */
1518 	retval = unlink1(dev, pipe, len, 1);
1519 	if (!retval)
1520 		retval = unlink1(dev, pipe, len, 0);
1521 	return retval;
1522 }
1523 
1524 /*-------------------------------------------------------------------------*/
1525 
1526 struct queued_ctx {
1527 	struct completion	complete;
1528 	atomic_t		pending;
1529 	unsigned		num;
1530 	int			status;
1531 	struct urb		**urbs;
1532 };
1533 
unlink_queued_callback(struct urb * urb)1534 static void unlink_queued_callback(struct urb *urb)
1535 {
1536 	int			status = urb->status;
1537 	struct queued_ctx	*ctx = urb->context;
1538 
1539 	if (ctx->status)
1540 		goto done;
1541 	if (urb == ctx->urbs[ctx->num - 4] || urb == ctx->urbs[ctx->num - 2]) {
1542 		if (status == -ECONNRESET)
1543 			goto done;
1544 		/* What error should we report if the URB completed normally? */
1545 	}
1546 	if (status != 0)
1547 		ctx->status = status;
1548 
1549  done:
1550 	if (atomic_dec_and_test(&ctx->pending))
1551 		complete(&ctx->complete);
1552 }
1553 
unlink_queued(struct usbtest_dev * dev,int pipe,unsigned num,unsigned size)1554 static int unlink_queued(struct usbtest_dev *dev, int pipe, unsigned num,
1555 		unsigned size)
1556 {
1557 	struct queued_ctx	ctx;
1558 	struct usb_device	*udev = testdev_to_usbdev(dev);
1559 	void			*buf;
1560 	dma_addr_t		buf_dma;
1561 	int			i;
1562 	int			retval = -ENOMEM;
1563 
1564 	init_completion(&ctx.complete);
1565 	atomic_set(&ctx.pending, 1);	/* One more than the actual value */
1566 	ctx.num = num;
1567 	ctx.status = 0;
1568 
1569 	buf = usb_alloc_coherent(udev, size, GFP_KERNEL, &buf_dma);
1570 	if (!buf)
1571 		return retval;
1572 	memset(buf, 0, size);
1573 
1574 	/* Allocate and init the urbs we'll queue */
1575 	ctx.urbs = kcalloc(num, sizeof(struct urb *), GFP_KERNEL);
1576 	if (!ctx.urbs)
1577 		goto free_buf;
1578 	for (i = 0; i < num; i++) {
1579 		ctx.urbs[i] = usb_alloc_urb(0, GFP_KERNEL);
1580 		if (!ctx.urbs[i])
1581 			goto free_urbs;
1582 		usb_fill_bulk_urb(ctx.urbs[i], udev, pipe, buf, size,
1583 				unlink_queued_callback, &ctx);
1584 		ctx.urbs[i]->transfer_dma = buf_dma;
1585 		ctx.urbs[i]->transfer_flags = URB_NO_TRANSFER_DMA_MAP;
1586 
1587 		if (usb_pipeout(ctx.urbs[i]->pipe)) {
1588 			simple_fill_buf(ctx.urbs[i]);
1589 			ctx.urbs[i]->transfer_flags |= URB_ZERO_PACKET;
1590 		}
1591 	}
1592 
1593 	/* Submit all the URBs and then unlink URBs num - 4 and num - 2. */
1594 	for (i = 0; i < num; i++) {
1595 		atomic_inc(&ctx.pending);
1596 		retval = usb_submit_urb(ctx.urbs[i], GFP_KERNEL);
1597 		if (retval != 0) {
1598 			dev_err(&dev->intf->dev, "submit urbs[%d] fail %d\n",
1599 					i, retval);
1600 			atomic_dec(&ctx.pending);
1601 			ctx.status = retval;
1602 			break;
1603 		}
1604 	}
1605 	if (i == num) {
1606 		usb_unlink_urb(ctx.urbs[num - 4]);
1607 		usb_unlink_urb(ctx.urbs[num - 2]);
1608 	} else {
1609 		while (--i >= 0)
1610 			usb_unlink_urb(ctx.urbs[i]);
1611 	}
1612 
1613 	if (atomic_dec_and_test(&ctx.pending))		/* The extra count */
1614 		complete(&ctx.complete);
1615 	wait_for_completion(&ctx.complete);
1616 	retval = ctx.status;
1617 
1618  free_urbs:
1619 	for (i = 0; i < num; i++)
1620 		usb_free_urb(ctx.urbs[i]);
1621 	kfree(ctx.urbs);
1622  free_buf:
1623 	usb_free_coherent(udev, size, buf, buf_dma);
1624 	return retval;
1625 }
1626 
1627 /*-------------------------------------------------------------------------*/
1628 
verify_not_halted(struct usbtest_dev * tdev,int ep,struct urb * urb)1629 static int verify_not_halted(struct usbtest_dev *tdev, int ep, struct urb *urb)
1630 {
1631 	int	retval;
1632 	u16	status;
1633 
1634 	/* shouldn't look or act halted */
1635 	retval = usb_get_std_status(urb->dev, USB_RECIP_ENDPOINT, ep, &status);
1636 	if (retval < 0) {
1637 		ERROR(tdev, "ep %02x couldn't get no-halt status, %d\n",
1638 				ep, retval);
1639 		return retval;
1640 	}
1641 	if (status != 0) {
1642 		ERROR(tdev, "ep %02x bogus status: %04x != 0\n", ep, status);
1643 		return -EINVAL;
1644 	}
1645 	retval = simple_io(tdev, urb, 1, 0, 0, __func__);
1646 	if (retval != 0)
1647 		return -EINVAL;
1648 	return 0;
1649 }
1650 
verify_halted(struct usbtest_dev * tdev,int ep,struct urb * urb)1651 static int verify_halted(struct usbtest_dev *tdev, int ep, struct urb *urb)
1652 {
1653 	int	retval;
1654 	u16	status;
1655 
1656 	/* should look and act halted */
1657 	retval = usb_get_std_status(urb->dev, USB_RECIP_ENDPOINT, ep, &status);
1658 	if (retval < 0) {
1659 		ERROR(tdev, "ep %02x couldn't get halt status, %d\n",
1660 				ep, retval);
1661 		return retval;
1662 	}
1663 	if (status != 1) {
1664 		ERROR(tdev, "ep %02x bogus status: %04x != 1\n", ep, status);
1665 		return -EINVAL;
1666 	}
1667 	retval = simple_io(tdev, urb, 1, 0, -EPIPE, __func__);
1668 	if (retval != -EPIPE)
1669 		return -EINVAL;
1670 	retval = simple_io(tdev, urb, 1, 0, -EPIPE, "verify_still_halted");
1671 	if (retval != -EPIPE)
1672 		return -EINVAL;
1673 	return 0;
1674 }
1675 
test_halt(struct usbtest_dev * tdev,int ep,struct urb * urb)1676 static int test_halt(struct usbtest_dev *tdev, int ep, struct urb *urb)
1677 {
1678 	int	retval;
1679 
1680 	/* shouldn't look or act halted now */
1681 	retval = verify_not_halted(tdev, ep, urb);
1682 	if (retval < 0)
1683 		return retval;
1684 
1685 	/* set halt (protocol test only), verify it worked */
1686 	retval = usb_control_msg(urb->dev, usb_sndctrlpipe(urb->dev, 0),
1687 			USB_REQ_SET_FEATURE, USB_RECIP_ENDPOINT,
1688 			USB_ENDPOINT_HALT, ep,
1689 			NULL, 0, USB_CTRL_SET_TIMEOUT);
1690 	if (retval < 0) {
1691 		ERROR(tdev, "ep %02x couldn't set halt, %d\n", ep, retval);
1692 		return retval;
1693 	}
1694 	retval = verify_halted(tdev, ep, urb);
1695 	if (retval < 0) {
1696 		int ret;
1697 
1698 		/* clear halt anyways, else further tests will fail */
1699 		ret = usb_clear_halt(urb->dev, urb->pipe);
1700 		if (ret)
1701 			ERROR(tdev, "ep %02x couldn't clear halt, %d\n",
1702 			      ep, ret);
1703 
1704 		return retval;
1705 	}
1706 
1707 	/* clear halt (tests API + protocol), verify it worked */
1708 	retval = usb_clear_halt(urb->dev, urb->pipe);
1709 	if (retval < 0) {
1710 		ERROR(tdev, "ep %02x couldn't clear halt, %d\n", ep, retval);
1711 		return retval;
1712 	}
1713 	retval = verify_not_halted(tdev, ep, urb);
1714 	if (retval < 0)
1715 		return retval;
1716 
1717 	/* NOTE:  could also verify SET_INTERFACE clear halts ... */
1718 
1719 	return 0;
1720 }
1721 
test_toggle_sync(struct usbtest_dev * tdev,int ep,struct urb * urb)1722 static int test_toggle_sync(struct usbtest_dev *tdev, int ep, struct urb *urb)
1723 {
1724 	int	retval;
1725 
1726 	/* clear initial data toggle to DATA0 */
1727 	retval = usb_clear_halt(urb->dev, urb->pipe);
1728 	if (retval < 0) {
1729 		ERROR(tdev, "ep %02x couldn't clear halt, %d\n", ep, retval);
1730 		return retval;
1731 	}
1732 
1733 	/* transfer 3 data packets, should be DATA0, DATA1, DATA0 */
1734 	retval = simple_io(tdev, urb, 1, 0, 0, __func__);
1735 	if (retval != 0)
1736 		return -EINVAL;
1737 
1738 	/* clear halt resets device side data toggle, host should react to it */
1739 	retval = usb_clear_halt(urb->dev, urb->pipe);
1740 	if (retval < 0) {
1741 		ERROR(tdev, "ep %02x couldn't clear halt, %d\n", ep, retval);
1742 		return retval;
1743 	}
1744 
1745 	/* host should use DATA0 again after clear halt */
1746 	retval = simple_io(tdev, urb, 1, 0, 0, __func__);
1747 
1748 	return retval;
1749 }
1750 
halt_simple(struct usbtest_dev * dev)1751 static int halt_simple(struct usbtest_dev *dev)
1752 {
1753 	int			ep;
1754 	int			retval = 0;
1755 	struct urb		*urb;
1756 	struct usb_device	*udev = testdev_to_usbdev(dev);
1757 
1758 	if (udev->speed == USB_SPEED_SUPER)
1759 		urb = simple_alloc_urb(udev, 0, 1024, 0);
1760 	else
1761 		urb = simple_alloc_urb(udev, 0, 512, 0);
1762 	if (urb == NULL)
1763 		return -ENOMEM;
1764 
1765 	if (dev->in_pipe) {
1766 		ep = usb_pipeendpoint(dev->in_pipe) | USB_DIR_IN;
1767 		urb->pipe = dev->in_pipe;
1768 		retval = test_halt(dev, ep, urb);
1769 		if (retval < 0)
1770 			goto done;
1771 	}
1772 
1773 	if (dev->out_pipe) {
1774 		ep = usb_pipeendpoint(dev->out_pipe);
1775 		urb->pipe = dev->out_pipe;
1776 		retval = test_halt(dev, ep, urb);
1777 	}
1778 done:
1779 	simple_free_urb(urb);
1780 	return retval;
1781 }
1782 
toggle_sync_simple(struct usbtest_dev * dev)1783 static int toggle_sync_simple(struct usbtest_dev *dev)
1784 {
1785 	int			ep;
1786 	int			retval = 0;
1787 	struct urb		*urb;
1788 	struct usb_device	*udev = testdev_to_usbdev(dev);
1789 	unsigned		maxp = get_maxpacket(udev, dev->out_pipe);
1790 
1791 	/*
1792 	 * Create a URB that causes a transfer of uneven amount of data packets
1793 	 * This way the clear toggle has an impact on the data toggle sequence.
1794 	 * Use 2 maxpacket length packets and one zero packet.
1795 	 */
1796 	urb = simple_alloc_urb(udev, 0,  2 * maxp, 0);
1797 	if (urb == NULL)
1798 		return -ENOMEM;
1799 
1800 	urb->transfer_flags |= URB_ZERO_PACKET;
1801 
1802 	ep = usb_pipeendpoint(dev->out_pipe);
1803 	urb->pipe = dev->out_pipe;
1804 	retval = test_toggle_sync(dev, ep, urb);
1805 
1806 	simple_free_urb(urb);
1807 	return retval;
1808 }
1809 
1810 /*-------------------------------------------------------------------------*/
1811 
1812 /* Control OUT tests use the vendor control requests from Intel's
1813  * USB 2.0 compliance test device:  write a buffer, read it back.
1814  *
1815  * Intel's spec only _requires_ that it work for one packet, which
1816  * is pretty weak.   Some HCDs place limits here; most devices will
1817  * need to be able to handle more than one OUT data packet.  We'll
1818  * try whatever we're told to try.
1819  */
ctrl_out(struct usbtest_dev * dev,unsigned count,unsigned length,unsigned vary,unsigned offset)1820 static int ctrl_out(struct usbtest_dev *dev,
1821 		unsigned count, unsigned length, unsigned vary, unsigned offset)
1822 {
1823 	unsigned		i, j, len;
1824 	int			retval;
1825 	u8			*buf;
1826 	char			*what = "?";
1827 	struct usb_device	*udev;
1828 
1829 	if (length < 1 || length > 0xffff || vary >= length)
1830 		return -EINVAL;
1831 
1832 	buf = kmalloc(length + offset, GFP_KERNEL);
1833 	if (!buf)
1834 		return -ENOMEM;
1835 
1836 	buf += offset;
1837 	udev = testdev_to_usbdev(dev);
1838 	len = length;
1839 	retval = 0;
1840 
1841 	/* NOTE:  hardware might well act differently if we pushed it
1842 	 * with lots back-to-back queued requests.
1843 	 */
1844 	for (i = 0; i < count; i++) {
1845 		/* write patterned data */
1846 		for (j = 0; j < len; j++)
1847 			buf[j] = (u8)(i + j);
1848 		retval = usb_control_msg(udev, usb_sndctrlpipe(udev, 0),
1849 				0x5b, USB_DIR_OUT|USB_TYPE_VENDOR,
1850 				0, 0, buf, len, USB_CTRL_SET_TIMEOUT);
1851 		if (retval != len) {
1852 			what = "write";
1853 			if (retval >= 0) {
1854 				ERROR(dev, "ctrl_out, wlen %d (expected %d)\n",
1855 						retval, len);
1856 				retval = -EBADMSG;
1857 			}
1858 			break;
1859 		}
1860 
1861 		/* read it back -- assuming nothing intervened!!  */
1862 		retval = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0),
1863 				0x5c, USB_DIR_IN|USB_TYPE_VENDOR,
1864 				0, 0, buf, len, USB_CTRL_GET_TIMEOUT);
1865 		if (retval != len) {
1866 			what = "read";
1867 			if (retval >= 0) {
1868 				ERROR(dev, "ctrl_out, rlen %d (expected %d)\n",
1869 						retval, len);
1870 				retval = -EBADMSG;
1871 			}
1872 			break;
1873 		}
1874 
1875 		/* fail if we can't verify */
1876 		for (j = 0; j < len; j++) {
1877 			if (buf[j] != (u8)(i + j)) {
1878 				ERROR(dev, "ctrl_out, byte %d is %d not %d\n",
1879 					j, buf[j], (u8)(i + j));
1880 				retval = -EBADMSG;
1881 				break;
1882 			}
1883 		}
1884 		if (retval < 0) {
1885 			what = "verify";
1886 			break;
1887 		}
1888 
1889 		len += vary;
1890 
1891 		/* [real world] the "zero bytes IN" case isn't really used.
1892 		 * hardware can easily trip up in this weird case, since its
1893 		 * status stage is IN, not OUT like other ep0in transfers.
1894 		 */
1895 		if (len > length)
1896 			len = realworld ? 1 : 0;
1897 	}
1898 
1899 	if (retval < 0)
1900 		ERROR(dev, "ctrl_out %s failed, code %d, count %d\n",
1901 			what, retval, i);
1902 
1903 	kfree(buf - offset);
1904 	return retval;
1905 }
1906 
1907 /*-------------------------------------------------------------------------*/
1908 
1909 /* ISO/BULK tests ... mimics common usage
1910  *  - buffer length is split into N packets (mostly maxpacket sized)
1911  *  - multi-buffers according to sglen
1912  */
1913 
1914 struct transfer_context {
1915 	unsigned		count;
1916 	unsigned		pending;
1917 	spinlock_t		lock;
1918 	struct completion	done;
1919 	int			submit_error;
1920 	unsigned long		errors;
1921 	unsigned long		packet_count;
1922 	struct usbtest_dev	*dev;
1923 	bool			is_iso;
1924 };
1925 
complicated_callback(struct urb * urb)1926 static void complicated_callback(struct urb *urb)
1927 {
1928 	struct transfer_context	*ctx = urb->context;
1929 	unsigned long flags;
1930 
1931 	spin_lock_irqsave(&ctx->lock, flags);
1932 	ctx->count--;
1933 
1934 	ctx->packet_count += urb->number_of_packets;
1935 	if (urb->error_count > 0)
1936 		ctx->errors += urb->error_count;
1937 	else if (urb->status != 0)
1938 		ctx->errors += (ctx->is_iso ? urb->number_of_packets : 1);
1939 	else if (urb->actual_length != urb->transfer_buffer_length)
1940 		ctx->errors++;
1941 	else if (check_guard_bytes(ctx->dev, urb) != 0)
1942 		ctx->errors++;
1943 
1944 	if (urb->status == 0 && ctx->count > (ctx->pending - 1)
1945 			&& !ctx->submit_error) {
1946 		int status = usb_submit_urb(urb, GFP_ATOMIC);
1947 		switch (status) {
1948 		case 0:
1949 			goto done;
1950 		default:
1951 			dev_err(&ctx->dev->intf->dev,
1952 					"resubmit err %d\n",
1953 					status);
1954 			fallthrough;
1955 		case -ENODEV:			/* disconnected */
1956 		case -ESHUTDOWN:		/* endpoint disabled */
1957 			ctx->submit_error = 1;
1958 			break;
1959 		}
1960 	}
1961 
1962 	ctx->pending--;
1963 	if (ctx->pending == 0) {
1964 		if (ctx->errors)
1965 			dev_err(&ctx->dev->intf->dev,
1966 				"during the test, %lu errors out of %lu\n",
1967 				ctx->errors, ctx->packet_count);
1968 		complete(&ctx->done);
1969 	}
1970 done:
1971 	spin_unlock_irqrestore(&ctx->lock, flags);
1972 }
1973 
iso_alloc_urb(struct usb_device * udev,int pipe,struct usb_endpoint_descriptor * desc,long bytes,unsigned offset)1974 static struct urb *iso_alloc_urb(
1975 	struct usb_device	*udev,
1976 	int			pipe,
1977 	struct usb_endpoint_descriptor	*desc,
1978 	long			bytes,
1979 	unsigned offset
1980 )
1981 {
1982 	struct urb		*urb;
1983 	unsigned		i, maxp, packets;
1984 
1985 	if (bytes < 0 || !desc)
1986 		return NULL;
1987 
1988 	maxp = usb_endpoint_maxp(desc);
1989 	if (udev->speed >= USB_SPEED_SUPER)
1990 		maxp *= ss_isoc_get_packet_num(udev, pipe);
1991 	else
1992 		maxp *= usb_endpoint_maxp_mult(desc);
1993 
1994 	packets = DIV_ROUND_UP(bytes, maxp);
1995 
1996 	urb = usb_alloc_urb(packets, GFP_KERNEL);
1997 	if (!urb)
1998 		return urb;
1999 	urb->dev = udev;
2000 	urb->pipe = pipe;
2001 
2002 	urb->number_of_packets = packets;
2003 	urb->transfer_buffer_length = bytes;
2004 	urb->transfer_buffer = usb_alloc_coherent(udev, bytes + offset,
2005 							GFP_KERNEL,
2006 							&urb->transfer_dma);
2007 	if (!urb->transfer_buffer) {
2008 		usb_free_urb(urb);
2009 		return NULL;
2010 	}
2011 	if (offset) {
2012 		memset(urb->transfer_buffer, GUARD_BYTE, offset);
2013 		urb->transfer_buffer += offset;
2014 		urb->transfer_dma += offset;
2015 	}
2016 	/* For inbound transfers use guard byte so that test fails if
2017 		data not correctly copied */
2018 	memset(urb->transfer_buffer,
2019 			usb_pipein(urb->pipe) ? GUARD_BYTE : 0,
2020 			bytes);
2021 
2022 	for (i = 0; i < packets; i++) {
2023 		/* here, only the last packet will be short */
2024 		urb->iso_frame_desc[i].length = min((unsigned) bytes, maxp);
2025 		bytes -= urb->iso_frame_desc[i].length;
2026 
2027 		urb->iso_frame_desc[i].offset = maxp * i;
2028 	}
2029 
2030 	urb->complete = complicated_callback;
2031 	/* urb->context = SET BY CALLER */
2032 	urb->interval = 1 << (desc->bInterval - 1);
2033 	urb->transfer_flags = URB_ISO_ASAP | URB_NO_TRANSFER_DMA_MAP;
2034 	return urb;
2035 }
2036 
2037 static int
test_queue(struct usbtest_dev * dev,struct usbtest_param_32 * param,int pipe,struct usb_endpoint_descriptor * desc,unsigned offset)2038 test_queue(struct usbtest_dev *dev, struct usbtest_param_32 *param,
2039 		int pipe, struct usb_endpoint_descriptor *desc, unsigned offset)
2040 {
2041 	struct transfer_context	context;
2042 	struct usb_device	*udev;
2043 	unsigned		i;
2044 	unsigned long		packets = 0;
2045 	int			status = 0;
2046 	struct urb		**urbs;
2047 
2048 	if (!param->sglen || param->iterations > UINT_MAX / param->sglen)
2049 		return -EINVAL;
2050 
2051 	if (param->sglen > MAX_SGLEN)
2052 		return -EINVAL;
2053 
2054 	urbs = kcalloc(param->sglen, sizeof(*urbs), GFP_KERNEL);
2055 	if (!urbs)
2056 		return -ENOMEM;
2057 
2058 	memset(&context, 0, sizeof(context));
2059 	context.count = param->iterations * param->sglen;
2060 	context.dev = dev;
2061 	context.is_iso = !!desc;
2062 	init_completion(&context.done);
2063 	spin_lock_init(&context.lock);
2064 
2065 	udev = testdev_to_usbdev(dev);
2066 
2067 	for (i = 0; i < param->sglen; i++) {
2068 		if (context.is_iso)
2069 			urbs[i] = iso_alloc_urb(udev, pipe, desc,
2070 					param->length, offset);
2071 		else
2072 			urbs[i] = complicated_alloc_urb(udev, pipe,
2073 					param->length, 0);
2074 
2075 		if (!urbs[i]) {
2076 			status = -ENOMEM;
2077 			goto fail;
2078 		}
2079 		packets += urbs[i]->number_of_packets;
2080 		urbs[i]->context = &context;
2081 	}
2082 	packets *= param->iterations;
2083 
2084 	if (context.is_iso) {
2085 		int transaction_num;
2086 
2087 		if (udev->speed >= USB_SPEED_SUPER)
2088 			transaction_num = ss_isoc_get_packet_num(udev, pipe);
2089 		else
2090 			transaction_num = usb_endpoint_maxp_mult(desc);
2091 
2092 		dev_info(&dev->intf->dev,
2093 			"iso period %d %sframes, wMaxPacket %d, transactions: %d\n",
2094 			1 << (desc->bInterval - 1),
2095 			(udev->speed >= USB_SPEED_HIGH) ? "micro" : "",
2096 			usb_endpoint_maxp(desc),
2097 			transaction_num);
2098 
2099 		dev_info(&dev->intf->dev,
2100 			"total %lu msec (%lu packets)\n",
2101 			(packets * (1 << (desc->bInterval - 1)))
2102 				/ ((udev->speed >= USB_SPEED_HIGH) ? 8 : 1),
2103 			packets);
2104 	}
2105 
2106 	spin_lock_irq(&context.lock);
2107 	for (i = 0; i < param->sglen; i++) {
2108 		++context.pending;
2109 		status = usb_submit_urb(urbs[i], GFP_ATOMIC);
2110 		if (status < 0) {
2111 			ERROR(dev, "submit iso[%d], error %d\n", i, status);
2112 			if (i == 0) {
2113 				spin_unlock_irq(&context.lock);
2114 				goto fail;
2115 			}
2116 
2117 			simple_free_urb(urbs[i]);
2118 			urbs[i] = NULL;
2119 			context.pending--;
2120 			context.submit_error = 1;
2121 			break;
2122 		}
2123 	}
2124 	spin_unlock_irq(&context.lock);
2125 
2126 	wait_for_completion(&context.done);
2127 
2128 	for (i = 0; i < param->sglen; i++) {
2129 		if (urbs[i])
2130 			simple_free_urb(urbs[i]);
2131 	}
2132 	/*
2133 	 * Isochronous transfers are expected to fail sometimes.  As an
2134 	 * arbitrary limit, we will report an error if any submissions
2135 	 * fail or if the transfer failure rate is > 10%.
2136 	 */
2137 	if (status != 0)
2138 		;
2139 	else if (context.submit_error)
2140 		status = -EACCES;
2141 	else if (context.errors >
2142 			(context.is_iso ? context.packet_count / 10 : 0))
2143 		status = -EIO;
2144 
2145 	kfree(urbs);
2146 	return status;
2147 
2148 fail:
2149 	for (i = 0; i < param->sglen; i++) {
2150 		if (urbs[i])
2151 			simple_free_urb(urbs[i]);
2152 	}
2153 
2154 	kfree(urbs);
2155 	return status;
2156 }
2157 
test_unaligned_bulk(struct usbtest_dev * tdev,int pipe,unsigned length,int iterations,unsigned transfer_flags,const char * label)2158 static int test_unaligned_bulk(
2159 	struct usbtest_dev *tdev,
2160 	int pipe,
2161 	unsigned length,
2162 	int iterations,
2163 	unsigned transfer_flags,
2164 	const char *label)
2165 {
2166 	int retval;
2167 	struct urb *urb = usbtest_alloc_urb(testdev_to_usbdev(tdev),
2168 			pipe, length, transfer_flags, 1, 0, simple_callback);
2169 
2170 	if (!urb)
2171 		return -ENOMEM;
2172 
2173 	retval = simple_io(tdev, urb, iterations, 0, 0, label);
2174 	simple_free_urb(urb);
2175 	return retval;
2176 }
2177 
2178 /* Run tests. */
2179 static int
usbtest_do_ioctl(struct usb_interface * intf,struct usbtest_param_32 * param)2180 usbtest_do_ioctl(struct usb_interface *intf, struct usbtest_param_32 *param)
2181 {
2182 	struct usbtest_dev	*dev = usb_get_intfdata(intf);
2183 	struct usb_device	*udev = testdev_to_usbdev(dev);
2184 	struct urb		*urb;
2185 	struct scatterlist	*sg;
2186 	struct usb_sg_request	req;
2187 	unsigned		i;
2188 	int	retval = -EOPNOTSUPP;
2189 
2190 	if (param->iterations <= 0)
2191 		return -EINVAL;
2192 	if (param->sglen > MAX_SGLEN)
2193 		return -EINVAL;
2194 	/*
2195 	 * Just a bunch of test cases that every HCD is expected to handle.
2196 	 *
2197 	 * Some may need specific firmware, though it'd be good to have
2198 	 * one firmware image to handle all the test cases.
2199 	 *
2200 	 * FIXME add more tests!  cancel requests, verify the data, control
2201 	 * queueing, concurrent read+write threads, and so on.
2202 	 */
2203 	switch (param->test_num) {
2204 
2205 	case 0:
2206 		dev_info(&intf->dev, "TEST 0:  NOP\n");
2207 		retval = 0;
2208 		break;
2209 
2210 	/* Simple non-queued bulk I/O tests */
2211 	case 1:
2212 		if (dev->out_pipe == 0)
2213 			break;
2214 		dev_info(&intf->dev,
2215 				"TEST 1:  write %d bytes %u times\n",
2216 				param->length, param->iterations);
2217 		urb = simple_alloc_urb(udev, dev->out_pipe, param->length, 0);
2218 		if (!urb) {
2219 			retval = -ENOMEM;
2220 			break;
2221 		}
2222 		/* FIRMWARE:  bulk sink (maybe accepts short writes) */
2223 		retval = simple_io(dev, urb, param->iterations, 0, 0, "test1");
2224 		simple_free_urb(urb);
2225 		break;
2226 	case 2:
2227 		if (dev->in_pipe == 0)
2228 			break;
2229 		dev_info(&intf->dev,
2230 				"TEST 2:  read %d bytes %u times\n",
2231 				param->length, param->iterations);
2232 		urb = simple_alloc_urb(udev, dev->in_pipe, param->length, 0);
2233 		if (!urb) {
2234 			retval = -ENOMEM;
2235 			break;
2236 		}
2237 		/* FIRMWARE:  bulk source (maybe generates short writes) */
2238 		retval = simple_io(dev, urb, param->iterations, 0, 0, "test2");
2239 		simple_free_urb(urb);
2240 		break;
2241 	case 3:
2242 		if (dev->out_pipe == 0 || param->vary == 0)
2243 			break;
2244 		dev_info(&intf->dev,
2245 				"TEST 3:  write/%d 0..%d bytes %u times\n",
2246 				param->vary, param->length, param->iterations);
2247 		urb = simple_alloc_urb(udev, dev->out_pipe, param->length, 0);
2248 		if (!urb) {
2249 			retval = -ENOMEM;
2250 			break;
2251 		}
2252 		/* FIRMWARE:  bulk sink (maybe accepts short writes) */
2253 		retval = simple_io(dev, urb, param->iterations, param->vary,
2254 					0, "test3");
2255 		simple_free_urb(urb);
2256 		break;
2257 	case 4:
2258 		if (dev->in_pipe == 0 || param->vary == 0)
2259 			break;
2260 		dev_info(&intf->dev,
2261 				"TEST 4:  read/%d 0..%d bytes %u times\n",
2262 				param->vary, param->length, param->iterations);
2263 		urb = simple_alloc_urb(udev, dev->in_pipe, param->length, 0);
2264 		if (!urb) {
2265 			retval = -ENOMEM;
2266 			break;
2267 		}
2268 		/* FIRMWARE:  bulk source (maybe generates short writes) */
2269 		retval = simple_io(dev, urb, param->iterations, param->vary,
2270 					0, "test4");
2271 		simple_free_urb(urb);
2272 		break;
2273 
2274 	/* Queued bulk I/O tests */
2275 	case 5:
2276 		if (dev->out_pipe == 0 || param->sglen == 0)
2277 			break;
2278 		dev_info(&intf->dev,
2279 			"TEST 5:  write %d sglists %d entries of %d bytes\n",
2280 				param->iterations,
2281 				param->sglen, param->length);
2282 		sg = alloc_sglist(param->sglen, param->length,
2283 				0, dev, dev->out_pipe);
2284 		if (!sg) {
2285 			retval = -ENOMEM;
2286 			break;
2287 		}
2288 		/* FIRMWARE:  bulk sink (maybe accepts short writes) */
2289 		retval = perform_sglist(dev, param->iterations, dev->out_pipe,
2290 				&req, sg, param->sglen);
2291 		free_sglist(sg, param->sglen);
2292 		break;
2293 
2294 	case 6:
2295 		if (dev->in_pipe == 0 || param->sglen == 0)
2296 			break;
2297 		dev_info(&intf->dev,
2298 			"TEST 6:  read %d sglists %d entries of %d bytes\n",
2299 				param->iterations,
2300 				param->sglen, param->length);
2301 		sg = alloc_sglist(param->sglen, param->length,
2302 				0, dev, dev->in_pipe);
2303 		if (!sg) {
2304 			retval = -ENOMEM;
2305 			break;
2306 		}
2307 		/* FIRMWARE:  bulk source (maybe generates short writes) */
2308 		retval = perform_sglist(dev, param->iterations, dev->in_pipe,
2309 				&req, sg, param->sglen);
2310 		free_sglist(sg, param->sglen);
2311 		break;
2312 	case 7:
2313 		if (dev->out_pipe == 0 || param->sglen == 0 || param->vary == 0)
2314 			break;
2315 		dev_info(&intf->dev,
2316 			"TEST 7:  write/%d %d sglists %d entries 0..%d bytes\n",
2317 				param->vary, param->iterations,
2318 				param->sglen, param->length);
2319 		sg = alloc_sglist(param->sglen, param->length,
2320 				param->vary, dev, dev->out_pipe);
2321 		if (!sg) {
2322 			retval = -ENOMEM;
2323 			break;
2324 		}
2325 		/* FIRMWARE:  bulk sink (maybe accepts short writes) */
2326 		retval = perform_sglist(dev, param->iterations, dev->out_pipe,
2327 				&req, sg, param->sglen);
2328 		free_sglist(sg, param->sglen);
2329 		break;
2330 	case 8:
2331 		if (dev->in_pipe == 0 || param->sglen == 0 || param->vary == 0)
2332 			break;
2333 		dev_info(&intf->dev,
2334 			"TEST 8:  read/%d %d sglists %d entries 0..%d bytes\n",
2335 				param->vary, param->iterations,
2336 				param->sglen, param->length);
2337 		sg = alloc_sglist(param->sglen, param->length,
2338 				param->vary, dev, dev->in_pipe);
2339 		if (!sg) {
2340 			retval = -ENOMEM;
2341 			break;
2342 		}
2343 		/* FIRMWARE:  bulk source (maybe generates short writes) */
2344 		retval = perform_sglist(dev, param->iterations, dev->in_pipe,
2345 				&req, sg, param->sglen);
2346 		free_sglist(sg, param->sglen);
2347 		break;
2348 
2349 	/* non-queued sanity tests for control (chapter 9 subset) */
2350 	case 9:
2351 		retval = 0;
2352 		dev_info(&intf->dev,
2353 			"TEST 9:  ch9 (subset) control tests, %d times\n",
2354 				param->iterations);
2355 		for (i = param->iterations; retval == 0 && i--; /* NOP */)
2356 			retval = ch9_postconfig(dev);
2357 		if (retval)
2358 			dev_err(&intf->dev, "ch9 subset failed, "
2359 					"iterations left %d\n", i);
2360 		break;
2361 
2362 	/* queued control messaging */
2363 	case 10:
2364 		retval = 0;
2365 		dev_info(&intf->dev,
2366 				"TEST 10:  queue %d control calls, %d times\n",
2367 				param->sglen,
2368 				param->iterations);
2369 		retval = test_ctrl_queue(dev, param);
2370 		break;
2371 
2372 	/* simple non-queued unlinks (ring with one urb) */
2373 	case 11:
2374 		if (dev->in_pipe == 0 || !param->length)
2375 			break;
2376 		retval = 0;
2377 		dev_info(&intf->dev, "TEST 11:  unlink %d reads of %d\n",
2378 				param->iterations, param->length);
2379 		for (i = param->iterations; retval == 0 && i--; /* NOP */)
2380 			retval = unlink_simple(dev, dev->in_pipe,
2381 						param->length);
2382 		if (retval)
2383 			dev_err(&intf->dev, "unlink reads failed %d, "
2384 				"iterations left %d\n", retval, i);
2385 		break;
2386 	case 12:
2387 		if (dev->out_pipe == 0 || !param->length)
2388 			break;
2389 		retval = 0;
2390 		dev_info(&intf->dev, "TEST 12:  unlink %d writes of %d\n",
2391 				param->iterations, param->length);
2392 		for (i = param->iterations; retval == 0 && i--; /* NOP */)
2393 			retval = unlink_simple(dev, dev->out_pipe,
2394 						param->length);
2395 		if (retval)
2396 			dev_err(&intf->dev, "unlink writes failed %d, "
2397 				"iterations left %d\n", retval, i);
2398 		break;
2399 
2400 	/* ep halt tests */
2401 	case 13:
2402 		if (dev->out_pipe == 0 && dev->in_pipe == 0)
2403 			break;
2404 		retval = 0;
2405 		dev_info(&intf->dev, "TEST 13:  set/clear %d halts\n",
2406 				param->iterations);
2407 		for (i = param->iterations; retval == 0 && i--; /* NOP */)
2408 			retval = halt_simple(dev);
2409 
2410 		if (retval)
2411 			ERROR(dev, "halts failed, iterations left %d\n", i);
2412 		break;
2413 
2414 	/* control write tests */
2415 	case 14:
2416 		if (!dev->info->ctrl_out)
2417 			break;
2418 		dev_info(&intf->dev, "TEST 14:  %d ep0out, %d..%d vary %d\n",
2419 				param->iterations,
2420 				realworld ? 1 : 0, param->length,
2421 				param->vary);
2422 		retval = ctrl_out(dev, param->iterations,
2423 				param->length, param->vary, 0);
2424 		break;
2425 
2426 	/* iso write tests */
2427 	case 15:
2428 		if (dev->out_iso_pipe == 0 || param->sglen == 0)
2429 			break;
2430 		dev_info(&intf->dev,
2431 			"TEST 15:  write %d iso, %d entries of %d bytes\n",
2432 				param->iterations,
2433 				param->sglen, param->length);
2434 		/* FIRMWARE:  iso sink */
2435 		retval = test_queue(dev, param,
2436 				dev->out_iso_pipe, dev->iso_out, 0);
2437 		break;
2438 
2439 	/* iso read tests */
2440 	case 16:
2441 		if (dev->in_iso_pipe == 0 || param->sglen == 0)
2442 			break;
2443 		dev_info(&intf->dev,
2444 			"TEST 16:  read %d iso, %d entries of %d bytes\n",
2445 				param->iterations,
2446 				param->sglen, param->length);
2447 		/* FIRMWARE:  iso source */
2448 		retval = test_queue(dev, param,
2449 				dev->in_iso_pipe, dev->iso_in, 0);
2450 		break;
2451 
2452 	/* FIXME scatterlist cancel (needs helper thread) */
2453 
2454 	/* Tests for bulk I/O using DMA mapping by core and odd address */
2455 	case 17:
2456 		if (dev->out_pipe == 0)
2457 			break;
2458 		dev_info(&intf->dev,
2459 			"TEST 17:  write odd addr %d bytes %u times core map\n",
2460 			param->length, param->iterations);
2461 
2462 		retval = test_unaligned_bulk(
2463 				dev, dev->out_pipe,
2464 				param->length, param->iterations,
2465 				0, "test17");
2466 		break;
2467 
2468 	case 18:
2469 		if (dev->in_pipe == 0)
2470 			break;
2471 		dev_info(&intf->dev,
2472 			"TEST 18:  read odd addr %d bytes %u times core map\n",
2473 			param->length, param->iterations);
2474 
2475 		retval = test_unaligned_bulk(
2476 				dev, dev->in_pipe,
2477 				param->length, param->iterations,
2478 				0, "test18");
2479 		break;
2480 
2481 	/* Tests for bulk I/O using premapped coherent buffer and odd address */
2482 	case 19:
2483 		if (dev->out_pipe == 0)
2484 			break;
2485 		dev_info(&intf->dev,
2486 			"TEST 19:  write odd addr %d bytes %u times premapped\n",
2487 			param->length, param->iterations);
2488 
2489 		retval = test_unaligned_bulk(
2490 				dev, dev->out_pipe,
2491 				param->length, param->iterations,
2492 				URB_NO_TRANSFER_DMA_MAP, "test19");
2493 		break;
2494 
2495 	case 20:
2496 		if (dev->in_pipe == 0)
2497 			break;
2498 		dev_info(&intf->dev,
2499 			"TEST 20:  read odd addr %d bytes %u times premapped\n",
2500 			param->length, param->iterations);
2501 
2502 		retval = test_unaligned_bulk(
2503 				dev, dev->in_pipe,
2504 				param->length, param->iterations,
2505 				URB_NO_TRANSFER_DMA_MAP, "test20");
2506 		break;
2507 
2508 	/* control write tests with unaligned buffer */
2509 	case 21:
2510 		if (!dev->info->ctrl_out)
2511 			break;
2512 		dev_info(&intf->dev,
2513 				"TEST 21:  %d ep0out odd addr, %d..%d vary %d\n",
2514 				param->iterations,
2515 				realworld ? 1 : 0, param->length,
2516 				param->vary);
2517 		retval = ctrl_out(dev, param->iterations,
2518 				param->length, param->vary, 1);
2519 		break;
2520 
2521 	/* unaligned iso tests */
2522 	case 22:
2523 		if (dev->out_iso_pipe == 0 || param->sglen == 0)
2524 			break;
2525 		dev_info(&intf->dev,
2526 			"TEST 22:  write %d iso odd, %d entries of %d bytes\n",
2527 				param->iterations,
2528 				param->sglen, param->length);
2529 		retval = test_queue(dev, param,
2530 				dev->out_iso_pipe, dev->iso_out, 1);
2531 		break;
2532 
2533 	case 23:
2534 		if (dev->in_iso_pipe == 0 || param->sglen == 0)
2535 			break;
2536 		dev_info(&intf->dev,
2537 			"TEST 23:  read %d iso odd, %d entries of %d bytes\n",
2538 				param->iterations,
2539 				param->sglen, param->length);
2540 		retval = test_queue(dev, param,
2541 				dev->in_iso_pipe, dev->iso_in, 1);
2542 		break;
2543 
2544 	/* unlink URBs from a bulk-OUT queue */
2545 	case 24:
2546 		if (dev->out_pipe == 0 || !param->length || param->sglen < 4)
2547 			break;
2548 		retval = 0;
2549 		dev_info(&intf->dev, "TEST 24:  unlink from %d queues of "
2550 				"%d %d-byte writes\n",
2551 				param->iterations, param->sglen, param->length);
2552 		for (i = param->iterations; retval == 0 && i > 0; --i) {
2553 			retval = unlink_queued(dev, dev->out_pipe,
2554 						param->sglen, param->length);
2555 			if (retval) {
2556 				dev_err(&intf->dev,
2557 					"unlink queued writes failed %d, "
2558 					"iterations left %d\n", retval, i);
2559 				break;
2560 			}
2561 		}
2562 		break;
2563 
2564 	/* Simple non-queued interrupt I/O tests */
2565 	case 25:
2566 		if (dev->out_int_pipe == 0)
2567 			break;
2568 		dev_info(&intf->dev,
2569 				"TEST 25: write %d bytes %u times\n",
2570 				param->length, param->iterations);
2571 		urb = simple_alloc_urb(udev, dev->out_int_pipe, param->length,
2572 				dev->int_out->bInterval);
2573 		if (!urb) {
2574 			retval = -ENOMEM;
2575 			break;
2576 		}
2577 		/* FIRMWARE: interrupt sink (maybe accepts short writes) */
2578 		retval = simple_io(dev, urb, param->iterations, 0, 0, "test25");
2579 		simple_free_urb(urb);
2580 		break;
2581 	case 26:
2582 		if (dev->in_int_pipe == 0)
2583 			break;
2584 		dev_info(&intf->dev,
2585 				"TEST 26: read %d bytes %u times\n",
2586 				param->length, param->iterations);
2587 		urb = simple_alloc_urb(udev, dev->in_int_pipe, param->length,
2588 				dev->int_in->bInterval);
2589 		if (!urb) {
2590 			retval = -ENOMEM;
2591 			break;
2592 		}
2593 		/* FIRMWARE: interrupt source (maybe generates short writes) */
2594 		retval = simple_io(dev, urb, param->iterations, 0, 0, "test26");
2595 		simple_free_urb(urb);
2596 		break;
2597 	case 27:
2598 		/* We do performance test, so ignore data compare */
2599 		if (dev->out_pipe == 0 || param->sglen == 0 || pattern != 0)
2600 			break;
2601 		dev_info(&intf->dev,
2602 			"TEST 27: bulk write %dMbytes\n", (param->iterations *
2603 			param->sglen * param->length) / (1024 * 1024));
2604 		retval = test_queue(dev, param,
2605 				dev->out_pipe, NULL, 0);
2606 		break;
2607 	case 28:
2608 		if (dev->in_pipe == 0 || param->sglen == 0 || pattern != 0)
2609 			break;
2610 		dev_info(&intf->dev,
2611 			"TEST 28: bulk read %dMbytes\n", (param->iterations *
2612 			param->sglen * param->length) / (1024 * 1024));
2613 		retval = test_queue(dev, param,
2614 				dev->in_pipe, NULL, 0);
2615 		break;
2616 	/* Test data Toggle/seq_nr clear between bulk out transfers */
2617 	case 29:
2618 		if (dev->out_pipe == 0)
2619 			break;
2620 		retval = 0;
2621 		dev_info(&intf->dev, "TEST 29: Clear toggle between bulk writes %d times\n",
2622 				param->iterations);
2623 		for (i = param->iterations; retval == 0 && i > 0; --i)
2624 			retval = toggle_sync_simple(dev);
2625 
2626 		if (retval)
2627 			ERROR(dev, "toggle sync failed, iterations left %d\n",
2628 			      i);
2629 		break;
2630 	}
2631 	return retval;
2632 }
2633 
2634 /*-------------------------------------------------------------------------*/
2635 
2636 /* We only have this one interface to user space, through usbfs.
2637  * User mode code can scan usbfs to find N different devices (maybe on
2638  * different busses) to use when testing, and allocate one thread per
2639  * test.  So discovery is simplified, and we have no device naming issues.
2640  *
2641  * Don't use these only as stress/load tests.  Use them along with
2642  * other USB bus activity:  plugging, unplugging, mousing, mp3 playback,
2643  * video capture, and so on.  Run different tests at different times, in
2644  * different sequences.  Nothing here should interact with other devices,
2645  * except indirectly by consuming USB bandwidth and CPU resources for test
2646  * threads and request completion.  But the only way to know that for sure
2647  * is to test when HC queues are in use by many devices.
2648  *
2649  * WARNING:  Because usbfs grabs udev->dev.sem before calling this ioctl(),
2650  * it locks out usbcore in certain code paths.  Notably, if you disconnect
2651  * the device-under-test, hub_wq will wait block forever waiting for the
2652  * ioctl to complete ... so that usb_disconnect() can abort the pending
2653  * urbs and then call usbtest_disconnect().  To abort a test, you're best
2654  * off just killing the userspace task and waiting for it to exit.
2655  */
2656 
2657 static int
usbtest_ioctl(struct usb_interface * intf,unsigned int code,void * buf)2658 usbtest_ioctl(struct usb_interface *intf, unsigned int code, void *buf)
2659 {
2660 
2661 	struct usbtest_dev	*dev = usb_get_intfdata(intf);
2662 	struct usbtest_param_64 *param_64 = buf;
2663 	struct usbtest_param_32 temp;
2664 	struct usbtest_param_32 *param_32 = buf;
2665 	struct timespec64 start;
2666 	struct timespec64 end;
2667 	struct timespec64 duration;
2668 	int retval = -EOPNOTSUPP;
2669 
2670 	/* FIXME USBDEVFS_CONNECTINFO doesn't say how fast the device is. */
2671 
2672 	pattern = mod_pattern;
2673 
2674 	if (mutex_lock_interruptible(&dev->lock))
2675 		return -ERESTARTSYS;
2676 
2677 	/* FIXME: What if a system sleep starts while a test is running? */
2678 
2679 	/* some devices, like ez-usb default devices, need a non-default
2680 	 * altsetting to have any active endpoints.  some tests change
2681 	 * altsettings; force a default so most tests don't need to check.
2682 	 */
2683 	if (dev->info->alt >= 0) {
2684 		if (intf->altsetting->desc.bInterfaceNumber) {
2685 			retval = -ENODEV;
2686 			goto free_mutex;
2687 		}
2688 		retval = set_altsetting(dev, dev->info->alt);
2689 		if (retval) {
2690 			dev_err(&intf->dev,
2691 					"set altsetting to %d failed, %d\n",
2692 					dev->info->alt, retval);
2693 			goto free_mutex;
2694 		}
2695 	}
2696 
2697 	switch (code) {
2698 	case USBTEST_REQUEST_64:
2699 		temp.test_num = param_64->test_num;
2700 		temp.iterations = param_64->iterations;
2701 		temp.length = param_64->length;
2702 		temp.sglen = param_64->sglen;
2703 		temp.vary = param_64->vary;
2704 		param_32 = &temp;
2705 		break;
2706 
2707 	case USBTEST_REQUEST_32:
2708 		break;
2709 
2710 	default:
2711 		retval = -EOPNOTSUPP;
2712 		goto free_mutex;
2713 	}
2714 
2715 	ktime_get_ts64(&start);
2716 
2717 	retval = usbtest_do_ioctl(intf, param_32);
2718 	if (retval < 0)
2719 		goto free_mutex;
2720 
2721 	ktime_get_ts64(&end);
2722 
2723 	duration = timespec64_sub(end, start);
2724 
2725 	temp.duration_sec = duration.tv_sec;
2726 	temp.duration_usec = duration.tv_nsec/NSEC_PER_USEC;
2727 
2728 	switch (code) {
2729 	case USBTEST_REQUEST_32:
2730 		param_32->duration_sec = temp.duration_sec;
2731 		param_32->duration_usec = temp.duration_usec;
2732 		break;
2733 
2734 	case USBTEST_REQUEST_64:
2735 		param_64->duration_sec = temp.duration_sec;
2736 		param_64->duration_usec = temp.duration_usec;
2737 		break;
2738 	}
2739 
2740 free_mutex:
2741 	mutex_unlock(&dev->lock);
2742 	return retval;
2743 }
2744 
2745 /*-------------------------------------------------------------------------*/
2746 
2747 static unsigned force_interrupt;
2748 module_param(force_interrupt, uint, 0);
2749 MODULE_PARM_DESC(force_interrupt, "0 = test default; else interrupt");
2750 
2751 #ifdef	GENERIC
2752 static unsigned short vendor;
2753 module_param(vendor, ushort, 0);
2754 MODULE_PARM_DESC(vendor, "vendor code (from usb-if)");
2755 
2756 static unsigned short product;
2757 module_param(product, ushort, 0);
2758 MODULE_PARM_DESC(product, "product code (from vendor)");
2759 #endif
2760 
2761 static int
usbtest_probe(struct usb_interface * intf,const struct usb_device_id * id)2762 usbtest_probe(struct usb_interface *intf, const struct usb_device_id *id)
2763 {
2764 	struct usb_device	*udev;
2765 	struct usbtest_dev	*dev;
2766 	struct usbtest_info	*info;
2767 	char			*rtest, *wtest;
2768 	char			*irtest, *iwtest;
2769 	char			*intrtest, *intwtest;
2770 
2771 	udev = interface_to_usbdev(intf);
2772 
2773 #ifdef	GENERIC
2774 	/* specify devices by module parameters? */
2775 	if (id->match_flags == 0) {
2776 		/* vendor match required, product match optional */
2777 		if (!vendor || le16_to_cpu(udev->descriptor.idVendor) != (u16)vendor)
2778 			return -ENODEV;
2779 		if (product && le16_to_cpu(udev->descriptor.idProduct) != (u16)product)
2780 			return -ENODEV;
2781 		dev_info(&intf->dev, "matched module params, "
2782 					"vend=0x%04x prod=0x%04x\n",
2783 				le16_to_cpu(udev->descriptor.idVendor),
2784 				le16_to_cpu(udev->descriptor.idProduct));
2785 	}
2786 #endif
2787 
2788 	dev = kzalloc(sizeof(*dev), GFP_KERNEL);
2789 	if (!dev)
2790 		return -ENOMEM;
2791 	info = (struct usbtest_info *) id->driver_info;
2792 	dev->info = info;
2793 	mutex_init(&dev->lock);
2794 
2795 	dev->intf = intf;
2796 
2797 	/* cacheline-aligned scratch for i/o */
2798 	dev->buf = kmalloc(TBUF_SIZE, GFP_KERNEL);
2799 	if (dev->buf == NULL) {
2800 		kfree(dev);
2801 		return -ENOMEM;
2802 	}
2803 
2804 	/* NOTE this doesn't yet test the handful of difference that are
2805 	 * visible with high speed interrupts:  bigger maxpacket (1K) and
2806 	 * "high bandwidth" modes (up to 3 packets/uframe).
2807 	 */
2808 	rtest = wtest = "";
2809 	irtest = iwtest = "";
2810 	intrtest = intwtest = "";
2811 	if (force_interrupt || udev->speed == USB_SPEED_LOW) {
2812 		if (info->ep_in) {
2813 			dev->in_pipe = usb_rcvintpipe(udev, info->ep_in);
2814 			rtest = " intr-in";
2815 		}
2816 		if (info->ep_out) {
2817 			dev->out_pipe = usb_sndintpipe(udev, info->ep_out);
2818 			wtest = " intr-out";
2819 		}
2820 	} else {
2821 		if (override_alt >= 0 || info->autoconf) {
2822 			int status;
2823 
2824 			status = get_endpoints(dev, intf);
2825 			if (status < 0) {
2826 				WARNING(dev, "couldn't get endpoints, %d\n",
2827 						status);
2828 				kfree(dev->buf);
2829 				kfree(dev);
2830 				return status;
2831 			}
2832 			/* may find bulk or ISO pipes */
2833 		} else {
2834 			if (info->ep_in)
2835 				dev->in_pipe = usb_rcvbulkpipe(udev,
2836 							info->ep_in);
2837 			if (info->ep_out)
2838 				dev->out_pipe = usb_sndbulkpipe(udev,
2839 							info->ep_out);
2840 		}
2841 		if (dev->in_pipe)
2842 			rtest = " bulk-in";
2843 		if (dev->out_pipe)
2844 			wtest = " bulk-out";
2845 		if (dev->in_iso_pipe)
2846 			irtest = " iso-in";
2847 		if (dev->out_iso_pipe)
2848 			iwtest = " iso-out";
2849 		if (dev->in_int_pipe)
2850 			intrtest = " int-in";
2851 		if (dev->out_int_pipe)
2852 			intwtest = " int-out";
2853 	}
2854 
2855 	usb_set_intfdata(intf, dev);
2856 	dev_info(&intf->dev, "%s\n", info->name);
2857 	dev_info(&intf->dev, "%s {control%s%s%s%s%s%s%s} tests%s\n",
2858 			usb_speed_string(udev->speed),
2859 			info->ctrl_out ? " in/out" : "",
2860 			rtest, wtest,
2861 			irtest, iwtest,
2862 			intrtest, intwtest,
2863 			info->alt >= 0 ? " (+alt)" : "");
2864 	return 0;
2865 }
2866 
usbtest_suspend(struct usb_interface * intf,pm_message_t message)2867 static int usbtest_suspend(struct usb_interface *intf, pm_message_t message)
2868 {
2869 	return 0;
2870 }
2871 
usbtest_resume(struct usb_interface * intf)2872 static int usbtest_resume(struct usb_interface *intf)
2873 {
2874 	return 0;
2875 }
2876 
2877 
usbtest_disconnect(struct usb_interface * intf)2878 static void usbtest_disconnect(struct usb_interface *intf)
2879 {
2880 	struct usbtest_dev	*dev = usb_get_intfdata(intf);
2881 
2882 	usb_set_intfdata(intf, NULL);
2883 	dev_dbg(&intf->dev, "disconnect\n");
2884 	kfree(dev->buf);
2885 	kfree(dev);
2886 }
2887 
2888 /* Basic testing only needs a device that can source or sink bulk traffic.
2889  * Any device can test control transfers (default with GENERIC binding).
2890  *
2891  * Several entries work with the default EP0 implementation that's built
2892  * into EZ-USB chips.  There's a default vendor ID which can be overridden
2893  * by (very) small config EEPROMS, but otherwise all these devices act
2894  * identically until firmware is loaded:  only EP0 works.  It turns out
2895  * to be easy to make other endpoints work, without modifying that EP0
2896  * behavior.  For now, we expect that kind of firmware.
2897  */
2898 
2899 /* an21xx or fx versions of ez-usb */
2900 static struct usbtest_info ez1_info = {
2901 	.name		= "EZ-USB device",
2902 	.ep_in		= 2,
2903 	.ep_out		= 2,
2904 	.alt		= 1,
2905 };
2906 
2907 /* fx2 version of ez-usb */
2908 static struct usbtest_info ez2_info = {
2909 	.name		= "FX2 device",
2910 	.ep_in		= 6,
2911 	.ep_out		= 2,
2912 	.alt		= 1,
2913 };
2914 
2915 /* ezusb family device with dedicated usb test firmware,
2916  */
2917 static struct usbtest_info fw_info = {
2918 	.name		= "usb test device",
2919 	.ep_in		= 2,
2920 	.ep_out		= 2,
2921 	.alt		= 1,
2922 	.autoconf	= 1,		/* iso and ctrl_out need autoconf */
2923 	.ctrl_out	= 1,
2924 	.iso		= 1,		/* iso_ep's are #8 in/out */
2925 };
2926 
2927 /* peripheral running Linux and 'zero.c' test firmware, or
2928  * its user-mode cousin. different versions of this use
2929  * different hardware with the same vendor/product codes.
2930  * host side MUST rely on the endpoint descriptors.
2931  */
2932 static struct usbtest_info gz_info = {
2933 	.name		= "Linux gadget zero",
2934 	.autoconf	= 1,
2935 	.ctrl_out	= 1,
2936 	.iso		= 1,
2937 	.intr		= 1,
2938 	.alt		= 0,
2939 };
2940 
2941 static struct usbtest_info um_info = {
2942 	.name		= "Linux user mode test driver",
2943 	.autoconf	= 1,
2944 	.alt		= -1,
2945 };
2946 
2947 static struct usbtest_info um2_info = {
2948 	.name		= "Linux user mode ISO test driver",
2949 	.autoconf	= 1,
2950 	.iso		= 1,
2951 	.alt		= -1,
2952 };
2953 
2954 #ifdef IBOT2
2955 /* this is a nice source of high speed bulk data;
2956  * uses an FX2, with firmware provided in the device
2957  */
2958 static struct usbtest_info ibot2_info = {
2959 	.name		= "iBOT2 webcam",
2960 	.ep_in		= 2,
2961 	.alt		= -1,
2962 };
2963 #endif
2964 
2965 #ifdef GENERIC
2966 /* we can use any device to test control traffic */
2967 static struct usbtest_info generic_info = {
2968 	.name		= "Generic USB device",
2969 	.alt		= -1,
2970 };
2971 #endif
2972 
2973 
2974 static const struct usb_device_id id_table[] = {
2975 
2976 	/*-------------------------------------------------------------*/
2977 
2978 	/* EZ-USB devices which download firmware to replace (or in our
2979 	 * case augment) the default device implementation.
2980 	 */
2981 
2982 	/* generic EZ-USB FX controller */
2983 	{ USB_DEVICE(0x0547, 0x2235),
2984 		.driver_info = (unsigned long) &ez1_info,
2985 	},
2986 
2987 	/* CY3671 development board with EZ-USB FX */
2988 	{ USB_DEVICE(0x0547, 0x0080),
2989 		.driver_info = (unsigned long) &ez1_info,
2990 	},
2991 
2992 	/* generic EZ-USB FX2 controller (or development board) */
2993 	{ USB_DEVICE(0x04b4, 0x8613),
2994 		.driver_info = (unsigned long) &ez2_info,
2995 	},
2996 
2997 	/* re-enumerated usb test device firmware */
2998 	{ USB_DEVICE(0xfff0, 0xfff0),
2999 		.driver_info = (unsigned long) &fw_info,
3000 	},
3001 
3002 	/* "Gadget Zero" firmware runs under Linux */
3003 	{ USB_DEVICE(0x0525, 0xa4a0),
3004 		.driver_info = (unsigned long) &gz_info,
3005 	},
3006 
3007 	/* so does a user-mode variant */
3008 	{ USB_DEVICE(0x0525, 0xa4a4),
3009 		.driver_info = (unsigned long) &um_info,
3010 	},
3011 
3012 	/* ... and a user-mode variant that talks iso */
3013 	{ USB_DEVICE(0x0525, 0xa4a3),
3014 		.driver_info = (unsigned long) &um2_info,
3015 	},
3016 
3017 #ifdef KEYSPAN_19Qi
3018 	/* Keyspan 19qi uses an21xx (original EZ-USB) */
3019 	/* this does not coexist with the real Keyspan 19qi driver! */
3020 	{ USB_DEVICE(0x06cd, 0x010b),
3021 		.driver_info = (unsigned long) &ez1_info,
3022 	},
3023 #endif
3024 
3025 	/*-------------------------------------------------------------*/
3026 
3027 #ifdef IBOT2
3028 	/* iBOT2 makes a nice source of high speed bulk-in data */
3029 	/* this does not coexist with a real iBOT2 driver! */
3030 	{ USB_DEVICE(0x0b62, 0x0059),
3031 		.driver_info = (unsigned long) &ibot2_info,
3032 	},
3033 #endif
3034 
3035 	/*-------------------------------------------------------------*/
3036 
3037 #ifdef GENERIC
3038 	/* module params can specify devices to use for control tests */
3039 	{ .driver_info = (unsigned long) &generic_info, },
3040 #endif
3041 
3042 	/*-------------------------------------------------------------*/
3043 
3044 	{ }
3045 };
3046 MODULE_DEVICE_TABLE(usb, id_table);
3047 
3048 static struct usb_driver usbtest_driver = {
3049 	.name =		"usbtest",
3050 	.id_table =	id_table,
3051 	.probe =	usbtest_probe,
3052 	.unlocked_ioctl = usbtest_ioctl,
3053 	.disconnect =	usbtest_disconnect,
3054 	.suspend =	usbtest_suspend,
3055 	.resume =	usbtest_resume,
3056 };
3057 
3058 /*-------------------------------------------------------------------------*/
3059 
usbtest_init(void)3060 static int __init usbtest_init(void)
3061 {
3062 #ifdef GENERIC
3063 	if (vendor)
3064 		pr_debug("params: vend=0x%04x prod=0x%04x\n", vendor, product);
3065 #endif
3066 	return usb_register(&usbtest_driver);
3067 }
3068 module_init(usbtest_init);
3069 
usbtest_exit(void)3070 static void __exit usbtest_exit(void)
3071 {
3072 	usb_deregister(&usbtest_driver);
3073 }
3074 module_exit(usbtest_exit);
3075 
3076 MODULE_DESCRIPTION("USB Core/HCD Testing Driver");
3077 MODULE_LICENSE("GPL");
3078 
3079