On Wed, Aug 22, 2012 at 12:48 AM, Sebastian Andrzej Siewior <sebastian@xxxxxxxxxxxxx> wrote:
> Just one thing that bit while I was sleeping:
> The HW acks SetConfig on its own. Once you notice this, you set
> ->ep0_req_set_cfg and set state in bcm63xx_ep0_do_idle() to
> EP0_IN_FAKE_STATUS_PHASE. This is I guess the workaround for mass_storage's
> hold with DELAYED_STATUS and continues with a zero packet.

EP0_IN_FAKE_STATUS_PHASE is there for the general case of: setup() callback
returned >= 0 after a spoofed setup packet, and we're waiting for the gadget
driver to send the 0-byte status reply so we can silently discard it and move
on.

When bcm63xx_udc is in EP0_IN_FAKE_STATUS_PHASE, it won't issue any more
setup() callbacks until the 0-byte reply arrives from the gadget driver. If
the host sends a setup request, the callback will be held off until after the
(unused) status reply. This keeps the gadget driver from getting confused by
out-of-sequence events.

> Now two questions:
> - If a gadget decides not NAK / stall the SetConfig requests. What happens
> here?

If the return value from the setup() callback was negative, bcm63xx_udc should
just return to EP0_IDLE as the gadget driver will never send a 0-byte reply. I
have added a new check for this condition, verified that it works as intended,
and posted V4.

I am hoping that these invalid SET_CONFIGURATION / SET_INTERFACE requests are
uncommon. In what sorts of situations will a host request a configuration that
isn't advertised in the device's descriptors? I had trouble just convincing
usb_set_interface() / usb_driver_set_configuration() to send such a request
because they honor bInterfaceNumber / bConfigurationValue from the descriptors.

> - What happens if the host is faster than the UDC. SetConfig returns in
> usb-storage with "DELAYED_STATUS". HW Acks this. Could the Host send another
> request before the gadget queues the ep0 request?
Could you please clarify if this is the sequence of events you are describing:

1) Host sends a valid SET_CONFIGURATION request to a mass storage gadget
2) Hardware instantly auto-acks the request, completing the status phase and
   allowing the host to proceed with another ep0 request
3) bcm63xx_udc sends a spoofed SET_CONFIGURATION setup packet to the gadget
   driver
4) setup() callback returns USB_GADGET_DELAYED_STATUS (0x7fff) but doesn't
   queue up a reply
5) Host sends another setup packet before usb_composite_setup_continue() is
   called to send the 0-byte status reply

If so, the next steps should look like:

6) bcm63xx_udc takes a data IRQ, and sets ep0_req_completed
7) bcm63xx_udc stays in EP0_IN_FAKE_STATUS_PHASE until the 0-byte reply is
   received from usb_composite_setup_continue()
8) usb_composite_setup_continue() eventually sends the 0-byte reply
9) bcm63xx_udc returns to EP0_IDLE and notices that ep0_req_completed is now
   set
10) bcm63xx_ep0_do_setup() looks at the new request, and performs the setup()
    callback for the new setup request
11) Data/status phases are handled as usual
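A reduced model of the ep0 sequencing laid out in this message, added here as an illustration and not taken from bcm63xx_udc. Only the state names and the USB_GADGET_DELAYED_STATUS value come from the thread; the struct, function names and the callback counter are hypothetical.

```c
#include <stdbool.h>

#define USB_GADGET_DELAYED_STATUS 0x7fff          /* value quoted in the thread */

enum ep0_state { EP0_IDLE, EP0_IN_FAKE_STATUS_PHASE };

/* Hypothetical, reduced model of the driver state (not the real struct). */
struct udc_model {
    enum ep0_state state;
    bool ep0_req_completed;   /* a later host setup packet is waiting */
    int setup_callbacks;      /* setup() callbacks delivered to the gadget */
};

/* Dispatch a held-off host setup packet, but only from EP0_IDLE. */
static void ep0_do_idle(struct udc_model *u)
{
    if (u->state == EP0_IDLE && u->ep0_req_completed) {
        u->ep0_req_completed = false;
        u->setup_callbacks++;              /* setup() for the new request */
    }
}

/* HW auto-acked SetConfig; the driver spoofs a setup packet to the gadget,
 * whose setup() result is passed in as gadget_rc. */
static void on_hw_acked_setconfig(struct udc_model *u, int gadget_rc)
{
    u->setup_callbacks++;
    if (gadget_rc < 0)
        u->state = EP0_IDLE;               /* no 0-byte reply will ever come */
    else
        u->state = EP0_IN_FAKE_STATUS_PHASE; /* >= 0 or DELAYED_STATUS */
    ep0_do_idle(u);
}

/* Data IRQ: the host already sent its next setup packet. */
static void on_host_setup(struct udc_model *u)
{
    u->ep0_req_completed = true;
    ep0_do_idle(u);                        /* delivered only if we are idle */
}

/* The gadget's 0-byte status reply (e.g. via usb_composite_setup_continue()). */
static void on_gadget_zero_len_reply(struct udc_model *u)
{
    if (u->state == EP0_IN_FAKE_STATUS_PHASE) {
        u->state = EP0_IDLE;               /* reply silently discarded */
        ep0_do_idle(u);                    /* now the pending request runs */
    }
}
```

Driving the model through steps 1 to 11 shows the second setup() callback being held back until the discarded status reply arrives, while a negative setup() return drops straight back to EP0_IDLE.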