Linux USB Driver Basics
Introduction
Drivers are software components that operating systems use to provide hardware specific services to applications. This webpage attempts to document the basics of USB drivers on Linux. The goal here is to provide you with a basic understanding of how USB device drivers on Linux work.
The File Abstraction
Linux, like other Unix derived operating systems, tries to make applications simpler by providing a common hardware abstraction, the File. Essentially, interactions with almost all hardware can be abstracted into the same interface that the operating system provides for manipulating files. Hence, you can "Open" a driver, "Read" a driver, "Write" to a driver and "Close" a driver. This abstraction extends all the way into the application, who can use the same system calls that it uses to open and manipulate files to talk to hardware.
The way this works is that the kernel creates nodes in the file system, typically located in /dev that represent a particular interface to a driver. To talk to a particular driver an application will open the /dev entry associated with that driver. The file descriptor returned by that open is passed to all future system calls (read, write, select), and is eventually passed to close.
Besides drivers, Unix also uses this file paradigm for various different kinds of IPC, and even for socket communications over a network.
It is quite surprising how many completely different kinds of hardware can be modeled with just 4 operations (open, close, read and write). That said, their is another very important system call that unix applications developers commonly use, select(). The select() system call allows applications to poll and determine whether data could be read from, or written to a file descriptor without blocking.
Sometimes a piece of hardware provides some functionality that doesn't fit well into this file centric paradigm. To allow for this, unix applications typically make use of the ioctl() system call. This call takes a numeric value that is essentially an identifier for a specific piece of functionality in the driver.
The Job of the Device Driver
Simply stated, it is the job of the driver to provide functions that the kernel can use to implement this file programming paradigm. Applications do not directly call functions in the driver, instead they call functions in libc that eventually call into the kernel (via the system call interface). The kernel implementations of these system calls call into your driver.
As you might expect, this means that you're going to be implementating open, close, read and write inside your driver. To implement select(), the kernel needs you to implement a method in your driver called poll(). Other than these, their are only a handfull of other functions that need to be implemented, and you have a driver!
Loading a Driver
Linux supports essentially two kinds of driver development models: 1) Compiled into the kernel, 2) Dynamically loadable driver modules. If configured properly, option 2 has the advantage that drivers can be loaded automatically by the kernel only when they are actually needed to service an application request. Option 1 presents a logically cleaner, and slightly faster scenario.
The choice is up to you. That said, we will now cover the basics of loading and unloading a kernel module into a running kernel.
First, understand that a Linux kernel driver cannot be dynamically linked against any librarys (not even libc, which many programmers dont even know they are linking against). The only code external to your driver that your allowed to make use of are functions that are implemented within the kernel. In fact, kernel modules are never "Linked", instead they are relocatable object files, .o's or sometimes .ko's.
The following command is used to install a driver into a running kernel:
[td@objective ~]$ insmod driver.ko
The following command is used to show what drivers are currently loaded into the kernel:
[td@objective ~]$ lsmod Module Size Used by md5 4033 1 ipv6 263105 22 ipt_REJECT 5441 1 ipt_state 1857 5 ip_conntrack 41369 1 ipt_state iptable_filter 2881 1 ip_tables 19521 3 ipt_REJECT,ipt_state,iptable_filter video 15685 0 button 4033 0 battery 9285 0 ac 4805 0 uhci_hcd 35025 0 ehci_hcd 40013 0 hw_random 5973 0 i2c_i801 8653 0 i2c_core 21313 1 i2c_i801 snd_intel8x0 34177 0 snd_ac97_codec 74937 1 snd_intel8x0 snd_pcm_oss 50673 0 snd_mixer_oss 17729 1 snd_pcm_oss snd_pcm 98889 3 snd_intel8x0,snd_ac97_codec snd_timer 32837 1 snd_pcm snd 57285 6 snd_intel8x0,snd_ac97_codec soundcore 10785 1 snd snd_page_alloc 9669 2 snd_intel8x0,snd_pcm e1000 102573 0 dm_snapshot 17413 0 dm_zero 2113 0 dm_mirror 25645 0 ext3 130633 2 jbd 83161 1 ext3 dm_mod 57333 6 dm_snapshot,dm_zero,dm_mirror ata_piix 9413 0 libata 46917 1 ata_piix sd_mod 20289 0 scsi_mod 146313 2 libata,sd_mod
The following command is used to remove a driver from a running kernel:
[td@objective ~]$ rmmod driver.ko
Since you never link your driver, you will not know about unresolved symbols until you actually load your driver into the kernel. It is during the "insmod" process that the kernel binds all of the calls to kernel functions in your code to their actual current locations in memory. This process is called "resolving symbol dependancies".
Understanding the Universal Serial Bus
From the highest level
As I'm sure you know from your own use of USB, the USB bus, besides offering communications also offers power to devices connected to it. The USB can offer up to 500mA for the devices connected to it. Devices that need more than this can be self powered.
Besides this, your probably aware of the fact that the USB can be expanded with hubs.
How hardware is about to make your life easier
Thankfully, your driver will not have to communicate directly on the Universal Serial Bus. Instead, your driver will communicate to the USB host controller, which will communicate on the bus on your behalf. The USB host controller is a piece of hardware that acts as a focal point for all of the CPU's interaction with the USB hardware. It hides most of the complexity of dealing with USB and also protects the USB hardware from potentially badly written driver software that might otherwise affect the whole bus.
Their are two kinds of host controller hardware commonly in use, UHCI (Universal Host Controller Interface) and OHCI (Open Host Controller Interface). The good news is that both of these host controllers present the same interface to your driver, so you really dont have to care about what kind of host controller hardware is present. As you might expect, UHCI & OHCI hardware has its own driver, that thankfully you will not need to touch. It will be the job of your driver to communicate (indirectly) with the host controller driver, to configure, read from or write to devices on the USB.
Types of Communications on the USB
USB devices have the full range of different speed, latency and reliability requirements. Things like mice and keyboard transfer only small amounts of data, relatively rarely, but they care a lot about latency. No one like a slow keyboard.
On the other hand, USB webcams often transfer compressed MPEG video, which is extremely high bandwidth, but because MPEG was designed to be transmitted over lossy communications channels, it is OK if the occasional packet is lost.
To support these differing requirements, USB supports a number of communications types.
-
Control Transfers - Control transfers are used when you need reliable (the data MUST get their) communications and you are sending a very small amount of data. Essentially, these transfers are commands, and their are a few commands that every device is required to support (GET_STATUS, CLEAR_FEATURE, SET_FEATURE, SET_ADDRESS, GET_DESCRIPTOR, SET_DESCRIPTOR, GET_CONFIGURATION, SET_CONFIGURATION, GET_INTERFACE, SET_INTERFACE, SYNCH_FRAME).
-
Bulk Transfers - Bulk transfers are used when you need reliable (the data MUST get their) communications and you are sending large amounts of data.
-
Interrupt Transfers - Interrupt transfers are simmilar to bulk transfers except they are configured to occur automatically at some interval. These types of transfers are useful for devices that stream constant data of the USB.
-
Isochronous Transfers - Isochronous transfers are very fast, and have guaranteed bus bandwidth, but they have no reliability. This transfer type seems to have been designed with MPEG in mind.
The code that you write is going to have to specify to the host controller what types of communcations you want to use. Thankfully, an extremely wide range of device types fit nicely into the above types of data transfers.
The heirarchical view of the USB
If you think about what I have described so far, it should be fairly apparent that since you will be dealing only indirectly with actual USB devices and instead be communicating through a host controller, that host controller must have some kind of data model for the devices that are connected to it on the USB bus. It must present some description of the devices connected, and their capabilities.
The capabilites of a USB device are modeled heirarchically by the host controller. Your driver will communicate to a USB device by making requests to nodes of this heirarchy. To fully understand the reasoning for all of the layers of the heirarchy I am about to tell you about please consider how generic a host controller must be, given how wide ranging the functionality of USB hardware can be.
When a USB is first plugged into the bus it is detected by the host controller. The host controller sends it the GET_DESCRIPTOR command and retrieves what is called the device descriptor. This structure is itself of a heirarchical nature and describes the features and capabilities of a particular device.
This "Device Descriptor" has 1 or more "Configuration Descriptors", which in turn has 1 or more "Interfaces", which in turn has 0 to N "Endpoints". I know this is a lot to swallow, but its the genericness and flexibility of this structure that lets USB work for so many different types of devices.
Remember, we're talking about 1 USB device here. Every device you have connected to your bus has a structure like this. Simple devices may not have multiple configurations or interfaces. Almost all devices will have at least 1 endpoint however, which means they will also have at least 1 interface and 1 configuration. The reason for this is that the endpoint is typically the part of this tree that the application interacts with.
The Importance of Endpoints
Endpoints are logically the parts of this tree that you write to or read from. If your goal is to read the mpeg coming out of a USB webcam, then you will be reading that data from an Endpoint. We talked a little about communications types above (remember Control, Bulk, Interrupt and Isochronous?) but a key to understanding USB is to understand that Endpoints support a particular type of communication. If you need to do bulk transfers to your device you'll need to find an endpoint on your device that supports bulk transfers. If you dont find it, then your out of luck. You cannot create endpoints, what you find represents the capabilities that this particular USB hardware is presenting to the host controller on your machine.
Endpoints can also be used as a secondary form of device identification. We will discuss the primary form of device identification employed shortly, but for now consider that you could identify a device by the presence of a particular heirarchy of configurations, interfaces and endpoints. In fact, the presence of the right number and types of nodes in this heirarchy is arguably the most important thing you care about. If a device identifies itself to you as being of a particular kind, that does you no good if the hardware doesn't support the endpoints you expect.
Coding details
USB Identification
All USB devices have two very important numbers that serve as our primary form of device identification. These numbers are the devices Vendor ID and Product ID. The idea is that if a company would mark all of the USB devices it creates with an id that identifies the company, it should be really easy to determine if a particular device was made by your company. Because a company might create many different kinds of USB devices, their is a second number, the Product ID. This number can be used to identify a particular product.
When a device is plugged into the USB bus, the kernel query's the installed drivers to find out which supports this particular piece of hardware. Essentially, the kernel calls a method in your driver called "probe". This function is passed the vendor and product id's, as well as a structure used to check for the availability of particular nodes in the devices USB heirarchy. If everything checks out, your driver should eventually call usb_register_dev() to let the kernel know that you do indeed handle this particular piece of hardware.
How it all begins
Now that you know some of the basic fundamentals, it's time we discuss some of the details in a little more depth. The first driver code that gets called by the kernel is your module init routine. Likewise, when your driver is unloaded (via rmmod), the last function that is called is your modules exit routine. It is the job of your init function to register a struct with the kernel called 'usb_driver'. This struct has information like your drivers name, (indirectly through another structure) the vendor and product id's of the usb hardware your driver services, and a pointer to a couple of functions called probe and disconnect (which we'll talk about shortly).
#define USB_VENDOR_ID 0x22FF #define USB_PRODUCT_ID_1 0x1111 #define USB_PRODUCT_ID_2 0x2222 static struct usb_device_id generic_usb_id_table [] = { { USB_DEVICE(USB_VENDOR_ID,USB_PRODUCT_ID_1) }, { USB_DEVICE(USB_VENDOR_ID,USB_PRODUCT_ID_2) } { } }; MODULE_DEVICE_TABLE (usb, generic_usb_id_table); static struct usb_driver generic_usb_driver = { .owner = THIS_MODULE, .name = "generic_usb_driver", .id_table = generic_usb_id_table, .probe = generic_usb_probe, .disconnect = generic_usb_disconnect }; static int __init generic_usb_driver_init( void ) { return usb_register( &generic_usb_driver ); } static void __exit generic_usb_driver_exit( void ) { usb_deregister( &generic_usb_driver ) } module_init (generic_usb_driver_init); module_exit (generic_usb_driver_exit);
Their is a bit of macro magic here at the end, but the basic idea is pretty simple. We fill out a structure and we implement some standard entry points that register and unregister that structure. What we have done at this point is told the kernel what vendor and product id's we handle, and what functions it should call when devices that match those id's are added or removed from the USB bus.
Getting Probed by the kernel
When a device is plugged into the USB bus, the USB host controller hardware generates an interrupt that wakes up the host controller driver. Eventually, the kernel finds the usb driver associated with the vendor and product id of the new device. It then calls that drivers probe method. When a device is removed, that also generates an interrupt and eventually, a call to your drivers disconnect function.
The drivers probe method is very important. First, consider that most USB drivers dont really run all the time. They are called by the kernel when they have work to do (such as reading and writing). Since it is usually possible for more than 1 kind of the same USB device to be plugged in, drivers cannot use global data to store information about their state. Instead they must declare some type of structure, which they allocate and populate an instance of when they are probe()'d by the kernel and they determine that they really do handle the hardware in question. Theirfore, it is the job of your probe function to examine the passed usb_interface structure to make sure it has all of the endpoints you need to function. Once that determination has been made you should kmalloc() your instance data structure, populate it (perhaps storing endpoint addresses or pre-allocating URB's) and return it by calling usb_set_intfdata() on the passed interface object. This instance data is passed back to you when the kernel calls into your driver from then on.
Another critical thing you have to do in your probe function is call usb_register_dev, passing a pointer to an instance of a usb_class_driver struct. This struct (the second structure down) is populated with a number of important fields.
static struct file_operations generic_fops = { .owner = THIS_MODULE, .read = generic_read, .write = generic_write, .poll = generic_poll, .ioctl = generic_ioctl }; static struct usb_class_driver generic_class = { .name = "generic_%d", .fops = &generic_fops, .mode = S_IFCHR | S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH, .minor_base = 42 };
The first structure above contains pointers to all of the functions used to support the file paradigm for this driver (read, write, poll and ioctl). The second structure contains a pointer to the first structure. It also contains a field that is used by the kernel when it creates your device nodes under /dev. The .name field of the usb_class_driver structure is used as a format string, combined with a number, to uniquely identify all of the devices on the USB bus that are serviced by your particular driver.
write
static ssize_t generic_write( struct file* file, const char __user* user_buffer, size_t count, loff_t* ppos );
Probably the first thing you'll want to do in your write function is access the instance data for this device that you allocated in probe(). You do this by looking at the "private_data" field of the struct file* passed to the function.
Basically, an URB is the unit of communication on the USB bus. Writing or reading from a device on the USB consists of creating and submitting properly constructed URBs. Given that, the next thing you need to do is call usb_alloc_urb() to create the urb for this write operation. Next, you need to create a kernel memory buffer, attach it to the URB, copy the write data from user space into your kernel buffer, finalize the initialization of the URB and finally call usb_submit_urb() to send it.
char* buf = NULL; struct urb* urb = usb_alloc_urb( 0, GFP_KERNEL ); buf = usb_buffer_alloc( dev->udev, count, GFP_KERNEL, &urb->transfer_dma ); if( buf ) { copy_from_user( buf, user_buffer, count ); usb_fill_bulk_urb( urb, dev->udev, usb_sndbulkpipe(dev->udev,dev->bulk_out_endpointAddr), buf, count, generic_write_bulk_callback, dev ); usb_submit_urb( urb, GFP_KERNEL ); usb_free_urb( urb ); }
Not the best code in the world, but shows you the steps of what your going to have to do.
read
Read is a lot simpler than write. Again, the first thing you'll probably want to do is get your instance data from the private_data field of the passed file* structure. Once thats done, you can get to the fun stuff:
usb_bulk_msg( dev->udev, usb_recvbulkpipe( dev->udev, dev->bulk_in_endpointAddr), dev->bulk_in_buffer, min(dev->bulk_in_size,count), &count, HZ*2 ); copy_to_user( buffer, dev->bulk_in_buffer, count );
The heart of your read() implementation may be as simple as this.
ioctl
ioctl is the back door. Essentially, ioctl exists because sometimes not every piece of hardware can operate exactly like a file in all cases. Sometimes, you just need to request a specific piece of functionality be performed on your behalf in the driver. You'd also like to be able to pass parameters to such a function, and be returned some kind of indication of the success of such a call.
static int generic_reader_ioctl( struct inode* inode, struct file* file, unsigned in cmd, unsigned long arg ) { struct usb_generic_instance_data* dev = (struct usb_generic_instance_data*)file->private_data; switch( cmd ) { case GET_STATE: return dev->global_state; break; default: break; } return -1; }
The above is a complete ioctl() function that implements a single logical function, GET_STATE. Any number of additional function can be added here simply by adding cases to the switch statement.