1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37#include <linux/fs.h>
38#include <linux/mm.h>
39#include <linux/slab.h>
40#include <linux/smp_lock.h>
41#include <linux/signal.h>
42#include <linux/poll.h>
43#include <linux/module.h>
44#include <linux/usb.h>
45#include <linux/usbdevice_fs.h>
46#include <linux/cdev.h>
47#include <linux/notifier.h>
48#include <linux/security.h>
49#include <asm/uaccess.h>
50#include <asm/byteorder.h>
51#include <linux/moduleparam.h>
52
53#include "hcd.h"
54#include "usb.h"
55#include "hub.h"
56
57#define USB_MAXBUS 64
58#define USB_DEVICE_MAX USB_MAXBUS * 128
59
60
61DEFINE_MUTEX(usbfs_mutex);
62
63struct dev_state {
64 struct list_head list;
65 struct usb_device *dev;
66 struct file *file;
67 spinlock_t lock;
68 struct list_head async_pending;
69 struct list_head async_completed;
70 wait_queue_head_t wait;
71 unsigned int discsignr;
72 struct pid *disc_pid;
73 uid_t disc_uid, disc_euid;
74 void __user *disccontext;
75 unsigned long ifclaimed;
76 u32 secid;
77 u32 disabled_bulk_eps;
78};
79
80struct async {
81 struct list_head asynclist;
82 struct dev_state *ps;
83 struct pid *pid;
84 uid_t uid, euid;
85 unsigned int signr;
86 unsigned int ifnum;
87 void __user *userbuffer;
88 void __user *userurb;
89 struct urb *urb;
90 int status;
91 u32 secid;
92 u8 bulk_addr;
93 u8 bulk_status;
94};
95
96static int usbfs_snoop;
97module_param(usbfs_snoop, bool, S_IRUGO | S_IWUSR);
98MODULE_PARM_DESC(usbfs_snoop, "true to log all usbfs traffic");
99
100#define snoop(dev, format, arg...) \
101 do { \
102 if (usbfs_snoop) \
103 dev_info(dev , format , ## arg); \
104 } while (0)
105
106enum snoop_when {
107 SUBMIT, COMPLETE
108};
109
110#define USB_DEVICE_DEV MKDEV(USB_DEVICE_MAJOR, 0)
111
112#define MAX_USBFS_BUFFER_SIZE 16384
113
114
115static int connected(struct dev_state *ps)
116{
117 return (!list_empty(&ps->list) &&
118 ps->dev->state != USB_STATE_NOTATTACHED);
119}
120
121static loff_t usbdev_lseek(struct file *file, loff_t offset, int orig)
122{
123 loff_t ret;
124
125 lock_kernel();
126
127 switch (orig) {
128 case 0:
129 file->f_pos = offset;
130 ret = file->f_pos;
131 break;
132 case 1:
133 file->f_pos += offset;
134 ret = file->f_pos;
135 break;
136 case 2:
137 default:
138 ret = -EINVAL;
139 }
140
141 unlock_kernel();
142 return ret;
143}
144
145static ssize_t usbdev_read(struct file *file, char __user *buf, size_t nbytes,
146 loff_t *ppos)
147{
148 struct dev_state *ps = file->private_data;
149 struct usb_device *dev = ps->dev;
150 ssize_t ret = 0;
151 unsigned len;
152 loff_t pos;
153 int i;
154
155 pos = *ppos;
156 usb_lock_device(dev);
157 if (!connected(ps)) {
158 ret = -ENODEV;
159 goto err;
160 } else if (pos < 0) {
161 ret = -EINVAL;
162 goto err;
163 }
164
165 if (pos < sizeof(struct usb_device_descriptor)) {
166
167 struct usb_device_descriptor temp_desc;
168
169 memcpy(&temp_desc, &dev->descriptor, sizeof(dev->descriptor));
170 le16_to_cpus(&temp_desc.bcdUSB);
171 le16_to_cpus(&temp_desc.idVendor);
172 le16_to_cpus(&temp_desc.idProduct);
173 le16_to_cpus(&temp_desc.bcdDevice);
174
175 len = sizeof(struct usb_device_descriptor) - pos;
176 if (len > nbytes)
177 len = nbytes;
178 if (copy_to_user(buf, ((char *)&temp_desc) + pos, len)) {
179 ret = -EFAULT;
180 goto err;
181 }
182
183 *ppos += len;
184 buf += len;
185 nbytes -= len;
186 ret += len;
187 }
188
189 pos = sizeof(struct usb_device_descriptor);
190 for (i = 0; nbytes && i < dev->descriptor.bNumConfigurations; i++) {
191 struct usb_config_descriptor *config =
192 (struct usb_config_descriptor *)dev->rawdescriptors[i];
193 unsigned int length = le16_to_cpu(config->wTotalLength);
194
195 if (*ppos < pos + length) {
196
197
198
199 unsigned alloclen =
200 le16_to_cpu(dev->config[i].desc.wTotalLength);
201
202 len = length - (*ppos - pos);
203 if (len > nbytes)
204 len = nbytes;
205
206
207 if (alloclen > (*ppos - pos)) {
208 alloclen -= (*ppos - pos);
209 if (copy_to_user(buf,
210 dev->rawdescriptors[i] + (*ppos - pos),
211 min(len, alloclen))) {
212 ret = -EFAULT;
213 goto err;
214 }
215 }
216
217 *ppos += len;
218 buf += len;
219 nbytes -= len;
220 ret += len;
221 }
222
223 pos += length;
224 }
225
226err:
227 usb_unlock_device(dev);
228 return ret;
229}
230
231
232
233
234
235static struct async *alloc_async(unsigned int numisoframes)
236{
237 struct async *as;
238
239 as = kzalloc(sizeof(struct async), GFP_KERNEL);
240 if (!as)
241 return NULL;
242 as->urb = usb_alloc_urb(numisoframes, GFP_KERNEL);
243 if (!as->urb) {
244 kfree(as);
245 return NULL;
246 }
247 return as;
248}
249
250static void free_async(struct async *as)
251{
252 put_pid(as->pid);
253 kfree(as->urb->transfer_buffer);
254 kfree(as->urb->setup_packet);
255 usb_free_urb(as->urb);
256 kfree(as);
257}
258
259static void async_newpending(struct async *as)
260{
261 struct dev_state *ps = as->ps;
262 unsigned long flags;
263
264 spin_lock_irqsave(&ps->lock, flags);
265 list_add_tail(&as->asynclist, &ps->async_pending);
266 spin_unlock_irqrestore(&ps->lock, flags);
267}
268
269static void async_removepending(struct async *as)
270{
271 struct dev_state *ps = as->ps;
272 unsigned long flags;
273
274 spin_lock_irqsave(&ps->lock, flags);
275 list_del_init(&as->asynclist);
276 spin_unlock_irqrestore(&ps->lock, flags);
277}
278
279static struct async *async_getcompleted(struct dev_state *ps)
280{
281 unsigned long flags;
282 struct async *as = NULL;
283
284 spin_lock_irqsave(&ps->lock, flags);
285 if (!list_empty(&ps->async_completed)) {
286 as = list_entry(ps->async_completed.next, struct async,
287 asynclist);
288 list_del_init(&as->asynclist);
289 }
290 spin_unlock_irqrestore(&ps->lock, flags);
291 return as;
292}
293
294static struct async *async_getpending(struct dev_state *ps,
295 void __user *userurb)
296{
297 unsigned long flags;
298 struct async *as;
299
300 spin_lock_irqsave(&ps->lock, flags);
301 list_for_each_entry(as, &ps->async_pending, asynclist)
302 if (as->userurb == userurb) {
303 list_del_init(&as->asynclist);
304 spin_unlock_irqrestore(&ps->lock, flags);
305 return as;
306 }
307 spin_unlock_irqrestore(&ps->lock, flags);
308 return NULL;
309}
310
311static void snoop_urb(struct usb_device *udev,
312 void __user *userurb, int pipe, unsigned length,
313 int timeout_or_status, enum snoop_when when)
314{
315 static const char *types[] = {"isoc", "int", "ctrl", "bulk"};
316 static const char *dirs[] = {"out", "in"};
317 int ep;
318 const char *t, *d;
319
320 if (!usbfs_snoop)
321 return;
322
323 ep = usb_pipeendpoint(pipe);
324 t = types[usb_pipetype(pipe)];
325 d = dirs[!!usb_pipein(pipe)];
326
327 if (userurb) {
328 if (when == SUBMIT)
329 dev_info(&udev->dev, "userurb %p, ep%d %s-%s, "
330 "length %u\n",
331 userurb, ep, t, d, length);
332 else
333 dev_info(&udev->dev, "userurb %p, ep%d %s-%s, "
334 "actual_length %u status %d\n",
335 userurb, ep, t, d, length,
336 timeout_or_status);
337 } else {
338 if (when == SUBMIT)
339 dev_info(&udev->dev, "ep%d %s-%s, length %u, "
340 "timeout %d\n",
341 ep, t, d, length, timeout_or_status);
342 else
343 dev_info(&udev->dev, "ep%d %s-%s, actual_length %u, "
344 "status %d\n",
345 ep, t, d, length, timeout_or_status);
346 }
347}
348
349#define AS_CONTINUATION 1
350#define AS_UNLINK 2
351
352static void cancel_bulk_urbs(struct dev_state *ps, unsigned bulk_addr)
353__releases(ps->lock)
354__acquires(ps->lock)
355{
356 struct async *as;
357
358
359
360
361
362
363 list_for_each_entry(as, &ps->async_pending, asynclist) {
364 if (as->bulk_addr == bulk_addr) {
365 if (as->bulk_status != AS_CONTINUATION)
366 goto rescan;
367 as->bulk_status = AS_UNLINK;
368 as->bulk_addr = 0;
369 }
370 }
371 ps->disabled_bulk_eps |= (1 << bulk_addr);
372
373
374 rescan:
375 list_for_each_entry(as, &ps->async_pending, asynclist) {
376 if (as->bulk_status == AS_UNLINK) {
377 as->bulk_status = 0;
378 spin_unlock(&ps->lock);
379 usb_unlink_urb(as->urb);
380 spin_lock(&ps->lock);
381 goto rescan;
382 }
383 }
384}
385
386static void async_completed(struct urb *urb)
387{
388 struct async *as = urb->context;
389 struct dev_state *ps = as->ps;
390 struct siginfo sinfo;
391 struct pid *pid = NULL;
392 uid_t uid = 0;
393 uid_t euid = 0;
394 u32 secid = 0;
395 int signr;
396
397 spin_lock(&ps->lock);
398 list_move_tail(&as->asynclist, &ps->async_completed);
399 as->status = urb->status;
400 signr = as->signr;
401 if (signr) {
402 sinfo.si_signo = as->signr;
403 sinfo.si_errno = as->status;
404 sinfo.si_code = SI_ASYNCIO;
405 sinfo.si_addr = as->userurb;
406 pid = as->pid;
407 uid = as->uid;
408 euid = as->euid;
409 secid = as->secid;
410 }
411 snoop(&urb->dev->dev, "urb complete\n");
412 snoop_urb(urb->dev, as->userurb, urb->pipe, urb->actual_length,
413 as->status, COMPLETE);
414 if (as->status < 0 && as->bulk_addr && as->status != -ECONNRESET &&
415 as->status != -ENOENT)
416 cancel_bulk_urbs(ps, as->bulk_addr);
417 spin_unlock(&ps->lock);
418
419 if (signr)
420 kill_pid_info_as_uid(sinfo.si_signo, &sinfo, pid, uid,
421 euid, secid);
422
423 wake_up(&ps->wait);
424}
425
426static void destroy_async(struct dev_state *ps, struct list_head *list)
427{
428 struct async *as;
429 unsigned long flags;
430
431 spin_lock_irqsave(&ps->lock, flags);
432 while (!list_empty(list)) {
433 as = list_entry(list->next, struct async, asynclist);
434 list_del_init(&as->asynclist);
435
436
437 spin_unlock_irqrestore(&ps->lock, flags);
438 usb_kill_urb(as->urb);
439 spin_lock_irqsave(&ps->lock, flags);
440 }
441 spin_unlock_irqrestore(&ps->lock, flags);
442}
443
444static void destroy_async_on_interface(struct dev_state *ps,
445 unsigned int ifnum)
446{
447 struct list_head *p, *q, hitlist;
448 unsigned long flags;
449
450 INIT_LIST_HEAD(&hitlist);
451 spin_lock_irqsave(&ps->lock, flags);
452 list_for_each_safe(p, q, &ps->async_pending)
453 if (ifnum == list_entry(p, struct async, asynclist)->ifnum)
454 list_move_tail(p, &hitlist);
455 spin_unlock_irqrestore(&ps->lock, flags);
456 destroy_async(ps, &hitlist);
457}
458
459static void destroy_all_async(struct dev_state *ps)
460{
461 destroy_async(ps, &ps->async_pending);
462}
463
464
465
466
467
468
469
470static int driver_probe(struct usb_interface *intf,
471 const struct usb_device_id *id)
472{
473 return -ENODEV;
474}
475
476static void driver_disconnect(struct usb_interface *intf)
477{
478 struct dev_state *ps = usb_get_intfdata(intf);
479 unsigned int ifnum = intf->altsetting->desc.bInterfaceNumber;
480
481 if (!ps)
482 return;
483
484
485
486
487
488 if (likely(ifnum < 8*sizeof(ps->ifclaimed)))
489 clear_bit(ifnum, &ps->ifclaimed);
490 else
491 dev_warn(&intf->dev, "interface number %u out of range\n",
492 ifnum);
493
494 usb_set_intfdata(intf, NULL);
495
496
497 destroy_async_on_interface(ps, ifnum);
498}
499
500
501
502
503static int driver_suspend(struct usb_interface *intf, pm_message_t msg)
504{
505 return 0;
506}
507
508static int driver_resume(struct usb_interface *intf)
509{
510 return 0;
511}
512
513struct usb_driver usbfs_driver = {
514 .name = "usbfs",
515 .probe = driver_probe,
516 .disconnect = driver_disconnect,
517 .suspend = driver_suspend,
518 .resume = driver_resume,
519};
520
521static int claimintf(struct dev_state *ps, unsigned int ifnum)
522{
523 struct usb_device *dev = ps->dev;
524 struct usb_interface *intf;
525 int err;
526
527 if (ifnum >= 8*sizeof(ps->ifclaimed))
528 return -EINVAL;
529
530 if (test_bit(ifnum, &ps->ifclaimed))
531 return 0;
532
533 intf = usb_ifnum_to_if(dev, ifnum);
534 if (!intf)
535 err = -ENOENT;
536 else
537 err = usb_driver_claim_interface(&usbfs_driver, intf, ps);
538 if (err == 0)
539 set_bit(ifnum, &ps->ifclaimed);
540 return err;
541}
542
543static int releaseintf(struct dev_state *ps, unsigned int ifnum)
544{
545 struct usb_device *dev;
546 struct usb_interface *intf;
547 int err;
548
549 err = -EINVAL;
550 if (ifnum >= 8*sizeof(ps->ifclaimed))
551 return err;
552 dev = ps->dev;
553 intf = usb_ifnum_to_if(dev, ifnum);
554 if (!intf)
555 err = -ENOENT;
556 else if (test_and_clear_bit(ifnum, &ps->ifclaimed)) {
557 usb_driver_release_interface(&usbfs_driver, intf);
558 err = 0;
559 }
560 return err;
561}
562
563static int checkintf(struct dev_state *ps, unsigned int ifnum)
564{
565 if (ps->dev->state != USB_STATE_CONFIGURED)
566 return -EHOSTUNREACH;
567 if (ifnum >= 8*sizeof(ps->ifclaimed))
568 return -EINVAL;
569 if (test_bit(ifnum, &ps->ifclaimed))
570 return 0;
571
572 dev_warn(&ps->dev->dev, "usbfs: process %d (%s) did not claim "
573 "interface %u before use\n", task_pid_nr(current),
574 current->comm, ifnum);
575 return claimintf(ps, ifnum);
576}
577
578static int findintfep(struct usb_device *dev, unsigned int ep)
579{
580 unsigned int i, j, e;
581 struct usb_interface *intf;
582 struct usb_host_interface *alts;
583 struct usb_endpoint_descriptor *endpt;
584
585 if (ep & ~(USB_DIR_IN|0xf))
586 return -EINVAL;
587 if (!dev->actconfig)
588 return -ESRCH;
589 for (i = 0; i < dev->actconfig->desc.bNumInterfaces; i++) {
590 intf = dev->actconfig->interface[i];
591 for (j = 0; j < intf->num_altsetting; j++) {
592 alts = &intf->altsetting[j];
593 for (e = 0; e < alts->desc.bNumEndpoints; e++) {
594 endpt = &alts->endpoint[e].desc;
595 if (endpt->bEndpointAddress == ep)
596 return alts->desc.bInterfaceNumber;
597 }
598 }
599 }
600 return -ENOENT;
601}
602
603static int check_ctrlrecip(struct dev_state *ps, unsigned int requesttype,
604 unsigned int index)
605{
606 int ret = 0;
607
608 if (ps->dev->state != USB_STATE_UNAUTHENTICATED
609 && ps->dev->state != USB_STATE_ADDRESS
610 && ps->dev->state != USB_STATE_CONFIGURED)
611 return -EHOSTUNREACH;
612 if (USB_TYPE_VENDOR == (USB_TYPE_MASK & requesttype))
613 return 0;
614
615 index &= 0xff;
616 switch (requesttype & USB_RECIP_MASK) {
617 case USB_RECIP_ENDPOINT:
618 ret = findintfep(ps->dev, index);
619 if (ret >= 0)
620 ret = checkintf(ps, ret);
621 break;
622
623 case USB_RECIP_INTERFACE:
624 ret = checkintf(ps, index);
625 break;
626 }
627 return ret;
628}
629
630static int match_devt(struct device *dev, void *data)
631{
632 return dev->devt == (dev_t) (unsigned long) data;
633}
634
635static struct usb_device *usbdev_lookup_by_devt(dev_t devt)
636{
637 struct device *dev;
638
639 dev = bus_find_device(&usb_bus_type, NULL,
640 (void *) (unsigned long) devt, match_devt);
641 if (!dev)
642 return NULL;
643 return container_of(dev, struct usb_device, dev);
644}
645
646
647
648
649static int usbdev_open(struct inode *inode, struct file *file)
650{
651 struct usb_device *dev = NULL;
652 struct dev_state *ps;
653 const struct cred *cred = current_cred();
654 int ret;
655
656 lock_kernel();
657
658 mutex_lock(&usbfs_mutex);
659
660 ret = -ENOMEM;
661 ps = kmalloc(sizeof(struct dev_state), GFP_KERNEL);
662 if (!ps)
663 goto out;
664
665 ret = -ENODEV;
666
667
668 if (imajor(inode) == USB_DEVICE_MAJOR)
669 dev = usbdev_lookup_by_devt(inode->i_rdev);
670#ifdef CONFIG_USB_DEVICEFS
671
672 if (!dev) {
673 dev = inode->i_private;
674 if (dev && dev->usbfs_dentry &&
675 dev->usbfs_dentry->d_inode == inode)
676 usb_get_dev(dev);
677 else
678 dev = NULL;
679 }
680#endif
681 if (!dev || dev->state == USB_STATE_NOTATTACHED)
682 goto out;
683 ret = usb_autoresume_device(dev);
684 if (ret)
685 goto out;
686
687 ret = 0;
688 ps->dev = dev;
689 ps->file = file;
690 spin_lock_init(&ps->lock);
691 INIT_LIST_HEAD(&ps->list);
692 INIT_LIST_HEAD(&ps->async_pending);
693 INIT_LIST_HEAD(&ps->async_completed);
694 init_waitqueue_head(&ps->wait);
695 ps->discsignr = 0;
696 ps->disc_pid = get_pid(task_pid(current));
697 ps->disc_uid = cred->uid;
698 ps->disc_euid = cred->euid;
699 ps->disccontext = NULL;
700 ps->ifclaimed = 0;
701 security_task_getsecid(current, &ps->secid);
702 smp_wmb();
703 list_add_tail(&ps->list, &dev->filelist);
704 file->private_data = ps;
705 snoop(&dev->dev, "opened by process %d: %s\n", task_pid_nr(current),
706 current->comm);
707 out:
708 if (ret) {
709 kfree(ps);
710 usb_put_dev(dev);
711 }
712 mutex_unlock(&usbfs_mutex);
713 unlock_kernel();
714 return ret;
715}
716
717static int usbdev_release(struct inode *inode, struct file *file)
718{
719 struct dev_state *ps = file->private_data;
720 struct usb_device *dev = ps->dev;
721 unsigned int ifnum;
722 struct async *as;
723
724 usb_lock_device(dev);
725 usb_hub_release_all_ports(dev, ps);
726
727
728 mutex_lock(&usbfs_mutex);
729 list_del_init(&ps->list);
730 mutex_unlock(&usbfs_mutex);
731
732 for (ifnum = 0; ps->ifclaimed && ifnum < 8*sizeof(ps->ifclaimed);
733 ifnum++) {
734 if (test_bit(ifnum, &ps->ifclaimed))
735 releaseintf(ps, ifnum);
736 }
737 destroy_all_async(ps);
738 usb_autosuspend_device(dev);
739 usb_unlock_device(dev);
740 usb_put_dev(dev);
741 put_pid(ps->disc_pid);
742
743 as = async_getcompleted(ps);
744 while (as) {
745 free_async(as);
746 as = async_getcompleted(ps);
747 }
748 kfree(ps);
749 return 0;
750}
751
752static int proc_control(struct dev_state *ps, void __user *arg)
753{
754 struct usb_device *dev = ps->dev;
755 struct usbdevfs_ctrltransfer ctrl;
756 unsigned int tmo;
757 unsigned char *tbuf;
758 unsigned wLength;
759 int i, pipe, ret;
760
761 if (copy_from_user(&ctrl, arg, sizeof(ctrl)))
762 return -EFAULT;
763 ret = check_ctrlrecip(ps, ctrl.bRequestType, ctrl.wIndex);
764 if (ret)
765 return ret;
766 wLength = ctrl.wLength;
767 if (wLength > PAGE_SIZE)
768 return -EINVAL;
769 tbuf = (unsigned char *)__get_free_page(GFP_KERNEL);
770 if (!tbuf)
771 return -ENOMEM;
772 tmo = ctrl.timeout;
773 if (ctrl.bRequestType & 0x80) {
774 if (ctrl.wLength && !access_ok(VERIFY_WRITE, ctrl.data,
775 ctrl.wLength)) {
776 free_page((unsigned long)tbuf);
777 return -EINVAL;
778 }
779 pipe = usb_rcvctrlpipe(dev, 0);
780 snoop_urb(dev, NULL, pipe, ctrl.wLength, tmo, SUBMIT);
781
782 usb_unlock_device(dev);
783 i = usb_control_msg(dev, pipe, ctrl.bRequest,
784 ctrl.bRequestType, ctrl.wValue, ctrl.wIndex,
785 tbuf, ctrl.wLength, tmo);
786 usb_lock_device(dev);
787 snoop_urb(dev, NULL, pipe, max(i, 0), min(i, 0), COMPLETE);
788
789 if ((i > 0) && ctrl.wLength) {
790 if (copy_to_user(ctrl.data, tbuf, i)) {
791 free_page((unsigned long)tbuf);
792 return -EFAULT;
793 }
794 }
795 } else {
796 if (ctrl.wLength) {
797 if (copy_from_user(tbuf, ctrl.data, ctrl.wLength)) {
798 free_page((unsigned long)tbuf);
799 return -EFAULT;
800 }
801 }
802 pipe = usb_sndctrlpipe(dev, 0);
803 snoop_urb(dev, NULL, pipe, ctrl.wLength, tmo, SUBMIT);
804
805 usb_unlock_device(dev);
806 i = usb_control_msg(dev, usb_sndctrlpipe(dev, 0), ctrl.bRequest,
807 ctrl.bRequestType, ctrl.wValue, ctrl.wIndex,
808 tbuf, ctrl.wLength, tmo);
809 usb_lock_device(dev);
810 snoop_urb(dev, NULL, pipe, max(i, 0), min(i, 0), COMPLETE);
811 }
812 free_page((unsigned long)tbuf);
813 if (i < 0 && i != -EPIPE) {
814 dev_printk(KERN_DEBUG, &dev->dev, "usbfs: USBDEVFS_CONTROL "
815 "failed cmd %s rqt %u rq %u len %u ret %d\n",
816 current->comm, ctrl.bRequestType, ctrl.bRequest,
817 ctrl.wLength, i);
818 }
819 return i;
820}
821
822static int proc_bulk(struct dev_state *ps, void __user *arg)
823{
824 struct usb_device *dev = ps->dev;
825 struct usbdevfs_bulktransfer bulk;
826 unsigned int tmo, len1, pipe;
827 int len2;
828 unsigned char *tbuf;
829 int i, ret;
830
831 if (copy_from_user(&bulk, arg, sizeof(bulk)))
832 return -EFAULT;
833 ret = findintfep(ps->dev, bulk.ep);
834 if (ret < 0)
835 return ret;
836 ret = checkintf(ps, ret);
837 if (ret)
838 return ret;
839 if (bulk.ep & USB_DIR_IN)
840 pipe = usb_rcvbulkpipe(dev, bulk.ep & 0x7f);
841 else
842 pipe = usb_sndbulkpipe(dev, bulk.ep & 0x7f);
843 if (!usb_maxpacket(dev, pipe, !(bulk.ep & USB_DIR_IN)))
844 return -EINVAL;
845 len1 = bulk.len;
846 if (len1 > MAX_USBFS_BUFFER_SIZE)
847 return -EINVAL;
848 if (!(tbuf = kmalloc(len1, GFP_KERNEL)))
849 return -ENOMEM;
850 tmo = bulk.timeout;
851 if (bulk.ep & 0x80) {
852 if (len1 && !access_ok(VERIFY_WRITE, bulk.data, len1)) {
853 kfree(tbuf);
854 return -EINVAL;
855 }
856 snoop_urb(dev, NULL, pipe, len1, tmo, SUBMIT);
857
858 usb_unlock_device(dev);
859 i = usb_bulk_msg(dev, pipe, tbuf, len1, &len2, tmo);
860 usb_lock_device(dev);
861 snoop_urb(dev, NULL, pipe, len2, i, COMPLETE);
862
863 if (!i && len2) {
864 if (copy_to_user(bulk.data, tbuf, len2)) {
865 kfree(tbuf);
866 return -EFAULT;
867 }
868 }
869 } else {
870 if (len1) {
871 if (copy_from_user(tbuf, bulk.data, len1)) {
872 kfree(tbuf);
873 return -EFAULT;
874 }
875 }
876 snoop_urb(dev, NULL, pipe, len1, tmo, SUBMIT);
877
878 usb_unlock_device(dev);
879 i = usb_bulk_msg(dev, pipe, tbuf, len1, &len2, tmo);
880 usb_lock_device(dev);
881 snoop_urb(dev, NULL, pipe, len2, i, COMPLETE);
882 }
883 kfree(tbuf);
884 if (i < 0)
885 return i;
886 return len2;
887}
888
889static int proc_resetep(struct dev_state *ps, void __user *arg)
890{
891 unsigned int ep;
892 int ret;
893
894 if (get_user(ep, (unsigned int __user *)arg))
895 return -EFAULT;
896 ret = findintfep(ps->dev, ep);
897 if (ret < 0)
898 return ret;
899 ret = checkintf(ps, ret);
900 if (ret)
901 return ret;
902 usb_reset_endpoint(ps->dev, ep);
903 return 0;
904}
905
906static int proc_clearhalt(struct dev_state *ps, void __user *arg)
907{
908 unsigned int ep;
909 int pipe;
910 int ret;
911
912 if (get_user(ep, (unsigned int __user *)arg))
913 return -EFAULT;
914 ret = findintfep(ps->dev, ep);
915 if (ret < 0)
916 return ret;
917 ret = checkintf(ps, ret);
918 if (ret)
919 return ret;
920 if (ep & USB_DIR_IN)
921 pipe = usb_rcvbulkpipe(ps->dev, ep & 0x7f);
922 else
923 pipe = usb_sndbulkpipe(ps->dev, ep & 0x7f);
924
925 return usb_clear_halt(ps->dev, pipe);
926}
927
928static int proc_getdriver(struct dev_state *ps, void __user *arg)
929{
930 struct usbdevfs_getdriver gd;
931 struct usb_interface *intf;
932 int ret;
933
934 if (copy_from_user(&gd, arg, sizeof(gd)))
935 return -EFAULT;
936 intf = usb_ifnum_to_if(ps->dev, gd.interface);
937 if (!intf || !intf->dev.driver)
938 ret = -ENODATA;
939 else {
940 strncpy(gd.driver, intf->dev.driver->name,
941 sizeof(gd.driver));
942 ret = (copy_to_user(arg, &gd, sizeof(gd)) ? -EFAULT : 0);
943 }
944 return ret;
945}
946
947static int proc_connectinfo(struct dev_state *ps, void __user *arg)
948{
949 struct usbdevfs_connectinfo ci;
950
951 ci.devnum = ps->dev->devnum;
952 ci.slow = ps->dev->speed == USB_SPEED_LOW;
953 if (copy_to_user(arg, &ci, sizeof(ci)))
954 return -EFAULT;
955 return 0;
956}
957
958static int proc_resetdevice(struct dev_state *ps)
959{
960 return usb_reset_device(ps->dev);
961}
962
963static int proc_setintf(struct dev_state *ps, void __user *arg)
964{
965 struct usbdevfs_setinterface setintf;
966 int ret;
967
968 if (copy_from_user(&setintf, arg, sizeof(setintf)))
969 return -EFAULT;
970 if ((ret = checkintf(ps, setintf.interface)))
971 return ret;
972 return usb_set_interface(ps->dev, setintf.interface,
973 setintf.altsetting);
974}
975
976static int proc_setconfig(struct dev_state *ps, void __user *arg)
977{
978 int u;
979 int status = 0;
980 struct usb_host_config *actconfig;
981
982 if (get_user(u, (int __user *)arg))
983 return -EFAULT;
984
985 actconfig = ps->dev->actconfig;
986
987
988
989
990
991 if (actconfig) {
992 int i;
993
994 for (i = 0; i < actconfig->desc.bNumInterfaces; ++i) {
995 if (usb_interface_claimed(actconfig->interface[i])) {
996 dev_warn(&ps->dev->dev,
997 "usbfs: interface %d claimed by %s "
998 "while '%s' sets config #%d\n",
999 actconfig->interface[i]
1000 ->cur_altsetting
1001 ->desc.bInterfaceNumber,
1002 actconfig->interface[i]
1003 ->dev.driver->name,
1004 current->comm, u);
1005 status = -EBUSY;
1006 break;
1007 }
1008 }
1009 }
1010
1011
1012
1013
1014 if (status == 0) {
1015 if (actconfig && actconfig->desc.bConfigurationValue == u)
1016 status = usb_reset_configuration(ps->dev);
1017 else
1018 status = usb_set_configuration(ps->dev, u);
1019 }
1020
1021 return status;
1022}
1023
1024static int proc_do_submiturb(struct dev_state *ps, struct usbdevfs_urb *uurb,
1025 struct usbdevfs_iso_packet_desc __user *iso_frame_desc,
1026 void __user *arg)
1027{
1028 struct usbdevfs_iso_packet_desc *isopkt = NULL;
1029 struct usb_host_endpoint *ep;
1030 struct async *as;
1031 struct usb_ctrlrequest *dr = NULL;
1032 const struct cred *cred = current_cred();
1033 unsigned int u, totlen, isofrmlen;
1034 int ret, ifnum = -1;
1035 int is_in;
1036
1037 if (uurb->flags & ~(USBDEVFS_URB_ISO_ASAP |
1038 USBDEVFS_URB_SHORT_NOT_OK |
1039 USBDEVFS_URB_BULK_CONTINUATION |
1040 USBDEVFS_URB_NO_FSBR |
1041 USBDEVFS_URB_ZERO_PACKET |
1042 USBDEVFS_URB_NO_INTERRUPT))
1043 return -EINVAL;
1044 if (uurb->buffer_length > 0 && !uurb->buffer)
1045 return -EINVAL;
1046 if (!(uurb->type == USBDEVFS_URB_TYPE_CONTROL &&
1047 (uurb->endpoint & ~USB_ENDPOINT_DIR_MASK) == 0)) {
1048 ifnum = findintfep(ps->dev, uurb->endpoint);
1049 if (ifnum < 0)
1050 return ifnum;
1051 ret = checkintf(ps, ifnum);
1052 if (ret)
1053 return ret;
1054 }
1055 if ((uurb->endpoint & USB_ENDPOINT_DIR_MASK) != 0) {
1056 is_in = 1;
1057 ep = ps->dev->ep_in[uurb->endpoint & USB_ENDPOINT_NUMBER_MASK];
1058 } else {
1059 is_in = 0;
1060 ep = ps->dev->ep_out[uurb->endpoint & USB_ENDPOINT_NUMBER_MASK];
1061 }
1062 if (!ep)
1063 return -ENOENT;
1064 switch(uurb->type) {
1065 case USBDEVFS_URB_TYPE_CONTROL:
1066 if (!usb_endpoint_xfer_control(&ep->desc))
1067 return -EINVAL;
1068
1069
1070 if (uurb->buffer_length < 8 ||
1071 uurb->buffer_length > (8 + MAX_USBFS_BUFFER_SIZE))
1072 return -EINVAL;
1073 dr = kmalloc(sizeof(struct usb_ctrlrequest), GFP_KERNEL);
1074 if (!dr)
1075 return -ENOMEM;
1076 if (copy_from_user(dr, uurb->buffer, 8)) {
1077 kfree(dr);
1078 return -EFAULT;
1079 }
1080 if (uurb->buffer_length < (le16_to_cpup(&dr->wLength) + 8)) {
1081 kfree(dr);
1082 return -EINVAL;
1083 }
1084 ret = check_ctrlrecip(ps, dr->bRequestType,
1085 le16_to_cpup(&dr->wIndex));
1086 if (ret) {
1087 kfree(dr);
1088 return ret;
1089 }
1090 uurb->number_of_packets = 0;
1091 uurb->buffer_length = le16_to_cpup(&dr->wLength);
1092 uurb->buffer += 8;
1093 if ((dr->bRequestType & USB_DIR_IN) && uurb->buffer_length) {
1094 is_in = 1;
1095 uurb->endpoint |= USB_DIR_IN;
1096 } else {
1097 is_in = 0;
1098 uurb->endpoint &= ~USB_DIR_IN;
1099 }
1100 break;
1101
1102 case USBDEVFS_URB_TYPE_BULK:
1103 switch (usb_endpoint_type(&ep->desc)) {
1104 case USB_ENDPOINT_XFER_CONTROL:
1105 case USB_ENDPOINT_XFER_ISOC:
1106 return -EINVAL;
1107
1108 }
1109 uurb->number_of_packets = 0;
1110 if (uurb->buffer_length > MAX_USBFS_BUFFER_SIZE)
1111 return -EINVAL;
1112 break;
1113
1114 case USBDEVFS_URB_TYPE_ISO:
1115
1116 if (uurb->number_of_packets < 1 ||
1117 uurb->number_of_packets > 128)
1118 return -EINVAL;
1119 if (!usb_endpoint_xfer_isoc(&ep->desc))
1120 return -EINVAL;
1121 isofrmlen = sizeof(struct usbdevfs_iso_packet_desc) *
1122 uurb->number_of_packets;
1123 if (!(isopkt = kmalloc(isofrmlen, GFP_KERNEL)))
1124 return -ENOMEM;
1125 if (copy_from_user(isopkt, iso_frame_desc, isofrmlen)) {
1126 kfree(isopkt);
1127 return -EFAULT;
1128 }
1129 for (totlen = u = 0; u < uurb->number_of_packets; u++) {
1130
1131
1132 if (isopkt[u].length > 8192) {
1133 kfree(isopkt);
1134 return -EINVAL;
1135 }
1136 totlen += isopkt[u].length;
1137 }
1138
1139 if (totlen > 196608) {
1140 kfree(isopkt);
1141 return -EINVAL;
1142 }
1143 uurb->buffer_length = totlen;
1144 break;
1145
1146 case USBDEVFS_URB_TYPE_INTERRUPT:
1147 uurb->number_of_packets = 0;
1148 if (!usb_endpoint_xfer_int(&ep->desc))
1149 return -EINVAL;
1150 if (uurb->buffer_length > MAX_USBFS_BUFFER_SIZE)
1151 return -EINVAL;
1152 break;
1153
1154 default:
1155 return -EINVAL;
1156 }
1157 if (uurb->buffer_length > 0 &&
1158 !access_ok(is_in ? VERIFY_WRITE : VERIFY_READ,
1159 uurb->buffer, uurb->buffer_length)) {
1160 kfree(isopkt);
1161 kfree(dr);
1162 return -EFAULT;
1163 }
1164 as = alloc_async(uurb->number_of_packets);
1165 if (!as) {
1166 kfree(isopkt);
1167 kfree(dr);
1168 return -ENOMEM;
1169 }
1170 if (uurb->buffer_length > 0) {
1171 as->urb->transfer_buffer = kmalloc(uurb->buffer_length,
1172 GFP_KERNEL);
1173 if (!as->urb->transfer_buffer) {
1174 kfree(isopkt);
1175 kfree(dr);
1176 free_async(as);
1177 return -ENOMEM;
1178 }
1179 }
1180 as->urb->dev = ps->dev;
1181 as->urb->pipe = (uurb->type << 30) |
1182 __create_pipe(ps->dev, uurb->endpoint & 0xf) |
1183 (uurb->endpoint & USB_DIR_IN);
1184
1185
1186
1187
1188
1189 u = (is_in ? URB_DIR_IN : URB_DIR_OUT);
1190 if (uurb->flags & USBDEVFS_URB_ISO_ASAP)
1191 u |= URB_ISO_ASAP;
1192 if (uurb->flags & USBDEVFS_URB_SHORT_NOT_OK)
1193 u |= URB_SHORT_NOT_OK;
1194 if (uurb->flags & USBDEVFS_URB_NO_FSBR)
1195 u |= URB_NO_FSBR;
1196 if (uurb->flags & USBDEVFS_URB_ZERO_PACKET)
1197 u |= URB_ZERO_PACKET;
1198 if (uurb->flags & USBDEVFS_URB_NO_INTERRUPT)
1199 u |= URB_NO_INTERRUPT;
1200 as->urb->transfer_flags = u;
1201
1202 as->urb->transfer_buffer_length = uurb->buffer_length;
1203 as->urb->setup_packet = (unsigned char *)dr;
1204 as->urb->start_frame = uurb->start_frame;
1205 as->urb->number_of_packets = uurb->number_of_packets;
1206 if (uurb->type == USBDEVFS_URB_TYPE_ISO ||
1207 ps->dev->speed == USB_SPEED_HIGH)
1208 as->urb->interval = 1 << min(15, ep->desc.bInterval - 1);
1209 else
1210 as->urb->interval = ep->desc.bInterval;
1211 as->urb->context = as;
1212 as->urb->complete = async_completed;
1213 for (totlen = u = 0; u < uurb->number_of_packets; u++) {
1214 as->urb->iso_frame_desc[u].offset = totlen;
1215 as->urb->iso_frame_desc[u].length = isopkt[u].length;
1216 totlen += isopkt[u].length;
1217 }
1218 kfree(isopkt);
1219 as->ps = ps;
1220 as->userurb = arg;
1221 if (is_in && uurb->buffer_length > 0)
1222 as->userbuffer = uurb->buffer;
1223 else
1224 as->userbuffer = NULL;
1225 as->signr = uurb->signr;
1226 as->ifnum = ifnum;
1227 as->pid = get_pid(task_pid(current));
1228 as->uid = cred->uid;
1229 as->euid = cred->euid;
1230 security_task_getsecid(current, &as->secid);
1231 if (!is_in && uurb->buffer_length > 0) {
1232 if (copy_from_user(as->urb->transfer_buffer, uurb->buffer,
1233 uurb->buffer_length)) {
1234 free_async(as);
1235 return -EFAULT;
1236 }
1237 }
1238 snoop_urb(ps->dev, as->userurb, as->urb->pipe,
1239 as->urb->transfer_buffer_length, 0, SUBMIT);
1240 async_newpending(as);
1241
1242 if (usb_endpoint_xfer_bulk(&ep->desc)) {
1243 spin_lock_irq(&ps->lock);
1244
1245
1246
1247
1248
1249 as->bulk_addr = usb_endpoint_num(&ep->desc) |
1250 ((ep->desc.bEndpointAddress & USB_ENDPOINT_DIR_MASK)
1251 >> 3);
1252
1253
1254
1255
1256 if (uurb->flags & USBDEVFS_URB_BULK_CONTINUATION)
1257 as->bulk_status = AS_CONTINUATION;
1258 else
1259 ps->disabled_bulk_eps &= ~(1 << as->bulk_addr);
1260
1261
1262
1263
1264 if (ps->disabled_bulk_eps & (1 << as->bulk_addr))
1265 ret = -EREMOTEIO;
1266 else
1267 ret = usb_submit_urb(as->urb, GFP_ATOMIC);
1268 spin_unlock_irq(&ps->lock);
1269 } else {
1270 ret = usb_submit_urb(as->urb, GFP_KERNEL);
1271 }
1272
1273 if (ret) {
1274 dev_printk(KERN_DEBUG, &ps->dev->dev,
1275 "usbfs: usb_submit_urb returned %d\n", ret);
1276 snoop_urb(ps->dev, as->userurb, as->urb->pipe,
1277 0, ret, COMPLETE);
1278 async_removepending(as);
1279 free_async(as);
1280 return ret;
1281 }
1282 return 0;
1283}
1284
1285static int proc_submiturb(struct dev_state *ps, void __user *arg)
1286{
1287 struct usbdevfs_urb uurb;
1288
1289 if (copy_from_user(&uurb, arg, sizeof(uurb)))
1290 return -EFAULT;
1291
1292 return proc_do_submiturb(ps, &uurb,
1293 (((struct usbdevfs_urb __user *)arg)->iso_frame_desc),
1294 arg);
1295}
1296
1297static int proc_unlinkurb(struct dev_state *ps, void __user *arg)
1298{
1299 struct async *as;
1300
1301 as = async_getpending(ps, arg);
1302 if (!as)
1303 return -EINVAL;
1304 usb_kill_urb(as->urb);
1305 return 0;
1306}
1307
1308static int processcompl(struct async *as, void __user * __user *arg)
1309{
1310 struct urb *urb = as->urb;
1311 struct usbdevfs_urb __user *userurb = as->userurb;
1312 void __user *addr = as->userurb;
1313 unsigned int i;
1314
1315 if (as->userbuffer)
1316 if (copy_to_user(as->userbuffer, urb->transfer_buffer,
1317 urb->transfer_buffer_length))
1318 goto err_out;
1319 if (put_user(as->status, &userurb->status))
1320 goto err_out;
1321 if (put_user(urb->actual_length, &userurb->actual_length))
1322 goto err_out;
1323 if (put_user(urb->error_count, &userurb->error_count))
1324 goto err_out;
1325
1326 if (usb_endpoint_xfer_isoc(&urb->ep->desc)) {
1327 for (i = 0; i < urb->number_of_packets; i++) {
1328 if (put_user(urb->iso_frame_desc[i].actual_length,
1329 &userurb->iso_frame_desc[i].actual_length))
1330 goto err_out;
1331 if (put_user(urb->iso_frame_desc[i].status,
1332 &userurb->iso_frame_desc[i].status))
1333 goto err_out;
1334 }
1335 }
1336
1337 free_async(as);
1338
1339 if (put_user(addr, (void __user * __user *)arg))
1340 return -EFAULT;
1341 return 0;
1342
1343err_out:
1344 free_async(as);
1345 return -EFAULT;
1346}
1347
1348static struct async *reap_as(struct dev_state *ps)
1349{
1350 DECLARE_WAITQUEUE(wait, current);
1351 struct async *as = NULL;
1352 struct usb_device *dev = ps->dev;
1353
1354 add_wait_queue(&ps->wait, &wait);
1355 for (;;) {
1356 __set_current_state(TASK_INTERRUPTIBLE);
1357 as = async_getcompleted(ps);
1358 if (as)
1359 break;
1360 if (signal_pending(current))
1361 break;
1362 usb_unlock_device(dev);
1363 schedule();
1364 usb_lock_device(dev);
1365 }
1366 remove_wait_queue(&ps->wait, &wait);
1367 set_current_state(TASK_RUNNING);
1368 return as;
1369}
1370
1371static int proc_reapurb(struct dev_state *ps, void __user *arg)
1372{
1373 struct async *as = reap_as(ps);
1374 if (as)
1375 return processcompl(as, (void __user * __user *)arg);
1376 if (signal_pending(current))
1377 return -EINTR;
1378 return -EIO;
1379}
1380
1381static int proc_reapurbnonblock(struct dev_state *ps, void __user *arg)
1382{
1383 struct async *as;
1384
1385 if (!(as = async_getcompleted(ps)))
1386 return -EAGAIN;
1387 return processcompl(as, (void __user * __user *)arg);
1388}
1389
1390#ifdef CONFIG_COMPAT
1391
1392static int get_urb32(struct usbdevfs_urb *kurb,
1393 struct usbdevfs_urb32 __user *uurb)
1394{
1395 __u32 uptr;
1396 if (!access_ok(VERIFY_READ, uurb, sizeof(*uurb)) ||
1397 __get_user(kurb->type, &uurb->type) ||
1398 __get_user(kurb->endpoint, &uurb->endpoint) ||
1399 __get_user(kurb->status, &uurb->status) ||
1400 __get_user(kurb->flags, &uurb->flags) ||
1401 __get_user(kurb->buffer_length, &uurb->buffer_length) ||
1402 __get_user(kurb->actual_length, &uurb->actual_length) ||
1403 __get_user(kurb->start_frame, &uurb->start_frame) ||
1404 __get_user(kurb->number_of_packets, &uurb->number_of_packets) ||
1405 __get_user(kurb->error_count, &uurb->error_count) ||
1406 __get_user(kurb->signr, &uurb->signr))
1407 return -EFAULT;
1408
1409 if (__get_user(uptr, &uurb->buffer))
1410 return -EFAULT;
1411 kurb->buffer = compat_ptr(uptr);
1412 if (__get_user(uptr, &uurb->usercontext))
1413 return -EFAULT;
1414 kurb->usercontext = compat_ptr(uptr);
1415
1416 return 0;
1417}
1418
1419static int proc_submiturb_compat(struct dev_state *ps, void __user *arg)
1420{
1421 struct usbdevfs_urb uurb;
1422
1423 if (get_urb32(&uurb, (struct usbdevfs_urb32 __user *)arg))
1424 return -EFAULT;
1425
1426 return proc_do_submiturb(ps, &uurb,
1427 ((struct usbdevfs_urb32 __user *)arg)->iso_frame_desc,
1428 arg);
1429}
1430
1431static int processcompl_compat(struct async *as, void __user * __user *arg)
1432{
1433 struct urb *urb = as->urb;
1434 struct usbdevfs_urb32 __user *userurb = as->userurb;
1435 void __user *addr = as->userurb;
1436 unsigned int i;
1437
1438 if (as->userbuffer)
1439 if (copy_to_user(as->userbuffer, urb->transfer_buffer,
1440 urb->transfer_buffer_length))
1441 return -EFAULT;
1442 if (put_user(as->status, &userurb->status))
1443 return -EFAULT;
1444 if (put_user(urb->actual_length, &userurb->actual_length))
1445 return -EFAULT;
1446 if (put_user(urb->error_count, &userurb->error_count))
1447 return -EFAULT;
1448
1449 if (usb_endpoint_xfer_isoc(&urb->ep->desc)) {
1450 for (i = 0; i < urb->number_of_packets; i++) {
1451 if (put_user(urb->iso_frame_desc[i].actual_length,
1452 &userurb->iso_frame_desc[i].actual_length))
1453 return -EFAULT;
1454 if (put_user(urb->iso_frame_desc[i].status,
1455 &userurb->iso_frame_desc[i].status))
1456 return -EFAULT;
1457 }
1458 }
1459
1460 free_async(as);
1461 if (put_user(ptr_to_compat(addr), (u32 __user *)arg))
1462 return -EFAULT;
1463 return 0;
1464}
1465
1466static int proc_reapurb_compat(struct dev_state *ps, void __user *arg)
1467{
1468 struct async *as = reap_as(ps);
1469 if (as)
1470 return processcompl_compat(as, (void __user * __user *)arg);
1471 if (signal_pending(current))
1472 return -EINTR;
1473 return -EIO;
1474}
1475
1476static int proc_reapurbnonblock_compat(struct dev_state *ps, void __user *arg)
1477{
1478 struct async *as;
1479
1480 if (!(as = async_getcompleted(ps)))
1481 return -EAGAIN;
1482 return processcompl_compat(as, (void __user * __user *)arg);
1483}
1484
1485#endif
1486
1487static int proc_disconnectsignal(struct dev_state *ps, void __user *arg)
1488{
1489 struct usbdevfs_disconnectsignal ds;
1490
1491 if (copy_from_user(&ds, arg, sizeof(ds)))
1492 return -EFAULT;
1493 ps->discsignr = ds.signr;
1494 ps->disccontext = ds.context;
1495 return 0;
1496}
1497
1498static int proc_claiminterface(struct dev_state *ps, void __user *arg)
1499{
1500 unsigned int ifnum;
1501
1502 if (get_user(ifnum, (unsigned int __user *)arg))
1503 return -EFAULT;
1504 return claimintf(ps, ifnum);
1505}
1506
1507static int proc_releaseinterface(struct dev_state *ps, void __user *arg)
1508{
1509 unsigned int ifnum;
1510 int ret;
1511
1512 if (get_user(ifnum, (unsigned int __user *)arg))
1513 return -EFAULT;
1514 if ((ret = releaseintf(ps, ifnum)) < 0)
1515 return ret;
1516 destroy_async_on_interface (ps, ifnum);
1517 return 0;
1518}
1519
1520static int proc_ioctl(struct dev_state *ps, struct usbdevfs_ioctl *ctl)
1521{
1522 int size;
1523 void *buf = NULL;
1524 int retval = 0;
1525 struct usb_interface *intf = NULL;
1526 struct usb_driver *driver = NULL;
1527
1528
1529 if ((size = _IOC_SIZE(ctl->ioctl_code)) > 0) {
1530 if ((buf = kmalloc(size, GFP_KERNEL)) == NULL)
1531 return -ENOMEM;
1532 if ((_IOC_DIR(ctl->ioctl_code) & _IOC_WRITE)) {
1533 if (copy_from_user(buf, ctl->data, size)) {
1534 kfree(buf);
1535 return -EFAULT;
1536 }
1537 } else {
1538 memset(buf, 0, size);
1539 }
1540 }
1541
1542 if (!connected(ps)) {
1543 kfree(buf);
1544 return -ENODEV;
1545 }
1546
1547 if (ps->dev->state != USB_STATE_CONFIGURED)
1548 retval = -EHOSTUNREACH;
1549 else if (!(intf = usb_ifnum_to_if(ps->dev, ctl->ifno)))
1550 retval = -EINVAL;
1551 else switch (ctl->ioctl_code) {
1552
1553
1554 case USBDEVFS_DISCONNECT:
1555 if (intf->dev.driver) {
1556 driver = to_usb_driver(intf->dev.driver);
1557 dev_dbg(&intf->dev, "disconnect by usbfs\n");
1558 usb_driver_release_interface(driver, intf);
1559 } else
1560 retval = -ENODATA;
1561 break;
1562
1563
1564 case USBDEVFS_CONNECT:
1565 if (!intf->dev.driver)
1566 retval = device_attach(&intf->dev);
1567 else
1568 retval = -EBUSY;
1569 break;
1570
1571
1572 default:
1573 if (intf->dev.driver)
1574 driver = to_usb_driver(intf->dev.driver);
1575 if (driver == NULL || driver->ioctl == NULL) {
1576 retval = -ENOTTY;
1577 } else {
1578 retval = driver->ioctl(intf, ctl->ioctl_code, buf);
1579 if (retval == -ENOIOCTLCMD)
1580 retval = -ENOTTY;
1581 }
1582 }
1583
1584
1585 if (retval >= 0
1586 && (_IOC_DIR(ctl->ioctl_code) & _IOC_READ) != 0
1587 && size > 0
1588 && copy_to_user(ctl->data, buf, size) != 0)
1589 retval = -EFAULT;
1590
1591 kfree(buf);
1592 return retval;
1593}
1594
1595static int proc_ioctl_default(struct dev_state *ps, void __user *arg)
1596{
1597 struct usbdevfs_ioctl ctrl;
1598
1599 if (copy_from_user(&ctrl, arg, sizeof(ctrl)))
1600 return -EFAULT;
1601 return proc_ioctl(ps, &ctrl);
1602}
1603
1604#ifdef CONFIG_COMPAT
1605static int proc_ioctl_compat(struct dev_state *ps, compat_uptr_t arg)
1606{
1607 struct usbdevfs_ioctl32 __user *uioc;
1608 struct usbdevfs_ioctl ctrl;
1609 u32 udata;
1610
1611 uioc = compat_ptr((long)arg);
1612 if (!access_ok(VERIFY_READ, uioc, sizeof(*uioc)) ||
1613 __get_user(ctrl.ifno, &uioc->ifno) ||
1614 __get_user(ctrl.ioctl_code, &uioc->ioctl_code) ||
1615 __get_user(udata, &uioc->data))
1616 return -EFAULT;
1617 ctrl.data = compat_ptr(udata);
1618
1619 return proc_ioctl(ps, &ctrl);
1620}
1621#endif
1622
1623static int proc_claim_port(struct dev_state *ps, void __user *arg)
1624{
1625 unsigned portnum;
1626 int rc;
1627
1628 if (get_user(portnum, (unsigned __user *) arg))
1629 return -EFAULT;
1630 rc = usb_hub_claim_port(ps->dev, portnum, ps);
1631 if (rc == 0)
1632 snoop(&ps->dev->dev, "port %d claimed by process %d: %s\n",
1633 portnum, task_pid_nr(current), current->comm);
1634 return rc;
1635}
1636
1637static int proc_release_port(struct dev_state *ps, void __user *arg)
1638{
1639 unsigned portnum;
1640
1641 if (get_user(portnum, (unsigned __user *) arg))
1642 return -EFAULT;
1643 return usb_hub_release_port(ps->dev, portnum, ps);
1644}
1645
1646
1647
1648
1649
1650
1651static int usbdev_ioctl(struct inode *inode, struct file *file,
1652 unsigned int cmd, unsigned long arg)
1653{
1654 struct dev_state *ps = file->private_data;
1655 struct usb_device *dev = ps->dev;
1656 void __user *p = (void __user *)arg;
1657 int ret = -ENOTTY;
1658
1659 if (!(file->f_mode & FMODE_WRITE))
1660 return -EPERM;
1661 usb_lock_device(dev);
1662 if (!connected(ps)) {
1663 usb_unlock_device(dev);
1664 return -ENODEV;
1665 }
1666
1667 switch (cmd) {
1668 case USBDEVFS_CONTROL:
1669 snoop(&dev->dev, "%s: CONTROL\n", __func__);
1670 ret = proc_control(ps, p);
1671 if (ret >= 0)
1672 inode->i_mtime = CURRENT_TIME;
1673 break;
1674
1675 case USBDEVFS_BULK:
1676 snoop(&dev->dev, "%s: BULK\n", __func__);
1677 ret = proc_bulk(ps, p);
1678 if (ret >= 0)
1679 inode->i_mtime = CURRENT_TIME;
1680 break;
1681
1682 case USBDEVFS_RESETEP:
1683 snoop(&dev->dev, "%s: RESETEP\n", __func__);
1684 ret = proc_resetep(ps, p);
1685 if (ret >= 0)
1686 inode->i_mtime = CURRENT_TIME;
1687 break;
1688
1689 case USBDEVFS_RESET:
1690 snoop(&dev->dev, "%s: RESET\n", __func__);
1691 ret = proc_resetdevice(ps);
1692 break;
1693
1694 case USBDEVFS_CLEAR_HALT:
1695 snoop(&dev->dev, "%s: CLEAR_HALT\n", __func__);
1696 ret = proc_clearhalt(ps, p);
1697 if (ret >= 0)
1698 inode->i_mtime = CURRENT_TIME;
1699 break;
1700
1701 case USBDEVFS_GETDRIVER:
1702 snoop(&dev->dev, "%s: GETDRIVER\n", __func__);
1703 ret = proc_getdriver(ps, p);
1704 break;
1705
1706 case USBDEVFS_CONNECTINFO:
1707 snoop(&dev->dev, "%s: CONNECTINFO\n", __func__);
1708 ret = proc_connectinfo(ps, p);
1709 break;
1710
1711 case USBDEVFS_SETINTERFACE:
1712 snoop(&dev->dev, "%s: SETINTERFACE\n", __func__);
1713 ret = proc_setintf(ps, p);
1714 break;
1715
1716 case USBDEVFS_SETCONFIGURATION:
1717 snoop(&dev->dev, "%s: SETCONFIGURATION\n", __func__);
1718 ret = proc_setconfig(ps, p);
1719 break;
1720
1721 case USBDEVFS_SUBMITURB:
1722 snoop(&dev->dev, "%s: SUBMITURB\n", __func__);
1723 ret = proc_submiturb(ps, p);
1724 if (ret >= 0)
1725 inode->i_mtime = CURRENT_TIME;
1726 break;
1727
1728#ifdef CONFIG_COMPAT
1729
1730 case USBDEVFS_SUBMITURB32:
1731 snoop(&dev->dev, "%s: SUBMITURB32\n", __func__);
1732 ret = proc_submiturb_compat(ps, p);
1733 if (ret >= 0)
1734 inode->i_mtime = CURRENT_TIME;
1735 break;
1736
1737 case USBDEVFS_REAPURB32:
1738 snoop(&dev->dev, "%s: REAPURB32\n", __func__);
1739 ret = proc_reapurb_compat(ps, p);
1740 break;
1741
1742 case USBDEVFS_REAPURBNDELAY32:
1743 snoop(&dev->dev, "%s: REAPURBNDELAY32\n", __func__);
1744 ret = proc_reapurbnonblock_compat(ps, p);
1745 break;
1746
1747 case USBDEVFS_IOCTL32:
1748 snoop(&dev->dev, "%s: IOCTL\n", __func__);
1749 ret = proc_ioctl_compat(ps, ptr_to_compat(p));
1750 break;
1751#endif
1752
1753 case USBDEVFS_DISCARDURB:
1754 snoop(&dev->dev, "%s: DISCARDURB\n", __func__);
1755 ret = proc_unlinkurb(ps, p);
1756 break;
1757
1758 case USBDEVFS_REAPURB:
1759 snoop(&dev->dev, "%s: REAPURB\n", __func__);
1760 ret = proc_reapurb(ps, p);
1761 break;
1762
1763 case USBDEVFS_REAPURBNDELAY:
1764 snoop(&dev->dev, "%s: REAPURBNDELAY\n", __func__);
1765 ret = proc_reapurbnonblock(ps, p);
1766 break;
1767
1768 case USBDEVFS_DISCSIGNAL:
1769 snoop(&dev->dev, "%s: DISCSIGNAL\n", __func__);
1770 ret = proc_disconnectsignal(ps, p);
1771 break;
1772
1773 case USBDEVFS_CLAIMINTERFACE:
1774 snoop(&dev->dev, "%s: CLAIMINTERFACE\n", __func__);
1775 ret = proc_claiminterface(ps, p);
1776 break;
1777
1778 case USBDEVFS_RELEASEINTERFACE:
1779 snoop(&dev->dev, "%s: RELEASEINTERFACE\n", __func__);
1780 ret = proc_releaseinterface(ps, p);
1781 break;
1782
1783 case USBDEVFS_IOCTL:
1784 snoop(&dev->dev, "%s: IOCTL\n", __func__);
1785 ret = proc_ioctl_default(ps, p);
1786 break;
1787
1788 case USBDEVFS_CLAIM_PORT:
1789 snoop(&dev->dev, "%s: CLAIM_PORT\n", __func__);
1790 ret = proc_claim_port(ps, p);
1791 break;
1792
1793 case USBDEVFS_RELEASE_PORT:
1794 snoop(&dev->dev, "%s: RELEASE_PORT\n", __func__);
1795 ret = proc_release_port(ps, p);
1796 break;
1797 }
1798 usb_unlock_device(dev);
1799 if (ret >= 0)
1800 inode->i_atime = CURRENT_TIME;
1801 return ret;
1802}
1803
1804
1805static unsigned int usbdev_poll(struct file *file,
1806 struct poll_table_struct *wait)
1807{
1808 struct dev_state *ps = file->private_data;
1809 unsigned int mask = 0;
1810
1811 poll_wait(file, &ps->wait, wait);
1812 if (file->f_mode & FMODE_WRITE && !list_empty(&ps->async_completed))
1813 mask |= POLLOUT | POLLWRNORM;
1814 if (!connected(ps))
1815 mask |= POLLERR | POLLHUP;
1816 return mask;
1817}
1818
1819const struct file_operations usbdev_file_operations = {
1820 .owner = THIS_MODULE,
1821 .llseek = usbdev_lseek,
1822 .read = usbdev_read,
1823 .poll = usbdev_poll,
1824 .ioctl = usbdev_ioctl,
1825 .open = usbdev_open,
1826 .release = usbdev_release,
1827};
1828
1829static void usbdev_remove(struct usb_device *udev)
1830{
1831 struct dev_state *ps;
1832 struct siginfo sinfo;
1833
1834 while (!list_empty(&udev->filelist)) {
1835 ps = list_entry(udev->filelist.next, struct dev_state, list);
1836 destroy_all_async(ps);
1837 wake_up_all(&ps->wait);
1838 list_del_init(&ps->list);
1839 if (ps->discsignr) {
1840 sinfo.si_signo = ps->discsignr;
1841 sinfo.si_errno = EPIPE;
1842 sinfo.si_code = SI_ASYNCIO;
1843 sinfo.si_addr = ps->disccontext;
1844 kill_pid_info_as_uid(ps->discsignr, &sinfo,
1845 ps->disc_pid, ps->disc_uid,
1846 ps->disc_euid, ps->secid);
1847 }
1848 }
1849}
1850
1851#ifdef CONFIG_USB_DEVICE_CLASS
1852static struct class *usb_classdev_class;
1853
1854static int usb_classdev_add(struct usb_device *dev)
1855{
1856 struct device *cldev;
1857
1858 cldev = device_create(usb_classdev_class, &dev->dev, dev->dev.devt,
1859 NULL, "usbdev%d.%d", dev->bus->busnum,
1860 dev->devnum);
1861 if (IS_ERR(cldev))
1862 return PTR_ERR(cldev);
1863 dev->usb_classdev = cldev;
1864 return 0;
1865}
1866
1867static void usb_classdev_remove(struct usb_device *dev)
1868{
1869 if (dev->usb_classdev)
1870 device_unregister(dev->usb_classdev);
1871}
1872
1873#else
1874#define usb_classdev_add(dev) 0
1875#define usb_classdev_remove(dev) do {} while (0)
1876
1877#endif
1878
1879static int usbdev_notify(struct notifier_block *self,
1880 unsigned long action, void *dev)
1881{
1882 switch (action) {
1883 case USB_DEVICE_ADD:
1884 if (usb_classdev_add(dev))
1885 return NOTIFY_BAD;
1886 break;
1887 case USB_DEVICE_REMOVE:
1888 usb_classdev_remove(dev);
1889 usbdev_remove(dev);
1890 break;
1891 }
1892 return NOTIFY_OK;
1893}
1894
1895static struct notifier_block usbdev_nb = {
1896 .notifier_call = usbdev_notify,
1897};
1898
1899static struct cdev usb_device_cdev;
1900
1901int __init usb_devio_init(void)
1902{
1903 int retval;
1904
1905 retval = register_chrdev_region(USB_DEVICE_DEV, USB_DEVICE_MAX,
1906 "usb_device");
1907 if (retval) {
1908 printk(KERN_ERR "Unable to register minors for usb_device\n");
1909 goto out;
1910 }
1911 cdev_init(&usb_device_cdev, &usbdev_file_operations);
1912 retval = cdev_add(&usb_device_cdev, USB_DEVICE_DEV, USB_DEVICE_MAX);
1913 if (retval) {
1914 printk(KERN_ERR "Unable to get usb_device major %d\n",
1915 USB_DEVICE_MAJOR);
1916 goto error_cdev;
1917 }
1918#ifdef CONFIG_USB_DEVICE_CLASS
1919 usb_classdev_class = class_create(THIS_MODULE, "usb_device");
1920 if (IS_ERR(usb_classdev_class)) {
1921 printk(KERN_ERR "Unable to register usb_device class\n");
1922 retval = PTR_ERR(usb_classdev_class);
1923 cdev_del(&usb_device_cdev);
1924 usb_classdev_class = NULL;
1925 goto out;
1926 }
1927
1928
1929
1930
1931 usb_classdev_class->dev_kobj = NULL;
1932#endif
1933 usb_register_notify(&usbdev_nb);
1934out:
1935 return retval;
1936
1937error_cdev:
1938 unregister_chrdev_region(USB_DEVICE_DEV, USB_DEVICE_MAX);
1939 goto out;
1940}
1941
1942void usb_devio_cleanup(void)
1943{
1944 usb_unregister_notify(&usbdev_nb);
1945#ifdef CONFIG_USB_DEVICE_CLASS
1946 class_destroy(usb_classdev_class);
1947#endif
1948 cdev_del(&usb_device_cdev);
1949 unregister_chrdev_region(USB_DEVICE_DEV, USB_DEVICE_MAX);
1950}
1951