linux/drivers/usb/core/devio.c
<<
>>
Prefs
   1/*****************************************************************************/
   2
   3/*
   4 *      devio.c  --  User space communication with USB devices.
   5 *
   6 *      Copyright (C) 1999-2000  Thomas Sailer (sailer@ife.ee.ethz.ch)
   7 *
   8 *      This program is free software; you can redistribute it and/or modify
   9 *      it under the terms of the GNU General Public License as published by
  10 *      the Free Software Foundation; either version 2 of the License, or
  11 *      (at your option) any later version.
  12 *
  13 *      This program is distributed in the hope that it will be useful,
  14 *      but WITHOUT ANY WARRANTY; without even the implied warranty of
  15 *      MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16 *      GNU General Public License for more details.
  17 *
  18 *      You should have received a copy of the GNU General Public License
  19 *      along with this program; if not, write to the Free Software
  20 *      Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  21 *
  22 *  This file implements the usbfs/x/y files, where
  23 *  x is the bus number and y the device number.
  24 *
  25 *  It allows user space programs/"drivers" to communicate directly
  26 *  with USB devices without intervening kernel driver.
  27 *
  28 *  Revision history
  29 *    22.12.1999   0.1   Initial release (split from proc_usb.c)
  30 *    04.01.2000   0.2   Turned into its own filesystem
  31 *    30.09.2005   0.3   Fix user-triggerable oops in async URB delivery
  32 *                       (CAN-2005-3055)
  33 */
  34
  35/*****************************************************************************/
  36
  37#include <linux/fs.h>
  38#include <linux/mm.h>
  39#include <linux/slab.h>
  40#include <linux/smp_lock.h>
  41#include <linux/signal.h>
  42#include <linux/poll.h>
  43#include <linux/module.h>
  44#include <linux/usb.h>
  45#include <linux/usbdevice_fs.h>
  46#include <linux/cdev.h>
  47#include <linux/notifier.h>
  48#include <linux/security.h>
  49#include <asm/uaccess.h>
  50#include <asm/byteorder.h>
  51#include <linux/moduleparam.h>
  52
  53#include "hcd.h"        /* for usbcore internals */
  54#include "usb.h"
  55#include "hub.h"
  56
  57#define USB_MAXBUS                      64
  58#define USB_DEVICE_MAX                  USB_MAXBUS * 128
  59
  60/* Mutual exclusion for removal, open, and release */
  61DEFINE_MUTEX(usbfs_mutex);
  62
  63struct dev_state {
  64        struct list_head list;      /* state list */
  65        struct usb_device *dev;
  66        struct file *file;
  67        spinlock_t lock;            /* protects the async urb lists */
  68        struct list_head async_pending;
  69        struct list_head async_completed;
  70        wait_queue_head_t wait;     /* wake up if a request completed */
  71        unsigned int discsignr;
  72        struct pid *disc_pid;
  73        uid_t disc_uid, disc_euid;
  74        void __user *disccontext;
  75        unsigned long ifclaimed;
  76        u32 secid;
  77        u32 disabled_bulk_eps;
  78};
  79
  80struct async {
  81        struct list_head asynclist;
  82        struct dev_state *ps;
  83        struct pid *pid;
  84        uid_t uid, euid;
  85        unsigned int signr;
  86        unsigned int ifnum;
  87        void __user *userbuffer;
  88        void __user *userurb;
  89        struct urb *urb;
  90        int status;
  91        u32 secid;
  92        u8 bulk_addr;
  93        u8 bulk_status;
  94};
  95
  96static int usbfs_snoop;
  97module_param(usbfs_snoop, bool, S_IRUGO | S_IWUSR);
  98MODULE_PARM_DESC(usbfs_snoop, "true to log all usbfs traffic");
  99
 100#define snoop(dev, format, arg...)                              \
 101        do {                                                    \
 102                if (usbfs_snoop)                                \
 103                        dev_info(dev , format , ## arg);        \
 104        } while (0)
 105
 106enum snoop_when {
 107        SUBMIT, COMPLETE
 108};
 109
 110#define USB_DEVICE_DEV          MKDEV(USB_DEVICE_MAJOR, 0)
 111
 112#define MAX_USBFS_BUFFER_SIZE   16384
 113
 114
 115static int connected(struct dev_state *ps)
 116{
 117        return (!list_empty(&ps->list) &&
 118                        ps->dev->state != USB_STATE_NOTATTACHED);
 119}
 120
 121static loff_t usbdev_lseek(struct file *file, loff_t offset, int orig)
 122{
 123        loff_t ret;
 124
 125        lock_kernel();
 126
 127        switch (orig) {
 128        case 0:
 129                file->f_pos = offset;
 130                ret = file->f_pos;
 131                break;
 132        case 1:
 133                file->f_pos += offset;
 134                ret = file->f_pos;
 135                break;
 136        case 2:
 137        default:
 138                ret = -EINVAL;
 139        }
 140
 141        unlock_kernel();
 142        return ret;
 143}
 144
 145static ssize_t usbdev_read(struct file *file, char __user *buf, size_t nbytes,
 146                           loff_t *ppos)
 147{
 148        struct dev_state *ps = file->private_data;
 149        struct usb_device *dev = ps->dev;
 150        ssize_t ret = 0;
 151        unsigned len;
 152        loff_t pos;
 153        int i;
 154
 155        pos = *ppos;
 156        usb_lock_device(dev);
 157        if (!connected(ps)) {
 158                ret = -ENODEV;
 159                goto err;
 160        } else if (pos < 0) {
 161                ret = -EINVAL;
 162                goto err;
 163        }
 164
 165        if (pos < sizeof(struct usb_device_descriptor)) {
 166                /* 18 bytes - fits on the stack */
 167                struct usb_device_descriptor temp_desc;
 168
 169                memcpy(&temp_desc, &dev->descriptor, sizeof(dev->descriptor));
 170                le16_to_cpus(&temp_desc.bcdUSB);
 171                le16_to_cpus(&temp_desc.idVendor);
 172                le16_to_cpus(&temp_desc.idProduct);
 173                le16_to_cpus(&temp_desc.bcdDevice);
 174
 175                len = sizeof(struct usb_device_descriptor) - pos;
 176                if (len > nbytes)
 177                        len = nbytes;
 178                if (copy_to_user(buf, ((char *)&temp_desc) + pos, len)) {
 179                        ret = -EFAULT;
 180                        goto err;
 181                }
 182
 183                *ppos += len;
 184                buf += len;
 185                nbytes -= len;
 186                ret += len;
 187        }
 188
 189        pos = sizeof(struct usb_device_descriptor);
 190        for (i = 0; nbytes && i < dev->descriptor.bNumConfigurations; i++) {
 191                struct usb_config_descriptor *config =
 192                        (struct usb_config_descriptor *)dev->rawdescriptors[i];
 193                unsigned int length = le16_to_cpu(config->wTotalLength);
 194
 195                if (*ppos < pos + length) {
 196
 197                        /* The descriptor may claim to be longer than it
 198                         * really is.  Here is the actual allocated length. */
 199                        unsigned alloclen =
 200                                le16_to_cpu(dev->config[i].desc.wTotalLength);
 201
 202                        len = length - (*ppos - pos);
 203                        if (len > nbytes)
 204                                len = nbytes;
 205
 206                        /* Simply don't write (skip over) unallocated parts */
 207                        if (alloclen > (*ppos - pos)) {
 208                                alloclen -= (*ppos - pos);
 209                                if (copy_to_user(buf,
 210                                    dev->rawdescriptors[i] + (*ppos - pos),
 211                                    min(len, alloclen))) {
 212                                        ret = -EFAULT;
 213                                        goto err;
 214                                }
 215                        }
 216
 217                        *ppos += len;
 218                        buf += len;
 219                        nbytes -= len;
 220                        ret += len;
 221                }
 222
 223                pos += length;
 224        }
 225
 226err:
 227        usb_unlock_device(dev);
 228        return ret;
 229}
 230
 231/*
 232 * async list handling
 233 */
 234
 235static struct async *alloc_async(unsigned int numisoframes)
 236{
 237        struct async *as;
 238
 239        as = kzalloc(sizeof(struct async), GFP_KERNEL);
 240        if (!as)
 241                return NULL;
 242        as->urb = usb_alloc_urb(numisoframes, GFP_KERNEL);
 243        if (!as->urb) {
 244                kfree(as);
 245                return NULL;
 246        }
 247        return as;
 248}
 249
 250static void free_async(struct async *as)
 251{
 252        put_pid(as->pid);
 253        kfree(as->urb->transfer_buffer);
 254        kfree(as->urb->setup_packet);
 255        usb_free_urb(as->urb);
 256        kfree(as);
 257}
 258
 259static void async_newpending(struct async *as)
 260{
 261        struct dev_state *ps = as->ps;
 262        unsigned long flags;
 263
 264        spin_lock_irqsave(&ps->lock, flags);
 265        list_add_tail(&as->asynclist, &ps->async_pending);
 266        spin_unlock_irqrestore(&ps->lock, flags);
 267}
 268
 269static void async_removepending(struct async *as)
 270{
 271        struct dev_state *ps = as->ps;
 272        unsigned long flags;
 273
 274        spin_lock_irqsave(&ps->lock, flags);
 275        list_del_init(&as->asynclist);
 276        spin_unlock_irqrestore(&ps->lock, flags);
 277}
 278
 279static struct async *async_getcompleted(struct dev_state *ps)
 280{
 281        unsigned long flags;
 282        struct async *as = NULL;
 283
 284        spin_lock_irqsave(&ps->lock, flags);
 285        if (!list_empty(&ps->async_completed)) {
 286                as = list_entry(ps->async_completed.next, struct async,
 287                                asynclist);
 288                list_del_init(&as->asynclist);
 289        }
 290        spin_unlock_irqrestore(&ps->lock, flags);
 291        return as;
 292}
 293
 294static struct async *async_getpending(struct dev_state *ps,
 295                                             void __user *userurb)
 296{
 297        unsigned long flags;
 298        struct async *as;
 299
 300        spin_lock_irqsave(&ps->lock, flags);
 301        list_for_each_entry(as, &ps->async_pending, asynclist)
 302                if (as->userurb == userurb) {
 303                        list_del_init(&as->asynclist);
 304                        spin_unlock_irqrestore(&ps->lock, flags);
 305                        return as;
 306                }
 307        spin_unlock_irqrestore(&ps->lock, flags);
 308        return NULL;
 309}
 310
 311static void snoop_urb(struct usb_device *udev,
 312                void __user *userurb, int pipe, unsigned length,
 313                int timeout_or_status, enum snoop_when when)
 314{
 315        static const char *types[] = {"isoc", "int", "ctrl", "bulk"};
 316        static const char *dirs[] = {"out", "in"};
 317        int ep;
 318        const char *t, *d;
 319
 320        if (!usbfs_snoop)
 321                return;
 322
 323        ep = usb_pipeendpoint(pipe);
 324        t = types[usb_pipetype(pipe)];
 325        d = dirs[!!usb_pipein(pipe)];
 326
 327        if (userurb) {          /* Async */
 328                if (when == SUBMIT)
 329                        dev_info(&udev->dev, "userurb %p, ep%d %s-%s, "
 330                                        "length %u\n",
 331                                        userurb, ep, t, d, length);
 332                else
 333                        dev_info(&udev->dev, "userurb %p, ep%d %s-%s, "
 334                                        "actual_length %u status %d\n",
 335                                        userurb, ep, t, d, length,
 336                                        timeout_or_status);
 337        } else {
 338                if (when == SUBMIT)
 339                        dev_info(&udev->dev, "ep%d %s-%s, length %u, "
 340                                        "timeout %d\n",
 341                                        ep, t, d, length, timeout_or_status);
 342                else
 343                        dev_info(&udev->dev, "ep%d %s-%s, actual_length %u, "
 344                                        "status %d\n",
 345                                        ep, t, d, length, timeout_or_status);
 346        }
 347}
 348
 349#define AS_CONTINUATION 1
 350#define AS_UNLINK       2
 351
 352static void cancel_bulk_urbs(struct dev_state *ps, unsigned bulk_addr)
 353__releases(ps->lock)
 354__acquires(ps->lock)
 355{
 356        struct async *as;
 357
 358        /* Mark all the pending URBs that match bulk_addr, up to but not
 359         * including the first one without AS_CONTINUATION.  If such an
 360         * URB is encountered then a new transfer has already started so
 361         * the endpoint doesn't need to be disabled; otherwise it does.
 362         */
 363        list_for_each_entry(as, &ps->async_pending, asynclist) {
 364                if (as->bulk_addr == bulk_addr) {
 365                        if (as->bulk_status != AS_CONTINUATION)
 366                                goto rescan;
 367                        as->bulk_status = AS_UNLINK;
 368                        as->bulk_addr = 0;
 369                }
 370        }
 371        ps->disabled_bulk_eps |= (1 << bulk_addr);
 372
 373        /* Now carefully unlink all the marked pending URBs */
 374 rescan:
 375        list_for_each_entry(as, &ps->async_pending, asynclist) {
 376                if (as->bulk_status == AS_UNLINK) {
 377                        as->bulk_status = 0;            /* Only once */
 378                        spin_unlock(&ps->lock);         /* Allow completions */
 379                        usb_unlink_urb(as->urb);
 380                        spin_lock(&ps->lock);
 381                        goto rescan;
 382                }
 383        }
 384}
 385
 386static void async_completed(struct urb *urb)
 387{
 388        struct async *as = urb->context;
 389        struct dev_state *ps = as->ps;
 390        struct siginfo sinfo;
 391        struct pid *pid = NULL;
 392        uid_t uid = 0;
 393        uid_t euid = 0;
 394        u32 secid = 0;
 395        int signr;
 396
 397        spin_lock(&ps->lock);
 398        list_move_tail(&as->asynclist, &ps->async_completed);
 399        as->status = urb->status;
 400        signr = as->signr;
 401        if (signr) {
 402                sinfo.si_signo = as->signr;
 403                sinfo.si_errno = as->status;
 404                sinfo.si_code = SI_ASYNCIO;
 405                sinfo.si_addr = as->userurb;
 406                pid = as->pid;
 407                uid = as->uid;
 408                euid = as->euid;
 409                secid = as->secid;
 410        }
 411        snoop(&urb->dev->dev, "urb complete\n");
 412        snoop_urb(urb->dev, as->userurb, urb->pipe, urb->actual_length,
 413                        as->status, COMPLETE);
 414        if (as->status < 0 && as->bulk_addr && as->status != -ECONNRESET &&
 415                        as->status != -ENOENT)
 416                cancel_bulk_urbs(ps, as->bulk_addr);
 417        spin_unlock(&ps->lock);
 418
 419        if (signr)
 420                kill_pid_info_as_uid(sinfo.si_signo, &sinfo, pid, uid,
 421                                      euid, secid);
 422
 423        wake_up(&ps->wait);
 424}
 425
 426static void destroy_async(struct dev_state *ps, struct list_head *list)
 427{
 428        struct async *as;
 429        unsigned long flags;
 430
 431        spin_lock_irqsave(&ps->lock, flags);
 432        while (!list_empty(list)) {
 433                as = list_entry(list->next, struct async, asynclist);
 434                list_del_init(&as->asynclist);
 435
 436                /* drop the spinlock so the completion handler can run */
 437                spin_unlock_irqrestore(&ps->lock, flags);
 438                usb_kill_urb(as->urb);
 439                spin_lock_irqsave(&ps->lock, flags);
 440        }
 441        spin_unlock_irqrestore(&ps->lock, flags);
 442}
 443
 444static void destroy_async_on_interface(struct dev_state *ps,
 445                                       unsigned int ifnum)
 446{
 447        struct list_head *p, *q, hitlist;
 448        unsigned long flags;
 449
 450        INIT_LIST_HEAD(&hitlist);
 451        spin_lock_irqsave(&ps->lock, flags);
 452        list_for_each_safe(p, q, &ps->async_pending)
 453                if (ifnum == list_entry(p, struct async, asynclist)->ifnum)
 454                        list_move_tail(p, &hitlist);
 455        spin_unlock_irqrestore(&ps->lock, flags);
 456        destroy_async(ps, &hitlist);
 457}
 458
 459static void destroy_all_async(struct dev_state *ps)
 460{
 461        destroy_async(ps, &ps->async_pending);
 462}
 463
 464/*
 465 * interface claims are made only at the request of user level code,
 466 * which can also release them (explicitly or by closing files).
 467 * they're also undone when devices disconnect.
 468 */
 469
 470static int driver_probe(struct usb_interface *intf,
 471                        const struct usb_device_id *id)
 472{
 473        return -ENODEV;
 474}
 475
 476static void driver_disconnect(struct usb_interface *intf)
 477{
 478        struct dev_state *ps = usb_get_intfdata(intf);
 479        unsigned int ifnum = intf->altsetting->desc.bInterfaceNumber;
 480
 481        if (!ps)
 482                return;
 483
 484        /* NOTE:  this relies on usbcore having canceled and completed
 485         * all pending I/O requests; 2.6 does that.
 486         */
 487
 488        if (likely(ifnum < 8*sizeof(ps->ifclaimed)))
 489                clear_bit(ifnum, &ps->ifclaimed);
 490        else
 491                dev_warn(&intf->dev, "interface number %u out of range\n",
 492                         ifnum);
 493
 494        usb_set_intfdata(intf, NULL);
 495
 496        /* force async requests to complete */
 497        destroy_async_on_interface(ps, ifnum);
 498}
 499
 500/* The following routines are merely placeholders.  There is no way
 501 * to inform a user task about suspend or resumes.
 502 */
 503static int driver_suspend(struct usb_interface *intf, pm_message_t msg)
 504{
 505        return 0;
 506}
 507
 508static int driver_resume(struct usb_interface *intf)
 509{
 510        return 0;
 511}
 512
 513struct usb_driver usbfs_driver = {
 514        .name =         "usbfs",
 515        .probe =        driver_probe,
 516        .disconnect =   driver_disconnect,
 517        .suspend =      driver_suspend,
 518        .resume =       driver_resume,
 519};
 520
 521static int claimintf(struct dev_state *ps, unsigned int ifnum)
 522{
 523        struct usb_device *dev = ps->dev;
 524        struct usb_interface *intf;
 525        int err;
 526
 527        if (ifnum >= 8*sizeof(ps->ifclaimed))
 528                return -EINVAL;
 529        /* already claimed */
 530        if (test_bit(ifnum, &ps->ifclaimed))
 531                return 0;
 532
 533        intf = usb_ifnum_to_if(dev, ifnum);
 534        if (!intf)
 535                err = -ENOENT;
 536        else
 537                err = usb_driver_claim_interface(&usbfs_driver, intf, ps);
 538        if (err == 0)
 539                set_bit(ifnum, &ps->ifclaimed);
 540        return err;
 541}
 542
 543static int releaseintf(struct dev_state *ps, unsigned int ifnum)
 544{
 545        struct usb_device *dev;
 546        struct usb_interface *intf;
 547        int err;
 548
 549        err = -EINVAL;
 550        if (ifnum >= 8*sizeof(ps->ifclaimed))
 551                return err;
 552        dev = ps->dev;
 553        intf = usb_ifnum_to_if(dev, ifnum);
 554        if (!intf)
 555                err = -ENOENT;
 556        else if (test_and_clear_bit(ifnum, &ps->ifclaimed)) {
 557                usb_driver_release_interface(&usbfs_driver, intf);
 558                err = 0;
 559        }
 560        return err;
 561}
 562
 563static int checkintf(struct dev_state *ps, unsigned int ifnum)
 564{
 565        if (ps->dev->state != USB_STATE_CONFIGURED)
 566                return -EHOSTUNREACH;
 567        if (ifnum >= 8*sizeof(ps->ifclaimed))
 568                return -EINVAL;
 569        if (test_bit(ifnum, &ps->ifclaimed))
 570                return 0;
 571        /* if not yet claimed, claim it for the driver */
 572        dev_warn(&ps->dev->dev, "usbfs: process %d (%s) did not claim "
 573                 "interface %u before use\n", task_pid_nr(current),
 574                 current->comm, ifnum);
 575        return claimintf(ps, ifnum);
 576}
 577
 578static int findintfep(struct usb_device *dev, unsigned int ep)
 579{
 580        unsigned int i, j, e;
 581        struct usb_interface *intf;
 582        struct usb_host_interface *alts;
 583        struct usb_endpoint_descriptor *endpt;
 584
 585        if (ep & ~(USB_DIR_IN|0xf))
 586                return -EINVAL;
 587        if (!dev->actconfig)
 588                return -ESRCH;
 589        for (i = 0; i < dev->actconfig->desc.bNumInterfaces; i++) {
 590                intf = dev->actconfig->interface[i];
 591                for (j = 0; j < intf->num_altsetting; j++) {
 592                        alts = &intf->altsetting[j];
 593                        for (e = 0; e < alts->desc.bNumEndpoints; e++) {
 594                                endpt = &alts->endpoint[e].desc;
 595                                if (endpt->bEndpointAddress == ep)
 596                                        return alts->desc.bInterfaceNumber;
 597                        }
 598                }
 599        }
 600        return -ENOENT;
 601}
 602
 603static int check_ctrlrecip(struct dev_state *ps, unsigned int requesttype,
 604                           unsigned int index)
 605{
 606        int ret = 0;
 607
 608        if (ps->dev->state != USB_STATE_UNAUTHENTICATED
 609         && ps->dev->state != USB_STATE_ADDRESS
 610         && ps->dev->state != USB_STATE_CONFIGURED)
 611                return -EHOSTUNREACH;
 612        if (USB_TYPE_VENDOR == (USB_TYPE_MASK & requesttype))
 613                return 0;
 614
 615        index &= 0xff;
 616        switch (requesttype & USB_RECIP_MASK) {
 617        case USB_RECIP_ENDPOINT:
 618                ret = findintfep(ps->dev, index);
 619                if (ret >= 0)
 620                        ret = checkintf(ps, ret);
 621                break;
 622
 623        case USB_RECIP_INTERFACE:
 624                ret = checkintf(ps, index);
 625                break;
 626        }
 627        return ret;
 628}
 629
 630static int match_devt(struct device *dev, void *data)
 631{
 632        return dev->devt == (dev_t) (unsigned long) data;
 633}
 634
 635static struct usb_device *usbdev_lookup_by_devt(dev_t devt)
 636{
 637        struct device *dev;
 638
 639        dev = bus_find_device(&usb_bus_type, NULL,
 640                              (void *) (unsigned long) devt, match_devt);
 641        if (!dev)
 642                return NULL;
 643        return container_of(dev, struct usb_device, dev);
 644}
 645
 646/*
 647 * file operations
 648 */
 649static int usbdev_open(struct inode *inode, struct file *file)
 650{
 651        struct usb_device *dev = NULL;
 652        struct dev_state *ps;
 653        const struct cred *cred = current_cred();
 654        int ret;
 655
 656        lock_kernel();
 657        /* Protect against simultaneous removal or release */
 658        mutex_lock(&usbfs_mutex);
 659
 660        ret = -ENOMEM;
 661        ps = kmalloc(sizeof(struct dev_state), GFP_KERNEL);
 662        if (!ps)
 663                goto out;
 664
 665        ret = -ENODEV;
 666
 667        /* usbdev device-node */
 668        if (imajor(inode) == USB_DEVICE_MAJOR)
 669                dev = usbdev_lookup_by_devt(inode->i_rdev);
 670#ifdef CONFIG_USB_DEVICEFS
 671        /* procfs file */
 672        if (!dev) {
 673                dev = inode->i_private;
 674                if (dev && dev->usbfs_dentry &&
 675                                        dev->usbfs_dentry->d_inode == inode)
 676                        usb_get_dev(dev);
 677                else
 678                        dev = NULL;
 679        }
 680#endif
 681        if (!dev || dev->state == USB_STATE_NOTATTACHED)
 682                goto out;
 683        ret = usb_autoresume_device(dev);
 684        if (ret)
 685                goto out;
 686
 687        ret = 0;
 688        ps->dev = dev;
 689        ps->file = file;
 690        spin_lock_init(&ps->lock);
 691        INIT_LIST_HEAD(&ps->list);
 692        INIT_LIST_HEAD(&ps->async_pending);
 693        INIT_LIST_HEAD(&ps->async_completed);
 694        init_waitqueue_head(&ps->wait);
 695        ps->discsignr = 0;
 696        ps->disc_pid = get_pid(task_pid(current));
 697        ps->disc_uid = cred->uid;
 698        ps->disc_euid = cred->euid;
 699        ps->disccontext = NULL;
 700        ps->ifclaimed = 0;
 701        security_task_getsecid(current, &ps->secid);
 702        smp_wmb();
 703        list_add_tail(&ps->list, &dev->filelist);
 704        file->private_data = ps;
 705        snoop(&dev->dev, "opened by process %d: %s\n", task_pid_nr(current),
 706                        current->comm);
 707 out:
 708        if (ret) {
 709                kfree(ps);
 710                usb_put_dev(dev);
 711        }
 712        mutex_unlock(&usbfs_mutex);
 713        unlock_kernel();
 714        return ret;
 715}
 716
 717static int usbdev_release(struct inode *inode, struct file *file)
 718{
 719        struct dev_state *ps = file->private_data;
 720        struct usb_device *dev = ps->dev;
 721        unsigned int ifnum;
 722        struct async *as;
 723
 724        usb_lock_device(dev);
 725        usb_hub_release_all_ports(dev, ps);
 726
 727        /* Protect against simultaneous open */
 728        mutex_lock(&usbfs_mutex);
 729        list_del_init(&ps->list);
 730        mutex_unlock(&usbfs_mutex);
 731
 732        for (ifnum = 0; ps->ifclaimed && ifnum < 8*sizeof(ps->ifclaimed);
 733                        ifnum++) {
 734                if (test_bit(ifnum, &ps->ifclaimed))
 735                        releaseintf(ps, ifnum);
 736        }
 737        destroy_all_async(ps);
 738        usb_autosuspend_device(dev);
 739        usb_unlock_device(dev);
 740        usb_put_dev(dev);
 741        put_pid(ps->disc_pid);
 742
 743        as = async_getcompleted(ps);
 744        while (as) {
 745                free_async(as);
 746                as = async_getcompleted(ps);
 747        }
 748        kfree(ps);
 749        return 0;
 750}
 751
 752static int proc_control(struct dev_state *ps, void __user *arg)
 753{
 754        struct usb_device *dev = ps->dev;
 755        struct usbdevfs_ctrltransfer ctrl;
 756        unsigned int tmo;
 757        unsigned char *tbuf;
 758        unsigned wLength;
 759        int i, pipe, ret;
 760
 761        if (copy_from_user(&ctrl, arg, sizeof(ctrl)))
 762                return -EFAULT;
 763        ret = check_ctrlrecip(ps, ctrl.bRequestType, ctrl.wIndex);
 764        if (ret)
 765                return ret;
 766        wLength = ctrl.wLength;         /* To suppress 64k PAGE_SIZE warning */
 767        if (wLength > PAGE_SIZE)
 768                return -EINVAL;
 769        tbuf = (unsigned char *)__get_free_page(GFP_KERNEL);
 770        if (!tbuf)
 771                return -ENOMEM;
 772        tmo = ctrl.timeout;
 773        if (ctrl.bRequestType & 0x80) {
 774                if (ctrl.wLength && !access_ok(VERIFY_WRITE, ctrl.data,
 775                                               ctrl.wLength)) {
 776                        free_page((unsigned long)tbuf);
 777                        return -EINVAL;
 778                }
 779                pipe = usb_rcvctrlpipe(dev, 0);
 780                snoop_urb(dev, NULL, pipe, ctrl.wLength, tmo, SUBMIT);
 781
 782                usb_unlock_device(dev);
 783                i = usb_control_msg(dev, pipe, ctrl.bRequest,
 784                                    ctrl.bRequestType, ctrl.wValue, ctrl.wIndex,
 785                                    tbuf, ctrl.wLength, tmo);
 786                usb_lock_device(dev);
 787                snoop_urb(dev, NULL, pipe, max(i, 0), min(i, 0), COMPLETE);
 788
 789                if ((i > 0) && ctrl.wLength) {
 790                        if (copy_to_user(ctrl.data, tbuf, i)) {
 791                                free_page((unsigned long)tbuf);
 792                                return -EFAULT;
 793                        }
 794                }
 795        } else {
 796                if (ctrl.wLength) {
 797                        if (copy_from_user(tbuf, ctrl.data, ctrl.wLength)) {
 798                                free_page((unsigned long)tbuf);
 799                                return -EFAULT;
 800                        }
 801                }
 802                pipe = usb_sndctrlpipe(dev, 0);
 803                snoop_urb(dev, NULL, pipe, ctrl.wLength, tmo, SUBMIT);
 804
 805                usb_unlock_device(dev);
 806                i = usb_control_msg(dev, usb_sndctrlpipe(dev, 0), ctrl.bRequest,
 807                                    ctrl.bRequestType, ctrl.wValue, ctrl.wIndex,
 808                                    tbuf, ctrl.wLength, tmo);
 809                usb_lock_device(dev);
 810                snoop_urb(dev, NULL, pipe, max(i, 0), min(i, 0), COMPLETE);
 811        }
 812        free_page((unsigned long)tbuf);
 813        if (i < 0 && i != -EPIPE) {
 814                dev_printk(KERN_DEBUG, &dev->dev, "usbfs: USBDEVFS_CONTROL "
 815                           "failed cmd %s rqt %u rq %u len %u ret %d\n",
 816                           current->comm, ctrl.bRequestType, ctrl.bRequest,
 817                           ctrl.wLength, i);
 818        }
 819        return i;
 820}
 821
 822static int proc_bulk(struct dev_state *ps, void __user *arg)
 823{
 824        struct usb_device *dev = ps->dev;
 825        struct usbdevfs_bulktransfer bulk;
 826        unsigned int tmo, len1, pipe;
 827        int len2;
 828        unsigned char *tbuf;
 829        int i, ret;
 830
 831        if (copy_from_user(&bulk, arg, sizeof(bulk)))
 832                return -EFAULT;
 833        ret = findintfep(ps->dev, bulk.ep);
 834        if (ret < 0)
 835                return ret;
 836        ret = checkintf(ps, ret);
 837        if (ret)
 838                return ret;
 839        if (bulk.ep & USB_DIR_IN)
 840                pipe = usb_rcvbulkpipe(dev, bulk.ep & 0x7f);
 841        else
 842                pipe = usb_sndbulkpipe(dev, bulk.ep & 0x7f);
 843        if (!usb_maxpacket(dev, pipe, !(bulk.ep & USB_DIR_IN)))
 844                return -EINVAL;
 845        len1 = bulk.len;
 846        if (len1 > MAX_USBFS_BUFFER_SIZE)
 847                return -EINVAL;
 848        if (!(tbuf = kmalloc(len1, GFP_KERNEL)))
 849                return -ENOMEM;
 850        tmo = bulk.timeout;
 851        if (bulk.ep & 0x80) {
 852                if (len1 && !access_ok(VERIFY_WRITE, bulk.data, len1)) {
 853                        kfree(tbuf);
 854                        return -EINVAL;
 855                }
 856                snoop_urb(dev, NULL, pipe, len1, tmo, SUBMIT);
 857
 858                usb_unlock_device(dev);
 859                i = usb_bulk_msg(dev, pipe, tbuf, len1, &len2, tmo);
 860                usb_lock_device(dev);
 861                snoop_urb(dev, NULL, pipe, len2, i, COMPLETE);
 862
 863                if (!i && len2) {
 864                        if (copy_to_user(bulk.data, tbuf, len2)) {
 865                                kfree(tbuf);
 866                                return -EFAULT;
 867                        }
 868                }
 869        } else {
 870                if (len1) {
 871                        if (copy_from_user(tbuf, bulk.data, len1)) {
 872                                kfree(tbuf);
 873                                return -EFAULT;
 874                        }
 875                }
 876                snoop_urb(dev, NULL, pipe, len1, tmo, SUBMIT);
 877
 878                usb_unlock_device(dev);
 879                i = usb_bulk_msg(dev, pipe, tbuf, len1, &len2, tmo);
 880                usb_lock_device(dev);
 881                snoop_urb(dev, NULL, pipe, len2, i, COMPLETE);
 882        }
 883        kfree(tbuf);
 884        if (i < 0)
 885                return i;
 886        return len2;
 887}
 888
 889static int proc_resetep(struct dev_state *ps, void __user *arg)
 890{
 891        unsigned int ep;
 892        int ret;
 893
 894        if (get_user(ep, (unsigned int __user *)arg))
 895                return -EFAULT;
 896        ret = findintfep(ps->dev, ep);
 897        if (ret < 0)
 898                return ret;
 899        ret = checkintf(ps, ret);
 900        if (ret)
 901                return ret;
 902        usb_reset_endpoint(ps->dev, ep);
 903        return 0;
 904}
 905
 906static int proc_clearhalt(struct dev_state *ps, void __user *arg)
 907{
 908        unsigned int ep;
 909        int pipe;
 910        int ret;
 911
 912        if (get_user(ep, (unsigned int __user *)arg))
 913                return -EFAULT;
 914        ret = findintfep(ps->dev, ep);
 915        if (ret < 0)
 916                return ret;
 917        ret = checkintf(ps, ret);
 918        if (ret)
 919                return ret;
 920        if (ep & USB_DIR_IN)
 921                pipe = usb_rcvbulkpipe(ps->dev, ep & 0x7f);
 922        else
 923                pipe = usb_sndbulkpipe(ps->dev, ep & 0x7f);
 924
 925        return usb_clear_halt(ps->dev, pipe);
 926}
 927
 928static int proc_getdriver(struct dev_state *ps, void __user *arg)
 929{
 930        struct usbdevfs_getdriver gd;
 931        struct usb_interface *intf;
 932        int ret;
 933
 934        if (copy_from_user(&gd, arg, sizeof(gd)))
 935                return -EFAULT;
 936        intf = usb_ifnum_to_if(ps->dev, gd.interface);
 937        if (!intf || !intf->dev.driver)
 938                ret = -ENODATA;
 939        else {
 940                strncpy(gd.driver, intf->dev.driver->name,
 941                                sizeof(gd.driver));
 942                ret = (copy_to_user(arg, &gd, sizeof(gd)) ? -EFAULT : 0);
 943        }
 944        return ret;
 945}
 946
 947static int proc_connectinfo(struct dev_state *ps, void __user *arg)
 948{
 949        struct usbdevfs_connectinfo ci;
 950
 951        ci.devnum = ps->dev->devnum;
 952        ci.slow = ps->dev->speed == USB_SPEED_LOW;
 953        if (copy_to_user(arg, &ci, sizeof(ci)))
 954                return -EFAULT;
 955        return 0;
 956}
 957
 958static int proc_resetdevice(struct dev_state *ps)
 959{
 960        return usb_reset_device(ps->dev);
 961}
 962
 963static int proc_setintf(struct dev_state *ps, void __user *arg)
 964{
 965        struct usbdevfs_setinterface setintf;
 966        int ret;
 967
 968        if (copy_from_user(&setintf, arg, sizeof(setintf)))
 969                return -EFAULT;
 970        if ((ret = checkintf(ps, setintf.interface)))
 971                return ret;
 972        return usb_set_interface(ps->dev, setintf.interface,
 973                        setintf.altsetting);
 974}
 975
 976static int proc_setconfig(struct dev_state *ps, void __user *arg)
 977{
 978        int u;
 979        int status = 0;
 980        struct usb_host_config *actconfig;
 981
 982        if (get_user(u, (int __user *)arg))
 983                return -EFAULT;
 984
 985        actconfig = ps->dev->actconfig;
 986
 987        /* Don't touch the device if any interfaces are claimed.
 988         * It could interfere with other drivers' operations, and if
 989         * an interface is claimed by usbfs it could easily deadlock.
 990         */
 991        if (actconfig) {
 992                int i;
 993
 994                for (i = 0; i < actconfig->desc.bNumInterfaces; ++i) {
 995                        if (usb_interface_claimed(actconfig->interface[i])) {
 996                                dev_warn(&ps->dev->dev,
 997                                        "usbfs: interface %d claimed by %s "
 998                                        "while '%s' sets config #%d\n",
 999                                        actconfig->interface[i]
1000                                                ->cur_altsetting
1001                                                ->desc.bInterfaceNumber,
1002                                        actconfig->interface[i]
1003                                                ->dev.driver->name,
1004                                        current->comm, u);
1005                                status = -EBUSY;
1006                                break;
1007                        }
1008                }
1009        }
1010
1011        /* SET_CONFIGURATION is often abused as a "cheap" driver reset,
1012         * so avoid usb_set_configuration()'s kick to sysfs
1013         */
1014        if (status == 0) {
1015                if (actconfig && actconfig->desc.bConfigurationValue == u)
1016                        status = usb_reset_configuration(ps->dev);
1017                else
1018                        status = usb_set_configuration(ps->dev, u);
1019        }
1020
1021        return status;
1022}
1023
1024static int proc_do_submiturb(struct dev_state *ps, struct usbdevfs_urb *uurb,
1025                        struct usbdevfs_iso_packet_desc __user *iso_frame_desc,
1026                        void __user *arg)
1027{
1028        struct usbdevfs_iso_packet_desc *isopkt = NULL;
1029        struct usb_host_endpoint *ep;
1030        struct async *as;
1031        struct usb_ctrlrequest *dr = NULL;
1032        const struct cred *cred = current_cred();
1033        unsigned int u, totlen, isofrmlen;
1034        int ret, ifnum = -1;
1035        int is_in;
1036
1037        if (uurb->flags & ~(USBDEVFS_URB_ISO_ASAP |
1038                                USBDEVFS_URB_SHORT_NOT_OK |
1039                                USBDEVFS_URB_BULK_CONTINUATION |
1040                                USBDEVFS_URB_NO_FSBR |
1041                                USBDEVFS_URB_ZERO_PACKET |
1042                                USBDEVFS_URB_NO_INTERRUPT))
1043                return -EINVAL;
1044        if (uurb->buffer_length > 0 && !uurb->buffer)
1045                return -EINVAL;
1046        if (!(uurb->type == USBDEVFS_URB_TYPE_CONTROL &&
1047            (uurb->endpoint & ~USB_ENDPOINT_DIR_MASK) == 0)) {
1048                ifnum = findintfep(ps->dev, uurb->endpoint);
1049                if (ifnum < 0)
1050                        return ifnum;
1051                ret = checkintf(ps, ifnum);
1052                if (ret)
1053                        return ret;
1054        }
1055        if ((uurb->endpoint & USB_ENDPOINT_DIR_MASK) != 0) {
1056                is_in = 1;
1057                ep = ps->dev->ep_in[uurb->endpoint & USB_ENDPOINT_NUMBER_MASK];
1058        } else {
1059                is_in = 0;
1060                ep = ps->dev->ep_out[uurb->endpoint & USB_ENDPOINT_NUMBER_MASK];
1061        }
1062        if (!ep)
1063                return -ENOENT;
1064        switch(uurb->type) {
1065        case USBDEVFS_URB_TYPE_CONTROL:
1066                if (!usb_endpoint_xfer_control(&ep->desc))
1067                        return -EINVAL;
1068                /* min 8 byte setup packet,
1069                 * max 8 byte setup plus an arbitrary data stage */
1070                if (uurb->buffer_length < 8 ||
1071                    uurb->buffer_length > (8 + MAX_USBFS_BUFFER_SIZE))
1072                        return -EINVAL;
1073                dr = kmalloc(sizeof(struct usb_ctrlrequest), GFP_KERNEL);
1074                if (!dr)
1075                        return -ENOMEM;
1076                if (copy_from_user(dr, uurb->buffer, 8)) {
1077                        kfree(dr);
1078                        return -EFAULT;
1079                }
1080                if (uurb->buffer_length < (le16_to_cpup(&dr->wLength) + 8)) {
1081                        kfree(dr);
1082                        return -EINVAL;
1083                }
1084                ret = check_ctrlrecip(ps, dr->bRequestType,
1085                                      le16_to_cpup(&dr->wIndex));
1086                if (ret) {
1087                        kfree(dr);
1088                        return ret;
1089                }
1090                uurb->number_of_packets = 0;
1091                uurb->buffer_length = le16_to_cpup(&dr->wLength);
1092                uurb->buffer += 8;
1093                if ((dr->bRequestType & USB_DIR_IN) && uurb->buffer_length) {
1094                        is_in = 1;
1095                        uurb->endpoint |= USB_DIR_IN;
1096                } else {
1097                        is_in = 0;
1098                        uurb->endpoint &= ~USB_DIR_IN;
1099                }
1100                break;
1101
1102        case USBDEVFS_URB_TYPE_BULK:
1103                switch (usb_endpoint_type(&ep->desc)) {
1104                case USB_ENDPOINT_XFER_CONTROL:
1105                case USB_ENDPOINT_XFER_ISOC:
1106                        return -EINVAL;
1107                /* allow single-shot interrupt transfers, at bogus rates */
1108                }
1109                uurb->number_of_packets = 0;
1110                if (uurb->buffer_length > MAX_USBFS_BUFFER_SIZE)
1111                        return -EINVAL;
1112                break;
1113
1114        case USBDEVFS_URB_TYPE_ISO:
1115                /* arbitrary limit */
1116                if (uurb->number_of_packets < 1 ||
1117                    uurb->number_of_packets > 128)
1118                        return -EINVAL;
1119                if (!usb_endpoint_xfer_isoc(&ep->desc))
1120                        return -EINVAL;
1121                isofrmlen = sizeof(struct usbdevfs_iso_packet_desc) *
1122                                   uurb->number_of_packets;
1123                if (!(isopkt = kmalloc(isofrmlen, GFP_KERNEL)))
1124                        return -ENOMEM;
1125                if (copy_from_user(isopkt, iso_frame_desc, isofrmlen)) {
1126                        kfree(isopkt);
1127                        return -EFAULT;
1128                }
1129                for (totlen = u = 0; u < uurb->number_of_packets; u++) {
1130                        /* arbitrary limit,
1131                         * sufficient for USB 2.0 high-bandwidth iso */
1132                        if (isopkt[u].length > 8192) {
1133                                kfree(isopkt);
1134                                return -EINVAL;
1135                        }
1136                        totlen += isopkt[u].length;
1137                }
1138                /* 3072 * 64 microframes */
1139                if (totlen > 196608) {
1140                        kfree(isopkt);
1141                        return -EINVAL;
1142                }
1143                uurb->buffer_length = totlen;
1144                break;
1145
1146        case USBDEVFS_URB_TYPE_INTERRUPT:
1147                uurb->number_of_packets = 0;
1148                if (!usb_endpoint_xfer_int(&ep->desc))
1149                        return -EINVAL;
1150                if (uurb->buffer_length > MAX_USBFS_BUFFER_SIZE)
1151                        return -EINVAL;
1152                break;
1153
1154        default:
1155                return -EINVAL;
1156        }
1157        if (uurb->buffer_length > 0 &&
1158                        !access_ok(is_in ? VERIFY_WRITE : VERIFY_READ,
1159                                uurb->buffer, uurb->buffer_length)) {
1160                kfree(isopkt);
1161                kfree(dr);
1162                return -EFAULT;
1163        }
1164        as = alloc_async(uurb->number_of_packets);
1165        if (!as) {
1166                kfree(isopkt);
1167                kfree(dr);
1168                return -ENOMEM;
1169        }
1170        if (uurb->buffer_length > 0) {
1171                as->urb->transfer_buffer = kmalloc(uurb->buffer_length,
1172                                GFP_KERNEL);
1173                if (!as->urb->transfer_buffer) {
1174                        kfree(isopkt);
1175                        kfree(dr);
1176                        free_async(as);
1177                        return -ENOMEM;
1178                }
1179        }
1180        as->urb->dev = ps->dev;
1181        as->urb->pipe = (uurb->type << 30) |
1182                        __create_pipe(ps->dev, uurb->endpoint & 0xf) |
1183                        (uurb->endpoint & USB_DIR_IN);
1184
1185        /* This tedious sequence is necessary because the URB_* flags
1186         * are internal to the kernel and subject to change, whereas
1187         * the USBDEVFS_URB_* flags are a user API and must not be changed.
1188         */
1189        u = (is_in ? URB_DIR_IN : URB_DIR_OUT);
1190        if (uurb->flags & USBDEVFS_URB_ISO_ASAP)
1191                u |= URB_ISO_ASAP;
1192        if (uurb->flags & USBDEVFS_URB_SHORT_NOT_OK)
1193                u |= URB_SHORT_NOT_OK;
1194        if (uurb->flags & USBDEVFS_URB_NO_FSBR)
1195                u |= URB_NO_FSBR;
1196        if (uurb->flags & USBDEVFS_URB_ZERO_PACKET)
1197                u |= URB_ZERO_PACKET;
1198        if (uurb->flags & USBDEVFS_URB_NO_INTERRUPT)
1199                u |= URB_NO_INTERRUPT;
1200        as->urb->transfer_flags = u;
1201
1202        as->urb->transfer_buffer_length = uurb->buffer_length;
1203        as->urb->setup_packet = (unsigned char *)dr;
1204        as->urb->start_frame = uurb->start_frame;
1205        as->urb->number_of_packets = uurb->number_of_packets;
1206        if (uurb->type == USBDEVFS_URB_TYPE_ISO ||
1207                        ps->dev->speed == USB_SPEED_HIGH)
1208                as->urb->interval = 1 << min(15, ep->desc.bInterval - 1);
1209        else
1210                as->urb->interval = ep->desc.bInterval;
1211        as->urb->context = as;
1212        as->urb->complete = async_completed;
1213        for (totlen = u = 0; u < uurb->number_of_packets; u++) {
1214                as->urb->iso_frame_desc[u].offset = totlen;
1215                as->urb->iso_frame_desc[u].length = isopkt[u].length;
1216                totlen += isopkt[u].length;
1217        }
1218        kfree(isopkt);
1219        as->ps = ps;
1220        as->userurb = arg;
1221        if (is_in && uurb->buffer_length > 0)
1222                as->userbuffer = uurb->buffer;
1223        else
1224                as->userbuffer = NULL;
1225        as->signr = uurb->signr;
1226        as->ifnum = ifnum;
1227        as->pid = get_pid(task_pid(current));
1228        as->uid = cred->uid;
1229        as->euid = cred->euid;
1230        security_task_getsecid(current, &as->secid);
1231        if (!is_in && uurb->buffer_length > 0) {
1232                if (copy_from_user(as->urb->transfer_buffer, uurb->buffer,
1233                                uurb->buffer_length)) {
1234                        free_async(as);
1235                        return -EFAULT;
1236                }
1237        }
1238        snoop_urb(ps->dev, as->userurb, as->urb->pipe,
1239                        as->urb->transfer_buffer_length, 0, SUBMIT);
1240        async_newpending(as);
1241
1242        if (usb_endpoint_xfer_bulk(&ep->desc)) {
1243                spin_lock_irq(&ps->lock);
1244
1245                /* Not exactly the endpoint address; the direction bit is
1246                 * shifted to the 0x10 position so that the value will be
1247                 * between 0 and 31.
1248                 */
1249                as->bulk_addr = usb_endpoint_num(&ep->desc) |
1250                        ((ep->desc.bEndpointAddress & USB_ENDPOINT_DIR_MASK)
1251                                >> 3);
1252
1253                /* If this bulk URB is the start of a new transfer, re-enable
1254                 * the endpoint.  Otherwise mark it as a continuation URB.
1255                 */
1256                if (uurb->flags & USBDEVFS_URB_BULK_CONTINUATION)
1257                        as->bulk_status = AS_CONTINUATION;
1258                else
1259                        ps->disabled_bulk_eps &= ~(1 << as->bulk_addr);
1260
1261                /* Don't accept continuation URBs if the endpoint is
1262                 * disabled because of an earlier error.
1263                 */
1264                if (ps->disabled_bulk_eps & (1 << as->bulk_addr))
1265                        ret = -EREMOTEIO;
1266                else
1267                        ret = usb_submit_urb(as->urb, GFP_ATOMIC);
1268                spin_unlock_irq(&ps->lock);
1269        } else {
1270                ret = usb_submit_urb(as->urb, GFP_KERNEL);
1271        }
1272
1273        if (ret) {
1274                dev_printk(KERN_DEBUG, &ps->dev->dev,
1275                           "usbfs: usb_submit_urb returned %d\n", ret);
1276                snoop_urb(ps->dev, as->userurb, as->urb->pipe,
1277                                0, ret, COMPLETE);
1278                async_removepending(as);
1279                free_async(as);
1280                return ret;
1281        }
1282        return 0;
1283}
1284
1285static int proc_submiturb(struct dev_state *ps, void __user *arg)
1286{
1287        struct usbdevfs_urb uurb;
1288
1289        if (copy_from_user(&uurb, arg, sizeof(uurb)))
1290                return -EFAULT;
1291
1292        return proc_do_submiturb(ps, &uurb,
1293                        (((struct usbdevfs_urb __user *)arg)->iso_frame_desc),
1294                        arg);
1295}
1296
1297static int proc_unlinkurb(struct dev_state *ps, void __user *arg)
1298{
1299        struct async *as;
1300
1301        as = async_getpending(ps, arg);
1302        if (!as)
1303                return -EINVAL;
1304        usb_kill_urb(as->urb);
1305        return 0;
1306}
1307
1308static int processcompl(struct async *as, void __user * __user *arg)
1309{
1310        struct urb *urb = as->urb;
1311        struct usbdevfs_urb __user *userurb = as->userurb;
1312        void __user *addr = as->userurb;
1313        unsigned int i;
1314
1315        if (as->userbuffer)
1316                if (copy_to_user(as->userbuffer, urb->transfer_buffer,
1317                                 urb->transfer_buffer_length))
1318                        goto err_out;
1319        if (put_user(as->status, &userurb->status))
1320                goto err_out;
1321        if (put_user(urb->actual_length, &userurb->actual_length))
1322                goto err_out;
1323        if (put_user(urb->error_count, &userurb->error_count))
1324                goto err_out;
1325
1326        if (usb_endpoint_xfer_isoc(&urb->ep->desc)) {
1327                for (i = 0; i < urb->number_of_packets; i++) {
1328                        if (put_user(urb->iso_frame_desc[i].actual_length,
1329                                     &userurb->iso_frame_desc[i].actual_length))
1330                                goto err_out;
1331                        if (put_user(urb->iso_frame_desc[i].status,
1332                                     &userurb->iso_frame_desc[i].status))
1333                                goto err_out;
1334                }
1335        }
1336
1337        free_async(as);
1338
1339        if (put_user(addr, (void __user * __user *)arg))
1340                return -EFAULT;
1341        return 0;
1342
1343err_out:
1344        free_async(as);
1345        return -EFAULT;
1346}
1347
1348static struct async *reap_as(struct dev_state *ps)
1349{
1350        DECLARE_WAITQUEUE(wait, current);
1351        struct async *as = NULL;
1352        struct usb_device *dev = ps->dev;
1353
1354        add_wait_queue(&ps->wait, &wait);
1355        for (;;) {
1356                __set_current_state(TASK_INTERRUPTIBLE);
1357                as = async_getcompleted(ps);
1358                if (as)
1359                        break;
1360                if (signal_pending(current))
1361                        break;
1362                usb_unlock_device(dev);
1363                schedule();
1364                usb_lock_device(dev);
1365        }
1366        remove_wait_queue(&ps->wait, &wait);
1367        set_current_state(TASK_RUNNING);
1368        return as;
1369}
1370
1371static int proc_reapurb(struct dev_state *ps, void __user *arg)
1372{
1373        struct async *as = reap_as(ps);
1374        if (as)
1375                return processcompl(as, (void __user * __user *)arg);
1376        if (signal_pending(current))
1377                return -EINTR;
1378        return -EIO;
1379}
1380
1381static int proc_reapurbnonblock(struct dev_state *ps, void __user *arg)
1382{
1383        struct async *as;
1384
1385        if (!(as = async_getcompleted(ps)))
1386                return -EAGAIN;
1387        return processcompl(as, (void __user * __user *)arg);
1388}
1389
1390#ifdef CONFIG_COMPAT
1391
1392static int get_urb32(struct usbdevfs_urb *kurb,
1393                     struct usbdevfs_urb32 __user *uurb)
1394{
1395        __u32  uptr;
1396        if (!access_ok(VERIFY_READ, uurb, sizeof(*uurb)) ||
1397            __get_user(kurb->type, &uurb->type) ||
1398            __get_user(kurb->endpoint, &uurb->endpoint) ||
1399            __get_user(kurb->status, &uurb->status) ||
1400            __get_user(kurb->flags, &uurb->flags) ||
1401            __get_user(kurb->buffer_length, &uurb->buffer_length) ||
1402            __get_user(kurb->actual_length, &uurb->actual_length) ||
1403            __get_user(kurb->start_frame, &uurb->start_frame) ||
1404            __get_user(kurb->number_of_packets, &uurb->number_of_packets) ||
1405            __get_user(kurb->error_count, &uurb->error_count) ||
1406            __get_user(kurb->signr, &uurb->signr))
1407                return -EFAULT;
1408
1409        if (__get_user(uptr, &uurb->buffer))
1410                return -EFAULT;
1411        kurb->buffer = compat_ptr(uptr);
1412        if (__get_user(uptr, &uurb->usercontext))
1413                return -EFAULT;
1414        kurb->usercontext = compat_ptr(uptr);
1415
1416        return 0;
1417}
1418
1419static int proc_submiturb_compat(struct dev_state *ps, void __user *arg)
1420{
1421        struct usbdevfs_urb uurb;
1422
1423        if (get_urb32(&uurb, (struct usbdevfs_urb32 __user *)arg))
1424                return -EFAULT;
1425
1426        return proc_do_submiturb(ps, &uurb,
1427                        ((struct usbdevfs_urb32 __user *)arg)->iso_frame_desc,
1428                        arg);
1429}
1430
1431static int processcompl_compat(struct async *as, void __user * __user *arg)
1432{
1433        struct urb *urb = as->urb;
1434        struct usbdevfs_urb32 __user *userurb = as->userurb;
1435        void __user *addr = as->userurb;
1436        unsigned int i;
1437
1438        if (as->userbuffer)
1439                if (copy_to_user(as->userbuffer, urb->transfer_buffer,
1440                                 urb->transfer_buffer_length))
1441                        return -EFAULT;
1442        if (put_user(as->status, &userurb->status))
1443                return -EFAULT;
1444        if (put_user(urb->actual_length, &userurb->actual_length))
1445                return -EFAULT;
1446        if (put_user(urb->error_count, &userurb->error_count))
1447                return -EFAULT;
1448
1449        if (usb_endpoint_xfer_isoc(&urb->ep->desc)) {
1450                for (i = 0; i < urb->number_of_packets; i++) {
1451                        if (put_user(urb->iso_frame_desc[i].actual_length,
1452                                     &userurb->iso_frame_desc[i].actual_length))
1453                                return -EFAULT;
1454                        if (put_user(urb->iso_frame_desc[i].status,
1455                                     &userurb->iso_frame_desc[i].status))
1456                                return -EFAULT;
1457                }
1458        }
1459
1460        free_async(as);
1461        if (put_user(ptr_to_compat(addr), (u32 __user *)arg))
1462                return -EFAULT;
1463        return 0;
1464}
1465
1466static int proc_reapurb_compat(struct dev_state *ps, void __user *arg)
1467{
1468        struct async *as = reap_as(ps);
1469        if (as)
1470                return processcompl_compat(as, (void __user * __user *)arg);
1471        if (signal_pending(current))
1472                return -EINTR;
1473        return -EIO;
1474}
1475
1476static int proc_reapurbnonblock_compat(struct dev_state *ps, void __user *arg)
1477{
1478        struct async *as;
1479
1480        if (!(as = async_getcompleted(ps)))
1481                return -EAGAIN;
1482        return processcompl_compat(as, (void __user * __user *)arg);
1483}
1484
1485#endif
1486
1487static int proc_disconnectsignal(struct dev_state *ps, void __user *arg)
1488{
1489        struct usbdevfs_disconnectsignal ds;
1490
1491        if (copy_from_user(&ds, arg, sizeof(ds)))
1492                return -EFAULT;
1493        ps->discsignr = ds.signr;
1494        ps->disccontext = ds.context;
1495        return 0;
1496}
1497
1498static int proc_claiminterface(struct dev_state *ps, void __user *arg)
1499{
1500        unsigned int ifnum;
1501
1502        if (get_user(ifnum, (unsigned int __user *)arg))
1503                return -EFAULT;
1504        return claimintf(ps, ifnum);
1505}
1506
1507static int proc_releaseinterface(struct dev_state *ps, void __user *arg)
1508{
1509        unsigned int ifnum;
1510        int ret;
1511
1512        if (get_user(ifnum, (unsigned int __user *)arg))
1513                return -EFAULT;
1514        if ((ret = releaseintf(ps, ifnum)) < 0)
1515                return ret;
1516        destroy_async_on_interface (ps, ifnum);
1517        return 0;
1518}
1519
1520static int proc_ioctl(struct dev_state *ps, struct usbdevfs_ioctl *ctl)
1521{
1522        int                     size;
1523        void                    *buf = NULL;
1524        int                     retval = 0;
1525        struct usb_interface    *intf = NULL;
1526        struct usb_driver       *driver = NULL;
1527
1528        /* alloc buffer */
1529        if ((size = _IOC_SIZE(ctl->ioctl_code)) > 0) {
1530                if ((buf = kmalloc(size, GFP_KERNEL)) == NULL)
1531                        return -ENOMEM;
1532                if ((_IOC_DIR(ctl->ioctl_code) & _IOC_WRITE)) {
1533                        if (copy_from_user(buf, ctl->data, size)) {
1534                                kfree(buf);
1535                                return -EFAULT;
1536                        }
1537                } else {
1538                        memset(buf, 0, size);
1539                }
1540        }
1541
1542        if (!connected(ps)) {
1543                kfree(buf);
1544                return -ENODEV;
1545        }
1546
1547        if (ps->dev->state != USB_STATE_CONFIGURED)
1548                retval = -EHOSTUNREACH;
1549        else if (!(intf = usb_ifnum_to_if(ps->dev, ctl->ifno)))
1550                retval = -EINVAL;
1551        else switch (ctl->ioctl_code) {
1552
1553        /* disconnect kernel driver from interface */
1554        case USBDEVFS_DISCONNECT:
1555                if (intf->dev.driver) {
1556                        driver = to_usb_driver(intf->dev.driver);
1557                        dev_dbg(&intf->dev, "disconnect by usbfs\n");
1558                        usb_driver_release_interface(driver, intf);
1559                } else
1560                        retval = -ENODATA;
1561                break;
1562
1563        /* let kernel drivers try to (re)bind to the interface */
1564        case USBDEVFS_CONNECT:
1565                if (!intf->dev.driver)
1566                        retval = device_attach(&intf->dev);
1567                else
1568                        retval = -EBUSY;
1569                break;
1570
1571        /* talk directly to the interface's driver */
1572        default:
1573                if (intf->dev.driver)
1574                        driver = to_usb_driver(intf->dev.driver);
1575                if (driver == NULL || driver->ioctl == NULL) {
1576                        retval = -ENOTTY;
1577                } else {
1578                        retval = driver->ioctl(intf, ctl->ioctl_code, buf);
1579                        if (retval == -ENOIOCTLCMD)
1580                                retval = -ENOTTY;
1581                }
1582        }
1583
1584        /* cleanup and return */
1585        if (retval >= 0
1586                        && (_IOC_DIR(ctl->ioctl_code) & _IOC_READ) != 0
1587                        && size > 0
1588                        && copy_to_user(ctl->data, buf, size) != 0)
1589                retval = -EFAULT;
1590
1591        kfree(buf);
1592        return retval;
1593}
1594
1595static int proc_ioctl_default(struct dev_state *ps, void __user *arg)
1596{
1597        struct usbdevfs_ioctl   ctrl;
1598
1599        if (copy_from_user(&ctrl, arg, sizeof(ctrl)))
1600                return -EFAULT;
1601        return proc_ioctl(ps, &ctrl);
1602}
1603
1604#ifdef CONFIG_COMPAT
1605static int proc_ioctl_compat(struct dev_state *ps, compat_uptr_t arg)
1606{
1607        struct usbdevfs_ioctl32 __user *uioc;
1608        struct usbdevfs_ioctl ctrl;
1609        u32 udata;
1610
1611        uioc = compat_ptr((long)arg);
1612        if (!access_ok(VERIFY_READ, uioc, sizeof(*uioc)) ||
1613            __get_user(ctrl.ifno, &uioc->ifno) ||
1614            __get_user(ctrl.ioctl_code, &uioc->ioctl_code) ||
1615            __get_user(udata, &uioc->data))
1616                return -EFAULT;
1617        ctrl.data = compat_ptr(udata);
1618
1619        return proc_ioctl(ps, &ctrl);
1620}
1621#endif
1622
1623static int proc_claim_port(struct dev_state *ps, void __user *arg)
1624{
1625        unsigned portnum;
1626        int rc;
1627
1628        if (get_user(portnum, (unsigned __user *) arg))
1629                return -EFAULT;
1630        rc = usb_hub_claim_port(ps->dev, portnum, ps);
1631        if (rc == 0)
1632                snoop(&ps->dev->dev, "port %d claimed by process %d: %s\n",
1633                        portnum, task_pid_nr(current), current->comm);
1634        return rc;
1635}
1636
1637static int proc_release_port(struct dev_state *ps, void __user *arg)
1638{
1639        unsigned portnum;
1640
1641        if (get_user(portnum, (unsigned __user *) arg))
1642                return -EFAULT;
1643        return usb_hub_release_port(ps->dev, portnum, ps);
1644}
1645
1646/*
1647 * NOTE:  All requests here that have interface numbers as parameters
1648 * are assuming that somehow the configuration has been prevented from
1649 * changing.  But there's no mechanism to ensure that...
1650 */
1651static int usbdev_ioctl(struct inode *inode, struct file *file,
1652                        unsigned int cmd, unsigned long arg)
1653{
1654        struct dev_state *ps = file->private_data;
1655        struct usb_device *dev = ps->dev;
1656        void __user *p = (void __user *)arg;
1657        int ret = -ENOTTY;
1658
1659        if (!(file->f_mode & FMODE_WRITE))
1660                return -EPERM;
1661        usb_lock_device(dev);
1662        if (!connected(ps)) {
1663                usb_unlock_device(dev);
1664                return -ENODEV;
1665        }
1666
1667        switch (cmd) {
1668        case USBDEVFS_CONTROL:
1669                snoop(&dev->dev, "%s: CONTROL\n", __func__);
1670                ret = proc_control(ps, p);
1671                if (ret >= 0)
1672                        inode->i_mtime = CURRENT_TIME;
1673                break;
1674
1675        case USBDEVFS_BULK:
1676                snoop(&dev->dev, "%s: BULK\n", __func__);
1677                ret = proc_bulk(ps, p);
1678                if (ret >= 0)
1679                        inode->i_mtime = CURRENT_TIME;
1680                break;
1681
1682        case USBDEVFS_RESETEP:
1683                snoop(&dev->dev, "%s: RESETEP\n", __func__);
1684                ret = proc_resetep(ps, p);
1685                if (ret >= 0)
1686                        inode->i_mtime = CURRENT_TIME;
1687                break;
1688
1689        case USBDEVFS_RESET:
1690                snoop(&dev->dev, "%s: RESET\n", __func__);
1691                ret = proc_resetdevice(ps);
1692                break;
1693
1694        case USBDEVFS_CLEAR_HALT:
1695                snoop(&dev->dev, "%s: CLEAR_HALT\n", __func__);
1696                ret = proc_clearhalt(ps, p);
1697                if (ret >= 0)
1698                        inode->i_mtime = CURRENT_TIME;
1699                break;
1700
1701        case USBDEVFS_GETDRIVER:
1702                snoop(&dev->dev, "%s: GETDRIVER\n", __func__);
1703                ret = proc_getdriver(ps, p);
1704                break;
1705
1706        case USBDEVFS_CONNECTINFO:
1707                snoop(&dev->dev, "%s: CONNECTINFO\n", __func__);
1708                ret = proc_connectinfo(ps, p);
1709                break;
1710
1711        case USBDEVFS_SETINTERFACE:
1712                snoop(&dev->dev, "%s: SETINTERFACE\n", __func__);
1713                ret = proc_setintf(ps, p);
1714                break;
1715
1716        case USBDEVFS_SETCONFIGURATION:
1717                snoop(&dev->dev, "%s: SETCONFIGURATION\n", __func__);
1718                ret = proc_setconfig(ps, p);
1719                break;
1720
1721        case USBDEVFS_SUBMITURB:
1722                snoop(&dev->dev, "%s: SUBMITURB\n", __func__);
1723                ret = proc_submiturb(ps, p);
1724                if (ret >= 0)
1725                        inode->i_mtime = CURRENT_TIME;
1726                break;
1727
1728#ifdef CONFIG_COMPAT
1729
1730        case USBDEVFS_SUBMITURB32:
1731                snoop(&dev->dev, "%s: SUBMITURB32\n", __func__);
1732                ret = proc_submiturb_compat(ps, p);
1733                if (ret >= 0)
1734                        inode->i_mtime = CURRENT_TIME;
1735                break;
1736
1737        case USBDEVFS_REAPURB32:
1738                snoop(&dev->dev, "%s: REAPURB32\n", __func__);
1739                ret = proc_reapurb_compat(ps, p);
1740                break;
1741
1742        case USBDEVFS_REAPURBNDELAY32:
1743                snoop(&dev->dev, "%s: REAPURBNDELAY32\n", __func__);
1744                ret = proc_reapurbnonblock_compat(ps, p);
1745                break;
1746
1747        case USBDEVFS_IOCTL32:
1748                snoop(&dev->dev, "%s: IOCTL\n", __func__);
1749                ret = proc_ioctl_compat(ps, ptr_to_compat(p));
1750                break;
1751#endif
1752
1753        case USBDEVFS_DISCARDURB:
1754                snoop(&dev->dev, "%s: DISCARDURB\n", __func__);
1755                ret = proc_unlinkurb(ps, p);
1756                break;
1757
1758        case USBDEVFS_REAPURB:
1759                snoop(&dev->dev, "%s: REAPURB\n", __func__);
1760                ret = proc_reapurb(ps, p);
1761                break;
1762
1763        case USBDEVFS_REAPURBNDELAY:
1764                snoop(&dev->dev, "%s: REAPURBNDELAY\n", __func__);
1765                ret = proc_reapurbnonblock(ps, p);
1766                break;
1767
1768        case USBDEVFS_DISCSIGNAL:
1769                snoop(&dev->dev, "%s: DISCSIGNAL\n", __func__);
1770                ret = proc_disconnectsignal(ps, p);
1771                break;
1772
1773        case USBDEVFS_CLAIMINTERFACE:
1774                snoop(&dev->dev, "%s: CLAIMINTERFACE\n", __func__);
1775                ret = proc_claiminterface(ps, p);
1776                break;
1777
1778        case USBDEVFS_RELEASEINTERFACE:
1779                snoop(&dev->dev, "%s: RELEASEINTERFACE\n", __func__);
1780                ret = proc_releaseinterface(ps, p);
1781                break;
1782
1783        case USBDEVFS_IOCTL:
1784                snoop(&dev->dev, "%s: IOCTL\n", __func__);
1785                ret = proc_ioctl_default(ps, p);
1786                break;
1787
1788        case USBDEVFS_CLAIM_PORT:
1789                snoop(&dev->dev, "%s: CLAIM_PORT\n", __func__);
1790                ret = proc_claim_port(ps, p);
1791                break;
1792
1793        case USBDEVFS_RELEASE_PORT:
1794                snoop(&dev->dev, "%s: RELEASE_PORT\n", __func__);
1795                ret = proc_release_port(ps, p);
1796                break;
1797        }
1798        usb_unlock_device(dev);
1799        if (ret >= 0)
1800                inode->i_atime = CURRENT_TIME;
1801        return ret;
1802}
1803
1804/* No kernel lock - fine */
1805static unsigned int usbdev_poll(struct file *file,
1806                                struct poll_table_struct *wait)
1807{
1808        struct dev_state *ps = file->private_data;
1809        unsigned int mask = 0;
1810
1811        poll_wait(file, &ps->wait, wait);
1812        if (file->f_mode & FMODE_WRITE && !list_empty(&ps->async_completed))
1813                mask |= POLLOUT | POLLWRNORM;
1814        if (!connected(ps))
1815                mask |= POLLERR | POLLHUP;
1816        return mask;
1817}
1818
1819const struct file_operations usbdev_file_operations = {
1820        .owner =        THIS_MODULE,
1821        .llseek =       usbdev_lseek,
1822        .read =         usbdev_read,
1823        .poll =         usbdev_poll,
1824        .ioctl =        usbdev_ioctl,
1825        .open =         usbdev_open,
1826        .release =      usbdev_release,
1827};
1828
1829static void usbdev_remove(struct usb_device *udev)
1830{
1831        struct dev_state *ps;
1832        struct siginfo sinfo;
1833
1834        while (!list_empty(&udev->filelist)) {
1835                ps = list_entry(udev->filelist.next, struct dev_state, list);
1836                destroy_all_async(ps);
1837                wake_up_all(&ps->wait);
1838                list_del_init(&ps->list);
1839                if (ps->discsignr) {
1840                        sinfo.si_signo = ps->discsignr;
1841                        sinfo.si_errno = EPIPE;
1842                        sinfo.si_code = SI_ASYNCIO;
1843                        sinfo.si_addr = ps->disccontext;
1844                        kill_pid_info_as_uid(ps->discsignr, &sinfo,
1845                                        ps->disc_pid, ps->disc_uid,
1846                                        ps->disc_euid, ps->secid);
1847                }
1848        }
1849}
1850
1851#ifdef CONFIG_USB_DEVICE_CLASS
1852static struct class *usb_classdev_class;
1853
1854static int usb_classdev_add(struct usb_device *dev)
1855{
1856        struct device *cldev;
1857
1858        cldev = device_create(usb_classdev_class, &dev->dev, dev->dev.devt,
1859                              NULL, "usbdev%d.%d", dev->bus->busnum,
1860                              dev->devnum);
1861        if (IS_ERR(cldev))
1862                return PTR_ERR(cldev);
1863        dev->usb_classdev = cldev;
1864        return 0;
1865}
1866
1867static void usb_classdev_remove(struct usb_device *dev)
1868{
1869        if (dev->usb_classdev)
1870                device_unregister(dev->usb_classdev);
1871}
1872
1873#else
1874#define usb_classdev_add(dev)           0
1875#define usb_classdev_remove(dev)        do {} while (0)
1876
1877#endif
1878
1879static int usbdev_notify(struct notifier_block *self,
1880                               unsigned long action, void *dev)
1881{
1882        switch (action) {
1883        case USB_DEVICE_ADD:
1884                if (usb_classdev_add(dev))
1885                        return NOTIFY_BAD;
1886                break;
1887        case USB_DEVICE_REMOVE:
1888                usb_classdev_remove(dev);
1889                usbdev_remove(dev);
1890                break;
1891        }
1892        return NOTIFY_OK;
1893}
1894
1895static struct notifier_block usbdev_nb = {
1896        .notifier_call =        usbdev_notify,
1897};
1898
1899static struct cdev usb_device_cdev;
1900
1901int __init usb_devio_init(void)
1902{
1903        int retval;
1904
1905        retval = register_chrdev_region(USB_DEVICE_DEV, USB_DEVICE_MAX,
1906                                        "usb_device");
1907        if (retval) {
1908                printk(KERN_ERR "Unable to register minors for usb_device\n");
1909                goto out;
1910        }
1911        cdev_init(&usb_device_cdev, &usbdev_file_operations);
1912        retval = cdev_add(&usb_device_cdev, USB_DEVICE_DEV, USB_DEVICE_MAX);
1913        if (retval) {
1914                printk(KERN_ERR "Unable to get usb_device major %d\n",
1915                       USB_DEVICE_MAJOR);
1916                goto error_cdev;
1917        }
1918#ifdef CONFIG_USB_DEVICE_CLASS
1919        usb_classdev_class = class_create(THIS_MODULE, "usb_device");
1920        if (IS_ERR(usb_classdev_class)) {
1921                printk(KERN_ERR "Unable to register usb_device class\n");
1922                retval = PTR_ERR(usb_classdev_class);
1923                cdev_del(&usb_device_cdev);
1924                usb_classdev_class = NULL;
1925                goto out;
1926        }
1927        /* devices of this class shadow the major:minor of their parent
1928         * device, so clear ->dev_kobj to prevent adding duplicate entries
1929         * to /sys/dev
1930         */
1931        usb_classdev_class->dev_kobj = NULL;
1932#endif
1933        usb_register_notify(&usbdev_nb);
1934out:
1935        return retval;
1936
1937error_cdev:
1938        unregister_chrdev_region(USB_DEVICE_DEV, USB_DEVICE_MAX);
1939        goto out;
1940}
1941
1942void usb_devio_cleanup(void)
1943{
1944        usb_unregister_notify(&usbdev_nb);
1945#ifdef CONFIG_USB_DEVICE_CLASS
1946        class_destroy(usb_classdev_class);
1947#endif
1948        cdev_del(&usb_device_cdev);
1949        unregister_chrdev_region(USB_DEVICE_DEV, USB_DEVICE_MAX);
1950}
1951