1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24#include <linux/fs.h>
25#include <linux/mm.h>
26#include <linux/sched/signal.h>
27#include <linux/slab.h>
28#include <linux/signal.h>
29#include <linux/poll.h>
30#include <linux/module.h>
31#include <linux/string.h>
32#include <linux/usb.h>
33#include <linux/usbdevice_fs.h>
34#include <linux/usb/hcd.h>
35#include <linux/cdev.h>
36#include <linux/notifier.h>
37#include <linux/security.h>
38#include <linux/user_namespace.h>
39#include <linux/scatterlist.h>
40#include <linux/uaccess.h>
41#include <linux/dma-mapping.h>
42#include <asm/byteorder.h>
43#include <linux/moduleparam.h>
44
45#include "usb.h"
46
47#define USB_MAXBUS 64
48#define USB_DEVICE_MAX (USB_MAXBUS * 128)
49#define USB_SG_SIZE 16384
50
51
52DEFINE_MUTEX(usbfs_mutex);
53
54struct usb_dev_state {
55 struct list_head list;
56 struct usb_device *dev;
57 struct file *file;
58 spinlock_t lock;
59 struct list_head async_pending;
60 struct list_head async_completed;
61 struct list_head memory_list;
62 wait_queue_head_t wait;
63 unsigned int discsignr;
64 struct pid *disc_pid;
65 const struct cred *cred;
66 void __user *disccontext;
67 unsigned long ifclaimed;
68 u32 disabled_bulk_eps;
69 bool privileges_dropped;
70 unsigned long interface_allowed_mask;
71};
72
73struct usb_memory {
74 struct list_head memlist;
75 int vma_use_count;
76 int urb_use_count;
77 u32 size;
78 void *mem;
79 dma_addr_t dma_handle;
80 unsigned long vm_start;
81 struct usb_dev_state *ps;
82};
83
84struct async {
85 struct list_head asynclist;
86 struct usb_dev_state *ps;
87 struct pid *pid;
88 const struct cred *cred;
89 unsigned int signr;
90 unsigned int ifnum;
91 void __user *userbuffer;
92 void __user *userurb;
93 struct urb *urb;
94 struct usb_memory *usbm;
95 unsigned int mem_usage;
96 int status;
97 u8 bulk_addr;
98 u8 bulk_status;
99};
100
101static bool usbfs_snoop;
102module_param(usbfs_snoop, bool, S_IRUGO | S_IWUSR);
103MODULE_PARM_DESC(usbfs_snoop, "true to log all usbfs traffic");
104
105static unsigned usbfs_snoop_max = 65536;
106module_param(usbfs_snoop_max, uint, S_IRUGO | S_IWUSR);
107MODULE_PARM_DESC(usbfs_snoop_max,
108 "maximum number of bytes to print while snooping");
109
110#define snoop(dev, format, arg...) \
111 do { \
112 if (usbfs_snoop) \
113 dev_info(dev, format, ## arg); \
114 } while (0)
115
116enum snoop_when {
117 SUBMIT, COMPLETE
118};
119
120#define USB_DEVICE_DEV MKDEV(USB_DEVICE_MAJOR, 0)
121
122
123static u32 usbfs_memory_mb = 16;
124module_param(usbfs_memory_mb, uint, 0644);
125MODULE_PARM_DESC(usbfs_memory_mb,
126 "maximum MB allowed for usbfs buffers (0 = no limit)");
127
128
129#define USBFS_XFER_MAX (UINT_MAX / 2 - 1000000)
130
131static atomic64_t usbfs_memory_usage;
132
133
134static int usbfs_increase_memory_usage(u64 amount)
135{
136 u64 lim;
137
138 lim = READ_ONCE(usbfs_memory_mb);
139 lim <<= 20;
140
141 atomic64_add(amount, &usbfs_memory_usage);
142
143 if (lim > 0 && atomic64_read(&usbfs_memory_usage) > lim) {
144 atomic64_sub(amount, &usbfs_memory_usage);
145 return -ENOMEM;
146 }
147
148 return 0;
149}
150
151
152static void usbfs_decrease_memory_usage(u64 amount)
153{
154 atomic64_sub(amount, &usbfs_memory_usage);
155}
156
157static int connected(struct usb_dev_state *ps)
158{
159 return (!list_empty(&ps->list) &&
160 ps->dev->state != USB_STATE_NOTATTACHED);
161}
162
163static void dec_usb_memory_use_count(struct usb_memory *usbm, int *count)
164{
165 struct usb_dev_state *ps = usbm->ps;
166 unsigned long flags;
167
168 spin_lock_irqsave(&ps->lock, flags);
169 --*count;
170 if (usbm->urb_use_count == 0 && usbm->vma_use_count == 0) {
171 list_del(&usbm->memlist);
172 spin_unlock_irqrestore(&ps->lock, flags);
173
174 usb_free_coherent(ps->dev, usbm->size, usbm->mem,
175 usbm->dma_handle);
176 usbfs_decrease_memory_usage(
177 usbm->size + sizeof(struct usb_memory));
178 kfree(usbm);
179 } else {
180 spin_unlock_irqrestore(&ps->lock, flags);
181 }
182}
183
184static void usbdev_vm_open(struct vm_area_struct *vma)
185{
186 struct usb_memory *usbm = vma->vm_private_data;
187 unsigned long flags;
188
189 spin_lock_irqsave(&usbm->ps->lock, flags);
190 ++usbm->vma_use_count;
191 spin_unlock_irqrestore(&usbm->ps->lock, flags);
192}
193
194static void usbdev_vm_close(struct vm_area_struct *vma)
195{
196 struct usb_memory *usbm = vma->vm_private_data;
197
198 dec_usb_memory_use_count(usbm, &usbm->vma_use_count);
199}
200
201static const struct vm_operations_struct usbdev_vm_ops = {
202 .open = usbdev_vm_open,
203 .close = usbdev_vm_close
204};
205
206static int usbdev_mmap(struct file *file, struct vm_area_struct *vma)
207{
208 struct usb_memory *usbm = NULL;
209 struct usb_dev_state *ps = file->private_data;
210 size_t size = vma->vm_end - vma->vm_start;
211 void *mem;
212 unsigned long flags;
213 dma_addr_t dma_handle;
214 int ret;
215
216 ret = usbfs_increase_memory_usage(size + sizeof(struct usb_memory));
217 if (ret)
218 goto error;
219
220 usbm = kzalloc(sizeof(struct usb_memory), GFP_KERNEL);
221 if (!usbm) {
222 ret = -ENOMEM;
223 goto error_decrease_mem;
224 }
225
226 mem = usb_alloc_coherent(ps->dev, size, GFP_USER | __GFP_NOWARN,
227 &dma_handle);
228 if (!mem) {
229 ret = -ENOMEM;
230 goto error_free_usbm;
231 }
232
233 memset(mem, 0, size);
234
235 usbm->mem = mem;
236 usbm->dma_handle = dma_handle;
237 usbm->size = size;
238 usbm->ps = ps;
239 usbm->vm_start = vma->vm_start;
240 usbm->vma_use_count = 1;
241 INIT_LIST_HEAD(&usbm->memlist);
242
243 if (remap_pfn_range(vma, vma->vm_start,
244 virt_to_phys(usbm->mem) >> PAGE_SHIFT,
245 size, vma->vm_page_prot) < 0) {
246 dec_usb_memory_use_count(usbm, &usbm->vma_use_count);
247 return -EAGAIN;
248 }
249
250 vma->vm_flags |= VM_IO;
251 vma->vm_flags |= (VM_DONTEXPAND | VM_DONTDUMP);
252 vma->vm_ops = &usbdev_vm_ops;
253 vma->vm_private_data = usbm;
254
255 spin_lock_irqsave(&ps->lock, flags);
256 list_add_tail(&usbm->memlist, &ps->memory_list);
257 spin_unlock_irqrestore(&ps->lock, flags);
258
259 return 0;
260
261error_free_usbm:
262 kfree(usbm);
263error_decrease_mem:
264 usbfs_decrease_memory_usage(size + sizeof(struct usb_memory));
265error:
266 return ret;
267}
268
269static ssize_t usbdev_read(struct file *file, char __user *buf, size_t nbytes,
270 loff_t *ppos)
271{
272 struct usb_dev_state *ps = file->private_data;
273 struct usb_device *dev = ps->dev;
274 ssize_t ret = 0;
275 unsigned len;
276 loff_t pos;
277 int i;
278
279 pos = *ppos;
280 usb_lock_device(dev);
281 if (!connected(ps)) {
282 ret = -ENODEV;
283 goto err;
284 } else if (pos < 0) {
285 ret = -EINVAL;
286 goto err;
287 }
288
289 if (pos < sizeof(struct usb_device_descriptor)) {
290
291 struct usb_device_descriptor temp_desc;
292
293 memcpy(&temp_desc, &dev->descriptor, sizeof(dev->descriptor));
294 le16_to_cpus(&temp_desc.bcdUSB);
295 le16_to_cpus(&temp_desc.idVendor);
296 le16_to_cpus(&temp_desc.idProduct);
297 le16_to_cpus(&temp_desc.bcdDevice);
298
299 len = sizeof(struct usb_device_descriptor) - pos;
300 if (len > nbytes)
301 len = nbytes;
302 if (copy_to_user(buf, ((char *)&temp_desc) + pos, len)) {
303 ret = -EFAULT;
304 goto err;
305 }
306
307 *ppos += len;
308 buf += len;
309 nbytes -= len;
310 ret += len;
311 }
312
313 pos = sizeof(struct usb_device_descriptor);
314 for (i = 0; nbytes && i < dev->descriptor.bNumConfigurations; i++) {
315 struct usb_config_descriptor *config =
316 (struct usb_config_descriptor *)dev->rawdescriptors[i];
317 unsigned int length = le16_to_cpu(config->wTotalLength);
318
319 if (*ppos < pos + length) {
320
321
322
323 unsigned alloclen =
324 le16_to_cpu(dev->config[i].desc.wTotalLength);
325
326 len = length - (*ppos - pos);
327 if (len > nbytes)
328 len = nbytes;
329
330
331 if (alloclen > (*ppos - pos)) {
332 alloclen -= (*ppos - pos);
333 if (copy_to_user(buf,
334 dev->rawdescriptors[i] + (*ppos - pos),
335 min(len, alloclen))) {
336 ret = -EFAULT;
337 goto err;
338 }
339 }
340
341 *ppos += len;
342 buf += len;
343 nbytes -= len;
344 ret += len;
345 }
346
347 pos += length;
348 }
349
350err:
351 usb_unlock_device(dev);
352 return ret;
353}
354
355
356
357
358
359static struct async *alloc_async(unsigned int numisoframes)
360{
361 struct async *as;
362
363 as = kzalloc(sizeof(struct async), GFP_KERNEL);
364 if (!as)
365 return NULL;
366 as->urb = usb_alloc_urb(numisoframes, GFP_KERNEL);
367 if (!as->urb) {
368 kfree(as);
369 return NULL;
370 }
371 return as;
372}
373
374static void free_async(struct async *as)
375{
376 int i;
377
378 put_pid(as->pid);
379 if (as->cred)
380 put_cred(as->cred);
381 for (i = 0; i < as->urb->num_sgs; i++) {
382 if (sg_page(&as->urb->sg[i]))
383 kfree(sg_virt(&as->urb->sg[i]));
384 }
385
386 kfree(as->urb->sg);
387 if (as->usbm == NULL)
388 kfree(as->urb->transfer_buffer);
389 else
390 dec_usb_memory_use_count(as->usbm, &as->usbm->urb_use_count);
391
392 kfree(as->urb->setup_packet);
393 usb_free_urb(as->urb);
394 usbfs_decrease_memory_usage(as->mem_usage);
395 kfree(as);
396}
397
398static void async_newpending(struct async *as)
399{
400 struct usb_dev_state *ps = as->ps;
401 unsigned long flags;
402
403 spin_lock_irqsave(&ps->lock, flags);
404 list_add_tail(&as->asynclist, &ps->async_pending);
405 spin_unlock_irqrestore(&ps->lock, flags);
406}
407
408static void async_removepending(struct async *as)
409{
410 struct usb_dev_state *ps = as->ps;
411 unsigned long flags;
412
413 spin_lock_irqsave(&ps->lock, flags);
414 list_del_init(&as->asynclist);
415 spin_unlock_irqrestore(&ps->lock, flags);
416}
417
418static struct async *async_getcompleted(struct usb_dev_state *ps)
419{
420 unsigned long flags;
421 struct async *as = NULL;
422
423 spin_lock_irqsave(&ps->lock, flags);
424 if (!list_empty(&ps->async_completed)) {
425 as = list_entry(ps->async_completed.next, struct async,
426 asynclist);
427 list_del_init(&as->asynclist);
428 }
429 spin_unlock_irqrestore(&ps->lock, flags);
430 return as;
431}
432
433static struct async *async_getpending(struct usb_dev_state *ps,
434 void __user *userurb)
435{
436 struct async *as;
437
438 list_for_each_entry(as, &ps->async_pending, asynclist)
439 if (as->userurb == userurb) {
440 list_del_init(&as->asynclist);
441 return as;
442 }
443
444 return NULL;
445}
446
447static void snoop_urb(struct usb_device *udev,
448 void __user *userurb, int pipe, unsigned length,
449 int timeout_or_status, enum snoop_when when,
450 unsigned char *data, unsigned data_len)
451{
452 static const char *types[] = {"isoc", "int", "ctrl", "bulk"};
453 static const char *dirs[] = {"out", "in"};
454 int ep;
455 const char *t, *d;
456
457 if (!usbfs_snoop)
458 return;
459
460 ep = usb_pipeendpoint(pipe);
461 t = types[usb_pipetype(pipe)];
462 d = dirs[!!usb_pipein(pipe)];
463
464 if (userurb) {
465 if (when == SUBMIT)
466 dev_info(&udev->dev, "userurb %pK, ep%d %s-%s, "
467 "length %u\n",
468 userurb, ep, t, d, length);
469 else
470 dev_info(&udev->dev, "userurb %pK, ep%d %s-%s, "
471 "actual_length %u status %d\n",
472 userurb, ep, t, d, length,
473 timeout_or_status);
474 } else {
475 if (when == SUBMIT)
476 dev_info(&udev->dev, "ep%d %s-%s, length %u, "
477 "timeout %d\n",
478 ep, t, d, length, timeout_or_status);
479 else
480 dev_info(&udev->dev, "ep%d %s-%s, actual_length %u, "
481 "status %d\n",
482 ep, t, d, length, timeout_or_status);
483 }
484
485 data_len = min(data_len, usbfs_snoop_max);
486 if (data && data_len > 0) {
487 print_hex_dump(KERN_DEBUG, "data: ", DUMP_PREFIX_NONE, 32, 1,
488 data, data_len, 1);
489 }
490}
491
492static void snoop_urb_data(struct urb *urb, unsigned len)
493{
494 int i, size;
495
496 len = min(len, usbfs_snoop_max);
497 if (!usbfs_snoop || len == 0)
498 return;
499
500 if (urb->num_sgs == 0) {
501 print_hex_dump(KERN_DEBUG, "data: ", DUMP_PREFIX_NONE, 32, 1,
502 urb->transfer_buffer, len, 1);
503 return;
504 }
505
506 for (i = 0; i < urb->num_sgs && len; i++) {
507 size = (len > USB_SG_SIZE) ? USB_SG_SIZE : len;
508 print_hex_dump(KERN_DEBUG, "data: ", DUMP_PREFIX_NONE, 32, 1,
509 sg_virt(&urb->sg[i]), size, 1);
510 len -= size;
511 }
512}
513
514static int copy_urb_data_to_user(u8 __user *userbuffer, struct urb *urb)
515{
516 unsigned i, len, size;
517
518 if (urb->number_of_packets > 0)
519 len = urb->transfer_buffer_length;
520 else
521 len = urb->actual_length;
522
523 if (urb->num_sgs == 0) {
524 if (copy_to_user(userbuffer, urb->transfer_buffer, len))
525 return -EFAULT;
526 return 0;
527 }
528
529 for (i = 0; i < urb->num_sgs && len; i++) {
530 size = (len > USB_SG_SIZE) ? USB_SG_SIZE : len;
531 if (copy_to_user(userbuffer, sg_virt(&urb->sg[i]), size))
532 return -EFAULT;
533 userbuffer += size;
534 len -= size;
535 }
536
537 return 0;
538}
539
540#define AS_CONTINUATION 1
541#define AS_UNLINK 2
542
543static void cancel_bulk_urbs(struct usb_dev_state *ps, unsigned bulk_addr)
544__releases(ps->lock)
545__acquires(ps->lock)
546{
547 struct urb *urb;
548 struct async *as;
549
550
551
552
553
554
555 list_for_each_entry(as, &ps->async_pending, asynclist) {
556 if (as->bulk_addr == bulk_addr) {
557 if (as->bulk_status != AS_CONTINUATION)
558 goto rescan;
559 as->bulk_status = AS_UNLINK;
560 as->bulk_addr = 0;
561 }
562 }
563 ps->disabled_bulk_eps |= (1 << bulk_addr);
564
565
566 rescan:
567 list_for_each_entry(as, &ps->async_pending, asynclist) {
568 if (as->bulk_status == AS_UNLINK) {
569 as->bulk_status = 0;
570 urb = as->urb;
571 usb_get_urb(urb);
572 spin_unlock(&ps->lock);
573 usb_unlink_urb(urb);
574 usb_put_urb(urb);
575 spin_lock(&ps->lock);
576 goto rescan;
577 }
578 }
579}
580
581static void async_completed(struct urb *urb)
582{
583 struct async *as = urb->context;
584 struct usb_dev_state *ps = as->ps;
585 struct siginfo sinfo;
586 struct pid *pid = NULL;
587 const struct cred *cred = NULL;
588 unsigned long flags;
589 int signr;
590
591 spin_lock_irqsave(&ps->lock, flags);
592 list_move_tail(&as->asynclist, &ps->async_completed);
593 as->status = urb->status;
594 signr = as->signr;
595 if (signr) {
596 clear_siginfo(&sinfo);
597 sinfo.si_signo = as->signr;
598 sinfo.si_errno = as->status;
599 sinfo.si_code = SI_ASYNCIO;
600 sinfo.si_addr = as->userurb;
601 pid = get_pid(as->pid);
602 cred = get_cred(as->cred);
603 }
604 snoop(&urb->dev->dev, "urb complete\n");
605 snoop_urb(urb->dev, as->userurb, urb->pipe, urb->actual_length,
606 as->status, COMPLETE, NULL, 0);
607 if ((urb->transfer_flags & URB_DIR_MASK) == URB_DIR_IN)
608 snoop_urb_data(urb, urb->actual_length);
609
610 if (as->status < 0 && as->bulk_addr && as->status != -ECONNRESET &&
611 as->status != -ENOENT)
612 cancel_bulk_urbs(ps, as->bulk_addr);
613
614 wake_up(&ps->wait);
615 spin_unlock_irqrestore(&ps->lock, flags);
616
617 if (signr) {
618 kill_pid_info_as_cred(sinfo.si_signo, &sinfo, pid, cred);
619 put_pid(pid);
620 put_cred(cred);
621 }
622}
623
624static void destroy_async(struct usb_dev_state *ps, struct list_head *list)
625{
626 struct urb *urb;
627 struct async *as;
628 unsigned long flags;
629
630 spin_lock_irqsave(&ps->lock, flags);
631 while (!list_empty(list)) {
632 as = list_entry(list->next, struct async, asynclist);
633 list_del_init(&as->asynclist);
634 urb = as->urb;
635 usb_get_urb(urb);
636
637
638 spin_unlock_irqrestore(&ps->lock, flags);
639 usb_kill_urb(urb);
640 usb_put_urb(urb);
641 spin_lock_irqsave(&ps->lock, flags);
642 }
643 spin_unlock_irqrestore(&ps->lock, flags);
644}
645
646static void destroy_async_on_interface(struct usb_dev_state *ps,
647 unsigned int ifnum)
648{
649 struct list_head *p, *q, hitlist;
650 unsigned long flags;
651
652 INIT_LIST_HEAD(&hitlist);
653 spin_lock_irqsave(&ps->lock, flags);
654 list_for_each_safe(p, q, &ps->async_pending)
655 if (ifnum == list_entry(p, struct async, asynclist)->ifnum)
656 list_move_tail(p, &hitlist);
657 spin_unlock_irqrestore(&ps->lock, flags);
658 destroy_async(ps, &hitlist);
659}
660
661static void destroy_all_async(struct usb_dev_state *ps)
662{
663 destroy_async(ps, &ps->async_pending);
664}
665
666
667
668
669
670
671
672static int driver_probe(struct usb_interface *intf,
673 const struct usb_device_id *id)
674{
675 return -ENODEV;
676}
677
678static void driver_disconnect(struct usb_interface *intf)
679{
680 struct usb_dev_state *ps = usb_get_intfdata(intf);
681 unsigned int ifnum = intf->altsetting->desc.bInterfaceNumber;
682
683 if (!ps)
684 return;
685
686
687
688
689
690 if (likely(ifnum < 8*sizeof(ps->ifclaimed)))
691 clear_bit(ifnum, &ps->ifclaimed);
692 else
693 dev_warn(&intf->dev, "interface number %u out of range\n",
694 ifnum);
695
696 usb_set_intfdata(intf, NULL);
697
698
699 destroy_async_on_interface(ps, ifnum);
700}
701
702
703
704
705static int driver_suspend(struct usb_interface *intf, pm_message_t msg)
706{
707 return 0;
708}
709
710static int driver_resume(struct usb_interface *intf)
711{
712 return 0;
713}
714
715struct usb_driver usbfs_driver = {
716 .name = "usbfs",
717 .probe = driver_probe,
718 .disconnect = driver_disconnect,
719 .suspend = driver_suspend,
720 .resume = driver_resume,
721};
722
723static int claimintf(struct usb_dev_state *ps, unsigned int ifnum)
724{
725 struct usb_device *dev = ps->dev;
726 struct usb_interface *intf;
727 int err;
728
729 if (ifnum >= 8*sizeof(ps->ifclaimed))
730 return -EINVAL;
731
732 if (test_bit(ifnum, &ps->ifclaimed))
733 return 0;
734
735 if (ps->privileges_dropped &&
736 !test_bit(ifnum, &ps->interface_allowed_mask))
737 return -EACCES;
738
739 intf = usb_ifnum_to_if(dev, ifnum);
740 if (!intf)
741 err = -ENOENT;
742 else
743 err = usb_driver_claim_interface(&usbfs_driver, intf, ps);
744 if (err == 0)
745 set_bit(ifnum, &ps->ifclaimed);
746 return err;
747}
748
749static int releaseintf(struct usb_dev_state *ps, unsigned int ifnum)
750{
751 struct usb_device *dev;
752 struct usb_interface *intf;
753 int err;
754
755 err = -EINVAL;
756 if (ifnum >= 8*sizeof(ps->ifclaimed))
757 return err;
758 dev = ps->dev;
759 intf = usb_ifnum_to_if(dev, ifnum);
760 if (!intf)
761 err = -ENOENT;
762 else if (test_and_clear_bit(ifnum, &ps->ifclaimed)) {
763 usb_driver_release_interface(&usbfs_driver, intf);
764 err = 0;
765 }
766 return err;
767}
768
769static int checkintf(struct usb_dev_state *ps, unsigned int ifnum)
770{
771 if (ps->dev->state != USB_STATE_CONFIGURED)
772 return -EHOSTUNREACH;
773 if (ifnum >= 8*sizeof(ps->ifclaimed))
774 return -EINVAL;
775 if (test_bit(ifnum, &ps->ifclaimed))
776 return 0;
777
778 dev_warn(&ps->dev->dev, "usbfs: process %d (%s) did not claim "
779 "interface %u before use\n", task_pid_nr(current),
780 current->comm, ifnum);
781 return claimintf(ps, ifnum);
782}
783
784static int findintfep(struct usb_device *dev, unsigned int ep)
785{
786 unsigned int i, j, e;
787 struct usb_interface *intf;
788 struct usb_host_interface *alts;
789 struct usb_endpoint_descriptor *endpt;
790
791 if (ep & ~(USB_DIR_IN|0xf))
792 return -EINVAL;
793 if (!dev->actconfig)
794 return -ESRCH;
795 for (i = 0; i < dev->actconfig->desc.bNumInterfaces; i++) {
796 intf = dev->actconfig->interface[i];
797 for (j = 0; j < intf->num_altsetting; j++) {
798 alts = &intf->altsetting[j];
799 for (e = 0; e < alts->desc.bNumEndpoints; e++) {
800 endpt = &alts->endpoint[e].desc;
801 if (endpt->bEndpointAddress == ep)
802 return alts->desc.bInterfaceNumber;
803 }
804 }
805 }
806 return -ENOENT;
807}
808
809static int check_ctrlrecip(struct usb_dev_state *ps, unsigned int requesttype,
810 unsigned int request, unsigned int index)
811{
812 int ret = 0;
813 struct usb_host_interface *alt_setting;
814
815 if (ps->dev->state != USB_STATE_UNAUTHENTICATED
816 && ps->dev->state != USB_STATE_ADDRESS
817 && ps->dev->state != USB_STATE_CONFIGURED)
818 return -EHOSTUNREACH;
819 if (USB_TYPE_VENDOR == (USB_TYPE_MASK & requesttype))
820 return 0;
821
822
823
824
825
826
827 if (requesttype == 0xa1 && request == 0) {
828 alt_setting = usb_find_alt_setting(ps->dev->actconfig,
829 index >> 8, index & 0xff);
830 if (alt_setting
831 && alt_setting->desc.bInterfaceClass == USB_CLASS_PRINTER)
832 return 0;
833 }
834
835 index &= 0xff;
836 switch (requesttype & USB_RECIP_MASK) {
837 case USB_RECIP_ENDPOINT:
838 if ((index & ~USB_DIR_IN) == 0)
839 return 0;
840 ret = findintfep(ps->dev, index);
841 if (ret < 0) {
842
843
844
845
846
847
848
849
850 ret = findintfep(ps->dev, index ^ 0x80);
851 if (ret >= 0)
852 dev_info(&ps->dev->dev,
853 "%s: process %i (%s) requesting ep %02x but needs %02x\n",
854 __func__, task_pid_nr(current),
855 current->comm, index, index ^ 0x80);
856 }
857 if (ret >= 0)
858 ret = checkintf(ps, ret);
859 break;
860
861 case USB_RECIP_INTERFACE:
862 ret = checkintf(ps, index);
863 break;
864 }
865 return ret;
866}
867
868static struct usb_host_endpoint *ep_to_host_endpoint(struct usb_device *dev,
869 unsigned char ep)
870{
871 if (ep & USB_ENDPOINT_DIR_MASK)
872 return dev->ep_in[ep & USB_ENDPOINT_NUMBER_MASK];
873 else
874 return dev->ep_out[ep & USB_ENDPOINT_NUMBER_MASK];
875}
876
877static int parse_usbdevfs_streams(struct usb_dev_state *ps,
878 struct usbdevfs_streams __user *streams,
879 unsigned int *num_streams_ret,
880 unsigned int *num_eps_ret,
881 struct usb_host_endpoint ***eps_ret,
882 struct usb_interface **intf_ret)
883{
884 unsigned int i, num_streams, num_eps;
885 struct usb_host_endpoint **eps;
886 struct usb_interface *intf = NULL;
887 unsigned char ep;
888 int ifnum, ret;
889
890 if (get_user(num_streams, &streams->num_streams) ||
891 get_user(num_eps, &streams->num_eps))
892 return -EFAULT;
893
894 if (num_eps < 1 || num_eps > USB_MAXENDPOINTS)
895 return -EINVAL;
896
897
898 if (num_streams_ret && (num_streams < 2 || num_streams > 65536))
899 return -EINVAL;
900
901 eps = kmalloc_array(num_eps, sizeof(*eps), GFP_KERNEL);
902 if (!eps)
903 return -ENOMEM;
904
905 for (i = 0; i < num_eps; i++) {
906 if (get_user(ep, &streams->eps[i])) {
907 ret = -EFAULT;
908 goto error;
909 }
910 eps[i] = ep_to_host_endpoint(ps->dev, ep);
911 if (!eps[i]) {
912 ret = -EINVAL;
913 goto error;
914 }
915
916
917 ifnum = findintfep(ps->dev, ep);
918 if (ifnum < 0) {
919 ret = ifnum;
920 goto error;
921 }
922
923 if (i == 0) {
924 ret = checkintf(ps, ifnum);
925 if (ret < 0)
926 goto error;
927 intf = usb_ifnum_to_if(ps->dev, ifnum);
928 } else {
929
930 if (ifnum != intf->altsetting->desc.bInterfaceNumber) {
931 ret = -EINVAL;
932 goto error;
933 }
934 }
935 }
936
937 if (num_streams_ret)
938 *num_streams_ret = num_streams;
939 *num_eps_ret = num_eps;
940 *eps_ret = eps;
941 *intf_ret = intf;
942
943 return 0;
944
945error:
946 kfree(eps);
947 return ret;
948}
949
950static int match_devt(struct device *dev, void *data)
951{
952 return dev->devt == (dev_t) (unsigned long) data;
953}
954
955static struct usb_device *usbdev_lookup_by_devt(dev_t devt)
956{
957 struct device *dev;
958
959 dev = bus_find_device(&usb_bus_type, NULL,
960 (void *) (unsigned long) devt, match_devt);
961 if (!dev)
962 return NULL;
963 return to_usb_device(dev);
964}
965
966
967
968
969static int usbdev_open(struct inode *inode, struct file *file)
970{
971 struct usb_device *dev = NULL;
972 struct usb_dev_state *ps;
973 int ret;
974
975 ret = -ENOMEM;
976 ps = kzalloc(sizeof(struct usb_dev_state), GFP_KERNEL);
977 if (!ps)
978 goto out_free_ps;
979
980 ret = -ENODEV;
981
982
983 mutex_lock(&usbfs_mutex);
984
985
986 if (imajor(inode) == USB_DEVICE_MAJOR)
987 dev = usbdev_lookup_by_devt(inode->i_rdev);
988
989 mutex_unlock(&usbfs_mutex);
990
991 if (!dev)
992 goto out_free_ps;
993
994 usb_lock_device(dev);
995 if (dev->state == USB_STATE_NOTATTACHED)
996 goto out_unlock_device;
997
998 ret = usb_autoresume_device(dev);
999 if (ret)
1000 goto out_unlock_device;
1001
1002 ps->dev = dev;
1003 ps->file = file;
1004 ps->interface_allowed_mask = 0xFFFFFFFF;
1005 spin_lock_init(&ps->lock);
1006 INIT_LIST_HEAD(&ps->list);
1007 INIT_LIST_HEAD(&ps->async_pending);
1008 INIT_LIST_HEAD(&ps->async_completed);
1009 INIT_LIST_HEAD(&ps->memory_list);
1010 init_waitqueue_head(&ps->wait);
1011 ps->disc_pid = get_pid(task_pid(current));
1012 ps->cred = get_current_cred();
1013 smp_wmb();
1014 list_add_tail(&ps->list, &dev->filelist);
1015 file->private_data = ps;
1016 usb_unlock_device(dev);
1017 snoop(&dev->dev, "opened by process %d: %s\n", task_pid_nr(current),
1018 current->comm);
1019 return ret;
1020
1021 out_unlock_device:
1022 usb_unlock_device(dev);
1023 usb_put_dev(dev);
1024 out_free_ps:
1025 kfree(ps);
1026 return ret;
1027}
1028
1029static int usbdev_release(struct inode *inode, struct file *file)
1030{
1031 struct usb_dev_state *ps = file->private_data;
1032 struct usb_device *dev = ps->dev;
1033 unsigned int ifnum;
1034 struct async *as;
1035
1036 usb_lock_device(dev);
1037 usb_hub_release_all_ports(dev, ps);
1038
1039 list_del_init(&ps->list);
1040
1041 for (ifnum = 0; ps->ifclaimed && ifnum < 8*sizeof(ps->ifclaimed);
1042 ifnum++) {
1043 if (test_bit(ifnum, &ps->ifclaimed))
1044 releaseintf(ps, ifnum);
1045 }
1046 destroy_all_async(ps);
1047 usb_autosuspend_device(dev);
1048 usb_unlock_device(dev);
1049 usb_put_dev(dev);
1050 put_pid(ps->disc_pid);
1051 put_cred(ps->cred);
1052
1053 as = async_getcompleted(ps);
1054 while (as) {
1055 free_async(as);
1056 as = async_getcompleted(ps);
1057 }
1058
1059 kfree(ps);
1060 return 0;
1061}
1062
1063static int proc_control(struct usb_dev_state *ps, void __user *arg)
1064{
1065 struct usb_device *dev = ps->dev;
1066 struct usbdevfs_ctrltransfer ctrl;
1067 unsigned int tmo;
1068 unsigned char *tbuf;
1069 unsigned wLength;
1070 int i, pipe, ret;
1071
1072 if (copy_from_user(&ctrl, arg, sizeof(ctrl)))
1073 return -EFAULT;
1074 ret = check_ctrlrecip(ps, ctrl.bRequestType, ctrl.bRequest,
1075 ctrl.wIndex);
1076 if (ret)
1077 return ret;
1078 wLength = ctrl.wLength;
1079 if (wLength > PAGE_SIZE)
1080 return -EINVAL;
1081 ret = usbfs_increase_memory_usage(PAGE_SIZE + sizeof(struct urb) +
1082 sizeof(struct usb_ctrlrequest));
1083 if (ret)
1084 return ret;
1085 tbuf = (unsigned char *)__get_free_page(GFP_KERNEL);
1086 if (!tbuf) {
1087 ret = -ENOMEM;
1088 goto done;
1089 }
1090 tmo = ctrl.timeout;
1091 snoop(&dev->dev, "control urb: bRequestType=%02x "
1092 "bRequest=%02x wValue=%04x "
1093 "wIndex=%04x wLength=%04x\n",
1094 ctrl.bRequestType, ctrl.bRequest, ctrl.wValue,
1095 ctrl.wIndex, ctrl.wLength);
1096 if (ctrl.bRequestType & 0x80) {
1097 if (ctrl.wLength && !access_ok(VERIFY_WRITE, ctrl.data,
1098 ctrl.wLength)) {
1099 ret = -EINVAL;
1100 goto done;
1101 }
1102 pipe = usb_rcvctrlpipe(dev, 0);
1103 snoop_urb(dev, NULL, pipe, ctrl.wLength, tmo, SUBMIT, NULL, 0);
1104
1105 usb_unlock_device(dev);
1106 i = usb_control_msg(dev, pipe, ctrl.bRequest,
1107 ctrl.bRequestType, ctrl.wValue, ctrl.wIndex,
1108 tbuf, ctrl.wLength, tmo);
1109 usb_lock_device(dev);
1110 snoop_urb(dev, NULL, pipe, max(i, 0), min(i, 0), COMPLETE,
1111 tbuf, max(i, 0));
1112 if ((i > 0) && ctrl.wLength) {
1113 if (copy_to_user(ctrl.data, tbuf, i)) {
1114 ret = -EFAULT;
1115 goto done;
1116 }
1117 }
1118 } else {
1119 if (ctrl.wLength) {
1120 if (copy_from_user(tbuf, ctrl.data, ctrl.wLength)) {
1121 ret = -EFAULT;
1122 goto done;
1123 }
1124 }
1125 pipe = usb_sndctrlpipe(dev, 0);
1126 snoop_urb(dev, NULL, pipe, ctrl.wLength, tmo, SUBMIT,
1127 tbuf, ctrl.wLength);
1128
1129 usb_unlock_device(dev);
1130 i = usb_control_msg(dev, usb_sndctrlpipe(dev, 0), ctrl.bRequest,
1131 ctrl.bRequestType, ctrl.wValue, ctrl.wIndex,
1132 tbuf, ctrl.wLength, tmo);
1133 usb_lock_device(dev);
1134 snoop_urb(dev, NULL, pipe, max(i, 0), min(i, 0), COMPLETE, NULL, 0);
1135 }
1136 if (i < 0 && i != -EPIPE) {
1137 dev_printk(KERN_DEBUG, &dev->dev, "usbfs: USBDEVFS_CONTROL "
1138 "failed cmd %s rqt %u rq %u len %u ret %d\n",
1139 current->comm, ctrl.bRequestType, ctrl.bRequest,
1140 ctrl.wLength, i);
1141 }
1142 ret = i;
1143 done:
1144 free_page((unsigned long) tbuf);
1145 usbfs_decrease_memory_usage(PAGE_SIZE + sizeof(struct urb) +
1146 sizeof(struct usb_ctrlrequest));
1147 return ret;
1148}
1149
1150static int proc_bulk(struct usb_dev_state *ps, void __user *arg)
1151{
1152 struct usb_device *dev = ps->dev;
1153 struct usbdevfs_bulktransfer bulk;
1154 unsigned int tmo, len1, pipe;
1155 int len2;
1156 unsigned char *tbuf;
1157 int i, ret;
1158
1159 if (copy_from_user(&bulk, arg, sizeof(bulk)))
1160 return -EFAULT;
1161 ret = findintfep(ps->dev, bulk.ep);
1162 if (ret < 0)
1163 return ret;
1164 ret = checkintf(ps, ret);
1165 if (ret)
1166 return ret;
1167 if (bulk.ep & USB_DIR_IN)
1168 pipe = usb_rcvbulkpipe(dev, bulk.ep & 0x7f);
1169 else
1170 pipe = usb_sndbulkpipe(dev, bulk.ep & 0x7f);
1171 if (!usb_maxpacket(dev, pipe, !(bulk.ep & USB_DIR_IN)))
1172 return -EINVAL;
1173 len1 = bulk.len;
1174 if (len1 >= (INT_MAX - sizeof(struct urb)))
1175 return -EINVAL;
1176 ret = usbfs_increase_memory_usage(len1 + sizeof(struct urb));
1177 if (ret)
1178 return ret;
1179 tbuf = kmalloc(len1, GFP_KERNEL);
1180 if (!tbuf) {
1181 ret = -ENOMEM;
1182 goto done;
1183 }
1184 tmo = bulk.timeout;
1185 if (bulk.ep & 0x80) {
1186 if (len1 && !access_ok(VERIFY_WRITE, bulk.data, len1)) {
1187 ret = -EINVAL;
1188 goto done;
1189 }
1190 snoop_urb(dev, NULL, pipe, len1, tmo, SUBMIT, NULL, 0);
1191
1192 usb_unlock_device(dev);
1193 i = usb_bulk_msg(dev, pipe, tbuf, len1, &len2, tmo);
1194 usb_lock_device(dev);
1195 snoop_urb(dev, NULL, pipe, len2, i, COMPLETE, tbuf, len2);
1196
1197 if (!i && len2) {
1198 if (copy_to_user(bulk.data, tbuf, len2)) {
1199 ret = -EFAULT;
1200 goto done;
1201 }
1202 }
1203 } else {
1204 if (len1) {
1205 if (copy_from_user(tbuf, bulk.data, len1)) {
1206 ret = -EFAULT;
1207 goto done;
1208 }
1209 }
1210 snoop_urb(dev, NULL, pipe, len1, tmo, SUBMIT, tbuf, len1);
1211
1212 usb_unlock_device(dev);
1213 i = usb_bulk_msg(dev, pipe, tbuf, len1, &len2, tmo);
1214 usb_lock_device(dev);
1215 snoop_urb(dev, NULL, pipe, len2, i, COMPLETE, NULL, 0);
1216 }
1217 ret = (i < 0 ? i : len2);
1218 done:
1219 kfree(tbuf);
1220 usbfs_decrease_memory_usage(len1 + sizeof(struct urb));
1221 return ret;
1222}
1223
1224static void check_reset_of_active_ep(struct usb_device *udev,
1225 unsigned int epnum, char *ioctl_name)
1226{
1227 struct usb_host_endpoint **eps;
1228 struct usb_host_endpoint *ep;
1229
1230 eps = (epnum & USB_DIR_IN) ? udev->ep_in : udev->ep_out;
1231 ep = eps[epnum & 0x0f];
1232 if (ep && !list_empty(&ep->urb_list))
1233 dev_warn(&udev->dev, "Process %d (%s) called USBDEVFS_%s for active endpoint 0x%02x\n",
1234 task_pid_nr(current), current->comm,
1235 ioctl_name, epnum);
1236}
1237
1238static int proc_resetep(struct usb_dev_state *ps, void __user *arg)
1239{
1240 unsigned int ep;
1241 int ret;
1242
1243 if (get_user(ep, (unsigned int __user *)arg))
1244 return -EFAULT;
1245 ret = findintfep(ps->dev, ep);
1246 if (ret < 0)
1247 return ret;
1248 ret = checkintf(ps, ret);
1249 if (ret)
1250 return ret;
1251 check_reset_of_active_ep(ps->dev, ep, "RESETEP");
1252 usb_reset_endpoint(ps->dev, ep);
1253 return 0;
1254}
1255
1256static int proc_clearhalt(struct usb_dev_state *ps, void __user *arg)
1257{
1258 unsigned int ep;
1259 int pipe;
1260 int ret;
1261
1262 if (get_user(ep, (unsigned int __user *)arg))
1263 return -EFAULT;
1264 ret = findintfep(ps->dev, ep);
1265 if (ret < 0)
1266 return ret;
1267 ret = checkintf(ps, ret);
1268 if (ret)
1269 return ret;
1270 check_reset_of_active_ep(ps->dev, ep, "CLEAR_HALT");
1271 if (ep & USB_DIR_IN)
1272 pipe = usb_rcvbulkpipe(ps->dev, ep & 0x7f);
1273 else
1274 pipe = usb_sndbulkpipe(ps->dev, ep & 0x7f);
1275
1276 return usb_clear_halt(ps->dev, pipe);
1277}
1278
1279static int proc_getdriver(struct usb_dev_state *ps, void __user *arg)
1280{
1281 struct usbdevfs_getdriver gd;
1282 struct usb_interface *intf;
1283 int ret;
1284
1285 if (copy_from_user(&gd, arg, sizeof(gd)))
1286 return -EFAULT;
1287 intf = usb_ifnum_to_if(ps->dev, gd.interface);
1288 if (!intf || !intf->dev.driver)
1289 ret = -ENODATA;
1290 else {
1291 strlcpy(gd.driver, intf->dev.driver->name,
1292 sizeof(gd.driver));
1293 ret = (copy_to_user(arg, &gd, sizeof(gd)) ? -EFAULT : 0);
1294 }
1295 return ret;
1296}
1297
1298static int proc_connectinfo(struct usb_dev_state *ps, void __user *arg)
1299{
1300 struct usbdevfs_connectinfo ci;
1301
1302 memset(&ci, 0, sizeof(ci));
1303 ci.devnum = ps->dev->devnum;
1304 ci.slow = ps->dev->speed == USB_SPEED_LOW;
1305
1306 if (copy_to_user(arg, &ci, sizeof(ci)))
1307 return -EFAULT;
1308 return 0;
1309}
1310
1311static int proc_resetdevice(struct usb_dev_state *ps)
1312{
1313 struct usb_host_config *actconfig = ps->dev->actconfig;
1314 struct usb_interface *interface;
1315 int i, number;
1316
1317
1318
1319
1320
1321 if (ps->privileges_dropped && actconfig) {
1322 for (i = 0; i < actconfig->desc.bNumInterfaces; ++i) {
1323 interface = actconfig->interface[i];
1324 number = interface->cur_altsetting->desc.bInterfaceNumber;
1325 if (usb_interface_claimed(interface) &&
1326 !test_bit(number, &ps->ifclaimed)) {
1327 dev_warn(&ps->dev->dev,
1328 "usbfs: interface %d claimed by %s while '%s' resets device\n",
1329 number, interface->dev.driver->name, current->comm);
1330 return -EACCES;
1331 }
1332 }
1333 }
1334
1335 return usb_reset_device(ps->dev);
1336}
1337
1338static int proc_setintf(struct usb_dev_state *ps, void __user *arg)
1339{
1340 struct usbdevfs_setinterface setintf;
1341 int ret;
1342
1343 if (copy_from_user(&setintf, arg, sizeof(setintf)))
1344 return -EFAULT;
1345 ret = checkintf(ps, setintf.interface);
1346 if (ret)
1347 return ret;
1348
1349 destroy_async_on_interface(ps, setintf.interface);
1350
1351 return usb_set_interface(ps->dev, setintf.interface,
1352 setintf.altsetting);
1353}
1354
1355static int proc_setconfig(struct usb_dev_state *ps, void __user *arg)
1356{
1357 int u;
1358 int status = 0;
1359 struct usb_host_config *actconfig;
1360
1361 if (get_user(u, (int __user *)arg))
1362 return -EFAULT;
1363
1364 actconfig = ps->dev->actconfig;
1365
1366
1367
1368
1369
1370 if (actconfig) {
1371 int i;
1372
1373 for (i = 0; i < actconfig->desc.bNumInterfaces; ++i) {
1374 if (usb_interface_claimed(actconfig->interface[i])) {
1375 dev_warn(&ps->dev->dev,
1376 "usbfs: interface %d claimed by %s "
1377 "while '%s' sets config #%d\n",
1378 actconfig->interface[i]
1379 ->cur_altsetting
1380 ->desc.bInterfaceNumber,
1381 actconfig->interface[i]
1382 ->dev.driver->name,
1383 current->comm, u);
1384 status = -EBUSY;
1385 break;
1386 }
1387 }
1388 }
1389
1390
1391
1392
1393 if (status == 0) {
1394 if (actconfig && actconfig->desc.bConfigurationValue == u)
1395 status = usb_reset_configuration(ps->dev);
1396 else
1397 status = usb_set_configuration(ps->dev, u);
1398 }
1399
1400 return status;
1401}
1402
1403static struct usb_memory *
1404find_memory_area(struct usb_dev_state *ps, const struct usbdevfs_urb *uurb)
1405{
1406 struct usb_memory *usbm = NULL, *iter;
1407 unsigned long flags;
1408 unsigned long uurb_start = (unsigned long)uurb->buffer;
1409
1410 spin_lock_irqsave(&ps->lock, flags);
1411 list_for_each_entry(iter, &ps->memory_list, memlist) {
1412 if (uurb_start >= iter->vm_start &&
1413 uurb_start < iter->vm_start + iter->size) {
1414 if (uurb->buffer_length > iter->vm_start + iter->size -
1415 uurb_start) {
1416 usbm = ERR_PTR(-EINVAL);
1417 } else {
1418 usbm = iter;
1419 usbm->urb_use_count++;
1420 }
1421 break;
1422 }
1423 }
1424 spin_unlock_irqrestore(&ps->lock, flags);
1425 return usbm;
1426}
1427
1428static int proc_do_submiturb(struct usb_dev_state *ps, struct usbdevfs_urb *uurb,
1429 struct usbdevfs_iso_packet_desc __user *iso_frame_desc,
1430 void __user *arg)
1431{
1432 struct usbdevfs_iso_packet_desc *isopkt = NULL;
1433 struct usb_host_endpoint *ep;
1434 struct async *as = NULL;
1435 struct usb_ctrlrequest *dr = NULL;
1436 unsigned int u, totlen, isofrmlen;
1437 int i, ret, num_sgs = 0, ifnum = -1;
1438 int number_of_packets = 0;
1439 unsigned int stream_id = 0;
1440 void *buf;
1441 bool is_in;
1442 bool allow_short = false;
1443 bool allow_zero = false;
1444 unsigned long mask = USBDEVFS_URB_SHORT_NOT_OK |
1445 USBDEVFS_URB_BULK_CONTINUATION |
1446 USBDEVFS_URB_NO_FSBR |
1447 USBDEVFS_URB_ZERO_PACKET |
1448 USBDEVFS_URB_NO_INTERRUPT;
1449
1450 if (uurb->type == USBDEVFS_URB_TYPE_ISO)
1451 mask |= USBDEVFS_URB_ISO_ASAP;
1452
1453 if (uurb->flags & ~mask)
1454 return -EINVAL;
1455
1456 if ((unsigned int)uurb->buffer_length >= USBFS_XFER_MAX)
1457 return -EINVAL;
1458 if (uurb->buffer_length > 0 && !uurb->buffer)
1459 return -EINVAL;
1460 if (!(uurb->type == USBDEVFS_URB_TYPE_CONTROL &&
1461 (uurb->endpoint & ~USB_ENDPOINT_DIR_MASK) == 0)) {
1462 ifnum = findintfep(ps->dev, uurb->endpoint);
1463 if (ifnum < 0)
1464 return ifnum;
1465 ret = checkintf(ps, ifnum);
1466 if (ret)
1467 return ret;
1468 }
1469 ep = ep_to_host_endpoint(ps->dev, uurb->endpoint);
1470 if (!ep)
1471 return -ENOENT;
1472 is_in = (uurb->endpoint & USB_ENDPOINT_DIR_MASK) != 0;
1473
1474 u = 0;
1475 switch (uurb->type) {
1476 case USBDEVFS_URB_TYPE_CONTROL:
1477 if (!usb_endpoint_xfer_control(&ep->desc))
1478 return -EINVAL;
1479
1480 if (uurb->buffer_length < 8)
1481 return -EINVAL;
1482 dr = kmalloc(sizeof(struct usb_ctrlrequest), GFP_KERNEL);
1483 if (!dr)
1484 return -ENOMEM;
1485 if (copy_from_user(dr, uurb->buffer, 8)) {
1486 ret = -EFAULT;
1487 goto error;
1488 }
1489 if (uurb->buffer_length < (le16_to_cpup(&dr->wLength) + 8)) {
1490 ret = -EINVAL;
1491 goto error;
1492 }
1493 ret = check_ctrlrecip(ps, dr->bRequestType, dr->bRequest,
1494 le16_to_cpup(&dr->wIndex));
1495 if (ret)
1496 goto error;
1497 uurb->buffer_length = le16_to_cpup(&dr->wLength);
1498 uurb->buffer += 8;
1499 if ((dr->bRequestType & USB_DIR_IN) && uurb->buffer_length) {
1500 is_in = 1;
1501 uurb->endpoint |= USB_DIR_IN;
1502 } else {
1503 is_in = 0;
1504 uurb->endpoint &= ~USB_DIR_IN;
1505 }
1506 if (is_in)
1507 allow_short = true;
1508 snoop(&ps->dev->dev, "control urb: bRequestType=%02x "
1509 "bRequest=%02x wValue=%04x "
1510 "wIndex=%04x wLength=%04x\n",
1511 dr->bRequestType, dr->bRequest,
1512 __le16_to_cpup(&dr->wValue),
1513 __le16_to_cpup(&dr->wIndex),
1514 __le16_to_cpup(&dr->wLength));
1515 u = sizeof(struct usb_ctrlrequest);
1516 break;
1517
1518 case USBDEVFS_URB_TYPE_BULK:
1519 if (!is_in)
1520 allow_zero = true;
1521 else
1522 allow_short = true;
1523 switch (usb_endpoint_type(&ep->desc)) {
1524 case USB_ENDPOINT_XFER_CONTROL:
1525 case USB_ENDPOINT_XFER_ISOC:
1526 return -EINVAL;
1527 case USB_ENDPOINT_XFER_INT:
1528
1529 uurb->type = USBDEVFS_URB_TYPE_INTERRUPT;
1530 goto interrupt_urb;
1531 }
1532 num_sgs = DIV_ROUND_UP(uurb->buffer_length, USB_SG_SIZE);
1533 if (num_sgs == 1 || num_sgs > ps->dev->bus->sg_tablesize)
1534 num_sgs = 0;
1535 if (ep->streams)
1536 stream_id = uurb->stream_id;
1537 break;
1538
1539 case USBDEVFS_URB_TYPE_INTERRUPT:
1540 if (!usb_endpoint_xfer_int(&ep->desc))
1541 return -EINVAL;
1542 interrupt_urb:
1543 if (!is_in)
1544 allow_zero = true;
1545 else
1546 allow_short = true;
1547 break;
1548
1549 case USBDEVFS_URB_TYPE_ISO:
1550
1551 if (uurb->number_of_packets < 1 ||
1552 uurb->number_of_packets > 128)
1553 return -EINVAL;
1554 if (!usb_endpoint_xfer_isoc(&ep->desc))
1555 return -EINVAL;
1556 number_of_packets = uurb->number_of_packets;
1557 isofrmlen = sizeof(struct usbdevfs_iso_packet_desc) *
1558 number_of_packets;
1559 isopkt = memdup_user(iso_frame_desc, isofrmlen);
1560 if (IS_ERR(isopkt)) {
1561 ret = PTR_ERR(isopkt);
1562 isopkt = NULL;
1563 goto error;
1564 }
1565 for (totlen = u = 0; u < number_of_packets; u++) {
1566
1567
1568
1569
1570
1571
1572 if (isopkt[u].length > 49152) {
1573 ret = -EINVAL;
1574 goto error;
1575 }
1576 totlen += isopkt[u].length;
1577 }
1578 u *= sizeof(struct usb_iso_packet_descriptor);
1579 uurb->buffer_length = totlen;
1580 break;
1581
1582 default:
1583 return -EINVAL;
1584 }
1585
1586 if (uurb->buffer_length > 0 &&
1587 !access_ok(is_in ? VERIFY_WRITE : VERIFY_READ,
1588 uurb->buffer, uurb->buffer_length)) {
1589 ret = -EFAULT;
1590 goto error;
1591 }
1592 as = alloc_async(number_of_packets);
1593 if (!as) {
1594 ret = -ENOMEM;
1595 goto error;
1596 }
1597
1598 as->usbm = find_memory_area(ps, uurb);
1599 if (IS_ERR(as->usbm)) {
1600 ret = PTR_ERR(as->usbm);
1601 as->usbm = NULL;
1602 goto error;
1603 }
1604
1605
1606
1607
1608 if (as->usbm)
1609 num_sgs = 0;
1610
1611 u += sizeof(struct async) + sizeof(struct urb) + uurb->buffer_length +
1612 num_sgs * sizeof(struct scatterlist);
1613 ret = usbfs_increase_memory_usage(u);
1614 if (ret)
1615 goto error;
1616 as->mem_usage = u;
1617
1618 if (num_sgs) {
1619 as->urb->sg = kmalloc_array(num_sgs,
1620 sizeof(struct scatterlist),
1621 GFP_KERNEL);
1622 if (!as->urb->sg) {
1623 ret = -ENOMEM;
1624 goto error;
1625 }
1626 as->urb->num_sgs = num_sgs;
1627 sg_init_table(as->urb->sg, as->urb->num_sgs);
1628
1629 totlen = uurb->buffer_length;
1630 for (i = 0; i < as->urb->num_sgs; i++) {
1631 u = (totlen > USB_SG_SIZE) ? USB_SG_SIZE : totlen;
1632 buf = kmalloc(u, GFP_KERNEL);
1633 if (!buf) {
1634 ret = -ENOMEM;
1635 goto error;
1636 }
1637 sg_set_buf(&as->urb->sg[i], buf, u);
1638
1639 if (!is_in) {
1640 if (copy_from_user(buf, uurb->buffer, u)) {
1641 ret = -EFAULT;
1642 goto error;
1643 }
1644 uurb->buffer += u;
1645 }
1646 totlen -= u;
1647 }
1648 } else if (uurb->buffer_length > 0) {
1649 if (as->usbm) {
1650 unsigned long uurb_start = (unsigned long)uurb->buffer;
1651
1652 as->urb->transfer_buffer = as->usbm->mem +
1653 (uurb_start - as->usbm->vm_start);
1654 } else {
1655 as->urb->transfer_buffer = kmalloc(uurb->buffer_length,
1656 GFP_KERNEL);
1657 if (!as->urb->transfer_buffer) {
1658 ret = -ENOMEM;
1659 goto error;
1660 }
1661 if (!is_in) {
1662 if (copy_from_user(as->urb->transfer_buffer,
1663 uurb->buffer,
1664 uurb->buffer_length)) {
1665 ret = -EFAULT;
1666 goto error;
1667 }
1668 } else if (uurb->type == USBDEVFS_URB_TYPE_ISO) {
1669
1670
1671
1672
1673
1674
1675 memset(as->urb->transfer_buffer, 0,
1676 uurb->buffer_length);
1677 }
1678 }
1679 }
1680 as->urb->dev = ps->dev;
1681 as->urb->pipe = (uurb->type << 30) |
1682 __create_pipe(ps->dev, uurb->endpoint & 0xf) |
1683 (uurb->endpoint & USB_DIR_IN);
1684
1685
1686
1687
1688
1689 u = (is_in ? URB_DIR_IN : URB_DIR_OUT);
1690 if (uurb->flags & USBDEVFS_URB_ISO_ASAP)
1691 u |= URB_ISO_ASAP;
1692 if (allow_short && uurb->flags & USBDEVFS_URB_SHORT_NOT_OK)
1693 u |= URB_SHORT_NOT_OK;
1694 if (allow_zero && uurb->flags & USBDEVFS_URB_ZERO_PACKET)
1695 u |= URB_ZERO_PACKET;
1696 if (uurb->flags & USBDEVFS_URB_NO_INTERRUPT)
1697 u |= URB_NO_INTERRUPT;
1698 as->urb->transfer_flags = u;
1699
1700 if (!allow_short && uurb->flags & USBDEVFS_URB_SHORT_NOT_OK)
1701 dev_warn(&ps->dev->dev, "Requested nonsensical USBDEVFS_URB_SHORT_NOT_OK.\n");
1702 if (!allow_zero && uurb->flags & USBDEVFS_URB_ZERO_PACKET)
1703 dev_warn(&ps->dev->dev, "Requested nonsensical USBDEVFS_URB_ZERO_PACKET.\n");
1704
1705 as->urb->transfer_buffer_length = uurb->buffer_length;
1706 as->urb->setup_packet = (unsigned char *)dr;
1707 dr = NULL;
1708 as->urb->start_frame = uurb->start_frame;
1709 as->urb->number_of_packets = number_of_packets;
1710 as->urb->stream_id = stream_id;
1711
1712 if (ep->desc.bInterval) {
1713 if (uurb->type == USBDEVFS_URB_TYPE_ISO ||
1714 ps->dev->speed == USB_SPEED_HIGH ||
1715 ps->dev->speed >= USB_SPEED_SUPER)
1716 as->urb->interval = 1 <<
1717 min(15, ep->desc.bInterval - 1);
1718 else
1719 as->urb->interval = ep->desc.bInterval;
1720 }
1721
1722 as->urb->context = as;
1723 as->urb->complete = async_completed;
1724 for (totlen = u = 0; u < number_of_packets; u++) {
1725 as->urb->iso_frame_desc[u].offset = totlen;
1726 as->urb->iso_frame_desc[u].length = isopkt[u].length;
1727 totlen += isopkt[u].length;
1728 }
1729 kfree(isopkt);
1730 isopkt = NULL;
1731 as->ps = ps;
1732 as->userurb = arg;
1733 if (as->usbm) {
1734 unsigned long uurb_start = (unsigned long)uurb->buffer;
1735
1736 as->urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP;
1737 as->urb->transfer_dma = as->usbm->dma_handle +
1738 (uurb_start - as->usbm->vm_start);
1739 } else if (is_in && uurb->buffer_length > 0)
1740 as->userbuffer = uurb->buffer;
1741 as->signr = uurb->signr;
1742 as->ifnum = ifnum;
1743 as->pid = get_pid(task_pid(current));
1744 as->cred = get_current_cred();
1745 snoop_urb(ps->dev, as->userurb, as->urb->pipe,
1746 as->urb->transfer_buffer_length, 0, SUBMIT,
1747 NULL, 0);
1748 if (!is_in)
1749 snoop_urb_data(as->urb, as->urb->transfer_buffer_length);
1750
1751 async_newpending(as);
1752
1753 if (usb_endpoint_xfer_bulk(&ep->desc)) {
1754 spin_lock_irq(&ps->lock);
1755
1756
1757
1758
1759
1760 as->bulk_addr = usb_endpoint_num(&ep->desc) |
1761 ((ep->desc.bEndpointAddress & USB_ENDPOINT_DIR_MASK)
1762 >> 3);
1763
1764
1765
1766
1767 if (uurb->flags & USBDEVFS_URB_BULK_CONTINUATION)
1768 as->bulk_status = AS_CONTINUATION;
1769 else
1770 ps->disabled_bulk_eps &= ~(1 << as->bulk_addr);
1771
1772
1773
1774
1775 if (ps->disabled_bulk_eps & (1 << as->bulk_addr))
1776 ret = -EREMOTEIO;
1777 else
1778 ret = usb_submit_urb(as->urb, GFP_ATOMIC);
1779 spin_unlock_irq(&ps->lock);
1780 } else {
1781 ret = usb_submit_urb(as->urb, GFP_KERNEL);
1782 }
1783
1784 if (ret) {
1785 dev_printk(KERN_DEBUG, &ps->dev->dev,
1786 "usbfs: usb_submit_urb returned %d\n", ret);
1787 snoop_urb(ps->dev, as->userurb, as->urb->pipe,
1788 0, ret, COMPLETE, NULL, 0);
1789 async_removepending(as);
1790 goto error;
1791 }
1792 return 0;
1793
1794 error:
1795 if (as && as->usbm)
1796 dec_usb_memory_use_count(as->usbm, &as->usbm->urb_use_count);
1797 kfree(isopkt);
1798 kfree(dr);
1799 if (as)
1800 free_async(as);
1801 return ret;
1802}
1803
1804static int proc_submiturb(struct usb_dev_state *ps, void __user *arg)
1805{
1806 struct usbdevfs_urb uurb;
1807
1808 if (copy_from_user(&uurb, arg, sizeof(uurb)))
1809 return -EFAULT;
1810
1811 return proc_do_submiturb(ps, &uurb,
1812 (((struct usbdevfs_urb __user *)arg)->iso_frame_desc),
1813 arg);
1814}
1815
1816static int proc_unlinkurb(struct usb_dev_state *ps, void __user *arg)
1817{
1818 struct urb *urb;
1819 struct async *as;
1820 unsigned long flags;
1821
1822 spin_lock_irqsave(&ps->lock, flags);
1823 as = async_getpending(ps, arg);
1824 if (!as) {
1825 spin_unlock_irqrestore(&ps->lock, flags);
1826 return -EINVAL;
1827 }
1828
1829 urb = as->urb;
1830 usb_get_urb(urb);
1831 spin_unlock_irqrestore(&ps->lock, flags);
1832
1833 usb_kill_urb(urb);
1834 usb_put_urb(urb);
1835
1836 return 0;
1837}
1838
1839static void compute_isochronous_actual_length(struct urb *urb)
1840{
1841 unsigned int i;
1842
1843 if (urb->number_of_packets > 0) {
1844 urb->actual_length = 0;
1845 for (i = 0; i < urb->number_of_packets; i++)
1846 urb->actual_length +=
1847 urb->iso_frame_desc[i].actual_length;
1848 }
1849}
1850
1851static int processcompl(struct async *as, void __user * __user *arg)
1852{
1853 struct urb *urb = as->urb;
1854 struct usbdevfs_urb __user *userurb = as->userurb;
1855 void __user *addr = as->userurb;
1856 unsigned int i;
1857
1858 compute_isochronous_actual_length(urb);
1859 if (as->userbuffer && urb->actual_length) {
1860 if (copy_urb_data_to_user(as->userbuffer, urb))
1861 goto err_out;
1862 }
1863 if (put_user(as->status, &userurb->status))
1864 goto err_out;
1865 if (put_user(urb->actual_length, &userurb->actual_length))
1866 goto err_out;
1867 if (put_user(urb->error_count, &userurb->error_count))
1868 goto err_out;
1869
1870 if (usb_endpoint_xfer_isoc(&urb->ep->desc)) {
1871 for (i = 0; i < urb->number_of_packets; i++) {
1872 if (put_user(urb->iso_frame_desc[i].actual_length,
1873 &userurb->iso_frame_desc[i].actual_length))
1874 goto err_out;
1875 if (put_user(urb->iso_frame_desc[i].status,
1876 &userurb->iso_frame_desc[i].status))
1877 goto err_out;
1878 }
1879 }
1880
1881 if (put_user(addr, (void __user * __user *)arg))
1882 return -EFAULT;
1883 return 0;
1884
1885err_out:
1886 return -EFAULT;
1887}
1888
1889static struct async *reap_as(struct usb_dev_state *ps)
1890{
1891 DECLARE_WAITQUEUE(wait, current);
1892 struct async *as = NULL;
1893 struct usb_device *dev = ps->dev;
1894
1895 add_wait_queue(&ps->wait, &wait);
1896 for (;;) {
1897 __set_current_state(TASK_INTERRUPTIBLE);
1898 as = async_getcompleted(ps);
1899 if (as || !connected(ps))
1900 break;
1901 if (signal_pending(current))
1902 break;
1903 usb_unlock_device(dev);
1904 schedule();
1905 usb_lock_device(dev);
1906 }
1907 remove_wait_queue(&ps->wait, &wait);
1908 set_current_state(TASK_RUNNING);
1909 return as;
1910}
1911
1912static int proc_reapurb(struct usb_dev_state *ps, void __user *arg)
1913{
1914 struct async *as = reap_as(ps);
1915
1916 if (as) {
1917 int retval;
1918
1919 snoop(&ps->dev->dev, "reap %pK\n", as->userurb);
1920 retval = processcompl(as, (void __user * __user *)arg);
1921 free_async(as);
1922 return retval;
1923 }
1924 if (signal_pending(current))
1925 return -EINTR;
1926 return -ENODEV;
1927}
1928
1929static int proc_reapurbnonblock(struct usb_dev_state *ps, void __user *arg)
1930{
1931 int retval;
1932 struct async *as;
1933
1934 as = async_getcompleted(ps);
1935 if (as) {
1936 snoop(&ps->dev->dev, "reap %pK\n", as->userurb);
1937 retval = processcompl(as, (void __user * __user *)arg);
1938 free_async(as);
1939 } else {
1940 retval = (connected(ps) ? -EAGAIN : -ENODEV);
1941 }
1942 return retval;
1943}
1944
1945#ifdef CONFIG_COMPAT
1946static int proc_control_compat(struct usb_dev_state *ps,
1947 struct usbdevfs_ctrltransfer32 __user *p32)
1948{
1949 struct usbdevfs_ctrltransfer __user *p;
1950 __u32 udata;
1951 p = compat_alloc_user_space(sizeof(*p));
1952 if (copy_in_user(p, p32, (sizeof(*p32) - sizeof(compat_caddr_t))) ||
1953 get_user(udata, &p32->data) ||
1954 put_user(compat_ptr(udata), &p->data))
1955 return -EFAULT;
1956 return proc_control(ps, p);
1957}
1958
1959static int proc_bulk_compat(struct usb_dev_state *ps,
1960 struct usbdevfs_bulktransfer32 __user *p32)
1961{
1962 struct usbdevfs_bulktransfer __user *p;
1963 compat_uint_t n;
1964 compat_caddr_t addr;
1965
1966 p = compat_alloc_user_space(sizeof(*p));
1967
1968 if (get_user(n, &p32->ep) || put_user(n, &p->ep) ||
1969 get_user(n, &p32->len) || put_user(n, &p->len) ||
1970 get_user(n, &p32->timeout) || put_user(n, &p->timeout) ||
1971 get_user(addr, &p32->data) || put_user(compat_ptr(addr), &p->data))
1972 return -EFAULT;
1973
1974 return proc_bulk(ps, p);
1975}
1976static int proc_disconnectsignal_compat(struct usb_dev_state *ps, void __user *arg)
1977{
1978 struct usbdevfs_disconnectsignal32 ds;
1979
1980 if (copy_from_user(&ds, arg, sizeof(ds)))
1981 return -EFAULT;
1982 ps->discsignr = ds.signr;
1983 ps->disccontext = compat_ptr(ds.context);
1984 return 0;
1985}
1986
1987static int get_urb32(struct usbdevfs_urb *kurb,
1988 struct usbdevfs_urb32 __user *uurb)
1989{
1990 struct usbdevfs_urb32 urb32;
1991 if (copy_from_user(&urb32, uurb, sizeof(*uurb)))
1992 return -EFAULT;
1993 kurb->type = urb32.type;
1994 kurb->endpoint = urb32.endpoint;
1995 kurb->status = urb32.status;
1996 kurb->flags = urb32.flags;
1997 kurb->buffer = compat_ptr(urb32.buffer);
1998 kurb->buffer_length = urb32.buffer_length;
1999 kurb->actual_length = urb32.actual_length;
2000 kurb->start_frame = urb32.start_frame;
2001 kurb->number_of_packets = urb32.number_of_packets;
2002 kurb->error_count = urb32.error_count;
2003 kurb->signr = urb32.signr;
2004 kurb->usercontext = compat_ptr(urb32.usercontext);
2005 return 0;
2006}
2007
2008static int proc_submiturb_compat(struct usb_dev_state *ps, void __user *arg)
2009{
2010 struct usbdevfs_urb uurb;
2011
2012 if (get_urb32(&uurb, (struct usbdevfs_urb32 __user *)arg))
2013 return -EFAULT;
2014
2015 return proc_do_submiturb(ps, &uurb,
2016 ((struct usbdevfs_urb32 __user *)arg)->iso_frame_desc,
2017 arg);
2018}
2019
2020static int processcompl_compat(struct async *as, void __user * __user *arg)
2021{
2022 struct urb *urb = as->urb;
2023 struct usbdevfs_urb32 __user *userurb = as->userurb;
2024 void __user *addr = as->userurb;
2025 unsigned int i;
2026
2027 compute_isochronous_actual_length(urb);
2028 if (as->userbuffer && urb->actual_length) {
2029 if (copy_urb_data_to_user(as->userbuffer, urb))
2030 return -EFAULT;
2031 }
2032 if (put_user(as->status, &userurb->status))
2033 return -EFAULT;
2034 if (put_user(urb->actual_length, &userurb->actual_length))
2035 return -EFAULT;
2036 if (put_user(urb->error_count, &userurb->error_count))
2037 return -EFAULT;
2038
2039 if (usb_endpoint_xfer_isoc(&urb->ep->desc)) {
2040 for (i = 0; i < urb->number_of_packets; i++) {
2041 if (put_user(urb->iso_frame_desc[i].actual_length,
2042 &userurb->iso_frame_desc[i].actual_length))
2043 return -EFAULT;
2044 if (put_user(urb->iso_frame_desc[i].status,
2045 &userurb->iso_frame_desc[i].status))
2046 return -EFAULT;
2047 }
2048 }
2049
2050 if (put_user(ptr_to_compat(addr), (u32 __user *)arg))
2051 return -EFAULT;
2052 return 0;
2053}
2054
2055static int proc_reapurb_compat(struct usb_dev_state *ps, void __user *arg)
2056{
2057 struct async *as = reap_as(ps);
2058
2059 if (as) {
2060 int retval;
2061
2062 snoop(&ps->dev->dev, "reap %pK\n", as->userurb);
2063 retval = processcompl_compat(as, (void __user * __user *)arg);
2064 free_async(as);
2065 return retval;
2066 }
2067 if (signal_pending(current))
2068 return -EINTR;
2069 return -ENODEV;
2070}
2071
2072static int proc_reapurbnonblock_compat(struct usb_dev_state *ps, void __user *arg)
2073{
2074 int retval;
2075 struct async *as;
2076
2077 as = async_getcompleted(ps);
2078 if (as) {
2079 snoop(&ps->dev->dev, "reap %pK\n", as->userurb);
2080 retval = processcompl_compat(as, (void __user * __user *)arg);
2081 free_async(as);
2082 } else {
2083 retval = (connected(ps) ? -EAGAIN : -ENODEV);
2084 }
2085 return retval;
2086}
2087
2088
2089#endif
2090
2091static int proc_disconnectsignal(struct usb_dev_state *ps, void __user *arg)
2092{
2093 struct usbdevfs_disconnectsignal ds;
2094
2095 if (copy_from_user(&ds, arg, sizeof(ds)))
2096 return -EFAULT;
2097 ps->discsignr = ds.signr;
2098 ps->disccontext = ds.context;
2099 return 0;
2100}
2101
2102static int proc_claiminterface(struct usb_dev_state *ps, void __user *arg)
2103{
2104 unsigned int ifnum;
2105
2106 if (get_user(ifnum, (unsigned int __user *)arg))
2107 return -EFAULT;
2108 return claimintf(ps, ifnum);
2109}
2110
2111static int proc_releaseinterface(struct usb_dev_state *ps, void __user *arg)
2112{
2113 unsigned int ifnum;
2114 int ret;
2115
2116 if (get_user(ifnum, (unsigned int __user *)arg))
2117 return -EFAULT;
2118 ret = releaseintf(ps, ifnum);
2119 if (ret < 0)
2120 return ret;
2121 destroy_async_on_interface(ps, ifnum);
2122 return 0;
2123}
2124
2125static int proc_ioctl(struct usb_dev_state *ps, struct usbdevfs_ioctl *ctl)
2126{
2127 int size;
2128 void *buf = NULL;
2129 int retval = 0;
2130 struct usb_interface *intf = NULL;
2131 struct usb_driver *driver = NULL;
2132
2133 if (ps->privileges_dropped)
2134 return -EACCES;
2135
2136
2137 size = _IOC_SIZE(ctl->ioctl_code);
2138 if (size > 0) {
2139 buf = kmalloc(size, GFP_KERNEL);
2140 if (buf == NULL)
2141 return -ENOMEM;
2142 if ((_IOC_DIR(ctl->ioctl_code) & _IOC_WRITE)) {
2143 if (copy_from_user(buf, ctl->data, size)) {
2144 kfree(buf);
2145 return -EFAULT;
2146 }
2147 } else {
2148 memset(buf, 0, size);
2149 }
2150 }
2151
2152 if (!connected(ps)) {
2153 kfree(buf);
2154 return -ENODEV;
2155 }
2156
2157 if (ps->dev->state != USB_STATE_CONFIGURED)
2158 retval = -EHOSTUNREACH;
2159 else if (!(intf = usb_ifnum_to_if(ps->dev, ctl->ifno)))
2160 retval = -EINVAL;
2161 else switch (ctl->ioctl_code) {
2162
2163
2164 case USBDEVFS_DISCONNECT:
2165 if (intf->dev.driver) {
2166 driver = to_usb_driver(intf->dev.driver);
2167 dev_dbg(&intf->dev, "disconnect by usbfs\n");
2168 usb_driver_release_interface(driver, intf);
2169 } else
2170 retval = -ENODATA;
2171 break;
2172
2173
2174 case USBDEVFS_CONNECT:
2175 if (!intf->dev.driver)
2176 retval = device_attach(&intf->dev);
2177 else
2178 retval = -EBUSY;
2179 break;
2180
2181
2182 default:
2183 if (intf->dev.driver)
2184 driver = to_usb_driver(intf->dev.driver);
2185 if (driver == NULL || driver->unlocked_ioctl == NULL) {
2186 retval = -ENOTTY;
2187 } else {
2188 retval = driver->unlocked_ioctl(intf, ctl->ioctl_code, buf);
2189 if (retval == -ENOIOCTLCMD)
2190 retval = -ENOTTY;
2191 }
2192 }
2193
2194
2195 if (retval >= 0
2196 && (_IOC_DIR(ctl->ioctl_code) & _IOC_READ) != 0
2197 && size > 0
2198 && copy_to_user(ctl->data, buf, size) != 0)
2199 retval = -EFAULT;
2200
2201 kfree(buf);
2202 return retval;
2203}
2204
2205static int proc_ioctl_default(struct usb_dev_state *ps, void __user *arg)
2206{
2207 struct usbdevfs_ioctl ctrl;
2208
2209 if (copy_from_user(&ctrl, arg, sizeof(ctrl)))
2210 return -EFAULT;
2211 return proc_ioctl(ps, &ctrl);
2212}
2213
2214#ifdef CONFIG_COMPAT
2215static int proc_ioctl_compat(struct usb_dev_state *ps, compat_uptr_t arg)
2216{
2217 struct usbdevfs_ioctl32 ioc32;
2218 struct usbdevfs_ioctl ctrl;
2219
2220 if (copy_from_user(&ioc32, compat_ptr(arg), sizeof(ioc32)))
2221 return -EFAULT;
2222 ctrl.ifno = ioc32.ifno;
2223 ctrl.ioctl_code = ioc32.ioctl_code;
2224 ctrl.data = compat_ptr(ioc32.data);
2225 return proc_ioctl(ps, &ctrl);
2226}
2227#endif
2228
2229static int proc_claim_port(struct usb_dev_state *ps, void __user *arg)
2230{
2231 unsigned portnum;
2232 int rc;
2233
2234 if (get_user(portnum, (unsigned __user *) arg))
2235 return -EFAULT;
2236 rc = usb_hub_claim_port(ps->dev, portnum, ps);
2237 if (rc == 0)
2238 snoop(&ps->dev->dev, "port %d claimed by process %d: %s\n",
2239 portnum, task_pid_nr(current), current->comm);
2240 return rc;
2241}
2242
2243static int proc_release_port(struct usb_dev_state *ps, void __user *arg)
2244{
2245 unsigned portnum;
2246
2247 if (get_user(portnum, (unsigned __user *) arg))
2248 return -EFAULT;
2249 return usb_hub_release_port(ps->dev, portnum, ps);
2250}
2251
2252static int proc_get_capabilities(struct usb_dev_state *ps, void __user *arg)
2253{
2254 __u32 caps;
2255
2256 caps = USBDEVFS_CAP_ZERO_PACKET | USBDEVFS_CAP_NO_PACKET_SIZE_LIM |
2257 USBDEVFS_CAP_REAP_AFTER_DISCONNECT | USBDEVFS_CAP_MMAP |
2258 USBDEVFS_CAP_DROP_PRIVILEGES;
2259 if (!ps->dev->bus->no_stop_on_short)
2260 caps |= USBDEVFS_CAP_BULK_CONTINUATION;
2261 if (ps->dev->bus->sg_tablesize)
2262 caps |= USBDEVFS_CAP_BULK_SCATTER_GATHER;
2263
2264 if (put_user(caps, (__u32 __user *)arg))
2265 return -EFAULT;
2266
2267 return 0;
2268}
2269
2270static int proc_disconnect_claim(struct usb_dev_state *ps, void __user *arg)
2271{
2272 struct usbdevfs_disconnect_claim dc;
2273 struct usb_interface *intf;
2274
2275 if (copy_from_user(&dc, arg, sizeof(dc)))
2276 return -EFAULT;
2277
2278 intf = usb_ifnum_to_if(ps->dev, dc.interface);
2279 if (!intf)
2280 return -EINVAL;
2281
2282 if (intf->dev.driver) {
2283 struct usb_driver *driver = to_usb_driver(intf->dev.driver);
2284
2285 if (ps->privileges_dropped)
2286 return -EACCES;
2287
2288 if ((dc.flags & USBDEVFS_DISCONNECT_CLAIM_IF_DRIVER) &&
2289 strncmp(dc.driver, intf->dev.driver->name,
2290 sizeof(dc.driver)) != 0)
2291 return -EBUSY;
2292
2293 if ((dc.flags & USBDEVFS_DISCONNECT_CLAIM_EXCEPT_DRIVER) &&
2294 strncmp(dc.driver, intf->dev.driver->name,
2295 sizeof(dc.driver)) == 0)
2296 return -EBUSY;
2297
2298 dev_dbg(&intf->dev, "disconnect by usbfs\n");
2299 usb_driver_release_interface(driver, intf);
2300 }
2301
2302 return claimintf(ps, dc.interface);
2303}
2304
2305static int proc_alloc_streams(struct usb_dev_state *ps, void __user *arg)
2306{
2307 unsigned num_streams, num_eps;
2308 struct usb_host_endpoint **eps;
2309 struct usb_interface *intf;
2310 int r;
2311
2312 r = parse_usbdevfs_streams(ps, arg, &num_streams, &num_eps,
2313 &eps, &intf);
2314 if (r)
2315 return r;
2316
2317 destroy_async_on_interface(ps,
2318 intf->altsetting[0].desc.bInterfaceNumber);
2319
2320 r = usb_alloc_streams(intf, eps, num_eps, num_streams, GFP_KERNEL);
2321 kfree(eps);
2322 return r;
2323}
2324
2325static int proc_free_streams(struct usb_dev_state *ps, void __user *arg)
2326{
2327 unsigned num_eps;
2328 struct usb_host_endpoint **eps;
2329 struct usb_interface *intf;
2330 int r;
2331
2332 r = parse_usbdevfs_streams(ps, arg, NULL, &num_eps, &eps, &intf);
2333 if (r)
2334 return r;
2335
2336 destroy_async_on_interface(ps,
2337 intf->altsetting[0].desc.bInterfaceNumber);
2338
2339 r = usb_free_streams(intf, eps, num_eps, GFP_KERNEL);
2340 kfree(eps);
2341 return r;
2342}
2343
2344static int proc_drop_privileges(struct usb_dev_state *ps, void __user *arg)
2345{
2346 u32 data;
2347
2348 if (copy_from_user(&data, arg, sizeof(data)))
2349 return -EFAULT;
2350
2351
2352
2353
2354
2355 ps->interface_allowed_mask &= data;
2356 ps->privileges_dropped = true;
2357
2358 return 0;
2359}
2360
2361
2362
2363
2364
2365
2366static long usbdev_do_ioctl(struct file *file, unsigned int cmd,
2367 void __user *p)
2368{
2369 struct usb_dev_state *ps = file->private_data;
2370 struct inode *inode = file_inode(file);
2371 struct usb_device *dev = ps->dev;
2372 int ret = -ENOTTY;
2373
2374 if (!(file->f_mode & FMODE_WRITE))
2375 return -EPERM;
2376
2377 usb_lock_device(dev);
2378
2379
2380 switch (cmd) {
2381 case USBDEVFS_REAPURB:
2382 snoop(&dev->dev, "%s: REAPURB\n", __func__);
2383 ret = proc_reapurb(ps, p);
2384 goto done;
2385
2386 case USBDEVFS_REAPURBNDELAY:
2387 snoop(&dev->dev, "%s: REAPURBNDELAY\n", __func__);
2388 ret = proc_reapurbnonblock(ps, p);
2389 goto done;
2390
2391#ifdef CONFIG_COMPAT
2392 case USBDEVFS_REAPURB32:
2393 snoop(&dev->dev, "%s: REAPURB32\n", __func__);
2394 ret = proc_reapurb_compat(ps, p);
2395 goto done;
2396
2397 case USBDEVFS_REAPURBNDELAY32:
2398 snoop(&dev->dev, "%s: REAPURBNDELAY32\n", __func__);
2399 ret = proc_reapurbnonblock_compat(ps, p);
2400 goto done;
2401#endif
2402 }
2403
2404 if (!connected(ps)) {
2405 usb_unlock_device(dev);
2406 return -ENODEV;
2407 }
2408
2409 switch (cmd) {
2410 case USBDEVFS_CONTROL:
2411 snoop(&dev->dev, "%s: CONTROL\n", __func__);
2412 ret = proc_control(ps, p);
2413 if (ret >= 0)
2414 inode->i_mtime = current_time(inode);
2415 break;
2416
2417 case USBDEVFS_BULK:
2418 snoop(&dev->dev, "%s: BULK\n", __func__);
2419 ret = proc_bulk(ps, p);
2420 if (ret >= 0)
2421 inode->i_mtime = current_time(inode);
2422 break;
2423
2424 case USBDEVFS_RESETEP:
2425 snoop(&dev->dev, "%s: RESETEP\n", __func__);
2426 ret = proc_resetep(ps, p);
2427 if (ret >= 0)
2428 inode->i_mtime = current_time(inode);
2429 break;
2430
2431 case USBDEVFS_RESET:
2432 snoop(&dev->dev, "%s: RESET\n", __func__);
2433 ret = proc_resetdevice(ps);
2434 break;
2435
2436 case USBDEVFS_CLEAR_HALT:
2437 snoop(&dev->dev, "%s: CLEAR_HALT\n", __func__);
2438 ret = proc_clearhalt(ps, p);
2439 if (ret >= 0)
2440 inode->i_mtime = current_time(inode);
2441 break;
2442
2443 case USBDEVFS_GETDRIVER:
2444 snoop(&dev->dev, "%s: GETDRIVER\n", __func__);
2445 ret = proc_getdriver(ps, p);
2446 break;
2447
2448 case USBDEVFS_CONNECTINFO:
2449 snoop(&dev->dev, "%s: CONNECTINFO\n", __func__);
2450 ret = proc_connectinfo(ps, p);
2451 break;
2452
2453 case USBDEVFS_SETINTERFACE:
2454 snoop(&dev->dev, "%s: SETINTERFACE\n", __func__);
2455 ret = proc_setintf(ps, p);
2456 break;
2457
2458 case USBDEVFS_SETCONFIGURATION:
2459 snoop(&dev->dev, "%s: SETCONFIGURATION\n", __func__);
2460 ret = proc_setconfig(ps, p);
2461 break;
2462
2463 case USBDEVFS_SUBMITURB:
2464 snoop(&dev->dev, "%s: SUBMITURB\n", __func__);
2465 ret = proc_submiturb(ps, p);
2466 if (ret >= 0)
2467 inode->i_mtime = current_time(inode);
2468 break;
2469
2470#ifdef CONFIG_COMPAT
2471 case USBDEVFS_CONTROL32:
2472 snoop(&dev->dev, "%s: CONTROL32\n", __func__);
2473 ret = proc_control_compat(ps, p);
2474 if (ret >= 0)
2475 inode->i_mtime = current_time(inode);
2476 break;
2477
2478 case USBDEVFS_BULK32:
2479 snoop(&dev->dev, "%s: BULK32\n", __func__);
2480 ret = proc_bulk_compat(ps, p);
2481 if (ret >= 0)
2482 inode->i_mtime = current_time(inode);
2483 break;
2484
2485 case USBDEVFS_DISCSIGNAL32:
2486 snoop(&dev->dev, "%s: DISCSIGNAL32\n", __func__);
2487 ret = proc_disconnectsignal_compat(ps, p);
2488 break;
2489
2490 case USBDEVFS_SUBMITURB32:
2491 snoop(&dev->dev, "%s: SUBMITURB32\n", __func__);
2492 ret = proc_submiturb_compat(ps, p);
2493 if (ret >= 0)
2494 inode->i_mtime = current_time(inode);
2495 break;
2496
2497 case USBDEVFS_IOCTL32:
2498 snoop(&dev->dev, "%s: IOCTL32\n", __func__);
2499 ret = proc_ioctl_compat(ps, ptr_to_compat(p));
2500 break;
2501#endif
2502
2503 case USBDEVFS_DISCARDURB:
2504 snoop(&dev->dev, "%s: DISCARDURB %pK\n", __func__, p);
2505 ret = proc_unlinkurb(ps, p);
2506 break;
2507
2508 case USBDEVFS_DISCSIGNAL:
2509 snoop(&dev->dev, "%s: DISCSIGNAL\n", __func__);
2510 ret = proc_disconnectsignal(ps, p);
2511 break;
2512
2513 case USBDEVFS_CLAIMINTERFACE:
2514 snoop(&dev->dev, "%s: CLAIMINTERFACE\n", __func__);
2515 ret = proc_claiminterface(ps, p);
2516 break;
2517
2518 case USBDEVFS_RELEASEINTERFACE:
2519 snoop(&dev->dev, "%s: RELEASEINTERFACE\n", __func__);
2520 ret = proc_releaseinterface(ps, p);
2521 break;
2522
2523 case USBDEVFS_IOCTL:
2524 snoop(&dev->dev, "%s: IOCTL\n", __func__);
2525 ret = proc_ioctl_default(ps, p);
2526 break;
2527
2528 case USBDEVFS_CLAIM_PORT:
2529 snoop(&dev->dev, "%s: CLAIM_PORT\n", __func__);
2530 ret = proc_claim_port(ps, p);
2531 break;
2532
2533 case USBDEVFS_RELEASE_PORT:
2534 snoop(&dev->dev, "%s: RELEASE_PORT\n", __func__);
2535 ret = proc_release_port(ps, p);
2536 break;
2537 case USBDEVFS_GET_CAPABILITIES:
2538 ret = proc_get_capabilities(ps, p);
2539 break;
2540 case USBDEVFS_DISCONNECT_CLAIM:
2541 ret = proc_disconnect_claim(ps, p);
2542 break;
2543 case USBDEVFS_ALLOC_STREAMS:
2544 ret = proc_alloc_streams(ps, p);
2545 break;
2546 case USBDEVFS_FREE_STREAMS:
2547 ret = proc_free_streams(ps, p);
2548 break;
2549 case USBDEVFS_DROP_PRIVILEGES:
2550 ret = proc_drop_privileges(ps, p);
2551 break;
2552 case USBDEVFS_GET_SPEED:
2553 ret = ps->dev->speed;
2554 break;
2555 }
2556
2557 done:
2558 usb_unlock_device(dev);
2559 if (ret >= 0)
2560 inode->i_atime = current_time(inode);
2561 return ret;
2562}
2563
2564static long usbdev_ioctl(struct file *file, unsigned int cmd,
2565 unsigned long arg)
2566{
2567 int ret;
2568
2569 ret = usbdev_do_ioctl(file, cmd, (void __user *)arg);
2570
2571 return ret;
2572}
2573
2574#ifdef CONFIG_COMPAT
2575static long usbdev_compat_ioctl(struct file *file, unsigned int cmd,
2576 unsigned long arg)
2577{
2578 int ret;
2579
2580 ret = usbdev_do_ioctl(file, cmd, compat_ptr(arg));
2581
2582 return ret;
2583}
2584#endif
2585
2586
2587static __poll_t usbdev_poll(struct file *file,
2588 struct poll_table_struct *wait)
2589{
2590 struct usb_dev_state *ps = file->private_data;
2591 __poll_t mask = 0;
2592
2593 poll_wait(file, &ps->wait, wait);
2594 if (file->f_mode & FMODE_WRITE && !list_empty(&ps->async_completed))
2595 mask |= EPOLLOUT | EPOLLWRNORM;
2596 if (!connected(ps))
2597 mask |= EPOLLHUP;
2598 if (list_empty(&ps->list))
2599 mask |= EPOLLERR;
2600 return mask;
2601}
2602
2603const struct file_operations usbdev_file_operations = {
2604 .owner = THIS_MODULE,
2605 .llseek = no_seek_end_llseek,
2606 .read = usbdev_read,
2607 .poll = usbdev_poll,
2608 .unlocked_ioctl = usbdev_ioctl,
2609#ifdef CONFIG_COMPAT
2610 .compat_ioctl = usbdev_compat_ioctl,
2611#endif
2612 .mmap = usbdev_mmap,
2613 .open = usbdev_open,
2614 .release = usbdev_release,
2615};
2616
2617static void usbdev_remove(struct usb_device *udev)
2618{
2619 struct usb_dev_state *ps;
2620 struct siginfo sinfo;
2621
2622 while (!list_empty(&udev->filelist)) {
2623 ps = list_entry(udev->filelist.next, struct usb_dev_state, list);
2624 destroy_all_async(ps);
2625 wake_up_all(&ps->wait);
2626 list_del_init(&ps->list);
2627 if (ps->discsignr) {
2628 clear_siginfo(&sinfo);
2629 sinfo.si_signo = ps->discsignr;
2630 sinfo.si_errno = EPIPE;
2631 sinfo.si_code = SI_ASYNCIO;
2632 sinfo.si_addr = ps->disccontext;
2633 kill_pid_info_as_cred(ps->discsignr, &sinfo,
2634 ps->disc_pid, ps->cred);
2635 }
2636 }
2637}
2638
2639static int usbdev_notify(struct notifier_block *self,
2640 unsigned long action, void *dev)
2641{
2642 switch (action) {
2643 case USB_DEVICE_ADD:
2644 break;
2645 case USB_DEVICE_REMOVE:
2646 usbdev_remove(dev);
2647 break;
2648 }
2649 return NOTIFY_OK;
2650}
2651
2652static struct notifier_block usbdev_nb = {
2653 .notifier_call = usbdev_notify,
2654};
2655
2656static struct cdev usb_device_cdev;
2657
2658int __init usb_devio_init(void)
2659{
2660 int retval;
2661
2662 retval = register_chrdev_region(USB_DEVICE_DEV, USB_DEVICE_MAX,
2663 "usb_device");
2664 if (retval) {
2665 printk(KERN_ERR "Unable to register minors for usb_device\n");
2666 goto out;
2667 }
2668 cdev_init(&usb_device_cdev, &usbdev_file_operations);
2669 retval = cdev_add(&usb_device_cdev, USB_DEVICE_DEV, USB_DEVICE_MAX);
2670 if (retval) {
2671 printk(KERN_ERR "Unable to get usb_device major %d\n",
2672 USB_DEVICE_MAJOR);
2673 goto error_cdev;
2674 }
2675 usb_register_notify(&usbdev_nb);
2676out:
2677 return retval;
2678
2679error_cdev:
2680 unregister_chrdev_region(USB_DEVICE_DEV, USB_DEVICE_MAX);
2681 goto out;
2682}
2683
2684void usb_devio_cleanup(void)
2685{
2686 usb_unregister_notify(&usbdev_nb);
2687 cdev_del(&usb_device_cdev);
2688 unregister_chrdev_region(USB_DEVICE_DEV, USB_DEVICE_MAX);
2689}
2690
