1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37#include <linux/fs.h>
38#include <linux/mm.h>
39#include <linux/slab.h>
40#include <linux/signal.h>
41#include <linux/poll.h>
42#include <linux/module.h>
43#include <linux/string.h>
44#include <linux/usb.h>
45#include <linux/usbdevice_fs.h>
46#include <linux/usb/hcd.h>
47#include <linux/cdev.h>
48#include <linux/notifier.h>
49#include <linux/security.h>
50#include <linux/user_namespace.h>
51#include <linux/scatterlist.h>
52#include <linux/uaccess.h>
53#include <linux/dma-mapping.h>
54#include <asm/byteorder.h>
55#include <linux/moduleparam.h>
56
57#include "usb.h"
58
59#define USB_MAXBUS 64
60#define USB_DEVICE_MAX (USB_MAXBUS * 128)
61#define USB_SG_SIZE 16384
62
63
64DEFINE_MUTEX(usbfs_mutex);
65
66struct usb_dev_state {
67 struct list_head list;
68 struct usb_device *dev;
69 struct file *file;
70 spinlock_t lock;
71 struct list_head async_pending;
72 struct list_head async_completed;
73 struct list_head memory_list;
74 wait_queue_head_t wait;
75 unsigned int discsignr;
76 struct pid *disc_pid;
77 const struct cred *cred;
78 void __user *disccontext;
79 unsigned long ifclaimed;
80 u32 secid;
81 u32 disabled_bulk_eps;
82 bool privileges_dropped;
83 unsigned long interface_allowed_mask;
84};
85
86struct usb_memory {
87 struct list_head memlist;
88 int vma_use_count;
89 int urb_use_count;
90 u32 size;
91 void *mem;
92 dma_addr_t dma_handle;
93 unsigned long vm_start;
94 struct usb_dev_state *ps;
95};
96
97struct async {
98 struct list_head asynclist;
99 struct usb_dev_state *ps;
100 struct pid *pid;
101 const struct cred *cred;
102 unsigned int signr;
103 unsigned int ifnum;
104 void __user *userbuffer;
105 void __user *userurb;
106 struct urb *urb;
107 struct usb_memory *usbm;
108 unsigned int mem_usage;
109 int status;
110 u32 secid;
111 u8 bulk_addr;
112 u8 bulk_status;
113};
114
115static bool usbfs_snoop;
116module_param(usbfs_snoop, bool, S_IRUGO | S_IWUSR);
117MODULE_PARM_DESC(usbfs_snoop, "true to log all usbfs traffic");
118
119static unsigned usbfs_snoop_max = 65536;
120module_param(usbfs_snoop_max, uint, S_IRUGO | S_IWUSR);
121MODULE_PARM_DESC(usbfs_snoop_max,
122 "maximum number of bytes to print while snooping");
123
124#define snoop(dev, format, arg...) \
125 do { \
126 if (usbfs_snoop) \
127 dev_info(dev, format, ## arg); \
128 } while (0)
129
130enum snoop_when {
131 SUBMIT, COMPLETE
132};
133
134#define USB_DEVICE_DEV MKDEV(USB_DEVICE_MAJOR, 0)
135
136
137static unsigned usbfs_memory_mb = 16;
138module_param(usbfs_memory_mb, uint, 0644);
139MODULE_PARM_DESC(usbfs_memory_mb,
140 "maximum MB allowed for usbfs buffers (0 = no limit)");
141
142
143#define USBFS_XFER_MAX (UINT_MAX / 2 - 1000000)
144
145static atomic_t usbfs_memory_usage;
146
147
148static int usbfs_increase_memory_usage(unsigned amount)
149{
150 unsigned lim;
151
152
153
154
155
156 lim = ACCESS_ONCE(usbfs_memory_mb);
157 if (lim == 0 || lim > (USBFS_XFER_MAX >> 20))
158 lim = USBFS_XFER_MAX;
159 else
160 lim <<= 20;
161
162 atomic_add(amount, &usbfs_memory_usage);
163 if (atomic_read(&usbfs_memory_usage) <= lim)
164 return 0;
165 atomic_sub(amount, &usbfs_memory_usage);
166 return -ENOMEM;
167}
168
169
170static void usbfs_decrease_memory_usage(unsigned amount)
171{
172 atomic_sub(amount, &usbfs_memory_usage);
173}
174
175static int connected(struct usb_dev_state *ps)
176{
177 return (!list_empty(&ps->list) &&
178 ps->dev->state != USB_STATE_NOTATTACHED);
179}
180
181static void dec_usb_memory_use_count(struct usb_memory *usbm, int *count)
182{
183 struct usb_dev_state *ps = usbm->ps;
184 unsigned long flags;
185
186 spin_lock_irqsave(&ps->lock, flags);
187 --*count;
188 if (usbm->urb_use_count == 0 && usbm->vma_use_count == 0) {
189 list_del(&usbm->memlist);
190 spin_unlock_irqrestore(&ps->lock, flags);
191
192 usb_free_coherent(ps->dev, usbm->size, usbm->mem,
193 usbm->dma_handle);
194 usbfs_decrease_memory_usage(
195 usbm->size + sizeof(struct usb_memory));
196 kfree(usbm);
197 } else {
198 spin_unlock_irqrestore(&ps->lock, flags);
199 }
200}
201
202static void usbdev_vm_open(struct vm_area_struct *vma)
203{
204 struct usb_memory *usbm = vma->vm_private_data;
205 unsigned long flags;
206
207 spin_lock_irqsave(&usbm->ps->lock, flags);
208 ++usbm->vma_use_count;
209 spin_unlock_irqrestore(&usbm->ps->lock, flags);
210}
211
212static void usbdev_vm_close(struct vm_area_struct *vma)
213{
214 struct usb_memory *usbm = vma->vm_private_data;
215
216 dec_usb_memory_use_count(usbm, &usbm->vma_use_count);
217}
218
219static struct vm_operations_struct usbdev_vm_ops = {
220 .open = usbdev_vm_open,
221 .close = usbdev_vm_close
222};
223
224static int usbdev_mmap(struct file *file, struct vm_area_struct *vma)
225{
226 struct usb_memory *usbm = NULL;
227 struct usb_dev_state *ps = file->private_data;
228 size_t size = vma->vm_end - vma->vm_start;
229 void *mem;
230 unsigned long flags;
231 dma_addr_t dma_handle;
232 int ret;
233
234 ret = usbfs_increase_memory_usage(size + sizeof(struct usb_memory));
235 if (ret)
236 goto error;
237
238 usbm = kzalloc(sizeof(struct usb_memory), GFP_KERNEL);
239 if (!usbm) {
240 ret = -ENOMEM;
241 goto error_decrease_mem;
242 }
243
244 mem = usb_alloc_coherent(ps->dev, size, GFP_USER, &dma_handle);
245 if (!mem) {
246 ret = -ENOMEM;
247 goto error_free_usbm;
248 }
249
250 memset(mem, 0, size);
251
252 usbm->mem = mem;
253 usbm->dma_handle = dma_handle;
254 usbm->size = size;
255 usbm->ps = ps;
256 usbm->vm_start = vma->vm_start;
257 usbm->vma_use_count = 1;
258 INIT_LIST_HEAD(&usbm->memlist);
259
260 if (remap_pfn_range(vma, vma->vm_start,
261 virt_to_phys(usbm->mem) >> PAGE_SHIFT,
262 size, vma->vm_page_prot) < 0) {
263 dec_usb_memory_use_count(usbm, &usbm->vma_use_count);
264 return -EAGAIN;
265 }
266
267 vma->vm_flags |= VM_IO;
268 vma->vm_flags |= (VM_DONTEXPAND | VM_DONTDUMP);
269 vma->vm_ops = &usbdev_vm_ops;
270 vma->vm_private_data = usbm;
271
272 spin_lock_irqsave(&ps->lock, flags);
273 list_add_tail(&usbm->memlist, &ps->memory_list);
274 spin_unlock_irqrestore(&ps->lock, flags);
275
276 return 0;
277
278error_free_usbm:
279 kfree(usbm);
280error_decrease_mem:
281 usbfs_decrease_memory_usage(size + sizeof(struct usb_memory));
282error:
283 return ret;
284}
285
286static ssize_t usbdev_read(struct file *file, char __user *buf, size_t nbytes,
287 loff_t *ppos)
288{
289 struct usb_dev_state *ps = file->private_data;
290 struct usb_device *dev = ps->dev;
291 ssize_t ret = 0;
292 unsigned len;
293 loff_t pos;
294 int i;
295
296 pos = *ppos;
297 usb_lock_device(dev);
298 if (!connected(ps)) {
299 ret = -ENODEV;
300 goto err;
301 } else if (pos < 0) {
302 ret = -EINVAL;
303 goto err;
304 }
305
306 if (pos < sizeof(struct usb_device_descriptor)) {
307
308 struct usb_device_descriptor temp_desc;
309
310 memcpy(&temp_desc, &dev->descriptor, sizeof(dev->descriptor));
311 le16_to_cpus(&temp_desc.bcdUSB);
312 le16_to_cpus(&temp_desc.idVendor);
313 le16_to_cpus(&temp_desc.idProduct);
314 le16_to_cpus(&temp_desc.bcdDevice);
315
316 len = sizeof(struct usb_device_descriptor) - pos;
317 if (len > nbytes)
318 len = nbytes;
319 if (copy_to_user(buf, ((char *)&temp_desc) + pos, len)) {
320 ret = -EFAULT;
321 goto err;
322 }
323
324 *ppos += len;
325 buf += len;
326 nbytes -= len;
327 ret += len;
328 }
329
330 pos = sizeof(struct usb_device_descriptor);
331 for (i = 0; nbytes && i < dev->descriptor.bNumConfigurations; i++) {
332 struct usb_config_descriptor *config =
333 (struct usb_config_descriptor *)dev->rawdescriptors[i];
334 unsigned int length = le16_to_cpu(config->wTotalLength);
335
336 if (*ppos < pos + length) {
337
338
339
340 unsigned alloclen =
341 le16_to_cpu(dev->config[i].desc.wTotalLength);
342
343 len = length - (*ppos - pos);
344 if (len > nbytes)
345 len = nbytes;
346
347
348 if (alloclen > (*ppos - pos)) {
349 alloclen -= (*ppos - pos);
350 if (copy_to_user(buf,
351 dev->rawdescriptors[i] + (*ppos - pos),
352 min(len, alloclen))) {
353 ret = -EFAULT;
354 goto err;
355 }
356 }
357
358 *ppos += len;
359 buf += len;
360 nbytes -= len;
361 ret += len;
362 }
363
364 pos += length;
365 }
366
367err:
368 usb_unlock_device(dev);
369 return ret;
370}
371
372
373
374
375
376static struct async *alloc_async(unsigned int numisoframes)
377{
378 struct async *as;
379
380 as = kzalloc(sizeof(struct async), GFP_KERNEL);
381 if (!as)
382 return NULL;
383 as->urb = usb_alloc_urb(numisoframes, GFP_KERNEL);
384 if (!as->urb) {
385 kfree(as);
386 return NULL;
387 }
388 return as;
389}
390
391static void free_async(struct async *as)
392{
393 int i;
394
395 put_pid(as->pid);
396 if (as->cred)
397 put_cred(as->cred);
398 for (i = 0; i < as->urb->num_sgs; i++) {
399 if (sg_page(&as->urb->sg[i]))
400 kfree(sg_virt(&as->urb->sg[i]));
401 }
402
403 kfree(as->urb->sg);
404 if (as->usbm == NULL)
405 kfree(as->urb->transfer_buffer);
406 else
407 dec_usb_memory_use_count(as->usbm, &as->usbm->urb_use_count);
408
409 kfree(as->urb->setup_packet);
410 usb_free_urb(as->urb);
411 usbfs_decrease_memory_usage(as->mem_usage);
412 kfree(as);
413}
414
415static void async_newpending(struct async *as)
416{
417 struct usb_dev_state *ps = as->ps;
418 unsigned long flags;
419
420 spin_lock_irqsave(&ps->lock, flags);
421 list_add_tail(&as->asynclist, &ps->async_pending);
422 spin_unlock_irqrestore(&ps->lock, flags);
423}
424
425static void async_removepending(struct async *as)
426{
427 struct usb_dev_state *ps = as->ps;
428 unsigned long flags;
429
430 spin_lock_irqsave(&ps->lock, flags);
431 list_del_init(&as->asynclist);
432 spin_unlock_irqrestore(&ps->lock, flags);
433}
434
435static struct async *async_getcompleted(struct usb_dev_state *ps)
436{
437 unsigned long flags;
438 struct async *as = NULL;
439
440 spin_lock_irqsave(&ps->lock, flags);
441 if (!list_empty(&ps->async_completed)) {
442 as = list_entry(ps->async_completed.next, struct async,
443 asynclist);
444 list_del_init(&as->asynclist);
445 }
446 spin_unlock_irqrestore(&ps->lock, flags);
447 return as;
448}
449
450static struct async *async_getpending(struct usb_dev_state *ps,
451 void __user *userurb)
452{
453 struct async *as;
454
455 list_for_each_entry(as, &ps->async_pending, asynclist)
456 if (as->userurb == userurb) {
457 list_del_init(&as->asynclist);
458 return as;
459 }
460
461 return NULL;
462}
463
464static void snoop_urb(struct usb_device *udev,
465 void __user *userurb, int pipe, unsigned length,
466 int timeout_or_status, enum snoop_when when,
467 unsigned char *data, unsigned data_len)
468{
469 static const char *types[] = {"isoc", "int", "ctrl", "bulk"};
470 static const char *dirs[] = {"out", "in"};
471 int ep;
472 const char *t, *d;
473
474 if (!usbfs_snoop)
475 return;
476
477 ep = usb_pipeendpoint(pipe);
478 t = types[usb_pipetype(pipe)];
479 d = dirs[!!usb_pipein(pipe)];
480
481 if (userurb) {
482 if (when == SUBMIT)
483 dev_info(&udev->dev, "userurb %p, ep%d %s-%s, "
484 "length %u\n",
485 userurb, ep, t, d, length);
486 else
487 dev_info(&udev->dev, "userurb %p, ep%d %s-%s, "
488 "actual_length %u status %d\n",
489 userurb, ep, t, d, length,
490 timeout_or_status);
491 } else {
492 if (when == SUBMIT)
493 dev_info(&udev->dev, "ep%d %s-%s, length %u, "
494 "timeout %d\n",
495 ep, t, d, length, timeout_or_status);
496 else
497 dev_info(&udev->dev, "ep%d %s-%s, actual_length %u, "
498 "status %d\n",
499 ep, t, d, length, timeout_or_status);
500 }
501
502 data_len = min(data_len, usbfs_snoop_max);
503 if (data && data_len > 0) {
504 print_hex_dump(KERN_DEBUG, "data: ", DUMP_PREFIX_NONE, 32, 1,
505 data, data_len, 1);
506 }
507}
508
509static void snoop_urb_data(struct urb *urb, unsigned len)
510{
511 int i, size;
512
513 len = min(len, usbfs_snoop_max);
514 if (!usbfs_snoop || len == 0)
515 return;
516
517 if (urb->num_sgs == 0) {
518 print_hex_dump(KERN_DEBUG, "data: ", DUMP_PREFIX_NONE, 32, 1,
519 urb->transfer_buffer, len, 1);
520 return;
521 }
522
523 for (i = 0; i < urb->num_sgs && len; i++) {
524 size = (len > USB_SG_SIZE) ? USB_SG_SIZE : len;
525 print_hex_dump(KERN_DEBUG, "data: ", DUMP_PREFIX_NONE, 32, 1,
526 sg_virt(&urb->sg[i]), size, 1);
527 len -= size;
528 }
529}
530
531static int copy_urb_data_to_user(u8 __user *userbuffer, struct urb *urb)
532{
533 unsigned i, len, size;
534
535 if (urb->number_of_packets > 0)
536 len = urb->transfer_buffer_length;
537 else
538 len = urb->actual_length;
539
540 if (urb->num_sgs == 0) {
541 if (copy_to_user(userbuffer, urb->transfer_buffer, len))
542 return -EFAULT;
543 return 0;
544 }
545
546 for (i = 0; i < urb->num_sgs && len; i++) {
547 size = (len > USB_SG_SIZE) ? USB_SG_SIZE : len;
548 if (copy_to_user(userbuffer, sg_virt(&urb->sg[i]), size))
549 return -EFAULT;
550 userbuffer += size;
551 len -= size;
552 }
553
554 return 0;
555}
556
557#define AS_CONTINUATION 1
558#define AS_UNLINK 2
559
560static void cancel_bulk_urbs(struct usb_dev_state *ps, unsigned bulk_addr)
561__releases(ps->lock)
562__acquires(ps->lock)
563{
564 struct urb *urb;
565 struct async *as;
566
567
568
569
570
571
572 list_for_each_entry(as, &ps->async_pending, asynclist) {
573 if (as->bulk_addr == bulk_addr) {
574 if (as->bulk_status != AS_CONTINUATION)
575 goto rescan;
576 as->bulk_status = AS_UNLINK;
577 as->bulk_addr = 0;
578 }
579 }
580 ps->disabled_bulk_eps |= (1 << bulk_addr);
581
582
583 rescan:
584 list_for_each_entry(as, &ps->async_pending, asynclist) {
585 if (as->bulk_status == AS_UNLINK) {
586 as->bulk_status = 0;
587 urb = as->urb;
588 usb_get_urb(urb);
589 spin_unlock(&ps->lock);
590 usb_unlink_urb(urb);
591 usb_put_urb(urb);
592 spin_lock(&ps->lock);
593 goto rescan;
594 }
595 }
596}
597
598static void async_completed(struct urb *urb)
599{
600 struct async *as = urb->context;
601 struct usb_dev_state *ps = as->ps;
602 struct siginfo sinfo;
603 struct pid *pid = NULL;
604 u32 secid = 0;
605 const struct cred *cred = NULL;
606 int signr;
607
608 spin_lock(&ps->lock);
609 list_move_tail(&as->asynclist, &ps->async_completed);
610 as->status = urb->status;
611 signr = as->signr;
612 if (signr) {
613 memset(&sinfo, 0, sizeof(sinfo));
614 sinfo.si_signo = as->signr;
615 sinfo.si_errno = as->status;
616 sinfo.si_code = SI_ASYNCIO;
617 sinfo.si_addr = as->userurb;
618 pid = get_pid(as->pid);
619 cred = get_cred(as->cred);
620 secid = as->secid;
621 }
622 snoop(&urb->dev->dev, "urb complete\n");
623 snoop_urb(urb->dev, as->userurb, urb->pipe, urb->actual_length,
624 as->status, COMPLETE, NULL, 0);
625 if ((urb->transfer_flags & URB_DIR_MASK) == URB_DIR_IN)
626 snoop_urb_data(urb, urb->actual_length);
627
628 if (as->status < 0 && as->bulk_addr && as->status != -ECONNRESET &&
629 as->status != -ENOENT)
630 cancel_bulk_urbs(ps, as->bulk_addr);
631 spin_unlock(&ps->lock);
632
633 if (signr) {
634 kill_pid_info_as_cred(sinfo.si_signo, &sinfo, pid, cred, secid);
635 put_pid(pid);
636 put_cred(cred);
637 }
638
639 wake_up(&ps->wait);
640}
641
642static void destroy_async(struct usb_dev_state *ps, struct list_head *list)
643{
644 struct urb *urb;
645 struct async *as;
646 unsigned long flags;
647
648 spin_lock_irqsave(&ps->lock, flags);
649 while (!list_empty(list)) {
650 as = list_entry(list->next, struct async, asynclist);
651 list_del_init(&as->asynclist);
652 urb = as->urb;
653 usb_get_urb(urb);
654
655
656 spin_unlock_irqrestore(&ps->lock, flags);
657 usb_kill_urb(urb);
658 usb_put_urb(urb);
659 spin_lock_irqsave(&ps->lock, flags);
660 }
661 spin_unlock_irqrestore(&ps->lock, flags);
662}
663
664static void destroy_async_on_interface(struct usb_dev_state *ps,
665 unsigned int ifnum)
666{
667 struct list_head *p, *q, hitlist;
668 unsigned long flags;
669
670 INIT_LIST_HEAD(&hitlist);
671 spin_lock_irqsave(&ps->lock, flags);
672 list_for_each_safe(p, q, &ps->async_pending)
673 if (ifnum == list_entry(p, struct async, asynclist)->ifnum)
674 list_move_tail(p, &hitlist);
675 spin_unlock_irqrestore(&ps->lock, flags);
676 destroy_async(ps, &hitlist);
677}
678
679static void destroy_all_async(struct usb_dev_state *ps)
680{
681 destroy_async(ps, &ps->async_pending);
682}
683
684
685
686
687
688
689
690static int driver_probe(struct usb_interface *intf,
691 const struct usb_device_id *id)
692{
693 return -ENODEV;
694}
695
696static void driver_disconnect(struct usb_interface *intf)
697{
698 struct usb_dev_state *ps = usb_get_intfdata(intf);
699 unsigned int ifnum = intf->altsetting->desc.bInterfaceNumber;
700
701 if (!ps)
702 return;
703
704
705
706
707
708 if (likely(ifnum < 8*sizeof(ps->ifclaimed)))
709 clear_bit(ifnum, &ps->ifclaimed);
710 else
711 dev_warn(&intf->dev, "interface number %u out of range\n",
712 ifnum);
713
714 usb_set_intfdata(intf, NULL);
715
716
717 destroy_async_on_interface(ps, ifnum);
718}
719
720
721
722
723static int driver_suspend(struct usb_interface *intf, pm_message_t msg)
724{
725 return 0;
726}
727
728static int driver_resume(struct usb_interface *intf)
729{
730 return 0;
731}
732
733struct usb_driver usbfs_driver = {
734 .name = "usbfs",
735 .probe = driver_probe,
736 .disconnect = driver_disconnect,
737 .suspend = driver_suspend,
738 .resume = driver_resume,
739};
740
741static int claimintf(struct usb_dev_state *ps, unsigned int ifnum)
742{
743 struct usb_device *dev = ps->dev;
744 struct usb_interface *intf;
745 int err;
746
747 if (ifnum >= 8*sizeof(ps->ifclaimed))
748 return -EINVAL;
749
750 if (test_bit(ifnum, &ps->ifclaimed))
751 return 0;
752
753 if (ps->privileges_dropped &&
754 !test_bit(ifnum, &ps->interface_allowed_mask))
755 return -EACCES;
756
757 intf = usb_ifnum_to_if(dev, ifnum);
758 if (!intf)
759 err = -ENOENT;
760 else
761 err = usb_driver_claim_interface(&usbfs_driver, intf, ps);
762 if (err == 0)
763 set_bit(ifnum, &ps->ifclaimed);
764 return err;
765}
766
767static int releaseintf(struct usb_dev_state *ps, unsigned int ifnum)
768{
769 struct usb_device *dev;
770 struct usb_interface *intf;
771 int err;
772
773 err = -EINVAL;
774 if (ifnum >= 8*sizeof(ps->ifclaimed))
775 return err;
776 dev = ps->dev;
777 intf = usb_ifnum_to_if(dev, ifnum);
778 if (!intf)
779 err = -ENOENT;
780 else if (test_and_clear_bit(ifnum, &ps->ifclaimed)) {
781 usb_driver_release_interface(&usbfs_driver, intf);
782 err = 0;
783 }
784 return err;
785}
786
787static int checkintf(struct usb_dev_state *ps, unsigned int ifnum)
788{
789 if (ps->dev->state != USB_STATE_CONFIGURED)
790 return -EHOSTUNREACH;
791 if (ifnum >= 8*sizeof(ps->ifclaimed))
792 return -EINVAL;
793 if (test_bit(ifnum, &ps->ifclaimed))
794 return 0;
795
796 dev_warn(&ps->dev->dev, "usbfs: process %d (%s) did not claim "
797 "interface %u before use\n", task_pid_nr(current),
798 current->comm, ifnum);
799 return claimintf(ps, ifnum);
800}
801
802static int findintfep(struct usb_device *dev, unsigned int ep)
803{
804 unsigned int i, j, e;
805 struct usb_interface *intf;
806 struct usb_host_interface *alts;
807 struct usb_endpoint_descriptor *endpt;
808
809 if (ep & ~(USB_DIR_IN|0xf))
810 return -EINVAL;
811 if (!dev->actconfig)
812 return -ESRCH;
813 for (i = 0; i < dev->actconfig->desc.bNumInterfaces; i++) {
814 intf = dev->actconfig->interface[i];
815 for (j = 0; j < intf->num_altsetting; j++) {
816 alts = &intf->altsetting[j];
817 for (e = 0; e < alts->desc.bNumEndpoints; e++) {
818 endpt = &alts->endpoint[e].desc;
819 if (endpt->bEndpointAddress == ep)
820 return alts->desc.bInterfaceNumber;
821 }
822 }
823 }
824 return -ENOENT;
825}
826
827static int check_ctrlrecip(struct usb_dev_state *ps, unsigned int requesttype,
828 unsigned int request, unsigned int index)
829{
830 int ret = 0;
831 struct usb_host_interface *alt_setting;
832
833 if (ps->dev->state != USB_STATE_UNAUTHENTICATED
834 && ps->dev->state != USB_STATE_ADDRESS
835 && ps->dev->state != USB_STATE_CONFIGURED)
836 return -EHOSTUNREACH;
837 if (USB_TYPE_VENDOR == (USB_TYPE_MASK & requesttype))
838 return 0;
839
840
841
842
843
844
845 if (requesttype == 0xa1 && request == 0) {
846 alt_setting = usb_find_alt_setting(ps->dev->actconfig,
847 index >> 8, index & 0xff);
848 if (alt_setting
849 && alt_setting->desc.bInterfaceClass == USB_CLASS_PRINTER)
850 return 0;
851 }
852
853 index &= 0xff;
854 switch (requesttype & USB_RECIP_MASK) {
855 case USB_RECIP_ENDPOINT:
856 if ((index & ~USB_DIR_IN) == 0)
857 return 0;
858 ret = findintfep(ps->dev, index);
859 if (ret < 0) {
860
861
862
863
864
865
866
867
868 ret = findintfep(ps->dev, index ^ 0x80);
869 if (ret >= 0)
870 dev_info(&ps->dev->dev,
871 "%s: process %i (%s) requesting ep %02x but needs %02x\n",
872 __func__, task_pid_nr(current),
873 current->comm, index, index ^ 0x80);
874 }
875 if (ret >= 0)
876 ret = checkintf(ps, ret);
877 break;
878
879 case USB_RECIP_INTERFACE:
880 ret = checkintf(ps, index);
881 break;
882 }
883 return ret;
884}
885
886static struct usb_host_endpoint *ep_to_host_endpoint(struct usb_device *dev,
887 unsigned char ep)
888{
889 if (ep & USB_ENDPOINT_DIR_MASK)
890 return dev->ep_in[ep & USB_ENDPOINT_NUMBER_MASK];
891 else
892 return dev->ep_out[ep & USB_ENDPOINT_NUMBER_MASK];
893}
894
895static int parse_usbdevfs_streams(struct usb_dev_state *ps,
896 struct usbdevfs_streams __user *streams,
897 unsigned int *num_streams_ret,
898 unsigned int *num_eps_ret,
899 struct usb_host_endpoint ***eps_ret,
900 struct usb_interface **intf_ret)
901{
902 unsigned int i, num_streams, num_eps;
903 struct usb_host_endpoint **eps;
904 struct usb_interface *intf = NULL;
905 unsigned char ep;
906 int ifnum, ret;
907
908 if (get_user(num_streams, &streams->num_streams) ||
909 get_user(num_eps, &streams->num_eps))
910 return -EFAULT;
911
912 if (num_eps < 1 || num_eps > USB_MAXENDPOINTS)
913 return -EINVAL;
914
915
916 if (num_streams_ret && (num_streams < 2 || num_streams > 65536))
917 return -EINVAL;
918
919 eps = kmalloc(num_eps * sizeof(*eps), GFP_KERNEL);
920 if (!eps)
921 return -ENOMEM;
922
923 for (i = 0; i < num_eps; i++) {
924 if (get_user(ep, &streams->eps[i])) {
925 ret = -EFAULT;
926 goto error;
927 }
928 eps[i] = ep_to_host_endpoint(ps->dev, ep);
929 if (!eps[i]) {
930 ret = -EINVAL;
931 goto error;
932 }
933
934
935 ifnum = findintfep(ps->dev, ep);
936 if (ifnum < 0) {
937 ret = ifnum;
938 goto error;
939 }
940
941 if (i == 0) {
942 ret = checkintf(ps, ifnum);
943 if (ret < 0)
944 goto error;
945 intf = usb_ifnum_to_if(ps->dev, ifnum);
946 } else {
947
948 if (ifnum != intf->altsetting->desc.bInterfaceNumber) {
949 ret = -EINVAL;
950 goto error;
951 }
952 }
953 }
954
955 if (num_streams_ret)
956 *num_streams_ret = num_streams;
957 *num_eps_ret = num_eps;
958 *eps_ret = eps;
959 *intf_ret = intf;
960
961 return 0;
962
963error:
964 kfree(eps);
965 return ret;
966}
967
968static int match_devt(struct device *dev, void *data)
969{
970 return dev->devt == (dev_t) (unsigned long) data;
971}
972
973static struct usb_device *usbdev_lookup_by_devt(dev_t devt)
974{
975 struct device *dev;
976
977 dev = bus_find_device(&usb_bus_type, NULL,
978 (void *) (unsigned long) devt, match_devt);
979 if (!dev)
980 return NULL;
981 return to_usb_device(dev);
982}
983
984
985
986
987static int usbdev_open(struct inode *inode, struct file *file)
988{
989 struct usb_device *dev = NULL;
990 struct usb_dev_state *ps;
991 int ret;
992
993 ret = -ENOMEM;
994 ps = kzalloc(sizeof(struct usb_dev_state), GFP_KERNEL);
995 if (!ps)
996 goto out_free_ps;
997
998 ret = -ENODEV;
999
1000
1001 mutex_lock(&usbfs_mutex);
1002
1003
1004 if (imajor(inode) == USB_DEVICE_MAJOR)
1005 dev = usbdev_lookup_by_devt(inode->i_rdev);
1006
1007 mutex_unlock(&usbfs_mutex);
1008
1009 if (!dev)
1010 goto out_free_ps;
1011
1012 usb_lock_device(dev);
1013 if (dev->state == USB_STATE_NOTATTACHED)
1014 goto out_unlock_device;
1015
1016 ret = usb_autoresume_device(dev);
1017 if (ret)
1018 goto out_unlock_device;
1019
1020 ps->dev = dev;
1021 ps->file = file;
1022 ps->interface_allowed_mask = 0xFFFFFFFF;
1023 spin_lock_init(&ps->lock);
1024 INIT_LIST_HEAD(&ps->list);
1025 INIT_LIST_HEAD(&ps->async_pending);
1026 INIT_LIST_HEAD(&ps->async_completed);
1027 INIT_LIST_HEAD(&ps->memory_list);
1028 init_waitqueue_head(&ps->wait);
1029 ps->disc_pid = get_pid(task_pid(current));
1030 ps->cred = get_current_cred();
1031 security_task_getsecid(current, &ps->secid);
1032 smp_wmb();
1033 list_add_tail(&ps->list, &dev->filelist);
1034 file->private_data = ps;
1035 usb_unlock_device(dev);
1036 snoop(&dev->dev, "opened by process %d: %s\n", task_pid_nr(current),
1037 current->comm);
1038 return ret;
1039
1040 out_unlock_device:
1041 usb_unlock_device(dev);
1042 usb_put_dev(dev);
1043 out_free_ps:
1044 kfree(ps);
1045 return ret;
1046}
1047
1048static int usbdev_release(struct inode *inode, struct file *file)
1049{
1050 struct usb_dev_state *ps = file->private_data;
1051 struct usb_device *dev = ps->dev;
1052 unsigned int ifnum;
1053 struct async *as;
1054
1055 usb_lock_device(dev);
1056 usb_hub_release_all_ports(dev, ps);
1057
1058 list_del_init(&ps->list);
1059
1060 for (ifnum = 0; ps->ifclaimed && ifnum < 8*sizeof(ps->ifclaimed);
1061 ifnum++) {
1062 if (test_bit(ifnum, &ps->ifclaimed))
1063 releaseintf(ps, ifnum);
1064 }
1065 destroy_all_async(ps);
1066 usb_autosuspend_device(dev);
1067 usb_unlock_device(dev);
1068 usb_put_dev(dev);
1069 put_pid(ps->disc_pid);
1070 put_cred(ps->cred);
1071
1072 as = async_getcompleted(ps);
1073 while (as) {
1074 free_async(as);
1075 as = async_getcompleted(ps);
1076 }
1077
1078 kfree(ps);
1079 return 0;
1080}
1081
1082static int proc_control(struct usb_dev_state *ps, void __user *arg)
1083{
1084 struct usb_device *dev = ps->dev;
1085 struct usbdevfs_ctrltransfer ctrl;
1086 unsigned int tmo;
1087 unsigned char *tbuf;
1088 unsigned wLength;
1089 int i, pipe, ret;
1090
1091 if (copy_from_user(&ctrl, arg, sizeof(ctrl)))
1092 return -EFAULT;
1093 ret = check_ctrlrecip(ps, ctrl.bRequestType, ctrl.bRequest,
1094 ctrl.wIndex);
1095 if (ret)
1096 return ret;
1097 wLength = ctrl.wLength;
1098 if (wLength > PAGE_SIZE)
1099 return -EINVAL;
1100 ret = usbfs_increase_memory_usage(PAGE_SIZE + sizeof(struct urb) +
1101 sizeof(struct usb_ctrlrequest));
1102 if (ret)
1103 return ret;
1104 tbuf = (unsigned char *)__get_free_page(GFP_KERNEL);
1105 if (!tbuf) {
1106 ret = -ENOMEM;
1107 goto done;
1108 }
1109 tmo = ctrl.timeout;
1110 snoop(&dev->dev, "control urb: bRequestType=%02x "
1111 "bRequest=%02x wValue=%04x "
1112 "wIndex=%04x wLength=%04x\n",
1113 ctrl.bRequestType, ctrl.bRequest, ctrl.wValue,
1114 ctrl.wIndex, ctrl.wLength);
1115 if (ctrl.bRequestType & 0x80) {
1116 if (ctrl.wLength && !access_ok(VERIFY_WRITE, ctrl.data,
1117 ctrl.wLength)) {
1118 ret = -EINVAL;
1119 goto done;
1120 }
1121 pipe = usb_rcvctrlpipe(dev, 0);
1122 snoop_urb(dev, NULL, pipe, ctrl.wLength, tmo, SUBMIT, NULL, 0);
1123
1124 usb_unlock_device(dev);
1125 i = usb_control_msg(dev, pipe, ctrl.bRequest,
1126 ctrl.bRequestType, ctrl.wValue, ctrl.wIndex,
1127 tbuf, ctrl.wLength, tmo);
1128 usb_lock_device(dev);
1129 snoop_urb(dev, NULL, pipe, max(i, 0), min(i, 0), COMPLETE,
1130 tbuf, max(i, 0));
1131 if ((i > 0) && ctrl.wLength) {
1132 if (copy_to_user(ctrl.data, tbuf, i)) {
1133 ret = -EFAULT;
1134 goto done;
1135 }
1136 }
1137 } else {
1138 if (ctrl.wLength) {
1139 if (copy_from_user(tbuf, ctrl.data, ctrl.wLength)) {
1140 ret = -EFAULT;
1141 goto done;
1142 }
1143 }
1144 pipe = usb_sndctrlpipe(dev, 0);
1145 snoop_urb(dev, NULL, pipe, ctrl.wLength, tmo, SUBMIT,
1146 tbuf, ctrl.wLength);
1147
1148 usb_unlock_device(dev);
1149 i = usb_control_msg(dev, usb_sndctrlpipe(dev, 0), ctrl.bRequest,
1150 ctrl.bRequestType, ctrl.wValue, ctrl.wIndex,
1151 tbuf, ctrl.wLength, tmo);
1152 usb_lock_device(dev);
1153 snoop_urb(dev, NULL, pipe, max(i, 0), min(i, 0), COMPLETE, NULL, 0);
1154 }
1155 if (i < 0 && i != -EPIPE) {
1156 dev_printk(KERN_DEBUG, &dev->dev, "usbfs: USBDEVFS_CONTROL "
1157 "failed cmd %s rqt %u rq %u len %u ret %d\n",
1158 current->comm, ctrl.bRequestType, ctrl.bRequest,
1159 ctrl.wLength, i);
1160 }
1161 ret = i;
1162 done:
1163 free_page((unsigned long) tbuf);
1164 usbfs_decrease_memory_usage(PAGE_SIZE + sizeof(struct urb) +
1165 sizeof(struct usb_ctrlrequest));
1166 return ret;
1167}
1168
1169static int proc_bulk(struct usb_dev_state *ps, void __user *arg)
1170{
1171 struct usb_device *dev = ps->dev;
1172 struct usbdevfs_bulktransfer bulk;
1173 unsigned int tmo, len1, pipe;
1174 int len2;
1175 unsigned char *tbuf;
1176 int i, ret;
1177
1178 if (copy_from_user(&bulk, arg, sizeof(bulk)))
1179 return -EFAULT;
1180 ret = findintfep(ps->dev, bulk.ep);
1181 if (ret < 0)
1182 return ret;
1183 ret = checkintf(ps, ret);
1184 if (ret)
1185 return ret;
1186 if (bulk.ep & USB_DIR_IN)
1187 pipe = usb_rcvbulkpipe(dev, bulk.ep & 0x7f);
1188 else
1189 pipe = usb_sndbulkpipe(dev, bulk.ep & 0x7f);
1190 if (!usb_maxpacket(dev, pipe, !(bulk.ep & USB_DIR_IN)))
1191 return -EINVAL;
1192 len1 = bulk.len;
1193 if (len1 >= USBFS_XFER_MAX)
1194 return -EINVAL;
1195 ret = usbfs_increase_memory_usage(len1 + sizeof(struct urb));
1196 if (ret)
1197 return ret;
1198 tbuf = kmalloc(len1, GFP_KERNEL);
1199 if (!tbuf) {
1200 ret = -ENOMEM;
1201 goto done;
1202 }
1203 tmo = bulk.timeout;
1204 if (bulk.ep & 0x80) {
1205 if (len1 && !access_ok(VERIFY_WRITE, bulk.data, len1)) {
1206 ret = -EINVAL;
1207 goto done;
1208 }
1209 snoop_urb(dev, NULL, pipe, len1, tmo, SUBMIT, NULL, 0);
1210
1211 usb_unlock_device(dev);
1212 i = usb_bulk_msg(dev, pipe, tbuf, len1, &len2, tmo);
1213 usb_lock_device(dev);
1214 snoop_urb(dev, NULL, pipe, len2, i, COMPLETE, tbuf, len2);
1215
1216 if (!i && len2) {
1217 if (copy_to_user(bulk.data, tbuf, len2)) {
1218 ret = -EFAULT;
1219 goto done;
1220 }
1221 }
1222 } else {
1223 if (len1) {
1224 if (copy_from_user(tbuf, bulk.data, len1)) {
1225 ret = -EFAULT;
1226 goto done;
1227 }
1228 }
1229 snoop_urb(dev, NULL, pipe, len1, tmo, SUBMIT, tbuf, len1);
1230
1231 usb_unlock_device(dev);
1232 i = usb_bulk_msg(dev, pipe, tbuf, len1, &len2, tmo);
1233 usb_lock_device(dev);
1234 snoop_urb(dev, NULL, pipe, len2, i, COMPLETE, NULL, 0);
1235 }
1236 ret = (i < 0 ? i : len2);
1237 done:
1238 kfree(tbuf);
1239 usbfs_decrease_memory_usage(len1 + sizeof(struct urb));
1240 return ret;
1241}
1242
1243static void check_reset_of_active_ep(struct usb_device *udev,
1244 unsigned int epnum, char *ioctl_name)
1245{
1246 struct usb_host_endpoint **eps;
1247 struct usb_host_endpoint *ep;
1248
1249 eps = (epnum & USB_DIR_IN) ? udev->ep_in : udev->ep_out;
1250 ep = eps[epnum & 0x0f];
1251 if (ep && !list_empty(&ep->urb_list))
1252 dev_warn(&udev->dev, "Process %d (%s) called USBDEVFS_%s for active endpoint 0x%02x\n",
1253 task_pid_nr(current), current->comm,
1254 ioctl_name, epnum);
1255}
1256
1257static int proc_resetep(struct usb_dev_state *ps, void __user *arg)
1258{
1259 unsigned int ep;
1260 int ret;
1261
1262 if (get_user(ep, (unsigned int __user *)arg))
1263 return -EFAULT;
1264 ret = findintfep(ps->dev, ep);
1265 if (ret < 0)
1266 return ret;
1267 ret = checkintf(ps, ret);
1268 if (ret)
1269 return ret;
1270 check_reset_of_active_ep(ps->dev, ep, "RESETEP");
1271 usb_reset_endpoint(ps->dev, ep);
1272 return 0;
1273}
1274
1275static int proc_clearhalt(struct usb_dev_state *ps, void __user *arg)
1276{
1277 unsigned int ep;
1278 int pipe;
1279 int ret;
1280
1281 if (get_user(ep, (unsigned int __user *)arg))
1282 return -EFAULT;
1283 ret = findintfep(ps->dev, ep);
1284 if (ret < 0)
1285 return ret;
1286 ret = checkintf(ps, ret);
1287 if (ret)
1288 return ret;
1289 check_reset_of_active_ep(ps->dev, ep, "CLEAR_HALT");
1290 if (ep & USB_DIR_IN)
1291 pipe = usb_rcvbulkpipe(ps->dev, ep & 0x7f);
1292 else
1293 pipe = usb_sndbulkpipe(ps->dev, ep & 0x7f);
1294
1295 return usb_clear_halt(ps->dev, pipe);
1296}
1297
1298static int proc_getdriver(struct usb_dev_state *ps, void __user *arg)
1299{
1300 struct usbdevfs_getdriver gd;
1301 struct usb_interface *intf;
1302 int ret;
1303
1304 if (copy_from_user(&gd, arg, sizeof(gd)))
1305 return -EFAULT;
1306 intf = usb_ifnum_to_if(ps->dev, gd.interface);
1307 if (!intf || !intf->dev.driver)
1308 ret = -ENODATA;
1309 else {
1310 strlcpy(gd.driver, intf->dev.driver->name,
1311 sizeof(gd.driver));
1312 ret = (copy_to_user(arg, &gd, sizeof(gd)) ? -EFAULT : 0);
1313 }
1314 return ret;
1315}
1316
1317static int proc_connectinfo(struct usb_dev_state *ps, void __user *arg)
1318{
1319 struct usbdevfs_connectinfo ci;
1320
1321 memset(&ci, 0, sizeof(ci));
1322 ci.devnum = ps->dev->devnum;
1323 ci.slow = ps->dev->speed == USB_SPEED_LOW;
1324
1325 if (copy_to_user(arg, &ci, sizeof(ci)))
1326 return -EFAULT;
1327 return 0;
1328}
1329
1330static int proc_resetdevice(struct usb_dev_state *ps)
1331{
1332 struct usb_host_config *actconfig = ps->dev->actconfig;
1333 struct usb_interface *interface;
1334 int i, number;
1335
1336
1337
1338
1339
1340 if (ps->privileges_dropped && actconfig) {
1341 for (i = 0; i < actconfig->desc.bNumInterfaces; ++i) {
1342 interface = actconfig->interface[i];
1343 number = interface->cur_altsetting->desc.bInterfaceNumber;
1344 if (usb_interface_claimed(interface) &&
1345 !test_bit(number, &ps->ifclaimed)) {
1346 dev_warn(&ps->dev->dev,
1347 "usbfs: interface %d claimed by %s while '%s' resets device\n",
1348 number, interface->dev.driver->name, current->comm);
1349 return -EACCES;
1350 }
1351 }
1352 }
1353
1354 return usb_reset_device(ps->dev);
1355}
1356
1357static int proc_setintf(struct usb_dev_state *ps, void __user *arg)
1358{
1359 struct usbdevfs_setinterface setintf;
1360 int ret;
1361
1362 if (copy_from_user(&setintf, arg, sizeof(setintf)))
1363 return -EFAULT;
1364 ret = checkintf(ps, setintf.interface);
1365 if (ret)
1366 return ret;
1367
1368 destroy_async_on_interface(ps, setintf.interface);
1369
1370 return usb_set_interface(ps->dev, setintf.interface,
1371 setintf.altsetting);
1372}
1373
1374static int proc_setconfig(struct usb_dev_state *ps, void __user *arg)
1375{
1376 int u;
1377 int status = 0;
1378 struct usb_host_config *actconfig;
1379
1380 if (get_user(u, (int __user *)arg))
1381 return -EFAULT;
1382
1383 actconfig = ps->dev->actconfig;
1384
1385
1386
1387
1388
1389 if (actconfig) {
1390 int i;
1391
1392 for (i = 0; i < actconfig->desc.bNumInterfaces; ++i) {
1393 if (usb_interface_claimed(actconfig->interface[i])) {
1394 dev_warn(&ps->dev->dev,
1395 "usbfs: interface %d claimed by %s "
1396 "while '%s' sets config #%d\n",
1397 actconfig->interface[i]
1398 ->cur_altsetting
1399 ->desc.bInterfaceNumber,
1400 actconfig->interface[i]
1401 ->dev.driver->name,
1402 current->comm, u);
1403 status = -EBUSY;
1404 break;
1405 }
1406 }
1407 }
1408
1409
1410
1411
1412 if (status == 0) {
1413 if (actconfig && actconfig->desc.bConfigurationValue == u)
1414 status = usb_reset_configuration(ps->dev);
1415 else
1416 status = usb_set_configuration(ps->dev, u);
1417 }
1418
1419 return status;
1420}
1421
1422static struct usb_memory *
1423find_memory_area(struct usb_dev_state *ps, const struct usbdevfs_urb *uurb)
1424{
1425 struct usb_memory *usbm = NULL, *iter;
1426 unsigned long flags;
1427 unsigned long uurb_start = (unsigned long)uurb->buffer;
1428
1429 spin_lock_irqsave(&ps->lock, flags);
1430 list_for_each_entry(iter, &ps->memory_list, memlist) {
1431 if (uurb_start >= iter->vm_start &&
1432 uurb_start < iter->vm_start + iter->size) {
1433 if (uurb->buffer_length > iter->vm_start + iter->size -
1434 uurb_start) {
1435 usbm = ERR_PTR(-EINVAL);
1436 } else {
1437 usbm = iter;
1438 usbm->urb_use_count++;
1439 }
1440 break;
1441 }
1442 }
1443 spin_unlock_irqrestore(&ps->lock, flags);
1444 return usbm;
1445}
1446
1447static int proc_do_submiturb(struct usb_dev_state *ps, struct usbdevfs_urb *uurb,
1448 struct usbdevfs_iso_packet_desc __user *iso_frame_desc,
1449 void __user *arg)
1450{
1451 struct usbdevfs_iso_packet_desc *isopkt = NULL;
1452 struct usb_host_endpoint *ep;
1453 struct async *as = NULL;
1454 struct usb_ctrlrequest *dr = NULL;
1455 unsigned int u, totlen, isofrmlen;
1456 int i, ret, is_in, num_sgs = 0, ifnum = -1;
1457 int number_of_packets = 0;
1458 unsigned int stream_id = 0;
1459 void *buf;
1460
1461 if (uurb->flags & ~(USBDEVFS_URB_ISO_ASAP |
1462 USBDEVFS_URB_SHORT_NOT_OK |
1463 USBDEVFS_URB_BULK_CONTINUATION |
1464 USBDEVFS_URB_NO_FSBR |
1465 USBDEVFS_URB_ZERO_PACKET |
1466 USBDEVFS_URB_NO_INTERRUPT))
1467 return -EINVAL;
1468 if (uurb->buffer_length > 0 && !uurb->buffer)
1469 return -EINVAL;
1470 if (!(uurb->type == USBDEVFS_URB_TYPE_CONTROL &&
1471 (uurb->endpoint & ~USB_ENDPOINT_DIR_MASK) == 0)) {
1472 ifnum = findintfep(ps->dev, uurb->endpoint);
1473 if (ifnum < 0)
1474 return ifnum;
1475 ret = checkintf(ps, ifnum);
1476 if (ret)
1477 return ret;
1478 }
1479 ep = ep_to_host_endpoint(ps->dev, uurb->endpoint);
1480 if (!ep)
1481 return -ENOENT;
1482 is_in = (uurb->endpoint & USB_ENDPOINT_DIR_MASK) != 0;
1483
1484 u = 0;
1485 switch (uurb->type) {
1486 case USBDEVFS_URB_TYPE_CONTROL:
1487 if (!usb_endpoint_xfer_control(&ep->desc))
1488 return -EINVAL;
1489
1490 if (uurb->buffer_length < 8)
1491 return -EINVAL;
1492 dr = kmalloc(sizeof(struct usb_ctrlrequest), GFP_KERNEL);
1493 if (!dr)
1494 return -ENOMEM;
1495 if (copy_from_user(dr, uurb->buffer, 8)) {
1496 ret = -EFAULT;
1497 goto error;
1498 }
1499 if (uurb->buffer_length < (le16_to_cpup(&dr->wLength) + 8)) {
1500 ret = -EINVAL;
1501 goto error;
1502 }
1503 ret = check_ctrlrecip(ps, dr->bRequestType, dr->bRequest,
1504 le16_to_cpup(&dr->wIndex));
1505 if (ret)
1506 goto error;
1507 uurb->buffer_length = le16_to_cpup(&dr->wLength);
1508 uurb->buffer += 8;
1509 if ((dr->bRequestType & USB_DIR_IN) && uurb->buffer_length) {
1510 is_in = 1;
1511 uurb->endpoint |= USB_DIR_IN;
1512 } else {
1513 is_in = 0;
1514 uurb->endpoint &= ~USB_DIR_IN;
1515 }
1516 snoop(&ps->dev->dev, "control urb: bRequestType=%02x "
1517 "bRequest=%02x wValue=%04x "
1518 "wIndex=%04x wLength=%04x\n",
1519 dr->bRequestType, dr->bRequest,
1520 __le16_to_cpup(&dr->wValue),
1521 __le16_to_cpup(&dr->wIndex),
1522 __le16_to_cpup(&dr->wLength));
1523 u = sizeof(struct usb_ctrlrequest);
1524 break;
1525
1526 case USBDEVFS_URB_TYPE_BULK:
1527 switch (usb_endpoint_type(&ep->desc)) {
1528 case USB_ENDPOINT_XFER_CONTROL:
1529 case USB_ENDPOINT_XFER_ISOC:
1530 return -EINVAL;
1531 case USB_ENDPOINT_XFER_INT:
1532
1533 uurb->type = USBDEVFS_URB_TYPE_INTERRUPT;
1534 goto interrupt_urb;
1535 }
1536 num_sgs = DIV_ROUND_UP(uurb->buffer_length, USB_SG_SIZE);
1537 if (num_sgs == 1 || num_sgs > ps->dev->bus->sg_tablesize)
1538 num_sgs = 0;
1539 if (ep->streams)
1540 stream_id = uurb->stream_id;
1541 break;
1542
1543 case USBDEVFS_URB_TYPE_INTERRUPT:
1544 if (!usb_endpoint_xfer_int(&ep->desc))
1545 return -EINVAL;
1546 interrupt_urb:
1547 break;
1548
1549 case USBDEVFS_URB_TYPE_ISO:
1550
1551 if (uurb->number_of_packets < 1 ||
1552 uurb->number_of_packets > 128)
1553 return -EINVAL;
1554 if (!usb_endpoint_xfer_isoc(&ep->desc))
1555 return -EINVAL;
1556 number_of_packets = uurb->number_of_packets;
1557 isofrmlen = sizeof(struct usbdevfs_iso_packet_desc) *
1558 number_of_packets;
1559 isopkt = memdup_user(iso_frame_desc, isofrmlen);
1560 if (IS_ERR(isopkt)) {
1561 ret = PTR_ERR(isopkt);
1562 isopkt = NULL;
1563 goto error;
1564 }
1565 for (totlen = u = 0; u < number_of_packets; u++) {
1566
1567
1568
1569
1570
1571
1572 if (isopkt[u].length > 49152) {
1573 ret = -EINVAL;
1574 goto error;
1575 }
1576 totlen += isopkt[u].length;
1577 }
1578 u *= sizeof(struct usb_iso_packet_descriptor);
1579 uurb->buffer_length = totlen;
1580 break;
1581
1582 default:
1583 return -EINVAL;
1584 }
1585
1586 if (uurb->buffer_length >= USBFS_XFER_MAX) {
1587 ret = -EINVAL;
1588 goto error;
1589 }
1590 if (uurb->buffer_length > 0 &&
1591 !access_ok(is_in ? VERIFY_WRITE : VERIFY_READ,
1592 uurb->buffer, uurb->buffer_length)) {
1593 ret = -EFAULT;
1594 goto error;
1595 }
1596 as = alloc_async(number_of_packets);
1597 if (!as) {
1598 ret = -ENOMEM;
1599 goto error;
1600 }
1601
1602 as->usbm = find_memory_area(ps, uurb);
1603 if (IS_ERR(as->usbm)) {
1604 ret = PTR_ERR(as->usbm);
1605 as->usbm = NULL;
1606 goto error;
1607 }
1608
1609
1610
1611
1612 if (as->usbm)
1613 num_sgs = 0;
1614
1615 u += sizeof(struct async) + sizeof(struct urb) + uurb->buffer_length +
1616 num_sgs * sizeof(struct scatterlist);
1617 ret = usbfs_increase_memory_usage(u);
1618 if (ret)
1619 goto error;
1620 as->mem_usage = u;
1621
1622 if (num_sgs) {
1623 as->urb->sg = kmalloc(num_sgs * sizeof(struct scatterlist),
1624 GFP_KERNEL);
1625 if (!as->urb->sg) {
1626 ret = -ENOMEM;
1627 goto error;
1628 }
1629 as->urb->num_sgs = num_sgs;
1630 sg_init_table(as->urb->sg, as->urb->num_sgs);
1631
1632 totlen = uurb->buffer_length;
1633 for (i = 0; i < as->urb->num_sgs; i++) {
1634 u = (totlen > USB_SG_SIZE) ? USB_SG_SIZE : totlen;
1635 buf = kmalloc(u, GFP_KERNEL);
1636 if (!buf) {
1637 ret = -ENOMEM;
1638 goto error;
1639 }
1640 sg_set_buf(&as->urb->sg[i], buf, u);
1641
1642 if (!is_in) {
1643 if (copy_from_user(buf, uurb->buffer, u)) {
1644 ret = -EFAULT;
1645 goto error;
1646 }
1647 uurb->buffer += u;
1648 }
1649 totlen -= u;
1650 }
1651 } else if (uurb->buffer_length > 0) {
1652 if (as->usbm) {
1653 unsigned long uurb_start = (unsigned long)uurb->buffer;
1654
1655 as->urb->transfer_buffer = as->usbm->mem +
1656 (uurb_start - as->usbm->vm_start);
1657 } else {
1658 as->urb->transfer_buffer = kmalloc(uurb->buffer_length,
1659 GFP_KERNEL);
1660 if (!as->urb->transfer_buffer) {
1661 ret = -ENOMEM;
1662 goto error;
1663 }
1664 if (!is_in) {
1665 if (copy_from_user(as->urb->transfer_buffer,
1666 uurb->buffer,
1667 uurb->buffer_length)) {
1668 ret = -EFAULT;
1669 goto error;
1670 }
1671 } else if (uurb->type == USBDEVFS_URB_TYPE_ISO) {
1672
1673
1674
1675
1676
1677
1678 memset(as->urb->transfer_buffer, 0,
1679 uurb->buffer_length);
1680 }
1681 }
1682 }
1683 as->urb->dev = ps->dev;
1684 as->urb->pipe = (uurb->type << 30) |
1685 __create_pipe(ps->dev, uurb->endpoint & 0xf) |
1686 (uurb->endpoint & USB_DIR_IN);
1687
1688
1689
1690
1691
1692 u = (is_in ? URB_DIR_IN : URB_DIR_OUT);
1693 if (uurb->flags & USBDEVFS_URB_ISO_ASAP)
1694 u |= URB_ISO_ASAP;
1695 if (uurb->flags & USBDEVFS_URB_SHORT_NOT_OK && is_in)
1696 u |= URB_SHORT_NOT_OK;
1697 if (uurb->flags & USBDEVFS_URB_NO_FSBR)
1698 u |= URB_NO_FSBR;
1699 if (uurb->flags & USBDEVFS_URB_ZERO_PACKET)
1700 u |= URB_ZERO_PACKET;
1701 if (uurb->flags & USBDEVFS_URB_NO_INTERRUPT)
1702 u |= URB_NO_INTERRUPT;
1703 as->urb->transfer_flags = u;
1704
1705 as->urb->transfer_buffer_length = uurb->buffer_length;
1706 as->urb->setup_packet = (unsigned char *)dr;
1707 dr = NULL;
1708 as->urb->start_frame = uurb->start_frame;
1709 as->urb->number_of_packets = number_of_packets;
1710 as->urb->stream_id = stream_id;
1711 if (uurb->type == USBDEVFS_URB_TYPE_ISO ||
1712 ps->dev->speed == USB_SPEED_HIGH)
1713 as->urb->interval = 1 << min(15, ep->desc.bInterval - 1);
1714 else
1715 as->urb->interval = ep->desc.bInterval;
1716 as->urb->context = as;
1717 as->urb->complete = async_completed;
1718 for (totlen = u = 0; u < number_of_packets; u++) {
1719 as->urb->iso_frame_desc[u].offset = totlen;
1720 as->urb->iso_frame_desc[u].length = isopkt[u].length;
1721 totlen += isopkt[u].length;
1722 }
1723 kfree(isopkt);
1724 isopkt = NULL;
1725 as->ps = ps;
1726 as->userurb = arg;
1727 if (as->usbm) {
1728 unsigned long uurb_start = (unsigned long)uurb->buffer;
1729
1730 as->urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP;
1731 as->urb->transfer_dma = as->usbm->dma_handle +
1732 (uurb_start - as->usbm->vm_start);
1733 } else if (is_in && uurb->buffer_length > 0)
1734 as->userbuffer = uurb->buffer;
1735 as->signr = uurb->signr;
1736 as->ifnum = ifnum;
1737 as->pid = get_pid(task_pid(current));
1738 as->cred = get_current_cred();
1739 security_task_getsecid(current, &as->secid);
1740 snoop_urb(ps->dev, as->userurb, as->urb->pipe,
1741 as->urb->transfer_buffer_length, 0, SUBMIT,
1742 NULL, 0);
1743 if (!is_in)
1744 snoop_urb_data(as->urb, as->urb->transfer_buffer_length);
1745
1746 async_newpending(as);
1747
1748 if (usb_endpoint_xfer_bulk(&ep->desc)) {
1749 spin_lock_irq(&ps->lock);
1750
1751
1752
1753
1754
1755 as->bulk_addr = usb_endpoint_num(&ep->desc) |
1756 ((ep->desc.bEndpointAddress & USB_ENDPOINT_DIR_MASK)
1757 >> 3);
1758
1759
1760
1761
1762 if (uurb->flags & USBDEVFS_URB_BULK_CONTINUATION)
1763 as->bulk_status = AS_CONTINUATION;
1764 else
1765 ps->disabled_bulk_eps &= ~(1 << as->bulk_addr);
1766
1767
1768
1769
1770 if (ps->disabled_bulk_eps & (1 << as->bulk_addr))
1771 ret = -EREMOTEIO;
1772 else
1773 ret = usb_submit_urb(as->urb, GFP_ATOMIC);
1774 spin_unlock_irq(&ps->lock);
1775 } else {
1776 ret = usb_submit_urb(as->urb, GFP_KERNEL);
1777 }
1778
1779 if (ret) {
1780 dev_printk(KERN_DEBUG, &ps->dev->dev,
1781 "usbfs: usb_submit_urb returned %d\n", ret);
1782 snoop_urb(ps->dev, as->userurb, as->urb->pipe,
1783 0, ret, COMPLETE, NULL, 0);
1784 async_removepending(as);
1785 goto error;
1786 }
1787 return 0;
1788
1789 error:
1790 if (as && as->usbm)
1791 dec_usb_memory_use_count(as->usbm, &as->usbm->urb_use_count);
1792 kfree(isopkt);
1793 kfree(dr);
1794 if (as)
1795 free_async(as);
1796 return ret;
1797}
1798
1799static int proc_submiturb(struct usb_dev_state *ps, void __user *arg)
1800{
1801 struct usbdevfs_urb uurb;
1802
1803 if (copy_from_user(&uurb, arg, sizeof(uurb)))
1804 return -EFAULT;
1805
1806 return proc_do_submiturb(ps, &uurb,
1807 (((struct usbdevfs_urb __user *)arg)->iso_frame_desc),
1808 arg);
1809}
1810
1811static int proc_unlinkurb(struct usb_dev_state *ps, void __user *arg)
1812{
1813 struct urb *urb;
1814 struct async *as;
1815 unsigned long flags;
1816
1817 spin_lock_irqsave(&ps->lock, flags);
1818 as = async_getpending(ps, arg);
1819 if (!as) {
1820 spin_unlock_irqrestore(&ps->lock, flags);
1821 return -EINVAL;
1822 }
1823
1824 urb = as->urb;
1825 usb_get_urb(urb);
1826 spin_unlock_irqrestore(&ps->lock, flags);
1827
1828 usb_kill_urb(urb);
1829 usb_put_urb(urb);
1830
1831 return 0;
1832}
1833
1834static int processcompl(struct async *as, void __user * __user *arg)
1835{
1836 struct urb *urb = as->urb;
1837 struct usbdevfs_urb __user *userurb = as->userurb;
1838 void __user *addr = as->userurb;
1839 unsigned int i;
1840
1841 if (as->userbuffer && urb->actual_length) {
1842 if (copy_urb_data_to_user(as->userbuffer, urb))
1843 goto err_out;
1844 }
1845 if (put_user(as->status, &userurb->status))
1846 goto err_out;
1847 if (put_user(urb->actual_length, &userurb->actual_length))
1848 goto err_out;
1849 if (put_user(urb->error_count, &userurb->error_count))
1850 goto err_out;
1851
1852 if (usb_endpoint_xfer_isoc(&urb->ep->desc)) {
1853 for (i = 0; i < urb->number_of_packets; i++) {
1854 if (put_user(urb->iso_frame_desc[i].actual_length,
1855 &userurb->iso_frame_desc[i].actual_length))
1856 goto err_out;
1857 if (put_user(urb->iso_frame_desc[i].status,
1858 &userurb->iso_frame_desc[i].status))
1859 goto err_out;
1860 }
1861 }
1862
1863 if (put_user(addr, (void __user * __user *)arg))
1864 return -EFAULT;
1865 return 0;
1866
1867err_out:
1868 return -EFAULT;
1869}
1870
1871static struct async *reap_as(struct usb_dev_state *ps)
1872{
1873 DECLARE_WAITQUEUE(wait, current);
1874 struct async *as = NULL;
1875 struct usb_device *dev = ps->dev;
1876
1877 add_wait_queue(&ps->wait, &wait);
1878 for (;;) {
1879 __set_current_state(TASK_INTERRUPTIBLE);
1880 as = async_getcompleted(ps);
1881 if (as || !connected(ps))
1882 break;
1883 if (signal_pending(current))
1884 break;
1885 usb_unlock_device(dev);
1886 schedule();
1887 usb_lock_device(dev);
1888 }
1889 remove_wait_queue(&ps->wait, &wait);
1890 set_current_state(TASK_RUNNING);
1891 return as;
1892}
1893
1894static int proc_reapurb(struct usb_dev_state *ps, void __user *arg)
1895{
1896 struct async *as = reap_as(ps);
1897
1898 if (as) {
1899 int retval;
1900
1901 snoop(&ps->dev->dev, "reap %p\n", as->userurb);
1902 retval = processcompl(as, (void __user * __user *)arg);
1903 free_async(as);
1904 return retval;
1905 }
1906 if (signal_pending(current))
1907 return -EINTR;
1908 return -ENODEV;
1909}
1910
1911static int proc_reapurbnonblock(struct usb_dev_state *ps, void __user *arg)
1912{
1913 int retval;
1914 struct async *as;
1915
1916 as = async_getcompleted(ps);
1917 if (as) {
1918 snoop(&ps->dev->dev, "reap %p\n", as->userurb);
1919 retval = processcompl(as, (void __user * __user *)arg);
1920 free_async(as);
1921 } else {
1922 retval = (connected(ps) ? -EAGAIN : -ENODEV);
1923 }
1924 return retval;
1925}
1926
1927#ifdef CONFIG_COMPAT
1928static int proc_control_compat(struct usb_dev_state *ps,
1929 struct usbdevfs_ctrltransfer32 __user *p32)
1930{
1931 struct usbdevfs_ctrltransfer __user *p;
1932 __u32 udata;
1933 p = compat_alloc_user_space(sizeof(*p));
1934 if (copy_in_user(p, p32, (sizeof(*p32) - sizeof(compat_caddr_t))) ||
1935 get_user(udata, &p32->data) ||
1936 put_user(compat_ptr(udata), &p->data))
1937 return -EFAULT;
1938 return proc_control(ps, p);
1939}
1940
1941static int proc_bulk_compat(struct usb_dev_state *ps,
1942 struct usbdevfs_bulktransfer32 __user *p32)
1943{
1944 struct usbdevfs_bulktransfer __user *p;
1945 compat_uint_t n;
1946 compat_caddr_t addr;
1947
1948 p = compat_alloc_user_space(sizeof(*p));
1949
1950 if (get_user(n, &p32->ep) || put_user(n, &p->ep) ||
1951 get_user(n, &p32->len) || put_user(n, &p->len) ||
1952 get_user(n, &p32->timeout) || put_user(n, &p->timeout) ||
1953 get_user(addr, &p32->data) || put_user(compat_ptr(addr), &p->data))
1954 return -EFAULT;
1955
1956 return proc_bulk(ps, p);
1957}
1958static int proc_disconnectsignal_compat(struct usb_dev_state *ps, void __user *arg)
1959{
1960 struct usbdevfs_disconnectsignal32 ds;
1961
1962 if (copy_from_user(&ds, arg, sizeof(ds)))
1963 return -EFAULT;
1964 ps->discsignr = ds.signr;
1965 ps->disccontext = compat_ptr(ds.context);
1966 return 0;
1967}
1968
1969static int get_urb32(struct usbdevfs_urb *kurb,
1970 struct usbdevfs_urb32 __user *uurb)
1971{
1972 __u32 uptr;
1973 if (!access_ok(VERIFY_READ, uurb, sizeof(*uurb)) ||
1974 __get_user(kurb->type, &uurb->type) ||
1975 __get_user(kurb->endpoint, &uurb->endpoint) ||
1976 __get_user(kurb->status, &uurb->status) ||
1977 __get_user(kurb->flags, &uurb->flags) ||
1978 __get_user(kurb->buffer_length, &uurb->buffer_length) ||
1979 __get_user(kurb->actual_length, &uurb->actual_length) ||
1980 __get_user(kurb->start_frame, &uurb->start_frame) ||
1981 __get_user(kurb->number_of_packets, &uurb->number_of_packets) ||
1982 __get_user(kurb->error_count, &uurb->error_count) ||
1983 __get_user(kurb->signr, &uurb->signr))
1984 return -EFAULT;
1985
1986 if (__get_user(uptr, &uurb->buffer))
1987 return -EFAULT;
1988 kurb->buffer = compat_ptr(uptr);
1989 if (__get_user(uptr, &uurb->usercontext))
1990 return -EFAULT;
1991 kurb->usercontext = compat_ptr(uptr);
1992
1993 return 0;
1994}
1995
1996static int proc_submiturb_compat(struct usb_dev_state *ps, void __user *arg)
1997{
1998 struct usbdevfs_urb uurb;
1999
2000 if (get_urb32(&uurb, (struct usbdevfs_urb32 __user *)arg))
2001 return -EFAULT;
2002
2003 return proc_do_submiturb(ps, &uurb,
2004 ((struct usbdevfs_urb32 __user *)arg)->iso_frame_desc,
2005 arg);
2006}
2007
2008static int processcompl_compat(struct async *as, void __user * __user *arg)
2009{
2010 struct urb *urb = as->urb;
2011 struct usbdevfs_urb32 __user *userurb = as->userurb;
2012 void __user *addr = as->userurb;
2013 unsigned int i;
2014
2015 if (as->userbuffer && urb->actual_length) {
2016 if (copy_urb_data_to_user(as->userbuffer, urb))
2017 return -EFAULT;
2018 }
2019 if (put_user(as->status, &userurb->status))
2020 return -EFAULT;
2021 if (put_user(urb->actual_length, &userurb->actual_length))
2022 return -EFAULT;
2023 if (put_user(urb->error_count, &userurb->error_count))
2024 return -EFAULT;
2025
2026 if (usb_endpoint_xfer_isoc(&urb->ep->desc)) {
2027 for (i = 0; i < urb->number_of_packets; i++) {
2028 if (put_user(urb->iso_frame_desc[i].actual_length,
2029 &userurb->iso_frame_desc[i].actual_length))
2030 return -EFAULT;
2031 if (put_user(urb->iso_frame_desc[i].status,
2032 &userurb->iso_frame_desc[i].status))
2033 return -EFAULT;
2034 }
2035 }
2036
2037 if (put_user(ptr_to_compat(addr), (u32 __user *)arg))
2038 return -EFAULT;
2039 return 0;
2040}
2041
2042static int proc_reapurb_compat(struct usb_dev_state *ps, void __user *arg)
2043{
2044 struct async *as = reap_as(ps);
2045
2046 if (as) {
2047 int retval;
2048
2049 snoop(&ps->dev->dev, "reap %p\n", as->userurb);
2050 retval = processcompl_compat(as, (void __user * __user *)arg);
2051 free_async(as);
2052 return retval;
2053 }
2054 if (signal_pending(current))
2055 return -EINTR;
2056 return -ENODEV;
2057}
2058
2059static int proc_reapurbnonblock_compat(struct usb_dev_state *ps, void __user *arg)
2060{
2061 int retval;
2062 struct async *as;
2063
2064 as = async_getcompleted(ps);
2065 if (as) {
2066 snoop(&ps->dev->dev, "reap %p\n", as->userurb);
2067 retval = processcompl_compat(as, (void __user * __user *)arg);
2068 free_async(as);
2069 } else {
2070 retval = (connected(ps) ? -EAGAIN : -ENODEV);
2071 }
2072 return retval;
2073}
2074
2075
2076#endif
2077
2078static int proc_disconnectsignal(struct usb_dev_state *ps, void __user *arg)
2079{
2080 struct usbdevfs_disconnectsignal ds;
2081
2082 if (copy_from_user(&ds, arg, sizeof(ds)))
2083 return -EFAULT;
2084 ps->discsignr = ds.signr;
2085 ps->disccontext = ds.context;
2086 return 0;
2087}
2088
2089static int proc_claiminterface(struct usb_dev_state *ps, void __user *arg)
2090{
2091 unsigned int ifnum;
2092
2093 if (get_user(ifnum, (unsigned int __user *)arg))
2094 return -EFAULT;
2095 return claimintf(ps, ifnum);
2096}
2097
2098static int proc_releaseinterface(struct usb_dev_state *ps, void __user *arg)
2099{
2100 unsigned int ifnum;
2101 int ret;
2102
2103 if (get_user(ifnum, (unsigned int __user *)arg))
2104 return -EFAULT;
2105 ret = releaseintf(ps, ifnum);
2106 if (ret < 0)
2107 return ret;
2108 destroy_async_on_interface(ps, ifnum);
2109 return 0;
2110}
2111
2112static int proc_ioctl(struct usb_dev_state *ps, struct usbdevfs_ioctl *ctl)
2113{
2114 int size;
2115 void *buf = NULL;
2116 int retval = 0;
2117 struct usb_interface *intf = NULL;
2118 struct usb_driver *driver = NULL;
2119
2120 if (ps->privileges_dropped)
2121 return -EACCES;
2122
2123
2124 size = _IOC_SIZE(ctl->ioctl_code);
2125 if (size > 0) {
2126 buf = kmalloc(size, GFP_KERNEL);
2127 if (buf == NULL)
2128 return -ENOMEM;
2129 if ((_IOC_DIR(ctl->ioctl_code) & _IOC_WRITE)) {
2130 if (copy_from_user(buf, ctl->data, size)) {
2131 kfree(buf);
2132 return -EFAULT;
2133 }
2134 } else {
2135 memset(buf, 0, size);
2136 }
2137 }
2138
2139 if (!connected(ps)) {
2140 kfree(buf);
2141 return -ENODEV;
2142 }
2143
2144 if (ps->dev->state != USB_STATE_CONFIGURED)
2145 retval = -EHOSTUNREACH;
2146 else if (!(intf = usb_ifnum_to_if(ps->dev, ctl->ifno)))
2147 retval = -EINVAL;
2148 else switch (ctl->ioctl_code) {
2149
2150
2151 case USBDEVFS_DISCONNECT:
2152 if (intf->dev.driver) {
2153 driver = to_usb_driver(intf->dev.driver);
2154 dev_dbg(&intf->dev, "disconnect by usbfs\n");
2155 usb_driver_release_interface(driver, intf);
2156 } else
2157 retval = -ENODATA;
2158 break;
2159
2160
2161 case USBDEVFS_CONNECT:
2162 if (!intf->dev.driver)
2163 retval = device_attach(&intf->dev);
2164 else
2165 retval = -EBUSY;
2166 break;
2167
2168
2169 default:
2170 if (intf->dev.driver)
2171 driver = to_usb_driver(intf->dev.driver);
2172 if (driver == NULL || driver->unlocked_ioctl == NULL) {
2173 retval = -ENOTTY;
2174 } else {
2175 retval = driver->unlocked_ioctl(intf, ctl->ioctl_code, buf);
2176 if (retval == -ENOIOCTLCMD)
2177 retval = -ENOTTY;
2178 }
2179 }
2180
2181
2182 if (retval >= 0
2183 && (_IOC_DIR(ctl->ioctl_code) & _IOC_READ) != 0
2184 && size > 0
2185 && copy_to_user(ctl->data, buf, size) != 0)
2186 retval = -EFAULT;
2187
2188 kfree(buf);
2189 return retval;
2190}
2191
2192static int proc_ioctl_default(struct usb_dev_state *ps, void __user *arg)
2193{
2194 struct usbdevfs_ioctl ctrl;
2195
2196 if (copy_from_user(&ctrl, arg, sizeof(ctrl)))
2197 return -EFAULT;
2198 return proc_ioctl(ps, &ctrl);
2199}
2200
2201#ifdef CONFIG_COMPAT
2202static int proc_ioctl_compat(struct usb_dev_state *ps, compat_uptr_t arg)
2203{
2204 struct usbdevfs_ioctl32 __user *uioc;
2205 struct usbdevfs_ioctl ctrl;
2206 u32 udata;
2207
2208 uioc = compat_ptr((long)arg);
2209 if (!access_ok(VERIFY_READ, uioc, sizeof(*uioc)) ||
2210 __get_user(ctrl.ifno, &uioc->ifno) ||
2211 __get_user(ctrl.ioctl_code, &uioc->ioctl_code) ||
2212 __get_user(udata, &uioc->data))
2213 return -EFAULT;
2214 ctrl.data = compat_ptr(udata);
2215
2216 return proc_ioctl(ps, &ctrl);
2217}
2218#endif
2219
2220static int proc_claim_port(struct usb_dev_state *ps, void __user *arg)
2221{
2222 unsigned portnum;
2223 int rc;
2224
2225 if (get_user(portnum, (unsigned __user *) arg))
2226 return -EFAULT;
2227 rc = usb_hub_claim_port(ps->dev, portnum, ps);
2228 if (rc == 0)
2229 snoop(&ps->dev->dev, "port %d claimed by process %d: %s\n",
2230 portnum, task_pid_nr(current), current->comm);
2231 return rc;
2232}
2233
2234static int proc_release_port(struct usb_dev_state *ps, void __user *arg)
2235{
2236 unsigned portnum;
2237
2238 if (get_user(portnum, (unsigned __user *) arg))
2239 return -EFAULT;
2240 return usb_hub_release_port(ps->dev, portnum, ps);
2241}
2242
2243static int proc_get_capabilities(struct usb_dev_state *ps, void __user *arg)
2244{
2245 __u32 caps;
2246
2247 caps = USBDEVFS_CAP_ZERO_PACKET | USBDEVFS_CAP_NO_PACKET_SIZE_LIM |
2248 USBDEVFS_CAP_REAP_AFTER_DISCONNECT | USBDEVFS_CAP_MMAP |
2249 USBDEVFS_CAP_DROP_PRIVILEGES;
2250 if (!ps->dev->bus->no_stop_on_short)
2251 caps |= USBDEVFS_CAP_BULK_CONTINUATION;
2252 if (ps->dev->bus->sg_tablesize)
2253 caps |= USBDEVFS_CAP_BULK_SCATTER_GATHER;
2254
2255 if (put_user(caps, (__u32 __user *)arg))
2256 return -EFAULT;
2257
2258 return 0;
2259}
2260
2261static int proc_disconnect_claim(struct usb_dev_state *ps, void __user *arg)
2262{
2263 struct usbdevfs_disconnect_claim dc;
2264 struct usb_interface *intf;
2265
2266 if (copy_from_user(&dc, arg, sizeof(dc)))
2267 return -EFAULT;
2268
2269 intf = usb_ifnum_to_if(ps->dev, dc.interface);
2270 if (!intf)
2271 return -EINVAL;
2272
2273 if (intf->dev.driver) {
2274 struct usb_driver *driver = to_usb_driver(intf->dev.driver);
2275
2276 if (ps->privileges_dropped)
2277 return -EACCES;
2278
2279 if ((dc.flags & USBDEVFS_DISCONNECT_CLAIM_IF_DRIVER) &&
2280 strncmp(dc.driver, intf->dev.driver->name,
2281 sizeof(dc.driver)) != 0)
2282 return -EBUSY;
2283
2284 if ((dc.flags & USBDEVFS_DISCONNECT_CLAIM_EXCEPT_DRIVER) &&
2285 strncmp(dc.driver, intf->dev.driver->name,
2286 sizeof(dc.driver)) == 0)
2287 return -EBUSY;
2288
2289 dev_dbg(&intf->dev, "disconnect by usbfs\n");
2290 usb_driver_release_interface(driver, intf);
2291 }
2292
2293 return claimintf(ps, dc.interface);
2294}
2295
2296static int proc_alloc_streams(struct usb_dev_state *ps, void __user *arg)
2297{
2298 unsigned num_streams, num_eps;
2299 struct usb_host_endpoint **eps;
2300 struct usb_interface *intf;
2301 int r;
2302
2303 r = parse_usbdevfs_streams(ps, arg, &num_streams, &num_eps,
2304 &eps, &intf);
2305 if (r)
2306 return r;
2307
2308 destroy_async_on_interface(ps,
2309 intf->altsetting[0].desc.bInterfaceNumber);
2310
2311 r = usb_alloc_streams(intf, eps, num_eps, num_streams, GFP_KERNEL);
2312 kfree(eps);
2313 return r;
2314}
2315
2316static int proc_free_streams(struct usb_dev_state *ps, void __user *arg)
2317{
2318 unsigned num_eps;
2319 struct usb_host_endpoint **eps;
2320 struct usb_interface *intf;
2321 int r;
2322
2323 r = parse_usbdevfs_streams(ps, arg, NULL, &num_eps, &eps, &intf);
2324 if (r)
2325 return r;
2326
2327 destroy_async_on_interface(ps,
2328 intf->altsetting[0].desc.bInterfaceNumber);
2329
2330 r = usb_free_streams(intf, eps, num_eps, GFP_KERNEL);
2331 kfree(eps);
2332 return r;
2333}
2334
2335static int proc_drop_privileges(struct usb_dev_state *ps, void __user *arg)
2336{
2337 u32 data;
2338
2339 if (copy_from_user(&data, arg, sizeof(data)))
2340 return -EFAULT;
2341
2342
2343
2344
2345
2346 ps->interface_allowed_mask &= data;
2347 ps->privileges_dropped = true;
2348
2349 return 0;
2350}
2351
2352
2353
2354
2355
2356
2357static long usbdev_do_ioctl(struct file *file, unsigned int cmd,
2358 void __user *p)
2359{
2360 struct usb_dev_state *ps = file->private_data;
2361 struct inode *inode = file_inode(file);
2362 struct usb_device *dev = ps->dev;
2363 int ret = -ENOTTY;
2364
2365 if (!(file->f_mode & FMODE_WRITE))
2366 return -EPERM;
2367
2368 usb_lock_device(dev);
2369
2370
2371 switch (cmd) {
2372 case USBDEVFS_REAPURB:
2373 snoop(&dev->dev, "%s: REAPURB\n", __func__);
2374 ret = proc_reapurb(ps, p);
2375 goto done;
2376
2377 case USBDEVFS_REAPURBNDELAY:
2378 snoop(&dev->dev, "%s: REAPURBNDELAY\n", __func__);
2379 ret = proc_reapurbnonblock(ps, p);
2380 goto done;
2381
2382#ifdef CONFIG_COMPAT
2383 case USBDEVFS_REAPURB32:
2384 snoop(&dev->dev, "%s: REAPURB32\n", __func__);
2385 ret = proc_reapurb_compat(ps, p);
2386 goto done;
2387
2388 case USBDEVFS_REAPURBNDELAY32:
2389 snoop(&dev->dev, "%s: REAPURBNDELAY32\n", __func__);
2390 ret = proc_reapurbnonblock_compat(ps, p);
2391 goto done;
2392#endif
2393 }
2394
2395 if (!connected(ps)) {
2396 usb_unlock_device(dev);
2397 return -ENODEV;
2398 }
2399
2400 switch (cmd) {
2401 case USBDEVFS_CONTROL:
2402 snoop(&dev->dev, "%s: CONTROL\n", __func__);
2403 ret = proc_control(ps, p);
2404 if (ret >= 0)
2405 inode->i_mtime = CURRENT_TIME;
2406 break;
2407
2408 case USBDEVFS_BULK:
2409 snoop(&dev->dev, "%s: BULK\n", __func__);
2410 ret = proc_bulk(ps, p);
2411 if (ret >= 0)
2412 inode->i_mtime = CURRENT_TIME;
2413 break;
2414
2415 case USBDEVFS_RESETEP:
2416 snoop(&dev->dev, "%s: RESETEP\n", __func__);
2417 ret = proc_resetep(ps, p);
2418 if (ret >= 0)
2419 inode->i_mtime = CURRENT_TIME;
2420 break;
2421
2422 case USBDEVFS_RESET:
2423 snoop(&dev->dev, "%s: RESET\n", __func__);
2424 ret = proc_resetdevice(ps);
2425 break;
2426
2427 case USBDEVFS_CLEAR_HALT:
2428 snoop(&dev->dev, "%s: CLEAR_HALT\n", __func__);
2429 ret = proc_clearhalt(ps, p);
2430 if (ret >= 0)
2431 inode->i_mtime = CURRENT_TIME;
2432 break;
2433
2434 case USBDEVFS_GETDRIVER:
2435 snoop(&dev->dev, "%s: GETDRIVER\n", __func__);
2436 ret = proc_getdriver(ps, p);
2437 break;
2438
2439 case USBDEVFS_CONNECTINFO:
2440 snoop(&dev->dev, "%s: CONNECTINFO\n", __func__);
2441 ret = proc_connectinfo(ps, p);
2442 break;
2443
2444 case USBDEVFS_SETINTERFACE:
2445 snoop(&dev->dev, "%s: SETINTERFACE\n", __func__);
2446 ret = proc_setintf(ps, p);
2447 break;
2448
2449 case USBDEVFS_SETCONFIGURATION:
2450 snoop(&dev->dev, "%s: SETCONFIGURATION\n", __func__);
2451 ret = proc_setconfig(ps, p);
2452 break;
2453
2454 case USBDEVFS_SUBMITURB:
2455 snoop(&dev->dev, "%s: SUBMITURB\n", __func__);
2456 ret = proc_submiturb(ps, p);
2457 if (ret >= 0)
2458 inode->i_mtime = CURRENT_TIME;
2459 break;
2460
2461#ifdef CONFIG_COMPAT
2462 case USBDEVFS_CONTROL32:
2463 snoop(&dev->dev, "%s: CONTROL32\n", __func__);
2464 ret = proc_control_compat(ps, p);
2465 if (ret >= 0)
2466 inode->i_mtime = CURRENT_TIME;
2467 break;
2468
2469 case USBDEVFS_BULK32:
2470 snoop(&dev->dev, "%s: BULK32\n", __func__);
2471 ret = proc_bulk_compat(ps, p);
2472 if (ret >= 0)
2473 inode->i_mtime = CURRENT_TIME;
2474 break;
2475
2476 case USBDEVFS_DISCSIGNAL32:
2477 snoop(&dev->dev, "%s: DISCSIGNAL32\n", __func__);
2478 ret = proc_disconnectsignal_compat(ps, p);
2479 break;
2480
2481 case USBDEVFS_SUBMITURB32:
2482 snoop(&dev->dev, "%s: SUBMITURB32\n", __func__);
2483 ret = proc_submiturb_compat(ps, p);
2484 if (ret >= 0)
2485 inode->i_mtime = CURRENT_TIME;
2486 break;
2487
2488 case USBDEVFS_IOCTL32:
2489 snoop(&dev->dev, "%s: IOCTL32\n", __func__);
2490 ret = proc_ioctl_compat(ps, ptr_to_compat(p));
2491 break;
2492#endif
2493
2494 case USBDEVFS_DISCARDURB:
2495 snoop(&dev->dev, "%s: DISCARDURB %p\n", __func__, p);
2496 ret = proc_unlinkurb(ps, p);
2497 break;
2498
2499 case USBDEVFS_DISCSIGNAL:
2500 snoop(&dev->dev, "%s: DISCSIGNAL\n", __func__);
2501 ret = proc_disconnectsignal(ps, p);
2502 break;
2503
2504 case USBDEVFS_CLAIMINTERFACE:
2505 snoop(&dev->dev, "%s: CLAIMINTERFACE\n", __func__);
2506 ret = proc_claiminterface(ps, p);
2507 break;
2508
2509 case USBDEVFS_RELEASEINTERFACE:
2510 snoop(&dev->dev, "%s: RELEASEINTERFACE\n", __func__);
2511 ret = proc_releaseinterface(ps, p);
2512 break;
2513
2514 case USBDEVFS_IOCTL:
2515 snoop(&dev->dev, "%s: IOCTL\n", __func__);
2516 ret = proc_ioctl_default(ps, p);
2517 break;
2518
2519 case USBDEVFS_CLAIM_PORT:
2520 snoop(&dev->dev, "%s: CLAIM_PORT\n", __func__);
2521 ret = proc_claim_port(ps, p);
2522 break;
2523
2524 case USBDEVFS_RELEASE_PORT:
2525 snoop(&dev->dev, "%s: RELEASE_PORT\n", __func__);
2526 ret = proc_release_port(ps, p);
2527 break;
2528 case USBDEVFS_GET_CAPABILITIES:
2529 ret = proc_get_capabilities(ps, p);
2530 break;
2531 case USBDEVFS_DISCONNECT_CLAIM:
2532 ret = proc_disconnect_claim(ps, p);
2533 break;
2534 case USBDEVFS_ALLOC_STREAMS:
2535 ret = proc_alloc_streams(ps, p);
2536 break;
2537 case USBDEVFS_FREE_STREAMS:
2538 ret = proc_free_streams(ps, p);
2539 break;
2540 case USBDEVFS_DROP_PRIVILEGES:
2541 ret = proc_drop_privileges(ps, p);
2542 break;
2543 }
2544
2545 done:
2546 usb_unlock_device(dev);
2547 if (ret >= 0)
2548 inode->i_atime = CURRENT_TIME;
2549 return ret;
2550}
2551
2552static long usbdev_ioctl(struct file *file, unsigned int cmd,
2553 unsigned long arg)
2554{
2555 int ret;
2556
2557 ret = usbdev_do_ioctl(file, cmd, (void __user *)arg);
2558
2559 return ret;
2560}
2561
2562#ifdef CONFIG_COMPAT
2563static long usbdev_compat_ioctl(struct file *file, unsigned int cmd,
2564 unsigned long arg)
2565{
2566 int ret;
2567
2568 ret = usbdev_do_ioctl(file, cmd, compat_ptr(arg));
2569
2570 return ret;
2571}
2572#endif
2573
2574
2575static unsigned int usbdev_poll(struct file *file,
2576 struct poll_table_struct *wait)
2577{
2578 struct usb_dev_state *ps = file->private_data;
2579 unsigned int mask = 0;
2580
2581 poll_wait(file, &ps->wait, wait);
2582 if (file->f_mode & FMODE_WRITE && !list_empty(&ps->async_completed))
2583 mask |= POLLOUT | POLLWRNORM;
2584 if (!connected(ps))
2585 mask |= POLLERR | POLLHUP;
2586 return mask;
2587}
2588
2589const struct file_operations usbdev_file_operations = {
2590 .owner = THIS_MODULE,
2591 .llseek = no_seek_end_llseek,
2592 .read = usbdev_read,
2593 .poll = usbdev_poll,
2594 .unlocked_ioctl = usbdev_ioctl,
2595#ifdef CONFIG_COMPAT
2596 .compat_ioctl = usbdev_compat_ioctl,
2597#endif
2598 .mmap = usbdev_mmap,
2599 .open = usbdev_open,
2600 .release = usbdev_release,
2601};
2602
2603static void usbdev_remove(struct usb_device *udev)
2604{
2605 struct usb_dev_state *ps;
2606 struct siginfo sinfo;
2607
2608 while (!list_empty(&udev->filelist)) {
2609 ps = list_entry(udev->filelist.next, struct usb_dev_state, list);
2610 destroy_all_async(ps);
2611 wake_up_all(&ps->wait);
2612 list_del_init(&ps->list);
2613 if (ps->discsignr) {
2614 memset(&sinfo, 0, sizeof(sinfo));
2615 sinfo.si_signo = ps->discsignr;
2616 sinfo.si_errno = EPIPE;
2617 sinfo.si_code = SI_ASYNCIO;
2618 sinfo.si_addr = ps->disccontext;
2619 kill_pid_info_as_cred(ps->discsignr, &sinfo,
2620 ps->disc_pid, ps->cred, ps->secid);
2621 }
2622 }
2623}
2624
2625static int usbdev_notify(struct notifier_block *self,
2626 unsigned long action, void *dev)
2627{
2628 switch (action) {
2629 case USB_DEVICE_ADD:
2630 break;
2631 case USB_DEVICE_REMOVE:
2632 usbdev_remove(dev);
2633 break;
2634 }
2635 return NOTIFY_OK;
2636}
2637
2638static struct notifier_block usbdev_nb = {
2639 .notifier_call = usbdev_notify,
2640};
2641
2642static struct cdev usb_device_cdev;
2643
2644int __init usb_devio_init(void)
2645{
2646 int retval;
2647
2648 retval = register_chrdev_region(USB_DEVICE_DEV, USB_DEVICE_MAX,
2649 "usb_device");
2650 if (retval) {
2651 printk(KERN_ERR "Unable to register minors for usb_device\n");
2652 goto out;
2653 }
2654 cdev_init(&usb_device_cdev, &usbdev_file_operations);
2655 retval = cdev_add(&usb_device_cdev, USB_DEVICE_DEV, USB_DEVICE_MAX);
2656 if (retval) {
2657 printk(KERN_ERR "Unable to get usb_device major %d\n",
2658 USB_DEVICE_MAJOR);
2659 goto error_cdev;
2660 }
2661 usb_register_notify(&usbdev_nb);
2662out:
2663 return retval;
2664
2665error_cdev:
2666 unregister_chrdev_region(USB_DEVICE_DEV, USB_DEVICE_MAX);
2667 goto out;
2668}
2669
2670void usb_devio_cleanup(void)
2671{
2672 usb_unregister_notify(&usbdev_nb);
2673 cdev_del(&usb_device_cdev);
2674 unregister_chrdev_region(USB_DEVICE_DEV, USB_DEVICE_MAX);
2675}
2676
