1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37#include <linux/fs.h>
38#include <linux/mm.h>
39#include <linux/sched/signal.h>
40#include <linux/slab.h>
41#include <linux/signal.h>
42#include <linux/poll.h>
43#include <linux/module.h>
44#include <linux/string.h>
45#include <linux/usb.h>
46#include <linux/usbdevice_fs.h>
47#include <linux/usb/hcd.h>
48#include <linux/cdev.h>
49#include <linux/notifier.h>
50#include <linux/security.h>
51#include <linux/user_namespace.h>
52#include <linux/scatterlist.h>
53#include <linux/uaccess.h>
54#include <linux/dma-mapping.h>
55#include <asm/byteorder.h>
56#include <linux/moduleparam.h>
57
58#include "usb.h"
59
60#define USB_MAXBUS 64
61#define USB_DEVICE_MAX (USB_MAXBUS * 128)
62#define USB_SG_SIZE 16384
63
64
65DEFINE_MUTEX(usbfs_mutex);
66
67struct usb_dev_state {
68 struct list_head list;
69 struct usb_device *dev;
70 struct file *file;
71 spinlock_t lock;
72 struct list_head async_pending;
73 struct list_head async_completed;
74 struct list_head memory_list;
75 wait_queue_head_t wait;
76 unsigned int discsignr;
77 struct pid *disc_pid;
78 const struct cred *cred;
79 void __user *disccontext;
80 unsigned long ifclaimed;
81 u32 secid;
82 u32 disabled_bulk_eps;
83 bool privileges_dropped;
84 unsigned long interface_allowed_mask;
85};
86
87struct usb_memory {
88 struct list_head memlist;
89 int vma_use_count;
90 int urb_use_count;
91 u32 size;
92 void *mem;
93 dma_addr_t dma_handle;
94 unsigned long vm_start;
95 struct usb_dev_state *ps;
96};
97
98struct async {
99 struct list_head asynclist;
100 struct usb_dev_state *ps;
101 struct pid *pid;
102 const struct cred *cred;
103 unsigned int signr;
104 unsigned int ifnum;
105 void __user *userbuffer;
106 void __user *userurb;
107 struct urb *urb;
108 struct usb_memory *usbm;
109 unsigned int mem_usage;
110 int status;
111 u32 secid;
112 u8 bulk_addr;
113 u8 bulk_status;
114};
115
116static bool usbfs_snoop;
117module_param(usbfs_snoop, bool, S_IRUGO | S_IWUSR);
118MODULE_PARM_DESC(usbfs_snoop, "true to log all usbfs traffic");
119
120static unsigned usbfs_snoop_max = 65536;
121module_param(usbfs_snoop_max, uint, S_IRUGO | S_IWUSR);
122MODULE_PARM_DESC(usbfs_snoop_max,
123 "maximum number of bytes to print while snooping");
124
125#define snoop(dev, format, arg...) \
126 do { \
127 if (usbfs_snoop) \
128 dev_info(dev, format, ## arg); \
129 } while (0)
130
131enum snoop_when {
132 SUBMIT, COMPLETE
133};
134
135#define USB_DEVICE_DEV MKDEV(USB_DEVICE_MAJOR, 0)
136
137
138static u32 usbfs_memory_mb = 16;
139module_param(usbfs_memory_mb, uint, 0644);
140MODULE_PARM_DESC(usbfs_memory_mb,
141 "maximum MB allowed for usbfs buffers (0 = no limit)");
142
143
144#define USBFS_XFER_MAX (UINT_MAX / 2 - 1000000)
145
146static atomic64_t usbfs_memory_usage;
147
148
149static int usbfs_increase_memory_usage(u64 amount)
150{
151 u64 lim;
152
153 lim = ACCESS_ONCE(usbfs_memory_mb);
154 lim <<= 20;
155
156 atomic64_add(amount, &usbfs_memory_usage);
157
158 if (lim > 0 && atomic64_read(&usbfs_memory_usage) > lim) {
159 atomic64_sub(amount, &usbfs_memory_usage);
160 return -ENOMEM;
161 }
162
163 return 0;
164}
165
166
167static void usbfs_decrease_memory_usage(u64 amount)
168{
169 atomic64_sub(amount, &usbfs_memory_usage);
170}
171
172static int connected(struct usb_dev_state *ps)
173{
174 return (!list_empty(&ps->list) &&
175 ps->dev->state != USB_STATE_NOTATTACHED);
176}
177
178static void dec_usb_memory_use_count(struct usb_memory *usbm, int *count)
179{
180 struct usb_dev_state *ps = usbm->ps;
181 unsigned long flags;
182
183 spin_lock_irqsave(&ps->lock, flags);
184 --*count;
185 if (usbm->urb_use_count == 0 && usbm->vma_use_count == 0) {
186 list_del(&usbm->memlist);
187 spin_unlock_irqrestore(&ps->lock, flags);
188
189 usb_free_coherent(ps->dev, usbm->size, usbm->mem,
190 usbm->dma_handle);
191 usbfs_decrease_memory_usage(
192 usbm->size + sizeof(struct usb_memory));
193 kfree(usbm);
194 } else {
195 spin_unlock_irqrestore(&ps->lock, flags);
196 }
197}
198
199static void usbdev_vm_open(struct vm_area_struct *vma)
200{
201 struct usb_memory *usbm = vma->vm_private_data;
202 unsigned long flags;
203
204 spin_lock_irqsave(&usbm->ps->lock, flags);
205 ++usbm->vma_use_count;
206 spin_unlock_irqrestore(&usbm->ps->lock, flags);
207}
208
209static void usbdev_vm_close(struct vm_area_struct *vma)
210{
211 struct usb_memory *usbm = vma->vm_private_data;
212
213 dec_usb_memory_use_count(usbm, &usbm->vma_use_count);
214}
215
216static const struct vm_operations_struct usbdev_vm_ops = {
217 .open = usbdev_vm_open,
218 .close = usbdev_vm_close
219};
220
221static int usbdev_mmap(struct file *file, struct vm_area_struct *vma)
222{
223 struct usb_memory *usbm = NULL;
224 struct usb_dev_state *ps = file->private_data;
225 size_t size = vma->vm_end - vma->vm_start;
226 void *mem;
227 unsigned long flags;
228 dma_addr_t dma_handle;
229 int ret;
230
231 ret = usbfs_increase_memory_usage(size + sizeof(struct usb_memory));
232 if (ret)
233 goto error;
234
235 usbm = kzalloc(sizeof(struct usb_memory), GFP_KERNEL);
236 if (!usbm) {
237 ret = -ENOMEM;
238 goto error_decrease_mem;
239 }
240
241 mem = usb_alloc_coherent(ps->dev, size, GFP_USER | __GFP_NOWARN,
242 &dma_handle);
243 if (!mem) {
244 ret = -ENOMEM;
245 goto error_free_usbm;
246 }
247
248 memset(mem, 0, size);
249
250 usbm->mem = mem;
251 usbm->dma_handle = dma_handle;
252 usbm->size = size;
253 usbm->ps = ps;
254 usbm->vm_start = vma->vm_start;
255 usbm->vma_use_count = 1;
256 INIT_LIST_HEAD(&usbm->memlist);
257
258 if (remap_pfn_range(vma, vma->vm_start,
259 virt_to_phys(usbm->mem) >> PAGE_SHIFT,
260 size, vma->vm_page_prot) < 0) {
261 dec_usb_memory_use_count(usbm, &usbm->vma_use_count);
262 return -EAGAIN;
263 }
264
265 vma->vm_flags |= VM_IO;
266 vma->vm_flags |= (VM_DONTEXPAND | VM_DONTDUMP);
267 vma->vm_ops = &usbdev_vm_ops;
268 vma->vm_private_data = usbm;
269
270 spin_lock_irqsave(&ps->lock, flags);
271 list_add_tail(&usbm->memlist, &ps->memory_list);
272 spin_unlock_irqrestore(&ps->lock, flags);
273
274 return 0;
275
276error_free_usbm:
277 kfree(usbm);
278error_decrease_mem:
279 usbfs_decrease_memory_usage(size + sizeof(struct usb_memory));
280error:
281 return ret;
282}
283
284static ssize_t usbdev_read(struct file *file, char __user *buf, size_t nbytes,
285 loff_t *ppos)
286{
287 struct usb_dev_state *ps = file->private_data;
288 struct usb_device *dev = ps->dev;
289 ssize_t ret = 0;
290 unsigned len;
291 loff_t pos;
292 int i;
293
294 pos = *ppos;
295 usb_lock_device(dev);
296 if (!connected(ps)) {
297 ret = -ENODEV;
298 goto err;
299 } else if (pos < 0) {
300 ret = -EINVAL;
301 goto err;
302 }
303
304 if (pos < sizeof(struct usb_device_descriptor)) {
305
306 struct usb_device_descriptor temp_desc;
307
308 memcpy(&temp_desc, &dev->descriptor, sizeof(dev->descriptor));
309 le16_to_cpus(&temp_desc.bcdUSB);
310 le16_to_cpus(&temp_desc.idVendor);
311 le16_to_cpus(&temp_desc.idProduct);
312 le16_to_cpus(&temp_desc.bcdDevice);
313
314 len = sizeof(struct usb_device_descriptor) - pos;
315 if (len > nbytes)
316 len = nbytes;
317 if (copy_to_user(buf, ((char *)&temp_desc) + pos, len)) {
318 ret = -EFAULT;
319 goto err;
320 }
321
322 *ppos += len;
323 buf += len;
324 nbytes -= len;
325 ret += len;
326 }
327
328 pos = sizeof(struct usb_device_descriptor);
329 for (i = 0; nbytes && i < dev->descriptor.bNumConfigurations; i++) {
330 struct usb_config_descriptor *config =
331 (struct usb_config_descriptor *)dev->rawdescriptors[i];
332 unsigned int length = le16_to_cpu(config->wTotalLength);
333
334 if (*ppos < pos + length) {
335
336
337
338 unsigned alloclen =
339 le16_to_cpu(dev->config[i].desc.wTotalLength);
340
341 len = length - (*ppos - pos);
342 if (len > nbytes)
343 len = nbytes;
344
345
346 if (alloclen > (*ppos - pos)) {
347 alloclen -= (*ppos - pos);
348 if (copy_to_user(buf,
349 dev->rawdescriptors[i] + (*ppos - pos),
350 min(len, alloclen))) {
351 ret = -EFAULT;
352 goto err;
353 }
354 }
355
356 *ppos += len;
357 buf += len;
358 nbytes -= len;
359 ret += len;
360 }
361
362 pos += length;
363 }
364
365err:
366 usb_unlock_device(dev);
367 return ret;
368}
369
370
371
372
373
374static struct async *alloc_async(unsigned int numisoframes)
375{
376 struct async *as;
377
378 as = kzalloc(sizeof(struct async), GFP_KERNEL);
379 if (!as)
380 return NULL;
381 as->urb = usb_alloc_urb(numisoframes, GFP_KERNEL);
382 if (!as->urb) {
383 kfree(as);
384 return NULL;
385 }
386 return as;
387}
388
389static void free_async(struct async *as)
390{
391 int i;
392
393 put_pid(as->pid);
394 if (as->cred)
395 put_cred(as->cred);
396 for (i = 0; i < as->urb->num_sgs; i++) {
397 if (sg_page(&as->urb->sg[i]))
398 kfree(sg_virt(&as->urb->sg[i]));
399 }
400
401 kfree(as->urb->sg);
402 if (as->usbm == NULL)
403 kfree(as->urb->transfer_buffer);
404 else
405 dec_usb_memory_use_count(as->usbm, &as->usbm->urb_use_count);
406
407 kfree(as->urb->setup_packet);
408 usb_free_urb(as->urb);
409 usbfs_decrease_memory_usage(as->mem_usage);
410 kfree(as);
411}
412
413static void async_newpending(struct async *as)
414{
415 struct usb_dev_state *ps = as->ps;
416 unsigned long flags;
417
418 spin_lock_irqsave(&ps->lock, flags);
419 list_add_tail(&as->asynclist, &ps->async_pending);
420 spin_unlock_irqrestore(&ps->lock, flags);
421}
422
423static void async_removepending(struct async *as)
424{
425 struct usb_dev_state *ps = as->ps;
426 unsigned long flags;
427
428 spin_lock_irqsave(&ps->lock, flags);
429 list_del_init(&as->asynclist);
430 spin_unlock_irqrestore(&ps->lock, flags);
431}
432
433static struct async *async_getcompleted(struct usb_dev_state *ps)
434{
435 unsigned long flags;
436 struct async *as = NULL;
437
438 spin_lock_irqsave(&ps->lock, flags);
439 if (!list_empty(&ps->async_completed)) {
440 as = list_entry(ps->async_completed.next, struct async,
441 asynclist);
442 list_del_init(&as->asynclist);
443 }
444 spin_unlock_irqrestore(&ps->lock, flags);
445 return as;
446}
447
448static struct async *async_getpending(struct usb_dev_state *ps,
449 void __user *userurb)
450{
451 struct async *as;
452
453 list_for_each_entry(as, &ps->async_pending, asynclist)
454 if (as->userurb == userurb) {
455 list_del_init(&as->asynclist);
456 return as;
457 }
458
459 return NULL;
460}
461
462static void snoop_urb(struct usb_device *udev,
463 void __user *userurb, int pipe, unsigned length,
464 int timeout_or_status, enum snoop_when when,
465 unsigned char *data, unsigned data_len)
466{
467 static const char *types[] = {"isoc", "int", "ctrl", "bulk"};
468 static const char *dirs[] = {"out", "in"};
469 int ep;
470 const char *t, *d;
471
472 if (!usbfs_snoop)
473 return;
474
475 ep = usb_pipeendpoint(pipe);
476 t = types[usb_pipetype(pipe)];
477 d = dirs[!!usb_pipein(pipe)];
478
479 if (userurb) {
480 if (when == SUBMIT)
481 dev_info(&udev->dev, "userurb %pK, ep%d %s-%s, "
482 "length %u\n",
483 userurb, ep, t, d, length);
484 else
485 dev_info(&udev->dev, "userurb %pK, ep%d %s-%s, "
486 "actual_length %u status %d\n",
487 userurb, ep, t, d, length,
488 timeout_or_status);
489 } else {
490 if (when == SUBMIT)
491 dev_info(&udev->dev, "ep%d %s-%s, length %u, "
492 "timeout %d\n",
493 ep, t, d, length, timeout_or_status);
494 else
495 dev_info(&udev->dev, "ep%d %s-%s, actual_length %u, "
496 "status %d\n",
497 ep, t, d, length, timeout_or_status);
498 }
499
500 data_len = min(data_len, usbfs_snoop_max);
501 if (data && data_len > 0) {
502 print_hex_dump(KERN_DEBUG, "data: ", DUMP_PREFIX_NONE, 32, 1,
503 data, data_len, 1);
504 }
505}
506
507static void snoop_urb_data(struct urb *urb, unsigned len)
508{
509 int i, size;
510
511 len = min(len, usbfs_snoop_max);
512 if (!usbfs_snoop || len == 0)
513 return;
514
515 if (urb->num_sgs == 0) {
516 print_hex_dump(KERN_DEBUG, "data: ", DUMP_PREFIX_NONE, 32, 1,
517 urb->transfer_buffer, len, 1);
518 return;
519 }
520
521 for (i = 0; i < urb->num_sgs && len; i++) {
522 size = (len > USB_SG_SIZE) ? USB_SG_SIZE : len;
523 print_hex_dump(KERN_DEBUG, "data: ", DUMP_PREFIX_NONE, 32, 1,
524 sg_virt(&urb->sg[i]), size, 1);
525 len -= size;
526 }
527}
528
529static int copy_urb_data_to_user(u8 __user *userbuffer, struct urb *urb)
530{
531 unsigned i, len, size;
532
533 if (urb->number_of_packets > 0)
534 len = urb->transfer_buffer_length;
535 else
536 len = urb->actual_length;
537
538 if (urb->num_sgs == 0) {
539 if (copy_to_user(userbuffer, urb->transfer_buffer, len))
540 return -EFAULT;
541 return 0;
542 }
543
544 for (i = 0; i < urb->num_sgs && len; i++) {
545 size = (len > USB_SG_SIZE) ? USB_SG_SIZE : len;
546 if (copy_to_user(userbuffer, sg_virt(&urb->sg[i]), size))
547 return -EFAULT;
548 userbuffer += size;
549 len -= size;
550 }
551
552 return 0;
553}
554
555#define AS_CONTINUATION 1
556#define AS_UNLINK 2
557
558static void cancel_bulk_urbs(struct usb_dev_state *ps, unsigned bulk_addr)
559__releases(ps->lock)
560__acquires(ps->lock)
561{
562 struct urb *urb;
563 struct async *as;
564
565
566
567
568
569
570 list_for_each_entry(as, &ps->async_pending, asynclist) {
571 if (as->bulk_addr == bulk_addr) {
572 if (as->bulk_status != AS_CONTINUATION)
573 goto rescan;
574 as->bulk_status = AS_UNLINK;
575 as->bulk_addr = 0;
576 }
577 }
578 ps->disabled_bulk_eps |= (1 << bulk_addr);
579
580
581 rescan:
582 list_for_each_entry(as, &ps->async_pending, asynclist) {
583 if (as->bulk_status == AS_UNLINK) {
584 as->bulk_status = 0;
585 urb = as->urb;
586 usb_get_urb(urb);
587 spin_unlock(&ps->lock);
588 usb_unlink_urb(urb);
589 usb_put_urb(urb);
590 spin_lock(&ps->lock);
591 goto rescan;
592 }
593 }
594}
595
596static void async_completed(struct urb *urb)
597{
598 struct async *as = urb->context;
599 struct usb_dev_state *ps = as->ps;
600 struct siginfo sinfo;
601 struct pid *pid = NULL;
602 u32 secid = 0;
603 const struct cred *cred = NULL;
604 int signr;
605
606 spin_lock(&ps->lock);
607 list_move_tail(&as->asynclist, &ps->async_completed);
608 as->status = urb->status;
609 signr = as->signr;
610 if (signr) {
611 memset(&sinfo, 0, sizeof(sinfo));
612 sinfo.si_signo = as->signr;
613 sinfo.si_errno = as->status;
614 sinfo.si_code = SI_ASYNCIO;
615 sinfo.si_addr = as->userurb;
616 pid = get_pid(as->pid);
617 cred = get_cred(as->cred);
618 secid = as->secid;
619 }
620 snoop(&urb->dev->dev, "urb complete\n");
621 snoop_urb(urb->dev, as->userurb, urb->pipe, urb->actual_length,
622 as->status, COMPLETE, NULL, 0);
623 if ((urb->transfer_flags & URB_DIR_MASK) == URB_DIR_IN)
624 snoop_urb_data(urb, urb->actual_length);
625
626 if (as->status < 0 && as->bulk_addr && as->status != -ECONNRESET &&
627 as->status != -ENOENT)
628 cancel_bulk_urbs(ps, as->bulk_addr);
629
630 wake_up(&ps->wait);
631 spin_unlock(&ps->lock);
632
633 if (signr) {
634 kill_pid_info_as_cred(sinfo.si_signo, &sinfo, pid, cred, secid);
635 put_pid(pid);
636 put_cred(cred);
637 }
638}
639
640static void destroy_async(struct usb_dev_state *ps, struct list_head *list)
641{
642 struct urb *urb;
643 struct async *as;
644 unsigned long flags;
645
646 spin_lock_irqsave(&ps->lock, flags);
647 while (!list_empty(list)) {
648 as = list_entry(list->next, struct async, asynclist);
649 list_del_init(&as->asynclist);
650 urb = as->urb;
651 usb_get_urb(urb);
652
653
654 spin_unlock_irqrestore(&ps->lock, flags);
655 usb_kill_urb(urb);
656 usb_put_urb(urb);
657 spin_lock_irqsave(&ps->lock, flags);
658 }
659 spin_unlock_irqrestore(&ps->lock, flags);
660}
661
662static void destroy_async_on_interface(struct usb_dev_state *ps,
663 unsigned int ifnum)
664{
665 struct list_head *p, *q, hitlist;
666 unsigned long flags;
667
668 INIT_LIST_HEAD(&hitlist);
669 spin_lock_irqsave(&ps->lock, flags);
670 list_for_each_safe(p, q, &ps->async_pending)
671 if (ifnum == list_entry(p, struct async, asynclist)->ifnum)
672 list_move_tail(p, &hitlist);
673 spin_unlock_irqrestore(&ps->lock, flags);
674 destroy_async(ps, &hitlist);
675}
676
677static void destroy_all_async(struct usb_dev_state *ps)
678{
679 destroy_async(ps, &ps->async_pending);
680}
681
682
683
684
685
686
687
688static int driver_probe(struct usb_interface *intf,
689 const struct usb_device_id *id)
690{
691 return -ENODEV;
692}
693
694static void driver_disconnect(struct usb_interface *intf)
695{
696 struct usb_dev_state *ps = usb_get_intfdata(intf);
697 unsigned int ifnum = intf->altsetting->desc.bInterfaceNumber;
698
699 if (!ps)
700 return;
701
702
703
704
705
706 if (likely(ifnum < 8*sizeof(ps->ifclaimed)))
707 clear_bit(ifnum, &ps->ifclaimed);
708 else
709 dev_warn(&intf->dev, "interface number %u out of range\n",
710 ifnum);
711
712 usb_set_intfdata(intf, NULL);
713
714
715 destroy_async_on_interface(ps, ifnum);
716}
717
718
719
720
721static int driver_suspend(struct usb_interface *intf, pm_message_t msg)
722{
723 return 0;
724}
725
726static int driver_resume(struct usb_interface *intf)
727{
728 return 0;
729}
730
731struct usb_driver usbfs_driver = {
732 .name = "usbfs",
733 .probe = driver_probe,
734 .disconnect = driver_disconnect,
735 .suspend = driver_suspend,
736 .resume = driver_resume,
737};
738
739static int claimintf(struct usb_dev_state *ps, unsigned int ifnum)
740{
741 struct usb_device *dev = ps->dev;
742 struct usb_interface *intf;
743 int err;
744
745 if (ifnum >= 8*sizeof(ps->ifclaimed))
746 return -EINVAL;
747
748 if (test_bit(ifnum, &ps->ifclaimed))
749 return 0;
750
751 if (ps->privileges_dropped &&
752 !test_bit(ifnum, &ps->interface_allowed_mask))
753 return -EACCES;
754
755 intf = usb_ifnum_to_if(dev, ifnum);
756 if (!intf)
757 err = -ENOENT;
758 else
759 err = usb_driver_claim_interface(&usbfs_driver, intf, ps);
760 if (err == 0)
761 set_bit(ifnum, &ps->ifclaimed);
762 return err;
763}
764
765static int releaseintf(struct usb_dev_state *ps, unsigned int ifnum)
766{
767 struct usb_device *dev;
768 struct usb_interface *intf;
769 int err;
770
771 err = -EINVAL;
772 if (ifnum >= 8*sizeof(ps->ifclaimed))
773 return err;
774 dev = ps->dev;
775 intf = usb_ifnum_to_if(dev, ifnum);
776 if (!intf)
777 err = -ENOENT;
778 else if (test_and_clear_bit(ifnum, &ps->ifclaimed)) {
779 usb_driver_release_interface(&usbfs_driver, intf);
780 err = 0;
781 }
782 return err;
783}
784
785static int checkintf(struct usb_dev_state *ps, unsigned int ifnum)
786{
787 if (ps->dev->state != USB_STATE_CONFIGURED)
788 return -EHOSTUNREACH;
789 if (ifnum >= 8*sizeof(ps->ifclaimed))
790 return -EINVAL;
791 if (test_bit(ifnum, &ps->ifclaimed))
792 return 0;
793
794 dev_warn(&ps->dev->dev, "usbfs: process %d (%s) did not claim "
795 "interface %u before use\n", task_pid_nr(current),
796 current->comm, ifnum);
797 return claimintf(ps, ifnum);
798}
799
800static int findintfep(struct usb_device *dev, unsigned int ep)
801{
802 unsigned int i, j, e;
803 struct usb_interface *intf;
804 struct usb_host_interface *alts;
805 struct usb_endpoint_descriptor *endpt;
806
807 if (ep & ~(USB_DIR_IN|0xf))
808 return -EINVAL;
809 if (!dev->actconfig)
810 return -ESRCH;
811 for (i = 0; i < dev->actconfig->desc.bNumInterfaces; i++) {
812 intf = dev->actconfig->interface[i];
813 for (j = 0; j < intf->num_altsetting; j++) {
814 alts = &intf->altsetting[j];
815 for (e = 0; e < alts->desc.bNumEndpoints; e++) {
816 endpt = &alts->endpoint[e].desc;
817 if (endpt->bEndpointAddress == ep)
818 return alts->desc.bInterfaceNumber;
819 }
820 }
821 }
822 return -ENOENT;
823}
824
825static int check_ctrlrecip(struct usb_dev_state *ps, unsigned int requesttype,
826 unsigned int request, unsigned int index)
827{
828 int ret = 0;
829 struct usb_host_interface *alt_setting;
830
831 if (ps->dev->state != USB_STATE_UNAUTHENTICATED
832 && ps->dev->state != USB_STATE_ADDRESS
833 && ps->dev->state != USB_STATE_CONFIGURED)
834 return -EHOSTUNREACH;
835 if (USB_TYPE_VENDOR == (USB_TYPE_MASK & requesttype))
836 return 0;
837
838
839
840
841
842
843 if (requesttype == 0xa1 && request == 0) {
844 alt_setting = usb_find_alt_setting(ps->dev->actconfig,
845 index >> 8, index & 0xff);
846 if (alt_setting
847 && alt_setting->desc.bInterfaceClass == USB_CLASS_PRINTER)
848 return 0;
849 }
850
851 index &= 0xff;
852 switch (requesttype & USB_RECIP_MASK) {
853 case USB_RECIP_ENDPOINT:
854 if ((index & ~USB_DIR_IN) == 0)
855 return 0;
856 ret = findintfep(ps->dev, index);
857 if (ret < 0) {
858
859
860
861
862
863
864
865
866 ret = findintfep(ps->dev, index ^ 0x80);
867 if (ret >= 0)
868 dev_info(&ps->dev->dev,
869 "%s: process %i (%s) requesting ep %02x but needs %02x\n",
870 __func__, task_pid_nr(current),
871 current->comm, index, index ^ 0x80);
872 }
873 if (ret >= 0)
874 ret = checkintf(ps, ret);
875 break;
876
877 case USB_RECIP_INTERFACE:
878 ret = checkintf(ps, index);
879 break;
880 }
881 return ret;
882}
883
884static struct usb_host_endpoint *ep_to_host_endpoint(struct usb_device *dev,
885 unsigned char ep)
886{
887 if (ep & USB_ENDPOINT_DIR_MASK)
888 return dev->ep_in[ep & USB_ENDPOINT_NUMBER_MASK];
889 else
890 return dev->ep_out[ep & USB_ENDPOINT_NUMBER_MASK];
891}
892
893static int parse_usbdevfs_streams(struct usb_dev_state *ps,
894 struct usbdevfs_streams __user *streams,
895 unsigned int *num_streams_ret,
896 unsigned int *num_eps_ret,
897 struct usb_host_endpoint ***eps_ret,
898 struct usb_interface **intf_ret)
899{
900 unsigned int i, num_streams, num_eps;
901 struct usb_host_endpoint **eps;
902 struct usb_interface *intf = NULL;
903 unsigned char ep;
904 int ifnum, ret;
905
906 if (get_user(num_streams, &streams->num_streams) ||
907 get_user(num_eps, &streams->num_eps))
908 return -EFAULT;
909
910 if (num_eps < 1 || num_eps > USB_MAXENDPOINTS)
911 return -EINVAL;
912
913
914 if (num_streams_ret && (num_streams < 2 || num_streams > 65536))
915 return -EINVAL;
916
917 eps = kmalloc(num_eps * sizeof(*eps), GFP_KERNEL);
918 if (!eps)
919 return -ENOMEM;
920
921 for (i = 0; i < num_eps; i++) {
922 if (get_user(ep, &streams->eps[i])) {
923 ret = -EFAULT;
924 goto error;
925 }
926 eps[i] = ep_to_host_endpoint(ps->dev, ep);
927 if (!eps[i]) {
928 ret = -EINVAL;
929 goto error;
930 }
931
932
933 ifnum = findintfep(ps->dev, ep);
934 if (ifnum < 0) {
935 ret = ifnum;
936 goto error;
937 }
938
939 if (i == 0) {
940 ret = checkintf(ps, ifnum);
941 if (ret < 0)
942 goto error;
943 intf = usb_ifnum_to_if(ps->dev, ifnum);
944 } else {
945
946 if (ifnum != intf->altsetting->desc.bInterfaceNumber) {
947 ret = -EINVAL;
948 goto error;
949 }
950 }
951 }
952
953 if (num_streams_ret)
954 *num_streams_ret = num_streams;
955 *num_eps_ret = num_eps;
956 *eps_ret = eps;
957 *intf_ret = intf;
958
959 return 0;
960
961error:
962 kfree(eps);
963 return ret;
964}
965
966static int match_devt(struct device *dev, void *data)
967{
968 return dev->devt == (dev_t) (unsigned long) data;
969}
970
971static struct usb_device *usbdev_lookup_by_devt(dev_t devt)
972{
973 struct device *dev;
974
975 dev = bus_find_device(&usb_bus_type, NULL,
976 (void *) (unsigned long) devt, match_devt);
977 if (!dev)
978 return NULL;
979 return to_usb_device(dev);
980}
981
982
983
984
985static int usbdev_open(struct inode *inode, struct file *file)
986{
987 struct usb_device *dev = NULL;
988 struct usb_dev_state *ps;
989 int ret;
990
991 ret = -ENOMEM;
992 ps = kzalloc(sizeof(struct usb_dev_state), GFP_KERNEL);
993 if (!ps)
994 goto out_free_ps;
995
996 ret = -ENODEV;
997
998
999 mutex_lock(&usbfs_mutex);
1000
1001
1002 if (imajor(inode) == USB_DEVICE_MAJOR)
1003 dev = usbdev_lookup_by_devt(inode->i_rdev);
1004
1005 mutex_unlock(&usbfs_mutex);
1006
1007 if (!dev)
1008 goto out_free_ps;
1009
1010 usb_lock_device(dev);
1011 if (dev->state == USB_STATE_NOTATTACHED)
1012 goto out_unlock_device;
1013
1014 ret = usb_autoresume_device(dev);
1015 if (ret)
1016 goto out_unlock_device;
1017
1018 ps->dev = dev;
1019 ps->file = file;
1020 ps->interface_allowed_mask = 0xFFFFFFFF;
1021 spin_lock_init(&ps->lock);
1022 INIT_LIST_HEAD(&ps->list);
1023 INIT_LIST_HEAD(&ps->async_pending);
1024 INIT_LIST_HEAD(&ps->async_completed);
1025 INIT_LIST_HEAD(&ps->memory_list);
1026 init_waitqueue_head(&ps->wait);
1027 ps->disc_pid = get_pid(task_pid(current));
1028 ps->cred = get_current_cred();
1029 security_task_getsecid(current, &ps->secid);
1030 smp_wmb();
1031 list_add_tail(&ps->list, &dev->filelist);
1032 file->private_data = ps;
1033 usb_unlock_device(dev);
1034 snoop(&dev->dev, "opened by process %d: %s\n", task_pid_nr(current),
1035 current->comm);
1036 return ret;
1037
1038 out_unlock_device:
1039 usb_unlock_device(dev);
1040 usb_put_dev(dev);
1041 out_free_ps:
1042 kfree(ps);
1043 return ret;
1044}
1045
1046static int usbdev_release(struct inode *inode, struct file *file)
1047{
1048 struct usb_dev_state *ps = file->private_data;
1049 struct usb_device *dev = ps->dev;
1050 unsigned int ifnum;
1051 struct async *as;
1052
1053 usb_lock_device(dev);
1054 usb_hub_release_all_ports(dev, ps);
1055
1056 list_del_init(&ps->list);
1057
1058 for (ifnum = 0; ps->ifclaimed && ifnum < 8*sizeof(ps->ifclaimed);
1059 ifnum++) {
1060 if (test_bit(ifnum, &ps->ifclaimed))
1061 releaseintf(ps, ifnum);
1062 }
1063 destroy_all_async(ps);
1064 usb_autosuspend_device(dev);
1065 usb_unlock_device(dev);
1066 usb_put_dev(dev);
1067 put_pid(ps->disc_pid);
1068 put_cred(ps->cred);
1069
1070 as = async_getcompleted(ps);
1071 while (as) {
1072 free_async(as);
1073 as = async_getcompleted(ps);
1074 }
1075
1076 kfree(ps);
1077 return 0;
1078}
1079
1080static int proc_control(struct usb_dev_state *ps, void __user *arg)
1081{
1082 struct usb_device *dev = ps->dev;
1083 struct usbdevfs_ctrltransfer ctrl;
1084 unsigned int tmo;
1085 unsigned char *tbuf;
1086 unsigned wLength;
1087 int i, pipe, ret;
1088
1089 if (copy_from_user(&ctrl, arg, sizeof(ctrl)))
1090 return -EFAULT;
1091 ret = check_ctrlrecip(ps, ctrl.bRequestType, ctrl.bRequest,
1092 ctrl.wIndex);
1093 if (ret)
1094 return ret;
1095 wLength = ctrl.wLength;
1096 if (wLength > PAGE_SIZE)
1097 return -EINVAL;
1098 ret = usbfs_increase_memory_usage(PAGE_SIZE + sizeof(struct urb) +
1099 sizeof(struct usb_ctrlrequest));
1100 if (ret)
1101 return ret;
1102 tbuf = (unsigned char *)__get_free_page(GFP_KERNEL);
1103 if (!tbuf) {
1104 ret = -ENOMEM;
1105 goto done;
1106 }
1107 tmo = ctrl.timeout;
1108 snoop(&dev->dev, "control urb: bRequestType=%02x "
1109 "bRequest=%02x wValue=%04x "
1110 "wIndex=%04x wLength=%04x\n",
1111 ctrl.bRequestType, ctrl.bRequest, ctrl.wValue,
1112 ctrl.wIndex, ctrl.wLength);
1113 if (ctrl.bRequestType & 0x80) {
1114 if (ctrl.wLength && !access_ok(VERIFY_WRITE, ctrl.data,
1115 ctrl.wLength)) {
1116 ret = -EINVAL;
1117 goto done;
1118 }
1119 pipe = usb_rcvctrlpipe(dev, 0);
1120 snoop_urb(dev, NULL, pipe, ctrl.wLength, tmo, SUBMIT, NULL, 0);
1121
1122 usb_unlock_device(dev);
1123 i = usb_control_msg(dev, pipe, ctrl.bRequest,
1124 ctrl.bRequestType, ctrl.wValue, ctrl.wIndex,
1125 tbuf, ctrl.wLength, tmo);
1126 usb_lock_device(dev);
1127 snoop_urb(dev, NULL, pipe, max(i, 0), min(i, 0), COMPLETE,
1128 tbuf, max(i, 0));
1129 if ((i > 0) && ctrl.wLength) {
1130 if (copy_to_user(ctrl.data, tbuf, i)) {
1131 ret = -EFAULT;
1132 goto done;
1133 }
1134 }
1135 } else {
1136 if (ctrl.wLength) {
1137 if (copy_from_user(tbuf, ctrl.data, ctrl.wLength)) {
1138 ret = -EFAULT;
1139 goto done;
1140 }
1141 }
1142 pipe = usb_sndctrlpipe(dev, 0);
1143 snoop_urb(dev, NULL, pipe, ctrl.wLength, tmo, SUBMIT,
1144 tbuf, ctrl.wLength);
1145
1146 usb_unlock_device(dev);
1147 i = usb_control_msg(dev, usb_sndctrlpipe(dev, 0), ctrl.bRequest,
1148 ctrl.bRequestType, ctrl.wValue, ctrl.wIndex,
1149 tbuf, ctrl.wLength, tmo);
1150 usb_lock_device(dev);
1151 snoop_urb(dev, NULL, pipe, max(i, 0), min(i, 0), COMPLETE, NULL, 0);
1152 }
1153 if (i < 0 && i != -EPIPE) {
1154 dev_printk(KERN_DEBUG, &dev->dev, "usbfs: USBDEVFS_CONTROL "
1155 "failed cmd %s rqt %u rq %u len %u ret %d\n",
1156 current->comm, ctrl.bRequestType, ctrl.bRequest,
1157 ctrl.wLength, i);
1158 }
1159 ret = i;
1160 done:
1161 free_page((unsigned long) tbuf);
1162 usbfs_decrease_memory_usage(PAGE_SIZE + sizeof(struct urb) +
1163 sizeof(struct usb_ctrlrequest));
1164 return ret;
1165}
1166
1167static int proc_bulk(struct usb_dev_state *ps, void __user *arg)
1168{
1169 struct usb_device *dev = ps->dev;
1170 struct usbdevfs_bulktransfer bulk;
1171 unsigned int tmo, len1, pipe;
1172 int len2;
1173 unsigned char *tbuf;
1174 int i, ret;
1175
1176 if (copy_from_user(&bulk, arg, sizeof(bulk)))
1177 return -EFAULT;
1178 ret = findintfep(ps->dev, bulk.ep);
1179 if (ret < 0)
1180 return ret;
1181 ret = checkintf(ps, ret);
1182 if (ret)
1183 return ret;
1184 if (bulk.ep & USB_DIR_IN)
1185 pipe = usb_rcvbulkpipe(dev, bulk.ep & 0x7f);
1186 else
1187 pipe = usb_sndbulkpipe(dev, bulk.ep & 0x7f);
1188 if (!usb_maxpacket(dev, pipe, !(bulk.ep & USB_DIR_IN)))
1189 return -EINVAL;
1190 len1 = bulk.len;
1191 if (len1 >= (INT_MAX - sizeof(struct urb)))
1192 return -EINVAL;
1193 ret = usbfs_increase_memory_usage(len1 + sizeof(struct urb));
1194 if (ret)
1195 return ret;
1196 tbuf = kmalloc(len1, GFP_KERNEL);
1197 if (!tbuf) {
1198 ret = -ENOMEM;
1199 goto done;
1200 }
1201 tmo = bulk.timeout;
1202 if (bulk.ep & 0x80) {
1203 if (len1 && !access_ok(VERIFY_WRITE, bulk.data, len1)) {
1204 ret = -EINVAL;
1205 goto done;
1206 }
1207 snoop_urb(dev, NULL, pipe, len1, tmo, SUBMIT, NULL, 0);
1208
1209 usb_unlock_device(dev);
1210 i = usb_bulk_msg(dev, pipe, tbuf, len1, &len2, tmo);
1211 usb_lock_device(dev);
1212 snoop_urb(dev, NULL, pipe, len2, i, COMPLETE, tbuf, len2);
1213
1214 if (!i && len2) {
1215 if (copy_to_user(bulk.data, tbuf, len2)) {
1216 ret = -EFAULT;
1217 goto done;
1218 }
1219 }
1220 } else {
1221 if (len1) {
1222 if (copy_from_user(tbuf, bulk.data, len1)) {
1223 ret = -EFAULT;
1224 goto done;
1225 }
1226 }
1227 snoop_urb(dev, NULL, pipe, len1, tmo, SUBMIT, tbuf, len1);
1228
1229 usb_unlock_device(dev);
1230 i = usb_bulk_msg(dev, pipe, tbuf, len1, &len2, tmo);
1231 usb_lock_device(dev);
1232 snoop_urb(dev, NULL, pipe, len2, i, COMPLETE, NULL, 0);
1233 }
1234 ret = (i < 0 ? i : len2);
1235 done:
1236 kfree(tbuf);
1237 usbfs_decrease_memory_usage(len1 + sizeof(struct urb));
1238 return ret;
1239}
1240
1241static void check_reset_of_active_ep(struct usb_device *udev,
1242 unsigned int epnum, char *ioctl_name)
1243{
1244 struct usb_host_endpoint **eps;
1245 struct usb_host_endpoint *ep;
1246
1247 eps = (epnum & USB_DIR_IN) ? udev->ep_in : udev->ep_out;
1248 ep = eps[epnum & 0x0f];
1249 if (ep && !list_empty(&ep->urb_list))
1250 dev_warn(&udev->dev, "Process %d (%s) called USBDEVFS_%s for active endpoint 0x%02x\n",
1251 task_pid_nr(current), current->comm,
1252 ioctl_name, epnum);
1253}
1254
1255static int proc_resetep(struct usb_dev_state *ps, void __user *arg)
1256{
1257 unsigned int ep;
1258 int ret;
1259
1260 if (get_user(ep, (unsigned int __user *)arg))
1261 return -EFAULT;
1262 ret = findintfep(ps->dev, ep);
1263 if (ret < 0)
1264 return ret;
1265 ret = checkintf(ps, ret);
1266 if (ret)
1267 return ret;
1268 check_reset_of_active_ep(ps->dev, ep, "RESETEP");
1269 usb_reset_endpoint(ps->dev, ep);
1270 return 0;
1271}
1272
1273static int proc_clearhalt(struct usb_dev_state *ps, void __user *arg)
1274{
1275 unsigned int ep;
1276 int pipe;
1277 int ret;
1278
1279 if (get_user(ep, (unsigned int __user *)arg))
1280 return -EFAULT;
1281 ret = findintfep(ps->dev, ep);
1282 if (ret < 0)
1283 return ret;
1284 ret = checkintf(ps, ret);
1285 if (ret)
1286 return ret;
1287 check_reset_of_active_ep(ps->dev, ep, "CLEAR_HALT");
1288 if (ep & USB_DIR_IN)
1289 pipe = usb_rcvbulkpipe(ps->dev, ep & 0x7f);
1290 else
1291 pipe = usb_sndbulkpipe(ps->dev, ep & 0x7f);
1292
1293 return usb_clear_halt(ps->dev, pipe);
1294}
1295
1296static int proc_getdriver(struct usb_dev_state *ps, void __user *arg)
1297{
1298 struct usbdevfs_getdriver gd;
1299 struct usb_interface *intf;
1300 int ret;
1301
1302 if (copy_from_user(&gd, arg, sizeof(gd)))
1303 return -EFAULT;
1304 intf = usb_ifnum_to_if(ps->dev, gd.interface);
1305 if (!intf || !intf->dev.driver)
1306 ret = -ENODATA;
1307 else {
1308 strlcpy(gd.driver, intf->dev.driver->name,
1309 sizeof(gd.driver));
1310 ret = (copy_to_user(arg, &gd, sizeof(gd)) ? -EFAULT : 0);
1311 }
1312 return ret;
1313}
1314
1315static int proc_connectinfo(struct usb_dev_state *ps, void __user *arg)
1316{
1317 struct usbdevfs_connectinfo ci;
1318
1319 memset(&ci, 0, sizeof(ci));
1320 ci.devnum = ps->dev->devnum;
1321 ci.slow = ps->dev->speed == USB_SPEED_LOW;
1322
1323 if (copy_to_user(arg, &ci, sizeof(ci)))
1324 return -EFAULT;
1325 return 0;
1326}
1327
1328static int proc_resetdevice(struct usb_dev_state *ps)
1329{
1330 struct usb_host_config *actconfig = ps->dev->actconfig;
1331 struct usb_interface *interface;
1332 int i, number;
1333
1334
1335
1336
1337
1338 if (ps->privileges_dropped && actconfig) {
1339 for (i = 0; i < actconfig->desc.bNumInterfaces; ++i) {
1340 interface = actconfig->interface[i];
1341 number = interface->cur_altsetting->desc.bInterfaceNumber;
1342 if (usb_interface_claimed(interface) &&
1343 !test_bit(number, &ps->ifclaimed)) {
1344 dev_warn(&ps->dev->dev,
1345 "usbfs: interface %d claimed by %s while '%s' resets device\n",
1346 number, interface->dev.driver->name, current->comm);
1347 return -EACCES;
1348 }
1349 }
1350 }
1351
1352 return usb_reset_device(ps->dev);
1353}
1354
1355static int proc_setintf(struct usb_dev_state *ps, void __user *arg)
1356{
1357 struct usbdevfs_setinterface setintf;
1358 int ret;
1359
1360 if (copy_from_user(&setintf, arg, sizeof(setintf)))
1361 return -EFAULT;
1362 ret = checkintf(ps, setintf.interface);
1363 if (ret)
1364 return ret;
1365
1366 destroy_async_on_interface(ps, setintf.interface);
1367
1368 return usb_set_interface(ps->dev, setintf.interface,
1369 setintf.altsetting);
1370}
1371
1372static int proc_setconfig(struct usb_dev_state *ps, void __user *arg)
1373{
1374 int u;
1375 int status = 0;
1376 struct usb_host_config *actconfig;
1377
1378 if (get_user(u, (int __user *)arg))
1379 return -EFAULT;
1380
1381 actconfig = ps->dev->actconfig;
1382
1383
1384
1385
1386
1387 if (actconfig) {
1388 int i;
1389
1390 for (i = 0; i < actconfig->desc.bNumInterfaces; ++i) {
1391 if (usb_interface_claimed(actconfig->interface[i])) {
1392 dev_warn(&ps->dev->dev,
1393 "usbfs: interface %d claimed by %s "
1394 "while '%s' sets config #%d\n",
1395 actconfig->interface[i]
1396 ->cur_altsetting
1397 ->desc.bInterfaceNumber,
1398 actconfig->interface[i]
1399 ->dev.driver->name,
1400 current->comm, u);
1401 status = -EBUSY;
1402 break;
1403 }
1404 }
1405 }
1406
1407
1408
1409
1410 if (status == 0) {
1411 if (actconfig && actconfig->desc.bConfigurationValue == u)
1412 status = usb_reset_configuration(ps->dev);
1413 else
1414 status = usb_set_configuration(ps->dev, u);
1415 }
1416
1417 return status;
1418}
1419
1420static struct usb_memory *
1421find_memory_area(struct usb_dev_state *ps, const struct usbdevfs_urb *uurb)
1422{
1423 struct usb_memory *usbm = NULL, *iter;
1424 unsigned long flags;
1425 unsigned long uurb_start = (unsigned long)uurb->buffer;
1426
1427 spin_lock_irqsave(&ps->lock, flags);
1428 list_for_each_entry(iter, &ps->memory_list, memlist) {
1429 if (uurb_start >= iter->vm_start &&
1430 uurb_start < iter->vm_start + iter->size) {
1431 if (uurb->buffer_length > iter->vm_start + iter->size -
1432 uurb_start) {
1433 usbm = ERR_PTR(-EINVAL);
1434 } else {
1435 usbm = iter;
1436 usbm->urb_use_count++;
1437 }
1438 break;
1439 }
1440 }
1441 spin_unlock_irqrestore(&ps->lock, flags);
1442 return usbm;
1443}
1444
1445static int proc_do_submiturb(struct usb_dev_state *ps, struct usbdevfs_urb *uurb,
1446 struct usbdevfs_iso_packet_desc __user *iso_frame_desc,
1447 void __user *arg)
1448{
1449 struct usbdevfs_iso_packet_desc *isopkt = NULL;
1450 struct usb_host_endpoint *ep;
1451 struct async *as = NULL;
1452 struct usb_ctrlrequest *dr = NULL;
1453 unsigned int u, totlen, isofrmlen;
1454 int i, ret, is_in, num_sgs = 0, ifnum = -1;
1455 int number_of_packets = 0;
1456 unsigned int stream_id = 0;
1457 void *buf;
1458
1459 if (uurb->flags & ~(USBDEVFS_URB_ISO_ASAP |
1460 USBDEVFS_URB_SHORT_NOT_OK |
1461 USBDEVFS_URB_BULK_CONTINUATION |
1462 USBDEVFS_URB_NO_FSBR |
1463 USBDEVFS_URB_ZERO_PACKET |
1464 USBDEVFS_URB_NO_INTERRUPT))
1465 return -EINVAL;
1466 if ((unsigned int)uurb->buffer_length >= USBFS_XFER_MAX)
1467 return -EINVAL;
1468 if (uurb->buffer_length > 0 && !uurb->buffer)
1469 return -EINVAL;
1470 if (!(uurb->type == USBDEVFS_URB_TYPE_CONTROL &&
1471 (uurb->endpoint & ~USB_ENDPOINT_DIR_MASK) == 0)) {
1472 ifnum = findintfep(ps->dev, uurb->endpoint);
1473 if (ifnum < 0)
1474 return ifnum;
1475 ret = checkintf(ps, ifnum);
1476 if (ret)
1477 return ret;
1478 }
1479 ep = ep_to_host_endpoint(ps->dev, uurb->endpoint);
1480 if (!ep)
1481 return -ENOENT;
1482 is_in = (uurb->endpoint & USB_ENDPOINT_DIR_MASK) != 0;
1483
1484 u = 0;
1485 switch (uurb->type) {
1486 case USBDEVFS_URB_TYPE_CONTROL:
1487 if (!usb_endpoint_xfer_control(&ep->desc))
1488 return -EINVAL;
1489
1490 if (uurb->buffer_length < 8)
1491 return -EINVAL;
1492 dr = kmalloc(sizeof(struct usb_ctrlrequest), GFP_KERNEL);
1493 if (!dr)
1494 return -ENOMEM;
1495 if (copy_from_user(dr, uurb->buffer, 8)) {
1496 ret = -EFAULT;
1497 goto error;
1498 }
1499 if (uurb->buffer_length < (le16_to_cpup(&dr->wLength) + 8)) {
1500 ret = -EINVAL;
1501 goto error;
1502 }
1503 ret = check_ctrlrecip(ps, dr->bRequestType, dr->bRequest,
1504 le16_to_cpup(&dr->wIndex));
1505 if (ret)
1506 goto error;
1507 uurb->buffer_length = le16_to_cpup(&dr->wLength);
1508 uurb->buffer += 8;
1509 if ((dr->bRequestType & USB_DIR_IN) && uurb->buffer_length) {
1510 is_in = 1;
1511 uurb->endpoint |= USB_DIR_IN;
1512 } else {
1513 is_in = 0;
1514 uurb->endpoint &= ~USB_DIR_IN;
1515 }
1516 snoop(&ps->dev->dev, "control urb: bRequestType=%02x "
1517 "bRequest=%02x wValue=%04x "
1518 "wIndex=%04x wLength=%04x\n",
1519 dr->bRequestType, dr->bRequest,
1520 __le16_to_cpup(&dr->wValue),
1521 __le16_to_cpup(&dr->wIndex),
1522 __le16_to_cpup(&dr->wLength));
1523 u = sizeof(struct usb_ctrlrequest);
1524 break;
1525
1526 case USBDEVFS_URB_TYPE_BULK:
1527 switch (usb_endpoint_type(&ep->desc)) {
1528 case USB_ENDPOINT_XFER_CONTROL:
1529 case USB_ENDPOINT_XFER_ISOC:
1530 return -EINVAL;
1531 case USB_ENDPOINT_XFER_INT:
1532
1533 uurb->type = USBDEVFS_URB_TYPE_INTERRUPT;
1534 goto interrupt_urb;
1535 }
1536 num_sgs = DIV_ROUND_UP(uurb->buffer_length, USB_SG_SIZE);
1537 if (num_sgs == 1 || num_sgs > ps->dev->bus->sg_tablesize)
1538 num_sgs = 0;
1539 if (ep->streams)
1540 stream_id = uurb->stream_id;
1541 break;
1542
1543 case USBDEVFS_URB_TYPE_INTERRUPT:
1544 if (!usb_endpoint_xfer_int(&ep->desc))
1545 return -EINVAL;
1546 interrupt_urb:
1547 break;
1548
1549 case USBDEVFS_URB_TYPE_ISO:
1550
1551 if (uurb->number_of_packets < 1 ||
1552 uurb->number_of_packets > 128)
1553 return -EINVAL;
1554 if (!usb_endpoint_xfer_isoc(&ep->desc))
1555 return -EINVAL;
1556 number_of_packets = uurb->number_of_packets;
1557 isofrmlen = sizeof(struct usbdevfs_iso_packet_desc) *
1558 number_of_packets;
1559 isopkt = memdup_user(iso_frame_desc, isofrmlen);
1560 if (IS_ERR(isopkt)) {
1561 ret = PTR_ERR(isopkt);
1562 isopkt = NULL;
1563 goto error;
1564 }
1565 for (totlen = u = 0; u < number_of_packets; u++) {
1566
1567
1568
1569
1570
1571
1572 if (isopkt[u].length > 49152) {
1573 ret = -EINVAL;
1574 goto error;
1575 }
1576 totlen += isopkt[u].length;
1577 }
1578 u *= sizeof(struct usb_iso_packet_descriptor);
1579 uurb->buffer_length = totlen;
1580 break;
1581
1582 default:
1583 return -EINVAL;
1584 }
1585
1586 if (uurb->buffer_length > 0 &&
1587 !access_ok(is_in ? VERIFY_WRITE : VERIFY_READ,
1588 uurb->buffer, uurb->buffer_length)) {
1589 ret = -EFAULT;
1590 goto error;
1591 }
1592 as = alloc_async(number_of_packets);
1593 if (!as) {
1594 ret = -ENOMEM;
1595 goto error;
1596 }
1597
1598 as->usbm = find_memory_area(ps, uurb);
1599 if (IS_ERR(as->usbm)) {
1600 ret = PTR_ERR(as->usbm);
1601 as->usbm = NULL;
1602 goto error;
1603 }
1604
1605
1606
1607
1608 if (as->usbm)
1609 num_sgs = 0;
1610
1611 u += sizeof(struct async) + sizeof(struct urb) + uurb->buffer_length +
1612 num_sgs * sizeof(struct scatterlist);
1613 ret = usbfs_increase_memory_usage(u);
1614 if (ret)
1615 goto error;
1616 as->mem_usage = u;
1617
1618 if (num_sgs) {
1619 as->urb->sg = kmalloc(num_sgs * sizeof(struct scatterlist),
1620 GFP_KERNEL);
1621 if (!as->urb->sg) {
1622 ret = -ENOMEM;
1623 goto error;
1624 }
1625 as->urb->num_sgs = num_sgs;
1626 sg_init_table(as->urb->sg, as->urb->num_sgs);
1627
1628 totlen = uurb->buffer_length;
1629 for (i = 0; i < as->urb->num_sgs; i++) {
1630 u = (totlen > USB_SG_SIZE) ? USB_SG_SIZE : totlen;
1631 buf = kmalloc(u, GFP_KERNEL);
1632 if (!buf) {
1633 ret = -ENOMEM;
1634 goto error;
1635 }
1636 sg_set_buf(&as->urb->sg[i], buf, u);
1637
1638 if (!is_in) {
1639 if (copy_from_user(buf, uurb->buffer, u)) {
1640 ret = -EFAULT;
1641 goto error;
1642 }
1643 uurb->buffer += u;
1644 }
1645 totlen -= u;
1646 }
1647 } else if (uurb->buffer_length > 0) {
1648 if (as->usbm) {
1649 unsigned long uurb_start = (unsigned long)uurb->buffer;
1650
1651 as->urb->transfer_buffer = as->usbm->mem +
1652 (uurb_start - as->usbm->vm_start);
1653 } else {
1654 as->urb->transfer_buffer = kmalloc(uurb->buffer_length,
1655 GFP_KERNEL);
1656 if (!as->urb->transfer_buffer) {
1657 ret = -ENOMEM;
1658 goto error;
1659 }
1660 if (!is_in) {
1661 if (copy_from_user(as->urb->transfer_buffer,
1662 uurb->buffer,
1663 uurb->buffer_length)) {
1664 ret = -EFAULT;
1665 goto error;
1666 }
1667 } else if (uurb->type == USBDEVFS_URB_TYPE_ISO) {
1668
1669
1670
1671
1672
1673
1674 memset(as->urb->transfer_buffer, 0,
1675 uurb->buffer_length);
1676 }
1677 }
1678 }
1679 as->urb->dev = ps->dev;
1680 as->urb->pipe = (uurb->type << 30) |
1681 __create_pipe(ps->dev, uurb->endpoint & 0xf) |
1682 (uurb->endpoint & USB_DIR_IN);
1683
1684
1685
1686
1687
1688 u = (is_in ? URB_DIR_IN : URB_DIR_OUT);
1689 if (uurb->flags & USBDEVFS_URB_ISO_ASAP)
1690 u |= URB_ISO_ASAP;
1691 if (uurb->flags & USBDEVFS_URB_SHORT_NOT_OK && is_in)
1692 u |= URB_SHORT_NOT_OK;
1693 if (uurb->flags & USBDEVFS_URB_NO_FSBR)
1694 u |= URB_NO_FSBR;
1695 if (uurb->flags & USBDEVFS_URB_ZERO_PACKET)
1696 u |= URB_ZERO_PACKET;
1697 if (uurb->flags & USBDEVFS_URB_NO_INTERRUPT)
1698 u |= URB_NO_INTERRUPT;
1699 as->urb->transfer_flags = u;
1700
1701 as->urb->transfer_buffer_length = uurb->buffer_length;
1702 as->urb->setup_packet = (unsigned char *)dr;
1703 dr = NULL;
1704 as->urb->start_frame = uurb->start_frame;
1705 as->urb->number_of_packets = number_of_packets;
1706 as->urb->stream_id = stream_id;
1707
1708 if (ep->desc.bInterval) {
1709 if (uurb->type == USBDEVFS_URB_TYPE_ISO ||
1710 ps->dev->speed == USB_SPEED_HIGH ||
1711 ps->dev->speed >= USB_SPEED_SUPER)
1712 as->urb->interval = 1 <<
1713 min(15, ep->desc.bInterval - 1);
1714 else
1715 as->urb->interval = ep->desc.bInterval;
1716 }
1717
1718 as->urb->context = as;
1719 as->urb->complete = async_completed;
1720 for (totlen = u = 0; u < number_of_packets; u++) {
1721 as->urb->iso_frame_desc[u].offset = totlen;
1722 as->urb->iso_frame_desc[u].length = isopkt[u].length;
1723 totlen += isopkt[u].length;
1724 }
1725 kfree(isopkt);
1726 isopkt = NULL;
1727 as->ps = ps;
1728 as->userurb = arg;
1729 if (as->usbm) {
1730 unsigned long uurb_start = (unsigned long)uurb->buffer;
1731
1732 as->urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP;
1733 as->urb->transfer_dma = as->usbm->dma_handle +
1734 (uurb_start - as->usbm->vm_start);
1735 } else if (is_in && uurb->buffer_length > 0)
1736 as->userbuffer = uurb->buffer;
1737 as->signr = uurb->signr;
1738 as->ifnum = ifnum;
1739 as->pid = get_pid(task_pid(current));
1740 as->cred = get_current_cred();
1741 security_task_getsecid(current, &as->secid);
1742 snoop_urb(ps->dev, as->userurb, as->urb->pipe,
1743 as->urb->transfer_buffer_length, 0, SUBMIT,
1744 NULL, 0);
1745 if (!is_in)
1746 snoop_urb_data(as->urb, as->urb->transfer_buffer_length);
1747
1748 async_newpending(as);
1749
1750 if (usb_endpoint_xfer_bulk(&ep->desc)) {
1751 spin_lock_irq(&ps->lock);
1752
1753
1754
1755
1756
1757 as->bulk_addr = usb_endpoint_num(&ep->desc) |
1758 ((ep->desc.bEndpointAddress & USB_ENDPOINT_DIR_MASK)
1759 >> 3);
1760
1761
1762
1763
1764 if (uurb->flags & USBDEVFS_URB_BULK_CONTINUATION)
1765 as->bulk_status = AS_CONTINUATION;
1766 else
1767 ps->disabled_bulk_eps &= ~(1 << as->bulk_addr);
1768
1769
1770
1771
1772 if (ps->disabled_bulk_eps & (1 << as->bulk_addr))
1773 ret = -EREMOTEIO;
1774 else
1775 ret = usb_submit_urb(as->urb, GFP_ATOMIC);
1776 spin_unlock_irq(&ps->lock);
1777 } else {
1778 ret = usb_submit_urb(as->urb, GFP_KERNEL);
1779 }
1780
1781 if (ret) {
1782 dev_printk(KERN_DEBUG, &ps->dev->dev,
1783 "usbfs: usb_submit_urb returned %d\n", ret);
1784 snoop_urb(ps->dev, as->userurb, as->urb->pipe,
1785 0, ret, COMPLETE, NULL, 0);
1786 async_removepending(as);
1787 goto error;
1788 }
1789 return 0;
1790
1791 error:
1792 if (as && as->usbm)
1793 dec_usb_memory_use_count(as->usbm, &as->usbm->urb_use_count);
1794 kfree(isopkt);
1795 kfree(dr);
1796 if (as)
1797 free_async(as);
1798 return ret;
1799}
1800
1801static int proc_submiturb(struct usb_dev_state *ps, void __user *arg)
1802{
1803 struct usbdevfs_urb uurb;
1804
1805 if (copy_from_user(&uurb, arg, sizeof(uurb)))
1806 return -EFAULT;
1807
1808 return proc_do_submiturb(ps, &uurb,
1809 (((struct usbdevfs_urb __user *)arg)->iso_frame_desc),
1810 arg);
1811}
1812
1813static int proc_unlinkurb(struct usb_dev_state *ps, void __user *arg)
1814{
1815 struct urb *urb;
1816 struct async *as;
1817 unsigned long flags;
1818
1819 spin_lock_irqsave(&ps->lock, flags);
1820 as = async_getpending(ps, arg);
1821 if (!as) {
1822 spin_unlock_irqrestore(&ps->lock, flags);
1823 return -EINVAL;
1824 }
1825
1826 urb = as->urb;
1827 usb_get_urb(urb);
1828 spin_unlock_irqrestore(&ps->lock, flags);
1829
1830 usb_kill_urb(urb);
1831 usb_put_urb(urb);
1832
1833 return 0;
1834}
1835
1836static int processcompl(struct async *as, void __user * __user *arg)
1837{
1838 struct urb *urb = as->urb;
1839 struct usbdevfs_urb __user *userurb = as->userurb;
1840 void __user *addr = as->userurb;
1841 unsigned int i;
1842
1843 if (as->userbuffer && urb->actual_length) {
1844 if (copy_urb_data_to_user(as->userbuffer, urb))
1845 goto err_out;
1846 }
1847 if (put_user(as->status, &userurb->status))
1848 goto err_out;
1849 if (put_user(urb->actual_length, &userurb->actual_length))
1850 goto err_out;
1851 if (put_user(urb->error_count, &userurb->error_count))
1852 goto err_out;
1853
1854 if (usb_endpoint_xfer_isoc(&urb->ep->desc)) {
1855 for (i = 0; i < urb->number_of_packets; i++) {
1856 if (put_user(urb->iso_frame_desc[i].actual_length,
1857 &userurb->iso_frame_desc[i].actual_length))
1858 goto err_out;
1859 if (put_user(urb->iso_frame_desc[i].status,
1860 &userurb->iso_frame_desc[i].status))
1861 goto err_out;
1862 }
1863 }
1864
1865 if (put_user(addr, (void __user * __user *)arg))
1866 return -EFAULT;
1867 return 0;
1868
1869err_out:
1870 return -EFAULT;
1871}
1872
1873static struct async *reap_as(struct usb_dev_state *ps)
1874{
1875 DECLARE_WAITQUEUE(wait, current);
1876 struct async *as = NULL;
1877 struct usb_device *dev = ps->dev;
1878
1879 add_wait_queue(&ps->wait, &wait);
1880 for (;;) {
1881 __set_current_state(TASK_INTERRUPTIBLE);
1882 as = async_getcompleted(ps);
1883 if (as || !connected(ps))
1884 break;
1885 if (signal_pending(current))
1886 break;
1887 usb_unlock_device(dev);
1888 schedule();
1889 usb_lock_device(dev);
1890 }
1891 remove_wait_queue(&ps->wait, &wait);
1892 set_current_state(TASK_RUNNING);
1893 return as;
1894}
1895
1896static int proc_reapurb(struct usb_dev_state *ps, void __user *arg)
1897{
1898 struct async *as = reap_as(ps);
1899
1900 if (as) {
1901 int retval;
1902
1903 snoop(&ps->dev->dev, "reap %pK\n", as->userurb);
1904 retval = processcompl(as, (void __user * __user *)arg);
1905 free_async(as);
1906 return retval;
1907 }
1908 if (signal_pending(current))
1909 return -EINTR;
1910 return -ENODEV;
1911}
1912
1913static int proc_reapurbnonblock(struct usb_dev_state *ps, void __user *arg)
1914{
1915 int retval;
1916 struct async *as;
1917
1918 as = async_getcompleted(ps);
1919 if (as) {
1920 snoop(&ps->dev->dev, "reap %pK\n", as->userurb);
1921 retval = processcompl(as, (void __user * __user *)arg);
1922 free_async(as);
1923 } else {
1924 retval = (connected(ps) ? -EAGAIN : -ENODEV);
1925 }
1926 return retval;
1927}
1928
1929#ifdef CONFIG_COMPAT
1930static int proc_control_compat(struct usb_dev_state *ps,
1931 struct usbdevfs_ctrltransfer32 __user *p32)
1932{
1933 struct usbdevfs_ctrltransfer __user *p;
1934 __u32 udata;
1935 p = compat_alloc_user_space(sizeof(*p));
1936 if (copy_in_user(p, p32, (sizeof(*p32) - sizeof(compat_caddr_t))) ||
1937 get_user(udata, &p32->data) ||
1938 put_user(compat_ptr(udata), &p->data))
1939 return -EFAULT;
1940 return proc_control(ps, p);
1941}
1942
1943static int proc_bulk_compat(struct usb_dev_state *ps,
1944 struct usbdevfs_bulktransfer32 __user *p32)
1945{
1946 struct usbdevfs_bulktransfer __user *p;
1947 compat_uint_t n;
1948 compat_caddr_t addr;
1949
1950 p = compat_alloc_user_space(sizeof(*p));
1951
1952 if (get_user(n, &p32->ep) || put_user(n, &p->ep) ||
1953 get_user(n, &p32->len) || put_user(n, &p->len) ||
1954 get_user(n, &p32->timeout) || put_user(n, &p->timeout) ||
1955 get_user(addr, &p32->data) || put_user(compat_ptr(addr), &p->data))
1956 return -EFAULT;
1957
1958 return proc_bulk(ps, p);
1959}
1960static int proc_disconnectsignal_compat(struct usb_dev_state *ps, void __user *arg)
1961{
1962 struct usbdevfs_disconnectsignal32 ds;
1963
1964 if (copy_from_user(&ds, arg, sizeof(ds)))
1965 return -EFAULT;
1966 ps->discsignr = ds.signr;
1967 ps->disccontext = compat_ptr(ds.context);
1968 return 0;
1969}
1970
1971static int get_urb32(struct usbdevfs_urb *kurb,
1972 struct usbdevfs_urb32 __user *uurb)
1973{
1974 struct usbdevfs_urb32 urb32;
1975 if (copy_from_user(&urb32, uurb, sizeof(*uurb)))
1976 return -EFAULT;
1977 kurb->type = urb32.type;
1978 kurb->endpoint = urb32.endpoint;
1979 kurb->status = urb32.status;
1980 kurb->flags = urb32.flags;
1981 kurb->buffer = compat_ptr(urb32.buffer);
1982 kurb->buffer_length = urb32.buffer_length;
1983 kurb->actual_length = urb32.actual_length;
1984 kurb->start_frame = urb32.start_frame;
1985 kurb->number_of_packets = urb32.number_of_packets;
1986 kurb->error_count = urb32.error_count;
1987 kurb->signr = urb32.signr;
1988 kurb->usercontext = compat_ptr(urb32.usercontext);
1989 return 0;
1990}
1991
1992static int proc_submiturb_compat(struct usb_dev_state *ps, void __user *arg)
1993{
1994 struct usbdevfs_urb uurb;
1995
1996 if (get_urb32(&uurb, (struct usbdevfs_urb32 __user *)arg))
1997 return -EFAULT;
1998
1999 return proc_do_submiturb(ps, &uurb,
2000 ((struct usbdevfs_urb32 __user *)arg)->iso_frame_desc,
2001 arg);
2002}
2003
2004static int processcompl_compat(struct async *as, void __user * __user *arg)
2005{
2006 struct urb *urb = as->urb;
2007 struct usbdevfs_urb32 __user *userurb = as->userurb;
2008 void __user *addr = as->userurb;
2009 unsigned int i;
2010
2011 if (as->userbuffer && urb->actual_length) {
2012 if (copy_urb_data_to_user(as->userbuffer, urb))
2013 return -EFAULT;
2014 }
2015 if (put_user(as->status, &userurb->status))
2016 return -EFAULT;
2017 if (put_user(urb->actual_length, &userurb->actual_length))
2018 return -EFAULT;
2019 if (put_user(urb->error_count, &userurb->error_count))
2020 return -EFAULT;
2021
2022 if (usb_endpoint_xfer_isoc(&urb->ep->desc)) {
2023 for (i = 0; i < urb->number_of_packets; i++) {
2024 if (put_user(urb->iso_frame_desc[i].actual_length,
2025 &userurb->iso_frame_desc[i].actual_length))
2026 return -EFAULT;
2027 if (put_user(urb->iso_frame_desc[i].status,
2028 &userurb->iso_frame_desc[i].status))
2029 return -EFAULT;
2030 }
2031 }
2032
2033 if (put_user(ptr_to_compat(addr), (u32 __user *)arg))
2034 return -EFAULT;
2035 return 0;
2036}
2037
2038static int proc_reapurb_compat(struct usb_dev_state *ps, void __user *arg)
2039{
2040 struct async *as = reap_as(ps);
2041
2042 if (as) {
2043 int retval;
2044
2045 snoop(&ps->dev->dev, "reap %pK\n", as->userurb);
2046 retval = processcompl_compat(as, (void __user * __user *)arg);
2047 free_async(as);
2048 return retval;
2049 }
2050 if (signal_pending(current))
2051 return -EINTR;
2052 return -ENODEV;
2053}
2054
2055static int proc_reapurbnonblock_compat(struct usb_dev_state *ps, void __user *arg)
2056{
2057 int retval;
2058 struct async *as;
2059
2060 as = async_getcompleted(ps);
2061 if (as) {
2062 snoop(&ps->dev->dev, "reap %pK\n", as->userurb);
2063 retval = processcompl_compat(as, (void __user * __user *)arg);
2064 free_async(as);
2065 } else {
2066 retval = (connected(ps) ? -EAGAIN : -ENODEV);
2067 }
2068 return retval;
2069}
2070
2071
2072#endif
2073
2074static int proc_disconnectsignal(struct usb_dev_state *ps, void __user *arg)
2075{
2076 struct usbdevfs_disconnectsignal ds;
2077
2078 if (copy_from_user(&ds, arg, sizeof(ds)))
2079 return -EFAULT;
2080 ps->discsignr = ds.signr;
2081 ps->disccontext = ds.context;
2082 return 0;
2083}
2084
2085static int proc_claiminterface(struct usb_dev_state *ps, void __user *arg)
2086{
2087 unsigned int ifnum;
2088
2089 if (get_user(ifnum, (unsigned int __user *)arg))
2090 return -EFAULT;
2091 return claimintf(ps, ifnum);
2092}
2093
2094static int proc_releaseinterface(struct usb_dev_state *ps, void __user *arg)
2095{
2096 unsigned int ifnum;
2097 int ret;
2098
2099 if (get_user(ifnum, (unsigned int __user *)arg))
2100 return -EFAULT;
2101 ret = releaseintf(ps, ifnum);
2102 if (ret < 0)
2103 return ret;
2104 destroy_async_on_interface(ps, ifnum);
2105 return 0;
2106}
2107
2108static int proc_ioctl(struct usb_dev_state *ps, struct usbdevfs_ioctl *ctl)
2109{
2110 int size;
2111 void *buf = NULL;
2112 int retval = 0;
2113 struct usb_interface *intf = NULL;
2114 struct usb_driver *driver = NULL;
2115
2116 if (ps->privileges_dropped)
2117 return -EACCES;
2118
2119
2120 size = _IOC_SIZE(ctl->ioctl_code);
2121 if (size > 0) {
2122 buf = kmalloc(size, GFP_KERNEL);
2123 if (buf == NULL)
2124 return -ENOMEM;
2125 if ((_IOC_DIR(ctl->ioctl_code) & _IOC_WRITE)) {
2126 if (copy_from_user(buf, ctl->data, size)) {
2127 kfree(buf);
2128 return -EFAULT;
2129 }
2130 } else {
2131 memset(buf, 0, size);
2132 }
2133 }
2134
2135 if (!connected(ps)) {
2136 kfree(buf);
2137 return -ENODEV;
2138 }
2139
2140 if (ps->dev->state != USB_STATE_CONFIGURED)
2141 retval = -EHOSTUNREACH;
2142 else if (!(intf = usb_ifnum_to_if(ps->dev, ctl->ifno)))
2143 retval = -EINVAL;
2144 else switch (ctl->ioctl_code) {
2145
2146
2147 case USBDEVFS_DISCONNECT:
2148 if (intf->dev.driver) {
2149 driver = to_usb_driver(intf->dev.driver);
2150 dev_dbg(&intf->dev, "disconnect by usbfs\n");
2151 usb_driver_release_interface(driver, intf);
2152 } else
2153 retval = -ENODATA;
2154 break;
2155
2156
2157 case USBDEVFS_CONNECT:
2158 if (!intf->dev.driver)
2159 retval = device_attach(&intf->dev);
2160 else
2161 retval = -EBUSY;
2162 break;
2163
2164
2165 default:
2166 if (intf->dev.driver)
2167 driver = to_usb_driver(intf->dev.driver);
2168 if (driver == NULL || driver->unlocked_ioctl == NULL) {
2169 retval = -ENOTTY;
2170 } else {
2171 retval = driver->unlocked_ioctl(intf, ctl->ioctl_code, buf);
2172 if (retval == -ENOIOCTLCMD)
2173 retval = -ENOTTY;
2174 }
2175 }
2176
2177
2178 if (retval >= 0
2179 && (_IOC_DIR(ctl->ioctl_code) & _IOC_READ) != 0
2180 && size > 0
2181 && copy_to_user(ctl->data, buf, size) != 0)
2182 retval = -EFAULT;
2183
2184 kfree(buf);
2185 return retval;
2186}
2187
2188static int proc_ioctl_default(struct usb_dev_state *ps, void __user *arg)
2189{
2190 struct usbdevfs_ioctl ctrl;
2191
2192 if (copy_from_user(&ctrl, arg, sizeof(ctrl)))
2193 return -EFAULT;
2194 return proc_ioctl(ps, &ctrl);
2195}
2196
2197#ifdef CONFIG_COMPAT
2198static int proc_ioctl_compat(struct usb_dev_state *ps, compat_uptr_t arg)
2199{
2200 struct usbdevfs_ioctl32 ioc32;
2201 struct usbdevfs_ioctl ctrl;
2202
2203 if (copy_from_user(&ioc32, compat_ptr(arg), sizeof(ioc32)))
2204 return -EFAULT;
2205 ctrl.ifno = ioc32.ifno;
2206 ctrl.ioctl_code = ioc32.ioctl_code;
2207 ctrl.data = compat_ptr(ioc32.data);
2208 return proc_ioctl(ps, &ctrl);
2209}
2210#endif
2211
2212static int proc_claim_port(struct usb_dev_state *ps, void __user *arg)
2213{
2214 unsigned portnum;
2215 int rc;
2216
2217 if (get_user(portnum, (unsigned __user *) arg))
2218 return -EFAULT;
2219 rc = usb_hub_claim_port(ps->dev, portnum, ps);
2220 if (rc == 0)
2221 snoop(&ps->dev->dev, "port %d claimed by process %d: %s\n",
2222 portnum, task_pid_nr(current), current->comm);
2223 return rc;
2224}
2225
2226static int proc_release_port(struct usb_dev_state *ps, void __user *arg)
2227{
2228 unsigned portnum;
2229
2230 if (get_user(portnum, (unsigned __user *) arg))
2231 return -EFAULT;
2232 return usb_hub_release_port(ps->dev, portnum, ps);
2233}
2234
2235static int proc_get_capabilities(struct usb_dev_state *ps, void __user *arg)
2236{
2237 __u32 caps;
2238
2239 caps = USBDEVFS_CAP_ZERO_PACKET | USBDEVFS_CAP_NO_PACKET_SIZE_LIM |
2240 USBDEVFS_CAP_REAP_AFTER_DISCONNECT | USBDEVFS_CAP_MMAP |
2241 USBDEVFS_CAP_DROP_PRIVILEGES;
2242 if (!ps->dev->bus->no_stop_on_short)
2243 caps |= USBDEVFS_CAP_BULK_CONTINUATION;
2244 if (ps->dev->bus->sg_tablesize)
2245 caps |= USBDEVFS_CAP_BULK_SCATTER_GATHER;
2246
2247 if (put_user(caps, (__u32 __user *)arg))
2248 return -EFAULT;
2249
2250 return 0;
2251}
2252
2253static int proc_disconnect_claim(struct usb_dev_state *ps, void __user *arg)
2254{
2255 struct usbdevfs_disconnect_claim dc;
2256 struct usb_interface *intf;
2257
2258 if (copy_from_user(&dc, arg, sizeof(dc)))
2259 return -EFAULT;
2260
2261 intf = usb_ifnum_to_if(ps->dev, dc.interface);
2262 if (!intf)
2263 return -EINVAL;
2264
2265 if (intf->dev.driver) {
2266 struct usb_driver *driver = to_usb_driver(intf->dev.driver);
2267
2268 if (ps->privileges_dropped)
2269 return -EACCES;
2270
2271 if ((dc.flags & USBDEVFS_DISCONNECT_CLAIM_IF_DRIVER) &&
2272 strncmp(dc.driver, intf->dev.driver->name,
2273 sizeof(dc.driver)) != 0)
2274 return -EBUSY;
2275
2276 if ((dc.flags & USBDEVFS_DISCONNECT_CLAIM_EXCEPT_DRIVER) &&
2277 strncmp(dc.driver, intf->dev.driver->name,
2278 sizeof(dc.driver)) == 0)
2279 return -EBUSY;
2280
2281 dev_dbg(&intf->dev, "disconnect by usbfs\n");
2282 usb_driver_release_interface(driver, intf);
2283 }
2284
2285 return claimintf(ps, dc.interface);
2286}
2287
2288static int proc_alloc_streams(struct usb_dev_state *ps, void __user *arg)
2289{
2290 unsigned num_streams, num_eps;
2291 struct usb_host_endpoint **eps;
2292 struct usb_interface *intf;
2293 int r;
2294
2295 r = parse_usbdevfs_streams(ps, arg, &num_streams, &num_eps,
2296 &eps, &intf);
2297 if (r)
2298 return r;
2299
2300 destroy_async_on_interface(ps,
2301 intf->altsetting[0].desc.bInterfaceNumber);
2302
2303 r = usb_alloc_streams(intf, eps, num_eps, num_streams, GFP_KERNEL);
2304 kfree(eps);
2305 return r;
2306}
2307
2308static int proc_free_streams(struct usb_dev_state *ps, void __user *arg)
2309{
2310 unsigned num_eps;
2311 struct usb_host_endpoint **eps;
2312 struct usb_interface *intf;
2313 int r;
2314
2315 r = parse_usbdevfs_streams(ps, arg, NULL, &num_eps, &eps, &intf);
2316 if (r)
2317 return r;
2318
2319 destroy_async_on_interface(ps,
2320 intf->altsetting[0].desc.bInterfaceNumber);
2321
2322 r = usb_free_streams(intf, eps, num_eps, GFP_KERNEL);
2323 kfree(eps);
2324 return r;
2325}
2326
2327static int proc_drop_privileges(struct usb_dev_state *ps, void __user *arg)
2328{
2329 u32 data;
2330
2331 if (copy_from_user(&data, arg, sizeof(data)))
2332 return -EFAULT;
2333
2334
2335
2336
2337
2338 ps->interface_allowed_mask &= data;
2339 ps->privileges_dropped = true;
2340
2341 return 0;
2342}
2343
2344
2345
2346
2347
2348
2349static long usbdev_do_ioctl(struct file *file, unsigned int cmd,
2350 void __user *p)
2351{
2352 struct usb_dev_state *ps = file->private_data;
2353 struct inode *inode = file_inode(file);
2354 struct usb_device *dev = ps->dev;
2355 int ret = -ENOTTY;
2356
2357 if (!(file->f_mode & FMODE_WRITE))
2358 return -EPERM;
2359
2360 usb_lock_device(dev);
2361
2362
2363 switch (cmd) {
2364 case USBDEVFS_REAPURB:
2365 snoop(&dev->dev, "%s: REAPURB\n", __func__);
2366 ret = proc_reapurb(ps, p);
2367 goto done;
2368
2369 case USBDEVFS_REAPURBNDELAY:
2370 snoop(&dev->dev, "%s: REAPURBNDELAY\n", __func__);
2371 ret = proc_reapurbnonblock(ps, p);
2372 goto done;
2373
2374#ifdef CONFIG_COMPAT
2375 case USBDEVFS_REAPURB32:
2376 snoop(&dev->dev, "%s: REAPURB32\n", __func__);
2377 ret = proc_reapurb_compat(ps, p);
2378 goto done;
2379
2380 case USBDEVFS_REAPURBNDELAY32:
2381 snoop(&dev->dev, "%s: REAPURBNDELAY32\n", __func__);
2382 ret = proc_reapurbnonblock_compat(ps, p);
2383 goto done;
2384#endif
2385 }
2386
2387 if (!connected(ps)) {
2388 usb_unlock_device(dev);
2389 return -ENODEV;
2390 }
2391
2392 switch (cmd) {
2393 case USBDEVFS_CONTROL:
2394 snoop(&dev->dev, "%s: CONTROL\n", __func__);
2395 ret = proc_control(ps, p);
2396 if (ret >= 0)
2397 inode->i_mtime = current_time(inode);
2398 break;
2399
2400 case USBDEVFS_BULK:
2401 snoop(&dev->dev, "%s: BULK\n", __func__);
2402 ret = proc_bulk(ps, p);
2403 if (ret >= 0)
2404 inode->i_mtime = current_time(inode);
2405 break;
2406
2407 case USBDEVFS_RESETEP:
2408 snoop(&dev->dev, "%s: RESETEP\n", __func__);
2409 ret = proc_resetep(ps, p);
2410 if (ret >= 0)
2411 inode->i_mtime = current_time(inode);
2412 break;
2413
2414 case USBDEVFS_RESET:
2415 snoop(&dev->dev, "%s: RESET\n", __func__);
2416 ret = proc_resetdevice(ps);
2417 break;
2418
2419 case USBDEVFS_CLEAR_HALT:
2420 snoop(&dev->dev, "%s: CLEAR_HALT\n", __func__);
2421 ret = proc_clearhalt(ps, p);
2422 if (ret >= 0)
2423 inode->i_mtime = current_time(inode);
2424 break;
2425
2426 case USBDEVFS_GETDRIVER:
2427 snoop(&dev->dev, "%s: GETDRIVER\n", __func__);
2428 ret = proc_getdriver(ps, p);
2429 break;
2430
2431 case USBDEVFS_CONNECTINFO:
2432 snoop(&dev->dev, "%s: CONNECTINFO\n", __func__);
2433 ret = proc_connectinfo(ps, p);
2434 break;
2435
2436 case USBDEVFS_SETINTERFACE:
2437 snoop(&dev->dev, "%s: SETINTERFACE\n", __func__);
2438 ret = proc_setintf(ps, p);
2439 break;
2440
2441 case USBDEVFS_SETCONFIGURATION:
2442 snoop(&dev->dev, "%s: SETCONFIGURATION\n", __func__);
2443 ret = proc_setconfig(ps, p);
2444 break;
2445
2446 case USBDEVFS_SUBMITURB:
2447 snoop(&dev->dev, "%s: SUBMITURB\n", __func__);
2448 ret = proc_submiturb(ps, p);
2449 if (ret >= 0)
2450 inode->i_mtime = current_time(inode);
2451 break;
2452
2453#ifdef CONFIG_COMPAT
2454 case USBDEVFS_CONTROL32:
2455 snoop(&dev->dev, "%s: CONTROL32\n", __func__);
2456 ret = proc_control_compat(ps, p);
2457 if (ret >= 0)
2458 inode->i_mtime = current_time(inode);
2459 break;
2460
2461 case USBDEVFS_BULK32:
2462 snoop(&dev->dev, "%s: BULK32\n", __func__);
2463 ret = proc_bulk_compat(ps, p);
2464 if (ret >= 0)
2465 inode->i_mtime = current_time(inode);
2466 break;
2467
2468 case USBDEVFS_DISCSIGNAL32:
2469 snoop(&dev->dev, "%s: DISCSIGNAL32\n", __func__);
2470 ret = proc_disconnectsignal_compat(ps, p);
2471 break;
2472
2473 case USBDEVFS_SUBMITURB32:
2474 snoop(&dev->dev, "%s: SUBMITURB32\n", __func__);
2475 ret = proc_submiturb_compat(ps, p);
2476 if (ret >= 0)
2477 inode->i_mtime = current_time(inode);
2478 break;
2479
2480 case USBDEVFS_IOCTL32:
2481 snoop(&dev->dev, "%s: IOCTL32\n", __func__);
2482 ret = proc_ioctl_compat(ps, ptr_to_compat(p));
2483 break;
2484#endif
2485
2486 case USBDEVFS_DISCARDURB:
2487 snoop(&dev->dev, "%s: DISCARDURB %pK\n", __func__, p);
2488 ret = proc_unlinkurb(ps, p);
2489 break;
2490
2491 case USBDEVFS_DISCSIGNAL:
2492 snoop(&dev->dev, "%s: DISCSIGNAL\n", __func__);
2493 ret = proc_disconnectsignal(ps, p);
2494 break;
2495
2496 case USBDEVFS_CLAIMINTERFACE:
2497 snoop(&dev->dev, "%s: CLAIMINTERFACE\n", __func__);
2498 ret = proc_claiminterface(ps, p);
2499 break;
2500
2501 case USBDEVFS_RELEASEINTERFACE:
2502 snoop(&dev->dev, "%s: RELEASEINTERFACE\n", __func__);
2503 ret = proc_releaseinterface(ps, p);
2504 break;
2505
2506 case USBDEVFS_IOCTL:
2507 snoop(&dev->dev, "%s: IOCTL\n", __func__);
2508 ret = proc_ioctl_default(ps, p);
2509 break;
2510
2511 case USBDEVFS_CLAIM_PORT:
2512 snoop(&dev->dev, "%s: CLAIM_PORT\n", __func__);
2513 ret = proc_claim_port(ps, p);
2514 break;
2515
2516 case USBDEVFS_RELEASE_PORT:
2517 snoop(&dev->dev, "%s: RELEASE_PORT\n", __func__);
2518 ret = proc_release_port(ps, p);
2519 break;
2520 case USBDEVFS_GET_CAPABILITIES:
2521 ret = proc_get_capabilities(ps, p);
2522 break;
2523 case USBDEVFS_DISCONNECT_CLAIM:
2524 ret = proc_disconnect_claim(ps, p);
2525 break;
2526 case USBDEVFS_ALLOC_STREAMS:
2527 ret = proc_alloc_streams(ps, p);
2528 break;
2529 case USBDEVFS_FREE_STREAMS:
2530 ret = proc_free_streams(ps, p);
2531 break;
2532 case USBDEVFS_DROP_PRIVILEGES:
2533 ret = proc_drop_privileges(ps, p);
2534 break;
2535 case USBDEVFS_GET_SPEED:
2536 ret = ps->dev->speed;
2537 break;
2538 }
2539
2540 done:
2541 usb_unlock_device(dev);
2542 if (ret >= 0)
2543 inode->i_atime = current_time(inode);
2544 return ret;
2545}
2546
2547static long usbdev_ioctl(struct file *file, unsigned int cmd,
2548 unsigned long arg)
2549{
2550 int ret;
2551
2552 ret = usbdev_do_ioctl(file, cmd, (void __user *)arg);
2553
2554 return ret;
2555}
2556
2557#ifdef CONFIG_COMPAT
2558static long usbdev_compat_ioctl(struct file *file, unsigned int cmd,
2559 unsigned long arg)
2560{
2561 int ret;
2562
2563 ret = usbdev_do_ioctl(file, cmd, compat_ptr(arg));
2564
2565 return ret;
2566}
2567#endif
2568
2569
2570static unsigned int usbdev_poll(struct file *file,
2571 struct poll_table_struct *wait)
2572{
2573 struct usb_dev_state *ps = file->private_data;
2574 unsigned int mask = 0;
2575
2576 poll_wait(file, &ps->wait, wait);
2577 if (file->f_mode & FMODE_WRITE && !list_empty(&ps->async_completed))
2578 mask |= POLLOUT | POLLWRNORM;
2579 if (!connected(ps))
2580 mask |= POLLHUP;
2581 if (list_empty(&ps->list))
2582 mask |= POLLERR;
2583 return mask;
2584}
2585
2586const struct file_operations usbdev_file_operations = {
2587 .owner = THIS_MODULE,
2588 .llseek = no_seek_end_llseek,
2589 .read = usbdev_read,
2590 .poll = usbdev_poll,
2591 .unlocked_ioctl = usbdev_ioctl,
2592#ifdef CONFIG_COMPAT
2593 .compat_ioctl = usbdev_compat_ioctl,
2594#endif
2595 .mmap = usbdev_mmap,
2596 .open = usbdev_open,
2597 .release = usbdev_release,
2598};
2599
2600static void usbdev_remove(struct usb_device *udev)
2601{
2602 struct usb_dev_state *ps;
2603 struct siginfo sinfo;
2604
2605 while (!list_empty(&udev->filelist)) {
2606 ps = list_entry(udev->filelist.next, struct usb_dev_state, list);
2607 destroy_all_async(ps);
2608 wake_up_all(&ps->wait);
2609 list_del_init(&ps->list);
2610 if (ps->discsignr) {
2611 memset(&sinfo, 0, sizeof(sinfo));
2612 sinfo.si_signo = ps->discsignr;
2613 sinfo.si_errno = EPIPE;
2614 sinfo.si_code = SI_ASYNCIO;
2615 sinfo.si_addr = ps->disccontext;
2616 kill_pid_info_as_cred(ps->discsignr, &sinfo,
2617 ps->disc_pid, ps->cred, ps->secid);
2618 }
2619 }
2620}
2621
2622static int usbdev_notify(struct notifier_block *self,
2623 unsigned long action, void *dev)
2624{
2625 switch (action) {
2626 case USB_DEVICE_ADD:
2627 break;
2628 case USB_DEVICE_REMOVE:
2629 usbdev_remove(dev);
2630 break;
2631 }
2632 return NOTIFY_OK;
2633}
2634
2635static struct notifier_block usbdev_nb = {
2636 .notifier_call = usbdev_notify,
2637};
2638
2639static struct cdev usb_device_cdev;
2640
2641int __init usb_devio_init(void)
2642{
2643 int retval;
2644
2645 retval = register_chrdev_region(USB_DEVICE_DEV, USB_DEVICE_MAX,
2646 "usb_device");
2647 if (retval) {
2648 printk(KERN_ERR "Unable to register minors for usb_device\n");
2649 goto out;
2650 }
2651 cdev_init(&usb_device_cdev, &usbdev_file_operations);
2652 retval = cdev_add(&usb_device_cdev, USB_DEVICE_DEV, USB_DEVICE_MAX);
2653 if (retval) {
2654 printk(KERN_ERR "Unable to get usb_device major %d\n",
2655 USB_DEVICE_MAJOR);
2656 goto error_cdev;
2657 }
2658 usb_register_notify(&usbdev_nb);
2659out:
2660 return retval;
2661
2662error_cdev:
2663 unregister_chrdev_region(USB_DEVICE_DEV, USB_DEVICE_MAX);
2664 goto out;
2665}
2666
2667void usb_devio_cleanup(void)
2668{
2669 usb_unregister_notify(&usbdev_nb);
2670 cdev_del(&usb_device_cdev);
2671 unregister_chrdev_region(USB_DEVICE_DEV, USB_DEVICE_MAX);
2672}
2673