LXR linux/drivers/usb/core/devio.c

   1/*****************************************************************************/
   2
   3/*
   4 *      devio.c  --  User space communication with USB devices.
   5 *
   6 *      Copyright (C) 1999-2000  Thomas Sailer (sailer@ife.ee.ethz.ch)
   7 *
   8 *      This program is free software; you can redistribute it and/or modify
   9 *      it under the terms of the GNU General Public License as published by
  10 *      the Free Software Foundation; either version 2 of the License, or
  11 *      (at your option) any later version.
  12 *
  13 *      This program is distributed in the hope that it will be useful,
  14 *      but WITHOUT ANY WARRANTY; without even the implied warranty of
  15 *      MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16 *      GNU General Public License for more details.
  17 *
  18 *      You should have received a copy of the GNU General Public License
  19 *      along with this program; if not, write to the Free Software
  20 *      Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  21 *
  22 *  This file implements the usbfs/x/y files, where
  23 *  x is the bus number and y the device number.
  24 *
  25 *  It allows user space programs/"drivers" to communicate directly
  26 *  with USB devices without intervening kernel driver.
  27 *
  28 *  Revision history
  29 *    22.12.1999   0.1   Initial release (split from proc_usb.c)
  30 *    04.01.2000   0.2   Turned into its own filesystem
  31 *    30.09.2005   0.3   Fix user-triggerable oops in async URB delivery
  32 *                       (CAN-2005-3055)
  33 */
  34
  35/*****************************************************************************/
  36
  37#include <linux/fs.h>
  38#include <linux/mm.h>
  39#include <linux/sched/signal.h>
  40#include <linux/slab.h>
  41#include <linux/signal.h>
  42#include <linux/poll.h>
  43#include <linux/module.h>
  44#include <linux/string.h>
  45#include <linux/usb.h>
  46#include <linux/usbdevice_fs.h>
  47#include <linux/usb/hcd.h>      /* for usbcore internals */
  48#include <linux/cdev.h>
  49#include <linux/notifier.h>
  50#include <linux/security.h>
  51#include <linux/user_namespace.h>
  52#include <linux/scatterlist.h>
  53#include <linux/uaccess.h>
  54#include <linux/dma-mapping.h>
  55#include <asm/byteorder.h>
  56#include <linux/moduleparam.h>
  57
  58#include "usb.h"
  59
  60#define USB_MAXBUS                      64
  61#define USB_DEVICE_MAX                  (USB_MAXBUS * 128)
  62#define USB_SG_SIZE                     16384 /* split-size for large txs */
  63
  64/* Mutual exclusion for removal, open, and release */
  65DEFINE_MUTEX(usbfs_mutex);
  66
  67struct usb_dev_state {
  68        struct list_head list;      /* state list */
  69        struct usb_device *dev;
  70        struct file *file;
  71        spinlock_t lock;            /* protects the async urb lists */
  72        struct list_head async_pending;
  73        struct list_head async_completed;
  74        struct list_head memory_list;
  75        wait_queue_head_t wait;     /* wake up if a request completed */
  76        unsigned int discsignr;
  77        struct pid *disc_pid;
  78        const struct cred *cred;
  79        void __user *disccontext;
  80        unsigned long ifclaimed;
  81        u32 secid;
  82        u32 disabled_bulk_eps;
  83        bool privileges_dropped;
  84        unsigned long interface_allowed_mask;
  85};
  86
  87struct usb_memory {
  88        struct list_head memlist;
  89        int vma_use_count;
  90        int urb_use_count;
  91        u32 size;
  92        void *mem;
  93        dma_addr_t dma_handle;
  94        unsigned long vm_start;
  95        struct usb_dev_state *ps;
  96};
  97
  98struct async {
  99        struct list_head asynclist;
 100        struct usb_dev_state *ps;
 101        struct pid *pid;
 102        const struct cred *cred;
 103        unsigned int signr;
 104        unsigned int ifnum;
 105        void __user *userbuffer;
 106        void __user *userurb;
 107        struct urb *urb;
 108        struct usb_memory *usbm;
 109        unsigned int mem_usage;
 110        int status;
 111        u32 secid;
 112        u8 bulk_addr;
 113        u8 bulk_status;
 114};
 115
 116static bool usbfs_snoop;
 117module_param(usbfs_snoop, bool, S_IRUGO | S_IWUSR);
 118MODULE_PARM_DESC(usbfs_snoop, "true to log all usbfs traffic");
 119
 120static unsigned usbfs_snoop_max = 65536;
 121module_param(usbfs_snoop_max, uint, S_IRUGO | S_IWUSR);
 122MODULE_PARM_DESC(usbfs_snoop_max,
 123                "maximum number of bytes to print while snooping");
 124
 125#define snoop(dev, format, arg...)                              \
 126        do {                                                    \
 127                if (usbfs_snoop)                                \
 128                        dev_info(dev, format, ## arg);          \
 129        } while (0)
 130
 131enum snoop_when {
 132        SUBMIT, COMPLETE
 133};
 134
 135#define USB_DEVICE_DEV          MKDEV(USB_DEVICE_MAJOR, 0)
 136
 137/* Limit on the total amount of memory we can allocate for transfers */
 138static u32 usbfs_memory_mb = 16;
 139module_param(usbfs_memory_mb, uint, 0644);
 140MODULE_PARM_DESC(usbfs_memory_mb,
 141                "maximum MB allowed for usbfs buffers (0 = no limit)");
 142
 143/* Hard limit, necessary to avoid arithmetic overflow */
 144#define USBFS_XFER_MAX         (UINT_MAX / 2 - 1000000)
 145
 146static atomic64_t usbfs_memory_usage;   /* Total memory currently allocated */
 147
 148/* Check whether it's okay to allocate more memory for a transfer */
 149static int usbfs_increase_memory_usage(u64 amount)
 150{
 151        u64 lim;
 152
 153        lim = ACCESS_ONCE(usbfs_memory_mb);
 154        lim <<= 20;
 155
 156        atomic64_add(amount, &usbfs_memory_usage);
 157
 158        if (lim > 0 && atomic64_read(&usbfs_memory_usage) > lim) {
 159                atomic64_sub(amount, &usbfs_memory_usage);
 160                return -ENOMEM;
 161        }
 162
 163        return 0;
 164}
 165
 166/* Memory for a transfer is being deallocated */
 167static void usbfs_decrease_memory_usage(u64 amount)
 168{
 169        atomic64_sub(amount, &usbfs_memory_usage);
 170}
 171
 172static int connected(struct usb_dev_state *ps)
 173{
 174        return (!list_empty(&ps->list) &&
 175                        ps->dev->state != USB_STATE_NOTATTACHED);
 176}
 177
 178static void dec_usb_memory_use_count(struct usb_memory *usbm, int *count)
 179{
 180        struct usb_dev_state *ps = usbm->ps;
 181        unsigned long flags;
 182
 183        spin_lock_irqsave(&ps->lock, flags);
 184        --*count;
 185        if (usbm->urb_use_count == 0 && usbm->vma_use_count == 0) {
 186                list_del(&usbm->memlist);
 187                spin_unlock_irqrestore(&ps->lock, flags);
 188
 189                usb_free_coherent(ps->dev, usbm->size, usbm->mem,
 190                                usbm->dma_handle);
 191                usbfs_decrease_memory_usage(
 192                        usbm->size + sizeof(struct usb_memory));
 193                kfree(usbm);
 194        } else {
 195                spin_unlock_irqrestore(&ps->lock, flags);
 196        }
 197}
 198
 199static void usbdev_vm_open(struct vm_area_struct *vma)
 200{
 201        struct usb_memory *usbm = vma->vm_private_data;
 202        unsigned long flags;
 203
 204        spin_lock_irqsave(&usbm->ps->lock, flags);
 205        ++usbm->vma_use_count;
 206        spin_unlock_irqrestore(&usbm->ps->lock, flags);
 207}
 208
 209static void usbdev_vm_close(struct vm_area_struct *vma)
 210{
 211        struct usb_memory *usbm = vma->vm_private_data;
 212
 213        dec_usb_memory_use_count(usbm, &usbm->vma_use_count);
 214}
 215
 216static const struct vm_operations_struct usbdev_vm_ops = {
 217        .open = usbdev_vm_open,
 218        .close = usbdev_vm_close
 219};
 220
 221static int usbdev_mmap(struct file *file, struct vm_area_struct *vma)
 222{
 223        struct usb_memory *usbm = NULL;
 224        struct usb_dev_state *ps = file->private_data;
 225        size_t size = vma->vm_end - vma->vm_start;
 226        void *mem;
 227        unsigned long flags;
 228        dma_addr_t dma_handle;
 229        int ret;
 230
 231        ret = usbfs_increase_memory_usage(size + sizeof(struct usb_memory));
 232        if (ret)
 233                goto error;
 234
 235        usbm = kzalloc(sizeof(struct usb_memory), GFP_KERNEL);
 236        if (!usbm) {
 237                ret = -ENOMEM;
 238                goto error_decrease_mem;
 239        }
 240
 241        mem = usb_alloc_coherent(ps->dev, size, GFP_USER | __GFP_NOWARN,
 242                        &dma_handle);
 243        if (!mem) {
 244                ret = -ENOMEM;
 245                goto error_free_usbm;
 246        }
 247
 248        memset(mem, 0, size);
 249
 250        usbm->mem = mem;
 251        usbm->dma_handle = dma_handle;
 252        usbm->size = size;
 253        usbm->ps = ps;
 254        usbm->vm_start = vma->vm_start;
 255        usbm->vma_use_count = 1;
 256        INIT_LIST_HEAD(&usbm->memlist);
 257
 258        if (remap_pfn_range(vma, vma->vm_start,
 259                        virt_to_phys(usbm->mem) >> PAGE_SHIFT,
 260                        size, vma->vm_page_prot) < 0) {
 261                dec_usb_memory_use_count(usbm, &usbm->vma_use_count);
 262                return -EAGAIN;
 263        }
 264
 265        vma->vm_flags |= VM_IO;
 266        vma->vm_flags |= (VM_DONTEXPAND | VM_DONTDUMP);
 267        vma->vm_ops = &usbdev_vm_ops;
 268        vma->vm_private_data = usbm;
 269
 270        spin_lock_irqsave(&ps->lock, flags);
 271        list_add_tail(&usbm->memlist, &ps->memory_list);
 272        spin_unlock_irqrestore(&ps->lock, flags);
 273
 274        return 0;
 275
 276error_free_usbm:
 277        kfree(usbm);
 278error_decrease_mem:
 279        usbfs_decrease_memory_usage(size + sizeof(struct usb_memory));
 280error:
 281        return ret;
 282}
 283
 284static ssize_t usbdev_read(struct file *file, char __user *buf, size_t nbytes,
 285                           loff_t *ppos)
 286{
 287        struct usb_dev_state *ps = file->private_data;
 288        struct usb_device *dev = ps->dev;
 289        ssize_t ret = 0;
 290        unsigned len;
 291        loff_t pos;
 292        int i;
 293
 294        pos = *ppos;
 295        usb_lock_device(dev);
 296        if (!connected(ps)) {
 297                ret = -ENODEV;
 298                goto err;
 299        } else if (pos < 0) {
 300                ret = -EINVAL;
 301                goto err;
 302        }
 303
 304        if (pos < sizeof(struct usb_device_descriptor)) {
 305                /* 18 bytes - fits on the stack */
 306                struct usb_device_descriptor temp_desc;
 307
 308                memcpy(&temp_desc, &dev->descriptor, sizeof(dev->descriptor));
 309                le16_to_cpus(&temp_desc.bcdUSB);
 310                le16_to_cpus(&temp_desc.idVendor);
 311                le16_to_cpus(&temp_desc.idProduct);
 312                le16_to_cpus(&temp_desc.bcdDevice);
 313
 314                len = sizeof(struct usb_device_descriptor) - pos;
 315                if (len > nbytes)
 316                        len = nbytes;
 317                if (copy_to_user(buf, ((char *)&temp_desc) + pos, len)) {
 318                        ret = -EFAULT;
 319                        goto err;
 320                }
 321
 322                *ppos += len;
 323                buf += len;
 324                nbytes -= len;
 325                ret += len;
 326        }
 327
 328        pos = sizeof(struct usb_device_descriptor);
 329        for (i = 0; nbytes && i < dev->descriptor.bNumConfigurations; i++) {
 330                struct usb_config_descriptor *config =
 331                        (struct usb_config_descriptor *)dev->rawdescriptors[i];
 332                unsigned int length = le16_to_cpu(config->wTotalLength);
 333
 334                if (*ppos < pos + length) {
 335
 336                        /* The descriptor may claim to be longer than it
 337                         * really is.  Here is the actual allocated length. */
 338                        unsigned alloclen =
 339                                le16_to_cpu(dev->config[i].desc.wTotalLength);
 340
 341                        len = length - (*ppos - pos);
 342                        if (len > nbytes)
 343                                len = nbytes;
 344
 345                        /* Simply don't write (skip over) unallocated parts */
 346                        if (alloclen > (*ppos - pos)) {
 347                                alloclen -= (*ppos - pos);
 348                                if (copy_to_user(buf,
 349                                    dev->rawdescriptors[i] + (*ppos - pos),
 350                                    min(len, alloclen))) {
 351                                        ret = -EFAULT;
 352                                        goto err;
 353                                }
 354                        }
 355
 356                        *ppos += len;
 357                        buf += len;
 358                        nbytes -= len;
 359                        ret += len;
 360                }
 361
 362                pos += length;
 363        }
 364
 365err:
 366        usb_unlock_device(dev);
 367        return ret;
 368}
 369
 370/*
 371 * async list handling
 372 */
 373
 374static struct async *alloc_async(unsigned int numisoframes)
 375{
 376        struct async *as;
 377
 378        as = kzalloc(sizeof(struct async), GFP_KERNEL);
 379        if (!as)
 380                return NULL;
 381        as->urb = usb_alloc_urb(numisoframes, GFP_KERNEL);
 382        if (!as->urb) {
 383                kfree(as);
 384                return NULL;
 385        }
 386        return as;
 387}
 388
 389static void free_async(struct async *as)
 390{
 391        int i;
 392
 393        put_pid(as->pid);
 394        if (as->cred)
 395                put_cred(as->cred);
 396        for (i = 0; i < as->urb->num_sgs; i++) {
 397                if (sg_page(&as->urb->sg[i]))
 398                        kfree(sg_virt(&as->urb->sg[i]));
 399        }
 400
 401        kfree(as->urb->sg);
 402        if (as->usbm == NULL)
 403                kfree(as->urb->transfer_buffer);
 404        else
 405                dec_usb_memory_use_count(as->usbm, &as->usbm->urb_use_count);
 406
 407        kfree(as->urb->setup_packet);
 408        usb_free_urb(as->urb);
 409        usbfs_decrease_memory_usage(as->mem_usage);
 410        kfree(as);
 411}
 412
 413static void async_newpending(struct async *as)
 414{
 415        struct usb_dev_state *ps = as->ps;
 416        unsigned long flags;
 417
 418        spin_lock_irqsave(&ps->lock, flags);
 419        list_add_tail(&as->asynclist, &ps->async_pending);
 420        spin_unlock_irqrestore(&ps->lock, flags);
 421}
 422
 423static void async_removepending(struct async *as)
 424{
 425        struct usb_dev_state *ps = as->ps;
 426        unsigned long flags;
 427
 428        spin_lock_irqsave(&ps->lock, flags);
 429        list_del_init(&as->asynclist);
 430        spin_unlock_irqrestore(&ps->lock, flags);
 431}
 432
 433static struct async *async_getcompleted(struct usb_dev_state *ps)
 434{
 435        unsigned long flags;
 436        struct async *as = NULL;
 437
 438        spin_lock_irqsave(&ps->lock, flags);
 439        if (!list_empty(&ps->async_completed)) {
 440                as = list_entry(ps->async_completed.next, struct async,
 441                                asynclist);
 442                list_del_init(&as->asynclist);
 443        }
 444        spin_unlock_irqrestore(&ps->lock, flags);
 445        return as;
 446}
 447
 448static struct async *async_getpending(struct usb_dev_state *ps,
 449                                             void __user *userurb)
 450{
 451        struct async *as;
 452
 453        list_for_each_entry(as, &ps->async_pending, asynclist)
 454                if (as->userurb == userurb) {
 455                        list_del_init(&as->asynclist);
 456                        return as;
 457                }
 458
 459        return NULL;
 460}
 461
 462static void snoop_urb(struct usb_device *udev,
 463                void __user *userurb, int pipe, unsigned length,
 464                int timeout_or_status, enum snoop_when when,
 465                unsigned char *data, unsigned data_len)
 466{
 467        static const char *types[] = {"isoc", "int", "ctrl", "bulk"};
 468        static const char *dirs[] = {"out", "in"};
 469        int ep;
 470        const char *t, *d;
 471
 472        if (!usbfs_snoop)
 473                return;
 474
 475        ep = usb_pipeendpoint(pipe);
 476        t = types[usb_pipetype(pipe)];
 477        d = dirs[!!usb_pipein(pipe)];
 478
 479        if (userurb) {          /* Async */
 480                if (when == SUBMIT)
 481                        dev_info(&udev->dev, "userurb %pK, ep%d %s-%s, "
 482                                        "length %u\n",
 483                                        userurb, ep, t, d, length);
 484                else
 485                        dev_info(&udev->dev, "userurb %pK, ep%d %s-%s, "
 486                                        "actual_length %u status %d\n",
 487                                        userurb, ep, t, d, length,
 488                                        timeout_or_status);
 489        } else {
 490                if (when == SUBMIT)
 491                        dev_info(&udev->dev, "ep%d %s-%s, length %u, "
 492                                        "timeout %d\n",
 493                                        ep, t, d, length, timeout_or_status);
 494                else
 495                        dev_info(&udev->dev, "ep%d %s-%s, actual_length %u, "
 496                                        "status %d\n",
 497                                        ep, t, d, length, timeout_or_status);
 498        }
 499
 500        data_len = min(data_len, usbfs_snoop_max);
 501        if (data && data_len > 0) {
 502                print_hex_dump(KERN_DEBUG, "data: ", DUMP_PREFIX_NONE, 32, 1,
 503                        data, data_len, 1);
 504        }
 505}
 506
 507static void snoop_urb_data(struct urb *urb, unsigned len)
 508{
 509        int i, size;
 510
 511        len = min(len, usbfs_snoop_max);
 512        if (!usbfs_snoop || len == 0)
 513                return;
 514
 515        if (urb->num_sgs == 0) {
 516                print_hex_dump(KERN_DEBUG, "data: ", DUMP_PREFIX_NONE, 32, 1,
 517                        urb->transfer_buffer, len, 1);
 518                return;
 519        }
 520
 521        for (i = 0; i < urb->num_sgs && len; i++) {
 522                size = (len > USB_SG_SIZE) ? USB_SG_SIZE : len;
 523                print_hex_dump(KERN_DEBUG, "data: ", DUMP_PREFIX_NONE, 32, 1,
 524                        sg_virt(&urb->sg[i]), size, 1);
 525                len -= size;
 526        }
 527}
 528
 529static int copy_urb_data_to_user(u8 __user *userbuffer, struct urb *urb)
 530{
 531        unsigned i, len, size;
 532
 533        if (urb->number_of_packets > 0)         /* Isochronous */
 534                len = urb->transfer_buffer_length;
 535        else                                    /* Non-Isoc */
 536                len = urb->actual_length;
 537
 538        if (urb->num_sgs == 0) {
 539                if (copy_to_user(userbuffer, urb->transfer_buffer, len))
 540                        return -EFAULT;
 541                return 0;
 542        }
 543
 544        for (i = 0; i < urb->num_sgs && len; i++) {
 545                size = (len > USB_SG_SIZE) ? USB_SG_SIZE : len;
 546                if (copy_to_user(userbuffer, sg_virt(&urb->sg[i]), size))
 547                        return -EFAULT;
 548                userbuffer += size;
 549                len -= size;
 550        }
 551
 552        return 0;
 553}
 554
 555#define AS_CONTINUATION 1
 556#define AS_UNLINK       2
 557
 558static void cancel_bulk_urbs(struct usb_dev_state *ps, unsigned bulk_addr)
 559__releases(ps->lock)
 560__acquires(ps->lock)
 561{
 562        struct urb *urb;
 563        struct async *as;
 564
 565        /* Mark all the pending URBs that match bulk_addr, up to but not
 566         * including the first one without AS_CONTINUATION.  If such an
 567         * URB is encountered then a new transfer has already started so
 568         * the endpoint doesn't need to be disabled; otherwise it does.
 569         */
 570        list_for_each_entry(as, &ps->async_pending, asynclist) {
 571                if (as->bulk_addr == bulk_addr) {
 572                        if (as->bulk_status != AS_CONTINUATION)
 573                                goto rescan;
 574                        as->bulk_status = AS_UNLINK;
 575                        as->bulk_addr = 0;
 576                }
 577        }
 578        ps->disabled_bulk_eps |= (1 << bulk_addr);
 579
 580        /* Now carefully unlink all the marked pending URBs */
 581 rescan:
 582        list_for_each_entry(as, &ps->async_pending, asynclist) {
 583                if (as->bulk_status == AS_UNLINK) {
 584                        as->bulk_status = 0;            /* Only once */
 585                        urb = as->urb;
 586                        usb_get_urb(urb);
 587                        spin_unlock(&ps->lock);         /* Allow completions */
 588                        usb_unlink_urb(urb);
 589                        usb_put_urb(urb);
 590                        spin_lock(&ps->lock);
 591                        goto rescan;
 592                }
 593        }
 594}
 595
 596static void async_completed(struct urb *urb)
 597{
 598        struct async *as = urb->context;
 599        struct usb_dev_state *ps = as->ps;
 600        struct siginfo sinfo;
 601        struct pid *pid = NULL;
 602        u32 secid = 0;
 603        const struct cred *cred = NULL;
 604        int signr;
 605
 606        spin_lock(&ps->lock);
 607        list_move_tail(&as->asynclist, &ps->async_completed);
 608        as->status = urb->status;
 609        signr = as->signr;
 610        if (signr) {
 611                memset(&sinfo, 0, sizeof(sinfo));
 612                sinfo.si_signo = as->signr;
 613                sinfo.si_errno = as->status;
 614                sinfo.si_code = SI_ASYNCIO;
 615                sinfo.si_addr = as->userurb;
 616                pid = get_pid(as->pid);
 617                cred = get_cred(as->cred);
 618                secid = as->secid;
 619        }
 620        snoop(&urb->dev->dev, "urb complete\n");
 621        snoop_urb(urb->dev, as->userurb, urb->pipe, urb->actual_length,
 622                        as->status, COMPLETE, NULL, 0);
 623        if ((urb->transfer_flags & URB_DIR_MASK) == URB_DIR_IN)
 624                snoop_urb_data(urb, urb->actual_length);
 625
 626        if (as->status < 0 && as->bulk_addr && as->status != -ECONNRESET &&
 627                        as->status != -ENOENT)
 628                cancel_bulk_urbs(ps, as->bulk_addr);
 629
 630        wake_up(&ps->wait);
 631        spin_unlock(&ps->lock);
 632
 633        if (signr) {
 634                kill_pid_info_as_cred(sinfo.si_signo, &sinfo, pid, cred, secid);
 635                put_pid(pid);
 636                put_cred(cred);
 637        }
 638}
 639
 640static void destroy_async(struct usb_dev_state *ps, struct list_head *list)
 641{
 642        struct urb *urb;
 643        struct async *as;
 644        unsigned long flags;
 645
 646        spin_lock_irqsave(&ps->lock, flags);
 647        while (!list_empty(list)) {
 648                as = list_entry(list->next, struct async, asynclist);
 649                list_del_init(&as->asynclist);
 650                urb = as->urb;
 651                usb_get_urb(urb);
 652
 653                /* drop the spinlock so the completion handler can run */
 654                spin_unlock_irqrestore(&ps->lock, flags);
 655                usb_kill_urb(urb);
 656                usb_put_urb(urb);
 657                spin_lock_irqsave(&ps->lock, flags);
 658        }
 659        spin_unlock_irqrestore(&ps->lock, flags);
 660}
 661
 662static void destroy_async_on_interface(struct usb_dev_state *ps,
 663                                       unsigned int ifnum)
 664{
 665        struct list_head *p, *q, hitlist;
 666        unsigned long flags;
 667
 668        INIT_LIST_HEAD(&hitlist);
 669        spin_lock_irqsave(&ps->lock, flags);
 670        list_for_each_safe(p, q, &ps->async_pending)
 671                if (ifnum == list_entry(p, struct async, asynclist)->ifnum)
 672                        list_move_tail(p, &hitlist);
 673        spin_unlock_irqrestore(&ps->lock, flags);
 674        destroy_async(ps, &hitlist);
 675}
 676
 677static void destroy_all_async(struct usb_dev_state *ps)
 678{
 679        destroy_async(ps, &ps->async_pending);
 680}
 681
 682/*
 683 * interface claims are made only at the request of user level code,
 684 * which can also release them (explicitly or by closing files).
 685 * they're also undone when devices disconnect.
 686 */
 687
 688static int driver_probe(struct usb_interface *intf,
 689                        const struct usb_device_id *id)
 690{
 691        return -ENODEV;
 692}
 693
 694static void driver_disconnect(struct usb_interface *intf)
 695{
 696        struct usb_dev_state *ps = usb_get_intfdata(intf);
 697        unsigned int ifnum = intf->altsetting->desc.bInterfaceNumber;
 698
 699        if (!ps)
 700                return;
 701
 702        /* NOTE:  this relies on usbcore having canceled and completed
 703         * all pending I/O requests; 2.6 does that.
 704         */
 705
 706        if (likely(ifnum < 8*sizeof(ps->ifclaimed)))
 707                clear_bit(ifnum, &ps->ifclaimed);
 708        else
 709                dev_warn(&intf->dev, "interface number %u out of range\n",
 710                         ifnum);
 711
 712        usb_set_intfdata(intf, NULL);
 713
 714        /* force async requests to complete */
 715        destroy_async_on_interface(ps, ifnum);
 716}
 717
 718/* The following routines are merely placeholders.  There is no way
 719 * to inform a user task about suspend or resumes.
 720 */
 721static int driver_suspend(struct usb_interface *intf, pm_message_t msg)
 722{
 723        return 0;
 724}
 725
 726static int driver_resume(struct usb_interface *intf)
 727{
 728        return 0;
 729}
 730
 731struct usb_driver usbfs_driver = {
 732        .name =         "usbfs",
 733        .probe =        driver_probe,
 734        .disconnect =   driver_disconnect,
 735        .suspend =      driver_suspend,
 736        .resume =       driver_resume,
 737};
 738
 739static int claimintf(struct usb_dev_state *ps, unsigned int ifnum)
 740{
 741        struct usb_device *dev = ps->dev;
 742        struct usb_interface *intf;
 743        int err;
 744
 745        if (ifnum >= 8*sizeof(ps->ifclaimed))
 746                return -EINVAL;
 747        /* already claimed */
 748        if (test_bit(ifnum, &ps->ifclaimed))
 749                return 0;
 750
 751        if (ps->privileges_dropped &&
 752                        !test_bit(ifnum, &ps->interface_allowed_mask))
 753                return -EACCES;
 754
 755        intf = usb_ifnum_to_if(dev, ifnum);
 756        if (!intf)
 757                err = -ENOENT;
 758        else
 759                err = usb_driver_claim_interface(&usbfs_driver, intf, ps);
 760        if (err == 0)
 761                set_bit(ifnum, &ps->ifclaimed);
 762        return err;
 763}
 764
 765static int releaseintf(struct usb_dev_state *ps, unsigned int ifnum)
 766{
 767        struct usb_device *dev;
 768        struct usb_interface *intf;
 769        int err;
 770
 771        err = -EINVAL;
 772        if (ifnum >= 8*sizeof(ps->ifclaimed))
 773                return err;
 774        dev = ps->dev;
 775        intf = usb_ifnum_to_if(dev, ifnum);
 776        if (!intf)
 777                err = -ENOENT;
 778        else if (test_and_clear_bit(ifnum, &ps->ifclaimed)) {
 779                usb_driver_release_interface(&usbfs_driver, intf);
 780                err = 0;
 781        }
 782        return err;
 783}
 784
 785static int checkintf(struct usb_dev_state *ps, unsigned int ifnum)
 786{
 787        if (ps->dev->state != USB_STATE_CONFIGURED)
 788                return -EHOSTUNREACH;
 789        if (ifnum >= 8*sizeof(ps->ifclaimed))
 790                return -EINVAL;
 791        if (test_bit(ifnum, &ps->ifclaimed))
 792                return 0;
 793        /* if not yet claimed, claim it for the driver */
 794        dev_warn(&ps->dev->dev, "usbfs: process %d (%s) did not claim "
 795                 "interface %u before use\n", task_pid_nr(current),
 796                 current->comm, ifnum);
 797        return claimintf(ps, ifnum);
 798}
 799
 800static int findintfep(struct usb_device *dev, unsigned int ep)
 801{
 802        unsigned int i, j, e;
 803        struct usb_interface *intf;
 804        struct usb_host_interface *alts;
 805        struct usb_endpoint_descriptor *endpt;
 806
 807        if (ep & ~(USB_DIR_IN|0xf))
 808                return -EINVAL;
 809        if (!dev->actconfig)
 810                return -ESRCH;
 811        for (i = 0; i < dev->actconfig->desc.bNumInterfaces; i++) {
 812                intf = dev->actconfig->interface[i];
 813                for (j = 0; j < intf->num_altsetting; j++) {
 814                        alts = &intf->altsetting[j];
 815                        for (e = 0; e < alts->desc.bNumEndpoints; e++) {
 816                                endpt = &alts->endpoint[e].desc;
 817                                if (endpt->bEndpointAddress == ep)
 818                                        return alts->desc.bInterfaceNumber;
 819                        }
 820                }
 821        }
 822        return -ENOENT;
 823}
 824
 825static int check_ctrlrecip(struct usb_dev_state *ps, unsigned int requesttype,
 826                           unsigned int request, unsigned int index)
 827{
 828        int ret = 0;
 829        struct usb_host_interface *alt_setting;
 830
 831        if (ps->dev->state != USB_STATE_UNAUTHENTICATED
 832         && ps->dev->state != USB_STATE_ADDRESS
 833         && ps->dev->state != USB_STATE_CONFIGURED)
 834                return -EHOSTUNREACH;
 835        if (USB_TYPE_VENDOR == (USB_TYPE_MASK & requesttype))
 836                return 0;
 837
 838        /*
 839         * check for the special corner case 'get_device_id' in the printer
 840         * class specification, which we always want to allow as it is used
 841         * to query things like ink level, etc.
 842         */
 843        if (requesttype == 0xa1 && request == 0) {
 844                alt_setting = usb_find_alt_setting(ps->dev->actconfig,
 845                                                   index >> 8, index & 0xff);
 846                if (alt_setting
 847                 && alt_setting->desc.bInterfaceClass == USB_CLASS_PRINTER)
 848                        return 0;
 849        }
 850
 851        index &= 0xff;
 852        switch (requesttype & USB_RECIP_MASK) {
 853        case USB_RECIP_ENDPOINT:
 854                if ((index & ~USB_DIR_IN) == 0)
 855                        return 0;
 856                ret = findintfep(ps->dev, index);
 857                if (ret < 0) {
 858                        /*
 859                         * Some not fully compliant Win apps seem to get
 860                         * index wrong and have the endpoint number here
 861                         * rather than the endpoint address (with the
 862                         * correct direction). Win does let this through,
 863                         * so we'll not reject it here but leave it to
 864                         * the device to not break KVM. But we warn.
 865                         */
 866                        ret = findintfep(ps->dev, index ^ 0x80);
 867                        if (ret >= 0)
 868                                dev_info(&ps->dev->dev,
 869                                        "%s: process %i (%s) requesting ep %02x but needs %02x\n",
 870                                        __func__, task_pid_nr(current),
 871                                        current->comm, index, index ^ 0x80);
 872                }
 873                if (ret >= 0)
 874                        ret = checkintf(ps, ret);
 875                break;
 876
 877        case USB_RECIP_INTERFACE:
 878                ret = checkintf(ps, index);
 879                break;
 880        }
 881        return ret;
 882}
 883
 884static struct usb_host_endpoint *ep_to_host_endpoint(struct usb_device *dev,
 885                                                     unsigned char ep)
 886{
 887        if (ep & USB_ENDPOINT_DIR_MASK)
 888                return dev->ep_in[ep & USB_ENDPOINT_NUMBER_MASK];
 889        else
 890                return dev->ep_out[ep & USB_ENDPOINT_NUMBER_MASK];
 891}
 892
 893static int parse_usbdevfs_streams(struct usb_dev_state *ps,
 894                                  struct usbdevfs_streams __user *streams,
 895                                  unsigned int *num_streams_ret,
 896                                  unsigned int *num_eps_ret,
 897                                  struct usb_host_endpoint ***eps_ret,
 898                                  struct usb_interface **intf_ret)
 899{
 900        unsigned int i, num_streams, num_eps;
 901        struct usb_host_endpoint **eps;
 902        struct usb_interface *intf = NULL;
 903        unsigned char ep;
 904        int ifnum, ret;
 905
 906        if (get_user(num_streams, &streams->num_streams) ||
 907            get_user(num_eps, &streams->num_eps))
 908                return -EFAULT;
 909
 910        if (num_eps < 1 || num_eps > USB_MAXENDPOINTS)
 911                return -EINVAL;
 912
 913        /* The XHCI controller allows max 2 ^ 16 streams */
 914        if (num_streams_ret && (num_streams < 2 || num_streams > 65536))
 915                return -EINVAL;
 916
 917        eps = kmalloc(num_eps * sizeof(*eps), GFP_KERNEL);
 918        if (!eps)
 919                return -ENOMEM;
 920
 921        for (i = 0; i < num_eps; i++) {
 922                if (get_user(ep, &streams->eps[i])) {
 923                        ret = -EFAULT;
 924                        goto error;
 925                }
 926                eps[i] = ep_to_host_endpoint(ps->dev, ep);
 927                if (!eps[i]) {
 928                        ret = -EINVAL;
 929                        goto error;
 930                }
 931
 932                /* usb_alloc/free_streams operate on an usb_interface */
 933                ifnum = findintfep(ps->dev, ep);
 934                if (ifnum < 0) {
 935                        ret = ifnum;
 936                        goto error;
 937                }
 938
 939                if (i == 0) {
 940                        ret = checkintf(ps, ifnum);
 941                        if (ret < 0)
 942                                goto error;
 943                        intf = usb_ifnum_to_if(ps->dev, ifnum);
 944                } else {
 945                        /* Verify all eps belong to the same interface */
 946                        if (ifnum != intf->altsetting->desc.bInterfaceNumber) {
 947                                ret = -EINVAL;
 948                                goto error;
 949                        }
 950                }
 951        }
 952
 953        if (num_streams_ret)
 954                *num_streams_ret = num_streams;
 955        *num_eps_ret = num_eps;
 956        *eps_ret = eps;
 957        *intf_ret = intf;
 958
 959        return 0;
 960
 961error:
 962        kfree(eps);
 963        return ret;
 964}
 965
 966static int match_devt(struct device *dev, void *data)
 967{
 968        return dev->devt == (dev_t) (unsigned long) data;
 969}
 970
 971static struct usb_device *usbdev_lookup_by_devt(dev_t devt)
 972{
 973        struct device *dev;
 974
 975        dev = bus_find_device(&usb_bus_type, NULL,
 976                              (void *) (unsigned long) devt, match_devt);
 977        if (!dev)
 978                return NULL;
 979        return to_usb_device(dev);
 980}
 981
 982/*
 983 * file operations
 984 */
 985static int usbdev_open(struct inode *inode, struct file *file)
 986{
 987        struct usb_device *dev = NULL;
 988        struct usb_dev_state *ps;
 989        int ret;
 990
 991        ret = -ENOMEM;
 992        ps = kzalloc(sizeof(struct usb_dev_state), GFP_KERNEL);
 993        if (!ps)
 994                goto out_free_ps;
 995
 996        ret = -ENODEV;
 997
 998        /* Protect against simultaneous removal or release */
 999        mutex_lock(&usbfs_mutex);
1000

1001        /* usbdev device-node */
1002        if (imajor(inode) == USB_DEVICE_MAJOR)
1003                dev = usbdev_lookup_by_devt(inode->i_rdev);
1004
1005        mutex_unlock(&usbfs_mutex);
1006
1007        if (!dev)
1008                goto out_free_ps;
1009
1010        usb_lock_device(dev);
1011        if (dev->state == USB_STATE_NOTATTACHED)
1012                goto out_unlock_device;
1013
1014        ret = usb_autoresume_device(dev);
1015        if (ret)
1016                goto out_unlock_device;
1017
1018        ps->dev = dev;
1019        ps->file = file;
1020        ps->interface_allowed_mask = 0xFFFFFFFF; /* 32 bits */
1021        spin_lock_init(&ps->lock);
1022        INIT_LIST_HEAD(&ps->list);
1023        INIT_LIST_HEAD(&ps->async_pending);
1024        INIT_LIST_HEAD(&ps->async_completed);
1025        INIT_LIST_HEAD(&ps->memory_list);
1026        init_waitqueue_head(&ps->wait);
1027        ps->disc_pid = get_pid(task_pid(current));
1028        ps->cred = get_current_cred();
1029        security_task_getsecid(current, &ps->secid);
1030        smp_wmb();
1031        list_add_tail(&ps->list, &dev->filelist);
1032        file->private_data = ps;
1033        usb_unlock_device(dev);
1034        snoop(&dev->dev, "opened by process %d: %s\n", task_pid_nr(current),
1035                        current->comm);
1036        return ret;
1037
1038 out_unlock_device:
1039        usb_unlock_device(dev);
1040        usb_put_dev(dev);
1041 out_free_ps:
1042        kfree(ps);
1043        return ret;
1044}
1045
1046static int usbdev_release(struct inode *inode, struct file *file)
1047{
1048        struct usb_dev_state *ps = file->private_data;
1049        struct usb_device *dev = ps->dev;
1050        unsigned int ifnum;
1051        struct async *as;
1052
1053        usb_lock_device(dev);
1054        usb_hub_release_all_ports(dev, ps);
1055
1056        list_del_init(&ps->list);
1057
1058        for (ifnum = 0; ps->ifclaimed && ifnum < 8*sizeof(ps->ifclaimed);
1059                        ifnum++) {
1060                if (test_bit(ifnum, &ps->ifclaimed))
1061                        releaseintf(ps, ifnum);
1062        }
1063        destroy_all_async(ps);
1064        usb_autosuspend_device(dev);
1065        usb_unlock_device(dev);
1066        usb_put_dev(dev);
1067        put_pid(ps->disc_pid);
1068        put_cred(ps->cred);
1069
1070        as = async_getcompleted(ps);
1071        while (as) {
1072                free_async(as);
1073                as = async_getcompleted(ps);
1074        }
1075
1076        kfree(ps);
1077        return 0;
1078}
1079
1080static int proc_control(struct usb_dev_state *ps, void __user *arg)
1081{
1082        struct usb_device *dev = ps->dev;
1083        struct usbdevfs_ctrltransfer ctrl;
1084        unsigned int tmo;
1085        unsigned char *tbuf;
1086        unsigned wLength;
1087        int i, pipe, ret;
1088
1089        if (copy_from_user(&ctrl, arg, sizeof(ctrl)))
1090                return -EFAULT;
1091        ret = check_ctrlrecip(ps, ctrl.bRequestType, ctrl.bRequest,
1092                              ctrl.wIndex);
1093        if (ret)
1094                return ret;
1095        wLength = ctrl.wLength;         /* To suppress 64k PAGE_SIZE warning */
1096        if (wLength > PAGE_SIZE)
1097                return -EINVAL;
1098        ret = usbfs_increase_memory_usage(PAGE_SIZE + sizeof(struct urb) +
1099                        sizeof(struct usb_ctrlrequest));
1100        if (ret)
1101                return ret;
1102        tbuf = (unsigned char *)__get_free_page(GFP_KERNEL);
1103        if (!tbuf) {
1104                ret = -ENOMEM;
1105                goto done;
1106        }
1107        tmo = ctrl.timeout;
1108        snoop(&dev->dev, "control urb: bRequestType=%02x "
1109                "bRequest=%02x wValue=%04x "
1110                "wIndex=%04x wLength=%04x\n",
1111                ctrl.bRequestType, ctrl.bRequest, ctrl.wValue,
1112                ctrl.wIndex, ctrl.wLength);
1113        if (ctrl.bRequestType & 0x80) {
1114                if (ctrl.wLength && !access_ok(VERIFY_WRITE, ctrl.data,
1115                                               ctrl.wLength)) {
1116                        ret = -EINVAL;
1117                        goto done;
1118                }
1119                pipe = usb_rcvctrlpipe(dev, 0);
1120                snoop_urb(dev, NULL, pipe, ctrl.wLength, tmo, SUBMIT, NULL, 0);
1121
1122                usb_unlock_device(dev);
1123                i = usb_control_msg(dev, pipe, ctrl.bRequest,
1124                                    ctrl.bRequestType, ctrl.wValue, ctrl.wIndex,
1125                                    tbuf, ctrl.wLength, tmo);
1126                usb_lock_device(dev);
1127                snoop_urb(dev, NULL, pipe, max(i, 0), min(i, 0), COMPLETE,
1128                          tbuf, max(i, 0));
1129                if ((i > 0) && ctrl.wLength) {
1130                        if (copy_to_user(ctrl.data, tbuf, i)) {
1131                                ret = -EFAULT;
1132                                goto done;
1133                        }
1134                }
1135        } else {
1136                if (ctrl.wLength) {
1137                        if (copy_from_user(tbuf, ctrl.data, ctrl.wLength)) {
1138                                ret = -EFAULT;
1139                                goto done;
1140                        }
1141                }
1142                pipe = usb_sndctrlpipe(dev, 0);
1143                snoop_urb(dev, NULL, pipe, ctrl.wLength, tmo, SUBMIT,
1144                        tbuf, ctrl.wLength);
1145
1146                usb_unlock_device(dev);
1147                i = usb_control_msg(dev, usb_sndctrlpipe(dev, 0), ctrl.bRequest,
1148                                    ctrl.bRequestType, ctrl.wValue, ctrl.wIndex,
1149                                    tbuf, ctrl.wLength, tmo);
1150                usb_lock_device(dev);
1151                snoop_urb(dev, NULL, pipe, max(i, 0), min(i, 0), COMPLETE, NULL, 0);
1152        }
1153        if (i < 0 && i != -EPIPE) {
1154                dev_printk(KERN_DEBUG, &dev->dev, "usbfs: USBDEVFS_CONTROL "
1155                           "failed cmd %s rqt %u rq %u len %u ret %d\n",
1156                           current->comm, ctrl.bRequestType, ctrl.bRequest,
1157                           ctrl.wLength, i);
1158        }
1159        ret = i;
1160 done:
1161        free_page((unsigned long) tbuf);
1162        usbfs_decrease_memory_usage(PAGE_SIZE + sizeof(struct urb) +
1163                        sizeof(struct usb_ctrlrequest));
1164        return ret;
1165}
1166
1167static int proc_bulk(struct usb_dev_state *ps, void __user *arg)
1168{
1169        struct usb_device *dev = ps->dev;
1170        struct usbdevfs_bulktransfer bulk;
1171        unsigned int tmo, len1, pipe;
1172        int len2;
1173        unsigned char *tbuf;
1174        int i, ret;
1175
1176        if (copy_from_user(&bulk, arg, sizeof(bulk)))
1177                return -EFAULT;
1178        ret = findintfep(ps->dev, bulk.ep);
1179        if (ret < 0)
1180                return ret;
1181        ret = checkintf(ps, ret);
1182        if (ret)
1183                return ret;
1184        if (bulk.ep & USB_DIR_IN)
1185                pipe = usb_rcvbulkpipe(dev, bulk.ep & 0x7f);
1186        else
1187                pipe = usb_sndbulkpipe(dev, bulk.ep & 0x7f);
1188        if (!usb_maxpacket(dev, pipe, !(bulk.ep & USB_DIR_IN)))
1189                return -EINVAL;
1190        len1 = bulk.len;
1191        if (len1 >= (INT_MAX - sizeof(struct urb)))
1192                return -EINVAL;
1193        ret = usbfs_increase_memory_usage(len1 + sizeof(struct urb));
1194        if (ret)
1195                return ret;
1196        tbuf = kmalloc(len1, GFP_KERNEL);
1197        if (!tbuf) {
1198                ret = -ENOMEM;
1199                goto done;
1200        }
1201        tmo = bulk.timeout;
1202        if (bulk.ep & 0x80) {
1203                if (len1 && !access_ok(VERIFY_WRITE, bulk.data, len1)) {
1204                        ret = -EINVAL;
1205                        goto done;
1206                }
1207                snoop_urb(dev, NULL, pipe, len1, tmo, SUBMIT, NULL, 0);
1208
1209                usb_unlock_device(dev);
1210                i = usb_bulk_msg(dev, pipe, tbuf, len1, &len2, tmo);
1211                usb_lock_device(dev);
1212                snoop_urb(dev, NULL, pipe, len2, i, COMPLETE, tbuf, len2);
1213
1214                if (!i && len2) {
1215                        if (copy_to_user(bulk.data, tbuf, len2)) {
1216                                ret = -EFAULT;
1217                                goto done;
1218                        }
1219                }
1220        } else {
1221                if (len1) {
1222                        if (copy_from_user(tbuf, bulk.data, len1)) {
1223                                ret = -EFAULT;
1224                                goto done;
1225                        }
1226                }
1227                snoop_urb(dev, NULL, pipe, len1, tmo, SUBMIT, tbuf, len1);
1228
1229                usb_unlock_device(dev);
1230                i = usb_bulk_msg(dev, pipe, tbuf, len1, &len2, tmo);
1231                usb_lock_device(dev);
1232                snoop_urb(dev, NULL, pipe, len2, i, COMPLETE, NULL, 0);
1233        }
1234        ret = (i < 0 ? i : len2);
1235 done:
1236        kfree(tbuf);
1237        usbfs_decrease_memory_usage(len1 + sizeof(struct urb));
1238        return ret;
1239}
1240
1241static void check_reset_of_active_ep(struct usb_device *udev,
1242                unsigned int epnum, char *ioctl_name)
1243{
1244        struct usb_host_endpoint **eps;
1245        struct usb_host_endpoint *ep;
1246
1247        eps = (epnum & USB_DIR_IN) ? udev->ep_in : udev->ep_out;
1248        ep = eps[epnum & 0x0f];
1249        if (ep && !list_empty(&ep->urb_list))
1250                dev_warn(&udev->dev, "Process %d (%s) called USBDEVFS_%s for active endpoint 0x%02x\n",
1251                                task_pid_nr(current), current->comm,
1252                                ioctl_name, epnum);
1253}
1254
1255static int proc_resetep(struct usb_dev_state *ps, void __user *arg)
1256{
1257        unsigned int ep;
1258        int ret;
1259
1260        if (get_user(ep, (unsigned int __user *)arg))
1261                return -EFAULT;
1262        ret = findintfep(ps->dev, ep);
1263        if (ret < 0)
1264                return ret;
1265        ret = checkintf(ps, ret);
1266        if (ret)
1267                return ret;
1268        check_reset_of_active_ep(ps->dev, ep, "RESETEP");
1269        usb_reset_endpoint(ps->dev, ep);
1270        return 0;
1271}
1272
1273static int proc_clearhalt(struct usb_dev_state *ps, void __user *arg)
1274{
1275        unsigned int ep;
1276        int pipe;
1277        int ret;
1278
1279        if (get_user(ep, (unsigned int __user *)arg))
1280                return -EFAULT;
1281        ret = findintfep(ps->dev, ep);
1282        if (ret < 0)
1283                return ret;
1284        ret = checkintf(ps, ret);
1285        if (ret)
1286                return ret;
1287        check_reset_of_active_ep(ps->dev, ep, "CLEAR_HALT");
1288        if (ep & USB_DIR_IN)
1289                pipe = usb_rcvbulkpipe(ps->dev, ep & 0x7f);
1290        else
1291                pipe = usb_sndbulkpipe(ps->dev, ep & 0x7f);
1292
1293        return usb_clear_halt(ps->dev, pipe);
1294}
1295
1296static int proc_getdriver(struct usb_dev_state *ps, void __user *arg)
1297{
1298        struct usbdevfs_getdriver gd;
1299        struct usb_interface *intf;
1300        int ret;
1301
1302        if (copy_from_user(&gd, arg, sizeof(gd)))
1303                return -EFAULT;
1304        intf = usb_ifnum_to_if(ps->dev, gd.interface);
1305        if (!intf || !intf->dev.driver)
1306                ret = -ENODATA;
1307        else {
1308                strlcpy(gd.driver, intf->dev.driver->name,
1309                                sizeof(gd.driver));
1310                ret = (copy_to_user(arg, &gd, sizeof(gd)) ? -EFAULT : 0);
1311        }
1312        return ret;
1313}
1314
1315static int proc_connectinfo(struct usb_dev_state *ps, void __user *arg)
1316{
1317        struct usbdevfs_connectinfo ci;
1318
1319        memset(&ci, 0, sizeof(ci));
1320        ci.devnum = ps->dev->devnum;
1321        ci.slow = ps->dev->speed == USB_SPEED_LOW;
1322
1323        if (copy_to_user(arg, &ci, sizeof(ci)))
1324                return -EFAULT;
1325        return 0;
1326}
1327
1328static int proc_resetdevice(struct usb_dev_state *ps)
1329{
1330        struct usb_host_config *actconfig = ps->dev->actconfig;
1331        struct usb_interface *interface;
1332        int i, number;
1333
1334        /* Don't allow a device reset if the process has dropped the
1335         * privilege to do such things and any of the interfaces are
1336         * currently claimed.
1337         */
1338        if (ps->privileges_dropped && actconfig) {
1339                for (i = 0; i < actconfig->desc.bNumInterfaces; ++i) {
1340                        interface = actconfig->interface[i];
1341                        number = interface->cur_altsetting->desc.bInterfaceNumber;
1342                        if (usb_interface_claimed(interface) &&
1343                                        !test_bit(number, &ps->ifclaimed)) {
1344                                dev_warn(&ps->dev->dev,
1345                                        "usbfs: interface %d claimed by %s while '%s' resets device\n",
1346                                        number, interface->dev.driver->name, current->comm);
1347                                return -EACCES;
1348                        }
1349                }
1350        }
1351
1352        return usb_reset_device(ps->dev);
1353}
1354
1355static int proc_setintf(struct usb_dev_state *ps, void __user *arg)
1356{
1357        struct usbdevfs_setinterface setintf;
1358        int ret;
1359
1360        if (copy_from_user(&setintf, arg, sizeof(setintf)))
1361                return -EFAULT;
1362        ret = checkintf(ps, setintf.interface);
1363        if (ret)
1364                return ret;
1365
1366        destroy_async_on_interface(ps, setintf.interface);
1367
1368        return usb_set_interface(ps->dev, setintf.interface,
1369                        setintf.altsetting);
1370}
1371
1372static int proc_setconfig(struct usb_dev_state *ps, void __user *arg)
1373{
1374        int u;
1375        int status = 0;
1376        struct usb_host_config *actconfig;
1377
1378        if (get_user(u, (int __user *)arg))
1379                return -EFAULT;
1380
1381        actconfig = ps->dev->actconfig;
1382
1383        /* Don't touch the device if any interfaces are claimed.
1384         * It could interfere with other drivers' operations, and if
1385         * an interface is claimed by usbfs it could easily deadlock.
1386         */
1387        if (actconfig) {
1388                int i;
1389
1390                for (i = 0; i < actconfig->desc.bNumInterfaces; ++i) {
1391                        if (usb_interface_claimed(actconfig->interface[i])) {
1392                                dev_warn(&ps->dev->dev,
1393                                        "usbfs: interface %d claimed by %s "
1394                                        "while '%s' sets config #%d\n",
1395                                        actconfig->interface[i]
1396                                                ->cur_altsetting
1397                                                ->desc.bInterfaceNumber,
1398                                        actconfig->interface[i]
1399                                                ->dev.driver->name,
1400                                        current->comm, u);
1401                                status = -EBUSY;
1402                                break;
1403                        }
1404                }
1405        }
1406
1407        /* SET_CONFIGURATION is often abused as a "cheap" driver reset,
1408         * so avoid usb_set_configuration()'s kick to sysfs
1409         */
1410        if (status == 0) {
1411                if (actconfig && actconfig->desc.bConfigurationValue == u)
1412                        status = usb_reset_configuration(ps->dev);
1413                else
1414                        status = usb_set_configuration(ps->dev, u);
1415        }
1416
1417        return status;
1418}
1419
1420static struct usb_memory *
1421find_memory_area(struct usb_dev_state *ps, const struct usbdevfs_urb *uurb)
1422{
1423        struct usb_memory *usbm = NULL, *iter;
1424        unsigned long flags;
1425        unsigned long uurb_start = (unsigned long)uurb->buffer;
1426
1427        spin_lock_irqsave(&ps->lock, flags);
1428        list_for_each_entry(iter, &ps->memory_list, memlist) {
1429                if (uurb_start >= iter->vm_start &&
1430                                uurb_start < iter->vm_start + iter->size) {
1431                        if (uurb->buffer_length > iter->vm_start + iter->size -
1432                                        uurb_start) {
1433                                usbm = ERR_PTR(-EINVAL);
1434                        } else {
1435                                usbm = iter;
1436                                usbm->urb_use_count++;
1437                        }
1438                        break;
1439                }
1440        }
1441        spin_unlock_irqrestore(&ps->lock, flags);
1442        return usbm;
1443}
1444
1445static int proc_do_submiturb(struct usb_dev_state *ps, struct usbdevfs_urb *uurb,
1446                        struct usbdevfs_iso_packet_desc __user *iso_frame_desc,
1447                        void __user *arg)
1448{
1449        struct usbdevfs_iso_packet_desc *isopkt = NULL;
1450        struct usb_host_endpoint *ep;
1451        struct async *as = NULL;
1452        struct usb_ctrlrequest *dr = NULL;
1453        unsigned int u, totlen, isofrmlen;
1454        int i, ret, is_in, num_sgs = 0, ifnum = -1;
1455        int number_of_packets = 0;
1456        unsigned int stream_id = 0;
1457        void *buf;
1458
1459        if (uurb->flags & ~(USBDEVFS_URB_ISO_ASAP |
1460                                USBDEVFS_URB_SHORT_NOT_OK |
1461                                USBDEVFS_URB_BULK_CONTINUATION |
1462                                USBDEVFS_URB_NO_FSBR |
1463                                USBDEVFS_URB_ZERO_PACKET |
1464                                USBDEVFS_URB_NO_INTERRUPT))
1465                return -EINVAL;
1466        if ((unsigned int)uurb->buffer_length >= USBFS_XFER_MAX)
1467                return -EINVAL;
1468        if (uurb->buffer_length > 0 && !uurb->buffer)
1469                return -EINVAL;
1470        if (!(uurb->type == USBDEVFS_URB_TYPE_CONTROL &&
1471            (uurb->endpoint & ~USB_ENDPOINT_DIR_MASK) == 0)) {
1472                ifnum = findintfep(ps->dev, uurb->endpoint);
1473                if (ifnum < 0)
1474                        return ifnum;
1475                ret = checkintf(ps, ifnum);
1476                if (ret)
1477                        return ret;
1478        }
1479        ep = ep_to_host_endpoint(ps->dev, uurb->endpoint);
1480        if (!ep)
1481                return -ENOENT;
1482        is_in = (uurb->endpoint & USB_ENDPOINT_DIR_MASK) != 0;
1483
1484        u = 0;
1485        switch (uurb->type) {
1486        case USBDEVFS_URB_TYPE_CONTROL:
1487                if (!usb_endpoint_xfer_control(&ep->desc))
1488                        return -EINVAL;
1489                /* min 8 byte setup packet */
1490                if (uurb->buffer_length < 8)
1491                        return -EINVAL;
1492                dr = kmalloc(sizeof(struct usb_ctrlrequest), GFP_KERNEL);
1493                if (!dr)
1494                        return -ENOMEM;
1495                if (copy_from_user(dr, uurb->buffer, 8)) {
1496                        ret = -EFAULT;
1497                        goto error;
1498                }
1499                if (uurb->buffer_length < (le16_to_cpup(&dr->wLength) + 8)) {
1500                        ret = -EINVAL;
1501                        goto error;
1502                }
1503                ret = check_ctrlrecip(ps, dr->bRequestType, dr->bRequest,
1504                                      le16_to_cpup(&dr->wIndex));
1505                if (ret)
1506                        goto error;
1507                uurb->buffer_length = le16_to_cpup(&dr->wLength);
1508                uurb->buffer += 8;
1509                if ((dr->bRequestType & USB_DIR_IN) && uurb->buffer_length) {
1510                        is_in = 1;
1511                        uurb->endpoint |= USB_DIR_IN;
1512                } else {
1513                        is_in = 0;
1514                        uurb->endpoint &= ~USB_DIR_IN;
1515                }
1516                snoop(&ps->dev->dev, "control urb: bRequestType=%02x "
1517                        "bRequest=%02x wValue=%04x "
1518                        "wIndex=%04x wLength=%04x\n",
1519                        dr->bRequestType, dr->bRequest,
1520                        __le16_to_cpup(&dr->wValue),
1521                        __le16_to_cpup(&dr->wIndex),
1522                        __le16_to_cpup(&dr->wLength));
1523                u = sizeof(struct usb_ctrlrequest);
1524                break;
1525
1526        case USBDEVFS_URB_TYPE_BULK:
1527                switch (usb_endpoint_type(&ep->desc)) {
1528                case USB_ENDPOINT_XFER_CONTROL:
1529                case USB_ENDPOINT_XFER_ISOC:
1530                        return -EINVAL;
1531                case USB_ENDPOINT_XFER_INT:
1532                        /* allow single-shot interrupt transfers */
1533                        uurb->type = USBDEVFS_URB_TYPE_INTERRUPT;
1534                        goto interrupt_urb;
1535                }
1536                num_sgs = DIV_ROUND_UP(uurb->buffer_length, USB_SG_SIZE);
1537                if (num_sgs == 1 || num_sgs > ps->dev->bus->sg_tablesize)
1538                        num_sgs = 0;
1539                if (ep->streams)
1540                        stream_id = uurb->stream_id;
1541                break;
1542
1543        case USBDEVFS_URB_TYPE_INTERRUPT:
1544                if (!usb_endpoint_xfer_int(&ep->desc))
1545                        return -EINVAL;
1546 interrupt_urb:
1547                break;
1548
1549        case USBDEVFS_URB_TYPE_ISO:
1550                /* arbitrary limit */
1551                if (uurb->number_of_packets < 1 ||
1552                    uurb->number_of_packets > 128)
1553                        return -EINVAL;
1554                if (!usb_endpoint_xfer_isoc(&ep->desc))
1555                        return -EINVAL;
1556                number_of_packets = uurb->number_of_packets;
1557                isofrmlen = sizeof(struct usbdevfs_iso_packet_desc) *
1558                                   number_of_packets;
1559                isopkt = memdup_user(iso_frame_desc, isofrmlen);
1560                if (IS_ERR(isopkt)) {
1561                        ret = PTR_ERR(isopkt);
1562                        isopkt = NULL;
1563                        goto error;
1564                }
1565                for (totlen = u = 0; u < number_of_packets; u++) {
1566                        /*
1567                         * arbitrary limit need for USB 3.0
1568                         * bMaxBurst (0~15 allowed, 1~16 packets)
1569                         * bmAttributes (bit 1:0, mult 0~2, 1~3 packets)
1570                         * sizemax: 1024 * 16 * 3 = 49152
1571                         */
1572                        if (isopkt[u].length > 49152) {
1573                                ret = -EINVAL;
1574                                goto error;
1575                        }
1576                        totlen += isopkt[u].length;
1577                }
1578                u *= sizeof(struct usb_iso_packet_descriptor);
1579                uurb->buffer_length = totlen;
1580                break;
1581
1582        default:
1583                return -EINVAL;
1584        }
1585
1586        if (uurb->buffer_length > 0 &&
1587                        !access_ok(is_in ? VERIFY_WRITE : VERIFY_READ,
1588                                uurb->buffer, uurb->buffer_length)) {
1589                ret = -EFAULT;
1590                goto error;
1591        }
1592        as = alloc_async(number_of_packets);
1593        if (!as) {
1594                ret = -ENOMEM;
1595                goto error;
1596        }
1597
1598        as->usbm = find_memory_area(ps, uurb);
1599        if (IS_ERR(as->usbm)) {
1600                ret = PTR_ERR(as->usbm);
1601                as->usbm = NULL;
1602                goto error;
1603        }
1604
1605        /* do not use SG buffers when memory mapped segments
1606         * are in use
1607         */
1608        if (as->usbm)
1609                num_sgs = 0;
1610
1611        u += sizeof(struct async) + sizeof(struct urb) + uurb->buffer_length +
1612             num_sgs * sizeof(struct scatterlist);
1613        ret = usbfs_increase_memory_usage(u);
1614        if (ret)
1615                goto error;
1616        as->mem_usage = u;
1617
1618        if (num_sgs) {
1619                as->urb->sg = kmalloc(num_sgs * sizeof(struct scatterlist),
1620                                      GFP_KERNEL);
1621                if (!as->urb->sg) {
1622                        ret = -ENOMEM;
1623                        goto error;
1624                }
1625                as->urb->num_sgs = num_sgs;
1626                sg_init_table(as->urb->sg, as->urb->num_sgs);
1627
1628                totlen = uurb->buffer_length;
1629                for (i = 0; i < as->urb->num_sgs; i++) {
1630                        u = (totlen > USB_SG_SIZE) ? USB_SG_SIZE : totlen;
1631                        buf = kmalloc(u, GFP_KERNEL);
1632                        if (!buf) {
1633                                ret = -ENOMEM;
1634                                goto error;
1635                        }
1636                        sg_set_buf(&as->urb->sg[i], buf, u);
1637
1638                        if (!is_in) {
1639                                if (copy_from_user(buf, uurb->buffer, u)) {
1640                                        ret = -EFAULT;
1641                                        goto error;
1642                                }
1643                                uurb->buffer += u;
1644                        }
1645                        totlen -= u;
1646                }
1647        } else if (uurb->buffer_length > 0) {
1648                if (as->usbm) {
1649                        unsigned long uurb_start = (unsigned long)uurb->buffer;
1650
1651                        as->urb->transfer_buffer = as->usbm->mem +
1652                                        (uurb_start - as->usbm->vm_start);
1653                } else {
1654                        as->urb->transfer_buffer = kmalloc(uurb->buffer_length,
1655                                        GFP_KERNEL);
1656                        if (!as->urb->transfer_buffer) {
1657                                ret = -ENOMEM;
1658                                goto error;
1659                        }
1660                        if (!is_in) {
1661                                if (copy_from_user(as->urb->transfer_buffer,
1662                                                   uurb->buffer,
1663                                                   uurb->buffer_length)) {
1664                                        ret = -EFAULT;
1665                                        goto error;
1666                                }
1667                        } else if (uurb->type == USBDEVFS_URB_TYPE_ISO) {
1668                                /*
1669                                 * Isochronous input data may end up being
1670                                 * discontiguous if some of the packets are
1671                                 * short. Clear the buffer so that the gaps
1672                                 * don't leak kernel data to userspace.
1673                                 */
1674                                memset(as->urb->transfer_buffer, 0,
1675                                                uurb->buffer_length);
1676                        }
1677                }
1678        }
1679        as->urb->dev = ps->dev;
1680        as->urb->pipe = (uurb->type << 30) |
1681                        __create_pipe(ps->dev, uurb->endpoint & 0xf) |
1682                        (uurb->endpoint & USB_DIR_IN);
1683
1684        /* This tedious sequence is necessary because the URB_* flags
1685         * are internal to the kernel and subject to change, whereas
1686         * the USBDEVFS_URB_* flags are a user API and must not be changed.
1687         */
1688        u = (is_in ? URB_DIR_IN : URB_DIR_OUT);
1689        if (uurb->flags & USBDEVFS_URB_ISO_ASAP)
1690                u |= URB_ISO_ASAP;
1691        if (uurb->flags & USBDEVFS_URB_SHORT_NOT_OK && is_in)
1692                u |= URB_SHORT_NOT_OK;
1693        if (uurb->flags & USBDEVFS_URB_NO_FSBR)
1694                u |= URB_NO_FSBR;
1695        if (uurb->flags & USBDEVFS_URB_ZERO_PACKET)
1696                u |= URB_ZERO_PACKET;
1697        if (uurb->flags & USBDEVFS_URB_NO_INTERRUPT)
1698                u |= URB_NO_INTERRUPT;
1699        as->urb->transfer_flags = u;
1700
1701        as->urb->transfer_buffer_length = uurb->buffer_length;
1702        as->urb->setup_packet = (unsigned char *)dr;
1703        dr = NULL;
1704        as->urb->start_frame = uurb->start_frame;
1705        as->urb->number_of_packets = number_of_packets;
1706        as->urb->stream_id = stream_id;
1707
1708        if (ep->desc.bInterval) {
1709                if (uurb->type == USBDEVFS_URB_TYPE_ISO ||
1710                                ps->dev->speed == USB_SPEED_HIGH ||
1711                                ps->dev->speed >= USB_SPEED_SUPER)
1712                        as->urb->interval = 1 <<
1713                                        min(15, ep->desc.bInterval - 1);
1714                else
1715                        as->urb->interval = ep->desc.bInterval;
1716        }
1717
1718        as->urb->context = as;
1719        as->urb->complete = async_completed;
1720        for (totlen = u = 0; u < number_of_packets; u++) {
1721                as->urb->iso_frame_desc[u].offset = totlen;
1722                as->urb->iso_frame_desc[u].length = isopkt[u].length;
1723                totlen += isopkt[u].length;
1724        }
1725        kfree(isopkt);
1726        isopkt = NULL;
1727        as->ps = ps;
1728        as->userurb = arg;
1729        if (as->usbm) {
1730                unsigned long uurb_start = (unsigned long)uurb->buffer;
1731
1732                as->urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP;
1733                as->urb->transfer_dma = as->usbm->dma_handle +
1734                                (uurb_start - as->usbm->vm_start);
1735        } else if (is_in && uurb->buffer_length > 0)
1736                as->userbuffer = uurb->buffer;
1737        as->signr = uurb->signr;
1738        as->ifnum = ifnum;
1739        as->pid = get_pid(task_pid(current));
1740        as->cred = get_current_cred();
1741        security_task_getsecid(current, &as->secid);
1742        snoop_urb(ps->dev, as->userurb, as->urb->pipe,
1743                        as->urb->transfer_buffer_length, 0, SUBMIT,
1744                        NULL, 0);
1745        if (!is_in)
1746                snoop_urb_data(as->urb, as->urb->transfer_buffer_length);
1747
1748        async_newpending(as);
1749
1750        if (usb_endpoint_xfer_bulk(&ep->desc)) {
1751                spin_lock_irq(&ps->lock);
1752
1753                /* Not exactly the endpoint address; the direction bit is
1754                 * shifted to the 0x10 position so that the value will be
1755                 * between 0 and 31.
1756                 */
1757                as->bulk_addr = usb_endpoint_num(&ep->desc) |
1758                        ((ep->desc.bEndpointAddress & USB_ENDPOINT_DIR_MASK)
1759                                >> 3);
1760
1761                /* If this bulk URB is the start of a new transfer, re-enable
1762                 * the endpoint.  Otherwise mark it as a continuation URB.
1763                 */
1764                if (uurb->flags & USBDEVFS_URB_BULK_CONTINUATION)
1765                        as->bulk_status = AS_CONTINUATION;
1766                else
1767                        ps->disabled_bulk_eps &= ~(1 << as->bulk_addr);
1768
1769                /* Don't accept continuation URBs if the endpoint is
1770                 * disabled because of an earlier error.
1771                 */
1772                if (ps->disabled_bulk_eps & (1 << as->bulk_addr))
1773                        ret = -EREMOTEIO;
1774                else
1775                        ret = usb_submit_urb(as->urb, GFP_ATOMIC);
1776                spin_unlock_irq(&ps->lock);
1777        } else {
1778                ret = usb_submit_urb(as->urb, GFP_KERNEL);
1779        }
1780
1781        if (ret) {
1782                dev_printk(KERN_DEBUG, &ps->dev->dev,
1783                           "usbfs: usb_submit_urb returned %d\n", ret);
1784                snoop_urb(ps->dev, as->userurb, as->urb->pipe,
1785                                0, ret, COMPLETE, NULL, 0);
1786                async_removepending(as);
1787                goto error;
1788        }
1789        return 0;
1790
1791 error:
1792        if (as && as->usbm)
1793                dec_usb_memory_use_count(as->usbm, &as->usbm->urb_use_count);
1794        kfree(isopkt);
1795        kfree(dr);
1796        if (as)
1797                free_async(as);
1798        return ret;
1799}
1800
1801static int proc_submiturb(struct usb_dev_state *ps, void __user *arg)
1802{
1803        struct usbdevfs_urb uurb;
1804
1805        if (copy_from_user(&uurb, arg, sizeof(uurb)))
1806                return -EFAULT;
1807
1808        return proc_do_submiturb(ps, &uurb,
1809                        (((struct usbdevfs_urb __user *)arg)->iso_frame_desc),
1810                        arg);
1811}
1812
1813static int proc_unlinkurb(struct usb_dev_state *ps, void __user *arg)
1814{
1815        struct urb *urb;
1816        struct async *as;
1817        unsigned long flags;
1818
1819        spin_lock_irqsave(&ps->lock, flags);
1820        as = async_getpending(ps, arg);
1821        if (!as) {
1822                spin_unlock_irqrestore(&ps->lock, flags);
1823                return -EINVAL;
1824        }
1825
1826        urb = as->urb;
1827        usb_get_urb(urb);
1828        spin_unlock_irqrestore(&ps->lock, flags);
1829
1830        usb_kill_urb(urb);
1831        usb_put_urb(urb);
1832
1833        return 0;
1834}
1835
1836static int processcompl(struct async *as, void __user * __user *arg)
1837{
1838        struct urb *urb = as->urb;
1839        struct usbdevfs_urb __user *userurb = as->userurb;
1840        void __user *addr = as->userurb;
1841        unsigned int i;
1842
1843        if (as->userbuffer && urb->actual_length) {
1844                if (copy_urb_data_to_user(as->userbuffer, urb))
1845                        goto err_out;
1846        }
1847        if (put_user(as->status, &userurb->status))
1848                goto err_out;
1849        if (put_user(urb->actual_length, &userurb->actual_length))
1850                goto err_out;
1851        if (put_user(urb->error_count, &userurb->error_count))
1852                goto err_out;
1853
1854        if (usb_endpoint_xfer_isoc(&urb->ep->desc)) {
1855                for (i = 0; i < urb->number_of_packets; i++) {
1856                        if (put_user(urb->iso_frame_desc[i].actual_length,
1857                                     &userurb->iso_frame_desc[i].actual_length))
1858                                goto err_out;
1859                        if (put_user(urb->iso_frame_desc[i].status,
1860                                     &userurb->iso_frame_desc[i].status))
1861                                goto err_out;
1862                }
1863        }
1864
1865        if (put_user(addr, (void __user * __user *)arg))
1866                return -EFAULT;
1867        return 0;
1868
1869err_out:
1870        return -EFAULT;
1871}
1872
1873static struct async *reap_as(struct usb_dev_state *ps)
1874{
1875        DECLARE_WAITQUEUE(wait, current);
1876        struct async *as = NULL;
1877        struct usb_device *dev = ps->dev;
1878
1879        add_wait_queue(&ps->wait, &wait);
1880        for (;;) {
1881                __set_current_state(TASK_INTERRUPTIBLE);
1882                as = async_getcompleted(ps);
1883                if (as || !connected(ps))
1884                        break;
1885                if (signal_pending(current))
1886                        break;
1887                usb_unlock_device(dev);
1888                schedule();
1889                usb_lock_device(dev);
1890        }
1891        remove_wait_queue(&ps->wait, &wait);
1892        set_current_state(TASK_RUNNING);
1893        return as;
1894}
1895
1896static int proc_reapurb(struct usb_dev_state *ps, void __user *arg)
1897{
1898        struct async *as = reap_as(ps);
1899
1900        if (as) {
1901                int retval;
1902
1903                snoop(&ps->dev->dev, "reap %pK\n", as->userurb);
1904                retval = processcompl(as, (void __user * __user *)arg);
1905                free_async(as);
1906                return retval;
1907        }
1908        if (signal_pending(current))
1909                return -EINTR;
1910        return -ENODEV;
1911}
1912
1913static int proc_reapurbnonblock(struct usb_dev_state *ps, void __user *arg)
1914{
1915        int retval;
1916        struct async *as;
1917
1918        as = async_getcompleted(ps);
1919        if (as) {
1920                snoop(&ps->dev->dev, "reap %pK\n", as->userurb);
1921                retval = processcompl(as, (void __user * __user *)arg);
1922                free_async(as);
1923        } else {
1924                retval = (connected(ps) ? -EAGAIN : -ENODEV);
1925        }
1926        return retval;
1927}
1928
1929#ifdef CONFIG_COMPAT
1930static int proc_control_compat(struct usb_dev_state *ps,
1931                                struct usbdevfs_ctrltransfer32 __user *p32)
1932{
1933        struct usbdevfs_ctrltransfer __user *p;
1934        __u32 udata;
1935        p = compat_alloc_user_space(sizeof(*p));
1936        if (copy_in_user(p, p32, (sizeof(*p32) - sizeof(compat_caddr_t))) ||
1937            get_user(udata, &p32->data) ||
1938            put_user(compat_ptr(udata), &p->data))
1939                return -EFAULT;
1940        return proc_control(ps, p);
1941}
1942
1943static int proc_bulk_compat(struct usb_dev_state *ps,
1944                        struct usbdevfs_bulktransfer32 __user *p32)
1945{
1946        struct usbdevfs_bulktransfer __user *p;
1947        compat_uint_t n;
1948        compat_caddr_t addr;
1949
1950        p = compat_alloc_user_space(sizeof(*p));
1951
1952        if (get_user(n, &p32->ep) || put_user(n, &p->ep) ||
1953            get_user(n, &p32->len) || put_user(n, &p->len) ||
1954            get_user(n, &p32->timeout) || put_user(n, &p->timeout) ||
1955            get_user(addr, &p32->data) || put_user(compat_ptr(addr), &p->data))
1956                return -EFAULT;
1957
1958        return proc_bulk(ps, p);
1959}
1960static int proc_disconnectsignal_compat(struct usb_dev_state *ps, void __user *arg)
1961{
1962        struct usbdevfs_disconnectsignal32 ds;
1963
1964        if (copy_from_user(&ds, arg, sizeof(ds)))
1965                return -EFAULT;
1966        ps->discsignr = ds.signr;
1967        ps->disccontext = compat_ptr(ds.context);
1968        return 0;
1969}
1970
1971static int get_urb32(struct usbdevfs_urb *kurb,
1972                     struct usbdevfs_urb32 __user *uurb)
1973{
1974        struct usbdevfs_urb32 urb32;
1975        if (copy_from_user(&urb32, uurb, sizeof(*uurb)))
1976                return -EFAULT;
1977        kurb->type = urb32.type;
1978        kurb->endpoint = urb32.endpoint;
1979        kurb->status = urb32.status;
1980        kurb->flags = urb32.flags;
1981        kurb->buffer = compat_ptr(urb32.buffer);
1982        kurb->buffer_length = urb32.buffer_length;
1983        kurb->actual_length = urb32.actual_length;
1984        kurb->start_frame = urb32.start_frame;
1985        kurb->number_of_packets = urb32.number_of_packets;
1986        kurb->error_count = urb32.error_count;
1987        kurb->signr = urb32.signr;
1988        kurb->usercontext = compat_ptr(urb32.usercontext);
1989        return 0;
1990}
1991
1992static int proc_submiturb_compat(struct usb_dev_state *ps, void __user *arg)
1993{
1994        struct usbdevfs_urb uurb;
1995
1996        if (get_urb32(&uurb, (struct usbdevfs_urb32 __user *)arg))
1997                return -EFAULT;
1998
1999        return proc_do_submiturb(ps, &uurb,
2000                        ((struct usbdevfs_urb32 __user *)arg)->iso_frame_desc,

2001                        arg);
2002}
2003
2004static int processcompl_compat(struct async *as, void __user * __user *arg)
2005{
2006        struct urb *urb = as->urb;
2007        struct usbdevfs_urb32 __user *userurb = as->userurb;
2008        void __user *addr = as->userurb;
2009        unsigned int i;
2010
2011        if (as->userbuffer && urb->actual_length) {
2012                if (copy_urb_data_to_user(as->userbuffer, urb))
2013                        return -EFAULT;
2014        }
2015        if (put_user(as->status, &userurb->status))
2016                return -EFAULT;
2017        if (put_user(urb->actual_length, &userurb->actual_length))
2018                return -EFAULT;
2019        if (put_user(urb->error_count, &userurb->error_count))
2020                return -EFAULT;
2021
2022        if (usb_endpoint_xfer_isoc(&urb->ep->desc)) {
2023                for (i = 0; i < urb->number_of_packets; i++) {
2024                        if (put_user(urb->iso_frame_desc[i].actual_length,
2025                                     &userurb->iso_frame_desc[i].actual_length))
2026                                return -EFAULT;
2027                        if (put_user(urb->iso_frame_desc[i].status,
2028                                     &userurb->iso_frame_desc[i].status))
2029                                return -EFAULT;
2030                }
2031        }
2032
2033        if (put_user(ptr_to_compat(addr), (u32 __user *)arg))
2034                return -EFAULT;
2035        return 0;
2036}
2037
2038static int proc_reapurb_compat(struct usb_dev_state *ps, void __user *arg)
2039{
2040        struct async *as = reap_as(ps);
2041
2042        if (as) {
2043                int retval;
2044
2045                snoop(&ps->dev->dev, "reap %pK\n", as->userurb);
2046                retval = processcompl_compat(as, (void __user * __user *)arg);
2047                free_async(as);
2048                return retval;
2049        }
2050        if (signal_pending(current))
2051                return -EINTR;
2052        return -ENODEV;
2053}
2054
2055static int proc_reapurbnonblock_compat(struct usb_dev_state *ps, void __user *arg)
2056{
2057        int retval;
2058        struct async *as;
2059
2060        as = async_getcompleted(ps);
2061        if (as) {
2062                snoop(&ps->dev->dev, "reap %pK\n", as->userurb);
2063                retval = processcompl_compat(as, (void __user * __user *)arg);
2064                free_async(as);
2065        } else {
2066                retval = (connected(ps) ? -EAGAIN : -ENODEV);
2067        }
2068        return retval;
2069}
2070
2071
2072#endif
2073
2074static int proc_disconnectsignal(struct usb_dev_state *ps, void __user *arg)
2075{
2076        struct usbdevfs_disconnectsignal ds;
2077
2078        if (copy_from_user(&ds, arg, sizeof(ds)))
2079                return -EFAULT;
2080        ps->discsignr = ds.signr;
2081        ps->disccontext = ds.context;
2082        return 0;
2083}
2084
2085static int proc_claiminterface(struct usb_dev_state *ps, void __user *arg)
2086{
2087        unsigned int ifnum;
2088
2089        if (get_user(ifnum, (unsigned int __user *)arg))
2090                return -EFAULT;
2091        return claimintf(ps, ifnum);
2092}
2093
2094static int proc_releaseinterface(struct usb_dev_state *ps, void __user *arg)
2095{
2096        unsigned int ifnum;
2097        int ret;
2098
2099        if (get_user(ifnum, (unsigned int __user *)arg))
2100                return -EFAULT;
2101        ret = releaseintf(ps, ifnum);
2102        if (ret < 0)
2103                return ret;
2104        destroy_async_on_interface(ps, ifnum);
2105        return 0;
2106}
2107
2108static int proc_ioctl(struct usb_dev_state *ps, struct usbdevfs_ioctl *ctl)
2109{
2110        int                     size;
2111        void                    *buf = NULL;
2112        int                     retval = 0;
2113        struct usb_interface    *intf = NULL;
2114        struct usb_driver       *driver = NULL;
2115
2116        if (ps->privileges_dropped)
2117                return -EACCES;
2118
2119        /* alloc buffer */
2120        size = _IOC_SIZE(ctl->ioctl_code);
2121        if (size > 0) {
2122                buf = kmalloc(size, GFP_KERNEL);
2123                if (buf == NULL)
2124                        return -ENOMEM;
2125                if ((_IOC_DIR(ctl->ioctl_code) & _IOC_WRITE)) {
2126                        if (copy_from_user(buf, ctl->data, size)) {
2127                                kfree(buf);
2128                                return -EFAULT;
2129                        }
2130                } else {
2131                        memset(buf, 0, size);
2132                }
2133        }
2134
2135        if (!connected(ps)) {
2136                kfree(buf);
2137                return -ENODEV;
2138        }
2139
2140        if (ps->dev->state != USB_STATE_CONFIGURED)
2141                retval = -EHOSTUNREACH;
2142        else if (!(intf = usb_ifnum_to_if(ps->dev, ctl->ifno)))
2143                retval = -EINVAL;
2144        else switch (ctl->ioctl_code) {
2145
2146        /* disconnect kernel driver from interface */
2147        case USBDEVFS_DISCONNECT:
2148                if (intf->dev.driver) {
2149                        driver = to_usb_driver(intf->dev.driver);
2150                        dev_dbg(&intf->dev, "disconnect by usbfs\n");
2151                        usb_driver_release_interface(driver, intf);
2152                } else
2153                        retval = -ENODATA;
2154                break;
2155
2156        /* let kernel drivers try to (re)bind to the interface */
2157        case USBDEVFS_CONNECT:
2158                if (!intf->dev.driver)
2159                        retval = device_attach(&intf->dev);
2160                else
2161                        retval = -EBUSY;
2162                break;
2163
2164        /* talk directly to the interface's driver */
2165        default:
2166                if (intf->dev.driver)
2167                        driver = to_usb_driver(intf->dev.driver);
2168                if (driver == NULL || driver->unlocked_ioctl == NULL) {
2169                        retval = -ENOTTY;
2170                } else {
2171                        retval = driver->unlocked_ioctl(intf, ctl->ioctl_code, buf);
2172                        if (retval == -ENOIOCTLCMD)
2173                                retval = -ENOTTY;
2174                }
2175        }
2176
2177        /* cleanup and return */
2178        if (retval >= 0
2179                        && (_IOC_DIR(ctl->ioctl_code) & _IOC_READ) != 0
2180                        && size > 0
2181                        && copy_to_user(ctl->data, buf, size) != 0)
2182                retval = -EFAULT;
2183
2184        kfree(buf);
2185        return retval;
2186}
2187
2188static int proc_ioctl_default(struct usb_dev_state *ps, void __user *arg)
2189{
2190        struct usbdevfs_ioctl   ctrl;
2191
2192        if (copy_from_user(&ctrl, arg, sizeof(ctrl)))
2193                return -EFAULT;
2194        return proc_ioctl(ps, &ctrl);
2195}
2196
2197#ifdef CONFIG_COMPAT
2198static int proc_ioctl_compat(struct usb_dev_state *ps, compat_uptr_t arg)
2199{
2200        struct usbdevfs_ioctl32 ioc32;
2201        struct usbdevfs_ioctl ctrl;
2202
2203        if (copy_from_user(&ioc32, compat_ptr(arg), sizeof(ioc32)))
2204                return -EFAULT;
2205        ctrl.ifno = ioc32.ifno;
2206        ctrl.ioctl_code = ioc32.ioctl_code;
2207        ctrl.data = compat_ptr(ioc32.data);
2208        return proc_ioctl(ps, &ctrl);
2209}
2210#endif
2211
2212static int proc_claim_port(struct usb_dev_state *ps, void __user *arg)
2213{
2214        unsigned portnum;
2215        int rc;
2216
2217        if (get_user(portnum, (unsigned __user *) arg))
2218                return -EFAULT;
2219        rc = usb_hub_claim_port(ps->dev, portnum, ps);
2220        if (rc == 0)
2221                snoop(&ps->dev->dev, "port %d claimed by process %d: %s\n",
2222                        portnum, task_pid_nr(current), current->comm);
2223        return rc;
2224}
2225
2226static int proc_release_port(struct usb_dev_state *ps, void __user *arg)
2227{
2228        unsigned portnum;
2229
2230        if (get_user(portnum, (unsigned __user *) arg))
2231                return -EFAULT;
2232        return usb_hub_release_port(ps->dev, portnum, ps);
2233}
2234
2235static int proc_get_capabilities(struct usb_dev_state *ps, void __user *arg)
2236{
2237        __u32 caps;
2238
2239        caps = USBDEVFS_CAP_ZERO_PACKET | USBDEVFS_CAP_NO_PACKET_SIZE_LIM |
2240                        USBDEVFS_CAP_REAP_AFTER_DISCONNECT | USBDEVFS_CAP_MMAP |
2241                        USBDEVFS_CAP_DROP_PRIVILEGES;
2242        if (!ps->dev->bus->no_stop_on_short)
2243                caps |= USBDEVFS_CAP_BULK_CONTINUATION;
2244        if (ps->dev->bus->sg_tablesize)
2245                caps |= USBDEVFS_CAP_BULK_SCATTER_GATHER;
2246
2247        if (put_user(caps, (__u32 __user *)arg))
2248                return -EFAULT;
2249
2250        return 0;
2251}
2252
2253static int proc_disconnect_claim(struct usb_dev_state *ps, void __user *arg)
2254{
2255        struct usbdevfs_disconnect_claim dc;
2256        struct usb_interface *intf;
2257
2258        if (copy_from_user(&dc, arg, sizeof(dc)))
2259                return -EFAULT;
2260
2261        intf = usb_ifnum_to_if(ps->dev, dc.interface);
2262        if (!intf)
2263                return -EINVAL;
2264
2265        if (intf->dev.driver) {
2266                struct usb_driver *driver = to_usb_driver(intf->dev.driver);
2267
2268                if (ps->privileges_dropped)
2269                        return -EACCES;
2270
2271                if ((dc.flags & USBDEVFS_DISCONNECT_CLAIM_IF_DRIVER) &&
2272                                strncmp(dc.driver, intf->dev.driver->name,
2273                                        sizeof(dc.driver)) != 0)
2274                        return -EBUSY;
2275
2276                if ((dc.flags & USBDEVFS_DISCONNECT_CLAIM_EXCEPT_DRIVER) &&
2277                                strncmp(dc.driver, intf->dev.driver->name,
2278                                        sizeof(dc.driver)) == 0)
2279                        return -EBUSY;
2280
2281                dev_dbg(&intf->dev, "disconnect by usbfs\n");
2282                usb_driver_release_interface(driver, intf);
2283        }
2284
2285        return claimintf(ps, dc.interface);
2286}
2287
2288static int proc_alloc_streams(struct usb_dev_state *ps, void __user *arg)
2289{
2290        unsigned num_streams, num_eps;
2291        struct usb_host_endpoint **eps;
2292        struct usb_interface *intf;
2293        int r;
2294
2295        r = parse_usbdevfs_streams(ps, arg, &num_streams, &num_eps,
2296                                   &eps, &intf);
2297        if (r)
2298                return r;
2299
2300        destroy_async_on_interface(ps,
2301                                   intf->altsetting[0].desc.bInterfaceNumber);
2302
2303        r = usb_alloc_streams(intf, eps, num_eps, num_streams, GFP_KERNEL);
2304        kfree(eps);
2305        return r;
2306}
2307
2308static int proc_free_streams(struct usb_dev_state *ps, void __user *arg)
2309{
2310        unsigned num_eps;
2311        struct usb_host_endpoint **eps;
2312        struct usb_interface *intf;
2313        int r;
2314
2315        r = parse_usbdevfs_streams(ps, arg, NULL, &num_eps, &eps, &intf);
2316        if (r)
2317                return r;
2318
2319        destroy_async_on_interface(ps,
2320                                   intf->altsetting[0].desc.bInterfaceNumber);
2321
2322        r = usb_free_streams(intf, eps, num_eps, GFP_KERNEL);
2323        kfree(eps);
2324        return r;
2325}
2326
2327static int proc_drop_privileges(struct usb_dev_state *ps, void __user *arg)
2328{
2329        u32 data;
2330
2331        if (copy_from_user(&data, arg, sizeof(data)))
2332                return -EFAULT;
2333
2334        /* This is a one way operation. Once privileges are
2335         * dropped, you cannot regain them. You may however reissue
2336         * this ioctl to shrink the allowed interfaces mask.
2337         */
2338        ps->interface_allowed_mask &= data;
2339        ps->privileges_dropped = true;
2340
2341        return 0;
2342}
2343
2344/*
2345 * NOTE:  All requests here that have interface numbers as parameters
2346 * are assuming that somehow the configuration has been prevented from
2347 * changing.  But there's no mechanism to ensure that...
2348 */
2349static long usbdev_do_ioctl(struct file *file, unsigned int cmd,
2350                                void __user *p)
2351{
2352        struct usb_dev_state *ps = file->private_data;
2353        struct inode *inode = file_inode(file);
2354        struct usb_device *dev = ps->dev;
2355        int ret = -ENOTTY;
2356
2357        if (!(file->f_mode & FMODE_WRITE))
2358                return -EPERM;
2359
2360        usb_lock_device(dev);
2361
2362        /* Reap operations are allowed even after disconnection */
2363        switch (cmd) {
2364        case USBDEVFS_REAPURB:
2365                snoop(&dev->dev, "%s: REAPURB\n", __func__);
2366                ret = proc_reapurb(ps, p);
2367                goto done;
2368
2369        case USBDEVFS_REAPURBNDELAY:
2370                snoop(&dev->dev, "%s: REAPURBNDELAY\n", __func__);
2371                ret = proc_reapurbnonblock(ps, p);
2372                goto done;
2373
2374#ifdef CONFIG_COMPAT
2375        case USBDEVFS_REAPURB32:
2376                snoop(&dev->dev, "%s: REAPURB32\n", __func__);
2377                ret = proc_reapurb_compat(ps, p);
2378                goto done;
2379
2380        case USBDEVFS_REAPURBNDELAY32:
2381                snoop(&dev->dev, "%s: REAPURBNDELAY32\n", __func__);
2382                ret = proc_reapurbnonblock_compat(ps, p);
2383                goto done;
2384#endif
2385        }
2386
2387        if (!connected(ps)) {
2388                usb_unlock_device(dev);
2389                return -ENODEV;
2390        }
2391
2392        switch (cmd) {
2393        case USBDEVFS_CONTROL:
2394                snoop(&dev->dev, "%s: CONTROL\n", __func__);
2395                ret = proc_control(ps, p);
2396                if (ret >= 0)
2397                        inode->i_mtime = current_time(inode);
2398                break;
2399
2400        case USBDEVFS_BULK:
2401                snoop(&dev->dev, "%s: BULK\n", __func__);
2402                ret = proc_bulk(ps, p);
2403                if (ret >= 0)
2404                        inode->i_mtime = current_time(inode);
2405                break;
2406
2407        case USBDEVFS_RESETEP:
2408                snoop(&dev->dev, "%s: RESETEP\n", __func__);
2409                ret = proc_resetep(ps, p);
2410                if (ret >= 0)
2411                        inode->i_mtime = current_time(inode);
2412                break;
2413
2414        case USBDEVFS_RESET:
2415                snoop(&dev->dev, "%s: RESET\n", __func__);
2416                ret = proc_resetdevice(ps);
2417                break;
2418
2419        case USBDEVFS_CLEAR_HALT:
2420                snoop(&dev->dev, "%s: CLEAR_HALT\n", __func__);
2421                ret = proc_clearhalt(ps, p);
2422                if (ret >= 0)
2423                        inode->i_mtime = current_time(inode);
2424                break;
2425
2426        case USBDEVFS_GETDRIVER:
2427                snoop(&dev->dev, "%s: GETDRIVER\n", __func__);
2428                ret = proc_getdriver(ps, p);
2429                break;
2430
2431        case USBDEVFS_CONNECTINFO:
2432                snoop(&dev->dev, "%s: CONNECTINFO\n", __func__);
2433                ret = proc_connectinfo(ps, p);
2434                break;
2435
2436        case USBDEVFS_SETINTERFACE:
2437                snoop(&dev->dev, "%s: SETINTERFACE\n", __func__);
2438                ret = proc_setintf(ps, p);
2439                break;
2440
2441        case USBDEVFS_SETCONFIGURATION:
2442                snoop(&dev->dev, "%s: SETCONFIGURATION\n", __func__);
2443                ret = proc_setconfig(ps, p);
2444                break;
2445
2446        case USBDEVFS_SUBMITURB:
2447                snoop(&dev->dev, "%s: SUBMITURB\n", __func__);
2448                ret = proc_submiturb(ps, p);
2449                if (ret >= 0)
2450                        inode->i_mtime = current_time(inode);
2451                break;
2452
2453#ifdef CONFIG_COMPAT
2454        case USBDEVFS_CONTROL32:
2455                snoop(&dev->dev, "%s: CONTROL32\n", __func__);
2456                ret = proc_control_compat(ps, p);
2457                if (ret >= 0)
2458                        inode->i_mtime = current_time(inode);
2459                break;
2460
2461        case USBDEVFS_BULK32:
2462                snoop(&dev->dev, "%s: BULK32\n", __func__);
2463                ret = proc_bulk_compat(ps, p);
2464                if (ret >= 0)
2465                        inode->i_mtime = current_time(inode);
2466                break;
2467
2468        case USBDEVFS_DISCSIGNAL32:
2469                snoop(&dev->dev, "%s: DISCSIGNAL32\n", __func__);
2470                ret = proc_disconnectsignal_compat(ps, p);
2471                break;
2472
2473        case USBDEVFS_SUBMITURB32:
2474                snoop(&dev->dev, "%s: SUBMITURB32\n", __func__);
2475                ret = proc_submiturb_compat(ps, p);
2476                if (ret >= 0)
2477                        inode->i_mtime = current_time(inode);
2478                break;
2479
2480        case USBDEVFS_IOCTL32:
2481                snoop(&dev->dev, "%s: IOCTL32\n", __func__);
2482                ret = proc_ioctl_compat(ps, ptr_to_compat(p));
2483                break;
2484#endif
2485
2486        case USBDEVFS_DISCARDURB:
2487                snoop(&dev->dev, "%s: DISCARDURB %pK\n", __func__, p);
2488                ret = proc_unlinkurb(ps, p);
2489                break;
2490
2491        case USBDEVFS_DISCSIGNAL:
2492                snoop(&dev->dev, "%s: DISCSIGNAL\n", __func__);
2493                ret = proc_disconnectsignal(ps, p);
2494                break;
2495
2496        case USBDEVFS_CLAIMINTERFACE:
2497                snoop(&dev->dev, "%s: CLAIMINTERFACE\n", __func__);
2498                ret = proc_claiminterface(ps, p);
2499                break;
2500
2501        case USBDEVFS_RELEASEINTERFACE:
2502                snoop(&dev->dev, "%s: RELEASEINTERFACE\n", __func__);
2503                ret = proc_releaseinterface(ps, p);
2504                break;
2505
2506        case USBDEVFS_IOCTL:
2507                snoop(&dev->dev, "%s: IOCTL\n", __func__);
2508                ret = proc_ioctl_default(ps, p);
2509                break;
2510
2511        case USBDEVFS_CLAIM_PORT:
2512                snoop(&dev->dev, "%s: CLAIM_PORT\n", __func__);
2513                ret = proc_claim_port(ps, p);
2514                break;
2515
2516        case USBDEVFS_RELEASE_PORT:
2517                snoop(&dev->dev, "%s: RELEASE_PORT\n", __func__);
2518                ret = proc_release_port(ps, p);
2519                break;
2520        case USBDEVFS_GET_CAPABILITIES:
2521                ret = proc_get_capabilities(ps, p);
2522                break;
2523        case USBDEVFS_DISCONNECT_CLAIM:
2524                ret = proc_disconnect_claim(ps, p);
2525                break;
2526        case USBDEVFS_ALLOC_STREAMS:
2527                ret = proc_alloc_streams(ps, p);
2528                break;
2529        case USBDEVFS_FREE_STREAMS:
2530                ret = proc_free_streams(ps, p);
2531                break;
2532        case USBDEVFS_DROP_PRIVILEGES:
2533                ret = proc_drop_privileges(ps, p);
2534                break;
2535        case USBDEVFS_GET_SPEED:
2536                ret = ps->dev->speed;
2537                break;
2538        }
2539
2540 done:
2541        usb_unlock_device(dev);
2542        if (ret >= 0)
2543                inode->i_atime = current_time(inode);
2544        return ret;
2545}
2546
2547static long usbdev_ioctl(struct file *file, unsigned int cmd,
2548                        unsigned long arg)
2549{
2550        int ret;
2551
2552        ret = usbdev_do_ioctl(file, cmd, (void __user *)arg);
2553
2554        return ret;
2555}
2556
2557#ifdef CONFIG_COMPAT
2558static long usbdev_compat_ioctl(struct file *file, unsigned int cmd,
2559                        unsigned long arg)
2560{
2561        int ret;
2562
2563        ret = usbdev_do_ioctl(file, cmd, compat_ptr(arg));
2564
2565        return ret;
2566}
2567#endif
2568
2569/* No kernel lock - fine */
2570static unsigned int usbdev_poll(struct file *file,
2571                                struct poll_table_struct *wait)
2572{
2573        struct usb_dev_state *ps = file->private_data;
2574        unsigned int mask = 0;
2575
2576        poll_wait(file, &ps->wait, wait);
2577        if (file->f_mode & FMODE_WRITE && !list_empty(&ps->async_completed))
2578                mask |= POLLOUT | POLLWRNORM;
2579        if (!connected(ps))
2580                mask |= POLLHUP;
2581        if (list_empty(&ps->list))
2582                mask |= POLLERR;
2583        return mask;
2584}
2585
2586const struct file_operations usbdev_file_operations = {
2587        .owner =          THIS_MODULE,
2588        .llseek =         no_seek_end_llseek,
2589        .read =           usbdev_read,
2590        .poll =           usbdev_poll,
2591        .unlocked_ioctl = usbdev_ioctl,
2592#ifdef CONFIG_COMPAT
2593        .compat_ioctl =   usbdev_compat_ioctl,
2594#endif
2595        .mmap =           usbdev_mmap,
2596        .open =           usbdev_open,
2597        .release =        usbdev_release,
2598};
2599
2600static void usbdev_remove(struct usb_device *udev)
2601{
2602        struct usb_dev_state *ps;
2603        struct siginfo sinfo;
2604
2605        while (!list_empty(&udev->filelist)) {
2606                ps = list_entry(udev->filelist.next, struct usb_dev_state, list);
2607                destroy_all_async(ps);
2608                wake_up_all(&ps->wait);
2609                list_del_init(&ps->list);
2610                if (ps->discsignr) {
2611                        memset(&sinfo, 0, sizeof(sinfo));
2612                        sinfo.si_signo = ps->discsignr;
2613                        sinfo.si_errno = EPIPE;
2614                        sinfo.si_code = SI_ASYNCIO;
2615                        sinfo.si_addr = ps->disccontext;
2616                        kill_pid_info_as_cred(ps->discsignr, &sinfo,
2617                                        ps->disc_pid, ps->cred, ps->secid);
2618                }
2619        }
2620}
2621
2622static int usbdev_notify(struct notifier_block *self,
2623                               unsigned long action, void *dev)
2624{
2625        switch (action) {
2626        case USB_DEVICE_ADD:
2627                break;
2628        case USB_DEVICE_REMOVE:
2629                usbdev_remove(dev);
2630                break;
2631        }
2632        return NOTIFY_OK;
2633}
2634
2635static struct notifier_block usbdev_nb = {
2636        .notifier_call =        usbdev_notify,
2637};
2638
2639static struct cdev usb_device_cdev;
2640
2641int __init usb_devio_init(void)
2642{
2643        int retval;
2644
2645        retval = register_chrdev_region(USB_DEVICE_DEV, USB_DEVICE_MAX,
2646                                        "usb_device");
2647        if (retval) {
2648                printk(KERN_ERR "Unable to register minors for usb_device\n");
2649                goto out;
2650        }
2651        cdev_init(&usb_device_cdev, &usbdev_file_operations);
2652        retval = cdev_add(&usb_device_cdev, USB_DEVICE_DEV, USB_DEVICE_MAX);
2653        if (retval) {
2654                printk(KERN_ERR "Unable to get usb_device major %d\n",
2655                       USB_DEVICE_MAJOR);
2656                goto error_cdev;
2657        }
2658        usb_register_notify(&usbdev_nb);
2659out:
2660        return retval;
2661
2662error_cdev:
2663        unregister_chrdev_region(USB_DEVICE_DEV, USB_DEVICE_MAX);
2664        goto out;
2665}
2666
2667void usb_devio_cleanup(void)
2668{
2669        usb_unregister_notify(&usbdev_nb);
2670        cdev_del(&usb_device_cdev);
2671        unregister_chrdev_region(USB_DEVICE_DEV, USB_DEVICE_MAX);
2672}
2673