tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom
kernel / drivers / usb / core / devio.c
at v5.7-rc5 2799 lines 70 kB view raw
1// SPDX-License-Identifier: GPL-2.0+ 2/*****************************************************************************/ 3 4/* 5 * devio.c -- User space communication with USB devices. 6 * 7 * Copyright (C) 1999-2000 Thomas Sailer (sailer@ife.ee.ethz.ch) 8 * 9 * This file implements the usbfs/x/y files, where 10 * x is the bus number and y the device number. 11 * 12 * It allows user space programs/"drivers" to communicate directly 13 * with USB devices without intervening kernel driver. 14 * 15 * Revision history 16 * 22.12.1999 0.1 Initial release (split from proc_usb.c) 17 * 04.01.2000 0.2 Turned into its own filesystem 18 * 30.09.2005 0.3 Fix user-triggerable oops in async URB delivery 19 * (CAN-2005-3055) 20 */ 21 22/*****************************************************************************/ 23 24#include <linux/fs.h> 25#include <linux/mm.h> 26#include <linux/sched/signal.h> 27#include <linux/slab.h> 28#include <linux/signal.h> 29#include <linux/poll.h> 30#include <linux/module.h> 31#include <linux/string.h> 32#include <linux/usb.h> 33#include <linux/usbdevice_fs.h> 34#include <linux/usb/hcd.h> /* for usbcore internals */ 35#include <linux/cdev.h> 36#include <linux/notifier.h> 37#include <linux/security.h> 38#include <linux/user_namespace.h> 39#include <linux/scatterlist.h> 40#include <linux/uaccess.h> 41#include <linux/dma-mapping.h> 42#include <asm/byteorder.h> 43#include <linux/moduleparam.h> 44 45#include "usb.h" 46 47#ifdef CONFIG_PM 48#define MAYBE_CAP_SUSPEND USBDEVFS_CAP_SUSPEND 49#else 50#define MAYBE_CAP_SUSPEND 0 51#endif 52 53#define USB_MAXBUS 64 54#define USB_DEVICE_MAX (USB_MAXBUS * 128) 55#define USB_SG_SIZE 16384 /* split-size for large txs */ 56 57/* Mutual exclusion for ps->list in resume vs. release and remove */ 58static DEFINE_MUTEX(usbfs_mutex); 59 60struct usb_dev_state { 61 struct list_head list; /* state list */ 62 struct usb_device *dev; 63 struct file *file; 64 spinlock_t lock; /* protects the async urb lists */ 65 struct list_head async_pending; 66 struct list_head async_completed; 67 struct list_head memory_list; 68 wait_queue_head_t wait; /* wake up if a request completed */ 69 wait_queue_head_t wait_for_resume; /* wake up upon runtime resume */ 70 unsigned int discsignr; 71 struct pid *disc_pid; 72 const struct cred *cred; 73 sigval_t disccontext; 74 unsigned long ifclaimed; 75 u32 disabled_bulk_eps; 76 unsigned long interface_allowed_mask; 77 int not_yet_resumed; 78 bool suspend_allowed; 79 bool privileges_dropped; 80}; 81 82struct usb_memory { 83 struct list_head memlist; 84 int vma_use_count; 85 int urb_use_count; 86 u32 size; 87 void *mem; 88 dma_addr_t dma_handle; 89 unsigned long vm_start; 90 struct usb_dev_state *ps; 91}; 92 93struct async { 94 struct list_head asynclist; 95 struct usb_dev_state *ps; 96 struct pid *pid; 97 const struct cred *cred; 98 unsigned int signr; 99 unsigned int ifnum; 100 void __user *userbuffer; 101 void __user *userurb; 102 sigval_t userurb_sigval; 103 struct urb *urb; 104 struct usb_memory *usbm; 105 unsigned int mem_usage; 106 int status; 107 u8 bulk_addr; 108 u8 bulk_status; 109}; 110 111static bool usbfs_snoop; 112module_param(usbfs_snoop, bool, S_IRUGO | S_IWUSR); 113MODULE_PARM_DESC(usbfs_snoop, "true to log all usbfs traffic"); 114 115static unsigned usbfs_snoop_max = 65536; 116module_param(usbfs_snoop_max, uint, S_IRUGO | S_IWUSR); 117MODULE_PARM_DESC(usbfs_snoop_max, 118 "maximum number of bytes to print while snooping"); 119 120#define snoop(dev, format, arg...) \ 121 do { \ 122 if (usbfs_snoop) \ 123 dev_info(dev, format, ## arg); \ 124 } while (0) 125 126enum snoop_when { 127 SUBMIT, COMPLETE 128}; 129 130#define USB_DEVICE_DEV MKDEV(USB_DEVICE_MAJOR, 0) 131 132/* Limit on the total amount of memory we can allocate for transfers */ 133static u32 usbfs_memory_mb = 16; 134module_param(usbfs_memory_mb, uint, 0644); 135MODULE_PARM_DESC(usbfs_memory_mb, 136 "maximum MB allowed for usbfs buffers (0 = no limit)"); 137 138/* Hard limit, necessary to avoid arithmetic overflow */ 139#define USBFS_XFER_MAX (UINT_MAX / 2 - 1000000) 140 141static atomic64_t usbfs_memory_usage; /* Total memory currently allocated */ 142 143/* Check whether it's okay to allocate more memory for a transfer */ 144static int usbfs_increase_memory_usage(u64 amount) 145{ 146 u64 lim; 147 148 lim = READ_ONCE(usbfs_memory_mb); 149 lim <<= 20; 150 151 atomic64_add(amount, &usbfs_memory_usage); 152 153 if (lim > 0 && atomic64_read(&usbfs_memory_usage) > lim) { 154 atomic64_sub(amount, &usbfs_memory_usage); 155 return -ENOMEM; 156 } 157 158 return 0; 159} 160 161/* Memory for a transfer is being deallocated */ 162static void usbfs_decrease_memory_usage(u64 amount) 163{ 164 atomic64_sub(amount, &usbfs_memory_usage); 165} 166 167static int connected(struct usb_dev_state *ps) 168{ 169 return (!list_empty(&ps->list) && 170 ps->dev->state != USB_STATE_NOTATTACHED); 171} 172 173static void dec_usb_memory_use_count(struct usb_memory *usbm, int *count) 174{ 175 struct usb_dev_state *ps = usbm->ps; 176 unsigned long flags; 177 178 spin_lock_irqsave(&ps->lock, flags); 179 --*count; 180 if (usbm->urb_use_count == 0 && usbm->vma_use_count == 0) { 181 list_del(&usbm->memlist); 182 spin_unlock_irqrestore(&ps->lock, flags); 183 184 usb_free_coherent(ps->dev, usbm->size, usbm->mem, 185 usbm->dma_handle); 186 usbfs_decrease_memory_usage( 187 usbm->size + sizeof(struct usb_memory)); 188 kfree(usbm); 189 } else { 190 spin_unlock_irqrestore(&ps->lock, flags); 191 } 192} 193 194static void usbdev_vm_open(struct vm_area_struct *vma) 195{ 196 struct usb_memory *usbm = vma->vm_private_data; 197 unsigned long flags; 198 199 spin_lock_irqsave(&usbm->ps->lock, flags); 200 ++usbm->vma_use_count; 201 spin_unlock_irqrestore(&usbm->ps->lock, flags); 202} 203 204static void usbdev_vm_close(struct vm_area_struct *vma) 205{ 206 struct usb_memory *usbm = vma->vm_private_data; 207 208 dec_usb_memory_use_count(usbm, &usbm->vma_use_count); 209} 210 211static const struct vm_operations_struct usbdev_vm_ops = { 212 .open = usbdev_vm_open, 213 .close = usbdev_vm_close 214}; 215 216static int usbdev_mmap(struct file *file, struct vm_area_struct *vma) 217{ 218 struct usb_memory *usbm = NULL; 219 struct usb_dev_state *ps = file->private_data; 220 struct usb_hcd *hcd = bus_to_hcd(ps->dev->bus); 221 size_t size = vma->vm_end - vma->vm_start; 222 void *mem; 223 unsigned long flags; 224 dma_addr_t dma_handle; 225 int ret; 226 227 ret = usbfs_increase_memory_usage(size + sizeof(struct usb_memory)); 228 if (ret) 229 goto error; 230 231 usbm = kzalloc(sizeof(struct usb_memory), GFP_KERNEL); 232 if (!usbm) { 233 ret = -ENOMEM; 234 goto error_decrease_mem; 235 } 236 237 mem = usb_alloc_coherent(ps->dev, size, GFP_USER | __GFP_NOWARN, 238 &dma_handle); 239 if (!mem) { 240 ret = -ENOMEM; 241 goto error_free_usbm; 242 } 243 244 memset(mem, 0, size); 245 246 usbm->mem = mem; 247 usbm->dma_handle = dma_handle; 248 usbm->size = size; 249 usbm->ps = ps; 250 usbm->vm_start = vma->vm_start; 251 usbm->vma_use_count = 1; 252 INIT_LIST_HEAD(&usbm->memlist); 253 254 if (dma_mmap_coherent(hcd->self.sysdev, vma, mem, dma_handle, size)) { 255 dec_usb_memory_use_count(usbm, &usbm->vma_use_count); 256 return -EAGAIN; 257 } 258 259 vma->vm_flags |= VM_IO; 260 vma->vm_flags |= (VM_DONTEXPAND | VM_DONTDUMP); 261 vma->vm_ops = &usbdev_vm_ops; 262 vma->vm_private_data = usbm; 263 264 spin_lock_irqsave(&ps->lock, flags); 265 list_add_tail(&usbm->memlist, &ps->memory_list); 266 spin_unlock_irqrestore(&ps->lock, flags); 267 268 return 0; 269 270error_free_usbm: 271 kfree(usbm); 272error_decrease_mem: 273 usbfs_decrease_memory_usage(size + sizeof(struct usb_memory)); 274error: 275 return ret; 276} 277 278static ssize_t usbdev_read(struct file *file, char __user *buf, size_t nbytes, 279 loff_t *ppos) 280{ 281 struct usb_dev_state *ps = file->private_data; 282 struct usb_device *dev = ps->dev; 283 ssize_t ret = 0; 284 unsigned len; 285 loff_t pos; 286 int i; 287 288 pos = *ppos; 289 usb_lock_device(dev); 290 if (!connected(ps)) { 291 ret = -ENODEV; 292 goto err; 293 } else if (pos < 0) { 294 ret = -EINVAL; 295 goto err; 296 } 297 298 if (pos < sizeof(struct usb_device_descriptor)) { 299 /* 18 bytes - fits on the stack */ 300 struct usb_device_descriptor temp_desc; 301 302 memcpy(&temp_desc, &dev->descriptor, sizeof(dev->descriptor)); 303 le16_to_cpus(&temp_desc.bcdUSB); 304 le16_to_cpus(&temp_desc.idVendor); 305 le16_to_cpus(&temp_desc.idProduct); 306 le16_to_cpus(&temp_desc.bcdDevice); 307 308 len = sizeof(struct usb_device_descriptor) - pos; 309 if (len > nbytes) 310 len = nbytes; 311 if (copy_to_user(buf, ((char *)&temp_desc) + pos, len)) { 312 ret = -EFAULT; 313 goto err; 314 } 315 316 *ppos += len; 317 buf += len; 318 nbytes -= len; 319 ret += len; 320 } 321 322 pos = sizeof(struct usb_device_descriptor); 323 for (i = 0; nbytes && i < dev->descriptor.bNumConfigurations; i++) { 324 struct usb_config_descriptor *config = 325 (struct usb_config_descriptor *)dev->rawdescriptors[i]; 326 unsigned int length = le16_to_cpu(config->wTotalLength); 327 328 if (*ppos < pos + length) { 329 330 /* The descriptor may claim to be longer than it 331 * really is. Here is the actual allocated length. */ 332 unsigned alloclen = 333 le16_to_cpu(dev->config[i].desc.wTotalLength); 334 335 len = length - (*ppos - pos); 336 if (len > nbytes) 337 len = nbytes; 338 339 /* Simply don't write (skip over) unallocated parts */ 340 if (alloclen > (*ppos - pos)) { 341 alloclen -= (*ppos - pos); 342 if (copy_to_user(buf, 343 dev->rawdescriptors[i] + (*ppos - pos), 344 min(len, alloclen))) { 345 ret = -EFAULT; 346 goto err; 347 } 348 } 349 350 *ppos += len; 351 buf += len; 352 nbytes -= len; 353 ret += len; 354 } 355 356 pos += length; 357 } 358 359err: 360 usb_unlock_device(dev); 361 return ret; 362} 363 364/* 365 * async list handling 366 */ 367 368static struct async *alloc_async(unsigned int numisoframes) 369{ 370 struct async *as; 371 372 as = kzalloc(sizeof(struct async), GFP_KERNEL); 373 if (!as) 374 return NULL; 375 as->urb = usb_alloc_urb(numisoframes, GFP_KERNEL); 376 if (!as->urb) { 377 kfree(as); 378 return NULL; 379 } 380 return as; 381} 382 383static void free_async(struct async *as) 384{ 385 int i; 386 387 put_pid(as->pid); 388 if (as->cred) 389 put_cred(as->cred); 390 for (i = 0; i < as->urb->num_sgs; i++) { 391 if (sg_page(&as->urb->sg[i])) 392 kfree(sg_virt(&as->urb->sg[i])); 393 } 394 395 kfree(as->urb->sg); 396 if (as->usbm == NULL) 397 kfree(as->urb->transfer_buffer); 398 else 399 dec_usb_memory_use_count(as->usbm, &as->usbm->urb_use_count); 400 401 kfree(as->urb->setup_packet); 402 usb_free_urb(as->urb); 403 usbfs_decrease_memory_usage(as->mem_usage); 404 kfree(as); 405} 406 407static void async_newpending(struct async *as) 408{ 409 struct usb_dev_state *ps = as->ps; 410 unsigned long flags; 411 412 spin_lock_irqsave(&ps->lock, flags); 413 list_add_tail(&as->asynclist, &ps->async_pending); 414 spin_unlock_irqrestore(&ps->lock, flags); 415} 416 417static void async_removepending(struct async *as) 418{ 419 struct usb_dev_state *ps = as->ps; 420 unsigned long flags; 421 422 spin_lock_irqsave(&ps->lock, flags); 423 list_del_init(&as->asynclist); 424 spin_unlock_irqrestore(&ps->lock, flags); 425} 426 427static struct async *async_getcompleted(struct usb_dev_state *ps) 428{ 429 unsigned long flags; 430 struct async *as = NULL; 431 432 spin_lock_irqsave(&ps->lock, flags); 433 if (!list_empty(&ps->async_completed)) { 434 as = list_entry(ps->async_completed.next, struct async, 435 asynclist); 436 list_del_init(&as->asynclist); 437 } 438 spin_unlock_irqrestore(&ps->lock, flags); 439 return as; 440} 441 442static struct async *async_getpending(struct usb_dev_state *ps, 443 void __user *userurb) 444{ 445 struct async *as; 446 447 list_for_each_entry(as, &ps->async_pending, asynclist) 448 if (as->userurb == userurb) { 449 list_del_init(&as->asynclist); 450 return as; 451 } 452 453 return NULL; 454} 455 456static void snoop_urb(struct usb_device *udev, 457 void __user *userurb, int pipe, unsigned length, 458 int timeout_or_status, enum snoop_when when, 459 unsigned char *data, unsigned data_len) 460{ 461 static const char *types[] = {"isoc", "int", "ctrl", "bulk"}; 462 static const char *dirs[] = {"out", "in"}; 463 int ep; 464 const char *t, *d; 465 466 if (!usbfs_snoop) 467 return; 468 469 ep = usb_pipeendpoint(pipe); 470 t = types[usb_pipetype(pipe)]; 471 d = dirs[!!usb_pipein(pipe)]; 472 473 if (userurb) { /* Async */ 474 if (when == SUBMIT) 475 dev_info(&udev->dev, "userurb %pK, ep%d %s-%s, " 476 "length %u\n", 477 userurb, ep, t, d, length); 478 else 479 dev_info(&udev->dev, "userurb %pK, ep%d %s-%s, " 480 "actual_length %u status %d\n", 481 userurb, ep, t, d, length, 482 timeout_or_status); 483 } else { 484 if (when == SUBMIT) 485 dev_info(&udev->dev, "ep%d %s-%s, length %u, " 486 "timeout %d\n", 487 ep, t, d, length, timeout_or_status); 488 else 489 dev_info(&udev->dev, "ep%d %s-%s, actual_length %u, " 490 "status %d\n", 491 ep, t, d, length, timeout_or_status); 492 } 493 494 data_len = min(data_len, usbfs_snoop_max); 495 if (data && data_len > 0) { 496 print_hex_dump(KERN_DEBUG, "data: ", DUMP_PREFIX_NONE, 32, 1, 497 data, data_len, 1); 498 } 499} 500 501static void snoop_urb_data(struct urb *urb, unsigned len) 502{ 503 int i, size; 504 505 len = min(len, usbfs_snoop_max); 506 if (!usbfs_snoop || len == 0) 507 return; 508 509 if (urb->num_sgs == 0) { 510 print_hex_dump(KERN_DEBUG, "data: ", DUMP_PREFIX_NONE, 32, 1, 511 urb->transfer_buffer, len, 1); 512 return; 513 } 514 515 for (i = 0; i < urb->num_sgs && len; i++) { 516 size = (len > USB_SG_SIZE) ? USB_SG_SIZE : len; 517 print_hex_dump(KERN_DEBUG, "data: ", DUMP_PREFIX_NONE, 32, 1, 518 sg_virt(&urb->sg[i]), size, 1); 519 len -= size; 520 } 521} 522 523static int copy_urb_data_to_user(u8 __user *userbuffer, struct urb *urb) 524{ 525 unsigned i, len, size; 526 527 if (urb->number_of_packets > 0) /* Isochronous */ 528 len = urb->transfer_buffer_length; 529 else /* Non-Isoc */ 530 len = urb->actual_length; 531 532 if (urb->num_sgs == 0) { 533 if (copy_to_user(userbuffer, urb->transfer_buffer, len)) 534 return -EFAULT; 535 return 0; 536 } 537 538 for (i = 0; i < urb->num_sgs && len; i++) { 539 size = (len > USB_SG_SIZE) ? USB_SG_SIZE : len; 540 if (copy_to_user(userbuffer, sg_virt(&urb->sg[i]), size)) 541 return -EFAULT; 542 userbuffer += size; 543 len -= size; 544 } 545 546 return 0; 547} 548 549#define AS_CONTINUATION 1 550#define AS_UNLINK 2 551 552static void cancel_bulk_urbs(struct usb_dev_state *ps, unsigned bulk_addr) 553__releases(ps->lock) 554__acquires(ps->lock) 555{ 556 struct urb *urb; 557 struct async *as; 558 559 /* Mark all the pending URBs that match bulk_addr, up to but not 560 * including the first one without AS_CONTINUATION. If such an 561 * URB is encountered then a new transfer has already started so 562 * the endpoint doesn't need to be disabled; otherwise it does. 563 */ 564 list_for_each_entry(as, &ps->async_pending, asynclist) { 565 if (as->bulk_addr == bulk_addr) { 566 if (as->bulk_status != AS_CONTINUATION) 567 goto rescan; 568 as->bulk_status = AS_UNLINK; 569 as->bulk_addr = 0; 570 } 571 } 572 ps->disabled_bulk_eps |= (1 << bulk_addr); 573 574 /* Now carefully unlink all the marked pending URBs */ 575 rescan: 576 list_for_each_entry_reverse(as, &ps->async_pending, asynclist) { 577 if (as->bulk_status == AS_UNLINK) { 578 as->bulk_status = 0; /* Only once */ 579 urb = as->urb; 580 usb_get_urb(urb); 581 spin_unlock(&ps->lock); /* Allow completions */ 582 usb_unlink_urb(urb); 583 usb_put_urb(urb); 584 spin_lock(&ps->lock); 585 goto rescan; 586 } 587 } 588} 589 590static void async_completed(struct urb *urb) 591{ 592 struct async *as = urb->context; 593 struct usb_dev_state *ps = as->ps; 594 struct pid *pid = NULL; 595 const struct cred *cred = NULL; 596 unsigned long flags; 597 sigval_t addr; 598 int signr, errno; 599 600 spin_lock_irqsave(&ps->lock, flags); 601 list_move_tail(&as->asynclist, &ps->async_completed); 602 as->status = urb->status; 603 signr = as->signr; 604 if (signr) { 605 errno = as->status; 606 addr = as->userurb_sigval; 607 pid = get_pid(as->pid); 608 cred = get_cred(as->cred); 609 } 610 snoop(&urb->dev->dev, "urb complete\n"); 611 snoop_urb(urb->dev, as->userurb, urb->pipe, urb->actual_length, 612 as->status, COMPLETE, NULL, 0); 613 if (usb_urb_dir_in(urb)) 614 snoop_urb_data(urb, urb->actual_length); 615 616 if (as->status < 0 && as->bulk_addr && as->status != -ECONNRESET && 617 as->status != -ENOENT) 618 cancel_bulk_urbs(ps, as->bulk_addr); 619 620 wake_up(&ps->wait); 621 spin_unlock_irqrestore(&ps->lock, flags); 622 623 if (signr) { 624 kill_pid_usb_asyncio(signr, errno, addr, pid, cred); 625 put_pid(pid); 626 put_cred(cred); 627 } 628} 629 630static void destroy_async(struct usb_dev_state *ps, struct list_head *list) 631{ 632 struct urb *urb; 633 struct async *as; 634 unsigned long flags; 635 636 spin_lock_irqsave(&ps->lock, flags); 637 while (!list_empty(list)) { 638 as = list_last_entry(list, struct async, asynclist); 639 list_del_init(&as->asynclist); 640 urb = as->urb; 641 usb_get_urb(urb); 642 643 /* drop the spinlock so the completion handler can run */ 644 spin_unlock_irqrestore(&ps->lock, flags); 645 usb_kill_urb(urb); 646 usb_put_urb(urb); 647 spin_lock_irqsave(&ps->lock, flags); 648 } 649 spin_unlock_irqrestore(&ps->lock, flags); 650} 651 652static void destroy_async_on_interface(struct usb_dev_state *ps, 653 unsigned int ifnum) 654{ 655 struct list_head *p, *q, hitlist; 656 unsigned long flags; 657 658 INIT_LIST_HEAD(&hitlist); 659 spin_lock_irqsave(&ps->lock, flags); 660 list_for_each_safe(p, q, &ps->async_pending) 661 if (ifnum == list_entry(p, struct async, asynclist)->ifnum) 662 list_move_tail(p, &hitlist); 663 spin_unlock_irqrestore(&ps->lock, flags); 664 destroy_async(ps, &hitlist); 665} 666 667static void destroy_all_async(struct usb_dev_state *ps) 668{ 669 destroy_async(ps, &ps->async_pending); 670} 671 672/* 673 * interface claims are made only at the request of user level code, 674 * which can also release them (explicitly or by closing files). 675 * they're also undone when devices disconnect. 676 */ 677 678static int driver_probe(struct usb_interface *intf, 679 const struct usb_device_id *id) 680{ 681 return -ENODEV; 682} 683 684static void driver_disconnect(struct usb_interface *intf) 685{ 686 struct usb_dev_state *ps = usb_get_intfdata(intf); 687 unsigned int ifnum = intf->altsetting->desc.bInterfaceNumber; 688 689 if (!ps) 690 return; 691 692 /* NOTE: this relies on usbcore having canceled and completed 693 * all pending I/O requests; 2.6 does that. 694 */ 695 696 if (likely(ifnum < 8*sizeof(ps->ifclaimed))) 697 clear_bit(ifnum, &ps->ifclaimed); 698 else 699 dev_warn(&intf->dev, "interface number %u out of range\n", 700 ifnum); 701 702 usb_set_intfdata(intf, NULL); 703 704 /* force async requests to complete */ 705 destroy_async_on_interface(ps, ifnum); 706} 707 708/* We don't care about suspend/resume of claimed interfaces */ 709static int driver_suspend(struct usb_interface *intf, pm_message_t msg) 710{ 711 return 0; 712} 713 714static int driver_resume(struct usb_interface *intf) 715{ 716 return 0; 717} 718 719/* The following routines apply to the entire device, not interfaces */ 720void usbfs_notify_suspend(struct usb_device *udev) 721{ 722 /* We don't need to handle this */ 723} 724 725void usbfs_notify_resume(struct usb_device *udev) 726{ 727 struct usb_dev_state *ps; 728 729 /* Protect against simultaneous remove or release */ 730 mutex_lock(&usbfs_mutex); 731 list_for_each_entry(ps, &udev->filelist, list) { 732 WRITE_ONCE(ps->not_yet_resumed, 0); 733 wake_up_all(&ps->wait_for_resume); 734 } 735 mutex_unlock(&usbfs_mutex); 736} 737 738struct usb_driver usbfs_driver = { 739 .name = "usbfs", 740 .probe = driver_probe, 741 .disconnect = driver_disconnect, 742 .suspend = driver_suspend, 743 .resume = driver_resume, 744 .supports_autosuspend = 1, 745}; 746 747static int claimintf(struct usb_dev_state *ps, unsigned int ifnum) 748{ 749 struct usb_device *dev = ps->dev; 750 struct usb_interface *intf; 751 int err; 752 753 if (ifnum >= 8*sizeof(ps->ifclaimed)) 754 return -EINVAL; 755 /* already claimed */ 756 if (test_bit(ifnum, &ps->ifclaimed)) 757 return 0; 758 759 if (ps->privileges_dropped && 760 !test_bit(ifnum, &ps->interface_allowed_mask)) 761 return -EACCES; 762 763 intf = usb_ifnum_to_if(dev, ifnum); 764 if (!intf) 765 err = -ENOENT; 766 else { 767 unsigned int old_suppress; 768 769 /* suppress uevents while claiming interface */ 770 old_suppress = dev_get_uevent_suppress(&intf->dev); 771 dev_set_uevent_suppress(&intf->dev, 1); 772 err = usb_driver_claim_interface(&usbfs_driver, intf, ps); 773 dev_set_uevent_suppress(&intf->dev, old_suppress); 774 } 775 if (err == 0) 776 set_bit(ifnum, &ps->ifclaimed); 777 return err; 778} 779 780static int releaseintf(struct usb_dev_state *ps, unsigned int ifnum) 781{ 782 struct usb_device *dev; 783 struct usb_interface *intf; 784 int err; 785 786 err = -EINVAL; 787 if (ifnum >= 8*sizeof(ps->ifclaimed)) 788 return err; 789 dev = ps->dev; 790 intf = usb_ifnum_to_if(dev, ifnum); 791 if (!intf) 792 err = -ENOENT; 793 else if (test_and_clear_bit(ifnum, &ps->ifclaimed)) { 794 unsigned int old_suppress; 795 796 /* suppress uevents while releasing interface */ 797 old_suppress = dev_get_uevent_suppress(&intf->dev); 798 dev_set_uevent_suppress(&intf->dev, 1); 799 usb_driver_release_interface(&usbfs_driver, intf); 800 dev_set_uevent_suppress(&intf->dev, old_suppress); 801 err = 0; 802 } 803 return err; 804} 805 806static int checkintf(struct usb_dev_state *ps, unsigned int ifnum) 807{ 808 if (ps->dev->state != USB_STATE_CONFIGURED) 809 return -EHOSTUNREACH; 810 if (ifnum >= 8*sizeof(ps->ifclaimed)) 811 return -EINVAL; 812 if (test_bit(ifnum, &ps->ifclaimed)) 813 return 0; 814 /* if not yet claimed, claim it for the driver */ 815 dev_warn(&ps->dev->dev, "usbfs: process %d (%s) did not claim " 816 "interface %u before use\n", task_pid_nr(current), 817 current->comm, ifnum); 818 return claimintf(ps, ifnum); 819} 820 821static int findintfep(struct usb_device *dev, unsigned int ep) 822{ 823 unsigned int i, j, e; 824 struct usb_interface *intf; 825 struct usb_host_interface *alts; 826 struct usb_endpoint_descriptor *endpt; 827 828 if (ep & ~(USB_DIR_IN|0xf)) 829 return -EINVAL; 830 if (!dev->actconfig) 831 return -ESRCH; 832 for (i = 0; i < dev->actconfig->desc.bNumInterfaces; i++) { 833 intf = dev->actconfig->interface[i]; 834 for (j = 0; j < intf->num_altsetting; j++) { 835 alts = &intf->altsetting[j]; 836 for (e = 0; e < alts->desc.bNumEndpoints; e++) { 837 endpt = &alts->endpoint[e].desc; 838 if (endpt->bEndpointAddress == ep) 839 return alts->desc.bInterfaceNumber; 840 } 841 } 842 } 843 return -ENOENT; 844} 845 846static int check_ctrlrecip(struct usb_dev_state *ps, unsigned int requesttype, 847 unsigned int request, unsigned int index) 848{ 849 int ret = 0; 850 struct usb_host_interface *alt_setting; 851 852 if (ps->dev->state != USB_STATE_UNAUTHENTICATED 853 && ps->dev->state != USB_STATE_ADDRESS 854 && ps->dev->state != USB_STATE_CONFIGURED) 855 return -EHOSTUNREACH; 856 if (USB_TYPE_VENDOR == (USB_TYPE_MASK & requesttype)) 857 return 0; 858 859 /* 860 * check for the special corner case 'get_device_id' in the printer 861 * class specification, which we always want to allow as it is used 862 * to query things like ink level, etc. 863 */ 864 if (requesttype == 0xa1 && request == 0) { 865 alt_setting = usb_find_alt_setting(ps->dev->actconfig, 866 index >> 8, index & 0xff); 867 if (alt_setting 868 && alt_setting->desc.bInterfaceClass == USB_CLASS_PRINTER) 869 return 0; 870 } 871 872 index &= 0xff; 873 switch (requesttype & USB_RECIP_MASK) { 874 case USB_RECIP_ENDPOINT: 875 if ((index & ~USB_DIR_IN) == 0) 876 return 0; 877 ret = findintfep(ps->dev, index); 878 if (ret < 0) { 879 /* 880 * Some not fully compliant Win apps seem to get 881 * index wrong and have the endpoint number here 882 * rather than the endpoint address (with the 883 * correct direction). Win does let this through, 884 * so we'll not reject it here but leave it to 885 * the device to not break KVM. But we warn. 886 */ 887 ret = findintfep(ps->dev, index ^ 0x80); 888 if (ret >= 0) 889 dev_info(&ps->dev->dev, 890 "%s: process %i (%s) requesting ep %02x but needs %02x\n", 891 __func__, task_pid_nr(current), 892 current->comm, index, index ^ 0x80); 893 } 894 if (ret >= 0) 895 ret = checkintf(ps, ret); 896 break; 897 898 case USB_RECIP_INTERFACE: 899 ret = checkintf(ps, index); 900 break; 901 } 902 return ret; 903} 904 905static struct usb_host_endpoint *ep_to_host_endpoint(struct usb_device *dev, 906 unsigned char ep) 907{ 908 if (ep & USB_ENDPOINT_DIR_MASK) 909 return dev->ep_in[ep & USB_ENDPOINT_NUMBER_MASK]; 910 else 911 return dev->ep_out[ep & USB_ENDPOINT_NUMBER_MASK]; 912} 913 914static int parse_usbdevfs_streams(struct usb_dev_state *ps, 915 struct usbdevfs_streams __user *streams, 916 unsigned int *num_streams_ret, 917 unsigned int *num_eps_ret, 918 struct usb_host_endpoint ***eps_ret, 919 struct usb_interface **intf_ret) 920{ 921 unsigned int i, num_streams, num_eps; 922 struct usb_host_endpoint **eps; 923 struct usb_interface *intf = NULL; 924 unsigned char ep; 925 int ifnum, ret; 926 927 if (get_user(num_streams, &streams->num_streams) || 928 get_user(num_eps, &streams->num_eps)) 929 return -EFAULT; 930 931 if (num_eps < 1 || num_eps > USB_MAXENDPOINTS) 932 return -EINVAL; 933 934 /* The XHCI controller allows max 2 ^ 16 streams */ 935 if (num_streams_ret && (num_streams < 2 || num_streams > 65536)) 936 return -EINVAL; 937 938 eps = kmalloc_array(num_eps, sizeof(*eps), GFP_KERNEL); 939 if (!eps) 940 return -ENOMEM; 941 942 for (i = 0; i < num_eps; i++) { 943 if (get_user(ep, &streams->eps[i])) { 944 ret = -EFAULT; 945 goto error; 946 } 947 eps[i] = ep_to_host_endpoint(ps->dev, ep); 948 if (!eps[i]) { 949 ret = -EINVAL; 950 goto error; 951 } 952 953 /* usb_alloc/free_streams operate on an usb_interface */ 954 ifnum = findintfep(ps->dev, ep); 955 if (ifnum < 0) { 956 ret = ifnum; 957 goto error; 958 } 959 960 if (i == 0) { 961 ret = checkintf(ps, ifnum); 962 if (ret < 0) 963 goto error; 964 intf = usb_ifnum_to_if(ps->dev, ifnum); 965 } else { 966 /* Verify all eps belong to the same interface */ 967 if (ifnum != intf->altsetting->desc.bInterfaceNumber) { 968 ret = -EINVAL; 969 goto error; 970 } 971 } 972 } 973 974 if (num_streams_ret) 975 *num_streams_ret = num_streams; 976 *num_eps_ret = num_eps; 977 *eps_ret = eps; 978 *intf_ret = intf; 979 980 return 0; 981 982error: 983 kfree(eps); 984 return ret; 985} 986 987static struct usb_device *usbdev_lookup_by_devt(dev_t devt) 988{ 989 struct device *dev; 990 991 dev = bus_find_device_by_devt(&usb_bus_type, devt); 992 if (!dev) 993 return NULL; 994 return to_usb_device(dev); 995} 996 997/* 998 * file operations 999 */ 1000static int usbdev_open(struct inode *inode, struct file *file) 1001{ 1002 struct usb_device *dev = NULL; 1003 struct usb_dev_state *ps; 1004 int ret; 1005 1006 ret = -ENOMEM; 1007 ps = kzalloc(sizeof(struct usb_dev_state), GFP_KERNEL); 1008 if (!ps) 1009 goto out_free_ps; 1010 1011 ret = -ENODEV; 1012 1013 /* usbdev device-node */ 1014 if (imajor(inode) == USB_DEVICE_MAJOR) 1015 dev = usbdev_lookup_by_devt(inode->i_rdev); 1016 if (!dev) 1017 goto out_free_ps; 1018 1019 usb_lock_device(dev); 1020 if (dev->state == USB_STATE_NOTATTACHED) 1021 goto out_unlock_device; 1022 1023 ret = usb_autoresume_device(dev); 1024 if (ret) 1025 goto out_unlock_device; 1026 1027 ps->dev = dev; 1028 ps->file = file; 1029 ps->interface_allowed_mask = 0xFFFFFFFF; /* 32 bits */ 1030 spin_lock_init(&ps->lock); 1031 INIT_LIST_HEAD(&ps->list); 1032 INIT_LIST_HEAD(&ps->async_pending); 1033 INIT_LIST_HEAD(&ps->async_completed); 1034 INIT_LIST_HEAD(&ps->memory_list); 1035 init_waitqueue_head(&ps->wait); 1036 init_waitqueue_head(&ps->wait_for_resume); 1037 ps->disc_pid = get_pid(task_pid(current)); 1038 ps->cred = get_current_cred(); 1039 smp_wmb(); 1040 1041 /* Can't race with resume; the device is already active */ 1042 list_add_tail(&ps->list, &dev->filelist); 1043 file->private_data = ps; 1044 usb_unlock_device(dev); 1045 snoop(&dev->dev, "opened by process %d: %s\n", task_pid_nr(current), 1046 current->comm); 1047 return ret; 1048 1049 out_unlock_device: 1050 usb_unlock_device(dev); 1051 usb_put_dev(dev); 1052 out_free_ps: 1053 kfree(ps); 1054 return ret; 1055} 1056 1057static int usbdev_release(struct inode *inode, struct file *file) 1058{ 1059 struct usb_dev_state *ps = file->private_data; 1060 struct usb_device *dev = ps->dev; 1061 unsigned int ifnum; 1062 struct async *as; 1063 1064 usb_lock_device(dev); 1065 usb_hub_release_all_ports(dev, ps); 1066 1067 /* Protect against simultaneous resume */ 1068 mutex_lock(&usbfs_mutex); 1069 list_del_init(&ps->list); 1070 mutex_unlock(&usbfs_mutex); 1071 1072 for (ifnum = 0; ps->ifclaimed && ifnum < 8*sizeof(ps->ifclaimed); 1073 ifnum++) { 1074 if (test_bit(ifnum, &ps->ifclaimed)) 1075 releaseintf(ps, ifnum); 1076 } 1077 destroy_all_async(ps); 1078 if (!ps->suspend_allowed) 1079 usb_autosuspend_device(dev); 1080 usb_unlock_device(dev); 1081 usb_put_dev(dev); 1082 put_pid(ps->disc_pid); 1083 put_cred(ps->cred); 1084 1085 as = async_getcompleted(ps); 1086 while (as) { 1087 free_async(as); 1088 as = async_getcompleted(ps); 1089 } 1090 1091 kfree(ps); 1092 return 0; 1093} 1094 1095static int proc_control(struct usb_dev_state *ps, void __user *arg) 1096{ 1097 struct usb_device *dev = ps->dev; 1098 struct usbdevfs_ctrltransfer ctrl; 1099 unsigned int tmo; 1100 unsigned char *tbuf; 1101 unsigned wLength; 1102 int i, pipe, ret; 1103 1104 if (copy_from_user(&ctrl, arg, sizeof(ctrl))) 1105 return -EFAULT; 1106 ret = check_ctrlrecip(ps, ctrl.bRequestType, ctrl.bRequest, 1107 ctrl.wIndex); 1108 if (ret) 1109 return ret; 1110 wLength = ctrl.wLength; /* To suppress 64k PAGE_SIZE warning */ 1111 if (wLength > PAGE_SIZE) 1112 return -EINVAL; 1113 ret = usbfs_increase_memory_usage(PAGE_SIZE + sizeof(struct urb) + 1114 sizeof(struct usb_ctrlrequest)); 1115 if (ret) 1116 return ret; 1117 tbuf = (unsigned char *)__get_free_page(GFP_KERNEL); 1118 if (!tbuf) { 1119 ret = -ENOMEM; 1120 goto done; 1121 } 1122 tmo = ctrl.timeout; 1123 snoop(&dev->dev, "control urb: bRequestType=%02x " 1124 "bRequest=%02x wValue=%04x " 1125 "wIndex=%04x wLength=%04x\n", 1126 ctrl.bRequestType, ctrl.bRequest, ctrl.wValue, 1127 ctrl.wIndex, ctrl.wLength); 1128 if (ctrl.bRequestType & 0x80) { 1129 if (ctrl.wLength && !access_ok(ctrl.data, 1130 ctrl.wLength)) { 1131 ret = -EINVAL; 1132 goto done; 1133 } 1134 pipe = usb_rcvctrlpipe(dev, 0); 1135 snoop_urb(dev, NULL, pipe, ctrl.wLength, tmo, SUBMIT, NULL, 0); 1136 1137 usb_unlock_device(dev); 1138 i = usb_control_msg(dev, pipe, ctrl.bRequest, 1139 ctrl.bRequestType, ctrl.wValue, ctrl.wIndex, 1140 tbuf, ctrl.wLength, tmo); 1141 usb_lock_device(dev); 1142 snoop_urb(dev, NULL, pipe, max(i, 0), min(i, 0), COMPLETE, 1143 tbuf, max(i, 0)); 1144 if ((i > 0) && ctrl.wLength) { 1145 if (copy_to_user(ctrl.data, tbuf, i)) { 1146 ret = -EFAULT; 1147 goto done; 1148 } 1149 } 1150 } else { 1151 if (ctrl.wLength) { 1152 if (copy_from_user(tbuf, ctrl.data, ctrl.wLength)) { 1153 ret = -EFAULT; 1154 goto done; 1155 } 1156 } 1157 pipe = usb_sndctrlpipe(dev, 0); 1158 snoop_urb(dev, NULL, pipe, ctrl.wLength, tmo, SUBMIT, 1159 tbuf, ctrl.wLength); 1160 1161 usb_unlock_device(dev); 1162 i = usb_control_msg(dev, usb_sndctrlpipe(dev, 0), ctrl.bRequest, 1163 ctrl.bRequestType, ctrl.wValue, ctrl.wIndex, 1164 tbuf, ctrl.wLength, tmo); 1165 usb_lock_device(dev); 1166 snoop_urb(dev, NULL, pipe, max(i, 0), min(i, 0), COMPLETE, NULL, 0); 1167 } 1168 if (i < 0 && i != -EPIPE) { 1169 dev_printk(KERN_DEBUG, &dev->dev, "usbfs: USBDEVFS_CONTROL " 1170 "failed cmd %s rqt %u rq %u len %u ret %d\n", 1171 current->comm, ctrl.bRequestType, ctrl.bRequest, 1172 ctrl.wLength, i); 1173 } 1174 ret = i; 1175 done: 1176 free_page((unsigned long) tbuf); 1177 usbfs_decrease_memory_usage(PAGE_SIZE + sizeof(struct urb) + 1178 sizeof(struct usb_ctrlrequest)); 1179 return ret; 1180} 1181 1182static int proc_bulk(struct usb_dev_state *ps, void __user *arg) 1183{ 1184 struct usb_device *dev = ps->dev; 1185 struct usbdevfs_bulktransfer bulk; 1186 unsigned int tmo, len1, pipe; 1187 int len2; 1188 unsigned char *tbuf; 1189 int i, ret; 1190 1191 if (copy_from_user(&bulk, arg, sizeof(bulk))) 1192 return -EFAULT; 1193 ret = findintfep(ps->dev, bulk.ep); 1194 if (ret < 0) 1195 return ret; 1196 ret = checkintf(ps, ret); 1197 if (ret) 1198 return ret; 1199 if (bulk.ep & USB_DIR_IN) 1200 pipe = usb_rcvbulkpipe(dev, bulk.ep & 0x7f); 1201 else 1202 pipe = usb_sndbulkpipe(dev, bulk.ep & 0x7f); 1203 if (!usb_maxpacket(dev, pipe, !(bulk.ep & USB_DIR_IN))) 1204 return -EINVAL; 1205 len1 = bulk.len; 1206 if (len1 >= (INT_MAX - sizeof(struct urb))) 1207 return -EINVAL; 1208 ret = usbfs_increase_memory_usage(len1 + sizeof(struct urb)); 1209 if (ret) 1210 return ret; 1211 tbuf = kmalloc(len1, GFP_KERNEL); 1212 if (!tbuf) { 1213 ret = -ENOMEM; 1214 goto done; 1215 } 1216 tmo = bulk.timeout; 1217 if (bulk.ep & 0x80) { 1218 if (len1 && !access_ok(bulk.data, len1)) { 1219 ret = -EINVAL; 1220 goto done; 1221 } 1222 snoop_urb(dev, NULL, pipe, len1, tmo, SUBMIT, NULL, 0); 1223 1224 usb_unlock_device(dev); 1225 i = usb_bulk_msg(dev, pipe, tbuf, len1, &len2, tmo); 1226 usb_lock_device(dev); 1227 snoop_urb(dev, NULL, pipe, len2, i, COMPLETE, tbuf, len2); 1228 1229 if (!i && len2) { 1230 if (copy_to_user(bulk.data, tbuf, len2)) { 1231 ret = -EFAULT; 1232 goto done; 1233 } 1234 } 1235 } else { 1236 if (len1) { 1237 if (copy_from_user(tbuf, bulk.data, len1)) { 1238 ret = -EFAULT; 1239 goto done; 1240 } 1241 } 1242 snoop_urb(dev, NULL, pipe, len1, tmo, SUBMIT, tbuf, len1); 1243 1244 usb_unlock_device(dev); 1245 i = usb_bulk_msg(dev, pipe, tbuf, len1, &len2, tmo); 1246 usb_lock_device(dev); 1247 snoop_urb(dev, NULL, pipe, len2, i, COMPLETE, NULL, 0); 1248 } 1249 ret = (i < 0 ? i : len2); 1250 done: 1251 kfree(tbuf); 1252 usbfs_decrease_memory_usage(len1 + sizeof(struct urb)); 1253 return ret; 1254} 1255 1256static void check_reset_of_active_ep(struct usb_device *udev, 1257 unsigned int epnum, char *ioctl_name) 1258{ 1259 struct usb_host_endpoint **eps; 1260 struct usb_host_endpoint *ep; 1261 1262 eps = (epnum & USB_DIR_IN) ? udev->ep_in : udev->ep_out; 1263 ep = eps[epnum & 0x0f]; 1264 if (ep && !list_empty(&ep->urb_list)) 1265 dev_warn(&udev->dev, "Process %d (%s) called USBDEVFS_%s for active endpoint 0x%02x\n", 1266 task_pid_nr(current), current->comm, 1267 ioctl_name, epnum); 1268} 1269 1270static int proc_resetep(struct usb_dev_state *ps, void __user *arg) 1271{ 1272 unsigned int ep; 1273 int ret; 1274 1275 if (get_user(ep, (unsigned int __user *)arg)) 1276 return -EFAULT; 1277 ret = findintfep(ps->dev, ep); 1278 if (ret < 0) 1279 return ret; 1280 ret = checkintf(ps, ret); 1281 if (ret) 1282 return ret; 1283 check_reset_of_active_ep(ps->dev, ep, "RESETEP"); 1284 usb_reset_endpoint(ps->dev, ep); 1285 return 0; 1286} 1287 1288static int proc_clearhalt(struct usb_dev_state *ps, void __user *arg) 1289{ 1290 unsigned int ep; 1291 int pipe; 1292 int ret; 1293 1294 if (get_user(ep, (unsigned int __user *)arg)) 1295 return -EFAULT; 1296 ret = findintfep(ps->dev, ep); 1297 if (ret < 0) 1298 return ret; 1299 ret = checkintf(ps, ret); 1300 if (ret) 1301 return ret; 1302 check_reset_of_active_ep(ps->dev, ep, "CLEAR_HALT"); 1303 if (ep & USB_DIR_IN) 1304 pipe = usb_rcvbulkpipe(ps->dev, ep & 0x7f); 1305 else 1306 pipe = usb_sndbulkpipe(ps->dev, ep & 0x7f); 1307 1308 return usb_clear_halt(ps->dev, pipe); 1309} 1310 1311static int proc_getdriver(struct usb_dev_state *ps, void __user *arg) 1312{ 1313 struct usbdevfs_getdriver gd; 1314 struct usb_interface *intf; 1315 int ret; 1316 1317 if (copy_from_user(&gd, arg, sizeof(gd))) 1318 return -EFAULT; 1319 intf = usb_ifnum_to_if(ps->dev, gd.interface); 1320 if (!intf || !intf->dev.driver) 1321 ret = -ENODATA; 1322 else { 1323 strlcpy(gd.driver, intf->dev.driver->name, 1324 sizeof(gd.driver)); 1325 ret = (copy_to_user(arg, &gd, sizeof(gd)) ? -EFAULT : 0); 1326 } 1327 return ret; 1328} 1329 1330static int proc_connectinfo(struct usb_dev_state *ps, void __user *arg) 1331{ 1332 struct usbdevfs_connectinfo ci; 1333 1334 memset(&ci, 0, sizeof(ci)); 1335 ci.devnum = ps->dev->devnum; 1336 ci.slow = ps->dev->speed == USB_SPEED_LOW; 1337 1338 if (copy_to_user(arg, &ci, sizeof(ci))) 1339 return -EFAULT; 1340 return 0; 1341} 1342 1343static int proc_conninfo_ex(struct usb_dev_state *ps, 1344 void __user *arg, size_t size) 1345{ 1346 struct usbdevfs_conninfo_ex ci; 1347 struct usb_device *udev = ps->dev; 1348 1349 if (size < sizeof(ci.size)) 1350 return -EINVAL; 1351 1352 memset(&ci, 0, sizeof(ci)); 1353 ci.size = sizeof(ci); 1354 ci.busnum = udev->bus->busnum; 1355 ci.devnum = udev->devnum; 1356 ci.speed = udev->speed; 1357 1358 while (udev && udev->portnum != 0) { 1359 if (++ci.num_ports <= ARRAY_SIZE(ci.ports)) 1360 ci.ports[ARRAY_SIZE(ci.ports) - ci.num_ports] = 1361 udev->portnum; 1362 udev = udev->parent; 1363 } 1364 1365 if (ci.num_ports < ARRAY_SIZE(ci.ports)) 1366 memmove(&ci.ports[0], 1367 &ci.ports[ARRAY_SIZE(ci.ports) - ci.num_ports], 1368 ci.num_ports); 1369 1370 if (copy_to_user(arg, &ci, min(sizeof(ci), size))) 1371 return -EFAULT; 1372 1373 return 0; 1374} 1375 1376static int proc_resetdevice(struct usb_dev_state *ps) 1377{ 1378 struct usb_host_config *actconfig = ps->dev->actconfig; 1379 struct usb_interface *interface; 1380 int i, number; 1381 1382 /* Don't allow a device reset if the process has dropped the 1383 * privilege to do such things and any of the interfaces are 1384 * currently claimed. 1385 */ 1386 if (ps->privileges_dropped && actconfig) { 1387 for (i = 0; i < actconfig->desc.bNumInterfaces; ++i) { 1388 interface = actconfig->interface[i]; 1389 number = interface->cur_altsetting->desc.bInterfaceNumber; 1390 if (usb_interface_claimed(interface) && 1391 !test_bit(number, &ps->ifclaimed)) { 1392 dev_warn(&ps->dev->dev, 1393 "usbfs: interface %d claimed by %s while '%s' resets device\n", 1394 number, interface->dev.driver->name, current->comm); 1395 return -EACCES; 1396 } 1397 } 1398 } 1399 1400 return usb_reset_device(ps->dev); 1401} 1402 1403static int proc_setintf(struct usb_dev_state *ps, void __user *arg) 1404{ 1405 struct usbdevfs_setinterface setintf; 1406 int ret; 1407 1408 if (copy_from_user(&setintf, arg, sizeof(setintf))) 1409 return -EFAULT; 1410 ret = checkintf(ps, setintf.interface); 1411 if (ret) 1412 return ret; 1413 1414 destroy_async_on_interface(ps, setintf.interface); 1415 1416 return usb_set_interface(ps->dev, setintf.interface, 1417 setintf.altsetting); 1418} 1419 1420static int proc_setconfig(struct usb_dev_state *ps, void __user *arg) 1421{ 1422 int u; 1423 int status = 0; 1424 struct usb_host_config *actconfig; 1425 1426 if (get_user(u, (int __user *)arg)) 1427 return -EFAULT; 1428 1429 actconfig = ps->dev->actconfig; 1430 1431 /* Don't touch the device if any interfaces are claimed. 1432 * It could interfere with other drivers' operations, and if 1433 * an interface is claimed by usbfs it could easily deadlock. 1434 */ 1435 if (actconfig) { 1436 int i; 1437 1438 for (i = 0; i < actconfig->desc.bNumInterfaces; ++i) { 1439 if (usb_interface_claimed(actconfig->interface[i])) { 1440 dev_warn(&ps->dev->dev, 1441 "usbfs: interface %d claimed by %s " 1442 "while '%s' sets config #%d\n", 1443 actconfig->interface[i] 1444 ->cur_altsetting 1445 ->desc.bInterfaceNumber, 1446 actconfig->interface[i] 1447 ->dev.driver->name, 1448 current->comm, u); 1449 status = -EBUSY; 1450 break; 1451 } 1452 } 1453 } 1454 1455 /* SET_CONFIGURATION is often abused as a "cheap" driver reset, 1456 * so avoid usb_set_configuration()'s kick to sysfs 1457 */ 1458 if (status == 0) { 1459 if (actconfig && actconfig->desc.bConfigurationValue == u) 1460 status = usb_reset_configuration(ps->dev); 1461 else 1462 status = usb_set_configuration(ps->dev, u); 1463 } 1464 1465 return status; 1466} 1467 1468static struct usb_memory * 1469find_memory_area(struct usb_dev_state *ps, const struct usbdevfs_urb *uurb) 1470{ 1471 struct usb_memory *usbm = NULL, *iter; 1472 unsigned long flags; 1473 unsigned long uurb_start = (unsigned long)uurb->buffer; 1474 1475 spin_lock_irqsave(&ps->lock, flags); 1476 list_for_each_entry(iter, &ps->memory_list, memlist) { 1477 if (uurb_start >= iter->vm_start && 1478 uurb_start < iter->vm_start + iter->size) { 1479 if (uurb->buffer_length > iter->vm_start + iter->size - 1480 uurb_start) { 1481 usbm = ERR_PTR(-EINVAL); 1482 } else { 1483 usbm = iter; 1484 usbm->urb_use_count++; 1485 } 1486 break; 1487 } 1488 } 1489 spin_unlock_irqrestore(&ps->lock, flags); 1490 return usbm; 1491} 1492 1493static int proc_do_submiturb(struct usb_dev_state *ps, struct usbdevfs_urb *uurb, 1494 struct usbdevfs_iso_packet_desc __user *iso_frame_desc, 1495 void __user *arg, sigval_t userurb_sigval) 1496{ 1497 struct usbdevfs_iso_packet_desc *isopkt = NULL; 1498 struct usb_host_endpoint *ep; 1499 struct async *as = NULL; 1500 struct usb_ctrlrequest *dr = NULL; 1501 unsigned int u, totlen, isofrmlen; 1502 int i, ret, num_sgs = 0, ifnum = -1; 1503 int number_of_packets = 0; 1504 unsigned int stream_id = 0; 1505 void *buf; 1506 bool is_in; 1507 bool allow_short = false; 1508 bool allow_zero = false; 1509 unsigned long mask = USBDEVFS_URB_SHORT_NOT_OK | 1510 USBDEVFS_URB_BULK_CONTINUATION | 1511 USBDEVFS_URB_NO_FSBR | 1512 USBDEVFS_URB_ZERO_PACKET | 1513 USBDEVFS_URB_NO_INTERRUPT; 1514 /* USBDEVFS_URB_ISO_ASAP is a special case */ 1515 if (uurb->type == USBDEVFS_URB_TYPE_ISO) 1516 mask |= USBDEVFS_URB_ISO_ASAP; 1517 1518 if (uurb->flags & ~mask) 1519 return -EINVAL; 1520 1521 if ((unsigned int)uurb->buffer_length >= USBFS_XFER_MAX) 1522 return -EINVAL; 1523 if (uurb->buffer_length > 0 && !uurb->buffer) 1524 return -EINVAL; 1525 if (!(uurb->type == USBDEVFS_URB_TYPE_CONTROL && 1526 (uurb->endpoint & ~USB_ENDPOINT_DIR_MASK) == 0)) { 1527 ifnum = findintfep(ps->dev, uurb->endpoint); 1528 if (ifnum < 0) 1529 return ifnum; 1530 ret = checkintf(ps, ifnum); 1531 if (ret) 1532 return ret; 1533 } 1534 ep = ep_to_host_endpoint(ps->dev, uurb->endpoint); 1535 if (!ep) 1536 return -ENOENT; 1537 is_in = (uurb->endpoint & USB_ENDPOINT_DIR_MASK) != 0; 1538 1539 u = 0; 1540 switch (uurb->type) { 1541 case USBDEVFS_URB_TYPE_CONTROL: 1542 if (!usb_endpoint_xfer_control(&ep->desc)) 1543 return -EINVAL; 1544 /* min 8 byte setup packet */ 1545 if (uurb->buffer_length < 8) 1546 return -EINVAL; 1547 dr = kmalloc(sizeof(struct usb_ctrlrequest), GFP_KERNEL); 1548 if (!dr) 1549 return -ENOMEM; 1550 if (copy_from_user(dr, uurb->buffer, 8)) { 1551 ret = -EFAULT; 1552 goto error; 1553 } 1554 if (uurb->buffer_length < (le16_to_cpu(dr->wLength) + 8)) { 1555 ret = -EINVAL; 1556 goto error; 1557 } 1558 ret = check_ctrlrecip(ps, dr->bRequestType, dr->bRequest, 1559 le16_to_cpu(dr->wIndex)); 1560 if (ret) 1561 goto error; 1562 uurb->buffer_length = le16_to_cpu(dr->wLength); 1563 uurb->buffer += 8; 1564 if ((dr->bRequestType & USB_DIR_IN) && uurb->buffer_length) { 1565 is_in = true; 1566 uurb->endpoint |= USB_DIR_IN; 1567 } else { 1568 is_in = false; 1569 uurb->endpoint &= ~USB_DIR_IN; 1570 } 1571 if (is_in) 1572 allow_short = true; 1573 snoop(&ps->dev->dev, "control urb: bRequestType=%02x " 1574 "bRequest=%02x wValue=%04x " 1575 "wIndex=%04x wLength=%04x\n", 1576 dr->bRequestType, dr->bRequest, 1577 __le16_to_cpu(dr->wValue), 1578 __le16_to_cpu(dr->wIndex), 1579 __le16_to_cpu(dr->wLength)); 1580 u = sizeof(struct usb_ctrlrequest); 1581 break; 1582 1583 case USBDEVFS_URB_TYPE_BULK: 1584 if (!is_in) 1585 allow_zero = true; 1586 else 1587 allow_short = true; 1588 switch (usb_endpoint_type(&ep->desc)) { 1589 case USB_ENDPOINT_XFER_CONTROL: 1590 case USB_ENDPOINT_XFER_ISOC: 1591 return -EINVAL; 1592 case USB_ENDPOINT_XFER_INT: 1593 /* allow single-shot interrupt transfers */ 1594 uurb->type = USBDEVFS_URB_TYPE_INTERRUPT; 1595 goto interrupt_urb; 1596 } 1597 num_sgs = DIV_ROUND_UP(uurb->buffer_length, USB_SG_SIZE); 1598 if (num_sgs == 1 || num_sgs > ps->dev->bus->sg_tablesize) 1599 num_sgs = 0; 1600 if (ep->streams) 1601 stream_id = uurb->stream_id; 1602 break; 1603 1604 case USBDEVFS_URB_TYPE_INTERRUPT: 1605 if (!usb_endpoint_xfer_int(&ep->desc)) 1606 return -EINVAL; 1607 interrupt_urb: 1608 if (!is_in) 1609 allow_zero = true; 1610 else 1611 allow_short = true; 1612 break; 1613 1614 case USBDEVFS_URB_TYPE_ISO: 1615 /* arbitrary limit */ 1616 if (uurb->number_of_packets < 1 || 1617 uurb->number_of_packets > 128) 1618 return -EINVAL; 1619 if (!usb_endpoint_xfer_isoc(&ep->desc)) 1620 return -EINVAL; 1621 number_of_packets = uurb->number_of_packets; 1622 isofrmlen = sizeof(struct usbdevfs_iso_packet_desc) * 1623 number_of_packets; 1624 isopkt = memdup_user(iso_frame_desc, isofrmlen); 1625 if (IS_ERR(isopkt)) { 1626 ret = PTR_ERR(isopkt); 1627 isopkt = NULL; 1628 goto error; 1629 } 1630 for (totlen = u = 0; u < number_of_packets; u++) { 1631 /* 1632 * arbitrary limit need for USB 3.1 Gen2 1633 * sizemax: 96 DPs at SSP, 96 * 1024 = 98304 1634 */ 1635 if (isopkt[u].length > 98304) { 1636 ret = -EINVAL; 1637 goto error; 1638 } 1639 totlen += isopkt[u].length; 1640 } 1641 u *= sizeof(struct usb_iso_packet_descriptor); 1642 uurb->buffer_length = totlen; 1643 break; 1644 1645 default: 1646 return -EINVAL; 1647 } 1648 1649 if (uurb->buffer_length > 0 && 1650 !access_ok(uurb->buffer, uurb->buffer_length)) { 1651 ret = -EFAULT; 1652 goto error; 1653 } 1654 as = alloc_async(number_of_packets); 1655 if (!as) { 1656 ret = -ENOMEM; 1657 goto error; 1658 } 1659 1660 as->usbm = find_memory_area(ps, uurb); 1661 if (IS_ERR(as->usbm)) { 1662 ret = PTR_ERR(as->usbm); 1663 as->usbm = NULL; 1664 goto error; 1665 } 1666 1667 /* do not use SG buffers when memory mapped segments 1668 * are in use 1669 */ 1670 if (as->usbm) 1671 num_sgs = 0; 1672 1673 u += sizeof(struct async) + sizeof(struct urb) + 1674 (as->usbm ? 0 : uurb->buffer_length) + 1675 num_sgs * sizeof(struct scatterlist); 1676 ret = usbfs_increase_memory_usage(u); 1677 if (ret) 1678 goto error; 1679 as->mem_usage = u; 1680 1681 if (num_sgs) { 1682 as->urb->sg = kmalloc_array(num_sgs, 1683 sizeof(struct scatterlist), 1684 GFP_KERNEL); 1685 if (!as->urb->sg) { 1686 ret = -ENOMEM; 1687 goto error; 1688 } 1689 as->urb->num_sgs = num_sgs; 1690 sg_init_table(as->urb->sg, as->urb->num_sgs); 1691 1692 totlen = uurb->buffer_length; 1693 for (i = 0; i < as->urb->num_sgs; i++) { 1694 u = (totlen > USB_SG_SIZE) ? USB_SG_SIZE : totlen; 1695 buf = kmalloc(u, GFP_KERNEL); 1696 if (!buf) { 1697 ret = -ENOMEM; 1698 goto error; 1699 } 1700 sg_set_buf(&as->urb->sg[i], buf, u); 1701 1702 if (!is_in) { 1703 if (copy_from_user(buf, uurb->buffer, u)) { 1704 ret = -EFAULT; 1705 goto error; 1706 } 1707 uurb->buffer += u; 1708 } 1709 totlen -= u; 1710 } 1711 } else if (uurb->buffer_length > 0) { 1712 if (as->usbm) { 1713 unsigned long uurb_start = (unsigned long)uurb->buffer; 1714 1715 as->urb->transfer_buffer = as->usbm->mem + 1716 (uurb_start - as->usbm->vm_start); 1717 } else { 1718 as->urb->transfer_buffer = kmalloc(uurb->buffer_length, 1719 GFP_KERNEL); 1720 if (!as->urb->transfer_buffer) { 1721 ret = -ENOMEM; 1722 goto error; 1723 } 1724 if (!is_in) { 1725 if (copy_from_user(as->urb->transfer_buffer, 1726 uurb->buffer, 1727 uurb->buffer_length)) { 1728 ret = -EFAULT; 1729 goto error; 1730 } 1731 } else if (uurb->type == USBDEVFS_URB_TYPE_ISO) { 1732 /* 1733 * Isochronous input data may end up being 1734 * discontiguous if some of the packets are 1735 * short. Clear the buffer so that the gaps 1736 * don't leak kernel data to userspace. 1737 */ 1738 memset(as->urb->transfer_buffer, 0, 1739 uurb->buffer_length); 1740 } 1741 } 1742 } 1743 as->urb->dev = ps->dev; 1744 as->urb->pipe = (uurb->type << 30) | 1745 __create_pipe(ps->dev, uurb->endpoint & 0xf) | 1746 (uurb->endpoint & USB_DIR_IN); 1747 1748 /* This tedious sequence is necessary because the URB_* flags 1749 * are internal to the kernel and subject to change, whereas 1750 * the USBDEVFS_URB_* flags are a user API and must not be changed. 1751 */ 1752 u = (is_in ? URB_DIR_IN : URB_DIR_OUT); 1753 if (uurb->flags & USBDEVFS_URB_ISO_ASAP) 1754 u |= URB_ISO_ASAP; 1755 if (allow_short && uurb->flags & USBDEVFS_URB_SHORT_NOT_OK) 1756 u |= URB_SHORT_NOT_OK; 1757 if (allow_zero && uurb->flags & USBDEVFS_URB_ZERO_PACKET) 1758 u |= URB_ZERO_PACKET; 1759 if (uurb->flags & USBDEVFS_URB_NO_INTERRUPT) 1760 u |= URB_NO_INTERRUPT; 1761 as->urb->transfer_flags = u; 1762 1763 if (!allow_short && uurb->flags & USBDEVFS_URB_SHORT_NOT_OK) 1764 dev_warn(&ps->dev->dev, "Requested nonsensical USBDEVFS_URB_SHORT_NOT_OK.\n"); 1765 if (!allow_zero && uurb->flags & USBDEVFS_URB_ZERO_PACKET) 1766 dev_warn(&ps->dev->dev, "Requested nonsensical USBDEVFS_URB_ZERO_PACKET.\n"); 1767 1768 as->urb->transfer_buffer_length = uurb->buffer_length; 1769 as->urb->setup_packet = (unsigned char *)dr; 1770 dr = NULL; 1771 as->urb->start_frame = uurb->start_frame; 1772 as->urb->number_of_packets = number_of_packets; 1773 as->urb->stream_id = stream_id; 1774 1775 if (ep->desc.bInterval) { 1776 if (uurb->type == USBDEVFS_URB_TYPE_ISO || 1777 ps->dev->speed == USB_SPEED_HIGH || 1778 ps->dev->speed >= USB_SPEED_SUPER) 1779 as->urb->interval = 1 << 1780 min(15, ep->desc.bInterval - 1); 1781 else 1782 as->urb->interval = ep->desc.bInterval; 1783 } 1784 1785 as->urb->context = as; 1786 as->urb->complete = async_completed; 1787 for (totlen = u = 0; u < number_of_packets; u++) { 1788 as->urb->iso_frame_desc[u].offset = totlen; 1789 as->urb->iso_frame_desc[u].length = isopkt[u].length; 1790 totlen += isopkt[u].length; 1791 } 1792 kfree(isopkt); 1793 isopkt = NULL; 1794 as->ps = ps; 1795 as->userurb = arg; 1796 as->userurb_sigval = userurb_sigval; 1797 if (as->usbm) { 1798 unsigned long uurb_start = (unsigned long)uurb->buffer; 1799 1800 as->urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP; 1801 as->urb->transfer_dma = as->usbm->dma_handle + 1802 (uurb_start - as->usbm->vm_start); 1803 } else if (is_in && uurb->buffer_length > 0) 1804 as->userbuffer = uurb->buffer; 1805 as->signr = uurb->signr; 1806 as->ifnum = ifnum; 1807 as->pid = get_pid(task_pid(current)); 1808 as->cred = get_current_cred(); 1809 snoop_urb(ps->dev, as->userurb, as->urb->pipe, 1810 as->urb->transfer_buffer_length, 0, SUBMIT, 1811 NULL, 0); 1812 if (!is_in) 1813 snoop_urb_data(as->urb, as->urb->transfer_buffer_length); 1814 1815 async_newpending(as); 1816 1817 if (usb_endpoint_xfer_bulk(&ep->desc)) { 1818 spin_lock_irq(&ps->lock); 1819 1820 /* Not exactly the endpoint address; the direction bit is 1821 * shifted to the 0x10 position so that the value will be 1822 * between 0 and 31. 1823 */ 1824 as->bulk_addr = usb_endpoint_num(&ep->desc) | 1825 ((ep->desc.bEndpointAddress & USB_ENDPOINT_DIR_MASK) 1826 >> 3); 1827 1828 /* If this bulk URB is the start of a new transfer, re-enable 1829 * the endpoint. Otherwise mark it as a continuation URB. 1830 */ 1831 if (uurb->flags & USBDEVFS_URB_BULK_CONTINUATION) 1832 as->bulk_status = AS_CONTINUATION; 1833 else 1834 ps->disabled_bulk_eps &= ~(1 << as->bulk_addr); 1835 1836 /* Don't accept continuation URBs if the endpoint is 1837 * disabled because of an earlier error. 1838 */ 1839 if (ps->disabled_bulk_eps & (1 << as->bulk_addr)) 1840 ret = -EREMOTEIO; 1841 else 1842 ret = usb_submit_urb(as->urb, GFP_ATOMIC); 1843 spin_unlock_irq(&ps->lock); 1844 } else { 1845 ret = usb_submit_urb(as->urb, GFP_KERNEL); 1846 } 1847 1848 if (ret) { 1849 dev_printk(KERN_DEBUG, &ps->dev->dev, 1850 "usbfs: usb_submit_urb returned %d\n", ret); 1851 snoop_urb(ps->dev, as->userurb, as->urb->pipe, 1852 0, ret, COMPLETE, NULL, 0); 1853 async_removepending(as); 1854 goto error; 1855 } 1856 return 0; 1857 1858 error: 1859 kfree(isopkt); 1860 kfree(dr); 1861 if (as) 1862 free_async(as); 1863 return ret; 1864} 1865 1866static int proc_submiturb(struct usb_dev_state *ps, void __user *arg) 1867{ 1868 struct usbdevfs_urb uurb; 1869 sigval_t userurb_sigval; 1870 1871 if (copy_from_user(&uurb, arg, sizeof(uurb))) 1872 return -EFAULT; 1873 1874 memset(&userurb_sigval, 0, sizeof(userurb_sigval)); 1875 userurb_sigval.sival_ptr = arg; 1876 1877 return proc_do_submiturb(ps, &uurb, 1878 (((struct usbdevfs_urb __user *)arg)->iso_frame_desc), 1879 arg, userurb_sigval); 1880} 1881 1882static int proc_unlinkurb(struct usb_dev_state *ps, void __user *arg) 1883{ 1884 struct urb *urb; 1885 struct async *as; 1886 unsigned long flags; 1887 1888 spin_lock_irqsave(&ps->lock, flags); 1889 as = async_getpending(ps, arg); 1890 if (!as) { 1891 spin_unlock_irqrestore(&ps->lock, flags); 1892 return -EINVAL; 1893 } 1894 1895 urb = as->urb; 1896 usb_get_urb(urb); 1897 spin_unlock_irqrestore(&ps->lock, flags); 1898 1899 usb_kill_urb(urb); 1900 usb_put_urb(urb); 1901 1902 return 0; 1903} 1904 1905static void compute_isochronous_actual_length(struct urb *urb) 1906{ 1907 unsigned int i; 1908 1909 if (urb->number_of_packets > 0) { 1910 urb->actual_length = 0; 1911 for (i = 0; i < urb->number_of_packets; i++) 1912 urb->actual_length += 1913 urb->iso_frame_desc[i].actual_length; 1914 } 1915} 1916 1917static int processcompl(struct async *as, void __user * __user *arg) 1918{ 1919 struct urb *urb = as->urb; 1920 struct usbdevfs_urb __user *userurb = as->userurb; 1921 void __user *addr = as->userurb; 1922 unsigned int i; 1923 1924 compute_isochronous_actual_length(urb); 1925 if (as->userbuffer && urb->actual_length) { 1926 if (copy_urb_data_to_user(as->userbuffer, urb)) 1927 goto err_out; 1928 } 1929 if (put_user(as->status, &userurb->status)) 1930 goto err_out; 1931 if (put_user(urb->actual_length, &userurb->actual_length)) 1932 goto err_out; 1933 if (put_user(urb->error_count, &userurb->error_count)) 1934 goto err_out; 1935 1936 if (usb_endpoint_xfer_isoc(&urb->ep->desc)) { 1937 for (i = 0; i < urb->number_of_packets; i++) { 1938 if (put_user(urb->iso_frame_desc[i].actual_length, 1939 &userurb->iso_frame_desc[i].actual_length)) 1940 goto err_out; 1941 if (put_user(urb->iso_frame_desc[i].status, 1942 &userurb->iso_frame_desc[i].status)) 1943 goto err_out; 1944 } 1945 } 1946 1947 if (put_user(addr, (void __user * __user *)arg)) 1948 return -EFAULT; 1949 return 0; 1950 1951err_out: 1952 return -EFAULT; 1953} 1954 1955static struct async *reap_as(struct usb_dev_state *ps) 1956{ 1957 DECLARE_WAITQUEUE(wait, current); 1958 struct async *as = NULL; 1959 struct usb_device *dev = ps->dev; 1960 1961 add_wait_queue(&ps->wait, &wait); 1962 for (;;) { 1963 __set_current_state(TASK_INTERRUPTIBLE); 1964 as = async_getcompleted(ps); 1965 if (as || !connected(ps)) 1966 break; 1967 if (signal_pending(current)) 1968 break; 1969 usb_unlock_device(dev); 1970 schedule(); 1971 usb_lock_device(dev); 1972 } 1973 remove_wait_queue(&ps->wait, &wait); 1974 set_current_state(TASK_RUNNING); 1975 return as; 1976} 1977 1978static int proc_reapurb(struct usb_dev_state *ps, void __user *arg) 1979{ 1980 struct async *as = reap_as(ps); 1981 1982 if (as) { 1983 int retval; 1984 1985 snoop(&ps->dev->dev, "reap %pK\n", as->userurb); 1986 retval = processcompl(as, (void __user * __user *)arg); 1987 free_async(as); 1988 return retval; 1989 } 1990 if (signal_pending(current)) 1991 return -EINTR; 1992 return -ENODEV; 1993} 1994 1995static int proc_reapurbnonblock(struct usb_dev_state *ps, void __user *arg) 1996{ 1997 int retval; 1998 struct async *as; 1999 2000 as = async_getcompleted(ps); 2001 if (as) { 2002 snoop(&ps->dev->dev, "reap %pK\n", as->userurb); 2003 retval = processcompl(as, (void __user * __user *)arg); 2004 free_async(as); 2005 } else { 2006 retval = (connected(ps) ? -EAGAIN : -ENODEV); 2007 } 2008 return retval; 2009} 2010 2011#ifdef CONFIG_COMPAT 2012static int proc_control_compat(struct usb_dev_state *ps, 2013 struct usbdevfs_ctrltransfer32 __user *p32) 2014{ 2015 struct usbdevfs_ctrltransfer __user *p; 2016 __u32 udata; 2017 p = compat_alloc_user_space(sizeof(*p)); 2018 if (copy_in_user(p, p32, (sizeof(*p32) - sizeof(compat_caddr_t))) || 2019 get_user(udata, &p32->data) || 2020 put_user(compat_ptr(udata), &p->data)) 2021 return -EFAULT; 2022 return proc_control(ps, p); 2023} 2024 2025static int proc_bulk_compat(struct usb_dev_state *ps, 2026 struct usbdevfs_bulktransfer32 __user *p32) 2027{ 2028 struct usbdevfs_bulktransfer __user *p; 2029 compat_uint_t n; 2030 compat_caddr_t addr; 2031 2032 p = compat_alloc_user_space(sizeof(*p)); 2033 2034 if (get_user(n, &p32->ep) || put_user(n, &p->ep) || 2035 get_user(n, &p32->len) || put_user(n, &p->len) || 2036 get_user(n, &p32->timeout) || put_user(n, &p->timeout) || 2037 get_user(addr, &p32->data) || put_user(compat_ptr(addr), &p->data)) 2038 return -EFAULT; 2039 2040 return proc_bulk(ps, p); 2041} 2042static int proc_disconnectsignal_compat(struct usb_dev_state *ps, void __user *arg) 2043{ 2044 struct usbdevfs_disconnectsignal32 ds; 2045 2046 if (copy_from_user(&ds, arg, sizeof(ds))) 2047 return -EFAULT; 2048 ps->discsignr = ds.signr; 2049 ps->disccontext.sival_int = ds.context; 2050 return 0; 2051} 2052 2053static int get_urb32(struct usbdevfs_urb *kurb, 2054 struct usbdevfs_urb32 __user *uurb) 2055{ 2056 struct usbdevfs_urb32 urb32; 2057 if (copy_from_user(&urb32, uurb, sizeof(*uurb))) 2058 return -EFAULT; 2059 kurb->type = urb32.type; 2060 kurb->endpoint = urb32.endpoint; 2061 kurb->status = urb32.status; 2062 kurb->flags = urb32.flags; 2063 kurb->buffer = compat_ptr(urb32.buffer); 2064 kurb->buffer_length = urb32.buffer_length; 2065 kurb->actual_length = urb32.actual_length; 2066 kurb->start_frame = urb32.start_frame; 2067 kurb->number_of_packets = urb32.number_of_packets; 2068 kurb->error_count = urb32.error_count; 2069 kurb->signr = urb32.signr; 2070 kurb->usercontext = compat_ptr(urb32.usercontext); 2071 return 0; 2072} 2073 2074static int proc_submiturb_compat(struct usb_dev_state *ps, void __user *arg) 2075{ 2076 struct usbdevfs_urb uurb; 2077 sigval_t userurb_sigval; 2078 2079 if (get_urb32(&uurb, (struct usbdevfs_urb32 __user *)arg)) 2080 return -EFAULT; 2081 2082 memset(&userurb_sigval, 0, sizeof(userurb_sigval)); 2083 userurb_sigval.sival_int = ptr_to_compat(arg); 2084 2085 return proc_do_submiturb(ps, &uurb, 2086 ((struct usbdevfs_urb32 __user *)arg)->iso_frame_desc, 2087 arg, userurb_sigval); 2088} 2089 2090static int processcompl_compat(struct async *as, void __user * __user *arg) 2091{ 2092 struct urb *urb = as->urb; 2093 struct usbdevfs_urb32 __user *userurb = as->userurb; 2094 void __user *addr = as->userurb; 2095 unsigned int i; 2096 2097 compute_isochronous_actual_length(urb); 2098 if (as->userbuffer && urb->actual_length) { 2099 if (copy_urb_data_to_user(as->userbuffer, urb)) 2100 return -EFAULT; 2101 } 2102 if (put_user(as->status, &userurb->status)) 2103 return -EFAULT; 2104 if (put_user(urb->actual_length, &userurb->actual_length)) 2105 return -EFAULT; 2106 if (put_user(urb->error_count, &userurb->error_count)) 2107 return -EFAULT; 2108 2109 if (usb_endpoint_xfer_isoc(&urb->ep->desc)) { 2110 for (i = 0; i < urb->number_of_packets; i++) { 2111 if (put_user(urb->iso_frame_desc[i].actual_length, 2112 &userurb->iso_frame_desc[i].actual_length)) 2113 return -EFAULT; 2114 if (put_user(urb->iso_frame_desc[i].status, 2115 &userurb->iso_frame_desc[i].status)) 2116 return -EFAULT; 2117 } 2118 } 2119 2120 if (put_user(ptr_to_compat(addr), (u32 __user *)arg)) 2121 return -EFAULT; 2122 return 0; 2123} 2124 2125static int proc_reapurb_compat(struct usb_dev_state *ps, void __user *arg) 2126{ 2127 struct async *as = reap_as(ps); 2128 2129 if (as) { 2130 int retval; 2131 2132 snoop(&ps->dev->dev, "reap %pK\n", as->userurb); 2133 retval = processcompl_compat(as, (void __user * __user *)arg); 2134 free_async(as); 2135 return retval; 2136 } 2137 if (signal_pending(current)) 2138 return -EINTR; 2139 return -ENODEV; 2140} 2141 2142static int proc_reapurbnonblock_compat(struct usb_dev_state *ps, void __user *arg) 2143{ 2144 int retval; 2145 struct async *as; 2146 2147 as = async_getcompleted(ps); 2148 if (as) { 2149 snoop(&ps->dev->dev, "reap %pK\n", as->userurb); 2150 retval = processcompl_compat(as, (void __user * __user *)arg); 2151 free_async(as); 2152 } else { 2153 retval = (connected(ps) ? -EAGAIN : -ENODEV); 2154 } 2155 return retval; 2156} 2157 2158 2159#endif 2160 2161static int proc_disconnectsignal(struct usb_dev_state *ps, void __user *arg) 2162{ 2163 struct usbdevfs_disconnectsignal ds; 2164 2165 if (copy_from_user(&ds, arg, sizeof(ds))) 2166 return -EFAULT; 2167 ps->discsignr = ds.signr; 2168 ps->disccontext.sival_ptr = ds.context; 2169 return 0; 2170} 2171 2172static int proc_claiminterface(struct usb_dev_state *ps, void __user *arg) 2173{ 2174 unsigned int ifnum; 2175 2176 if (get_user(ifnum, (unsigned int __user *)arg)) 2177 return -EFAULT; 2178 return claimintf(ps, ifnum); 2179} 2180 2181static int proc_releaseinterface(struct usb_dev_state *ps, void __user *arg) 2182{ 2183 unsigned int ifnum; 2184 int ret; 2185 2186 if (get_user(ifnum, (unsigned int __user *)arg)) 2187 return -EFAULT; 2188 ret = releaseintf(ps, ifnum); 2189 if (ret < 0) 2190 return ret; 2191 destroy_async_on_interface(ps, ifnum); 2192 return 0; 2193} 2194 2195static int proc_ioctl(struct usb_dev_state *ps, struct usbdevfs_ioctl *ctl) 2196{ 2197 int size; 2198 void *buf = NULL; 2199 int retval = 0; 2200 struct usb_interface *intf = NULL; 2201 struct usb_driver *driver = NULL; 2202 2203 if (ps->privileges_dropped) 2204 return -EACCES; 2205 2206 if (!connected(ps)) 2207 return -ENODEV; 2208 2209 /* alloc buffer */ 2210 size = _IOC_SIZE(ctl->ioctl_code); 2211 if (size > 0) { 2212 buf = kmalloc(size, GFP_KERNEL); 2213 if (buf == NULL) 2214 return -ENOMEM; 2215 if ((_IOC_DIR(ctl->ioctl_code) & _IOC_WRITE)) { 2216 if (copy_from_user(buf, ctl->data, size)) { 2217 kfree(buf); 2218 return -EFAULT; 2219 } 2220 } else { 2221 memset(buf, 0, size); 2222 } 2223 } 2224 2225 if (ps->dev->state != USB_STATE_CONFIGURED) 2226 retval = -EHOSTUNREACH; 2227 else if (!(intf = usb_ifnum_to_if(ps->dev, ctl->ifno))) 2228 retval = -EINVAL; 2229 else switch (ctl->ioctl_code) { 2230 2231 /* disconnect kernel driver from interface */ 2232 case USBDEVFS_DISCONNECT: 2233 if (intf->dev.driver) { 2234 driver = to_usb_driver(intf->dev.driver); 2235 dev_dbg(&intf->dev, "disconnect by usbfs\n"); 2236 usb_driver_release_interface(driver, intf); 2237 } else 2238 retval = -ENODATA; 2239 break; 2240 2241 /* let kernel drivers try to (re)bind to the interface */ 2242 case USBDEVFS_CONNECT: 2243 if (!intf->dev.driver) 2244 retval = device_attach(&intf->dev); 2245 else 2246 retval = -EBUSY; 2247 break; 2248 2249 /* talk directly to the interface's driver */ 2250 default: 2251 if (intf->dev.driver) 2252 driver = to_usb_driver(intf->dev.driver); 2253 if (driver == NULL || driver->unlocked_ioctl == NULL) { 2254 retval = -ENOTTY; 2255 } else { 2256 retval = driver->unlocked_ioctl(intf, ctl->ioctl_code, buf); 2257 if (retval == -ENOIOCTLCMD) 2258 retval = -ENOTTY; 2259 } 2260 } 2261 2262 /* cleanup and return */ 2263 if (retval >= 0 2264 && (_IOC_DIR(ctl->ioctl_code) & _IOC_READ) != 0 2265 && size > 0 2266 && copy_to_user(ctl->data, buf, size) != 0) 2267 retval = -EFAULT; 2268 2269 kfree(buf); 2270 return retval; 2271} 2272 2273static int proc_ioctl_default(struct usb_dev_state *ps, void __user *arg) 2274{ 2275 struct usbdevfs_ioctl ctrl; 2276 2277 if (copy_from_user(&ctrl, arg, sizeof(ctrl))) 2278 return -EFAULT; 2279 return proc_ioctl(ps, &ctrl); 2280} 2281 2282#ifdef CONFIG_COMPAT 2283static int proc_ioctl_compat(struct usb_dev_state *ps, compat_uptr_t arg) 2284{ 2285 struct usbdevfs_ioctl32 ioc32; 2286 struct usbdevfs_ioctl ctrl; 2287 2288 if (copy_from_user(&ioc32, compat_ptr(arg), sizeof(ioc32))) 2289 return -EFAULT; 2290 ctrl.ifno = ioc32.ifno; 2291 ctrl.ioctl_code = ioc32.ioctl_code; 2292 ctrl.data = compat_ptr(ioc32.data); 2293 return proc_ioctl(ps, &ctrl); 2294} 2295#endif 2296 2297static int proc_claim_port(struct usb_dev_state *ps, void __user *arg) 2298{ 2299 unsigned portnum; 2300 int rc; 2301 2302 if (get_user(portnum, (unsigned __user *) arg)) 2303 return -EFAULT; 2304 rc = usb_hub_claim_port(ps->dev, portnum, ps); 2305 if (rc == 0) 2306 snoop(&ps->dev->dev, "port %d claimed by process %d: %s\n", 2307 portnum, task_pid_nr(current), current->comm); 2308 return rc; 2309} 2310 2311static int proc_release_port(struct usb_dev_state *ps, void __user *arg) 2312{ 2313 unsigned portnum; 2314 2315 if (get_user(portnum, (unsigned __user *) arg)) 2316 return -EFAULT; 2317 return usb_hub_release_port(ps->dev, portnum, ps); 2318} 2319 2320static int proc_get_capabilities(struct usb_dev_state *ps, void __user *arg) 2321{ 2322 __u32 caps; 2323 2324 caps = USBDEVFS_CAP_ZERO_PACKET | USBDEVFS_CAP_NO_PACKET_SIZE_LIM | 2325 USBDEVFS_CAP_REAP_AFTER_DISCONNECT | USBDEVFS_CAP_MMAP | 2326 USBDEVFS_CAP_DROP_PRIVILEGES | 2327 USBDEVFS_CAP_CONNINFO_EX | MAYBE_CAP_SUSPEND; 2328 if (!ps->dev->bus->no_stop_on_short) 2329 caps |= USBDEVFS_CAP_BULK_CONTINUATION; 2330 if (ps->dev->bus->sg_tablesize) 2331 caps |= USBDEVFS_CAP_BULK_SCATTER_GATHER; 2332 2333 if (put_user(caps, (__u32 __user *)arg)) 2334 return -EFAULT; 2335 2336 return 0; 2337} 2338 2339static int proc_disconnect_claim(struct usb_dev_state *ps, void __user *arg) 2340{ 2341 struct usbdevfs_disconnect_claim dc; 2342 struct usb_interface *intf; 2343 2344 if (copy_from_user(&dc, arg, sizeof(dc))) 2345 return -EFAULT; 2346 2347 intf = usb_ifnum_to_if(ps->dev, dc.interface); 2348 if (!intf) 2349 return -EINVAL; 2350 2351 if (intf->dev.driver) { 2352 struct usb_driver *driver = to_usb_driver(intf->dev.driver); 2353 2354 if (ps->privileges_dropped) 2355 return -EACCES; 2356 2357 if ((dc.flags & USBDEVFS_DISCONNECT_CLAIM_IF_DRIVER) && 2358 strncmp(dc.driver, intf->dev.driver->name, 2359 sizeof(dc.driver)) != 0) 2360 return -EBUSY; 2361 2362 if ((dc.flags & USBDEVFS_DISCONNECT_CLAIM_EXCEPT_DRIVER) && 2363 strncmp(dc.driver, intf->dev.driver->name, 2364 sizeof(dc.driver)) == 0) 2365 return -EBUSY; 2366 2367 dev_dbg(&intf->dev, "disconnect by usbfs\n"); 2368 usb_driver_release_interface(driver, intf); 2369 } 2370 2371 return claimintf(ps, dc.interface); 2372} 2373 2374static int proc_alloc_streams(struct usb_dev_state *ps, void __user *arg) 2375{ 2376 unsigned num_streams, num_eps; 2377 struct usb_host_endpoint **eps; 2378 struct usb_interface *intf; 2379 int r; 2380 2381 r = parse_usbdevfs_streams(ps, arg, &num_streams, &num_eps, 2382 &eps, &intf); 2383 if (r) 2384 return r; 2385 2386 destroy_async_on_interface(ps, 2387 intf->altsetting[0].desc.bInterfaceNumber); 2388 2389 r = usb_alloc_streams(intf, eps, num_eps, num_streams, GFP_KERNEL); 2390 kfree(eps); 2391 return r; 2392} 2393 2394static int proc_free_streams(struct usb_dev_state *ps, void __user *arg) 2395{ 2396 unsigned num_eps; 2397 struct usb_host_endpoint **eps; 2398 struct usb_interface *intf; 2399 int r; 2400 2401 r = parse_usbdevfs_streams(ps, arg, NULL, &num_eps, &eps, &intf); 2402 if (r) 2403 return r; 2404 2405 destroy_async_on_interface(ps, 2406 intf->altsetting[0].desc.bInterfaceNumber); 2407 2408 r = usb_free_streams(intf, eps, num_eps, GFP_KERNEL); 2409 kfree(eps); 2410 return r; 2411} 2412 2413static int proc_drop_privileges(struct usb_dev_state *ps, void __user *arg) 2414{ 2415 u32 data; 2416 2417 if (copy_from_user(&data, arg, sizeof(data))) 2418 return -EFAULT; 2419 2420 /* This is a one way operation. Once privileges are 2421 * dropped, you cannot regain them. You may however reissue 2422 * this ioctl to shrink the allowed interfaces mask. 2423 */ 2424 ps->interface_allowed_mask &= data; 2425 ps->privileges_dropped = true; 2426 2427 return 0; 2428} 2429 2430static int proc_forbid_suspend(struct usb_dev_state *ps) 2431{ 2432 int ret = 0; 2433 2434 if (ps->suspend_allowed) { 2435 ret = usb_autoresume_device(ps->dev); 2436 if (ret == 0) 2437 ps->suspend_allowed = false; 2438 else if (ret != -ENODEV) 2439 ret = -EIO; 2440 } 2441 return ret; 2442} 2443 2444static int proc_allow_suspend(struct usb_dev_state *ps) 2445{ 2446 if (!connected(ps)) 2447 return -ENODEV; 2448 2449 WRITE_ONCE(ps->not_yet_resumed, 1); 2450 if (!ps->suspend_allowed) { 2451 usb_autosuspend_device(ps->dev); 2452 ps->suspend_allowed = true; 2453 } 2454 return 0; 2455} 2456 2457static int proc_wait_for_resume(struct usb_dev_state *ps) 2458{ 2459 int ret; 2460 2461 usb_unlock_device(ps->dev); 2462 ret = wait_event_interruptible(ps->wait_for_resume, 2463 READ_ONCE(ps->not_yet_resumed) == 0); 2464 usb_lock_device(ps->dev); 2465 2466 if (ret != 0) 2467 return -EINTR; 2468 return proc_forbid_suspend(ps); 2469} 2470 2471/* 2472 * NOTE: All requests here that have interface numbers as parameters 2473 * are assuming that somehow the configuration has been prevented from 2474 * changing. But there's no mechanism to ensure that... 2475 */ 2476static long usbdev_do_ioctl(struct file *file, unsigned int cmd, 2477 void __user *p) 2478{ 2479 struct usb_dev_state *ps = file->private_data; 2480 struct inode *inode = file_inode(file); 2481 struct usb_device *dev = ps->dev; 2482 int ret = -ENOTTY; 2483 2484 if (!(file->f_mode & FMODE_WRITE)) 2485 return -EPERM; 2486 2487 usb_lock_device(dev); 2488 2489 /* Reap operations are allowed even after disconnection */ 2490 switch (cmd) { 2491 case USBDEVFS_REAPURB: 2492 snoop(&dev->dev, "%s: REAPURB\n", __func__); 2493 ret = proc_reapurb(ps, p); 2494 goto done; 2495 2496 case USBDEVFS_REAPURBNDELAY: 2497 snoop(&dev->dev, "%s: REAPURBNDELAY\n", __func__); 2498 ret = proc_reapurbnonblock(ps, p); 2499 goto done; 2500 2501#ifdef CONFIG_COMPAT 2502 case USBDEVFS_REAPURB32: 2503 snoop(&dev->dev, "%s: REAPURB32\n", __func__); 2504 ret = proc_reapurb_compat(ps, p); 2505 goto done; 2506 2507 case USBDEVFS_REAPURBNDELAY32: 2508 snoop(&dev->dev, "%s: REAPURBNDELAY32\n", __func__); 2509 ret = proc_reapurbnonblock_compat(ps, p); 2510 goto done; 2511#endif 2512 } 2513 2514 if (!connected(ps)) { 2515 usb_unlock_device(dev); 2516 return -ENODEV; 2517 } 2518 2519 switch (cmd) { 2520 case USBDEVFS_CONTROL: 2521 snoop(&dev->dev, "%s: CONTROL\n", __func__); 2522 ret = proc_control(ps, p); 2523 if (ret >= 0) 2524 inode->i_mtime = current_time(inode); 2525 break; 2526 2527 case USBDEVFS_BULK: 2528 snoop(&dev->dev, "%s: BULK\n", __func__); 2529 ret = proc_bulk(ps, p); 2530 if (ret >= 0) 2531 inode->i_mtime = current_time(inode); 2532 break; 2533 2534 case USBDEVFS_RESETEP: 2535 snoop(&dev->dev, "%s: RESETEP\n", __func__); 2536 ret = proc_resetep(ps, p); 2537 if (ret >= 0) 2538 inode->i_mtime = current_time(inode); 2539 break; 2540 2541 case USBDEVFS_RESET: 2542 snoop(&dev->dev, "%s: RESET\n", __func__); 2543 ret = proc_resetdevice(ps); 2544 break; 2545 2546 case USBDEVFS_CLEAR_HALT: 2547 snoop(&dev->dev, "%s: CLEAR_HALT\n", __func__); 2548 ret = proc_clearhalt(ps, p); 2549 if (ret >= 0) 2550 inode->i_mtime = current_time(inode); 2551 break; 2552 2553 case USBDEVFS_GETDRIVER: 2554 snoop(&dev->dev, "%s: GETDRIVER\n", __func__); 2555 ret = proc_getdriver(ps, p); 2556 break; 2557 2558 case USBDEVFS_CONNECTINFO: 2559 snoop(&dev->dev, "%s: CONNECTINFO\n", __func__); 2560 ret = proc_connectinfo(ps, p); 2561 break; 2562 2563 case USBDEVFS_SETINTERFACE: 2564 snoop(&dev->dev, "%s: SETINTERFACE\n", __func__); 2565 ret = proc_setintf(ps, p); 2566 break; 2567 2568 case USBDEVFS_SETCONFIGURATION: 2569 snoop(&dev->dev, "%s: SETCONFIGURATION\n", __func__); 2570 ret = proc_setconfig(ps, p); 2571 break; 2572 2573 case USBDEVFS_SUBMITURB: 2574 snoop(&dev->dev, "%s: SUBMITURB\n", __func__); 2575 ret = proc_submiturb(ps, p); 2576 if (ret >= 0) 2577 inode->i_mtime = current_time(inode); 2578 break; 2579 2580#ifdef CONFIG_COMPAT 2581 case USBDEVFS_CONTROL32: 2582 snoop(&dev->dev, "%s: CONTROL32\n", __func__); 2583 ret = proc_control_compat(ps, p); 2584 if (ret >= 0) 2585 inode->i_mtime = current_time(inode); 2586 break; 2587 2588 case USBDEVFS_BULK32: 2589 snoop(&dev->dev, "%s: BULK32\n", __func__); 2590 ret = proc_bulk_compat(ps, p); 2591 if (ret >= 0) 2592 inode->i_mtime = current_time(inode); 2593 break; 2594 2595 case USBDEVFS_DISCSIGNAL32: 2596 snoop(&dev->dev, "%s: DISCSIGNAL32\n", __func__); 2597 ret = proc_disconnectsignal_compat(ps, p); 2598 break; 2599 2600 case USBDEVFS_SUBMITURB32: 2601 snoop(&dev->dev, "%s: SUBMITURB32\n", __func__); 2602 ret = proc_submiturb_compat(ps, p); 2603 if (ret >= 0) 2604 inode->i_mtime = current_time(inode); 2605 break; 2606 2607 case USBDEVFS_IOCTL32: 2608 snoop(&dev->dev, "%s: IOCTL32\n", __func__); 2609 ret = proc_ioctl_compat(ps, ptr_to_compat(p)); 2610 break; 2611#endif 2612 2613 case USBDEVFS_DISCARDURB: 2614 snoop(&dev->dev, "%s: DISCARDURB %pK\n", __func__, p); 2615 ret = proc_unlinkurb(ps, p); 2616 break; 2617 2618 case USBDEVFS_DISCSIGNAL: 2619 snoop(&dev->dev, "%s: DISCSIGNAL\n", __func__); 2620 ret = proc_disconnectsignal(ps, p); 2621 break; 2622 2623 case USBDEVFS_CLAIMINTERFACE: 2624 snoop(&dev->dev, "%s: CLAIMINTERFACE\n", __func__); 2625 ret = proc_claiminterface(ps, p); 2626 break; 2627 2628 case USBDEVFS_RELEASEINTERFACE: 2629 snoop(&dev->dev, "%s: RELEASEINTERFACE\n", __func__); 2630 ret = proc_releaseinterface(ps, p); 2631 break; 2632 2633 case USBDEVFS_IOCTL: 2634 snoop(&dev->dev, "%s: IOCTL\n", __func__); 2635 ret = proc_ioctl_default(ps, p); 2636 break; 2637 2638 case USBDEVFS_CLAIM_PORT: 2639 snoop(&dev->dev, "%s: CLAIM_PORT\n", __func__); 2640 ret = proc_claim_port(ps, p); 2641 break; 2642 2643 case USBDEVFS_RELEASE_PORT: 2644 snoop(&dev->dev, "%s: RELEASE_PORT\n", __func__); 2645 ret = proc_release_port(ps, p); 2646 break; 2647 case USBDEVFS_GET_CAPABILITIES: 2648 ret = proc_get_capabilities(ps, p); 2649 break; 2650 case USBDEVFS_DISCONNECT_CLAIM: 2651 ret = proc_disconnect_claim(ps, p); 2652 break; 2653 case USBDEVFS_ALLOC_STREAMS: 2654 ret = proc_alloc_streams(ps, p); 2655 break; 2656 case USBDEVFS_FREE_STREAMS: 2657 ret = proc_free_streams(ps, p); 2658 break; 2659 case USBDEVFS_DROP_PRIVILEGES: 2660 ret = proc_drop_privileges(ps, p); 2661 break; 2662 case USBDEVFS_GET_SPEED: 2663 ret = ps->dev->speed; 2664 break; 2665 case USBDEVFS_FORBID_SUSPEND: 2666 ret = proc_forbid_suspend(ps); 2667 break; 2668 case USBDEVFS_ALLOW_SUSPEND: 2669 ret = proc_allow_suspend(ps); 2670 break; 2671 case USBDEVFS_WAIT_FOR_RESUME: 2672 ret = proc_wait_for_resume(ps); 2673 break; 2674 } 2675 2676 /* Handle variable-length commands */ 2677 switch (cmd & ~IOCSIZE_MASK) { 2678 case USBDEVFS_CONNINFO_EX(0): 2679 ret = proc_conninfo_ex(ps, p, _IOC_SIZE(cmd)); 2680 break; 2681 } 2682 2683 done: 2684 usb_unlock_device(dev); 2685 if (ret >= 0) 2686 inode->i_atime = current_time(inode); 2687 return ret; 2688} 2689 2690static long usbdev_ioctl(struct file *file, unsigned int cmd, 2691 unsigned long arg) 2692{ 2693 int ret; 2694 2695 ret = usbdev_do_ioctl(file, cmd, (void __user *)arg); 2696 2697 return ret; 2698} 2699 2700/* No kernel lock - fine */ 2701static __poll_t usbdev_poll(struct file *file, 2702 struct poll_table_struct *wait) 2703{ 2704 struct usb_dev_state *ps = file->private_data; 2705 __poll_t mask = 0; 2706 2707 poll_wait(file, &ps->wait, wait); 2708 if (file->f_mode & FMODE_WRITE && !list_empty(&ps->async_completed)) 2709 mask |= EPOLLOUT | EPOLLWRNORM; 2710 if (!connected(ps)) 2711 mask |= EPOLLHUP; 2712 if (list_empty(&ps->list)) 2713 mask |= EPOLLERR; 2714 return mask; 2715} 2716 2717const struct file_operations usbdev_file_operations = { 2718 .owner = THIS_MODULE, 2719 .llseek = no_seek_end_llseek, 2720 .read = usbdev_read, 2721 .poll = usbdev_poll, 2722 .unlocked_ioctl = usbdev_ioctl, 2723 .compat_ioctl = compat_ptr_ioctl, 2724 .mmap = usbdev_mmap, 2725 .open = usbdev_open, 2726 .release = usbdev_release, 2727}; 2728 2729static void usbdev_remove(struct usb_device *udev) 2730{ 2731 struct usb_dev_state *ps; 2732 2733 /* Protect against simultaneous resume */ 2734 mutex_lock(&usbfs_mutex); 2735 while (!list_empty(&udev->filelist)) { 2736 ps = list_entry(udev->filelist.next, struct usb_dev_state, list); 2737 destroy_all_async(ps); 2738 wake_up_all(&ps->wait); 2739 WRITE_ONCE(ps->not_yet_resumed, 0); 2740 wake_up_all(&ps->wait_for_resume); 2741 list_del_init(&ps->list); 2742 if (ps->discsignr) 2743 kill_pid_usb_asyncio(ps->discsignr, EPIPE, ps->disccontext, 2744 ps->disc_pid, ps->cred); 2745 } 2746 mutex_unlock(&usbfs_mutex); 2747} 2748 2749static int usbdev_notify(struct notifier_block *self, 2750 unsigned long action, void *dev) 2751{ 2752 switch (action) { 2753 case USB_DEVICE_ADD: 2754 break; 2755 case USB_DEVICE_REMOVE: 2756 usbdev_remove(dev); 2757 break; 2758 } 2759 return NOTIFY_OK; 2760} 2761 2762static struct notifier_block usbdev_nb = { 2763 .notifier_call = usbdev_notify, 2764}; 2765 2766static struct cdev usb_device_cdev; 2767 2768int __init usb_devio_init(void) 2769{ 2770 int retval; 2771 2772 retval = register_chrdev_region(USB_DEVICE_DEV, USB_DEVICE_MAX, 2773 "usb_device"); 2774 if (retval) { 2775 printk(KERN_ERR "Unable to register minors for usb_device\n"); 2776 goto out; 2777 } 2778 cdev_init(&usb_device_cdev, &usbdev_file_operations); 2779 retval = cdev_add(&usb_device_cdev, USB_DEVICE_DEV, USB_DEVICE_MAX); 2780 if (retval) { 2781 printk(KERN_ERR "Unable to get usb_device major %d\n", 2782 USB_DEVICE_MAJOR); 2783 goto error_cdev; 2784 } 2785 usb_register_notify(&usbdev_nb); 2786out: 2787 return retval; 2788 2789error_cdev: 2790 unregister_chrdev_region(USB_DEVICE_DEV, USB_DEVICE_MAX); 2791 goto out; 2792} 2793 2794void usb_devio_cleanup(void) 2795{ 2796 usb_unregister_notify(&usbdev_nb); 2797 cdev_del(&usb_device_cdev); 2798 unregister_chrdev_region(USB_DEVICE_DEV, USB_DEVICE_MAX); 2799}