devio.c (72485B)
1// SPDX-License-Identifier: GPL-2.0+ 2/*****************************************************************************/ 3 4/* 5 * devio.c -- User space communication with USB devices. 6 * 7 * Copyright (C) 1999-2000 Thomas Sailer (sailer@ife.ee.ethz.ch) 8 * 9 * This file implements the usbfs/x/y files, where 10 * x is the bus number and y the device number. 11 * 12 * It allows user space programs/"drivers" to communicate directly 13 * with USB devices without intervening kernel driver. 14 * 15 * Revision history 16 * 22.12.1999 0.1 Initial release (split from proc_usb.c) 17 * 04.01.2000 0.2 Turned into its own filesystem 18 * 30.09.2005 0.3 Fix user-triggerable oops in async URB delivery 19 * (CAN-2005-3055) 20 */ 21 22/*****************************************************************************/ 23 24#include <linux/fs.h> 25#include <linux/mm.h> 26#include <linux/sched/signal.h> 27#include <linux/slab.h> 28#include <linux/signal.h> 29#include <linux/poll.h> 30#include <linux/module.h> 31#include <linux/string.h> 32#include <linux/usb.h> 33#include <linux/usbdevice_fs.h> 34#include <linux/usb/hcd.h> /* for usbcore internals */ 35#include <linux/usb/quirks.h> 36#include <linux/cdev.h> 37#include <linux/notifier.h> 38#include <linux/security.h> 39#include <linux/user_namespace.h> 40#include <linux/scatterlist.h> 41#include <linux/uaccess.h> 42#include <linux/dma-mapping.h> 43#include <asm/byteorder.h> 44#include <linux/moduleparam.h> 45 46#include "usb.h" 47 48#ifdef CONFIG_PM 49#define MAYBE_CAP_SUSPEND USBDEVFS_CAP_SUSPEND 50#else 51#define MAYBE_CAP_SUSPEND 0 52#endif 53 54#define USB_MAXBUS 64 55#define USB_DEVICE_MAX (USB_MAXBUS * 128) 56#define USB_SG_SIZE 16384 /* split-size for large txs */ 57 58/* Mutual exclusion for ps->list in resume vs. release and remove */ 59static DEFINE_MUTEX(usbfs_mutex); 60 61struct usb_dev_state { 62 struct list_head list; /* state list */ 63 struct usb_device *dev; 64 struct file *file; 65 spinlock_t lock; /* protects the async urb lists */ 66 struct list_head async_pending; 67 struct list_head async_completed; 68 struct list_head memory_list; 69 wait_queue_head_t wait; /* wake up if a request completed */ 70 wait_queue_head_t wait_for_resume; /* wake up upon runtime resume */ 71 unsigned int discsignr; 72 struct pid *disc_pid; 73 const struct cred *cred; 74 sigval_t disccontext; 75 unsigned long ifclaimed; 76 u32 disabled_bulk_eps; 77 unsigned long interface_allowed_mask; 78 int not_yet_resumed; 79 bool suspend_allowed; 80 bool privileges_dropped; 81}; 82 83struct usb_memory { 84 struct list_head memlist; 85 int vma_use_count; 86 int urb_use_count; 87 u32 size; 88 void *mem; 89 dma_addr_t dma_handle; 90 unsigned long vm_start; 91 struct usb_dev_state *ps; 92}; 93 94struct async { 95 struct list_head asynclist; 96 struct usb_dev_state *ps; 97 struct pid *pid; 98 const struct cred *cred; 99 unsigned int signr; 100 unsigned int ifnum; 101 void __user *userbuffer; 102 void __user *userurb; 103 sigval_t userurb_sigval; 104 struct urb *urb; 105 struct usb_memory *usbm; 106 unsigned int mem_usage; 107 int status; 108 u8 bulk_addr; 109 u8 bulk_status; 110}; 111 112static bool usbfs_snoop; 113module_param(usbfs_snoop, bool, S_IRUGO | S_IWUSR); 114MODULE_PARM_DESC(usbfs_snoop, "true to log all usbfs traffic"); 115 116static unsigned usbfs_snoop_max = 65536; 117module_param(usbfs_snoop_max, uint, S_IRUGO | S_IWUSR); 118MODULE_PARM_DESC(usbfs_snoop_max, 119 "maximum number of bytes to print while snooping"); 120 121#define snoop(dev, format, arg...) \ 122 do { \ 123 if (usbfs_snoop) \ 124 dev_info(dev, format, ## arg); \ 125 } while (0) 126 127enum snoop_when { 128 SUBMIT, COMPLETE 129}; 130 131#define USB_DEVICE_DEV MKDEV(USB_DEVICE_MAJOR, 0) 132 133/* Limit on the total amount of memory we can allocate for transfers */ 134static u32 usbfs_memory_mb = 16; 135module_param(usbfs_memory_mb, uint, 0644); 136MODULE_PARM_DESC(usbfs_memory_mb, 137 "maximum MB allowed for usbfs buffers (0 = no limit)"); 138 139/* Hard limit, necessary to avoid arithmetic overflow */ 140#define USBFS_XFER_MAX (UINT_MAX / 2 - 1000000) 141 142static DEFINE_SPINLOCK(usbfs_memory_usage_lock); 143static u64 usbfs_memory_usage; /* Total memory currently allocated */ 144 145/* Check whether it's okay to allocate more memory for a transfer */ 146static int usbfs_increase_memory_usage(u64 amount) 147{ 148 u64 lim, total_mem; 149 unsigned long flags; 150 int ret; 151 152 lim = READ_ONCE(usbfs_memory_mb); 153 lim <<= 20; 154 155 ret = 0; 156 spin_lock_irqsave(&usbfs_memory_usage_lock, flags); 157 total_mem = usbfs_memory_usage + amount; 158 if (lim > 0 && total_mem > lim) 159 ret = -ENOMEM; 160 else 161 usbfs_memory_usage = total_mem; 162 spin_unlock_irqrestore(&usbfs_memory_usage_lock, flags); 163 164 return ret; 165} 166 167/* Memory for a transfer is being deallocated */ 168static void usbfs_decrease_memory_usage(u64 amount) 169{ 170 unsigned long flags; 171 172 spin_lock_irqsave(&usbfs_memory_usage_lock, flags); 173 if (amount > usbfs_memory_usage) 174 usbfs_memory_usage = 0; 175 else 176 usbfs_memory_usage -= amount; 177 spin_unlock_irqrestore(&usbfs_memory_usage_lock, flags); 178} 179 180static int connected(struct usb_dev_state *ps) 181{ 182 return (!list_empty(&ps->list) && 183 ps->dev->state != USB_STATE_NOTATTACHED); 184} 185 186static void dec_usb_memory_use_count(struct usb_memory *usbm, int *count) 187{ 188 struct usb_dev_state *ps = usbm->ps; 189 unsigned long flags; 190 191 spin_lock_irqsave(&ps->lock, flags); 192 --*count; 193 if (usbm->urb_use_count == 0 && usbm->vma_use_count == 0) { 194 list_del(&usbm->memlist); 195 spin_unlock_irqrestore(&ps->lock, flags); 196 197 usb_free_coherent(ps->dev, usbm->size, usbm->mem, 198 usbm->dma_handle); 199 usbfs_decrease_memory_usage( 200 usbm->size + sizeof(struct usb_memory)); 201 kfree(usbm); 202 } else { 203 spin_unlock_irqrestore(&ps->lock, flags); 204 } 205} 206 207static void usbdev_vm_open(struct vm_area_struct *vma) 208{ 209 struct usb_memory *usbm = vma->vm_private_data; 210 unsigned long flags; 211 212 spin_lock_irqsave(&usbm->ps->lock, flags); 213 ++usbm->vma_use_count; 214 spin_unlock_irqrestore(&usbm->ps->lock, flags); 215} 216 217static void usbdev_vm_close(struct vm_area_struct *vma) 218{ 219 struct usb_memory *usbm = vma->vm_private_data; 220 221 dec_usb_memory_use_count(usbm, &usbm->vma_use_count); 222} 223 224static const struct vm_operations_struct usbdev_vm_ops = { 225 .open = usbdev_vm_open, 226 .close = usbdev_vm_close 227}; 228 229static int usbdev_mmap(struct file *file, struct vm_area_struct *vma) 230{ 231 struct usb_memory *usbm = NULL; 232 struct usb_dev_state *ps = file->private_data; 233 struct usb_hcd *hcd = bus_to_hcd(ps->dev->bus); 234 size_t size = vma->vm_end - vma->vm_start; 235 void *mem; 236 unsigned long flags; 237 dma_addr_t dma_handle; 238 int ret; 239 240 ret = usbfs_increase_memory_usage(size + sizeof(struct usb_memory)); 241 if (ret) 242 goto error; 243 244 usbm = kzalloc(sizeof(struct usb_memory), GFP_KERNEL); 245 if (!usbm) { 246 ret = -ENOMEM; 247 goto error_decrease_mem; 248 } 249 250 mem = usb_alloc_coherent(ps->dev, size, GFP_USER | __GFP_NOWARN, 251 &dma_handle); 252 if (!mem) { 253 ret = -ENOMEM; 254 goto error_free_usbm; 255 } 256 257 memset(mem, 0, size); 258 259 usbm->mem = mem; 260 usbm->dma_handle = dma_handle; 261 usbm->size = size; 262 usbm->ps = ps; 263 usbm->vm_start = vma->vm_start; 264 usbm->vma_use_count = 1; 265 INIT_LIST_HEAD(&usbm->memlist); 266 267 if (hcd->localmem_pool || !hcd_uses_dma(hcd)) { 268 if (remap_pfn_range(vma, vma->vm_start, 269 virt_to_phys(usbm->mem) >> PAGE_SHIFT, 270 size, vma->vm_page_prot) < 0) { 271 dec_usb_memory_use_count(usbm, &usbm->vma_use_count); 272 return -EAGAIN; 273 } 274 } else { 275 if (dma_mmap_coherent(hcd->self.sysdev, vma, mem, dma_handle, 276 size)) { 277 dec_usb_memory_use_count(usbm, &usbm->vma_use_count); 278 return -EAGAIN; 279 } 280 } 281 282 vma->vm_flags |= VM_IO; 283 vma->vm_flags |= (VM_DONTEXPAND | VM_DONTDUMP); 284 vma->vm_ops = &usbdev_vm_ops; 285 vma->vm_private_data = usbm; 286 287 spin_lock_irqsave(&ps->lock, flags); 288 list_add_tail(&usbm->memlist, &ps->memory_list); 289 spin_unlock_irqrestore(&ps->lock, flags); 290 291 return 0; 292 293error_free_usbm: 294 kfree(usbm); 295error_decrease_mem: 296 usbfs_decrease_memory_usage(size + sizeof(struct usb_memory)); 297error: 298 return ret; 299} 300 301static ssize_t usbdev_read(struct file *file, char __user *buf, size_t nbytes, 302 loff_t *ppos) 303{ 304 struct usb_dev_state *ps = file->private_data; 305 struct usb_device *dev = ps->dev; 306 ssize_t ret = 0; 307 unsigned len; 308 loff_t pos; 309 int i; 310 311 pos = *ppos; 312 usb_lock_device(dev); 313 if (!connected(ps)) { 314 ret = -ENODEV; 315 goto err; 316 } else if (pos < 0) { 317 ret = -EINVAL; 318 goto err; 319 } 320 321 if (pos < sizeof(struct usb_device_descriptor)) { 322 /* 18 bytes - fits on the stack */ 323 struct usb_device_descriptor temp_desc; 324 325 memcpy(&temp_desc, &dev->descriptor, sizeof(dev->descriptor)); 326 le16_to_cpus(&temp_desc.bcdUSB); 327 le16_to_cpus(&temp_desc.idVendor); 328 le16_to_cpus(&temp_desc.idProduct); 329 le16_to_cpus(&temp_desc.bcdDevice); 330 331 len = sizeof(struct usb_device_descriptor) - pos; 332 if (len > nbytes) 333 len = nbytes; 334 if (copy_to_user(buf, ((char *)&temp_desc) + pos, len)) { 335 ret = -EFAULT; 336 goto err; 337 } 338 339 *ppos += len; 340 buf += len; 341 nbytes -= len; 342 ret += len; 343 } 344 345 pos = sizeof(struct usb_device_descriptor); 346 for (i = 0; nbytes && i < dev->descriptor.bNumConfigurations; i++) { 347 struct usb_config_descriptor *config = 348 (struct usb_config_descriptor *)dev->rawdescriptors[i]; 349 unsigned int length = le16_to_cpu(config->wTotalLength); 350 351 if (*ppos < pos + length) { 352 353 /* The descriptor may claim to be longer than it 354 * really is. Here is the actual allocated length. */ 355 unsigned alloclen = 356 le16_to_cpu(dev->config[i].desc.wTotalLength); 357 358 len = length - (*ppos - pos); 359 if (len > nbytes) 360 len = nbytes; 361 362 /* Simply don't write (skip over) unallocated parts */ 363 if (alloclen > (*ppos - pos)) { 364 alloclen -= (*ppos - pos); 365 if (copy_to_user(buf, 366 dev->rawdescriptors[i] + (*ppos - pos), 367 min(len, alloclen))) { 368 ret = -EFAULT; 369 goto err; 370 } 371 } 372 373 *ppos += len; 374 buf += len; 375 nbytes -= len; 376 ret += len; 377 } 378 379 pos += length; 380 } 381 382err: 383 usb_unlock_device(dev); 384 return ret; 385} 386 387/* 388 * async list handling 389 */ 390 391static struct async *alloc_async(unsigned int numisoframes) 392{ 393 struct async *as; 394 395 as = kzalloc(sizeof(struct async), GFP_KERNEL); 396 if (!as) 397 return NULL; 398 as->urb = usb_alloc_urb(numisoframes, GFP_KERNEL); 399 if (!as->urb) { 400 kfree(as); 401 return NULL; 402 } 403 return as; 404} 405 406static void free_async(struct async *as) 407{ 408 int i; 409 410 put_pid(as->pid); 411 if (as->cred) 412 put_cred(as->cred); 413 for (i = 0; i < as->urb->num_sgs; i++) { 414 if (sg_page(&as->urb->sg[i])) 415 kfree(sg_virt(&as->urb->sg[i])); 416 } 417 418 kfree(as->urb->sg); 419 if (as->usbm == NULL) 420 kfree(as->urb->transfer_buffer); 421 else 422 dec_usb_memory_use_count(as->usbm, &as->usbm->urb_use_count); 423 424 kfree(as->urb->setup_packet); 425 usb_free_urb(as->urb); 426 usbfs_decrease_memory_usage(as->mem_usage); 427 kfree(as); 428} 429 430static void async_newpending(struct async *as) 431{ 432 struct usb_dev_state *ps = as->ps; 433 unsigned long flags; 434 435 spin_lock_irqsave(&ps->lock, flags); 436 list_add_tail(&as->asynclist, &ps->async_pending); 437 spin_unlock_irqrestore(&ps->lock, flags); 438} 439 440static void async_removepending(struct async *as) 441{ 442 struct usb_dev_state *ps = as->ps; 443 unsigned long flags; 444 445 spin_lock_irqsave(&ps->lock, flags); 446 list_del_init(&as->asynclist); 447 spin_unlock_irqrestore(&ps->lock, flags); 448} 449 450static struct async *async_getcompleted(struct usb_dev_state *ps) 451{ 452 unsigned long flags; 453 struct async *as = NULL; 454 455 spin_lock_irqsave(&ps->lock, flags); 456 if (!list_empty(&ps->async_completed)) { 457 as = list_entry(ps->async_completed.next, struct async, 458 asynclist); 459 list_del_init(&as->asynclist); 460 } 461 spin_unlock_irqrestore(&ps->lock, flags); 462 return as; 463} 464 465static struct async *async_getpending(struct usb_dev_state *ps, 466 void __user *userurb) 467{ 468 struct async *as; 469 470 list_for_each_entry(as, &ps->async_pending, asynclist) 471 if (as->userurb == userurb) { 472 list_del_init(&as->asynclist); 473 return as; 474 } 475 476 return NULL; 477} 478 479static void snoop_urb(struct usb_device *udev, 480 void __user *userurb, int pipe, unsigned length, 481 int timeout_or_status, enum snoop_when when, 482 unsigned char *data, unsigned data_len) 483{ 484 static const char *types[] = {"isoc", "int", "ctrl", "bulk"}; 485 static const char *dirs[] = {"out", "in"}; 486 int ep; 487 const char *t, *d; 488 489 if (!usbfs_snoop) 490 return; 491 492 ep = usb_pipeendpoint(pipe); 493 t = types[usb_pipetype(pipe)]; 494 d = dirs[!!usb_pipein(pipe)]; 495 496 if (userurb) { /* Async */ 497 if (when == SUBMIT) 498 dev_info(&udev->dev, "userurb %px, ep%d %s-%s, " 499 "length %u\n", 500 userurb, ep, t, d, length); 501 else 502 dev_info(&udev->dev, "userurb %px, ep%d %s-%s, " 503 "actual_length %u status %d\n", 504 userurb, ep, t, d, length, 505 timeout_or_status); 506 } else { 507 if (when == SUBMIT) 508 dev_info(&udev->dev, "ep%d %s-%s, length %u, " 509 "timeout %d\n", 510 ep, t, d, length, timeout_or_status); 511 else 512 dev_info(&udev->dev, "ep%d %s-%s, actual_length %u, " 513 "status %d\n", 514 ep, t, d, length, timeout_or_status); 515 } 516 517 data_len = min(data_len, usbfs_snoop_max); 518 if (data && data_len > 0) { 519 print_hex_dump(KERN_DEBUG, "data: ", DUMP_PREFIX_NONE, 32, 1, 520 data, data_len, 1); 521 } 522} 523 524static void snoop_urb_data(struct urb *urb, unsigned len) 525{ 526 int i, size; 527 528 len = min(len, usbfs_snoop_max); 529 if (!usbfs_snoop || len == 0) 530 return; 531 532 if (urb->num_sgs == 0) { 533 print_hex_dump(KERN_DEBUG, "data: ", DUMP_PREFIX_NONE, 32, 1, 534 urb->transfer_buffer, len, 1); 535 return; 536 } 537 538 for (i = 0; i < urb->num_sgs && len; i++) { 539 size = (len > USB_SG_SIZE) ? USB_SG_SIZE : len; 540 print_hex_dump(KERN_DEBUG, "data: ", DUMP_PREFIX_NONE, 32, 1, 541 sg_virt(&urb->sg[i]), size, 1); 542 len -= size; 543 } 544} 545 546static int copy_urb_data_to_user(u8 __user *userbuffer, struct urb *urb) 547{ 548 unsigned i, len, size; 549 550 if (urb->number_of_packets > 0) /* Isochronous */ 551 len = urb->transfer_buffer_length; 552 else /* Non-Isoc */ 553 len = urb->actual_length; 554 555 if (urb->num_sgs == 0) { 556 if (copy_to_user(userbuffer, urb->transfer_buffer, len)) 557 return -EFAULT; 558 return 0; 559 } 560 561 for (i = 0; i < urb->num_sgs && len; i++) { 562 size = (len > USB_SG_SIZE) ? USB_SG_SIZE : len; 563 if (copy_to_user(userbuffer, sg_virt(&urb->sg[i]), size)) 564 return -EFAULT; 565 userbuffer += size; 566 len -= size; 567 } 568 569 return 0; 570} 571 572#define AS_CONTINUATION 1 573#define AS_UNLINK 2 574 575static void cancel_bulk_urbs(struct usb_dev_state *ps, unsigned bulk_addr) 576__releases(ps->lock) 577__acquires(ps->lock) 578{ 579 struct urb *urb; 580 struct async *as; 581 582 /* Mark all the pending URBs that match bulk_addr, up to but not 583 * including the first one without AS_CONTINUATION. If such an 584 * URB is encountered then a new transfer has already started so 585 * the endpoint doesn't need to be disabled; otherwise it does. 586 */ 587 list_for_each_entry(as, &ps->async_pending, asynclist) { 588 if (as->bulk_addr == bulk_addr) { 589 if (as->bulk_status != AS_CONTINUATION) 590 goto rescan; 591 as->bulk_status = AS_UNLINK; 592 as->bulk_addr = 0; 593 } 594 } 595 ps->disabled_bulk_eps |= (1 << bulk_addr); 596 597 /* Now carefully unlink all the marked pending URBs */ 598 rescan: 599 list_for_each_entry_reverse(as, &ps->async_pending, asynclist) { 600 if (as->bulk_status == AS_UNLINK) { 601 as->bulk_status = 0; /* Only once */ 602 urb = as->urb; 603 usb_get_urb(urb); 604 spin_unlock(&ps->lock); /* Allow completions */ 605 usb_unlink_urb(urb); 606 usb_put_urb(urb); 607 spin_lock(&ps->lock); 608 goto rescan; 609 } 610 } 611} 612 613static void async_completed(struct urb *urb) 614{ 615 struct async *as = urb->context; 616 struct usb_dev_state *ps = as->ps; 617 struct pid *pid = NULL; 618 const struct cred *cred = NULL; 619 unsigned long flags; 620 sigval_t addr; 621 int signr, errno; 622 623 spin_lock_irqsave(&ps->lock, flags); 624 list_move_tail(&as->asynclist, &ps->async_completed); 625 as->status = urb->status; 626 signr = as->signr; 627 if (signr) { 628 errno = as->status; 629 addr = as->userurb_sigval; 630 pid = get_pid(as->pid); 631 cred = get_cred(as->cred); 632 } 633 snoop(&urb->dev->dev, "urb complete\n"); 634 snoop_urb(urb->dev, as->userurb, urb->pipe, urb->actual_length, 635 as->status, COMPLETE, NULL, 0); 636 if (usb_urb_dir_in(urb)) 637 snoop_urb_data(urb, urb->actual_length); 638 639 if (as->status < 0 && as->bulk_addr && as->status != -ECONNRESET && 640 as->status != -ENOENT) 641 cancel_bulk_urbs(ps, as->bulk_addr); 642 643 wake_up(&ps->wait); 644 spin_unlock_irqrestore(&ps->lock, flags); 645 646 if (signr) { 647 kill_pid_usb_asyncio(signr, errno, addr, pid, cred); 648 put_pid(pid); 649 put_cred(cred); 650 } 651} 652 653static void destroy_async(struct usb_dev_state *ps, struct list_head *list) 654{ 655 struct urb *urb; 656 struct async *as; 657 unsigned long flags; 658 659 spin_lock_irqsave(&ps->lock, flags); 660 while (!list_empty(list)) { 661 as = list_last_entry(list, struct async, asynclist); 662 list_del_init(&as->asynclist); 663 urb = as->urb; 664 usb_get_urb(urb); 665 666 /* drop the spinlock so the completion handler can run */ 667 spin_unlock_irqrestore(&ps->lock, flags); 668 usb_kill_urb(urb); 669 usb_put_urb(urb); 670 spin_lock_irqsave(&ps->lock, flags); 671 } 672 spin_unlock_irqrestore(&ps->lock, flags); 673} 674 675static void destroy_async_on_interface(struct usb_dev_state *ps, 676 unsigned int ifnum) 677{ 678 struct list_head *p, *q, hitlist; 679 unsigned long flags; 680 681 INIT_LIST_HEAD(&hitlist); 682 spin_lock_irqsave(&ps->lock, flags); 683 list_for_each_safe(p, q, &ps->async_pending) 684 if (ifnum == list_entry(p, struct async, asynclist)->ifnum) 685 list_move_tail(p, &hitlist); 686 spin_unlock_irqrestore(&ps->lock, flags); 687 destroy_async(ps, &hitlist); 688} 689 690static void destroy_all_async(struct usb_dev_state *ps) 691{ 692 destroy_async(ps, &ps->async_pending); 693} 694 695/* 696 * interface claims are made only at the request of user level code, 697 * which can also release them (explicitly or by closing files). 698 * they're also undone when devices disconnect. 699 */ 700 701static int driver_probe(struct usb_interface *intf, 702 const struct usb_device_id *id) 703{ 704 return -ENODEV; 705} 706 707static void driver_disconnect(struct usb_interface *intf) 708{ 709 struct usb_dev_state *ps = usb_get_intfdata(intf); 710 unsigned int ifnum = intf->altsetting->desc.bInterfaceNumber; 711 712 if (!ps) 713 return; 714 715 /* NOTE: this relies on usbcore having canceled and completed 716 * all pending I/O requests; 2.6 does that. 717 */ 718 719 if (likely(ifnum < 8*sizeof(ps->ifclaimed))) 720 clear_bit(ifnum, &ps->ifclaimed); 721 else 722 dev_warn(&intf->dev, "interface number %u out of range\n", 723 ifnum); 724 725 usb_set_intfdata(intf, NULL); 726 727 /* force async requests to complete */ 728 destroy_async_on_interface(ps, ifnum); 729} 730 731/* We don't care about suspend/resume of claimed interfaces */ 732static int driver_suspend(struct usb_interface *intf, pm_message_t msg) 733{ 734 return 0; 735} 736 737static int driver_resume(struct usb_interface *intf) 738{ 739 return 0; 740} 741 742/* The following routines apply to the entire device, not interfaces */ 743void usbfs_notify_suspend(struct usb_device *udev) 744{ 745 /* We don't need to handle this */ 746} 747 748void usbfs_notify_resume(struct usb_device *udev) 749{ 750 struct usb_dev_state *ps; 751 752 /* Protect against simultaneous remove or release */ 753 mutex_lock(&usbfs_mutex); 754 list_for_each_entry(ps, &udev->filelist, list) { 755 WRITE_ONCE(ps->not_yet_resumed, 0); 756 wake_up_all(&ps->wait_for_resume); 757 } 758 mutex_unlock(&usbfs_mutex); 759} 760 761struct usb_driver usbfs_driver = { 762 .name = "usbfs", 763 .probe = driver_probe, 764 .disconnect = driver_disconnect, 765 .suspend = driver_suspend, 766 .resume = driver_resume, 767 .supports_autosuspend = 1, 768}; 769 770static int claimintf(struct usb_dev_state *ps, unsigned int ifnum) 771{ 772 struct usb_device *dev = ps->dev; 773 struct usb_interface *intf; 774 int err; 775 776 if (ifnum >= 8*sizeof(ps->ifclaimed)) 777 return -EINVAL; 778 /* already claimed */ 779 if (test_bit(ifnum, &ps->ifclaimed)) 780 return 0; 781 782 if (ps->privileges_dropped && 783 !test_bit(ifnum, &ps->interface_allowed_mask)) 784 return -EACCES; 785 786 intf = usb_ifnum_to_if(dev, ifnum); 787 if (!intf) 788 err = -ENOENT; 789 else { 790 unsigned int old_suppress; 791 792 /* suppress uevents while claiming interface */ 793 old_suppress = dev_get_uevent_suppress(&intf->dev); 794 dev_set_uevent_suppress(&intf->dev, 1); 795 err = usb_driver_claim_interface(&usbfs_driver, intf, ps); 796 dev_set_uevent_suppress(&intf->dev, old_suppress); 797 } 798 if (err == 0) 799 set_bit(ifnum, &ps->ifclaimed); 800 return err; 801} 802 803static int releaseintf(struct usb_dev_state *ps, unsigned int ifnum) 804{ 805 struct usb_device *dev; 806 struct usb_interface *intf; 807 int err; 808 809 err = -EINVAL; 810 if (ifnum >= 8*sizeof(ps->ifclaimed)) 811 return err; 812 dev = ps->dev; 813 intf = usb_ifnum_to_if(dev, ifnum); 814 if (!intf) 815 err = -ENOENT; 816 else if (test_and_clear_bit(ifnum, &ps->ifclaimed)) { 817 unsigned int old_suppress; 818 819 /* suppress uevents while releasing interface */ 820 old_suppress = dev_get_uevent_suppress(&intf->dev); 821 dev_set_uevent_suppress(&intf->dev, 1); 822 usb_driver_release_interface(&usbfs_driver, intf); 823 dev_set_uevent_suppress(&intf->dev, old_suppress); 824 err = 0; 825 } 826 return err; 827} 828 829static int checkintf(struct usb_dev_state *ps, unsigned int ifnum) 830{ 831 if (ps->dev->state != USB_STATE_CONFIGURED) 832 return -EHOSTUNREACH; 833 if (ifnum >= 8*sizeof(ps->ifclaimed)) 834 return -EINVAL; 835 if (test_bit(ifnum, &ps->ifclaimed)) 836 return 0; 837 /* if not yet claimed, claim it for the driver */ 838 dev_warn(&ps->dev->dev, "usbfs: process %d (%s) did not claim " 839 "interface %u before use\n", task_pid_nr(current), 840 current->comm, ifnum); 841 return claimintf(ps, ifnum); 842} 843 844static int findintfep(struct usb_device *dev, unsigned int ep) 845{ 846 unsigned int i, j, e; 847 struct usb_interface *intf; 848 struct usb_host_interface *alts; 849 struct usb_endpoint_descriptor *endpt; 850 851 if (ep & ~(USB_DIR_IN|0xf)) 852 return -EINVAL; 853 if (!dev->actconfig) 854 return -ESRCH; 855 for (i = 0; i < dev->actconfig->desc.bNumInterfaces; i++) { 856 intf = dev->actconfig->interface[i]; 857 for (j = 0; j < intf->num_altsetting; j++) { 858 alts = &intf->altsetting[j]; 859 for (e = 0; e < alts->desc.bNumEndpoints; e++) { 860 endpt = &alts->endpoint[e].desc; 861 if (endpt->bEndpointAddress == ep) 862 return alts->desc.bInterfaceNumber; 863 } 864 } 865 } 866 return -ENOENT; 867} 868 869static int check_ctrlrecip(struct usb_dev_state *ps, unsigned int requesttype, 870 unsigned int request, unsigned int index) 871{ 872 int ret = 0; 873 struct usb_host_interface *alt_setting; 874 875 if (ps->dev->state != USB_STATE_UNAUTHENTICATED 876 && ps->dev->state != USB_STATE_ADDRESS 877 && ps->dev->state != USB_STATE_CONFIGURED) 878 return -EHOSTUNREACH; 879 if (USB_TYPE_VENDOR == (USB_TYPE_MASK & requesttype)) 880 return 0; 881 882 /* 883 * check for the special corner case 'get_device_id' in the printer 884 * class specification, which we always want to allow as it is used 885 * to query things like ink level, etc. 886 */ 887 if (requesttype == 0xa1 && request == 0) { 888 alt_setting = usb_find_alt_setting(ps->dev->actconfig, 889 index >> 8, index & 0xff); 890 if (alt_setting 891 && alt_setting->desc.bInterfaceClass == USB_CLASS_PRINTER) 892 return 0; 893 } 894 895 index &= 0xff; 896 switch (requesttype & USB_RECIP_MASK) { 897 case USB_RECIP_ENDPOINT: 898 if ((index & ~USB_DIR_IN) == 0) 899 return 0; 900 ret = findintfep(ps->dev, index); 901 if (ret < 0) { 902 /* 903 * Some not fully compliant Win apps seem to get 904 * index wrong and have the endpoint number here 905 * rather than the endpoint address (with the 906 * correct direction). Win does let this through, 907 * so we'll not reject it here but leave it to 908 * the device to not break KVM. But we warn. 909 */ 910 ret = findintfep(ps->dev, index ^ 0x80); 911 if (ret >= 0) 912 dev_info(&ps->dev->dev, 913 "%s: process %i (%s) requesting ep %02x but needs %02x\n", 914 __func__, task_pid_nr(current), 915 current->comm, index, index ^ 0x80); 916 } 917 if (ret >= 0) 918 ret = checkintf(ps, ret); 919 break; 920 921 case USB_RECIP_INTERFACE: 922 ret = checkintf(ps, index); 923 break; 924 } 925 return ret; 926} 927 928static struct usb_host_endpoint *ep_to_host_endpoint(struct usb_device *dev, 929 unsigned char ep) 930{ 931 if (ep & USB_ENDPOINT_DIR_MASK) 932 return dev->ep_in[ep & USB_ENDPOINT_NUMBER_MASK]; 933 else 934 return dev->ep_out[ep & USB_ENDPOINT_NUMBER_MASK]; 935} 936 937static int parse_usbdevfs_streams(struct usb_dev_state *ps, 938 struct usbdevfs_streams __user *streams, 939 unsigned int *num_streams_ret, 940 unsigned int *num_eps_ret, 941 struct usb_host_endpoint ***eps_ret, 942 struct usb_interface **intf_ret) 943{ 944 unsigned int i, num_streams, num_eps; 945 struct usb_host_endpoint **eps; 946 struct usb_interface *intf = NULL; 947 unsigned char ep; 948 int ifnum, ret; 949 950 if (get_user(num_streams, &streams->num_streams) || 951 get_user(num_eps, &streams->num_eps)) 952 return -EFAULT; 953 954 if (num_eps < 1 || num_eps > USB_MAXENDPOINTS) 955 return -EINVAL; 956 957 /* The XHCI controller allows max 2 ^ 16 streams */ 958 if (num_streams_ret && (num_streams < 2 || num_streams > 65536)) 959 return -EINVAL; 960 961 eps = kmalloc_array(num_eps, sizeof(*eps), GFP_KERNEL); 962 if (!eps) 963 return -ENOMEM; 964 965 for (i = 0; i < num_eps; i++) { 966 if (get_user(ep, &streams->eps[i])) { 967 ret = -EFAULT; 968 goto error; 969 } 970 eps[i] = ep_to_host_endpoint(ps->dev, ep); 971 if (!eps[i]) { 972 ret = -EINVAL; 973 goto error; 974 } 975 976 /* usb_alloc/free_streams operate on an usb_interface */ 977 ifnum = findintfep(ps->dev, ep); 978 if (ifnum < 0) { 979 ret = ifnum; 980 goto error; 981 } 982 983 if (i == 0) { 984 ret = checkintf(ps, ifnum); 985 if (ret < 0) 986 goto error; 987 intf = usb_ifnum_to_if(ps->dev, ifnum); 988 } else { 989 /* Verify all eps belong to the same interface */ 990 if (ifnum != intf->altsetting->desc.bInterfaceNumber) { 991 ret = -EINVAL; 992 goto error; 993 } 994 } 995 } 996 997 if (num_streams_ret) 998 *num_streams_ret = num_streams; 999 *num_eps_ret = num_eps; 1000 *eps_ret = eps; 1001 *intf_ret = intf; 1002 1003 return 0; 1004 1005error: 1006 kfree(eps); 1007 return ret; 1008} 1009 1010static struct usb_device *usbdev_lookup_by_devt(dev_t devt) 1011{ 1012 struct device *dev; 1013 1014 dev = bus_find_device_by_devt(&usb_bus_type, devt); 1015 if (!dev) 1016 return NULL; 1017 return to_usb_device(dev); 1018} 1019 1020/* 1021 * file operations 1022 */ 1023static int usbdev_open(struct inode *inode, struct file *file) 1024{ 1025 struct usb_device *dev = NULL; 1026 struct usb_dev_state *ps; 1027 int ret; 1028 1029 ret = -ENOMEM; 1030 ps = kzalloc(sizeof(struct usb_dev_state), GFP_KERNEL); 1031 if (!ps) 1032 goto out_free_ps; 1033 1034 ret = -ENODEV; 1035 1036 /* usbdev device-node */ 1037 if (imajor(inode) == USB_DEVICE_MAJOR) 1038 dev = usbdev_lookup_by_devt(inode->i_rdev); 1039 if (!dev) 1040 goto out_free_ps; 1041 1042 usb_lock_device(dev); 1043 if (dev->state == USB_STATE_NOTATTACHED) 1044 goto out_unlock_device; 1045 1046 ret = usb_autoresume_device(dev); 1047 if (ret) 1048 goto out_unlock_device; 1049 1050 ps->dev = dev; 1051 ps->file = file; 1052 ps->interface_allowed_mask = 0xFFFFFFFF; /* 32 bits */ 1053 spin_lock_init(&ps->lock); 1054 INIT_LIST_HEAD(&ps->list); 1055 INIT_LIST_HEAD(&ps->async_pending); 1056 INIT_LIST_HEAD(&ps->async_completed); 1057 INIT_LIST_HEAD(&ps->memory_list); 1058 init_waitqueue_head(&ps->wait); 1059 init_waitqueue_head(&ps->wait_for_resume); 1060 ps->disc_pid = get_pid(task_pid(current)); 1061 ps->cred = get_current_cred(); 1062 smp_wmb(); 1063 1064 /* Can't race with resume; the device is already active */ 1065 list_add_tail(&ps->list, &dev->filelist); 1066 file->private_data = ps; 1067 usb_unlock_device(dev); 1068 snoop(&dev->dev, "opened by process %d: %s\n", task_pid_nr(current), 1069 current->comm); 1070 return ret; 1071 1072 out_unlock_device: 1073 usb_unlock_device(dev); 1074 usb_put_dev(dev); 1075 out_free_ps: 1076 kfree(ps); 1077 return ret; 1078} 1079 1080static int usbdev_release(struct inode *inode, struct file *file) 1081{ 1082 struct usb_dev_state *ps = file->private_data; 1083 struct usb_device *dev = ps->dev; 1084 unsigned int ifnum; 1085 struct async *as; 1086 1087 usb_lock_device(dev); 1088 usb_hub_release_all_ports(dev, ps); 1089 1090 /* Protect against simultaneous resume */ 1091 mutex_lock(&usbfs_mutex); 1092 list_del_init(&ps->list); 1093 mutex_unlock(&usbfs_mutex); 1094 1095 for (ifnum = 0; ps->ifclaimed && ifnum < 8*sizeof(ps->ifclaimed); 1096 ifnum++) { 1097 if (test_bit(ifnum, &ps->ifclaimed)) 1098 releaseintf(ps, ifnum); 1099 } 1100 destroy_all_async(ps); 1101 if (!ps->suspend_allowed) 1102 usb_autosuspend_device(dev); 1103 usb_unlock_device(dev); 1104 usb_put_dev(dev); 1105 put_pid(ps->disc_pid); 1106 put_cred(ps->cred); 1107 1108 as = async_getcompleted(ps); 1109 while (as) { 1110 free_async(as); 1111 as = async_getcompleted(ps); 1112 } 1113 1114 kfree(ps); 1115 return 0; 1116} 1117 1118static void usbfs_blocking_completion(struct urb *urb) 1119{ 1120 complete((struct completion *) urb->context); 1121} 1122 1123/* 1124 * Much like usb_start_wait_urb, but returns status separately from 1125 * actual_length and uses a killable wait. 1126 */ 1127static int usbfs_start_wait_urb(struct urb *urb, int timeout, 1128 unsigned int *actlen) 1129{ 1130 DECLARE_COMPLETION_ONSTACK(ctx); 1131 unsigned long expire; 1132 int rc; 1133 1134 urb->context = &ctx; 1135 urb->complete = usbfs_blocking_completion; 1136 *actlen = 0; 1137 rc = usb_submit_urb(urb, GFP_KERNEL); 1138 if (unlikely(rc)) 1139 return rc; 1140 1141 expire = (timeout ? msecs_to_jiffies(timeout) : MAX_SCHEDULE_TIMEOUT); 1142 rc = wait_for_completion_killable_timeout(&ctx, expire); 1143 if (rc <= 0) { 1144 usb_kill_urb(urb); 1145 *actlen = urb->actual_length; 1146 if (urb->status != -ENOENT) 1147 ; /* Completed before it was killed */ 1148 else if (rc < 0) 1149 return -EINTR; 1150 else 1151 return -ETIMEDOUT; 1152 } 1153 *actlen = urb->actual_length; 1154 return urb->status; 1155} 1156 1157static int do_proc_control(struct usb_dev_state *ps, 1158 struct usbdevfs_ctrltransfer *ctrl) 1159{ 1160 struct usb_device *dev = ps->dev; 1161 unsigned int tmo; 1162 unsigned char *tbuf; 1163 unsigned int wLength, actlen; 1164 int i, pipe, ret; 1165 struct urb *urb = NULL; 1166 struct usb_ctrlrequest *dr = NULL; 1167 1168 ret = check_ctrlrecip(ps, ctrl->bRequestType, ctrl->bRequest, 1169 ctrl->wIndex); 1170 if (ret) 1171 return ret; 1172 wLength = ctrl->wLength; /* To suppress 64k PAGE_SIZE warning */ 1173 if (wLength > PAGE_SIZE) 1174 return -EINVAL; 1175 ret = usbfs_increase_memory_usage(PAGE_SIZE + sizeof(struct urb) + 1176 sizeof(struct usb_ctrlrequest)); 1177 if (ret) 1178 return ret; 1179 1180 ret = -ENOMEM; 1181 tbuf = (unsigned char *)__get_free_page(GFP_KERNEL); 1182 if (!tbuf) 1183 goto done; 1184 urb = usb_alloc_urb(0, GFP_NOIO); 1185 if (!urb) 1186 goto done; 1187 dr = kmalloc(sizeof(struct usb_ctrlrequest), GFP_NOIO); 1188 if (!dr) 1189 goto done; 1190 1191 dr->bRequestType = ctrl->bRequestType; 1192 dr->bRequest = ctrl->bRequest; 1193 dr->wValue = cpu_to_le16(ctrl->wValue); 1194 dr->wIndex = cpu_to_le16(ctrl->wIndex); 1195 dr->wLength = cpu_to_le16(ctrl->wLength); 1196 1197 tmo = ctrl->timeout; 1198 snoop(&dev->dev, "control urb: bRequestType=%02x " 1199 "bRequest=%02x wValue=%04x " 1200 "wIndex=%04x wLength=%04x\n", 1201 ctrl->bRequestType, ctrl->bRequest, ctrl->wValue, 1202 ctrl->wIndex, ctrl->wLength); 1203 1204 if ((ctrl->bRequestType & USB_DIR_IN) && wLength) { 1205 pipe = usb_rcvctrlpipe(dev, 0); 1206 usb_fill_control_urb(urb, dev, pipe, (unsigned char *) dr, tbuf, 1207 wLength, NULL, NULL); 1208 snoop_urb(dev, NULL, pipe, wLength, tmo, SUBMIT, NULL, 0); 1209 1210 usb_unlock_device(dev); 1211 i = usbfs_start_wait_urb(urb, tmo, &actlen); 1212 1213 /* Linger a bit, prior to the next control message. */ 1214 if (dev->quirks & USB_QUIRK_DELAY_CTRL_MSG) 1215 msleep(200); 1216 usb_lock_device(dev); 1217 snoop_urb(dev, NULL, pipe, actlen, i, COMPLETE, tbuf, actlen); 1218 if (!i && actlen) { 1219 if (copy_to_user(ctrl->data, tbuf, actlen)) { 1220 ret = -EFAULT; 1221 goto done; 1222 } 1223 } 1224 } else { 1225 if (wLength) { 1226 if (copy_from_user(tbuf, ctrl->data, wLength)) { 1227 ret = -EFAULT; 1228 goto done; 1229 } 1230 } 1231 pipe = usb_sndctrlpipe(dev, 0); 1232 usb_fill_control_urb(urb, dev, pipe, (unsigned char *) dr, tbuf, 1233 wLength, NULL, NULL); 1234 snoop_urb(dev, NULL, pipe, wLength, tmo, SUBMIT, tbuf, wLength); 1235 1236 usb_unlock_device(dev); 1237 i = usbfs_start_wait_urb(urb, tmo, &actlen); 1238 1239 /* Linger a bit, prior to the next control message. */ 1240 if (dev->quirks & USB_QUIRK_DELAY_CTRL_MSG) 1241 msleep(200); 1242 usb_lock_device(dev); 1243 snoop_urb(dev, NULL, pipe, actlen, i, COMPLETE, NULL, 0); 1244 } 1245 if (i < 0 && i != -EPIPE) { 1246 dev_printk(KERN_DEBUG, &dev->dev, "usbfs: USBDEVFS_CONTROL " 1247 "failed cmd %s rqt %u rq %u len %u ret %d\n", 1248 current->comm, ctrl->bRequestType, ctrl->bRequest, 1249 ctrl->wLength, i); 1250 } 1251 ret = (i < 0 ? i : actlen); 1252 1253 done: 1254 kfree(dr); 1255 usb_free_urb(urb); 1256 free_page((unsigned long) tbuf); 1257 usbfs_decrease_memory_usage(PAGE_SIZE + sizeof(struct urb) + 1258 sizeof(struct usb_ctrlrequest)); 1259 return ret; 1260} 1261 1262static int proc_control(struct usb_dev_state *ps, void __user *arg) 1263{ 1264 struct usbdevfs_ctrltransfer ctrl; 1265 1266 if (copy_from_user(&ctrl, arg, sizeof(ctrl))) 1267 return -EFAULT; 1268 return do_proc_control(ps, &ctrl); 1269} 1270 1271static int do_proc_bulk(struct usb_dev_state *ps, 1272 struct usbdevfs_bulktransfer *bulk) 1273{ 1274 struct usb_device *dev = ps->dev; 1275 unsigned int tmo, len1, len2, pipe; 1276 unsigned char *tbuf; 1277 int i, ret; 1278 struct urb *urb = NULL; 1279 struct usb_host_endpoint *ep; 1280 1281 ret = findintfep(ps->dev, bulk->ep); 1282 if (ret < 0) 1283 return ret; 1284 ret = checkintf(ps, ret); 1285 if (ret) 1286 return ret; 1287 1288 len1 = bulk->len; 1289 if (len1 < 0 || len1 >= (INT_MAX - sizeof(struct urb))) 1290 return -EINVAL; 1291 1292 if (bulk->ep & USB_DIR_IN) 1293 pipe = usb_rcvbulkpipe(dev, bulk->ep & 0x7f); 1294 else 1295 pipe = usb_sndbulkpipe(dev, bulk->ep & 0x7f); 1296 ep = usb_pipe_endpoint(dev, pipe); 1297 if (!ep || !usb_endpoint_maxp(&ep->desc)) 1298 return -EINVAL; 1299 ret = usbfs_increase_memory_usage(len1 + sizeof(struct urb)); 1300 if (ret) 1301 return ret; 1302 1303 /* 1304 * len1 can be almost arbitrarily large. Don't WARN if it's 1305 * too big, just fail the request. 1306 */ 1307 ret = -ENOMEM; 1308 tbuf = kmalloc(len1, GFP_KERNEL | __GFP_NOWARN); 1309 if (!tbuf) 1310 goto done; 1311 urb = usb_alloc_urb(0, GFP_KERNEL); 1312 if (!urb) 1313 goto done; 1314 1315 if ((ep->desc.bmAttributes & USB_ENDPOINT_XFERTYPE_MASK) == 1316 USB_ENDPOINT_XFER_INT) { 1317 pipe = (pipe & ~(3 << 30)) | (PIPE_INTERRUPT << 30); 1318 usb_fill_int_urb(urb, dev, pipe, tbuf, len1, 1319 NULL, NULL, ep->desc.bInterval); 1320 } else { 1321 usb_fill_bulk_urb(urb, dev, pipe, tbuf, len1, NULL, NULL); 1322 } 1323 1324 tmo = bulk->timeout; 1325 if (bulk->ep & 0x80) { 1326 snoop_urb(dev, NULL, pipe, len1, tmo, SUBMIT, NULL, 0); 1327 1328 usb_unlock_device(dev); 1329 i = usbfs_start_wait_urb(urb, tmo, &len2); 1330 usb_lock_device(dev); 1331 snoop_urb(dev, NULL, pipe, len2, i, COMPLETE, tbuf, len2); 1332 1333 if (!i && len2) { 1334 if (copy_to_user(bulk->data, tbuf, len2)) { 1335 ret = -EFAULT; 1336 goto done; 1337 } 1338 } 1339 } else { 1340 if (len1) { 1341 if (copy_from_user(tbuf, bulk->data, len1)) { 1342 ret = -EFAULT; 1343 goto done; 1344 } 1345 } 1346 snoop_urb(dev, NULL, pipe, len1, tmo, SUBMIT, tbuf, len1); 1347 1348 usb_unlock_device(dev); 1349 i = usbfs_start_wait_urb(urb, tmo, &len2); 1350 usb_lock_device(dev); 1351 snoop_urb(dev, NULL, pipe, len2, i, COMPLETE, NULL, 0); 1352 } 1353 ret = (i < 0 ? i : len2); 1354 done: 1355 usb_free_urb(urb); 1356 kfree(tbuf); 1357 usbfs_decrease_memory_usage(len1 + sizeof(struct urb)); 1358 return ret; 1359} 1360 1361static int proc_bulk(struct usb_dev_state *ps, void __user *arg) 1362{ 1363 struct usbdevfs_bulktransfer bulk; 1364 1365 if (copy_from_user(&bulk, arg, sizeof(bulk))) 1366 return -EFAULT; 1367 return do_proc_bulk(ps, &bulk); 1368} 1369 1370static void check_reset_of_active_ep(struct usb_device *udev, 1371 unsigned int epnum, char *ioctl_name) 1372{ 1373 struct usb_host_endpoint **eps; 1374 struct usb_host_endpoint *ep; 1375 1376 eps = (epnum & USB_DIR_IN) ? udev->ep_in : udev->ep_out; 1377 ep = eps[epnum & 0x0f]; 1378 if (ep && !list_empty(&ep->urb_list)) 1379 dev_warn(&udev->dev, "Process %d (%s) called USBDEVFS_%s for active endpoint 0x%02x\n", 1380 task_pid_nr(current), current->comm, 1381 ioctl_name, epnum); 1382} 1383 1384static int proc_resetep(struct usb_dev_state *ps, void __user *arg) 1385{ 1386 unsigned int ep; 1387 int ret; 1388 1389 if (get_user(ep, (unsigned int __user *)arg)) 1390 return -EFAULT; 1391 ret = findintfep(ps->dev, ep); 1392 if (ret < 0) 1393 return ret; 1394 ret = checkintf(ps, ret); 1395 if (ret) 1396 return ret; 1397 check_reset_of_active_ep(ps->dev, ep, "RESETEP"); 1398 usb_reset_endpoint(ps->dev, ep); 1399 return 0; 1400} 1401 1402static int proc_clearhalt(struct usb_dev_state *ps, void __user *arg) 1403{ 1404 unsigned int ep; 1405 int pipe; 1406 int ret; 1407 1408 if (get_user(ep, (unsigned int __user *)arg)) 1409 return -EFAULT; 1410 ret = findintfep(ps->dev, ep); 1411 if (ret < 0) 1412 return ret; 1413 ret = checkintf(ps, ret); 1414 if (ret) 1415 return ret; 1416 check_reset_of_active_ep(ps->dev, ep, "CLEAR_HALT"); 1417 if (ep & USB_DIR_IN) 1418 pipe = usb_rcvbulkpipe(ps->dev, ep & 0x7f); 1419 else 1420 pipe = usb_sndbulkpipe(ps->dev, ep & 0x7f); 1421 1422 return usb_clear_halt(ps->dev, pipe); 1423} 1424 1425static int proc_getdriver(struct usb_dev_state *ps, void __user *arg) 1426{ 1427 struct usbdevfs_getdriver gd; 1428 struct usb_interface *intf; 1429 int ret; 1430 1431 if (copy_from_user(&gd, arg, sizeof(gd))) 1432 return -EFAULT; 1433 intf = usb_ifnum_to_if(ps->dev, gd.interface); 1434 if (!intf || !intf->dev.driver) 1435 ret = -ENODATA; 1436 else { 1437 strlcpy(gd.driver, intf->dev.driver->name, 1438 sizeof(gd.driver)); 1439 ret = (copy_to_user(arg, &gd, sizeof(gd)) ? -EFAULT : 0); 1440 } 1441 return ret; 1442} 1443 1444static int proc_connectinfo(struct usb_dev_state *ps, void __user *arg) 1445{ 1446 struct usbdevfs_connectinfo ci; 1447 1448 memset(&ci, 0, sizeof(ci)); 1449 ci.devnum = ps->dev->devnum; 1450 ci.slow = ps->dev->speed == USB_SPEED_LOW; 1451 1452 if (copy_to_user(arg, &ci, sizeof(ci))) 1453 return -EFAULT; 1454 return 0; 1455} 1456 1457static int proc_conninfo_ex(struct usb_dev_state *ps, 1458 void __user *arg, size_t size) 1459{ 1460 struct usbdevfs_conninfo_ex ci; 1461 struct usb_device *udev = ps->dev; 1462 1463 if (size < sizeof(ci.size)) 1464 return -EINVAL; 1465 1466 memset(&ci, 0, sizeof(ci)); 1467 ci.size = sizeof(ci); 1468 ci.busnum = udev->bus->busnum; 1469 ci.devnum = udev->devnum; 1470 ci.speed = udev->speed; 1471 1472 while (udev && udev->portnum != 0) { 1473 if (++ci.num_ports <= ARRAY_SIZE(ci.ports)) 1474 ci.ports[ARRAY_SIZE(ci.ports) - ci.num_ports] = 1475 udev->portnum; 1476 udev = udev->parent; 1477 } 1478 1479 if (ci.num_ports < ARRAY_SIZE(ci.ports)) 1480 memmove(&ci.ports[0], 1481 &ci.ports[ARRAY_SIZE(ci.ports) - ci.num_ports], 1482 ci.num_ports); 1483 1484 if (copy_to_user(arg, &ci, min(sizeof(ci), size))) 1485 return -EFAULT; 1486 1487 return 0; 1488} 1489 1490static int proc_resetdevice(struct usb_dev_state *ps) 1491{ 1492 struct usb_host_config *actconfig = ps->dev->actconfig; 1493 struct usb_interface *interface; 1494 int i, number; 1495 1496 /* Don't allow a device reset if the process has dropped the 1497 * privilege to do such things and any of the interfaces are 1498 * currently claimed. 1499 */ 1500 if (ps->privileges_dropped && actconfig) { 1501 for (i = 0; i < actconfig->desc.bNumInterfaces; ++i) { 1502 interface = actconfig->interface[i]; 1503 number = interface->cur_altsetting->desc.bInterfaceNumber; 1504 if (usb_interface_claimed(interface) && 1505 !test_bit(number, &ps->ifclaimed)) { 1506 dev_warn(&ps->dev->dev, 1507 "usbfs: interface %d claimed by %s while '%s' resets device\n", 1508 number, interface->dev.driver->name, current->comm); 1509 return -EACCES; 1510 } 1511 } 1512 } 1513 1514 return usb_reset_device(ps->dev); 1515} 1516 1517static int proc_setintf(struct usb_dev_state *ps, void __user *arg) 1518{ 1519 struct usbdevfs_setinterface setintf; 1520 int ret; 1521 1522 if (copy_from_user(&setintf, arg, sizeof(setintf))) 1523 return -EFAULT; 1524 ret = checkintf(ps, setintf.interface); 1525 if (ret) 1526 return ret; 1527 1528 destroy_async_on_interface(ps, setintf.interface); 1529 1530 return usb_set_interface(ps->dev, setintf.interface, 1531 setintf.altsetting); 1532} 1533 1534static int proc_setconfig(struct usb_dev_state *ps, void __user *arg) 1535{ 1536 int u; 1537 int status = 0; 1538 struct usb_host_config *actconfig; 1539 1540 if (get_user(u, (int __user *)arg)) 1541 return -EFAULT; 1542 1543 actconfig = ps->dev->actconfig; 1544 1545 /* Don't touch the device if any interfaces are claimed. 1546 * It could interfere with other drivers' operations, and if 1547 * an interface is claimed by usbfs it could easily deadlock. 1548 */ 1549 if (actconfig) { 1550 int i; 1551 1552 for (i = 0; i < actconfig->desc.bNumInterfaces; ++i) { 1553 if (usb_interface_claimed(actconfig->interface[i])) { 1554 dev_warn(&ps->dev->dev, 1555 "usbfs: interface %d claimed by %s " 1556 "while '%s' sets config #%d\n", 1557 actconfig->interface[i] 1558 ->cur_altsetting 1559 ->desc.bInterfaceNumber, 1560 actconfig->interface[i] 1561 ->dev.driver->name, 1562 current->comm, u); 1563 status = -EBUSY; 1564 break; 1565 } 1566 } 1567 } 1568 1569 /* SET_CONFIGURATION is often abused as a "cheap" driver reset, 1570 * so avoid usb_set_configuration()'s kick to sysfs 1571 */ 1572 if (status == 0) { 1573 if (actconfig && actconfig->desc.bConfigurationValue == u) 1574 status = usb_reset_configuration(ps->dev); 1575 else 1576 status = usb_set_configuration(ps->dev, u); 1577 } 1578 1579 return status; 1580} 1581 1582static struct usb_memory * 1583find_memory_area(struct usb_dev_state *ps, const struct usbdevfs_urb *uurb) 1584{ 1585 struct usb_memory *usbm = NULL, *iter; 1586 unsigned long flags; 1587 unsigned long uurb_start = (unsigned long)uurb->buffer; 1588 1589 spin_lock_irqsave(&ps->lock, flags); 1590 list_for_each_entry(iter, &ps->memory_list, memlist) { 1591 if (uurb_start >= iter->vm_start && 1592 uurb_start < iter->vm_start + iter->size) { 1593 if (uurb->buffer_length > iter->vm_start + iter->size - 1594 uurb_start) { 1595 usbm = ERR_PTR(-EINVAL); 1596 } else { 1597 usbm = iter; 1598 usbm->urb_use_count++; 1599 } 1600 break; 1601 } 1602 } 1603 spin_unlock_irqrestore(&ps->lock, flags); 1604 return usbm; 1605} 1606 1607static int proc_do_submiturb(struct usb_dev_state *ps, struct usbdevfs_urb *uurb, 1608 struct usbdevfs_iso_packet_desc __user *iso_frame_desc, 1609 void __user *arg, sigval_t userurb_sigval) 1610{ 1611 struct usbdevfs_iso_packet_desc *isopkt = NULL; 1612 struct usb_host_endpoint *ep; 1613 struct async *as = NULL; 1614 struct usb_ctrlrequest *dr = NULL; 1615 unsigned int u, totlen, isofrmlen; 1616 int i, ret, num_sgs = 0, ifnum = -1; 1617 int number_of_packets = 0; 1618 unsigned int stream_id = 0; 1619 void *buf; 1620 bool is_in; 1621 bool allow_short = false; 1622 bool allow_zero = false; 1623 unsigned long mask = USBDEVFS_URB_SHORT_NOT_OK | 1624 USBDEVFS_URB_BULK_CONTINUATION | 1625 USBDEVFS_URB_NO_FSBR | 1626 USBDEVFS_URB_ZERO_PACKET | 1627 USBDEVFS_URB_NO_INTERRUPT; 1628 /* USBDEVFS_URB_ISO_ASAP is a special case */ 1629 if (uurb->type == USBDEVFS_URB_TYPE_ISO) 1630 mask |= USBDEVFS_URB_ISO_ASAP; 1631 1632 if (uurb->flags & ~mask) 1633 return -EINVAL; 1634 1635 if ((unsigned int)uurb->buffer_length >= USBFS_XFER_MAX) 1636 return -EINVAL; 1637 if (uurb->buffer_length > 0 && !uurb->buffer) 1638 return -EINVAL; 1639 if (!(uurb->type == USBDEVFS_URB_TYPE_CONTROL && 1640 (uurb->endpoint & ~USB_ENDPOINT_DIR_MASK) == 0)) { 1641 ifnum = findintfep(ps->dev, uurb->endpoint); 1642 if (ifnum < 0) 1643 return ifnum; 1644 ret = checkintf(ps, ifnum); 1645 if (ret) 1646 return ret; 1647 } 1648 ep = ep_to_host_endpoint(ps->dev, uurb->endpoint); 1649 if (!ep) 1650 return -ENOENT; 1651 is_in = (uurb->endpoint & USB_ENDPOINT_DIR_MASK) != 0; 1652 1653 u = 0; 1654 switch (uurb->type) { 1655 case USBDEVFS_URB_TYPE_CONTROL: 1656 if (!usb_endpoint_xfer_control(&ep->desc)) 1657 return -EINVAL; 1658 /* min 8 byte setup packet */ 1659 if (uurb->buffer_length < 8) 1660 return -EINVAL; 1661 dr = kmalloc(sizeof(struct usb_ctrlrequest), GFP_KERNEL); 1662 if (!dr) 1663 return -ENOMEM; 1664 if (copy_from_user(dr, uurb->buffer, 8)) { 1665 ret = -EFAULT; 1666 goto error; 1667 } 1668 if (uurb->buffer_length < (le16_to_cpu(dr->wLength) + 8)) { 1669 ret = -EINVAL; 1670 goto error; 1671 } 1672 ret = check_ctrlrecip(ps, dr->bRequestType, dr->bRequest, 1673 le16_to_cpu(dr->wIndex)); 1674 if (ret) 1675 goto error; 1676 uurb->buffer_length = le16_to_cpu(dr->wLength); 1677 uurb->buffer += 8; 1678 if ((dr->bRequestType & USB_DIR_IN) && uurb->buffer_length) { 1679 is_in = true; 1680 uurb->endpoint |= USB_DIR_IN; 1681 } else { 1682 is_in = false; 1683 uurb->endpoint &= ~USB_DIR_IN; 1684 } 1685 if (is_in) 1686 allow_short = true; 1687 snoop(&ps->dev->dev, "control urb: bRequestType=%02x " 1688 "bRequest=%02x wValue=%04x " 1689 "wIndex=%04x wLength=%04x\n", 1690 dr->bRequestType, dr->bRequest, 1691 __le16_to_cpu(dr->wValue), 1692 __le16_to_cpu(dr->wIndex), 1693 __le16_to_cpu(dr->wLength)); 1694 u = sizeof(struct usb_ctrlrequest); 1695 break; 1696 1697 case USBDEVFS_URB_TYPE_BULK: 1698 if (!is_in) 1699 allow_zero = true; 1700 else 1701 allow_short = true; 1702 switch (usb_endpoint_type(&ep->desc)) { 1703 case USB_ENDPOINT_XFER_CONTROL: 1704 case USB_ENDPOINT_XFER_ISOC: 1705 return -EINVAL; 1706 case USB_ENDPOINT_XFER_INT: 1707 /* allow single-shot interrupt transfers */ 1708 uurb->type = USBDEVFS_URB_TYPE_INTERRUPT; 1709 goto interrupt_urb; 1710 } 1711 num_sgs = DIV_ROUND_UP(uurb->buffer_length, USB_SG_SIZE); 1712 if (num_sgs == 1 || num_sgs > ps->dev->bus->sg_tablesize) 1713 num_sgs = 0; 1714 if (ep->streams) 1715 stream_id = uurb->stream_id; 1716 break; 1717 1718 case USBDEVFS_URB_TYPE_INTERRUPT: 1719 if (!usb_endpoint_xfer_int(&ep->desc)) 1720 return -EINVAL; 1721 interrupt_urb: 1722 if (!is_in) 1723 allow_zero = true; 1724 else 1725 allow_short = true; 1726 break; 1727 1728 case USBDEVFS_URB_TYPE_ISO: 1729 /* arbitrary limit */ 1730 if (uurb->number_of_packets < 1 || 1731 uurb->number_of_packets > 128) 1732 return -EINVAL; 1733 if (!usb_endpoint_xfer_isoc(&ep->desc)) 1734 return -EINVAL; 1735 number_of_packets = uurb->number_of_packets; 1736 isofrmlen = sizeof(struct usbdevfs_iso_packet_desc) * 1737 number_of_packets; 1738 isopkt = memdup_user(iso_frame_desc, isofrmlen); 1739 if (IS_ERR(isopkt)) { 1740 ret = PTR_ERR(isopkt); 1741 isopkt = NULL; 1742 goto error; 1743 } 1744 for (totlen = u = 0; u < number_of_packets; u++) { 1745 /* 1746 * arbitrary limit need for USB 3.1 Gen2 1747 * sizemax: 96 DPs at SSP, 96 * 1024 = 98304 1748 */ 1749 if (isopkt[u].length > 98304) { 1750 ret = -EINVAL; 1751 goto error; 1752 } 1753 totlen += isopkt[u].length; 1754 } 1755 u *= sizeof(struct usb_iso_packet_descriptor); 1756 uurb->buffer_length = totlen; 1757 break; 1758 1759 default: 1760 return -EINVAL; 1761 } 1762 1763 if (uurb->buffer_length > 0 && 1764 !access_ok(uurb->buffer, uurb->buffer_length)) { 1765 ret = -EFAULT; 1766 goto error; 1767 } 1768 as = alloc_async(number_of_packets); 1769 if (!as) { 1770 ret = -ENOMEM; 1771 goto error; 1772 } 1773 1774 as->usbm = find_memory_area(ps, uurb); 1775 if (IS_ERR(as->usbm)) { 1776 ret = PTR_ERR(as->usbm); 1777 as->usbm = NULL; 1778 goto error; 1779 } 1780 1781 /* do not use SG buffers when memory mapped segments 1782 * are in use 1783 */ 1784 if (as->usbm) 1785 num_sgs = 0; 1786 1787 u += sizeof(struct async) + sizeof(struct urb) + 1788 (as->usbm ? 0 : uurb->buffer_length) + 1789 num_sgs * sizeof(struct scatterlist); 1790 ret = usbfs_increase_memory_usage(u); 1791 if (ret) 1792 goto error; 1793 as->mem_usage = u; 1794 1795 if (num_sgs) { 1796 as->urb->sg = kmalloc_array(num_sgs, 1797 sizeof(struct scatterlist), 1798 GFP_KERNEL | __GFP_NOWARN); 1799 if (!as->urb->sg) { 1800 ret = -ENOMEM; 1801 goto error; 1802 } 1803 as->urb->num_sgs = num_sgs; 1804 sg_init_table(as->urb->sg, as->urb->num_sgs); 1805 1806 totlen = uurb->buffer_length; 1807 for (i = 0; i < as->urb->num_sgs; i++) { 1808 u = (totlen > USB_SG_SIZE) ? USB_SG_SIZE : totlen; 1809 buf = kmalloc(u, GFP_KERNEL); 1810 if (!buf) { 1811 ret = -ENOMEM; 1812 goto error; 1813 } 1814 sg_set_buf(&as->urb->sg[i], buf, u); 1815 1816 if (!is_in) { 1817 if (copy_from_user(buf, uurb->buffer, u)) { 1818 ret = -EFAULT; 1819 goto error; 1820 } 1821 uurb->buffer += u; 1822 } 1823 totlen -= u; 1824 } 1825 } else if (uurb->buffer_length > 0) { 1826 if (as->usbm) { 1827 unsigned long uurb_start = (unsigned long)uurb->buffer; 1828 1829 as->urb->transfer_buffer = as->usbm->mem + 1830 (uurb_start - as->usbm->vm_start); 1831 } else { 1832 as->urb->transfer_buffer = kmalloc(uurb->buffer_length, 1833 GFP_KERNEL | __GFP_NOWARN); 1834 if (!as->urb->transfer_buffer) { 1835 ret = -ENOMEM; 1836 goto error; 1837 } 1838 if (!is_in) { 1839 if (copy_from_user(as->urb->transfer_buffer, 1840 uurb->buffer, 1841 uurb->buffer_length)) { 1842 ret = -EFAULT; 1843 goto error; 1844 } 1845 } else if (uurb->type == USBDEVFS_URB_TYPE_ISO) { 1846 /* 1847 * Isochronous input data may end up being 1848 * discontiguous if some of the packets are 1849 * short. Clear the buffer so that the gaps 1850 * don't leak kernel data to userspace. 1851 */ 1852 memset(as->urb->transfer_buffer, 0, 1853 uurb->buffer_length); 1854 } 1855 } 1856 } 1857 as->urb->dev = ps->dev; 1858 as->urb->pipe = (uurb->type << 30) | 1859 __create_pipe(ps->dev, uurb->endpoint & 0xf) | 1860 (uurb->endpoint & USB_DIR_IN); 1861 1862 /* This tedious sequence is necessary because the URB_* flags 1863 * are internal to the kernel and subject to change, whereas 1864 * the USBDEVFS_URB_* flags are a user API and must not be changed. 1865 */ 1866 u = (is_in ? URB_DIR_IN : URB_DIR_OUT); 1867 if (uurb->flags & USBDEVFS_URB_ISO_ASAP) 1868 u |= URB_ISO_ASAP; 1869 if (allow_short && uurb->flags & USBDEVFS_URB_SHORT_NOT_OK) 1870 u |= URB_SHORT_NOT_OK; 1871 if (allow_zero && uurb->flags & USBDEVFS_URB_ZERO_PACKET) 1872 u |= URB_ZERO_PACKET; 1873 if (uurb->flags & USBDEVFS_URB_NO_INTERRUPT) 1874 u |= URB_NO_INTERRUPT; 1875 as->urb->transfer_flags = u; 1876 1877 if (!allow_short && uurb->flags & USBDEVFS_URB_SHORT_NOT_OK) 1878 dev_warn(&ps->dev->dev, "Requested nonsensical USBDEVFS_URB_SHORT_NOT_OK.\n"); 1879 if (!allow_zero && uurb->flags & USBDEVFS_URB_ZERO_PACKET) 1880 dev_warn(&ps->dev->dev, "Requested nonsensical USBDEVFS_URB_ZERO_PACKET.\n"); 1881 1882 as->urb->transfer_buffer_length = uurb->buffer_length; 1883 as->urb->setup_packet = (unsigned char *)dr; 1884 dr = NULL; 1885 as->urb->start_frame = uurb->start_frame; 1886 as->urb->number_of_packets = number_of_packets; 1887 as->urb->stream_id = stream_id; 1888 1889 if (ep->desc.bInterval) { 1890 if (uurb->type == USBDEVFS_URB_TYPE_ISO || 1891 ps->dev->speed == USB_SPEED_HIGH || 1892 ps->dev->speed >= USB_SPEED_SUPER) 1893 as->urb->interval = 1 << 1894 min(15, ep->desc.bInterval - 1); 1895 else 1896 as->urb->interval = ep->desc.bInterval; 1897 } 1898 1899 as->urb->context = as; 1900 as->urb->complete = async_completed; 1901 for (totlen = u = 0; u < number_of_packets; u++) { 1902 as->urb->iso_frame_desc[u].offset = totlen; 1903 as->urb->iso_frame_desc[u].length = isopkt[u].length; 1904 totlen += isopkt[u].length; 1905 } 1906 kfree(isopkt); 1907 isopkt = NULL; 1908 as->ps = ps; 1909 as->userurb = arg; 1910 as->userurb_sigval = userurb_sigval; 1911 if (as->usbm) { 1912 unsigned long uurb_start = (unsigned long)uurb->buffer; 1913 1914 as->urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP; 1915 as->urb->transfer_dma = as->usbm->dma_handle + 1916 (uurb_start - as->usbm->vm_start); 1917 } else if (is_in && uurb->buffer_length > 0) 1918 as->userbuffer = uurb->buffer; 1919 as->signr = uurb->signr; 1920 as->ifnum = ifnum; 1921 as->pid = get_pid(task_pid(current)); 1922 as->cred = get_current_cred(); 1923 snoop_urb(ps->dev, as->userurb, as->urb->pipe, 1924 as->urb->transfer_buffer_length, 0, SUBMIT, 1925 NULL, 0); 1926 if (!is_in) 1927 snoop_urb_data(as->urb, as->urb->transfer_buffer_length); 1928 1929 async_newpending(as); 1930 1931 if (usb_endpoint_xfer_bulk(&ep->desc)) { 1932 spin_lock_irq(&ps->lock); 1933 1934 /* Not exactly the endpoint address; the direction bit is 1935 * shifted to the 0x10 position so that the value will be 1936 * between 0 and 31. 1937 */ 1938 as->bulk_addr = usb_endpoint_num(&ep->desc) | 1939 ((ep->desc.bEndpointAddress & USB_ENDPOINT_DIR_MASK) 1940 >> 3); 1941 1942 /* If this bulk URB is the start of a new transfer, re-enable 1943 * the endpoint. Otherwise mark it as a continuation URB. 1944 */ 1945 if (uurb->flags & USBDEVFS_URB_BULK_CONTINUATION) 1946 as->bulk_status = AS_CONTINUATION; 1947 else 1948 ps->disabled_bulk_eps &= ~(1 << as->bulk_addr); 1949 1950 /* Don't accept continuation URBs if the endpoint is 1951 * disabled because of an earlier error. 1952 */ 1953 if (ps->disabled_bulk_eps & (1 << as->bulk_addr)) 1954 ret = -EREMOTEIO; 1955 else 1956 ret = usb_submit_urb(as->urb, GFP_ATOMIC); 1957 spin_unlock_irq(&ps->lock); 1958 } else { 1959 ret = usb_submit_urb(as->urb, GFP_KERNEL); 1960 } 1961 1962 if (ret) { 1963 dev_printk(KERN_DEBUG, &ps->dev->dev, 1964 "usbfs: usb_submit_urb returned %d\n", ret); 1965 snoop_urb(ps->dev, as->userurb, as->urb->pipe, 1966 0, ret, COMPLETE, NULL, 0); 1967 async_removepending(as); 1968 goto error; 1969 } 1970 return 0; 1971 1972 error: 1973 kfree(isopkt); 1974 kfree(dr); 1975 if (as) 1976 free_async(as); 1977 return ret; 1978} 1979 1980static int proc_submiturb(struct usb_dev_state *ps, void __user *arg) 1981{ 1982 struct usbdevfs_urb uurb; 1983 sigval_t userurb_sigval; 1984 1985 if (copy_from_user(&uurb, arg, sizeof(uurb))) 1986 return -EFAULT; 1987 1988 memset(&userurb_sigval, 0, sizeof(userurb_sigval)); 1989 userurb_sigval.sival_ptr = arg; 1990 1991 return proc_do_submiturb(ps, &uurb, 1992 (((struct usbdevfs_urb __user *)arg)->iso_frame_desc), 1993 arg, userurb_sigval); 1994} 1995 1996static int proc_unlinkurb(struct usb_dev_state *ps, void __user *arg) 1997{ 1998 struct urb *urb; 1999 struct async *as; 2000 unsigned long flags; 2001 2002 spin_lock_irqsave(&ps->lock, flags); 2003 as = async_getpending(ps, arg); 2004 if (!as) { 2005 spin_unlock_irqrestore(&ps->lock, flags); 2006 return -EINVAL; 2007 } 2008 2009 urb = as->urb; 2010 usb_get_urb(urb); 2011 spin_unlock_irqrestore(&ps->lock, flags); 2012 2013 usb_kill_urb(urb); 2014 usb_put_urb(urb); 2015 2016 return 0; 2017} 2018 2019static void compute_isochronous_actual_length(struct urb *urb) 2020{ 2021 unsigned int i; 2022 2023 if (urb->number_of_packets > 0) { 2024 urb->actual_length = 0; 2025 for (i = 0; i < urb->number_of_packets; i++) 2026 urb->actual_length += 2027 urb->iso_frame_desc[i].actual_length; 2028 } 2029} 2030 2031static int processcompl(struct async *as, void __user * __user *arg) 2032{ 2033 struct urb *urb = as->urb; 2034 struct usbdevfs_urb __user *userurb = as->userurb; 2035 void __user *addr = as->userurb; 2036 unsigned int i; 2037 2038 compute_isochronous_actual_length(urb); 2039 if (as->userbuffer && urb->actual_length) { 2040 if (copy_urb_data_to_user(as->userbuffer, urb)) 2041 goto err_out; 2042 } 2043 if (put_user(as->status, &userurb->status)) 2044 goto err_out; 2045 if (put_user(urb->actual_length, &userurb->actual_length)) 2046 goto err_out; 2047 if (put_user(urb->error_count, &userurb->error_count)) 2048 goto err_out; 2049 2050 if (usb_endpoint_xfer_isoc(&urb->ep->desc)) { 2051 for (i = 0; i < urb->number_of_packets; i++) { 2052 if (put_user(urb->iso_frame_desc[i].actual_length, 2053 &userurb->iso_frame_desc[i].actual_length)) 2054 goto err_out; 2055 if (put_user(urb->iso_frame_desc[i].status, 2056 &userurb->iso_frame_desc[i].status)) 2057 goto err_out; 2058 } 2059 } 2060 2061 if (put_user(addr, (void __user * __user *)arg)) 2062 return -EFAULT; 2063 return 0; 2064 2065err_out: 2066 return -EFAULT; 2067} 2068 2069static struct async *reap_as(struct usb_dev_state *ps) 2070{ 2071 DECLARE_WAITQUEUE(wait, current); 2072 struct async *as = NULL; 2073 struct usb_device *dev = ps->dev; 2074 2075 add_wait_queue(&ps->wait, &wait); 2076 for (;;) { 2077 __set_current_state(TASK_INTERRUPTIBLE); 2078 as = async_getcompleted(ps); 2079 if (as || !connected(ps)) 2080 break; 2081 if (signal_pending(current)) 2082 break; 2083 usb_unlock_device(dev); 2084 schedule(); 2085 usb_lock_device(dev); 2086 } 2087 remove_wait_queue(&ps->wait, &wait); 2088 set_current_state(TASK_RUNNING); 2089 return as; 2090} 2091 2092static int proc_reapurb(struct usb_dev_state *ps, void __user *arg) 2093{ 2094 struct async *as = reap_as(ps); 2095 2096 if (as) { 2097 int retval; 2098 2099 snoop(&ps->dev->dev, "reap %px\n", as->userurb); 2100 retval = processcompl(as, (void __user * __user *)arg); 2101 free_async(as); 2102 return retval; 2103 } 2104 if (signal_pending(current)) 2105 return -EINTR; 2106 return -ENODEV; 2107} 2108 2109static int proc_reapurbnonblock(struct usb_dev_state *ps, void __user *arg) 2110{ 2111 int retval; 2112 struct async *as; 2113 2114 as = async_getcompleted(ps); 2115 if (as) { 2116 snoop(&ps->dev->dev, "reap %px\n", as->userurb); 2117 retval = processcompl(as, (void __user * __user *)arg); 2118 free_async(as); 2119 } else { 2120 retval = (connected(ps) ? -EAGAIN : -ENODEV); 2121 } 2122 return retval; 2123} 2124 2125#ifdef CONFIG_COMPAT 2126static int proc_control_compat(struct usb_dev_state *ps, 2127 struct usbdevfs_ctrltransfer32 __user *p32) 2128{ 2129 struct usbdevfs_ctrltransfer ctrl; 2130 u32 udata; 2131 2132 if (copy_from_user(&ctrl, p32, sizeof(*p32) - sizeof(compat_caddr_t)) || 2133 get_user(udata, &p32->data)) 2134 return -EFAULT; 2135 ctrl.data = compat_ptr(udata); 2136 return do_proc_control(ps, &ctrl); 2137} 2138 2139static int proc_bulk_compat(struct usb_dev_state *ps, 2140 struct usbdevfs_bulktransfer32 __user *p32) 2141{ 2142 struct usbdevfs_bulktransfer bulk; 2143 compat_caddr_t addr; 2144 2145 if (get_user(bulk.ep, &p32->ep) || 2146 get_user(bulk.len, &p32->len) || 2147 get_user(bulk.timeout, &p32->timeout) || 2148 get_user(addr, &p32->data)) 2149 return -EFAULT; 2150 bulk.data = compat_ptr(addr); 2151 return do_proc_bulk(ps, &bulk); 2152} 2153 2154static int proc_disconnectsignal_compat(struct usb_dev_state *ps, void __user *arg) 2155{ 2156 struct usbdevfs_disconnectsignal32 ds; 2157 2158 if (copy_from_user(&ds, arg, sizeof(ds))) 2159 return -EFAULT; 2160 ps->discsignr = ds.signr; 2161 ps->disccontext.sival_int = ds.context; 2162 return 0; 2163} 2164 2165static int get_urb32(struct usbdevfs_urb *kurb, 2166 struct usbdevfs_urb32 __user *uurb) 2167{ 2168 struct usbdevfs_urb32 urb32; 2169 if (copy_from_user(&urb32, uurb, sizeof(*uurb))) 2170 return -EFAULT; 2171 kurb->type = urb32.type; 2172 kurb->endpoint = urb32.endpoint; 2173 kurb->status = urb32.status; 2174 kurb->flags = urb32.flags; 2175 kurb->buffer = compat_ptr(urb32.buffer); 2176 kurb->buffer_length = urb32.buffer_length; 2177 kurb->actual_length = urb32.actual_length; 2178 kurb->start_frame = urb32.start_frame; 2179 kurb->number_of_packets = urb32.number_of_packets; 2180 kurb->error_count = urb32.error_count; 2181 kurb->signr = urb32.signr; 2182 kurb->usercontext = compat_ptr(urb32.usercontext); 2183 return 0; 2184} 2185 2186static int proc_submiturb_compat(struct usb_dev_state *ps, void __user *arg) 2187{ 2188 struct usbdevfs_urb uurb; 2189 sigval_t userurb_sigval; 2190 2191 if (get_urb32(&uurb, (struct usbdevfs_urb32 __user *)arg)) 2192 return -EFAULT; 2193 2194 memset(&userurb_sigval, 0, sizeof(userurb_sigval)); 2195 userurb_sigval.sival_int = ptr_to_compat(arg); 2196 2197 return proc_do_submiturb(ps, &uurb, 2198 ((struct usbdevfs_urb32 __user *)arg)->iso_frame_desc, 2199 arg, userurb_sigval); 2200} 2201 2202static int processcompl_compat(struct async *as, void __user * __user *arg) 2203{ 2204 struct urb *urb = as->urb; 2205 struct usbdevfs_urb32 __user *userurb = as->userurb; 2206 void __user *addr = as->userurb; 2207 unsigned int i; 2208 2209 compute_isochronous_actual_length(urb); 2210 if (as->userbuffer && urb->actual_length) { 2211 if (copy_urb_data_to_user(as->userbuffer, urb)) 2212 return -EFAULT; 2213 } 2214 if (put_user(as->status, &userurb->status)) 2215 return -EFAULT; 2216 if (put_user(urb->actual_length, &userurb->actual_length)) 2217 return -EFAULT; 2218 if (put_user(urb->error_count, &userurb->error_count)) 2219 return -EFAULT; 2220 2221 if (usb_endpoint_xfer_isoc(&urb->ep->desc)) { 2222 for (i = 0; i < urb->number_of_packets; i++) { 2223 if (put_user(urb->iso_frame_desc[i].actual_length, 2224 &userurb->iso_frame_desc[i].actual_length)) 2225 return -EFAULT; 2226 if (put_user(urb->iso_frame_desc[i].status, 2227 &userurb->iso_frame_desc[i].status)) 2228 return -EFAULT; 2229 } 2230 } 2231 2232 if (put_user(ptr_to_compat(addr), (u32 __user *)arg)) 2233 return -EFAULT; 2234 return 0; 2235} 2236 2237static int proc_reapurb_compat(struct usb_dev_state *ps, void __user *arg) 2238{ 2239 struct async *as = reap_as(ps); 2240 2241 if (as) { 2242 int retval; 2243 2244 snoop(&ps->dev->dev, "reap %px\n", as->userurb); 2245 retval = processcompl_compat(as, (void __user * __user *)arg); 2246 free_async(as); 2247 return retval; 2248 } 2249 if (signal_pending(current)) 2250 return -EINTR; 2251 return -ENODEV; 2252} 2253 2254static int proc_reapurbnonblock_compat(struct usb_dev_state *ps, void __user *arg) 2255{ 2256 int retval; 2257 struct async *as; 2258 2259 as = async_getcompleted(ps); 2260 if (as) { 2261 snoop(&ps->dev->dev, "reap %px\n", as->userurb); 2262 retval = processcompl_compat(as, (void __user * __user *)arg); 2263 free_async(as); 2264 } else { 2265 retval = (connected(ps) ? -EAGAIN : -ENODEV); 2266 } 2267 return retval; 2268} 2269 2270 2271#endif 2272 2273static int proc_disconnectsignal(struct usb_dev_state *ps, void __user *arg) 2274{ 2275 struct usbdevfs_disconnectsignal ds; 2276 2277 if (copy_from_user(&ds, arg, sizeof(ds))) 2278 return -EFAULT; 2279 ps->discsignr = ds.signr; 2280 ps->disccontext.sival_ptr = ds.context; 2281 return 0; 2282} 2283 2284static int proc_claiminterface(struct usb_dev_state *ps, void __user *arg) 2285{ 2286 unsigned int ifnum; 2287 2288 if (get_user(ifnum, (unsigned int __user *)arg)) 2289 return -EFAULT; 2290 return claimintf(ps, ifnum); 2291} 2292 2293static int proc_releaseinterface(struct usb_dev_state *ps, void __user *arg) 2294{ 2295 unsigned int ifnum; 2296 int ret; 2297 2298 if (get_user(ifnum, (unsigned int __user *)arg)) 2299 return -EFAULT; 2300 ret = releaseintf(ps, ifnum); 2301 if (ret < 0) 2302 return ret; 2303 destroy_async_on_interface(ps, ifnum); 2304 return 0; 2305} 2306 2307static int proc_ioctl(struct usb_dev_state *ps, struct usbdevfs_ioctl *ctl) 2308{ 2309 int size; 2310 void *buf = NULL; 2311 int retval = 0; 2312 struct usb_interface *intf = NULL; 2313 struct usb_driver *driver = NULL; 2314 2315 if (ps->privileges_dropped) 2316 return -EACCES; 2317 2318 if (!connected(ps)) 2319 return -ENODEV; 2320 2321 /* alloc buffer */ 2322 size = _IOC_SIZE(ctl->ioctl_code); 2323 if (size > 0) { 2324 buf = kmalloc(size, GFP_KERNEL); 2325 if (buf == NULL) 2326 return -ENOMEM; 2327 if ((_IOC_DIR(ctl->ioctl_code) & _IOC_WRITE)) { 2328 if (copy_from_user(buf, ctl->data, size)) { 2329 kfree(buf); 2330 return -EFAULT; 2331 } 2332 } else { 2333 memset(buf, 0, size); 2334 } 2335 } 2336 2337 if (ps->dev->state != USB_STATE_CONFIGURED) 2338 retval = -EHOSTUNREACH; 2339 else if (!(intf = usb_ifnum_to_if(ps->dev, ctl->ifno))) 2340 retval = -EINVAL; 2341 else switch (ctl->ioctl_code) { 2342 2343 /* disconnect kernel driver from interface */ 2344 case USBDEVFS_DISCONNECT: 2345 if (intf->dev.driver) { 2346 driver = to_usb_driver(intf->dev.driver); 2347 dev_dbg(&intf->dev, "disconnect by usbfs\n"); 2348 usb_driver_release_interface(driver, intf); 2349 } else 2350 retval = -ENODATA; 2351 break; 2352 2353 /* let kernel drivers try to (re)bind to the interface */ 2354 case USBDEVFS_CONNECT: 2355 if (!intf->dev.driver) 2356 retval = device_attach(&intf->dev); 2357 else 2358 retval = -EBUSY; 2359 break; 2360 2361 /* talk directly to the interface's driver */ 2362 default: 2363 if (intf->dev.driver) 2364 driver = to_usb_driver(intf->dev.driver); 2365 if (driver == NULL || driver->unlocked_ioctl == NULL) { 2366 retval = -ENOTTY; 2367 } else { 2368 retval = driver->unlocked_ioctl(intf, ctl->ioctl_code, buf); 2369 if (retval == -ENOIOCTLCMD) 2370 retval = -ENOTTY; 2371 } 2372 } 2373 2374 /* cleanup and return */ 2375 if (retval >= 0 2376 && (_IOC_DIR(ctl->ioctl_code) & _IOC_READ) != 0 2377 && size > 0 2378 && copy_to_user(ctl->data, buf, size) != 0) 2379 retval = -EFAULT; 2380 2381 kfree(buf); 2382 return retval; 2383} 2384 2385static int proc_ioctl_default(struct usb_dev_state *ps, void __user *arg) 2386{ 2387 struct usbdevfs_ioctl ctrl; 2388 2389 if (copy_from_user(&ctrl, arg, sizeof(ctrl))) 2390 return -EFAULT; 2391 return proc_ioctl(ps, &ctrl); 2392} 2393 2394#ifdef CONFIG_COMPAT 2395static int proc_ioctl_compat(struct usb_dev_state *ps, compat_uptr_t arg) 2396{ 2397 struct usbdevfs_ioctl32 ioc32; 2398 struct usbdevfs_ioctl ctrl; 2399 2400 if (copy_from_user(&ioc32, compat_ptr(arg), sizeof(ioc32))) 2401 return -EFAULT; 2402 ctrl.ifno = ioc32.ifno; 2403 ctrl.ioctl_code = ioc32.ioctl_code; 2404 ctrl.data = compat_ptr(ioc32.data); 2405 return proc_ioctl(ps, &ctrl); 2406} 2407#endif 2408 2409static int proc_claim_port(struct usb_dev_state *ps, void __user *arg) 2410{ 2411 unsigned portnum; 2412 int rc; 2413 2414 if (get_user(portnum, (unsigned __user *) arg)) 2415 return -EFAULT; 2416 rc = usb_hub_claim_port(ps->dev, portnum, ps); 2417 if (rc == 0) 2418 snoop(&ps->dev->dev, "port %d claimed by process %d: %s\n", 2419 portnum, task_pid_nr(current), current->comm); 2420 return rc; 2421} 2422 2423static int proc_release_port(struct usb_dev_state *ps, void __user *arg) 2424{ 2425 unsigned portnum; 2426 2427 if (get_user(portnum, (unsigned __user *) arg)) 2428 return -EFAULT; 2429 return usb_hub_release_port(ps->dev, portnum, ps); 2430} 2431 2432static int proc_get_capabilities(struct usb_dev_state *ps, void __user *arg) 2433{ 2434 __u32 caps; 2435 2436 caps = USBDEVFS_CAP_ZERO_PACKET | USBDEVFS_CAP_NO_PACKET_SIZE_LIM | 2437 USBDEVFS_CAP_REAP_AFTER_DISCONNECT | USBDEVFS_CAP_MMAP | 2438 USBDEVFS_CAP_DROP_PRIVILEGES | 2439 USBDEVFS_CAP_CONNINFO_EX | MAYBE_CAP_SUSPEND; 2440 if (!ps->dev->bus->no_stop_on_short) 2441 caps |= USBDEVFS_CAP_BULK_CONTINUATION; 2442 if (ps->dev->bus->sg_tablesize) 2443 caps |= USBDEVFS_CAP_BULK_SCATTER_GATHER; 2444 2445 if (put_user(caps, (__u32 __user *)arg)) 2446 return -EFAULT; 2447 2448 return 0; 2449} 2450 2451static int proc_disconnect_claim(struct usb_dev_state *ps, void __user *arg) 2452{ 2453 struct usbdevfs_disconnect_claim dc; 2454 struct usb_interface *intf; 2455 2456 if (copy_from_user(&dc, arg, sizeof(dc))) 2457 return -EFAULT; 2458 2459 intf = usb_ifnum_to_if(ps->dev, dc.interface); 2460 if (!intf) 2461 return -EINVAL; 2462 2463 if (intf->dev.driver) { 2464 struct usb_driver *driver = to_usb_driver(intf->dev.driver); 2465 2466 if (ps->privileges_dropped) 2467 return -EACCES; 2468 2469 if ((dc.flags & USBDEVFS_DISCONNECT_CLAIM_IF_DRIVER) && 2470 strncmp(dc.driver, intf->dev.driver->name, 2471 sizeof(dc.driver)) != 0) 2472 return -EBUSY; 2473 2474 if ((dc.flags & USBDEVFS_DISCONNECT_CLAIM_EXCEPT_DRIVER) && 2475 strncmp(dc.driver, intf->dev.driver->name, 2476 sizeof(dc.driver)) == 0) 2477 return -EBUSY; 2478 2479 dev_dbg(&intf->dev, "disconnect by usbfs\n"); 2480 usb_driver_release_interface(driver, intf); 2481 } 2482 2483 return claimintf(ps, dc.interface); 2484} 2485 2486static int proc_alloc_streams(struct usb_dev_state *ps, void __user *arg) 2487{ 2488 unsigned num_streams, num_eps; 2489 struct usb_host_endpoint **eps; 2490 struct usb_interface *intf; 2491 int r; 2492 2493 r = parse_usbdevfs_streams(ps, arg, &num_streams, &num_eps, 2494 &eps, &intf); 2495 if (r) 2496 return r; 2497 2498 destroy_async_on_interface(ps, 2499 intf->altsetting[0].desc.bInterfaceNumber); 2500 2501 r = usb_alloc_streams(intf, eps, num_eps, num_streams, GFP_KERNEL); 2502 kfree(eps); 2503 return r; 2504} 2505 2506static int proc_free_streams(struct usb_dev_state *ps, void __user *arg) 2507{ 2508 unsigned num_eps; 2509 struct usb_host_endpoint **eps; 2510 struct usb_interface *intf; 2511 int r; 2512 2513 r = parse_usbdevfs_streams(ps, arg, NULL, &num_eps, &eps, &intf); 2514 if (r) 2515 return r; 2516 2517 destroy_async_on_interface(ps, 2518 intf->altsetting[0].desc.bInterfaceNumber); 2519 2520 r = usb_free_streams(intf, eps, num_eps, GFP_KERNEL); 2521 kfree(eps); 2522 return r; 2523} 2524 2525static int proc_drop_privileges(struct usb_dev_state *ps, void __user *arg) 2526{ 2527 u32 data; 2528 2529 if (copy_from_user(&data, arg, sizeof(data))) 2530 return -EFAULT; 2531 2532 /* This is a one way operation. Once privileges are 2533 * dropped, you cannot regain them. You may however reissue 2534 * this ioctl to shrink the allowed interfaces mask. 2535 */ 2536 ps->interface_allowed_mask &= data; 2537 ps->privileges_dropped = true; 2538 2539 return 0; 2540} 2541 2542static int proc_forbid_suspend(struct usb_dev_state *ps) 2543{ 2544 int ret = 0; 2545 2546 if (ps->suspend_allowed) { 2547 ret = usb_autoresume_device(ps->dev); 2548 if (ret == 0) 2549 ps->suspend_allowed = false; 2550 else if (ret != -ENODEV) 2551 ret = -EIO; 2552 } 2553 return ret; 2554} 2555 2556static int proc_allow_suspend(struct usb_dev_state *ps) 2557{ 2558 if (!connected(ps)) 2559 return -ENODEV; 2560 2561 WRITE_ONCE(ps->not_yet_resumed, 1); 2562 if (!ps->suspend_allowed) { 2563 usb_autosuspend_device(ps->dev); 2564 ps->suspend_allowed = true; 2565 } 2566 return 0; 2567} 2568 2569static int proc_wait_for_resume(struct usb_dev_state *ps) 2570{ 2571 int ret; 2572 2573 usb_unlock_device(ps->dev); 2574 ret = wait_event_interruptible(ps->wait_for_resume, 2575 READ_ONCE(ps->not_yet_resumed) == 0); 2576 usb_lock_device(ps->dev); 2577 2578 if (ret != 0) 2579 return -EINTR; 2580 return proc_forbid_suspend(ps); 2581} 2582 2583/* 2584 * NOTE: All requests here that have interface numbers as parameters 2585 * are assuming that somehow the configuration has been prevented from 2586 * changing. But there's no mechanism to ensure that... 2587 */ 2588static long usbdev_do_ioctl(struct file *file, unsigned int cmd, 2589 void __user *p) 2590{ 2591 struct usb_dev_state *ps = file->private_data; 2592 struct inode *inode = file_inode(file); 2593 struct usb_device *dev = ps->dev; 2594 int ret = -ENOTTY; 2595 2596 if (!(file->f_mode & FMODE_WRITE)) 2597 return -EPERM; 2598 2599 usb_lock_device(dev); 2600 2601 /* Reap operations are allowed even after disconnection */ 2602 switch (cmd) { 2603 case USBDEVFS_REAPURB: 2604 snoop(&dev->dev, "%s: REAPURB\n", __func__); 2605 ret = proc_reapurb(ps, p); 2606 goto done; 2607 2608 case USBDEVFS_REAPURBNDELAY: 2609 snoop(&dev->dev, "%s: REAPURBNDELAY\n", __func__); 2610 ret = proc_reapurbnonblock(ps, p); 2611 goto done; 2612 2613#ifdef CONFIG_COMPAT 2614 case USBDEVFS_REAPURB32: 2615 snoop(&dev->dev, "%s: REAPURB32\n", __func__); 2616 ret = proc_reapurb_compat(ps, p); 2617 goto done; 2618 2619 case USBDEVFS_REAPURBNDELAY32: 2620 snoop(&dev->dev, "%s: REAPURBNDELAY32\n", __func__); 2621 ret = proc_reapurbnonblock_compat(ps, p); 2622 goto done; 2623#endif 2624 } 2625 2626 if (!connected(ps)) { 2627 usb_unlock_device(dev); 2628 return -ENODEV; 2629 } 2630 2631 switch (cmd) { 2632 case USBDEVFS_CONTROL: 2633 snoop(&dev->dev, "%s: CONTROL\n", __func__); 2634 ret = proc_control(ps, p); 2635 if (ret >= 0) 2636 inode->i_mtime = current_time(inode); 2637 break; 2638 2639 case USBDEVFS_BULK: 2640 snoop(&dev->dev, "%s: BULK\n", __func__); 2641 ret = proc_bulk(ps, p); 2642 if (ret >= 0) 2643 inode->i_mtime = current_time(inode); 2644 break; 2645 2646 case USBDEVFS_RESETEP: 2647 snoop(&dev->dev, "%s: RESETEP\n", __func__); 2648 ret = proc_resetep(ps, p); 2649 if (ret >= 0) 2650 inode->i_mtime = current_time(inode); 2651 break; 2652 2653 case USBDEVFS_RESET: 2654 snoop(&dev->dev, "%s: RESET\n", __func__); 2655 ret = proc_resetdevice(ps); 2656 break; 2657 2658 case USBDEVFS_CLEAR_HALT: 2659 snoop(&dev->dev, "%s: CLEAR_HALT\n", __func__); 2660 ret = proc_clearhalt(ps, p); 2661 if (ret >= 0) 2662 inode->i_mtime = current_time(inode); 2663 break; 2664 2665 case USBDEVFS_GETDRIVER: 2666 snoop(&dev->dev, "%s: GETDRIVER\n", __func__); 2667 ret = proc_getdriver(ps, p); 2668 break; 2669 2670 case USBDEVFS_CONNECTINFO: 2671 snoop(&dev->dev, "%s: CONNECTINFO\n", __func__); 2672 ret = proc_connectinfo(ps, p); 2673 break; 2674 2675 case USBDEVFS_SETINTERFACE: 2676 snoop(&dev->dev, "%s: SETINTERFACE\n", __func__); 2677 ret = proc_setintf(ps, p); 2678 break; 2679 2680 case USBDEVFS_SETCONFIGURATION: 2681 snoop(&dev->dev, "%s: SETCONFIGURATION\n", __func__); 2682 ret = proc_setconfig(ps, p); 2683 break; 2684 2685 case USBDEVFS_SUBMITURB: 2686 snoop(&dev->dev, "%s: SUBMITURB\n", __func__); 2687 ret = proc_submiturb(ps, p); 2688 if (ret >= 0) 2689 inode->i_mtime = current_time(inode); 2690 break; 2691 2692#ifdef CONFIG_COMPAT 2693 case USBDEVFS_CONTROL32: 2694 snoop(&dev->dev, "%s: CONTROL32\n", __func__); 2695 ret = proc_control_compat(ps, p); 2696 if (ret >= 0) 2697 inode->i_mtime = current_time(inode); 2698 break; 2699 2700 case USBDEVFS_BULK32: 2701 snoop(&dev->dev, "%s: BULK32\n", __func__); 2702 ret = proc_bulk_compat(ps, p); 2703 if (ret >= 0) 2704 inode->i_mtime = current_time(inode); 2705 break; 2706 2707 case USBDEVFS_DISCSIGNAL32: 2708 snoop(&dev->dev, "%s: DISCSIGNAL32\n", __func__); 2709 ret = proc_disconnectsignal_compat(ps, p); 2710 break; 2711 2712 case USBDEVFS_SUBMITURB32: 2713 snoop(&dev->dev, "%s: SUBMITURB32\n", __func__); 2714 ret = proc_submiturb_compat(ps, p); 2715 if (ret >= 0) 2716 inode->i_mtime = current_time(inode); 2717 break; 2718 2719 case USBDEVFS_IOCTL32: 2720 snoop(&dev->dev, "%s: IOCTL32\n", __func__); 2721 ret = proc_ioctl_compat(ps, ptr_to_compat(p)); 2722 break; 2723#endif 2724 2725 case USBDEVFS_DISCARDURB: 2726 snoop(&dev->dev, "%s: DISCARDURB %px\n", __func__, p); 2727 ret = proc_unlinkurb(ps, p); 2728 break; 2729 2730 case USBDEVFS_DISCSIGNAL: 2731 snoop(&dev->dev, "%s: DISCSIGNAL\n", __func__); 2732 ret = proc_disconnectsignal(ps, p); 2733 break; 2734 2735 case USBDEVFS_CLAIMINTERFACE: 2736 snoop(&dev->dev, "%s: CLAIMINTERFACE\n", __func__); 2737 ret = proc_claiminterface(ps, p); 2738 break; 2739 2740 case USBDEVFS_RELEASEINTERFACE: 2741 snoop(&dev->dev, "%s: RELEASEINTERFACE\n", __func__); 2742 ret = proc_releaseinterface(ps, p); 2743 break; 2744 2745 case USBDEVFS_IOCTL: 2746 snoop(&dev->dev, "%s: IOCTL\n", __func__); 2747 ret = proc_ioctl_default(ps, p); 2748 break; 2749 2750 case USBDEVFS_CLAIM_PORT: 2751 snoop(&dev->dev, "%s: CLAIM_PORT\n", __func__); 2752 ret = proc_claim_port(ps, p); 2753 break; 2754 2755 case USBDEVFS_RELEASE_PORT: 2756 snoop(&dev->dev, "%s: RELEASE_PORT\n", __func__); 2757 ret = proc_release_port(ps, p); 2758 break; 2759 case USBDEVFS_GET_CAPABILITIES: 2760 ret = proc_get_capabilities(ps, p); 2761 break; 2762 case USBDEVFS_DISCONNECT_CLAIM: 2763 ret = proc_disconnect_claim(ps, p); 2764 break; 2765 case USBDEVFS_ALLOC_STREAMS: 2766 ret = proc_alloc_streams(ps, p); 2767 break; 2768 case USBDEVFS_FREE_STREAMS: 2769 ret = proc_free_streams(ps, p); 2770 break; 2771 case USBDEVFS_DROP_PRIVILEGES: 2772 ret = proc_drop_privileges(ps, p); 2773 break; 2774 case USBDEVFS_GET_SPEED: 2775 ret = ps->dev->speed; 2776 break; 2777 case USBDEVFS_FORBID_SUSPEND: 2778 ret = proc_forbid_suspend(ps); 2779 break; 2780 case USBDEVFS_ALLOW_SUSPEND: 2781 ret = proc_allow_suspend(ps); 2782 break; 2783 case USBDEVFS_WAIT_FOR_RESUME: 2784 ret = proc_wait_for_resume(ps); 2785 break; 2786 } 2787 2788 /* Handle variable-length commands */ 2789 switch (cmd & ~IOCSIZE_MASK) { 2790 case USBDEVFS_CONNINFO_EX(0): 2791 ret = proc_conninfo_ex(ps, p, _IOC_SIZE(cmd)); 2792 break; 2793 } 2794 2795 done: 2796 usb_unlock_device(dev); 2797 if (ret >= 0) 2798 inode->i_atime = current_time(inode); 2799 return ret; 2800} 2801 2802static long usbdev_ioctl(struct file *file, unsigned int cmd, 2803 unsigned long arg) 2804{ 2805 int ret; 2806 2807 ret = usbdev_do_ioctl(file, cmd, (void __user *)arg); 2808 2809 return ret; 2810} 2811 2812/* No kernel lock - fine */ 2813static __poll_t usbdev_poll(struct file *file, 2814 struct poll_table_struct *wait) 2815{ 2816 struct usb_dev_state *ps = file->private_data; 2817 __poll_t mask = 0; 2818 2819 poll_wait(file, &ps->wait, wait); 2820 if (file->f_mode & FMODE_WRITE && !list_empty(&ps->async_completed)) 2821 mask |= EPOLLOUT | EPOLLWRNORM; 2822 if (!connected(ps)) 2823 mask |= EPOLLHUP; 2824 if (list_empty(&ps->list)) 2825 mask |= EPOLLERR; 2826 return mask; 2827} 2828 2829const struct file_operations usbdev_file_operations = { 2830 .owner = THIS_MODULE, 2831 .llseek = no_seek_end_llseek, 2832 .read = usbdev_read, 2833 .poll = usbdev_poll, 2834 .unlocked_ioctl = usbdev_ioctl, 2835 .compat_ioctl = compat_ptr_ioctl, 2836 .mmap = usbdev_mmap, 2837 .open = usbdev_open, 2838 .release = usbdev_release, 2839}; 2840 2841static void usbdev_remove(struct usb_device *udev) 2842{ 2843 struct usb_dev_state *ps; 2844 2845 /* Protect against simultaneous resume */ 2846 mutex_lock(&usbfs_mutex); 2847 while (!list_empty(&udev->filelist)) { 2848 ps = list_entry(udev->filelist.next, struct usb_dev_state, list); 2849 destroy_all_async(ps); 2850 wake_up_all(&ps->wait); 2851 WRITE_ONCE(ps->not_yet_resumed, 0); 2852 wake_up_all(&ps->wait_for_resume); 2853 list_del_init(&ps->list); 2854 if (ps->discsignr) 2855 kill_pid_usb_asyncio(ps->discsignr, EPIPE, ps->disccontext, 2856 ps->disc_pid, ps->cred); 2857 } 2858 mutex_unlock(&usbfs_mutex); 2859} 2860 2861static int usbdev_notify(struct notifier_block *self, 2862 unsigned long action, void *dev) 2863{ 2864 switch (action) { 2865 case USB_DEVICE_ADD: 2866 break; 2867 case USB_DEVICE_REMOVE: 2868 usbdev_remove(dev); 2869 break; 2870 } 2871 return NOTIFY_OK; 2872} 2873 2874static struct notifier_block usbdev_nb = { 2875 .notifier_call = usbdev_notify, 2876}; 2877 2878static struct cdev usb_device_cdev; 2879 2880int __init usb_devio_init(void) 2881{ 2882 int retval; 2883 2884 retval = register_chrdev_region(USB_DEVICE_DEV, USB_DEVICE_MAX, 2885 "usb_device"); 2886 if (retval) { 2887 printk(KERN_ERR "Unable to register minors for usb_device\n"); 2888 goto out; 2889 } 2890 cdev_init(&usb_device_cdev, &usbdev_file_operations); 2891 retval = cdev_add(&usb_device_cdev, USB_DEVICE_DEV, USB_DEVICE_MAX); 2892 if (retval) { 2893 printk(KERN_ERR "Unable to get usb_device major %d\n", 2894 USB_DEVICE_MAJOR); 2895 goto error_cdev; 2896 } 2897 usb_register_notify(&usbdev_nb); 2898out: 2899 return retval; 2900 2901error_cdev: 2902 unregister_chrdev_region(USB_DEVICE_DEV, USB_DEVICE_MAX); 2903 goto out; 2904} 2905 2906void usb_devio_cleanup(void) 2907{ 2908 usb_unregister_notify(&usbdev_nb); 2909 cdev_del(&usb_device_cdev); 2910 unregister_chrdev_region(USB_DEVICE_DEV, USB_DEVICE_MAX); 2911}