drivers/usb/core/devio.c

   1 // SPDX-License-Identifier: GPL-2.0+
   2 /*****************************************************************************/
   3
   4 /*
   5  *      devio.c  --  User space communication with USB devices.
   6  *
   7  *      Copyright (C) 1999-2000  Thomas Sailer (sailer@ife.ee.ethz.ch)
   8  *
   9  *  This file implements the usbfs/x/y files, where
  10  *  x is the bus number and y the device number.
  11  *
  12  *  It allows user space programs/"drivers" to communicate directly
  13  *  with USB devices without intervening kernel driver.
  14  *
  15  *  Revision history
  16  *    22.12.1999   0.1   Initial release (split from proc_usb.c)
  17  *    04.01.2000   0.2   Turned into its own filesystem
  18  *    30.09.2005   0.3   Fix user-triggerable oops in async URB delivery
  19  *                       (CAN-2005-3055)
  20  */
  21
  22 /*****************************************************************************/
  23
  24 #include <linux/fs.h>
  25 #include <linux/mm.h>
  26 #include <linux/sched/signal.h>
  27 #include <linux/slab.h>
  28 #include <linux/signal.h>
  29 #include <linux/poll.h>
  30 #include <linux/module.h>
  31 #include <linux/string.h>
  32 #include <linux/usb.h>
  33 #include <linux/usbdevice_fs.h>
  34 #include <linux/usb/hcd.h>      /* for usbcore internals */
  35 #include <linux/cdev.h>
  36 #include <linux/notifier.h>
  37 #include <linux/security.h>
  38 #include <linux/user_namespace.h>
  39 #include <linux/scatterlist.h>
  40 #include <linux/uaccess.h>
  41 #include <linux/dma-mapping.h>
  42 #include <asm/byteorder.h>
  43 #include <linux/moduleparam.h>
  44
  45 #include "usb.h"
  46
  47 #define USB_MAXBUS                      64
  48 #define USB_DEVICE_MAX                  (USB_MAXBUS * 128)
  49 #define USB_SG_SIZE                     16384 /* split-size for large txs */
  50
  51 /* Mutual exclusion for removal, open, and release */
  52 DEFINE_MUTEX(usbfs_mutex);
  53
  54 struct usb_dev_state {
  55         struct list_head list;      /* state list */
  56         struct usb_device *dev;
  57         struct file *file;
  58         spinlock_t lock;            /* protects the async urb lists */
  59         struct list_head async_pending;
  60         struct list_head async_completed;
  61         struct list_head memory_list;
  62         wait_queue_head_t wait;     /* wake up if a request completed */
  63         unsigned int discsignr;
  64         struct pid *disc_pid;
  65         const struct cred *cred;
  66         void __user *disccontext;
  67         unsigned long ifclaimed;
  68         u32 secid;
  69         u32 disabled_bulk_eps;
  70         bool privileges_dropped;
  71         unsigned long interface_allowed_mask;
  72 };
  73
  74 struct usb_memory {
  75         struct list_head memlist;
  76         int vma_use_count;
  77         int urb_use_count;
  78         u32 size;
  79         void *mem;
  80         dma_addr_t dma_handle;
  81         unsigned long vm_start;
  82         struct usb_dev_state *ps;
  83 };
  84
  85 struct async {
  86         struct list_head asynclist;
  87         struct usb_dev_state *ps;
  88         struct pid *pid;
  89         const struct cred *cred;
  90         unsigned int signr;
  91         unsigned int ifnum;
  92         void __user *userbuffer;
  93         void __user *userurb;
  94         struct urb *urb;
  95         struct usb_memory *usbm;
  96         unsigned int mem_usage;
  97         int status;
  98         u32 secid;
  99         u8 bulk_addr;
 100         u8 bulk_status;
 101 };
 102
 103 static bool usbfs_snoop;
 104 module_param(usbfs_snoop, bool, S_IRUGO | S_IWUSR);
 105 MODULE_PARM_DESC(usbfs_snoop, "true to log all usbfs traffic");
 106
 107 static unsigned usbfs_snoop_max = 65536;
 108 module_param(usbfs_snoop_max, uint, S_IRUGO | S_IWUSR);
 109 MODULE_PARM_DESC(usbfs_snoop_max,
 110                 "maximum number of bytes to print while snooping");
 111
 112 #define snoop(dev, format, arg...)                              \
 113         do {                                                    \
 114                 if (usbfs_snoop)                                \
 115                         dev_info(dev, format, ## arg);          \
 116         } while (0)
 117
 118 enum snoop_when {
 119         SUBMIT, COMPLETE
 120 };
 121
 122 #define USB_DEVICE_DEV          MKDEV(USB_DEVICE_MAJOR, 0)
 123
 124 /* Limit on the total amount of memory we can allocate for transfers */
 125 static u32 usbfs_memory_mb = 16;
 126 module_param(usbfs_memory_mb, uint, 0644);
 127 MODULE_PARM_DESC(usbfs_memory_mb,
 128                 "maximum MB allowed for usbfs buffers (0 = no limit)");
 129
 130 /* Hard limit, necessary to avoid arithmetic overflow */
 131 #define USBFS_XFER_MAX         (UINT_MAX / 2 - 1000000)
 132
 133 static atomic64_t usbfs_memory_usage;   /* Total memory currently allocated */
 134
 135 /* Check whether it's okay to allocate more memory for a transfer */
 136 static int usbfs_increase_memory_usage(u64 amount)
 137 {
 138         u64 lim;
 139
 140         lim = READ_ONCE(usbfs_memory_mb);
 141         lim <<= 20;
 142
 143         atomic64_add(amount, &usbfs_memory_usage);
 144
 145         if (lim > 0 && atomic64_read(&usbfs_memory_usage) > lim) {
 146                 atomic64_sub(amount, &usbfs_memory_usage);
 147                 return -ENOMEM;
 148         }
 149
 150         return 0;
 151 }
 152
 153 /* Memory for a transfer is being deallocated */
 154 static void usbfs_decrease_memory_usage(u64 amount)
 155 {
 156         atomic64_sub(amount, &usbfs_memory_usage);
 157 }
 158
 159 static int connected(struct usb_dev_state *ps)
 160 {
 161         return (!list_empty(&ps->list) &&
 162                         ps->dev->state != USB_STATE_NOTATTACHED);
 163 }
 164
 165 static void dec_usb_memory_use_count(struct usb_memory *usbm, int *count)
 166 {
 167         struct usb_dev_state *ps = usbm->ps;
 168         unsigned long flags;
 169
 170         spin_lock_irqsave(&ps->lock, flags);
 171         --*count;
 172         if (usbm->urb_use_count == 0 && usbm->vma_use_count == 0) {
 173                 list_del(&usbm->memlist);
 174                 spin_unlock_irqrestore(&ps->lock, flags);
 175
 176                 usb_free_coherent(ps->dev, usbm->size, usbm->mem,
 177                                 usbm->dma_handle);
 178                 usbfs_decrease_memory_usage(
 179                         usbm->size + sizeof(struct usb_memory));
 180                 kfree(usbm);
 181         } else {
 182                 spin_unlock_irqrestore(&ps->lock, flags);
 183         }
 184 }
 185
 186 static void usbdev_vm_open(struct vm_area_struct *vma)
 187 {
 188         struct usb_memory *usbm = vma->vm_private_data;
 189         unsigned long flags;
 190
 191         spin_lock_irqsave(&usbm->ps->lock, flags);
 192         ++usbm->vma_use_count;
 193         spin_unlock_irqrestore(&usbm->ps->lock, flags);
 194 }
 195
 196 static void usbdev_vm_close(struct vm_area_struct *vma)
 197 {
 198         struct usb_memory *usbm = vma->vm_private_data;
 199
 200         dec_usb_memory_use_count(usbm, &usbm->vma_use_count);
 201 }
 202
 203 static const struct vm_operations_struct usbdev_vm_ops = {
 204         .open = usbdev_vm_open,
 205         .close = usbdev_vm_close
 206 };
 207
 208 static int usbdev_mmap(struct file *file, struct vm_area_struct *vma)
 209 {
 210         struct usb_memory *usbm = NULL;
 211         struct usb_dev_state *ps = file->private_data;
 212         size_t size = vma->vm_end - vma->vm_start;
 213         void *mem;
 214         unsigned long flags;
 215         dma_addr_t dma_handle;
 216         int ret;
 217
 218         ret = usbfs_increase_memory_usage(size + sizeof(struct usb_memory));
 219         if (ret)
 220                 goto error;
 221
 222         usbm = kzalloc(sizeof(struct usb_memory), GFP_KERNEL);
 223         if (!usbm) {
 224                 ret = -ENOMEM;
 225                 goto error_decrease_mem;
 226         }
 227
 228         mem = usb_alloc_coherent(ps->dev, size, GFP_USER | __GFP_NOWARN,
 229                         &dma_handle);
 230         if (!mem) {
 231                 ret = -ENOMEM;
 232                 goto error_free_usbm;
 233         }
 234
 235         memset(mem, 0, size);
 236
 237         usbm->mem = mem;
 238         usbm->dma_handle = dma_handle;
 239         usbm->size = size;
 240         usbm->ps = ps;
 241         usbm->vm_start = vma->vm_start;
 242         usbm->vma_use_count = 1;
 243         INIT_LIST_HEAD(&usbm->memlist);
 244
 245         if (remap_pfn_range(vma, vma->vm_start,
 246                         virt_to_phys(usbm->mem) >> PAGE_SHIFT,
 247                         size, vma->vm_page_prot) < 0) {
 248                 dec_usb_memory_use_count(usbm, &usbm->vma_use_count);
 249                 return -EAGAIN;
 250         }
 251
 252         vma->vm_flags |= VM_IO;
 253         vma->vm_flags |= (VM_DONTEXPAND | VM_DONTDUMP);
 254         vma->vm_ops = &usbdev_vm_ops;
 255         vma->vm_private_data = usbm;
 256
 257         spin_lock_irqsave(&ps->lock, flags);
 258         list_add_tail(&usbm->memlist, &ps->memory_list);
 259         spin_unlock_irqrestore(&ps->lock, flags);
 260
 261         return 0;
 262
 263 error_free_usbm:
 264         kfree(usbm);
 265 error_decrease_mem:
 266         usbfs_decrease_memory_usage(size + sizeof(struct usb_memory));
 267 error:
 268         return ret;
 269 }
 270
 271 static ssize_t usbdev_read(struct file *file, char __user *buf, size_t nbytes,
 272                            loff_t *ppos)
 273 {
 274         struct usb_dev_state *ps = file->private_data;
 275         struct usb_device *dev = ps->dev;
 276         ssize_t ret = 0;
 277         unsigned len;
 278         loff_t pos;
 279         int i;
 280
 281         pos = *ppos;
 282         usb_lock_device(dev);
 283         if (!connected(ps)) {
 284                 ret = -ENODEV;
 285                 goto err;
 286         } else if (pos < 0) {
 287                 ret = -EINVAL;
 288                 goto err;
 289         }
 290
 291         if (pos < sizeof(struct usb_device_descriptor)) {
 292                 /* 18 bytes - fits on the stack */
 293                 struct usb_device_descriptor temp_desc;
 294
 295                 memcpy(&temp_desc, &dev->descriptor, sizeof(dev->descriptor));
 296                 le16_to_cpus(&temp_desc.bcdUSB);
 297                 le16_to_cpus(&temp_desc.idVendor);
 298                 le16_to_cpus(&temp_desc.idProduct);
 299                 le16_to_cpus(&temp_desc.bcdDevice);
 300
 301                 len = sizeof(struct usb_device_descriptor) - pos;
 302                 if (len > nbytes)
 303                         len = nbytes;
 304                 if (copy_to_user(buf, ((char *)&temp_desc) + pos, len)) {
 305                         ret = -EFAULT;
 306                         goto err;
 307                 }
 308
 309                 *ppos += len;
 310                 buf += len;
 311                 nbytes -= len;
 312                 ret += len;
 313         }
 314
 315         pos = sizeof(struct usb_device_descriptor);
 316         for (i = 0; nbytes && i < dev->descriptor.bNumConfigurations; i++) {
 317                 struct usb_config_descriptor *config =
 318                         (struct usb_config_descriptor *)dev->rawdescriptors[i];
 319                 unsigned int length = le16_to_cpu(config->wTotalLength);
 320
 321                 if (*ppos < pos + length) {
 322
 323                         /* The descriptor may claim to be longer than it
 324                          * really is.  Here is the actual allocated length. */
 325                         unsigned alloclen =
 326                                 le16_to_cpu(dev->config[i].desc.wTotalLength);
 327
 328                         len = length - (*ppos - pos);
 329                         if (len > nbytes)
 330                                 len = nbytes;
 331
 332                         /* Simply don't write (skip over) unallocated parts */
 333                         if (alloclen > (*ppos - pos)) {
 334                                 alloclen -= (*ppos - pos);
 335                                 if (copy_to_user(buf,
 336                                     dev->rawdescriptors[i] + (*ppos - pos),
 337                                     min(len, alloclen))) {
 338                                         ret = -EFAULT;
 339                                         goto err;
 340                                 }
 341                         }
 342
 343                         *ppos += len;
 344                         buf += len;
 345                         nbytes -= len;
 346                         ret += len;
 347                 }
 348
 349                 pos += length;
 350         }
 351
 352 err:
 353         usb_unlock_device(dev);
 354         return ret;
 355 }
 356
 357 /*
 358  * async list handling
 359  */
 360
 361 static struct async *alloc_async(unsigned int numisoframes)
 362 {
 363         struct async *as;
 364
 365         as = kzalloc(sizeof(struct async), GFP_KERNEL);
 366         if (!as)
 367                 return NULL;
 368         as->urb = usb_alloc_urb(numisoframes, GFP_KERNEL);
 369         if (!as->urb) {
 370                 kfree(as);
 371                 return NULL;
 372         }
 373         return as;
 374 }
 375
 376 static void free_async(struct async *as)
 377 {
 378         int i;
 379
 380         put_pid(as->pid);
 381         if (as->cred)
 382                 put_cred(as->cred);
 383         for (i = 0; i < as->urb->num_sgs; i++) {
 384                 if (sg_page(&as->urb->sg[i]))
 385                         kfree(sg_virt(&as->urb->sg[i]));
 386         }
 387
 388         kfree(as->urb->sg);
 389         if (as->usbm == NULL)
 390                 kfree(as->urb->transfer_buffer);
 391         else
 392                 dec_usb_memory_use_count(as->usbm, &as->usbm->urb_use_count);
 393
 394         kfree(as->urb->setup_packet);
 395         usb_free_urb(as->urb);
 396         usbfs_decrease_memory_usage(as->mem_usage);
 397         kfree(as);
 398 }
 399
 400 static void async_newpending(struct async *as)
 401 {
 402         struct usb_dev_state *ps = as->ps;
 403         unsigned long flags;
 404
 405         spin_lock_irqsave(&ps->lock, flags);
 406         list_add_tail(&as->asynclist, &ps->async_pending);
 407         spin_unlock_irqrestore(&ps->lock, flags);
 408 }
 409
 410 static void async_removepending(struct async *as)
 411 {
 412         struct usb_dev_state *ps = as->ps;
 413         unsigned long flags;
 414
 415         spin_lock_irqsave(&ps->lock, flags);
 416         list_del_init(&as->asynclist);
 417         spin_unlock_irqrestore(&ps->lock, flags);
 418 }
 419
 420 static struct async *async_getcompleted(struct usb_dev_state *ps)
 421 {
 422         unsigned long flags;
 423         struct async *as = NULL;
 424
 425         spin_lock_irqsave(&ps->lock, flags);
 426         if (!list_empty(&ps->async_completed)) {
 427                 as = list_entry(ps->async_completed.next, struct async,
 428                                 asynclist);
 429                 list_del_init(&as->asynclist);
 430         }
 431         spin_unlock_irqrestore(&ps->lock, flags);
 432         return as;
 433 }
 434
 435 static struct async *async_getpending(struct usb_dev_state *ps,
 436                                              void __user *userurb)
 437 {
 438         struct async *as;
 439
 440         list_for_each_entry(as, &ps->async_pending, asynclist)
 441                 if (as->userurb == userurb) {
 442                         list_del_init(&as->asynclist);
 443                         return as;
 444                 }
 445
 446         return NULL;
 447 }
 448
 449 static void snoop_urb(struct usb_device *udev,
 450                 void __user *userurb, int pipe, unsigned length,
 451                 int timeout_or_status, enum snoop_when when,
 452                 unsigned char *data, unsigned data_len)
 453 {
 454         static const char *types[] = {"isoc", "int", "ctrl", "bulk"};
 455         static const char *dirs[] = {"out", "in"};
 456         int ep;
 457         const char *t, *d;
 458
 459         if (!usbfs_snoop)
 460                 return;
 461
 462         ep = usb_pipeendpoint(pipe);
 463         t = types[usb_pipetype(pipe)];
 464         d = dirs[!!usb_pipein(pipe)];
 465
 466         if (userurb) {          /* Async */
 467                 if (when == SUBMIT)
 468                         dev_info(&udev->dev, "userurb %pK, ep%d %s-%s, "
 469                                         "length %u\n",
 470                                         userurb, ep, t, d, length);
 471                 else
 472                         dev_info(&udev->dev, "userurb %pK, ep%d %s-%s, "
 473                                         "actual_length %u status %d\n",
 474                                         userurb, ep, t, d, length,
 475                                         timeout_or_status);
 476         } else {
 477                 if (when == SUBMIT)
 478                         dev_info(&udev->dev, "ep%d %s-%s, length %u, "
 479                                         "timeout %d\n",
 480                                         ep, t, d, length, timeout_or_status);
 481                 else
 482                         dev_info(&udev->dev, "ep%d %s-%s, actual_length %u, "
 483                                         "status %d\n",
 484                                         ep, t, d, length, timeout_or_status);
 485         }
 486
 487         data_len = min(data_len, usbfs_snoop_max);
 488         if (data && data_len > 0) {
 489                 print_hex_dump(KERN_DEBUG, "data: ", DUMP_PREFIX_NONE, 32, 1,
 490                         data, data_len, 1);
 491         }
 492 }
 493
 494 static void snoop_urb_data(struct urb *urb, unsigned len)
 495 {
 496         int i, size;
 497
 498         len = min(len, usbfs_snoop_max);
 499         if (!usbfs_snoop || len == 0)
 500                 return;
 501
 502         if (urb->num_sgs == 0) {
 503                 print_hex_dump(KERN_DEBUG, "data: ", DUMP_PREFIX_NONE, 32, 1,
 504                         urb->transfer_buffer, len, 1);
 505                 return;
 506         }
 507
 508         for (i = 0; i < urb->num_sgs && len; i++) {
 509                 size = (len > USB_SG_SIZE) ? USB_SG_SIZE : len;
 510                 print_hex_dump(KERN_DEBUG, "data: ", DUMP_PREFIX_NONE, 32, 1,
 511                         sg_virt(&urb->sg[i]), size, 1);
 512                 len -= size;
 513         }
 514 }
 515
 516 static int copy_urb_data_to_user(u8 __user *userbuffer, struct urb *urb)
 517 {
 518         unsigned i, len, size;
 519
 520         if (urb->number_of_packets > 0)         /* Isochronous */
 521                 len = urb->transfer_buffer_length;
 522         else                                    /* Non-Isoc */
 523                 len = urb->actual_length;
 524
 525         if (urb->num_sgs == 0) {
 526                 if (copy_to_user(userbuffer, urb->transfer_buffer, len))
 527                         return -EFAULT;
 528                 return 0;
 529         }
 530
 531         for (i = 0; i < urb->num_sgs && len; i++) {
 532                 size = (len > USB_SG_SIZE) ? USB_SG_SIZE : len;
 533                 if (copy_to_user(userbuffer, sg_virt(&urb->sg[i]), size))
 534                         return -EFAULT;
 535                 userbuffer += size;
 536                 len -= size;
 537         }
 538
 539         return 0;
 540 }
 541
 542 #define AS_CONTINUATION 1
 543 #define AS_UNLINK       2
 544
 545 static void cancel_bulk_urbs(struct usb_dev_state *ps, unsigned bulk_addr)
 546 __releases(ps->lock)
 547 __acquires(ps->lock)
 548 {
 549         struct urb *urb;
 550         struct async *as;
 551
 552         /* Mark all the pending URBs that match bulk_addr, up to but not
 553          * including the first one without AS_CONTINUATION.  If such an
 554          * URB is encountered then a new transfer has already started so
 555          * the endpoint doesn't need to be disabled; otherwise it does.
 556          */
 557         list_for_each_entry(as, &ps->async_pending, asynclist) {
 558                 if (as->bulk_addr == bulk_addr) {
 559                         if (as->bulk_status != AS_CONTINUATION)
 560                                 goto rescan;
 561                         as->bulk_status = AS_UNLINK;
 562                         as->bulk_addr = 0;
 563                 }
 564         }
 565         ps->disabled_bulk_eps |= (1 << bulk_addr);
 566
 567         /* Now carefully unlink all the marked pending URBs */
 568  rescan:
 569         list_for_each_entry(as, &ps->async_pending, asynclist) {
 570                 if (as->bulk_status == AS_UNLINK) {
 571                         as->bulk_status = 0;            /* Only once */
 572                         urb = as->urb;
 573                         usb_get_urb(urb);
 574                         spin_unlock(&ps->lock);         /* Allow completions */
 575                         usb_unlink_urb(urb);
 576                         usb_put_urb(urb);
 577                         spin_lock(&ps->lock);
 578                         goto rescan;
 579                 }
 580         }
 581 }
 582
 583 static void async_completed(struct urb *urb)
 584 {
 585         struct async *as = urb->context;
 586         struct usb_dev_state *ps = as->ps;
 587         struct siginfo sinfo;
 588         struct pid *pid = NULL;
 589         u32 secid = 0;
 590         const struct cred *cred = NULL;
 591         int signr;
 592
 593         spin_lock(&ps->lock);
 594         list_move_tail(&as->asynclist, &ps->async_completed);
 595         as->status = urb->status;
 596         signr = as->signr;
 597         if (signr) {
 598                 memset(&sinfo, 0, sizeof(sinfo));
 599                 sinfo.si_signo = as->signr;
 600                 sinfo.si_errno = as->status;
 601                 sinfo.si_code = SI_ASYNCIO;
 602                 sinfo.si_addr = as->userurb;
 603                 pid = get_pid(as->pid);
 604                 cred = get_cred(as->cred);
 605                 secid = as->secid;
 606         }
 607         snoop(&urb->dev->dev, "urb complete\n");
 608         snoop_urb(urb->dev, as->userurb, urb->pipe, urb->actual_length,
 609                         as->status, COMPLETE, NULL, 0);
 610         if ((urb->transfer_flags & URB_DIR_MASK) == URB_DIR_IN)
 611                 snoop_urb_data(urb, urb->actual_length);
 612
 613         if (as->status < 0 && as->bulk_addr && as->status != -ECONNRESET &&
 614                         as->status != -ENOENT)
 615                 cancel_bulk_urbs(ps, as->bulk_addr);
 616
 617         wake_up(&ps->wait);
 618         spin_unlock(&ps->lock);
 619
 620         if (signr) {
 621                 kill_pid_info_as_cred(sinfo.si_signo, &sinfo, pid, cred, secid);
 622                 put_pid(pid);
 623                 put_cred(cred);
 624         }
 625 }
 626
 627 static void destroy_async(struct usb_dev_state *ps, struct list_head *list)
 628 {
 629         struct urb *urb;
 630         struct async *as;
 631         unsigned long flags;
 632
 633         spin_lock_irqsave(&ps->lock, flags);
 634         while (!list_empty(list)) {
 635                 as = list_entry(list->next, struct async, asynclist);
 636                 list_del_init(&as->asynclist);
 637                 urb = as->urb;
 638                 usb_get_urb(urb);
 639
 640                 /* drop the spinlock so the completion handler can run */
 641                 spin_unlock_irqrestore(&ps->lock, flags);
 642                 usb_kill_urb(urb);
 643                 usb_put_urb(urb);
 644                 spin_lock_irqsave(&ps->lock, flags);
 645         }
 646         spin_unlock_irqrestore(&ps->lock, flags);
 647 }
 648
 649 static void destroy_async_on_interface(struct usb_dev_state *ps,
 650                                        unsigned int ifnum)
 651 {
 652         struct list_head *p, *q, hitlist;
 653         unsigned long flags;
 654
 655         INIT_LIST_HEAD(&hitlist);
 656         spin_lock_irqsave(&ps->lock, flags);
 657         list_for_each_safe(p, q, &ps->async_pending)
 658                 if (ifnum == list_entry(p, struct async, asynclist)->ifnum)
 659                         list_move_tail(p, &hitlist);
 660         spin_unlock_irqrestore(&ps->lock, flags);
 661         destroy_async(ps, &hitlist);
 662 }
 663
 664 static void destroy_all_async(struct usb_dev_state *ps)
 665 {
 666         destroy_async(ps, &ps->async_pending);
 667 }
 668
 669 /*
 670  * interface claims are made only at the request of user level code,
 671  * which can also release them (explicitly or by closing files).
 672  * they're also undone when devices disconnect.
 673  */
 674
 675 static int driver_probe(struct usb_interface *intf,
 676                         const struct usb_device_id *id)
 677 {
 678         return -ENODEV;
 679 }
 680
 681 static void driver_disconnect(struct usb_interface *intf)
 682 {
 683         struct usb_dev_state *ps = usb_get_intfdata(intf);
 684         unsigned int ifnum = intf->altsetting->desc.bInterfaceNumber;
 685
 686         if (!ps)
 687                 return;
 688
 689         /* NOTE:  this relies on usbcore having canceled and completed
 690          * all pending I/O requests; 2.6 does that.
 691          */
 692
 693         if (likely(ifnum < 8*sizeof(ps->ifclaimed)))
 694                 clear_bit(ifnum, &ps->ifclaimed);
 695         else
 696                 dev_warn(&intf->dev, "interface number %u out of range\n",
 697                          ifnum);
 698
 699         usb_set_intfdata(intf, NULL);
 700
 701         /* force async requests to complete */
 702         destroy_async_on_interface(ps, ifnum);
 703 }
 704
 705 /* The following routines are merely placeholders.  There is no way
 706  * to inform a user task about suspend or resumes.
 707  */
 708 static int driver_suspend(struct usb_interface *intf, pm_message_t msg)
 709 {
 710         return 0;
 711 }
 712
 713 static int driver_resume(struct usb_interface *intf)
 714 {
 715         return 0;
 716 }
 717
 718 struct usb_driver usbfs_driver = {
 719         .name =         "usbfs",
 720         .probe =        driver_probe,
 721         .disconnect =   driver_disconnect,
 722         .suspend =      driver_suspend,
 723         .resume =       driver_resume,
 724 };
 725
 726 static int claimintf(struct usb_dev_state *ps, unsigned int ifnum)
 727 {
 728         struct usb_device *dev = ps->dev;
 729         struct usb_interface *intf;
 730         int err;
 731
 732         if (ifnum >= 8*sizeof(ps->ifclaimed))
 733                 return -EINVAL;
 734         /* already claimed */
 735         if (test_bit(ifnum, &ps->ifclaimed))
 736                 return 0;
 737
 738         if (ps->privileges_dropped &&
 739                         !test_bit(ifnum, &ps->interface_allowed_mask))
 740                 return -EACCES;
 741
 742         intf = usb_ifnum_to_if(dev, ifnum);
 743         if (!intf)
 744                 err = -ENOENT;
 745         else
 746                 err = usb_driver_claim_interface(&usbfs_driver, intf, ps);
 747         if (err == 0)
 748                 set_bit(ifnum, &ps->ifclaimed);
 749         return err;
 750 }
 751
 752 static int releaseintf(struct usb_dev_state *ps, unsigned int ifnum)
 753 {
 754         struct usb_device *dev;
 755         struct usb_interface *intf;
 756         int err;
 757
 758         err = -EINVAL;
 759         if (ifnum >= 8*sizeof(ps->ifclaimed))
 760                 return err;
 761         dev = ps->dev;
 762         intf = usb_ifnum_to_if(dev, ifnum);
 763         if (!intf)
 764                 err = -ENOENT;
 765         else if (test_and_clear_bit(ifnum, &ps->ifclaimed)) {
 766                 usb_driver_release_interface(&usbfs_driver, intf);
 767                 err = 0;
 768         }
 769         return err;
 770 }
 771
 772 static int checkintf(struct usb_dev_state *ps, unsigned int ifnum)
 773 {
 774         if (ps->dev->state != USB_STATE_CONFIGURED)
 775                 return -EHOSTUNREACH;
 776         if (ifnum >= 8*sizeof(ps->ifclaimed))
 777                 return -EINVAL;
 778         if (test_bit(ifnum, &ps->ifclaimed))
 779                 return 0;
 780         /* if not yet claimed, claim it for the driver */
 781         dev_warn(&ps->dev->dev, "usbfs: process %d (%s) did not claim "
 782                  "interface %u before use\n", task_pid_nr(current),
 783                  current->comm, ifnum);
 784         return claimintf(ps, ifnum);
 785 }
 786
 787 static int findintfep(struct usb_device *dev, unsigned int ep)
 788 {
 789         unsigned int i, j, e;
 790         struct usb_interface *intf;
 791         struct usb_host_interface *alts;
 792         struct usb_endpoint_descriptor *endpt;
 793
 794         if (ep & ~(USB_DIR_IN|0xf))
 795                 return -EINVAL;
 796         if (!dev->actconfig)
 797                 return -ESRCH;
 798         for (i = 0; i < dev->actconfig->desc.bNumInterfaces; i++) {
 799                 intf = dev->actconfig->interface[i];
 800                 for (j = 0; j < intf->num_altsetting; j++) {
 801                         alts = &intf->altsetting[j];
 802                         for (e = 0; e < alts->desc.bNumEndpoints; e++) {
 803                                 endpt = &alts->endpoint[e].desc;
 804                                 if (endpt->bEndpointAddress == ep)
 805                                         return alts->desc.bInterfaceNumber;
 806                         }
 807                 }
 808         }
 809         return -ENOENT;
 810 }
 811
 812 static int check_ctrlrecip(struct usb_dev_state *ps, unsigned int requesttype,
 813                            unsigned int request, unsigned int index)
 814 {
 815         int ret = 0;
 816         struct usb_host_interface *alt_setting;
 817
 818         if (ps->dev->state != USB_STATE_UNAUTHENTICATED
 819          && ps->dev->state != USB_STATE_ADDRESS
 820          && ps->dev->state != USB_STATE_CONFIGURED)
 821                 return -EHOSTUNREACH;
 822         if (USB_TYPE_VENDOR == (USB_TYPE_MASK & requesttype))
 823                 return 0;
 824
 825         /*
 826          * check for the special corner case 'get_device_id' in the printer
 827          * class specification, which we always want to allow as it is used
 828          * to query things like ink level, etc.
 829          */
 830         if (requesttype == 0xa1 && request == 0) {
 831                 alt_setting = usb_find_alt_setting(ps->dev->actconfig,
 832                                                    index >> 8, index & 0xff);
 833                 if (alt_setting
 834                  && alt_setting->desc.bInterfaceClass == USB_CLASS_PRINTER)
 835                         return 0;
 836         }
 837
 838         index &= 0xff;
 839         switch (requesttype & USB_RECIP_MASK) {
 840         case USB_RECIP_ENDPOINT:
 841                 if ((index & ~USB_DIR_IN) == 0)
 842                         return 0;
 843                 ret = findintfep(ps->dev, index);
 844                 if (ret < 0) {
 845                         /*
 846                          * Some not fully compliant Win apps seem to get
 847                          * index wrong and have the endpoint number here
 848                          * rather than the endpoint address (with the
 849                          * correct direction). Win does let this through,
 850                          * so we'll not reject it here but leave it to
 851                          * the device to not break KVM. But we warn.
 852                          */
 853                         ret = findintfep(ps->dev, index ^ 0x80);
 854                         if (ret >= 0)
 855                                 dev_info(&ps->dev->dev,
 856                                         "%s: process %i (%s) requesting ep %02x but needs %02x\n",
 857                                         __func__, task_pid_nr(current),
 858                                         current->comm, index, index ^ 0x80);
 859                 }
 860                 if (ret >= 0)
 861                         ret = checkintf(ps, ret);
 862                 break;
 863
 864         case USB_RECIP_INTERFACE:
 865                 ret = checkintf(ps, index);
 866                 break;
 867         }
 868         return ret;
 869 }
 870
 871 static struct usb_host_endpoint *ep_to_host_endpoint(struct usb_device *dev,
 872                                                      unsigned char ep)
 873 {
 874         if (ep & USB_ENDPOINT_DIR_MASK)
 875                 return dev->ep_in[ep & USB_ENDPOINT_NUMBER_MASK];
 876         else
 877                 return dev->ep_out[ep & USB_ENDPOINT_NUMBER_MASK];
 878 }
 879
 880 static int parse_usbdevfs_streams(struct usb_dev_state *ps,
 881                                   struct usbdevfs_streams __user *streams,
 882                                   unsigned int *num_streams_ret,
 883                                   unsigned int *num_eps_ret,
 884                                   struct usb_host_endpoint ***eps_ret,
 885                                   struct usb_interface **intf_ret)
 886 {
 887         unsigned int i, num_streams, num_eps;
 888         struct usb_host_endpoint **eps;
 889         struct usb_interface *intf = NULL;
 890         unsigned char ep;
 891         int ifnum, ret;
 892
 893         if (get_user(num_streams, &streams->num_streams) ||
 894             get_user(num_eps, &streams->num_eps))
 895                 return -EFAULT;
 896
 897         if (num_eps < 1 || num_eps > USB_MAXENDPOINTS)
 898                 return -EINVAL;
 899
 900         /* The XHCI controller allows max 2 ^ 16 streams */
 901         if (num_streams_ret && (num_streams < 2 || num_streams > 65536))
 902                 return -EINVAL;
 903
 904         eps = kmalloc(num_eps * sizeof(*eps), GFP_KERNEL);
 905         if (!eps)
 906                 return -ENOMEM;
 907
 908         for (i = 0; i < num_eps; i++) {
 909                 if (get_user(ep, &streams->eps[i])) {
 910                         ret = -EFAULT;
 911                         goto error;
 912                 }
 913                 eps[i] = ep_to_host_endpoint(ps->dev, ep);
 914                 if (!eps[i]) {
 915                         ret = -EINVAL;
 916                         goto error;
 917                 }
 918
 919                 /* usb_alloc/free_streams operate on an usb_interface */
 920                 ifnum = findintfep(ps->dev, ep);
 921                 if (ifnum < 0) {
 922                         ret = ifnum;
 923                         goto error;
 924                 }
 925
 926                 if (i == 0) {
 927                         ret = checkintf(ps, ifnum);
 928                         if (ret < 0)
 929                                 goto error;
 930                         intf = usb_ifnum_to_if(ps->dev, ifnum);
 931                 } else {
 932                         /* Verify all eps belong to the same interface */
 933                         if (ifnum != intf->altsetting->desc.bInterfaceNumber) {
 934                                 ret = -EINVAL;
 935                                 goto error;
 936                         }
 937                 }
 938         }
 939
 940         if (num_streams_ret)
 941                 *num_streams_ret = num_streams;
 942         *num_eps_ret = num_eps;
 943         *eps_ret = eps;
 944         *intf_ret = intf;
 945
 946         return 0;
 947
 948 error:
 949         kfree(eps);
 950         return ret;
 951 }
 952
 953 static int match_devt(struct device *dev, void *data)
 954 {
 955         return dev->devt == (dev_t) (unsigned long) data;
 956 }
 957
 958 static struct usb_device *usbdev_lookup_by_devt(dev_t devt)
 959 {
 960         struct device *dev;
 961
 962         dev = bus_find_device(&usb_bus_type, NULL,
 963                               (void *) (unsigned long) devt, match_devt);
 964         if (!dev)
 965                 return NULL;
 966         return to_usb_device(dev);
 967 }
 968
 969 /*
 970  * file operations
 971  */
 972 static int usbdev_open(struct inode *inode, struct file *file)
 973 {
 974         struct usb_device *dev = NULL;
 975         struct usb_dev_state *ps;
 976         int ret;
 977
 978         ret = -ENOMEM;
 979         ps = kzalloc(sizeof(struct usb_dev_state), GFP_KERNEL);
 980         if (!ps)
 981                 goto out_free_ps;
 982
 983         ret = -ENODEV;
 984
 985         /* Protect against simultaneous removal or release */
 986         mutex_lock(&usbfs_mutex);
 987
 988         /* usbdev device-node */
 989         if (imajor(inode) == USB_DEVICE_MAJOR)
 990                 dev = usbdev_lookup_by_devt(inode->i_rdev);
 991
 992         mutex_unlock(&usbfs_mutex);
 993
 994         if (!dev)
 995                 goto out_free_ps;
 996
 997         usb_lock_device(dev);
 998         if (dev->state == USB_STATE_NOTATTACHED)
 999                 goto out_unlock_device;
1000
1001         ret = usb_autoresume_device(dev);
1002         if (ret)
1003                 goto out_unlock_device;
1004
1005         ps->dev = dev;
1006         ps->file = file;
1007         ps->interface_allowed_mask = 0xFFFFFFFF; /* 32 bits */
1008         spin_lock_init(&ps->lock);
1009         INIT_LIST_HEAD(&ps->list);
1010         INIT_LIST_HEAD(&ps->async_pending);
1011         INIT_LIST_HEAD(&ps->async_completed);
1012         INIT_LIST_HEAD(&ps->memory_list);
1013         init_waitqueue_head(&ps->wait);
1014         ps->disc_pid = get_pid(task_pid(current));
1015         ps->cred = get_current_cred();
1016         security_task_getsecid(current, &ps->secid);
1017         smp_wmb();
1018         list_add_tail(&ps->list, &dev->filelist);
1019         file->private_data = ps;
1020         usb_unlock_device(dev);
1021         snoop(&dev->dev, "opened by process %d: %s\n", task_pid_nr(current),
1022                         current->comm);
1023         return ret;
1024
1025  out_unlock_device:
1026         usb_unlock_device(dev);
1027         usb_put_dev(dev);
1028  out_free_ps:
1029         kfree(ps);
1030         return ret;
1031 }
1032
1033 static int usbdev_release(struct inode *inode, struct file *file)
1034 {
1035         struct usb_dev_state *ps = file->private_data;
1036         struct usb_device *dev = ps->dev;
1037         unsigned int ifnum;
1038         struct async *as;
1039
1040         usb_lock_device(dev);
1041         usb_hub_release_all_ports(dev, ps);
1042
1043         list_del_init(&ps->list);
1044
1045         for (ifnum = 0; ps->ifclaimed && ifnum < 8*sizeof(ps->ifclaimed);
1046                         ifnum++) {
1047                 if (test_bit(ifnum, &ps->ifclaimed))
1048                         releaseintf(ps, ifnum);
1049         }
1050         destroy_all_async(ps);
1051         usb_autosuspend_device(dev);
1052         usb_unlock_device(dev);
1053         usb_put_dev(dev);
1054         put_pid(ps->disc_pid);
1055         put_cred(ps->cred);
1056
1057         as = async_getcompleted(ps);
1058         while (as) {
1059                 free_async(as);
1060                 as = async_getcompleted(ps);
1061         }
1062
1063         kfree(ps);
1064         return 0;
1065 }
1066
1067 static int proc_control(struct usb_dev_state *ps, void __user *arg)
1068 {
1069         struct usb_device *dev = ps->dev;
1070         struct usbdevfs_ctrltransfer ctrl;
1071         unsigned int tmo;
1072         unsigned char *tbuf;
1073         unsigned wLength;
1074         int i, pipe, ret;
1075
1076         if (copy_from_user(&ctrl, arg, sizeof(ctrl)))
1077                 return -EFAULT;
1078         ret = check_ctrlrecip(ps, ctrl.bRequestType, ctrl.bRequest,
1079                               ctrl.wIndex);
1080         if (ret)
1081                 return ret;
1082         wLength = ctrl.wLength;         /* To suppress 64k PAGE_SIZE warning */
1083         if (wLength > PAGE_SIZE)
1084                 return -EINVAL;
1085         ret = usbfs_increase_memory_usage(PAGE_SIZE + sizeof(struct urb) +
1086                         sizeof(struct usb_ctrlrequest));
1087         if (ret)
1088                 return ret;
1089         tbuf = (unsigned char *)__get_free_page(GFP_KERNEL);
1090         if (!tbuf) {
1091                 ret = -ENOMEM;
1092                 goto done;
1093         }
1094         tmo = ctrl.timeout;
1095         snoop(&dev->dev, "control urb: bRequestType=%02x "
1096                 "bRequest=%02x wValue=%04x "
1097                 "wIndex=%04x wLength=%04x\n",
1098                 ctrl.bRequestType, ctrl.bRequest, ctrl.wValue,
1099                 ctrl.wIndex, ctrl.wLength);
1100         if (ctrl.bRequestType & 0x80) {
1101                 if (ctrl.wLength && !access_ok(VERIFY_WRITE, ctrl.data,
1102                                                ctrl.wLength)) {
1103                         ret = -EINVAL;
1104                         goto done;
1105                 }
1106                 pipe = usb_rcvctrlpipe(dev, 0);
1107                 snoop_urb(dev, NULL, pipe, ctrl.wLength, tmo, SUBMIT, NULL, 0);
1108
1109                 usb_unlock_device(dev);
1110                 i = usb_control_msg(dev, pipe, ctrl.bRequest,
1111                                     ctrl.bRequestType, ctrl.wValue, ctrl.wIndex,
1112                                     tbuf, ctrl.wLength, tmo);
1113                 usb_lock_device(dev);
1114                 snoop_urb(dev, NULL, pipe, max(i, 0), min(i, 0), COMPLETE,
1115                           tbuf, max(i, 0));
1116                 if ((i > 0) && ctrl.wLength) {
1117                         if (copy_to_user(ctrl.data, tbuf, i)) {
1118                                 ret = -EFAULT;
1119                                 goto done;
1120                         }
1121                 }
1122         } else {
1123                 if (ctrl.wLength) {
1124                         if (copy_from_user(tbuf, ctrl.data, ctrl.wLength)) {
1125                                 ret = -EFAULT;
1126                                 goto done;
1127                         }
1128                 }
1129                 pipe = usb_sndctrlpipe(dev, 0);
1130                 snoop_urb(dev, NULL, pipe, ctrl.wLength, tmo, SUBMIT,
1131                         tbuf, ctrl.wLength);
1132
1133                 usb_unlock_device(dev);
1134                 i = usb_control_msg(dev, usb_sndctrlpipe(dev, 0), ctrl.bRequest,
1135                                     ctrl.bRequestType, ctrl.wValue, ctrl.wIndex,
1136                                     tbuf, ctrl.wLength, tmo);
1137                 usb_lock_device(dev);
1138                 snoop_urb(dev, NULL, pipe, max(i, 0), min(i, 0), COMPLETE, NULL, 0);
1139         }
1140         if (i < 0 && i != -EPIPE) {
1141                 dev_printk(KERN_DEBUG, &dev->dev, "usbfs: USBDEVFS_CONTROL "
1142                            "failed cmd %s rqt %u rq %u len %u ret %d\n",
1143                            current->comm, ctrl.bRequestType, ctrl.bRequest,
1144                            ctrl.wLength, i);
1145         }
1146         ret = i;
1147  done:
1148         free_page((unsigned long) tbuf);
1149         usbfs_decrease_memory_usage(PAGE_SIZE + sizeof(struct urb) +
1150                         sizeof(struct usb_ctrlrequest));
1151         return ret;
1152 }
1153
1154 static int proc_bulk(struct usb_dev_state *ps, void __user *arg)
1155 {
1156         struct usb_device *dev = ps->dev;
1157         struct usbdevfs_bulktransfer bulk;
1158         unsigned int tmo, len1, pipe;
1159         int len2;
1160         unsigned char *tbuf;
1161         int i, ret;
1162
1163         if (copy_from_user(&bulk, arg, sizeof(bulk)))
1164                 return -EFAULT;
1165         ret = findintfep(ps->dev, bulk.ep);
1166         if (ret < 0)
1167                 return ret;
1168         ret = checkintf(ps, ret);
1169         if (ret)
1170                 return ret;
1171         if (bulk.ep & USB_DIR_IN)
1172                 pipe = usb_rcvbulkpipe(dev, bulk.ep & 0x7f);
1173         else
1174                 pipe = usb_sndbulkpipe(dev, bulk.ep & 0x7f);
1175         if (!usb_maxpacket(dev, pipe, !(bulk.ep & USB_DIR_IN)))
1176                 return -EINVAL;
1177         len1 = bulk.len;
1178         if (len1 >= (INT_MAX - sizeof(struct urb)))
1179                 return -EINVAL;
1180         ret = usbfs_increase_memory_usage(len1 + sizeof(struct urb));
1181         if (ret)
1182                 return ret;
1183         tbuf = kmalloc(len1, GFP_KERNEL);
1184         if (!tbuf) {
1185                 ret = -ENOMEM;
1186                 goto done;
1187         }
1188         tmo = bulk.timeout;
1189         if (bulk.ep & 0x80) {
1190                 if (len1 && !access_ok(VERIFY_WRITE, bulk.data, len1)) {
1191                         ret = -EINVAL;
1192                         goto done;
1193                 }
1194                 snoop_urb(dev, NULL, pipe, len1, tmo, SUBMIT, NULL, 0);
1195
1196                 usb_unlock_device(dev);
1197                 i = usb_bulk_msg(dev, pipe, tbuf, len1, &len2, tmo);
1198                 usb_lock_device(dev);
1199                 snoop_urb(dev, NULL, pipe, len2, i, COMPLETE, tbuf, len2);
1200
1201                 if (!i && len2) {
1202                         if (copy_to_user(bulk.data, tbuf, len2)) {
1203                                 ret = -EFAULT;
1204                                 goto done;
1205                         }
1206                 }
1207         } else {
1208                 if (len1) {
1209                         if (copy_from_user(tbuf, bulk.data, len1)) {
1210                                 ret = -EFAULT;
1211                                 goto done;
1212                         }
1213                 }
1214                 snoop_urb(dev, NULL, pipe, len1, tmo, SUBMIT, tbuf, len1);
1215
1216                 usb_unlock_device(dev);
1217                 i = usb_bulk_msg(dev, pipe, tbuf, len1, &len2, tmo);
1218                 usb_lock_device(dev);
1219                 snoop_urb(dev, NULL, pipe, len2, i, COMPLETE, NULL, 0);
1220         }
1221         ret = (i < 0 ? i : len2);
1222  done:
1223         kfree(tbuf);
1224         usbfs_decrease_memory_usage(len1 + sizeof(struct urb));
1225         return ret;
1226 }
1227
1228 static void check_reset_of_active_ep(struct usb_device *udev,
1229                 unsigned int epnum, char *ioctl_name)
1230 {
1231         struct usb_host_endpoint **eps;
1232         struct usb_host_endpoint *ep;
1233
1234         eps = (epnum & USB_DIR_IN) ? udev->ep_in : udev->ep_out;
1235         ep = eps[epnum & 0x0f];
1236         if (ep && !list_empty(&ep->urb_list))
1237                 dev_warn(&udev->dev, "Process %d (%s) called USBDEVFS_%s for active endpoint 0x%02x\n",
1238                                 task_pid_nr(current), current->comm,
1239                                 ioctl_name, epnum);
1240 }
1241
1242 static int proc_resetep(struct usb_dev_state *ps, void __user *arg)
1243 {
1244         unsigned int ep;
1245         int ret;
1246
1247         if (get_user(ep, (unsigned int __user *)arg))
1248                 return -EFAULT;
1249         ret = findintfep(ps->dev, ep);
1250         if (ret < 0)
1251                 return ret;
1252         ret = checkintf(ps, ret);
1253         if (ret)
1254                 return ret;
1255         check_reset_of_active_ep(ps->dev, ep, "RESETEP");
1256         usb_reset_endpoint(ps->dev, ep);
1257         return 0;
1258 }
1259
1260 static int proc_clearhalt(struct usb_dev_state *ps, void __user *arg)
1261 {
1262         unsigned int ep;
1263         int pipe;
1264         int ret;
1265
1266         if (get_user(ep, (unsigned int __user *)arg))
1267                 return -EFAULT;
1268         ret = findintfep(ps->dev, ep);
1269         if (ret < 0)
1270                 return ret;
1271         ret = checkintf(ps, ret);
1272         if (ret)
1273                 return ret;
1274         check_reset_of_active_ep(ps->dev, ep, "CLEAR_HALT");
1275         if (ep & USB_DIR_IN)
1276                 pipe = usb_rcvbulkpipe(ps->dev, ep & 0x7f);
1277         else
1278                 pipe = usb_sndbulkpipe(ps->dev, ep & 0x7f);
1279
1280         return usb_clear_halt(ps->dev, pipe);
1281 }
1282
1283 static int proc_getdriver(struct usb_dev_state *ps, void __user *arg)
1284 {
1285         struct usbdevfs_getdriver gd;
1286         struct usb_interface *intf;
1287         int ret;
1288
1289         if (copy_from_user(&gd, arg, sizeof(gd)))
1290                 return -EFAULT;
1291         intf = usb_ifnum_to_if(ps->dev, gd.interface);
1292         if (!intf || !intf->dev.driver)
1293                 ret = -ENODATA;
1294         else {
1295                 strlcpy(gd.driver, intf->dev.driver->name,
1296                                 sizeof(gd.driver));
1297                 ret = (copy_to_user(arg, &gd, sizeof(gd)) ? -EFAULT : 0);
1298         }
1299         return ret;
1300 }
1301
1302 static int proc_connectinfo(struct usb_dev_state *ps, void __user *arg)
1303 {
1304         struct usbdevfs_connectinfo ci;
1305
1306         memset(&ci, 0, sizeof(ci));
1307         ci.devnum = ps->dev->devnum;
1308         ci.slow = ps->dev->speed == USB_SPEED_LOW;
1309
1310         if (copy_to_user(arg, &ci, sizeof(ci)))
1311                 return -EFAULT;
1312         return 0;
1313 }
1314
1315 static int proc_resetdevice(struct usb_dev_state *ps)
1316 {
1317         struct usb_host_config *actconfig = ps->dev->actconfig;
1318         struct usb_interface *interface;
1319         int i, number;
1320
1321         /* Don't allow a device reset if the process has dropped the
1322          * privilege to do such things and any of the interfaces are
1323          * currently claimed.
1324          */
1325         if (ps->privileges_dropped && actconfig) {
1326                 for (i = 0; i < actconfig->desc.bNumInterfaces; ++i) {
1327                         interface = actconfig->interface[i];
1328                         number = interface->cur_altsetting->desc.bInterfaceNumber;
1329                         if (usb_interface_claimed(interface) &&
1330                                         !test_bit(number, &ps->ifclaimed)) {
1331                                 dev_warn(&ps->dev->dev,
1332                                         "usbfs: interface %d claimed by %s while '%s' resets device\n",
1333                                         number, interface->dev.driver->name, current->comm);
1334                                 return -EACCES;
1335                         }
1336                 }
1337         }
1338
1339         return usb_reset_device(ps->dev);
1340 }
1341
1342 static int proc_setintf(struct usb_dev_state *ps, void __user *arg)
1343 {
1344         struct usbdevfs_setinterface setintf;
1345         int ret;
1346
1347         if (copy_from_user(&setintf, arg, sizeof(setintf)))
1348                 return -EFAULT;
1349         ret = checkintf(ps, setintf.interface);
1350         if (ret)
1351                 return ret;
1352
1353         destroy_async_on_interface(ps, setintf.interface);
1354
1355         return usb_set_interface(ps->dev, setintf.interface,
1356                         setintf.altsetting);
1357 }
1358
1359 static int proc_setconfig(struct usb_dev_state *ps, void __user *arg)
1360 {
1361         int u;
1362         int status = 0;
1363         struct usb_host_config *actconfig;
1364
1365         if (get_user(u, (int __user *)arg))
1366                 return -EFAULT;
1367
1368         actconfig = ps->dev->actconfig;
1369
1370         /* Don't touch the device if any interfaces are claimed.
1371          * It could interfere with other drivers' operations, and if
1372          * an interface is claimed by usbfs it could easily deadlock.
1373          */
1374         if (actconfig) {
1375                 int i;
1376
1377                 for (i = 0; i < actconfig->desc.bNumInterfaces; ++i) {
1378                         if (usb_interface_claimed(actconfig->interface[i])) {
1379                                 dev_warn(&ps->dev->dev,
1380                                         "usbfs: interface %d claimed by %s "
1381                                         "while '%s' sets config #%d\n",
1382                                         actconfig->interface[i]
1383                                                 ->cur_altsetting
1384                                                 ->desc.bInterfaceNumber,
1385                                         actconfig->interface[i]
1386                                                 ->dev.driver->name,
1387                                         current->comm, u);
1388                                 status = -EBUSY;
1389                                 break;
1390                         }
1391                 }
1392         }
1393
1394         /* SET_CONFIGURATION is often abused as a "cheap" driver reset,
1395          * so avoid usb_set_configuration()'s kick to sysfs
1396          */
1397         if (status == 0) {
1398                 if (actconfig && actconfig->desc.bConfigurationValue == u)
1399                         status = usb_reset_configuration(ps->dev);
1400                 else
1401                         status = usb_set_configuration(ps->dev, u);
1402         }
1403
1404         return status;
1405 }
1406
1407 static struct usb_memory *
1408 find_memory_area(struct usb_dev_state *ps, const struct usbdevfs_urb *uurb)
1409 {
1410         struct usb_memory *usbm = NULL, *iter;
1411         unsigned long flags;
1412         unsigned long uurb_start = (unsigned long)uurb->buffer;
1413
1414         spin_lock_irqsave(&ps->lock, flags);
1415         list_for_each_entry(iter, &ps->memory_list, memlist) {
1416                 if (uurb_start >= iter->vm_start &&
1417                                 uurb_start < iter->vm_start + iter->size) {
1418                         if (uurb->buffer_length > iter->vm_start + iter->size -
1419                                         uurb_start) {
1420                                 usbm = ERR_PTR(-EINVAL);
1421                         } else {
1422                                 usbm = iter;
1423                                 usbm->urb_use_count++;
1424                         }
1425                         break;
1426                 }
1427         }
1428         spin_unlock_irqrestore(&ps->lock, flags);
1429         return usbm;
1430 }
1431
1432 static int proc_do_submiturb(struct usb_dev_state *ps, struct usbdevfs_urb *uurb,
1433                         struct usbdevfs_iso_packet_desc __user *iso_frame_desc,
1434                         void __user *arg)
1435 {
1436         struct usbdevfs_iso_packet_desc *isopkt = NULL;
1437         struct usb_host_endpoint *ep;
1438         struct async *as = NULL;
1439         struct usb_ctrlrequest *dr = NULL;
1440         unsigned int u, totlen, isofrmlen;
1441         int i, ret, is_in, num_sgs = 0, ifnum = -1;
1442         int number_of_packets = 0;
1443         unsigned int stream_id = 0;
1444         void *buf;
1445         unsigned long mask =    USBDEVFS_URB_SHORT_NOT_OK |
1446                                 USBDEVFS_URB_BULK_CONTINUATION |
1447                                 USBDEVFS_URB_NO_FSBR |
1448                                 USBDEVFS_URB_ZERO_PACKET |
1449                                 USBDEVFS_URB_NO_INTERRUPT;
1450         /* USBDEVFS_URB_ISO_ASAP is a special case */
1451         if (uurb->type == USBDEVFS_URB_TYPE_ISO)
1452                 mask |= USBDEVFS_URB_ISO_ASAP;
1453
1454         if (uurb->flags & ~mask)
1455                         return -EINVAL;
1456
1457         if ((unsigned int)uurb->buffer_length >= USBFS_XFER_MAX)
1458                 return -EINVAL;
1459         if (uurb->buffer_length > 0 && !uurb->buffer)
1460                 return -EINVAL;
1461         if (!(uurb->type == USBDEVFS_URB_TYPE_CONTROL &&
1462             (uurb->endpoint & ~USB_ENDPOINT_DIR_MASK) == 0)) {
1463                 ifnum = findintfep(ps->dev, uurb->endpoint);
1464                 if (ifnum < 0)
1465                         return ifnum;
1466                 ret = checkintf(ps, ifnum);
1467                 if (ret)
1468                         return ret;
1469         }
1470         ep = ep_to_host_endpoint(ps->dev, uurb->endpoint);
1471         if (!ep)
1472                 return -ENOENT;
1473         is_in = (uurb->endpoint & USB_ENDPOINT_DIR_MASK) != 0;
1474
1475         u = 0;
1476         switch (uurb->type) {
1477         case USBDEVFS_URB_TYPE_CONTROL:
1478                 if (!usb_endpoint_xfer_control(&ep->desc))
1479                         return -EINVAL;
1480                 /* min 8 byte setup packet */
1481                 if (uurb->buffer_length < 8)
1482                         return -EINVAL;
1483                 dr = kmalloc(sizeof(struct usb_ctrlrequest), GFP_KERNEL);
1484                 if (!dr)
1485                         return -ENOMEM;
1486                 if (copy_from_user(dr, uurb->buffer, 8)) {
1487                         ret = -EFAULT;
1488                         goto error;
1489                 }
1490                 if (uurb->buffer_length < (le16_to_cpup(&dr->wLength) + 8)) {
1491                         ret = -EINVAL;
1492                         goto error;
1493                 }
1494                 ret = check_ctrlrecip(ps, dr->bRequestType, dr->bRequest,
1495                                       le16_to_cpup(&dr->wIndex));
1496                 if (ret)
1497                         goto error;
1498                 uurb->buffer_length = le16_to_cpup(&dr->wLength);
1499                 uurb->buffer += 8;
1500                 if ((dr->bRequestType & USB_DIR_IN) && uurb->buffer_length) {
1501                         is_in = 1;
1502                         uurb->endpoint |= USB_DIR_IN;
1503                 } else {
1504                         is_in = 0;
1505                         uurb->endpoint &= ~USB_DIR_IN;
1506                 }
1507                 snoop(&ps->dev->dev, "control urb: bRequestType=%02x "
1508                         "bRequest=%02x wValue=%04x "
1509                         "wIndex=%04x wLength=%04x\n",
1510                         dr->bRequestType, dr->bRequest,
1511                         __le16_to_cpup(&dr->wValue),
1512                         __le16_to_cpup(&dr->wIndex),
1513                         __le16_to_cpup(&dr->wLength));
1514                 u = sizeof(struct usb_ctrlrequest);
1515                 break;
1516
1517         case USBDEVFS_URB_TYPE_BULK:
1518                 switch (usb_endpoint_type(&ep->desc)) {
1519                 case USB_ENDPOINT_XFER_CONTROL:
1520                 case USB_ENDPOINT_XFER_ISOC:
1521                         return -EINVAL;
1522                 case USB_ENDPOINT_XFER_INT:
1523                         /* allow single-shot interrupt transfers */
1524                         uurb->type = USBDEVFS_URB_TYPE_INTERRUPT;
1525                         goto interrupt_urb;
1526                 }
1527                 num_sgs = DIV_ROUND_UP(uurb->buffer_length, USB_SG_SIZE);
1528                 if (num_sgs == 1 || num_sgs > ps->dev->bus->sg_tablesize)
1529                         num_sgs = 0;
1530                 if (ep->streams)
1531                         stream_id = uurb->stream_id;
1532                 break;
1533
1534         case USBDEVFS_URB_TYPE_INTERRUPT:
1535                 if (!usb_endpoint_xfer_int(&ep->desc))
1536                         return -EINVAL;
1537  interrupt_urb:
1538                 break;
1539
1540         case USBDEVFS_URB_TYPE_ISO:
1541                 /* arbitrary limit */
1542                 if (uurb->number_of_packets < 1 ||
1543                     uurb->number_of_packets > 128)
1544                         return -EINVAL;
1545                 if (!usb_endpoint_xfer_isoc(&ep->desc))
1546                         return -EINVAL;
1547                 number_of_packets = uurb->number_of_packets;
1548                 isofrmlen = sizeof(struct usbdevfs_iso_packet_desc) *
1549                                    number_of_packets;
1550                 isopkt = memdup_user(iso_frame_desc, isofrmlen);
1551                 if (IS_ERR(isopkt)) {
1552                         ret = PTR_ERR(isopkt);
1553                         isopkt = NULL;
1554                         goto error;
1555                 }
1556                 for (totlen = u = 0; u < number_of_packets; u++) {
1557                         /*
1558                          * arbitrary limit need for USB 3.0
1559                          * bMaxBurst (0~15 allowed, 1~16 packets)
1560                          * bmAttributes (bit 1:0, mult 0~2, 1~3 packets)
1561                          * sizemax: 1024 * 16 * 3 = 49152
1562                          */
1563                         if (isopkt[u].length > 49152) {
1564                                 ret = -EINVAL;
1565                                 goto error;
1566                         }
1567                         totlen += isopkt[u].length;
1568                 }
1569                 u *= sizeof(struct usb_iso_packet_descriptor);
1570                 uurb->buffer_length = totlen;
1571                 break;
1572
1573         default:
1574                 return -EINVAL;
1575         }
1576
1577         if (uurb->buffer_length > 0 &&
1578                         !access_ok(is_in ? VERIFY_WRITE : VERIFY_READ,
1579                                 uurb->buffer, uurb->buffer_length)) {
1580                 ret = -EFAULT;
1581                 goto error;
1582         }
1583         as = alloc_async(number_of_packets);
1584         if (!as) {
1585                 ret = -ENOMEM;
1586                 goto error;
1587         }
1588
1589         as->usbm = find_memory_area(ps, uurb);
1590         if (IS_ERR(as->usbm)) {
1591                 ret = PTR_ERR(as->usbm);
1592                 as->usbm = NULL;
1593                 goto error;
1594         }
1595
1596         /* do not use SG buffers when memory mapped segments
1597          * are in use
1598          */
1599         if (as->usbm)
1600                 num_sgs = 0;
1601
1602         u += sizeof(struct async) + sizeof(struct urb) + uurb->buffer_length +
1603              num_sgs * sizeof(struct scatterlist);
1604         ret = usbfs_increase_memory_usage(u);
1605         if (ret)
1606                 goto error;
1607         as->mem_usage = u;
1608
1609         if (num_sgs) {
1610                 as->urb->sg = kmalloc(num_sgs * sizeof(struct scatterlist),
1611                                       GFP_KERNEL);
1612                 if (!as->urb->sg) {
1613                         ret = -ENOMEM;
1614                         goto error;
1615                 }
1616                 as->urb->num_sgs = num_sgs;
1617                 sg_init_table(as->urb->sg, as->urb->num_sgs);
1618
1619                 totlen = uurb->buffer_length;
1620                 for (i = 0; i < as->urb->num_sgs; i++) {
1621                         u = (totlen > USB_SG_SIZE) ? USB_SG_SIZE : totlen;
1622                         buf = kmalloc(u, GFP_KERNEL);
1623                         if (!buf) {
1624                                 ret = -ENOMEM;
1625                                 goto error;
1626                         }
1627                         sg_set_buf(&as->urb->sg[i], buf, u);
1628
1629                         if (!is_in) {
1630                                 if (copy_from_user(buf, uurb->buffer, u)) {
1631                                         ret = -EFAULT;
1632                                         goto error;
1633                                 }
1634                                 uurb->buffer += u;
1635                         }
1636                         totlen -= u;
1637                 }
1638         } else if (uurb->buffer_length > 0) {
1639                 if (as->usbm) {
1640                         unsigned long uurb_start = (unsigned long)uurb->buffer;
1641
1642                         as->urb->transfer_buffer = as->usbm->mem +
1643                                         (uurb_start - as->usbm->vm_start);
1644                 } else {
1645                         as->urb->transfer_buffer = kmalloc(uurb->buffer_length,
1646                                         GFP_KERNEL);
1647                         if (!as->urb->transfer_buffer) {
1648                                 ret = -ENOMEM;
1649                                 goto error;
1650                         }
1651                         if (!is_in) {
1652                                 if (copy_from_user(as->urb->transfer_buffer,
1653                                                    uurb->buffer,
1654                                                    uurb->buffer_length)) {
1655                                         ret = -EFAULT;
1656                                         goto error;
1657                                 }
1658                         } else if (uurb->type == USBDEVFS_URB_TYPE_ISO) {
1659                                 /*
1660                                  * Isochronous input data may end up being
1661                                  * discontiguous if some of the packets are
1662                                  * short. Clear the buffer so that the gaps
1663                                  * don't leak kernel data to userspace.
1664                                  */
1665                                 memset(as->urb->transfer_buffer, 0,
1666                                                 uurb->buffer_length);
1667                         }
1668                 }
1669         }
1670         as->urb->dev = ps->dev;
1671         as->urb->pipe = (uurb->type << 30) |
1672                         __create_pipe(ps->dev, uurb->endpoint & 0xf) |
1673                         (uurb->endpoint & USB_DIR_IN);
1674
1675         /* This tedious sequence is necessary because the URB_* flags
1676          * are internal to the kernel and subject to change, whereas
1677          * the USBDEVFS_URB_* flags are a user API and must not be changed.
1678          */
1679         u = (is_in ? URB_DIR_IN : URB_DIR_OUT);
1680         if (uurb->flags & USBDEVFS_URB_ISO_ASAP)
1681                 u |= URB_ISO_ASAP;
1682         if (uurb->flags & USBDEVFS_URB_SHORT_NOT_OK && is_in)
1683                 u |= URB_SHORT_NOT_OK;
1684         if (uurb->flags & USBDEVFS_URB_NO_FSBR)
1685                 u |= URB_NO_FSBR;
1686         if (uurb->flags & USBDEVFS_URB_ZERO_PACKET)
1687                 u |= URB_ZERO_PACKET;
1688         if (uurb->flags & USBDEVFS_URB_NO_INTERRUPT)
1689                 u |= URB_NO_INTERRUPT;
1690         as->urb->transfer_flags = u;
1691
1692         as->urb->transfer_buffer_length = uurb->buffer_length;
1693         as->urb->setup_packet = (unsigned char *)dr;
1694         dr = NULL;
1695         as->urb->start_frame = uurb->start_frame;
1696         as->urb->number_of_packets = number_of_packets;
1697         as->urb->stream_id = stream_id;
1698
1699         if (ep->desc.bInterval) {
1700                 if (uurb->type == USBDEVFS_URB_TYPE_ISO ||
1701                                 ps->dev->speed == USB_SPEED_HIGH ||
1702                                 ps->dev->speed >= USB_SPEED_SUPER)
1703                         as->urb->interval = 1 <<
1704                                         min(15, ep->desc.bInterval - 1);
1705                 else
1706                         as->urb->interval = ep->desc.bInterval;
1707         }
1708
1709         as->urb->context = as;
1710         as->urb->complete = async_completed;
1711         for (totlen = u = 0; u < number_of_packets; u++) {
1712                 as->urb->iso_frame_desc[u].offset = totlen;
1713                 as->urb->iso_frame_desc[u].length = isopkt[u].length;
1714                 totlen += isopkt[u].length;
1715         }
1716         kfree(isopkt);
1717         isopkt = NULL;
1718         as->ps = ps;
1719         as->userurb = arg;
1720         if (as->usbm) {
1721                 unsigned long uurb_start = (unsigned long)uurb->buffer;
1722
1723                 as->urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP;
1724                 as->urb->transfer_dma = as->usbm->dma_handle +
1725                                 (uurb_start - as->usbm->vm_start);
1726         } else if (is_in && uurb->buffer_length > 0)
1727                 as->userbuffer = uurb->buffer;
1728         as->signr = uurb->signr;
1729         as->ifnum = ifnum;
1730         as->pid = get_pid(task_pid(current));
1731         as->cred = get_current_cred();
1732         security_task_getsecid(current, &as->secid);
1733         snoop_urb(ps->dev, as->userurb, as->urb->pipe,
1734                         as->urb->transfer_buffer_length, 0, SUBMIT,
1735                         NULL, 0);
1736         if (!is_in)
1737                 snoop_urb_data(as->urb, as->urb->transfer_buffer_length);
1738
1739         async_newpending(as);
1740
1741         if (usb_endpoint_xfer_bulk(&ep->desc)) {
1742                 spin_lock_irq(&ps->lock);
1743
1744                 /* Not exactly the endpoint address; the direction bit is
1745                  * shifted to the 0x10 position so that the value will be
1746                  * between 0 and 31.
1747                  */
1748                 as->bulk_addr = usb_endpoint_num(&ep->desc) |
1749                         ((ep->desc.bEndpointAddress & USB_ENDPOINT_DIR_MASK)
1750                                 >> 3);
1751
1752                 /* If this bulk URB is the start of a new transfer, re-enable
1753                  * the endpoint.  Otherwise mark it as a continuation URB.
1754                  */
1755                 if (uurb->flags & USBDEVFS_URB_BULK_CONTINUATION)
1756                         as->bulk_status = AS_CONTINUATION;
1757                 else
1758                         ps->disabled_bulk_eps &= ~(1 << as->bulk_addr);
1759
1760                 /* Don't accept continuation URBs if the endpoint is
1761                  * disabled because of an earlier error.
1762                  */
1763                 if (ps->disabled_bulk_eps & (1 << as->bulk_addr))
1764                         ret = -EREMOTEIO;
1765                 else
1766                         ret = usb_submit_urb(as->urb, GFP_ATOMIC);
1767                 spin_unlock_irq(&ps->lock);
1768         } else {
1769                 ret = usb_submit_urb(as->urb, GFP_KERNEL);
1770         }
1771
1772         if (ret) {
1773                 dev_printk(KERN_DEBUG, &ps->dev->dev,
1774                            "usbfs: usb_submit_urb returned %d\n", ret);
1775                 snoop_urb(ps->dev, as->userurb, as->urb->pipe,
1776                                 0, ret, COMPLETE, NULL, 0);
1777                 async_removepending(as);
1778                 goto error;
1779         }
1780         return 0;
1781
1782  error:
1783         if (as && as->usbm)
1784                 dec_usb_memory_use_count(as->usbm, &as->usbm->urb_use_count);
1785         kfree(isopkt);
1786         kfree(dr);
1787         if (as)
1788                 free_async(as);
1789         return ret;
1790 }
1791
1792 static int proc_submiturb(struct usb_dev_state *ps, void __user *arg)
1793 {
1794         struct usbdevfs_urb uurb;
1795
1796         if (copy_from_user(&uurb, arg, sizeof(uurb)))
1797                 return -EFAULT;
1798
1799         return proc_do_submiturb(ps, &uurb,
1800                         (((struct usbdevfs_urb __user *)arg)->iso_frame_desc),
1801                         arg);
1802 }
1803
1804 static int proc_unlinkurb(struct usb_dev_state *ps, void __user *arg)
1805 {
1806         struct urb *urb;
1807         struct async *as;
1808         unsigned long flags;
1809
1810         spin_lock_irqsave(&ps->lock, flags);
1811         as = async_getpending(ps, arg);
1812         if (!as) {
1813                 spin_unlock_irqrestore(&ps->lock, flags);
1814                 return -EINVAL;
1815         }
1816
1817         urb = as->urb;
1818         usb_get_urb(urb);
1819         spin_unlock_irqrestore(&ps->lock, flags);
1820
1821         usb_kill_urb(urb);
1822         usb_put_urb(urb);
1823
1824         return 0;
1825 }
1826
1827 static void compute_isochronous_actual_length(struct urb *urb)
1828 {
1829         unsigned int i;
1830
1831         if (urb->number_of_packets > 0) {
1832                 urb->actual_length = 0;
1833                 for (i = 0; i < urb->number_of_packets; i++)
1834                         urb->actual_length +=
1835                                         urb->iso_frame_desc[i].actual_length;
1836         }
1837 }
1838
1839 static int processcompl(struct async *as, void __user * __user *arg)
1840 {
1841         struct urb *urb = as->urb;
1842         struct usbdevfs_urb __user *userurb = as->userurb;
1843         void __user *addr = as->userurb;
1844         unsigned int i;
1845
1846         compute_isochronous_actual_length(urb);
1847         if (as->userbuffer && urb->actual_length) {
1848                 if (copy_urb_data_to_user(as->userbuffer, urb))
1849                         goto err_out;
1850         }
1851         if (put_user(as->status, &userurb->status))
1852                 goto err_out;
1853         if (put_user(urb->actual_length, &userurb->actual_length))
1854                 goto err_out;
1855         if (put_user(urb->error_count, &userurb->error_count))
1856                 goto err_out;
1857
1858         if (usb_endpoint_xfer_isoc(&urb->ep->desc)) {
1859                 for (i = 0; i < urb->number_of_packets; i++) {
1860                         if (put_user(urb->iso_frame_desc[i].actual_length,
1861                                      &userurb->iso_frame_desc[i].actual_length))
1862                                 goto err_out;
1863                         if (put_user(urb->iso_frame_desc[i].status,
1864                                      &userurb->iso_frame_desc[i].status))
1865                                 goto err_out;
1866                 }
1867         }
1868
1869         if (put_user(addr, (void __user * __user *)arg))
1870                 return -EFAULT;
1871         return 0;
1872
1873 err_out:
1874         return -EFAULT;
1875 }
1876
1877 static struct async *reap_as(struct usb_dev_state *ps)
1878 {
1879         DECLARE_WAITQUEUE(wait, current);
1880         struct async *as = NULL;
1881         struct usb_device *dev = ps->dev;
1882
1883         add_wait_queue(&ps->wait, &wait);
1884         for (;;) {
1885                 __set_current_state(TASK_INTERRUPTIBLE);
1886                 as = async_getcompleted(ps);
1887                 if (as || !connected(ps))
1888                         break;
1889                 if (signal_pending(current))
1890                         break;
1891                 usb_unlock_device(dev);
1892                 schedule();
1893                 usb_lock_device(dev);
1894         }
1895         remove_wait_queue(&ps->wait, &wait);
1896         set_current_state(TASK_RUNNING);
1897         return as;
1898 }
1899
1900 static int proc_reapurb(struct usb_dev_state *ps, void __user *arg)
1901 {
1902         struct async *as = reap_as(ps);
1903
1904         if (as) {
1905                 int retval;
1906
1907                 snoop(&ps->dev->dev, "reap %pK\n", as->userurb);
1908                 retval = processcompl(as, (void __user * __user *)arg);
1909                 free_async(as);
1910                 return retval;
1911         }
1912         if (signal_pending(current))
1913                 return -EINTR;
1914         return -ENODEV;
1915 }
1916
1917 static int proc_reapurbnonblock(struct usb_dev_state *ps, void __user *arg)
1918 {
1919         int retval;
1920         struct async *as;
1921
1922         as = async_getcompleted(ps);
1923         if (as) {
1924                 snoop(&ps->dev->dev, "reap %pK\n", as->userurb);
1925                 retval = processcompl(as, (void __user * __user *)arg);
1926                 free_async(as);
1927         } else {
1928                 retval = (connected(ps) ? -EAGAIN : -ENODEV);
1929         }
1930         return retval;
1931 }
1932
1933 #ifdef CONFIG_COMPAT
1934 static int proc_control_compat(struct usb_dev_state *ps,
1935                                 struct usbdevfs_ctrltransfer32 __user *p32)
1936 {
1937         struct usbdevfs_ctrltransfer __user *p;
1938         __u32 udata;
1939         p = compat_alloc_user_space(sizeof(*p));
1940         if (copy_in_user(p, p32, (sizeof(*p32) - sizeof(compat_caddr_t))) ||
1941             get_user(udata, &p32->data) ||
1942             put_user(compat_ptr(udata), &p->data))
1943                 return -EFAULT;
1944         return proc_control(ps, p);
1945 }
1946
1947 static int proc_bulk_compat(struct usb_dev_state *ps,
1948                         struct usbdevfs_bulktransfer32 __user *p32)
1949 {
1950         struct usbdevfs_bulktransfer __user *p;
1951         compat_uint_t n;
1952         compat_caddr_t addr;
1953
1954         p = compat_alloc_user_space(sizeof(*p));
1955
1956         if (get_user(n, &p32->ep) || put_user(n, &p->ep) ||
1957             get_user(n, &p32->len) || put_user(n, &p->len) ||
1958             get_user(n, &p32->timeout) || put_user(n, &p->timeout) ||
1959             get_user(addr, &p32->data) || put_user(compat_ptr(addr), &p->data))
1960                 return -EFAULT;
1961
1962         return proc_bulk(ps, p);
1963 }
1964 static int proc_disconnectsignal_compat(struct usb_dev_state *ps, void __user *arg)
1965 {
1966         struct usbdevfs_disconnectsignal32 ds;
1967
1968         if (copy_from_user(&ds, arg, sizeof(ds)))
1969                 return -EFAULT;
1970         ps->discsignr = ds.signr;
1971         ps->disccontext = compat_ptr(ds.context);
1972         return 0;
1973 }
1974
1975 static int get_urb32(struct usbdevfs_urb *kurb,
1976                      struct usbdevfs_urb32 __user *uurb)
1977 {
1978         struct usbdevfs_urb32 urb32;
1979         if (copy_from_user(&urb32, uurb, sizeof(*uurb)))
1980                 return -EFAULT;
1981         kurb->type = urb32.type;
1982         kurb->endpoint = urb32.endpoint;
1983         kurb->status = urb32.status;
1984         kurb->flags = urb32.flags;
1985         kurb->buffer = compat_ptr(urb32.buffer);
1986         kurb->buffer_length = urb32.buffer_length;
1987         kurb->actual_length = urb32.actual_length;
1988         kurb->start_frame = urb32.start_frame;
1989         kurb->number_of_packets = urb32.number_of_packets;
1990         kurb->error_count = urb32.error_count;
1991         kurb->signr = urb32.signr;
1992         kurb->usercontext = compat_ptr(urb32.usercontext);
1993         return 0;
1994 }
1995
1996 static int proc_submiturb_compat(struct usb_dev_state *ps, void __user *arg)
1997 {
1998         struct usbdevfs_urb uurb;
1999
2000         if (get_urb32(&uurb, (struct usbdevfs_urb32 __user *)arg))
2001                 return -EFAULT;
2002
2003         return proc_do_submiturb(ps, &uurb,
2004                         ((struct usbdevfs_urb32 __user *)arg)->iso_frame_desc,
2005                         arg);
2006 }
2007
2008 static int processcompl_compat(struct async *as, void __user * __user *arg)
2009 {
2010         struct urb *urb = as->urb;
2011         struct usbdevfs_urb32 __user *userurb = as->userurb;
2012         void __user *addr = as->userurb;
2013         unsigned int i;
2014
2015         compute_isochronous_actual_length(urb);
2016         if (as->userbuffer && urb->actual_length) {
2017                 if (copy_urb_data_to_user(as->userbuffer, urb))
2018                         return -EFAULT;
2019         }
2020         if (put_user(as->status, &userurb->status))
2021                 return -EFAULT;
2022         if (put_user(urb->actual_length, &userurb->actual_length))
2023                 return -EFAULT;
2024         if (put_user(urb->error_count, &userurb->error_count))
2025                 return -EFAULT;
2026
2027         if (usb_endpoint_xfer_isoc(&urb->ep->desc)) {
2028                 for (i = 0; i < urb->number_of_packets; i++) {
2029                         if (put_user(urb->iso_frame_desc[i].actual_length,
2030                                      &userurb->iso_frame_desc[i].actual_length))
2031                                 return -EFAULT;
2032                         if (put_user(urb->iso_frame_desc[i].status,
2033                                      &userurb->iso_frame_desc[i].status))
2034                                 return -EFAULT;
2035                 }
2036         }
2037
2038         if (put_user(ptr_to_compat(addr), (u32 __user *)arg))
2039                 return -EFAULT;
2040         return 0;
2041 }
2042
2043 static int proc_reapurb_compat(struct usb_dev_state *ps, void __user *arg)
2044 {
2045         struct async *as = reap_as(ps);
2046
2047         if (as) {
2048                 int retval;
2049
2050                 snoop(&ps->dev->dev, "reap %pK\n", as->userurb);
2051                 retval = processcompl_compat(as, (void __user * __user *)arg);
2052                 free_async(as);
2053                 return retval;
2054         }
2055         if (signal_pending(current))
2056                 return -EINTR;
2057         return -ENODEV;
2058 }
2059
2060 static int proc_reapurbnonblock_compat(struct usb_dev_state *ps, void __user *arg)
2061 {
2062         int retval;
2063         struct async *as;
2064
2065         as = async_getcompleted(ps);
2066         if (as) {
2067                 snoop(&ps->dev->dev, "reap %pK\n", as->userurb);
2068                 retval = processcompl_compat(as, (void __user * __user *)arg);
2069                 free_async(as);
2070         } else {
2071                 retval = (connected(ps) ? -EAGAIN : -ENODEV);
2072         }
2073         return retval;
2074 }
2075
2076
2077 #endif
2078
2079 static int proc_disconnectsignal(struct usb_dev_state *ps, void __user *arg)
2080 {
2081         struct usbdevfs_disconnectsignal ds;
2082
2083         if (copy_from_user(&ds, arg, sizeof(ds)))
2084                 return -EFAULT;
2085         ps->discsignr = ds.signr;
2086         ps->disccontext = ds.context;
2087         return 0;
2088 }
2089
2090 static int proc_claiminterface(struct usb_dev_state *ps, void __user *arg)
2091 {
2092         unsigned int ifnum;
2093
2094         if (get_user(ifnum, (unsigned int __user *)arg))
2095                 return -EFAULT;
2096         return claimintf(ps, ifnum);
2097 }
2098
2099 static int proc_releaseinterface(struct usb_dev_state *ps, void __user *arg)
2100 {
2101         unsigned int ifnum;
2102         int ret;
2103
2104         if (get_user(ifnum, (unsigned int __user *)arg))
2105                 return -EFAULT;
2106         ret = releaseintf(ps, ifnum);
2107         if (ret < 0)
2108                 return ret;
2109         destroy_async_on_interface(ps, ifnum);
2110         return 0;
2111 }
2112
2113 static int proc_ioctl(struct usb_dev_state *ps, struct usbdevfs_ioctl *ctl)
2114 {
2115         int                     size;
2116         void                    *buf = NULL;
2117         int                     retval = 0;
2118         struct usb_interface    *intf = NULL;
2119         struct usb_driver       *driver = NULL;
2120
2121         if (ps->privileges_dropped)
2122                 return -EACCES;
2123
2124         /* alloc buffer */
2125         size = _IOC_SIZE(ctl->ioctl_code);
2126         if (size > 0) {
2127                 buf = kmalloc(size, GFP_KERNEL);
2128                 if (buf == NULL)
2129                         return -ENOMEM;
2130                 if ((_IOC_DIR(ctl->ioctl_code) & _IOC_WRITE)) {
2131                         if (copy_from_user(buf, ctl->data, size)) {
2132                                 kfree(buf);
2133                                 return -EFAULT;
2134                         }
2135                 } else {
2136                         memset(buf, 0, size);
2137                 }
2138         }
2139
2140         if (!connected(ps)) {
2141                 kfree(buf);
2142                 return -ENODEV;
2143         }
2144
2145         if (ps->dev->state != USB_STATE_CONFIGURED)
2146                 retval = -EHOSTUNREACH;
2147         else if (!(intf = usb_ifnum_to_if(ps->dev, ctl->ifno)))
2148                 retval = -EINVAL;
2149         else switch (ctl->ioctl_code) {
2150
2151         /* disconnect kernel driver from interface */
2152         case USBDEVFS_DISCONNECT:
2153                 if (intf->dev.driver) {
2154                         driver = to_usb_driver(intf->dev.driver);
2155                         dev_dbg(&intf->dev, "disconnect by usbfs\n");
2156                         usb_driver_release_interface(driver, intf);
2157                 } else
2158                         retval = -ENODATA;
2159                 break;
2160
2161         /* let kernel drivers try to (re)bind to the interface */
2162         case USBDEVFS_CONNECT:
2163                 if (!intf->dev.driver)
2164                         retval = device_attach(&intf->dev);
2165                 else
2166                         retval = -EBUSY;
2167                 break;
2168
2169         /* talk directly to the interface's driver */
2170         default:
2171                 if (intf->dev.driver)
2172                         driver = to_usb_driver(intf->dev.driver);
2173                 if (driver == NULL || driver->unlocked_ioctl == NULL) {
2174                         retval = -ENOTTY;
2175                 } else {
2176                         retval = driver->unlocked_ioctl(intf, ctl->ioctl_code, buf);
2177                         if (retval == -ENOIOCTLCMD)
2178                                 retval = -ENOTTY;
2179                 }
2180         }
2181
2182         /* cleanup and return */
2183         if (retval >= 0
2184                         && (_IOC_DIR(ctl->ioctl_code) & _IOC_READ) != 0
2185                         && size > 0
2186                         && copy_to_user(ctl->data, buf, size) != 0)
2187                 retval = -EFAULT;
2188
2189         kfree(buf);
2190         return retval;
2191 }
2192
2193 static int proc_ioctl_default(struct usb_dev_state *ps, void __user *arg)
2194 {
2195         struct usbdevfs_ioctl   ctrl;
2196
2197         if (copy_from_user(&ctrl, arg, sizeof(ctrl)))
2198                 return -EFAULT;
2199         return proc_ioctl(ps, &ctrl);
2200 }
2201
2202 #ifdef CONFIG_COMPAT
2203 static int proc_ioctl_compat(struct usb_dev_state *ps, compat_uptr_t arg)
2204 {
2205         struct usbdevfs_ioctl32 ioc32;
2206         struct usbdevfs_ioctl ctrl;
2207
2208         if (copy_from_user(&ioc32, compat_ptr(arg), sizeof(ioc32)))
2209                 return -EFAULT;
2210         ctrl.ifno = ioc32.ifno;
2211         ctrl.ioctl_code = ioc32.ioctl_code;
2212         ctrl.data = compat_ptr(ioc32.data);
2213         return proc_ioctl(ps, &ctrl);
2214 }
2215 #endif
2216
2217 static int proc_claim_port(struct usb_dev_state *ps, void __user *arg)
2218 {
2219         unsigned portnum;
2220         int rc;
2221
2222         if (get_user(portnum, (unsigned __user *) arg))
2223                 return -EFAULT;
2224         rc = usb_hub_claim_port(ps->dev, portnum, ps);
2225         if (rc == 0)
2226                 snoop(&ps->dev->dev, "port %d claimed by process %d: %s\n",
2227                         portnum, task_pid_nr(current), current->comm);
2228         return rc;
2229 }
2230
2231 static int proc_release_port(struct usb_dev_state *ps, void __user *arg)
2232 {
2233         unsigned portnum;
2234
2235         if (get_user(portnum, (unsigned __user *) arg))
2236                 return -EFAULT;
2237         return usb_hub_release_port(ps->dev, portnum, ps);
2238 }
2239
2240 static int proc_get_capabilities(struct usb_dev_state *ps, void __user *arg)
2241 {
2242         __u32 caps;
2243
2244         caps = USBDEVFS_CAP_ZERO_PACKET | USBDEVFS_CAP_NO_PACKET_SIZE_LIM |
2245                         USBDEVFS_CAP_REAP_AFTER_DISCONNECT | USBDEVFS_CAP_MMAP |
2246                         USBDEVFS_CAP_DROP_PRIVILEGES;
2247         if (!ps->dev->bus->no_stop_on_short)
2248                 caps |= USBDEVFS_CAP_BULK_CONTINUATION;
2249         if (ps->dev->bus->sg_tablesize)
2250                 caps |= USBDEVFS_CAP_BULK_SCATTER_GATHER;
2251
2252         if (put_user(caps, (__u32 __user *)arg))
2253                 return -EFAULT;
2254
2255         return 0;
2256 }
2257
2258 static int proc_disconnect_claim(struct usb_dev_state *ps, void __user *arg)
2259 {
2260         struct usbdevfs_disconnect_claim dc;
2261         struct usb_interface *intf;
2262
2263         if (copy_from_user(&dc, arg, sizeof(dc)))
2264                 return -EFAULT;
2265
2266         intf = usb_ifnum_to_if(ps->dev, dc.interface);
2267         if (!intf)
2268                 return -EINVAL;
2269
2270         if (intf->dev.driver) {
2271                 struct usb_driver *driver = to_usb_driver(intf->dev.driver);
2272
2273                 if (ps->privileges_dropped)
2274                         return -EACCES;
2275
2276                 if ((dc.flags & USBDEVFS_DISCONNECT_CLAIM_IF_DRIVER) &&
2277                                 strncmp(dc.driver, intf->dev.driver->name,
2278                                         sizeof(dc.driver)) != 0)
2279                         return -EBUSY;
2280
2281                 if ((dc.flags & USBDEVFS_DISCONNECT_CLAIM_EXCEPT_DRIVER) &&
2282                                 strncmp(dc.driver, intf->dev.driver->name,
2283                                         sizeof(dc.driver)) == 0)
2284                         return -EBUSY;
2285
2286                 dev_dbg(&intf->dev, "disconnect by usbfs\n");
2287                 usb_driver_release_interface(driver, intf);
2288         }
2289
2290         return claimintf(ps, dc.interface);
2291 }
2292
2293 static int proc_alloc_streams(struct usb_dev_state *ps, void __user *arg)
2294 {
2295         unsigned num_streams, num_eps;
2296         struct usb_host_endpoint **eps;
2297         struct usb_interface *intf;
2298         int r;
2299
2300         r = parse_usbdevfs_streams(ps, arg, &num_streams, &num_eps,
2301                                    &eps, &intf);
2302         if (r)
2303                 return r;
2304
2305         destroy_async_on_interface(ps,
2306                                    intf->altsetting[0].desc.bInterfaceNumber);
2307
2308         r = usb_alloc_streams(intf, eps, num_eps, num_streams, GFP_KERNEL);
2309         kfree(eps);
2310         return r;
2311 }
2312
2313 static int proc_free_streams(struct usb_dev_state *ps, void __user *arg)
2314 {
2315         unsigned num_eps;
2316         struct usb_host_endpoint **eps;
2317         struct usb_interface *intf;
2318         int r;
2319
2320         r = parse_usbdevfs_streams(ps, arg, NULL, &num_eps, &eps, &intf);
2321         if (r)
2322                 return r;
2323
2324         destroy_async_on_interface(ps,
2325                                    intf->altsetting[0].desc.bInterfaceNumber);
2326
2327         r = usb_free_streams(intf, eps, num_eps, GFP_KERNEL);
2328         kfree(eps);
2329         return r;
2330 }
2331
2332 static int proc_drop_privileges(struct usb_dev_state *ps, void __user *arg)
2333 {
2334         u32 data;
2335
2336         if (copy_from_user(&data, arg, sizeof(data)))
2337                 return -EFAULT;
2338
2339         /* This is a one way operation. Once privileges are
2340          * dropped, you cannot regain them. You may however reissue
2341          * this ioctl to shrink the allowed interfaces mask.
2342          */
2343         ps->interface_allowed_mask &= data;
2344         ps->privileges_dropped = true;
2345
2346         return 0;
2347 }
2348
2349 /*
2350  * NOTE:  All requests here that have interface numbers as parameters
2351  * are assuming that somehow the configuration has been prevented from
2352  * changing.  But there's no mechanism to ensure that...
2353  */
2354 static long usbdev_do_ioctl(struct file *file, unsigned int cmd,
2355                                 void __user *p)
2356 {
2357         struct usb_dev_state *ps = file->private_data;
2358         struct inode *inode = file_inode(file);
2359         struct usb_device *dev = ps->dev;
2360         int ret = -ENOTTY;
2361
2362         if (!(file->f_mode & FMODE_WRITE))
2363                 return -EPERM;
2364
2365         usb_lock_device(dev);
2366
2367         /* Reap operations are allowed even after disconnection */
2368         switch (cmd) {
2369         case USBDEVFS_REAPURB:
2370                 snoop(&dev->dev, "%s: REAPURB\n", __func__);
2371                 ret = proc_reapurb(ps, p);
2372                 goto done;
2373
2374         case USBDEVFS_REAPURBNDELAY:
2375                 snoop(&dev->dev, "%s: REAPURBNDELAY\n", __func__);
2376                 ret = proc_reapurbnonblock(ps, p);
2377                 goto done;
2378
2379 #ifdef CONFIG_COMPAT
2380         case USBDEVFS_REAPURB32:
2381                 snoop(&dev->dev, "%s: REAPURB32\n", __func__);
2382                 ret = proc_reapurb_compat(ps, p);
2383                 goto done;
2384
2385         case USBDEVFS_REAPURBNDELAY32:
2386                 snoop(&dev->dev, "%s: REAPURBNDELAY32\n", __func__);
2387                 ret = proc_reapurbnonblock_compat(ps, p);
2388                 goto done;
2389 #endif
2390         }
2391
2392         if (!connected(ps)) {
2393                 usb_unlock_device(dev);
2394                 return -ENODEV;
2395         }
2396
2397         switch (cmd) {
2398         case USBDEVFS_CONTROL:
2399                 snoop(&dev->dev, "%s: CONTROL\n", __func__);
2400                 ret = proc_control(ps, p);
2401                 if (ret >= 0)
2402                         inode->i_mtime = current_time(inode);
2403                 break;
2404
2405         case USBDEVFS_BULK:
2406                 snoop(&dev->dev, "%s: BULK\n", __func__);
2407                 ret = proc_bulk(ps, p);
2408                 if (ret >= 0)
2409                         inode->i_mtime = current_time(inode);
2410                 break;
2411
2412         case USBDEVFS_RESETEP:
2413                 snoop(&dev->dev, "%s: RESETEP\n", __func__);
2414                 ret = proc_resetep(ps, p);
2415                 if (ret >= 0)
2416                         inode->i_mtime = current_time(inode);
2417                 break;
2418
2419         case USBDEVFS_RESET:
2420                 snoop(&dev->dev, "%s: RESET\n", __func__);
2421                 ret = proc_resetdevice(ps);
2422                 break;
2423
2424         case USBDEVFS_CLEAR_HALT:
2425                 snoop(&dev->dev, "%s: CLEAR_HALT\n", __func__);
2426                 ret = proc_clearhalt(ps, p);
2427                 if (ret >= 0)
2428                         inode->i_mtime = current_time(inode);
2429                 break;
2430
2431         case USBDEVFS_GETDRIVER:
2432                 snoop(&dev->dev, "%s: GETDRIVER\n", __func__);
2433                 ret = proc_getdriver(ps, p);
2434                 break;
2435
2436         case USBDEVFS_CONNECTINFO:
2437                 snoop(&dev->dev, "%s: CONNECTINFO\n", __func__);
2438                 ret = proc_connectinfo(ps, p);
2439                 break;
2440
2441         case USBDEVFS_SETINTERFACE:
2442                 snoop(&dev->dev, "%s: SETINTERFACE\n", __func__);
2443                 ret = proc_setintf(ps, p);
2444                 break;
2445
2446         case USBDEVFS_SETCONFIGURATION:
2447                 snoop(&dev->dev, "%s: SETCONFIGURATION\n", __func__);
2448                 ret = proc_setconfig(ps, p);
2449                 break;
2450
2451         case USBDEVFS_SUBMITURB:
2452                 snoop(&dev->dev, "%s: SUBMITURB\n", __func__);
2453                 ret = proc_submiturb(ps, p);
2454                 if (ret >= 0)
2455                         inode->i_mtime = current_time(inode);
2456                 break;
2457
2458 #ifdef CONFIG_COMPAT
2459         case USBDEVFS_CONTROL32:
2460                 snoop(&dev->dev, "%s: CONTROL32\n", __func__);
2461                 ret = proc_control_compat(ps, p);
2462                 if (ret >= 0)
2463                         inode->i_mtime = current_time(inode);
2464                 break;
2465
2466         case USBDEVFS_BULK32:
2467                 snoop(&dev->dev, "%s: BULK32\n", __func__);
2468                 ret = proc_bulk_compat(ps, p);
2469                 if (ret >= 0)
2470                         inode->i_mtime = current_time(inode);
2471                 break;
2472
2473         case USBDEVFS_DISCSIGNAL32:
2474                 snoop(&dev->dev, "%s: DISCSIGNAL32\n", __func__);
2475                 ret = proc_disconnectsignal_compat(ps, p);
2476                 break;
2477
2478         case USBDEVFS_SUBMITURB32:
2479                 snoop(&dev->dev, "%s: SUBMITURB32\n", __func__);
2480                 ret = proc_submiturb_compat(ps, p);
2481                 if (ret >= 0)
2482                         inode->i_mtime = current_time(inode);
2483                 break;
2484
2485         case USBDEVFS_IOCTL32:
2486                 snoop(&dev->dev, "%s: IOCTL32\n", __func__);
2487                 ret = proc_ioctl_compat(ps, ptr_to_compat(p));
2488                 break;
2489 #endif
2490
2491         case USBDEVFS_DISCARDURB:
2492                 snoop(&dev->dev, "%s: DISCARDURB %pK\n", __func__, p);
2493                 ret = proc_unlinkurb(ps, p);
2494                 break;
2495
2496         case USBDEVFS_DISCSIGNAL:
2497                 snoop(&dev->dev, "%s: DISCSIGNAL\n", __func__);
2498                 ret = proc_disconnectsignal(ps, p);
2499                 break;
2500
2501         case USBDEVFS_CLAIMINTERFACE:
2502                 snoop(&dev->dev, "%s: CLAIMINTERFACE\n", __func__);
2503                 ret = proc_claiminterface(ps, p);
2504                 break;
2505
2506         case USBDEVFS_RELEASEINTERFACE:
2507                 snoop(&dev->dev, "%s: RELEASEINTERFACE\n", __func__);
2508                 ret = proc_releaseinterface(ps, p);
2509                 break;
2510
2511         case USBDEVFS_IOCTL:
2512                 snoop(&dev->dev, "%s: IOCTL\n", __func__);
2513                 ret = proc_ioctl_default(ps, p);
2514                 break;
2515
2516         case USBDEVFS_CLAIM_PORT:
2517                 snoop(&dev->dev, "%s: CLAIM_PORT\n", __func__);
2518                 ret = proc_claim_port(ps, p);
2519                 break;
2520
2521         case USBDEVFS_RELEASE_PORT:
2522                 snoop(&dev->dev, "%s: RELEASE_PORT\n", __func__);
2523                 ret = proc_release_port(ps, p);
2524                 break;
2525         case USBDEVFS_GET_CAPABILITIES:
2526                 ret = proc_get_capabilities(ps, p);
2527                 break;
2528         case USBDEVFS_DISCONNECT_CLAIM:
2529                 ret = proc_disconnect_claim(ps, p);
2530                 break;
2531         case USBDEVFS_ALLOC_STREAMS:
2532                 ret = proc_alloc_streams(ps, p);
2533                 break;
2534         case USBDEVFS_FREE_STREAMS:
2535                 ret = proc_free_streams(ps, p);
2536                 break;
2537         case USBDEVFS_DROP_PRIVILEGES:
2538                 ret = proc_drop_privileges(ps, p);
2539                 break;
2540         case USBDEVFS_GET_SPEED:
2541                 ret = ps->dev->speed;
2542                 break;
2543         }
2544
2545  done:
2546         usb_unlock_device(dev);
2547         if (ret >= 0)
2548                 inode->i_atime = current_time(inode);
2549         return ret;
2550 }
2551
2552 static long usbdev_ioctl(struct file *file, unsigned int cmd,
2553                         unsigned long arg)
2554 {
2555         int ret;
2556
2557         ret = usbdev_do_ioctl(file, cmd, (void __user *)arg);
2558
2559         return ret;
2560 }
2561
2562 #ifdef CONFIG_COMPAT
2563 static long usbdev_compat_ioctl(struct file *file, unsigned int cmd,
2564                         unsigned long arg)
2565 {
2566         int ret;
2567
2568         ret = usbdev_do_ioctl(file, cmd, compat_ptr(arg));
2569
2570         return ret;
2571 }
2572 #endif
2573
2574 /* No kernel lock - fine */
2575 static unsigned int usbdev_poll(struct file *file,
2576                                 struct poll_table_struct *wait)
2577 {
2578         struct usb_dev_state *ps = file->private_data;
2579         unsigned int mask = 0;
2580
2581         poll_wait(file, &ps->wait, wait);
2582         if (file->f_mode & FMODE_WRITE && !list_empty(&ps->async_completed))
2583                 mask |= POLLOUT | POLLWRNORM;
2584         if (!connected(ps))
2585                 mask |= POLLHUP;
2586         if (list_empty(&ps->list))
2587                 mask |= POLLERR;
2588         return mask;
2589 }
2590
2591 const struct file_operations usbdev_file_operations = {
2592         .owner =          THIS_MODULE,
2593         .llseek =         no_seek_end_llseek,
2594         .read =           usbdev_read,
2595         .poll =           usbdev_poll,
2596         .unlocked_ioctl = usbdev_ioctl,
2597 #ifdef CONFIG_COMPAT
2598         .compat_ioctl =   usbdev_compat_ioctl,
2599 #endif
2600         .mmap =           usbdev_mmap,
2601         .open =           usbdev_open,
2602         .release =        usbdev_release,
2603 };
2604
2605 static void usbdev_remove(struct usb_device *udev)
2606 {
2607         struct usb_dev_state *ps;
2608         struct siginfo sinfo;
2609
2610         while (!list_empty(&udev->filelist)) {
2611                 ps = list_entry(udev->filelist.next, struct usb_dev_state, list);
2612                 destroy_all_async(ps);
2613                 wake_up_all(&ps->wait);
2614                 list_del_init(&ps->list);
2615                 if (ps->discsignr) {
2616                         memset(&sinfo, 0, sizeof(sinfo));
2617                         sinfo.si_signo = ps->discsignr;
2618                         sinfo.si_errno = EPIPE;
2619                         sinfo.si_code = SI_ASYNCIO;
2620                         sinfo.si_addr = ps->disccontext;
2621                         kill_pid_info_as_cred(ps->discsignr, &sinfo,
2622                                         ps->disc_pid, ps->cred, ps->secid);
2623                 }
2624         }
2625 }
2626
2627 static int usbdev_notify(struct notifier_block *self,
2628                                unsigned long action, void *dev)
2629 {
2630         switch (action) {
2631         case USB_DEVICE_ADD:
2632                 break;
2633         case USB_DEVICE_REMOVE:
2634                 usbdev_remove(dev);
2635                 break;
2636         }
2637         return NOTIFY_OK;
2638 }
2639
2640 static struct notifier_block usbdev_nb = {
2641         .notifier_call =        usbdev_notify,
2642 };
2643
2644 static struct cdev usb_device_cdev;
2645
2646 int __init usb_devio_init(void)
2647 {
2648         int retval;
2649
2650         retval = register_chrdev_region(USB_DEVICE_DEV, USB_DEVICE_MAX,
2651                                         "usb_device");
2652         if (retval) {
2653                 printk(KERN_ERR "Unable to register minors for usb_device\n");
2654                 goto out;
2655         }
2656         cdev_init(&usb_device_cdev, &usbdev_file_operations);
2657         retval = cdev_add(&usb_device_cdev, USB_DEVICE_DEV, USB_DEVICE_MAX);
2658         if (retval) {
2659                 printk(KERN_ERR "Unable to get usb_device major %d\n",
2660                        USB_DEVICE_MAJOR);
2661                 goto error_cdev;
2662         }
2663         usb_register_notify(&usbdev_nb);
2664 out:
2665         return retval;
2666
2667 error_cdev:
2668         unregister_chrdev_region(USB_DEVICE_DEV, USB_DEVICE_MAX);
2669         goto out;
2670 }
2671
2672 void usb_devio_cleanup(void)
2673 {
2674         usb_unregister_notify(&usbdev_nb);
2675         cdev_del(&usb_device_cdev);
2676         unregister_chrdev_region(USB_DEVICE_DEV, USB_DEVICE_MAX);
2677 }