drivers/usb/core/devio.c

   1 // SPDX-License-Identifier: GPL-2.0+
   2 /*****************************************************************************/
   3
   4 /*
   5  *      devio.c  --  User space communication with USB devices.
   6  *
   7  *      Copyright (C) 1999-2000  Thomas Sailer ([email protected])
   8  *
   9  *  This file implements the usbfs/x/y files, where
  10  *  x is the bus number and y the device number.
  11  *
  12  *  It allows user space programs/"drivers" to communicate directly
  13  *  with USB devices without intervening kernel driver.
  14  *
  15  *  Revision history
  16  *    22.12.1999   0.1   Initial release (split from proc_usb.c)
  17  *    04.01.2000   0.2   Turned into its own filesystem
  18  *    30.09.2005   0.3   Fix user-triggerable oops in async URB delivery
  19  *                       (CAN-2005-3055)
  20  */
  21
  22 /*****************************************************************************/
  23
  24 #include <linux/fs.h>
  25 #include <linux/mm.h>
  26 #include <linux/sched/signal.h>
  27 #include <linux/slab.h>
  28 #include <linux/signal.h>
  29 #include <linux/poll.h>
  30 #include <linux/module.h>
  31 #include <linux/string.h>
  32 #include <linux/usb.h>
  33 #include <linux/usbdevice_fs.h>
  34 #include <linux/usb/hcd.h>      /* for usbcore internals */
  35 #include <linux/cdev.h>
  36 #include <linux/notifier.h>
  37 #include <linux/security.h>
  38 #include <linux/user_namespace.h>
  39 #include <linux/scatterlist.h>
  40 #include <linux/uaccess.h>
  41 #include <linux/dma-mapping.h>
  42 #include <asm/byteorder.h>
  43 #include <linux/moduleparam.h>
  44
  45 #include "usb.h"
  46
  47 #define USB_MAXBUS                      64
  48 #define USB_DEVICE_MAX                  (USB_MAXBUS * 128)
  49 #define USB_SG_SIZE                     16384 /* split-size for large txs */
  50
  51 struct usb_dev_state {
  52         struct list_head list;      /* state list */
  53         struct usb_device *dev;
  54         struct file *file;
  55         spinlock_t lock;            /* protects the async urb lists */
  56         struct list_head async_pending;
  57         struct list_head async_completed;
  58         struct list_head memory_list;
  59         wait_queue_head_t wait;     /* wake up if a request completed */
  60         unsigned int discsignr;
  61         struct pid *disc_pid;
  62         const struct cred *cred;
  63         sigval_t disccontext;
  64         unsigned long ifclaimed;
  65         u32 disabled_bulk_eps;
  66         bool privileges_dropped;
  67         unsigned long interface_allowed_mask;
  68 };
  69
  70 struct usb_memory {
  71         struct list_head memlist;
  72         int vma_use_count;
  73         int urb_use_count;
  74         u32 size;
  75         void *mem;
  76         dma_addr_t dma_handle;
  77         unsigned long vm_start;
  78         struct usb_dev_state *ps;
  79 };
  80
  81 struct async {
  82         struct list_head asynclist;
  83         struct usb_dev_state *ps;
  84         struct pid *pid;
  85         const struct cred *cred;
  86         unsigned int signr;
  87         unsigned int ifnum;
  88         void __user *userbuffer;
  89         void __user *userurb;
  90         sigval_t userurb_sigval;
  91         struct urb *urb;
  92         struct usb_memory *usbm;
  93         unsigned int mem_usage;
  94         int status;
  95         u8 bulk_addr;
  96         u8 bulk_status;
  97 };
  98
  99 static bool usbfs_snoop;
 100 module_param(usbfs_snoop, bool, S_IRUGO | S_IWUSR);
 101 MODULE_PARM_DESC(usbfs_snoop, "true to log all usbfs traffic");
 102
 103 static unsigned usbfs_snoop_max = 65536;
 104 module_param(usbfs_snoop_max, uint, S_IRUGO | S_IWUSR);
 105 MODULE_PARM_DESC(usbfs_snoop_max,
 106                 "maximum number of bytes to print while snooping");
 107
 108 #define snoop(dev, format, arg...)                              \
 109         do {                                                    \
 110                 if (usbfs_snoop)                                \
 111                         dev_info(dev, format, ## arg);          \
 112         } while (0)
 113
 114 enum snoop_when {
 115         SUBMIT, COMPLETE
 116 };
 117
 118 #define USB_DEVICE_DEV          MKDEV(USB_DEVICE_MAJOR, 0)
 119
 120 /* Limit on the total amount of memory we can allocate for transfers */
 121 static u32 usbfs_memory_mb = 16;
 122 module_param(usbfs_memory_mb, uint, 0644);
 123 MODULE_PARM_DESC(usbfs_memory_mb,
 124                 "maximum MB allowed for usbfs buffers (0 = no limit)");
 125
 126 /* Hard limit, necessary to avoid arithmetic overflow */
 127 #define USBFS_XFER_MAX         (UINT_MAX / 2 - 1000000)
 128
 129 static atomic64_t usbfs_memory_usage;   /* Total memory currently allocated */
 130
 131 /* Check whether it's okay to allocate more memory for a transfer */
 132 static int usbfs_increase_memory_usage(u64 amount)
 133 {
 134         u64 lim;
 135
 136         lim = READ_ONCE(usbfs_memory_mb);
 137         lim <<= 20;
 138
 139         atomic64_add(amount, &usbfs_memory_usage);
 140
 141         if (lim > 0 && atomic64_read(&usbfs_memory_usage) > lim) {
 142                 atomic64_sub(amount, &usbfs_memory_usage);
 143                 return -ENOMEM;
 144         }
 145
 146         return 0;
 147 }
 148
 149 /* Memory for a transfer is being deallocated */
 150 static void usbfs_decrease_memory_usage(u64 amount)
 151 {
 152         atomic64_sub(amount, &usbfs_memory_usage);
 153 }
 154
 155 static int connected(struct usb_dev_state *ps)
 156 {
 157         return (!list_empty(&ps->list) &&
 158                         ps->dev->state != USB_STATE_NOTATTACHED);
 159 }
 160
 161 static void dec_usb_memory_use_count(struct usb_memory *usbm, int *count)
 162 {
 163         struct usb_dev_state *ps = usbm->ps;
 164         unsigned long flags;
 165
 166         spin_lock_irqsave(&ps->lock, flags);
 167         --*count;
 168         if (usbm->urb_use_count == 0 && usbm->vma_use_count == 0) {
 169                 list_del(&usbm->memlist);
 170                 spin_unlock_irqrestore(&ps->lock, flags);
 171
 172                 usb_free_coherent(ps->dev, usbm->size, usbm->mem,
 173                                 usbm->dma_handle);
 174                 usbfs_decrease_memory_usage(
 175                         usbm->size + sizeof(struct usb_memory));
 176                 kfree(usbm);
 177         } else {
 178                 spin_unlock_irqrestore(&ps->lock, flags);
 179         }
 180 }
 181
 182 static void usbdev_vm_open(struct vm_area_struct *vma)
 183 {
 184         struct usb_memory *usbm = vma->vm_private_data;
 185         unsigned long flags;
 186
 187         spin_lock_irqsave(&usbm->ps->lock, flags);
 188         ++usbm->vma_use_count;
 189         spin_unlock_irqrestore(&usbm->ps->lock, flags);
 190 }
 191
 192 static void usbdev_vm_close(struct vm_area_struct *vma)
 193 {
 194         struct usb_memory *usbm = vma->vm_private_data;
 195
 196         dec_usb_memory_use_count(usbm, &usbm->vma_use_count);
 197 }
 198
 199 static const struct vm_operations_struct usbdev_vm_ops = {
 200         .open = usbdev_vm_open,
 201         .close = usbdev_vm_close
 202 };
 203
 204 static int usbdev_mmap(struct file *file, struct vm_area_struct *vma)
 205 {
 206         struct usb_memory *usbm = NULL;
 207         struct usb_dev_state *ps = file->private_data;
 208         size_t size = vma->vm_end - vma->vm_start;
 209         void *mem;
 210         unsigned long flags;
 211         dma_addr_t dma_handle;
 212         int ret;
 213
 214         ret = usbfs_increase_memory_usage(size + sizeof(struct usb_memory));
 215         if (ret)
 216                 goto error;
 217
 218         usbm = kzalloc(sizeof(struct usb_memory), GFP_KERNEL);
 219         if (!usbm) {
 220                 ret = -ENOMEM;
 221                 goto error_decrease_mem;
 222         }
 223
 224         mem = usb_alloc_coherent(ps->dev, size, GFP_USER | __GFP_NOWARN,
 225                         &dma_handle);
 226         if (!mem) {
 227                 ret = -ENOMEM;
 228                 goto error_free_usbm;
 229         }
 230
 231         memset(mem, 0, size);
 232
 233         usbm->mem = mem;
 234         usbm->dma_handle = dma_handle;
 235         usbm->size = size;
 236         usbm->ps = ps;
 237         usbm->vm_start = vma->vm_start;
 238         usbm->vma_use_count = 1;
 239         INIT_LIST_HEAD(&usbm->memlist);
 240
 241         if (remap_pfn_range(vma, vma->vm_start,
 242                         virt_to_phys(usbm->mem) >> PAGE_SHIFT,
 243                         size, vma->vm_page_prot) < 0) {
 244                 dec_usb_memory_use_count(usbm, &usbm->vma_use_count);
 245                 return -EAGAIN;
 246         }
 247
 248         vma->vm_flags |= VM_IO;
 249         vma->vm_flags |= (VM_DONTEXPAND | VM_DONTDUMP);
 250         vma->vm_ops = &usbdev_vm_ops;
 251         vma->vm_private_data = usbm;
 252
 253         spin_lock_irqsave(&ps->lock, flags);
 254         list_add_tail(&usbm->memlist, &ps->memory_list);
 255         spin_unlock_irqrestore(&ps->lock, flags);
 256
 257         return 0;
 258
 259 error_free_usbm:
 260         kfree(usbm);
 261 error_decrease_mem:
 262         usbfs_decrease_memory_usage(size + sizeof(struct usb_memory));
 263 error:
 264         return ret;
 265 }
 266
 267 static ssize_t usbdev_read(struct file *file, char __user *buf, size_t nbytes,
 268                            loff_t *ppos)
 269 {
 270         struct usb_dev_state *ps = file->private_data;
 271         struct usb_device *dev = ps->dev;
 272         ssize_t ret = 0;
 273         unsigned len;
 274         loff_t pos;
 275         int i;
 276
 277         pos = *ppos;
 278         usb_lock_device(dev);
 279         if (!connected(ps)) {
 280                 ret = -ENODEV;
 281                 goto err;
 282         } else if (pos < 0) {
 283                 ret = -EINVAL;
 284                 goto err;
 285         }
 286
 287         if (pos < sizeof(struct usb_device_descriptor)) {
 288                 /* 18 bytes - fits on the stack */
 289                 struct usb_device_descriptor temp_desc;
 290
 291                 memcpy(&temp_desc, &dev->descriptor, sizeof(dev->descriptor));
 292                 le16_to_cpus(&temp_desc.bcdUSB);
 293                 le16_to_cpus(&temp_desc.idVendor);
 294                 le16_to_cpus(&temp_desc.idProduct);
 295                 le16_to_cpus(&temp_desc.bcdDevice);
 296
 297                 len = sizeof(struct usb_device_descriptor) - pos;
 298                 if (len > nbytes)
 299                         len = nbytes;
 300                 if (copy_to_user(buf, ((char *)&temp_desc) + pos, len)) {
 301                         ret = -EFAULT;
 302                         goto err;
 303                 }
 304
 305                 *ppos += len;
 306                 buf += len;
 307                 nbytes -= len;
 308                 ret += len;
 309         }
 310
 311         pos = sizeof(struct usb_device_descriptor);
 312         for (i = 0; nbytes && i < dev->descriptor.bNumConfigurations; i++) {
 313                 struct usb_config_descriptor *config =
 314                         (struct usb_config_descriptor *)dev->rawdescriptors[i];
 315                 unsigned int length = le16_to_cpu(config->wTotalLength);
 316
 317                 if (*ppos < pos + length) {
 318
 319                         /* The descriptor may claim to be longer than it
 320                          * really is.  Here is the actual allocated length. */
 321                         unsigned alloclen =
 322                                 le16_to_cpu(dev->config[i].desc.wTotalLength);
 323
 324                         len = length - (*ppos - pos);
 325                         if (len > nbytes)
 326                                 len = nbytes;
 327
 328                         /* Simply don't write (skip over) unallocated parts */
 329                         if (alloclen > (*ppos - pos)) {
 330                                 alloclen -= (*ppos - pos);
 331                                 if (copy_to_user(buf,
 332                                     dev->rawdescriptors[i] + (*ppos - pos),
 333                                     min(len, alloclen))) {
 334                                         ret = -EFAULT;
 335                                         goto err;
 336                                 }
 337                         }
 338
 339                         *ppos += len;
 340                         buf += len;
 341                         nbytes -= len;
 342                         ret += len;
 343                 }
 344
 345                 pos += length;
 346         }
 347
 348 err:
 349         usb_unlock_device(dev);
 350         return ret;
 351 }
 352
 353 /*
 354  * async list handling
 355  */
 356
 357 static struct async *alloc_async(unsigned int numisoframes)
 358 {
 359         struct async *as;
 360
 361         as = kzalloc(sizeof(struct async), GFP_KERNEL);
 362         if (!as)
 363                 return NULL;
 364         as->urb = usb_alloc_urb(numisoframes, GFP_KERNEL);
 365         if (!as->urb) {
 366                 kfree(as);
 367                 return NULL;
 368         }
 369         return as;
 370 }
 371
 372 static void free_async(struct async *as)
 373 {
 374         int i;
 375
 376         put_pid(as->pid);
 377         if (as->cred)
 378                 put_cred(as->cred);
 379         for (i = 0; i < as->urb->num_sgs; i++) {
 380                 if (sg_page(&as->urb->sg[i]))
 381                         kfree(sg_virt(&as->urb->sg[i]));
 382         }
 383
 384         kfree(as->urb->sg);
 385         if (as->usbm == NULL)
 386                 kfree(as->urb->transfer_buffer);
 387         else
 388                 dec_usb_memory_use_count(as->usbm, &as->usbm->urb_use_count);
 389
 390         kfree(as->urb->setup_packet);
 391         usb_free_urb(as->urb);
 392         usbfs_decrease_memory_usage(as->mem_usage);
 393         kfree(as);
 394 }
 395
 396 static void async_newpending(struct async *as)
 397 {
 398         struct usb_dev_state *ps = as->ps;
 399         unsigned long flags;
 400
 401         spin_lock_irqsave(&ps->lock, flags);
 402         list_add_tail(&as->asynclist, &ps->async_pending);
 403         spin_unlock_irqrestore(&ps->lock, flags);
 404 }
 405
 406 static void async_removepending(struct async *as)
 407 {
 408         struct usb_dev_state *ps = as->ps;
 409         unsigned long flags;
 410
 411         spin_lock_irqsave(&ps->lock, flags);
 412         list_del_init(&as->asynclist);
 413         spin_unlock_irqrestore(&ps->lock, flags);
 414 }
 415
 416 static struct async *async_getcompleted(struct usb_dev_state *ps)
 417 {
 418         unsigned long flags;
 419         struct async *as = NULL;
 420
 421         spin_lock_irqsave(&ps->lock, flags);
 422         if (!list_empty(&ps->async_completed)) {
 423                 as = list_entry(ps->async_completed.next, struct async,
 424                                 asynclist);
 425                 list_del_init(&as->asynclist);
 426         }
 427         spin_unlock_irqrestore(&ps->lock, flags);
 428         return as;
 429 }
 430
 431 static struct async *async_getpending(struct usb_dev_state *ps,
 432                                              void __user *userurb)
 433 {
 434         struct async *as;
 435
 436         list_for_each_entry(as, &ps->async_pending, asynclist)
 437                 if (as->userurb == userurb) {
 438                         list_del_init(&as->asynclist);
 439                         return as;
 440                 }
 441
 442         return NULL;
 443 }
 444
 445 static void snoop_urb(struct usb_device *udev,
 446                 void __user *userurb, int pipe, unsigned length,
 447                 int timeout_or_status, enum snoop_when when,
 448                 unsigned char *data, unsigned data_len)
 449 {
 450         static const char *types[] = {"isoc", "int", "ctrl", "bulk"};
 451         static const char *dirs[] = {"out", "in"};
 452         int ep;
 453         const char *t, *d;
 454
 455         if (!usbfs_snoop)
 456                 return;
 457
 458         ep = usb_pipeendpoint(pipe);
 459         t = types[usb_pipetype(pipe)];
 460         d = dirs[!!usb_pipein(pipe)];
 461
 462         if (userurb) {          /* Async */
 463                 if (when == SUBMIT)
 464                         dev_info(&udev->dev, "userurb %pK, ep%d %s-%s, "
 465                                         "length %u\n",
 466                                         userurb, ep, t, d, length);
 467                 else
 468                         dev_info(&udev->dev, "userurb %pK, ep%d %s-%s, "
 469                                         "actual_length %u status %d\n",
 470                                         userurb, ep, t, d, length,
 471                                         timeout_or_status);
 472         } else {
 473                 if (when == SUBMIT)
 474                         dev_info(&udev->dev, "ep%d %s-%s, length %u, "
 475                                         "timeout %d\n",
 476                                         ep, t, d, length, timeout_or_status);
 477                 else
 478                         dev_info(&udev->dev, "ep%d %s-%s, actual_length %u, "
 479                                         "status %d\n",
 480                                         ep, t, d, length, timeout_or_status);
 481         }
 482
 483         data_len = min(data_len, usbfs_snoop_max);
 484         if (data && data_len > 0) {
 485                 print_hex_dump(KERN_DEBUG, "data: ", DUMP_PREFIX_NONE, 32, 1,
 486                         data, data_len, 1);
 487         }
 488 }
 489
 490 static void snoop_urb_data(struct urb *urb, unsigned len)
 491 {
 492         int i, size;
 493
 494         len = min(len, usbfs_snoop_max);
 495         if (!usbfs_snoop || len == 0)
 496                 return;
 497
 498         if (urb->num_sgs == 0) {
 499                 print_hex_dump(KERN_DEBUG, "data: ", DUMP_PREFIX_NONE, 32, 1,
 500                         urb->transfer_buffer, len, 1);
 501                 return;
 502         }
 503
 504         for (i = 0; i < urb->num_sgs && len; i++) {
 505                 size = (len > USB_SG_SIZE) ? USB_SG_SIZE : len;
 506                 print_hex_dump(KERN_DEBUG, "data: ", DUMP_PREFIX_NONE, 32, 1,
 507                         sg_virt(&urb->sg[i]), size, 1);
 508                 len -= size;
 509         }
 510 }
 511
 512 static int copy_urb_data_to_user(u8 __user *userbuffer, struct urb *urb)
 513 {
 514         unsigned i, len, size;
 515
 516         if (urb->number_of_packets > 0)         /* Isochronous */
 517                 len = urb->transfer_buffer_length;
 518         else                                    /* Non-Isoc */
 519                 len = urb->actual_length;
 520
 521         if (urb->num_sgs == 0) {
 522                 if (copy_to_user(userbuffer, urb->transfer_buffer, len))
 523                         return -EFAULT;
 524                 return 0;
 525         }
 526
 527         for (i = 0; i < urb->num_sgs && len; i++) {
 528                 size = (len > USB_SG_SIZE) ? USB_SG_SIZE : len;
 529                 if (copy_to_user(userbuffer, sg_virt(&urb->sg[i]), size))
 530                         return -EFAULT;
 531                 userbuffer += size;
 532                 len -= size;
 533         }
 534
 535         return 0;
 536 }
 537
 538 #define AS_CONTINUATION 1
 539 #define AS_UNLINK       2
 540
 541 static void cancel_bulk_urbs(struct usb_dev_state *ps, unsigned bulk_addr)
 542 __releases(ps->lock)
 543 __acquires(ps->lock)
 544 {
 545         struct urb *urb;
 546         struct async *as;
 547
 548         /* Mark all the pending URBs that match bulk_addr, up to but not
 549          * including the first one without AS_CONTINUATION.  If such an
 550          * URB is encountered then a new transfer has already started so
 551          * the endpoint doesn't need to be disabled; otherwise it does.
 552          */
 553         list_for_each_entry(as, &ps->async_pending, asynclist) {
 554                 if (as->bulk_addr == bulk_addr) {
 555                         if (as->bulk_status != AS_CONTINUATION)
 556                                 goto rescan;
 557                         as->bulk_status = AS_UNLINK;
 558                         as->bulk_addr = 0;
 559                 }
 560         }
 561         ps->disabled_bulk_eps |= (1 << bulk_addr);
 562
 563         /* Now carefully unlink all the marked pending URBs */
 564  rescan:
 565         list_for_each_entry(as, &ps->async_pending, asynclist) {
 566                 if (as->bulk_status == AS_UNLINK) {
 567                         as->bulk_status = 0;            /* Only once */
 568                         urb = as->urb;
 569                         usb_get_urb(urb);
 570                         spin_unlock(&ps->lock);         /* Allow completions */
 571                         usb_unlink_urb(urb);
 572                         usb_put_urb(urb);
 573                         spin_lock(&ps->lock);
 574                         goto rescan;
 575                 }
 576         }
 577 }
 578
 579 static void async_completed(struct urb *urb)
 580 {
 581         struct async *as = urb->context;
 582         struct usb_dev_state *ps = as->ps;
 583         struct pid *pid = NULL;
 584         const struct cred *cred = NULL;
 585         unsigned long flags;
 586         sigval_t addr;
 587         int signr, errno;
 588
 589         spin_lock_irqsave(&ps->lock, flags);
 590         list_move_tail(&as->asynclist, &ps->async_completed);
 591         as->status = urb->status;
 592         signr = as->signr;
 593         if (signr) {
 594                 errno = as->status;
 595                 addr = as->userurb_sigval;
 596                 pid = get_pid(as->pid);
 597                 cred = get_cred(as->cred);
 598         }
 599         snoop(&urb->dev->dev, "urb complete\n");
 600         snoop_urb(urb->dev, as->userurb, urb->pipe, urb->actual_length,
 601                         as->status, COMPLETE, NULL, 0);
 602         if (usb_urb_dir_in(urb))
 603                 snoop_urb_data(urb, urb->actual_length);
 604
 605         if (as->status < 0 && as->bulk_addr && as->status != -ECONNRESET &&
 606                         as->status != -ENOENT)
 607                 cancel_bulk_urbs(ps, as->bulk_addr);
 608
 609         wake_up(&ps->wait);
 610         spin_unlock_irqrestore(&ps->lock, flags);
 611
 612         if (signr) {
 613                 kill_pid_usb_asyncio(signr, errno, addr, pid, cred);
 614                 put_pid(pid);
 615                 put_cred(cred);
 616         }
 617 }
 618
 619 static void destroy_async(struct usb_dev_state *ps, struct list_head *list)
 620 {
 621         struct urb *urb;
 622         struct async *as;
 623         unsigned long flags;
 624
 625         spin_lock_irqsave(&ps->lock, flags);
 626         while (!list_empty(list)) {
 627                 as = list_entry(list->next, struct async, asynclist);
 628                 list_del_init(&as->asynclist);
 629                 urb = as->urb;
 630                 usb_get_urb(urb);
 631
 632                 /* drop the spinlock so the completion handler can run */
 633                 spin_unlock_irqrestore(&ps->lock, flags);
 634                 usb_kill_urb(urb);
 635                 usb_put_urb(urb);
 636                 spin_lock_irqsave(&ps->lock, flags);
 637         }
 638         spin_unlock_irqrestore(&ps->lock, flags);
 639 }
 640
 641 static void destroy_async_on_interface(struct usb_dev_state *ps,
 642                                        unsigned int ifnum)
 643 {
 644         struct list_head *p, *q, hitlist;
 645         unsigned long flags;
 646
 647         INIT_LIST_HEAD(&hitlist);
 648         spin_lock_irqsave(&ps->lock, flags);
 649         list_for_each_safe(p, q, &ps->async_pending)
 650                 if (ifnum == list_entry(p, struct async, asynclist)->ifnum)
 651                         list_move_tail(p, &hitlist);
 652         spin_unlock_irqrestore(&ps->lock, flags);
 653         destroy_async(ps, &hitlist);
 654 }
 655
 656 static void destroy_all_async(struct usb_dev_state *ps)
 657 {
 658         destroy_async(ps, &ps->async_pending);
 659 }
 660
 661 /*
 662  * interface claims are made only at the request of user level code,
 663  * which can also release them (explicitly or by closing files).
 664  * they're also undone when devices disconnect.
 665  */
 666
 667 static int driver_probe(struct usb_interface *intf,
 668                         const struct usb_device_id *id)
 669 {
 670         return -ENODEV;
 671 }
 672
 673 static void driver_disconnect(struct usb_interface *intf)
 674 {
 675         struct usb_dev_state *ps = usb_get_intfdata(intf);
 676         unsigned int ifnum = intf->altsetting->desc.bInterfaceNumber;
 677
 678         if (!ps)
 679                 return;
 680
 681         /* NOTE:  this relies on usbcore having canceled and completed
 682          * all pending I/O requests; 2.6 does that.
 683          */
 684
 685         if (likely(ifnum < 8*sizeof(ps->ifclaimed)))
 686                 clear_bit(ifnum, &ps->ifclaimed);
 687         else
 688                 dev_warn(&intf->dev, "interface number %u out of range\n",
 689                          ifnum);
 690
 691         usb_set_intfdata(intf, NULL);
 692
 693         /* force async requests to complete */
 694         destroy_async_on_interface(ps, ifnum);
 695 }
 696
 697 /* The following routines are merely placeholders.  There is no way
 698  * to inform a user task about suspend or resumes.
 699  */
 700 static int driver_suspend(struct usb_interface *intf, pm_message_t msg)
 701 {
 702         return 0;
 703 }
 704
 705 static int driver_resume(struct usb_interface *intf)
 706 {
 707         return 0;
 708 }
 709
 710 struct usb_driver usbfs_driver = {
 711         .name =         "usbfs",
 712         .probe =        driver_probe,
 713         .disconnect =   driver_disconnect,
 714         .suspend =      driver_suspend,
 715         .resume =       driver_resume,
 716 };
 717
 718 static int claimintf(struct usb_dev_state *ps, unsigned int ifnum)
 719 {
 720         struct usb_device *dev = ps->dev;
 721         struct usb_interface *intf;
 722         int err;
 723
 724         if (ifnum >= 8*sizeof(ps->ifclaimed))
 725                 return -EINVAL;
 726         /* already claimed */
 727         if (test_bit(ifnum, &ps->ifclaimed))
 728                 return 0;
 729
 730         if (ps->privileges_dropped &&
 731                         !test_bit(ifnum, &ps->interface_allowed_mask))
 732                 return -EACCES;
 733
 734         intf = usb_ifnum_to_if(dev, ifnum);
 735         if (!intf)
 736                 err = -ENOENT;
 737         else
 738                 err = usb_driver_claim_interface(&usbfs_driver, intf, ps);
 739         if (err == 0)
 740                 set_bit(ifnum, &ps->ifclaimed);
 741         return err;
 742 }
 743
 744 static int releaseintf(struct usb_dev_state *ps, unsigned int ifnum)
 745 {
 746         struct usb_device *dev;
 747         struct usb_interface *intf;
 748         int err;
 749
 750         err = -EINVAL;
 751         if (ifnum >= 8*sizeof(ps->ifclaimed))
 752                 return err;
 753         dev = ps->dev;
 754         intf = usb_ifnum_to_if(dev, ifnum);
 755         if (!intf)
 756                 err = -ENOENT;
 757         else if (test_and_clear_bit(ifnum, &ps->ifclaimed)) {
 758                 usb_driver_release_interface(&usbfs_driver, intf);
 759                 err = 0;
 760         }
 761         return err;
 762 }
 763
 764 static int checkintf(struct usb_dev_state *ps, unsigned int ifnum)
 765 {
 766         if (ps->dev->state != USB_STATE_CONFIGURED)
 767                 return -EHOSTUNREACH;
 768         if (ifnum >= 8*sizeof(ps->ifclaimed))
 769                 return -EINVAL;
 770         if (test_bit(ifnum, &ps->ifclaimed))
 771                 return 0;
 772         /* if not yet claimed, claim it for the driver */
 773         dev_warn(&ps->dev->dev, "usbfs: process %d (%s) did not claim "
 774                  "interface %u before use\n", task_pid_nr(current),
 775                  current->comm, ifnum);
 776         return claimintf(ps, ifnum);
 777 }
 778
 779 static int findintfep(struct usb_device *dev, unsigned int ep)
 780 {
 781         unsigned int i, j, e;
 782         struct usb_interface *intf;
 783         struct usb_host_interface *alts;
 784         struct usb_endpoint_descriptor *endpt;
 785
 786         if (ep & ~(USB_DIR_IN|0xf))
 787                 return -EINVAL;
 788         if (!dev->actconfig)
 789                 return -ESRCH;
 790         for (i = 0; i < dev->actconfig->desc.bNumInterfaces; i++) {
 791                 intf = dev->actconfig->interface[i];
 792                 for (j = 0; j < intf->num_altsetting; j++) {
 793                         alts = &intf->altsetting[j];
 794                         for (e = 0; e < alts->desc.bNumEndpoints; e++) {
 795                                 endpt = &alts->endpoint[e].desc;
 796                                 if (endpt->bEndpointAddress == ep)
 797                                         return alts->desc.bInterfaceNumber;
 798                         }
 799                 }
 800         }
 801         return -ENOENT;
 802 }
 803
 804 static int check_ctrlrecip(struct usb_dev_state *ps, unsigned int requesttype,
 805                            unsigned int request, unsigned int index)
 806 {
 807         int ret = 0;
 808         struct usb_host_interface *alt_setting;
 809
 810         if (ps->dev->state != USB_STATE_UNAUTHENTICATED
 811          && ps->dev->state != USB_STATE_ADDRESS
 812          && ps->dev->state != USB_STATE_CONFIGURED)
 813                 return -EHOSTUNREACH;
 814         if (USB_TYPE_VENDOR == (USB_TYPE_MASK & requesttype))
 815                 return 0;
 816
 817         /*
 818          * check for the special corner case 'get_device_id' in the printer
 819          * class specification, which we always want to allow as it is used
 820          * to query things like ink level, etc.
 821          */
 822         if (requesttype == 0xa1 && request == 0) {
 823                 alt_setting = usb_find_alt_setting(ps->dev->actconfig,
 824                                                    index >> 8, index & 0xff);
 825                 if (alt_setting
 826                  && alt_setting->desc.bInterfaceClass == USB_CLASS_PRINTER)
 827                         return 0;
 828         }
 829
 830         index &= 0xff;
 831         switch (requesttype & USB_RECIP_MASK) {
 832         case USB_RECIP_ENDPOINT:
 833                 if ((index & ~USB_DIR_IN) == 0)
 834                         return 0;
 835                 ret = findintfep(ps->dev, index);
 836                 if (ret < 0) {
 837                         /*
 838                          * Some not fully compliant Win apps seem to get
 839                          * index wrong and have the endpoint number here
 840                          * rather than the endpoint address (with the
 841                          * correct direction). Win does let this through,
 842                          * so we'll not reject it here but leave it to
 843                          * the device to not break KVM. But we warn.
 844                          */
 845                         ret = findintfep(ps->dev, index ^ 0x80);
 846                         if (ret >= 0)
 847                                 dev_info(&ps->dev->dev,
 848                                         "%s: process %i (%s) requesting ep %02x but needs %02x\n",
 849                                         __func__, task_pid_nr(current),
 850                                         current->comm, index, index ^ 0x80);
 851                 }
 852                 if (ret >= 0)
 853                         ret = checkintf(ps, ret);
 854                 break;
 855
 856         case USB_RECIP_INTERFACE:
 857                 ret = checkintf(ps, index);
 858                 break;
 859         }
 860         return ret;
 861 }
 862
 863 static struct usb_host_endpoint *ep_to_host_endpoint(struct usb_device *dev,
 864                                                      unsigned char ep)
 865 {
 866         if (ep & USB_ENDPOINT_DIR_MASK)
 867                 return dev->ep_in[ep & USB_ENDPOINT_NUMBER_MASK];
 868         else
 869                 return dev->ep_out[ep & USB_ENDPOINT_NUMBER_MASK];
 870 }
 871
 872 static int parse_usbdevfs_streams(struct usb_dev_state *ps,
 873                                   struct usbdevfs_streams __user *streams,
 874                                   unsigned int *num_streams_ret,
 875                                   unsigned int *num_eps_ret,
 876                                   struct usb_host_endpoint ***eps_ret,
 877                                   struct usb_interface **intf_ret)
 878 {
 879         unsigned int i, num_streams, num_eps;
 880         struct usb_host_endpoint **eps;
 881         struct usb_interface *intf = NULL;
 882         unsigned char ep;
 883         int ifnum, ret;
 884
 885         if (get_user(num_streams, &streams->num_streams) ||
 886             get_user(num_eps, &streams->num_eps))
 887                 return -EFAULT;
 888
 889         if (num_eps < 1 || num_eps > USB_MAXENDPOINTS)
 890                 return -EINVAL;
 891
 892         /* The XHCI controller allows max 2 ^ 16 streams */
 893         if (num_streams_ret && (num_streams < 2 || num_streams > 65536))
 894                 return -EINVAL;
 895
 896         eps = kmalloc_array(num_eps, sizeof(*eps), GFP_KERNEL);
 897         if (!eps)
 898                 return -ENOMEM;
 899
 900         for (i = 0; i < num_eps; i++) {
 901                 if (get_user(ep, &streams->eps[i])) {
 902                         ret = -EFAULT;
 903                         goto error;
 904                 }
 905                 eps[i] = ep_to_host_endpoint(ps->dev, ep);
 906                 if (!eps[i]) {
 907                         ret = -EINVAL;
 908                         goto error;
 909                 }
 910
 911                 /* usb_alloc/free_streams operate on an usb_interface */
 912                 ifnum = findintfep(ps->dev, ep);
 913                 if (ifnum < 0) {
 914                         ret = ifnum;
 915                         goto error;
 916                 }
 917
 918                 if (i == 0) {
 919                         ret = checkintf(ps, ifnum);
 920                         if (ret < 0)
 921                                 goto error;
 922                         intf = usb_ifnum_to_if(ps->dev, ifnum);
 923                 } else {
 924                         /* Verify all eps belong to the same interface */
 925                         if (ifnum != intf->altsetting->desc.bInterfaceNumber) {
 926                                 ret = -EINVAL;
 927                                 goto error;
 928                         }
 929                 }
 930         }
 931
 932         if (num_streams_ret)
 933                 *num_streams_ret = num_streams;
 934         *num_eps_ret = num_eps;
 935         *eps_ret = eps;
 936         *intf_ret = intf;
 937
 938         return 0;
 939
 940 error:
 941         kfree(eps);
 942         return ret;
 943 }
 944
 945 static struct usb_device *usbdev_lookup_by_devt(dev_t devt)
 946 {
 947         struct device *dev;
 948
 949         dev = bus_find_device_by_devt(&usb_bus_type, devt);
 950         if (!dev)
 951                 return NULL;
 952         return to_usb_device(dev);
 953 }
 954
 955 /*
 956  * file operations
 957  */
 958 static int usbdev_open(struct inode *inode, struct file *file)
 959 {
 960         struct usb_device *dev = NULL;
 961         struct usb_dev_state *ps;
 962         int ret;
 963
 964         ret = -ENOMEM;
 965         ps = kzalloc(sizeof(struct usb_dev_state), GFP_KERNEL);
 966         if (!ps)
 967                 goto out_free_ps;
 968
 969         ret = -ENODEV;
 970
 971         /* usbdev device-node */
 972         if (imajor(inode) == USB_DEVICE_MAJOR)
 973                 dev = usbdev_lookup_by_devt(inode->i_rdev);
 974         if (!dev)
 975                 goto out_free_ps;
 976
 977         usb_lock_device(dev);
 978         if (dev->state == USB_STATE_NOTATTACHED)
 979                 goto out_unlock_device;
 980
 981         ret = usb_autoresume_device(dev);
 982         if (ret)
 983                 goto out_unlock_device;
 984
 985         ps->dev = dev;
 986         ps->file = file;
 987         ps->interface_allowed_mask = 0xFFFFFFFF; /* 32 bits */
 988         spin_lock_init(&ps->lock);
 989         INIT_LIST_HEAD(&ps->list);
 990         INIT_LIST_HEAD(&ps->async_pending);
 991         INIT_LIST_HEAD(&ps->async_completed);
 992         INIT_LIST_HEAD(&ps->memory_list);
 993         init_waitqueue_head(&ps->wait);
 994         ps->disc_pid = get_pid(task_pid(current));
 995         ps->cred = get_current_cred();
 996         smp_wmb();
 997         list_add_tail(&ps->list, &dev->filelist);
 998         file->private_data = ps;
 999         usb_unlock_device(dev);
1000         snoop(&dev->dev, "opened by process %d: %s\n", task_pid_nr(current),
1001                         current->comm);
1002         return ret;
1003
1004  out_unlock_device:
1005         usb_unlock_device(dev);
1006         usb_put_dev(dev);
1007  out_free_ps:
1008         kfree(ps);
1009         return ret;
1010 }
1011
1012 static int usbdev_release(struct inode *inode, struct file *file)
1013 {
1014         struct usb_dev_state *ps = file->private_data;
1015         struct usb_device *dev = ps->dev;
1016         unsigned int ifnum;
1017         struct async *as;
1018
1019         usb_lock_device(dev);
1020         usb_hub_release_all_ports(dev, ps);
1021
1022         list_del_init(&ps->list);
1023
1024         for (ifnum = 0; ps->ifclaimed && ifnum < 8*sizeof(ps->ifclaimed);
1025                         ifnum++) {
1026                 if (test_bit(ifnum, &ps->ifclaimed))
1027                         releaseintf(ps, ifnum);
1028         }
1029         destroy_all_async(ps);
1030         usb_autosuspend_device(dev);
1031         usb_unlock_device(dev);
1032         usb_put_dev(dev);
1033         put_pid(ps->disc_pid);
1034         put_cred(ps->cred);
1035
1036         as = async_getcompleted(ps);
1037         while (as) {
1038                 free_async(as);
1039                 as = async_getcompleted(ps);
1040         }
1041
1042         kfree(ps);
1043         return 0;
1044 }
1045
1046 static int proc_control(struct usb_dev_state *ps, void __user *arg)
1047 {
1048         struct usb_device *dev = ps->dev;
1049         struct usbdevfs_ctrltransfer ctrl;
1050         unsigned int tmo;
1051         unsigned char *tbuf;
1052         unsigned wLength;
1053         int i, pipe, ret;
1054
1055         if (copy_from_user(&ctrl, arg, sizeof(ctrl)))
1056                 return -EFAULT;
1057         ret = check_ctrlrecip(ps, ctrl.bRequestType, ctrl.bRequest,
1058                               ctrl.wIndex);
1059         if (ret)
1060                 return ret;
1061         wLength = ctrl.wLength;         /* To suppress 64k PAGE_SIZE warning */
1062         if (wLength > PAGE_SIZE)
1063                 return -EINVAL;
1064         ret = usbfs_increase_memory_usage(PAGE_SIZE + sizeof(struct urb) +
1065                         sizeof(struct usb_ctrlrequest));
1066         if (ret)
1067                 return ret;
1068         tbuf = (unsigned char *)__get_free_page(GFP_KERNEL);
1069         if (!tbuf) {
1070                 ret = -ENOMEM;
1071                 goto done;
1072         }
1073         tmo = ctrl.timeout;
1074         snoop(&dev->dev, "control urb: bRequestType=%02x "
1075                 "bRequest=%02x wValue=%04x "
1076                 "wIndex=%04x wLength=%04x\n",
1077                 ctrl.bRequestType, ctrl.bRequest, ctrl.wValue,
1078                 ctrl.wIndex, ctrl.wLength);
1079         if (ctrl.bRequestType & 0x80) {
1080                 if (ctrl.wLength && !access_ok(ctrl.data,
1081                                                ctrl.wLength)) {
1082                         ret = -EINVAL;
1083                         goto done;
1084                 }
1085                 pipe = usb_rcvctrlpipe(dev, 0);
1086                 snoop_urb(dev, NULL, pipe, ctrl.wLength, tmo, SUBMIT, NULL, 0);
1087
1088                 usb_unlock_device(dev);
1089                 i = usb_control_msg(dev, pipe, ctrl.bRequest,
1090                                     ctrl.bRequestType, ctrl.wValue, ctrl.wIndex,
1091                                     tbuf, ctrl.wLength, tmo);
1092                 usb_lock_device(dev);
1093                 snoop_urb(dev, NULL, pipe, max(i, 0), min(i, 0), COMPLETE,
1094                           tbuf, max(i, 0));
1095                 if ((i > 0) && ctrl.wLength) {
1096                         if (copy_to_user(ctrl.data, tbuf, i)) {
1097                                 ret = -EFAULT;
1098                                 goto done;
1099                         }
1100                 }
1101         } else {
1102                 if (ctrl.wLength) {
1103                         if (copy_from_user(tbuf, ctrl.data, ctrl.wLength)) {
1104                                 ret = -EFAULT;
1105                                 goto done;
1106                         }
1107                 }
1108                 pipe = usb_sndctrlpipe(dev, 0);
1109                 snoop_urb(dev, NULL, pipe, ctrl.wLength, tmo, SUBMIT,
1110                         tbuf, ctrl.wLength);
1111
1112                 usb_unlock_device(dev);
1113                 i = usb_control_msg(dev, usb_sndctrlpipe(dev, 0), ctrl.bRequest,
1114                                     ctrl.bRequestType, ctrl.wValue, ctrl.wIndex,
1115                                     tbuf, ctrl.wLength, tmo);
1116                 usb_lock_device(dev);
1117                 snoop_urb(dev, NULL, pipe, max(i, 0), min(i, 0), COMPLETE, NULL, 0);
1118         }
1119         if (i < 0 && i != -EPIPE) {
1120                 dev_printk(KERN_DEBUG, &dev->dev, "usbfs: USBDEVFS_CONTROL "
1121                            "failed cmd %s rqt %u rq %u len %u ret %d\n",
1122                            current->comm, ctrl.bRequestType, ctrl.bRequest,
1123                            ctrl.wLength, i);
1124         }
1125         ret = i;
1126  done:
1127         free_page((unsigned long) tbuf);
1128         usbfs_decrease_memory_usage(PAGE_SIZE + sizeof(struct urb) +
1129                         sizeof(struct usb_ctrlrequest));
1130         return ret;
1131 }
1132
1133 static int proc_bulk(struct usb_dev_state *ps, void __user *arg)
1134 {
1135         struct usb_device *dev = ps->dev;
1136         struct usbdevfs_bulktransfer bulk;
1137         unsigned int tmo, len1, pipe;
1138         int len2;
1139         unsigned char *tbuf;
1140         int i, ret;
1141
1142         if (copy_from_user(&bulk, arg, sizeof(bulk)))
1143                 return -EFAULT;
1144         ret = findintfep(ps->dev, bulk.ep);
1145         if (ret < 0)
1146                 return ret;
1147         ret = checkintf(ps, ret);
1148         if (ret)
1149                 return ret;
1150         if (bulk.ep & USB_DIR_IN)
1151                 pipe = usb_rcvbulkpipe(dev, bulk.ep & 0x7f);
1152         else
1153                 pipe = usb_sndbulkpipe(dev, bulk.ep & 0x7f);
1154         if (!usb_maxpacket(dev, pipe, !(bulk.ep & USB_DIR_IN)))
1155                 return -EINVAL;
1156         len1 = bulk.len;
1157         if (len1 >= (INT_MAX - sizeof(struct urb)))
1158                 return -EINVAL;
1159         ret = usbfs_increase_memory_usage(len1 + sizeof(struct urb));
1160         if (ret)
1161                 return ret;
1162         tbuf = kmalloc(len1, GFP_KERNEL);
1163         if (!tbuf) {
1164                 ret = -ENOMEM;
1165                 goto done;
1166         }
1167         tmo = bulk.timeout;
1168         if (bulk.ep & 0x80) {
1169                 if (len1 && !access_ok(bulk.data, len1)) {
1170                         ret = -EINVAL;
1171                         goto done;
1172                 }
1173                 snoop_urb(dev, NULL, pipe, len1, tmo, SUBMIT, NULL, 0);
1174
1175                 usb_unlock_device(dev);
1176                 i = usb_bulk_msg(dev, pipe, tbuf, len1, &len2, tmo);
1177                 usb_lock_device(dev);
1178                 snoop_urb(dev, NULL, pipe, len2, i, COMPLETE, tbuf, len2);
1179
1180                 if (!i && len2) {
1181                         if (copy_to_user(bulk.data, tbuf, len2)) {
1182                                 ret = -EFAULT;
1183                                 goto done;
1184                         }
1185                 }
1186         } else {
1187                 if (len1) {
1188                         if (copy_from_user(tbuf, bulk.data, len1)) {
1189                                 ret = -EFAULT;
1190                                 goto done;
1191                         }
1192                 }
1193                 snoop_urb(dev, NULL, pipe, len1, tmo, SUBMIT, tbuf, len1);
1194
1195                 usb_unlock_device(dev);
1196                 i = usb_bulk_msg(dev, pipe, tbuf, len1, &len2, tmo);
1197                 usb_lock_device(dev);
1198                 snoop_urb(dev, NULL, pipe, len2, i, COMPLETE, NULL, 0);
1199         }
1200         ret = (i < 0 ? i : len2);
1201  done:
1202         kfree(tbuf);
1203         usbfs_decrease_memory_usage(len1 + sizeof(struct urb));
1204         return ret;
1205 }
1206
1207 static void check_reset_of_active_ep(struct usb_device *udev,
1208                 unsigned int epnum, char *ioctl_name)
1209 {
1210         struct usb_host_endpoint **eps;
1211         struct usb_host_endpoint *ep;
1212
1213         eps = (epnum & USB_DIR_IN) ? udev->ep_in : udev->ep_out;
1214         ep = eps[epnum & 0x0f];
1215         if (ep && !list_empty(&ep->urb_list))
1216                 dev_warn(&udev->dev, "Process %d (%s) called USBDEVFS_%s for active endpoint 0x%02x\n",
1217                                 task_pid_nr(current), current->comm,
1218                                 ioctl_name, epnum);
1219 }
1220
1221 static int proc_resetep(struct usb_dev_state *ps, void __user *arg)
1222 {
1223         unsigned int ep;
1224         int ret;
1225
1226         if (get_user(ep, (unsigned int __user *)arg))
1227                 return -EFAULT;
1228         ret = findintfep(ps->dev, ep);
1229         if (ret < 0)
1230                 return ret;
1231         ret = checkintf(ps, ret);
1232         if (ret)
1233                 return ret;
1234         check_reset_of_active_ep(ps->dev, ep, "RESETEP");
1235         usb_reset_endpoint(ps->dev, ep);
1236         return 0;
1237 }
1238
1239 static int proc_clearhalt(struct usb_dev_state *ps, void __user *arg)
1240 {
1241         unsigned int ep;
1242         int pipe;
1243         int ret;
1244
1245         if (get_user(ep, (unsigned int __user *)arg))
1246                 return -EFAULT;
1247         ret = findintfep(ps->dev, ep);
1248         if (ret < 0)
1249                 return ret;
1250         ret = checkintf(ps, ret);
1251         if (ret)
1252                 return ret;
1253         check_reset_of_active_ep(ps->dev, ep, "CLEAR_HALT");
1254         if (ep & USB_DIR_IN)
1255                 pipe = usb_rcvbulkpipe(ps->dev, ep & 0x7f);
1256         else
1257                 pipe = usb_sndbulkpipe(ps->dev, ep & 0x7f);
1258
1259         return usb_clear_halt(ps->dev, pipe);
1260 }
1261
1262 static int proc_getdriver(struct usb_dev_state *ps, void __user *arg)
1263 {
1264         struct usbdevfs_getdriver gd;
1265         struct usb_interface *intf;
1266         int ret;
1267
1268         if (copy_from_user(&gd, arg, sizeof(gd)))
1269                 return -EFAULT;
1270         intf = usb_ifnum_to_if(ps->dev, gd.interface);
1271         if (!intf || !intf->dev.driver)
1272                 ret = -ENODATA;
1273         else {
1274                 strlcpy(gd.driver, intf->dev.driver->name,
1275                                 sizeof(gd.driver));
1276                 ret = (copy_to_user(arg, &gd, sizeof(gd)) ? -EFAULT : 0);
1277         }
1278         return ret;
1279 }
1280
1281 static int proc_connectinfo(struct usb_dev_state *ps, void __user *arg)
1282 {
1283         struct usbdevfs_connectinfo ci;
1284
1285         memset(&ci, 0, sizeof(ci));
1286         ci.devnum = ps->dev->devnum;
1287         ci.slow = ps->dev->speed == USB_SPEED_LOW;
1288
1289         if (copy_to_user(arg, &ci, sizeof(ci)))
1290                 return -EFAULT;
1291         return 0;
1292 }
1293
1294 static int proc_conninfo_ex(struct usb_dev_state *ps,
1295                             void __user *arg, size_t size)
1296 {
1297         struct usbdevfs_conninfo_ex ci;
1298         struct usb_device *udev = ps->dev;
1299
1300         if (size < sizeof(ci.size))
1301                 return -EINVAL;
1302
1303         memset(&ci, 0, sizeof(ci));
1304         ci.size = sizeof(ci);
1305         ci.busnum = udev->bus->busnum;
1306         ci.devnum = udev->devnum;
1307         ci.speed = udev->speed;
1308
1309         while (udev && udev->portnum != 0) {
1310                 if (++ci.num_ports <= ARRAY_SIZE(ci.ports))
1311                         ci.ports[ARRAY_SIZE(ci.ports) - ci.num_ports] =
1312                                         udev->portnum;
1313                 udev = udev->parent;
1314         }
1315
1316         if (ci.num_ports < ARRAY_SIZE(ci.ports))
1317                 memmove(&ci.ports[0],
1318                         &ci.ports[ARRAY_SIZE(ci.ports) - ci.num_ports],
1319                         ci.num_ports);
1320
1321         if (copy_to_user(arg, &ci, min(sizeof(ci), size)))
1322                 return -EFAULT;
1323
1324         return 0;
1325 }
1326
1327 static int proc_resetdevice(struct usb_dev_state *ps)
1328 {
1329         struct usb_host_config *actconfig = ps->dev->actconfig;
1330         struct usb_interface *interface;
1331         int i, number;
1332
1333         /* Don't allow a device reset if the process has dropped the
1334          * privilege to do such things and any of the interfaces are
1335          * currently claimed.
1336          */
1337         if (ps->privileges_dropped && actconfig) {
1338                 for (i = 0; i < actconfig->desc.bNumInterfaces; ++i) {
1339                         interface = actconfig->interface[i];
1340                         number = interface->cur_altsetting->desc.bInterfaceNumber;
1341                         if (usb_interface_claimed(interface) &&
1342                                         !test_bit(number, &ps->ifclaimed)) {
1343                                 dev_warn(&ps->dev->dev,
1344                                         "usbfs: interface %d claimed by %s while '%s' resets device\n",
1345                                         number, interface->dev.driver->name, current->comm);
1346                                 return -EACCES;
1347                         }
1348                 }
1349         }
1350
1351         return usb_reset_device(ps->dev);
1352 }
1353
1354 static int proc_setintf(struct usb_dev_state *ps, void __user *arg)
1355 {
1356         struct usbdevfs_setinterface setintf;
1357         int ret;
1358
1359         if (copy_from_user(&setintf, arg, sizeof(setintf)))
1360                 return -EFAULT;
1361         ret = checkintf(ps, setintf.interface);
1362         if (ret)
1363                 return ret;
1364
1365         destroy_async_on_interface(ps, setintf.interface);
1366
1367         return usb_set_interface(ps->dev, setintf.interface,
1368                         setintf.altsetting);
1369 }
1370
1371 static int proc_setconfig(struct usb_dev_state *ps, void __user *arg)
1372 {
1373         int u;
1374         int status = 0;
1375         struct usb_host_config *actconfig;
1376
1377         if (get_user(u, (int __user *)arg))
1378                 return -EFAULT;
1379
1380         actconfig = ps->dev->actconfig;
1381
1382         /* Don't touch the device if any interfaces are claimed.
1383          * It could interfere with other drivers' operations, and if
1384          * an interface is claimed by usbfs it could easily deadlock.
1385          */
1386         if (actconfig) {
1387                 int i;
1388
1389                 for (i = 0; i < actconfig->desc.bNumInterfaces; ++i) {
1390                         if (usb_interface_claimed(actconfig->interface[i])) {
1391                                 dev_warn(&ps->dev->dev,
1392                                         "usbfs: interface %d claimed by %s "
1393                                         "while '%s' sets config #%d\n",
1394                                         actconfig->interface[i]
1395                                                 ->cur_altsetting
1396                                                 ->desc.bInterfaceNumber,
1397                                         actconfig->interface[i]
1398                                                 ->dev.driver->name,
1399                                         current->comm, u);
1400                                 status = -EBUSY;
1401                                 break;
1402                         }
1403                 }
1404         }
1405
1406         /* SET_CONFIGURATION is often abused as a "cheap" driver reset,
1407          * so avoid usb_set_configuration()'s kick to sysfs
1408          */
1409         if (status == 0) {
1410                 if (actconfig && actconfig->desc.bConfigurationValue == u)
1411                         status = usb_reset_configuration(ps->dev);
1412                 else
1413                         status = usb_set_configuration(ps->dev, u);
1414         }
1415
1416         return status;
1417 }
1418
1419 static struct usb_memory *
1420 find_memory_area(struct usb_dev_state *ps, const struct usbdevfs_urb *uurb)
1421 {
1422         struct usb_memory *usbm = NULL, *iter;
1423         unsigned long flags;
1424         unsigned long uurb_start = (unsigned long)uurb->buffer;
1425
1426         spin_lock_irqsave(&ps->lock, flags);
1427         list_for_each_entry(iter, &ps->memory_list, memlist) {
1428                 if (uurb_start >= iter->vm_start &&
1429                                 uurb_start < iter->vm_start + iter->size) {
1430                         if (uurb->buffer_length > iter->vm_start + iter->size -
1431                                         uurb_start) {
1432                                 usbm = ERR_PTR(-EINVAL);
1433                         } else {
1434                                 usbm = iter;
1435                                 usbm->urb_use_count++;
1436                         }
1437                         break;
1438                 }
1439         }
1440         spin_unlock_irqrestore(&ps->lock, flags);
1441         return usbm;
1442 }
1443
1444 static int proc_do_submiturb(struct usb_dev_state *ps, struct usbdevfs_urb *uurb,
1445                         struct usbdevfs_iso_packet_desc __user *iso_frame_desc,
1446                         void __user *arg, sigval_t userurb_sigval)
1447 {
1448         struct usbdevfs_iso_packet_desc *isopkt = NULL;
1449         struct usb_host_endpoint *ep;
1450         struct async *as = NULL;
1451         struct usb_ctrlrequest *dr = NULL;
1452         unsigned int u, totlen, isofrmlen;
1453         int i, ret, num_sgs = 0, ifnum = -1;
1454         int number_of_packets = 0;
1455         unsigned int stream_id = 0;
1456         void *buf;
1457         bool is_in;
1458         bool allow_short = false;
1459         bool allow_zero = false;
1460         unsigned long mask =    USBDEVFS_URB_SHORT_NOT_OK |
1461                                 USBDEVFS_URB_BULK_CONTINUATION |
1462                                 USBDEVFS_URB_NO_FSBR |
1463                                 USBDEVFS_URB_ZERO_PACKET |
1464                                 USBDEVFS_URB_NO_INTERRUPT;
1465         /* USBDEVFS_URB_ISO_ASAP is a special case */
1466         if (uurb->type == USBDEVFS_URB_TYPE_ISO)
1467                 mask |= USBDEVFS_URB_ISO_ASAP;
1468
1469         if (uurb->flags & ~mask)
1470                         return -EINVAL;
1471
1472         if ((unsigned int)uurb->buffer_length >= USBFS_XFER_MAX)
1473                 return -EINVAL;
1474         if (uurb->buffer_length > 0 && !uurb->buffer)
1475                 return -EINVAL;
1476         if (!(uurb->type == USBDEVFS_URB_TYPE_CONTROL &&
1477             (uurb->endpoint & ~USB_ENDPOINT_DIR_MASK) == 0)) {
1478                 ifnum = findintfep(ps->dev, uurb->endpoint);
1479                 if (ifnum < 0)
1480                         return ifnum;
1481                 ret = checkintf(ps, ifnum);
1482                 if (ret)
1483                         return ret;
1484         }
1485         ep = ep_to_host_endpoint(ps->dev, uurb->endpoint);
1486         if (!ep)
1487                 return -ENOENT;
1488         is_in = (uurb->endpoint & USB_ENDPOINT_DIR_MASK) != 0;
1489
1490         u = 0;
1491         switch (uurb->type) {
1492         case USBDEVFS_URB_TYPE_CONTROL:
1493                 if (!usb_endpoint_xfer_control(&ep->desc))
1494                         return -EINVAL;
1495                 /* min 8 byte setup packet */
1496                 if (uurb->buffer_length < 8)
1497                         return -EINVAL;
1498                 dr = kmalloc(sizeof(struct usb_ctrlrequest), GFP_KERNEL);
1499                 if (!dr)
1500                         return -ENOMEM;
1501                 if (copy_from_user(dr, uurb->buffer, 8)) {
1502                         ret = -EFAULT;
1503                         goto error;
1504                 }
1505                 if (uurb->buffer_length < (le16_to_cpu(dr->wLength) + 8)) {
1506                         ret = -EINVAL;
1507                         goto error;
1508                 }
1509                 ret = check_ctrlrecip(ps, dr->bRequestType, dr->bRequest,
1510                                       le16_to_cpu(dr->wIndex));
1511                 if (ret)
1512                         goto error;
1513                 uurb->buffer_length = le16_to_cpu(dr->wLength);
1514                 uurb->buffer += 8;
1515                 if ((dr->bRequestType & USB_DIR_IN) && uurb->buffer_length) {
1516                         is_in = 1;
1517                         uurb->endpoint |= USB_DIR_IN;
1518                 } else {
1519                         is_in = 0;
1520                         uurb->endpoint &= ~USB_DIR_IN;
1521                 }
1522                 if (is_in)
1523                         allow_short = true;
1524                 snoop(&ps->dev->dev, "control urb: bRequestType=%02x "
1525                         "bRequest=%02x wValue=%04x "
1526                         "wIndex=%04x wLength=%04x\n",
1527                         dr->bRequestType, dr->bRequest,
1528                         __le16_to_cpu(dr->wValue),
1529                         __le16_to_cpu(dr->wIndex),
1530                         __le16_to_cpu(dr->wLength));
1531                 u = sizeof(struct usb_ctrlrequest);
1532                 break;
1533
1534         case USBDEVFS_URB_TYPE_BULK:
1535                 if (!is_in)
1536                         allow_zero = true;
1537                 else
1538                         allow_short = true;
1539                 switch (usb_endpoint_type(&ep->desc)) {
1540                 case USB_ENDPOINT_XFER_CONTROL:
1541                 case USB_ENDPOINT_XFER_ISOC:
1542                         return -EINVAL;
1543                 case USB_ENDPOINT_XFER_INT:
1544                         /* allow single-shot interrupt transfers */
1545                         uurb->type = USBDEVFS_URB_TYPE_INTERRUPT;
1546                         goto interrupt_urb;
1547                 }
1548                 num_sgs = DIV_ROUND_UP(uurb->buffer_length, USB_SG_SIZE);
1549                 if (num_sgs == 1 || num_sgs > ps->dev->bus->sg_tablesize)
1550                         num_sgs = 0;
1551                 if (ep->streams)
1552                         stream_id = uurb->stream_id;
1553                 break;
1554
1555         case USBDEVFS_URB_TYPE_INTERRUPT:
1556                 if (!usb_endpoint_xfer_int(&ep->desc))
1557                         return -EINVAL;
1558  interrupt_urb:
1559                 if (!is_in)
1560                         allow_zero = true;
1561                 else
1562                         allow_short = true;
1563                 break;
1564
1565         case USBDEVFS_URB_TYPE_ISO:
1566                 /* arbitrary limit */
1567                 if (uurb->number_of_packets < 1 ||
1568                     uurb->number_of_packets > 128)
1569                         return -EINVAL;
1570                 if (!usb_endpoint_xfer_isoc(&ep->desc))
1571                         return -EINVAL;
1572                 number_of_packets = uurb->number_of_packets;
1573                 isofrmlen = sizeof(struct usbdevfs_iso_packet_desc) *
1574                                    number_of_packets;
1575                 isopkt = memdup_user(iso_frame_desc, isofrmlen);
1576                 if (IS_ERR(isopkt)) {
1577                         ret = PTR_ERR(isopkt);
1578                         isopkt = NULL;
1579                         goto error;
1580                 }
1581                 for (totlen = u = 0; u < number_of_packets; u++) {
1582                         /*
1583                          * arbitrary limit need for USB 3.1 Gen2
1584                          * sizemax: 96 DPs at SSP, 96 * 1024 = 98304
1585                          */
1586                         if (isopkt[u].length > 98304) {
1587                                 ret = -EINVAL;
1588                                 goto error;
1589                         }
1590                         totlen += isopkt[u].length;
1591                 }
1592                 u *= sizeof(struct usb_iso_packet_descriptor);
1593                 uurb->buffer_length = totlen;
1594                 break;
1595
1596         default:
1597                 return -EINVAL;
1598         }
1599
1600         if (uurb->buffer_length > 0 &&
1601                         !access_ok(uurb->buffer, uurb->buffer_length)) {
1602                 ret = -EFAULT;
1603                 goto error;
1604         }
1605         as = alloc_async(number_of_packets);
1606         if (!as) {
1607                 ret = -ENOMEM;
1608                 goto error;
1609         }
1610
1611         as->usbm = find_memory_area(ps, uurb);
1612         if (IS_ERR(as->usbm)) {
1613                 ret = PTR_ERR(as->usbm);
1614                 as->usbm = NULL;
1615                 goto error;
1616         }
1617
1618         /* do not use SG buffers when memory mapped segments
1619          * are in use
1620          */
1621         if (as->usbm)
1622                 num_sgs = 0;
1623
1624         u += sizeof(struct async) + sizeof(struct urb) + uurb->buffer_length +
1625              num_sgs * sizeof(struct scatterlist);
1626         ret = usbfs_increase_memory_usage(u);
1627         if (ret)
1628                 goto error;
1629         as->mem_usage = u;
1630
1631         if (num_sgs) {
1632                 as->urb->sg = kmalloc_array(num_sgs,
1633                                             sizeof(struct scatterlist),
1634                                             GFP_KERNEL);
1635                 if (!as->urb->sg) {
1636                         ret = -ENOMEM;
1637                         goto error;
1638                 }
1639                 as->urb->num_sgs = num_sgs;
1640                 sg_init_table(as->urb->sg, as->urb->num_sgs);
1641
1642                 totlen = uurb->buffer_length;
1643                 for (i = 0; i < as->urb->num_sgs; i++) {
1644                         u = (totlen > USB_SG_SIZE) ? USB_SG_SIZE : totlen;
1645                         buf = kmalloc(u, GFP_KERNEL);
1646                         if (!buf) {
1647                                 ret = -ENOMEM;
1648                                 goto error;
1649                         }
1650                         sg_set_buf(&as->urb->sg[i], buf, u);
1651
1652                         if (!is_in) {
1653                                 if (copy_from_user(buf, uurb->buffer, u)) {
1654                                         ret = -EFAULT;
1655                                         goto error;
1656                                 }
1657                                 uurb->buffer += u;
1658                         }
1659                         totlen -= u;
1660                 }
1661         } else if (uurb->buffer_length > 0) {
1662                 if (as->usbm) {
1663                         unsigned long uurb_start = (unsigned long)uurb->buffer;
1664
1665                         as->urb->transfer_buffer = as->usbm->mem +
1666                                         (uurb_start - as->usbm->vm_start);
1667                 } else {
1668                         as->urb->transfer_buffer = kmalloc(uurb->buffer_length,
1669                                         GFP_KERNEL);
1670                         if (!as->urb->transfer_buffer) {
1671                                 ret = -ENOMEM;
1672                                 goto error;
1673                         }
1674                         if (!is_in) {
1675                                 if (copy_from_user(as->urb->transfer_buffer,
1676                                                    uurb->buffer,
1677                                                    uurb->buffer_length)) {
1678                                         ret = -EFAULT;
1679                                         goto error;
1680                                 }
1681                         } else if (uurb->type == USBDEVFS_URB_TYPE_ISO) {
1682                                 /*
1683                                  * Isochronous input data may end up being
1684                                  * discontiguous if some of the packets are
1685                                  * short. Clear the buffer so that the gaps
1686                                  * don't leak kernel data to userspace.
1687                                  */
1688                                 memset(as->urb->transfer_buffer, 0,
1689                                                 uurb->buffer_length);
1690                         }
1691                 }
1692         }
1693         as->urb->dev = ps->dev;
1694         as->urb->pipe = (uurb->type << 30) |
1695                         __create_pipe(ps->dev, uurb->endpoint & 0xf) |
1696                         (uurb->endpoint & USB_DIR_IN);
1697
1698         /* This tedious sequence is necessary because the URB_* flags
1699          * are internal to the kernel and subject to change, whereas
1700          * the USBDEVFS_URB_* flags are a user API and must not be changed.
1701          */
1702         u = (is_in ? URB_DIR_IN : URB_DIR_OUT);
1703         if (uurb->flags & USBDEVFS_URB_ISO_ASAP)
1704                 u |= URB_ISO_ASAP;
1705         if (allow_short && uurb->flags & USBDEVFS_URB_SHORT_NOT_OK)
1706                 u |= URB_SHORT_NOT_OK;
1707         if (allow_zero && uurb->flags & USBDEVFS_URB_ZERO_PACKET)
1708                 u |= URB_ZERO_PACKET;
1709         if (uurb->flags & USBDEVFS_URB_NO_INTERRUPT)
1710                 u |= URB_NO_INTERRUPT;
1711         as->urb->transfer_flags = u;
1712
1713         if (!allow_short && uurb->flags & USBDEVFS_URB_SHORT_NOT_OK)
1714                 dev_warn(&ps->dev->dev, "Requested nonsensical USBDEVFS_URB_SHORT_NOT_OK.\n");
1715         if (!allow_zero && uurb->flags & USBDEVFS_URB_ZERO_PACKET)
1716                 dev_warn(&ps->dev->dev, "Requested nonsensical USBDEVFS_URB_ZERO_PACKET.\n");
1717
1718         as->urb->transfer_buffer_length = uurb->buffer_length;
1719         as->urb->setup_packet = (unsigned char *)dr;
1720         dr = NULL;
1721         as->urb->start_frame = uurb->start_frame;
1722         as->urb->number_of_packets = number_of_packets;
1723         as->urb->stream_id = stream_id;
1724
1725         if (ep->desc.bInterval) {
1726                 if (uurb->type == USBDEVFS_URB_TYPE_ISO ||
1727                                 ps->dev->speed == USB_SPEED_HIGH ||
1728                                 ps->dev->speed >= USB_SPEED_SUPER)
1729                         as->urb->interval = 1 <<
1730                                         min(15, ep->desc.bInterval - 1);
1731                 else
1732                         as->urb->interval = ep->desc.bInterval;
1733         }
1734
1735         as->urb->context = as;
1736         as->urb->complete = async_completed;
1737         for (totlen = u = 0; u < number_of_packets; u++) {
1738                 as->urb->iso_frame_desc[u].offset = totlen;
1739                 as->urb->iso_frame_desc[u].length = isopkt[u].length;
1740                 totlen += isopkt[u].length;
1741         }
1742         kfree(isopkt);
1743         isopkt = NULL;
1744         as->ps = ps;
1745         as->userurb = arg;
1746         as->userurb_sigval = userurb_sigval;
1747         if (as->usbm) {
1748                 unsigned long uurb_start = (unsigned long)uurb->buffer;
1749
1750                 as->urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP;
1751                 as->urb->transfer_dma = as->usbm->dma_handle +
1752                                 (uurb_start - as->usbm->vm_start);
1753         } else if (is_in && uurb->buffer_length > 0)
1754                 as->userbuffer = uurb->buffer;
1755         as->signr = uurb->signr;
1756         as->ifnum = ifnum;
1757         as->pid = get_pid(task_pid(current));
1758         as->cred = get_current_cred();
1759         snoop_urb(ps->dev, as->userurb, as->urb->pipe,
1760                         as->urb->transfer_buffer_length, 0, SUBMIT,
1761                         NULL, 0);
1762         if (!is_in)
1763                 snoop_urb_data(as->urb, as->urb->transfer_buffer_length);
1764
1765         async_newpending(as);
1766
1767         if (usb_endpoint_xfer_bulk(&ep->desc)) {
1768                 spin_lock_irq(&ps->lock);
1769
1770                 /* Not exactly the endpoint address; the direction bit is
1771                  * shifted to the 0x10 position so that the value will be
1772                  * between 0 and 31.
1773                  */
1774                 as->bulk_addr = usb_endpoint_num(&ep->desc) |
1775                         ((ep->desc.bEndpointAddress & USB_ENDPOINT_DIR_MASK)
1776                                 >> 3);
1777
1778                 /* If this bulk URB is the start of a new transfer, re-enable
1779                  * the endpoint.  Otherwise mark it as a continuation URB.
1780                  */
1781                 if (uurb->flags & USBDEVFS_URB_BULK_CONTINUATION)
1782                         as->bulk_status = AS_CONTINUATION;
1783                 else
1784                         ps->disabled_bulk_eps &= ~(1 << as->bulk_addr);
1785
1786                 /* Don't accept continuation URBs if the endpoint is
1787                  * disabled because of an earlier error.
1788                  */
1789                 if (ps->disabled_bulk_eps & (1 << as->bulk_addr))
1790                         ret = -EREMOTEIO;
1791                 else
1792                         ret = usb_submit_urb(as->urb, GFP_ATOMIC);
1793                 spin_unlock_irq(&ps->lock);
1794         } else {
1795                 ret = usb_submit_urb(as->urb, GFP_KERNEL);
1796         }
1797
1798         if (ret) {
1799                 dev_printk(KERN_DEBUG, &ps->dev->dev,
1800                            "usbfs: usb_submit_urb returned %d\n", ret);
1801                 snoop_urb(ps->dev, as->userurb, as->urb->pipe,
1802                                 0, ret, COMPLETE, NULL, 0);
1803                 async_removepending(as);
1804                 goto error;
1805         }
1806         return 0;
1807
1808  error:
1809         kfree(isopkt);
1810         kfree(dr);
1811         if (as)
1812                 free_async(as);
1813         return ret;
1814 }
1815
1816 static int proc_submiturb(struct usb_dev_state *ps, void __user *arg)
1817 {
1818         struct usbdevfs_urb uurb;
1819         sigval_t userurb_sigval;
1820
1821         if (copy_from_user(&uurb, arg, sizeof(uurb)))
1822                 return -EFAULT;
1823
1824         memset(&userurb_sigval, 0, sizeof(userurb_sigval));
1825         userurb_sigval.sival_ptr = arg;
1826
1827         return proc_do_submiturb(ps, &uurb,
1828                         (((struct usbdevfs_urb __user *)arg)->iso_frame_desc),
1829                         arg, userurb_sigval);
1830 }
1831
1832 static int proc_unlinkurb(struct usb_dev_state *ps, void __user *arg)
1833 {
1834         struct urb *urb;
1835         struct async *as;
1836         unsigned long flags;
1837
1838         spin_lock_irqsave(&ps->lock, flags);
1839         as = async_getpending(ps, arg);
1840         if (!as) {
1841                 spin_unlock_irqrestore(&ps->lock, flags);
1842                 return -EINVAL;
1843         }
1844
1845         urb = as->urb;
1846         usb_get_urb(urb);
1847         spin_unlock_irqrestore(&ps->lock, flags);
1848
1849         usb_kill_urb(urb);
1850         usb_put_urb(urb);
1851
1852         return 0;
1853 }
1854
1855 static void compute_isochronous_actual_length(struct urb *urb)
1856 {
1857         unsigned int i;
1858
1859         if (urb->number_of_packets > 0) {
1860                 urb->actual_length = 0;
1861                 for (i = 0; i < urb->number_of_packets; i++)
1862                         urb->actual_length +=
1863                                         urb->iso_frame_desc[i].actual_length;
1864         }
1865 }
1866
1867 static int processcompl(struct async *as, void __user * __user *arg)
1868 {
1869         struct urb *urb = as->urb;
1870         struct usbdevfs_urb __user *userurb = as->userurb;
1871         void __user *addr = as->userurb;
1872         unsigned int i;
1873
1874         compute_isochronous_actual_length(urb);
1875         if (as->userbuffer && urb->actual_length) {
1876                 if (copy_urb_data_to_user(as->userbuffer, urb))
1877                         goto err_out;
1878         }
1879         if (put_user(as->status, &userurb->status))
1880                 goto err_out;
1881         if (put_user(urb->actual_length, &userurb->actual_length))
1882                 goto err_out;
1883         if (put_user(urb->error_count, &userurb->error_count))
1884                 goto err_out;
1885
1886         if (usb_endpoint_xfer_isoc(&urb->ep->desc)) {
1887                 for (i = 0; i < urb->number_of_packets; i++) {
1888                         if (put_user(urb->iso_frame_desc[i].actual_length,
1889                                      &userurb->iso_frame_desc[i].actual_length))
1890                                 goto err_out;
1891                         if (put_user(urb->iso_frame_desc[i].status,
1892                                      &userurb->iso_frame_desc[i].status))
1893                                 goto err_out;
1894                 }
1895         }
1896
1897         if (put_user(addr, (void __user * __user *)arg))
1898                 return -EFAULT;
1899         return 0;
1900
1901 err_out:
1902         return -EFAULT;
1903 }
1904
1905 static struct async *reap_as(struct usb_dev_state *ps)
1906 {
1907         DECLARE_WAITQUEUE(wait, current);
1908         struct async *as = NULL;
1909         struct usb_device *dev = ps->dev;
1910
1911         add_wait_queue(&ps->wait, &wait);
1912         for (;;) {
1913                 __set_current_state(TASK_INTERRUPTIBLE);
1914                 as = async_getcompleted(ps);
1915                 if (as || !connected(ps))
1916                         break;
1917                 if (signal_pending(current))
1918                         break;
1919                 usb_unlock_device(dev);
1920                 schedule();
1921                 usb_lock_device(dev);
1922         }
1923         remove_wait_queue(&ps->wait, &wait);
1924         set_current_state(TASK_RUNNING);
1925         return as;
1926 }
1927
1928 static int proc_reapurb(struct usb_dev_state *ps, void __user *arg)
1929 {
1930         struct async *as = reap_as(ps);
1931
1932         if (as) {
1933                 int retval;
1934
1935                 snoop(&ps->dev->dev, "reap %pK\n", as->userurb);
1936                 retval = processcompl(as, (void __user * __user *)arg);
1937                 free_async(as);
1938                 return retval;
1939         }
1940         if (signal_pending(current))
1941                 return -EINTR;
1942         return -ENODEV;
1943 }
1944
1945 static int proc_reapurbnonblock(struct usb_dev_state *ps, void __user *arg)
1946 {
1947         int retval;
1948         struct async *as;
1949
1950         as = async_getcompleted(ps);
1951         if (as) {
1952                 snoop(&ps->dev->dev, "reap %pK\n", as->userurb);
1953                 retval = processcompl(as, (void __user * __user *)arg);
1954                 free_async(as);
1955         } else {
1956                 retval = (connected(ps) ? -EAGAIN : -ENODEV);
1957         }
1958         return retval;
1959 }
1960
1961 #ifdef CONFIG_COMPAT
1962 static int proc_control_compat(struct usb_dev_state *ps,
1963                                 struct usbdevfs_ctrltransfer32 __user *p32)
1964 {
1965         struct usbdevfs_ctrltransfer __user *p;
1966         __u32 udata;
1967         p = compat_alloc_user_space(sizeof(*p));
1968         if (copy_in_user(p, p32, (sizeof(*p32) - sizeof(compat_caddr_t))) ||
1969             get_user(udata, &p32->data) ||
1970             put_user(compat_ptr(udata), &p->data))
1971                 return -EFAULT;
1972         return proc_control(ps, p);
1973 }
1974
1975 static int proc_bulk_compat(struct usb_dev_state *ps,
1976                         struct usbdevfs_bulktransfer32 __user *p32)
1977 {
1978         struct usbdevfs_bulktransfer __user *p;
1979         compat_uint_t n;
1980         compat_caddr_t addr;
1981
1982         p = compat_alloc_user_space(sizeof(*p));
1983
1984         if (get_user(n, &p32->ep) || put_user(n, &p->ep) ||
1985             get_user(n, &p32->len) || put_user(n, &p->len) ||
1986             get_user(n, &p32->timeout) || put_user(n, &p->timeout) ||
1987             get_user(addr, &p32->data) || put_user(compat_ptr(addr), &p->data))
1988                 return -EFAULT;
1989
1990         return proc_bulk(ps, p);
1991 }
1992 static int proc_disconnectsignal_compat(struct usb_dev_state *ps, void __user *arg)
1993 {
1994         struct usbdevfs_disconnectsignal32 ds;
1995
1996         if (copy_from_user(&ds, arg, sizeof(ds)))
1997                 return -EFAULT;
1998         ps->discsignr = ds.signr;
1999         ps->disccontext.sival_int = ds.context;
2000         return 0;
2001 }
2002
2003 static int get_urb32(struct usbdevfs_urb *kurb,
2004                      struct usbdevfs_urb32 __user *uurb)
2005 {
2006         struct usbdevfs_urb32 urb32;
2007         if (copy_from_user(&urb32, uurb, sizeof(*uurb)))
2008                 return -EFAULT;
2009         kurb->type = urb32.type;
2010         kurb->endpoint = urb32.endpoint;
2011         kurb->status = urb32.status;
2012         kurb->flags = urb32.flags;
2013         kurb->buffer = compat_ptr(urb32.buffer);
2014         kurb->buffer_length = urb32.buffer_length;
2015         kurb->actual_length = urb32.actual_length;
2016         kurb->start_frame = urb32.start_frame;
2017         kurb->number_of_packets = urb32.number_of_packets;
2018         kurb->error_count = urb32.error_count;
2019         kurb->signr = urb32.signr;
2020         kurb->usercontext = compat_ptr(urb32.usercontext);
2021         return 0;
2022 }
2023
2024 static int proc_submiturb_compat(struct usb_dev_state *ps, void __user *arg)
2025 {
2026         struct usbdevfs_urb uurb;
2027         sigval_t userurb_sigval;
2028
2029         if (get_urb32(&uurb, (struct usbdevfs_urb32 __user *)arg))
2030                 return -EFAULT;
2031
2032         memset(&userurb_sigval, 0, sizeof(userurb_sigval));
2033         userurb_sigval.sival_int = ptr_to_compat(arg);
2034
2035         return proc_do_submiturb(ps, &uurb,
2036                         ((struct usbdevfs_urb32 __user *)arg)->iso_frame_desc,
2037                         arg, userurb_sigval);
2038 }
2039
2040 static int processcompl_compat(struct async *as, void __user * __user *arg)
2041 {
2042         struct urb *urb = as->urb;
2043         struct usbdevfs_urb32 __user *userurb = as->userurb;
2044         void __user *addr = as->userurb;
2045         unsigned int i;
2046
2047         compute_isochronous_actual_length(urb);
2048         if (as->userbuffer && urb->actual_length) {
2049                 if (copy_urb_data_to_user(as->userbuffer, urb))
2050                         return -EFAULT;
2051         }
2052         if (put_user(as->status, &userurb->status))
2053                 return -EFAULT;
2054         if (put_user(urb->actual_length, &userurb->actual_length))
2055                 return -EFAULT;
2056         if (put_user(urb->error_count, &userurb->error_count))
2057                 return -EFAULT;
2058
2059         if (usb_endpoint_xfer_isoc(&urb->ep->desc)) {
2060                 for (i = 0; i < urb->number_of_packets; i++) {
2061                         if (put_user(urb->iso_frame_desc[i].actual_length,
2062                                      &userurb->iso_frame_desc[i].actual_length))
2063                                 return -EFAULT;
2064                         if (put_user(urb->iso_frame_desc[i].status,
2065                                      &userurb->iso_frame_desc[i].status))
2066                                 return -EFAULT;
2067                 }
2068         }
2069
2070         if (put_user(ptr_to_compat(addr), (u32 __user *)arg))
2071                 return -EFAULT;
2072         return 0;
2073 }
2074
2075 static int proc_reapurb_compat(struct usb_dev_state *ps, void __user *arg)
2076 {
2077         struct async *as = reap_as(ps);
2078
2079         if (as) {
2080                 int retval;
2081
2082                 snoop(&ps->dev->dev, "reap %pK\n", as->userurb);
2083                 retval = processcompl_compat(as, (void __user * __user *)arg);
2084                 free_async(as);
2085                 return retval;
2086         }
2087         if (signal_pending(current))
2088                 return -EINTR;
2089         return -ENODEV;
2090 }
2091
2092 static int proc_reapurbnonblock_compat(struct usb_dev_state *ps, void __user *arg)
2093 {
2094         int retval;
2095         struct async *as;
2096
2097         as = async_getcompleted(ps);
2098         if (as) {
2099                 snoop(&ps->dev->dev, "reap %pK\n", as->userurb);
2100                 retval = processcompl_compat(as, (void __user * __user *)arg);
2101                 free_async(as);
2102         } else {
2103                 retval = (connected(ps) ? -EAGAIN : -ENODEV);
2104         }
2105         return retval;
2106 }
2107
2108
2109 #endif
2110
2111 static int proc_disconnectsignal(struct usb_dev_state *ps, void __user *arg)
2112 {
2113         struct usbdevfs_disconnectsignal ds;
2114
2115         if (copy_from_user(&ds, arg, sizeof(ds)))
2116                 return -EFAULT;
2117         ps->discsignr = ds.signr;
2118         ps->disccontext.sival_ptr = ds.context;
2119         return 0;
2120 }
2121
2122 static int proc_claiminterface(struct usb_dev_state *ps, void __user *arg)
2123 {
2124         unsigned int ifnum;
2125
2126         if (get_user(ifnum, (unsigned int __user *)arg))
2127                 return -EFAULT;
2128         return claimintf(ps, ifnum);
2129 }
2130
2131 static int proc_releaseinterface(struct usb_dev_state *ps, void __user *arg)
2132 {
2133         unsigned int ifnum;
2134         int ret;
2135
2136         if (get_user(ifnum, (unsigned int __user *)arg))
2137                 return -EFAULT;
2138         ret = releaseintf(ps, ifnum);
2139         if (ret < 0)
2140                 return ret;
2141         destroy_async_on_interface(ps, ifnum);
2142         return 0;
2143 }
2144
2145 static int proc_ioctl(struct usb_dev_state *ps, struct usbdevfs_ioctl *ctl)
2146 {
2147         int                     size;
2148         void                    *buf = NULL;
2149         int                     retval = 0;
2150         struct usb_interface    *intf = NULL;
2151         struct usb_driver       *driver = NULL;
2152
2153         if (ps->privileges_dropped)
2154                 return -EACCES;
2155
2156         if (!connected(ps))
2157                 return -ENODEV;
2158
2159         /* alloc buffer */
2160         size = _IOC_SIZE(ctl->ioctl_code);
2161         if (size > 0) {
2162                 buf = kmalloc(size, GFP_KERNEL);
2163                 if (buf == NULL)
2164                         return -ENOMEM;
2165                 if ((_IOC_DIR(ctl->ioctl_code) & _IOC_WRITE)) {
2166                         if (copy_from_user(buf, ctl->data, size)) {
2167                                 kfree(buf);
2168                                 return -EFAULT;
2169                         }
2170                 } else {
2171                         memset(buf, 0, size);
2172                 }
2173         }
2174
2175         if (ps->dev->state != USB_STATE_CONFIGURED)
2176                 retval = -EHOSTUNREACH;
2177         else if (!(intf = usb_ifnum_to_if(ps->dev, ctl->ifno)))
2178                 retval = -EINVAL;
2179         else switch (ctl->ioctl_code) {
2180
2181         /* disconnect kernel driver from interface */
2182         case USBDEVFS_DISCONNECT:
2183                 if (intf->dev.driver) {
2184                         driver = to_usb_driver(intf->dev.driver);
2185                         dev_dbg(&intf->dev, "disconnect by usbfs\n");
2186                         usb_driver_release_interface(driver, intf);
2187                 } else
2188                         retval = -ENODATA;
2189                 break;
2190
2191         /* let kernel drivers try to (re)bind to the interface */
2192         case USBDEVFS_CONNECT:
2193                 if (!intf->dev.driver)
2194                         retval = device_attach(&intf->dev);
2195                 else
2196                         retval = -EBUSY;
2197                 break;
2198
2199         /* talk directly to the interface's driver */
2200         default:
2201                 if (intf->dev.driver)
2202                         driver = to_usb_driver(intf->dev.driver);
2203                 if (driver == NULL || driver->unlocked_ioctl == NULL) {
2204                         retval = -ENOTTY;
2205                 } else {
2206                         retval = driver->unlocked_ioctl(intf, ctl->ioctl_code, buf);
2207                         if (retval == -ENOIOCTLCMD)
2208                                 retval = -ENOTTY;
2209                 }
2210         }
2211
2212         /* cleanup and return */
2213         if (retval >= 0
2214                         && (_IOC_DIR(ctl->ioctl_code) & _IOC_READ) != 0
2215                         && size > 0
2216                         && copy_to_user(ctl->data, buf, size) != 0)
2217                 retval = -EFAULT;
2218
2219         kfree(buf);
2220         return retval;
2221 }
2222
2223 static int proc_ioctl_default(struct usb_dev_state *ps, void __user *arg)
2224 {
2225         struct usbdevfs_ioctl   ctrl;
2226
2227         if (copy_from_user(&ctrl, arg, sizeof(ctrl)))
2228                 return -EFAULT;
2229         return proc_ioctl(ps, &ctrl);
2230 }
2231
2232 #ifdef CONFIG_COMPAT
2233 static int proc_ioctl_compat(struct usb_dev_state *ps, compat_uptr_t arg)
2234 {
2235         struct usbdevfs_ioctl32 ioc32;
2236         struct usbdevfs_ioctl ctrl;
2237
2238         if (copy_from_user(&ioc32, compat_ptr(arg), sizeof(ioc32)))
2239                 return -EFAULT;
2240         ctrl.ifno = ioc32.ifno;
2241         ctrl.ioctl_code = ioc32.ioctl_code;
2242         ctrl.data = compat_ptr(ioc32.data);
2243         return proc_ioctl(ps, &ctrl);
2244 }
2245 #endif
2246
2247 static int proc_claim_port(struct usb_dev_state *ps, void __user *arg)
2248 {
2249         unsigned portnum;
2250         int rc;
2251
2252         if (get_user(portnum, (unsigned __user *) arg))
2253                 return -EFAULT;
2254         rc = usb_hub_claim_port(ps->dev, portnum, ps);
2255         if (rc == 0)
2256                 snoop(&ps->dev->dev, "port %d claimed by process %d: %s\n",
2257                         portnum, task_pid_nr(current), current->comm);
2258         return rc;
2259 }
2260
2261 static int proc_release_port(struct usb_dev_state *ps, void __user *arg)
2262 {
2263         unsigned portnum;
2264
2265         if (get_user(portnum, (unsigned __user *) arg))
2266                 return -EFAULT;
2267         return usb_hub_release_port(ps->dev, portnum, ps);
2268 }
2269
2270 static int proc_get_capabilities(struct usb_dev_state *ps, void __user *arg)
2271 {
2272         __u32 caps;
2273
2274         caps = USBDEVFS_CAP_ZERO_PACKET | USBDEVFS_CAP_NO_PACKET_SIZE_LIM |
2275                         USBDEVFS_CAP_REAP_AFTER_DISCONNECT | USBDEVFS_CAP_MMAP |
2276                         USBDEVFS_CAP_DROP_PRIVILEGES | USBDEVFS_CAP_CONNINFO_EX;
2277         if (!ps->dev->bus->no_stop_on_short)
2278                 caps |= USBDEVFS_CAP_BULK_CONTINUATION;
2279         if (ps->dev->bus->sg_tablesize)
2280                 caps |= USBDEVFS_CAP_BULK_SCATTER_GATHER;
2281
2282         if (put_user(caps, (__u32 __user *)arg))
2283                 return -EFAULT;
2284
2285         return 0;
2286 }
2287
2288 static int proc_disconnect_claim(struct usb_dev_state *ps, void __user *arg)
2289 {
2290         struct usbdevfs_disconnect_claim dc;
2291         struct usb_interface *intf;
2292
2293         if (copy_from_user(&dc, arg, sizeof(dc)))
2294                 return -EFAULT;
2295
2296         intf = usb_ifnum_to_if(ps->dev, dc.interface);
2297         if (!intf)
2298                 return -EINVAL;
2299
2300         if (intf->dev.driver) {
2301                 struct usb_driver *driver = to_usb_driver(intf->dev.driver);
2302
2303                 if (ps->privileges_dropped)
2304                         return -EACCES;
2305
2306                 if ((dc.flags & USBDEVFS_DISCONNECT_CLAIM_IF_DRIVER) &&
2307                                 strncmp(dc.driver, intf->dev.driver->name,
2308                                         sizeof(dc.driver)) != 0)
2309                         return -EBUSY;
2310
2311                 if ((dc.flags & USBDEVFS_DISCONNECT_CLAIM_EXCEPT_DRIVER) &&
2312                                 strncmp(dc.driver, intf->dev.driver->name,
2313                                         sizeof(dc.driver)) == 0)
2314                         return -EBUSY;
2315
2316                 dev_dbg(&intf->dev, "disconnect by usbfs\n");
2317                 usb_driver_release_interface(driver, intf);
2318         }
2319
2320         return claimintf(ps, dc.interface);
2321 }
2322
2323 static int proc_alloc_streams(struct usb_dev_state *ps, void __user *arg)
2324 {
2325         unsigned num_streams, num_eps;
2326         struct usb_host_endpoint **eps;
2327         struct usb_interface *intf;
2328         int r;
2329
2330         r = parse_usbdevfs_streams(ps, arg, &num_streams, &num_eps,
2331                                    &eps, &intf);
2332         if (r)
2333                 return r;
2334
2335         destroy_async_on_interface(ps,
2336                                    intf->altsetting[0].desc.bInterfaceNumber);
2337
2338         r = usb_alloc_streams(intf, eps, num_eps, num_streams, GFP_KERNEL);
2339         kfree(eps);
2340         return r;
2341 }
2342
2343 static int proc_free_streams(struct usb_dev_state *ps, void __user *arg)
2344 {
2345         unsigned num_eps;
2346         struct usb_host_endpoint **eps;
2347         struct usb_interface *intf;
2348         int r;
2349
2350         r = parse_usbdevfs_streams(ps, arg, NULL, &num_eps, &eps, &intf);
2351         if (r)
2352                 return r;
2353
2354         destroy_async_on_interface(ps,
2355                                    intf->altsetting[0].desc.bInterfaceNumber);
2356
2357         r = usb_free_streams(intf, eps, num_eps, GFP_KERNEL);
2358         kfree(eps);
2359         return r;
2360 }
2361
2362 static int proc_drop_privileges(struct usb_dev_state *ps, void __user *arg)
2363 {
2364         u32 data;
2365
2366         if (copy_from_user(&data, arg, sizeof(data)))
2367                 return -EFAULT;
2368
2369         /* This is a one way operation. Once privileges are
2370          * dropped, you cannot regain them. You may however reissue
2371          * this ioctl to shrink the allowed interfaces mask.
2372          */
2373         ps->interface_allowed_mask &= data;
2374         ps->privileges_dropped = true;
2375
2376         return 0;
2377 }
2378
2379 /*
2380  * NOTE:  All requests here that have interface numbers as parameters
2381  * are assuming that somehow the configuration has been prevented from
2382  * changing.  But there's no mechanism to ensure that...
2383  */
2384 static long usbdev_do_ioctl(struct file *file, unsigned int cmd,
2385                                 void __user *p)
2386 {
2387         struct usb_dev_state *ps = file->private_data;
2388         struct inode *inode = file_inode(file);
2389         struct usb_device *dev = ps->dev;
2390         int ret = -ENOTTY;
2391
2392         if (!(file->f_mode & FMODE_WRITE))
2393                 return -EPERM;
2394
2395         usb_lock_device(dev);
2396
2397         /* Reap operations are allowed even after disconnection */
2398         switch (cmd) {
2399         case USBDEVFS_REAPURB:
2400                 snoop(&dev->dev, "%s: REAPURB\n", __func__);
2401                 ret = proc_reapurb(ps, p);
2402                 goto done;
2403
2404         case USBDEVFS_REAPURBNDELAY:
2405                 snoop(&dev->dev, "%s: REAPURBNDELAY\n", __func__);
2406                 ret = proc_reapurbnonblock(ps, p);
2407                 goto done;
2408
2409 #ifdef CONFIG_COMPAT
2410         case USBDEVFS_REAPURB32:
2411                 snoop(&dev->dev, "%s: REAPURB32\n", __func__);
2412                 ret = proc_reapurb_compat(ps, p);
2413                 goto done;
2414
2415         case USBDEVFS_REAPURBNDELAY32:
2416                 snoop(&dev->dev, "%s: REAPURBNDELAY32\n", __func__);
2417                 ret = proc_reapurbnonblock_compat(ps, p);
2418                 goto done;
2419 #endif
2420         }
2421
2422         if (!connected(ps)) {
2423                 usb_unlock_device(dev);
2424                 return -ENODEV;
2425         }
2426
2427         switch (cmd) {
2428         case USBDEVFS_CONTROL:
2429                 snoop(&dev->dev, "%s: CONTROL\n", __func__);
2430                 ret = proc_control(ps, p);
2431                 if (ret >= 0)
2432                         inode->i_mtime = current_time(inode);
2433                 break;
2434
2435         case USBDEVFS_BULK:
2436                 snoop(&dev->dev, "%s: BULK\n", __func__);
2437                 ret = proc_bulk(ps, p);
2438                 if (ret >= 0)
2439                         inode->i_mtime = current_time(inode);
2440                 break;
2441
2442         case USBDEVFS_RESETEP:
2443                 snoop(&dev->dev, "%s: RESETEP\n", __func__);
2444                 ret = proc_resetep(ps, p);
2445                 if (ret >= 0)
2446                         inode->i_mtime = current_time(inode);
2447                 break;
2448
2449         case USBDEVFS_RESET:
2450                 snoop(&dev->dev, "%s: RESET\n", __func__);
2451                 ret = proc_resetdevice(ps);
2452                 break;
2453
2454         case USBDEVFS_CLEAR_HALT:
2455                 snoop(&dev->dev, "%s: CLEAR_HALT\n", __func__);
2456                 ret = proc_clearhalt(ps, p);
2457                 if (ret >= 0)
2458                         inode->i_mtime = current_time(inode);
2459                 break;
2460
2461         case USBDEVFS_GETDRIVER:
2462                 snoop(&dev->dev, "%s: GETDRIVER\n", __func__);
2463                 ret = proc_getdriver(ps, p);
2464                 break;
2465
2466         case USBDEVFS_CONNECTINFO:
2467                 snoop(&dev->dev, "%s: CONNECTINFO\n", __func__);
2468                 ret = proc_connectinfo(ps, p);
2469                 break;
2470
2471         case USBDEVFS_SETINTERFACE:
2472                 snoop(&dev->dev, "%s: SETINTERFACE\n", __func__);
2473                 ret = proc_setintf(ps, p);
2474                 break;
2475
2476         case USBDEVFS_SETCONFIGURATION:
2477                 snoop(&dev->dev, "%s: SETCONFIGURATION\n", __func__);
2478                 ret = proc_setconfig(ps, p);
2479                 break;
2480
2481         case USBDEVFS_SUBMITURB:
2482                 snoop(&dev->dev, "%s: SUBMITURB\n", __func__);
2483                 ret = proc_submiturb(ps, p);
2484                 if (ret >= 0)
2485                         inode->i_mtime = current_time(inode);
2486                 break;
2487
2488 #ifdef CONFIG_COMPAT
2489         case USBDEVFS_CONTROL32:
2490                 snoop(&dev->dev, "%s: CONTROL32\n", __func__);
2491                 ret = proc_control_compat(ps, p);
2492                 if (ret >= 0)
2493                         inode->i_mtime = current_time(inode);
2494                 break;
2495
2496         case USBDEVFS_BULK32:
2497                 snoop(&dev->dev, "%s: BULK32\n", __func__);
2498                 ret = proc_bulk_compat(ps, p);
2499                 if (ret >= 0)
2500                         inode->i_mtime = current_time(inode);
2501                 break;
2502
2503         case USBDEVFS_DISCSIGNAL32:
2504                 snoop(&dev->dev, "%s: DISCSIGNAL32\n", __func__);
2505                 ret = proc_disconnectsignal_compat(ps, p);
2506                 break;
2507
2508         case USBDEVFS_SUBMITURB32:
2509                 snoop(&dev->dev, "%s: SUBMITURB32\n", __func__);
2510                 ret = proc_submiturb_compat(ps, p);
2511                 if (ret >= 0)
2512                         inode->i_mtime = current_time(inode);
2513                 break;
2514
2515         case USBDEVFS_IOCTL32:
2516                 snoop(&dev->dev, "%s: IOCTL32\n", __func__);
2517                 ret = proc_ioctl_compat(ps, ptr_to_compat(p));
2518                 break;
2519 #endif
2520
2521         case USBDEVFS_DISCARDURB:
2522                 snoop(&dev->dev, "%s: DISCARDURB %pK\n", __func__, p);
2523                 ret = proc_unlinkurb(ps, p);
2524                 break;
2525
2526         case USBDEVFS_DISCSIGNAL:
2527                 snoop(&dev->dev, "%s: DISCSIGNAL\n", __func__);
2528                 ret = proc_disconnectsignal(ps, p);
2529                 break;
2530
2531         case USBDEVFS_CLAIMINTERFACE:
2532                 snoop(&dev->dev, "%s: CLAIMINTERFACE\n", __func__);
2533                 ret = proc_claiminterface(ps, p);
2534                 break;
2535
2536         case USBDEVFS_RELEASEINTERFACE:
2537                 snoop(&dev->dev, "%s: RELEASEINTERFACE\n", __func__);
2538                 ret = proc_releaseinterface(ps, p);
2539                 break;
2540
2541         case USBDEVFS_IOCTL:
2542                 snoop(&dev->dev, "%s: IOCTL\n", __func__);
2543                 ret = proc_ioctl_default(ps, p);
2544                 break;
2545
2546         case USBDEVFS_CLAIM_PORT:
2547                 snoop(&dev->dev, "%s: CLAIM_PORT\n", __func__);
2548                 ret = proc_claim_port(ps, p);
2549                 break;
2550
2551         case USBDEVFS_RELEASE_PORT:
2552                 snoop(&dev->dev, "%s: RELEASE_PORT\n", __func__);
2553                 ret = proc_release_port(ps, p);
2554                 break;
2555         case USBDEVFS_GET_CAPABILITIES:
2556                 ret = proc_get_capabilities(ps, p);
2557                 break;
2558         case USBDEVFS_DISCONNECT_CLAIM:
2559                 ret = proc_disconnect_claim(ps, p);
2560                 break;
2561         case USBDEVFS_ALLOC_STREAMS:
2562                 ret = proc_alloc_streams(ps, p);
2563                 break;
2564         case USBDEVFS_FREE_STREAMS:
2565                 ret = proc_free_streams(ps, p);
2566                 break;
2567         case USBDEVFS_DROP_PRIVILEGES:
2568                 ret = proc_drop_privileges(ps, p);
2569                 break;
2570         case USBDEVFS_GET_SPEED:
2571                 ret = ps->dev->speed;
2572                 break;
2573         }
2574
2575         /* Handle variable-length commands */
2576         switch (cmd & ~IOCSIZE_MASK) {
2577         case USBDEVFS_CONNINFO_EX(0):
2578                 ret = proc_conninfo_ex(ps, p, _IOC_SIZE(cmd));
2579                 break;
2580         }
2581
2582  done:
2583         usb_unlock_device(dev);
2584         if (ret >= 0)
2585                 inode->i_atime = current_time(inode);
2586         return ret;
2587 }
2588
2589 static long usbdev_ioctl(struct file *file, unsigned int cmd,
2590                         unsigned long arg)
2591 {
2592         int ret;
2593
2594         ret = usbdev_do_ioctl(file, cmd, (void __user *)arg);
2595
2596         return ret;
2597 }
2598
2599 #ifdef CONFIG_COMPAT
2600 static long usbdev_compat_ioctl(struct file *file, unsigned int cmd,
2601                         unsigned long arg)
2602 {
2603         int ret;
2604
2605         ret = usbdev_do_ioctl(file, cmd, compat_ptr(arg));
2606
2607         return ret;
2608 }
2609 #endif
2610
2611 /* No kernel lock - fine */
2612 static __poll_t usbdev_poll(struct file *file,
2613                                 struct poll_table_struct *wait)
2614 {
2615         struct usb_dev_state *ps = file->private_data;
2616         __poll_t mask = 0;
2617
2618         poll_wait(file, &ps->wait, wait);
2619         if (file->f_mode & FMODE_WRITE && !list_empty(&ps->async_completed))
2620                 mask |= EPOLLOUT | EPOLLWRNORM;
2621         if (!connected(ps))
2622                 mask |= EPOLLHUP;
2623         if (list_empty(&ps->list))
2624                 mask |= EPOLLERR;
2625         return mask;
2626 }
2627
2628 const struct file_operations usbdev_file_operations = {
2629         .owner =          THIS_MODULE,
2630         .llseek =         no_seek_end_llseek,
2631         .read =           usbdev_read,
2632         .poll =           usbdev_poll,
2633         .unlocked_ioctl = usbdev_ioctl,
2634 #ifdef CONFIG_COMPAT
2635         .compat_ioctl =   usbdev_compat_ioctl,
2636 #endif
2637         .mmap =           usbdev_mmap,
2638         .open =           usbdev_open,
2639         .release =        usbdev_release,
2640 };
2641
2642 static void usbdev_remove(struct usb_device *udev)
2643 {
2644         struct usb_dev_state *ps;
2645
2646         while (!list_empty(&udev->filelist)) {
2647                 ps = list_entry(udev->filelist.next, struct usb_dev_state, list);
2648                 destroy_all_async(ps);
2649                 wake_up_all(&ps->wait);
2650                 list_del_init(&ps->list);
2651                 if (ps->discsignr)
2652                         kill_pid_usb_asyncio(ps->discsignr, EPIPE, ps->disccontext,
2653                                              ps->disc_pid, ps->cred);
2654         }
2655 }
2656
2657 static int usbdev_notify(struct notifier_block *self,
2658                                unsigned long action, void *dev)
2659 {
2660         switch (action) {
2661         case USB_DEVICE_ADD:
2662                 break;
2663         case USB_DEVICE_REMOVE:
2664                 usbdev_remove(dev);
2665                 break;
2666         }
2667         return NOTIFY_OK;
2668 }
2669
2670 static struct notifier_block usbdev_nb = {
2671         .notifier_call =        usbdev_notify,
2672 };
2673
2674 static struct cdev usb_device_cdev;
2675
2676 int __init usb_devio_init(void)
2677 {
2678         int retval;
2679
2680         retval = register_chrdev_region(USB_DEVICE_DEV, USB_DEVICE_MAX,
2681                                         "usb_device");
2682         if (retval) {
2683                 printk(KERN_ERR "Unable to register minors for usb_device\n");
2684                 goto out;
2685         }
2686         cdev_init(&usb_device_cdev, &usbdev_file_operations);
2687         retval = cdev_add(&usb_device_cdev, USB_DEVICE_DEV, USB_DEVICE_MAX);
2688         if (retval) {
2689                 printk(KERN_ERR "Unable to get usb_device major %d\n",
2690                        USB_DEVICE_MAJOR);
2691                 goto error_cdev;
2692         }
2693         usb_register_notify(&usbdev_nb);
2694 out:
2695         return retval;
2696
2697 error_cdev:
2698         unregister_chrdev_region(USB_DEVICE_DEV, USB_DEVICE_MAX);
2699         goto out;
2700 }
2701
2702 void usb_devio_cleanup(void)
2703 {
2704         usb_unregister_notify(&usbdev_nb);
2705         cdev_del(&usb_device_cdev);
2706         unregister_chrdev_region(USB_DEVICE_DEV, USB_DEVICE_MAX);
2707 }