Linux kernel & device driver programming

Cross-Referenced Linux and Device Driver Code

  1 /*****************************************************************************/
  2 
  3 /*
  4  *      devio.c  --  User space communication with USB devices.
  5  *
  6  *      Copyright (C) 1999-2000  Thomas Sailer (sailer@ife.ee.ethz.ch)
  7  *
  8  *      This program is free software; you can redistribute it and/or modify
  9  *      it under the terms of the GNU General Public License as published by
 10  *      the Free Software Foundation; either version 2 of the License, or
 11  *      (at your option) any later version.
 12  *
 13  *      This program is distributed in the hope that it will be useful,
 14  *      but WITHOUT ANY WARRANTY; without even the implied warranty of
 15  *      MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 16  *      GNU General Public License for more details.
 17  *
 18  *      You should have received a copy of the GNU General Public License
 19  *      along with this program; if not, write to the Free Software
 20  *      Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
 21  *
 22  *  $Id: devio.c,v 1.7 2000/02/01 17:28:48 fliegl Exp $
 23  *
 24  *  This file implements the usbfs/x/y files, where
 25  *  x is the bus number and y the device number.
 26  *
 27  *  It allows user space programs/"drivers" to communicate directly
 28  *  with USB devices without intervening kernel driver.
 29  *
 30  *  Revision history
 31  *    22.12.1999   0.1   Initial release (split from proc_usb.c)
 32  *    04.01.2000   0.2   Turned into its own filesystem
 33  *    30.09.2005   0.3   Fix user-triggerable oops in async URB delivery
 34  *                       (CAN-2005-3055)
 35  */
 36 
 37 /*****************************************************************************/
 38 
 39 #include <linux/fs.h>
 40 #include <linux/mm.h>
 41 #include <linux/slab.h>
 42 #include <linux/smp_lock.h>
 43 #include <linux/signal.h>
 44 #include <linux/poll.h>
 45 #include <linux/module.h>
 46 #include <linux/usb.h>
 47 #include <linux/usbdevice_fs.h>
 48 #include <linux/cdev.h>
 49 #include <linux/notifier.h>
 50 #include <linux/security.h>
 51 #include <asm/uaccess.h>
 52 #include <asm/byteorder.h>
 53 #include <linux/moduleparam.h>
 54 
 55 #include "hcd.h"        /* for usbcore internals */
 56 #include "usb.h"
 57 
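/* Number of USB buses accounted for, and the device count derived from it
 * (128 devices per bus).
 */
#define USB_MAXBUS			64
/* Parenthesized so the product keeps its value when the macro is used
 * inside a larger expression (e.g. as a divisor or after a cast).
 */
#define USB_DEVICE_MAX			(USB_MAXBUS * 128)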
 60 
/*
 * Mutual exclusion for removal, open, and release.
 * usbdev_open() holds it for the whole open; usbdev_release() holds it
 * only while unlinking its dev_state from the list it was added to.
 */
DEFINE_MUTEX(usbfs_mutex);
 63 
/*
 * Bookkeeping for one asynchronous URB submitted through usbfs.
 * An entry sits on either ps->async_pending or ps->async_completed.
 */
struct async {
	/* link on ps->async_pending or ps->async_completed, under ps->lock */
	struct list_head asynclist;
	/* open-file state this request belongs to */
	struct dev_state *ps;
	/* signal target at completion; reference dropped in free_async() */
	struct pid *pid;
	/* identity handed to kill_pid_info_as_uid() with the signal */
	uid_t uid;
	uid_t euid;
	/* signal to raise on completion; 0 means no signal is sent */
	unsigned int signr;
	/* interface number, matched by destroy_async_on_interface() */
	unsigned int ifnum;
	/* user-space data pointer -- not dereferenced in this part of the file */
	void __user *userbuffer;
	/* user-space URB address: lookup key and si_addr of the signal */
	void __user *userurb;
	/* kernel URB; its transfer_buffer and setup_packet are kfree()d with it */
	struct urb *urb;
	/* copy of urb->status taken by the completion handler */
	int status;
	/* security ID passed along with the completion signal */
	u32 secid;
};
 77 
/*
 * Non-zero turns on traffic logging.  Exposed as a module parameter that
 * is world-readable and owner-writable (S_IRUGO | S_IWUSR).
 *
 * While it is on, transfer payloads are hex-dumped into the kernel log
 * (see snoop_urb(), proc_control() and proc_bulk()), so the log should be
 * treated as carrying device data for as long as snooping is enabled.
 */
static int usbfs_snoop;
module_param(usbfs_snoop, bool, S_IRUGO | S_IWUSR);
MODULE_PARM_DESC(usbfs_snoop, "true to log all usbfs traffic");

/* dev_info() that does nothing unless usbfs_snoop is set. */
#define snoop(dev, format, ...)						\
	do {								\
		if (usbfs_snoop)					\
			dev_info(dev, format, ## __VA_ARGS__);		\
	} while (0)
 87 
/* dev_t built from USB_DEVICE_MAJOR and minor 0. */
#define USB_DEVICE_DEV		MKDEV(USB_DEVICE_MAJOR, 0)


/* Upper bound, in bytes, on the bounce buffer proc_bulk() will allocate
 * for a single user-requested transfer.
 */
#define MAX_USBFS_BUFFER_SIZE	16384
 92 
/*
 * Tell whether an open usbfs file can still reach its device.
 *
 * Returns non-zero only if the dev_state is still linked through
 * ps->list and the device state is not USB_STATE_NOTATTACHED.
 */
static inline int connected(struct dev_state *ps)
{
	if (list_empty(&ps->list))
		return 0;
	return ps->dev->state != USB_STATE_NOTATTACHED;
}
 98 
/*
 * llseek handler: supports origin 0 (absolute) and 1 (relative to the
 * current position); every other origin yields -EINVAL.
 *
 * The new position is not range-checked here, so it may end up negative;
 * usbdev_read() rejects a negative position with -EINVAL.
 * Runs under the big kernel lock.
 */
static loff_t usbdev_lseek(struct file *file, loff_t offset, int orig)
{
	loff_t newpos = -EINVAL;

	lock_kernel();

	if (orig == 0) {
		file->f_pos = offset;
		newpos = file->f_pos;
	} else if (orig == 1) {
		file->f_pos += offset;
		newpos = file->f_pos;
	}

	unlock_kernel();
	return newpos;
}
122 
/*
 * read() handler: presents the device descriptor (multi-byte fields in CPU
 * byte order) followed by the raw configuration descriptors as one
 * contiguous byte stream indexed by *ppos.
 *
 * Returns the number of bytes accounted for, -ENODEV if the device is no
 * longer connected, -EINVAL for a negative position, or -EFAULT if a copy
 * to user space fails (an earlier partial count is then discarded).
 *
 * The length of each configuration is taken from wTotalLength in the raw
 * descriptor; the copy itself is capped by the length recorded in
 * dev->config[].desc so that no byte past the allocation is read.  The
 * uncovered part of the user's buffer is skipped, not written, yet still
 * counted in the return value.
 */
static ssize_t usbdev_read(struct file *file, char __user *buf, size_t nbytes,
			   loff_t *ppos)
{
	struct dev_state *ps = file->private_data;
	struct usb_device *dev = ps->dev;
	const loff_t start = *ppos;
	ssize_t done = 0;
	loff_t base;
	unsigned chunk;
	int cfg;

	usb_lock_device(dev);
	if (!connected(ps)) {
		done = -ENODEV;
		goto unlock;
	}
	if (start < 0) {
		done = -EINVAL;
		goto unlock;
	}

	/* Part 1: the device descriptor, if the position falls inside it. */
	if (start < sizeof(struct usb_device_descriptor)) {
		/* 18 bytes - small enough for the stack */
		struct usb_device_descriptor cpu_desc;

		memcpy(&cpu_desc, &dev->descriptor, sizeof(dev->descriptor));
		le16_to_cpus(&cpu_desc.bcdUSB);
		le16_to_cpus(&cpu_desc.idVendor);
		le16_to_cpus(&cpu_desc.idProduct);
		le16_to_cpus(&cpu_desc.bcdDevice);

		chunk = sizeof(struct usb_device_descriptor) - start;
		if (chunk > nbytes)
			chunk = nbytes;
		if (copy_to_user(buf, ((char *)&cpu_desc) + start, chunk)) {
			done = -EFAULT;
			goto unlock;
		}

		*ppos += chunk;
		buf += chunk;
		nbytes -= chunk;
		done += chunk;
	}

	/* Part 2: configurations, laid out back to back after the header. */
	base = sizeof(struct usb_device_descriptor);
	for (cfg = 0; nbytes && cfg < dev->descriptor.bNumConfigurations; cfg++) {
		struct usb_config_descriptor *config =
			(struct usb_config_descriptor *)dev->rawdescriptors[cfg];
		unsigned int claimed = le16_to_cpu(config->wTotalLength);

		if (*ppos < base + claimed) {
			/* What the descriptor claims may exceed what was
			 * really allocated; this is the allocated length. */
			unsigned avail =
				le16_to_cpu(dev->config[cfg].desc.wTotalLength);
			loff_t skip = *ppos - base;

			chunk = claimed - skip;
			if (chunk > nbytes)
				chunk = nbytes;

			/* Only the allocated part is copied out. */
			if (avail > skip) {
				avail -= skip;
				if (copy_to_user(buf,
				    dev->rawdescriptors[cfg] + skip,
				    min(chunk, avail))) {
					done = -EFAULT;
					goto unlock;
				}
			}

			*ppos += chunk;
			buf += chunk;
			nbytes -= chunk;
			done += chunk;
		}

		base += claimed;
	}

unlock:
	usb_unlock_device(dev);
	return done;
}
208 
209 /*
210  * async list handling
211  */
212 
/*
 * Allocate a zeroed async record together with its URB.
 *
 * @numisoframes is passed to usb_alloc_urb() as the ISO packet count.
 * Returns the record, or NULL if either allocation fails (nothing is
 * leaked in that case).
 */
static struct async *alloc_async(unsigned int numisoframes)
{
	struct async *as = kzalloc(sizeof(struct async), GFP_KERNEL);

	if (as) {
		as->urb = usb_alloc_urb(numisoframes, GFP_KERNEL);
		if (as->urb)
			return as;
		kfree(as);
	}
	return NULL;
}
227 
/*
 * Release everything an async record owns: the pid reference, the URB's
 * transfer buffer and setup packet, the URB itself, then the record.
 * The caller must already have taken the record off its list.
 */
static void free_async(struct async *as)
{
	struct urb *urb = as->urb;

	put_pid(as->pid);
	kfree(urb->transfer_buffer);
	kfree(urb->setup_packet);
	usb_free_urb(urb);
	kfree(as);
}
236 
/* Append @as to its owner's pending list, under the owner's spinlock. */
static inline void async_newpending(struct async *as)
{
	struct dev_state *owner = as->ps;
	unsigned long irqflags;

	spin_lock_irqsave(&owner->lock, irqflags);
	list_add_tail(&as->asynclist, &owner->async_pending);
	spin_unlock_irqrestore(&owner->lock, irqflags);
}
246 
/*
 * Unlink @as from whichever list it is on, under the owner's spinlock.
 * list_del_init() leaves the node self-linked, so a later list operation
 * on it remains valid.
 */
static inline void async_removepending(struct async *as)
{
	struct dev_state *owner = as->ps;
	unsigned long irqflags;

	spin_lock_irqsave(&owner->lock, irqflags);
	list_del_init(&as->asynclist);
	spin_unlock_irqrestore(&owner->lock, irqflags);
}
256 
/*
 * Detach and return the oldest entry of ps->async_completed, or NULL when
 * that list is empty.  The returned entry is owned by the caller.
 */
static inline struct async *async_getcompleted(struct dev_state *ps)
{
	struct async *first = NULL;
	unsigned long irqflags;

	spin_lock_irqsave(&ps->lock, irqflags);
	if (list_empty(&ps->async_completed))
		goto out;
	first = list_entry(ps->async_completed.next, struct async,
			   asynclist);
	list_del_init(&first->asynclist);
out:
	spin_unlock_irqrestore(&ps->lock, irqflags);
	return first;
}
271 
/*
 * Find the pending request whose user-space URB address equals @userurb,
 * detach it from ps->async_pending and return it; NULL if none matches.
 * @userurb is only compared, never dereferenced.
 */
static inline struct async *async_getpending(struct dev_state *ps,
					     void __user *userurb)
{
	struct async *as, *match = NULL;
	unsigned long irqflags;

	spin_lock_irqsave(&ps->lock, irqflags);
	list_for_each_entry(as, &ps->async_pending, asynclist) {
		if (as->userurb == userurb) {
			list_del_init(&as->asynclist);
			match = as;
			break;
		}
	}
	spin_unlock_irqrestore(&ps->lock, irqflags);
	return match;
}
288 
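/*
 * Log an URB's direction, user-space handle, lengths and payload when
 * usbfs_snoop is enabled; does nothing otherwise.
 *
 * For an IN transfer only the first actual_length bytes of the buffer are
 * dumped.  Nothing in this function establishes that the bytes beyond
 * that were written by the device, so dumping the full
 * transfer_buffer_length could put unrelated buffer contents into the
 * kernel log.  OUT transfers are dumped in full, since the whole buffer
 * is the payload.
 */
static void snoop_urb(struct urb *urb, void __user *userurb)
{
	const unsigned char *data = urb->transfer_buffer;
	int dumplen;
	int j;

	if (!usbfs_snoop)
		return;

	dumplen = usb_urb_dir_in(urb) ? urb->actual_length
				      : urb->transfer_buffer_length;

	dev_info(&urb->dev->dev, "direction=%s\n",
			usb_urb_dir_in(urb) ? "IN" : "OUT");
	dev_info(&urb->dev->dev, "userurb=%p\n", userurb);
	dev_info(&urb->dev->dev, "transfer_buffer_length=%d\n",
		 urb->transfer_buffer_length);
	dev_info(&urb->dev->dev, "actual_length=%d\n", urb->actual_length);
	dev_info(&urb->dev->dev, "data: ");
	for (j = 0; j < dumplen; ++j)
		printk("%02x ", data[j]);
	printk("\n");
}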
308 
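/*
 * URB completion handler: move the request to its owner's completed list,
 * record the URB status, optionally signal the submitting task, and wake
 * any waiter on ps->wait.
 *
 * Two hardening points compared with a naive implementation:
 *
 *  - Once the entry is on async_completed and ps->lock is dropped, another
 *    context may dequeue it with async_getcompleted() and release it with
 *    free_async().  Everything needed from *as (and the snoop dump of the
 *    URB buffer) is therefore taken while the lock is still held, and the
 *    pid is pinned with its own reference for the signal delivery.
 *
 *  - The siginfo is cleared before use, so members this function does not
 *    set cannot carry stale stack contents along with the signal.
 *
 * The signal is sent with the uid/euid/secid saved in the async record,
 * not with the identity of whatever context the completion runs in.
 */
static void async_completed(struct urb *urb)
{
	struct async *as = urb->context;
	struct dev_state *ps = as->ps;
	struct siginfo sinfo;
	struct pid *pid = NULL;
	uid_t uid = 0, euid = 0;
	u32 secid = 0;
	unsigned int signr;
	unsigned long flags;

	spin_lock_irqsave(&ps->lock, flags);
	list_move_tail(&as->asynclist, &ps->async_completed);
	as->status = urb->status;
	signr = as->signr;
	if (signr) {
		memset(&sinfo, 0, sizeof(sinfo));
		sinfo.si_signo = signr;
		sinfo.si_errno = as->status;
		sinfo.si_code = SI_ASYNCIO;
		sinfo.si_addr = as->userurb;
		pid = get_pid(as->pid);
		uid = as->uid;
		euid = as->euid;
		secid = as->secid;
	}
	snoop(&urb->dev->dev, "urb complete\n");
	snoop_urb(urb, as->userurb);
	spin_unlock_irqrestore(&ps->lock, flags);

	/* 'as' must not be touched from here on. */
	if (signr) {
		kill_pid_info_as_uid(signr, &sinfo, pid, uid, euid, secid);
		put_pid(pid);
	}
	wake_up(&ps->wait);
}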
332 
/*
 * Cancel every request on @list, then free every request found on
 * ps->async_completed.
 *
 * Each entry is unlinked (left self-linked by list_del_init()) before
 * ps->lock is released around usb_kill_urb(), because the completion
 * handler takes the same lock.  Note that the second phase drains the
 * whole completed list of @ps, not just the entries that came from @list.
 */
static void destroy_async(struct dev_state *ps, struct list_head *list)
{
	struct async *victim;
	unsigned long irqflags;

	spin_lock_irqsave(&ps->lock, irqflags);
	for (;;) {
		if (list_empty(list))
			break;
		victim = list_entry(list->next, struct async, asynclist);
		list_del_init(&victim->asynclist);

		/* let the completion handler run: it needs ps->lock */
		spin_unlock_irqrestore(&ps->lock, irqflags);
		usb_kill_urb(victim->urb);
		spin_lock_irqsave(&ps->lock, irqflags);
	}
	spin_unlock_irqrestore(&ps->lock, irqflags);

	while ((victim = async_getcompleted(ps)) != NULL)
		free_async(victim);
}
355 
/*
 * Cancel and free the pending requests of @ps that were submitted for
 * interface @ifnum.  Matching entries are first collected on a private
 * list under ps->lock, then handed to destroy_async().
 */
static void destroy_async_on_interface(struct dev_state *ps,
				       unsigned int ifnum)
{
	struct async *as, *next;
	unsigned long irqflags;
	LIST_HEAD(hitlist);

	spin_lock_irqsave(&ps->lock, irqflags);
	list_for_each_entry_safe(as, next, &ps->async_pending, asynclist) {
		if (as->ifnum == ifnum)
			list_move_tail(&as->asynclist, &hitlist);
	}
	spin_unlock_irqrestore(&ps->lock, irqflags);

	destroy_async(ps, &hitlist);
}
370 
/* Cancel and free every pending request of @ps (see destroy_async()). */
static inline void destroy_all_async(struct dev_state *ps)
{
	struct list_head *pending = &ps->async_pending;

	destroy_async(ps, pending);
}
375 
376 /*
377  * interface claims are made only at the request of user level code,
378  * which can also release them (explicitly or by closing files).
379  * they're also undone when devices disconnect.
380  */
381 
/*
 * Probe callback of the usbfs driver.  It always declines with -ENODEV;
 * per the comment above, interfaces are claimed only when user-level
 * code asks for it (see claimintf()).
 */
static int driver_probe(struct usb_interface *intf,
			const struct usb_device_id *id)
{
	const int declined = -ENODEV;

	return declined;
}
387 
/*
 * Disconnect callback: undo a usbfs claim on @intf.
 *
 * Clears the interface's bit in ps->ifclaimed (after bounds-checking the
 * interface number against the width of that bitmap), detaches the
 * dev_state from the interface, and tears down the requests still pending
 * on that interface.  Does nothing when no dev_state is attached.
 */
static void driver_disconnect(struct usb_interface *intf)
{
	struct dev_state *ps = usb_get_intfdata(intf);
	unsigned int ifnum = intf->altsetting->desc.bInterfaceNumber;

	if (!ps)
		return;

	/* NOTE:  this relies on usbcore having canceled and completed
	 * all pending I/O requests; 2.6 does that.
	 */

	if (unlikely(ifnum >= 8*sizeof(ps->ifclaimed)))
		warn("interface number %u out of range", ifnum);
	else
		clear_bit(ifnum, &ps->ifclaimed);

	usb_set_intfdata(intf, NULL);

	/* force the remaining async requests on this interface to finish */
	destroy_async_on_interface(ps, ifnum);
}
410 
411 /* The following routines are merely placeholders.  There is no way
412  * to inform a user task about suspend or resumes.
413  */
/* Suspend callback: nothing to do, always reports success (0). */
static int driver_suspend(struct usb_interface *intf, pm_message_t msg)
{
	const int ok = 0;

	return ok;
}
418 
/* Resume callback: nothing to do, always reports success (0). */
static int driver_resume(struct usb_interface *intf)
{
	const int ok = 0;

	return ok;
}
423 
/*
 * The USB driver under whose name usbfs claims interfaces on behalf of
 * user space (see claimintf()/releaseintf()).  Its probe callback always
 * declines, and suspend/resume are placeholders.
 */
struct usb_driver usbfs_driver = {
	.name =		"usbfs",
	.probe =	driver_probe,
	.disconnect =	driver_disconnect,
	.suspend =	driver_suspend,
	.resume =	driver_resume,
};
431 
/*
 * Claim interface @ifnum of the device for this open file.
 *
 * Returns 0 on success or if the interface was already claimed by @ps,
 * -EINVAL if @ifnum does not fit the ifclaimed bitmap, -ENOENT if the
 * device has no such interface, or the error from
 * usb_driver_claim_interface().  The bitmap bit is set only on success.
 */
static int claimintf(struct dev_state *ps, unsigned int ifnum)
{
	struct usb_interface *intf;
	int err;

	/* the bound check must precede any bit operation on ifclaimed */
	if (ifnum >= 8*sizeof(ps->ifclaimed))
		return -EINVAL;
	if (test_bit(ifnum, &ps->ifclaimed))
		return 0;	/* already claimed */

	intf = usb_ifnum_to_if(ps->dev, ifnum);
	if (!intf)
		return -ENOENT;

	err = usb_driver_claim_interface(&usbfs_driver, intf, ps);
	if (err == 0)
		set_bit(ifnum, &ps->ifclaimed);
	return err;
}
453 
/*
 * Give up this open file's claim on interface @ifnum.
 *
 * Returns 0 if a claim was held and has been released, -ENOENT if the
 * device has no such interface, and -EINVAL if @ifnum is out of range
 * or the interface was not claimed through @ps.
 */
static int releaseintf(struct dev_state *ps, unsigned int ifnum)
{
	struct usb_interface *intf;

	if (ifnum >= 8*sizeof(ps->ifclaimed))
		return -EINVAL;

	intf = usb_ifnum_to_if(ps->dev, ifnum);
	if (!intf)
		return -ENOENT;

	/* only a claim recorded in our own bitmap may be released */
	if (!test_and_clear_bit(ifnum, &ps->ifclaimed))
		return -EINVAL;

	usb_driver_release_interface(&usbfs_driver, intf);
	return 0;
}
473 
/*
 * Make sure interface @ifnum is claimed by @ps before it is used.
 *
 * Returns -EHOSTUNREACH unless the device is in USB_STATE_CONFIGURED and
 * -EINVAL for an out-of-range @ifnum.  If the interface is not claimed
 * yet, a warning naming the calling process is logged and the claim is
 * attempted implicitly; the result of claimintf() is returned.
 */
static int checkintf(struct dev_state *ps, unsigned int ifnum)
{
	struct usb_device *udev = ps->dev;

	if (udev->state != USB_STATE_CONFIGURED)
		return -EHOSTUNREACH;
	if (ifnum >= 8*sizeof(ps->ifclaimed))
		return -EINVAL;

	if (!test_bit(ifnum, &ps->ifclaimed)) {
		/* not claimed yet: claim it on the caller's behalf */
		dev_warn(&udev->dev, "usbfs: process %d (%s) did not claim "
			 "interface %u before use\n", task_pid_nr(current),
			 current->comm, ifnum);
		return claimintf(ps, ifnum);
	}
	return 0;
}
488 
/*
 * Map an endpoint address to the number of the interface that owns it in
 * the active configuration.
 *
 * @ep may only have the direction bit and the low four address bits set;
 * anything else is rejected with -EINVAL.  Returns the interface number,
 * -ESRCH if the device has no active configuration, or -ENOENT if no
 * altsetting of any interface lists that endpoint address.
 */
static int findintfep(struct usb_device *dev, unsigned int ep)
{
	struct usb_host_config *cfg = dev->actconfig;
	unsigned int ifidx, altidx, epidx;

	if (ep & ~(USB_DIR_IN|0xf))
		return -EINVAL;
	if (!cfg)
		return -ESRCH;

	for (ifidx = 0; ifidx < cfg->desc.bNumInterfaces; ifidx++) {
		struct usb_interface *intf = cfg->interface[ifidx];

		for (altidx = 0; altidx < intf->num_altsetting; altidx++) {
			struct usb_host_interface *alts =
				&intf->altsetting[altidx];

			for (epidx = 0; epidx < alts->desc.bNumEndpoints;
			     epidx++) {
				struct usb_endpoint_descriptor *endpt =
					&alts->endpoint[epidx].desc;

				if (endpt->bEndpointAddress == ep)
					return alts->desc.bInterfaceNumber;
			}
		}
	}
	return -ENOENT;
}
513 
/*
 * Decide whether a control request may go out, based on its recipient.
 *
 * Returns -EHOSTUNREACH unless the device is in USB_STATE_ADDRESS or
 * USB_STATE_CONFIGURED.  Requests addressed to an interface, or to an
 * endpoint (resolved to its interface through findintfep()), must pass
 * checkintf() for that interface; only the low byte of @index is used.
 *
 * Vendor-type requests, and requests to any other recipient, are let
 * through without an interface check.
 */
static int check_ctrlrecip(struct dev_state *ps, unsigned int requesttype,
			   unsigned int index)
{
	unsigned int recip;
	int ifnum;

	if (ps->dev->state != USB_STATE_ADDRESS
	 && ps->dev->state != USB_STATE_CONFIGURED)
		return -EHOSTUNREACH;
	if ((requesttype & USB_TYPE_MASK) == USB_TYPE_VENDOR)
		return 0;

	index &= 0xff;
	recip = requesttype & USB_RECIP_MASK;

	if (recip == USB_RECIP_INTERFACE)
		return checkintf(ps, index);

	if (recip == USB_RECIP_ENDPOINT) {
		ifnum = findintfep(ps->dev, index);
		if (ifnum < 0)
			return ifnum;
		return checkintf(ps, ifnum);
	}

	return 0;
}
539 
/*
 * bus_find_device() match callback: @data points to an int minor number.
 * Returns 1 when @dev's device number is (USB_DEVICE_MAJOR, minor),
 * otherwise 0.
 */
static int __match_minor(struct device *dev, void *data)
{
	const int *wanted = data;

	return dev->devt == MKDEV(USB_DEVICE_MAJOR, *wanted) ? 1 : 0;
}
548 
/*
 * Look up the usb_device whose device node has minor number @minor.
 * Returns NULL if no device on the USB bus matches.
 *
 * NOTE(review): the reference obtained by bus_find_device() is dropped
 * before the pointer is returned, so the caller receives a pointer it
 * holds no reference on.  The caller visible in this file, usbdev_open(),
 * runs under usbfs_mutex and takes its own reference later with
 * usb_get_dev(); confirm that device removal is serialized by that mutex
 * for the whole window.
 */
static struct usb_device *usbdev_lookup_by_minor(int minor)
{
	struct device *found;

	found = bus_find_device(&usb_bus_type, NULL, &minor, __match_minor);
	if (found) {
		put_device(found);
		return container_of(found, struct usb_device, dev);
	}
	return NULL;
}
559 
560 /*
561  * file operations
562  */
/*
 * open() handler: bind a freshly allocated dev_state to the USB device
 * behind the inode and publish it in file->private_data.
 *
 * The whole function runs under usbfs_mutex.  The opener's pid, uid,
 * euid and security ID are captured here, at open time.
 *
 * Returns 0 on success, -ENOMEM if the dev_state cannot be allocated,
 * -ENOENT if no device is found, or the error from
 * usb_autoresume_device().
 *
 * The dev_state comes from kmalloc(), which does not zero memory, so
 * each member is assigned explicitly below.
 * NOTE(review): struct dev_state is declared elsewhere -- confirm that no
 * member is left uninitialized.
 */
static int usbdev_open(struct inode *inode, struct file *file)
{
	struct usb_device *dev = NULL;
	struct dev_state *ps;
	int status;

	/* Protect against simultaneous removal or release */
	mutex_lock(&usbfs_mutex);

	ps = kmalloc(sizeof(struct dev_state), GFP_KERNEL);
	if (!ps) {
		status = -ENOMEM;
		goto unlock;
	}

	/* usbdev device-node */
	if (imajor(inode) == USB_DEVICE_MAJOR)
		dev = usbdev_lookup_by_minor(iminor(inode));
#ifdef CONFIG_USB_DEVICEFS
	/* procfs file */
	if (!dev)
		dev = inode->i_private;
#endif
	if (!dev) {
		status = -ENOENT;
		goto free_state;
	}
	status = usb_autoresume_device(dev);
	if (status)
		goto free_state;

	usb_get_dev(dev);
	ps->dev = dev;
	ps->file = file;
	spin_lock_init(&ps->lock);
	INIT_LIST_HEAD(&ps->list);
	INIT_LIST_HEAD(&ps->async_pending);
	INIT_LIST_HEAD(&ps->async_completed);
	init_waitqueue_head(&ps->wait);
	ps->discsignr = 0;
	ps->disc_pid = get_pid(task_pid(current));
	ps->disc_uid = current->uid;
	ps->disc_euid = current->euid;
	ps->disccontext = NULL;
	ps->ifclaimed = 0;
	security_task_getsecid(current, &ps->secid);
	/* all stores above are ordered before the state is put on the list */
	smp_wmb();
	list_add_tail(&ps->list, &dev->filelist);
	file->private_data = ps;

	mutex_unlock(&usbfs_mutex);
	return 0;

free_state:
	kfree(ps);
unlock:
	mutex_unlock(&usbfs_mutex);
	return status;
}
617 
/*
 * release() handler: undo everything usbdev_open() and later ioctls set
 * up for this file.
 *
 * With the device locked, the dev_state is unlinked from the device's
 * file list (under usbfs_mutex), every interface still claimed through
 * it is released, and all outstanding requests are cancelled and freed.
 * The device and pid references taken at open time are then dropped and
 * the dev_state is freed.  Always returns 0.
 */
static int usbdev_release(struct inode *inode, struct file *file)
{
	struct dev_state *ps = file->private_data;
	struct usb_device *dev = ps->dev;
	unsigned int ifnum = 0;

	usb_lock_device(dev);

	/* Protect against simultaneous open */
	mutex_lock(&usbfs_mutex);
	list_del_init(&ps->list);
	mutex_unlock(&usbfs_mutex);

	/* stop scanning as soon as no claim is left in the bitmap */
	while (ps->ifclaimed && ifnum < 8*sizeof(ps->ifclaimed)) {
		if (test_bit(ifnum, &ps->ifclaimed))
			releaseintf(ps, ifnum);
		ifnum++;
	}

	destroy_all_async(ps);
	usb_autosuspend_device(dev);
	usb_unlock_device(dev);
	usb_put_dev(dev);
	put_pid(ps->disc_pid);
	kfree(ps);
	return 0;
}
644 
/*
 * Perform a synchronous control transfer described by the user's
 * struct usbdevfs_ctrltransfer at @arg.
 *
 * The request is vetted by check_ctrlrecip() and its wLength is limited
 * to PAGE_SIZE, the size of the single page used as bounce buffer.  For
 * a device-to-host request (bit 0x80 of bRequestType) the user's buffer
 * is checked with access_ok() before the transfer and only the number of
 * bytes the transfer reported is copied out; for host-to-device the
 * payload is copied in first.  The device lock is dropped for the
 * duration of the transfer itself.
 *
 * Returns the result of usb_control_msg(), or -EFAULT / -EINVAL /
 * -ENOMEM / the check_ctrlrecip() error on the failure paths.
 */
static int proc_control(struct dev_state *ps, void __user *arg)
{
	struct usb_device *dev = ps->dev;
	struct usbdevfs_ctrltransfer ctrl;
	unsigned char *page;
	unsigned int tmo;
	int xfer, k, ret;

	if (copy_from_user(&ctrl, arg, sizeof(ctrl)))
		return -EFAULT;
	ret = check_ctrlrecip(ps, ctrl.bRequestType, ctrl.wIndex);
	if (ret)
		return ret;
	/* the bounce buffer below is exactly one page */
	if (ctrl.wLength > PAGE_SIZE)
		return -EINVAL;
	page = (unsigned char *)__get_free_page(GFP_KERNEL);
	if (!page)
		return -ENOMEM;
	tmo = ctrl.timeout;

	if (ctrl.bRequestType & 0x80) {
		if (ctrl.wLength && !access_ok(VERIFY_WRITE, ctrl.data,
					       ctrl.wLength)) {
			ret = -EINVAL;
			goto fail;
		}
		snoop(&dev->dev, "control read: bRequest=%02x "
				"bRrequestType=%02x wValue=%04x "
				"wIndex=%04x wLength=%04x\n",
			ctrl.bRequest, ctrl.bRequestType, ctrl.wValue,
				ctrl.wIndex, ctrl.wLength);

		usb_unlock_device(dev);
		xfer = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0),
				       ctrl.bRequest, ctrl.bRequestType,
				       ctrl.wValue, ctrl.wIndex,
				       page, ctrl.wLength, tmo);
		usb_lock_device(dev);

		if (xfer > 0 && ctrl.wLength) {
			if (usbfs_snoop) {
				dev_info(&dev->dev, "control read: data ");
				for (k = 0; k < xfer; ++k)
					printk("%02x ", (u8)page[k]);
				printk("\n");
			}
			/* only what the transfer delivered leaves the page */
			if (copy_to_user(ctrl.data, page, xfer)) {
				ret = -EFAULT;
				goto fail;
			}
		}
	} else {
		if (ctrl.wLength &&
		    copy_from_user(page, ctrl.data, ctrl.wLength)) {
			ret = -EFAULT;
			goto fail;
		}
		snoop(&dev->dev, "control write: bRequest=%02x "
				"bRrequestType=%02x wValue=%04x "
				"wIndex=%04x wLength=%04x\n",
			ctrl.bRequest, ctrl.bRequestType, ctrl.wValue,
				ctrl.wIndex, ctrl.wLength);
		if (usbfs_snoop) {
			dev_info(&dev->dev, "control write: data: ");
			for (k = 0; k < ctrl.wLength; ++k)
				printk("%02x ", (unsigned char)page[k]);
			printk("\n");
		}

		usb_unlock_device(dev);
		xfer = usb_control_msg(dev, usb_sndctrlpipe(dev, 0),
				       ctrl.bRequest, ctrl.bRequestType,
				       ctrl.wValue, ctrl.wIndex,
				       page, ctrl.wLength, tmo);
		usb_lock_device(dev);
	}

	free_page((unsigned long)page);
	/* a stall (-EPIPE) is not worth a log line */
	if (xfer < 0 && xfer != -EPIPE) {
		dev_printk(KERN_DEBUG, &dev->dev, "usbfs: USBDEVFS_CONTROL "
			   "failed cmd %s rqt %u rq %u len %u ret %d\n",
			   current->comm, ctrl.bRequestType, ctrl.bRequest,
			   ctrl.wLength, xfer);
	}
	return xfer;

fail:
	free_page((unsigned long)page);
	return ret;
}
726 
/*
 * Perform a synchronous bulk transfer described by the user's
 * struct usbdevfs_bulktransfer at @arg.
 *
 * The endpoint must exist in the active configuration and its interface
 * must pass checkintf().  The requested length is limited to
 * MAX_USBFS_BUFFER_SIZE before a bounce buffer of that size is allocated.
 * For IN, the user's buffer is checked with access_ok() up front and the
 * number of bytes reported by usb_bulk_msg() is copied out; for OUT, the
 * payload is copied in first.  The device lock is dropped for the
 * duration of the transfer itself.
 *
 * NOTE(review): the copy-out length is the count usb_bulk_msg() reports;
 * presumably that never exceeds the requested length -- confirm.
 *
 * Returns the number of bytes transferred, or a negative errno.
 */
static int proc_bulk(struct dev_state *ps, void __user *arg)
{
	struct usb_device *dev = ps->dev;
	struct usbdevfs_bulktransfer bulk;
	unsigned int tmo, want, pipe;
	unsigned char *bounce;
	int got;
	int status, k, ret;
	int dir_in;

	if (copy_from_user(&bulk, arg, sizeof(bulk)))
		return -EFAULT;
	ret = findintfep(ps->dev, bulk.ep);
	if (ret < 0)
		return ret;
	ret = checkintf(ps, ret);
	if (ret)
		return ret;

	dir_in = (bulk.ep & USB_DIR_IN) != 0;
	if (dir_in)
		pipe = usb_rcvbulkpipe(dev, bulk.ep & 0x7f);
	else
		pipe = usb_sndbulkpipe(dev, bulk.ep & 0x7f);
	if (!usb_maxpacket(dev, pipe, !dir_in))
		return -EINVAL;

	/* cap the user-chosen length before it sizes an allocation */
	want = bulk.len;
	if (want > MAX_USBFS_BUFFER_SIZE)
		return -EINVAL;
	bounce = kmalloc(want, GFP_KERNEL);
	if (!bounce)
		return -ENOMEM;
	tmo = bulk.timeout;

	if (dir_in) {
		if (want && !access_ok(VERIFY_WRITE, bulk.data, want)) {
			ret = -EINVAL;
			goto fail;
		}
		snoop(&dev->dev, "bulk read: len=0x%02x timeout=%04d\n",
			bulk.len, bulk.timeout);

		usb_unlock_device(dev);
		status = usb_bulk_msg(dev, pipe, bounce, want, &got, tmo);
		usb_lock_device(dev);

		if (status == 0 && got) {
			if (usbfs_snoop) {
				dev_info(&dev->dev, "bulk read: data ");
				for (k = 0; k < got; ++k)
					printk("%02x ", (u8)bounce[k]);
				printk("\n");
			}
			if (copy_to_user(bulk.data, bounce, got)) {
				ret = -EFAULT;
				goto fail;
			}
		}
	} else {
		if (want && copy_from_user(bounce, bulk.data, want)) {
			ret = -EFAULT;
			goto fail;
		}
		snoop(&dev->dev, "bulk write: len=0x%02x timeout=%04d\n",
			bulk.len, bulk.timeout);
		if (usbfs_snoop) {
			dev_info(&dev->dev, "bulk write: data: ");
			for (k = 0; k < want; ++k)
				printk("%02x ", (unsigned char)bounce[k]);
			printk("\n");
		}

		usb_unlock_device(dev);
		status = usb_bulk_msg(dev, pipe, bounce, want, &got, tmo);
		usb_lock_device(dev);
	}

	kfree(bounce);
	if (status < 0)
		return status;
	return got;

fail:
	kfree(bounce);
	return ret;
}
802 
/*
 * Reset the data toggle of the endpoint whose address is read from the
 * unsigned int at @arg.
 *
 * The endpoint has to exist in the active configuration and its interface
 * has to pass checkintf().  Returns 0 on success, -EFAULT if @arg cannot
 * be read, or the error from findintfep()/checkintf().
 */
static int proc_resetep(struct dev_state *ps, void __user *arg)
{
	unsigned int ep;
	int ifnum;
	int err;

	if (get_user(ep, (unsigned int __user *)arg))
		return -EFAULT;

	ifnum = findintfep(ps->dev, ep);
	if (ifnum < 0)
		return ifnum;

	err = checkintf(ps, ifnum);
	if (err)
		return err;

	usb_settoggle(ps->dev, ep & 0xf, !(ep & USB_DIR_IN), 0);
	return 0;
}
819 
/*
 * Clear a halt condition on the endpoint whose address is read from the
 * unsigned int at @arg.
 *
 * The endpoint has to exist in the active configuration and its interface
 * has to pass checkintf().  The pipe is always built as a bulk pipe.
 * Returns the result of usb_clear_halt(), -EFAULT if @arg cannot be read,
 * or the error from findintfep()/checkintf().
 */
static int proc_clearhalt(struct dev_state *ps, void __user *arg)
{
	unsigned int ep;
	int ifnum;
	int err;
	int pipe;

	if (get_user(ep, (unsigned int __user *)arg))
		return -EFAULT;

	ifnum = findintfep(ps->dev, ep);
	if (ifnum < 0)
		return ifnum;

	err = checkintf(ps, ifnum);
	if (err)
		return err;

	pipe = (ep & USB_DIR_IN) ? usb_rcvbulkpipe(ps->dev, ep & 0x7f)
				 : usb_sndbulkpipe(ps->dev, ep & 0x7f);

	return usb_clear_halt(ps->dev, pipe);
}
841 
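/*
 * Report the name of the kernel driver bound to an interface.
 *
 * Reads a struct usbdevfs_getdriver from @arg, looks up gd.interface and
 * writes the structure back with gd.driver filled in.
 *
 * The name is copied with strlcpy() so that gd.driver is NUL-terminated
 * even if the driver name is as long as, or longer than, the field;
 * strncpy() would leave it unterminated in that case.  Bytes after the
 * terminator keep what the caller passed in, so nothing from the kernel
 * beyond the name itself is returned.
 *
 * Returns 0 on success, -EFAULT on a failed user copy, or -ENODATA if the
 * interface does not exist or has no driver bound.
 */
static int proc_getdriver(struct dev_state *ps, void __user *arg)
{
	struct usbdevfs_getdriver gd;
	struct usb_interface *intf;

	if (copy_from_user(&gd, arg, sizeof(gd)))
		return -EFAULT;

	intf = usb_ifnum_to_if(ps->dev, gd.interface);
	if (!intf || !intf->dev.driver)
		return -ENODATA;

	strlcpy(gd.driver, intf->dev.driver->name, sizeof(gd.driver));
	if (copy_to_user(arg, &gd, sizeof(gd)))
		return -EFAULT;
	return 0;
}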
860 
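/*
 * Return the device number and a low-speed flag to user space in a
 * struct usbdevfs_connectinfo at @arg.
 *
 * The structure is cleared before the members are filled in: it is copied
 * out whole, so any padding or member not assigned here would otherwise
 * hand stale kernel stack bytes to the caller.
 *
 * Returns 0 on success or -EFAULT if the copy to user space fails.
 */
static int proc_connectinfo(struct dev_state *ps, void __user *arg)
{
	struct usbdevfs_connectinfo ci;

	memset(&ci, 0, sizeof(ci));
	ci.devnum = ps->dev->devnum;
	ci.slow = ps->dev->speed == USB_SPEED_LOW;

	if (copy_to_user(arg, &ci, sizeof(ci)))
		return -EFAULT;
	return 0;
}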
871 
/*
 * USBDEVFS_RESET handler: reset the device behind this usbfs file.
 * Takes no user argument; returns whatever usb_reset_composite_device()
 * reports.
 */
static int proc_resetdevice(struct dev_state *ps)
{
        struct usb_device *udev = ps->dev;

        return usb_reset_composite_device(udev, NULL);
}
876 
/*
 * USBDEVFS_SETINTERFACE handler: select an alternate setting on an
 * interface named by user space.
 *
 * The interface number is passed to checkintf() first; the alternate
 * setting value is handed to usb_set_interface() as supplied.
 *
 * Returns -EFAULT if @arg cannot be read, the non-zero result of
 * checkintf(), or the result of usb_set_interface().
 */
static int proc_setintf(struct dev_state *ps, void __user *arg)
{
        struct usbdevfs_setinterface req;
        int err;

        if (copy_from_user(&req, arg, sizeof(req)))
                return -EFAULT;

        err = checkintf(ps, req.interface);
        if (err)
                return err;

        return usb_set_interface(ps->dev, req.interface, req.altsetting);
}
889 
/*
 * USBDEVFS_SETCONFIGURATION handler: switch the device to the
 * configuration value read from user space.
 *
 * Returns -EFAULT if @arg cannot be read, -EBUSY if any interface of the
 * active configuration is claimed, or the result of
 * usb_reset_configuration()/usb_set_configuration().
 */
static int proc_setconfig(struct dev_state *ps, void __user *arg)
{
        struct usb_host_config *cur;
        int cfgval;
        int i;

        if (get_user(cfgval, (int __user *)arg))
                return -EFAULT;

        cur = ps->dev->actconfig;

        /*
         * Refuse to touch the device while any interface is claimed: the
         * change could disturb other drivers, and an interface claimed by
         * usbfs itself could easily deadlock.
         */
        if (cur) {
                for (i = 0; i < cur->desc.bNumInterfaces; ++i) {
                        struct usb_interface *intf = cur->interface[i];

                        if (!usb_interface_claimed(intf))
                                continue;

                        dev_warn(&ps->dev->dev,
                                "usbfs: interface %d claimed by %s "
                                "while '%s' sets config #%d\n",
                                intf->cur_altsetting->desc.bInterfaceNumber,
                                intf->dev.driver->name,
                                current->comm, cfgval);
                        return -EBUSY;
                }
        }

        /*
         * Re-selecting the current configuration is commonly used as a
         * cheap driver reset, so take the reset path in that case and
         * avoid usb_set_configuration()'s kick to sysfs.
         */
        if (cur && cur->desc.bConfigurationValue == cfgval)
                return usb_reset_configuration(ps->dev);

        return usb_set_configuration(ps->dev, cfgval);
}
937 
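/*
 * Validate a user-supplied URB description and queue it asynchronously.
 *
 * @ps:             per-open usbfs state; ps->dev is the target device
 * @uurb:           kernel copy of the user's URB description.  It is
 *                  modified here: number_of_packets, buffer_length, buffer
 *                  and endpoint may be rewritten while validating.
 * @iso_frame_desc: user pointer to the ISO packet descriptors
 * @arg:            the user's URB pointer, remembered in as->userurb
 *
 * Every field of @uurb comes from user space, so flags, signal number,
 * endpoint, transfer type and lengths are all range-checked before any
 * buffer is allocated.  Unless the request is a control transfer to
 * endpoint 0, the endpoint's interface is also passed through checkintf().
 *
 * Returns 0 once the URB has been submitted, or a negative errno.
 */
static int proc_do_submiturb(struct dev_state *ps, struct usbdevfs_urb *uurb,
                        struct usbdevfs_iso_packet_desc __user *iso_frame_desc,
                        void __user *arg)
{
        struct usbdevfs_iso_packet_desc *isopkt = NULL;
        struct usb_host_endpoint *ep;
        struct async *as;
        struct usb_ctrlrequest *dr = NULL;
        unsigned int u, totlen, isofrmlen;
        int ret, ifnum = -1;
        int is_in;

        /* reject any flag bit outside the set usbfs is willing to forward */
        if (uurb->flags & ~(USBDEVFS_URB_ISO_ASAP|USBDEVFS_URB_SHORT_NOT_OK|
                           URB_NO_FSBR|URB_ZERO_PACKET))
                return -EINVAL;
        if (!uurb->buffer)
                return -EINVAL;
        /* a completion signal, if requested, must be a real-time signal */
        if (uurb->signr != 0 && (uurb->signr < SIGRTMIN ||
                                 uurb->signr > SIGRTMAX))
                return -EINVAL;
        /* control transfers to endpoint 0 skip the interface lookup */
        if (!(uurb->type == USBDEVFS_URB_TYPE_CONTROL &&
            (uurb->endpoint & ~USB_ENDPOINT_DIR_MASK) == 0)) {
                ifnum = findintfep(ps->dev, uurb->endpoint);
                if (ifnum < 0)
                        return ifnum;
                ret = checkintf(ps, ifnum);
                if (ret)
                        return ret;
        }
        if ((uurb->endpoint & USB_ENDPOINT_DIR_MASK) != 0) {
                is_in = 1;
                ep = ps->dev->ep_in[uurb->endpoint & USB_ENDPOINT_NUMBER_MASK];
        } else {
                is_in = 0;
                ep = ps->dev->ep_out[uurb->endpoint & USB_ENDPOINT_NUMBER_MASK];
        }
        if (!ep)
                return -ENOENT;
        switch(uurb->type) {
        case USBDEVFS_URB_TYPE_CONTROL:
                if (!usb_endpoint_xfer_control(&ep->desc))
                        return -EINVAL;
                /* min 8 byte setup packet,
                 * max 8 byte setup plus an arbitrary data stage */
                if (uurb->buffer_length < 8 ||
                    uurb->buffer_length > (8 + MAX_USBFS_BUFFER_SIZE))
                        return -EINVAL;
                dr = kmalloc(sizeof(struct usb_ctrlrequest), GFP_KERNEL);
                if (!dr)
                        return -ENOMEM;
                if (copy_from_user(dr, uurb->buffer, 8)) {
                        kfree(dr);
                        return -EFAULT;
                }
                /* the data stage announced in wLength must fit the buffer */
                if (uurb->buffer_length < (le16_to_cpup(&dr->wLength) + 8)) {
                        kfree(dr);
                        return -EINVAL;
                }
                ret = check_ctrlrecip(ps, dr->bRequestType,
                                      le16_to_cpup(&dr->wIndex));
                if (ret) {
                        kfree(dr);
                        return ret;
                }
                /* from here on buffer/buffer_length describe the data stage only */
                uurb->number_of_packets = 0;
                uurb->buffer_length = le16_to_cpup(&dr->wLength);
                uurb->buffer += 8;
                /* direction follows the setup packet, not the endpoint byte */
                if ((dr->bRequestType & USB_DIR_IN) && uurb->buffer_length) {
                        is_in = 1;
                        uurb->endpoint |= USB_DIR_IN;
                } else {
                        is_in = 0;
                        uurb->endpoint &= ~USB_DIR_IN;
                }
                if (!access_ok(is_in ? VERIFY_WRITE : VERIFY_READ,
                                uurb->buffer, uurb->buffer_length)) {
                        kfree(dr);
                        return -EFAULT;
                }
                snoop(&ps->dev->dev, "control urb: bRequest=%02x "
                        "bRrequestType=%02x wValue=%04x "
                        "wIndex=%04x wLength=%04x\n",
                        dr->bRequest, dr->bRequestType,
                        __le16_to_cpup(&dr->wValue),
                        __le16_to_cpup(&dr->wIndex),
                        __le16_to_cpup(&dr->wLength));
                break;

        case USBDEVFS_URB_TYPE_BULK:
                switch (usb_endpoint_type(&ep->desc)) {
                case USB_ENDPOINT_XFER_CONTROL:
                case USB_ENDPOINT_XFER_ISOC:
                        return -EINVAL;
                /* allow single-shot interrupt transfers, at bogus rates */
                }
                uurb->number_of_packets = 0;
                if (uurb->buffer_length > MAX_USBFS_BUFFER_SIZE)
                        return -EINVAL;
                if (!access_ok(is_in ? VERIFY_WRITE : VERIFY_READ,
                                uurb->buffer, uurb->buffer_length))
                        return -EFAULT;
                snoop(&ps->dev->dev, "bulk urb\n");
                break;

        case USBDEVFS_URB_TYPE_ISO:
                /* arbitrary limit */
                if (uurb->number_of_packets < 1 ||
                    uurb->number_of_packets > 128)
                        return -EINVAL;
                if (!usb_endpoint_xfer_isoc(&ep->desc))
                        return -EINVAL;
                /* bounded by the 128-packet limit above, so this cannot overflow */
                isofrmlen = sizeof(struct usbdevfs_iso_packet_desc) *
                                   uurb->number_of_packets;
                if (!(isopkt = kmalloc(isofrmlen, GFP_KERNEL)))
                        return -ENOMEM;
                if (copy_from_user(isopkt, iso_frame_desc, isofrmlen)) {
                        kfree(isopkt);
                        return -EFAULT;
                }
                for (totlen = u = 0; u < uurb->number_of_packets; u++) {
                        /* arbitrary limit,
                         * sufficient for USB 2.0 high-bandwidth iso */
                        if (isopkt[u].length > 8192) {
                                kfree(isopkt);
                                return -EINVAL;
                        }
                        totlen += isopkt[u].length;
                }
                if (totlen > 32768) {
                        kfree(isopkt);
                        return -EINVAL;
                }
                /* the user's buffer_length is ignored; the packet sum is used */
                uurb->buffer_length = totlen;
                snoop(&ps->dev->dev, "iso urb\n");
                break;

        case USBDEVFS_URB_TYPE_INTERRUPT:
                uurb->number_of_packets = 0;
                if (!usb_endpoint_xfer_int(&ep->desc))
                        return -EINVAL;
                if (uurb->buffer_length > MAX_USBFS_BUFFER_SIZE)
                        return -EINVAL;
                if (!access_ok(is_in ? VERIFY_WRITE : VERIFY_READ,
                                uurb->buffer, uurb->buffer_length))
                        return -EFAULT;
                snoop(&ps->dev->dev, "interrupt urb\n");
                break;

        default:
                return -EINVAL;
        }
        as = alloc_async(uurb->number_of_packets);
        if (!as) {
                kfree(isopkt);
                kfree(dr);
                return -ENOMEM;
        }
        /*
         * For IN transfers the completion path copies the whole transfer
         * buffer back to user space, while the device may fill only part
         * of it.  Allocate those buffers zeroed so the unfilled tail can
         * never expose old kernel heap contents.  OUT buffers are fully
         * overwritten from user space below, so plain kmalloc() suffices.
         */
        if (is_in)
                as->urb->transfer_buffer = kzalloc(uurb->buffer_length,
                                                   GFP_KERNEL);
        else
                as->urb->transfer_buffer = kmalloc(uurb->buffer_length,
                                                   GFP_KERNEL);
        if (!as->urb->transfer_buffer) {
                kfree(isopkt);
                kfree(dr);
                free_async(as);
                return -ENOMEM;
        }
        as->urb->dev = ps->dev;
        as->urb->pipe = (uurb->type << 30) |
                        __create_pipe(ps->dev, uurb->endpoint & 0xf) |
                        (uurb->endpoint & USB_DIR_IN);
        as->urb->transfer_flags = uurb->flags |
                        (is_in ? URB_DIR_IN : URB_DIR_OUT);
        as->urb->transfer_buffer_length = uurb->buffer_length;
        /* dr is owned by the URB from here on (NULL for non-control types) */
        as->urb->setup_packet = (unsigned char *)dr;
        as->urb->start_frame = uurb->start_frame;
        as->urb->number_of_packets = uurb->number_of_packets;
        /*
         * NOTE(review): a bInterval of 0 would make the shift count below
         * negative; presumably descriptor parsing rejects or clamps that
         * value before an endpoint gets here - confirm.
         */
        if (uurb->type == USBDEVFS_URB_TYPE_ISO ||
                        ps->dev->speed == USB_SPEED_HIGH)
                as->urb->interval = 1 << min(15, ep->desc.bInterval - 1);
        else
                as->urb->interval = ep->desc.bInterval;
        as->urb->context = as;
        as->urb->complete = async_completed;
        /* number_of_packets is 0 for every non-ISO type, so isopkt is not read then */
        for (totlen = u = 0; u < uurb->number_of_packets; u++) {
                as->urb->iso_frame_desc[u].offset = totlen;
                as->urb->iso_frame_desc[u].length = isopkt[u].length;
                totlen += isopkt[u].length;
        }
        kfree(isopkt);
        as->ps = ps;
        as->userurb = arg;
        /* only IN transfers have data to hand back on completion */
        if (uurb->endpoint & USB_DIR_IN)
                as->userbuffer = uurb->buffer;
        else
                as->userbuffer = NULL;
        as->signr = uurb->signr;
        as->ifnum = ifnum;
        /* record the submitter's identity for the completion signal */
        as->pid = get_pid(task_pid(current));
        as->uid = current->uid;
        as->euid = current->euid;
        security_task_getsecid(current, &as->secid);
        if (!is_in) {
                if (copy_from_user(as->urb->transfer_buffer, uurb->buffer,
                                as->urb->transfer_buffer_length)) {
                        /* presumably free_async() also releases the buffers - confirm */
                        free_async(as);
                        return -EFAULT;
                }
        }
        snoop_urb(as->urb, as->userurb);
        async_newpending(as);
        if ((ret = usb_submit_urb(as->urb, GFP_KERNEL))) {
                dev_printk(KERN_DEBUG, &ps->dev->dev,
                           "usbfs: usb_submit_urb returned %d\n", ret);
                async_removepending(as);
                free_async(as);
                return ret;
        }
        return 0;
}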
1155 
/*
 * USBDEVFS_SUBMITURB handler: copy the user's URB description into the
 * kernel and hand it to proc_do_submiturb().
 *
 * The ISO descriptor array is passed as a user pointer computed from @arg;
 * it is not dereferenced here.
 *
 * Returns -EFAULT if @arg cannot be read, otherwise the result of
 * proc_do_submiturb().
 */
static int proc_submiturb(struct dev_state *ps, void __user *arg)
{
        struct usbdevfs_urb __user *user_urb = arg;
        struct usbdevfs_urb kurb;

        if (copy_from_user(&kurb, arg, sizeof(kurb)))
                return -EFAULT;

        return proc_do_submiturb(ps, &kurb, user_urb->iso_frame_desc, arg);
}
1167 
/*
 * USBDEVFS_DISCARDURB handler: cancel a URB previously submitted through
 * this file.
 *
 * @arg is used only as a lookup key for async_getpending(); it is not
 * dereferenced here.
 *
 * Returns 0 if a matching pending URB was found and killed, -EINVAL if
 * there is none.
 */
static int proc_unlinkurb(struct dev_state *ps, void __user *arg)
{
        struct async *pending = async_getpending(ps, arg);

        if (pending == NULL)
                return -EINVAL;

        usb_kill_urb(pending->urb);
        return 0;
}
1178 
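/*
 * Deliver the result of a completed URB to user space and release @as.
 *
 * @as:  completed async record; this function consumes it
 * @arg: user location that receives the user's URB pointer
 *
 * Writes back the data buffer (IN transfers only), the status fields and,
 * for isochronous endpoints, the per-packet results, then stores the URB
 * pointer at @arg.
 *
 * The callers in this file drop @as as soon as this function returns, so
 * it is freed on every path, including the -EFAULT ones; otherwise a
 * caller passing unwritable addresses could leak one record per call.
 *
 * Returns 0 on success or -EFAULT if any user write fails.
 */
static int processcompl(struct async *as, void __user * __user *arg)
{
        struct urb *urb = as->urb;
        struct usbdevfs_urb __user *userurb = as->userurb;
        void __user *addr = as->userurb;
        unsigned int i;
        int ret = -EFAULT;

        /*
         * This copies transfer_buffer_length bytes, not actual_length.
         * NOTE(review): on a short IN transfer the tail is whatever the
         * buffer held when it was allocated - confirm the submit path
         * hands out zeroed buffers for IN transfers.
         */
        if (as->userbuffer)
                if (copy_to_user(as->userbuffer, urb->transfer_buffer,
                                 urb->transfer_buffer_length))
                        goto out;
        if (put_user(as->status, &userurb->status))
                goto out;
        if (put_user(urb->actual_length, &userurb->actual_length))
                goto out;
        if (put_user(urb->error_count, &userurb->error_count))
                goto out;

        if (usb_endpoint_xfer_isoc(&urb->ep->desc)) {
                for (i = 0; i < urb->number_of_packets; i++) {
                        if (put_user(urb->iso_frame_desc[i].actual_length,
                                     &userurb->iso_frame_desc[i].actual_length))
                                goto out;
                        if (put_user(urb->iso_frame_desc[i].status,
                                     &userurb->iso_frame_desc[i].status))
                                goto out;
                }
        }

        /* addr was saved above, so it stays valid after as is freed */
        if (put_user(addr, (void __user * __user *)arg))
                goto out;
        ret = 0;
out:
        free_async(as);
        return ret;
}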
1214 
/*
 * Sleep until a completed async record is available on @ps or a signal is
 * pending for the current task.
 *
 * The device lock is dropped around schedule() and retaken afterwards, so
 * the caller must hold it on entry and device state may have changed by
 * the time this returns.  The task state is set to TASK_INTERRUPTIBLE
 * before the completed list is checked, and the wait-queue entry is added
 * before the loop, so a completion arriving between the check and
 * schedule() is not missed.
 *
 * Returns the completed record, or NULL if interrupted by a signal.
 */
static struct async *reap_as(struct dev_state *ps)
{
        struct usb_device *udev = ps->dev;
        struct async *done;
        DECLARE_WAITQUEUE(waiter, current);

        add_wait_queue(&ps->wait, &waiter);
        do {
                __set_current_state(TASK_INTERRUPTIBLE);
                done = async_getcompleted(ps);
                if (done || signal_pending(current))
                        break;
                usb_unlock_device(udev);
                schedule();
                usb_lock_device(udev);
        } while (1);
        remove_wait_queue(&ps->wait, &waiter);
        set_current_state(TASK_RUNNING);

        return done;
}
1237 
/*
 * USBDEVFS_REAPURB handler: block until a URB completes, then deliver it.
 *
 * Returns the result of processcompl() when a URB was reaped, -EINTR if
 * the wait ended because a signal is pending, and -EIO otherwise.
 */
static int proc_reapurb(struct dev_state *ps, void __user *arg)
{
        struct async *done = reap_as(ps);

        if (!done)
                return signal_pending(current) ? -EINTR : -EIO;

        return processcompl(done, (void __user * __user *)arg);
}
1247 
/*
 * USBDEVFS_REAPURBNDELAY handler: deliver a completed URB if one is
 * already available, without sleeping.
 *
 * Returns -EAGAIN when nothing has completed, otherwise the result of
 * processcompl().
 */
static int proc_reapurbnonblock(struct dev_state *ps, void __user *arg)
{
        struct async *done = async_getcompleted(ps);

        if (done == NULL)
                return -EAGAIN;

        return processcompl(done, (void __user * __user *)arg);
}
1256 
1257 #ifdef CONFIG_COMPAT
1258 
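/*
 * Read a 32-bit layout URB description from user space into the native
 * struct usbdevfs_urb.
 *
 * @kurb: kernel structure to fill
 * @uurb: user pointer to the 32-bit layout
 *
 * The two pointer members are stored as 32-bit values in the compat
 * layout and are widened with compat_ptr().
 *
 * Returns 0 on success or -EFAULT if the user structure is not readable.
 */
static int get_urb32(struct usbdevfs_urb *kurb,
                     struct usbdevfs_urb32 __user *uurb)
{
        __u32  uptr;

        /*
         * __get_user() performs no range check of its own, so validate the
         * whole structure once up front rather than relying on a check of
         * the first member only.
         */
        if (!access_ok(VERIFY_READ, uurb, sizeof(*uurb)) ||
            __get_user(kurb->type, &uurb->type) ||
            __get_user(kurb->endpoint, &uurb->endpoint) ||
            __get_user(kurb->status, &uurb->status) ||
            __get_user(kurb->flags, &uurb->flags) ||
            __get_user(kurb->buffer_length, &uurb->buffer_length) ||
            __get_user(kurb->actual_length, &uurb->actual_length) ||
            __get_user(kurb->start_frame, &uurb->start_frame) ||
            __get_user(kurb->number_of_packets, &uurb->number_of_packets) ||
            __get_user(kurb->error_count, &uurb->error_count) ||
            __get_user(kurb->signr, &uurb->signr))
                return -EFAULT;

        if (__get_user(uptr, &uurb->buffer))
                return -EFAULT;
        kurb->buffer = compat_ptr(uptr);

        /* read the context from its own member, not from buffer a second time */
        if (__get_user(uptr, &uurb->usercontext))
                return -EFAULT;
        kurb->usercontext = compat_ptr(uptr);

        return 0;
}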
1284 
/*
 * USBDEVFS_SUBMITURB32 handler: convert a 32-bit layout URB description
 * with get_urb32() and hand it to proc_do_submiturb().
 *
 * The ISO descriptor array is passed as a user pointer computed from @arg;
 * it is not dereferenced here.
 *
 * Returns -EFAULT if the conversion fails, otherwise the result of
 * proc_do_submiturb().
 */
static int proc_submiturb_compat(struct dev_state *ps, void __user *arg)
{
        struct usbdevfs_urb32 __user *user_urb32 = arg;
        struct usbdevfs_urb kurb;

        if (get_urb32(&kurb, user_urb32))
                return -EFAULT;

        return proc_do_submiturb(ps, &kurb, user_urb32->iso_frame_desc, arg);
}
1296 
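/*
 * 32-bit layout counterpart of processcompl(): deliver the result of a
 * completed URB to a compat caller and release @as.
 *
 * @as:  completed async record; this function consumes it
 * @arg: user location that receives the URB pointer as a 32-bit value
 *
 * The callers in this file drop @as as soon as this function returns, so
 * it is freed on every path, including the -EFAULT ones; otherwise a
 * caller passing unwritable addresses could leak one record per call.
 *
 * Returns 0 on success or -EFAULT if any user write fails.
 */
static int processcompl_compat(struct async *as, void __user * __user *arg)
{
        struct urb *urb = as->urb;
        struct usbdevfs_urb32 __user *userurb = as->userurb;
        void __user *addr = as->userurb;
        unsigned int i;
        int ret = -EFAULT;

        /*
         * This copies transfer_buffer_length bytes, not actual_length.
         * NOTE(review): on a short IN transfer the tail is whatever the
         * buffer held when it was allocated - confirm the submit path
         * hands out zeroed buffers for IN transfers.
         */
        if (as->userbuffer)
                if (copy_to_user(as->userbuffer, urb->transfer_buffer,
                                 urb->transfer_buffer_length))
                        goto out;
        if (put_user(as->status, &userurb->status))
                goto out;
        if (put_user(urb->actual_length, &userurb->actual_length))
                goto out;
        if (put_user(urb->error_count, &userurb->error_count))
                goto out;

        if (usb_endpoint_xfer_isoc(&urb->ep->desc)) {
                for (i = 0; i < urb->number_of_packets; i++) {
                        if (put_user(urb->iso_frame_desc[i].actual_length,
                                     &userurb->iso_frame_desc[i].actual_length))
                                goto out;
                        if (put_user(urb->iso_frame_desc[i].status,
                                     &userurb->iso_frame_desc[i].status))
                                goto out;
                }
        }

        /* addr was saved above, so it stays valid after as is freed */
        if (put_user(ptr_to_compat(addr), (u32 __user *)arg))
                goto out;
        ret = 0;
out:
        free_async(as);
        return ret;
}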
1331 
/*
 * USBDEVFS_REAPURB32 handler: block until a URB completes, then deliver
 * it in the 32-bit layout.
 *
 * Returns the result of processcompl_compat() when a URB was reaped,
 * -EINTR if the wait ended because a signal is pending, and -EIO
 * otherwise.
 */
static int proc_reapurb_compat(struct dev_state *ps, void __user *arg)
{
        struct async *done = reap_as(ps);

        if (!done)
                return signal_pending(current) ? -EINTR : -EIO;

        return processcompl_compat(done, (void __user * __user *)arg);
}
1341 
/*
 * USBDEVFS_REAPURBNDELAY32 handler: deliver a completed URB in the 32-bit
 * layout if one is already available, without sleeping.
 *
 * Returns -EAGAIN when nothing has completed, otherwise the result of
 * processcompl_compat().
 */
static int proc_reapurbnonblock_compat(struct dev_state *ps, void __user *arg)
{
        struct async *done = async_getcompleted(ps);

        if (done == NULL)
                return -EAGAIN;

        return processcompl_compat(done, (void __user * __user *)arg);
}
1350 
1351 #endif
1352 
/*
 * USBDEVFS_DISCSIGNAL handler: record which signal (and context value)
 * should be associated with disconnection of this device.
 *
 * A signal number of 0 is accepted as-is; any other value must lie in the
 * real-time range SIGRTMIN..SIGRTMAX, so user space cannot select an
 * arbitrary standard signal here.
 *
 * Returns 0 on success, -EFAULT if @arg cannot be read, or -EINVAL for a
 * signal number outside the permitted range.
 */
static int proc_disconnectsignal(struct dev_state *ps, void __user *arg)
{
        struct usbdevfs_disconnectsignal req;

        if (copy_from_user(&req, arg, sizeof(req)))
                return -EFAULT;

        if (req.signr != 0) {
                if (req.signr < SIGRTMIN || req.signr > SIGRTMAX)
                        return -EINVAL;
        }

        ps->discsignr = req.signr;
        ps->disccontext = req.context;
        return 0;
}
1365 
/*
 * USBDEVFS_CLAIMINTERFACE handler: read an interface number from user
 * space and claim it through claimintf(), which does the validation.
 *
 * Returns -EFAULT if @arg cannot be read, otherwise the result of
 * claimintf().
 */
static int proc_claiminterface(struct dev_state *ps, void __user *arg)
{
        unsigned int __user *uptr = arg;
        unsigned int iface;

        if (get_user(iface, uptr))
                return -EFAULT;

        return claimintf(ps, iface);
}
1374 
/*
 * USBDEVFS_RELEASEINTERFACE handler: release a previously claimed
 * interface and tear down the async URBs that belong to it.
 *
 * The URBs are only destroyed after releaseintf() has succeeded.
 *
 * Returns 0 on success, -EFAULT if @arg cannot be read, or the negative
 * value reported by releaseintf().
 */
static int proc_releaseinterface(struct dev_state *ps, void __user *arg)
{
        unsigned int iface;
        int err;

        if (get_user(iface, (unsigned int __user *)arg))
                return -EFAULT;

        err = releaseintf(ps, iface);
        if (err < 0)
                return err;

        destroy_async_on_interface(ps, iface);
        return 0;
}
1387 
/*
 * Common backend of USBDEVFS_IOCTL: disconnect or reconnect the kernel
 * driver of an interface, or forward an ioctl to that driver.
 *
 * @ps:  per-open usbfs state
 * @ctl: kernel copy of the request; ioctl_code, ifno and data all
 *       originate from user space
 *
 * The bounce buffer size is taken from the size field encoded in the
 * user-supplied ioctl code.  The buffer is filled from user space when the
 * code has the write direction bit and zeroed otherwise, so a driver that
 * writes less than the full size does not hand stale heap bytes back when
 * the buffer is copied out.
 *
 * Returns the driver's or helper's result, -ENOMEM, -EFAULT, -ENODEV if
 * the device is gone, -EHOSTUNREACH if it is not configured, -EINVAL for
 * an unknown interface, or -ENOTTY if no driver handles the code.
 */
static int proc_ioctl(struct dev_state *ps, struct usbdevfs_ioctl *ctl)
{
        struct usb_interface    *intf = NULL;
        struct usb_driver       *driver = NULL;
        void                    *buf = NULL;
        int                     retval = 0;
        int                     size;

        /* alloc buffer */
        size = _IOC_SIZE(ctl->ioctl_code);
        if (size > 0) {
                buf = kmalloc(size, GFP_KERNEL);
                if (buf == NULL)
                        return -ENOMEM;

                if (_IOC_DIR(ctl->ioctl_code) & _IOC_WRITE) {
                        if (copy_from_user(buf, ctl->data, size)) {
                                kfree(buf);
                                return -EFAULT;
                        }
                } else {
                        memset(buf, 0, size);
                }
        }

        if (!connected(ps)) {
                kfree(buf);
                return -ENODEV;
        }

        if (ps->dev->state != USB_STATE_CONFIGURED) {
                retval = -EHOSTUNREACH;
                goto out;
        }

        intf = usb_ifnum_to_if(ps->dev, ctl->ifno);
        if (!intf) {
                retval = -EINVAL;
                goto out;
        }

        switch (ctl->ioctl_code) {

        /* disconnect kernel driver from interface */
        case USBDEVFS_DISCONNECT:
                if (!intf->dev.driver) {
                        retval = -ENODATA;
                        break;
                }
                driver = to_usb_driver(intf->dev.driver);
                dev_dbg(&intf->dev, "disconnect by usbfs\n");
                usb_driver_release_interface(driver, intf);
                break;

        /* let kernel drivers try to (re)bind to the interface */
        case USBDEVFS_CONNECT:
                if (intf->dev.driver)
                        retval = -EBUSY;
                else
                        retval = device_attach(&intf->dev);
                break;

        /* talk directly to the interface's driver */
        default:
                if (intf->dev.driver)
                        driver = to_usb_driver(intf->dev.driver);
                if (driver == NULL || driver->ioctl == NULL) {
                        retval = -ENOTTY;
                        break;
                }
                retval = driver->ioctl(intf, ctl->ioctl_code, buf);
                if (retval == -ENOIOCTLCMD)
                        retval = -ENOTTY;
                break;
        }

        /* copy the result out only on success and only for read-direction codes */
        if (retval >= 0
                        && (_IOC_DIR(ctl->ioctl_code) & _IOC_READ) != 0
                        && size > 0
                        && copy_to_user(ctl->data, buf, size) != 0)
                retval = -EFAULT;

out:
        /* cleanup and return */
        kfree(buf);
        return retval;
}
1462 
/*
 * USBDEVFS_IOCTL handler for native callers: copy the request structure
 * in from user space and pass it to proc_ioctl().
 *
 * Returns -EFAULT if @arg cannot be read, otherwise the result of
 * proc_ioctl().
 */
static int proc_ioctl_default(struct dev_state *ps, void __user *arg)
{
        struct usbdevfs_ioctl   req;

        if (copy_from_user(&req, arg, sizeof(req)))
                return -EFAULT;

        return proc_ioctl(ps, &req);
}
1471 
1472 #ifdef CONFIG_COMPAT
/*
 * USBDEVFS_IOCTL32 handler: read a 32-bit layout request member by member,
 * widen its data pointer with compat_ptr(), and pass the native structure
 * to proc_ioctl().
 *
 * Returns -EFAULT if any member cannot be read, otherwise the result of
 * proc_ioctl().
 */
static int proc_ioctl_compat(struct dev_state *ps, compat_uptr_t arg)
{
        struct usbdevfs_ioctl32 __user *user_req = compat_ptr((long)arg);
        struct usbdevfs_ioctl req;
        u32 data32;

        if (get_user(req.ifno, &user_req->ifno))
                return -EFAULT;
        if (get_user(req.ioctl_code, &user_req->ioctl_code))
                return -EFAULT;
        if (__get_user(data32, &user_req->data))
                return -EFAULT;

        req.data = compat_ptr(data32);

        return proc_ioctl(ps, &req);
}
1488 #endif
1489 
1490 /*
1491  * NOTE:  All requests here that have interface numbers as parameters
1492  * are assuming that somehow the configuration has been prevented from
1493  * changing.  But there's no mechanism to ensure that...
1494  */
/*
 * ioctl entry point for usbfs device files: dispatch @cmd to the matching
 * proc_*() handler.
 *
 * Access control done here: the file must have been opened for writing
 * (-EPERM otherwise), and the device must still be connected (-ENODEV).
 * The device lock is held across the dispatch; the blocking reap handlers
 * release and retake it while they sleep.
 *
 * A command that matches no case leaves the initial -ENOTTY in place.
 * The inode's mtime is updated after the transfer-type commands succeed
 * and its atime after any command succeeds.
 */
static int usbdev_ioctl(struct inode *inode, struct file *file,
                        unsigned int cmd, unsigned long arg)
{
        struct dev_state *state = file->private_data;
        struct usb_device *udev = state->dev;
        void __user *uarg = (void __user *)arg;
        int rc = -ENOTTY;

        if (!(file->f_mode & FMODE_WRITE))
                return -EPERM;
        usb_lock_device(udev);
        if (!connected(state)) {
                usb_unlock_device(udev);
                return -ENODEV;
        }

        switch (cmd) {
        case USBDEVFS_CONTROL:
                snoop(&udev->dev, "%s: CONTROL\n", __FUNCTION__);
                rc = proc_control(state, uarg);
                if (rc >= 0)
                        inode->i_mtime = CURRENT_TIME;
                break;

        case USBDEVFS_BULK:
                snoop(&udev->dev, "%s: BULK\n", __FUNCTION__);
                rc = proc_bulk(state, uarg);
                if (rc >= 0)
                        inode->i_mtime = CURRENT_TIME;
                break;

        case USBDEVFS_RESETEP:
                snoop(&udev->dev, "%s: RESETEP\n", __FUNCTION__);
                rc = proc_resetep(state, uarg);
                if (rc >= 0)
                        inode->i_mtime = CURRENT_TIME;
                break;

        case USBDEVFS_RESET:
                snoop(&udev->dev, "%s: RESET\n", __FUNCTION__);
                rc = proc_resetdevice(state);
                break;

        case USBDEVFS_CLEAR_HALT:
                snoop(&udev->dev, "%s: CLEAR_HALT\n", __FUNCTION__);
                rc = proc_clearhalt(state, uarg);
                if (rc >= 0)
                        inode->i_mtime = CURRENT_TIME;
                break;

        case USBDEVFS_GETDRIVER:
                snoop(&udev->dev, "%s: GETDRIVER\n", __FUNCTION__);
                rc = proc_getdriver(state, uarg);
                break;

        case USBDEVFS_CONNECTINFO:
                snoop(&udev->dev, "%s: CONNECTINFO\n", __FUNCTION__);
                rc = proc_connectinfo(state, uarg);
                break;

        case USBDEVFS_SETINTERFACE:
                snoop(&udev->dev, "%s: SETINTERFACE\n", __FUNCTION__);
                rc = proc_setintf(state, uarg);
                break;

        case USBDEVFS_SETCONFIGURATION:
                snoop(&udev->dev, "%s: SETCONFIGURATION\n", __FUNCTION__);
                rc = proc_setconfig(state, uarg);
                break;

        case USBDEVFS_SUBMITURB:
                snoop(&udev->dev, "%s: SUBMITURB\n", __FUNCTION__);
                rc = proc_submiturb(state, uarg);
                if (rc >= 0)
                        inode->i_mtime = CURRENT_TIME;
                break;

#ifdef CONFIG_COMPAT

        /* 32-bit layout variants of the URB and ioctl requests */
        case USBDEVFS_SUBMITURB32:
                snoop(&udev->dev, "%s: SUBMITURB32\n", __FUNCTION__);
                rc = proc_submiturb_compat(state, uarg);
                if (rc >= 0)
                        inode->i_mtime = CURRENT_TIME;
                break;

        case USBDEVFS_REAPURB32:
                snoop(&udev->dev, "%s: REAPURB32\n", __FUNCTION__);
                rc = proc_reapurb_compat(state, uarg);
                break;

        case USBDEVFS_REAPURBNDELAY32:
                snoop(&udev->dev, "%s: REAPURBDELAY32\n", __FUNCTION__);
                rc = proc_reapurbnonblock_compat(state, uarg);
                break;

        case USBDEVFS_IOCTL32:
                snoop(&udev->dev, "%s: IOCTL\n", __FUNCTION__);
                rc = proc_ioctl_compat(state, ptr_to_compat(uarg));
                break;
#endif

        case USBDEVFS_DISCARDURB:
                snoop(&udev->dev, "%s: DISCARDURB\n", __FUNCTION__);
                rc = proc_unlinkurb(state, uarg);
                break;

        case USBDEVFS_REAPURB:
                snoop(&udev->dev, "%s: REAPURB\n", __FUNCTION__);
                rc = proc_reapurb(state, uarg);
                break;

        case USBDEVFS_REAPURBNDELAY:
                snoop(&udev->dev, "%s: REAPURBDELAY\n", __FUNCTION__);
                rc = proc_reapurbnonblock(state, uarg);
                break;

        case USBDEVFS_DISCSIGNAL:
                snoop(&udev->dev, "%s: DISCSIGNAL\n", __FUNCTION__);
                rc = proc_disconnectsignal(state, uarg);
                break;

        case USBDEVFS_CLAIMINTERFACE:
                snoop(&udev->dev, "%s: CLAIMINTERFACE\n", __FUNCTION__);
                rc = proc_claiminterface(state, uarg);
                break;

        case USBDEVFS_RELEASEINTERFACE:
                snoop(&udev->dev, "%s: RELEASEINTERFACE\n", __FUNCTION__);
                rc = proc_releaseinterface(state, uarg);
                break;

        case USBDEVFS_IOCTL:
                snoop(&udev->dev, "%s: IOCTL\n", __FUNCTION__);
                rc = proc_ioctl_default(state, uarg);
                break;
        }
        usb_unlock_device(udev);
        if (rc >= 0)
                inode->i_atime = CURRENT_TIME;
        return rc;
}
1637 
1638 /* No kernel lock - fine */
/*
 * poll() entry point for usbfs device files.
 *
 * Reports POLLOUT | POLLWRNORM when the file was opened for writing and at
 * least one URB has completed, and POLLERR | POLLHUP once the device is no
 * longer connected.
 */
static unsigned int usbdev_poll(struct file *file,
                                struct poll_table_struct *wait)
{
        struct dev_state *state = file->private_data;
        unsigned int events = 0;
        int writable = (file->f_mode & FMODE_WRITE) != 0;

        poll_wait(file, &state->wait, wait);

        if (writable && !list_empty(&state->async_completed))
                events |= POLLOUT | POLLWRNORM;
        if (!connected(state))
                events |= POLLERR | POLLHUP;

        return events;
}
1652 
/*
 * File operations behind every usbfs device node and, through
 * usb_device_cdev, every usb_device character device minor.
 * No .write member is set in this table.
 */
const struct file_operations usbdev_file_operations = {
        .owner = THIS_MODULE,

        /* lifetime of a per-open dev_state */
        .open = usbdev_open,
        .release = usbdev_release,

        /* data and control paths */
        .llseek = usbdev_lseek,
        .read = usbdev_read,
        .ioctl = usbdev_ioctl,
        .poll = usbdev_poll,
};
1662 
1663 #ifdef CONFIG_USB_DEVICE_CLASS
/* "usb_device" class; created in usb_devio_init(), NULL if creation failed. */
static struct class *usb_classdev_class;
1665 
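/*
 * Create the "usbdev<bus>.<dev>" class device for a USB device.
 *
 * The minor is (busnum - 1) * 128 + (devnum - 1) under USB_DEVICE_MAJOR.
 * Returns 0 on success, or the negative errno carried by the error
 * pointer that device_create() returned.
 *
 * dev->usb_classdev is written only on success, so a failed creation
 * never leaves an ERR_PTR value in the structure where later code could
 * pass it to the driver core as if it were a live device.
 *
 * NOTE(review): minor is not range-checked against the region that
 * usb_devio_init() registers; presumably busnum/devnum are bounded by
 * the USB core - confirm.
 */
static int usb_classdev_add(struct usb_device *dev)
{
        struct device *cldev;
        int minor = ((dev->bus->busnum-1) * 128) + (dev->devnum-1);

        cldev = device_create(usb_classdev_class, &dev->dev,
                                MKDEV(USB_DEVICE_MAJOR, minor),
                                "usbdev%d.%d", dev->bus->busnum, dev->devnum);
        if (IS_ERR(cldev))
                return PTR_ERR(cldev);

        dev->usb_classdev = cldev;
        return 0;
}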
1678 
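/*
 * Unregister the class device attached to a USB device, if there is one.
 *
 * dev->usb_classdev may be NULL or hold an ERR_PTR value when class
 * device creation failed for this device; handing either to
 * device_unregister() would dereference an invalid pointer, so such
 * values are skipped.
 */
static void usb_classdev_remove(struct usb_device *dev)
{
        if (!dev->usb_classdev || IS_ERR(dev->usb_classdev))
                return;

        device_unregister(dev->usb_classdev);
}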
1683 
/*
 * USB notifier callback that mirrors device add/remove events into the
 * usb_device class.
 *
 * Returns NOTIFY_BAD when the class device for an added USB device
 * cannot be created, NOTIFY_OK otherwise (including for actions this
 * callback does not handle).
 */
static int usb_classdev_notify(struct notifier_block *self,
                               unsigned long action, void *dev)
{
        if (action == USB_DEVICE_ADD) {
                if (usb_classdev_add(dev) != 0)
                        return NOTIFY_BAD;
        } else if (action == USB_DEVICE_REMOVE) {
                usb_classdev_remove(dev);
        }

        return NOTIFY_OK;
}
1698 
/* Notifier block registered in usb_devio_init(), removed in usb_devio_cleanup(). */
static struct notifier_block usbdev_nb = {
        .notifier_call =        usb_classdev_notify,
};
1702 #endif
1703 
/* Character device bound to usbdev_file_operations in usb_devio_init(). */
static struct cdev usb_device_cdev;
1705 
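/*
 * Set up the usb_device character devices.
 *
 * Registers the USB_DEVICE_DEV region (USB_DEVICE_MAX minors), adds the
 * cdev that routes those minors to usbdev_file_operations and, with
 * CONFIG_USB_DEVICE_CLASS, creates the "usb_device" class and registers
 * the notifier that populates it.
 *
 * Returns 0 on success or a negative errno.  On failure everything set
 * up so far is undone, including the chrdev region when class creation
 * fails, so a failed init leaves no registration behind.
 */
int __init usb_devio_init(void)
{
        int retval;

        retval = register_chrdev_region(USB_DEVICE_DEV, USB_DEVICE_MAX,
                                        "usb_device");
        if (retval) {
                err("unable to register minors for usb_device");
                goto out;
        }
        cdev_init(&usb_device_cdev, &usbdev_file_operations);
        retval = cdev_add(&usb_device_cdev, USB_DEVICE_DEV, USB_DEVICE_MAX);
        if (retval) {
                err("unable to get usb_device major %d", USB_DEVICE_MAJOR);
                goto error_cdev;
        }
#ifdef CONFIG_USB_DEVICE_CLASS
        usb_classdev_class = class_create(THIS_MODULE, "usb_device");
        if (IS_ERR(usb_classdev_class)) {
                err("unable to register usb_device class");
                retval = PTR_ERR(usb_classdev_class);
                cdev_del(&usb_device_cdev);
                /* Do not keep an error pointer in the global. */
                usb_classdev_class = NULL;
                /* The chrdev region is still held; release it too. */
                goto error_cdev;
        }

        usb_register_notify(&usbdev_nb);
#endif
out:
        return retval;

error_cdev:
        unregister_chrdev_region(USB_DEVICE_DEV, USB_DEVICE_MAX);
        goto out;
}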
1741 
/*
 * Undo usb_devio_init(), in the reverse of its setup order: notifier,
 * class (both only with CONFIG_USB_DEVICE_CLASS), cdev, then the chrdev
 * region.
 */
void usb_devio_cleanup(void)
{
#ifdef CONFIG_USB_DEVICE_CLASS
        /* Stop add/remove callbacks before the class they use is destroyed. */
        usb_unregister_notify(&usbdev_nb);
        class_destroy(usb_classdev_class);
#endif
        cdev_del(&usb_device_cdev);
        unregister_chrdev_region(USB_DEVICE_DEV, USB_DEVICE_MAX);
}
1751 