drivers/usb/core/devio.c

   1 /*****************************************************************************/
   2
   3 /*
   4  *      devio.c  --  User space communication with USB devices.
   5  *
   6  *      Copyright (C) 1999-2000  Thomas Sailer (sailer@ife.ee.ethz.ch)
   7  *
   8  *      This program is free software; you can redistribute it and/or modify
   9  *      it under the terms of the GNU General Public License as published by
  10  *      the Free Software Foundation; either version 2 of the License, or
  11  *      (at your option) any later version.
  12  *
  13  *      This program is distributed in the hope that it will be useful,
  14  *      but WITHOUT ANY WARRANTY; without even the implied warranty of
  15  *      MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16  *      GNU General Public License for more details.
  17  *
  18  *      You should have received a copy of the GNU General Public License
  19  *      along with this program; if not, write to the Free Software
  20  *      Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  21  *
  22  *  This file implements the usbfs/x/y files, where
  23  *  x is the bus number and y the device number.
  24  *
  25  *  It allows user space programs/"drivers" to communicate directly
  26  *  with USB devices without intervening kernel driver.
  27  *
  28  *  Revision history
  29  *    22.12.1999   0.1   Initial release (split from proc_usb.c)
  30  *    04.01.2000   0.2   Turned into its own filesystem
  31  *    30.09.2005   0.3   Fix user-triggerable oops in async URB delivery
  32  *                       (CAN-2005-3055)
  33  */
  34
  35 /*****************************************************************************/
  36
  37 #include <linux/fs.h>
  38 #include <linux/mm.h>
  39 #include <linux/slab.h>
  40 #include <linux/signal.h>
  41 #include <linux/poll.h>
  42 #include <linux/module.h>
  43 #include <linux/string.h>
  44 #include <linux/usb.h>
  45 #include <linux/usbdevice_fs.h>
  46 #include <linux/usb/hcd.h>      /* for usbcore internals */
  47 #include <linux/cdev.h>
  48 #include <linux/notifier.h>
  49 #include <linux/security.h>
  50 #include <linux/user_namespace.h>
  51 #include <linux/scatterlist.h>
  52 #include <linux/uaccess.h>
  53 #include <linux/dma-mapping.h>
  54 #include <asm/byteorder.h>
  55 #include <linux/moduleparam.h>
  56
  57 #include "usb.h"
  58
  59 #define USB_MAXBUS                      64
  60 #define USB_DEVICE_MAX                  (USB_MAXBUS * 128)
  61 #define USB_SG_SIZE                     16384 /* split-size for large txs */
  62
  63 /* Mutual exclusion for removal, open, and release */
  64 DEFINE_MUTEX(usbfs_mutex);
  65
  66 struct usb_dev_state {
  67         struct list_head list;      /* state list */
  68         struct usb_device *dev;
  69         struct file *file;
  70         spinlock_t lock;            /* protects the async urb lists */
  71         struct list_head async_pending;
  72         struct list_head async_completed;
  73         struct list_head memory_list;
  74         wait_queue_head_t wait;     /* wake up if a request completed */
  75         unsigned int discsignr;
  76         struct pid *disc_pid;
  77         const struct cred *cred;
  78         void __user *disccontext;
  79         unsigned long ifclaimed;
  80         u32 secid;
  81         u32 disabled_bulk_eps;
  82         bool privileges_dropped;
  83         unsigned long interface_allowed_mask;
  84 };
  85
  86 struct usb_memory {
  87         struct list_head memlist;
  88         int vma_use_count;
  89         int urb_use_count;
  90         u32 size;
  91         void *mem;
  92         dma_addr_t dma_handle;
  93         unsigned long vm_start;
  94         struct usb_dev_state *ps;
  95 };
  96
  97 struct async {
  98         struct list_head asynclist;
  99         struct usb_dev_state *ps;
 100         struct pid *pid;
 101         const struct cred *cred;
 102         unsigned int signr;
 103         unsigned int ifnum;
 104         void __user *userbuffer;
 105         void __user *userurb;
 106         struct urb *urb;
 107         struct usb_memory *usbm;
 108         unsigned int mem_usage;
 109         int status;
 110         u32 secid;
 111         u8 bulk_addr;
 112         u8 bulk_status;
 113 };
 114
 115 static bool usbfs_snoop;
 116 module_param(usbfs_snoop, bool, S_IRUGO | S_IWUSR);
 117 MODULE_PARM_DESC(usbfs_snoop, "true to log all usbfs traffic");
 118
 119 static unsigned usbfs_snoop_max = 65536;
 120 module_param(usbfs_snoop_max, uint, S_IRUGO | S_IWUSR);
 121 MODULE_PARM_DESC(usbfs_snoop_max,
 122                 "maximum number of bytes to print while snooping");
 123
 124 #define snoop(dev, format, arg...)                              \
 125         do {                                                    \
 126                 if (usbfs_snoop)                                \
 127                         dev_info(dev, format, ## arg);          \
 128         } while (0)
 129
 130 enum snoop_when {
 131         SUBMIT, COMPLETE
 132 };
 133
 134 #define USB_DEVICE_DEV          MKDEV(USB_DEVICE_MAJOR, 0)
 135
 136 /* Limit on the total amount of memory we can allocate for transfers */
 137 static unsigned usbfs_memory_mb = 16;
 138 module_param(usbfs_memory_mb, uint, 0644);
 139 MODULE_PARM_DESC(usbfs_memory_mb,
 140                 "maximum MB allowed for usbfs buffers (0 = no limit)");
 141
 142 /* Hard limit, necessary to avoid arithmetic overflow */
 143 #define USBFS_XFER_MAX          (UINT_MAX / 2 - 1000000)
 144
 145 static atomic_t usbfs_memory_usage;     /* Total memory currently allocated */
 146
 147 /* Check whether it's okay to allocate more memory for a transfer */
 148 static int usbfs_increase_memory_usage(unsigned amount)
 149 {
 150         unsigned lim;
 151
 152         /*
 153          * Convert usbfs_memory_mb to bytes, avoiding overflows.
 154          * 0 means use the hard limit (effectively unlimited).
 155          */
 156         lim = ACCESS_ONCE(usbfs_memory_mb);
 157         if (lim == 0 || lim > (USBFS_XFER_MAX >> 20))
 158                 lim = USBFS_XFER_MAX;
 159         else
 160                 lim <<= 20;
 161
 162         atomic_add(amount, &usbfs_memory_usage);
 163         if (atomic_read(&usbfs_memory_usage) <= lim)
 164                 return 0;
 165         atomic_sub(amount, &usbfs_memory_usage);
 166         return -ENOMEM;
 167 }
 168
 169 /* Memory for a transfer is being deallocated */
 170 static void usbfs_decrease_memory_usage(unsigned amount)
 171 {
 172         atomic_sub(amount, &usbfs_memory_usage);
 173 }
 174
 175 static int connected(struct usb_dev_state *ps)
 176 {
 177         return (!list_empty(&ps->list) &&
 178                         ps->dev->state != USB_STATE_NOTATTACHED);
 179 }
 180
 181 static void dec_usb_memory_use_count(struct usb_memory *usbm, int *count)
 182 {
 183         struct usb_dev_state *ps = usbm->ps;
 184         unsigned long flags;
 185
 186         spin_lock_irqsave(&ps->lock, flags);
 187         --*count;
 188         if (usbm->urb_use_count == 0 && usbm->vma_use_count == 0) {
 189                 list_del(&usbm->memlist);
 190                 spin_unlock_irqrestore(&ps->lock, flags);
 191
 192                 usb_free_coherent(ps->dev, usbm->size, usbm->mem,
 193                                 usbm->dma_handle);
 194                 usbfs_decrease_memory_usage(
 195                         usbm->size + sizeof(struct usb_memory));
 196                 kfree(usbm);
 197         } else {
 198                 spin_unlock_irqrestore(&ps->lock, flags);
 199         }
 200 }
 201
 202 static void usbdev_vm_open(struct vm_area_struct *vma)
 203 {
 204         struct usb_memory *usbm = vma->vm_private_data;
 205         unsigned long flags;
 206
 207         spin_lock_irqsave(&usbm->ps->lock, flags);
 208         ++usbm->vma_use_count;
 209         spin_unlock_irqrestore(&usbm->ps->lock, flags);
 210 }
 211
 212 static void usbdev_vm_close(struct vm_area_struct *vma)
 213 {
 214         struct usb_memory *usbm = vma->vm_private_data;
 215
 216         dec_usb_memory_use_count(usbm, &usbm->vma_use_count);
 217 }
 218
 219 static struct vm_operations_struct usbdev_vm_ops = {
 220         .open = usbdev_vm_open,
 221         .close = usbdev_vm_close
 222 };
 223
 224 static int usbdev_mmap(struct file *file, struct vm_area_struct *vma)
 225 {
 226         struct usb_memory *usbm = NULL;
 227         struct usb_dev_state *ps = file->private_data;
 228         size_t size = vma->vm_end - vma->vm_start;
 229         void *mem;
 230         unsigned long flags;
 231         dma_addr_t dma_handle;
 232         int ret;
 233
 234         ret = usbfs_increase_memory_usage(size + sizeof(struct usb_memory));
 235         if (ret)
 236                 goto error;
 237
 238         usbm = kzalloc(sizeof(struct usb_memory), GFP_KERNEL);
 239         if (!usbm) {
 240                 ret = -ENOMEM;
 241                 goto error_decrease_mem;
 242         }
 243
 244         mem = usb_alloc_coherent(ps->dev, size, GFP_USER | __GFP_NOWARN,
 245                         &dma_handle);
 246         if (!mem) {
 247                 ret = -ENOMEM;
 248                 goto error_free_usbm;
 249         }
 250
 251         memset(mem, 0, size);
 252
 253         usbm->mem = mem;
 254         usbm->dma_handle = dma_handle;
 255         usbm->size = size;
 256         usbm->ps = ps;
 257         usbm->vm_start = vma->vm_start;
 258         usbm->vma_use_count = 1;
 259         INIT_LIST_HEAD(&usbm->memlist);
 260
 261         if (remap_pfn_range(vma, vma->vm_start,
 262                         virt_to_phys(usbm->mem) >> PAGE_SHIFT,
 263                         size, vma->vm_page_prot) < 0) {
 264                 dec_usb_memory_use_count(usbm, &usbm->vma_use_count);
 265                 return -EAGAIN;
 266         }
 267
 268         vma->vm_flags |= VM_IO;
 269         vma->vm_flags |= (VM_DONTEXPAND | VM_DONTDUMP);
 270         vma->vm_ops = &usbdev_vm_ops;
 271         vma->vm_private_data = usbm;
 272
 273         spin_lock_irqsave(&ps->lock, flags);
 274         list_add_tail(&usbm->memlist, &ps->memory_list);
 275         spin_unlock_irqrestore(&ps->lock, flags);
 276
 277         return 0;
 278
 279 error_free_usbm:
 280         kfree(usbm);
 281 error_decrease_mem:
 282         usbfs_decrease_memory_usage(size + sizeof(struct usb_memory));
 283 error:
 284         return ret;
 285 }
 286
 287 static ssize_t usbdev_read(struct file *file, char __user *buf, size_t nbytes,
 288                            loff_t *ppos)
 289 {
 290         struct usb_dev_state *ps = file->private_data;
 291         struct usb_device *dev = ps->dev;
 292         ssize_t ret = 0;
 293         unsigned len;
 294         loff_t pos;
 295         int i;
 296
 297         pos = *ppos;
 298         usb_lock_device(dev);
 299         if (!connected(ps)) {
 300                 ret = -ENODEV;
 301                 goto err;
 302         } else if (pos < 0) {
 303                 ret = -EINVAL;
 304                 goto err;
 305         }
 306
 307         if (pos < sizeof(struct usb_device_descriptor)) {
 308                 /* 18 bytes - fits on the stack */
 309                 struct usb_device_descriptor temp_desc;
 310
 311                 memcpy(&temp_desc, &dev->descriptor, sizeof(dev->descriptor));
 312                 le16_to_cpus(&temp_desc.bcdUSB);
 313                 le16_to_cpus(&temp_desc.idVendor);
 314                 le16_to_cpus(&temp_desc.idProduct);
 315                 le16_to_cpus(&temp_desc.bcdDevice);
 316
 317                 len = sizeof(struct usb_device_descriptor) - pos;
 318                 if (len > nbytes)
 319                         len = nbytes;
 320                 if (copy_to_user(buf, ((char *)&temp_desc) + pos, len)) {
 321                         ret = -EFAULT;
 322                         goto err;
 323                 }
 324
 325                 *ppos += len;
 326                 buf += len;
 327                 nbytes -= len;
 328                 ret += len;
 329         }
 330
 331         pos = sizeof(struct usb_device_descriptor);
 332         for (i = 0; nbytes && i < dev->descriptor.bNumConfigurations; i++) {
 333                 struct usb_config_descriptor *config =
 334                         (struct usb_config_descriptor *)dev->rawdescriptors[i];
 335                 unsigned int length = le16_to_cpu(config->wTotalLength);
 336
 337                 if (*ppos < pos + length) {
 338
 339                         /* The descriptor may claim to be longer than it
 340                          * really is.  Here is the actual allocated length. */
 341                         unsigned alloclen =
 342                                 le16_to_cpu(dev->config[i].desc.wTotalLength);
 343
 344                         len = length - (*ppos - pos);
 345                         if (len > nbytes)
 346                                 len = nbytes;
 347
 348                         /* Simply don't write (skip over) unallocated parts */
 349                         if (alloclen > (*ppos - pos)) {
 350                                 alloclen -= (*ppos - pos);
 351                                 if (copy_to_user(buf,
 352                                     dev->rawdescriptors[i] + (*ppos - pos),
 353                                     min(len, alloclen))) {
 354                                         ret = -EFAULT;
 355                                         goto err;
 356                                 }
 357                         }
 358
 359                         *ppos += len;
 360                         buf += len;
 361                         nbytes -= len;
 362                         ret += len;
 363                 }
 364
 365                 pos += length;
 366         }
 367
 368 err:
 369         usb_unlock_device(dev);
 370         return ret;
 371 }
 372
 373 /*
 374  * async list handling
 375  */
 376
 377 static struct async *alloc_async(unsigned int numisoframes)
 378 {
 379         struct async *as;
 380
 381         as = kzalloc(sizeof(struct async), GFP_KERNEL);
 382         if (!as)
 383                 return NULL;
 384         as->urb = usb_alloc_urb(numisoframes, GFP_KERNEL);
 385         if (!as->urb) {
 386                 kfree(as);
 387                 return NULL;
 388         }
 389         return as;
 390 }
 391
 392 static void free_async(struct async *as)
 393 {
 394         int i;
 395
 396         put_pid(as->pid);
 397         if (as->cred)
 398                 put_cred(as->cred);
 399         for (i = 0; i < as->urb->num_sgs; i++) {
 400                 if (sg_page(&as->urb->sg[i]))
 401                         kfree(sg_virt(&as->urb->sg[i]));
 402         }
 403
 404         kfree(as->urb->sg);
 405         if (as->usbm == NULL)
 406                 kfree(as->urb->transfer_buffer);
 407         else
 408                 dec_usb_memory_use_count(as->usbm, &as->usbm->urb_use_count);
 409
 410         kfree(as->urb->setup_packet);
 411         usb_free_urb(as->urb);
 412         usbfs_decrease_memory_usage(as->mem_usage);
 413         kfree(as);
 414 }
 415
 416 static void async_newpending(struct async *as)
 417 {
 418         struct usb_dev_state *ps = as->ps;
 419         unsigned long flags;
 420
 421         spin_lock_irqsave(&ps->lock, flags);
 422         list_add_tail(&as->asynclist, &ps->async_pending);
 423         spin_unlock_irqrestore(&ps->lock, flags);
 424 }
 425
 426 static void async_removepending(struct async *as)
 427 {
 428         struct usb_dev_state *ps = as->ps;
 429         unsigned long flags;
 430
 431         spin_lock_irqsave(&ps->lock, flags);
 432         list_del_init(&as->asynclist);
 433         spin_unlock_irqrestore(&ps->lock, flags);
 434 }
 435
 436 static struct async *async_getcompleted(struct usb_dev_state *ps)
 437 {
 438         unsigned long flags;
 439         struct async *as = NULL;
 440
 441         spin_lock_irqsave(&ps->lock, flags);
 442         if (!list_empty(&ps->async_completed)) {
 443                 as = list_entry(ps->async_completed.next, struct async,
 444                                 asynclist);
 445                 list_del_init(&as->asynclist);
 446         }
 447         spin_unlock_irqrestore(&ps->lock, flags);
 448         return as;
 449 }
 450
 451 static struct async *async_getpending(struct usb_dev_state *ps,
 452                                              void __user *userurb)
 453 {
 454         struct async *as;
 455
 456         list_for_each_entry(as, &ps->async_pending, asynclist)
 457                 if (as->userurb == userurb) {
 458                         list_del_init(&as->asynclist);
 459                         return as;
 460                 }
 461
 462         return NULL;
 463 }
 464
 465 static void snoop_urb(struct usb_device *udev,
 466                 void __user *userurb, int pipe, unsigned length,
 467                 int timeout_or_status, enum snoop_when when,
 468                 unsigned char *data, unsigned data_len)
 469 {
 470         static const char *types[] = {"isoc", "int", "ctrl", "bulk"};
 471         static const char *dirs[] = {"out", "in"};
 472         int ep;
 473         const char *t, *d;
 474
 475         if (!usbfs_snoop)
 476                 return;
 477
 478         ep = usb_pipeendpoint(pipe);
 479         t = types[usb_pipetype(pipe)];
 480         d = dirs[!!usb_pipein(pipe)];
 481
 482         if (userurb) {          /* Async */
 483                 if (when == SUBMIT)
 484                         dev_info(&udev->dev, "userurb %p, ep%d %s-%s, "
 485                                         "length %u\n",
 486                                         userurb, ep, t, d, length);
 487                 else
 488                         dev_info(&udev->dev, "userurb %p, ep%d %s-%s, "
 489                                         "actual_length %u status %d\n",
 490                                         userurb, ep, t, d, length,
 491                                         timeout_or_status);
 492         } else {
 493                 if (when == SUBMIT)
 494                         dev_info(&udev->dev, "ep%d %s-%s, length %u, "
 495                                         "timeout %d\n",
 496                                         ep, t, d, length, timeout_or_status);
 497                 else
 498                         dev_info(&udev->dev, "ep%d %s-%s, actual_length %u, "
 499                                         "status %d\n",
 500                                         ep, t, d, length, timeout_or_status);
 501         }
 502
 503         data_len = min(data_len, usbfs_snoop_max);
 504         if (data && data_len > 0) {
 505                 print_hex_dump(KERN_DEBUG, "data: ", DUMP_PREFIX_NONE, 32, 1,
 506                         data, data_len, 1);
 507         }
 508 }
 509
 510 static void snoop_urb_data(struct urb *urb, unsigned len)
 511 {
 512         int i, size;
 513
 514         len = min(len, usbfs_snoop_max);
 515         if (!usbfs_snoop || len == 0)
 516                 return;
 517
 518         if (urb->num_sgs == 0) {
 519                 print_hex_dump(KERN_DEBUG, "data: ", DUMP_PREFIX_NONE, 32, 1,
 520                         urb->transfer_buffer, len, 1);
 521                 return;
 522         }
 523
 524         for (i = 0; i < urb->num_sgs && len; i++) {
 525                 size = (len > USB_SG_SIZE) ? USB_SG_SIZE : len;
 526                 print_hex_dump(KERN_DEBUG, "data: ", DUMP_PREFIX_NONE, 32, 1,
 527                         sg_virt(&urb->sg[i]), size, 1);
 528                 len -= size;
 529         }
 530 }
 531
 532 static int copy_urb_data_to_user(u8 __user *userbuffer, struct urb *urb)
 533 {
 534         unsigned i, len, size;
 535
 536         if (urb->number_of_packets > 0)         /* Isochronous */
 537                 len = urb->transfer_buffer_length;
 538         else                                    /* Non-Isoc */
 539                 len = urb->actual_length;
 540
 541         if (urb->num_sgs == 0) {
 542                 if (copy_to_user(userbuffer, urb->transfer_buffer, len))
 543                         return -EFAULT;
 544                 return 0;
 545         }
 546
 547         for (i = 0; i < urb->num_sgs && len; i++) {
 548                 size = (len > USB_SG_SIZE) ? USB_SG_SIZE : len;
 549                 if (copy_to_user(userbuffer, sg_virt(&urb->sg[i]), size))
 550                         return -EFAULT;
 551                 userbuffer += size;
 552                 len -= size;
 553         }
 554
 555         return 0;
 556 }
 557
 558 #define AS_CONTINUATION 1
 559 #define AS_UNLINK       2
 560
 561 static void cancel_bulk_urbs(struct usb_dev_state *ps, unsigned bulk_addr)
 562 __releases(ps->lock)
 563 __acquires(ps->lock)
 564 {
 565         struct urb *urb;
 566         struct async *as;
 567
 568         /* Mark all the pending URBs that match bulk_addr, up to but not
 569          * including the first one without AS_CONTINUATION.  If such an
 570          * URB is encountered then a new transfer has already started so
 571          * the endpoint doesn't need to be disabled; otherwise it does.
 572          */
 573         list_for_each_entry(as, &ps->async_pending, asynclist) {
 574                 if (as->bulk_addr == bulk_addr) {
 575                         if (as->bulk_status != AS_CONTINUATION)
 576                                 goto rescan;
 577                         as->bulk_status = AS_UNLINK;
 578                         as->bulk_addr = 0;
 579                 }
 580         }
 581         ps->disabled_bulk_eps |= (1 << bulk_addr);
 582
 583         /* Now carefully unlink all the marked pending URBs */
 584  rescan:
 585         list_for_each_entry(as, &ps->async_pending, asynclist) {
 586                 if (as->bulk_status == AS_UNLINK) {
 587                         as->bulk_status = 0;            /* Only once */
 588                         urb = as->urb;
 589                         usb_get_urb(urb);
 590                         spin_unlock(&ps->lock);         /* Allow completions */
 591                         usb_unlink_urb(urb);
 592                         usb_put_urb(urb);
 593                         spin_lock(&ps->lock);
 594                         goto rescan;
 595                 }
 596         }
 597 }
 598
 599 static void async_completed(struct urb *urb)
 600 {
 601         struct async *as = urb->context;
 602         struct usb_dev_state *ps = as->ps;
 603         struct siginfo sinfo;
 604         struct pid *pid = NULL;
 605         u32 secid = 0;
 606         const struct cred *cred = NULL;
 607         int signr;
 608
 609         spin_lock(&ps->lock);
 610         list_move_tail(&as->asynclist, &ps->async_completed);
 611         as->status = urb->status;
 612         signr = as->signr;
 613         if (signr) {
 614                 memset(&sinfo, 0, sizeof(sinfo));
 615                 sinfo.si_signo = as->signr;
 616                 sinfo.si_errno = as->status;
 617                 sinfo.si_code = SI_ASYNCIO;
 618                 sinfo.si_addr = as->userurb;
 619                 pid = get_pid(as->pid);
 620                 cred = get_cred(as->cred);
 621                 secid = as->secid;
 622         }
 623         snoop(&urb->dev->dev, "urb complete\n");
 624         snoop_urb(urb->dev, as->userurb, urb->pipe, urb->actual_length,
 625                         as->status, COMPLETE, NULL, 0);
 626         if ((urb->transfer_flags & URB_DIR_MASK) == URB_DIR_IN)
 627                 snoop_urb_data(urb, urb->actual_length);
 628
 629         if (as->status < 0 && as->bulk_addr && as->status != -ECONNRESET &&
 630                         as->status != -ENOENT)
 631                 cancel_bulk_urbs(ps, as->bulk_addr);
 632         spin_unlock(&ps->lock);
 633
 634         if (signr) {
 635                 kill_pid_info_as_cred(sinfo.si_signo, &sinfo, pid, cred, secid);
 636                 put_pid(pid);
 637                 put_cred(cred);
 638         }
 639
 640         wake_up(&ps->wait);
 641 }
 642
 643 static void destroy_async(struct usb_dev_state *ps, struct list_head *list)
 644 {
 645         struct urb *urb;
 646         struct async *as;
 647         unsigned long flags;
 648
 649         spin_lock_irqsave(&ps->lock, flags);
 650         while (!list_empty(list)) {
 651                 as = list_entry(list->next, struct async, asynclist);
 652                 list_del_init(&as->asynclist);
 653                 urb = as->urb;
 654                 usb_get_urb(urb);
 655
 656                 /* drop the spinlock so the completion handler can run */
 657                 spin_unlock_irqrestore(&ps->lock, flags);
 658                 usb_kill_urb(urb);
 659                 usb_put_urb(urb);
 660                 spin_lock_irqsave(&ps->lock, flags);
 661         }
 662         spin_unlock_irqrestore(&ps->lock, flags);
 663 }
 664
 665 static void destroy_async_on_interface(struct usb_dev_state *ps,
 666                                        unsigned int ifnum)
 667 {
 668         struct list_head *p, *q, hitlist;
 669         unsigned long flags;
 670
 671         INIT_LIST_HEAD(&hitlist);
 672         spin_lock_irqsave(&ps->lock, flags);
 673         list_for_each_safe(p, q, &ps->async_pending)
 674                 if (ifnum == list_entry(p, struct async, asynclist)->ifnum)
 675                         list_move_tail(p, &hitlist);
 676         spin_unlock_irqrestore(&ps->lock, flags);
 677         destroy_async(ps, &hitlist);
 678 }
 679
 680 static void destroy_all_async(struct usb_dev_state *ps)
 681 {
 682         destroy_async(ps, &ps->async_pending);
 683 }
 684
 685 /*
 686  * interface claims are made only at the request of user level code,
 687  * which can also release them (explicitly or by closing files).
 688  * they're also undone when devices disconnect.
 689  */
 690
 691 static int driver_probe(struct usb_interface *intf,
 692                         const struct usb_device_id *id)
 693 {
 694         return -ENODEV;
 695 }
 696
 697 static void driver_disconnect(struct usb_interface *intf)
 698 {
 699         struct usb_dev_state *ps = usb_get_intfdata(intf);
 700         unsigned int ifnum = intf->altsetting->desc.bInterfaceNumber;
 701
 702         if (!ps)
 703                 return;
 704
 705         /* NOTE:  this relies on usbcore having canceled and completed
 706          * all pending I/O requests; 2.6 does that.
 707          */
 708
 709         if (likely(ifnum < 8*sizeof(ps->ifclaimed)))
 710                 clear_bit(ifnum, &ps->ifclaimed);
 711         else
 712                 dev_warn(&intf->dev, "interface number %u out of range\n",
 713                          ifnum);
 714
 715         usb_set_intfdata(intf, NULL);
 716
 717         /* force async requests to complete */
 718         destroy_async_on_interface(ps, ifnum);
 719 }
 720
 721 /* The following routines are merely placeholders.  There is no way
 722  * to inform a user task about suspend or resumes.
 723  */
 724 static int driver_suspend(struct usb_interface *intf, pm_message_t msg)
 725 {
 726         return 0;
 727 }
 728
 729 static int driver_resume(struct usb_interface *intf)
 730 {
 731         return 0;
 732 }
 733
 734 struct usb_driver usbfs_driver = {
 735         .name =         "usbfs",
 736         .probe =        driver_probe,
 737         .disconnect =   driver_disconnect,
 738         .suspend =      driver_suspend,
 739         .resume =       driver_resume,
 740 };
 741
 742 static int claimintf(struct usb_dev_state *ps, unsigned int ifnum)
 743 {
 744         struct usb_device *dev = ps->dev;
 745         struct usb_interface *intf;
 746         int err;
 747
 748         if (ifnum >= 8*sizeof(ps->ifclaimed))
 749                 return -EINVAL;
 750         /* already claimed */
 751         if (test_bit(ifnum, &ps->ifclaimed))
 752                 return 0;
 753
 754         if (ps->privileges_dropped &&
 755                         !test_bit(ifnum, &ps->interface_allowed_mask))
 756                 return -EACCES;
 757
 758         intf = usb_ifnum_to_if(dev, ifnum);
 759         if (!intf)
 760                 err = -ENOENT;
 761         else
 762                 err = usb_driver_claim_interface(&usbfs_driver, intf, ps);
 763         if (err == 0)
 764                 set_bit(ifnum, &ps->ifclaimed);
 765         return err;
 766 }
 767
 768 static int releaseintf(struct usb_dev_state *ps, unsigned int ifnum)
 769 {
 770         struct usb_device *dev;
 771         struct usb_interface *intf;
 772         int err;
 773
 774         err = -EINVAL;
 775         if (ifnum >= 8*sizeof(ps->ifclaimed))
 776                 return err;
 777         dev = ps->dev;
 778         intf = usb_ifnum_to_if(dev, ifnum);
 779         if (!intf)
 780                 err = -ENOENT;
 781         else if (test_and_clear_bit(ifnum, &ps->ifclaimed)) {
 782                 usb_driver_release_interface(&usbfs_driver, intf);
 783                 err = 0;
 784         }
 785         return err;
 786 }
 787
 788 static int checkintf(struct usb_dev_state *ps, unsigned int ifnum)
 789 {
 790         if (ps->dev->state != USB_STATE_CONFIGURED)
 791                 return -EHOSTUNREACH;
 792         if (ifnum >= 8*sizeof(ps->ifclaimed))
 793                 return -EINVAL;
 794         if (test_bit(ifnum, &ps->ifclaimed))
 795                 return 0;
 796         /* if not yet claimed, claim it for the driver */
 797         dev_warn(&ps->dev->dev, "usbfs: process %d (%s) did not claim "
 798                  "interface %u before use\n", task_pid_nr(current),
 799                  current->comm, ifnum);
 800         return claimintf(ps, ifnum);
 801 }
 802
 803 static int findintfep(struct usb_device *dev, unsigned int ep)
 804 {
 805         unsigned int i, j, e;
 806         struct usb_interface *intf;
 807         struct usb_host_interface *alts;
 808         struct usb_endpoint_descriptor *endpt;
 809
 810         if (ep & ~(USB_DIR_IN|0xf))
 811                 return -EINVAL;
 812         if (!dev->actconfig)
 813                 return -ESRCH;
 814         for (i = 0; i < dev->actconfig->desc.bNumInterfaces; i++) {
 815                 intf = dev->actconfig->interface[i];
 816                 for (j = 0; j < intf->num_altsetting; j++) {
 817                         alts = &intf->altsetting[j];
 818                         for (e = 0; e < alts->desc.bNumEndpoints; e++) {
 819                                 endpt = &alts->endpoint[e].desc;
 820                                 if (endpt->bEndpointAddress == ep)
 821                                         return alts->desc.bInterfaceNumber;
 822                         }
 823                 }
 824         }
 825         return -ENOENT;
 826 }
 827
 828 static int check_ctrlrecip(struct usb_dev_state *ps, unsigned int requesttype,
 829                            unsigned int request, unsigned int index)
 830 {
 831         int ret = 0;
 832         struct usb_host_interface *alt_setting;
 833
 834         if (ps->dev->state != USB_STATE_UNAUTHENTICATED
 835          && ps->dev->state != USB_STATE_ADDRESS
 836          && ps->dev->state != USB_STATE_CONFIGURED)
 837                 return -EHOSTUNREACH;
 838         if (USB_TYPE_VENDOR == (USB_TYPE_MASK & requesttype))
 839                 return 0;
 840
 841         /*
 842          * check for the special corner case 'get_device_id' in the printer
 843          * class specification, which we always want to allow as it is used
 844          * to query things like ink level, etc.
 845          */
 846         if (requesttype == 0xa1 && request == 0) {
 847                 alt_setting = usb_find_alt_setting(ps->dev->actconfig,
 848                                                    index >> 8, index & 0xff);
 849                 if (alt_setting
 850                  && alt_setting->desc.bInterfaceClass == USB_CLASS_PRINTER)
 851                         return 0;
 852         }
 853
 854         index &= 0xff;
 855         switch (requesttype & USB_RECIP_MASK) {
 856         case USB_RECIP_ENDPOINT:
 857                 if ((index & ~USB_DIR_IN) == 0)
 858                         return 0;
 859                 ret = findintfep(ps->dev, index);
 860                 if (ret < 0) {
 861                         /*
 862                          * Some not fully compliant Win apps seem to get
 863                          * index wrong and have the endpoint number here
 864                          * rather than the endpoint address (with the
 865                          * correct direction). Win does let this through,
 866                          * so we'll not reject it here but leave it to
 867                          * the device to not break KVM. But we warn.
 868                          */
 869                         ret = findintfep(ps->dev, index ^ 0x80);
 870                         if (ret >= 0)
 871                                 dev_info(&ps->dev->dev,
 872                                         "%s: process %i (%s) requesting ep %02x but needs %02x\n",
 873                                         __func__, task_pid_nr(current),
 874                                         current->comm, index, index ^ 0x80);
 875                 }
 876                 if (ret >= 0)
 877                         ret = checkintf(ps, ret);
 878                 break;
 879
 880         case USB_RECIP_INTERFACE:
 881                 ret = checkintf(ps, index);
 882                 break;
 883         }
 884         return ret;
 885 }
 886
 887 static struct usb_host_endpoint *ep_to_host_endpoint(struct usb_device *dev,
 888                                                      unsigned char ep)
 889 {
 890         if (ep & USB_ENDPOINT_DIR_MASK)
 891                 return dev->ep_in[ep & USB_ENDPOINT_NUMBER_MASK];
 892         else
 893                 return dev->ep_out[ep & USB_ENDPOINT_NUMBER_MASK];
 894 }
 895
 896 static int parse_usbdevfs_streams(struct usb_dev_state *ps,
 897                                   struct usbdevfs_streams __user *streams,
 898                                   unsigned int *num_streams_ret,
 899                                   unsigned int *num_eps_ret,
 900                                   struct usb_host_endpoint ***eps_ret,
 901                                   struct usb_interface **intf_ret)
 902 {
 903         unsigned int i, num_streams, num_eps;
 904         struct usb_host_endpoint **eps;
 905         struct usb_interface *intf = NULL;
 906         unsigned char ep;
 907         int ifnum, ret;
 908
 909         if (get_user(num_streams, &streams->num_streams) ||
 910             get_user(num_eps, &streams->num_eps))
 911                 return -EFAULT;
 912
 913         if (num_eps < 1 || num_eps > USB_MAXENDPOINTS)
 914                 return -EINVAL;
 915
 916         /* The XHCI controller allows max 2 ^ 16 streams */
 917         if (num_streams_ret && (num_streams < 2 || num_streams > 65536))
 918                 return -EINVAL;
 919
 920         eps = kmalloc(num_eps * sizeof(*eps), GFP_KERNEL);
 921         if (!eps)
 922                 return -ENOMEM;
 923
 924         for (i = 0; i < num_eps; i++) {
 925                 if (get_user(ep, &streams->eps[i])) {
 926                         ret = -EFAULT;
 927                         goto error;
 928                 }
 929                 eps[i] = ep_to_host_endpoint(ps->dev, ep);
 930                 if (!eps[i]) {
 931                         ret = -EINVAL;
 932                         goto error;
 933                 }
 934
 935                 /* usb_alloc/free_streams operate on an usb_interface */
 936                 ifnum = findintfep(ps->dev, ep);
 937                 if (ifnum < 0) {
 938                         ret = ifnum;
 939                         goto error;
 940                 }
 941
 942                 if (i == 0) {
 943                         ret = checkintf(ps, ifnum);
 944                         if (ret < 0)
 945                                 goto error;
 946                         intf = usb_ifnum_to_if(ps->dev, ifnum);
 947                 } else {
 948                         /* Verify all eps belong to the same interface */
 949                         if (ifnum != intf->altsetting->desc.bInterfaceNumber) {
 950                                 ret = -EINVAL;
 951                                 goto error;
 952                         }
 953                 }
 954         }
 955
 956         if (num_streams_ret)
 957                 *num_streams_ret = num_streams;
 958         *num_eps_ret = num_eps;
 959         *eps_ret = eps;
 960         *intf_ret = intf;
 961
 962         return 0;
 963
 964 error:
 965         kfree(eps);
 966         return ret;
 967 }
 968
 969 static int match_devt(struct device *dev, void *data)
 970 {
 971         return dev->devt == (dev_t) (unsigned long) data;
 972 }
 973
 974 static struct usb_device *usbdev_lookup_by_devt(dev_t devt)
 975 {
 976         struct device *dev;
 977
 978         dev = bus_find_device(&usb_bus_type, NULL,
 979                               (void *) (unsigned long) devt, match_devt);
 980         if (!dev)
 981                 return NULL;
 982         return to_usb_device(dev);
 983 }
 984
 985 /*
 986  * file operations
 987  */
 988 static int usbdev_open(struct inode *inode, struct file *file)
 989 {
 990         struct usb_device *dev = NULL;
 991         struct usb_dev_state *ps;
 992         int ret;
 993
 994         ret = -ENOMEM;
 995         ps = kzalloc(sizeof(struct usb_dev_state), GFP_KERNEL);
 996         if (!ps)
 997                 goto out_free_ps;
 998
 999         ret = -ENODEV;
1000
1001         /* Protect against simultaneous removal or release */
1002         mutex_lock(&usbfs_mutex);
1003
1004         /* usbdev device-node */
1005         if (imajor(inode) == USB_DEVICE_MAJOR)
1006                 dev = usbdev_lookup_by_devt(inode->i_rdev);
1007
1008         mutex_unlock(&usbfs_mutex);
1009
1010         if (!dev)
1011                 goto out_free_ps;
1012
1013         usb_lock_device(dev);
1014         if (dev->state == USB_STATE_NOTATTACHED)
1015                 goto out_unlock_device;
1016
1017         ret = usb_autoresume_device(dev);
1018         if (ret)
1019                 goto out_unlock_device;
1020
1021         ps->dev = dev;
1022         ps->file = file;
1023         ps->interface_allowed_mask = 0xFFFFFFFF; /* 32 bits */
1024         spin_lock_init(&ps->lock);
1025         INIT_LIST_HEAD(&ps->list);
1026         INIT_LIST_HEAD(&ps->async_pending);
1027         INIT_LIST_HEAD(&ps->async_completed);
1028         INIT_LIST_HEAD(&ps->memory_list);
1029         init_waitqueue_head(&ps->wait);
1030         ps->disc_pid = get_pid(task_pid(current));
1031         ps->cred = get_current_cred();
1032         security_task_getsecid(current, &ps->secid);
1033         smp_wmb();
1034         list_add_tail(&ps->list, &dev->filelist);
1035         file->private_data = ps;
1036         usb_unlock_device(dev);
1037         snoop(&dev->dev, "opened by process %d: %s\n", task_pid_nr(current),
1038                         current->comm);
1039         return ret;
1040
1041  out_unlock_device:
1042         usb_unlock_device(dev);
1043         usb_put_dev(dev);
1044  out_free_ps:
1045         kfree(ps);
1046         return ret;
1047 }
1048
1049 static int usbdev_release(struct inode *inode, struct file *file)
1050 {
1051         struct usb_dev_state *ps = file->private_data;
1052         struct usb_device *dev = ps->dev;
1053         unsigned int ifnum;
1054         struct async *as;
1055
1056         usb_lock_device(dev);
1057         usb_hub_release_all_ports(dev, ps);
1058
1059         list_del_init(&ps->list);
1060
1061         for (ifnum = 0; ps->ifclaimed && ifnum < 8*sizeof(ps->ifclaimed);
1062                         ifnum++) {
1063                 if (test_bit(ifnum, &ps->ifclaimed))
1064                         releaseintf(ps, ifnum);
1065         }
1066         destroy_all_async(ps);
1067         usb_autosuspend_device(dev);
1068         usb_unlock_device(dev);
1069         usb_put_dev(dev);
1070         put_pid(ps->disc_pid);
1071         put_cred(ps->cred);
1072
1073         as = async_getcompleted(ps);
1074         while (as) {
1075                 free_async(as);
1076                 as = async_getcompleted(ps);
1077         }
1078
1079         kfree(ps);
1080         return 0;
1081 }
1082
1083 static int proc_control(struct usb_dev_state *ps, void __user *arg)
1084 {
1085         struct usb_device *dev = ps->dev;
1086         struct usbdevfs_ctrltransfer ctrl;
1087         unsigned int tmo;
1088         unsigned char *tbuf;
1089         unsigned wLength;
1090         int i, pipe, ret;
1091
1092         if (copy_from_user(&ctrl, arg, sizeof(ctrl)))
1093                 return -EFAULT;
1094         ret = check_ctrlrecip(ps, ctrl.bRequestType, ctrl.bRequest,
1095                               ctrl.wIndex);
1096         if (ret)
1097                 return ret;
1098         wLength = ctrl.wLength;         /* To suppress 64k PAGE_SIZE warning */
1099         if (wLength > PAGE_SIZE)
1100                 return -EINVAL;
1101         ret = usbfs_increase_memory_usage(PAGE_SIZE + sizeof(struct urb) +
1102                         sizeof(struct usb_ctrlrequest));
1103         if (ret)
1104                 return ret;
1105         tbuf = (unsigned char *)__get_free_page(GFP_KERNEL);
1106         if (!tbuf) {
1107                 ret = -ENOMEM;
1108                 goto done;
1109         }
1110         tmo = ctrl.timeout;
1111         snoop(&dev->dev, "control urb: bRequestType=%02x "
1112                 "bRequest=%02x wValue=%04x "
1113                 "wIndex=%04x wLength=%04x\n",
1114                 ctrl.bRequestType, ctrl.bRequest, ctrl.wValue,
1115                 ctrl.wIndex, ctrl.wLength);
1116         if (ctrl.bRequestType & 0x80) {
1117                 if (ctrl.wLength && !access_ok(VERIFY_WRITE, ctrl.data,
1118                                                ctrl.wLength)) {
1119                         ret = -EINVAL;
1120                         goto done;
1121                 }
1122                 pipe = usb_rcvctrlpipe(dev, 0);
1123                 snoop_urb(dev, NULL, pipe, ctrl.wLength, tmo, SUBMIT, NULL, 0);
1124
1125                 usb_unlock_device(dev);
1126                 i = usb_control_msg(dev, pipe, ctrl.bRequest,
1127                                     ctrl.bRequestType, ctrl.wValue, ctrl.wIndex,
1128                                     tbuf, ctrl.wLength, tmo);
1129                 usb_lock_device(dev);
1130                 snoop_urb(dev, NULL, pipe, max(i, 0), min(i, 0), COMPLETE,
1131                           tbuf, max(i, 0));
1132                 if ((i > 0) && ctrl.wLength) {
1133                         if (copy_to_user(ctrl.data, tbuf, i)) {
1134                                 ret = -EFAULT;
1135                                 goto done;
1136                         }
1137                 }
1138         } else {
1139                 if (ctrl.wLength) {
1140                         if (copy_from_user(tbuf, ctrl.data, ctrl.wLength)) {
1141                                 ret = -EFAULT;
1142                                 goto done;
1143                         }
1144                 }
1145                 pipe = usb_sndctrlpipe(dev, 0);
1146                 snoop_urb(dev, NULL, pipe, ctrl.wLength, tmo, SUBMIT,
1147                         tbuf, ctrl.wLength);
1148
1149                 usb_unlock_device(dev);
1150                 i = usb_control_msg(dev, usb_sndctrlpipe(dev, 0), ctrl.bRequest,
1151                                     ctrl.bRequestType, ctrl.wValue, ctrl.wIndex,
1152                                     tbuf, ctrl.wLength, tmo);
1153                 usb_lock_device(dev);
1154                 snoop_urb(dev, NULL, pipe, max(i, 0), min(i, 0), COMPLETE, NULL, 0);
1155         }
1156         if (i < 0 && i != -EPIPE) {
1157                 dev_printk(KERN_DEBUG, &dev->dev, "usbfs: USBDEVFS_CONTROL "
1158                            "failed cmd %s rqt %u rq %u len %u ret %d\n",
1159                            current->comm, ctrl.bRequestType, ctrl.bRequest,
1160                            ctrl.wLength, i);
1161         }
1162         ret = i;
1163  done:
1164         free_page((unsigned long) tbuf);
1165         usbfs_decrease_memory_usage(PAGE_SIZE + sizeof(struct urb) +
1166                         sizeof(struct usb_ctrlrequest));
1167         return ret;
1168 }
1169
1170 static int proc_bulk(struct usb_dev_state *ps, void __user *arg)
1171 {
1172         struct usb_device *dev = ps->dev;
1173         struct usbdevfs_bulktransfer bulk;
1174         unsigned int tmo, len1, pipe;
1175         int len2;
1176         unsigned char *tbuf;
1177         int i, ret;
1178
1179         if (copy_from_user(&bulk, arg, sizeof(bulk)))
1180                 return -EFAULT;
1181         ret = findintfep(ps->dev, bulk.ep);
1182         if (ret < 0)
1183                 return ret;
1184         ret = checkintf(ps, ret);
1185         if (ret)
1186                 return ret;
1187         if (bulk.ep & USB_DIR_IN)
1188                 pipe = usb_rcvbulkpipe(dev, bulk.ep & 0x7f);
1189         else
1190                 pipe = usb_sndbulkpipe(dev, bulk.ep & 0x7f);
1191         if (!usb_maxpacket(dev, pipe, !(bulk.ep & USB_DIR_IN)))
1192                 return -EINVAL;
1193         len1 = bulk.len;
1194         if (len1 >= USBFS_XFER_MAX)
1195                 return -EINVAL;
1196         ret = usbfs_increase_memory_usage(len1 + sizeof(struct urb));
1197         if (ret)
1198                 return ret;
1199         tbuf = kmalloc(len1, GFP_KERNEL);
1200         if (!tbuf) {
1201                 ret = -ENOMEM;
1202                 goto done;
1203         }
1204         tmo = bulk.timeout;
1205         if (bulk.ep & 0x80) {
1206                 if (len1 && !access_ok(VERIFY_WRITE, bulk.data, len1)) {
1207                         ret = -EINVAL;
1208                         goto done;
1209                 }
1210                 snoop_urb(dev, NULL, pipe, len1, tmo, SUBMIT, NULL, 0);
1211
1212                 usb_unlock_device(dev);
1213                 i = usb_bulk_msg(dev, pipe, tbuf, len1, &len2, tmo);
1214                 usb_lock_device(dev);
1215                 snoop_urb(dev, NULL, pipe, len2, i, COMPLETE, tbuf, len2);
1216
1217                 if (!i && len2) {
1218                         if (copy_to_user(bulk.data, tbuf, len2)) {
1219                                 ret = -EFAULT;
1220                                 goto done;
1221                         }
1222                 }
1223         } else {
1224                 if (len1) {
1225                         if (copy_from_user(tbuf, bulk.data, len1)) {
1226                                 ret = -EFAULT;
1227                                 goto done;
1228                         }
1229                 }
1230                 snoop_urb(dev, NULL, pipe, len1, tmo, SUBMIT, tbuf, len1);
1231
1232                 usb_unlock_device(dev);
1233                 i = usb_bulk_msg(dev, pipe, tbuf, len1, &len2, tmo);
1234                 usb_lock_device(dev);
1235                 snoop_urb(dev, NULL, pipe, len2, i, COMPLETE, NULL, 0);
1236         }
1237         ret = (i < 0 ? i : len2);
1238  done:
1239         kfree(tbuf);
1240         usbfs_decrease_memory_usage(len1 + sizeof(struct urb));
1241         return ret;
1242 }
1243
1244 static void check_reset_of_active_ep(struct usb_device *udev,
1245                 unsigned int epnum, char *ioctl_name)
1246 {
1247         struct usb_host_endpoint **eps;
1248         struct usb_host_endpoint *ep;
1249
1250         eps = (epnum & USB_DIR_IN) ? udev->ep_in : udev->ep_out;
1251         ep = eps[epnum & 0x0f];
1252         if (ep && !list_empty(&ep->urb_list))
1253                 dev_warn(&udev->dev, "Process %d (%s) called USBDEVFS_%s for active endpoint 0x%02x\n",
1254                                 task_pid_nr(current), current->comm,
1255                                 ioctl_name, epnum);
1256 }
1257
1258 static int proc_resetep(struct usb_dev_state *ps, void __user *arg)
1259 {
1260         unsigned int ep;
1261         int ret;
1262
1263         if (get_user(ep, (unsigned int __user *)arg))
1264                 return -EFAULT;
1265         ret = findintfep(ps->dev, ep);
1266         if (ret < 0)
1267                 return ret;
1268         ret = checkintf(ps, ret);
1269         if (ret)
1270                 return ret;
1271         check_reset_of_active_ep(ps->dev, ep, "RESETEP");
1272         usb_reset_endpoint(ps->dev, ep);
1273         return 0;
1274 }
1275
1276 static int proc_clearhalt(struct usb_dev_state *ps, void __user *arg)
1277 {
1278         unsigned int ep;
1279         int pipe;
1280         int ret;
1281
1282         if (get_user(ep, (unsigned int __user *)arg))
1283                 return -EFAULT;
1284         ret = findintfep(ps->dev, ep);
1285         if (ret < 0)
1286                 return ret;
1287         ret = checkintf(ps, ret);
1288         if (ret)
1289                 return ret;
1290         check_reset_of_active_ep(ps->dev, ep, "CLEAR_HALT");
1291         if (ep & USB_DIR_IN)
1292                 pipe = usb_rcvbulkpipe(ps->dev, ep & 0x7f);
1293         else
1294                 pipe = usb_sndbulkpipe(ps->dev, ep & 0x7f);
1295
1296         return usb_clear_halt(ps->dev, pipe);
1297 }
1298
1299 static int proc_getdriver(struct usb_dev_state *ps, void __user *arg)
1300 {
1301         struct usbdevfs_getdriver gd;
1302         struct usb_interface *intf;
1303         int ret;
1304
1305         if (copy_from_user(&gd, arg, sizeof(gd)))
1306                 return -EFAULT;
1307         intf = usb_ifnum_to_if(ps->dev, gd.interface);
1308         if (!intf || !intf->dev.driver)
1309                 ret = -ENODATA;
1310         else {
1311                 strlcpy(gd.driver, intf->dev.driver->name,
1312                                 sizeof(gd.driver));
1313                 ret = (copy_to_user(arg, &gd, sizeof(gd)) ? -EFAULT : 0);
1314         }
1315         return ret;
1316 }
1317
1318 static int proc_connectinfo(struct usb_dev_state *ps, void __user *arg)
1319 {
1320         struct usbdevfs_connectinfo ci;
1321
1322         memset(&ci, 0, sizeof(ci));
1323         ci.devnum = ps->dev->devnum;
1324         ci.slow = ps->dev->speed == USB_SPEED_LOW;
1325
1326         if (copy_to_user(arg, &ci, sizeof(ci)))
1327                 return -EFAULT;
1328         return 0;
1329 }
1330
1331 static int proc_resetdevice(struct usb_dev_state *ps)
1332 {
1333         struct usb_host_config *actconfig = ps->dev->actconfig;
1334         struct usb_interface *interface;
1335         int i, number;
1336
1337         /* Don't allow a device reset if the process has dropped the
1338          * privilege to do such things and any of the interfaces are
1339          * currently claimed.
1340          */
1341         if (ps->privileges_dropped && actconfig) {
1342                 for (i = 0; i < actconfig->desc.bNumInterfaces; ++i) {
1343                         interface = actconfig->interface[i];
1344                         number = interface->cur_altsetting->desc.bInterfaceNumber;
1345                         if (usb_interface_claimed(interface) &&
1346                                         !test_bit(number, &ps->ifclaimed)) {
1347                                 dev_warn(&ps->dev->dev,
1348                                         "usbfs: interface %d claimed by %s while '%s' resets device\n",
1349                                         number, interface->dev.driver->name, current->comm);
1350                                 return -EACCES;
1351                         }
1352                 }
1353         }
1354
1355         return usb_reset_device(ps->dev);
1356 }
1357
1358 static int proc_setintf(struct usb_dev_state *ps, void __user *arg)
1359 {
1360         struct usbdevfs_setinterface setintf;
1361         int ret;
1362
1363         if (copy_from_user(&setintf, arg, sizeof(setintf)))
1364                 return -EFAULT;
1365         ret = checkintf(ps, setintf.interface);
1366         if (ret)
1367                 return ret;
1368
1369         destroy_async_on_interface(ps, setintf.interface);
1370
1371         return usb_set_interface(ps->dev, setintf.interface,
1372                         setintf.altsetting);
1373 }
1374
1375 static int proc_setconfig(struct usb_dev_state *ps, void __user *arg)
1376 {
1377         int u;
1378         int status = 0;
1379         struct usb_host_config *actconfig;
1380
1381         if (get_user(u, (int __user *)arg))
1382                 return -EFAULT;
1383
1384         actconfig = ps->dev->actconfig;
1385
1386         /* Don't touch the device if any interfaces are claimed.
1387          * It could interfere with other drivers' operations, and if
1388          * an interface is claimed by usbfs it could easily deadlock.
1389          */
1390         if (actconfig) {
1391                 int i;
1392
1393                 for (i = 0; i < actconfig->desc.bNumInterfaces; ++i) {
1394                         if (usb_interface_claimed(actconfig->interface[i])) {
1395                                 dev_warn(&ps->dev->dev,
1396                                         "usbfs: interface %d claimed by %s "
1397                                         "while '%s' sets config #%d\n",
1398                                         actconfig->interface[i]
1399                                                 ->cur_altsetting
1400                                                 ->desc.bInterfaceNumber,
1401                                         actconfig->interface[i]
1402                                                 ->dev.driver->name,
1403                                         current->comm, u);
1404                                 status = -EBUSY;
1405                                 break;
1406                         }
1407                 }
1408         }
1409
1410         /* SET_CONFIGURATION is often abused as a "cheap" driver reset,
1411          * so avoid usb_set_configuration()'s kick to sysfs
1412          */
1413         if (status == 0) {
1414                 if (actconfig && actconfig->desc.bConfigurationValue == u)
1415                         status = usb_reset_configuration(ps->dev);
1416                 else
1417                         status = usb_set_configuration(ps->dev, u);
1418         }
1419
1420         return status;
1421 }
1422
1423 static struct usb_memory *
1424 find_memory_area(struct usb_dev_state *ps, const struct usbdevfs_urb *uurb)
1425 {
1426         struct usb_memory *usbm = NULL, *iter;
1427         unsigned long flags;
1428         unsigned long uurb_start = (unsigned long)uurb->buffer;
1429
1430         spin_lock_irqsave(&ps->lock, flags);
1431         list_for_each_entry(iter, &ps->memory_list, memlist) {
1432                 if (uurb_start >= iter->vm_start &&
1433                                 uurb_start < iter->vm_start + iter->size) {
1434                         if (uurb->buffer_length > iter->vm_start + iter->size -
1435                                         uurb_start) {
1436                                 usbm = ERR_PTR(-EINVAL);
1437                         } else {
1438                                 usbm = iter;
1439                                 usbm->urb_use_count++;
1440                         }
1441                         break;
1442                 }
1443         }
1444         spin_unlock_irqrestore(&ps->lock, flags);
1445         return usbm;
1446 }
1447
1448 static int proc_do_submiturb(struct usb_dev_state *ps, struct usbdevfs_urb *uurb,
1449                         struct usbdevfs_iso_packet_desc __user *iso_frame_desc,
1450                         void __user *arg)
1451 {
1452         struct usbdevfs_iso_packet_desc *isopkt = NULL;
1453         struct usb_host_endpoint *ep;
1454         struct async *as = NULL;
1455         struct usb_ctrlrequest *dr = NULL;
1456         unsigned int u, totlen, isofrmlen;
1457         int i, ret, is_in, num_sgs = 0, ifnum = -1;
1458         int number_of_packets = 0;
1459         unsigned int stream_id = 0;
1460         void *buf;
1461
1462         if (uurb->flags & ~(USBDEVFS_URB_ISO_ASAP |
1463                                 USBDEVFS_URB_SHORT_NOT_OK |
1464                                 USBDEVFS_URB_BULK_CONTINUATION |
1465                                 USBDEVFS_URB_NO_FSBR |
1466                                 USBDEVFS_URB_ZERO_PACKET |
1467                                 USBDEVFS_URB_NO_INTERRUPT))
1468                 return -EINVAL;
1469         if (uurb->buffer_length > 0 && !uurb->buffer)
1470                 return -EINVAL;
1471         if (!(uurb->type == USBDEVFS_URB_TYPE_CONTROL &&
1472             (uurb->endpoint & ~USB_ENDPOINT_DIR_MASK) == 0)) {
1473                 ifnum = findintfep(ps->dev, uurb->endpoint);
1474                 if (ifnum < 0)
1475                         return ifnum;
1476                 ret = checkintf(ps, ifnum);
1477                 if (ret)
1478                         return ret;
1479         }
1480         ep = ep_to_host_endpoint(ps->dev, uurb->endpoint);
1481         if (!ep)
1482                 return -ENOENT;
1483         is_in = (uurb->endpoint & USB_ENDPOINT_DIR_MASK) != 0;
1484
1485         u = 0;
1486         switch (uurb->type) {
1487         case USBDEVFS_URB_TYPE_CONTROL:
1488                 if (!usb_endpoint_xfer_control(&ep->desc))
1489                         return -EINVAL;
1490                 /* min 8 byte setup packet */
1491                 if (uurb->buffer_length < 8)
1492                         return -EINVAL;
1493                 dr = kmalloc(sizeof(struct usb_ctrlrequest), GFP_KERNEL);
1494                 if (!dr)
1495                         return -ENOMEM;
1496                 if (copy_from_user(dr, uurb->buffer, 8)) {
1497                         ret = -EFAULT;
1498                         goto error;
1499                 }
1500                 if (uurb->buffer_length < (le16_to_cpup(&dr->wLength) + 8)) {
1501                         ret = -EINVAL;
1502                         goto error;
1503                 }
1504                 ret = check_ctrlrecip(ps, dr->bRequestType, dr->bRequest,
1505                                       le16_to_cpup(&dr->wIndex));
1506                 if (ret)
1507                         goto error;
1508                 uurb->buffer_length = le16_to_cpup(&dr->wLength);
1509                 uurb->buffer += 8;
1510                 if ((dr->bRequestType & USB_DIR_IN) && uurb->buffer_length) {
1511                         is_in = 1;
1512                         uurb->endpoint |= USB_DIR_IN;
1513                 } else {
1514                         is_in = 0;
1515                         uurb->endpoint &= ~USB_DIR_IN;
1516                 }
1517                 snoop(&ps->dev->dev, "control urb: bRequestType=%02x "
1518                         "bRequest=%02x wValue=%04x "
1519                         "wIndex=%04x wLength=%04x\n",
1520                         dr->bRequestType, dr->bRequest,
1521                         __le16_to_cpup(&dr->wValue),
1522                         __le16_to_cpup(&dr->wIndex),
1523                         __le16_to_cpup(&dr->wLength));
1524                 u = sizeof(struct usb_ctrlrequest);
1525                 break;
1526
1527         case USBDEVFS_URB_TYPE_BULK:
1528                 switch (usb_endpoint_type(&ep->desc)) {
1529                 case USB_ENDPOINT_XFER_CONTROL:
1530                 case USB_ENDPOINT_XFER_ISOC:
1531                         return -EINVAL;
1532                 case USB_ENDPOINT_XFER_INT:
1533                         /* allow single-shot interrupt transfers */
1534                         uurb->type = USBDEVFS_URB_TYPE_INTERRUPT;
1535                         goto interrupt_urb;
1536                 }
1537                 num_sgs = DIV_ROUND_UP(uurb->buffer_length, USB_SG_SIZE);
1538                 if (num_sgs == 1 || num_sgs > ps->dev->bus->sg_tablesize)
1539                         num_sgs = 0;
1540                 if (ep->streams)
1541                         stream_id = uurb->stream_id;
1542                 break;
1543
1544         case USBDEVFS_URB_TYPE_INTERRUPT:
1545                 if (!usb_endpoint_xfer_int(&ep->desc))
1546                         return -EINVAL;
1547  interrupt_urb:
1548                 break;
1549
1550         case USBDEVFS_URB_TYPE_ISO:
1551                 /* arbitrary limit */
1552                 if (uurb->number_of_packets < 1 ||
1553                     uurb->number_of_packets > 128)
1554                         return -EINVAL;
1555                 if (!usb_endpoint_xfer_isoc(&ep->desc))
1556                         return -EINVAL;
1557                 number_of_packets = uurb->number_of_packets;
1558                 isofrmlen = sizeof(struct usbdevfs_iso_packet_desc) *
1559                                    number_of_packets;
1560                 isopkt = memdup_user(iso_frame_desc, isofrmlen);
1561                 if (IS_ERR(isopkt)) {
1562                         ret = PTR_ERR(isopkt);
1563                         isopkt = NULL;
1564                         goto error;
1565                 }
1566                 for (totlen = u = 0; u < number_of_packets; u++) {
1567                         /*
1568                          * arbitrary limit need for USB 3.0
1569                          * bMaxBurst (0~15 allowed, 1~16 packets)
1570                          * bmAttributes (bit 1:0, mult 0~2, 1~3 packets)
1571                          * sizemax: 1024 * 16 * 3 = 49152
1572                          */
1573                         if (isopkt[u].length > 49152) {
1574                                 ret = -EINVAL;
1575                                 goto error;
1576                         }
1577                         totlen += isopkt[u].length;
1578                 }
1579                 u *= sizeof(struct usb_iso_packet_descriptor);
1580                 uurb->buffer_length = totlen;
1581                 break;
1582
1583         default:
1584                 return -EINVAL;
1585         }
1586
1587         if (uurb->buffer_length >= USBFS_XFER_MAX) {
1588                 ret = -EINVAL;
1589                 goto error;
1590         }
1591         if (uurb->buffer_length > 0 &&
1592                         !access_ok(is_in ? VERIFY_WRITE : VERIFY_READ,
1593                                 uurb->buffer, uurb->buffer_length)) {
1594                 ret = -EFAULT;
1595                 goto error;
1596         }
1597         as = alloc_async(number_of_packets);
1598         if (!as) {
1599                 ret = -ENOMEM;
1600                 goto error;
1601         }
1602
1603         as->usbm = find_memory_area(ps, uurb);
1604         if (IS_ERR(as->usbm)) {
1605                 ret = PTR_ERR(as->usbm);
1606                 as->usbm = NULL;
1607                 goto error;
1608         }
1609
1610         /* do not use SG buffers when memory mapped segments
1611          * are in use
1612          */
1613         if (as->usbm)
1614                 num_sgs = 0;
1615
1616         u += sizeof(struct async) + sizeof(struct urb) + uurb->buffer_length +
1617              num_sgs * sizeof(struct scatterlist);
1618         ret = usbfs_increase_memory_usage(u);
1619         if (ret)
1620                 goto error;
1621         as->mem_usage = u;
1622
1623         if (num_sgs) {
1624                 as->urb->sg = kmalloc(num_sgs * sizeof(struct scatterlist),
1625                                       GFP_KERNEL);
1626                 if (!as->urb->sg) {
1627                         ret = -ENOMEM;
1628                         goto error;
1629                 }
1630                 as->urb->num_sgs = num_sgs;
1631                 sg_init_table(as->urb->sg, as->urb->num_sgs);
1632
1633                 totlen = uurb->buffer_length;
1634                 for (i = 0; i < as->urb->num_sgs; i++) {
1635                         u = (totlen > USB_SG_SIZE) ? USB_SG_SIZE : totlen;
1636                         buf = kmalloc(u, GFP_KERNEL);
1637                         if (!buf) {
1638                                 ret = -ENOMEM;
1639                                 goto error;
1640                         }
1641                         sg_set_buf(&as->urb->sg[i], buf, u);
1642
1643                         if (!is_in) {
1644                                 if (copy_from_user(buf, uurb->buffer, u)) {
1645                                         ret = -EFAULT;
1646                                         goto error;
1647                                 }
1648                                 uurb->buffer += u;
1649                         }
1650                         totlen -= u;
1651                 }
1652         } else if (uurb->buffer_length > 0) {
1653                 if (as->usbm) {
1654                         unsigned long uurb_start = (unsigned long)uurb->buffer;
1655
1656                         as->urb->transfer_buffer = as->usbm->mem +
1657                                         (uurb_start - as->usbm->vm_start);
1658                 } else {
1659                         as->urb->transfer_buffer = kmalloc(uurb->buffer_length,
1660                                         GFP_KERNEL);
1661                         if (!as->urb->transfer_buffer) {
1662                                 ret = -ENOMEM;
1663                                 goto error;
1664                         }
1665                         if (!is_in) {
1666                                 if (copy_from_user(as->urb->transfer_buffer,
1667                                                    uurb->buffer,
1668                                                    uurb->buffer_length)) {
1669                                         ret = -EFAULT;
1670                                         goto error;
1671                                 }
1672                         } else if (uurb->type == USBDEVFS_URB_TYPE_ISO) {
1673                                 /*
1674                                  * Isochronous input data may end up being
1675                                  * discontiguous if some of the packets are
1676                                  * short. Clear the buffer so that the gaps
1677                                  * don't leak kernel data to userspace.
1678                                  */
1679                                 memset(as->urb->transfer_buffer, 0,
1680                                                 uurb->buffer_length);
1681                         }
1682                 }
1683         }
1684         as->urb->dev = ps->dev;
1685         as->urb->pipe = (uurb->type << 30) |
1686                         __create_pipe(ps->dev, uurb->endpoint & 0xf) |
1687                         (uurb->endpoint & USB_DIR_IN);
1688
1689         /* This tedious sequence is necessary because the URB_* flags
1690          * are internal to the kernel and subject to change, whereas
1691          * the USBDEVFS_URB_* flags are a user API and must not be changed.
1692          */
1693         u = (is_in ? URB_DIR_IN : URB_DIR_OUT);
1694         if (uurb->flags & USBDEVFS_URB_ISO_ASAP)
1695                 u |= URB_ISO_ASAP;
1696         if (uurb->flags & USBDEVFS_URB_SHORT_NOT_OK && is_in)
1697                 u |= URB_SHORT_NOT_OK;
1698         if (uurb->flags & USBDEVFS_URB_NO_FSBR)
1699                 u |= URB_NO_FSBR;
1700         if (uurb->flags & USBDEVFS_URB_ZERO_PACKET)
1701                 u |= URB_ZERO_PACKET;
1702         if (uurb->flags & USBDEVFS_URB_NO_INTERRUPT)
1703                 u |= URB_NO_INTERRUPT;
1704         as->urb->transfer_flags = u;
1705
1706         as->urb->transfer_buffer_length = uurb->buffer_length;
1707         as->urb->setup_packet = (unsigned char *)dr;
1708         dr = NULL;
1709         as->urb->start_frame = uurb->start_frame;
1710         as->urb->number_of_packets = number_of_packets;
1711         as->urb->stream_id = stream_id;
1712
1713         if (ep->desc.bInterval) {
1714                 if (uurb->type == USBDEVFS_URB_TYPE_ISO ||
1715                                 ps->dev->speed == USB_SPEED_HIGH ||
1716                                 ps->dev->speed >= USB_SPEED_SUPER)
1717                         as->urb->interval = 1 <<
1718                                         min(15, ep->desc.bInterval - 1);
1719                 else
1720                         as->urb->interval = ep->desc.bInterval;
1721         }
1722
1723         as->urb->context = as;
1724         as->urb->complete = async_completed;
1725         for (totlen = u = 0; u < number_of_packets; u++) {
1726                 as->urb->iso_frame_desc[u].offset = totlen;
1727                 as->urb->iso_frame_desc[u].length = isopkt[u].length;
1728                 totlen += isopkt[u].length;
1729         }
1730         kfree(isopkt);
1731         isopkt = NULL;
1732         as->ps = ps;
1733         as->userurb = arg;
1734         if (as->usbm) {
1735                 unsigned long uurb_start = (unsigned long)uurb->buffer;
1736
1737                 as->urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP;
1738                 as->urb->transfer_dma = as->usbm->dma_handle +
1739                                 (uurb_start - as->usbm->vm_start);
1740         } else if (is_in && uurb->buffer_length > 0)
1741                 as->userbuffer = uurb->buffer;
1742         as->signr = uurb->signr;
1743         as->ifnum = ifnum;
1744         as->pid = get_pid(task_pid(current));
1745         as->cred = get_current_cred();
1746         security_task_getsecid(current, &as->secid);
1747         snoop_urb(ps->dev, as->userurb, as->urb->pipe,
1748                         as->urb->transfer_buffer_length, 0, SUBMIT,
1749                         NULL, 0);
1750         if (!is_in)
1751                 snoop_urb_data(as->urb, as->urb->transfer_buffer_length);
1752
1753         async_newpending(as);
1754
1755         if (usb_endpoint_xfer_bulk(&ep->desc)) {
1756                 spin_lock_irq(&ps->lock);
1757
1758                 /* Not exactly the endpoint address; the direction bit is
1759                  * shifted to the 0x10 position so that the value will be
1760                  * between 0 and 31.
1761                  */
1762                 as->bulk_addr = usb_endpoint_num(&ep->desc) |
1763                         ((ep->desc.bEndpointAddress & USB_ENDPOINT_DIR_MASK)
1764                                 >> 3);
1765
1766                 /* If this bulk URB is the start of a new transfer, re-enable
1767                  * the endpoint.  Otherwise mark it as a continuation URB.
1768                  */
1769                 if (uurb->flags & USBDEVFS_URB_BULK_CONTINUATION)
1770                         as->bulk_status = AS_CONTINUATION;
1771                 else
1772                         ps->disabled_bulk_eps &= ~(1 << as->bulk_addr);
1773
1774                 /* Don't accept continuation URBs if the endpoint is
1775                  * disabled because of an earlier error.
1776                  */
1777                 if (ps->disabled_bulk_eps & (1 << as->bulk_addr))
1778                         ret = -EREMOTEIO;
1779                 else
1780                         ret = usb_submit_urb(as->urb, GFP_ATOMIC);
1781                 spin_unlock_irq(&ps->lock);
1782         } else {
1783                 ret = usb_submit_urb(as->urb, GFP_KERNEL);
1784         }
1785
1786         if (ret) {
1787                 dev_printk(KERN_DEBUG, &ps->dev->dev,
1788                            "usbfs: usb_submit_urb returned %d\n", ret);
1789                 snoop_urb(ps->dev, as->userurb, as->urb->pipe,
1790                                 0, ret, COMPLETE, NULL, 0);
1791                 async_removepending(as);
1792                 goto error;
1793         }
1794         return 0;
1795
1796  error:
1797         if (as && as->usbm)
1798                 dec_usb_memory_use_count(as->usbm, &as->usbm->urb_use_count);
1799         kfree(isopkt);
1800         kfree(dr);
1801         if (as)
1802                 free_async(as);
1803         return ret;
1804 }
1805
1806 static int proc_submiturb(struct usb_dev_state *ps, void __user *arg)
1807 {
1808         struct usbdevfs_urb uurb;
1809
1810         if (copy_from_user(&uurb, arg, sizeof(uurb)))
1811                 return -EFAULT;
1812
1813         return proc_do_submiturb(ps, &uurb,
1814                         (((struct usbdevfs_urb __user *)arg)->iso_frame_desc),
1815                         arg);
1816 }
1817
1818 static int proc_unlinkurb(struct usb_dev_state *ps, void __user *arg)
1819 {
1820         struct urb *urb;
1821         struct async *as;
1822         unsigned long flags;
1823
1824         spin_lock_irqsave(&ps->lock, flags);
1825         as = async_getpending(ps, arg);
1826         if (!as) {
1827                 spin_unlock_irqrestore(&ps->lock, flags);
1828                 return -EINVAL;
1829         }
1830
1831         urb = as->urb;
1832         usb_get_urb(urb);
1833         spin_unlock_irqrestore(&ps->lock, flags);
1834
1835         usb_kill_urb(urb);
1836         usb_put_urb(urb);
1837
1838         return 0;
1839 }
1840
1841 static int processcompl(struct async *as, void __user * __user *arg)
1842 {
1843         struct urb *urb = as->urb;
1844         struct usbdevfs_urb __user *userurb = as->userurb;
1845         void __user *addr = as->userurb;
1846         unsigned int i;
1847
1848         if (as->userbuffer && urb->actual_length) {
1849                 if (copy_urb_data_to_user(as->userbuffer, urb))
1850                         goto err_out;
1851         }
1852         if (put_user(as->status, &userurb->status))
1853                 goto err_out;
1854         if (put_user(urb->actual_length, &userurb->actual_length))
1855                 goto err_out;
1856         if (put_user(urb->error_count, &userurb->error_count))
1857                 goto err_out;
1858
1859         if (usb_endpoint_xfer_isoc(&urb->ep->desc)) {
1860                 for (i = 0; i < urb->number_of_packets; i++) {
1861                         if (put_user(urb->iso_frame_desc[i].actual_length,
1862                                      &userurb->iso_frame_desc[i].actual_length))
1863                                 goto err_out;
1864                         if (put_user(urb->iso_frame_desc[i].status,
1865                                      &userurb->iso_frame_desc[i].status))
1866                                 goto err_out;
1867                 }
1868         }
1869
1870         if (put_user(addr, (void __user * __user *)arg))
1871                 return -EFAULT;
1872         return 0;
1873
1874 err_out:
1875         return -EFAULT;
1876 }
1877
1878 static struct async *reap_as(struct usb_dev_state *ps)
1879 {
1880         DECLARE_WAITQUEUE(wait, current);
1881         struct async *as = NULL;
1882         struct usb_device *dev = ps->dev;
1883
1884         add_wait_queue(&ps->wait, &wait);
1885         for (;;) {
1886                 __set_current_state(TASK_INTERRUPTIBLE);
1887                 as = async_getcompleted(ps);
1888                 if (as || !connected(ps))
1889                         break;
1890                 if (signal_pending(current))
1891                         break;
1892                 usb_unlock_device(dev);
1893                 schedule();
1894                 usb_lock_device(dev);
1895         }
1896         remove_wait_queue(&ps->wait, &wait);
1897         set_current_state(TASK_RUNNING);
1898         return as;
1899 }
1900
1901 static int proc_reapurb(struct usb_dev_state *ps, void __user *arg)
1902 {
1903         struct async *as = reap_as(ps);
1904
1905         if (as) {
1906                 int retval;
1907
1908                 snoop(&ps->dev->dev, "reap %p\n", as->userurb);
1909                 retval = processcompl(as, (void __user * __user *)arg);
1910                 free_async(as);
1911                 return retval;
1912         }
1913         if (signal_pending(current))
1914                 return -EINTR;
1915         return -ENODEV;
1916 }
1917
1918 static int proc_reapurbnonblock(struct usb_dev_state *ps, void __user *arg)
1919 {
1920         int retval;
1921         struct async *as;
1922
1923         as = async_getcompleted(ps);
1924         if (as) {
1925                 snoop(&ps->dev->dev, "reap %p\n", as->userurb);
1926                 retval = processcompl(as, (void __user * __user *)arg);
1927                 free_async(as);
1928         } else {
1929                 retval = (connected(ps) ? -EAGAIN : -ENODEV);
1930         }
1931         return retval;
1932 }
1933
1934 #ifdef CONFIG_COMPAT
1935 static int proc_control_compat(struct usb_dev_state *ps,
1936                                 struct usbdevfs_ctrltransfer32 __user *p32)
1937 {
1938         struct usbdevfs_ctrltransfer __user *p;
1939         __u32 udata;
1940         p = compat_alloc_user_space(sizeof(*p));
1941         if (copy_in_user(p, p32, (sizeof(*p32) - sizeof(compat_caddr_t))) ||
1942             get_user(udata, &p32->data) ||
1943             put_user(compat_ptr(udata), &p->data))
1944                 return -EFAULT;
1945         return proc_control(ps, p);
1946 }
1947
1948 static int proc_bulk_compat(struct usb_dev_state *ps,
1949                         struct usbdevfs_bulktransfer32 __user *p32)
1950 {
1951         struct usbdevfs_bulktransfer __user *p;
1952         compat_uint_t n;
1953         compat_caddr_t addr;
1954
1955         p = compat_alloc_user_space(sizeof(*p));
1956
1957         if (get_user(n, &p32->ep) || put_user(n, &p->ep) ||
1958             get_user(n, &p32->len) || put_user(n, &p->len) ||
1959             get_user(n, &p32->timeout) || put_user(n, &p->timeout) ||
1960             get_user(addr, &p32->data) || put_user(compat_ptr(addr), &p->data))
1961                 return -EFAULT;
1962
1963         return proc_bulk(ps, p);
1964 }
1965 static int proc_disconnectsignal_compat(struct usb_dev_state *ps, void __user *arg)
1966 {
1967         struct usbdevfs_disconnectsignal32 ds;
1968
1969         if (copy_from_user(&ds, arg, sizeof(ds)))
1970                 return -EFAULT;
1971         ps->discsignr = ds.signr;
1972         ps->disccontext = compat_ptr(ds.context);
1973         return 0;
1974 }
1975
1976 static int get_urb32(struct usbdevfs_urb *kurb,
1977                      struct usbdevfs_urb32 __user *uurb)
1978 {
1979         __u32  uptr;
1980         if (!access_ok(VERIFY_READ, uurb, sizeof(*uurb)) ||
1981             __get_user(kurb->type, &uurb->type) ||
1982             __get_user(kurb->endpoint, &uurb->endpoint) ||
1983             __get_user(kurb->status, &uurb->status) ||
1984             __get_user(kurb->flags, &uurb->flags) ||
1985             __get_user(kurb->buffer_length, &uurb->buffer_length) ||
1986             __get_user(kurb->actual_length, &uurb->actual_length) ||
1987             __get_user(kurb->start_frame, &uurb->start_frame) ||
1988             __get_user(kurb->number_of_packets, &uurb->number_of_packets) ||
1989             __get_user(kurb->error_count, &uurb->error_count) ||
1990             __get_user(kurb->signr, &uurb->signr))
1991                 return -EFAULT;
1992
1993         if (__get_user(uptr, &uurb->buffer))
1994                 return -EFAULT;
1995         kurb->buffer = compat_ptr(uptr);
1996         if (__get_user(uptr, &uurb->usercontext))
1997                 return -EFAULT;
1998         kurb->usercontext = compat_ptr(uptr);
1999
2000         return 0;
2001 }
2002
2003 static int proc_submiturb_compat(struct usb_dev_state *ps, void __user *arg)
2004 {
2005         struct usbdevfs_urb uurb;
2006
2007         if (get_urb32(&uurb, (struct usbdevfs_urb32 __user *)arg))
2008                 return -EFAULT;
2009
2010         return proc_do_submiturb(ps, &uurb,
2011                         ((struct usbdevfs_urb32 __user *)arg)->iso_frame_desc,
2012                         arg);
2013 }
2014
2015 static int processcompl_compat(struct async *as, void __user * __user *arg)
2016 {
2017         struct urb *urb = as->urb;
2018         struct usbdevfs_urb32 __user *userurb = as->userurb;
2019         void __user *addr = as->userurb;
2020         unsigned int i;
2021
2022         if (as->userbuffer && urb->actual_length) {
2023                 if (copy_urb_data_to_user(as->userbuffer, urb))
2024                         return -EFAULT;
2025         }
2026         if (put_user(as->status, &userurb->status))
2027                 return -EFAULT;
2028         if (put_user(urb->actual_length, &userurb->actual_length))
2029                 return -EFAULT;
2030         if (put_user(urb->error_count, &userurb->error_count))
2031                 return -EFAULT;
2032
2033         if (usb_endpoint_xfer_isoc(&urb->ep->desc)) {
2034                 for (i = 0; i < urb->number_of_packets; i++) {
2035                         if (put_user(urb->iso_frame_desc[i].actual_length,
2036                                      &userurb->iso_frame_desc[i].actual_length))
2037                                 return -EFAULT;
2038                         if (put_user(urb->iso_frame_desc[i].status,
2039                                      &userurb->iso_frame_desc[i].status))
2040                                 return -EFAULT;
2041                 }
2042         }
2043
2044         if (put_user(ptr_to_compat(addr), (u32 __user *)arg))
2045                 return -EFAULT;
2046         return 0;
2047 }
2048
2049 static int proc_reapurb_compat(struct usb_dev_state *ps, void __user *arg)
2050 {
2051         struct async *as = reap_as(ps);
2052
2053         if (as) {
2054                 int retval;
2055
2056                 snoop(&ps->dev->dev, "reap %p\n", as->userurb);
2057                 retval = processcompl_compat(as, (void __user * __user *)arg);
2058                 free_async(as);
2059                 return retval;
2060         }
2061         if (signal_pending(current))
2062                 return -EINTR;
2063         return -ENODEV;
2064 }
2065
2066 static int proc_reapurbnonblock_compat(struct usb_dev_state *ps, void __user *arg)
2067 {
2068         int retval;
2069         struct async *as;
2070
2071         as = async_getcompleted(ps);
2072         if (as) {
2073                 snoop(&ps->dev->dev, "reap %p\n", as->userurb);
2074                 retval = processcompl_compat(as, (void __user * __user *)arg);
2075                 free_async(as);
2076         } else {
2077                 retval = (connected(ps) ? -EAGAIN : -ENODEV);
2078         }
2079         return retval;
2080 }
2081
2082
2083 #endif
2084
2085 static int proc_disconnectsignal(struct usb_dev_state *ps, void __user *arg)
2086 {
2087         struct usbdevfs_disconnectsignal ds;
2088
2089         if (copy_from_user(&ds, arg, sizeof(ds)))
2090                 return -EFAULT;
2091         ps->discsignr = ds.signr;
2092         ps->disccontext = ds.context;
2093         return 0;
2094 }
2095
2096 static int proc_claiminterface(struct usb_dev_state *ps, void __user *arg)
2097 {
2098         unsigned int ifnum;
2099
2100         if (get_user(ifnum, (unsigned int __user *)arg))
2101                 return -EFAULT;
2102         return claimintf(ps, ifnum);
2103 }
2104
2105 static int proc_releaseinterface(struct usb_dev_state *ps, void __user *arg)
2106 {
2107         unsigned int ifnum;
2108         int ret;
2109
2110         if (get_user(ifnum, (unsigned int __user *)arg))
2111                 return -EFAULT;
2112         ret = releaseintf(ps, ifnum);
2113         if (ret < 0)
2114                 return ret;
2115         destroy_async_on_interface(ps, ifnum);
2116         return 0;
2117 }
2118
2119 static int proc_ioctl(struct usb_dev_state *ps, struct usbdevfs_ioctl *ctl)
2120 {
2121         int                     size;
2122         void                    *buf = NULL;
2123         int                     retval = 0;
2124         struct usb_interface    *intf = NULL;
2125         struct usb_driver       *driver = NULL;
2126
2127         if (ps->privileges_dropped)
2128                 return -EACCES;
2129
2130         /* alloc buffer */
2131         size = _IOC_SIZE(ctl->ioctl_code);
2132         if (size > 0) {
2133                 buf = kmalloc(size, GFP_KERNEL);
2134                 if (buf == NULL)
2135                         return -ENOMEM;
2136                 if ((_IOC_DIR(ctl->ioctl_code) & _IOC_WRITE)) {
2137                         if (copy_from_user(buf, ctl->data, size)) {
2138                                 kfree(buf);
2139                                 return -EFAULT;
2140                         }
2141                 } else {
2142                         memset(buf, 0, size);
2143                 }
2144         }
2145
2146         if (!connected(ps)) {
2147                 kfree(buf);
2148                 return -ENODEV;
2149         }
2150
2151         if (ps->dev->state != USB_STATE_CONFIGURED)
2152                 retval = -EHOSTUNREACH;
2153         else if (!(intf = usb_ifnum_to_if(ps->dev, ctl->ifno)))
2154                 retval = -EINVAL;
2155         else switch (ctl->ioctl_code) {
2156
2157         /* disconnect kernel driver from interface */
2158         case USBDEVFS_DISCONNECT:
2159                 if (intf->dev.driver) {
2160                         driver = to_usb_driver(intf->dev.driver);
2161                         dev_dbg(&intf->dev, "disconnect by usbfs\n");
2162                         usb_driver_release_interface(driver, intf);
2163                 } else
2164                         retval = -ENODATA;
2165                 break;
2166
2167         /* let kernel drivers try to (re)bind to the interface */
2168         case USBDEVFS_CONNECT:
2169                 if (!intf->dev.driver)
2170                         retval = device_attach(&intf->dev);
2171                 else
2172                         retval = -EBUSY;
2173                 break;
2174
2175         /* talk directly to the interface's driver */
2176         default:
2177                 if (intf->dev.driver)
2178                         driver = to_usb_driver(intf->dev.driver);
2179                 if (driver == NULL || driver->unlocked_ioctl == NULL) {
2180                         retval = -ENOTTY;
2181                 } else {
2182                         retval = driver->unlocked_ioctl(intf, ctl->ioctl_code, buf);
2183                         if (retval == -ENOIOCTLCMD)
2184                                 retval = -ENOTTY;
2185                 }
2186         }
2187
2188         /* cleanup and return */
2189         if (retval >= 0
2190                         && (_IOC_DIR(ctl->ioctl_code) & _IOC_READ) != 0
2191                         && size > 0
2192                         && copy_to_user(ctl->data, buf, size) != 0)
2193                 retval = -EFAULT;
2194
2195         kfree(buf);
2196         return retval;
2197 }
2198
2199 static int proc_ioctl_default(struct usb_dev_state *ps, void __user *arg)
2200 {
2201         struct usbdevfs_ioctl   ctrl;
2202
2203         if (copy_from_user(&ctrl, arg, sizeof(ctrl)))
2204                 return -EFAULT;
2205         return proc_ioctl(ps, &ctrl);
2206 }
2207
2208 #ifdef CONFIG_COMPAT
2209 static int proc_ioctl_compat(struct usb_dev_state *ps, compat_uptr_t arg)
2210 {
2211         struct usbdevfs_ioctl32 __user *uioc;
2212         struct usbdevfs_ioctl ctrl;
2213         u32 udata;
2214
2215         uioc = compat_ptr((long)arg);
2216         if (!access_ok(VERIFY_READ, uioc, sizeof(*uioc)) ||
2217             __get_user(ctrl.ifno, &uioc->ifno) ||
2218             __get_user(ctrl.ioctl_code, &uioc->ioctl_code) ||
2219             __get_user(udata, &uioc->data))
2220                 return -EFAULT;
2221         ctrl.data = compat_ptr(udata);
2222
2223         return proc_ioctl(ps, &ctrl);
2224 }
2225 #endif
2226
2227 static int proc_claim_port(struct usb_dev_state *ps, void __user *arg)
2228 {
2229         unsigned portnum;
2230         int rc;
2231
2232         if (get_user(portnum, (unsigned __user *) arg))
2233                 return -EFAULT;
2234         rc = usb_hub_claim_port(ps->dev, portnum, ps);
2235         if (rc == 0)
2236                 snoop(&ps->dev->dev, "port %d claimed by process %d: %s\n",
2237                         portnum, task_pid_nr(current), current->comm);
2238         return rc;
2239 }
2240
2241 static int proc_release_port(struct usb_dev_state *ps, void __user *arg)
2242 {
2243         unsigned portnum;
2244
2245         if (get_user(portnum, (unsigned __user *) arg))
2246                 return -EFAULT;
2247         return usb_hub_release_port(ps->dev, portnum, ps);
2248 }
2249
2250 static int proc_get_capabilities(struct usb_dev_state *ps, void __user *arg)
2251 {
2252         __u32 caps;
2253
2254         caps = USBDEVFS_CAP_ZERO_PACKET | USBDEVFS_CAP_NO_PACKET_SIZE_LIM |
2255                         USBDEVFS_CAP_REAP_AFTER_DISCONNECT | USBDEVFS_CAP_MMAP |
2256                         USBDEVFS_CAP_DROP_PRIVILEGES;
2257         if (!ps->dev->bus->no_stop_on_short)
2258                 caps |= USBDEVFS_CAP_BULK_CONTINUATION;
2259         if (ps->dev->bus->sg_tablesize)
2260                 caps |= USBDEVFS_CAP_BULK_SCATTER_GATHER;
2261
2262         if (put_user(caps, (__u32 __user *)arg))
2263                 return -EFAULT;
2264
2265         return 0;
2266 }
2267
2268 static int proc_disconnect_claim(struct usb_dev_state *ps, void __user *arg)
2269 {
2270         struct usbdevfs_disconnect_claim dc;
2271         struct usb_interface *intf;
2272
2273         if (copy_from_user(&dc, arg, sizeof(dc)))
2274                 return -EFAULT;
2275
2276         intf = usb_ifnum_to_if(ps->dev, dc.interface);
2277         if (!intf)
2278                 return -EINVAL;
2279
2280         if (intf->dev.driver) {
2281                 struct usb_driver *driver = to_usb_driver(intf->dev.driver);
2282
2283                 if (ps->privileges_dropped)
2284                         return -EACCES;
2285
2286                 if ((dc.flags & USBDEVFS_DISCONNECT_CLAIM_IF_DRIVER) &&
2287                                 strncmp(dc.driver, intf->dev.driver->name,
2288                                         sizeof(dc.driver)) != 0)
2289                         return -EBUSY;
2290
2291                 if ((dc.flags & USBDEVFS_DISCONNECT_CLAIM_EXCEPT_DRIVER) &&
2292                                 strncmp(dc.driver, intf->dev.driver->name,
2293                                         sizeof(dc.driver)) == 0)
2294                         return -EBUSY;
2295
2296                 dev_dbg(&intf->dev, "disconnect by usbfs\n");
2297                 usb_driver_release_interface(driver, intf);
2298         }
2299
2300         return claimintf(ps, dc.interface);
2301 }
2302
2303 static int proc_alloc_streams(struct usb_dev_state *ps, void __user *arg)
2304 {
2305         unsigned num_streams, num_eps;
2306         struct usb_host_endpoint **eps;
2307         struct usb_interface *intf;
2308         int r;
2309
2310         r = parse_usbdevfs_streams(ps, arg, &num_streams, &num_eps,
2311                                    &eps, &intf);
2312         if (r)
2313                 return r;
2314
2315         destroy_async_on_interface(ps,
2316                                    intf->altsetting[0].desc.bInterfaceNumber);
2317
2318         r = usb_alloc_streams(intf, eps, num_eps, num_streams, GFP_KERNEL);
2319         kfree(eps);
2320         return r;
2321 }
2322
2323 static int proc_free_streams(struct usb_dev_state *ps, void __user *arg)
2324 {
2325         unsigned num_eps;
2326         struct usb_host_endpoint **eps;
2327         struct usb_interface *intf;
2328         int r;
2329
2330         r = parse_usbdevfs_streams(ps, arg, NULL, &num_eps, &eps, &intf);
2331         if (r)
2332                 return r;
2333
2334         destroy_async_on_interface(ps,
2335                                    intf->altsetting[0].desc.bInterfaceNumber);
2336
2337         r = usb_free_streams(intf, eps, num_eps, GFP_KERNEL);
2338         kfree(eps);
2339         return r;
2340 }
2341
2342 static int proc_drop_privileges(struct usb_dev_state *ps, void __user *arg)
2343 {
2344         u32 data;
2345
2346         if (copy_from_user(&data, arg, sizeof(data)))
2347                 return -EFAULT;
2348
2349         /* This is an one way operation. Once privileges are
2350          * dropped, you cannot regain them. You may however reissue
2351          * this ioctl to shrink the allowed interfaces mask.
2352          */
2353         ps->interface_allowed_mask &= data;
2354         ps->privileges_dropped = true;
2355
2356         return 0;
2357 }
2358
2359 /*
2360  * NOTE:  All requests here that have interface numbers as parameters
2361  * are assuming that somehow the configuration has been prevented from
2362  * changing.  But there's no mechanism to ensure that...
2363  */
2364 static long usbdev_do_ioctl(struct file *file, unsigned int cmd,
2365                                 void __user *p)
2366 {
2367         struct usb_dev_state *ps = file->private_data;
2368         struct inode *inode = file_inode(file);
2369         struct usb_device *dev = ps->dev;
2370         int ret = -ENOTTY;
2371
2372         if (!(file->f_mode & FMODE_WRITE))
2373                 return -EPERM;
2374
2375         usb_lock_device(dev);
2376
2377         /* Reap operations are allowed even after disconnection */
2378         switch (cmd) {
2379         case USBDEVFS_REAPURB:
2380                 snoop(&dev->dev, "%s: REAPURB\n", __func__);
2381                 ret = proc_reapurb(ps, p);
2382                 goto done;
2383
2384         case USBDEVFS_REAPURBNDELAY:
2385                 snoop(&dev->dev, "%s: REAPURBNDELAY\n", __func__);
2386                 ret = proc_reapurbnonblock(ps, p);
2387                 goto done;
2388
2389 #ifdef CONFIG_COMPAT
2390         case USBDEVFS_REAPURB32:
2391                 snoop(&dev->dev, "%s: REAPURB32\n", __func__);
2392                 ret = proc_reapurb_compat(ps, p);
2393                 goto done;
2394
2395         case USBDEVFS_REAPURBNDELAY32:
2396                 snoop(&dev->dev, "%s: REAPURBNDELAY32\n", __func__);
2397                 ret = proc_reapurbnonblock_compat(ps, p);
2398                 goto done;
2399 #endif
2400         }
2401
2402         if (!connected(ps)) {
2403                 usb_unlock_device(dev);
2404                 return -ENODEV;
2405         }
2406
2407         switch (cmd) {
2408         case USBDEVFS_CONTROL:
2409                 snoop(&dev->dev, "%s: CONTROL\n", __func__);
2410                 ret = proc_control(ps, p);
2411                 if (ret >= 0)
2412                         inode->i_mtime = current_time(inode);
2413                 break;
2414
2415         case USBDEVFS_BULK:
2416                 snoop(&dev->dev, "%s: BULK\n", __func__);
2417                 ret = proc_bulk(ps, p);
2418                 if (ret >= 0)
2419                         inode->i_mtime = current_time(inode);
2420                 break;
2421
2422         case USBDEVFS_RESETEP:
2423                 snoop(&dev->dev, "%s: RESETEP\n", __func__);
2424                 ret = proc_resetep(ps, p);
2425                 if (ret >= 0)
2426                         inode->i_mtime = current_time(inode);
2427                 break;
2428
2429         case USBDEVFS_RESET:
2430                 snoop(&dev->dev, "%s: RESET\n", __func__);
2431                 ret = proc_resetdevice(ps);
2432                 break;
2433
2434         case USBDEVFS_CLEAR_HALT:
2435                 snoop(&dev->dev, "%s: CLEAR_HALT\n", __func__);
2436                 ret = proc_clearhalt(ps, p);
2437                 if (ret >= 0)
2438                         inode->i_mtime = current_time(inode);
2439                 break;
2440
2441         case USBDEVFS_GETDRIVER:
2442                 snoop(&dev->dev, "%s: GETDRIVER\n", __func__);
2443                 ret = proc_getdriver(ps, p);
2444                 break;
2445
2446         case USBDEVFS_CONNECTINFO:
2447                 snoop(&dev->dev, "%s: CONNECTINFO\n", __func__);
2448                 ret = proc_connectinfo(ps, p);
2449                 break;
2450
2451         case USBDEVFS_SETINTERFACE:
2452                 snoop(&dev->dev, "%s: SETINTERFACE\n", __func__);
2453                 ret = proc_setintf(ps, p);
2454                 break;
2455
2456         case USBDEVFS_SETCONFIGURATION:
2457                 snoop(&dev->dev, "%s: SETCONFIGURATION\n", __func__);
2458                 ret = proc_setconfig(ps, p);
2459                 break;
2460
2461         case USBDEVFS_SUBMITURB:
2462                 snoop(&dev->dev, "%s: SUBMITURB\n", __func__);
2463                 ret = proc_submiturb(ps, p);
2464                 if (ret >= 0)
2465                         inode->i_mtime = current_time(inode);
2466                 break;
2467
2468 #ifdef CONFIG_COMPAT
2469         case USBDEVFS_CONTROL32:
2470                 snoop(&dev->dev, "%s: CONTROL32\n", __func__);
2471                 ret = proc_control_compat(ps, p);
2472                 if (ret >= 0)
2473                         inode->i_mtime = current_time(inode);
2474                 break;
2475
2476         case USBDEVFS_BULK32:
2477                 snoop(&dev->dev, "%s: BULK32\n", __func__);
2478                 ret = proc_bulk_compat(ps, p);
2479                 if (ret >= 0)
2480                         inode->i_mtime = current_time(inode);
2481                 break;
2482
2483         case USBDEVFS_DISCSIGNAL32:
2484                 snoop(&dev->dev, "%s: DISCSIGNAL32\n", __func__);
2485                 ret = proc_disconnectsignal_compat(ps, p);
2486                 break;
2487
2488         case USBDEVFS_SUBMITURB32:
2489                 snoop(&dev->dev, "%s: SUBMITURB32\n", __func__);
2490                 ret = proc_submiturb_compat(ps, p);
2491                 if (ret >= 0)
2492                         inode->i_mtime = current_time(inode);
2493                 break;
2494
2495         case USBDEVFS_IOCTL32:
2496                 snoop(&dev->dev, "%s: IOCTL32\n", __func__);
2497                 ret = proc_ioctl_compat(ps, ptr_to_compat(p));
2498                 break;
2499 #endif
2500
2501         case USBDEVFS_DISCARDURB:
2502                 snoop(&dev->dev, "%s: DISCARDURB %p\n", __func__, p);
2503                 ret = proc_unlinkurb(ps, p);
2504                 break;
2505
2506         case USBDEVFS_DISCSIGNAL:
2507                 snoop(&dev->dev, "%s: DISCSIGNAL\n", __func__);
2508                 ret = proc_disconnectsignal(ps, p);
2509                 break;
2510
2511         case USBDEVFS_CLAIMINTERFACE:
2512                 snoop(&dev->dev, "%s: CLAIMINTERFACE\n", __func__);
2513                 ret = proc_claiminterface(ps, p);
2514                 break;
2515
2516         case USBDEVFS_RELEASEINTERFACE:
2517                 snoop(&dev->dev, "%s: RELEASEINTERFACE\n", __func__);
2518                 ret = proc_releaseinterface(ps, p);
2519                 break;
2520
2521         case USBDEVFS_IOCTL:
2522                 snoop(&dev->dev, "%s: IOCTL\n", __func__);
2523                 ret = proc_ioctl_default(ps, p);
2524                 break;
2525
2526         case USBDEVFS_CLAIM_PORT:
2527                 snoop(&dev->dev, "%s: CLAIM_PORT\n", __func__);
2528                 ret = proc_claim_port(ps, p);
2529                 break;
2530
2531         case USBDEVFS_RELEASE_PORT:
2532                 snoop(&dev->dev, "%s: RELEASE_PORT\n", __func__);
2533                 ret = proc_release_port(ps, p);
2534                 break;
2535         case USBDEVFS_GET_CAPABILITIES:
2536                 ret = proc_get_capabilities(ps, p);
2537                 break;
2538         case USBDEVFS_DISCONNECT_CLAIM:
2539                 ret = proc_disconnect_claim(ps, p);
2540                 break;
2541         case USBDEVFS_ALLOC_STREAMS:
2542                 ret = proc_alloc_streams(ps, p);
2543                 break;
2544         case USBDEVFS_FREE_STREAMS:
2545                 ret = proc_free_streams(ps, p);
2546                 break;
2547         case USBDEVFS_DROP_PRIVILEGES:
2548                 ret = proc_drop_privileges(ps, p);
2549                 break;
2550         }
2551
2552  done:
2553         usb_unlock_device(dev);
2554         if (ret >= 0)
2555                 inode->i_atime = current_time(inode);
2556         return ret;
2557 }
2558
2559 static long usbdev_ioctl(struct file *file, unsigned int cmd,
2560                         unsigned long arg)
2561 {
2562         int ret;
2563
2564         ret = usbdev_do_ioctl(file, cmd, (void __user *)arg);
2565
2566         return ret;
2567 }
2568
2569 #ifdef CONFIG_COMPAT
2570 static long usbdev_compat_ioctl(struct file *file, unsigned int cmd,
2571                         unsigned long arg)
2572 {
2573         int ret;
2574
2575         ret = usbdev_do_ioctl(file, cmd, compat_ptr(arg));
2576
2577         return ret;
2578 }
2579 #endif
2580
2581 /* No kernel lock - fine */
2582 static unsigned int usbdev_poll(struct file *file,
2583                                 struct poll_table_struct *wait)
2584 {
2585         struct usb_dev_state *ps = file->private_data;
2586         unsigned int mask = 0;
2587
2588         poll_wait(file, &ps->wait, wait);
2589         if (file->f_mode & FMODE_WRITE && !list_empty(&ps->async_completed))
2590                 mask |= POLLOUT | POLLWRNORM;
2591         if (!connected(ps))
2592                 mask |= POLLHUP;
2593         if (list_empty(&ps->list))
2594                 mask |= POLLERR;
2595         return mask;
2596 }
2597
2598 const struct file_operations usbdev_file_operations = {
2599         .owner =          THIS_MODULE,
2600         .llseek =         no_seek_end_llseek,
2601         .read =           usbdev_read,
2602         .poll =           usbdev_poll,
2603         .unlocked_ioctl = usbdev_ioctl,
2604 #ifdef CONFIG_COMPAT
2605         .compat_ioctl =   usbdev_compat_ioctl,
2606 #endif
2607         .mmap =           usbdev_mmap,
2608         .open =           usbdev_open,
2609         .release =        usbdev_release,
2610 };
2611
2612 static void usbdev_remove(struct usb_device *udev)
2613 {
2614         struct usb_dev_state *ps;
2615         struct siginfo sinfo;
2616
2617         while (!list_empty(&udev->filelist)) {
2618                 ps = list_entry(udev->filelist.next, struct usb_dev_state, list);
2619                 destroy_all_async(ps);
2620                 wake_up_all(&ps->wait);
2621                 list_del_init(&ps->list);
2622                 if (ps->discsignr) {
2623                         memset(&sinfo, 0, sizeof(sinfo));
2624                         sinfo.si_signo = ps->discsignr;
2625                         sinfo.si_errno = EPIPE;
2626                         sinfo.si_code = SI_ASYNCIO;
2627                         sinfo.si_addr = ps->disccontext;
2628                         kill_pid_info_as_cred(ps->discsignr, &sinfo,
2629                                         ps->disc_pid, ps->cred, ps->secid);
2630                 }
2631         }
2632 }
2633
2634 static int usbdev_notify(struct notifier_block *self,
2635                                unsigned long action, void *dev)
2636 {
2637         switch (action) {
2638         case USB_DEVICE_ADD:
2639                 break;
2640         case USB_DEVICE_REMOVE:
2641                 usbdev_remove(dev);
2642                 break;
2643         }
2644         return NOTIFY_OK;
2645 }
2646
2647 static struct notifier_block usbdev_nb = {
2648         .notifier_call =        usbdev_notify,
2649 };
2650
2651 static struct cdev usb_device_cdev;
2652
2653 int __init usb_devio_init(void)
2654 {
2655         int retval;
2656
2657         retval = register_chrdev_region(USB_DEVICE_DEV, USB_DEVICE_MAX,
2658                                         "usb_device");
2659         if (retval) {
2660                 printk(KERN_ERR "Unable to register minors for usb_device\n");
2661                 goto out;
2662         }
2663         cdev_init(&usb_device_cdev, &usbdev_file_operations);
2664         retval = cdev_add(&usb_device_cdev, USB_DEVICE_DEV, USB_DEVICE_MAX);
2665         if (retval) {
2666                 printk(KERN_ERR "Unable to get usb_device major %d\n",
2667                        USB_DEVICE_MAJOR);
2668                 goto error_cdev;
2669         }
2670         usb_register_notify(&usbdev_nb);
2671 out:
2672         return retval;
2673
2674 error_cdev:
2675         unregister_chrdev_region(USB_DEVICE_DEV, USB_DEVICE_MAX);
2676         goto out;
2677 }
2678
2679 void usb_devio_cleanup(void)
2680 {
2681         usb_unregister_notify(&usbdev_nb);
2682         cdev_del(&usb_device_cdev);
2683         unregister_chrdev_region(USB_DEVICE_DEV, USB_DEVICE_MAX);
2684 }