1	// SPDX-License-Identifier: GPL-2.0+
2	/*****************************************************************************/
3
4	/*
5	* devio.c -- User space communication with USB devices.
6	*
7	* Copyright (C) 1999-2000 Thomas Sailer (sailer@ife.ee.ethz.ch)
8	*
9	* This file implements the usbfs/x/y files, where
10	* x is the bus number and y the device number.
11	*
12	* It allows user space programs/"drivers" to communicate directly
13	* with USB devices without intervening kernel driver.
14	*
15	* Revision history
16	* 22.12.1999 0.1 Initial release (split from proc_usb.c)
17	* 04.01.2000 0.2 Turned into its own filesystem
18	* 30.09.2005 0.3 Fix user-triggerable oops in async URB delivery
19	* (CAN-2005-3055)
20	*/
21
22	/*****************************************************************************/
23
24	#include <linux/fs.h>
25	#include <linux/mm.h>
26	#include <linux/sched/signal.h>
27	#include <linux/slab.h>
28	#include <linux/signal.h>
29	#include <linux/poll.h>
30	#include <linux/module.h>
31	#include <linux/string.h>
32	#include <linux/usb.h>
33	#include <linux/usbdevice_fs.h>
34	#include <linux/usb/hcd.h> /* for usbcore internals */
35	#include <linux/usb/quirks.h>
36	#include <linux/cdev.h>
37	#include <linux/notifier.h>
38	#include <linux/security.h>
39	#include <linux/user_namespace.h>
40	#include <linux/scatterlist.h>
41	#include <linux/uaccess.h>
42	#include <linux/dma-mapping.h>
43	#include <asm/byteorder.h>
44	#include <linux/moduleparam.h>
45
46	#include "usb.h"
47
48	#ifdef CONFIG_PM
49	#define MAYBE_CAP_SUSPEND USBDEVFS_CAP_SUSPEND
50	#else
51	#define MAYBE_CAP_SUSPEND 0
52	#endif
53
54	#define USB_MAXBUS 64
55	#define USB_DEVICE_MAX (USB_MAXBUS * 128)
56	#define USB_SG_SIZE 16384 /* split-size for large txs */
57
58	/* Mutual exclusion for ps->list in resume vs. release and remove */
59	static DEFINE_MUTEX(usbfs_mutex);
60
61	struct usb_dev_state {
62	struct list_head list; /* state list */
63	struct usb_device *dev;
64	struct file *file;
65	spinlock_t lock; /* protects the async urb lists */
66	struct list_head async_pending;
67	struct list_head async_completed;
68	struct list_head memory_list;
69	wait_queue_head_t wait; /* wake up if a request completed */
70	wait_queue_head_t wait_for_resume; /* wake up upon runtime resume */
71	unsigned int discsignr;
72	struct pid *disc_pid;
73	const struct cred *cred;
74	sigval_t disccontext;
75	unsigned long ifclaimed;
76	u32 disabled_bulk_eps;
77	unsigned long interface_allowed_mask;
78	int not_yet_resumed;
79	bool suspend_allowed;
80	bool privileges_dropped;
81	};
82
83	struct usb_memory {
84	struct list_head memlist;
85	int vma_use_count;
86	int urb_use_count;
87	u32 size;
88	void *mem;
89	dma_addr_t dma_handle;
90	unsigned long vm_start;
91	struct usb_dev_state *ps;
92	};
93
94	struct async {
95	struct list_head asynclist;
96	struct usb_dev_state *ps;
97	struct pid *pid;
98	const struct cred *cred;
99	unsigned int signr;
100	unsigned int ifnum;
101	void __user *userbuffer;
102	void __user *userurb;
103	sigval_t userurb_sigval;
104	struct urb *urb;
105	struct usb_memory *usbm;
106	unsigned int mem_usage;
107	int status;
108	u8 bulk_addr;
109	u8 bulk_status;
110	};
111
112	static bool usbfs_snoop;
113	module_param(usbfs_snoop, bool, S_IRUGO | S_IWUSR);
114	MODULE_PARM_DESC(usbfs_snoop, "true to log all usbfs traffic");
115
116	static unsigned usbfs_snoop_max = 65536;
117	module_param(usbfs_snoop_max, uint, S_IRUGO | S_IWUSR);
118	MODULE_PARM_DESC(usbfs_snoop_max,
119	"maximum number of bytes to print while snooping");
120
121	#define snoop(dev, format, arg...) \
122	do { \
123	if (usbfs_snoop) \
124	dev_info(dev, format, ## arg); \
125	} while (0)
126
127	enum snoop_when {
128	SUBMIT, COMPLETE
129	};
130
131	#define USB_DEVICE_DEV MKDEV(USB_DEVICE_MAJOR, 0)
132
133	/* Limit on the total amount of memory we can allocate for transfers */
134	static u32 usbfs_memory_mb = 16;
135	module_param(usbfs_memory_mb, uint, 0644);
136	MODULE_PARM_DESC(usbfs_memory_mb,
137	"maximum MB allowed for usbfs buffers (0 = no limit)");
138
139	/* Hard limit, necessary to avoid arithmetic overflow */
140	#define USBFS_XFER_MAX (UINT_MAX / 2 - 1000000)
141
142	static DEFINE_SPINLOCK(usbfs_memory_usage_lock);
143	static u64 usbfs_memory_usage; /* Total memory currently allocated */
144
145	/* Check whether it's okay to allocate more memory for a transfer */
146	static int usbfs_increase_memory_usage(u64 amount)
147	{
148	u64 lim, total_mem;
149	unsigned long flags;
150	int ret;
151
152	lim = READ_ONCE(usbfs_memory_mb);
153	lim <<= 20;
154
155	ret = 0;
156	spin_lock_irqsave(&usbfs_memory_usage_lock, flags);
157	total_mem = usbfs_memory_usage + amount;
158	if (lim > 0 && total_mem > lim)
159	ret = -ENOMEM;
160	else
161	usbfs_memory_usage = total_mem;
162	spin_unlock_irqrestore(lock: &usbfs_memory_usage_lock, flags);
163
164	return ret;
165	}
166
167	/* Memory for a transfer is being deallocated */
168	static void usbfs_decrease_memory_usage(u64 amount)
169	{
170	unsigned long flags;
171
172	spin_lock_irqsave(&usbfs_memory_usage_lock, flags);
173	if (amount > usbfs_memory_usage)
174	usbfs_memory_usage = 0;
175	else
176	usbfs_memory_usage -= amount;
177	spin_unlock_irqrestore(lock: &usbfs_memory_usage_lock, flags);
178	}
179
180	static int connected(struct usb_dev_state *ps)
181	{
182	return (!list_empty(head: &ps->list) &&
183	ps->dev->state != USB_STATE_NOTATTACHED);
184	}
185
186	static void dec_usb_memory_use_count(struct usb_memory *usbm, int *count)
187	{
188	struct usb_dev_state *ps = usbm->ps;
189	struct usb_hcd *hcd = bus_to_hcd(bus: ps->dev->bus);
190	unsigned long flags;
191
192	spin_lock_irqsave(&ps->lock, flags);
193	--*count;
194	if (usbm->urb_use_count == 0 && usbm->vma_use_count == 0) {
195	list_del(entry: &usbm->memlist);
196	spin_unlock_irqrestore(lock: &ps->lock, flags);
197
198	hcd_buffer_free_pages(hcd, size: usbm->size,
199	addr: usbm->mem, dma: usbm->dma_handle);
200	usbfs_decrease_memory_usage(
201	amount: usbm->size + sizeof(struct usb_memory));
202	kfree(objp: usbm);
203	} else {
204	spin_unlock_irqrestore(lock: &ps->lock, flags);
205	}
206	}
207
208	static void usbdev_vm_open(struct vm_area_struct *vma)
209	{
210	struct usb_memory *usbm = vma->vm_private_data;
211	unsigned long flags;
212
213	spin_lock_irqsave(&usbm->ps->lock, flags);
214	++usbm->vma_use_count;
215	spin_unlock_irqrestore(lock: &usbm->ps->lock, flags);
216	}
217
218	static void usbdev_vm_close(struct vm_area_struct *vma)
219	{
220	struct usb_memory *usbm = vma->vm_private_data;
221
222	dec_usb_memory_use_count(usbm, count: &usbm->vma_use_count);
223	}
224
225	static const struct vm_operations_struct usbdev_vm_ops = {
226	.open = usbdev_vm_open,
227	.close = usbdev_vm_close
228	};
229
230	static int usbdev_mmap(struct file *file, struct vm_area_struct *vma)
231	{
232	struct usb_memory *usbm = NULL;
233	struct usb_dev_state *ps = file->private_data;
234	struct usb_hcd *hcd = bus_to_hcd(bus: ps->dev->bus);
235	size_t size = vma->vm_end - vma->vm_start;
236	void *mem;
237	unsigned long flags;
238	dma_addr_t dma_handle = DMA_MAPPING_ERROR;
239	int ret;
240
241	ret = usbfs_increase_memory_usage(amount: size + sizeof(struct usb_memory));
242	if (ret)
243	goto error;
244
245	usbm = kzalloc(size: sizeof(struct usb_memory), GFP_KERNEL);
246	if (!usbm) {
247	ret = -ENOMEM;
248	goto error_decrease_mem;
249	}
250
251	mem = hcd_buffer_alloc_pages(hcd,
252	size, GFP_USER | __GFP_NOWARN, dma: &dma_handle);
253	if (!mem) {
254	ret = -ENOMEM;
255	goto error_free_usbm;
256	}
257
258	memset(mem, 0, size);
259
260	usbm->mem = mem;
261	usbm->dma_handle = dma_handle;
262	usbm->size = size;
263	usbm->ps = ps;
264	usbm->vm_start = vma->vm_start;
265	usbm->vma_use_count = 1;
266	INIT_LIST_HEAD(list: &usbm->memlist);
267
268	/*
269	* In DMA-unavailable cases, hcd_buffer_alloc_pages allocates
270	* normal pages and assigns DMA_MAPPING_ERROR to dma_handle. Check
271	* whether we are in such cases, and then use remap_pfn_range (or
272	* dma_mmap_coherent) to map normal (or DMA) pages into the user
273	* space, respectively.
274	*/
275	if (dma_handle == DMA_MAPPING_ERROR) {
276	if (remap_pfn_range(vma, addr: vma->vm_start,
277	virt_to_phys(address: usbm->mem) >> PAGE_SHIFT,
278	size, vma->vm_page_prot) < 0) {
279	dec_usb_memory_use_count(usbm, count: &usbm->vma_use_count);
280	return -EAGAIN;
281	}
282	} else {
283	if (dma_mmap_coherent(hcd->self.sysdev, vma, mem, dma_handle,
284	size)) {
285	dec_usb_memory_use_count(usbm, count: &usbm->vma_use_count);
286	return -EAGAIN;
287	}
288	}
289
290	vm_flags_set(vma, VM_IO | VM_DONTEXPAND | VM_DONTDUMP);
291	vma->vm_ops = &usbdev_vm_ops;
292	vma->vm_private_data = usbm;
293
294	spin_lock_irqsave(&ps->lock, flags);
295	list_add_tail(new: &usbm->memlist, head: &ps->memory_list);
296	spin_unlock_irqrestore(lock: &ps->lock, flags);
297
298	return 0;
299
300	error_free_usbm:
301	kfree(objp: usbm);
302	error_decrease_mem:
303	usbfs_decrease_memory_usage(amount: size + sizeof(struct usb_memory));
304	error:
305	return ret;
306	}
307
308	static ssize_t usbdev_read(struct file *file, char __user *buf, size_t nbytes,
309	loff_t *ppos)
310	{
311	struct usb_dev_state *ps = file->private_data;
312	struct usb_device *dev = ps->dev;
313	ssize_t ret = 0;
314	unsigned len;
315	loff_t pos;
316	int i;
317
318	pos = *ppos;
319	usb_lock_device(dev);
320	if (!connected(ps)) {
321	ret = -ENODEV;
322	goto err;
323	} else if (pos < 0) {
324	ret = -EINVAL;
325	goto err;
326	}
327
328	if (pos < sizeof(struct usb_device_descriptor)) {
329	/* 18 bytes - fits on the stack */
330	struct usb_device_descriptor temp_desc;
331
332	memcpy(&temp_desc, &dev->descriptor, sizeof(dev->descriptor));
333	le16_to_cpus(&temp_desc.bcdUSB);
334	le16_to_cpus(&temp_desc.idVendor);
335	le16_to_cpus(&temp_desc.idProduct);
336	le16_to_cpus(&temp_desc.bcdDevice);
337
338	len = sizeof(struct usb_device_descriptor) - pos;
339	if (len > nbytes)
340	len = nbytes;
341	if (copy_to_user(to: buf, from: ((char *)&temp_desc) + pos, n: len)) {
342	ret = -EFAULT;
343	goto err;
344	}
345
346	*ppos += len;
347	buf += len;
348	nbytes -= len;
349	ret += len;
350	}
351
352	pos = sizeof(struct usb_device_descriptor);
353	for (i = 0; nbytes && i < dev->descriptor.bNumConfigurations; i++) {
354	struct usb_config_descriptor *config =
355	(struct usb_config_descriptor *)dev->rawdescriptors[i];
356	unsigned int length = le16_to_cpu(config->wTotalLength);
357
358	if (*ppos < pos + length) {
359
360	/* The descriptor may claim to be longer than it
361	* really is. Here is the actual allocated length. */
362	unsigned alloclen =
363	le16_to_cpu(dev->config[i].desc.wTotalLength);
364
365	len = length - (*ppos - pos);
366	if (len > nbytes)
367	len = nbytes;
368
369	/* Simply don't write (skip over) unallocated parts */
370	if (alloclen > (*ppos - pos)) {
371	alloclen -= (*ppos - pos);
372	if (copy_to_user(to: buf,
373	from: dev->rawdescriptors[i] + (*ppos - pos),
374	min(len, alloclen))) {
375	ret = -EFAULT;
376	goto err;
377	}
378	}
379
380	*ppos += len;
381	buf += len;
382	nbytes -= len;
383	ret += len;
384	}
385
386	pos += length;
387	}
388
389	err:
390	usb_unlock_device(dev);
391	return ret;
392	}
393
394	/*
395	* async list handling
396	*/
397
398	static struct async *alloc_async(unsigned int numisoframes)
399	{
400	struct async *as;
401
402	as = kzalloc(size: sizeof(struct async), GFP_KERNEL);
403	if (!as)
404	return NULL;
405	as->urb = usb_alloc_urb(iso_packets: numisoframes, GFP_KERNEL);
406	if (!as->urb) {
407	kfree(objp: as);
408	return NULL;
409	}
410	return as;
411	}
412
413	static void free_async(struct async *as)
414	{
415	int i;
416
417	put_pid(pid: as->pid);
418	if (as->cred)
419	put_cred(cred: as->cred);
420	for (i = 0; i < as->urb->num_sgs; i++) {
421	if (sg_page(sg: &as->urb->sg[i]))
422	kfree(objp: sg_virt(sg: &as->urb->sg[i]));
423	}
424
425	kfree(objp: as->urb->sg);
426	if (as->usbm == NULL)
427	kfree(objp: as->urb->transfer_buffer);
428	else
429	dec_usb_memory_use_count(usbm: as->usbm, count: &as->usbm->urb_use_count);
430
431	kfree(objp: as->urb->setup_packet);
432	usb_free_urb(urb: as->urb);
433	usbfs_decrease_memory_usage(amount: as->mem_usage);
434	kfree(objp: as);
435	}
436
437	static void async_newpending(struct async *as)
438	{
439	struct usb_dev_state *ps = as->ps;
440	unsigned long flags;
441
442	spin_lock_irqsave(&ps->lock, flags);
443	list_add_tail(new: &as->asynclist, head: &ps->async_pending);
444	spin_unlock_irqrestore(lock: &ps->lock, flags);
445	}
446
447	static void async_removepending(struct async *as)
448	{
449	struct usb_dev_state *ps = as->ps;
450	unsigned long flags;
451
452	spin_lock_irqsave(&ps->lock, flags);
453	list_del_init(entry: &as->asynclist);
454	spin_unlock_irqrestore(lock: &ps->lock, flags);
455	}
456
457	static struct async *async_getcompleted(struct usb_dev_state *ps)
458	{
459	unsigned long flags;
460	struct async *as = NULL;
461
462	spin_lock_irqsave(&ps->lock, flags);
463	if (!list_empty(head: &ps->async_completed)) {
464	as = list_entry(ps->async_completed.next, struct async,
465	asynclist);
466	list_del_init(entry: &as->asynclist);
467	}
468	spin_unlock_irqrestore(lock: &ps->lock, flags);
469	return as;
470	}
471
472	static struct async *async_getpending(struct usb_dev_state *ps,
473	void __user *userurb)
474	{
475	struct async *as;
476
477	list_for_each_entry(as, &ps->async_pending, asynclist)
478	if (as->userurb == userurb) {
479	list_del_init(entry: &as->asynclist);
480	return as;
481	}
482
483	return NULL;
484	}
485
486	static void snoop_urb(struct usb_device *udev,
487	void __user *userurb, int pipe, unsigned length,
488	int timeout_or_status, enum snoop_when when,
489	unsigned char *data, unsigned data_len)
490	{
491	static const char *types[] = {"isoc", "int", "ctrl", "bulk"};
492	static const char *dirs[] = {"out", "in"};
493	int ep;
494	const char *t, *d;
495
496	if (!usbfs_snoop)
497	return;
498
499	ep = usb_pipeendpoint(pipe);
500	t = types[usb_pipetype(pipe)];
501	d = dirs[!!usb_pipein(pipe)];
502
503	if (userurb) { /* Async */
504	if (when == SUBMIT)
505	dev_info(&udev->dev, "userurb %px, ep%d %s-%s, "
506	"length %u\n",
507	userurb, ep, t, d, length);
508	else
509	dev_info(&udev->dev, "userurb %px, ep%d %s-%s, "
510	"actual_length %u status %d\n",
511	userurb, ep, t, d, length,
512	timeout_or_status);
513	} else {
514	if (when == SUBMIT)
515	dev_info(&udev->dev, "ep%d %s-%s, length %u, "
516	"timeout %d\n",
517	ep, t, d, length, timeout_or_status);
518	else
519	dev_info(&udev->dev, "ep%d %s-%s, actual_length %u, "
520	"status %d\n",
521	ep, t, d, length, timeout_or_status);
522	}
523
524	data_len = min(data_len, usbfs_snoop_max);
525	if (data && data_len > 0) {
526	print_hex_dump(KERN_DEBUG, prefix_str: "data: ", prefix_type: DUMP_PREFIX_NONE, rowsize: 32, groupsize: 1,
527	buf: data, len: data_len, ascii: 1);
528	}
529	}
530
531	static void snoop_urb_data(struct urb *urb, unsigned len)
532	{
533	int i, size;
534
535	len = min(len, usbfs_snoop_max);
536	if (!usbfs_snoop || len == 0)
537	return;
538
539	if (urb->num_sgs == 0) {
540	print_hex_dump(KERN_DEBUG, prefix_str: "data: ", prefix_type: DUMP_PREFIX_NONE, rowsize: 32, groupsize: 1,
541	buf: urb->transfer_buffer, len, ascii: 1);
542	return;
543	}
544
545	for (i = 0; i < urb->num_sgs && len; i++) {
546	size = (len > USB_SG_SIZE) ? USB_SG_SIZE : len;
547	print_hex_dump(KERN_DEBUG, prefix_str: "data: ", prefix_type: DUMP_PREFIX_NONE, rowsize: 32, groupsize: 1,
548	buf: sg_virt(sg: &urb->sg[i]), len: size, ascii: 1);
549	len -= size;
550	}
551	}
552
553	static int copy_urb_data_to_user(u8 __user *userbuffer, struct urb *urb)
554	{
555	unsigned i, len, size;
556
557	if (urb->number_of_packets > 0) /* Isochronous */
558	len = urb->transfer_buffer_length;
559	else /* Non-Isoc */
560	len = urb->actual_length;
561
562	if (urb->num_sgs == 0) {
563	if (copy_to_user(to: userbuffer, from: urb->transfer_buffer, n: len))
564	return -EFAULT;
565	return 0;
566	}
567
568	for (i = 0; i < urb->num_sgs && len; i++) {
569	size = (len > USB_SG_SIZE) ? USB_SG_SIZE : len;
570	if (copy_to_user(to: userbuffer, from: sg_virt(sg: &urb->sg[i]), n: size))
571	return -EFAULT;
572	userbuffer += size;
573	len -= size;
574	}
575
576	return 0;
577	}
578
579	#define AS_CONTINUATION 1
580	#define AS_UNLINK 2
581
582	static void cancel_bulk_urbs(struct usb_dev_state *ps, unsigned bulk_addr)
583	__releases(ps->lock)
584	__acquires(ps->lock)
585	{
586	struct urb *urb;
587	struct async *as;
588
589	/* Mark all the pending URBs that match bulk_addr, up to but not
590	* including the first one without AS_CONTINUATION. If such an
591	* URB is encountered then a new transfer has already started so
592	* the endpoint doesn't need to be disabled; otherwise it does.
593	*/
594	list_for_each_entry(as, &ps->async_pending, asynclist) {
595	if (as->bulk_addr == bulk_addr) {
596	if (as->bulk_status != AS_CONTINUATION)
597	goto rescan;
598	as->bulk_status = AS_UNLINK;
599	as->bulk_addr = 0;
600	}
601	}
602	ps->disabled_bulk_eps |= (1 << bulk_addr);
603
604	/* Now carefully unlink all the marked pending URBs */
605	rescan:
606	list_for_each_entry_reverse(as, &ps->async_pending, asynclist) {
607	if (as->bulk_status == AS_UNLINK) {
608	as->bulk_status = 0; /* Only once */
609	urb = as->urb;
610	usb_get_urb(urb);
611	spin_unlock(lock: &ps->lock); /* Allow completions */
612	usb_unlink_urb(urb);
613	usb_put_urb(urb);
614	spin_lock(lock: &ps->lock);
615	goto rescan;
616	}
617	}
618	}
619
620	static void async_completed(struct urb *urb)
621	{
622	struct async *as = urb->context;
623	struct usb_dev_state *ps = as->ps;
624	struct pid *pid = NULL;
625	const struct cred *cred = NULL;
626	unsigned long flags;
627	sigval_t addr;
628	int signr, errno;
629
630	spin_lock_irqsave(&ps->lock, flags);
631	list_move_tail(list: &as->asynclist, head: &ps->async_completed);
632	as->status = urb->status;
633	signr = as->signr;
634	if (signr) {
635	errno = as->status;
636	addr = as->userurb_sigval;
637	pid = get_pid(pid: as->pid);
638	cred = get_cred(cred: as->cred);
639	}
640	snoop(&urb->dev->dev, "urb complete\n");
641	snoop_urb(udev: urb->dev, userurb: as->userurb, pipe: urb->pipe, length: urb->actual_length,
642	timeout_or_status: as->status, when: COMPLETE, NULL, data_len: 0);
643	if (usb_urb_dir_in(urb))
644	snoop_urb_data(urb, len: urb->actual_length);
645
646	if (as->status < 0 && as->bulk_addr && as->status != -ECONNRESET &&
647	as->status != -ENOENT)
648	cancel_bulk_urbs(ps, bulk_addr: as->bulk_addr);
649
650	wake_up(&ps->wait);
651	spin_unlock_irqrestore(lock: &ps->lock, flags);
652
653	if (signr) {
654	kill_pid_usb_asyncio(sig: signr, errno, addr, pid, cred);
655	put_pid(pid);
656	put_cred(cred);
657	}
658	}
659
660	static void destroy_async(struct usb_dev_state *ps, struct list_head *list)
661	{
662	struct urb *urb;
663	struct async *as;
664	unsigned long flags;
665
666	spin_lock_irqsave(&ps->lock, flags);
667	while (!list_empty(head: list)) {
668	as = list_last_entry(list, struct async, asynclist);
669	list_del_init(entry: &as->asynclist);
670	urb = as->urb;
671	usb_get_urb(urb);
672
673	/* drop the spinlock so the completion handler can run */
674	spin_unlock_irqrestore(lock: &ps->lock, flags);
675	usb_kill_urb(urb);
676	usb_put_urb(urb);
677	spin_lock_irqsave(&ps->lock, flags);
678	}
679	spin_unlock_irqrestore(lock: &ps->lock, flags);
680	}
681
682	static void destroy_async_on_interface(struct usb_dev_state *ps,
683	unsigned int ifnum)
684	{
685	struct list_head *p, *q, hitlist;
686	unsigned long flags;
687
688	INIT_LIST_HEAD(list: &hitlist);
689	spin_lock_irqsave(&ps->lock, flags);
690	list_for_each_safe(p, q, &ps->async_pending)
691	if (ifnum == list_entry(p, struct async, asynclist)->ifnum)
692	list_move_tail(list: p, head: &hitlist);
693	spin_unlock_irqrestore(lock: &ps->lock, flags);
694	destroy_async(ps, list: &hitlist);
695	}
696
697	static void destroy_all_async(struct usb_dev_state *ps)
698	{
699	destroy_async(ps, list: &ps->async_pending);
700	}
701
702	/*
703	* interface claims are made only at the request of user level code,
704	* which can also release them (explicitly or by closing files).
705	* they're also undone when devices disconnect.
706	*/
707
708	static int driver_probe(struct usb_interface *intf,
709	const struct usb_device_id *id)
710	{
711	return -ENODEV;
712	}
713
714	static void driver_disconnect(struct usb_interface *intf)
715	{
716	struct usb_dev_state *ps = usb_get_intfdata(intf);
717	unsigned int ifnum = intf->altsetting->desc.bInterfaceNumber;
718
719	if (!ps)
720	return;
721
722	/* NOTE: this relies on usbcore having canceled and completed
723	* all pending I/O requests; 2.6 does that.
724	*/
725
726	if (likely(ifnum < 8*sizeof(ps->ifclaimed)))
727	clear_bit(nr: ifnum, addr: &ps->ifclaimed);
728	else
729	dev_warn(&intf->dev, "interface number %u out of range\n",
730	ifnum);
731
732	usb_set_intfdata(intf, NULL);
733
734	/* force async requests to complete */
735	destroy_async_on_interface(ps, ifnum);
736	}
737
738	/* We don't care about suspend/resume of claimed interfaces */
739	static int driver_suspend(struct usb_interface *intf, pm_message_t msg)
740	{
741	return 0;
742	}
743
744	static int driver_resume(struct usb_interface *intf)
745	{
746	return 0;
747	}
748
749	#ifdef CONFIG_PM
750	/* The following routines apply to the entire device, not interfaces */
751	void usbfs_notify_suspend(struct usb_device *udev)
752	{
753	/* We don't need to handle this */
754	}
755
756	void usbfs_notify_resume(struct usb_device *udev)
757	{
758	struct usb_dev_state *ps;
759
760	/* Protect against simultaneous remove or release */
761	mutex_lock(&usbfs_mutex);
762	list_for_each_entry(ps, &udev->filelist, list) {
763	WRITE_ONCE(ps->not_yet_resumed, 0);
764	wake_up_all(&ps->wait_for_resume);
765	}
766	mutex_unlock(lock: &usbfs_mutex);
767	}
768	#endif
769
770	struct usb_driver usbfs_driver = {
771	.name = "usbfs",
772	.probe = driver_probe,
773	.disconnect = driver_disconnect,
774	.suspend = driver_suspend,
775	.resume = driver_resume,
776	.supports_autosuspend = 1,
777	};
778
779	static int claimintf(struct usb_dev_state *ps, unsigned int ifnum)
780	{
781	struct usb_device *dev = ps->dev;
782	struct usb_interface *intf;
783	int err;
784
785	if (ifnum >= 8*sizeof(ps->ifclaimed))
786	return -EINVAL;
787	/* already claimed */
788	if (test_bit(ifnum, &ps->ifclaimed))
789	return 0;
790
791	if (ps->privileges_dropped &&
792	!test_bit(ifnum, &ps->interface_allowed_mask))
793	return -EACCES;
794
795	intf = usb_ifnum_to_if(dev, ifnum);
796	if (!intf)
797	err = -ENOENT;
798	else {
799	unsigned int old_suppress;
800
801	/* suppress uevents while claiming interface */
802	old_suppress = dev_get_uevent_suppress(dev: &intf->dev);
803	dev_set_uevent_suppress(dev: &intf->dev, val: 1);
804	err = usb_driver_claim_interface(driver: &usbfs_driver, iface: intf, data: ps);
805	dev_set_uevent_suppress(dev: &intf->dev, val: old_suppress);
806	}
807	if (err == 0)
808	set_bit(nr: ifnum, addr: &ps->ifclaimed);
809	return err;
810	}
811
812	static int releaseintf(struct usb_dev_state *ps, unsigned int ifnum)
813	{
814	struct usb_device *dev;
815	struct usb_interface *intf;
816	int err;
817
818	err = -EINVAL;
819	if (ifnum >= 8*sizeof(ps->ifclaimed))
820	return err;
821	dev = ps->dev;
822	intf = usb_ifnum_to_if(dev, ifnum);
823	if (!intf)
824	err = -ENOENT;
825	else if (test_and_clear_bit(nr: ifnum, addr: &ps->ifclaimed)) {
826	unsigned int old_suppress;
827
828	/* suppress uevents while releasing interface */
829	old_suppress = dev_get_uevent_suppress(dev: &intf->dev);
830	dev_set_uevent_suppress(dev: &intf->dev, val: 1);
831	usb_driver_release_interface(driver: &usbfs_driver, iface: intf);
832	dev_set_uevent_suppress(dev: &intf->dev, val: old_suppress);
833	err = 0;
834	}
835	return err;
836	}
837
838	static int checkintf(struct usb_dev_state *ps, unsigned int ifnum)
839	{
840	if (ps->dev->state != USB_STATE_CONFIGURED)
841	return -EHOSTUNREACH;
842	if (ifnum >= 8*sizeof(ps->ifclaimed))
843	return -EINVAL;
844	if (test_bit(ifnum, &ps->ifclaimed))
845	return 0;
846	/* if not yet claimed, claim it for the driver */
847	dev_warn(&ps->dev->dev, "usbfs: process %d (%s) did not claim "
848	"interface %u before use\n", task_pid_nr(current),
849	current->comm, ifnum);
850	return claimintf(ps, ifnum);
851	}
852
853	static int findintfep(struct usb_device *dev, unsigned int ep)
854	{
855	unsigned int i, j, e;
856	struct usb_interface *intf;
857	struct usb_host_interface *alts;
858	struct usb_endpoint_descriptor *endpt;
859
860	if (ep & ~(USB_DIR_IN|0xf))
861	return -EINVAL;
862	if (!dev->actconfig)
863	return -ESRCH;
864	for (i = 0; i < dev->actconfig->desc.bNumInterfaces; i++) {
865	intf = dev->actconfig->interface[i];
866	for (j = 0; j < intf->num_altsetting; j++) {
867	alts = &intf->altsetting[j];
868	for (e = 0; e < alts->desc.bNumEndpoints; e++) {
869	endpt = &alts->endpoint[e].desc;
870	if (endpt->bEndpointAddress == ep)
871	return alts->desc.bInterfaceNumber;
872	}
873	}
874	}
875	return -ENOENT;
876	}
877
878	static int check_ctrlrecip(struct usb_dev_state *ps, unsigned int requesttype,
879	unsigned int request, unsigned int index)
880	{
881	int ret = 0;
882	struct usb_host_interface *alt_setting;
883
884	if (ps->dev->state != USB_STATE_UNAUTHENTICATED
885	&& ps->dev->state != USB_STATE_ADDRESS
886	&& ps->dev->state != USB_STATE_CONFIGURED)
887	return -EHOSTUNREACH;
888	if (USB_TYPE_VENDOR == (USB_TYPE_MASK & requesttype))
889	return 0;
890
891	/*
892	* check for the special corner case 'get_device_id' in the printer
893	* class specification, which we always want to allow as it is used
894	* to query things like ink level, etc.
895	*/
896	if (requesttype == 0xa1 && request == 0) {
897	alt_setting = usb_find_alt_setting(config: ps->dev->actconfig,
898	iface_num: index >> 8, alt_num: index & 0xff);
899	if (alt_setting
900	&& alt_setting->desc.bInterfaceClass == USB_CLASS_PRINTER)
901	return 0;
902	}
903
904	index &= 0xff;
905	switch (requesttype & USB_RECIP_MASK) {
906	case USB_RECIP_ENDPOINT:
907	if ((index & ~USB_DIR_IN) == 0)
908	return 0;
909	ret = findintfep(dev: ps->dev, ep: index);
910	if (ret < 0) {
911	/*
912	* Some not fully compliant Win apps seem to get
913	* index wrong and have the endpoint number here
914	* rather than the endpoint address (with the
915	* correct direction). Win does let this through,
916	* so we'll not reject it here but leave it to
917	* the device to not break KVM. But we warn.
918	*/
919	ret = findintfep(dev: ps->dev, ep: index ^ 0x80);
920	if (ret >= 0)
921	dev_info(&ps->dev->dev,
922	"%s: process %i (%s) requesting ep %02x but needs %02x\n",
923	__func__, task_pid_nr(current),
924	current->comm, index, index ^ 0x80);
925	}
926	if (ret >= 0)
927	ret = checkintf(ps, ifnum: ret);
928	break;
929
930	case USB_RECIP_INTERFACE:
931	ret = checkintf(ps, ifnum: index);
932	break;
933	}
934	return ret;
935	}
936
937	static struct usb_host_endpoint *ep_to_host_endpoint(struct usb_device *dev,
938	unsigned char ep)
939	{
940	if (ep & USB_ENDPOINT_DIR_MASK)
941	return dev->ep_in[ep & USB_ENDPOINT_NUMBER_MASK];
942	else
943	return dev->ep_out[ep & USB_ENDPOINT_NUMBER_MASK];
944	}
945
946	static int parse_usbdevfs_streams(struct usb_dev_state *ps,
947	struct usbdevfs_streams __user *streams,
948	unsigned int *num_streams_ret,
949	unsigned int *num_eps_ret,
950	struct usb_host_endpoint ***eps_ret,
951	struct usb_interface **intf_ret)
952	{
953	unsigned int i, num_streams, num_eps;
954	struct usb_host_endpoint **eps;
955	struct usb_interface *intf = NULL;
956	unsigned char ep;
957	int ifnum, ret;
958
959	if (get_user(num_streams, &streams->num_streams) ||
960	get_user(num_eps, &streams->num_eps))
961	return -EFAULT;
962
963	if (num_eps < 1 || num_eps > USB_MAXENDPOINTS)
964	return -EINVAL;
965
966	/* The XHCI controller allows max 2 ^ 16 streams */
967	if (num_streams_ret && (num_streams < 2 || num_streams > 65536))
968	return -EINVAL;
969
970	eps = kmalloc_array(n: num_eps, size: sizeof(*eps), GFP_KERNEL);
971	if (!eps)
972	return -ENOMEM;
973
974	for (i = 0; i < num_eps; i++) {
975	if (get_user(ep, &streams->eps[i])) {
976	ret = -EFAULT;
977	goto error;
978	}
979	eps[i] = ep_to_host_endpoint(dev: ps->dev, ep);
980	if (!eps[i]) {
981	ret = -EINVAL;
982	goto error;
983	}
984
985	/* usb_alloc/free_streams operate on an usb_interface */
986	ifnum = findintfep(dev: ps->dev, ep);
987	if (ifnum < 0) {
988	ret = ifnum;
989	goto error;
990	}
991
992	if (i == 0) {
993	ret = checkintf(ps, ifnum);
994	if (ret < 0)
995	goto error;
996	intf = usb_ifnum_to_if(dev: ps->dev, ifnum);
997	} else {
998	/* Verify all eps belong to the same interface */
999	if (ifnum != intf->altsetting->desc.bInterfaceNumber) {
1000	ret = -EINVAL;
1001	goto error;
1002	}
1003	}
1004	}
1005
1006	if (num_streams_ret)
1007	*num_streams_ret = num_streams;
1008	*num_eps_ret = num_eps;
1009	*eps_ret = eps;
1010	*intf_ret = intf;
1011
1012	return 0;
1013
1014	error:
1015	kfree(objp: eps);
1016	return ret;
1017	}
1018
1019	static struct usb_device *usbdev_lookup_by_devt(dev_t devt)
1020	{
1021	struct device *dev;
1022
1023	dev = bus_find_device_by_devt(bus: &usb_bus_type, devt);
1024	if (!dev)
1025	return NULL;
1026	return to_usb_device(dev);
1027	}
1028
1029	/*
1030	* file operations
1031	*/
1032	static int usbdev_open(struct inode *inode, struct file *file)
1033	{
1034	struct usb_device *dev = NULL;
1035	struct usb_dev_state *ps;
1036	int ret;
1037
1038	ret = -ENOMEM;
1039	ps = kzalloc(size: sizeof(struct usb_dev_state), GFP_KERNEL);
1040	if (!ps)
1041	goto out_free_ps;
1042
1043	ret = -ENODEV;
1044
1045	/* usbdev device-node */
1046	if (imajor(inode) == USB_DEVICE_MAJOR)
1047	dev = usbdev_lookup_by_devt(devt: inode->i_rdev);
1048	if (!dev)
1049	goto out_free_ps;
1050
1051	usb_lock_device(dev);
1052	if (dev->state == USB_STATE_NOTATTACHED)
1053	goto out_unlock_device;
1054
1055	ret = usb_autoresume_device(udev: dev);
1056	if (ret)
1057	goto out_unlock_device;
1058
1059	ps->dev = dev;
1060	ps->file = file;
1061	ps->interface_allowed_mask = 0xFFFFFFFF; /* 32 bits */
1062	spin_lock_init(&ps->lock);
1063	INIT_LIST_HEAD(list: &ps->list);
1064	INIT_LIST_HEAD(list: &ps->async_pending);
1065	INIT_LIST_HEAD(list: &ps->async_completed);
1066	INIT_LIST_HEAD(list: &ps->memory_list);
1067	init_waitqueue_head(&ps->wait);
1068	init_waitqueue_head(&ps->wait_for_resume);
1069	ps->disc_pid = get_pid(pid: task_pid(current));
1070	ps->cred = get_current_cred();
1071	smp_wmb();
1072
1073	/* Can't race with resume; the device is already active */
1074	list_add_tail(new: &ps->list, head: &dev->filelist);
1075	file->private_data = ps;
1076	usb_unlock_device(dev);
1077	snoop(&dev->dev, "opened by process %d: %s\n", task_pid_nr(current),
1078	current->comm);
1079	return ret;
1080
1081	out_unlock_device:
1082	usb_unlock_device(dev);
1083	usb_put_dev(dev);
1084	out_free_ps:
1085	kfree(objp: ps);
1086	return ret;
1087	}
1088
1089	static int usbdev_release(struct inode *inode, struct file *file)
1090	{
1091	struct usb_dev_state *ps = file->private_data;
1092	struct usb_device *dev = ps->dev;
1093	unsigned int ifnum;
1094	struct async *as;
1095
1096	usb_lock_device(dev);
1097	usb_hub_release_all_ports(hdev: dev, owner: ps);
1098
1099	/* Protect against simultaneous resume */
1100	mutex_lock(&usbfs_mutex);
1101	list_del_init(entry: &ps->list);
1102	mutex_unlock(lock: &usbfs_mutex);
1103
1104	for (ifnum = 0; ps->ifclaimed && ifnum < 8*sizeof(ps->ifclaimed);
1105	ifnum++) {
1106	if (test_bit(ifnum, &ps->ifclaimed))
1107	releaseintf(ps, ifnum);
1108	}
1109	destroy_all_async(ps);
1110	if (!ps->suspend_allowed)
1111	usb_autosuspend_device(udev: dev);
1112	usb_unlock_device(dev);
1113	usb_put_dev(dev);
1114	put_pid(pid: ps->disc_pid);
1115	put_cred(cred: ps->cred);
1116
1117	as = async_getcompleted(ps);
1118	while (as) {
1119	free_async(as);
1120	as = async_getcompleted(ps);
1121	}
1122
1123	kfree(objp: ps);
1124	return 0;
1125	}
1126
1127	static void usbfs_blocking_completion(struct urb *urb)
1128	{
1129	complete((struct completion *) urb->context);
1130	}
1131
1132	/*
1133	* Much like usb_start_wait_urb, but returns status separately from
1134	* actual_length and uses a killable wait.
1135	*/
1136	static int usbfs_start_wait_urb(struct urb *urb, int timeout,
1137	unsigned int *actlen)
1138	{
1139	DECLARE_COMPLETION_ONSTACK(ctx);
1140	unsigned long expire;
1141	int rc;
1142
1143	urb->context = &ctx;
1144	urb->complete = usbfs_blocking_completion;
1145	*actlen = 0;
1146	rc = usb_submit_urb(urb, GFP_KERNEL);
1147	if (unlikely(rc))
1148	return rc;
1149
1150	expire = (timeout ? msecs_to_jiffies(m: timeout) : MAX_SCHEDULE_TIMEOUT);
1151	rc = wait_for_completion_killable_timeout(x: &ctx, timeout: expire);
1152	if (rc <= 0) {
1153	usb_kill_urb(urb);
1154	*actlen = urb->actual_length;
1155	if (urb->status != -ENOENT)
1156	; /* Completed before it was killed */
1157	else if (rc < 0)
1158	return -EINTR;
1159	else
1160	return -ETIMEDOUT;
1161	}
1162	*actlen = urb->actual_length;
1163	return urb->status;
1164	}
1165
1166	static int do_proc_control(struct usb_dev_state *ps,
1167	struct usbdevfs_ctrltransfer *ctrl)
1168	{
1169	struct usb_device *dev = ps->dev;
1170	unsigned int tmo;
1171	unsigned char *tbuf;
1172	unsigned int wLength, actlen;
1173	int i, pipe, ret;
1174	struct urb *urb = NULL;
1175	struct usb_ctrlrequest *dr = NULL;
1176
1177	ret = check_ctrlrecip(ps, requesttype: ctrl->bRequestType, request: ctrl->bRequest,
1178	index: ctrl->wIndex);
1179	if (ret)
1180	return ret;
1181	wLength = ctrl->wLength; /* To suppress 64k PAGE_SIZE warning */
1182	if (wLength > PAGE_SIZE)
1183	return -EINVAL;
1184	ret = usbfs_increase_memory_usage(PAGE_SIZE + sizeof(struct urb) +
1185	sizeof(struct usb_ctrlrequest));
1186	if (ret)
1187	return ret;
1188
1189	ret = -ENOMEM;
1190	tbuf = (unsigned char *)__get_free_page(GFP_KERNEL);
1191	if (!tbuf)
1192	goto done;
1193	urb = usb_alloc_urb(iso_packets: 0, GFP_NOIO);
1194	if (!urb)
1195	goto done;
1196	dr = kmalloc(size: sizeof(struct usb_ctrlrequest), GFP_NOIO);
1197	if (!dr)
1198	goto done;
1199
1200	dr->bRequestType = ctrl->bRequestType;
1201	dr->bRequest = ctrl->bRequest;
1202	dr->wValue = cpu_to_le16(ctrl->wValue);
1203	dr->wIndex = cpu_to_le16(ctrl->wIndex);
1204	dr->wLength = cpu_to_le16(ctrl->wLength);
1205
1206	tmo = ctrl->timeout;
1207	snoop(&dev->dev, "control urb: bRequestType=%02x "
1208	"bRequest=%02x wValue=%04x "
1209	"wIndex=%04x wLength=%04x\n",
1210	ctrl->bRequestType, ctrl->bRequest, ctrl->wValue,
1211	ctrl->wIndex, ctrl->wLength);
1212
1213	if ((ctrl->bRequestType & USB_DIR_IN) && wLength) {
1214	pipe = usb_rcvctrlpipe(dev, 0);
1215	usb_fill_control_urb(urb, dev, pipe, setup_packet: (unsigned char *) dr, transfer_buffer: tbuf,
1216	buffer_length: wLength, NULL, NULL);
1217	snoop_urb(udev: dev, NULL, pipe, length: wLength, timeout_or_status: tmo, when: SUBMIT, NULL, data_len: 0);
1218
1219	usb_unlock_device(dev);
1220	i = usbfs_start_wait_urb(urb, timeout: tmo, actlen: &actlen);
1221
1222	/* Linger a bit, prior to the next control message. */
1223	if (dev->quirks & USB_QUIRK_DELAY_CTRL_MSG)
1224	msleep(msecs: 200);
1225	usb_lock_device(dev);
1226	snoop_urb(udev: dev, NULL, pipe, length: actlen, timeout_or_status: i, when: COMPLETE, data: tbuf, data_len: actlen);
1227	if (!i && actlen) {
1228	if (copy_to_user(to: ctrl->data, from: tbuf, n: actlen)) {
1229	ret = -EFAULT;
1230	goto done;
1231	}
1232	}
1233	} else {
1234	if (wLength) {
1235	if (copy_from_user(to: tbuf, from: ctrl->data, n: wLength)) {
1236	ret = -EFAULT;
1237	goto done;
1238	}
1239	}
1240	pipe = usb_sndctrlpipe(dev, 0);
1241	usb_fill_control_urb(urb, dev, pipe, setup_packet: (unsigned char *) dr, transfer_buffer: tbuf,
1242	buffer_length: wLength, NULL, NULL);
1243	snoop_urb(udev: dev, NULL, pipe, length: wLength, timeout_or_status: tmo, when: SUBMIT, data: tbuf, data_len: wLength);
1244
1245	usb_unlock_device(dev);
1246	i = usbfs_start_wait_urb(urb, timeout: tmo, actlen: &actlen);
1247
1248	/* Linger a bit, prior to the next control message. */
1249	if (dev->quirks & USB_QUIRK_DELAY_CTRL_MSG)
1250	msleep(msecs: 200);
1251	usb_lock_device(dev);
1252	snoop_urb(udev: dev, NULL, pipe, length: actlen, timeout_or_status: i, when: COMPLETE, NULL, data_len: 0);
1253	}
1254	if (i < 0 && i != -EPIPE) {
1255	dev_printk(KERN_DEBUG, &dev->dev, "usbfs: USBDEVFS_CONTROL "
1256	"failed cmd %s rqt %u rq %u len %u ret %d\n",
1257	current->comm, ctrl->bRequestType, ctrl->bRequest,
1258	ctrl->wLength, i);
1259	}
1260	ret = (i < 0 ? i : actlen);
1261
1262	done:
1263	kfree(objp: dr);
1264	usb_free_urb(urb);
1265	free_page((unsigned long) tbuf);
1266	usbfs_decrease_memory_usage(PAGE_SIZE + sizeof(struct urb) +
1267	sizeof(struct usb_ctrlrequest));
1268	return ret;
1269	}
1270
1271	static int proc_control(struct usb_dev_state *ps, void __user *arg)
1272	{
1273	struct usbdevfs_ctrltransfer ctrl;
1274
1275	if (copy_from_user(to: &ctrl, from: arg, n: sizeof(ctrl)))
1276	return -EFAULT;
1277	return do_proc_control(ps, ctrl: &ctrl);
1278	}
1279
1280	static int do_proc_bulk(struct usb_dev_state *ps,
1281	struct usbdevfs_bulktransfer *bulk)
1282	{
1283	struct usb_device *dev = ps->dev;
1284	unsigned int tmo, len1, len2, pipe;
1285	unsigned char *tbuf;
1286	int i, ret;
1287	struct urb *urb = NULL;
1288	struct usb_host_endpoint *ep;
1289
1290	ret = findintfep(dev: ps->dev, ep: bulk->ep);
1291	if (ret < 0)
1292	return ret;
1293	ret = checkintf(ps, ifnum: ret);
1294	if (ret)
1295	return ret;
1296
1297	len1 = bulk->len;
1298	if (len1 < 0 || len1 >= (INT_MAX - sizeof(struct urb)))
1299	return -EINVAL;
1300
1301	if (bulk->ep & USB_DIR_IN)
1302	pipe = usb_rcvbulkpipe(dev, bulk->ep & 0x7f);
1303	else
1304	pipe = usb_sndbulkpipe(dev, bulk->ep & 0x7f);
1305	ep = usb_pipe_endpoint(dev, pipe);
1306	if (!ep || !usb_endpoint_maxp(epd: &ep->desc))
1307	return -EINVAL;
1308	ret = usbfs_increase_memory_usage(amount: len1 + sizeof(struct urb));
1309	if (ret)
1310	return ret;
1311
1312	/*
1313	* len1 can be almost arbitrarily large. Don't WARN if it's
1314	* too big, just fail the request.
1315	*/
1316	ret = -ENOMEM;
1317	tbuf = kmalloc(size: len1, GFP_KERNEL | __GFP_NOWARN);
1318	if (!tbuf)
1319	goto done;
1320	urb = usb_alloc_urb(iso_packets: 0, GFP_KERNEL);
1321	if (!urb)
1322	goto done;
1323
1324	if ((ep->desc.bmAttributes & USB_ENDPOINT_XFERTYPE_MASK) ==
1325	USB_ENDPOINT_XFER_INT) {
1326	pipe = (pipe & ~(3 << 30)) | (PIPE_INTERRUPT << 30);
1327	usb_fill_int_urb(urb, dev, pipe, transfer_buffer: tbuf, buffer_length: len1,
1328	NULL, NULL, interval: ep->desc.bInterval);
1329	} else {
1330	usb_fill_bulk_urb(urb, dev, pipe, transfer_buffer: tbuf, buffer_length: len1, NULL, NULL);
1331	}
1332
1333	tmo = bulk->timeout;
1334	if (bulk->ep & 0x80) {
1335	snoop_urb(udev: dev, NULL, pipe, length: len1, timeout_or_status: tmo, when: SUBMIT, NULL, data_len: 0);
1336
1337	usb_unlock_device(dev);
1338	i = usbfs_start_wait_urb(urb, timeout: tmo, actlen: &len2);
1339	usb_lock_device(dev);
1340	snoop_urb(udev: dev, NULL, pipe, length: len2, timeout_or_status: i, when: COMPLETE, data: tbuf, data_len: len2);
1341
1342	if (!i && len2) {
1343	if (copy_to_user(to: bulk->data, from: tbuf, n: len2)) {
1344	ret = -EFAULT;
1345	goto done;
1346	}
1347	}
1348	} else {
1349	if (len1) {
1350	if (copy_from_user(to: tbuf, from: bulk->data, n: len1)) {
1351	ret = -EFAULT;
1352	goto done;
1353	}
1354	}
1355	snoop_urb(udev: dev, NULL, pipe, length: len1, timeout_or_status: tmo, when: SUBMIT, data: tbuf, data_len: len1);
1356
1357	usb_unlock_device(dev);
1358	i = usbfs_start_wait_urb(urb, timeout: tmo, actlen: &len2);
1359	usb_lock_device(dev);
1360	snoop_urb(udev: dev, NULL, pipe, length: len2, timeout_or_status: i, when: COMPLETE, NULL, data_len: 0);
1361	}
1362	ret = (i < 0 ? i : len2);
1363	done:
1364	usb_free_urb(urb);
1365	kfree(objp: tbuf);
1366	usbfs_decrease_memory_usage(amount: len1 + sizeof(struct urb));
1367	return ret;
1368	}
1369
1370	static int proc_bulk(struct usb_dev_state *ps, void __user *arg)
1371	{
1372	struct usbdevfs_bulktransfer bulk;
1373
1374	if (copy_from_user(to: &bulk, from: arg, n: sizeof(bulk)))
1375	return -EFAULT;
1376	return do_proc_bulk(ps, bulk: &bulk);
1377	}
1378
1379	static void check_reset_of_active_ep(struct usb_device *udev,
1380	unsigned int epnum, char *ioctl_name)
1381	{
1382	struct usb_host_endpoint **eps;
1383	struct usb_host_endpoint *ep;
1384
1385	eps = (epnum & USB_DIR_IN) ? udev->ep_in : udev->ep_out;
1386	ep = eps[epnum & 0x0f];
1387	if (ep && !list_empty(head: &ep->urb_list))
1388	dev_warn(&udev->dev, "Process %d (%s) called USBDEVFS_%s for active endpoint 0x%02x\n",
1389	task_pid_nr(current), current->comm,
1390	ioctl_name, epnum);
1391	}
1392
1393	static int proc_resetep(struct usb_dev_state *ps, void __user *arg)
1394	{
1395	unsigned int ep;
1396	int ret;
1397
1398	if (get_user(ep, (unsigned int __user *)arg))
1399	return -EFAULT;
1400	ret = findintfep(dev: ps->dev, ep);
1401	if (ret < 0)
1402	return ret;
1403	ret = checkintf(ps, ifnum: ret);
1404	if (ret)
1405	return ret;
1406	check_reset_of_active_ep(udev: ps->dev, epnum: ep, ioctl_name: "RESETEP");
1407	usb_reset_endpoint(dev: ps->dev, epaddr: ep);
1408	return 0;
1409	}
1410
1411	static int proc_clearhalt(struct usb_dev_state *ps, void __user *arg)
1412	{
1413	unsigned int ep;
1414	int pipe;
1415	int ret;
1416
1417	if (get_user(ep, (unsigned int __user *)arg))
1418	return -EFAULT;
1419	ret = findintfep(dev: ps->dev, ep);
1420	if (ret < 0)
1421	return ret;
1422	ret = checkintf(ps, ifnum: ret);
1423	if (ret)
1424	return ret;
1425	check_reset_of_active_ep(udev: ps->dev, epnum: ep, ioctl_name: "CLEAR_HALT");
1426	if (ep & USB_DIR_IN)
1427	pipe = usb_rcvbulkpipe(ps->dev, ep & 0x7f);
1428	else
1429	pipe = usb_sndbulkpipe(ps->dev, ep & 0x7f);
1430
1431	return usb_clear_halt(dev: ps->dev, pipe);
1432	}
1433
1434	static int proc_getdriver(struct usb_dev_state *ps, void __user *arg)
1435	{
1436	struct usbdevfs_getdriver gd;
1437	struct usb_interface *intf;
1438	int ret;
1439
1440	if (copy_from_user(to: &gd, from: arg, n: sizeof(gd)))
1441	return -EFAULT;
1442	intf = usb_ifnum_to_if(dev: ps->dev, ifnum: gd.interface);
1443	if (!intf || !intf->dev.driver)
1444	ret = -ENODATA;
1445	else {
1446	strscpy(p: gd.driver, q: intf->dev.driver->name,
1447	size: sizeof(gd.driver));
1448	ret = (copy_to_user(to: arg, from: &gd, n: sizeof(gd)) ? -EFAULT : 0);
1449	}
1450	return ret;
1451	}
1452
1453	static int proc_connectinfo(struct usb_dev_state *ps, void __user *arg)
1454	{
1455	struct usbdevfs_connectinfo ci;
1456
1457	memset(&ci, 0, sizeof(ci));
1458	ci.devnum = ps->dev->devnum;
1459	ci.slow = ps->dev->speed == USB_SPEED_LOW;
1460
1461	if (copy_to_user(to: arg, from: &ci, n: sizeof(ci)))
1462	return -EFAULT;
1463	return 0;
1464	}
1465
1466	static int proc_conninfo_ex(struct usb_dev_state *ps,
1467	void __user *arg, size_t size)
1468	{
1469	struct usbdevfs_conninfo_ex ci;
1470	struct usb_device *udev = ps->dev;
1471
1472	if (size < sizeof(ci.size))
1473	return -EINVAL;
1474
1475	memset(&ci, 0, sizeof(ci));
1476	ci.size = sizeof(ci);
1477	ci.busnum = udev->bus->busnum;
1478	ci.devnum = udev->devnum;
1479	ci.speed = udev->speed;
1480
1481	while (udev && udev->portnum != 0) {
1482	if (++ci.num_ports <= ARRAY_SIZE(ci.ports))
1483	ci.ports[ARRAY_SIZE(ci.ports) - ci.num_ports] =
1484	udev->portnum;
1485	udev = udev->parent;
1486	}
1487
1488	if (ci.num_ports < ARRAY_SIZE(ci.ports))
1489	memmove(&ci.ports[0],
1490	&ci.ports[ARRAY_SIZE(ci.ports) - ci.num_ports],
1491	ci.num_ports);
1492
1493	if (copy_to_user(to: arg, from: &ci, min(sizeof(ci), size)))
1494	return -EFAULT;
1495
1496	return 0;
1497	}
1498
1499	static int proc_resetdevice(struct usb_dev_state *ps)
1500	{
1501	struct usb_host_config *actconfig = ps->dev->actconfig;
1502	struct usb_interface *interface;
1503	int i, number;
1504
1505	/* Don't allow a device reset if the process has dropped the
1506	* privilege to do such things and any of the interfaces are
1507	* currently claimed.
1508	*/
1509	if (ps->privileges_dropped && actconfig) {
1510	for (i = 0; i < actconfig->desc.bNumInterfaces; ++i) {
1511	interface = actconfig->interface[i];
1512	number = interface->cur_altsetting->desc.bInterfaceNumber;
1513	if (usb_interface_claimed(iface: interface) &&
1514	!test_bit(number, &ps->ifclaimed)) {
1515	dev_warn(&ps->dev->dev,
1516	"usbfs: interface %d claimed by %s while '%s' resets device\n",
1517	number, interface->dev.driver->name, current->comm);
1518	return -EACCES;
1519	}
1520	}
1521	}
1522
1523	return usb_reset_device(dev: ps->dev);
1524	}
1525
1526	static int proc_setintf(struct usb_dev_state *ps, void __user *arg)
1527	{
1528	struct usbdevfs_setinterface setintf;
1529	int ret;
1530
1531	if (copy_from_user(to: &setintf, from: arg, n: sizeof(setintf)))
1532	return -EFAULT;
1533	ret = checkintf(ps, ifnum: setintf.interface);
1534	if (ret)
1535	return ret;
1536
1537	destroy_async_on_interface(ps, ifnum: setintf.interface);
1538
1539	return usb_set_interface(dev: ps->dev, ifnum: setintf.interface,
1540	alternate: setintf.altsetting);
1541	}
1542
1543	static int proc_setconfig(struct usb_dev_state *ps, void __user *arg)
1544	{
1545	int u;
1546	int status = 0;
1547	struct usb_host_config *actconfig;
1548
1549	if (get_user(u, (int __user *)arg))
1550	return -EFAULT;
1551
1552	actconfig = ps->dev->actconfig;
1553
1554	/* Don't touch the device if any interfaces are claimed.
1555	* It could interfere with other drivers' operations, and if
1556	* an interface is claimed by usbfs it could easily deadlock.
1557	*/
1558	if (actconfig) {
1559	int i;
1560
1561	for (i = 0; i < actconfig->desc.bNumInterfaces; ++i) {
1562	if (usb_interface_claimed(iface: actconfig->interface[i])) {
1563	dev_warn(&ps->dev->dev,
1564	"usbfs: interface %d claimed by %s "
1565	"while '%s' sets config #%d\n",
1566	actconfig->interface[i]
1567	->cur_altsetting
1568	->desc.bInterfaceNumber,
1569	actconfig->interface[i]
1570	->dev.driver->name,
1571	current->comm, u);
1572	status = -EBUSY;
1573	break;
1574	}
1575	}
1576	}
1577
1578	/* SET_CONFIGURATION is often abused as a "cheap" driver reset,
1579	* so avoid usb_set_configuration()'s kick to sysfs
1580	*/
1581	if (status == 0) {
1582	if (actconfig && actconfig->desc.bConfigurationValue == u)
1583	status = usb_reset_configuration(dev: ps->dev);
1584	else
1585	status = usb_set_configuration(dev: ps->dev, configuration: u);
1586	}
1587
1588	return status;
1589	}
1590
1591	static struct usb_memory *
1592	find_memory_area(struct usb_dev_state *ps, const struct usbdevfs_urb *uurb)
1593	{
1594	struct usb_memory *usbm = NULL, *iter;
1595	unsigned long flags;
1596	unsigned long uurb_start = (unsigned long)uurb->buffer;
1597
1598	spin_lock_irqsave(&ps->lock, flags);
1599	list_for_each_entry(iter, &ps->memory_list, memlist) {
1600	if (uurb_start >= iter->vm_start &&
1601	uurb_start < iter->vm_start + iter->size) {
1602	if (uurb->buffer_length > iter->vm_start + iter->size -
1603	uurb_start) {
1604	usbm = ERR_PTR(error: -EINVAL);
1605	} else {
1606	usbm = iter;
1607	usbm->urb_use_count++;
1608	}
1609	break;
1610	}
1611	}
1612	spin_unlock_irqrestore(lock: &ps->lock, flags);
1613	return usbm;
1614	}
1615
1616	static int proc_do_submiturb(struct usb_dev_state *ps, struct usbdevfs_urb *uurb,
1617	struct usbdevfs_iso_packet_desc __user *iso_frame_desc,
1618	void __user *arg, sigval_t userurb_sigval)
1619	{
1620	struct usbdevfs_iso_packet_desc *isopkt = NULL;
1621	struct usb_host_endpoint *ep;
1622	struct async *as = NULL;
1623	struct usb_ctrlrequest *dr = NULL;
1624	unsigned int u, totlen, isofrmlen;
1625	int i, ret, num_sgs = 0, ifnum = -1;
1626	int number_of_packets = 0;
1627	unsigned int stream_id = 0;
1628	void *buf;
1629	bool is_in;
1630	bool allow_short = false;
1631	bool allow_zero = false;
1632	unsigned long mask = USBDEVFS_URB_SHORT_NOT_OK |
1633	USBDEVFS_URB_BULK_CONTINUATION |
1634	USBDEVFS_URB_NO_FSBR |
1635	USBDEVFS_URB_ZERO_PACKET |
1636	USBDEVFS_URB_NO_INTERRUPT;
1637	/* USBDEVFS_URB_ISO_ASAP is a special case */
1638	if (uurb->type == USBDEVFS_URB_TYPE_ISO)
1639	mask |= USBDEVFS_URB_ISO_ASAP;
1640
1641	if (uurb->flags & ~mask)
1642	return -EINVAL;
1643
1644	if ((unsigned int)uurb->buffer_length >= USBFS_XFER_MAX)
1645	return -EINVAL;
1646	if (uurb->buffer_length > 0 && !uurb->buffer)
1647	return -EINVAL;
1648	if (!(uurb->type == USBDEVFS_URB_TYPE_CONTROL &&
1649	(uurb->endpoint & ~USB_ENDPOINT_DIR_MASK) == 0)) {
1650	ifnum = findintfep(dev: ps->dev, ep: uurb->endpoint);
1651	if (ifnum < 0)
1652	return ifnum;
1653	ret = checkintf(ps, ifnum);
1654	if (ret)
1655	return ret;
1656	}
1657	ep = ep_to_host_endpoint(dev: ps->dev, ep: uurb->endpoint);
1658	if (!ep)
1659	return -ENOENT;
1660	is_in = (uurb->endpoint & USB_ENDPOINT_DIR_MASK) != 0;
1661
1662	u = 0;
1663	switch (uurb->type) {
1664	case USBDEVFS_URB_TYPE_CONTROL:
1665	if (!usb_endpoint_xfer_control(epd: &ep->desc))
1666	return -EINVAL;
1667	/* min 8 byte setup packet */
1668	if (uurb->buffer_length < 8)
1669	return -EINVAL;
1670	dr = kmalloc(size: sizeof(struct usb_ctrlrequest), GFP_KERNEL);
1671	if (!dr)
1672	return -ENOMEM;
1673	if (copy_from_user(to: dr, from: uurb->buffer, n: 8)) {
1674	ret = -EFAULT;
1675	goto error;
1676	}
1677	if (uurb->buffer_length < (le16_to_cpu(dr->wLength) + 8)) {
1678	ret = -EINVAL;
1679	goto error;
1680	}
1681	ret = check_ctrlrecip(ps, requesttype: dr->bRequestType, request: dr->bRequest,
1682	le16_to_cpu(dr->wIndex));
1683	if (ret)
1684	goto error;
1685	uurb->buffer_length = le16_to_cpu(dr->wLength);
1686	uurb->buffer += 8;
1687	if ((dr->bRequestType & USB_DIR_IN) && uurb->buffer_length) {
1688	is_in = true;
1689	uurb->endpoint |= USB_DIR_IN;
1690	} else {
1691	is_in = false;
1692	uurb->endpoint &= ~USB_DIR_IN;
1693	}
1694	if (is_in)
1695	allow_short = true;
1696	snoop(&ps->dev->dev, "control urb: bRequestType=%02x "
1697	"bRequest=%02x wValue=%04x "
1698	"wIndex=%04x wLength=%04x\n",
1699	dr->bRequestType, dr->bRequest,
1700	__le16_to_cpu(dr->wValue),
1701	__le16_to_cpu(dr->wIndex),
1702	__le16_to_cpu(dr->wLength));
1703	u = sizeof(struct usb_ctrlrequest);
1704	break;
1705
1706	case USBDEVFS_URB_TYPE_BULK:
1707	if (!is_in)
1708	allow_zero = true;
1709	else
1710	allow_short = true;
1711	switch (usb_endpoint_type(epd: &ep->desc)) {
1712	case USB_ENDPOINT_XFER_CONTROL:
1713	case USB_ENDPOINT_XFER_ISOC:
1714	return -EINVAL;
1715	case USB_ENDPOINT_XFER_INT:
1716	/* allow single-shot interrupt transfers */
1717	uurb->type = USBDEVFS_URB_TYPE_INTERRUPT;
1718	goto interrupt_urb;
1719	}
1720	num_sgs = DIV_ROUND_UP(uurb->buffer_length, USB_SG_SIZE);
1721	if (num_sgs == 1 || num_sgs > ps->dev->bus->sg_tablesize)
1722	num_sgs = 0;
1723	if (ep->streams)
1724	stream_id = uurb->stream_id;
1725	break;
1726
1727	case USBDEVFS_URB_TYPE_INTERRUPT:
1728	if (!usb_endpoint_xfer_int(epd: &ep->desc))
1729	return -EINVAL;
1730	interrupt_urb:
1731	if (!is_in)
1732	allow_zero = true;
1733	else
1734	allow_short = true;
1735	break;
1736
1737	case USBDEVFS_URB_TYPE_ISO:
1738	/* arbitrary limit */
1739	if (uurb->number_of_packets < 1 ||
1740	uurb->number_of_packets > 128)
1741	return -EINVAL;
1742	if (!usb_endpoint_xfer_isoc(epd: &ep->desc))
1743	return -EINVAL;
1744	number_of_packets = uurb->number_of_packets;
1745	isofrmlen = sizeof(struct usbdevfs_iso_packet_desc) *
1746	number_of_packets;
1747	isopkt = memdup_user(iso_frame_desc, isofrmlen);
1748	if (IS_ERR(ptr: isopkt)) {
1749	ret = PTR_ERR(ptr: isopkt);
1750	isopkt = NULL;
1751	goto error;
1752	}
1753	for (totlen = u = 0; u < number_of_packets; u++) {
1754	/*
1755	* arbitrary limit need for USB 3.1 Gen2
1756	* sizemax: 96 DPs at SSP, 96 * 1024 = 98304
1757	*/
1758	if (isopkt[u].length > 98304) {
1759	ret = -EINVAL;
1760	goto error;
1761	}
1762	totlen += isopkt[u].length;
1763	}
1764	u *= sizeof(struct usb_iso_packet_descriptor);
1765	uurb->buffer_length = totlen;
1766	break;
1767
1768	default:
1769	return -EINVAL;
1770	}
1771
1772	if (uurb->buffer_length > 0 &&
1773	!access_ok(uurb->buffer, uurb->buffer_length)) {
1774	ret = -EFAULT;
1775	goto error;
1776	}
1777	as = alloc_async(numisoframes: number_of_packets);
1778	if (!as) {
1779	ret = -ENOMEM;
1780	goto error;
1781	}
1782
1783	as->usbm = find_memory_area(ps, uurb);
1784	if (IS_ERR(ptr: as->usbm)) {
1785	ret = PTR_ERR(ptr: as->usbm);
1786	as->usbm = NULL;
1787	goto error;
1788	}
1789
1790	/* do not use SG buffers when memory mapped segments
1791	* are in use
1792	*/
1793	if (as->usbm)
1794	num_sgs = 0;
1795
1796	u += sizeof(struct async) + sizeof(struct urb) +
1797	(as->usbm ? 0 : uurb->buffer_length) +
1798	num_sgs * sizeof(struct scatterlist);
1799	ret = usbfs_increase_memory_usage(amount: u);
1800	if (ret)
1801	goto error;
1802	as->mem_usage = u;
1803
1804	if (num_sgs) {
1805	as->urb->sg = kmalloc_array(n: num_sgs,
1806	size: sizeof(struct scatterlist),
1807	GFP_KERNEL | __GFP_NOWARN);
1808	if (!as->urb->sg) {
1809	ret = -ENOMEM;
1810	goto error;
1811	}
1812	as->urb->num_sgs = num_sgs;
1813	sg_init_table(as->urb->sg, as->urb->num_sgs);
1814
1815	totlen = uurb->buffer_length;
1816	for (i = 0; i < as->urb->num_sgs; i++) {
1817	u = (totlen > USB_SG_SIZE) ? USB_SG_SIZE : totlen;
1818	buf = kmalloc(size: u, GFP_KERNEL);
1819	if (!buf) {
1820	ret = -ENOMEM;
1821	goto error;
1822	}
1823	sg_set_buf(sg: &as->urb->sg[i], buf, buflen: u);
1824
1825	if (!is_in) {
1826	if (copy_from_user(to: buf, from: uurb->buffer, n: u)) {
1827	ret = -EFAULT;
1828	goto error;
1829	}
1830	uurb->buffer += u;
1831	}
1832	totlen -= u;
1833	}
1834	} else if (uurb->buffer_length > 0) {
1835	if (as->usbm) {
1836	unsigned long uurb_start = (unsigned long)uurb->buffer;
1837
1838	as->urb->transfer_buffer = as->usbm->mem +
1839	(uurb_start - as->usbm->vm_start);
1840	} else {
1841	as->urb->transfer_buffer = kmalloc(size: uurb->buffer_length,
1842	GFP_KERNEL | __GFP_NOWARN);
1843	if (!as->urb->transfer_buffer) {
1844	ret = -ENOMEM;
1845	goto error;
1846	}
1847	if (!is_in) {
1848	if (copy_from_user(to: as->urb->transfer_buffer,
1849	from: uurb->buffer,
1850	n: uurb->buffer_length)) {
1851	ret = -EFAULT;
1852	goto error;
1853	}
1854	} else if (uurb->type == USBDEVFS_URB_TYPE_ISO) {
1855	/*
1856	* Isochronous input data may end up being
1857	* discontiguous if some of the packets are
1858	* short. Clear the buffer so that the gaps
1859	* don't leak kernel data to userspace.
1860	*/
1861	memset(as->urb->transfer_buffer, 0,
1862	uurb->buffer_length);
1863	}
1864	}
1865	}
1866	as->urb->dev = ps->dev;
1867	as->urb->pipe = (uurb->type << 30) |
1868	__create_pipe(dev: ps->dev, endpoint: uurb->endpoint & 0xf) |
1869	(uurb->endpoint & USB_DIR_IN);
1870
1871	/* This tedious sequence is necessary because the URB_* flags
1872	* are internal to the kernel and subject to change, whereas
1873	* the USBDEVFS_URB_* flags are a user API and must not be changed.
1874	*/
1875	u = (is_in ? URB_DIR_IN : URB_DIR_OUT);
1876	if (uurb->flags & USBDEVFS_URB_ISO_ASAP)
1877	u |= URB_ISO_ASAP;
1878	if (allow_short && uurb->flags & USBDEVFS_URB_SHORT_NOT_OK)
1879	u |= URB_SHORT_NOT_OK;
1880	if (allow_zero && uurb->flags & USBDEVFS_URB_ZERO_PACKET)
1881	u |= URB_ZERO_PACKET;
1882	if (uurb->flags & USBDEVFS_URB_NO_INTERRUPT)
1883	u |= URB_NO_INTERRUPT;
1884	as->urb->transfer_flags = u;
1885
1886	if (!allow_short && uurb->flags & USBDEVFS_URB_SHORT_NOT_OK)
1887	dev_warn(&ps->dev->dev, "Requested nonsensical USBDEVFS_URB_SHORT_NOT_OK.\n");
1888	if (!allow_zero && uurb->flags & USBDEVFS_URB_ZERO_PACKET)
1889	dev_warn(&ps->dev->dev, "Requested nonsensical USBDEVFS_URB_ZERO_PACKET.\n");
1890
1891	as->urb->transfer_buffer_length = uurb->buffer_length;
1892	as->urb->setup_packet = (unsigned char *)dr;
1893	dr = NULL;
1894	as->urb->start_frame = uurb->start_frame;
1895	as->urb->number_of_packets = number_of_packets;
1896	as->urb->stream_id = stream_id;
1897
1898	if (ep->desc.bInterval) {
1899	if (uurb->type == USBDEVFS_URB_TYPE_ISO ||
1900	ps->dev->speed == USB_SPEED_HIGH ||
1901	ps->dev->speed >= USB_SPEED_SUPER)
1902	as->urb->interval = 1 <<
1903	min(15, ep->desc.bInterval - 1);
1904	else
1905	as->urb->interval = ep->desc.bInterval;
1906	}
1907
1908	as->urb->context = as;
1909	as->urb->complete = async_completed;
1910	for (totlen = u = 0; u < number_of_packets; u++) {
1911	as->urb->iso_frame_desc[u].offset = totlen;
1912	as->urb->iso_frame_desc[u].length = isopkt[u].length;
1913	totlen += isopkt[u].length;
1914	}
1915	kfree(objp: isopkt);
1916	isopkt = NULL;
1917	as->ps = ps;
1918	as->userurb = arg;
1919	as->userurb_sigval = userurb_sigval;
1920	if (as->usbm) {
1921	unsigned long uurb_start = (unsigned long)uurb->buffer;
1922
1923	as->urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP;
1924	as->urb->transfer_dma = as->usbm->dma_handle +
1925	(uurb_start - as->usbm->vm_start);
1926	} else if (is_in && uurb->buffer_length > 0)
1927	as->userbuffer = uurb->buffer;
1928	as->signr = uurb->signr;
1929	as->ifnum = ifnum;
1930	as->pid = get_pid(pid: task_pid(current));
1931	as->cred = get_current_cred();
1932	snoop_urb(udev: ps->dev, userurb: as->userurb, pipe: as->urb->pipe,
1933	length: as->urb->transfer_buffer_length, timeout_or_status: 0, when: SUBMIT,
1934	NULL, data_len: 0);
1935	if (!is_in)
1936	snoop_urb_data(urb: as->urb, len: as->urb->transfer_buffer_length);
1937
1938	async_newpending(as);
1939
1940	if (usb_endpoint_xfer_bulk(epd: &ep->desc)) {
1941	spin_lock_irq(lock: &ps->lock);
1942
1943	/* Not exactly the endpoint address; the direction bit is
1944	* shifted to the 0x10 position so that the value will be
1945	* between 0 and 31.
1946	*/
1947	as->bulk_addr = usb_endpoint_num(epd: &ep->desc) |
1948	((ep->desc.bEndpointAddress & USB_ENDPOINT_DIR_MASK)
1949	>> 3);
1950
1951	/* If this bulk URB is the start of a new transfer, re-enable
1952	* the endpoint. Otherwise mark it as a continuation URB.
1953	*/
1954	if (uurb->flags & USBDEVFS_URB_BULK_CONTINUATION)
1955	as->bulk_status = AS_CONTINUATION;
1956	else
1957	ps->disabled_bulk_eps &= ~(1 << as->bulk_addr);
1958
1959	/* Don't accept continuation URBs if the endpoint is
1960	* disabled because of an earlier error.
1961	*/
1962	if (ps->disabled_bulk_eps & (1 << as->bulk_addr))
1963	ret = -EREMOTEIO;
1964	else
1965	ret = usb_submit_urb(urb: as->urb, GFP_ATOMIC);
1966	spin_unlock_irq(lock: &ps->lock);
1967	} else {
1968	ret = usb_submit_urb(urb: as->urb, GFP_KERNEL);
1969	}
1970
1971	if (ret) {
1972	dev_printk(KERN_DEBUG, &ps->dev->dev,
1973	"usbfs: usb_submit_urb returned %d\n", ret);
1974	snoop_urb(udev: ps->dev, userurb: as->userurb, pipe: as->urb->pipe,
1975	length: 0, timeout_or_status: ret, when: COMPLETE, NULL, data_len: 0);
1976	async_removepending(as);
1977	goto error;
1978	}
1979	return 0;
1980
1981	error:
1982	kfree(objp: isopkt);
1983	kfree(objp: dr);
1984	if (as)
1985	free_async(as);
1986	return ret;
1987	}
1988
1989	static int proc_submiturb(struct usb_dev_state *ps, void __user *arg)
1990	{
1991	struct usbdevfs_urb uurb;
1992	sigval_t userurb_sigval;
1993
1994	if (copy_from_user(to: &uurb, from: arg, n: sizeof(uurb)))
1995	return -EFAULT;
1996
1997	memset(&userurb_sigval, 0, sizeof(userurb_sigval));
1998	userurb_sigval.sival_ptr = arg;
1999
2000	return proc_do_submiturb(ps, uurb: &uurb,
2001	iso_frame_desc: (((struct usbdevfs_urb __user *)arg)->iso_frame_desc),
2002	arg, userurb_sigval);
2003	}
2004
2005	static int proc_unlinkurb(struct usb_dev_state *ps, void __user *arg)
2006	{
2007	struct urb *urb;
2008	struct async *as;
2009	unsigned long flags;
2010
2011	spin_lock_irqsave(&ps->lock, flags);
2012	as = async_getpending(ps, userurb: arg);
2013	if (!as) {
2014	spin_unlock_irqrestore(lock: &ps->lock, flags);
2015	return -EINVAL;
2016	}
2017
2018	urb = as->urb;
2019	usb_get_urb(urb);
2020	spin_unlock_irqrestore(lock: &ps->lock, flags);
2021
2022	usb_kill_urb(urb);
2023	usb_put_urb(urb);
2024
2025	return 0;
2026	}
2027
2028	static void compute_isochronous_actual_length(struct urb *urb)
2029	{
2030	unsigned int i;
2031
2032	if (urb->number_of_packets > 0) {
2033	urb->actual_length = 0;
2034	for (i = 0; i < urb->number_of_packets; i++)
2035	urb->actual_length +=
2036	urb->iso_frame_desc[i].actual_length;
2037	}
2038	}
2039
2040	static int processcompl(struct async *as, void __user * __user *arg)
2041	{
2042	struct urb *urb = as->urb;
2043	struct usbdevfs_urb __user *userurb = as->userurb;
2044	void __user *addr = as->userurb;
2045	unsigned int i;
2046
2047	compute_isochronous_actual_length(urb);
2048	if (as->userbuffer && urb->actual_length) {
2049	if (copy_urb_data_to_user(userbuffer: as->userbuffer, urb))
2050	goto err_out;
2051	}
2052	if (put_user(as->status, &userurb->status))
2053	goto err_out;
2054	if (put_user(urb->actual_length, &userurb->actual_length))
2055	goto err_out;
2056	if (put_user(urb->error_count, &userurb->error_count))
2057	goto err_out;
2058
2059	if (usb_endpoint_xfer_isoc(epd: &urb->ep->desc)) {
2060	for (i = 0; i < urb->number_of_packets; i++) {
2061	if (put_user(urb->iso_frame_desc[i].actual_length,
2062	&userurb->iso_frame_desc[i].actual_length))
2063	goto err_out;
2064	if (put_user(urb->iso_frame_desc[i].status,
2065	&userurb->iso_frame_desc[i].status))
2066	goto err_out;
2067	}
2068	}
2069
2070	if (put_user(addr, (void __user * __user *)arg))
2071	return -EFAULT;
2072	return 0;
2073
2074	err_out:
2075	return -EFAULT;
2076	}
2077
2078	static struct async *reap_as(struct usb_dev_state *ps)
2079	{
2080	DECLARE_WAITQUEUE(wait, current);
2081	struct async *as = NULL;
2082	struct usb_device *dev = ps->dev;
2083
2084	add_wait_queue(wq_head: &ps->wait, wq_entry: &wait);
2085	for (;;) {
2086	__set_current_state(TASK_INTERRUPTIBLE);
2087	as = async_getcompleted(ps);
2088	if (as || !connected(ps))
2089	break;
2090	if (signal_pending(current))
2091	break;
2092	usb_unlock_device(dev);
2093	schedule();
2094	usb_lock_device(dev);
2095	}
2096	remove_wait_queue(wq_head: &ps->wait, wq_entry: &wait);
2097	set_current_state(TASK_RUNNING);
2098	return as;
2099	}
2100
2101	static int proc_reapurb(struct usb_dev_state *ps, void __user *arg)
2102	{
2103	struct async *as = reap_as(ps);
2104
2105	if (as) {
2106	int retval;
2107
2108	snoop(&ps->dev->dev, "reap %px\n", as->userurb);
2109	retval = processcompl(as, arg: (void __user * __user *)arg);
2110	free_async(as);
2111	return retval;
2112	}
2113	if (signal_pending(current))
2114	return -EINTR;
2115	return -ENODEV;
2116	}
2117
2118	static int proc_reapurbnonblock(struct usb_dev_state *ps, void __user *arg)
2119	{
2120	int retval;
2121	struct async *as;
2122
2123	as = async_getcompleted(ps);
2124	if (as) {
2125	snoop(&ps->dev->dev, "reap %px\n", as->userurb);
2126	retval = processcompl(as, arg: (void __user * __user *)arg);
2127	free_async(as);
2128	} else {
2129	retval = (connected(ps) ? -EAGAIN : -ENODEV);
2130	}
2131	return retval;
2132	}
2133
2134	#ifdef CONFIG_COMPAT
2135	static int proc_control_compat(struct usb_dev_state *ps,
2136	struct usbdevfs_ctrltransfer32 __user *p32)
2137	{
2138	struct usbdevfs_ctrltransfer ctrl;
2139	u32 udata;
2140
2141	if (copy_from_user(to: &ctrl, from: p32, n: sizeof(*p32) - sizeof(compat_caddr_t)) ||
2142	get_user(udata, &p32->data))
2143	return -EFAULT;
2144	ctrl.data = compat_ptr(uptr: udata);
2145	return do_proc_control(ps, ctrl: &ctrl);
2146	}
2147
2148	static int proc_bulk_compat(struct usb_dev_state *ps,
2149	struct usbdevfs_bulktransfer32 __user *p32)
2150	{
2151	struct usbdevfs_bulktransfer bulk;
2152	compat_caddr_t addr;
2153
2154	if (get_user(bulk.ep, &p32->ep) ||
2155	get_user(bulk.len, &p32->len) ||
2156	get_user(bulk.timeout, &p32->timeout) ||
2157	get_user(addr, &p32->data))
2158	return -EFAULT;
2159	bulk.data = compat_ptr(uptr: addr);
2160	return do_proc_bulk(ps, bulk: &bulk);
2161	}
2162
2163	static int proc_disconnectsignal_compat(struct usb_dev_state *ps, void __user *arg)
2164	{
2165	struct usbdevfs_disconnectsignal32 ds;
2166
2167	if (copy_from_user(to: &ds, from: arg, n: sizeof(ds)))
2168	return -EFAULT;
2169	ps->discsignr = ds.signr;
2170	ps->disccontext.sival_int = ds.context;
2171	return 0;
2172	}
2173
2174	static int get_urb32(struct usbdevfs_urb *kurb,
2175	struct usbdevfs_urb32 __user *uurb)
2176	{
2177	struct usbdevfs_urb32 urb32;
2178	if (copy_from_user(to: &urb32, from: uurb, n: sizeof(*uurb)))
2179	return -EFAULT;
2180	kurb->type = urb32.type;
2181	kurb->endpoint = urb32.endpoint;
2182	kurb->status = urb32.status;
2183	kurb->flags = urb32.flags;
2184	kurb->buffer = compat_ptr(uptr: urb32.buffer);
2185	kurb->buffer_length = urb32.buffer_length;
2186	kurb->actual_length = urb32.actual_length;
2187	kurb->start_frame = urb32.start_frame;
2188	kurb->number_of_packets = urb32.number_of_packets;
2189	kurb->error_count = urb32.error_count;
2190	kurb->signr = urb32.signr;
2191	kurb->usercontext = compat_ptr(uptr: urb32.usercontext);
2192	return 0;
2193	}
2194
2195	static int proc_submiturb_compat(struct usb_dev_state *ps, void __user *arg)
2196	{
2197	struct usbdevfs_urb uurb;
2198	sigval_t userurb_sigval;
2199
2200	if (get_urb32(kurb: &uurb, uurb: (struct usbdevfs_urb32 __user *)arg))
2201	return -EFAULT;
2202
2203	memset(&userurb_sigval, 0, sizeof(userurb_sigval));
2204	userurb_sigval.sival_int = ptr_to_compat(uptr: arg);
2205
2206	return proc_do_submiturb(ps, uurb: &uurb,
2207	iso_frame_desc: ((struct usbdevfs_urb32 __user *)arg)->iso_frame_desc,
2208	arg, userurb_sigval);
2209	}
2210
2211	static int processcompl_compat(struct async *as, void __user * __user *arg)
2212	{
2213	struct urb *urb = as->urb;
2214	struct usbdevfs_urb32 __user *userurb = as->userurb;
2215	void __user *addr = as->userurb;
2216	unsigned int i;
2217
2218	compute_isochronous_actual_length(urb);
2219	if (as->userbuffer && urb->actual_length) {
2220	if (copy_urb_data_to_user(userbuffer: as->userbuffer, urb))
2221	return -EFAULT;
2222	}
2223	if (put_user(as->status, &userurb->status))
2224	return -EFAULT;
2225	if (put_user(urb->actual_length, &userurb->actual_length))
2226	return -EFAULT;
2227	if (put_user(urb->error_count, &userurb->error_count))
2228	return -EFAULT;
2229
2230	if (usb_endpoint_xfer_isoc(epd: &urb->ep->desc)) {
2231	for (i = 0; i < urb->number_of_packets; i++) {
2232	if (put_user(urb->iso_frame_desc[i].actual_length,
2233	&userurb->iso_frame_desc[i].actual_length))
2234	return -EFAULT;
2235	if (put_user(urb->iso_frame_desc[i].status,
2236	&userurb->iso_frame_desc[i].status))
2237	return -EFAULT;
2238	}
2239	}
2240
2241	if (put_user(ptr_to_compat(addr), (u32 __user *)arg))
2242	return -EFAULT;
2243	return 0;
2244	}
2245
2246	static int proc_reapurb_compat(struct usb_dev_state *ps, void __user *arg)
2247	{
2248	struct async *as = reap_as(ps);
2249
2250	if (as) {
2251	int retval;
2252
2253	snoop(&ps->dev->dev, "reap %px\n", as->userurb);
2254	retval = processcompl_compat(as, arg: (void __user * __user *)arg);
2255	free_async(as);
2256	return retval;
2257	}
2258	if (signal_pending(current))
2259	return -EINTR;
2260	return -ENODEV;
2261	}
2262
2263	static int proc_reapurbnonblock_compat(struct usb_dev_state *ps, void __user *arg)
2264	{
2265	int retval;
2266	struct async *as;
2267
2268	as = async_getcompleted(ps);
2269	if (as) {
2270	snoop(&ps->dev->dev, "reap %px\n", as->userurb);
2271	retval = processcompl_compat(as, arg: (void __user * __user *)arg);
2272	free_async(as);
2273	} else {
2274	retval = (connected(ps) ? -EAGAIN : -ENODEV);
2275	}
2276	return retval;
2277	}
2278
2279
2280	#endif
2281
2282	static int proc_disconnectsignal(struct usb_dev_state *ps, void __user *arg)
2283	{
2284	struct usbdevfs_disconnectsignal ds;
2285
2286	if (copy_from_user(to: &ds, from: arg, n: sizeof(ds)))
2287	return -EFAULT;
2288	ps->discsignr = ds.signr;
2289	ps->disccontext.sival_ptr = ds.context;
2290	return 0;
2291	}
2292
2293	static int proc_claiminterface(struct usb_dev_state *ps, void __user *arg)
2294	{
2295	unsigned int ifnum;
2296
2297	if (get_user(ifnum, (unsigned int __user *)arg))
2298	return -EFAULT;
2299	return claimintf(ps, ifnum);
2300	}
2301
2302	static int proc_releaseinterface(struct usb_dev_state *ps, void __user *arg)
2303	{
2304	unsigned int ifnum;
2305	int ret;
2306
2307	if (get_user(ifnum, (unsigned int __user *)arg))
2308	return -EFAULT;
2309	ret = releaseintf(ps, ifnum);
2310	if (ret < 0)
2311	return ret;
2312	destroy_async_on_interface(ps, ifnum);
2313	return 0;
2314	}
2315
2316	static int proc_ioctl(struct usb_dev_state *ps, struct usbdevfs_ioctl *ctl)
2317	{
2318	int size;
2319	void *buf = NULL;
2320	int retval = 0;
2321	struct usb_interface *intf = NULL;
2322	struct usb_driver *driver = NULL;
2323
2324	if (ps->privileges_dropped)
2325	return -EACCES;
2326
2327	if (!connected(ps))
2328	return -ENODEV;
2329
2330	/* alloc buffer */
2331	size = _IOC_SIZE(ctl->ioctl_code);
2332	if (size > 0) {
2333	buf = kmalloc(size, GFP_KERNEL);
2334	if (buf == NULL)
2335	return -ENOMEM;
2336	if ((_IOC_DIR(ctl->ioctl_code) & _IOC_WRITE)) {
2337	if (copy_from_user(to: buf, from: ctl->data, n: size)) {
2338	kfree(objp: buf);
2339	return -EFAULT;
2340	}
2341	} else {
2342	memset(buf, 0, size);
2343	}
2344	}
2345
2346	if (ps->dev->state != USB_STATE_CONFIGURED)
2347	retval = -EHOSTUNREACH;
2348	else if (!(intf = usb_ifnum_to_if(dev: ps->dev, ifnum: ctl->ifno)))
2349	retval = -EINVAL;
2350	else switch (ctl->ioctl_code) {
2351
2352	/* disconnect kernel driver from interface */
2353	case USBDEVFS_DISCONNECT:
2354	if (intf->dev.driver) {
2355	driver = to_usb_driver(intf->dev.driver);
2356	dev_dbg(&intf->dev, "disconnect by usbfs\n");
2357	usb_driver_release_interface(driver, iface: intf);
2358	} else
2359	retval = -ENODATA;
2360	break;
2361
2362	/* let kernel drivers try to (re)bind to the interface */
2363	case USBDEVFS_CONNECT:
2364	if (!intf->dev.driver)
2365	retval = device_attach(dev: &intf->dev);
2366	else
2367	retval = -EBUSY;
2368	break;
2369
2370	/* talk directly to the interface's driver */
2371	default:
2372	if (intf->dev.driver)
2373	driver = to_usb_driver(intf->dev.driver);
2374	if (driver == NULL || driver->unlocked_ioctl == NULL) {
2375	retval = -ENOTTY;
2376	} else {
2377	retval = driver->unlocked_ioctl(intf, ctl->ioctl_code, buf);
2378	if (retval == -ENOIOCTLCMD)
2379	retval = -ENOTTY;
2380	}
2381	}
2382
2383	/* cleanup and return */
2384	if (retval >= 0
2385	&& (_IOC_DIR(ctl->ioctl_code) & _IOC_READ) != 0
2386	&& size > 0
2387	&& copy_to_user(to: ctl->data, from: buf, n: size) != 0)
2388	retval = -EFAULT;
2389
2390	kfree(objp: buf);
2391	return retval;
2392	}
2393
2394	static int proc_ioctl_default(struct usb_dev_state *ps, void __user *arg)
2395	{
2396	struct usbdevfs_ioctl ctrl;
2397
2398	if (copy_from_user(to: &ctrl, from: arg, n: sizeof(ctrl)))
2399	return -EFAULT;
2400	return proc_ioctl(ps, ctl: &ctrl);
2401	}
2402
2403	#ifdef CONFIG_COMPAT
2404	static int proc_ioctl_compat(struct usb_dev_state *ps, compat_uptr_t arg)
2405	{
2406	struct usbdevfs_ioctl32 ioc32;
2407	struct usbdevfs_ioctl ctrl;
2408
2409	if (copy_from_user(to: &ioc32, from: compat_ptr(uptr: arg), n: sizeof(ioc32)))
2410	return -EFAULT;
2411	ctrl.ifno = ioc32.ifno;
2412	ctrl.ioctl_code = ioc32.ioctl_code;
2413	ctrl.data = compat_ptr(uptr: ioc32.data);
2414	return proc_ioctl(ps, ctl: &ctrl);
2415	}
2416	#endif
2417
2418	static int proc_claim_port(struct usb_dev_state *ps, void __user *arg)
2419	{
2420	unsigned portnum;
2421	int rc;
2422
2423	if (get_user(portnum, (unsigned __user *) arg))
2424	return -EFAULT;
2425	rc = usb_hub_claim_port(hdev: ps->dev, port1: portnum, owner: ps);
2426	if (rc == 0)
2427	snoop(&ps->dev->dev, "port %d claimed by process %d: %s\n",
2428	portnum, task_pid_nr(current), current->comm);
2429	return rc;
2430	}
2431
2432	static int proc_release_port(struct usb_dev_state *ps, void __user *arg)
2433	{
2434	unsigned portnum;
2435
2436	if (get_user(portnum, (unsigned __user *) arg))
2437	return -EFAULT;
2438	return usb_hub_release_port(hdev: ps->dev, port1: portnum, owner: ps);
2439	}
2440
2441	static int proc_get_capabilities(struct usb_dev_state *ps, void __user *arg)
2442	{
2443	__u32 caps;
2444
2445	caps = USBDEVFS_CAP_ZERO_PACKET | USBDEVFS_CAP_NO_PACKET_SIZE_LIM |
2446	USBDEVFS_CAP_REAP_AFTER_DISCONNECT | USBDEVFS_CAP_MMAP |
2447	USBDEVFS_CAP_DROP_PRIVILEGES |
2448	USBDEVFS_CAP_CONNINFO_EX | MAYBE_CAP_SUSPEND;
2449	if (!ps->dev->bus->no_stop_on_short)
2450	caps |= USBDEVFS_CAP_BULK_CONTINUATION;
2451	if (ps->dev->bus->sg_tablesize)
2452	caps |= USBDEVFS_CAP_BULK_SCATTER_GATHER;
2453
2454	if (put_user(caps, (__u32 __user *)arg))
2455	return -EFAULT;
2456
2457	return 0;
2458	}
2459
2460	static int proc_disconnect_claim(struct usb_dev_state *ps, void __user *arg)
2461	{
2462	struct usbdevfs_disconnect_claim dc;
2463	struct usb_interface *intf;
2464
2465	if (copy_from_user(to: &dc, from: arg, n: sizeof(dc)))
2466	return -EFAULT;
2467
2468	intf = usb_ifnum_to_if(dev: ps->dev, ifnum: dc.interface);
2469	if (!intf)
2470	return -EINVAL;
2471
2472	if (intf->dev.driver) {
2473	struct usb_driver *driver = to_usb_driver(intf->dev.driver);
2474
2475	if (ps->privileges_dropped)
2476	return -EACCES;
2477
2478	if ((dc.flags & USBDEVFS_DISCONNECT_CLAIM_IF_DRIVER) &&
2479	strncmp(dc.driver, intf->dev.driver->name,
2480	sizeof(dc.driver)) != 0)
2481	return -EBUSY;
2482
2483	if ((dc.flags & USBDEVFS_DISCONNECT_CLAIM_EXCEPT_DRIVER) &&
2484	strncmp(dc.driver, intf->dev.driver->name,
2485	sizeof(dc.driver)) == 0)
2486	return -EBUSY;
2487
2488	dev_dbg(&intf->dev, "disconnect by usbfs\n");
2489	usb_driver_release_interface(driver, iface: intf);
2490	}
2491
2492	return claimintf(ps, ifnum: dc.interface);
2493	}
2494
2495	static int proc_alloc_streams(struct usb_dev_state *ps, void __user *arg)
2496	{
2497	unsigned num_streams, num_eps;
2498	struct usb_host_endpoint **eps;
2499	struct usb_interface *intf;
2500	int r;
2501
2502	r = parse_usbdevfs_streams(ps, streams: arg, num_streams_ret: &num_streams, num_eps_ret: &num_eps,
2503	eps_ret: &eps, intf_ret: &intf);
2504	if (r)
2505	return r;
2506
2507	destroy_async_on_interface(ps,
2508	ifnum: intf->altsetting[0].desc.bInterfaceNumber);
2509
2510	r = usb_alloc_streams(interface: intf, eps, num_eps, num_streams, GFP_KERNEL);
2511	kfree(objp: eps);
2512	return r;
2513	}
2514
2515	static int proc_free_streams(struct usb_dev_state *ps, void __user *arg)
2516	{
2517	unsigned num_eps;
2518	struct usb_host_endpoint **eps;
2519	struct usb_interface *intf;
2520	int r;
2521
2522	r = parse_usbdevfs_streams(ps, streams: arg, NULL, num_eps_ret: &num_eps, eps_ret: &eps, intf_ret: &intf);
2523	if (r)
2524	return r;
2525
2526	destroy_async_on_interface(ps,
2527	ifnum: intf->altsetting[0].desc.bInterfaceNumber);
2528
2529	r = usb_free_streams(interface: intf, eps, num_eps, GFP_KERNEL);
2530	kfree(objp: eps);
2531	return r;
2532	}
2533
2534	static int proc_drop_privileges(struct usb_dev_state *ps, void __user *arg)
2535	{
2536	u32 data;
2537
2538	if (copy_from_user(to: &data, from: arg, n: sizeof(data)))
2539	return -EFAULT;
2540
2541	/* This is a one way operation. Once privileges are
2542	* dropped, you cannot regain them. You may however reissue
2543	* this ioctl to shrink the allowed interfaces mask.
2544	*/
2545	ps->interface_allowed_mask &= data;
2546	ps->privileges_dropped = true;
2547
2548	return 0;
2549	}
2550
2551	static int proc_forbid_suspend(struct usb_dev_state *ps)
2552	{
2553	int ret = 0;
2554
2555	if (ps->suspend_allowed) {
2556	ret = usb_autoresume_device(udev: ps->dev);
2557	if (ret == 0)
2558	ps->suspend_allowed = false;
2559	else if (ret != -ENODEV)
2560	ret = -EIO;
2561	}
2562	return ret;
2563	}
2564
2565	static int proc_allow_suspend(struct usb_dev_state *ps)
2566	{
2567	if (!connected(ps))
2568	return -ENODEV;
2569
2570	WRITE_ONCE(ps->not_yet_resumed, 1);
2571	if (!ps->suspend_allowed) {
2572	usb_autosuspend_device(udev: ps->dev);
2573	ps->suspend_allowed = true;
2574	}
2575	return 0;
2576	}
2577
2578	static int proc_wait_for_resume(struct usb_dev_state *ps)
2579	{
2580	int ret;
2581
2582	usb_unlock_device(ps->dev);
2583	ret = wait_event_interruptible(ps->wait_for_resume,
2584	READ_ONCE(ps->not_yet_resumed) == 0);
2585	usb_lock_device(ps->dev);
2586
2587	if (ret != 0)
2588	return -EINTR;
2589	return proc_forbid_suspend(ps);
2590	}
2591
2592	/*
2593	* NOTE: All requests here that have interface numbers as parameters
2594	* are assuming that somehow the configuration has been prevented from
2595	* changing. But there's no mechanism to ensure that...
2596	*/
2597	static long usbdev_do_ioctl(struct file *file, unsigned int cmd,
2598	void __user *p)
2599	{
2600	struct usb_dev_state *ps = file->private_data;
2601	struct inode *inode = file_inode(f: file);
2602	struct usb_device *dev = ps->dev;
2603	int ret = -ENOTTY;
2604
2605	if (!(file->f_mode & FMODE_WRITE))
2606	return -EPERM;
2607
2608	usb_lock_device(dev);
2609
2610	/* Reap operations are allowed even after disconnection */
2611	switch (cmd) {
2612	case USBDEVFS_REAPURB:
2613	snoop(&dev->dev, "%s: REAPURB\n", __func__);
2614	ret = proc_reapurb(ps, arg: p);
2615	goto done;
2616
2617	case USBDEVFS_REAPURBNDELAY:
2618	snoop(&dev->dev, "%s: REAPURBNDELAY\n", __func__);
2619	ret = proc_reapurbnonblock(ps, arg: p);
2620	goto done;
2621
2622	#ifdef CONFIG_COMPAT
2623	case USBDEVFS_REAPURB32:
2624	snoop(&dev->dev, "%s: REAPURB32\n", __func__);
2625	ret = proc_reapurb_compat(ps, arg: p);
2626	goto done;
2627
2628	case USBDEVFS_REAPURBNDELAY32:
2629	snoop(&dev->dev, "%s: REAPURBNDELAY32\n", __func__);
2630	ret = proc_reapurbnonblock_compat(ps, arg: p);
2631	goto done;
2632	#endif
2633	}
2634
2635	if (!connected(ps)) {
2636	usb_unlock_device(dev);
2637	return -ENODEV;
2638	}
2639
2640	switch (cmd) {
2641	case USBDEVFS_CONTROL:
2642	snoop(&dev->dev, "%s: CONTROL\n", __func__);
2643	ret = proc_control(ps, arg: p);
2644	if (ret >= 0)
2645	inode_set_mtime_to_ts(inode,
2646	ts: inode_set_ctime_current(inode));
2647	break;
2648
2649	case USBDEVFS_BULK:
2650	snoop(&dev->dev, "%s: BULK\n", __func__);
2651	ret = proc_bulk(ps, arg: p);
2652	if (ret >= 0)
2653	inode_set_mtime_to_ts(inode,
2654	ts: inode_set_ctime_current(inode));
2655	break;
2656
2657	case USBDEVFS_RESETEP:
2658	snoop(&dev->dev, "%s: RESETEP\n", __func__);
2659	ret = proc_resetep(ps, arg: p);
2660	if (ret >= 0)
2661	inode_set_mtime_to_ts(inode,
2662	ts: inode_set_ctime_current(inode));
2663	break;
2664
2665	case USBDEVFS_RESET:
2666	snoop(&dev->dev, "%s: RESET\n", __func__);
2667	ret = proc_resetdevice(ps);
2668	break;
2669
2670	case USBDEVFS_CLEAR_HALT:
2671	snoop(&dev->dev, "%s: CLEAR_HALT\n", __func__);
2672	ret = proc_clearhalt(ps, arg: p);
2673	if (ret >= 0)
2674	inode_set_mtime_to_ts(inode,
2675	ts: inode_set_ctime_current(inode));
2676	break;
2677
2678	case USBDEVFS_GETDRIVER:
2679	snoop(&dev->dev, "%s: GETDRIVER\n", __func__);
2680	ret = proc_getdriver(ps, arg: p);
2681	break;
2682
2683	case USBDEVFS_CONNECTINFO:
2684	snoop(&dev->dev, "%s: CONNECTINFO\n", __func__);
2685	ret = proc_connectinfo(ps, arg: p);
2686	break;
2687
2688	case USBDEVFS_SETINTERFACE:
2689	snoop(&dev->dev, "%s: SETINTERFACE\n", __func__);
2690	ret = proc_setintf(ps, arg: p);
2691	break;
2692
2693	case USBDEVFS_SETCONFIGURATION:
2694	snoop(&dev->dev, "%s: SETCONFIGURATION\n", __func__);
2695	ret = proc_setconfig(ps, arg: p);
2696	break;
2697
2698	case USBDEVFS_SUBMITURB:
2699	snoop(&dev->dev, "%s: SUBMITURB\n", __func__);
2700	ret = proc_submiturb(ps, arg: p);
2701	if (ret >= 0)
2702	inode_set_mtime_to_ts(inode,
2703	ts: inode_set_ctime_current(inode));
2704	break;
2705
2706	#ifdef CONFIG_COMPAT
2707	case USBDEVFS_CONTROL32:
2708	snoop(&dev->dev, "%s: CONTROL32\n", __func__);
2709	ret = proc_control_compat(ps, p32: p);
2710	if (ret >= 0)
2711	inode_set_mtime_to_ts(inode,
2712	ts: inode_set_ctime_current(inode));
2713	break;
2714
2715	case USBDEVFS_BULK32:
2716	snoop(&dev->dev, "%s: BULK32\n", __func__);
2717	ret = proc_bulk_compat(ps, p32: p);
2718	if (ret >= 0)
2719	inode_set_mtime_to_ts(inode,
2720	ts: inode_set_ctime_current(inode));
2721	break;
2722
2723	case USBDEVFS_DISCSIGNAL32:
2724	snoop(&dev->dev, "%s: DISCSIGNAL32\n", __func__);
2725	ret = proc_disconnectsignal_compat(ps, arg: p);
2726	break;
2727
2728	case USBDEVFS_SUBMITURB32:
2729	snoop(&dev->dev, "%s: SUBMITURB32\n", __func__);
2730	ret = proc_submiturb_compat(ps, arg: p);
2731	if (ret >= 0)
2732	inode_set_mtime_to_ts(inode,
2733	ts: inode_set_ctime_current(inode));
2734	break;
2735
2736	case USBDEVFS_IOCTL32:
2737	snoop(&dev->dev, "%s: IOCTL32\n", __func__);
2738	ret = proc_ioctl_compat(ps, arg: ptr_to_compat(uptr: p));
2739	break;
2740	#endif
2741
2742	case USBDEVFS_DISCARDURB:
2743	snoop(&dev->dev, "%s: DISCARDURB %px\n", __func__, p);
2744	ret = proc_unlinkurb(ps, arg: p);
2745	break;
2746
2747	case USBDEVFS_DISCSIGNAL:
2748	snoop(&dev->dev, "%s: DISCSIGNAL\n", __func__);
2749	ret = proc_disconnectsignal(ps, arg: p);
2750	break;
2751
2752	case USBDEVFS_CLAIMINTERFACE:
2753	snoop(&dev->dev, "%s: CLAIMINTERFACE\n", __func__);
2754	ret = proc_claiminterface(ps, arg: p);
2755	break;
2756
2757	case USBDEVFS_RELEASEINTERFACE:
2758	snoop(&dev->dev, "%s: RELEASEINTERFACE\n", __func__);
2759	ret = proc_releaseinterface(ps, arg: p);
2760	break;
2761
2762	case USBDEVFS_IOCTL:
2763	snoop(&dev->dev, "%s: IOCTL\n", __func__);
2764	ret = proc_ioctl_default(ps, arg: p);
2765	break;
2766
2767	case USBDEVFS_CLAIM_PORT:
2768	snoop(&dev->dev, "%s: CLAIM_PORT\n", __func__);
2769	ret = proc_claim_port(ps, arg: p);
2770	break;
2771
2772	case USBDEVFS_RELEASE_PORT:
2773	snoop(&dev->dev, "%s: RELEASE_PORT\n", __func__);
2774	ret = proc_release_port(ps, arg: p);
2775	break;
2776	case USBDEVFS_GET_CAPABILITIES:
2777	ret = proc_get_capabilities(ps, arg: p);
2778	break;
2779	case USBDEVFS_DISCONNECT_CLAIM:
2780	ret = proc_disconnect_claim(ps, arg: p);
2781	break;
2782	case USBDEVFS_ALLOC_STREAMS:
2783	ret = proc_alloc_streams(ps, arg: p);
2784	break;
2785	case USBDEVFS_FREE_STREAMS:
2786	ret = proc_free_streams(ps, arg: p);
2787	break;
2788	case USBDEVFS_DROP_PRIVILEGES:
2789	ret = proc_drop_privileges(ps, arg: p);
2790	break;
2791	case USBDEVFS_GET_SPEED:
2792	ret = ps->dev->speed;
2793	break;
2794	case USBDEVFS_FORBID_SUSPEND:
2795	ret = proc_forbid_suspend(ps);
2796	break;
2797	case USBDEVFS_ALLOW_SUSPEND:
2798	ret = proc_allow_suspend(ps);
2799	break;
2800	case USBDEVFS_WAIT_FOR_RESUME:
2801	ret = proc_wait_for_resume(ps);
2802	break;
2803	}
2804
2805	/* Handle variable-length commands */
2806	switch (cmd & ~IOCSIZE_MASK) {
2807	case USBDEVFS_CONNINFO_EX(0):
2808	ret = proc_conninfo_ex(ps, arg: p, _IOC_SIZE(cmd));
2809	break;
2810	}
2811
2812	done:
2813	usb_unlock_device(dev);
2814	if (ret >= 0)
2815	inode_set_atime_to_ts(inode, ts: current_time(inode));
2816	return ret;
2817	}
2818
2819	static long usbdev_ioctl(struct file *file, unsigned int cmd,
2820	unsigned long arg)
2821	{
2822	int ret;
2823
2824	ret = usbdev_do_ioctl(file, cmd, p: (void __user *)arg);
2825
2826	return ret;
2827	}
2828
2829	/* No kernel lock - fine */
2830	static __poll_t usbdev_poll(struct file *file,
2831	struct poll_table_struct *wait)
2832	{
2833	struct usb_dev_state *ps = file->private_data;
2834	__poll_t mask = 0;
2835
2836	poll_wait(filp: file, wait_address: &ps->wait, p: wait);
2837	if (file->f_mode & FMODE_WRITE && !list_empty(head: &ps->async_completed))
2838	mask |= EPOLLOUT | EPOLLWRNORM;
2839	if (!connected(ps))
2840	mask |= EPOLLHUP;
2841	if (list_empty(head: &ps->list))
2842	mask |= EPOLLERR;
2843	return mask;
2844	}
2845
2846	const struct file_operations usbdev_file_operations = {
2847	.owner = THIS_MODULE,
2848	.llseek = no_seek_end_llseek,
2849	.read = usbdev_read,
2850	.poll = usbdev_poll,
2851	.unlocked_ioctl = usbdev_ioctl,
2852	.compat_ioctl = compat_ptr_ioctl,
2853	.mmap = usbdev_mmap,
2854	.open = usbdev_open,
2855	.release = usbdev_release,
2856	};
2857
2858	static void usbdev_remove(struct usb_device *udev)
2859	{
2860	struct usb_dev_state *ps;
2861
2862	/* Protect against simultaneous resume */
2863	mutex_lock(&usbfs_mutex);
2864	while (!list_empty(head: &udev->filelist)) {
2865	ps = list_entry(udev->filelist.next, struct usb_dev_state, list);
2866	destroy_all_async(ps);
2867	wake_up_all(&ps->wait);
2868	WRITE_ONCE(ps->not_yet_resumed, 0);
2869	wake_up_all(&ps->wait_for_resume);
2870	list_del_init(entry: &ps->list);
2871	if (ps->discsignr)
2872	kill_pid_usb_asyncio(sig: ps->discsignr, EPIPE, addr: ps->disccontext,
2873	ps->disc_pid, ps->cred);
2874	}
2875	mutex_unlock(lock: &usbfs_mutex);
2876	}
2877
2878	static int usbdev_notify(struct notifier_block *self,
2879	unsigned long action, void *dev)
2880	{
2881	switch (action) {
2882	case USB_DEVICE_ADD:
2883	break;
2884	case USB_DEVICE_REMOVE:
2885	usbdev_remove(udev: dev);
2886	break;
2887	}
2888	return NOTIFY_OK;
2889	}
2890
2891	static struct notifier_block usbdev_nb = {
2892	.notifier_call = usbdev_notify,
2893	};
2894
2895	static struct cdev usb_device_cdev;
2896
2897	int __init usb_devio_init(void)
2898	{
2899	int retval;
2900
2901	retval = register_chrdev_region(USB_DEVICE_DEV, USB_DEVICE_MAX,
2902	"usb_device");
2903	if (retval) {
2904	printk(KERN_ERR "Unable to register minors for usb_device\n");
2905	goto out;
2906	}
2907	cdev_init(&usb_device_cdev, &usbdev_file_operations);
2908	retval = cdev_add(&usb_device_cdev, USB_DEVICE_DEV, USB_DEVICE_MAX);
2909	if (retval) {
2910	printk(KERN_ERR "Unable to get usb_device major %d\n",
2911	USB_DEVICE_MAJOR);
2912	goto error_cdev;
2913	}
2914	usb_register_notify(nb: &usbdev_nb);
2915	out:
2916	return retval;
2917
2918	error_cdev:
2919	unregister_chrdev_region(USB_DEVICE_DEV, USB_DEVICE_MAX);
2920	goto out;
2921	}
2922
2923	void usb_devio_cleanup(void)
2924	{
2925	usb_unregister_notify(nb: &usbdev_nb);
2926	cdev_del(&usb_device_cdev);
2927	unregister_chrdev_region(USB_DEVICE_DEV, USB_DEVICE_MAX);
2928	}
2929