1 | // SPDX-License-Identifier: GPL-2.0+ |
2 | /*****************************************************************************/ |
3 | |
4 | /* |
5 | * devio.c -- User space communication with USB devices. |
6 | * |
7 | * Copyright (C) 1999-2000 Thomas Sailer (sailer@ife.ee.ethz.ch) |
8 | * |
9 | * This file implements the usbfs/x/y files, where |
10 | * x is the bus number and y the device number. |
11 | * |
12 | * It allows user space programs/"drivers" to communicate directly |
13 | * with USB devices without intervening kernel driver. |
14 | * |
15 | * Revision history |
16 | * 22.12.1999 0.1 Initial release (split from proc_usb.c) |
17 | * 04.01.2000 0.2 Turned into its own filesystem |
18 | * 30.09.2005 0.3 Fix user-triggerable oops in async URB delivery |
19 | * (CAN-2005-3055) |
20 | */ |
21 | |
22 | /*****************************************************************************/ |
23 | |
24 | #include <linux/fs.h> |
25 | #include <linux/mm.h> |
26 | #include <linux/sched/signal.h> |
27 | #include <linux/slab.h> |
28 | #include <linux/signal.h> |
29 | #include <linux/poll.h> |
30 | #include <linux/module.h> |
31 | #include <linux/string.h> |
32 | #include <linux/usb.h> |
33 | #include <linux/usbdevice_fs.h> |
34 | #include <linux/usb/hcd.h> /* for usbcore internals */ |
35 | #include <linux/usb/quirks.h> |
36 | #include <linux/cdev.h> |
37 | #include <linux/notifier.h> |
38 | #include <linux/security.h> |
39 | #include <linux/user_namespace.h> |
40 | #include <linux/scatterlist.h> |
41 | #include <linux/uaccess.h> |
42 | #include <linux/dma-mapping.h> |
43 | #include <asm/byteorder.h> |
44 | #include <linux/moduleparam.h> |
45 | |
46 | #include "usb.h" |
47 | |
48 | #ifdef CONFIG_PM |
49 | #define MAYBE_CAP_SUSPEND USBDEVFS_CAP_SUSPEND |
50 | #else |
51 | #define MAYBE_CAP_SUSPEND 0 |
52 | #endif |
53 | |
54 | #define USB_MAXBUS 64 |
55 | #define USB_DEVICE_MAX (USB_MAXBUS * 128) |
56 | #define USB_SG_SIZE 16384 /* split-size for large txs */ |
57 | |
58 | /* Mutual exclusion for ps->list in resume vs. release and remove */ |
59 | static DEFINE_MUTEX(usbfs_mutex); |
60 | |
61 | struct usb_dev_state { |
62 | struct list_head list; /* state list */ |
63 | struct usb_device *dev; |
64 | struct file *file; |
65 | spinlock_t lock; /* protects the async urb lists */ |
66 | struct list_head async_pending; |
67 | struct list_head async_completed; |
68 | struct list_head memory_list; |
69 | wait_queue_head_t wait; /* wake up if a request completed */ |
70 | wait_queue_head_t wait_for_resume; /* wake up upon runtime resume */ |
71 | unsigned int discsignr; |
72 | struct pid *disc_pid; |
73 | const struct cred *cred; |
74 | sigval_t disccontext; |
75 | unsigned long ifclaimed; |
76 | u32 disabled_bulk_eps; |
77 | unsigned long interface_allowed_mask; |
78 | int not_yet_resumed; |
79 | bool suspend_allowed; |
80 | bool privileges_dropped; |
81 | }; |
82 | |
83 | struct usb_memory { |
84 | struct list_head memlist; |
85 | int vma_use_count; |
86 | int urb_use_count; |
87 | u32 size; |
88 | void *mem; |
89 | dma_addr_t dma_handle; |
90 | unsigned long vm_start; |
91 | struct usb_dev_state *ps; |
92 | }; |
93 | |
94 | struct async { |
95 | struct list_head asynclist; |
96 | struct usb_dev_state *ps; |
97 | struct pid *pid; |
98 | const struct cred *cred; |
99 | unsigned int signr; |
100 | unsigned int ifnum; |
101 | void __user *userbuffer; |
102 | void __user *userurb; |
103 | sigval_t userurb_sigval; |
104 | struct urb *urb; |
105 | struct usb_memory *usbm; |
106 | unsigned int mem_usage; |
107 | int status; |
108 | u8 bulk_addr; |
109 | u8 bulk_status; |
110 | }; |
111 | |
112 | static bool usbfs_snoop; |
113 | module_param(usbfs_snoop, bool, S_IRUGO | S_IWUSR); |
114 | MODULE_PARM_DESC(usbfs_snoop, "true to log all usbfs traffic" ); |
115 | |
116 | static unsigned usbfs_snoop_max = 65536; |
117 | module_param(usbfs_snoop_max, uint, S_IRUGO | S_IWUSR); |
118 | MODULE_PARM_DESC(usbfs_snoop_max, |
119 | "maximum number of bytes to print while snooping" ); |
120 | |
121 | #define snoop(dev, format, arg...) \ |
122 | do { \ |
123 | if (usbfs_snoop) \ |
124 | dev_info(dev, format, ## arg); \ |
125 | } while (0) |
126 | |
127 | enum snoop_when { |
128 | SUBMIT, COMPLETE |
129 | }; |
130 | |
131 | #define USB_DEVICE_DEV MKDEV(USB_DEVICE_MAJOR, 0) |
132 | |
133 | /* Limit on the total amount of memory we can allocate for transfers */ |
134 | static u32 usbfs_memory_mb = 16; |
135 | module_param(usbfs_memory_mb, uint, 0644); |
136 | MODULE_PARM_DESC(usbfs_memory_mb, |
137 | "maximum MB allowed for usbfs buffers (0 = no limit)" ); |
138 | |
139 | /* Hard limit, necessary to avoid arithmetic overflow */ |
140 | #define USBFS_XFER_MAX (UINT_MAX / 2 - 1000000) |
141 | |
142 | static DEFINE_SPINLOCK(usbfs_memory_usage_lock); |
143 | static u64 usbfs_memory_usage; /* Total memory currently allocated */ |
144 | |
145 | /* Check whether it's okay to allocate more memory for a transfer */ |
146 | static int usbfs_increase_memory_usage(u64 amount) |
147 | { |
148 | u64 lim, total_mem; |
149 | unsigned long flags; |
150 | int ret; |
151 | |
152 | lim = READ_ONCE(usbfs_memory_mb); |
153 | lim <<= 20; |
154 | |
155 | ret = 0; |
156 | spin_lock_irqsave(&usbfs_memory_usage_lock, flags); |
157 | total_mem = usbfs_memory_usage + amount; |
158 | if (lim > 0 && total_mem > lim) |
159 | ret = -ENOMEM; |
160 | else |
161 | usbfs_memory_usage = total_mem; |
162 | spin_unlock_irqrestore(lock: &usbfs_memory_usage_lock, flags); |
163 | |
164 | return ret; |
165 | } |
166 | |
167 | /* Memory for a transfer is being deallocated */ |
168 | static void usbfs_decrease_memory_usage(u64 amount) |
169 | { |
170 | unsigned long flags; |
171 | |
172 | spin_lock_irqsave(&usbfs_memory_usage_lock, flags); |
173 | if (amount > usbfs_memory_usage) |
174 | usbfs_memory_usage = 0; |
175 | else |
176 | usbfs_memory_usage -= amount; |
177 | spin_unlock_irqrestore(lock: &usbfs_memory_usage_lock, flags); |
178 | } |
179 | |
180 | static int connected(struct usb_dev_state *ps) |
181 | { |
182 | return (!list_empty(head: &ps->list) && |
183 | ps->dev->state != USB_STATE_NOTATTACHED); |
184 | } |
185 | |
186 | static void dec_usb_memory_use_count(struct usb_memory *usbm, int *count) |
187 | { |
188 | struct usb_dev_state *ps = usbm->ps; |
189 | struct usb_hcd *hcd = bus_to_hcd(bus: ps->dev->bus); |
190 | unsigned long flags; |
191 | |
192 | spin_lock_irqsave(&ps->lock, flags); |
193 | --*count; |
194 | if (usbm->urb_use_count == 0 && usbm->vma_use_count == 0) { |
195 | list_del(entry: &usbm->memlist); |
196 | spin_unlock_irqrestore(lock: &ps->lock, flags); |
197 | |
198 | hcd_buffer_free_pages(hcd, size: usbm->size, |
199 | addr: usbm->mem, dma: usbm->dma_handle); |
200 | usbfs_decrease_memory_usage( |
201 | amount: usbm->size + sizeof(struct usb_memory)); |
202 | kfree(objp: usbm); |
203 | } else { |
204 | spin_unlock_irqrestore(lock: &ps->lock, flags); |
205 | } |
206 | } |
207 | |
208 | static void usbdev_vm_open(struct vm_area_struct *vma) |
209 | { |
210 | struct usb_memory *usbm = vma->vm_private_data; |
211 | unsigned long flags; |
212 | |
213 | spin_lock_irqsave(&usbm->ps->lock, flags); |
214 | ++usbm->vma_use_count; |
215 | spin_unlock_irqrestore(lock: &usbm->ps->lock, flags); |
216 | } |
217 | |
218 | static void usbdev_vm_close(struct vm_area_struct *vma) |
219 | { |
220 | struct usb_memory *usbm = vma->vm_private_data; |
221 | |
222 | dec_usb_memory_use_count(usbm, count: &usbm->vma_use_count); |
223 | } |
224 | |
225 | static const struct vm_operations_struct usbdev_vm_ops = { |
226 | .open = usbdev_vm_open, |
227 | .close = usbdev_vm_close |
228 | }; |
229 | |
230 | static int usbdev_mmap(struct file *file, struct vm_area_struct *vma) |
231 | { |
232 | struct usb_memory *usbm = NULL; |
233 | struct usb_dev_state *ps = file->private_data; |
234 | struct usb_hcd *hcd = bus_to_hcd(bus: ps->dev->bus); |
235 | size_t size = vma->vm_end - vma->vm_start; |
236 | void *mem; |
237 | unsigned long flags; |
238 | dma_addr_t dma_handle = DMA_MAPPING_ERROR; |
239 | int ret; |
240 | |
241 | ret = usbfs_increase_memory_usage(amount: size + sizeof(struct usb_memory)); |
242 | if (ret) |
243 | goto error; |
244 | |
245 | usbm = kzalloc(size: sizeof(struct usb_memory), GFP_KERNEL); |
246 | if (!usbm) { |
247 | ret = -ENOMEM; |
248 | goto error_decrease_mem; |
249 | } |
250 | |
251 | mem = hcd_buffer_alloc_pages(hcd, |
252 | size, GFP_USER | __GFP_NOWARN, dma: &dma_handle); |
253 | if (!mem) { |
254 | ret = -ENOMEM; |
255 | goto error_free_usbm; |
256 | } |
257 | |
258 | memset(mem, 0, size); |
259 | |
260 | usbm->mem = mem; |
261 | usbm->dma_handle = dma_handle; |
262 | usbm->size = size; |
263 | usbm->ps = ps; |
264 | usbm->vm_start = vma->vm_start; |
265 | usbm->vma_use_count = 1; |
266 | INIT_LIST_HEAD(list: &usbm->memlist); |
267 | |
268 | /* |
269 | * In DMA-unavailable cases, hcd_buffer_alloc_pages allocates |
270 | * normal pages and assigns DMA_MAPPING_ERROR to dma_handle. Check |
271 | * whether we are in such cases, and then use remap_pfn_range (or |
272 | * dma_mmap_coherent) to map normal (or DMA) pages into the user |
273 | * space, respectively. |
274 | */ |
275 | if (dma_handle == DMA_MAPPING_ERROR) { |
276 | if (remap_pfn_range(vma, addr: vma->vm_start, |
277 | virt_to_phys(address: usbm->mem) >> PAGE_SHIFT, |
278 | size, vma->vm_page_prot) < 0) { |
279 | dec_usb_memory_use_count(usbm, count: &usbm->vma_use_count); |
280 | return -EAGAIN; |
281 | } |
282 | } else { |
283 | if (dma_mmap_coherent(hcd->self.sysdev, vma, mem, dma_handle, |
284 | size)) { |
285 | dec_usb_memory_use_count(usbm, count: &usbm->vma_use_count); |
286 | return -EAGAIN; |
287 | } |
288 | } |
289 | |
290 | vm_flags_set(vma, VM_IO | VM_DONTEXPAND | VM_DONTDUMP); |
291 | vma->vm_ops = &usbdev_vm_ops; |
292 | vma->vm_private_data = usbm; |
293 | |
294 | spin_lock_irqsave(&ps->lock, flags); |
295 | list_add_tail(new: &usbm->memlist, head: &ps->memory_list); |
296 | spin_unlock_irqrestore(lock: &ps->lock, flags); |
297 | |
298 | return 0; |
299 | |
300 | error_free_usbm: |
301 | kfree(objp: usbm); |
302 | error_decrease_mem: |
303 | usbfs_decrease_memory_usage(amount: size + sizeof(struct usb_memory)); |
304 | error: |
305 | return ret; |
306 | } |
307 | |
308 | static ssize_t usbdev_read(struct file *file, char __user *buf, size_t nbytes, |
309 | loff_t *ppos) |
310 | { |
311 | struct usb_dev_state *ps = file->private_data; |
312 | struct usb_device *dev = ps->dev; |
313 | ssize_t ret = 0; |
314 | unsigned len; |
315 | loff_t pos; |
316 | int i; |
317 | |
318 | pos = *ppos; |
319 | usb_lock_device(dev); |
320 | if (!connected(ps)) { |
321 | ret = -ENODEV; |
322 | goto err; |
323 | } else if (pos < 0) { |
324 | ret = -EINVAL; |
325 | goto err; |
326 | } |
327 | |
328 | if (pos < sizeof(struct usb_device_descriptor)) { |
329 | /* 18 bytes - fits on the stack */ |
330 | struct usb_device_descriptor temp_desc; |
331 | |
332 | memcpy(&temp_desc, &dev->descriptor, sizeof(dev->descriptor)); |
333 | le16_to_cpus(&temp_desc.bcdUSB); |
334 | le16_to_cpus(&temp_desc.idVendor); |
335 | le16_to_cpus(&temp_desc.idProduct); |
336 | le16_to_cpus(&temp_desc.bcdDevice); |
337 | |
338 | len = sizeof(struct usb_device_descriptor) - pos; |
339 | if (len > nbytes) |
340 | len = nbytes; |
341 | if (copy_to_user(to: buf, from: ((char *)&temp_desc) + pos, n: len)) { |
342 | ret = -EFAULT; |
343 | goto err; |
344 | } |
345 | |
346 | *ppos += len; |
347 | buf += len; |
348 | nbytes -= len; |
349 | ret += len; |
350 | } |
351 | |
352 | pos = sizeof(struct usb_device_descriptor); |
353 | for (i = 0; nbytes && i < dev->descriptor.bNumConfigurations; i++) { |
354 | struct usb_config_descriptor *config = |
355 | (struct usb_config_descriptor *)dev->rawdescriptors[i]; |
356 | unsigned int length = le16_to_cpu(config->wTotalLength); |
357 | |
358 | if (*ppos < pos + length) { |
359 | |
360 | /* The descriptor may claim to be longer than it |
361 | * really is. Here is the actual allocated length. */ |
362 | unsigned alloclen = |
363 | le16_to_cpu(dev->config[i].desc.wTotalLength); |
364 | |
365 | len = length - (*ppos - pos); |
366 | if (len > nbytes) |
367 | len = nbytes; |
368 | |
369 | /* Simply don't write (skip over) unallocated parts */ |
370 | if (alloclen > (*ppos - pos)) { |
371 | alloclen -= (*ppos - pos); |
372 | if (copy_to_user(to: buf, |
373 | from: dev->rawdescriptors[i] + (*ppos - pos), |
374 | min(len, alloclen))) { |
375 | ret = -EFAULT; |
376 | goto err; |
377 | } |
378 | } |
379 | |
380 | *ppos += len; |
381 | buf += len; |
382 | nbytes -= len; |
383 | ret += len; |
384 | } |
385 | |
386 | pos += length; |
387 | } |
388 | |
389 | err: |
390 | usb_unlock_device(dev); |
391 | return ret; |
392 | } |
393 | |
394 | /* |
395 | * async list handling |
396 | */ |
397 | |
398 | static struct async *alloc_async(unsigned int numisoframes) |
399 | { |
400 | struct async *as; |
401 | |
402 | as = kzalloc(size: sizeof(struct async), GFP_KERNEL); |
403 | if (!as) |
404 | return NULL; |
405 | as->urb = usb_alloc_urb(iso_packets: numisoframes, GFP_KERNEL); |
406 | if (!as->urb) { |
407 | kfree(objp: as); |
408 | return NULL; |
409 | } |
410 | return as; |
411 | } |
412 | |
413 | static void free_async(struct async *as) |
414 | { |
415 | int i; |
416 | |
417 | put_pid(pid: as->pid); |
418 | if (as->cred) |
419 | put_cred(cred: as->cred); |
420 | for (i = 0; i < as->urb->num_sgs; i++) { |
421 | if (sg_page(sg: &as->urb->sg[i])) |
422 | kfree(objp: sg_virt(sg: &as->urb->sg[i])); |
423 | } |
424 | |
425 | kfree(objp: as->urb->sg); |
426 | if (as->usbm == NULL) |
427 | kfree(objp: as->urb->transfer_buffer); |
428 | else |
429 | dec_usb_memory_use_count(usbm: as->usbm, count: &as->usbm->urb_use_count); |
430 | |
431 | kfree(objp: as->urb->setup_packet); |
432 | usb_free_urb(urb: as->urb); |
433 | usbfs_decrease_memory_usage(amount: as->mem_usage); |
434 | kfree(objp: as); |
435 | } |
436 | |
437 | static void async_newpending(struct async *as) |
438 | { |
439 | struct usb_dev_state *ps = as->ps; |
440 | unsigned long flags; |
441 | |
442 | spin_lock_irqsave(&ps->lock, flags); |
443 | list_add_tail(new: &as->asynclist, head: &ps->async_pending); |
444 | spin_unlock_irqrestore(lock: &ps->lock, flags); |
445 | } |
446 | |
447 | static void async_removepending(struct async *as) |
448 | { |
449 | struct usb_dev_state *ps = as->ps; |
450 | unsigned long flags; |
451 | |
452 | spin_lock_irqsave(&ps->lock, flags); |
453 | list_del_init(entry: &as->asynclist); |
454 | spin_unlock_irqrestore(lock: &ps->lock, flags); |
455 | } |
456 | |
457 | static struct async *async_getcompleted(struct usb_dev_state *ps) |
458 | { |
459 | unsigned long flags; |
460 | struct async *as = NULL; |
461 | |
462 | spin_lock_irqsave(&ps->lock, flags); |
463 | if (!list_empty(head: &ps->async_completed)) { |
464 | as = list_entry(ps->async_completed.next, struct async, |
465 | asynclist); |
466 | list_del_init(entry: &as->asynclist); |
467 | } |
468 | spin_unlock_irqrestore(lock: &ps->lock, flags); |
469 | return as; |
470 | } |
471 | |
472 | static struct async *async_getpending(struct usb_dev_state *ps, |
473 | void __user *userurb) |
474 | { |
475 | struct async *as; |
476 | |
477 | list_for_each_entry(as, &ps->async_pending, asynclist) |
478 | if (as->userurb == userurb) { |
479 | list_del_init(entry: &as->asynclist); |
480 | return as; |
481 | } |
482 | |
483 | return NULL; |
484 | } |
485 | |
486 | static void snoop_urb(struct usb_device *udev, |
487 | void __user *userurb, int pipe, unsigned length, |
488 | int timeout_or_status, enum snoop_when when, |
489 | unsigned char *data, unsigned data_len) |
490 | { |
491 | static const char *types[] = {"isoc" , "int" , "ctrl" , "bulk" }; |
492 | static const char *dirs[] = {"out" , "in" }; |
493 | int ep; |
494 | const char *t, *d; |
495 | |
496 | if (!usbfs_snoop) |
497 | return; |
498 | |
499 | ep = usb_pipeendpoint(pipe); |
500 | t = types[usb_pipetype(pipe)]; |
501 | d = dirs[!!usb_pipein(pipe)]; |
502 | |
503 | if (userurb) { /* Async */ |
504 | if (when == SUBMIT) |
505 | dev_info(&udev->dev, "userurb %px, ep%d %s-%s, " |
506 | "length %u\n" , |
507 | userurb, ep, t, d, length); |
508 | else |
509 | dev_info(&udev->dev, "userurb %px, ep%d %s-%s, " |
510 | "actual_length %u status %d\n" , |
511 | userurb, ep, t, d, length, |
512 | timeout_or_status); |
513 | } else { |
514 | if (when == SUBMIT) |
515 | dev_info(&udev->dev, "ep%d %s-%s, length %u, " |
516 | "timeout %d\n" , |
517 | ep, t, d, length, timeout_or_status); |
518 | else |
519 | dev_info(&udev->dev, "ep%d %s-%s, actual_length %u, " |
520 | "status %d\n" , |
521 | ep, t, d, length, timeout_or_status); |
522 | } |
523 | |
524 | data_len = min(data_len, usbfs_snoop_max); |
525 | if (data && data_len > 0) { |
526 | print_hex_dump(KERN_DEBUG, prefix_str: "data: " , prefix_type: DUMP_PREFIX_NONE, rowsize: 32, groupsize: 1, |
527 | buf: data, len: data_len, ascii: 1); |
528 | } |
529 | } |
530 | |
531 | static void snoop_urb_data(struct urb *urb, unsigned len) |
532 | { |
533 | int i, size; |
534 | |
535 | len = min(len, usbfs_snoop_max); |
536 | if (!usbfs_snoop || len == 0) |
537 | return; |
538 | |
539 | if (urb->num_sgs == 0) { |
540 | print_hex_dump(KERN_DEBUG, prefix_str: "data: " , prefix_type: DUMP_PREFIX_NONE, rowsize: 32, groupsize: 1, |
541 | buf: urb->transfer_buffer, len, ascii: 1); |
542 | return; |
543 | } |
544 | |
545 | for (i = 0; i < urb->num_sgs && len; i++) { |
546 | size = (len > USB_SG_SIZE) ? USB_SG_SIZE : len; |
547 | print_hex_dump(KERN_DEBUG, prefix_str: "data: " , prefix_type: DUMP_PREFIX_NONE, rowsize: 32, groupsize: 1, |
548 | buf: sg_virt(sg: &urb->sg[i]), len: size, ascii: 1); |
549 | len -= size; |
550 | } |
551 | } |
552 | |
553 | static int copy_urb_data_to_user(u8 __user *userbuffer, struct urb *urb) |
554 | { |
555 | unsigned i, len, size; |
556 | |
557 | if (urb->number_of_packets > 0) /* Isochronous */ |
558 | len = urb->transfer_buffer_length; |
559 | else /* Non-Isoc */ |
560 | len = urb->actual_length; |
561 | |
562 | if (urb->num_sgs == 0) { |
563 | if (copy_to_user(to: userbuffer, from: urb->transfer_buffer, n: len)) |
564 | return -EFAULT; |
565 | return 0; |
566 | } |
567 | |
568 | for (i = 0; i < urb->num_sgs && len; i++) { |
569 | size = (len > USB_SG_SIZE) ? USB_SG_SIZE : len; |
570 | if (copy_to_user(to: userbuffer, from: sg_virt(sg: &urb->sg[i]), n: size)) |
571 | return -EFAULT; |
572 | userbuffer += size; |
573 | len -= size; |
574 | } |
575 | |
576 | return 0; |
577 | } |
578 | |
579 | #define AS_CONTINUATION 1 |
580 | #define AS_UNLINK 2 |
581 | |
582 | static void cancel_bulk_urbs(struct usb_dev_state *ps, unsigned bulk_addr) |
583 | __releases(ps->lock) |
584 | __acquires(ps->lock) |
585 | { |
586 | struct urb *urb; |
587 | struct async *as; |
588 | |
589 | /* Mark all the pending URBs that match bulk_addr, up to but not |
590 | * including the first one without AS_CONTINUATION. If such an |
591 | * URB is encountered then a new transfer has already started so |
592 | * the endpoint doesn't need to be disabled; otherwise it does. |
593 | */ |
594 | list_for_each_entry(as, &ps->async_pending, asynclist) { |
595 | if (as->bulk_addr == bulk_addr) { |
596 | if (as->bulk_status != AS_CONTINUATION) |
597 | goto rescan; |
598 | as->bulk_status = AS_UNLINK; |
599 | as->bulk_addr = 0; |
600 | } |
601 | } |
602 | ps->disabled_bulk_eps |= (1 << bulk_addr); |
603 | |
604 | /* Now carefully unlink all the marked pending URBs */ |
605 | rescan: |
606 | list_for_each_entry_reverse(as, &ps->async_pending, asynclist) { |
607 | if (as->bulk_status == AS_UNLINK) { |
608 | as->bulk_status = 0; /* Only once */ |
609 | urb = as->urb; |
610 | usb_get_urb(urb); |
611 | spin_unlock(lock: &ps->lock); /* Allow completions */ |
612 | usb_unlink_urb(urb); |
613 | usb_put_urb(urb); |
614 | spin_lock(lock: &ps->lock); |
615 | goto rescan; |
616 | } |
617 | } |
618 | } |
619 | |
620 | static void async_completed(struct urb *urb) |
621 | { |
622 | struct async *as = urb->context; |
623 | struct usb_dev_state *ps = as->ps; |
624 | struct pid *pid = NULL; |
625 | const struct cred *cred = NULL; |
626 | unsigned long flags; |
627 | sigval_t addr; |
628 | int signr, errno; |
629 | |
630 | spin_lock_irqsave(&ps->lock, flags); |
631 | list_move_tail(list: &as->asynclist, head: &ps->async_completed); |
632 | as->status = urb->status; |
633 | signr = as->signr; |
634 | if (signr) { |
635 | errno = as->status; |
636 | addr = as->userurb_sigval; |
637 | pid = get_pid(pid: as->pid); |
638 | cred = get_cred(cred: as->cred); |
639 | } |
640 | snoop(&urb->dev->dev, "urb complete\n" ); |
641 | snoop_urb(udev: urb->dev, userurb: as->userurb, pipe: urb->pipe, length: urb->actual_length, |
642 | timeout_or_status: as->status, when: COMPLETE, NULL, data_len: 0); |
643 | if (usb_urb_dir_in(urb)) |
644 | snoop_urb_data(urb, len: urb->actual_length); |
645 | |
646 | if (as->status < 0 && as->bulk_addr && as->status != -ECONNRESET && |
647 | as->status != -ENOENT) |
648 | cancel_bulk_urbs(ps, bulk_addr: as->bulk_addr); |
649 | |
650 | wake_up(&ps->wait); |
651 | spin_unlock_irqrestore(lock: &ps->lock, flags); |
652 | |
653 | if (signr) { |
654 | kill_pid_usb_asyncio(sig: signr, errno, addr, pid, cred); |
655 | put_pid(pid); |
656 | put_cred(cred); |
657 | } |
658 | } |
659 | |
660 | static void destroy_async(struct usb_dev_state *ps, struct list_head *list) |
661 | { |
662 | struct urb *urb; |
663 | struct async *as; |
664 | unsigned long flags; |
665 | |
666 | spin_lock_irqsave(&ps->lock, flags); |
667 | while (!list_empty(head: list)) { |
668 | as = list_last_entry(list, struct async, asynclist); |
669 | list_del_init(entry: &as->asynclist); |
670 | urb = as->urb; |
671 | usb_get_urb(urb); |
672 | |
673 | /* drop the spinlock so the completion handler can run */ |
674 | spin_unlock_irqrestore(lock: &ps->lock, flags); |
675 | usb_kill_urb(urb); |
676 | usb_put_urb(urb); |
677 | spin_lock_irqsave(&ps->lock, flags); |
678 | } |
679 | spin_unlock_irqrestore(lock: &ps->lock, flags); |
680 | } |
681 | |
682 | static void destroy_async_on_interface(struct usb_dev_state *ps, |
683 | unsigned int ifnum) |
684 | { |
685 | struct list_head *p, *q, hitlist; |
686 | unsigned long flags; |
687 | |
688 | INIT_LIST_HEAD(list: &hitlist); |
689 | spin_lock_irqsave(&ps->lock, flags); |
690 | list_for_each_safe(p, q, &ps->async_pending) |
691 | if (ifnum == list_entry(p, struct async, asynclist)->ifnum) |
692 | list_move_tail(list: p, head: &hitlist); |
693 | spin_unlock_irqrestore(lock: &ps->lock, flags); |
694 | destroy_async(ps, list: &hitlist); |
695 | } |
696 | |
697 | static void destroy_all_async(struct usb_dev_state *ps) |
698 | { |
699 | destroy_async(ps, list: &ps->async_pending); |
700 | } |
701 | |
702 | /* |
703 | * interface claims are made only at the request of user level code, |
704 | * which can also release them (explicitly or by closing files). |
705 | * they're also undone when devices disconnect. |
706 | */ |
707 | |
708 | static int driver_probe(struct usb_interface *intf, |
709 | const struct usb_device_id *id) |
710 | { |
711 | return -ENODEV; |
712 | } |
713 | |
714 | static void driver_disconnect(struct usb_interface *intf) |
715 | { |
716 | struct usb_dev_state *ps = usb_get_intfdata(intf); |
717 | unsigned int ifnum = intf->altsetting->desc.bInterfaceNumber; |
718 | |
719 | if (!ps) |
720 | return; |
721 | |
722 | /* NOTE: this relies on usbcore having canceled and completed |
723 | * all pending I/O requests; 2.6 does that. |
724 | */ |
725 | |
726 | if (likely(ifnum < 8*sizeof(ps->ifclaimed))) |
727 | clear_bit(nr: ifnum, addr: &ps->ifclaimed); |
728 | else |
729 | dev_warn(&intf->dev, "interface number %u out of range\n" , |
730 | ifnum); |
731 | |
732 | usb_set_intfdata(intf, NULL); |
733 | |
734 | /* force async requests to complete */ |
735 | destroy_async_on_interface(ps, ifnum); |
736 | } |
737 | |
738 | /* We don't care about suspend/resume of claimed interfaces */ |
739 | static int driver_suspend(struct usb_interface *intf, pm_message_t msg) |
740 | { |
741 | return 0; |
742 | } |
743 | |
744 | static int driver_resume(struct usb_interface *intf) |
745 | { |
746 | return 0; |
747 | } |
748 | |
749 | #ifdef CONFIG_PM |
750 | /* The following routines apply to the entire device, not interfaces */ |
751 | void usbfs_notify_suspend(struct usb_device *udev) |
752 | { |
753 | /* We don't need to handle this */ |
754 | } |
755 | |
756 | void usbfs_notify_resume(struct usb_device *udev) |
757 | { |
758 | struct usb_dev_state *ps; |
759 | |
760 | /* Protect against simultaneous remove or release */ |
761 | mutex_lock(&usbfs_mutex); |
762 | list_for_each_entry(ps, &udev->filelist, list) { |
763 | WRITE_ONCE(ps->not_yet_resumed, 0); |
764 | wake_up_all(&ps->wait_for_resume); |
765 | } |
766 | mutex_unlock(lock: &usbfs_mutex); |
767 | } |
768 | #endif |
769 | |
770 | struct usb_driver usbfs_driver = { |
771 | .name = "usbfs" , |
772 | .probe = driver_probe, |
773 | .disconnect = driver_disconnect, |
774 | .suspend = driver_suspend, |
775 | .resume = driver_resume, |
776 | .supports_autosuspend = 1, |
777 | }; |
778 | |
779 | static int claimintf(struct usb_dev_state *ps, unsigned int ifnum) |
780 | { |
781 | struct usb_device *dev = ps->dev; |
782 | struct usb_interface *intf; |
783 | int err; |
784 | |
785 | if (ifnum >= 8*sizeof(ps->ifclaimed)) |
786 | return -EINVAL; |
787 | /* already claimed */ |
788 | if (test_bit(ifnum, &ps->ifclaimed)) |
789 | return 0; |
790 | |
791 | if (ps->privileges_dropped && |
792 | !test_bit(ifnum, &ps->interface_allowed_mask)) |
793 | return -EACCES; |
794 | |
795 | intf = usb_ifnum_to_if(dev, ifnum); |
796 | if (!intf) |
797 | err = -ENOENT; |
798 | else { |
799 | unsigned int old_suppress; |
800 | |
801 | /* suppress uevents while claiming interface */ |
802 | old_suppress = dev_get_uevent_suppress(dev: &intf->dev); |
803 | dev_set_uevent_suppress(dev: &intf->dev, val: 1); |
804 | err = usb_driver_claim_interface(driver: &usbfs_driver, iface: intf, data: ps); |
805 | dev_set_uevent_suppress(dev: &intf->dev, val: old_suppress); |
806 | } |
807 | if (err == 0) |
808 | set_bit(nr: ifnum, addr: &ps->ifclaimed); |
809 | return err; |
810 | } |
811 | |
812 | static int releaseintf(struct usb_dev_state *ps, unsigned int ifnum) |
813 | { |
814 | struct usb_device *dev; |
815 | struct usb_interface *intf; |
816 | int err; |
817 | |
818 | err = -EINVAL; |
819 | if (ifnum >= 8*sizeof(ps->ifclaimed)) |
820 | return err; |
821 | dev = ps->dev; |
822 | intf = usb_ifnum_to_if(dev, ifnum); |
823 | if (!intf) |
824 | err = -ENOENT; |
825 | else if (test_and_clear_bit(nr: ifnum, addr: &ps->ifclaimed)) { |
826 | unsigned int old_suppress; |
827 | |
828 | /* suppress uevents while releasing interface */ |
829 | old_suppress = dev_get_uevent_suppress(dev: &intf->dev); |
830 | dev_set_uevent_suppress(dev: &intf->dev, val: 1); |
831 | usb_driver_release_interface(driver: &usbfs_driver, iface: intf); |
832 | dev_set_uevent_suppress(dev: &intf->dev, val: old_suppress); |
833 | err = 0; |
834 | } |
835 | return err; |
836 | } |
837 | |
838 | static int checkintf(struct usb_dev_state *ps, unsigned int ifnum) |
839 | { |
840 | if (ps->dev->state != USB_STATE_CONFIGURED) |
841 | return -EHOSTUNREACH; |
842 | if (ifnum >= 8*sizeof(ps->ifclaimed)) |
843 | return -EINVAL; |
844 | if (test_bit(ifnum, &ps->ifclaimed)) |
845 | return 0; |
846 | /* if not yet claimed, claim it for the driver */ |
847 | dev_warn(&ps->dev->dev, "usbfs: process %d (%s) did not claim " |
848 | "interface %u before use\n" , task_pid_nr(current), |
849 | current->comm, ifnum); |
850 | return claimintf(ps, ifnum); |
851 | } |
852 | |
853 | static int findintfep(struct usb_device *dev, unsigned int ep) |
854 | { |
855 | unsigned int i, j, e; |
856 | struct usb_interface *intf; |
857 | struct usb_host_interface *alts; |
858 | struct usb_endpoint_descriptor *endpt; |
859 | |
860 | if (ep & ~(USB_DIR_IN|0xf)) |
861 | return -EINVAL; |
862 | if (!dev->actconfig) |
863 | return -ESRCH; |
864 | for (i = 0; i < dev->actconfig->desc.bNumInterfaces; i++) { |
865 | intf = dev->actconfig->interface[i]; |
866 | for (j = 0; j < intf->num_altsetting; j++) { |
867 | alts = &intf->altsetting[j]; |
868 | for (e = 0; e < alts->desc.bNumEndpoints; e++) { |
869 | endpt = &alts->endpoint[e].desc; |
870 | if (endpt->bEndpointAddress == ep) |
871 | return alts->desc.bInterfaceNumber; |
872 | } |
873 | } |
874 | } |
875 | return -ENOENT; |
876 | } |
877 | |
878 | static int check_ctrlrecip(struct usb_dev_state *ps, unsigned int requesttype, |
879 | unsigned int request, unsigned int index) |
880 | { |
881 | int ret = 0; |
882 | struct usb_host_interface *alt_setting; |
883 | |
884 | if (ps->dev->state != USB_STATE_UNAUTHENTICATED |
885 | && ps->dev->state != USB_STATE_ADDRESS |
886 | && ps->dev->state != USB_STATE_CONFIGURED) |
887 | return -EHOSTUNREACH; |
888 | if (USB_TYPE_VENDOR == (USB_TYPE_MASK & requesttype)) |
889 | return 0; |
890 | |
891 | /* |
892 | * check for the special corner case 'get_device_id' in the printer |
893 | * class specification, which we always want to allow as it is used |
894 | * to query things like ink level, etc. |
895 | */ |
896 | if (requesttype == 0xa1 && request == 0) { |
897 | alt_setting = usb_find_alt_setting(config: ps->dev->actconfig, |
898 | iface_num: index >> 8, alt_num: index & 0xff); |
899 | if (alt_setting |
900 | && alt_setting->desc.bInterfaceClass == USB_CLASS_PRINTER) |
901 | return 0; |
902 | } |
903 | |
904 | index &= 0xff; |
905 | switch (requesttype & USB_RECIP_MASK) { |
906 | case USB_RECIP_ENDPOINT: |
907 | if ((index & ~USB_DIR_IN) == 0) |
908 | return 0; |
909 | ret = findintfep(dev: ps->dev, ep: index); |
910 | if (ret < 0) { |
911 | /* |
912 | * Some not fully compliant Win apps seem to get |
913 | * index wrong and have the endpoint number here |
914 | * rather than the endpoint address (with the |
915 | * correct direction). Win does let this through, |
916 | * so we'll not reject it here but leave it to |
917 | * the device to not break KVM. But we warn. |
918 | */ |
919 | ret = findintfep(dev: ps->dev, ep: index ^ 0x80); |
920 | if (ret >= 0) |
921 | dev_info(&ps->dev->dev, |
922 | "%s: process %i (%s) requesting ep %02x but needs %02x\n" , |
923 | __func__, task_pid_nr(current), |
924 | current->comm, index, index ^ 0x80); |
925 | } |
926 | if (ret >= 0) |
927 | ret = checkintf(ps, ifnum: ret); |
928 | break; |
929 | |
930 | case USB_RECIP_INTERFACE: |
931 | ret = checkintf(ps, ifnum: index); |
932 | break; |
933 | } |
934 | return ret; |
935 | } |
936 | |
937 | static struct usb_host_endpoint *ep_to_host_endpoint(struct usb_device *dev, |
938 | unsigned char ep) |
939 | { |
940 | if (ep & USB_ENDPOINT_DIR_MASK) |
941 | return dev->ep_in[ep & USB_ENDPOINT_NUMBER_MASK]; |
942 | else |
943 | return dev->ep_out[ep & USB_ENDPOINT_NUMBER_MASK]; |
944 | } |
945 | |
946 | static int parse_usbdevfs_streams(struct usb_dev_state *ps, |
947 | struct usbdevfs_streams __user *streams, |
948 | unsigned int *num_streams_ret, |
949 | unsigned int *num_eps_ret, |
950 | struct usb_host_endpoint ***eps_ret, |
951 | struct usb_interface **intf_ret) |
952 | { |
953 | unsigned int i, num_streams, num_eps; |
954 | struct usb_host_endpoint **eps; |
955 | struct usb_interface *intf = NULL; |
956 | unsigned char ep; |
957 | int ifnum, ret; |
958 | |
959 | if (get_user(num_streams, &streams->num_streams) || |
960 | get_user(num_eps, &streams->num_eps)) |
961 | return -EFAULT; |
962 | |
963 | if (num_eps < 1 || num_eps > USB_MAXENDPOINTS) |
964 | return -EINVAL; |
965 | |
966 | /* The XHCI controller allows max 2 ^ 16 streams */ |
967 | if (num_streams_ret && (num_streams < 2 || num_streams > 65536)) |
968 | return -EINVAL; |
969 | |
970 | eps = kmalloc_array(n: num_eps, size: sizeof(*eps), GFP_KERNEL); |
971 | if (!eps) |
972 | return -ENOMEM; |
973 | |
974 | for (i = 0; i < num_eps; i++) { |
975 | if (get_user(ep, &streams->eps[i])) { |
976 | ret = -EFAULT; |
977 | goto error; |
978 | } |
979 | eps[i] = ep_to_host_endpoint(dev: ps->dev, ep); |
980 | if (!eps[i]) { |
981 | ret = -EINVAL; |
982 | goto error; |
983 | } |
984 | |
985 | /* usb_alloc/free_streams operate on an usb_interface */ |
986 | ifnum = findintfep(dev: ps->dev, ep); |
987 | if (ifnum < 0) { |
988 | ret = ifnum; |
989 | goto error; |
990 | } |
991 | |
992 | if (i == 0) { |
993 | ret = checkintf(ps, ifnum); |
994 | if (ret < 0) |
995 | goto error; |
996 | intf = usb_ifnum_to_if(dev: ps->dev, ifnum); |
997 | } else { |
998 | /* Verify all eps belong to the same interface */ |
999 | if (ifnum != intf->altsetting->desc.bInterfaceNumber) { |
1000 | ret = -EINVAL; |
1001 | goto error; |
1002 | } |
1003 | } |
1004 | } |
1005 | |
1006 | if (num_streams_ret) |
1007 | *num_streams_ret = num_streams; |
1008 | *num_eps_ret = num_eps; |
1009 | *eps_ret = eps; |
1010 | *intf_ret = intf; |
1011 | |
1012 | return 0; |
1013 | |
1014 | error: |
1015 | kfree(objp: eps); |
1016 | return ret; |
1017 | } |
1018 | |
1019 | static struct usb_device *usbdev_lookup_by_devt(dev_t devt) |
1020 | { |
1021 | struct device *dev; |
1022 | |
1023 | dev = bus_find_device_by_devt(bus: &usb_bus_type, devt); |
1024 | if (!dev) |
1025 | return NULL; |
1026 | return to_usb_device(dev); |
1027 | } |
1028 | |
1029 | /* |
1030 | * file operations |
1031 | */ |
1032 | static int usbdev_open(struct inode *inode, struct file *file) |
1033 | { |
1034 | struct usb_device *dev = NULL; |
1035 | struct usb_dev_state *ps; |
1036 | int ret; |
1037 | |
1038 | ret = -ENOMEM; |
1039 | ps = kzalloc(size: sizeof(struct usb_dev_state), GFP_KERNEL); |
1040 | if (!ps) |
1041 | goto out_free_ps; |
1042 | |
1043 | ret = -ENODEV; |
1044 | |
1045 | /* usbdev device-node */ |
1046 | if (imajor(inode) == USB_DEVICE_MAJOR) |
1047 | dev = usbdev_lookup_by_devt(devt: inode->i_rdev); |
1048 | if (!dev) |
1049 | goto out_free_ps; |
1050 | |
1051 | usb_lock_device(dev); |
1052 | if (dev->state == USB_STATE_NOTATTACHED) |
1053 | goto out_unlock_device; |
1054 | |
1055 | ret = usb_autoresume_device(udev: dev); |
1056 | if (ret) |
1057 | goto out_unlock_device; |
1058 | |
1059 | ps->dev = dev; |
1060 | ps->file = file; |
1061 | ps->interface_allowed_mask = 0xFFFFFFFF; /* 32 bits */ |
1062 | spin_lock_init(&ps->lock); |
1063 | INIT_LIST_HEAD(list: &ps->list); |
1064 | INIT_LIST_HEAD(list: &ps->async_pending); |
1065 | INIT_LIST_HEAD(list: &ps->async_completed); |
1066 | INIT_LIST_HEAD(list: &ps->memory_list); |
1067 | init_waitqueue_head(&ps->wait); |
1068 | init_waitqueue_head(&ps->wait_for_resume); |
1069 | ps->disc_pid = get_pid(pid: task_pid(current)); |
1070 | ps->cred = get_current_cred(); |
1071 | smp_wmb(); |
1072 | |
1073 | /* Can't race with resume; the device is already active */ |
1074 | list_add_tail(new: &ps->list, head: &dev->filelist); |
1075 | file->private_data = ps; |
1076 | usb_unlock_device(dev); |
1077 | snoop(&dev->dev, "opened by process %d: %s\n" , task_pid_nr(current), |
1078 | current->comm); |
1079 | return ret; |
1080 | |
1081 | out_unlock_device: |
1082 | usb_unlock_device(dev); |
1083 | usb_put_dev(dev); |
1084 | out_free_ps: |
1085 | kfree(objp: ps); |
1086 | return ret; |
1087 | } |
1088 | |
1089 | static int usbdev_release(struct inode *inode, struct file *file) |
1090 | { |
1091 | struct usb_dev_state *ps = file->private_data; |
1092 | struct usb_device *dev = ps->dev; |
1093 | unsigned int ifnum; |
1094 | struct async *as; |
1095 | |
1096 | usb_lock_device(dev); |
1097 | usb_hub_release_all_ports(hdev: dev, owner: ps); |
1098 | |
1099 | /* Protect against simultaneous resume */ |
1100 | mutex_lock(&usbfs_mutex); |
1101 | list_del_init(entry: &ps->list); |
1102 | mutex_unlock(lock: &usbfs_mutex); |
1103 | |
1104 | for (ifnum = 0; ps->ifclaimed && ifnum < 8*sizeof(ps->ifclaimed); |
1105 | ifnum++) { |
1106 | if (test_bit(ifnum, &ps->ifclaimed)) |
1107 | releaseintf(ps, ifnum); |
1108 | } |
1109 | destroy_all_async(ps); |
1110 | if (!ps->suspend_allowed) |
1111 | usb_autosuspend_device(udev: dev); |
1112 | usb_unlock_device(dev); |
1113 | usb_put_dev(dev); |
1114 | put_pid(pid: ps->disc_pid); |
1115 | put_cred(cred: ps->cred); |
1116 | |
1117 | as = async_getcompleted(ps); |
1118 | while (as) { |
1119 | free_async(as); |
1120 | as = async_getcompleted(ps); |
1121 | } |
1122 | |
1123 | kfree(objp: ps); |
1124 | return 0; |
1125 | } |
1126 | |
1127 | static void usbfs_blocking_completion(struct urb *urb) |
1128 | { |
1129 | complete((struct completion *) urb->context); |
1130 | } |
1131 | |
1132 | /* |
1133 | * Much like usb_start_wait_urb, but returns status separately from |
1134 | * actual_length and uses a killable wait. |
1135 | */ |
1136 | static int usbfs_start_wait_urb(struct urb *urb, int timeout, |
1137 | unsigned int *actlen) |
1138 | { |
1139 | DECLARE_COMPLETION_ONSTACK(ctx); |
1140 | unsigned long expire; |
1141 | int rc; |
1142 | |
1143 | urb->context = &ctx; |
1144 | urb->complete = usbfs_blocking_completion; |
1145 | *actlen = 0; |
1146 | rc = usb_submit_urb(urb, GFP_KERNEL); |
1147 | if (unlikely(rc)) |
1148 | return rc; |
1149 | |
1150 | expire = (timeout ? msecs_to_jiffies(m: timeout) : MAX_SCHEDULE_TIMEOUT); |
1151 | rc = wait_for_completion_killable_timeout(x: &ctx, timeout: expire); |
1152 | if (rc <= 0) { |
1153 | usb_kill_urb(urb); |
1154 | *actlen = urb->actual_length; |
1155 | if (urb->status != -ENOENT) |
1156 | ; /* Completed before it was killed */ |
1157 | else if (rc < 0) |
1158 | return -EINTR; |
1159 | else |
1160 | return -ETIMEDOUT; |
1161 | } |
1162 | *actlen = urb->actual_length; |
1163 | return urb->status; |
1164 | } |
1165 | |
1166 | static int do_proc_control(struct usb_dev_state *ps, |
1167 | struct usbdevfs_ctrltransfer *ctrl) |
1168 | { |
1169 | struct usb_device *dev = ps->dev; |
1170 | unsigned int tmo; |
1171 | unsigned char *tbuf; |
1172 | unsigned int wLength, actlen; |
1173 | int i, pipe, ret; |
1174 | struct urb *urb = NULL; |
1175 | struct usb_ctrlrequest *dr = NULL; |
1176 | |
1177 | ret = check_ctrlrecip(ps, requesttype: ctrl->bRequestType, request: ctrl->bRequest, |
1178 | index: ctrl->wIndex); |
1179 | if (ret) |
1180 | return ret; |
1181 | wLength = ctrl->wLength; /* To suppress 64k PAGE_SIZE warning */ |
1182 | if (wLength > PAGE_SIZE) |
1183 | return -EINVAL; |
1184 | ret = usbfs_increase_memory_usage(PAGE_SIZE + sizeof(struct urb) + |
1185 | sizeof(struct usb_ctrlrequest)); |
1186 | if (ret) |
1187 | return ret; |
1188 | |
1189 | ret = -ENOMEM; |
1190 | tbuf = (unsigned char *)__get_free_page(GFP_KERNEL); |
1191 | if (!tbuf) |
1192 | goto done; |
1193 | urb = usb_alloc_urb(iso_packets: 0, GFP_NOIO); |
1194 | if (!urb) |
1195 | goto done; |
1196 | dr = kmalloc(size: sizeof(struct usb_ctrlrequest), GFP_NOIO); |
1197 | if (!dr) |
1198 | goto done; |
1199 | |
1200 | dr->bRequestType = ctrl->bRequestType; |
1201 | dr->bRequest = ctrl->bRequest; |
1202 | dr->wValue = cpu_to_le16(ctrl->wValue); |
1203 | dr->wIndex = cpu_to_le16(ctrl->wIndex); |
1204 | dr->wLength = cpu_to_le16(ctrl->wLength); |
1205 | |
1206 | tmo = ctrl->timeout; |
1207 | snoop(&dev->dev, "control urb: bRequestType=%02x " |
1208 | "bRequest=%02x wValue=%04x " |
1209 | "wIndex=%04x wLength=%04x\n" , |
1210 | ctrl->bRequestType, ctrl->bRequest, ctrl->wValue, |
1211 | ctrl->wIndex, ctrl->wLength); |
1212 | |
1213 | if ((ctrl->bRequestType & USB_DIR_IN) && wLength) { |
1214 | pipe = usb_rcvctrlpipe(dev, 0); |
1215 | usb_fill_control_urb(urb, dev, pipe, setup_packet: (unsigned char *) dr, transfer_buffer: tbuf, |
1216 | buffer_length: wLength, NULL, NULL); |
1217 | snoop_urb(udev: dev, NULL, pipe, length: wLength, timeout_or_status: tmo, when: SUBMIT, NULL, data_len: 0); |
1218 | |
1219 | usb_unlock_device(dev); |
1220 | i = usbfs_start_wait_urb(urb, timeout: tmo, actlen: &actlen); |
1221 | |
1222 | /* Linger a bit, prior to the next control message. */ |
1223 | if (dev->quirks & USB_QUIRK_DELAY_CTRL_MSG) |
1224 | msleep(msecs: 200); |
1225 | usb_lock_device(dev); |
1226 | snoop_urb(udev: dev, NULL, pipe, length: actlen, timeout_or_status: i, when: COMPLETE, data: tbuf, data_len: actlen); |
1227 | if (!i && actlen) { |
1228 | if (copy_to_user(to: ctrl->data, from: tbuf, n: actlen)) { |
1229 | ret = -EFAULT; |
1230 | goto done; |
1231 | } |
1232 | } |
1233 | } else { |
1234 | if (wLength) { |
1235 | if (copy_from_user(to: tbuf, from: ctrl->data, n: wLength)) { |
1236 | ret = -EFAULT; |
1237 | goto done; |
1238 | } |
1239 | } |
1240 | pipe = usb_sndctrlpipe(dev, 0); |
1241 | usb_fill_control_urb(urb, dev, pipe, setup_packet: (unsigned char *) dr, transfer_buffer: tbuf, |
1242 | buffer_length: wLength, NULL, NULL); |
1243 | snoop_urb(udev: dev, NULL, pipe, length: wLength, timeout_or_status: tmo, when: SUBMIT, data: tbuf, data_len: wLength); |
1244 | |
1245 | usb_unlock_device(dev); |
1246 | i = usbfs_start_wait_urb(urb, timeout: tmo, actlen: &actlen); |
1247 | |
1248 | /* Linger a bit, prior to the next control message. */ |
1249 | if (dev->quirks & USB_QUIRK_DELAY_CTRL_MSG) |
1250 | msleep(msecs: 200); |
1251 | usb_lock_device(dev); |
1252 | snoop_urb(udev: dev, NULL, pipe, length: actlen, timeout_or_status: i, when: COMPLETE, NULL, data_len: 0); |
1253 | } |
1254 | if (i < 0 && i != -EPIPE) { |
1255 | dev_printk(KERN_DEBUG, &dev->dev, "usbfs: USBDEVFS_CONTROL " |
1256 | "failed cmd %s rqt %u rq %u len %u ret %d\n" , |
1257 | current->comm, ctrl->bRequestType, ctrl->bRequest, |
1258 | ctrl->wLength, i); |
1259 | } |
1260 | ret = (i < 0 ? i : actlen); |
1261 | |
1262 | done: |
1263 | kfree(objp: dr); |
1264 | usb_free_urb(urb); |
1265 | free_page((unsigned long) tbuf); |
1266 | usbfs_decrease_memory_usage(PAGE_SIZE + sizeof(struct urb) + |
1267 | sizeof(struct usb_ctrlrequest)); |
1268 | return ret; |
1269 | } |
1270 | |
1271 | static int proc_control(struct usb_dev_state *ps, void __user *arg) |
1272 | { |
1273 | struct usbdevfs_ctrltransfer ctrl; |
1274 | |
1275 | if (copy_from_user(to: &ctrl, from: arg, n: sizeof(ctrl))) |
1276 | return -EFAULT; |
1277 | return do_proc_control(ps, ctrl: &ctrl); |
1278 | } |
1279 | |
1280 | static int do_proc_bulk(struct usb_dev_state *ps, |
1281 | struct usbdevfs_bulktransfer *bulk) |
1282 | { |
1283 | struct usb_device *dev = ps->dev; |
1284 | unsigned int tmo, len1, len2, pipe; |
1285 | unsigned char *tbuf; |
1286 | int i, ret; |
1287 | struct urb *urb = NULL; |
1288 | struct usb_host_endpoint *ep; |
1289 | |
1290 | ret = findintfep(dev: ps->dev, ep: bulk->ep); |
1291 | if (ret < 0) |
1292 | return ret; |
1293 | ret = checkintf(ps, ifnum: ret); |
1294 | if (ret) |
1295 | return ret; |
1296 | |
1297 | len1 = bulk->len; |
1298 | if (len1 < 0 || len1 >= (INT_MAX - sizeof(struct urb))) |
1299 | return -EINVAL; |
1300 | |
1301 | if (bulk->ep & USB_DIR_IN) |
1302 | pipe = usb_rcvbulkpipe(dev, bulk->ep & 0x7f); |
1303 | else |
1304 | pipe = usb_sndbulkpipe(dev, bulk->ep & 0x7f); |
1305 | ep = usb_pipe_endpoint(dev, pipe); |
1306 | if (!ep || !usb_endpoint_maxp(epd: &ep->desc)) |
1307 | return -EINVAL; |
1308 | ret = usbfs_increase_memory_usage(amount: len1 + sizeof(struct urb)); |
1309 | if (ret) |
1310 | return ret; |
1311 | |
1312 | /* |
1313 | * len1 can be almost arbitrarily large. Don't WARN if it's |
1314 | * too big, just fail the request. |
1315 | */ |
1316 | ret = -ENOMEM; |
1317 | tbuf = kmalloc(size: len1, GFP_KERNEL | __GFP_NOWARN); |
1318 | if (!tbuf) |
1319 | goto done; |
1320 | urb = usb_alloc_urb(iso_packets: 0, GFP_KERNEL); |
1321 | if (!urb) |
1322 | goto done; |
1323 | |
1324 | if ((ep->desc.bmAttributes & USB_ENDPOINT_XFERTYPE_MASK) == |
1325 | USB_ENDPOINT_XFER_INT) { |
1326 | pipe = (pipe & ~(3 << 30)) | (PIPE_INTERRUPT << 30); |
1327 | usb_fill_int_urb(urb, dev, pipe, transfer_buffer: tbuf, buffer_length: len1, |
1328 | NULL, NULL, interval: ep->desc.bInterval); |
1329 | } else { |
1330 | usb_fill_bulk_urb(urb, dev, pipe, transfer_buffer: tbuf, buffer_length: len1, NULL, NULL); |
1331 | } |
1332 | |
1333 | tmo = bulk->timeout; |
1334 | if (bulk->ep & 0x80) { |
1335 | snoop_urb(udev: dev, NULL, pipe, length: len1, timeout_or_status: tmo, when: SUBMIT, NULL, data_len: 0); |
1336 | |
1337 | usb_unlock_device(dev); |
1338 | i = usbfs_start_wait_urb(urb, timeout: tmo, actlen: &len2); |
1339 | usb_lock_device(dev); |
1340 | snoop_urb(udev: dev, NULL, pipe, length: len2, timeout_or_status: i, when: COMPLETE, data: tbuf, data_len: len2); |
1341 | |
1342 | if (!i && len2) { |
1343 | if (copy_to_user(to: bulk->data, from: tbuf, n: len2)) { |
1344 | ret = -EFAULT; |
1345 | goto done; |
1346 | } |
1347 | } |
1348 | } else { |
1349 | if (len1) { |
1350 | if (copy_from_user(to: tbuf, from: bulk->data, n: len1)) { |
1351 | ret = -EFAULT; |
1352 | goto done; |
1353 | } |
1354 | } |
1355 | snoop_urb(udev: dev, NULL, pipe, length: len1, timeout_or_status: tmo, when: SUBMIT, data: tbuf, data_len: len1); |
1356 | |
1357 | usb_unlock_device(dev); |
1358 | i = usbfs_start_wait_urb(urb, timeout: tmo, actlen: &len2); |
1359 | usb_lock_device(dev); |
1360 | snoop_urb(udev: dev, NULL, pipe, length: len2, timeout_or_status: i, when: COMPLETE, NULL, data_len: 0); |
1361 | } |
1362 | ret = (i < 0 ? i : len2); |
1363 | done: |
1364 | usb_free_urb(urb); |
1365 | kfree(objp: tbuf); |
1366 | usbfs_decrease_memory_usage(amount: len1 + sizeof(struct urb)); |
1367 | return ret; |
1368 | } |
1369 | |
1370 | static int proc_bulk(struct usb_dev_state *ps, void __user *arg) |
1371 | { |
1372 | struct usbdevfs_bulktransfer bulk; |
1373 | |
1374 | if (copy_from_user(to: &bulk, from: arg, n: sizeof(bulk))) |
1375 | return -EFAULT; |
1376 | return do_proc_bulk(ps, bulk: &bulk); |
1377 | } |
1378 | |
1379 | static void check_reset_of_active_ep(struct usb_device *udev, |
1380 | unsigned int epnum, char *ioctl_name) |
1381 | { |
1382 | struct usb_host_endpoint **eps; |
1383 | struct usb_host_endpoint *ep; |
1384 | |
1385 | eps = (epnum & USB_DIR_IN) ? udev->ep_in : udev->ep_out; |
1386 | ep = eps[epnum & 0x0f]; |
1387 | if (ep && !list_empty(head: &ep->urb_list)) |
1388 | dev_warn(&udev->dev, "Process %d (%s) called USBDEVFS_%s for active endpoint 0x%02x\n" , |
1389 | task_pid_nr(current), current->comm, |
1390 | ioctl_name, epnum); |
1391 | } |
1392 | |
1393 | static int proc_resetep(struct usb_dev_state *ps, void __user *arg) |
1394 | { |
1395 | unsigned int ep; |
1396 | int ret; |
1397 | |
1398 | if (get_user(ep, (unsigned int __user *)arg)) |
1399 | return -EFAULT; |
1400 | ret = findintfep(dev: ps->dev, ep); |
1401 | if (ret < 0) |
1402 | return ret; |
1403 | ret = checkintf(ps, ifnum: ret); |
1404 | if (ret) |
1405 | return ret; |
1406 | check_reset_of_active_ep(udev: ps->dev, epnum: ep, ioctl_name: "RESETEP" ); |
1407 | usb_reset_endpoint(dev: ps->dev, epaddr: ep); |
1408 | return 0; |
1409 | } |
1410 | |
1411 | static int proc_clearhalt(struct usb_dev_state *ps, void __user *arg) |
1412 | { |
1413 | unsigned int ep; |
1414 | int pipe; |
1415 | int ret; |
1416 | |
1417 | if (get_user(ep, (unsigned int __user *)arg)) |
1418 | return -EFAULT; |
1419 | ret = findintfep(dev: ps->dev, ep); |
1420 | if (ret < 0) |
1421 | return ret; |
1422 | ret = checkintf(ps, ifnum: ret); |
1423 | if (ret) |
1424 | return ret; |
1425 | check_reset_of_active_ep(udev: ps->dev, epnum: ep, ioctl_name: "CLEAR_HALT" ); |
1426 | if (ep & USB_DIR_IN) |
1427 | pipe = usb_rcvbulkpipe(ps->dev, ep & 0x7f); |
1428 | else |
1429 | pipe = usb_sndbulkpipe(ps->dev, ep & 0x7f); |
1430 | |
1431 | return usb_clear_halt(dev: ps->dev, pipe); |
1432 | } |
1433 | |
1434 | static int proc_getdriver(struct usb_dev_state *ps, void __user *arg) |
1435 | { |
1436 | struct usbdevfs_getdriver gd; |
1437 | struct usb_interface *intf; |
1438 | int ret; |
1439 | |
1440 | if (copy_from_user(to: &gd, from: arg, n: sizeof(gd))) |
1441 | return -EFAULT; |
1442 | intf = usb_ifnum_to_if(dev: ps->dev, ifnum: gd.interface); |
1443 | if (!intf || !intf->dev.driver) |
1444 | ret = -ENODATA; |
1445 | else { |
1446 | strscpy(p: gd.driver, q: intf->dev.driver->name, |
1447 | size: sizeof(gd.driver)); |
1448 | ret = (copy_to_user(to: arg, from: &gd, n: sizeof(gd)) ? -EFAULT : 0); |
1449 | } |
1450 | return ret; |
1451 | } |
1452 | |
1453 | static int proc_connectinfo(struct usb_dev_state *ps, void __user *arg) |
1454 | { |
1455 | struct usbdevfs_connectinfo ci; |
1456 | |
1457 | memset(&ci, 0, sizeof(ci)); |
1458 | ci.devnum = ps->dev->devnum; |
1459 | ci.slow = ps->dev->speed == USB_SPEED_LOW; |
1460 | |
1461 | if (copy_to_user(to: arg, from: &ci, n: sizeof(ci))) |
1462 | return -EFAULT; |
1463 | return 0; |
1464 | } |
1465 | |
1466 | static int proc_conninfo_ex(struct usb_dev_state *ps, |
1467 | void __user *arg, size_t size) |
1468 | { |
1469 | struct usbdevfs_conninfo_ex ci; |
1470 | struct usb_device *udev = ps->dev; |
1471 | |
1472 | if (size < sizeof(ci.size)) |
1473 | return -EINVAL; |
1474 | |
1475 | memset(&ci, 0, sizeof(ci)); |
1476 | ci.size = sizeof(ci); |
1477 | ci.busnum = udev->bus->busnum; |
1478 | ci.devnum = udev->devnum; |
1479 | ci.speed = udev->speed; |
1480 | |
1481 | while (udev && udev->portnum != 0) { |
1482 | if (++ci.num_ports <= ARRAY_SIZE(ci.ports)) |
1483 | ci.ports[ARRAY_SIZE(ci.ports) - ci.num_ports] = |
1484 | udev->portnum; |
1485 | udev = udev->parent; |
1486 | } |
1487 | |
1488 | if (ci.num_ports < ARRAY_SIZE(ci.ports)) |
1489 | memmove(&ci.ports[0], |
1490 | &ci.ports[ARRAY_SIZE(ci.ports) - ci.num_ports], |
1491 | ci.num_ports); |
1492 | |
1493 | if (copy_to_user(to: arg, from: &ci, min(sizeof(ci), size))) |
1494 | return -EFAULT; |
1495 | |
1496 | return 0; |
1497 | } |
1498 | |
1499 | static int proc_resetdevice(struct usb_dev_state *ps) |
1500 | { |
1501 | struct usb_host_config *actconfig = ps->dev->actconfig; |
1502 | struct usb_interface *interface; |
1503 | int i, number; |
1504 | |
1505 | /* Don't allow a device reset if the process has dropped the |
1506 | * privilege to do such things and any of the interfaces are |
1507 | * currently claimed. |
1508 | */ |
1509 | if (ps->privileges_dropped && actconfig) { |
1510 | for (i = 0; i < actconfig->desc.bNumInterfaces; ++i) { |
1511 | interface = actconfig->interface[i]; |
1512 | number = interface->cur_altsetting->desc.bInterfaceNumber; |
1513 | if (usb_interface_claimed(iface: interface) && |
1514 | !test_bit(number, &ps->ifclaimed)) { |
1515 | dev_warn(&ps->dev->dev, |
1516 | "usbfs: interface %d claimed by %s while '%s' resets device\n" , |
1517 | number, interface->dev.driver->name, current->comm); |
1518 | return -EACCES; |
1519 | } |
1520 | } |
1521 | } |
1522 | |
1523 | return usb_reset_device(dev: ps->dev); |
1524 | } |
1525 | |
1526 | static int proc_setintf(struct usb_dev_state *ps, void __user *arg) |
1527 | { |
1528 | struct usbdevfs_setinterface setintf; |
1529 | int ret; |
1530 | |
1531 | if (copy_from_user(to: &setintf, from: arg, n: sizeof(setintf))) |
1532 | return -EFAULT; |
1533 | ret = checkintf(ps, ifnum: setintf.interface); |
1534 | if (ret) |
1535 | return ret; |
1536 | |
1537 | destroy_async_on_interface(ps, ifnum: setintf.interface); |
1538 | |
1539 | return usb_set_interface(dev: ps->dev, ifnum: setintf.interface, |
1540 | alternate: setintf.altsetting); |
1541 | } |
1542 | |
1543 | static int proc_setconfig(struct usb_dev_state *ps, void __user *arg) |
1544 | { |
1545 | int u; |
1546 | int status = 0; |
1547 | struct usb_host_config *actconfig; |
1548 | |
1549 | if (get_user(u, (int __user *)arg)) |
1550 | return -EFAULT; |
1551 | |
1552 | actconfig = ps->dev->actconfig; |
1553 | |
1554 | /* Don't touch the device if any interfaces are claimed. |
1555 | * It could interfere with other drivers' operations, and if |
1556 | * an interface is claimed by usbfs it could easily deadlock. |
1557 | */ |
1558 | if (actconfig) { |
1559 | int i; |
1560 | |
1561 | for (i = 0; i < actconfig->desc.bNumInterfaces; ++i) { |
1562 | if (usb_interface_claimed(iface: actconfig->interface[i])) { |
1563 | dev_warn(&ps->dev->dev, |
1564 | "usbfs: interface %d claimed by %s " |
1565 | "while '%s' sets config #%d\n" , |
1566 | actconfig->interface[i] |
1567 | ->cur_altsetting |
1568 | ->desc.bInterfaceNumber, |
1569 | actconfig->interface[i] |
1570 | ->dev.driver->name, |
1571 | current->comm, u); |
1572 | status = -EBUSY; |
1573 | break; |
1574 | } |
1575 | } |
1576 | } |
1577 | |
1578 | /* SET_CONFIGURATION is often abused as a "cheap" driver reset, |
1579 | * so avoid usb_set_configuration()'s kick to sysfs |
1580 | */ |
1581 | if (status == 0) { |
1582 | if (actconfig && actconfig->desc.bConfigurationValue == u) |
1583 | status = usb_reset_configuration(dev: ps->dev); |
1584 | else |
1585 | status = usb_set_configuration(dev: ps->dev, configuration: u); |
1586 | } |
1587 | |
1588 | return status; |
1589 | } |
1590 | |
1591 | static struct usb_memory * |
1592 | find_memory_area(struct usb_dev_state *ps, const struct usbdevfs_urb *uurb) |
1593 | { |
1594 | struct usb_memory *usbm = NULL, *iter; |
1595 | unsigned long flags; |
1596 | unsigned long uurb_start = (unsigned long)uurb->buffer; |
1597 | |
1598 | spin_lock_irqsave(&ps->lock, flags); |
1599 | list_for_each_entry(iter, &ps->memory_list, memlist) { |
1600 | if (uurb_start >= iter->vm_start && |
1601 | uurb_start < iter->vm_start + iter->size) { |
1602 | if (uurb->buffer_length > iter->vm_start + iter->size - |
1603 | uurb_start) { |
1604 | usbm = ERR_PTR(error: -EINVAL); |
1605 | } else { |
1606 | usbm = iter; |
1607 | usbm->urb_use_count++; |
1608 | } |
1609 | break; |
1610 | } |
1611 | } |
1612 | spin_unlock_irqrestore(lock: &ps->lock, flags); |
1613 | return usbm; |
1614 | } |
1615 | |
1616 | static int proc_do_submiturb(struct usb_dev_state *ps, struct usbdevfs_urb *uurb, |
1617 | struct usbdevfs_iso_packet_desc __user *iso_frame_desc, |
1618 | void __user *arg, sigval_t userurb_sigval) |
1619 | { |
1620 | struct usbdevfs_iso_packet_desc *isopkt = NULL; |
1621 | struct usb_host_endpoint *ep; |
1622 | struct async *as = NULL; |
1623 | struct usb_ctrlrequest *dr = NULL; |
1624 | unsigned int u, totlen, isofrmlen; |
1625 | int i, ret, num_sgs = 0, ifnum = -1; |
1626 | int number_of_packets = 0; |
1627 | unsigned int stream_id = 0; |
1628 | void *buf; |
1629 | bool is_in; |
1630 | bool allow_short = false; |
1631 | bool allow_zero = false; |
1632 | unsigned long mask = USBDEVFS_URB_SHORT_NOT_OK | |
1633 | USBDEVFS_URB_BULK_CONTINUATION | |
1634 | USBDEVFS_URB_NO_FSBR | |
1635 | USBDEVFS_URB_ZERO_PACKET | |
1636 | USBDEVFS_URB_NO_INTERRUPT; |
1637 | /* USBDEVFS_URB_ISO_ASAP is a special case */ |
1638 | if (uurb->type == USBDEVFS_URB_TYPE_ISO) |
1639 | mask |= USBDEVFS_URB_ISO_ASAP; |
1640 | |
1641 | if (uurb->flags & ~mask) |
1642 | return -EINVAL; |
1643 | |
1644 | if ((unsigned int)uurb->buffer_length >= USBFS_XFER_MAX) |
1645 | return -EINVAL; |
1646 | if (uurb->buffer_length > 0 && !uurb->buffer) |
1647 | return -EINVAL; |
1648 | if (!(uurb->type == USBDEVFS_URB_TYPE_CONTROL && |
1649 | (uurb->endpoint & ~USB_ENDPOINT_DIR_MASK) == 0)) { |
1650 | ifnum = findintfep(dev: ps->dev, ep: uurb->endpoint); |
1651 | if (ifnum < 0) |
1652 | return ifnum; |
1653 | ret = checkintf(ps, ifnum); |
1654 | if (ret) |
1655 | return ret; |
1656 | } |
1657 | ep = ep_to_host_endpoint(dev: ps->dev, ep: uurb->endpoint); |
1658 | if (!ep) |
1659 | return -ENOENT; |
1660 | is_in = (uurb->endpoint & USB_ENDPOINT_DIR_MASK) != 0; |
1661 | |
1662 | u = 0; |
1663 | switch (uurb->type) { |
1664 | case USBDEVFS_URB_TYPE_CONTROL: |
1665 | if (!usb_endpoint_xfer_control(epd: &ep->desc)) |
1666 | return -EINVAL; |
1667 | /* min 8 byte setup packet */ |
1668 | if (uurb->buffer_length < 8) |
1669 | return -EINVAL; |
1670 | dr = kmalloc(size: sizeof(struct usb_ctrlrequest), GFP_KERNEL); |
1671 | if (!dr) |
1672 | return -ENOMEM; |
1673 | if (copy_from_user(to: dr, from: uurb->buffer, n: 8)) { |
1674 | ret = -EFAULT; |
1675 | goto error; |
1676 | } |
1677 | if (uurb->buffer_length < (le16_to_cpu(dr->wLength) + 8)) { |
1678 | ret = -EINVAL; |
1679 | goto error; |
1680 | } |
1681 | ret = check_ctrlrecip(ps, requesttype: dr->bRequestType, request: dr->bRequest, |
1682 | le16_to_cpu(dr->wIndex)); |
1683 | if (ret) |
1684 | goto error; |
1685 | uurb->buffer_length = le16_to_cpu(dr->wLength); |
1686 | uurb->buffer += 8; |
1687 | if ((dr->bRequestType & USB_DIR_IN) && uurb->buffer_length) { |
1688 | is_in = true; |
1689 | uurb->endpoint |= USB_DIR_IN; |
1690 | } else { |
1691 | is_in = false; |
1692 | uurb->endpoint &= ~USB_DIR_IN; |
1693 | } |
1694 | if (is_in) |
1695 | allow_short = true; |
1696 | snoop(&ps->dev->dev, "control urb: bRequestType=%02x " |
1697 | "bRequest=%02x wValue=%04x " |
1698 | "wIndex=%04x wLength=%04x\n" , |
1699 | dr->bRequestType, dr->bRequest, |
1700 | __le16_to_cpu(dr->wValue), |
1701 | __le16_to_cpu(dr->wIndex), |
1702 | __le16_to_cpu(dr->wLength)); |
1703 | u = sizeof(struct usb_ctrlrequest); |
1704 | break; |
1705 | |
1706 | case USBDEVFS_URB_TYPE_BULK: |
1707 | if (!is_in) |
1708 | allow_zero = true; |
1709 | else |
1710 | allow_short = true; |
1711 | switch (usb_endpoint_type(epd: &ep->desc)) { |
1712 | case USB_ENDPOINT_XFER_CONTROL: |
1713 | case USB_ENDPOINT_XFER_ISOC: |
1714 | return -EINVAL; |
1715 | case USB_ENDPOINT_XFER_INT: |
1716 | /* allow single-shot interrupt transfers */ |
1717 | uurb->type = USBDEVFS_URB_TYPE_INTERRUPT; |
1718 | goto interrupt_urb; |
1719 | } |
1720 | num_sgs = DIV_ROUND_UP(uurb->buffer_length, USB_SG_SIZE); |
1721 | if (num_sgs == 1 || num_sgs > ps->dev->bus->sg_tablesize) |
1722 | num_sgs = 0; |
1723 | if (ep->streams) |
1724 | stream_id = uurb->stream_id; |
1725 | break; |
1726 | |
1727 | case USBDEVFS_URB_TYPE_INTERRUPT: |
1728 | if (!usb_endpoint_xfer_int(epd: &ep->desc)) |
1729 | return -EINVAL; |
1730 | interrupt_urb: |
1731 | if (!is_in) |
1732 | allow_zero = true; |
1733 | else |
1734 | allow_short = true; |
1735 | break; |
1736 | |
1737 | case USBDEVFS_URB_TYPE_ISO: |
1738 | /* arbitrary limit */ |
1739 | if (uurb->number_of_packets < 1 || |
1740 | uurb->number_of_packets > 128) |
1741 | return -EINVAL; |
1742 | if (!usb_endpoint_xfer_isoc(epd: &ep->desc)) |
1743 | return -EINVAL; |
1744 | number_of_packets = uurb->number_of_packets; |
1745 | isofrmlen = sizeof(struct usbdevfs_iso_packet_desc) * |
1746 | number_of_packets; |
1747 | isopkt = memdup_user(iso_frame_desc, isofrmlen); |
1748 | if (IS_ERR(ptr: isopkt)) { |
1749 | ret = PTR_ERR(ptr: isopkt); |
1750 | isopkt = NULL; |
1751 | goto error; |
1752 | } |
1753 | for (totlen = u = 0; u < number_of_packets; u++) { |
1754 | /* |
1755 | * arbitrary limit need for USB 3.1 Gen2 |
1756 | * sizemax: 96 DPs at SSP, 96 * 1024 = 98304 |
1757 | */ |
1758 | if (isopkt[u].length > 98304) { |
1759 | ret = -EINVAL; |
1760 | goto error; |
1761 | } |
1762 | totlen += isopkt[u].length; |
1763 | } |
1764 | u *= sizeof(struct usb_iso_packet_descriptor); |
1765 | uurb->buffer_length = totlen; |
1766 | break; |
1767 | |
1768 | default: |
1769 | return -EINVAL; |
1770 | } |
1771 | |
1772 | if (uurb->buffer_length > 0 && |
1773 | !access_ok(uurb->buffer, uurb->buffer_length)) { |
1774 | ret = -EFAULT; |
1775 | goto error; |
1776 | } |
1777 | as = alloc_async(numisoframes: number_of_packets); |
1778 | if (!as) { |
1779 | ret = -ENOMEM; |
1780 | goto error; |
1781 | } |
1782 | |
1783 | as->usbm = find_memory_area(ps, uurb); |
1784 | if (IS_ERR(ptr: as->usbm)) { |
1785 | ret = PTR_ERR(ptr: as->usbm); |
1786 | as->usbm = NULL; |
1787 | goto error; |
1788 | } |
1789 | |
1790 | /* do not use SG buffers when memory mapped segments |
1791 | * are in use |
1792 | */ |
1793 | if (as->usbm) |
1794 | num_sgs = 0; |
1795 | |
1796 | u += sizeof(struct async) + sizeof(struct urb) + |
1797 | (as->usbm ? 0 : uurb->buffer_length) + |
1798 | num_sgs * sizeof(struct scatterlist); |
1799 | ret = usbfs_increase_memory_usage(amount: u); |
1800 | if (ret) |
1801 | goto error; |
1802 | as->mem_usage = u; |
1803 | |
1804 | if (num_sgs) { |
1805 | as->urb->sg = kmalloc_array(n: num_sgs, |
1806 | size: sizeof(struct scatterlist), |
1807 | GFP_KERNEL | __GFP_NOWARN); |
1808 | if (!as->urb->sg) { |
1809 | ret = -ENOMEM; |
1810 | goto error; |
1811 | } |
1812 | as->urb->num_sgs = num_sgs; |
1813 | sg_init_table(as->urb->sg, as->urb->num_sgs); |
1814 | |
1815 | totlen = uurb->buffer_length; |
1816 | for (i = 0; i < as->urb->num_sgs; i++) { |
1817 | u = (totlen > USB_SG_SIZE) ? USB_SG_SIZE : totlen; |
1818 | buf = kmalloc(size: u, GFP_KERNEL); |
1819 | if (!buf) { |
1820 | ret = -ENOMEM; |
1821 | goto error; |
1822 | } |
1823 | sg_set_buf(sg: &as->urb->sg[i], buf, buflen: u); |
1824 | |
1825 | if (!is_in) { |
1826 | if (copy_from_user(to: buf, from: uurb->buffer, n: u)) { |
1827 | ret = -EFAULT; |
1828 | goto error; |
1829 | } |
1830 | uurb->buffer += u; |
1831 | } |
1832 | totlen -= u; |
1833 | } |
1834 | } else if (uurb->buffer_length > 0) { |
1835 | if (as->usbm) { |
1836 | unsigned long uurb_start = (unsigned long)uurb->buffer; |
1837 | |
1838 | as->urb->transfer_buffer = as->usbm->mem + |
1839 | (uurb_start - as->usbm->vm_start); |
1840 | } else { |
1841 | as->urb->transfer_buffer = kmalloc(size: uurb->buffer_length, |
1842 | GFP_KERNEL | __GFP_NOWARN); |
1843 | if (!as->urb->transfer_buffer) { |
1844 | ret = -ENOMEM; |
1845 | goto error; |
1846 | } |
1847 | if (!is_in) { |
1848 | if (copy_from_user(to: as->urb->transfer_buffer, |
1849 | from: uurb->buffer, |
1850 | n: uurb->buffer_length)) { |
1851 | ret = -EFAULT; |
1852 | goto error; |
1853 | } |
1854 | } else if (uurb->type == USBDEVFS_URB_TYPE_ISO) { |
1855 | /* |
1856 | * Isochronous input data may end up being |
1857 | * discontiguous if some of the packets are |
1858 | * short. Clear the buffer so that the gaps |
1859 | * don't leak kernel data to userspace. |
1860 | */ |
1861 | memset(as->urb->transfer_buffer, 0, |
1862 | uurb->buffer_length); |
1863 | } |
1864 | } |
1865 | } |
1866 | as->urb->dev = ps->dev; |
1867 | as->urb->pipe = (uurb->type << 30) | |
1868 | __create_pipe(dev: ps->dev, endpoint: uurb->endpoint & 0xf) | |
1869 | (uurb->endpoint & USB_DIR_IN); |
1870 | |
1871 | /* This tedious sequence is necessary because the URB_* flags |
1872 | * are internal to the kernel and subject to change, whereas |
1873 | * the USBDEVFS_URB_* flags are a user API and must not be changed. |
1874 | */ |
1875 | u = (is_in ? URB_DIR_IN : URB_DIR_OUT); |
1876 | if (uurb->flags & USBDEVFS_URB_ISO_ASAP) |
1877 | u |= URB_ISO_ASAP; |
1878 | if (allow_short && uurb->flags & USBDEVFS_URB_SHORT_NOT_OK) |
1879 | u |= URB_SHORT_NOT_OK; |
1880 | if (allow_zero && uurb->flags & USBDEVFS_URB_ZERO_PACKET) |
1881 | u |= URB_ZERO_PACKET; |
1882 | if (uurb->flags & USBDEVFS_URB_NO_INTERRUPT) |
1883 | u |= URB_NO_INTERRUPT; |
1884 | as->urb->transfer_flags = u; |
1885 | |
1886 | if (!allow_short && uurb->flags & USBDEVFS_URB_SHORT_NOT_OK) |
1887 | dev_warn(&ps->dev->dev, "Requested nonsensical USBDEVFS_URB_SHORT_NOT_OK.\n" ); |
1888 | if (!allow_zero && uurb->flags & USBDEVFS_URB_ZERO_PACKET) |
1889 | dev_warn(&ps->dev->dev, "Requested nonsensical USBDEVFS_URB_ZERO_PACKET.\n" ); |
1890 | |
1891 | as->urb->transfer_buffer_length = uurb->buffer_length; |
1892 | as->urb->setup_packet = (unsigned char *)dr; |
1893 | dr = NULL; |
1894 | as->urb->start_frame = uurb->start_frame; |
1895 | as->urb->number_of_packets = number_of_packets; |
1896 | as->urb->stream_id = stream_id; |
1897 | |
1898 | if (ep->desc.bInterval) { |
1899 | if (uurb->type == USBDEVFS_URB_TYPE_ISO || |
1900 | ps->dev->speed == USB_SPEED_HIGH || |
1901 | ps->dev->speed >= USB_SPEED_SUPER) |
1902 | as->urb->interval = 1 << |
1903 | min(15, ep->desc.bInterval - 1); |
1904 | else |
1905 | as->urb->interval = ep->desc.bInterval; |
1906 | } |
1907 | |
1908 | as->urb->context = as; |
1909 | as->urb->complete = async_completed; |
1910 | for (totlen = u = 0; u < number_of_packets; u++) { |
1911 | as->urb->iso_frame_desc[u].offset = totlen; |
1912 | as->urb->iso_frame_desc[u].length = isopkt[u].length; |
1913 | totlen += isopkt[u].length; |
1914 | } |
1915 | kfree(objp: isopkt); |
1916 | isopkt = NULL; |
1917 | as->ps = ps; |
1918 | as->userurb = arg; |
1919 | as->userurb_sigval = userurb_sigval; |
1920 | if (as->usbm) { |
1921 | unsigned long uurb_start = (unsigned long)uurb->buffer; |
1922 | |
1923 | as->urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP; |
1924 | as->urb->transfer_dma = as->usbm->dma_handle + |
1925 | (uurb_start - as->usbm->vm_start); |
1926 | } else if (is_in && uurb->buffer_length > 0) |
1927 | as->userbuffer = uurb->buffer; |
1928 | as->signr = uurb->signr; |
1929 | as->ifnum = ifnum; |
1930 | as->pid = get_pid(pid: task_pid(current)); |
1931 | as->cred = get_current_cred(); |
1932 | snoop_urb(udev: ps->dev, userurb: as->userurb, pipe: as->urb->pipe, |
1933 | length: as->urb->transfer_buffer_length, timeout_or_status: 0, when: SUBMIT, |
1934 | NULL, data_len: 0); |
1935 | if (!is_in) |
1936 | snoop_urb_data(urb: as->urb, len: as->urb->transfer_buffer_length); |
1937 | |
1938 | async_newpending(as); |
1939 | |
1940 | if (usb_endpoint_xfer_bulk(epd: &ep->desc)) { |
1941 | spin_lock_irq(lock: &ps->lock); |
1942 | |
1943 | /* Not exactly the endpoint address; the direction bit is |
1944 | * shifted to the 0x10 position so that the value will be |
1945 | * between 0 and 31. |
1946 | */ |
1947 | as->bulk_addr = usb_endpoint_num(epd: &ep->desc) | |
1948 | ((ep->desc.bEndpointAddress & USB_ENDPOINT_DIR_MASK) |
1949 | >> 3); |
1950 | |
1951 | /* If this bulk URB is the start of a new transfer, re-enable |
1952 | * the endpoint. Otherwise mark it as a continuation URB. |
1953 | */ |
1954 | if (uurb->flags & USBDEVFS_URB_BULK_CONTINUATION) |
1955 | as->bulk_status = AS_CONTINUATION; |
1956 | else |
1957 | ps->disabled_bulk_eps &= ~(1 << as->bulk_addr); |
1958 | |
1959 | /* Don't accept continuation URBs if the endpoint is |
1960 | * disabled because of an earlier error. |
1961 | */ |
1962 | if (ps->disabled_bulk_eps & (1 << as->bulk_addr)) |
1963 | ret = -EREMOTEIO; |
1964 | else |
1965 | ret = usb_submit_urb(urb: as->urb, GFP_ATOMIC); |
1966 | spin_unlock_irq(lock: &ps->lock); |
1967 | } else { |
1968 | ret = usb_submit_urb(urb: as->urb, GFP_KERNEL); |
1969 | } |
1970 | |
1971 | if (ret) { |
1972 | dev_printk(KERN_DEBUG, &ps->dev->dev, |
1973 | "usbfs: usb_submit_urb returned %d\n" , ret); |
1974 | snoop_urb(udev: ps->dev, userurb: as->userurb, pipe: as->urb->pipe, |
1975 | length: 0, timeout_or_status: ret, when: COMPLETE, NULL, data_len: 0); |
1976 | async_removepending(as); |
1977 | goto error; |
1978 | } |
1979 | return 0; |
1980 | |
1981 | error: |
1982 | kfree(objp: isopkt); |
1983 | kfree(objp: dr); |
1984 | if (as) |
1985 | free_async(as); |
1986 | return ret; |
1987 | } |
1988 | |
1989 | static int proc_submiturb(struct usb_dev_state *ps, void __user *arg) |
1990 | { |
1991 | struct usbdevfs_urb uurb; |
1992 | sigval_t userurb_sigval; |
1993 | |
1994 | if (copy_from_user(to: &uurb, from: arg, n: sizeof(uurb))) |
1995 | return -EFAULT; |
1996 | |
1997 | memset(&userurb_sigval, 0, sizeof(userurb_sigval)); |
1998 | userurb_sigval.sival_ptr = arg; |
1999 | |
2000 | return proc_do_submiturb(ps, uurb: &uurb, |
2001 | iso_frame_desc: (((struct usbdevfs_urb __user *)arg)->iso_frame_desc), |
2002 | arg, userurb_sigval); |
2003 | } |
2004 | |
2005 | static int proc_unlinkurb(struct usb_dev_state *ps, void __user *arg) |
2006 | { |
2007 | struct urb *urb; |
2008 | struct async *as; |
2009 | unsigned long flags; |
2010 | |
2011 | spin_lock_irqsave(&ps->lock, flags); |
2012 | as = async_getpending(ps, userurb: arg); |
2013 | if (!as) { |
2014 | spin_unlock_irqrestore(lock: &ps->lock, flags); |
2015 | return -EINVAL; |
2016 | } |
2017 | |
2018 | urb = as->urb; |
2019 | usb_get_urb(urb); |
2020 | spin_unlock_irqrestore(lock: &ps->lock, flags); |
2021 | |
2022 | usb_kill_urb(urb); |
2023 | usb_put_urb(urb); |
2024 | |
2025 | return 0; |
2026 | } |
2027 | |
2028 | static void compute_isochronous_actual_length(struct urb *urb) |
2029 | { |
2030 | unsigned int i; |
2031 | |
2032 | if (urb->number_of_packets > 0) { |
2033 | urb->actual_length = 0; |
2034 | for (i = 0; i < urb->number_of_packets; i++) |
2035 | urb->actual_length += |
2036 | urb->iso_frame_desc[i].actual_length; |
2037 | } |
2038 | } |
2039 | |
2040 | static int processcompl(struct async *as, void __user * __user *arg) |
2041 | { |
2042 | struct urb *urb = as->urb; |
2043 | struct usbdevfs_urb __user *userurb = as->userurb; |
2044 | void __user *addr = as->userurb; |
2045 | unsigned int i; |
2046 | |
2047 | compute_isochronous_actual_length(urb); |
2048 | if (as->userbuffer && urb->actual_length) { |
2049 | if (copy_urb_data_to_user(userbuffer: as->userbuffer, urb)) |
2050 | goto err_out; |
2051 | } |
2052 | if (put_user(as->status, &userurb->status)) |
2053 | goto err_out; |
2054 | if (put_user(urb->actual_length, &userurb->actual_length)) |
2055 | goto err_out; |
2056 | if (put_user(urb->error_count, &userurb->error_count)) |
2057 | goto err_out; |
2058 | |
2059 | if (usb_endpoint_xfer_isoc(epd: &urb->ep->desc)) { |
2060 | for (i = 0; i < urb->number_of_packets; i++) { |
2061 | if (put_user(urb->iso_frame_desc[i].actual_length, |
2062 | &userurb->iso_frame_desc[i].actual_length)) |
2063 | goto err_out; |
2064 | if (put_user(urb->iso_frame_desc[i].status, |
2065 | &userurb->iso_frame_desc[i].status)) |
2066 | goto err_out; |
2067 | } |
2068 | } |
2069 | |
2070 | if (put_user(addr, (void __user * __user *)arg)) |
2071 | return -EFAULT; |
2072 | return 0; |
2073 | |
2074 | err_out: |
2075 | return -EFAULT; |
2076 | } |
2077 | |
2078 | static struct async *reap_as(struct usb_dev_state *ps) |
2079 | { |
2080 | DECLARE_WAITQUEUE(wait, current); |
2081 | struct async *as = NULL; |
2082 | struct usb_device *dev = ps->dev; |
2083 | |
2084 | add_wait_queue(wq_head: &ps->wait, wq_entry: &wait); |
2085 | for (;;) { |
2086 | __set_current_state(TASK_INTERRUPTIBLE); |
2087 | as = async_getcompleted(ps); |
2088 | if (as || !connected(ps)) |
2089 | break; |
2090 | if (signal_pending(current)) |
2091 | break; |
2092 | usb_unlock_device(dev); |
2093 | schedule(); |
2094 | usb_lock_device(dev); |
2095 | } |
2096 | remove_wait_queue(wq_head: &ps->wait, wq_entry: &wait); |
2097 | set_current_state(TASK_RUNNING); |
2098 | return as; |
2099 | } |
2100 | |
2101 | static int proc_reapurb(struct usb_dev_state *ps, void __user *arg) |
2102 | { |
2103 | struct async *as = reap_as(ps); |
2104 | |
2105 | if (as) { |
2106 | int retval; |
2107 | |
2108 | snoop(&ps->dev->dev, "reap %px\n" , as->userurb); |
2109 | retval = processcompl(as, arg: (void __user * __user *)arg); |
2110 | free_async(as); |
2111 | return retval; |
2112 | } |
2113 | if (signal_pending(current)) |
2114 | return -EINTR; |
2115 | return -ENODEV; |
2116 | } |
2117 | |
2118 | static int proc_reapurbnonblock(struct usb_dev_state *ps, void __user *arg) |
2119 | { |
2120 | int retval; |
2121 | struct async *as; |
2122 | |
2123 | as = async_getcompleted(ps); |
2124 | if (as) { |
2125 | snoop(&ps->dev->dev, "reap %px\n" , as->userurb); |
2126 | retval = processcompl(as, arg: (void __user * __user *)arg); |
2127 | free_async(as); |
2128 | } else { |
2129 | retval = (connected(ps) ? -EAGAIN : -ENODEV); |
2130 | } |
2131 | return retval; |
2132 | } |
2133 | |
2134 | #ifdef CONFIG_COMPAT |
2135 | static int proc_control_compat(struct usb_dev_state *ps, |
2136 | struct usbdevfs_ctrltransfer32 __user *p32) |
2137 | { |
2138 | struct usbdevfs_ctrltransfer ctrl; |
2139 | u32 udata; |
2140 | |
2141 | if (copy_from_user(to: &ctrl, from: p32, n: sizeof(*p32) - sizeof(compat_caddr_t)) || |
2142 | get_user(udata, &p32->data)) |
2143 | return -EFAULT; |
2144 | ctrl.data = compat_ptr(uptr: udata); |
2145 | return do_proc_control(ps, ctrl: &ctrl); |
2146 | } |
2147 | |
2148 | static int proc_bulk_compat(struct usb_dev_state *ps, |
2149 | struct usbdevfs_bulktransfer32 __user *p32) |
2150 | { |
2151 | struct usbdevfs_bulktransfer bulk; |
2152 | compat_caddr_t addr; |
2153 | |
2154 | if (get_user(bulk.ep, &p32->ep) || |
2155 | get_user(bulk.len, &p32->len) || |
2156 | get_user(bulk.timeout, &p32->timeout) || |
2157 | get_user(addr, &p32->data)) |
2158 | return -EFAULT; |
2159 | bulk.data = compat_ptr(uptr: addr); |
2160 | return do_proc_bulk(ps, bulk: &bulk); |
2161 | } |
2162 | |
2163 | static int proc_disconnectsignal_compat(struct usb_dev_state *ps, void __user *arg) |
2164 | { |
2165 | struct usbdevfs_disconnectsignal32 ds; |
2166 | |
2167 | if (copy_from_user(to: &ds, from: arg, n: sizeof(ds))) |
2168 | return -EFAULT; |
2169 | ps->discsignr = ds.signr; |
2170 | ps->disccontext.sival_int = ds.context; |
2171 | return 0; |
2172 | } |
2173 | |
2174 | static int get_urb32(struct usbdevfs_urb *kurb, |
2175 | struct usbdevfs_urb32 __user *uurb) |
2176 | { |
2177 | struct usbdevfs_urb32 urb32; |
2178 | if (copy_from_user(to: &urb32, from: uurb, n: sizeof(*uurb))) |
2179 | return -EFAULT; |
2180 | kurb->type = urb32.type; |
2181 | kurb->endpoint = urb32.endpoint; |
2182 | kurb->status = urb32.status; |
2183 | kurb->flags = urb32.flags; |
2184 | kurb->buffer = compat_ptr(uptr: urb32.buffer); |
2185 | kurb->buffer_length = urb32.buffer_length; |
2186 | kurb->actual_length = urb32.actual_length; |
2187 | kurb->start_frame = urb32.start_frame; |
2188 | kurb->number_of_packets = urb32.number_of_packets; |
2189 | kurb->error_count = urb32.error_count; |
2190 | kurb->signr = urb32.signr; |
2191 | kurb->usercontext = compat_ptr(uptr: urb32.usercontext); |
2192 | return 0; |
2193 | } |
2194 | |
2195 | static int proc_submiturb_compat(struct usb_dev_state *ps, void __user *arg) |
2196 | { |
2197 | struct usbdevfs_urb uurb; |
2198 | sigval_t userurb_sigval; |
2199 | |
2200 | if (get_urb32(kurb: &uurb, uurb: (struct usbdevfs_urb32 __user *)arg)) |
2201 | return -EFAULT; |
2202 | |
2203 | memset(&userurb_sigval, 0, sizeof(userurb_sigval)); |
2204 | userurb_sigval.sival_int = ptr_to_compat(uptr: arg); |
2205 | |
2206 | return proc_do_submiturb(ps, uurb: &uurb, |
2207 | iso_frame_desc: ((struct usbdevfs_urb32 __user *)arg)->iso_frame_desc, |
2208 | arg, userurb_sigval); |
2209 | } |
2210 | |
2211 | static int processcompl_compat(struct async *as, void __user * __user *arg) |
2212 | { |
2213 | struct urb *urb = as->urb; |
2214 | struct usbdevfs_urb32 __user *userurb = as->userurb; |
2215 | void __user *addr = as->userurb; |
2216 | unsigned int i; |
2217 | |
2218 | compute_isochronous_actual_length(urb); |
2219 | if (as->userbuffer && urb->actual_length) { |
2220 | if (copy_urb_data_to_user(userbuffer: as->userbuffer, urb)) |
2221 | return -EFAULT; |
2222 | } |
2223 | if (put_user(as->status, &userurb->status)) |
2224 | return -EFAULT; |
2225 | if (put_user(urb->actual_length, &userurb->actual_length)) |
2226 | return -EFAULT; |
2227 | if (put_user(urb->error_count, &userurb->error_count)) |
2228 | return -EFAULT; |
2229 | |
2230 | if (usb_endpoint_xfer_isoc(epd: &urb->ep->desc)) { |
2231 | for (i = 0; i < urb->number_of_packets; i++) { |
2232 | if (put_user(urb->iso_frame_desc[i].actual_length, |
2233 | &userurb->iso_frame_desc[i].actual_length)) |
2234 | return -EFAULT; |
2235 | if (put_user(urb->iso_frame_desc[i].status, |
2236 | &userurb->iso_frame_desc[i].status)) |
2237 | return -EFAULT; |
2238 | } |
2239 | } |
2240 | |
2241 | if (put_user(ptr_to_compat(addr), (u32 __user *)arg)) |
2242 | return -EFAULT; |
2243 | return 0; |
2244 | } |
2245 | |
2246 | static int proc_reapurb_compat(struct usb_dev_state *ps, void __user *arg) |
2247 | { |
2248 | struct async *as = reap_as(ps); |
2249 | |
2250 | if (as) { |
2251 | int retval; |
2252 | |
2253 | snoop(&ps->dev->dev, "reap %px\n" , as->userurb); |
2254 | retval = processcompl_compat(as, arg: (void __user * __user *)arg); |
2255 | free_async(as); |
2256 | return retval; |
2257 | } |
2258 | if (signal_pending(current)) |
2259 | return -EINTR; |
2260 | return -ENODEV; |
2261 | } |
2262 | |
2263 | static int proc_reapurbnonblock_compat(struct usb_dev_state *ps, void __user *arg) |
2264 | { |
2265 | int retval; |
2266 | struct async *as; |
2267 | |
2268 | as = async_getcompleted(ps); |
2269 | if (as) { |
2270 | snoop(&ps->dev->dev, "reap %px\n" , as->userurb); |
2271 | retval = processcompl_compat(as, arg: (void __user * __user *)arg); |
2272 | free_async(as); |
2273 | } else { |
2274 | retval = (connected(ps) ? -EAGAIN : -ENODEV); |
2275 | } |
2276 | return retval; |
2277 | } |
2278 | |
2279 | |
2280 | #endif |
2281 | |
2282 | static int proc_disconnectsignal(struct usb_dev_state *ps, void __user *arg) |
2283 | { |
2284 | struct usbdevfs_disconnectsignal ds; |
2285 | |
2286 | if (copy_from_user(to: &ds, from: arg, n: sizeof(ds))) |
2287 | return -EFAULT; |
2288 | ps->discsignr = ds.signr; |
2289 | ps->disccontext.sival_ptr = ds.context; |
2290 | return 0; |
2291 | } |
2292 | |
2293 | static int proc_claiminterface(struct usb_dev_state *ps, void __user *arg) |
2294 | { |
2295 | unsigned int ifnum; |
2296 | |
2297 | if (get_user(ifnum, (unsigned int __user *)arg)) |
2298 | return -EFAULT; |
2299 | return claimintf(ps, ifnum); |
2300 | } |
2301 | |
2302 | static int proc_releaseinterface(struct usb_dev_state *ps, void __user *arg) |
2303 | { |
2304 | unsigned int ifnum; |
2305 | int ret; |
2306 | |
2307 | if (get_user(ifnum, (unsigned int __user *)arg)) |
2308 | return -EFAULT; |
2309 | ret = releaseintf(ps, ifnum); |
2310 | if (ret < 0) |
2311 | return ret; |
2312 | destroy_async_on_interface(ps, ifnum); |
2313 | return 0; |
2314 | } |
2315 | |
2316 | static int proc_ioctl(struct usb_dev_state *ps, struct usbdevfs_ioctl *ctl) |
2317 | { |
2318 | int size; |
2319 | void *buf = NULL; |
2320 | int retval = 0; |
2321 | struct usb_interface *intf = NULL; |
2322 | struct usb_driver *driver = NULL; |
2323 | |
2324 | if (ps->privileges_dropped) |
2325 | return -EACCES; |
2326 | |
2327 | if (!connected(ps)) |
2328 | return -ENODEV; |
2329 | |
2330 | /* alloc buffer */ |
2331 | size = _IOC_SIZE(ctl->ioctl_code); |
2332 | if (size > 0) { |
2333 | buf = kmalloc(size, GFP_KERNEL); |
2334 | if (buf == NULL) |
2335 | return -ENOMEM; |
2336 | if ((_IOC_DIR(ctl->ioctl_code) & _IOC_WRITE)) { |
2337 | if (copy_from_user(to: buf, from: ctl->data, n: size)) { |
2338 | kfree(objp: buf); |
2339 | return -EFAULT; |
2340 | } |
2341 | } else { |
2342 | memset(buf, 0, size); |
2343 | } |
2344 | } |
2345 | |
2346 | if (ps->dev->state != USB_STATE_CONFIGURED) |
2347 | retval = -EHOSTUNREACH; |
2348 | else if (!(intf = usb_ifnum_to_if(dev: ps->dev, ifnum: ctl->ifno))) |
2349 | retval = -EINVAL; |
2350 | else switch (ctl->ioctl_code) { |
2351 | |
2352 | /* disconnect kernel driver from interface */ |
2353 | case USBDEVFS_DISCONNECT: |
2354 | if (intf->dev.driver) { |
2355 | driver = to_usb_driver(intf->dev.driver); |
2356 | dev_dbg(&intf->dev, "disconnect by usbfs\n" ); |
2357 | usb_driver_release_interface(driver, iface: intf); |
2358 | } else |
2359 | retval = -ENODATA; |
2360 | break; |
2361 | |
2362 | /* let kernel drivers try to (re)bind to the interface */ |
2363 | case USBDEVFS_CONNECT: |
2364 | if (!intf->dev.driver) |
2365 | retval = device_attach(dev: &intf->dev); |
2366 | else |
2367 | retval = -EBUSY; |
2368 | break; |
2369 | |
2370 | /* talk directly to the interface's driver */ |
2371 | default: |
2372 | if (intf->dev.driver) |
2373 | driver = to_usb_driver(intf->dev.driver); |
2374 | if (driver == NULL || driver->unlocked_ioctl == NULL) { |
2375 | retval = -ENOTTY; |
2376 | } else { |
2377 | retval = driver->unlocked_ioctl(intf, ctl->ioctl_code, buf); |
2378 | if (retval == -ENOIOCTLCMD) |
2379 | retval = -ENOTTY; |
2380 | } |
2381 | } |
2382 | |
2383 | /* cleanup and return */ |
2384 | if (retval >= 0 |
2385 | && (_IOC_DIR(ctl->ioctl_code) & _IOC_READ) != 0 |
2386 | && size > 0 |
2387 | && copy_to_user(to: ctl->data, from: buf, n: size) != 0) |
2388 | retval = -EFAULT; |
2389 | |
2390 | kfree(objp: buf); |
2391 | return retval; |
2392 | } |
2393 | |
2394 | static int proc_ioctl_default(struct usb_dev_state *ps, void __user *arg) |
2395 | { |
2396 | struct usbdevfs_ioctl ctrl; |
2397 | |
2398 | if (copy_from_user(to: &ctrl, from: arg, n: sizeof(ctrl))) |
2399 | return -EFAULT; |
2400 | return proc_ioctl(ps, ctl: &ctrl); |
2401 | } |
2402 | |
2403 | #ifdef CONFIG_COMPAT |
2404 | static int proc_ioctl_compat(struct usb_dev_state *ps, compat_uptr_t arg) |
2405 | { |
2406 | struct usbdevfs_ioctl32 ioc32; |
2407 | struct usbdevfs_ioctl ctrl; |
2408 | |
2409 | if (copy_from_user(to: &ioc32, from: compat_ptr(uptr: arg), n: sizeof(ioc32))) |
2410 | return -EFAULT; |
2411 | ctrl.ifno = ioc32.ifno; |
2412 | ctrl.ioctl_code = ioc32.ioctl_code; |
2413 | ctrl.data = compat_ptr(uptr: ioc32.data); |
2414 | return proc_ioctl(ps, ctl: &ctrl); |
2415 | } |
2416 | #endif |
2417 | |
2418 | static int proc_claim_port(struct usb_dev_state *ps, void __user *arg) |
2419 | { |
2420 | unsigned portnum; |
2421 | int rc; |
2422 | |
2423 | if (get_user(portnum, (unsigned __user *) arg)) |
2424 | return -EFAULT; |
2425 | rc = usb_hub_claim_port(hdev: ps->dev, port1: portnum, owner: ps); |
2426 | if (rc == 0) |
2427 | snoop(&ps->dev->dev, "port %d claimed by process %d: %s\n" , |
2428 | portnum, task_pid_nr(current), current->comm); |
2429 | return rc; |
2430 | } |
2431 | |
2432 | static int proc_release_port(struct usb_dev_state *ps, void __user *arg) |
2433 | { |
2434 | unsigned portnum; |
2435 | |
2436 | if (get_user(portnum, (unsigned __user *) arg)) |
2437 | return -EFAULT; |
2438 | return usb_hub_release_port(hdev: ps->dev, port1: portnum, owner: ps); |
2439 | } |
2440 | |
2441 | static int proc_get_capabilities(struct usb_dev_state *ps, void __user *arg) |
2442 | { |
2443 | __u32 caps; |
2444 | |
2445 | caps = USBDEVFS_CAP_ZERO_PACKET | USBDEVFS_CAP_NO_PACKET_SIZE_LIM | |
2446 | USBDEVFS_CAP_REAP_AFTER_DISCONNECT | USBDEVFS_CAP_MMAP | |
2447 | USBDEVFS_CAP_DROP_PRIVILEGES | |
2448 | USBDEVFS_CAP_CONNINFO_EX | MAYBE_CAP_SUSPEND; |
2449 | if (!ps->dev->bus->no_stop_on_short) |
2450 | caps |= USBDEVFS_CAP_BULK_CONTINUATION; |
2451 | if (ps->dev->bus->sg_tablesize) |
2452 | caps |= USBDEVFS_CAP_BULK_SCATTER_GATHER; |
2453 | |
2454 | if (put_user(caps, (__u32 __user *)arg)) |
2455 | return -EFAULT; |
2456 | |
2457 | return 0; |
2458 | } |
2459 | |
2460 | static int proc_disconnect_claim(struct usb_dev_state *ps, void __user *arg) |
2461 | { |
2462 | struct usbdevfs_disconnect_claim dc; |
2463 | struct usb_interface *intf; |
2464 | |
2465 | if (copy_from_user(to: &dc, from: arg, n: sizeof(dc))) |
2466 | return -EFAULT; |
2467 | |
2468 | intf = usb_ifnum_to_if(dev: ps->dev, ifnum: dc.interface); |
2469 | if (!intf) |
2470 | return -EINVAL; |
2471 | |
2472 | if (intf->dev.driver) { |
2473 | struct usb_driver *driver = to_usb_driver(intf->dev.driver); |
2474 | |
2475 | if (ps->privileges_dropped) |
2476 | return -EACCES; |
2477 | |
2478 | if ((dc.flags & USBDEVFS_DISCONNECT_CLAIM_IF_DRIVER) && |
2479 | strncmp(dc.driver, intf->dev.driver->name, |
2480 | sizeof(dc.driver)) != 0) |
2481 | return -EBUSY; |
2482 | |
2483 | if ((dc.flags & USBDEVFS_DISCONNECT_CLAIM_EXCEPT_DRIVER) && |
2484 | strncmp(dc.driver, intf->dev.driver->name, |
2485 | sizeof(dc.driver)) == 0) |
2486 | return -EBUSY; |
2487 | |
2488 | dev_dbg(&intf->dev, "disconnect by usbfs\n" ); |
2489 | usb_driver_release_interface(driver, iface: intf); |
2490 | } |
2491 | |
2492 | return claimintf(ps, ifnum: dc.interface); |
2493 | } |
2494 | |
2495 | static int proc_alloc_streams(struct usb_dev_state *ps, void __user *arg) |
2496 | { |
2497 | unsigned num_streams, num_eps; |
2498 | struct usb_host_endpoint **eps; |
2499 | struct usb_interface *intf; |
2500 | int r; |
2501 | |
2502 | r = parse_usbdevfs_streams(ps, streams: arg, num_streams_ret: &num_streams, num_eps_ret: &num_eps, |
2503 | eps_ret: &eps, intf_ret: &intf); |
2504 | if (r) |
2505 | return r; |
2506 | |
2507 | destroy_async_on_interface(ps, |
2508 | ifnum: intf->altsetting[0].desc.bInterfaceNumber); |
2509 | |
2510 | r = usb_alloc_streams(interface: intf, eps, num_eps, num_streams, GFP_KERNEL); |
2511 | kfree(objp: eps); |
2512 | return r; |
2513 | } |
2514 | |
2515 | static int proc_free_streams(struct usb_dev_state *ps, void __user *arg) |
2516 | { |
2517 | unsigned num_eps; |
2518 | struct usb_host_endpoint **eps; |
2519 | struct usb_interface *intf; |
2520 | int r; |
2521 | |
2522 | r = parse_usbdevfs_streams(ps, streams: arg, NULL, num_eps_ret: &num_eps, eps_ret: &eps, intf_ret: &intf); |
2523 | if (r) |
2524 | return r; |
2525 | |
2526 | destroy_async_on_interface(ps, |
2527 | ifnum: intf->altsetting[0].desc.bInterfaceNumber); |
2528 | |
2529 | r = usb_free_streams(interface: intf, eps, num_eps, GFP_KERNEL); |
2530 | kfree(objp: eps); |
2531 | return r; |
2532 | } |
2533 | |
2534 | static int proc_drop_privileges(struct usb_dev_state *ps, void __user *arg) |
2535 | { |
2536 | u32 data; |
2537 | |
2538 | if (copy_from_user(to: &data, from: arg, n: sizeof(data))) |
2539 | return -EFAULT; |
2540 | |
2541 | /* This is a one way operation. Once privileges are |
2542 | * dropped, you cannot regain them. You may however reissue |
2543 | * this ioctl to shrink the allowed interfaces mask. |
2544 | */ |
2545 | ps->interface_allowed_mask &= data; |
2546 | ps->privileges_dropped = true; |
2547 | |
2548 | return 0; |
2549 | } |
2550 | |
2551 | static int proc_forbid_suspend(struct usb_dev_state *ps) |
2552 | { |
2553 | int ret = 0; |
2554 | |
2555 | if (ps->suspend_allowed) { |
2556 | ret = usb_autoresume_device(udev: ps->dev); |
2557 | if (ret == 0) |
2558 | ps->suspend_allowed = false; |
2559 | else if (ret != -ENODEV) |
2560 | ret = -EIO; |
2561 | } |
2562 | return ret; |
2563 | } |
2564 | |
2565 | static int proc_allow_suspend(struct usb_dev_state *ps) |
2566 | { |
2567 | if (!connected(ps)) |
2568 | return -ENODEV; |
2569 | |
2570 | WRITE_ONCE(ps->not_yet_resumed, 1); |
2571 | if (!ps->suspend_allowed) { |
2572 | usb_autosuspend_device(udev: ps->dev); |
2573 | ps->suspend_allowed = true; |
2574 | } |
2575 | return 0; |
2576 | } |
2577 | |
2578 | static int proc_wait_for_resume(struct usb_dev_state *ps) |
2579 | { |
2580 | int ret; |
2581 | |
2582 | usb_unlock_device(ps->dev); |
2583 | ret = wait_event_interruptible(ps->wait_for_resume, |
2584 | READ_ONCE(ps->not_yet_resumed) == 0); |
2585 | usb_lock_device(ps->dev); |
2586 | |
2587 | if (ret != 0) |
2588 | return -EINTR; |
2589 | return proc_forbid_suspend(ps); |
2590 | } |
2591 | |
2592 | /* |
2593 | * NOTE: All requests here that have interface numbers as parameters |
2594 | * are assuming that somehow the configuration has been prevented from |
2595 | * changing. But there's no mechanism to ensure that... |
2596 | */ |
2597 | static long usbdev_do_ioctl(struct file *file, unsigned int cmd, |
2598 | void __user *p) |
2599 | { |
2600 | struct usb_dev_state *ps = file->private_data; |
2601 | struct inode *inode = file_inode(f: file); |
2602 | struct usb_device *dev = ps->dev; |
2603 | int ret = -ENOTTY; |
2604 | |
2605 | if (!(file->f_mode & FMODE_WRITE)) |
2606 | return -EPERM; |
2607 | |
2608 | usb_lock_device(dev); |
2609 | |
2610 | /* Reap operations are allowed even after disconnection */ |
2611 | switch (cmd) { |
2612 | case USBDEVFS_REAPURB: |
2613 | snoop(&dev->dev, "%s: REAPURB\n" , __func__); |
2614 | ret = proc_reapurb(ps, arg: p); |
2615 | goto done; |
2616 | |
2617 | case USBDEVFS_REAPURBNDELAY: |
2618 | snoop(&dev->dev, "%s: REAPURBNDELAY\n" , __func__); |
2619 | ret = proc_reapurbnonblock(ps, arg: p); |
2620 | goto done; |
2621 | |
2622 | #ifdef CONFIG_COMPAT |
2623 | case USBDEVFS_REAPURB32: |
2624 | snoop(&dev->dev, "%s: REAPURB32\n" , __func__); |
2625 | ret = proc_reapurb_compat(ps, arg: p); |
2626 | goto done; |
2627 | |
2628 | case USBDEVFS_REAPURBNDELAY32: |
2629 | snoop(&dev->dev, "%s: REAPURBNDELAY32\n" , __func__); |
2630 | ret = proc_reapurbnonblock_compat(ps, arg: p); |
2631 | goto done; |
2632 | #endif |
2633 | } |
2634 | |
2635 | if (!connected(ps)) { |
2636 | usb_unlock_device(dev); |
2637 | return -ENODEV; |
2638 | } |
2639 | |
2640 | switch (cmd) { |
2641 | case USBDEVFS_CONTROL: |
2642 | snoop(&dev->dev, "%s: CONTROL\n" , __func__); |
2643 | ret = proc_control(ps, arg: p); |
2644 | if (ret >= 0) |
2645 | inode_set_mtime_to_ts(inode, |
2646 | ts: inode_set_ctime_current(inode)); |
2647 | break; |
2648 | |
2649 | case USBDEVFS_BULK: |
2650 | snoop(&dev->dev, "%s: BULK\n" , __func__); |
2651 | ret = proc_bulk(ps, arg: p); |
2652 | if (ret >= 0) |
2653 | inode_set_mtime_to_ts(inode, |
2654 | ts: inode_set_ctime_current(inode)); |
2655 | break; |
2656 | |
2657 | case USBDEVFS_RESETEP: |
2658 | snoop(&dev->dev, "%s: RESETEP\n" , __func__); |
2659 | ret = proc_resetep(ps, arg: p); |
2660 | if (ret >= 0) |
2661 | inode_set_mtime_to_ts(inode, |
2662 | ts: inode_set_ctime_current(inode)); |
2663 | break; |
2664 | |
2665 | case USBDEVFS_RESET: |
2666 | snoop(&dev->dev, "%s: RESET\n" , __func__); |
2667 | ret = proc_resetdevice(ps); |
2668 | break; |
2669 | |
2670 | case USBDEVFS_CLEAR_HALT: |
2671 | snoop(&dev->dev, "%s: CLEAR_HALT\n" , __func__); |
2672 | ret = proc_clearhalt(ps, arg: p); |
2673 | if (ret >= 0) |
2674 | inode_set_mtime_to_ts(inode, |
2675 | ts: inode_set_ctime_current(inode)); |
2676 | break; |
2677 | |
2678 | case USBDEVFS_GETDRIVER: |
2679 | snoop(&dev->dev, "%s: GETDRIVER\n" , __func__); |
2680 | ret = proc_getdriver(ps, arg: p); |
2681 | break; |
2682 | |
2683 | case USBDEVFS_CONNECTINFO: |
2684 | snoop(&dev->dev, "%s: CONNECTINFO\n" , __func__); |
2685 | ret = proc_connectinfo(ps, arg: p); |
2686 | break; |
2687 | |
2688 | case USBDEVFS_SETINTERFACE: |
2689 | snoop(&dev->dev, "%s: SETINTERFACE\n" , __func__); |
2690 | ret = proc_setintf(ps, arg: p); |
2691 | break; |
2692 | |
2693 | case USBDEVFS_SETCONFIGURATION: |
2694 | snoop(&dev->dev, "%s: SETCONFIGURATION\n" , __func__); |
2695 | ret = proc_setconfig(ps, arg: p); |
2696 | break; |
2697 | |
2698 | case USBDEVFS_SUBMITURB: |
2699 | snoop(&dev->dev, "%s: SUBMITURB\n" , __func__); |
2700 | ret = proc_submiturb(ps, arg: p); |
2701 | if (ret >= 0) |
2702 | inode_set_mtime_to_ts(inode, |
2703 | ts: inode_set_ctime_current(inode)); |
2704 | break; |
2705 | |
2706 | #ifdef CONFIG_COMPAT |
2707 | case USBDEVFS_CONTROL32: |
2708 | snoop(&dev->dev, "%s: CONTROL32\n" , __func__); |
2709 | ret = proc_control_compat(ps, p32: p); |
2710 | if (ret >= 0) |
2711 | inode_set_mtime_to_ts(inode, |
2712 | ts: inode_set_ctime_current(inode)); |
2713 | break; |
2714 | |
2715 | case USBDEVFS_BULK32: |
2716 | snoop(&dev->dev, "%s: BULK32\n" , __func__); |
2717 | ret = proc_bulk_compat(ps, p32: p); |
2718 | if (ret >= 0) |
2719 | inode_set_mtime_to_ts(inode, |
2720 | ts: inode_set_ctime_current(inode)); |
2721 | break; |
2722 | |
2723 | case USBDEVFS_DISCSIGNAL32: |
2724 | snoop(&dev->dev, "%s: DISCSIGNAL32\n" , __func__); |
2725 | ret = proc_disconnectsignal_compat(ps, arg: p); |
2726 | break; |
2727 | |
2728 | case USBDEVFS_SUBMITURB32: |
2729 | snoop(&dev->dev, "%s: SUBMITURB32\n" , __func__); |
2730 | ret = proc_submiturb_compat(ps, arg: p); |
2731 | if (ret >= 0) |
2732 | inode_set_mtime_to_ts(inode, |
2733 | ts: inode_set_ctime_current(inode)); |
2734 | break; |
2735 | |
2736 | case USBDEVFS_IOCTL32: |
2737 | snoop(&dev->dev, "%s: IOCTL32\n" , __func__); |
2738 | ret = proc_ioctl_compat(ps, arg: ptr_to_compat(uptr: p)); |
2739 | break; |
2740 | #endif |
2741 | |
2742 | case USBDEVFS_DISCARDURB: |
2743 | snoop(&dev->dev, "%s: DISCARDURB %px\n" , __func__, p); |
2744 | ret = proc_unlinkurb(ps, arg: p); |
2745 | break; |
2746 | |
2747 | case USBDEVFS_DISCSIGNAL: |
2748 | snoop(&dev->dev, "%s: DISCSIGNAL\n" , __func__); |
2749 | ret = proc_disconnectsignal(ps, arg: p); |
2750 | break; |
2751 | |
2752 | case USBDEVFS_CLAIMINTERFACE: |
2753 | snoop(&dev->dev, "%s: CLAIMINTERFACE\n" , __func__); |
2754 | ret = proc_claiminterface(ps, arg: p); |
2755 | break; |
2756 | |
2757 | case USBDEVFS_RELEASEINTERFACE: |
2758 | snoop(&dev->dev, "%s: RELEASEINTERFACE\n" , __func__); |
2759 | ret = proc_releaseinterface(ps, arg: p); |
2760 | break; |
2761 | |
2762 | case USBDEVFS_IOCTL: |
2763 | snoop(&dev->dev, "%s: IOCTL\n" , __func__); |
2764 | ret = proc_ioctl_default(ps, arg: p); |
2765 | break; |
2766 | |
2767 | case USBDEVFS_CLAIM_PORT: |
2768 | snoop(&dev->dev, "%s: CLAIM_PORT\n" , __func__); |
2769 | ret = proc_claim_port(ps, arg: p); |
2770 | break; |
2771 | |
2772 | case USBDEVFS_RELEASE_PORT: |
2773 | snoop(&dev->dev, "%s: RELEASE_PORT\n" , __func__); |
2774 | ret = proc_release_port(ps, arg: p); |
2775 | break; |
2776 | case USBDEVFS_GET_CAPABILITIES: |
2777 | ret = proc_get_capabilities(ps, arg: p); |
2778 | break; |
2779 | case USBDEVFS_DISCONNECT_CLAIM: |
2780 | ret = proc_disconnect_claim(ps, arg: p); |
2781 | break; |
2782 | case USBDEVFS_ALLOC_STREAMS: |
2783 | ret = proc_alloc_streams(ps, arg: p); |
2784 | break; |
2785 | case USBDEVFS_FREE_STREAMS: |
2786 | ret = proc_free_streams(ps, arg: p); |
2787 | break; |
2788 | case USBDEVFS_DROP_PRIVILEGES: |
2789 | ret = proc_drop_privileges(ps, arg: p); |
2790 | break; |
2791 | case USBDEVFS_GET_SPEED: |
2792 | ret = ps->dev->speed; |
2793 | break; |
2794 | case USBDEVFS_FORBID_SUSPEND: |
2795 | ret = proc_forbid_suspend(ps); |
2796 | break; |
2797 | case USBDEVFS_ALLOW_SUSPEND: |
2798 | ret = proc_allow_suspend(ps); |
2799 | break; |
2800 | case USBDEVFS_WAIT_FOR_RESUME: |
2801 | ret = proc_wait_for_resume(ps); |
2802 | break; |
2803 | } |
2804 | |
2805 | /* Handle variable-length commands */ |
2806 | switch (cmd & ~IOCSIZE_MASK) { |
2807 | case USBDEVFS_CONNINFO_EX(0): |
2808 | ret = proc_conninfo_ex(ps, arg: p, _IOC_SIZE(cmd)); |
2809 | break; |
2810 | } |
2811 | |
2812 | done: |
2813 | usb_unlock_device(dev); |
2814 | if (ret >= 0) |
2815 | inode_set_atime_to_ts(inode, ts: current_time(inode)); |
2816 | return ret; |
2817 | } |
2818 | |
2819 | static long usbdev_ioctl(struct file *file, unsigned int cmd, |
2820 | unsigned long arg) |
2821 | { |
2822 | int ret; |
2823 | |
2824 | ret = usbdev_do_ioctl(file, cmd, p: (void __user *)arg); |
2825 | |
2826 | return ret; |
2827 | } |
2828 | |
2829 | /* No kernel lock - fine */ |
2830 | static __poll_t usbdev_poll(struct file *file, |
2831 | struct poll_table_struct *wait) |
2832 | { |
2833 | struct usb_dev_state *ps = file->private_data; |
2834 | __poll_t mask = 0; |
2835 | |
2836 | poll_wait(filp: file, wait_address: &ps->wait, p: wait); |
2837 | if (file->f_mode & FMODE_WRITE && !list_empty(head: &ps->async_completed)) |
2838 | mask |= EPOLLOUT | EPOLLWRNORM; |
2839 | if (!connected(ps)) |
2840 | mask |= EPOLLHUP; |
2841 | if (list_empty(head: &ps->list)) |
2842 | mask |= EPOLLERR; |
2843 | return mask; |
2844 | } |
2845 | |
2846 | const struct file_operations usbdev_file_operations = { |
2847 | .owner = THIS_MODULE, |
2848 | .llseek = no_seek_end_llseek, |
2849 | .read = usbdev_read, |
2850 | .poll = usbdev_poll, |
2851 | .unlocked_ioctl = usbdev_ioctl, |
2852 | .compat_ioctl = compat_ptr_ioctl, |
2853 | .mmap = usbdev_mmap, |
2854 | .open = usbdev_open, |
2855 | .release = usbdev_release, |
2856 | }; |
2857 | |
2858 | static void usbdev_remove(struct usb_device *udev) |
2859 | { |
2860 | struct usb_dev_state *ps; |
2861 | |
2862 | /* Protect against simultaneous resume */ |
2863 | mutex_lock(&usbfs_mutex); |
2864 | while (!list_empty(head: &udev->filelist)) { |
2865 | ps = list_entry(udev->filelist.next, struct usb_dev_state, list); |
2866 | destroy_all_async(ps); |
2867 | wake_up_all(&ps->wait); |
2868 | WRITE_ONCE(ps->not_yet_resumed, 0); |
2869 | wake_up_all(&ps->wait_for_resume); |
2870 | list_del_init(entry: &ps->list); |
2871 | if (ps->discsignr) |
2872 | kill_pid_usb_asyncio(sig: ps->discsignr, EPIPE, addr: ps->disccontext, |
2873 | ps->disc_pid, ps->cred); |
2874 | } |
2875 | mutex_unlock(lock: &usbfs_mutex); |
2876 | } |
2877 | |
2878 | static int usbdev_notify(struct notifier_block *self, |
2879 | unsigned long action, void *dev) |
2880 | { |
2881 | switch (action) { |
2882 | case USB_DEVICE_ADD: |
2883 | break; |
2884 | case USB_DEVICE_REMOVE: |
2885 | usbdev_remove(udev: dev); |
2886 | break; |
2887 | } |
2888 | return NOTIFY_OK; |
2889 | } |
2890 | |
2891 | static struct notifier_block usbdev_nb = { |
2892 | .notifier_call = usbdev_notify, |
2893 | }; |
2894 | |
2895 | static struct cdev usb_device_cdev; |
2896 | |
2897 | int __init usb_devio_init(void) |
2898 | { |
2899 | int retval; |
2900 | |
2901 | retval = register_chrdev_region(USB_DEVICE_DEV, USB_DEVICE_MAX, |
2902 | "usb_device" ); |
2903 | if (retval) { |
2904 | printk(KERN_ERR "Unable to register minors for usb_device\n" ); |
2905 | goto out; |
2906 | } |
2907 | cdev_init(&usb_device_cdev, &usbdev_file_operations); |
2908 | retval = cdev_add(&usb_device_cdev, USB_DEVICE_DEV, USB_DEVICE_MAX); |
2909 | if (retval) { |
2910 | printk(KERN_ERR "Unable to get usb_device major %d\n" , |
2911 | USB_DEVICE_MAJOR); |
2912 | goto error_cdev; |
2913 | } |
2914 | usb_register_notify(nb: &usbdev_nb); |
2915 | out: |
2916 | return retval; |
2917 | |
2918 | error_cdev: |
2919 | unregister_chrdev_region(USB_DEVICE_DEV, USB_DEVICE_MAX); |
2920 | goto out; |
2921 | } |
2922 | |
2923 | void usb_devio_cleanup(void) |
2924 | { |
2925 | usb_unregister_notify(nb: &usbdev_nb); |
2926 | cdev_del(&usb_device_cdev); |
2927 | unregister_chrdev_region(USB_DEVICE_DEV, USB_DEVICE_MAX); |
2928 | } |
2929 | |