drivers/usb/core/devio.c

   1 // SPDX-License-Identifier: GPL-2.0+
   2 /*****************************************************************************/
   3
   4 /*
   5  *      devio.c  --  User space communication with USB devices.
   6  *
   7  *      Copyright (C) 1999-2000  Thomas Sailer (sailer@ife.ee.ethz.ch)
   8  *
   9  *  This file implements the usbfs/x/y files, where
  10  *  x is the bus number and y the device number.
  11  *
  12  *  It allows user space programs/"drivers" to communicate directly
  13  *  with USB devices without intervening kernel driver.
  14  *
  15  *  Revision history
  16  *    22.12.1999   0.1   Initial release (split from proc_usb.c)
  17  *    04.01.2000   0.2   Turned into its own filesystem
  18  *    30.09.2005   0.3   Fix user-triggerable oops in async URB delivery
  19  *                       (CAN-2005-3055)
  20  */
  21
  22 /*****************************************************************************/
  23
  24 #include <linux/fs.h>
  25 #include <linux/mm.h>
  26 #include <linux/sched/signal.h>
  27 #include <linux/slab.h>
  28 #include <linux/signal.h>
  29 #include <linux/poll.h>
  30 #include <linux/module.h>
  31 #include <linux/string.h>
  32 #include <linux/usb.h>
  33 #include <linux/usbdevice_fs.h>
  34 #include <linux/usb/hcd.h>      /* for usbcore internals */
  35 #include <linux/cdev.h>
  36 #include <linux/notifier.h>
  37 #include <linux/security.h>
  38 #include <linux/user_namespace.h>
  39 #include <linux/scatterlist.h>
  40 #include <linux/uaccess.h>
  41 #include <linux/dma-mapping.h>
  42 #include <asm/byteorder.h>
  43 #include <linux/moduleparam.h>
  44
  45 #include "usb.h"
  46
  47 #define USB_MAXBUS                      64
  48 #define USB_DEVICE_MAX                  (USB_MAXBUS * 128)
  49 #define USB_SG_SIZE                     16384 /* split-size for large txs */
  50
  51 struct usb_dev_state {
  52         struct list_head list;      /* state list */
  53         struct usb_device *dev;
  54         struct file *file;
  55         spinlock_t lock;            /* protects the async urb lists */
  56         struct list_head async_pending;
  57         struct list_head async_completed;
  58         struct list_head memory_list;
  59         wait_queue_head_t wait;     /* wake up if a request completed */
  60         unsigned int discsignr;
  61         struct pid *disc_pid;
  62         const struct cred *cred;
  63         sigval_t disccontext;
  64         unsigned long ifclaimed;
  65         u32 disabled_bulk_eps;
  66         bool privileges_dropped;
  67         unsigned long interface_allowed_mask;
  68 };
  69
  70 struct usb_memory {
  71         struct list_head memlist;
  72         int vma_use_count;
  73         int urb_use_count;
  74         u32 size;
  75         void *mem;
  76         dma_addr_t dma_handle;
  77         unsigned long vm_start;
  78         struct usb_dev_state *ps;
  79 };
  80
  81 struct async {
  82         struct list_head asynclist;
  83         struct usb_dev_state *ps;
  84         struct pid *pid;
  85         const struct cred *cred;
  86         unsigned int signr;
  87         unsigned int ifnum;
  88         void __user *userbuffer;
  89         void __user *userurb;
  90         sigval_t userurb_sigval;
  91         struct urb *urb;
  92         struct usb_memory *usbm;
  93         unsigned int mem_usage;
  94         int status;
  95         u8 bulk_addr;
  96         u8 bulk_status;
  97 };
  98
  99 static bool usbfs_snoop;
 100 module_param(usbfs_snoop, bool, S_IRUGO | S_IWUSR);
 101 MODULE_PARM_DESC(usbfs_snoop, "true to log all usbfs traffic");
 102
 103 static unsigned usbfs_snoop_max = 65536;
 104 module_param(usbfs_snoop_max, uint, S_IRUGO | S_IWUSR);
 105 MODULE_PARM_DESC(usbfs_snoop_max,
 106                 "maximum number of bytes to print while snooping");
 107
 108 #define snoop(dev, format, arg...)                              \
 109         do {                                                    \
 110                 if (usbfs_snoop)                                \
 111                         dev_info(dev, format, ## arg);          \
 112         } while (0)
 113
 114 enum snoop_when {
 115         SUBMIT, COMPLETE
 116 };
 117
 118 #define USB_DEVICE_DEV          MKDEV(USB_DEVICE_MAJOR, 0)
 119
 120 /* Limit on the total amount of memory we can allocate for transfers */
 121 static u32 usbfs_memory_mb = 16;
 122 module_param(usbfs_memory_mb, uint, 0644);
 123 MODULE_PARM_DESC(usbfs_memory_mb,
 124                 "maximum MB allowed for usbfs buffers (0 = no limit)");
 125
 126 /* Hard limit, necessary to avoid arithmetic overflow */
 127 #define USBFS_XFER_MAX         (UINT_MAX / 2 - 1000000)
 128
 129 static atomic64_t usbfs_memory_usage;   /* Total memory currently allocated */
 130
 131 /* Check whether it's okay to allocate more memory for a transfer */
 132 static int usbfs_increase_memory_usage(u64 amount)
 133 {
 134         u64 lim;
 135
 136         lim = READ_ONCE(usbfs_memory_mb);
 137         lim <<= 20;
 138
 139         atomic64_add(amount, &usbfs_memory_usage);
 140
 141         if (lim > 0 && atomic64_read(&usbfs_memory_usage) > lim) {
 142                 atomic64_sub(amount, &usbfs_memory_usage);
 143                 return -ENOMEM;
 144         }
 145
 146         return 0;
 147 }
 148
 149 /* Memory for a transfer is being deallocated */
 150 static void usbfs_decrease_memory_usage(u64 amount)
 151 {
 152         atomic64_sub(amount, &usbfs_memory_usage);
 153 }
 154
 155 static int connected(struct usb_dev_state *ps)
 156 {
 157         return (!list_empty(&ps->list) &&
 158                         ps->dev->state != USB_STATE_NOTATTACHED);
 159 }
 160
 161 static void dec_usb_memory_use_count(struct usb_memory *usbm, int *count)
 162 {
 163         struct usb_dev_state *ps = usbm->ps;
 164         unsigned long flags;
 165
 166         spin_lock_irqsave(&ps->lock, flags);
 167         --*count;
 168         if (usbm->urb_use_count == 0 && usbm->vma_use_count == 0) {
 169                 list_del(&usbm->memlist);
 170                 spin_unlock_irqrestore(&ps->lock, flags);
 171
 172                 usb_free_coherent(ps->dev, usbm->size, usbm->mem,
 173                                 usbm->dma_handle);
 174                 usbfs_decrease_memory_usage(
 175                         usbm->size + sizeof(struct usb_memory));
 176                 kfree(usbm);
 177         } else {
 178                 spin_unlock_irqrestore(&ps->lock, flags);
 179         }
 180 }
 181
 182 static void usbdev_vm_open(struct vm_area_struct *vma)
 183 {
 184         struct usb_memory *usbm = vma->vm_private_data;
 185         unsigned long flags;
 186
 187         spin_lock_irqsave(&usbm->ps->lock, flags);
 188         ++usbm->vma_use_count;
 189         spin_unlock_irqrestore(&usbm->ps->lock, flags);
 190 }
 191
 192 static void usbdev_vm_close(struct vm_area_struct *vma)
 193 {
 194         struct usb_memory *usbm = vma->vm_private_data;
 195
 196         dec_usb_memory_use_count(usbm, &usbm->vma_use_count);
 197 }
 198
 199 static const struct vm_operations_struct usbdev_vm_ops = {
 200         .open = usbdev_vm_open,
 201         .close = usbdev_vm_close
 202 };
 203
 204 static int usbdev_mmap(struct file *file, struct vm_area_struct *vma)
 205 {
 206         struct usb_memory *usbm = NULL;
 207         struct usb_dev_state *ps = file->private_data;
 208         size_t size = vma->vm_end - vma->vm_start;
 209         void *mem;
 210         unsigned long flags;
 211         dma_addr_t dma_handle;
 212         int ret;
 213
 214         ret = usbfs_increase_memory_usage(size + sizeof(struct usb_memory));
 215         if (ret)
 216                 goto error;
 217
 218         usbm = kzalloc(sizeof(struct usb_memory), GFP_KERNEL);
 219         if (!usbm) {
 220                 ret = -ENOMEM;
 221                 goto error_decrease_mem;
 222         }
 223
 224         mem = usb_alloc_coherent(ps->dev, size, GFP_USER | __GFP_NOWARN,
 225                         &dma_handle);
 226         if (!mem) {
 227                 ret = -ENOMEM;
 228                 goto error_free_usbm;
 229         }
 230
 231         memset(mem, 0, size);
 232
 233         usbm->mem = mem;
 234         usbm->dma_handle = dma_handle;
 235         usbm->size = size;
 236         usbm->ps = ps;
 237         usbm->vm_start = vma->vm_start;
 238         usbm->vma_use_count = 1;
 239         INIT_LIST_HEAD(&usbm->memlist);
 240
 241         if (remap_pfn_range(vma, vma->vm_start,
 242                         virt_to_phys(usbm->mem) >> PAGE_SHIFT,
 243                         size, vma->vm_page_prot) < 0) {
 244                 dec_usb_memory_use_count(usbm, &usbm->vma_use_count);
 245                 return -EAGAIN;
 246         }
 247
 248         vma->vm_flags |= VM_IO;
 249         vma->vm_flags |= (VM_DONTEXPAND | VM_DONTDUMP);
 250         vma->vm_ops = &usbdev_vm_ops;
 251         vma->vm_private_data = usbm;
 252
 253         spin_lock_irqsave(&ps->lock, flags);
 254         list_add_tail(&usbm->memlist, &ps->memory_list);
 255         spin_unlock_irqrestore(&ps->lock, flags);
 256
 257         return 0;
 258
 259 error_free_usbm:
 260         kfree(usbm);
 261 error_decrease_mem:
 262         usbfs_decrease_memory_usage(size + sizeof(struct usb_memory));
 263 error:
 264         return ret;
 265 }
 266
 267 static ssize_t usbdev_read(struct file *file, char __user *buf, size_t nbytes,
 268                            loff_t *ppos)
 269 {
 270         struct usb_dev_state *ps = file->private_data;
 271         struct usb_device *dev = ps->dev;
 272         ssize_t ret = 0;
 273         unsigned len;
 274         loff_t pos;
 275         int i;
 276
 277         pos = *ppos;
 278         usb_lock_device(dev);
 279         if (!connected(ps)) {
 280                 ret = -ENODEV;
 281                 goto err;
 282         } else if (pos < 0) {
 283                 ret = -EINVAL;
 284                 goto err;
 285         }
 286
 287         if (pos < sizeof(struct usb_device_descriptor)) {
 288                 /* 18 bytes - fits on the stack */
 289                 struct usb_device_descriptor temp_desc;
 290
 291                 memcpy(&temp_desc, &dev->descriptor, sizeof(dev->descriptor));
 292                 le16_to_cpus(&temp_desc.bcdUSB);
 293                 le16_to_cpus(&temp_desc.idVendor);
 294                 le16_to_cpus(&temp_desc.idProduct);
 295                 le16_to_cpus(&temp_desc.bcdDevice);
 296
 297                 len = sizeof(struct usb_device_descriptor) - pos;
 298                 if (len > nbytes)
 299                         len = nbytes;
 300                 if (copy_to_user(buf, ((char *)&temp_desc) + pos, len)) {
 301                         ret = -EFAULT;
 302                         goto err;
 303                 }
 304
 305                 *ppos += len;
 306                 buf += len;
 307                 nbytes -= len;
 308                 ret += len;
 309         }
 310
 311         pos = sizeof(struct usb_device_descriptor);
 312         for (i = 0; nbytes && i < dev->descriptor.bNumConfigurations; i++) {
 313                 struct usb_config_descriptor *config =
 314                         (struct usb_config_descriptor *)dev->rawdescriptors[i];
 315                 unsigned int length = le16_to_cpu(config->wTotalLength);
 316
 317                 if (*ppos < pos + length) {
 318
 319                         /* The descriptor may claim to be longer than it
 320                          * really is.  Here is the actual allocated length. */
 321                         unsigned alloclen =
 322                                 le16_to_cpu(dev->config[i].desc.wTotalLength);
 323
 324                         len = length - (*ppos - pos);
 325                         if (len > nbytes)
 326                                 len = nbytes;
 327
 328                         /* Simply don't write (skip over) unallocated parts */
 329                         if (alloclen > (*ppos - pos)) {
 330                                 alloclen -= (*ppos - pos);
 331                                 if (copy_to_user(buf,
 332                                     dev->rawdescriptors[i] + (*ppos - pos),
 333                                     min(len, alloclen))) {
 334                                         ret = -EFAULT;
 335                                         goto err;
 336                                 }
 337                         }
 338
 339                         *ppos += len;
 340                         buf += len;
 341                         nbytes -= len;
 342                         ret += len;
 343                 }
 344
 345                 pos += length;
 346         }
 347
 348 err:
 349         usb_unlock_device(dev);
 350         return ret;
 351 }
 352
 353 /*
 354  * async list handling
 355  */
 356
 357 static struct async *alloc_async(unsigned int numisoframes)
 358 {
 359         struct async *as;
 360
 361         as = kzalloc(sizeof(struct async), GFP_KERNEL);
 362         if (!as)
 363                 return NULL;
 364         as->urb = usb_alloc_urb(numisoframes, GFP_KERNEL);
 365         if (!as->urb) {
 366                 kfree(as);
 367                 return NULL;
 368         }
 369         return as;
 370 }
 371
 372 static void free_async(struct async *as)
 373 {
 374         int i;
 375
 376         put_pid(as->pid);
 377         if (as->cred)
 378                 put_cred(as->cred);
 379         for (i = 0; i < as->urb->num_sgs; i++) {
 380                 if (sg_page(&as->urb->sg[i]))
 381                         kfree(sg_virt(&as->urb->sg[i]));
 382         }
 383
 384         kfree(as->urb->sg);
 385         if (as->usbm == NULL)
 386                 kfree(as->urb->transfer_buffer);
 387         else
 388                 dec_usb_memory_use_count(as->usbm, &as->usbm->urb_use_count);
 389
 390         kfree(as->urb->setup_packet);
 391         usb_free_urb(as->urb);
 392         usbfs_decrease_memory_usage(as->mem_usage);
 393         kfree(as);
 394 }
 395
 396 static void async_newpending(struct async *as)
 397 {
 398         struct usb_dev_state *ps = as->ps;
 399         unsigned long flags;
 400
 401         spin_lock_irqsave(&ps->lock, flags);
 402         list_add_tail(&as->asynclist, &ps->async_pending);
 403         spin_unlock_irqrestore(&ps->lock, flags);
 404 }
 405
 406 static void async_removepending(struct async *as)
 407 {
 408         struct usb_dev_state *ps = as->ps;
 409         unsigned long flags;
 410
 411         spin_lock_irqsave(&ps->lock, flags);
 412         list_del_init(&as->asynclist);
 413         spin_unlock_irqrestore(&ps->lock, flags);
 414 }
 415
 416 static struct async *async_getcompleted(struct usb_dev_state *ps)
 417 {
 418         unsigned long flags;
 419         struct async *as = NULL;
 420
 421         spin_lock_irqsave(&ps->lock, flags);
 422         if (!list_empty(&ps->async_completed)) {
 423                 as = list_entry(ps->async_completed.next, struct async,
 424                                 asynclist);
 425                 list_del_init(&as->asynclist);
 426         }
 427         spin_unlock_irqrestore(&ps->lock, flags);
 428         return as;
 429 }
 430
 431 static struct async *async_getpending(struct usb_dev_state *ps,
 432                                              void __user *userurb)
 433 {
 434         struct async *as;
 435
 436         list_for_each_entry(as, &ps->async_pending, asynclist)
 437                 if (as->userurb == userurb) {
 438                         list_del_init(&as->asynclist);
 439                         return as;
 440                 }
 441
 442         return NULL;
 443 }
 444
 445 static void snoop_urb(struct usb_device *udev,
 446                 void __user *userurb, int pipe, unsigned length,
 447                 int timeout_or_status, enum snoop_when when,
 448                 unsigned char *data, unsigned data_len)
 449 {
 450         static const char *types[] = {"isoc", "int", "ctrl", "bulk"};
 451         static const char *dirs[] = {"out", "in"};
 452         int ep;
 453         const char *t, *d;
 454
 455         if (!usbfs_snoop)
 456                 return;
 457
 458         ep = usb_pipeendpoint(pipe);
 459         t = types[usb_pipetype(pipe)];
 460         d = dirs[!!usb_pipein(pipe)];
 461
 462         if (userurb) {          /* Async */
 463                 if (when == SUBMIT)
 464                         dev_info(&udev->dev, "userurb %pK, ep%d %s-%s, "
 465                                         "length %u\n",
 466                                         userurb, ep, t, d, length);
 467                 else
 468                         dev_info(&udev->dev, "userurb %pK, ep%d %s-%s, "
 469                                         "actual_length %u status %d\n",
 470                                         userurb, ep, t, d, length,
 471                                         timeout_or_status);
 472         } else {
 473                 if (when == SUBMIT)
 474                         dev_info(&udev->dev, "ep%d %s-%s, length %u, "
 475                                         "timeout %d\n",
 476                                         ep, t, d, length, timeout_or_status);
 477                 else
 478                         dev_info(&udev->dev, "ep%d %s-%s, actual_length %u, "
 479                                         "status %d\n",
 480                                         ep, t, d, length, timeout_or_status);
 481         }
 482
 483         data_len = min(data_len, usbfs_snoop_max);
 484         if (data && data_len > 0) {
 485                 print_hex_dump(KERN_DEBUG, "data: ", DUMP_PREFIX_NONE, 32, 1,
 486                         data, data_len, 1);
 487         }
 488 }
 489
 490 static void snoop_urb_data(struct urb *urb, unsigned len)
 491 {
 492         int i, size;
 493
 494         len = min(len, usbfs_snoop_max);
 495         if (!usbfs_snoop || len == 0)
 496                 return;
 497
 498         if (urb->num_sgs == 0) {
 499                 print_hex_dump(KERN_DEBUG, "data: ", DUMP_PREFIX_NONE, 32, 1,
 500                         urb->transfer_buffer, len, 1);
 501                 return;
 502         }
 503
 504         for (i = 0; i < urb->num_sgs && len; i++) {
 505                 size = (len > USB_SG_SIZE) ? USB_SG_SIZE : len;
 506                 print_hex_dump(KERN_DEBUG, "data: ", DUMP_PREFIX_NONE, 32, 1,
 507                         sg_virt(&urb->sg[i]), size, 1);
 508                 len -= size;
 509         }
 510 }
 511
 512 static int copy_urb_data_to_user(u8 __user *userbuffer, struct urb *urb)
 513 {
 514         unsigned i, len, size;
 515
 516         if (urb->number_of_packets > 0)         /* Isochronous */
 517                 len = urb->transfer_buffer_length;
 518         else                                    /* Non-Isoc */
 519                 len = urb->actual_length;
 520
 521         if (urb->num_sgs == 0) {
 522                 if (copy_to_user(userbuffer, urb->transfer_buffer, len))
 523                         return -EFAULT;
 524                 return 0;
 525         }
 526
 527         for (i = 0; i < urb->num_sgs && len; i++) {
 528                 size = (len > USB_SG_SIZE) ? USB_SG_SIZE : len;
 529                 if (copy_to_user(userbuffer, sg_virt(&urb->sg[i]), size))
 530                         return -EFAULT;
 531                 userbuffer += size;
 532                 len -= size;
 533         }
 534
 535         return 0;
 536 }
 537
 538 #define AS_CONTINUATION 1
 539 #define AS_UNLINK       2
 540
 541 static void cancel_bulk_urbs(struct usb_dev_state *ps, unsigned bulk_addr)
 542 __releases(ps->lock)
 543 __acquires(ps->lock)
 544 {
 545         struct urb *urb;
 546         struct async *as;
 547
 548         /* Mark all the pending URBs that match bulk_addr, up to but not
 549          * including the first one without AS_CONTINUATION.  If such an
 550          * URB is encountered then a new transfer has already started so
 551          * the endpoint doesn't need to be disabled; otherwise it does.
 552          */
 553         list_for_each_entry(as, &ps->async_pending, asynclist) {
 554                 if (as->bulk_addr == bulk_addr) {
 555                         if (as->bulk_status != AS_CONTINUATION)
 556                                 goto rescan;
 557                         as->bulk_status = AS_UNLINK;
 558                         as->bulk_addr = 0;
 559                 }
 560         }
 561         ps->disabled_bulk_eps |= (1 << bulk_addr);
 562
 563         /* Now carefully unlink all the marked pending URBs */
 564  rescan:
 565         list_for_each_entry(as, &ps->async_pending, asynclist) {
 566                 if (as->bulk_status == AS_UNLINK) {
 567                         as->bulk_status = 0;            /* Only once */
 568                         urb = as->urb;
 569                         usb_get_urb(urb);
 570                         spin_unlock(&ps->lock);         /* Allow completions */
 571                         usb_unlink_urb(urb);
 572                         usb_put_urb(urb);
 573                         spin_lock(&ps->lock);
 574                         goto rescan;
 575                 }
 576         }
 577 }
 578
 579 static void async_completed(struct urb *urb)
 580 {
 581         struct async *as = urb->context;
 582         struct usb_dev_state *ps = as->ps;
 583         struct pid *pid = NULL;
 584         const struct cred *cred = NULL;
 585         unsigned long flags;
 586         sigval_t addr;
 587         int signr, errno;
 588
 589         spin_lock_irqsave(&ps->lock, flags);
 590         list_move_tail(&as->asynclist, &ps->async_completed);
 591         as->status = urb->status;
 592         signr = as->signr;
 593         if (signr) {
 594                 errno = as->status;
 595                 addr = as->userurb_sigval;
 596                 pid = get_pid(as->pid);
 597                 cred = get_cred(as->cred);
 598         }
 599         snoop(&urb->dev->dev, "urb complete\n");
 600         snoop_urb(urb->dev, as->userurb, urb->pipe, urb->actual_length,
 601                         as->status, COMPLETE, NULL, 0);
 602         if (usb_urb_dir_in(urb))
 603                 snoop_urb_data(urb, urb->actual_length);
 604
 605         if (as->status < 0 && as->bulk_addr && as->status != -ECONNRESET &&
 606                         as->status != -ENOENT)
 607                 cancel_bulk_urbs(ps, as->bulk_addr);
 608
 609         wake_up(&ps->wait);
 610         spin_unlock_irqrestore(&ps->lock, flags);
 611
 612         if (signr) {
 613                 kill_pid_usb_asyncio(signr, errno, addr, pid, cred);
 614                 put_pid(pid);
 615                 put_cred(cred);
 616         }
 617 }
 618
 619 static void destroy_async(struct usb_dev_state *ps, struct list_head *list)
 620 {
 621         struct urb *urb;
 622         struct async *as;
 623         unsigned long flags;
 624
 625         spin_lock_irqsave(&ps->lock, flags);
 626         while (!list_empty(list)) {
 627                 as = list_entry(list->next, struct async, asynclist);
 628                 list_del_init(&as->asynclist);
 629                 urb = as->urb;
 630                 usb_get_urb(urb);
 631
 632                 /* drop the spinlock so the completion handler can run */
 633                 spin_unlock_irqrestore(&ps->lock, flags);
 634                 usb_kill_urb(urb);
 635                 usb_put_urb(urb);
 636                 spin_lock_irqsave(&ps->lock, flags);
 637         }
 638         spin_unlock_irqrestore(&ps->lock, flags);
 639 }
 640
 641 static void destroy_async_on_interface(struct usb_dev_state *ps,
 642                                        unsigned int ifnum)
 643 {
 644         struct list_head *p, *q, hitlist;
 645         unsigned long flags;
 646
 647         INIT_LIST_HEAD(&hitlist);
 648         spin_lock_irqsave(&ps->lock, flags);
 649         list_for_each_safe(p, q, &ps->async_pending)
 650                 if (ifnum == list_entry(p, struct async, asynclist)->ifnum)
 651                         list_move_tail(p, &hitlist);
 652         spin_unlock_irqrestore(&ps->lock, flags);
 653         destroy_async(ps, &hitlist);
 654 }
 655
 656 static void destroy_all_async(struct usb_dev_state *ps)
 657 {
 658         destroy_async(ps, &ps->async_pending);
 659 }
 660
 661 /*
 662  * interface claims are made only at the request of user level code,
 663  * which can also release them (explicitly or by closing files).
 664  * they're also undone when devices disconnect.
 665  */
 666
 667 static int driver_probe(struct usb_interface *intf,
 668                         const struct usb_device_id *id)
 669 {
 670         return -ENODEV;
 671 }
 672
 673 static void driver_disconnect(struct usb_interface *intf)
 674 {
 675         struct usb_dev_state *ps = usb_get_intfdata(intf);
 676         unsigned int ifnum = intf->altsetting->desc.bInterfaceNumber;
 677
 678         if (!ps)
 679                 return;
 680
 681         /* NOTE:  this relies on usbcore having canceled and completed
 682          * all pending I/O requests; 2.6 does that.
 683          */
 684
 685         if (likely(ifnum < 8*sizeof(ps->ifclaimed)))
 686                 clear_bit(ifnum, &ps->ifclaimed);
 687         else
 688                 dev_warn(&intf->dev, "interface number %u out of range\n",
 689                          ifnum);
 690
 691         usb_set_intfdata(intf, NULL);
 692
 693         /* force async requests to complete */
 694         destroy_async_on_interface(ps, ifnum);
 695 }
 696
 697 /* The following routines are merely placeholders.  There is no way
 698  * to inform a user task about suspend or resumes.
 699  */
 700 static int driver_suspend(struct usb_interface *intf, pm_message_t msg)
 701 {
 702         return 0;
 703 }
 704
 705 static int driver_resume(struct usb_interface *intf)
 706 {
 707         return 0;
 708 }
 709
 710 struct usb_driver usbfs_driver = {
 711         .name =         "usbfs",
 712         .probe =        driver_probe,
 713         .disconnect =   driver_disconnect,
 714         .suspend =      driver_suspend,
 715         .resume =       driver_resume,
 716 };
 717
 718 static int claimintf(struct usb_dev_state *ps, unsigned int ifnum)
 719 {
 720         struct usb_device *dev = ps->dev;
 721         struct usb_interface *intf;
 722         int err;
 723
 724         if (ifnum >= 8*sizeof(ps->ifclaimed))
 725                 return -EINVAL;
 726         /* already claimed */
 727         if (test_bit(ifnum, &ps->ifclaimed))
 728                 return 0;
 729
 730         if (ps->privileges_dropped &&
 731                         !test_bit(ifnum, &ps->interface_allowed_mask))
 732                 return -EACCES;
 733
 734         intf = usb_ifnum_to_if(dev, ifnum);
 735         if (!intf)
 736                 err = -ENOENT;
 737         else
 738                 err = usb_driver_claim_interface(&usbfs_driver, intf, ps);
 739         if (err == 0)
 740                 set_bit(ifnum, &ps->ifclaimed);
 741         return err;
 742 }
 743
 744 static int releaseintf(struct usb_dev_state *ps, unsigned int ifnum)
 745 {
 746         struct usb_device *dev;
 747         struct usb_interface *intf;
 748         int err;
 749
 750         err = -EINVAL;
 751         if (ifnum >= 8*sizeof(ps->ifclaimed))
 752                 return err;
 753         dev = ps->dev;
 754         intf = usb_ifnum_to_if(dev, ifnum);
 755         if (!intf)
 756                 err = -ENOENT;
 757         else if (test_and_clear_bit(ifnum, &ps->ifclaimed)) {
 758                 usb_driver_release_interface(&usbfs_driver, intf);
 759                 err = 0;
 760         }
 761         return err;
 762 }
 763
 764 static int checkintf(struct usb_dev_state *ps, unsigned int ifnum)
 765 {
 766         if (ps->dev->state != USB_STATE_CONFIGURED)
 767                 return -EHOSTUNREACH;
 768         if (ifnum >= 8*sizeof(ps->ifclaimed))
 769                 return -EINVAL;
 770         if (test_bit(ifnum, &ps->ifclaimed))
 771                 return 0;
 772         /* if not yet claimed, claim it for the driver */
 773         dev_warn(&ps->dev->dev, "usbfs: process %d (%s) did not claim "
 774                  "interface %u before use\n", task_pid_nr(current),
 775                  current->comm, ifnum);
 776         return claimintf(ps, ifnum);
 777 }
 778
 779 static int findintfep(struct usb_device *dev, unsigned int ep)
 780 {
 781         unsigned int i, j, e;
 782         struct usb_interface *intf;
 783         struct usb_host_interface *alts;
 784         struct usb_endpoint_descriptor *endpt;
 785
 786         if (ep & ~(USB_DIR_IN|0xf))
 787                 return -EINVAL;
 788         if (!dev->actconfig)
 789                 return -ESRCH;
 790         for (i = 0; i < dev->actconfig->desc.bNumInterfaces; i++) {
 791                 intf = dev->actconfig->interface[i];
 792                 for (j = 0; j < intf->num_altsetting; j++) {
 793                         alts = &intf->altsetting[j];
 794                         for (e = 0; e < alts->desc.bNumEndpoints; e++) {
 795                                 endpt = &alts->endpoint[e].desc;
 796                                 if (endpt->bEndpointAddress == ep)
 797                                         return alts->desc.bInterfaceNumber;
 798                         }
 799                 }
 800         }
 801         return -ENOENT;
 802 }
 803
 804 static int check_ctrlrecip(struct usb_dev_state *ps, unsigned int requesttype,
 805                            unsigned int request, unsigned int index)
 806 {
 807         int ret = 0;
 808         struct usb_host_interface *alt_setting;
 809
 810         if (ps->dev->state != USB_STATE_UNAUTHENTICATED
 811          && ps->dev->state != USB_STATE_ADDRESS
 812          && ps->dev->state != USB_STATE_CONFIGURED)
 813                 return -EHOSTUNREACH;
 814         if (USB_TYPE_VENDOR == (USB_TYPE_MASK & requesttype))
 815                 return 0;
 816
 817         /*
 818          * check for the special corner case 'get_device_id' in the printer
 819          * class specification, which we always want to allow as it is used
 820          * to query things like ink level, etc.
 821          */
 822         if (requesttype == 0xa1 && request == 0) {
 823                 alt_setting = usb_find_alt_setting(ps->dev->actconfig,
 824                                                    index >> 8, index & 0xff);
 825                 if (alt_setting
 826                  && alt_setting->desc.bInterfaceClass == USB_CLASS_PRINTER)
 827                         return 0;
 828         }
 829
 830         index &= 0xff;
 831         switch (requesttype & USB_RECIP_MASK) {
 832         case USB_RECIP_ENDPOINT:
 833                 if ((index & ~USB_DIR_IN) == 0)
 834                         return 0;
 835                 ret = findintfep(ps->dev, index);
 836                 if (ret < 0) {
 837                         /*
 838                          * Some not fully compliant Win apps seem to get
 839                          * index wrong and have the endpoint number here
 840                          * rather than the endpoint address (with the
 841                          * correct direction). Win does let this through,
 842                          * so we'll not reject it here but leave it to
 843                          * the device to not break KVM. But we warn.
 844                          */
 845                         ret = findintfep(ps->dev, index ^ 0x80);
 846                         if (ret >= 0)
 847                                 dev_info(&ps->dev->dev,
 848                                         "%s: process %i (%s) requesting ep %02x but needs %02x\n",
 849                                         __func__, task_pid_nr(current),
 850                                         current->comm, index, index ^ 0x80);
 851                 }
 852                 if (ret >= 0)
 853                         ret = checkintf(ps, ret);
 854                 break;
 855
 856         case USB_RECIP_INTERFACE:
 857                 ret = checkintf(ps, index);
 858                 break;
 859         }
 860         return ret;
 861 }
 862
 863 static struct usb_host_endpoint *ep_to_host_endpoint(struct usb_device *dev,
 864                                                      unsigned char ep)
 865 {
 866         if (ep & USB_ENDPOINT_DIR_MASK)
 867                 return dev->ep_in[ep & USB_ENDPOINT_NUMBER_MASK];
 868         else
 869                 return dev->ep_out[ep & USB_ENDPOINT_NUMBER_MASK];
 870 }
 871
 872 static int parse_usbdevfs_streams(struct usb_dev_state *ps,
 873                                   struct usbdevfs_streams __user *streams,
 874                                   unsigned int *num_streams_ret,
 875                                   unsigned int *num_eps_ret,
 876                                   struct usb_host_endpoint ***eps_ret,
 877                                   struct usb_interface **intf_ret)
 878 {
 879         unsigned int i, num_streams, num_eps;
 880         struct usb_host_endpoint **eps;
 881         struct usb_interface *intf = NULL;
 882         unsigned char ep;
 883         int ifnum, ret;
 884
 885         if (get_user(num_streams, &streams->num_streams) ||
 886             get_user(num_eps, &streams->num_eps))
 887                 return -EFAULT;
 888
 889         if (num_eps < 1 || num_eps > USB_MAXENDPOINTS)
 890                 return -EINVAL;
 891
 892         /* The XHCI controller allows max 2 ^ 16 streams */
 893         if (num_streams_ret && (num_streams < 2 || num_streams > 65536))
 894                 return -EINVAL;
 895
 896         eps = kmalloc_array(num_eps, sizeof(*eps), GFP_KERNEL);
 897         if (!eps)
 898                 return -ENOMEM;
 899
 900         for (i = 0; i < num_eps; i++) {
 901                 if (get_user(ep, &streams->eps[i])) {
 902                         ret = -EFAULT;
 903                         goto error;
 904                 }
 905                 eps[i] = ep_to_host_endpoint(ps->dev, ep);
 906                 if (!eps[i]) {
 907                         ret = -EINVAL;
 908                         goto error;
 909                 }
 910
 911                 /* usb_alloc/free_streams operate on an usb_interface */
 912                 ifnum = findintfep(ps->dev, ep);
 913                 if (ifnum < 0) {
 914                         ret = ifnum;
 915                         goto error;
 916                 }
 917
 918                 if (i == 0) {
 919                         ret = checkintf(ps, ifnum);
 920                         if (ret < 0)
 921                                 goto error;
 922                         intf = usb_ifnum_to_if(ps->dev, ifnum);
 923                 } else {
 924                         /* Verify all eps belong to the same interface */
 925                         if (ifnum != intf->altsetting->desc.bInterfaceNumber) {
 926                                 ret = -EINVAL;
 927                                 goto error;
 928                         }
 929                 }
 930         }
 931
 932         if (num_streams_ret)
 933                 *num_streams_ret = num_streams;
 934         *num_eps_ret = num_eps;
 935         *eps_ret = eps;
 936         *intf_ret = intf;
 937
 938         return 0;
 939
 940 error:
 941         kfree(eps);
 942         return ret;
 943 }
 944
 945 static int match_devt(struct device *dev, const void *data)
 946 {
 947         return dev->devt == (dev_t)(unsigned long)(void *)data;
 948 }
 949
 950 static struct usb_device *usbdev_lookup_by_devt(dev_t devt)
 951 {
 952         struct device *dev;
 953
 954         dev = bus_find_device(&usb_bus_type, NULL,
 955                               (void *) (unsigned long) devt, match_devt);
 956         if (!dev)
 957                 return NULL;
 958         return to_usb_device(dev);
 959 }
 960
 961 /*
 962  * file operations
 963  */
 964 static int usbdev_open(struct inode *inode, struct file *file)
 965 {
 966         struct usb_device *dev = NULL;
 967         struct usb_dev_state *ps;
 968         int ret;
 969
 970         ret = -ENOMEM;
 971         ps = kzalloc(sizeof(struct usb_dev_state), GFP_KERNEL);
 972         if (!ps)
 973                 goto out_free_ps;
 974
 975         ret = -ENODEV;
 976
 977         /* usbdev device-node */
 978         if (imajor(inode) == USB_DEVICE_MAJOR)
 979                 dev = usbdev_lookup_by_devt(inode->i_rdev);
 980         if (!dev)
 981                 goto out_free_ps;
 982
 983         usb_lock_device(dev);
 984         if (dev->state == USB_STATE_NOTATTACHED)
 985                 goto out_unlock_device;
 986
 987         ret = usb_autoresume_device(dev);
 988         if (ret)
 989                 goto out_unlock_device;
 990
 991         ps->dev = dev;
 992         ps->file = file;
 993         ps->interface_allowed_mask = 0xFFFFFFFF; /* 32 bits */
 994         spin_lock_init(&ps->lock);
 995         INIT_LIST_HEAD(&ps->list);
 996         INIT_LIST_HEAD(&ps->async_pending);
 997         INIT_LIST_HEAD(&ps->async_completed);
 998         INIT_LIST_HEAD(&ps->memory_list);
 999         init_waitqueue_head(&ps->wait);
1000         ps->disc_pid = get_pid(task_pid(current));
1001         ps->cred = get_current_cred();
1002         smp_wmb();
1003         list_add_tail(&ps->list, &dev->filelist);
1004         file->private_data = ps;
1005         usb_unlock_device(dev);
1006         snoop(&dev->dev, "opened by process %d: %s\n", task_pid_nr(current),
1007                         current->comm);
1008         return ret;
1009
1010  out_unlock_device:
1011         usb_unlock_device(dev);
1012         usb_put_dev(dev);
1013  out_free_ps:
1014         kfree(ps);
1015         return ret;
1016 }
1017
1018 static int usbdev_release(struct inode *inode, struct file *file)
1019 {
1020         struct usb_dev_state *ps = file->private_data;
1021         struct usb_device *dev = ps->dev;
1022         unsigned int ifnum;
1023         struct async *as;
1024
1025         usb_lock_device(dev);
1026         usb_hub_release_all_ports(dev, ps);
1027
1028         list_del_init(&ps->list);
1029
1030         for (ifnum = 0; ps->ifclaimed && ifnum < 8*sizeof(ps->ifclaimed);
1031                         ifnum++) {
1032                 if (test_bit(ifnum, &ps->ifclaimed))
1033                         releaseintf(ps, ifnum);
1034         }
1035         destroy_all_async(ps);
1036         usb_autosuspend_device(dev);
1037         usb_unlock_device(dev);
1038         usb_put_dev(dev);
1039         put_pid(ps->disc_pid);
1040         put_cred(ps->cred);
1041
1042         as = async_getcompleted(ps);
1043         while (as) {
1044                 free_async(as);
1045                 as = async_getcompleted(ps);
1046         }
1047
1048         kfree(ps);
1049         return 0;
1050 }
1051
1052 static int proc_control(struct usb_dev_state *ps, void __user *arg)
1053 {
1054         struct usb_device *dev = ps->dev;
1055         struct usbdevfs_ctrltransfer ctrl;
1056         unsigned int tmo;
1057         unsigned char *tbuf;
1058         unsigned wLength;
1059         int i, pipe, ret;
1060
1061         if (copy_from_user(&ctrl, arg, sizeof(ctrl)))
1062                 return -EFAULT;
1063         ret = check_ctrlrecip(ps, ctrl.bRequestType, ctrl.bRequest,
1064                               ctrl.wIndex);
1065         if (ret)
1066                 return ret;
1067         wLength = ctrl.wLength;         /* To suppress 64k PAGE_SIZE warning */
1068         if (wLength > PAGE_SIZE)
1069                 return -EINVAL;
1070         ret = usbfs_increase_memory_usage(PAGE_SIZE + sizeof(struct urb) +
1071                         sizeof(struct usb_ctrlrequest));
1072         if (ret)
1073                 return ret;
1074         tbuf = (unsigned char *)__get_free_page(GFP_KERNEL);
1075         if (!tbuf) {
1076                 ret = -ENOMEM;
1077                 goto done;
1078         }
1079         tmo = ctrl.timeout;
1080         snoop(&dev->dev, "control urb: bRequestType=%02x "
1081                 "bRequest=%02x wValue=%04x "
1082                 "wIndex=%04x wLength=%04x\n",
1083                 ctrl.bRequestType, ctrl.bRequest, ctrl.wValue,
1084                 ctrl.wIndex, ctrl.wLength);
1085         if (ctrl.bRequestType & 0x80) {
1086                 if (ctrl.wLength && !access_ok(ctrl.data,
1087                                                ctrl.wLength)) {
1088                         ret = -EINVAL;
1089                         goto done;
1090                 }
1091                 pipe = usb_rcvctrlpipe(dev, 0);
1092                 snoop_urb(dev, NULL, pipe, ctrl.wLength, tmo, SUBMIT, NULL, 0);
1093
1094                 usb_unlock_device(dev);
1095                 i = usb_control_msg(dev, pipe, ctrl.bRequest,
1096                                     ctrl.bRequestType, ctrl.wValue, ctrl.wIndex,
1097                                     tbuf, ctrl.wLength, tmo);
1098                 usb_lock_device(dev);
1099                 snoop_urb(dev, NULL, pipe, max(i, 0), min(i, 0), COMPLETE,
1100                           tbuf, max(i, 0));
1101                 if ((i > 0) && ctrl.wLength) {
1102                         if (copy_to_user(ctrl.data, tbuf, i)) {
1103                                 ret = -EFAULT;
1104                                 goto done;
1105                         }
1106                 }
1107         } else {
1108                 if (ctrl.wLength) {
1109                         if (copy_from_user(tbuf, ctrl.data, ctrl.wLength)) {
1110                                 ret = -EFAULT;
1111                                 goto done;
1112                         }
1113                 }
1114                 pipe = usb_sndctrlpipe(dev, 0);
1115                 snoop_urb(dev, NULL, pipe, ctrl.wLength, tmo, SUBMIT,
1116                         tbuf, ctrl.wLength);
1117
1118                 usb_unlock_device(dev);
1119                 i = usb_control_msg(dev, usb_sndctrlpipe(dev, 0), ctrl.bRequest,
1120                                     ctrl.bRequestType, ctrl.wValue, ctrl.wIndex,
1121                                     tbuf, ctrl.wLength, tmo);
1122                 usb_lock_device(dev);
1123                 snoop_urb(dev, NULL, pipe, max(i, 0), min(i, 0), COMPLETE, NULL, 0);
1124         }
1125         if (i < 0 && i != -EPIPE) {
1126                 dev_printk(KERN_DEBUG, &dev->dev, "usbfs: USBDEVFS_CONTROL "
1127                            "failed cmd %s rqt %u rq %u len %u ret %d\n",
1128                            current->comm, ctrl.bRequestType, ctrl.bRequest,
1129                            ctrl.wLength, i);
1130         }
1131         ret = i;
1132  done:
1133         free_page((unsigned long) tbuf);
1134         usbfs_decrease_memory_usage(PAGE_SIZE + sizeof(struct urb) +
1135                         sizeof(struct usb_ctrlrequest));
1136         return ret;
1137 }
1138
1139 static int proc_bulk(struct usb_dev_state *ps, void __user *arg)
1140 {
1141         struct usb_device *dev = ps->dev;
1142         struct usbdevfs_bulktransfer bulk;
1143         unsigned int tmo, len1, pipe;
1144         int len2;
1145         unsigned char *tbuf;
1146         int i, ret;
1147
1148         if (copy_from_user(&bulk, arg, sizeof(bulk)))
1149                 return -EFAULT;
1150         ret = findintfep(ps->dev, bulk.ep);
1151         if (ret < 0)
1152                 return ret;
1153         ret = checkintf(ps, ret);
1154         if (ret)
1155                 return ret;
1156         if (bulk.ep & USB_DIR_IN)
1157                 pipe = usb_rcvbulkpipe(dev, bulk.ep & 0x7f);
1158         else
1159                 pipe = usb_sndbulkpipe(dev, bulk.ep & 0x7f);
1160         if (!usb_maxpacket(dev, pipe, !(bulk.ep & USB_DIR_IN)))
1161                 return -EINVAL;
1162         len1 = bulk.len;
1163         if (len1 >= (INT_MAX - sizeof(struct urb)))
1164                 return -EINVAL;
1165         ret = usbfs_increase_memory_usage(len1 + sizeof(struct urb));
1166         if (ret)
1167                 return ret;
1168         tbuf = kmalloc(len1, GFP_KERNEL);
1169         if (!tbuf) {
1170                 ret = -ENOMEM;
1171                 goto done;
1172         }
1173         tmo = bulk.timeout;
1174         if (bulk.ep & 0x80) {
1175                 if (len1 && !access_ok(bulk.data, len1)) {
1176                         ret = -EINVAL;
1177                         goto done;
1178                 }
1179                 snoop_urb(dev, NULL, pipe, len1, tmo, SUBMIT, NULL, 0);
1180
1181                 usb_unlock_device(dev);
1182                 i = usb_bulk_msg(dev, pipe, tbuf, len1, &len2, tmo);
1183                 usb_lock_device(dev);
1184                 snoop_urb(dev, NULL, pipe, len2, i, COMPLETE, tbuf, len2);
1185
1186                 if (!i && len2) {
1187                         if (copy_to_user(bulk.data, tbuf, len2)) {
1188                                 ret = -EFAULT;
1189                                 goto done;
1190                         }
1191                 }
1192         } else {
1193                 if (len1) {
1194                         if (copy_from_user(tbuf, bulk.data, len1)) {
1195                                 ret = -EFAULT;
1196                                 goto done;
1197                         }
1198                 }
1199                 snoop_urb(dev, NULL, pipe, len1, tmo, SUBMIT, tbuf, len1);
1200
1201                 usb_unlock_device(dev);
1202                 i = usb_bulk_msg(dev, pipe, tbuf, len1, &len2, tmo);
1203                 usb_lock_device(dev);
1204                 snoop_urb(dev, NULL, pipe, len2, i, COMPLETE, NULL, 0);
1205         }
1206         ret = (i < 0 ? i : len2);
1207  done:
1208         kfree(tbuf);
1209         usbfs_decrease_memory_usage(len1 + sizeof(struct urb));
1210         return ret;
1211 }
1212
1213 static void check_reset_of_active_ep(struct usb_device *udev,
1214                 unsigned int epnum, char *ioctl_name)
1215 {
1216         struct usb_host_endpoint **eps;
1217         struct usb_host_endpoint *ep;
1218
1219         eps = (epnum & USB_DIR_IN) ? udev->ep_in : udev->ep_out;
1220         ep = eps[epnum & 0x0f];
1221         if (ep && !list_empty(&ep->urb_list))
1222                 dev_warn(&udev->dev, "Process %d (%s) called USBDEVFS_%s for active endpoint 0x%02x\n",
1223                                 task_pid_nr(current), current->comm,
1224                                 ioctl_name, epnum);
1225 }
1226
1227 static int proc_resetep(struct usb_dev_state *ps, void __user *arg)
1228 {
1229         unsigned int ep;
1230         int ret;
1231
1232         if (get_user(ep, (unsigned int __user *)arg))
1233                 return -EFAULT;
1234         ret = findintfep(ps->dev, ep);
1235         if (ret < 0)
1236                 return ret;
1237         ret = checkintf(ps, ret);
1238         if (ret)
1239                 return ret;
1240         check_reset_of_active_ep(ps->dev, ep, "RESETEP");
1241         usb_reset_endpoint(ps->dev, ep);
1242         return 0;
1243 }
1244
1245 static int proc_clearhalt(struct usb_dev_state *ps, void __user *arg)
1246 {
1247         unsigned int ep;
1248         int pipe;
1249         int ret;
1250
1251         if (get_user(ep, (unsigned int __user *)arg))
1252                 return -EFAULT;
1253         ret = findintfep(ps->dev, ep);
1254         if (ret < 0)
1255                 return ret;
1256         ret = checkintf(ps, ret);
1257         if (ret)
1258                 return ret;
1259         check_reset_of_active_ep(ps->dev, ep, "CLEAR_HALT");
1260         if (ep & USB_DIR_IN)
1261                 pipe = usb_rcvbulkpipe(ps->dev, ep & 0x7f);
1262         else
1263                 pipe = usb_sndbulkpipe(ps->dev, ep & 0x7f);
1264
1265         return usb_clear_halt(ps->dev, pipe);
1266 }
1267
1268 static int proc_getdriver(struct usb_dev_state *ps, void __user *arg)
1269 {
1270         struct usbdevfs_getdriver gd;
1271         struct usb_interface *intf;
1272         int ret;
1273
1274         if (copy_from_user(&gd, arg, sizeof(gd)))
1275                 return -EFAULT;
1276         intf = usb_ifnum_to_if(ps->dev, gd.interface);
1277         if (!intf || !intf->dev.driver)
1278                 ret = -ENODATA;
1279         else {
1280                 strlcpy(gd.driver, intf->dev.driver->name,
1281                                 sizeof(gd.driver));
1282                 ret = (copy_to_user(arg, &gd, sizeof(gd)) ? -EFAULT : 0);
1283         }
1284         return ret;
1285 }
1286
1287 static int proc_connectinfo(struct usb_dev_state *ps, void __user *arg)
1288 {
1289         struct usbdevfs_connectinfo ci;
1290
1291         memset(&ci, 0, sizeof(ci));
1292         ci.devnum = ps->dev->devnum;
1293         ci.slow = ps->dev->speed == USB_SPEED_LOW;
1294
1295         if (copy_to_user(arg, &ci, sizeof(ci)))
1296                 return -EFAULT;
1297         return 0;
1298 }
1299
1300 static int proc_conninfo_ex(struct usb_dev_state *ps,
1301                             void __user *arg, size_t size)
1302 {
1303         struct usbdevfs_conninfo_ex ci;
1304         struct usb_device *udev = ps->dev;
1305
1306         if (size < sizeof(ci.size))
1307                 return -EINVAL;
1308
1309         memset(&ci, 0, sizeof(ci));
1310         ci.size = sizeof(ci);
1311         ci.busnum = udev->bus->busnum;
1312         ci.devnum = udev->devnum;
1313         ci.speed = udev->speed;
1314
1315         while (udev && udev->portnum != 0) {
1316                 if (++ci.num_ports <= ARRAY_SIZE(ci.ports))
1317                         ci.ports[ARRAY_SIZE(ci.ports) - ci.num_ports] =
1318                                         udev->portnum;
1319                 udev = udev->parent;
1320         }
1321
1322         if (ci.num_ports < ARRAY_SIZE(ci.ports))
1323                 memmove(&ci.ports[0],
1324                         &ci.ports[ARRAY_SIZE(ci.ports) - ci.num_ports],
1325                         ci.num_ports);
1326
1327         if (copy_to_user(arg, &ci, min(sizeof(ci), size)))
1328                 return -EFAULT;
1329
1330         return 0;
1331 }
1332
1333 static int proc_resetdevice(struct usb_dev_state *ps)
1334 {
1335         struct usb_host_config *actconfig = ps->dev->actconfig;
1336         struct usb_interface *interface;
1337         int i, number;
1338
1339         /* Don't allow a device reset if the process has dropped the
1340          * privilege to do such things and any of the interfaces are
1341          * currently claimed.
1342          */
1343         if (ps->privileges_dropped && actconfig) {
1344                 for (i = 0; i < actconfig->desc.bNumInterfaces; ++i) {
1345                         interface = actconfig->interface[i];
1346                         number = interface->cur_altsetting->desc.bInterfaceNumber;
1347                         if (usb_interface_claimed(interface) &&
1348                                         !test_bit(number, &ps->ifclaimed)) {
1349                                 dev_warn(&ps->dev->dev,
1350                                         "usbfs: interface %d claimed by %s while '%s' resets device\n",
1351                                         number, interface->dev.driver->name, current->comm);
1352                                 return -EACCES;
1353                         }
1354                 }
1355         }
1356
1357         return usb_reset_device(ps->dev);
1358 }
1359
1360 static int proc_setintf(struct usb_dev_state *ps, void __user *arg)
1361 {
1362         struct usbdevfs_setinterface setintf;
1363         int ret;
1364
1365         if (copy_from_user(&setintf, arg, sizeof(setintf)))
1366                 return -EFAULT;
1367         ret = checkintf(ps, setintf.interface);
1368         if (ret)
1369                 return ret;
1370
1371         destroy_async_on_interface(ps, setintf.interface);
1372
1373         return usb_set_interface(ps->dev, setintf.interface,
1374                         setintf.altsetting);
1375 }
1376
1377 static int proc_setconfig(struct usb_dev_state *ps, void __user *arg)
1378 {
1379         int u;
1380         int status = 0;
1381         struct usb_host_config *actconfig;
1382
1383         if (get_user(u, (int __user *)arg))
1384                 return -EFAULT;
1385
1386         actconfig = ps->dev->actconfig;
1387
1388         /* Don't touch the device if any interfaces are claimed.
1389          * It could interfere with other drivers' operations, and if
1390          * an interface is claimed by usbfs it could easily deadlock.
1391          */
1392         if (actconfig) {
1393                 int i;
1394
1395                 for (i = 0; i < actconfig->desc.bNumInterfaces; ++i) {
1396                         if (usb_interface_claimed(actconfig->interface[i])) {
1397                                 dev_warn(&ps->dev->dev,
1398                                         "usbfs: interface %d claimed by %s "
1399                                         "while '%s' sets config #%d\n",
1400                                         actconfig->interface[i]
1401                                                 ->cur_altsetting
1402                                                 ->desc.bInterfaceNumber,
1403                                         actconfig->interface[i]
1404                                                 ->dev.driver->name,
1405                                         current->comm, u);
1406                                 status = -EBUSY;
1407                                 break;
1408                         }
1409                 }
1410         }
1411
1412         /* SET_CONFIGURATION is often abused as a "cheap" driver reset,
1413          * so avoid usb_set_configuration()'s kick to sysfs
1414          */
1415         if (status == 0) {
1416                 if (actconfig && actconfig->desc.bConfigurationValue == u)
1417                         status = usb_reset_configuration(ps->dev);
1418                 else
1419                         status = usb_set_configuration(ps->dev, u);
1420         }
1421
1422         return status;
1423 }
1424
1425 static struct usb_memory *
1426 find_memory_area(struct usb_dev_state *ps, const struct usbdevfs_urb *uurb)
1427 {
1428         struct usb_memory *usbm = NULL, *iter;
1429         unsigned long flags;
1430         unsigned long uurb_start = (unsigned long)uurb->buffer;
1431
1432         spin_lock_irqsave(&ps->lock, flags);
1433         list_for_each_entry(iter, &ps->memory_list, memlist) {
1434                 if (uurb_start >= iter->vm_start &&
1435                                 uurb_start < iter->vm_start + iter->size) {
1436                         if (uurb->buffer_length > iter->vm_start + iter->size -
1437                                         uurb_start) {
1438                                 usbm = ERR_PTR(-EINVAL);
1439                         } else {
1440                                 usbm = iter;
1441                                 usbm->urb_use_count++;
1442                         }
1443                         break;
1444                 }
1445         }
1446         spin_unlock_irqrestore(&ps->lock, flags);
1447         return usbm;
1448 }
1449
1450 static int proc_do_submiturb(struct usb_dev_state *ps, struct usbdevfs_urb *uurb,
1451                         struct usbdevfs_iso_packet_desc __user *iso_frame_desc,
1452                         void __user *arg, sigval_t userurb_sigval)
1453 {
1454         struct usbdevfs_iso_packet_desc *isopkt = NULL;
1455         struct usb_host_endpoint *ep;
1456         struct async *as = NULL;
1457         struct usb_ctrlrequest *dr = NULL;
1458         unsigned int u, totlen, isofrmlen;
1459         int i, ret, num_sgs = 0, ifnum = -1;
1460         int number_of_packets = 0;
1461         unsigned int stream_id = 0;
1462         void *buf;
1463         bool is_in;
1464         bool allow_short = false;
1465         bool allow_zero = false;
1466         unsigned long mask =    USBDEVFS_URB_SHORT_NOT_OK |
1467                                 USBDEVFS_URB_BULK_CONTINUATION |
1468                                 USBDEVFS_URB_NO_FSBR |
1469                                 USBDEVFS_URB_ZERO_PACKET |
1470                                 USBDEVFS_URB_NO_INTERRUPT;
1471         /* USBDEVFS_URB_ISO_ASAP is a special case */
1472         if (uurb->type == USBDEVFS_URB_TYPE_ISO)
1473                 mask |= USBDEVFS_URB_ISO_ASAP;
1474
1475         if (uurb->flags & ~mask)
1476                         return -EINVAL;
1477
1478         if ((unsigned int)uurb->buffer_length >= USBFS_XFER_MAX)
1479                 return -EINVAL;
1480         if (uurb->buffer_length > 0 && !uurb->buffer)
1481                 return -EINVAL;
1482         if (!(uurb->type == USBDEVFS_URB_TYPE_CONTROL &&
1483             (uurb->endpoint & ~USB_ENDPOINT_DIR_MASK) == 0)) {
1484                 ifnum = findintfep(ps->dev, uurb->endpoint);
1485                 if (ifnum < 0)
1486                         return ifnum;
1487                 ret = checkintf(ps, ifnum);
1488                 if (ret)
1489                         return ret;
1490         }
1491         ep = ep_to_host_endpoint(ps->dev, uurb->endpoint);
1492         if (!ep)
1493                 return -ENOENT;
1494         is_in = (uurb->endpoint & USB_ENDPOINT_DIR_MASK) != 0;
1495
1496         u = 0;
1497         switch (uurb->type) {
1498         case USBDEVFS_URB_TYPE_CONTROL:
1499                 if (!usb_endpoint_xfer_control(&ep->desc))
1500                         return -EINVAL;
1501                 /* min 8 byte setup packet */
1502                 if (uurb->buffer_length < 8)
1503                         return -EINVAL;
1504                 dr = kmalloc(sizeof(struct usb_ctrlrequest), GFP_KERNEL);
1505                 if (!dr)
1506                         return -ENOMEM;
1507                 if (copy_from_user(dr, uurb->buffer, 8)) {
1508                         ret = -EFAULT;
1509                         goto error;
1510                 }
1511                 if (uurb->buffer_length < (le16_to_cpu(dr->wLength) + 8)) {
1512                         ret = -EINVAL;
1513                         goto error;
1514                 }
1515                 ret = check_ctrlrecip(ps, dr->bRequestType, dr->bRequest,
1516                                       le16_to_cpu(dr->wIndex));
1517                 if (ret)
1518                         goto error;
1519                 uurb->buffer_length = le16_to_cpu(dr->wLength);
1520                 uurb->buffer += 8;
1521                 if ((dr->bRequestType & USB_DIR_IN) && uurb->buffer_length) {
1522                         is_in = 1;
1523                         uurb->endpoint |= USB_DIR_IN;
1524                 } else {
1525                         is_in = 0;
1526                         uurb->endpoint &= ~USB_DIR_IN;
1527                 }
1528                 if (is_in)
1529                         allow_short = true;
1530                 snoop(&ps->dev->dev, "control urb: bRequestType=%02x "
1531                         "bRequest=%02x wValue=%04x "
1532                         "wIndex=%04x wLength=%04x\n",
1533                         dr->bRequestType, dr->bRequest,
1534                         __le16_to_cpu(dr->wValue),
1535                         __le16_to_cpu(dr->wIndex),
1536                         __le16_to_cpu(dr->wLength));
1537                 u = sizeof(struct usb_ctrlrequest);
1538                 break;
1539
1540         case USBDEVFS_URB_TYPE_BULK:
1541                 if (!is_in)
1542                         allow_zero = true;
1543                 else
1544                         allow_short = true;
1545                 switch (usb_endpoint_type(&ep->desc)) {
1546                 case USB_ENDPOINT_XFER_CONTROL:
1547                 case USB_ENDPOINT_XFER_ISOC:
1548                         return -EINVAL;
1549                 case USB_ENDPOINT_XFER_INT:
1550                         /* allow single-shot interrupt transfers */
1551                         uurb->type = USBDEVFS_URB_TYPE_INTERRUPT;
1552                         goto interrupt_urb;
1553                 }
1554                 num_sgs = DIV_ROUND_UP(uurb->buffer_length, USB_SG_SIZE);
1555                 if (num_sgs == 1 || num_sgs > ps->dev->bus->sg_tablesize)
1556                         num_sgs = 0;
1557                 if (ep->streams)
1558                         stream_id = uurb->stream_id;
1559                 break;
1560
1561         case USBDEVFS_URB_TYPE_INTERRUPT:
1562                 if (!usb_endpoint_xfer_int(&ep->desc))
1563                         return -EINVAL;
1564  interrupt_urb:
1565                 if (!is_in)
1566                         allow_zero = true;
1567                 else
1568                         allow_short = true;
1569                 break;
1570
1571         case USBDEVFS_URB_TYPE_ISO:
1572                 /* arbitrary limit */
1573                 if (uurb->number_of_packets < 1 ||
1574                     uurb->number_of_packets > 128)
1575                         return -EINVAL;
1576                 if (!usb_endpoint_xfer_isoc(&ep->desc))
1577                         return -EINVAL;
1578                 number_of_packets = uurb->number_of_packets;
1579                 isofrmlen = sizeof(struct usbdevfs_iso_packet_desc) *
1580                                    number_of_packets;
1581                 isopkt = memdup_user(iso_frame_desc, isofrmlen);
1582                 if (IS_ERR(isopkt)) {
1583                         ret = PTR_ERR(isopkt);
1584                         isopkt = NULL;
1585                         goto error;
1586                 }
1587                 for (totlen = u = 0; u < number_of_packets; u++) {
1588                         /*
1589                          * arbitrary limit need for USB 3.1 Gen2
1590                          * sizemax: 96 DPs at SSP, 96 * 1024 = 98304
1591                          */
1592                         if (isopkt[u].length > 98304) {
1593                                 ret = -EINVAL;
1594                                 goto error;
1595                         }
1596                         totlen += isopkt[u].length;
1597                 }
1598                 u *= sizeof(struct usb_iso_packet_descriptor);
1599                 uurb->buffer_length = totlen;
1600                 break;
1601
1602         default:
1603                 return -EINVAL;
1604         }
1605
1606         if (uurb->buffer_length > 0 &&
1607                         !access_ok(uurb->buffer, uurb->buffer_length)) {
1608                 ret = -EFAULT;
1609                 goto error;
1610         }
1611         as = alloc_async(number_of_packets);
1612         if (!as) {
1613                 ret = -ENOMEM;
1614                 goto error;
1615         }
1616
1617         as->usbm = find_memory_area(ps, uurb);
1618         if (IS_ERR(as->usbm)) {
1619                 ret = PTR_ERR(as->usbm);
1620                 as->usbm = NULL;
1621                 goto error;
1622         }
1623
1624         /* do not use SG buffers when memory mapped segments
1625          * are in use
1626          */
1627         if (as->usbm)
1628                 num_sgs = 0;
1629
1630         u += sizeof(struct async) + sizeof(struct urb) + uurb->buffer_length +
1631              num_sgs * sizeof(struct scatterlist);
1632         ret = usbfs_increase_memory_usage(u);
1633         if (ret)
1634                 goto error;
1635         as->mem_usage = u;
1636
1637         if (num_sgs) {
1638                 as->urb->sg = kmalloc_array(num_sgs,
1639                                             sizeof(struct scatterlist),
1640                                             GFP_KERNEL);
1641                 if (!as->urb->sg) {
1642                         ret = -ENOMEM;
1643                         goto error;
1644                 }
1645                 as->urb->num_sgs = num_sgs;
1646                 sg_init_table(as->urb->sg, as->urb->num_sgs);
1647
1648                 totlen = uurb->buffer_length;
1649                 for (i = 0; i < as->urb->num_sgs; i++) {
1650                         u = (totlen > USB_SG_SIZE) ? USB_SG_SIZE : totlen;
1651                         buf = kmalloc(u, GFP_KERNEL);
1652                         if (!buf) {
1653                                 ret = -ENOMEM;
1654                                 goto error;
1655                         }
1656                         sg_set_buf(&as->urb->sg[i], buf, u);
1657
1658                         if (!is_in) {
1659                                 if (copy_from_user(buf, uurb->buffer, u)) {
1660                                         ret = -EFAULT;
1661                                         goto error;
1662                                 }
1663                                 uurb->buffer += u;
1664                         }
1665                         totlen -= u;
1666                 }
1667         } else if (uurb->buffer_length > 0) {
1668                 if (as->usbm) {
1669                         unsigned long uurb_start = (unsigned long)uurb->buffer;
1670
1671                         as->urb->transfer_buffer = as->usbm->mem +
1672                                         (uurb_start - as->usbm->vm_start);
1673                 } else {
1674                         as->urb->transfer_buffer = kmalloc(uurb->buffer_length,
1675                                         GFP_KERNEL);
1676                         if (!as->urb->transfer_buffer) {
1677                                 ret = -ENOMEM;
1678                                 goto error;
1679                         }
1680                         if (!is_in) {
1681                                 if (copy_from_user(as->urb->transfer_buffer,
1682                                                    uurb->buffer,
1683                                                    uurb->buffer_length)) {
1684                                         ret = -EFAULT;
1685                                         goto error;
1686                                 }
1687                         } else if (uurb->type == USBDEVFS_URB_TYPE_ISO) {
1688                                 /*
1689                                  * Isochronous input data may end up being
1690                                  * discontiguous if some of the packets are
1691                                  * short. Clear the buffer so that the gaps
1692                                  * don't leak kernel data to userspace.
1693                                  */
1694                                 memset(as->urb->transfer_buffer, 0,
1695                                                 uurb->buffer_length);
1696                         }
1697                 }
1698         }
1699         as->urb->dev = ps->dev;
1700         as->urb->pipe = (uurb->type << 30) |
1701                         __create_pipe(ps->dev, uurb->endpoint & 0xf) |
1702                         (uurb->endpoint & USB_DIR_IN);
1703
1704         /* This tedious sequence is necessary because the URB_* flags
1705          * are internal to the kernel and subject to change, whereas
1706          * the USBDEVFS_URB_* flags are a user API and must not be changed.
1707          */
1708         u = (is_in ? URB_DIR_IN : URB_DIR_OUT);
1709         if (uurb->flags & USBDEVFS_URB_ISO_ASAP)
1710                 u |= URB_ISO_ASAP;
1711         if (allow_short && uurb->flags & USBDEVFS_URB_SHORT_NOT_OK)
1712                 u |= URB_SHORT_NOT_OK;
1713         if (allow_zero && uurb->flags & USBDEVFS_URB_ZERO_PACKET)
1714                 u |= URB_ZERO_PACKET;
1715         if (uurb->flags & USBDEVFS_URB_NO_INTERRUPT)
1716                 u |= URB_NO_INTERRUPT;
1717         as->urb->transfer_flags = u;
1718
1719         if (!allow_short && uurb->flags & USBDEVFS_URB_SHORT_NOT_OK)
1720                 dev_warn(&ps->dev->dev, "Requested nonsensical USBDEVFS_URB_SHORT_NOT_OK.\n");
1721         if (!allow_zero && uurb->flags & USBDEVFS_URB_ZERO_PACKET)
1722                 dev_warn(&ps->dev->dev, "Requested nonsensical USBDEVFS_URB_ZERO_PACKET.\n");
1723
1724         as->urb->transfer_buffer_length = uurb->buffer_length;
1725         as->urb->setup_packet = (unsigned char *)dr;
1726         dr = NULL;
1727         as->urb->start_frame = uurb->start_frame;
1728         as->urb->number_of_packets = number_of_packets;
1729         as->urb->stream_id = stream_id;
1730
1731         if (ep->desc.bInterval) {
1732                 if (uurb->type == USBDEVFS_URB_TYPE_ISO ||
1733                                 ps->dev->speed == USB_SPEED_HIGH ||
1734                                 ps->dev->speed >= USB_SPEED_SUPER)
1735                         as->urb->interval = 1 <<
1736                                         min(15, ep->desc.bInterval - 1);
1737                 else
1738                         as->urb->interval = ep->desc.bInterval;
1739         }
1740
1741         as->urb->context = as;
1742         as->urb->complete = async_completed;
1743         for (totlen = u = 0; u < number_of_packets; u++) {
1744                 as->urb->iso_frame_desc[u].offset = totlen;
1745                 as->urb->iso_frame_desc[u].length = isopkt[u].length;
1746                 totlen += isopkt[u].length;
1747         }
1748         kfree(isopkt);
1749         isopkt = NULL;
1750         as->ps = ps;
1751         as->userurb = arg;
1752         as->userurb_sigval = userurb_sigval;
1753         if (as->usbm) {
1754                 unsigned long uurb_start = (unsigned long)uurb->buffer;
1755
1756                 as->urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP;
1757                 as->urb->transfer_dma = as->usbm->dma_handle +
1758                                 (uurb_start - as->usbm->vm_start);
1759         } else if (is_in && uurb->buffer_length > 0)
1760                 as->userbuffer = uurb->buffer;
1761         as->signr = uurb->signr;
1762         as->ifnum = ifnum;
1763         as->pid = get_pid(task_pid(current));
1764         as->cred = get_current_cred();
1765         snoop_urb(ps->dev, as->userurb, as->urb->pipe,
1766                         as->urb->transfer_buffer_length, 0, SUBMIT,
1767                         NULL, 0);
1768         if (!is_in)
1769                 snoop_urb_data(as->urb, as->urb->transfer_buffer_length);
1770
1771         async_newpending(as);
1772
1773         if (usb_endpoint_xfer_bulk(&ep->desc)) {
1774                 spin_lock_irq(&ps->lock);
1775
1776                 /* Not exactly the endpoint address; the direction bit is
1777                  * shifted to the 0x10 position so that the value will be
1778                  * between 0 and 31.
1779                  */
1780                 as->bulk_addr = usb_endpoint_num(&ep->desc) |
1781                         ((ep->desc.bEndpointAddress & USB_ENDPOINT_DIR_MASK)
1782                                 >> 3);
1783
1784                 /* If this bulk URB is the start of a new transfer, re-enable
1785                  * the endpoint.  Otherwise mark it as a continuation URB.
1786                  */
1787                 if (uurb->flags & USBDEVFS_URB_BULK_CONTINUATION)
1788                         as->bulk_status = AS_CONTINUATION;
1789                 else
1790                         ps->disabled_bulk_eps &= ~(1 << as->bulk_addr);
1791
1792                 /* Don't accept continuation URBs if the endpoint is
1793                  * disabled because of an earlier error.
1794                  */
1795                 if (ps->disabled_bulk_eps & (1 << as->bulk_addr))
1796                         ret = -EREMOTEIO;
1797                 else
1798                         ret = usb_submit_urb(as->urb, GFP_ATOMIC);
1799                 spin_unlock_irq(&ps->lock);
1800         } else {
1801                 ret = usb_submit_urb(as->urb, GFP_KERNEL);
1802         }
1803
1804         if (ret) {
1805                 dev_printk(KERN_DEBUG, &ps->dev->dev,
1806                            "usbfs: usb_submit_urb returned %d\n", ret);
1807                 snoop_urb(ps->dev, as->userurb, as->urb->pipe,
1808                                 0, ret, COMPLETE, NULL, 0);
1809                 async_removepending(as);
1810                 goto error;
1811         }
1812         return 0;
1813
1814  error:
1815         kfree(isopkt);
1816         kfree(dr);
1817         if (as)
1818                 free_async(as);
1819         return ret;
1820 }
1821
1822 static int proc_submiturb(struct usb_dev_state *ps, void __user *arg)
1823 {
1824         struct usbdevfs_urb uurb;
1825         sigval_t userurb_sigval;
1826
1827         if (copy_from_user(&uurb, arg, sizeof(uurb)))
1828                 return -EFAULT;
1829
1830         memset(&userurb_sigval, 0, sizeof(userurb_sigval));
1831         userurb_sigval.sival_ptr = arg;
1832
1833         return proc_do_submiturb(ps, &uurb,
1834                         (((struct usbdevfs_urb __user *)arg)->iso_frame_desc),
1835                         arg, userurb_sigval);
1836 }
1837
1838 static int proc_unlinkurb(struct usb_dev_state *ps, void __user *arg)
1839 {
1840         struct urb *urb;
1841         struct async *as;
1842         unsigned long flags;
1843
1844         spin_lock_irqsave(&ps->lock, flags);
1845         as = async_getpending(ps, arg);
1846         if (!as) {
1847                 spin_unlock_irqrestore(&ps->lock, flags);
1848                 return -EINVAL;
1849         }
1850
1851         urb = as->urb;
1852         usb_get_urb(urb);
1853         spin_unlock_irqrestore(&ps->lock, flags);
1854
1855         usb_kill_urb(urb);
1856         usb_put_urb(urb);
1857
1858         return 0;
1859 }
1860
1861 static void compute_isochronous_actual_length(struct urb *urb)
1862 {
1863         unsigned int i;
1864
1865         if (urb->number_of_packets > 0) {
1866                 urb->actual_length = 0;
1867                 for (i = 0; i < urb->number_of_packets; i++)
1868                         urb->actual_length +=
1869                                         urb->iso_frame_desc[i].actual_length;
1870         }
1871 }
1872
1873 static int processcompl(struct async *as, void __user * __user *arg)
1874 {
1875         struct urb *urb = as->urb;
1876         struct usbdevfs_urb __user *userurb = as->userurb;
1877         void __user *addr = as->userurb;
1878         unsigned int i;
1879
1880         compute_isochronous_actual_length(urb);
1881         if (as->userbuffer && urb->actual_length) {
1882                 if (copy_urb_data_to_user(as->userbuffer, urb))
1883                         goto err_out;
1884         }
1885         if (put_user(as->status, &userurb->status))
1886                 goto err_out;
1887         if (put_user(urb->actual_length, &userurb->actual_length))
1888                 goto err_out;
1889         if (put_user(urb->error_count, &userurb->error_count))
1890                 goto err_out;
1891
1892         if (usb_endpoint_xfer_isoc(&urb->ep->desc)) {
1893                 for (i = 0; i < urb->number_of_packets; i++) {
1894                         if (put_user(urb->iso_frame_desc[i].actual_length,
1895                                      &userurb->iso_frame_desc[i].actual_length))
1896                                 goto err_out;
1897                         if (put_user(urb->iso_frame_desc[i].status,
1898                                      &userurb->iso_frame_desc[i].status))
1899                                 goto err_out;
1900                 }
1901         }
1902
1903         if (put_user(addr, (void __user * __user *)arg))
1904                 return -EFAULT;
1905         return 0;
1906
1907 err_out:
1908         return -EFAULT;
1909 }
1910
1911 static struct async *reap_as(struct usb_dev_state *ps)
1912 {
1913         DECLARE_WAITQUEUE(wait, current);
1914         struct async *as = NULL;
1915         struct usb_device *dev = ps->dev;
1916
1917         add_wait_queue(&ps->wait, &wait);
1918         for (;;) {
1919                 __set_current_state(TASK_INTERRUPTIBLE);
1920                 as = async_getcompleted(ps);
1921                 if (as || !connected(ps))
1922                         break;
1923                 if (signal_pending(current))
1924                         break;
1925                 usb_unlock_device(dev);
1926                 schedule();
1927                 usb_lock_device(dev);
1928         }
1929         remove_wait_queue(&ps->wait, &wait);
1930         set_current_state(TASK_RUNNING);
1931         return as;
1932 }
1933
1934 static int proc_reapurb(struct usb_dev_state *ps, void __user *arg)
1935 {
1936         struct async *as = reap_as(ps);
1937
1938         if (as) {
1939                 int retval;
1940
1941                 snoop(&ps->dev->dev, "reap %pK\n", as->userurb);
1942                 retval = processcompl(as, (void __user * __user *)arg);
1943                 free_async(as);
1944                 return retval;
1945         }
1946         if (signal_pending(current))
1947                 return -EINTR;
1948         return -ENODEV;
1949 }
1950
1951 static int proc_reapurbnonblock(struct usb_dev_state *ps, void __user *arg)
1952 {
1953         int retval;
1954         struct async *as;
1955
1956         as = async_getcompleted(ps);
1957         if (as) {
1958                 snoop(&ps->dev->dev, "reap %pK\n", as->userurb);
1959                 retval = processcompl(as, (void __user * __user *)arg);
1960                 free_async(as);
1961         } else {
1962                 retval = (connected(ps) ? -EAGAIN : -ENODEV);
1963         }
1964         return retval;
1965 }
1966
1967 #ifdef CONFIG_COMPAT
1968 static int proc_control_compat(struct usb_dev_state *ps,
1969                                 struct usbdevfs_ctrltransfer32 __user *p32)
1970 {
1971         struct usbdevfs_ctrltransfer __user *p;
1972         __u32 udata;
1973         p = compat_alloc_user_space(sizeof(*p));
1974         if (copy_in_user(p, p32, (sizeof(*p32) - sizeof(compat_caddr_t))) ||
1975             get_user(udata, &p32->data) ||
1976             put_user(compat_ptr(udata), &p->data))
1977                 return -EFAULT;
1978         return proc_control(ps, p);
1979 }
1980
1981 static int proc_bulk_compat(struct usb_dev_state *ps,
1982                         struct usbdevfs_bulktransfer32 __user *p32)
1983 {
1984         struct usbdevfs_bulktransfer __user *p;
1985         compat_uint_t n;
1986         compat_caddr_t addr;
1987
1988         p = compat_alloc_user_space(sizeof(*p));
1989
1990         if (get_user(n, &p32->ep) || put_user(n, &p->ep) ||
1991             get_user(n, &p32->len) || put_user(n, &p->len) ||
1992             get_user(n, &p32->timeout) || put_user(n, &p->timeout) ||
1993             get_user(addr, &p32->data) || put_user(compat_ptr(addr), &p->data))
1994                 return -EFAULT;
1995
1996         return proc_bulk(ps, p);
1997 }
1998 static int proc_disconnectsignal_compat(struct usb_dev_state *ps, void __user *arg)
1999 {
2000         struct usbdevfs_disconnectsignal32 ds;
2001
2002         if (copy_from_user(&ds, arg, sizeof(ds)))
2003                 return -EFAULT;
2004         ps->discsignr = ds.signr;
2005         ps->disccontext.sival_int = ds.context;
2006         return 0;
2007 }
2008
2009 static int get_urb32(struct usbdevfs_urb *kurb,
2010                      struct usbdevfs_urb32 __user *uurb)
2011 {
2012         struct usbdevfs_urb32 urb32;
2013         if (copy_from_user(&urb32, uurb, sizeof(*uurb)))
2014                 return -EFAULT;
2015         kurb->type = urb32.type;
2016         kurb->endpoint = urb32.endpoint;
2017         kurb->status = urb32.status;
2018         kurb->flags = urb32.flags;
2019         kurb->buffer = compat_ptr(urb32.buffer);
2020         kurb->buffer_length = urb32.buffer_length;
2021         kurb->actual_length = urb32.actual_length;
2022         kurb->start_frame = urb32.start_frame;
2023         kurb->number_of_packets = urb32.number_of_packets;
2024         kurb->error_count = urb32.error_count;
2025         kurb->signr = urb32.signr;
2026         kurb->usercontext = compat_ptr(urb32.usercontext);
2027         return 0;
2028 }
2029
2030 static int proc_submiturb_compat(struct usb_dev_state *ps, void __user *arg)
2031 {
2032         struct usbdevfs_urb uurb;
2033         sigval_t userurb_sigval;
2034
2035         if (get_urb32(&uurb, (struct usbdevfs_urb32 __user *)arg))
2036                 return -EFAULT;
2037
2038         memset(&userurb_sigval, 0, sizeof(userurb_sigval));
2039         userurb_sigval.sival_int = ptr_to_compat(arg);
2040
2041         return proc_do_submiturb(ps, &uurb,
2042                         ((struct usbdevfs_urb32 __user *)arg)->iso_frame_desc,
2043                         arg, userurb_sigval);
2044 }
2045
2046 static int processcompl_compat(struct async *as, void __user * __user *arg)
2047 {
2048         struct urb *urb = as->urb;
2049         struct usbdevfs_urb32 __user *userurb = as->userurb;
2050         void __user *addr = as->userurb;
2051         unsigned int i;
2052
2053         compute_isochronous_actual_length(urb);
2054         if (as->userbuffer && urb->actual_length) {
2055                 if (copy_urb_data_to_user(as->userbuffer, urb))
2056                         return -EFAULT;
2057         }
2058         if (put_user(as->status, &userurb->status))
2059                 return -EFAULT;
2060         if (put_user(urb->actual_length, &userurb->actual_length))
2061                 return -EFAULT;
2062         if (put_user(urb->error_count, &userurb->error_count))
2063                 return -EFAULT;
2064
2065         if (usb_endpoint_xfer_isoc(&urb->ep->desc)) {
2066                 for (i = 0; i < urb->number_of_packets; i++) {
2067                         if (put_user(urb->iso_frame_desc[i].actual_length,
2068                                      &userurb->iso_frame_desc[i].actual_length))
2069                                 return -EFAULT;
2070                         if (put_user(urb->iso_frame_desc[i].status,
2071                                      &userurb->iso_frame_desc[i].status))
2072                                 return -EFAULT;
2073                 }
2074         }
2075
2076         if (put_user(ptr_to_compat(addr), (u32 __user *)arg))
2077                 return -EFAULT;
2078         return 0;
2079 }
2080
2081 static int proc_reapurb_compat(struct usb_dev_state *ps, void __user *arg)
2082 {
2083         struct async *as = reap_as(ps);
2084
2085         if (as) {
2086                 int retval;
2087
2088                 snoop(&ps->dev->dev, "reap %pK\n", as->userurb);
2089                 retval = processcompl_compat(as, (void __user * __user *)arg);
2090                 free_async(as);
2091                 return retval;
2092         }
2093         if (signal_pending(current))
2094                 return -EINTR;
2095         return -ENODEV;
2096 }
2097
2098 static int proc_reapurbnonblock_compat(struct usb_dev_state *ps, void __user *arg)
2099 {
2100         int retval;
2101         struct async *as;
2102
2103         as = async_getcompleted(ps);
2104         if (as) {
2105                 snoop(&ps->dev->dev, "reap %pK\n", as->userurb);
2106                 retval = processcompl_compat(as, (void __user * __user *)arg);
2107                 free_async(as);
2108         } else {
2109                 retval = (connected(ps) ? -EAGAIN : -ENODEV);
2110         }
2111         return retval;
2112 }
2113
2114
2115 #endif
2116
2117 static int proc_disconnectsignal(struct usb_dev_state *ps, void __user *arg)
2118 {
2119         struct usbdevfs_disconnectsignal ds;
2120
2121         if (copy_from_user(&ds, arg, sizeof(ds)))
2122                 return -EFAULT;
2123         ps->discsignr = ds.signr;
2124         ps->disccontext.sival_ptr = ds.context;
2125         return 0;
2126 }
2127
2128 static int proc_claiminterface(struct usb_dev_state *ps, void __user *arg)
2129 {
2130         unsigned int ifnum;
2131
2132         if (get_user(ifnum, (unsigned int __user *)arg))
2133                 return -EFAULT;
2134         return claimintf(ps, ifnum);
2135 }
2136
2137 static int proc_releaseinterface(struct usb_dev_state *ps, void __user *arg)
2138 {
2139         unsigned int ifnum;
2140         int ret;
2141
2142         if (get_user(ifnum, (unsigned int __user *)arg))
2143                 return -EFAULT;
2144         ret = releaseintf(ps, ifnum);
2145         if (ret < 0)
2146                 return ret;
2147         destroy_async_on_interface(ps, ifnum);
2148         return 0;
2149 }
2150
2151 static int proc_ioctl(struct usb_dev_state *ps, struct usbdevfs_ioctl *ctl)
2152 {
2153         int                     size;
2154         void                    *buf = NULL;
2155         int                     retval = 0;
2156         struct usb_interface    *intf = NULL;
2157         struct usb_driver       *driver = NULL;
2158
2159         if (ps->privileges_dropped)
2160                 return -EACCES;
2161
2162         if (!connected(ps))
2163                 return -ENODEV;
2164
2165         /* alloc buffer */
2166         size = _IOC_SIZE(ctl->ioctl_code);
2167         if (size > 0) {
2168                 buf = kmalloc(size, GFP_KERNEL);
2169                 if (buf == NULL)
2170                         return -ENOMEM;
2171                 if ((_IOC_DIR(ctl->ioctl_code) & _IOC_WRITE)) {
2172                         if (copy_from_user(buf, ctl->data, size)) {
2173                                 kfree(buf);
2174                                 return -EFAULT;
2175                         }
2176                 } else {
2177                         memset(buf, 0, size);
2178                 }
2179         }
2180
2181         if (ps->dev->state != USB_STATE_CONFIGURED)
2182                 retval = -EHOSTUNREACH;
2183         else if (!(intf = usb_ifnum_to_if(ps->dev, ctl->ifno)))
2184                 retval = -EINVAL;
2185         else switch (ctl->ioctl_code) {
2186
2187         /* disconnect kernel driver from interface */
2188         case USBDEVFS_DISCONNECT:
2189                 if (intf->dev.driver) {
2190                         driver = to_usb_driver(intf->dev.driver);
2191                         dev_dbg(&intf->dev, "disconnect by usbfs\n");
2192                         usb_driver_release_interface(driver, intf);
2193                 } else
2194                         retval = -ENODATA;
2195                 break;
2196
2197         /* let kernel drivers try to (re)bind to the interface */
2198         case USBDEVFS_CONNECT:
2199                 if (!intf->dev.driver)
2200                         retval = device_attach(&intf->dev);
2201                 else
2202                         retval = -EBUSY;
2203                 break;
2204
2205         /* talk directly to the interface's driver */
2206         default:
2207                 if (intf->dev.driver)
2208                         driver = to_usb_driver(intf->dev.driver);
2209                 if (driver == NULL || driver->unlocked_ioctl == NULL) {
2210                         retval = -ENOTTY;
2211                 } else {
2212                         retval = driver->unlocked_ioctl(intf, ctl->ioctl_code, buf);
2213                         if (retval == -ENOIOCTLCMD)
2214                                 retval = -ENOTTY;
2215                 }
2216         }
2217
2218         /* cleanup and return */
2219         if (retval >= 0
2220                         && (_IOC_DIR(ctl->ioctl_code) & _IOC_READ) != 0
2221                         && size > 0
2222                         && copy_to_user(ctl->data, buf, size) != 0)
2223                 retval = -EFAULT;
2224
2225         kfree(buf);
2226         return retval;
2227 }
2228
2229 static int proc_ioctl_default(struct usb_dev_state *ps, void __user *arg)
2230 {
2231         struct usbdevfs_ioctl   ctrl;
2232
2233         if (copy_from_user(&ctrl, arg, sizeof(ctrl)))
2234                 return -EFAULT;
2235         return proc_ioctl(ps, &ctrl);
2236 }
2237
2238 #ifdef CONFIG_COMPAT
2239 static int proc_ioctl_compat(struct usb_dev_state *ps, compat_uptr_t arg)
2240 {
2241         struct usbdevfs_ioctl32 ioc32;
2242         struct usbdevfs_ioctl ctrl;
2243
2244         if (copy_from_user(&ioc32, compat_ptr(arg), sizeof(ioc32)))
2245                 return -EFAULT;
2246         ctrl.ifno = ioc32.ifno;
2247         ctrl.ioctl_code = ioc32.ioctl_code;
2248         ctrl.data = compat_ptr(ioc32.data);
2249         return proc_ioctl(ps, &ctrl);
2250 }
2251 #endif
2252
2253 static int proc_claim_port(struct usb_dev_state *ps, void __user *arg)
2254 {
2255         unsigned portnum;
2256         int rc;
2257
2258         if (get_user(portnum, (unsigned __user *) arg))
2259                 return -EFAULT;
2260         rc = usb_hub_claim_port(ps->dev, portnum, ps);
2261         if (rc == 0)
2262                 snoop(&ps->dev->dev, "port %d claimed by process %d: %s\n",
2263                         portnum, task_pid_nr(current), current->comm);
2264         return rc;
2265 }
2266
2267 static int proc_release_port(struct usb_dev_state *ps, void __user *arg)
2268 {
2269         unsigned portnum;
2270
2271         if (get_user(portnum, (unsigned __user *) arg))
2272                 return -EFAULT;
2273         return usb_hub_release_port(ps->dev, portnum, ps);
2274 }
2275
2276 static int proc_get_capabilities(struct usb_dev_state *ps, void __user *arg)
2277 {
2278         __u32 caps;
2279
2280         caps = USBDEVFS_CAP_ZERO_PACKET | USBDEVFS_CAP_NO_PACKET_SIZE_LIM |
2281                         USBDEVFS_CAP_REAP_AFTER_DISCONNECT | USBDEVFS_CAP_MMAP |
2282                         USBDEVFS_CAP_DROP_PRIVILEGES | USBDEVFS_CAP_CONNINFO_EX;
2283         if (!ps->dev->bus->no_stop_on_short)
2284                 caps |= USBDEVFS_CAP_BULK_CONTINUATION;
2285         if (ps->dev->bus->sg_tablesize)
2286                 caps |= USBDEVFS_CAP_BULK_SCATTER_GATHER;
2287
2288         if (put_user(caps, (__u32 __user *)arg))
2289                 return -EFAULT;
2290
2291         return 0;
2292 }
2293
2294 static int proc_disconnect_claim(struct usb_dev_state *ps, void __user *arg)
2295 {
2296         struct usbdevfs_disconnect_claim dc;
2297         struct usb_interface *intf;
2298
2299         if (copy_from_user(&dc, arg, sizeof(dc)))
2300                 return -EFAULT;
2301
2302         intf = usb_ifnum_to_if(ps->dev, dc.interface);
2303         if (!intf)
2304                 return -EINVAL;
2305
2306         if (intf->dev.driver) {
2307                 struct usb_driver *driver = to_usb_driver(intf->dev.driver);
2308
2309                 if (ps->privileges_dropped)
2310                         return -EACCES;
2311
2312                 if ((dc.flags & USBDEVFS_DISCONNECT_CLAIM_IF_DRIVER) &&
2313                                 strncmp(dc.driver, intf->dev.driver->name,
2314                                         sizeof(dc.driver)) != 0)
2315                         return -EBUSY;
2316
2317                 if ((dc.flags & USBDEVFS_DISCONNECT_CLAIM_EXCEPT_DRIVER) &&
2318                                 strncmp(dc.driver, intf->dev.driver->name,
2319                                         sizeof(dc.driver)) == 0)
2320                         return -EBUSY;
2321
2322                 dev_dbg(&intf->dev, "disconnect by usbfs\n");
2323                 usb_driver_release_interface(driver, intf);
2324         }
2325
2326         return claimintf(ps, dc.interface);
2327 }
2328
2329 static int proc_alloc_streams(struct usb_dev_state *ps, void __user *arg)
2330 {
2331         unsigned num_streams, num_eps;
2332         struct usb_host_endpoint **eps;
2333         struct usb_interface *intf;
2334         int r;
2335
2336         r = parse_usbdevfs_streams(ps, arg, &num_streams, &num_eps,
2337                                    &eps, &intf);
2338         if (r)
2339                 return r;
2340
2341         destroy_async_on_interface(ps,
2342                                    intf->altsetting[0].desc.bInterfaceNumber);
2343
2344         r = usb_alloc_streams(intf, eps, num_eps, num_streams, GFP_KERNEL);
2345         kfree(eps);
2346         return r;
2347 }
2348
2349 static int proc_free_streams(struct usb_dev_state *ps, void __user *arg)
2350 {
2351         unsigned num_eps;
2352         struct usb_host_endpoint **eps;
2353         struct usb_interface *intf;
2354         int r;
2355
2356         r = parse_usbdevfs_streams(ps, arg, NULL, &num_eps, &eps, &intf);
2357         if (r)
2358                 return r;
2359
2360         destroy_async_on_interface(ps,
2361                                    intf->altsetting[0].desc.bInterfaceNumber);
2362
2363         r = usb_free_streams(intf, eps, num_eps, GFP_KERNEL);
2364         kfree(eps);
2365         return r;
2366 }
2367
2368 static int proc_drop_privileges(struct usb_dev_state *ps, void __user *arg)
2369 {
2370         u32 data;
2371
2372         if (copy_from_user(&data, arg, sizeof(data)))
2373                 return -EFAULT;
2374
2375         /* This is a one way operation. Once privileges are
2376          * dropped, you cannot regain them. You may however reissue
2377          * this ioctl to shrink the allowed interfaces mask.
2378          */
2379         ps->interface_allowed_mask &= data;
2380         ps->privileges_dropped = true;
2381
2382         return 0;
2383 }
2384
2385 /*
2386  * NOTE:  All requests here that have interface numbers as parameters
2387  * are assuming that somehow the configuration has been prevented from
2388  * changing.  But there's no mechanism to ensure that...
2389  */
2390 static long usbdev_do_ioctl(struct file *file, unsigned int cmd,
2391                                 void __user *p)
2392 {
2393         struct usb_dev_state *ps = file->private_data;
2394         struct inode *inode = file_inode(file);
2395         struct usb_device *dev = ps->dev;
2396         int ret = -ENOTTY;
2397
2398         if (!(file->f_mode & FMODE_WRITE))
2399                 return -EPERM;
2400
2401         usb_lock_device(dev);
2402
2403         /* Reap operations are allowed even after disconnection */
2404         switch (cmd) {
2405         case USBDEVFS_REAPURB:
2406                 snoop(&dev->dev, "%s: REAPURB\n", __func__);
2407                 ret = proc_reapurb(ps, p);
2408                 goto done;
2409
2410         case USBDEVFS_REAPURBNDELAY:
2411                 snoop(&dev->dev, "%s: REAPURBNDELAY\n", __func__);
2412                 ret = proc_reapurbnonblock(ps, p);
2413                 goto done;
2414
2415 #ifdef CONFIG_COMPAT
2416         case USBDEVFS_REAPURB32:
2417                 snoop(&dev->dev, "%s: REAPURB32\n", __func__);
2418                 ret = proc_reapurb_compat(ps, p);
2419                 goto done;
2420
2421         case USBDEVFS_REAPURBNDELAY32:
2422                 snoop(&dev->dev, "%s: REAPURBNDELAY32\n", __func__);
2423                 ret = proc_reapurbnonblock_compat(ps, p);
2424                 goto done;
2425 #endif
2426         }
2427
2428         if (!connected(ps)) {
2429                 usb_unlock_device(dev);
2430                 return -ENODEV;
2431         }
2432
2433         switch (cmd) {
2434         case USBDEVFS_CONTROL:
2435                 snoop(&dev->dev, "%s: CONTROL\n", __func__);
2436                 ret = proc_control(ps, p);
2437                 if (ret >= 0)
2438                         inode->i_mtime = current_time(inode);
2439                 break;
2440
2441         case USBDEVFS_BULK:
2442                 snoop(&dev->dev, "%s: BULK\n", __func__);
2443                 ret = proc_bulk(ps, p);
2444                 if (ret >= 0)
2445                         inode->i_mtime = current_time(inode);
2446                 break;
2447
2448         case USBDEVFS_RESETEP:
2449                 snoop(&dev->dev, "%s: RESETEP\n", __func__);
2450                 ret = proc_resetep(ps, p);
2451                 if (ret >= 0)
2452                         inode->i_mtime = current_time(inode);
2453                 break;
2454
2455         case USBDEVFS_RESET:
2456                 snoop(&dev->dev, "%s: RESET\n", __func__);
2457                 ret = proc_resetdevice(ps);
2458                 break;
2459
2460         case USBDEVFS_CLEAR_HALT:
2461                 snoop(&dev->dev, "%s: CLEAR_HALT\n", __func__);
2462                 ret = proc_clearhalt(ps, p);
2463                 if (ret >= 0)
2464                         inode->i_mtime = current_time(inode);
2465                 break;
2466
2467         case USBDEVFS_GETDRIVER:
2468                 snoop(&dev->dev, "%s: GETDRIVER\n", __func__);
2469                 ret = proc_getdriver(ps, p);
2470                 break;
2471
2472         case USBDEVFS_CONNECTINFO:
2473                 snoop(&dev->dev, "%s: CONNECTINFO\n", __func__);
2474                 ret = proc_connectinfo(ps, p);
2475                 break;
2476
2477         case USBDEVFS_SETINTERFACE:
2478                 snoop(&dev->dev, "%s: SETINTERFACE\n", __func__);
2479                 ret = proc_setintf(ps, p);
2480                 break;
2481
2482         case USBDEVFS_SETCONFIGURATION:
2483                 snoop(&dev->dev, "%s: SETCONFIGURATION\n", __func__);
2484                 ret = proc_setconfig(ps, p);
2485                 break;
2486
2487         case USBDEVFS_SUBMITURB:
2488                 snoop(&dev->dev, "%s: SUBMITURB\n", __func__);
2489                 ret = proc_submiturb(ps, p);
2490                 if (ret >= 0)
2491                         inode->i_mtime = current_time(inode);
2492                 break;
2493
2494 #ifdef CONFIG_COMPAT
2495         case USBDEVFS_CONTROL32:
2496                 snoop(&dev->dev, "%s: CONTROL32\n", __func__);
2497                 ret = proc_control_compat(ps, p);
2498                 if (ret >= 0)
2499                         inode->i_mtime = current_time(inode);
2500                 break;
2501
2502         case USBDEVFS_BULK32:
2503                 snoop(&dev->dev, "%s: BULK32\n", __func__);
2504                 ret = proc_bulk_compat(ps, p);
2505                 if (ret >= 0)
2506                         inode->i_mtime = current_time(inode);
2507                 break;
2508
2509         case USBDEVFS_DISCSIGNAL32:
2510                 snoop(&dev->dev, "%s: DISCSIGNAL32\n", __func__);
2511                 ret = proc_disconnectsignal_compat(ps, p);
2512                 break;
2513
2514         case USBDEVFS_SUBMITURB32:
2515                 snoop(&dev->dev, "%s: SUBMITURB32\n", __func__);
2516                 ret = proc_submiturb_compat(ps, p);
2517                 if (ret >= 0)
2518                         inode->i_mtime = current_time(inode);
2519                 break;
2520
2521         case USBDEVFS_IOCTL32:
2522                 snoop(&dev->dev, "%s: IOCTL32\n", __func__);
2523                 ret = proc_ioctl_compat(ps, ptr_to_compat(p));
2524                 break;
2525 #endif
2526
2527         case USBDEVFS_DISCARDURB:
2528                 snoop(&dev->dev, "%s: DISCARDURB %pK\n", __func__, p);
2529                 ret = proc_unlinkurb(ps, p);
2530                 break;
2531
2532         case USBDEVFS_DISCSIGNAL:
2533                 snoop(&dev->dev, "%s: DISCSIGNAL\n", __func__);
2534                 ret = proc_disconnectsignal(ps, p);
2535                 break;
2536
2537         case USBDEVFS_CLAIMINTERFACE:
2538                 snoop(&dev->dev, "%s: CLAIMINTERFACE\n", __func__);
2539                 ret = proc_claiminterface(ps, p);
2540                 break;
2541
2542         case USBDEVFS_RELEASEINTERFACE:
2543                 snoop(&dev->dev, "%s: RELEASEINTERFACE\n", __func__);
2544                 ret = proc_releaseinterface(ps, p);
2545                 break;
2546
2547         case USBDEVFS_IOCTL:
2548                 snoop(&dev->dev, "%s: IOCTL\n", __func__);
2549                 ret = proc_ioctl_default(ps, p);
2550                 break;
2551
2552         case USBDEVFS_CLAIM_PORT:
2553                 snoop(&dev->dev, "%s: CLAIM_PORT\n", __func__);
2554                 ret = proc_claim_port(ps, p);
2555                 break;
2556
2557         case USBDEVFS_RELEASE_PORT:
2558                 snoop(&dev->dev, "%s: RELEASE_PORT\n", __func__);
2559                 ret = proc_release_port(ps, p);
2560                 break;
2561         case USBDEVFS_GET_CAPABILITIES:
2562                 ret = proc_get_capabilities(ps, p);
2563                 break;
2564         case USBDEVFS_DISCONNECT_CLAIM:
2565                 ret = proc_disconnect_claim(ps, p);
2566                 break;
2567         case USBDEVFS_ALLOC_STREAMS:
2568                 ret = proc_alloc_streams(ps, p);
2569                 break;
2570         case USBDEVFS_FREE_STREAMS:
2571                 ret = proc_free_streams(ps, p);
2572                 break;
2573         case USBDEVFS_DROP_PRIVILEGES:
2574                 ret = proc_drop_privileges(ps, p);
2575                 break;
2576         case USBDEVFS_GET_SPEED:
2577                 ret = ps->dev->speed;
2578                 break;
2579         }
2580
2581         /* Handle variable-length commands */
2582         switch (cmd & ~IOCSIZE_MASK) {
2583         case USBDEVFS_CONNINFO_EX(0):
2584                 ret = proc_conninfo_ex(ps, p, _IOC_SIZE(cmd));
2585                 break;
2586         }
2587
2588  done:
2589         usb_unlock_device(dev);
2590         if (ret >= 0)
2591                 inode->i_atime = current_time(inode);
2592         return ret;
2593 }
2594
2595 static long usbdev_ioctl(struct file *file, unsigned int cmd,
2596                         unsigned long arg)
2597 {
2598         int ret;
2599
2600         ret = usbdev_do_ioctl(file, cmd, (void __user *)arg);
2601
2602         return ret;
2603 }
2604
2605 #ifdef CONFIG_COMPAT
2606 static long usbdev_compat_ioctl(struct file *file, unsigned int cmd,
2607                         unsigned long arg)
2608 {
2609         int ret;
2610
2611         ret = usbdev_do_ioctl(file, cmd, compat_ptr(arg));
2612
2613         return ret;
2614 }
2615 #endif
2616
2617 /* No kernel lock - fine */
2618 static __poll_t usbdev_poll(struct file *file,
2619                                 struct poll_table_struct *wait)
2620 {
2621         struct usb_dev_state *ps = file->private_data;
2622         __poll_t mask = 0;
2623
2624         poll_wait(file, &ps->wait, wait);
2625         if (file->f_mode & FMODE_WRITE && !list_empty(&ps->async_completed))
2626                 mask |= EPOLLOUT | EPOLLWRNORM;
2627         if (!connected(ps))
2628                 mask |= EPOLLHUP;
2629         if (list_empty(&ps->list))
2630                 mask |= EPOLLERR;
2631         return mask;
2632 }
2633
2634 const struct file_operations usbdev_file_operations = {
2635         .owner =          THIS_MODULE,
2636         .llseek =         no_seek_end_llseek,
2637         .read =           usbdev_read,
2638         .poll =           usbdev_poll,
2639         .unlocked_ioctl = usbdev_ioctl,
2640 #ifdef CONFIG_COMPAT
2641         .compat_ioctl =   usbdev_compat_ioctl,
2642 #endif
2643         .mmap =           usbdev_mmap,
2644         .open =           usbdev_open,
2645         .release =        usbdev_release,
2646 };
2647
2648 static void usbdev_remove(struct usb_device *udev)
2649 {
2650         struct usb_dev_state *ps;
2651
2652         while (!list_empty(&udev->filelist)) {
2653                 ps = list_entry(udev->filelist.next, struct usb_dev_state, list);
2654                 destroy_all_async(ps);
2655                 wake_up_all(&ps->wait);
2656                 list_del_init(&ps->list);
2657                 if (ps->discsignr)
2658                         kill_pid_usb_asyncio(ps->discsignr, EPIPE, ps->disccontext,
2659                                              ps->disc_pid, ps->cred);
2660         }
2661 }
2662
2663 static int usbdev_notify(struct notifier_block *self,
2664                                unsigned long action, void *dev)
2665 {
2666         switch (action) {
2667         case USB_DEVICE_ADD:
2668                 break;
2669         case USB_DEVICE_REMOVE:
2670                 usbdev_remove(dev);
2671                 break;
2672         }
2673         return NOTIFY_OK;
2674 }
2675
2676 static struct notifier_block usbdev_nb = {
2677         .notifier_call =        usbdev_notify,
2678 };
2679
2680 static struct cdev usb_device_cdev;
2681
2682 int __init usb_devio_init(void)
2683 {
2684         int retval;
2685
2686         retval = register_chrdev_region(USB_DEVICE_DEV, USB_DEVICE_MAX,
2687                                         "usb_device");
2688         if (retval) {
2689                 printk(KERN_ERR "Unable to register minors for usb_device\n");
2690                 goto out;
2691         }
2692         cdev_init(&usb_device_cdev, &usbdev_file_operations);
2693         retval = cdev_add(&usb_device_cdev, USB_DEVICE_DEV, USB_DEVICE_MAX);
2694         if (retval) {
2695                 printk(KERN_ERR "Unable to get usb_device major %d\n",
2696                        USB_DEVICE_MAJOR);
2697                 goto error_cdev;
2698         }
2699         usb_register_notify(&usbdev_nb);
2700 out:
2701         return retval;
2702
2703 error_cdev:
2704         unregister_chrdev_region(USB_DEVICE_DEV, USB_DEVICE_MAX);
2705         goto out;
2706 }
2707
2708 void usb_devio_cleanup(void)
2709 {
2710         usb_unregister_notify(&usbdev_nb);
2711         cdev_del(&usb_device_cdev);
2712         unregister_chrdev_region(USB_DEVICE_DEV, USB_DEVICE_MAX);
2713 }