xref: /linux/drivers/usb/core/devio.c (revision 2624f124b3b5d550ab2fbef7ee3bc0e1fed09722) 
1 /*****************************************************************************/
2 
3 /*
4  *      devio.c  --  User space communication with USB devices.
5  *
6  *      Copyright (C) 1999-2000  Thomas Sailer (sailer@ife.ee.ethz.ch)
7  *
8  *      This program is free software; you can redistribute it and/or modify
9  *      it under the terms of the GNU General Public License as published by
10  *      the Free Software Foundation; either version 2 of the License, or
11  *      (at your option) any later version.
12  *
13  *      This program is distributed in the hope that it will be useful,
14  *      but WITHOUT ANY WARRANTY; without even the implied warranty of
15  *      MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
16  *      GNU General Public License for more details.
17  *
18  *      You should have received a copy of the GNU General Public License
19  *      along with this program; if not, write to the Free Software
20  *      Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
21  *
22  *  $Id: devio.c,v 1.7 2000/02/01 17:28:48 fliegl Exp $
23  *
24  *  This file implements the usbfs/x/y files, where
25  *  x is the bus number and y the device number.
26  *
27  *  It allows user space programs/"drivers" to communicate directly
28  *  with USB devices without intervening kernel driver.
29  *
30  *  Revision history
31  *    22.12.1999   0.1   Initial release (split from proc_usb.c)
32  *    04.01.2000   0.2   Turned into its own filesystem
33  */
34 
35 /*****************************************************************************/
36 
37 #include <linux/fs.h>
38 #include <linux/mm.h>
39 #include <linux/slab.h>
40 #include <linux/smp_lock.h>
41 #include <linux/signal.h>
42 #include <linux/poll.h>
43 #include <linux/module.h>
44 #include <linux/usb.h>
45 #include <linux/usbdevice_fs.h>
46 #include <linux/cdev.h>
47 #include <asm/uaccess.h>
48 #include <asm/byteorder.h>
49 #include <linux/moduleparam.h>
50 
51 #include "hcd.h"	/* for usbcore internals */
52 #include "usb.h"
53 
54 #define USB_MAXBUS			64
55 #define USB_DEVICE_MAX			USB_MAXBUS * 128
56 static struct class *usb_device_class;
57 
58 struct async {
59 	struct list_head asynclist;
60 	struct dev_state *ps;
61 	struct task_struct *task;
62 	unsigned int signr;
63 	unsigned int ifnum;
64 	void __user *userbuffer;
65 	void __user *userurb;
66 	struct urb *urb;
67 };
68 
69 static int usbfs_snoop = 0;
70 module_param (usbfs_snoop, bool, S_IRUGO | S_IWUSR);
71 MODULE_PARM_DESC (usbfs_snoop, "true to log all usbfs traffic");
72 
73 #define snoop(dev, format, arg...)				\
74 	do {							\
75 		if (usbfs_snoop)				\
76 			dev_info( dev , format , ## arg);	\
77 	} while (0)
78 
79 #define USB_DEVICE_DEV		MKDEV(USB_DEVICE_MAJOR, 0)
80 
81 
82 #define	MAX_USBFS_BUFFER_SIZE	16384
83 
84 static inline int connected (struct usb_device *dev)
85 {
86 	return dev->state != USB_STATE_NOTATTACHED;
87 }
88 
89 static loff_t usbdev_lseek(struct file *file, loff_t offset, int orig)
90 {
91 	loff_t ret;
92 
93 	lock_kernel();
94 
95 	switch (orig) {
96 	case 0:
97 		file->f_pos = offset;
98 		ret = file->f_pos;
99 		break;
100 	case 1:
101 		file->f_pos += offset;
102 		ret = file->f_pos;
103 		break;
104 	case 2:
105 	default:
106 		ret = -EINVAL;
107 	}
108 
109 	unlock_kernel();
110 	return ret;
111 }
112 
113 static ssize_t usbdev_read(struct file *file, char __user *buf, size_t nbytes, loff_t *ppos)
114 {
115 	struct dev_state *ps = (struct dev_state *)file->private_data;
116 	struct usb_device *dev = ps->dev;
117 	ssize_t ret = 0;
118 	unsigned len;
119 	loff_t pos;
120 	int i;
121 
122 	pos = *ppos;
123 	usb_lock_device(dev);
124 	if (!connected(dev)) {
125 		ret = -ENODEV;
126 		goto err;
127 	} else if (pos < 0) {
128 		ret = -EINVAL;
129 		goto err;
130 	}
131 
132 	if (pos < sizeof(struct usb_device_descriptor)) {
133 		struct usb_device_descriptor *desc = kmalloc(sizeof(*desc), GFP_KERNEL);
134 		if (!desc) {
135 			ret = -ENOMEM;
136 			goto err;
137 		}
138 		memcpy(desc, &dev->descriptor, sizeof(dev->descriptor));
139 		le16_to_cpus(&desc->bcdUSB);
140 		le16_to_cpus(&desc->idVendor);
141 		le16_to_cpus(&desc->idProduct);
142 		le16_to_cpus(&desc->bcdDevice);
143 
144 		len = sizeof(struct usb_device_descriptor) - pos;
145 		if (len > nbytes)
146 			len = nbytes;
147 		if (copy_to_user(buf, ((char *)desc) + pos, len)) {
148 			kfree(desc);
149 			ret = -EFAULT;
150 			goto err;
151 		}
152 		kfree(desc);
153 
154 		*ppos += len;
155 		buf += len;
156 		nbytes -= len;
157 		ret += len;
158 	}
159 
160 	pos = sizeof(struct usb_device_descriptor);
161 	for (i = 0; nbytes && i < dev->descriptor.bNumConfigurations; i++) {
162 		struct usb_config_descriptor *config =
163 			(struct usb_config_descriptor *)dev->rawdescriptors[i];
164 		unsigned int length = le16_to_cpu(config->wTotalLength);
165 
166 		if (*ppos < pos + length) {
167 
168 			/* The descriptor may claim to be longer than it
169 			 * really is.  Here is the actual allocated length. */
170 			unsigned alloclen =
171 				le16_to_cpu(dev->config[i].desc.wTotalLength);
172 
173 			len = length - (*ppos - pos);
174 			if (len > nbytes)
175 				len = nbytes;
176 
177 			/* Simply don't write (skip over) unallocated parts */
178 			if (alloclen > (*ppos - pos)) {
179 				alloclen -= (*ppos - pos);
180 				if (copy_to_user(buf,
181 				    dev->rawdescriptors[i] + (*ppos - pos),
182 				    min(len, alloclen))) {
183 					ret = -EFAULT;
184 					goto err;
185 				}
186 			}
187 
188 			*ppos += len;
189 			buf += len;
190 			nbytes -= len;
191 			ret += len;
192 		}
193 
194 		pos += length;
195 	}
196 
197 err:
198 	usb_unlock_device(dev);
199 	return ret;
200 }
201 
202 /*
203  * async list handling
204  */
205 
206 static struct async *alloc_async(unsigned int numisoframes)
207 {
208         unsigned int assize = sizeof(struct async) + numisoframes * sizeof(struct usb_iso_packet_descriptor);
209         struct async *as = kmalloc(assize, GFP_KERNEL);
210         if (!as)
211                 return NULL;
212         memset(as, 0, assize);
213 	as->urb = usb_alloc_urb(numisoframes, GFP_KERNEL);
214 	if (!as->urb) {
215 		kfree(as);
216 		return NULL;
217 	}
218         return as;
219 }
220 
221 static void free_async(struct async *as)
222 {
223 	kfree(as->urb->transfer_buffer);
224 	kfree(as->urb->setup_packet);
225 	usb_free_urb(as->urb);
226 	kfree(as);
227 }
228 
229 static inline void async_newpending(struct async *as)
230 {
231         struct dev_state *ps = as->ps;
232         unsigned long flags;
233 
234         spin_lock_irqsave(&ps->lock, flags);
235         list_add_tail(&as->asynclist, &ps->async_pending);
236         spin_unlock_irqrestore(&ps->lock, flags);
237 }
238 
239 static inline void async_removepending(struct async *as)
240 {
241         struct dev_state *ps = as->ps;
242         unsigned long flags;
243 
244         spin_lock_irqsave(&ps->lock, flags);
245         list_del_init(&as->asynclist);
246         spin_unlock_irqrestore(&ps->lock, flags);
247 }
248 
249 static inline struct async *async_getcompleted(struct dev_state *ps)
250 {
251         unsigned long flags;
252         struct async *as = NULL;
253 
254         spin_lock_irqsave(&ps->lock, flags);
255         if (!list_empty(&ps->async_completed)) {
256                 as = list_entry(ps->async_completed.next, struct async, asynclist);
257                 list_del_init(&as->asynclist);
258         }
259         spin_unlock_irqrestore(&ps->lock, flags);
260         return as;
261 }
262 
263 static inline struct async *async_getpending(struct dev_state *ps, void __user *userurb)
264 {
265         unsigned long flags;
266         struct async *as;
267 
268         spin_lock_irqsave(&ps->lock, flags);
269 	list_for_each_entry(as, &ps->async_pending, asynclist)
270 		if (as->userurb == userurb) {
271 			list_del_init(&as->asynclist);
272 			spin_unlock_irqrestore(&ps->lock, flags);
273 			return as;
274 		}
275         spin_unlock_irqrestore(&ps->lock, flags);
276         return NULL;
277 }
278 
279 static void async_completed(struct urb *urb, struct pt_regs *regs)
280 {
281         struct async *as = (struct async *)urb->context;
282         struct dev_state *ps = as->ps;
283 	struct siginfo sinfo;
284 
285         spin_lock(&ps->lock);
286         list_move_tail(&as->asynclist, &ps->async_completed);
287         spin_unlock(&ps->lock);
288 	if (as->signr) {
289 		sinfo.si_signo = as->signr;
290 		sinfo.si_errno = as->urb->status;
291 		sinfo.si_code = SI_ASYNCIO;
292 		sinfo.si_addr = as->userurb;
293 		send_sig_info(as->signr, &sinfo, as->task);
294 	}
295         wake_up(&ps->wait);
296 }
297 
298 static void destroy_async (struct dev_state *ps, struct list_head *list)
299 {
300 	struct async *as;
301 	unsigned long flags;
302 
303 	spin_lock_irqsave(&ps->lock, flags);
304 	while (!list_empty(list)) {
305 		as = list_entry(list->next, struct async, asynclist);
306 		list_del_init(&as->asynclist);
307 
308 		/* drop the spinlock so the completion handler can run */
309 		spin_unlock_irqrestore(&ps->lock, flags);
310 		usb_kill_urb(as->urb);
311 		spin_lock_irqsave(&ps->lock, flags);
312 	}
313 	spin_unlock_irqrestore(&ps->lock, flags);
314 	as = async_getcompleted(ps);
315 	while (as) {
316 		free_async(as);
317 		as = async_getcompleted(ps);
318 	}
319 }
320 
321 static void destroy_async_on_interface (struct dev_state *ps, unsigned int ifnum)
322 {
323 	struct list_head *p, *q, hitlist;
324 	unsigned long flags;
325 
326 	INIT_LIST_HEAD(&hitlist);
327 	spin_lock_irqsave(&ps->lock, flags);
328 	list_for_each_safe(p, q, &ps->async_pending)
329 		if (ifnum == list_entry(p, struct async, asynclist)->ifnum)
330 			list_move_tail(p, &hitlist);
331 	spin_unlock_irqrestore(&ps->lock, flags);
332 	destroy_async(ps, &hitlist);
333 }
334 
335 static inline void destroy_all_async(struct dev_state *ps)
336 {
337 	        destroy_async(ps, &ps->async_pending);
338 }
339 
340 /*
341  * interface claims are made only at the request of user level code,
342  * which can also release them (explicitly or by closing files).
343  * they're also undone when devices disconnect.
344  */
345 
346 static int driver_probe (struct usb_interface *intf,
347 			 const struct usb_device_id *id)
348 {
349 	return -ENODEV;
350 }
351 
352 static void driver_disconnect(struct usb_interface *intf)
353 {
354 	struct dev_state *ps = usb_get_intfdata (intf);
355 	unsigned int ifnum = intf->altsetting->desc.bInterfaceNumber;
356 
357 	if (!ps)
358 		return;
359 
360 	/* NOTE:  this relies on usbcore having canceled and completed
361 	 * all pending I/O requests; 2.6 does that.
362 	 */
363 
364 	if (likely(ifnum < 8*sizeof(ps->ifclaimed)))
365 		clear_bit(ifnum, &ps->ifclaimed);
366 	else
367 		warn("interface number %u out of range", ifnum);
368 
369 	usb_set_intfdata (intf, NULL);
370 
371 	/* force async requests to complete */
372 	destroy_async_on_interface(ps, ifnum);
373 }
374 
375 struct usb_driver usbfs_driver = {
376 	.owner =	THIS_MODULE,
377 	.name =		"usbfs",
378 	.probe =	driver_probe,
379 	.disconnect =	driver_disconnect,
380 };
381 
382 static int claimintf(struct dev_state *ps, unsigned int ifnum)
383 {
384 	struct usb_device *dev = ps->dev;
385 	struct usb_interface *intf;
386 	int err;
387 
388 	if (ifnum >= 8*sizeof(ps->ifclaimed))
389 		return -EINVAL;
390 	/* already claimed */
391 	if (test_bit(ifnum, &ps->ifclaimed))
392 		return 0;
393 
394 	/* lock against other changes to driver bindings */
395 	down_write(&usb_bus_type.subsys.rwsem);
396 	intf = usb_ifnum_to_if(dev, ifnum);
397 	if (!intf)
398 		err = -ENOENT;
399 	else
400 		err = usb_driver_claim_interface(&usbfs_driver, intf, ps);
401 	up_write(&usb_bus_type.subsys.rwsem);
402 	if (err == 0)
403 		set_bit(ifnum, &ps->ifclaimed);
404 	return err;
405 }
406 
407 static int releaseintf(struct dev_state *ps, unsigned int ifnum)
408 {
409 	struct usb_device *dev;
410 	struct usb_interface *intf;
411 	int err;
412 
413 	err = -EINVAL;
414 	if (ifnum >= 8*sizeof(ps->ifclaimed))
415 		return err;
416 	dev = ps->dev;
417 	/* lock against other changes to driver bindings */
418 	down_write(&usb_bus_type.subsys.rwsem);
419 	intf = usb_ifnum_to_if(dev, ifnum);
420 	if (!intf)
421 		err = -ENOENT;
422 	else if (test_and_clear_bit(ifnum, &ps->ifclaimed)) {
423 		usb_driver_release_interface(&usbfs_driver, intf);
424 		err = 0;
425 	}
426 	up_write(&usb_bus_type.subsys.rwsem);
427 	return err;
428 }
429 
430 static int checkintf(struct dev_state *ps, unsigned int ifnum)
431 {
432 	if (ps->dev->state != USB_STATE_CONFIGURED)
433 		return -EHOSTUNREACH;
434 	if (ifnum >= 8*sizeof(ps->ifclaimed))
435 		return -EINVAL;
436 	if (test_bit(ifnum, &ps->ifclaimed))
437 		return 0;
438 	/* if not yet claimed, claim it for the driver */
439 	dev_warn(&ps->dev->dev, "usbfs: process %d (%s) did not claim interface %u before use\n",
440 	       current->pid, current->comm, ifnum);
441 	return claimintf(ps, ifnum);
442 }
443 
444 static int findintfep(struct usb_device *dev, unsigned int ep)
445 {
446 	unsigned int i, j, e;
447         struct usb_interface *intf;
448 	struct usb_host_interface *alts;
449 	struct usb_endpoint_descriptor *endpt;
450 
451 	if (ep & ~(USB_DIR_IN|0xf))
452 		return -EINVAL;
453 	if (!dev->actconfig)
454 		return -ESRCH;
455 	for (i = 0; i < dev->actconfig->desc.bNumInterfaces; i++) {
456 		intf = dev->actconfig->interface[i];
457 		for (j = 0; j < intf->num_altsetting; j++) {
458                         alts = &intf->altsetting[j];
459 			for (e = 0; e < alts->desc.bNumEndpoints; e++) {
460 				endpt = &alts->endpoint[e].desc;
461 				if (endpt->bEndpointAddress == ep)
462 					return alts->desc.bInterfaceNumber;
463 			}
464 		}
465 	}
466 	return -ENOENT;
467 }
468 
469 static int check_ctrlrecip(struct dev_state *ps, unsigned int requesttype, unsigned int index)
470 {
471 	int ret = 0;
472 
473 	if (ps->dev->state != USB_STATE_CONFIGURED)
474 		return -EHOSTUNREACH;
475 	if (USB_TYPE_VENDOR == (USB_TYPE_MASK & requesttype))
476 		return 0;
477 
478 	index &= 0xff;
479 	switch (requesttype & USB_RECIP_MASK) {
480 	case USB_RECIP_ENDPOINT:
481 		if ((ret = findintfep(ps->dev, index)) >= 0)
482 			ret = checkintf(ps, ret);
483 		break;
484 
485 	case USB_RECIP_INTERFACE:
486 		ret = checkintf(ps, index);
487 		break;
488 	}
489 	return ret;
490 }
491 
492 /*
493  * file operations
494  */
495 static int usbdev_open(struct inode *inode, struct file *file)
496 {
497 	struct usb_device *dev = NULL;
498 	struct dev_state *ps;
499 	int ret;
500 
501 	/*
502 	 * no locking necessary here, as chrdev_open has the kernel lock
503 	 * (still acquire the kernel lock for safety)
504 	 */
505 	ret = -ENOMEM;
506 	if (!(ps = kmalloc(sizeof(struct dev_state), GFP_KERNEL)))
507 		goto out_nolock;
508 
509 	lock_kernel();
510 	ret = -ENOENT;
511 	/* check if we are called from a real node or usbfs */
512 	if (imajor(inode) == USB_DEVICE_MAJOR)
513 		dev = usbdev_lookup_minor(iminor(inode));
514 	if (!dev)
515 		dev = inode->u.generic_ip;
516 	if (!dev) {
517 		kfree(ps);
518 		goto out;
519 	}
520 	usb_get_dev(dev);
521 	ret = 0;
522 	ps->dev = dev;
523 	ps->file = file;
524 	spin_lock_init(&ps->lock);
525 	INIT_LIST_HEAD(&ps->async_pending);
526 	INIT_LIST_HEAD(&ps->async_completed);
527 	init_waitqueue_head(&ps->wait);
528 	ps->discsignr = 0;
529 	ps->disctask = current;
530 	ps->disccontext = NULL;
531 	ps->ifclaimed = 0;
532 	wmb();
533 	list_add_tail(&ps->list, &dev->filelist);
534 	file->private_data = ps;
535  out:
536 	unlock_kernel();
537  out_nolock:
538         return ret;
539 }
540 
541 static int usbdev_release(struct inode *inode, struct file *file)
542 {
543 	struct dev_state *ps = (struct dev_state *)file->private_data;
544 	struct usb_device *dev = ps->dev;
545 	unsigned int ifnum;
546 
547 	usb_lock_device(dev);
548 	list_del_init(&ps->list);
549 	for (ifnum = 0; ps->ifclaimed && ifnum < 8*sizeof(ps->ifclaimed);
550 			ifnum++) {
551 		if (test_bit(ifnum, &ps->ifclaimed))
552 			releaseintf(ps, ifnum);
553 	}
554 	destroy_all_async(ps);
555 	usb_unlock_device(dev);
556 	usb_put_dev(dev);
557 	ps->dev = NULL;
558 	kfree(ps);
559         return 0;
560 }
561 
562 static int proc_control(struct dev_state *ps, void __user *arg)
563 {
564 	struct usb_device *dev = ps->dev;
565 	struct usbdevfs_ctrltransfer ctrl;
566 	unsigned int tmo;
567 	unsigned char *tbuf;
568 	int i, j, ret;
569 
570 	if (copy_from_user(&ctrl, arg, sizeof(ctrl)))
571 		return -EFAULT;
572 	if ((ret = check_ctrlrecip(ps, ctrl.bRequestType, ctrl.wIndex)))
573 		return ret;
574 	if (ctrl.wLength > PAGE_SIZE)
575 		return -EINVAL;
576 	if (!(tbuf = (unsigned char *)__get_free_page(GFP_KERNEL)))
577 		return -ENOMEM;
578 	tmo = ctrl.timeout;
579 	if (ctrl.bRequestType & 0x80) {
580 		if (ctrl.wLength && !access_ok(VERIFY_WRITE, ctrl.data, ctrl.wLength)) {
581 			free_page((unsigned long)tbuf);
582 			return -EINVAL;
583 		}
584 		snoop(&dev->dev, "control read: bRequest=%02x "
585 				"bRrequestType=%02x wValue=%04x "
586 				"wIndex=%04x wLength=%04x\n",
587 			ctrl.bRequest, ctrl.bRequestType, ctrl.wValue,
588 				ctrl.wIndex, ctrl.wLength);
589 
590 		usb_unlock_device(dev);
591 		i = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0), ctrl.bRequest, ctrl.bRequestType,
592 				       ctrl.wValue, ctrl.wIndex, tbuf, ctrl.wLength, tmo);
593 		usb_lock_device(dev);
594 		if ((i > 0) && ctrl.wLength) {
595 			if (usbfs_snoop) {
596 				dev_info(&dev->dev, "control read: data ");
597 				for (j = 0; j < i; ++j)
598 					printk ("%02x ", (unsigned char)(tbuf)[j]);
599 				printk("\n");
600 			}
601 			if (copy_to_user(ctrl.data, tbuf, i)) {
602 				free_page((unsigned long)tbuf);
603 				return -EFAULT;
604 			}
605 		}
606 	} else {
607 		if (ctrl.wLength) {
608 			if (copy_from_user(tbuf, ctrl.data, ctrl.wLength)) {
609 				free_page((unsigned long)tbuf);
610 				return -EFAULT;
611 			}
612 		}
613 		snoop(&dev->dev, "control write: bRequest=%02x "
614 				"bRrequestType=%02x wValue=%04x "
615 				"wIndex=%04x wLength=%04x\n",
616 			ctrl.bRequest, ctrl.bRequestType, ctrl.wValue,
617 				ctrl.wIndex, ctrl.wLength);
618 		if (usbfs_snoop) {
619 			dev_info(&dev->dev, "control write: data: ");
620 			for (j = 0; j < ctrl.wLength; ++j)
621 				printk ("%02x ", (unsigned char)(tbuf)[j]);
622 			printk("\n");
623 		}
624 		usb_unlock_device(dev);
625 		i = usb_control_msg(dev, usb_sndctrlpipe(dev, 0), ctrl.bRequest, ctrl.bRequestType,
626 				       ctrl.wValue, ctrl.wIndex, tbuf, ctrl.wLength, tmo);
627 		usb_lock_device(dev);
628 	}
629 	free_page((unsigned long)tbuf);
630 	if (i<0 && i != -EPIPE) {
631 		dev_printk(KERN_DEBUG, &dev->dev, "usbfs: USBDEVFS_CONTROL "
632 			   "failed cmd %s rqt %u rq %u len %u ret %d\n",
633 			   current->comm, ctrl.bRequestType, ctrl.bRequest,
634 			   ctrl.wLength, i);
635 	}
636 	return i;
637 }
638 
639 static int proc_bulk(struct dev_state *ps, void __user *arg)
640 {
641 	struct usb_device *dev = ps->dev;
642 	struct usbdevfs_bulktransfer bulk;
643 	unsigned int tmo, len1, pipe;
644 	int len2;
645 	unsigned char *tbuf;
646 	int i, ret;
647 
648 	if (copy_from_user(&bulk, arg, sizeof(bulk)))
649 		return -EFAULT;
650 	if ((ret = findintfep(ps->dev, bulk.ep)) < 0)
651 		return ret;
652 	if ((ret = checkintf(ps, ret)))
653 		return ret;
654 	if (bulk.ep & USB_DIR_IN)
655 		pipe = usb_rcvbulkpipe(dev, bulk.ep & 0x7f);
656 	else
657 		pipe = usb_sndbulkpipe(dev, bulk.ep & 0x7f);
658 	if (!usb_maxpacket(dev, pipe, !(bulk.ep & USB_DIR_IN)))
659 		return -EINVAL;
660 	len1 = bulk.len;
661 	if (len1 > MAX_USBFS_BUFFER_SIZE)
662 		return -EINVAL;
663 	if (!(tbuf = kmalloc(len1, GFP_KERNEL)))
664 		return -ENOMEM;
665 	tmo = bulk.timeout;
666 	if (bulk.ep & 0x80) {
667 		if (len1 && !access_ok(VERIFY_WRITE, bulk.data, len1)) {
668 			kfree(tbuf);
669 			return -EINVAL;
670 		}
671 		usb_unlock_device(dev);
672 		i = usb_bulk_msg(dev, pipe, tbuf, len1, &len2, tmo);
673 		usb_lock_device(dev);
674 		if (!i && len2) {
675 			if (copy_to_user(bulk.data, tbuf, len2)) {
676 				kfree(tbuf);
677 				return -EFAULT;
678 			}
679 		}
680 	} else {
681 		if (len1) {
682 			if (copy_from_user(tbuf, bulk.data, len1)) {
683 				kfree(tbuf);
684 				return -EFAULT;
685 			}
686 		}
687 		usb_unlock_device(dev);
688 		i = usb_bulk_msg(dev, pipe, tbuf, len1, &len2, tmo);
689 		usb_lock_device(dev);
690 	}
691 	kfree(tbuf);
692 	if (i < 0)
693 		return i;
694 	return len2;
695 }
696 
697 static int proc_resetep(struct dev_state *ps, void __user *arg)
698 {
699 	unsigned int ep;
700 	int ret;
701 
702 	if (get_user(ep, (unsigned int __user *)arg))
703 		return -EFAULT;
704 	if ((ret = findintfep(ps->dev, ep)) < 0)
705 		return ret;
706 	if ((ret = checkintf(ps, ret)))
707 		return ret;
708 	usb_settoggle(ps->dev, ep & 0xf, !(ep & USB_DIR_IN), 0);
709 	return 0;
710 }
711 
712 static int proc_clearhalt(struct dev_state *ps, void __user *arg)
713 {
714 	unsigned int ep;
715 	int pipe;
716 	int ret;
717 
718 	if (get_user(ep, (unsigned int __user *)arg))
719 		return -EFAULT;
720 	if ((ret = findintfep(ps->dev, ep)) < 0)
721 		return ret;
722 	if ((ret = checkintf(ps, ret)))
723 		return ret;
724 	if (ep & USB_DIR_IN)
725                 pipe = usb_rcvbulkpipe(ps->dev, ep & 0x7f);
726         else
727                 pipe = usb_sndbulkpipe(ps->dev, ep & 0x7f);
728 
729 	return usb_clear_halt(ps->dev, pipe);
730 }
731 
732 
733 static int proc_getdriver(struct dev_state *ps, void __user *arg)
734 {
735 	struct usbdevfs_getdriver gd;
736 	struct usb_interface *intf;
737 	int ret;
738 
739 	if (copy_from_user(&gd, arg, sizeof(gd)))
740 		return -EFAULT;
741 	down_read(&usb_bus_type.subsys.rwsem);
742 	intf = usb_ifnum_to_if(ps->dev, gd.interface);
743 	if (!intf || !intf->dev.driver)
744 		ret = -ENODATA;
745 	else {
746 		strncpy(gd.driver, intf->dev.driver->name,
747 				sizeof(gd.driver));
748 		ret = (copy_to_user(arg, &gd, sizeof(gd)) ? -EFAULT : 0);
749 	}
750 	up_read(&usb_bus_type.subsys.rwsem);
751 	return ret;
752 }
753 
754 static int proc_connectinfo(struct dev_state *ps, void __user *arg)
755 {
756 	struct usbdevfs_connectinfo ci;
757 
758 	ci.devnum = ps->dev->devnum;
759 	ci.slow = ps->dev->speed == USB_SPEED_LOW;
760 	if (copy_to_user(arg, &ci, sizeof(ci)))
761 		return -EFAULT;
762 	return 0;
763 }
764 
765 static int proc_resetdevice(struct dev_state *ps)
766 {
767 	return usb_reset_device(ps->dev);
768 
769 }
770 
771 static int proc_setintf(struct dev_state *ps, void __user *arg)
772 {
773 	struct usbdevfs_setinterface setintf;
774 	int ret;
775 
776 	if (copy_from_user(&setintf, arg, sizeof(setintf)))
777 		return -EFAULT;
778 	if ((ret = checkintf(ps, setintf.interface)))
779 		return ret;
780 	return usb_set_interface(ps->dev, setintf.interface,
781 			setintf.altsetting);
782 }
783 
784 static int proc_setconfig(struct dev_state *ps, void __user *arg)
785 {
786 	unsigned int u;
787 	int status = 0;
788  	struct usb_host_config *actconfig;
789 
790 	if (get_user(u, (unsigned int __user *)arg))
791 		return -EFAULT;
792 
793  	actconfig = ps->dev->actconfig;
794 
795  	/* Don't touch the device if any interfaces are claimed.
796  	 * It could interfere with other drivers' operations, and if
797 	 * an interface is claimed by usbfs it could easily deadlock.
798 	 */
799  	if (actconfig) {
800  		int i;
801 
802  		for (i = 0; i < actconfig->desc.bNumInterfaces; ++i) {
803  			if (usb_interface_claimed(actconfig->interface[i])) {
804 				dev_warn (&ps->dev->dev,
805 					"usbfs: interface %d claimed by %s "
806 					"while '%s' sets config #%d\n",
807 					actconfig->interface[i]
808 						->cur_altsetting
809 						->desc.bInterfaceNumber,
810 					actconfig->interface[i]
811 						->dev.driver->name,
812 					current->comm, u);
813  				status = -EBUSY;
814 				break;
815 			}
816  		}
817  	}
818 
819 	/* SET_CONFIGURATION is often abused as a "cheap" driver reset,
820 	 * so avoid usb_set_configuration()'s kick to sysfs
821 	 */
822 	if (status == 0) {
823 		if (actconfig && actconfig->desc.bConfigurationValue == u)
824 			status = usb_reset_configuration(ps->dev);
825 		else
826 			status = usb_set_configuration(ps->dev, u);
827 	}
828 
829 	return status;
830 }
831 
832 
833 static int proc_do_submiturb(struct dev_state *ps, struct usbdevfs_urb *uurb,
834 			     struct usbdevfs_iso_packet_desc __user *iso_frame_desc,
835 			     void __user *arg)
836 {
837 	struct usbdevfs_iso_packet_desc *isopkt = NULL;
838 	struct usb_host_endpoint *ep;
839 	struct async *as;
840 	struct usb_ctrlrequest *dr = NULL;
841 	unsigned int u, totlen, isofrmlen;
842 	int ret, interval = 0, ifnum = -1;
843 
844 	if (uurb->flags & ~(USBDEVFS_URB_ISO_ASAP|USBDEVFS_URB_SHORT_NOT_OK|
845 			   URB_NO_FSBR|URB_ZERO_PACKET))
846 		return -EINVAL;
847 	if (!uurb->buffer)
848 		return -EINVAL;
849 	if (uurb->signr != 0 && (uurb->signr < SIGRTMIN || uurb->signr > SIGRTMAX))
850 		return -EINVAL;
851 	if (!(uurb->type == USBDEVFS_URB_TYPE_CONTROL && (uurb->endpoint & ~USB_ENDPOINT_DIR_MASK) == 0)) {
852 		if ((ifnum = findintfep(ps->dev, uurb->endpoint)) < 0)
853 			return ifnum;
854 		if ((ret = checkintf(ps, ifnum)))
855 			return ret;
856 	}
857 	if ((uurb->endpoint & USB_ENDPOINT_DIR_MASK) != 0)
858 		ep = ps->dev->ep_in [uurb->endpoint & USB_ENDPOINT_NUMBER_MASK];
859 	else
860 		ep = ps->dev->ep_out [uurb->endpoint & USB_ENDPOINT_NUMBER_MASK];
861 	if (!ep)
862 		return -ENOENT;
863 	switch(uurb->type) {
864 	case USBDEVFS_URB_TYPE_CONTROL:
865 		if ((ep->desc.bmAttributes & USB_ENDPOINT_XFERTYPE_MASK)
866 				!= USB_ENDPOINT_XFER_CONTROL)
867 			return -EINVAL;
868 		/* min 8 byte setup packet, max arbitrary */
869 		if (uurb->buffer_length < 8 || uurb->buffer_length > PAGE_SIZE)
870 			return -EINVAL;
871 		if (!(dr = kmalloc(sizeof(struct usb_ctrlrequest), GFP_KERNEL)))
872 			return -ENOMEM;
873 		if (copy_from_user(dr, uurb->buffer, 8)) {
874 			kfree(dr);
875 			return -EFAULT;
876 		}
877 		if (uurb->buffer_length < (le16_to_cpup(&dr->wLength) + 8)) {
878 			kfree(dr);
879 			return -EINVAL;
880 		}
881 		if ((ret = check_ctrlrecip(ps, dr->bRequestType, le16_to_cpup(&dr->wIndex)))) {
882 			kfree(dr);
883 			return ret;
884 		}
885 		uurb->endpoint = (uurb->endpoint & ~USB_ENDPOINT_DIR_MASK) | (dr->bRequestType & USB_ENDPOINT_DIR_MASK);
886 		uurb->number_of_packets = 0;
887 		uurb->buffer_length = le16_to_cpup(&dr->wLength);
888 		uurb->buffer += 8;
889 		if (!access_ok((uurb->endpoint & USB_DIR_IN) ?  VERIFY_WRITE : VERIFY_READ, uurb->buffer, uurb->buffer_length)) {
890 			kfree(dr);
891 			return -EFAULT;
892 		}
893 		break;
894 
895 	case USBDEVFS_URB_TYPE_BULK:
896 		switch (ep->desc.bmAttributes & USB_ENDPOINT_XFERTYPE_MASK) {
897 		case USB_ENDPOINT_XFER_CONTROL:
898 		case USB_ENDPOINT_XFER_ISOC:
899 			return -EINVAL;
900 		/* allow single-shot interrupt transfers, at bogus rates */
901 		}
902 		uurb->number_of_packets = 0;
903 		if (uurb->buffer_length > MAX_USBFS_BUFFER_SIZE)
904 			return -EINVAL;
905 		if (!access_ok((uurb->endpoint & USB_DIR_IN) ? VERIFY_WRITE : VERIFY_READ, uurb->buffer, uurb->buffer_length))
906 			return -EFAULT;
907 		break;
908 
909 	case USBDEVFS_URB_TYPE_ISO:
910 		/* arbitrary limit */
911 		if (uurb->number_of_packets < 1 || uurb->number_of_packets > 128)
912 			return -EINVAL;
913 		if ((ep->desc.bmAttributes & USB_ENDPOINT_XFERTYPE_MASK)
914 				!= USB_ENDPOINT_XFER_ISOC)
915 			return -EINVAL;
916 		interval = 1 << min (15, ep->desc.bInterval - 1);
917 		isofrmlen = sizeof(struct usbdevfs_iso_packet_desc) * uurb->number_of_packets;
918 		if (!(isopkt = kmalloc(isofrmlen, GFP_KERNEL)))
919 			return -ENOMEM;
920 		if (copy_from_user(isopkt, iso_frame_desc, isofrmlen)) {
921 			kfree(isopkt);
922 			return -EFAULT;
923 		}
924 		for (totlen = u = 0; u < uurb->number_of_packets; u++) {
925 			if (isopkt[u].length > 1023) {
926 				kfree(isopkt);
927 				return -EINVAL;
928 			}
929 			totlen += isopkt[u].length;
930 		}
931 		if (totlen > 32768) {
932 			kfree(isopkt);
933 			return -EINVAL;
934 		}
935 		uurb->buffer_length = totlen;
936 		break;
937 
938 	case USBDEVFS_URB_TYPE_INTERRUPT:
939 		uurb->number_of_packets = 0;
940 		if ((ep->desc.bmAttributes & USB_ENDPOINT_XFERTYPE_MASK)
941 				!= USB_ENDPOINT_XFER_INT)
942 			return -EINVAL;
943 		if (ps->dev->speed == USB_SPEED_HIGH)
944 			interval = 1 << min (15, ep->desc.bInterval - 1);
945 		else
946 			interval = ep->desc.bInterval;
947 		if (uurb->buffer_length > MAX_USBFS_BUFFER_SIZE)
948 			return -EINVAL;
949 		if (!access_ok((uurb->endpoint & USB_DIR_IN) ? VERIFY_WRITE : VERIFY_READ, uurb->buffer, uurb->buffer_length))
950 			return -EFAULT;
951 		break;
952 
953 	default:
954 		return -EINVAL;
955 	}
956 	if (!(as = alloc_async(uurb->number_of_packets))) {
957 		kfree(isopkt);
958 		kfree(dr);
959 		return -ENOMEM;
960 	}
961 	if (!(as->urb->transfer_buffer = kmalloc(uurb->buffer_length, GFP_KERNEL))) {
962 		kfree(isopkt);
963 		kfree(dr);
964 		free_async(as);
965 		return -ENOMEM;
966 	}
967         as->urb->dev = ps->dev;
968         as->urb->pipe = (uurb->type << 30) | __create_pipe(ps->dev, uurb->endpoint & 0xf) | (uurb->endpoint & USB_DIR_IN);
969         as->urb->transfer_flags = uurb->flags;
970 	as->urb->transfer_buffer_length = uurb->buffer_length;
971 	as->urb->setup_packet = (unsigned char*)dr;
972 	as->urb->start_frame = uurb->start_frame;
973 	as->urb->number_of_packets = uurb->number_of_packets;
974 	as->urb->interval = interval;
975         as->urb->context = as;
976         as->urb->complete = async_completed;
977 	for (totlen = u = 0; u < uurb->number_of_packets; u++) {
978 		as->urb->iso_frame_desc[u].offset = totlen;
979 		as->urb->iso_frame_desc[u].length = isopkt[u].length;
980 		totlen += isopkt[u].length;
981 	}
982 	kfree(isopkt);
983 	as->ps = ps;
984         as->userurb = arg;
985 	if (uurb->endpoint & USB_DIR_IN)
986 		as->userbuffer = uurb->buffer;
987 	else
988 		as->userbuffer = NULL;
989 	as->signr = uurb->signr;
990 	as->ifnum = ifnum;
991 	as->task = current;
992 	if (!(uurb->endpoint & USB_DIR_IN)) {
993 		if (copy_from_user(as->urb->transfer_buffer, uurb->buffer, as->urb->transfer_buffer_length)) {
994 			free_async(as);
995 			return -EFAULT;
996 		}
997 	}
998         async_newpending(as);
999         if ((ret = usb_submit_urb(as->urb, GFP_KERNEL))) {
1000 		dev_printk(KERN_DEBUG, &ps->dev->dev, "usbfs: usb_submit_urb returned %d\n", ret);
1001                 async_removepending(as);
1002                 free_async(as);
1003                 return ret;
1004         }
1005         return 0;
1006 }
1007 
1008 static int proc_submiturb(struct dev_state *ps, void __user *arg)
1009 {
1010 	struct usbdevfs_urb uurb;
1011 
1012 	if (copy_from_user(&uurb, arg, sizeof(uurb)))
1013 		return -EFAULT;
1014 
1015 	return proc_do_submiturb(ps, &uurb, (((struct usbdevfs_urb __user *)arg)->iso_frame_desc), arg);
1016 }
1017 
1018 static int proc_unlinkurb(struct dev_state *ps, void __user *arg)
1019 {
1020 	struct async *as;
1021 
1022 	as = async_getpending(ps, arg);
1023 	if (!as)
1024 		return -EINVAL;
1025 	usb_kill_urb(as->urb);
1026 	return 0;
1027 }
1028 
1029 static int processcompl(struct async *as, void __user * __user *arg)
1030 {
1031 	struct urb *urb = as->urb;
1032 	struct usbdevfs_urb __user *userurb = as->userurb;
1033 	void __user *addr = as->userurb;
1034 	unsigned int i;
1035 
1036 	if (as->userbuffer)
1037 		if (copy_to_user(as->userbuffer, urb->transfer_buffer, urb->transfer_buffer_length))
1038 			return -EFAULT;
1039 	if (put_user(urb->status, &userurb->status))
1040 		return -EFAULT;
1041 	if (put_user(urb->actual_length, &userurb->actual_length))
1042 		return -EFAULT;
1043 	if (put_user(urb->error_count, &userurb->error_count))
1044 		return -EFAULT;
1045 
1046 	if (usb_pipeisoc(urb->pipe)) {
1047 		for (i = 0; i < urb->number_of_packets; i++) {
1048 			if (put_user(urb->iso_frame_desc[i].actual_length,
1049 				     &userurb->iso_frame_desc[i].actual_length))
1050 				return -EFAULT;
1051 			if (put_user(urb->iso_frame_desc[i].status,
1052 				     &userurb->iso_frame_desc[i].status))
1053 				return -EFAULT;
1054 		}
1055 	}
1056 
1057 	free_async(as);
1058 
1059 	if (put_user(addr, (void __user * __user *)arg))
1060 		return -EFAULT;
1061 	return 0;
1062 }
1063 
1064 static struct async* reap_as(struct dev_state *ps)
1065 {
1066         DECLARE_WAITQUEUE(wait, current);
1067 	struct async *as = NULL;
1068 	struct usb_device *dev = ps->dev;
1069 
1070 	add_wait_queue(&ps->wait, &wait);
1071 	for (;;) {
1072 		__set_current_state(TASK_INTERRUPTIBLE);
1073 		if ((as = async_getcompleted(ps)))
1074 			break;
1075 		if (signal_pending(current))
1076 			break;
1077 		usb_unlock_device(dev);
1078 		schedule();
1079 		usb_lock_device(dev);
1080 	}
1081 	remove_wait_queue(&ps->wait, &wait);
1082 	set_current_state(TASK_RUNNING);
1083 	return as;
1084 }
1085 
1086 static int proc_reapurb(struct dev_state *ps, void __user *arg)
1087 {
1088 	struct async *as = reap_as(ps);
1089 	if (as)
1090 		return processcompl(as, (void __user * __user *)arg);
1091 	if (signal_pending(current))
1092 		return -EINTR;
1093 	return -EIO;
1094 }
1095 
1096 static int proc_reapurbnonblock(struct dev_state *ps, void __user *arg)
1097 {
1098 	struct async *as;
1099 
1100 	if (!(as = async_getcompleted(ps)))
1101 		return -EAGAIN;
1102 	return processcompl(as, (void __user * __user *)arg);
1103 }
1104 
1105 #ifdef CONFIG_COMPAT
1106 
1107 static int get_urb32(struct usbdevfs_urb *kurb,
1108 		     struct usbdevfs_urb32 __user *uurb)
1109 {
1110 	__u32  uptr;
1111 	if (get_user(kurb->type, &uurb->type) ||
1112 	    __get_user(kurb->endpoint, &uurb->endpoint) ||
1113 	    __get_user(kurb->status, &uurb->status) ||
1114 	    __get_user(kurb->flags, &uurb->flags) ||
1115 	    __get_user(kurb->buffer_length, &uurb->buffer_length) ||
1116 	    __get_user(kurb->actual_length, &uurb->actual_length) ||
1117 	    __get_user(kurb->start_frame, &uurb->start_frame) ||
1118 	    __get_user(kurb->number_of_packets, &uurb->number_of_packets) ||
1119 	    __get_user(kurb->error_count, &uurb->error_count) ||
1120 	    __get_user(kurb->signr, &uurb->signr))
1121 		return -EFAULT;
1122 
1123 	if (__get_user(uptr, &uurb->buffer))
1124 		return -EFAULT;
1125 	kurb->buffer = compat_ptr(uptr);
1126 	if (__get_user(uptr, &uurb->buffer))
1127 		return -EFAULT;
1128 	kurb->usercontext = compat_ptr(uptr);
1129 
1130 	return 0;
1131 }
1132 
1133 static int proc_submiturb_compat(struct dev_state *ps, void __user *arg)
1134 {
1135 	struct usbdevfs_urb uurb;
1136 
1137 	if (get_urb32(&uurb,(struct usbdevfs_urb32 *)arg))
1138 		return -EFAULT;
1139 
1140 	return proc_do_submiturb(ps, &uurb, ((struct usbdevfs_urb32 __user *)arg)->iso_frame_desc, arg);
1141 }
1142 
1143 static int processcompl_compat(struct async *as, void __user * __user *arg)
1144 {
1145 	struct urb *urb = as->urb;
1146 	struct usbdevfs_urb32 __user *userurb = as->userurb;
1147 	void __user *addr = as->userurb;
1148 	unsigned int i;
1149 
1150 	if (as->userbuffer)
1151 		if (copy_to_user(as->userbuffer, urb->transfer_buffer, urb->transfer_buffer_length))
1152 			return -EFAULT;
1153 	if (put_user(urb->status, &userurb->status))
1154 		return -EFAULT;
1155 	if (put_user(urb->actual_length, &userurb->actual_length))
1156 		return -EFAULT;
1157 	if (put_user(urb->error_count, &userurb->error_count))
1158 		return -EFAULT;
1159 
1160 	if (usb_pipeisoc(urb->pipe)) {
1161 		for (i = 0; i < urb->number_of_packets; i++) {
1162 			if (put_user(urb->iso_frame_desc[i].actual_length,
1163 				     &userurb->iso_frame_desc[i].actual_length))
1164 				return -EFAULT;
1165 			if (put_user(urb->iso_frame_desc[i].status,
1166 				     &userurb->iso_frame_desc[i].status))
1167 				return -EFAULT;
1168 		}
1169 	}
1170 
1171 	free_async(as);
1172 	if (put_user((u32)(u64)addr, (u32 __user *)arg))
1173 		return -EFAULT;
1174 	return 0;
1175 }
1176 
1177 static int proc_reapurb_compat(struct dev_state *ps, void __user *arg)
1178 {
1179 	struct async *as = reap_as(ps);
1180 	if (as)
1181 		return processcompl_compat(as, (void __user * __user *)arg);
1182 	if (signal_pending(current))
1183 		return -EINTR;
1184 	return -EIO;
1185 }
1186 
1187 static int proc_reapurbnonblock_compat(struct dev_state *ps, void __user *arg)
1188 {
1189 	struct async *as;
1190 
1191 	if (!(as = async_getcompleted(ps)))
1192 		return -EAGAIN;
1193 	return processcompl_compat(as, (void __user * __user *)arg);
1194 }
1195 
1196 #endif
1197 
1198 static int proc_disconnectsignal(struct dev_state *ps, void __user *arg)
1199 {
1200 	struct usbdevfs_disconnectsignal ds;
1201 
1202 	if (copy_from_user(&ds, arg, sizeof(ds)))
1203 		return -EFAULT;
1204 	if (ds.signr != 0 && (ds.signr < SIGRTMIN || ds.signr > SIGRTMAX))
1205 		return -EINVAL;
1206 	ps->discsignr = ds.signr;
1207 	ps->disccontext = ds.context;
1208 	return 0;
1209 }
1210 
1211 static int proc_claiminterface(struct dev_state *ps, void __user *arg)
1212 {
1213 	unsigned int ifnum;
1214 
1215 	if (get_user(ifnum, (unsigned int __user *)arg))
1216 		return -EFAULT;
1217 	return claimintf(ps, ifnum);
1218 }
1219 
1220 static int proc_releaseinterface(struct dev_state *ps, void __user *arg)
1221 {
1222 	unsigned int ifnum;
1223 	int ret;
1224 
1225 	if (get_user(ifnum, (unsigned int __user *)arg))
1226 		return -EFAULT;
1227 	if ((ret = releaseintf(ps, ifnum)) < 0)
1228 		return ret;
1229 	destroy_async_on_interface (ps, ifnum);
1230 	return 0;
1231 }
1232 
1233 static int proc_ioctl (struct dev_state *ps, void __user *arg)
1234 {
1235 	struct usbdevfs_ioctl	ctrl;
1236 	int			size;
1237 	void			*buf = NULL;
1238 	int			retval = 0;
1239 	struct usb_interface    *intf = NULL;
1240 	struct usb_driver       *driver = NULL;
1241 
1242 	/* get input parameters and alloc buffer */
1243 	if (copy_from_user(&ctrl, arg, sizeof (ctrl)))
1244 		return -EFAULT;
1245 	if ((size = _IOC_SIZE (ctrl.ioctl_code)) > 0) {
1246 		if ((buf = kmalloc (size, GFP_KERNEL)) == NULL)
1247 			return -ENOMEM;
1248 		if ((_IOC_DIR(ctrl.ioctl_code) & _IOC_WRITE)) {
1249 			if (copy_from_user (buf, ctrl.data, size)) {
1250 				kfree(buf);
1251 				return -EFAULT;
1252 			}
1253 		} else {
1254 			memset (buf, 0, size);
1255 		}
1256 	}
1257 
1258 	if (!connected(ps->dev)) {
1259 		kfree(buf);
1260 		return -ENODEV;
1261 	}
1262 
1263 	if (ps->dev->state != USB_STATE_CONFIGURED)
1264 		retval = -EHOSTUNREACH;
1265 	else if (!(intf = usb_ifnum_to_if (ps->dev, ctrl.ifno)))
1266                retval = -EINVAL;
1267 	else switch (ctrl.ioctl_code) {
1268 
1269 	/* disconnect kernel driver from interface */
1270 	case USBDEVFS_DISCONNECT:
1271 
1272 		down_write(&usb_bus_type.subsys.rwsem);
1273 		if (intf->dev.driver) {
1274 			driver = to_usb_driver(intf->dev.driver);
1275 			dev_dbg (&intf->dev, "disconnect by usbfs\n");
1276 			usb_driver_release_interface(driver, intf);
1277 		} else
1278 			retval = -ENODATA;
1279 		up_write(&usb_bus_type.subsys.rwsem);
1280 		break;
1281 
1282 	/* let kernel drivers try to (re)bind to the interface */
1283 	case USBDEVFS_CONNECT:
1284 		usb_unlock_device(ps->dev);
1285 		usb_lock_all_devices();
1286 		bus_rescan_devices(intf->dev.bus);
1287 		usb_unlock_all_devices();
1288 		usb_lock_device(ps->dev);
1289 		break;
1290 
1291 	/* talk directly to the interface's driver */
1292 	default:
1293 		down_read(&usb_bus_type.subsys.rwsem);
1294 		if (intf->dev.driver)
1295 			driver = to_usb_driver(intf->dev.driver);
1296 		if (driver == NULL || driver->ioctl == NULL) {
1297 			retval = -ENOTTY;
1298 		} else {
1299 			retval = driver->ioctl (intf, ctrl.ioctl_code, buf);
1300 			if (retval == -ENOIOCTLCMD)
1301 				retval = -ENOTTY;
1302 		}
1303 		up_read(&usb_bus_type.subsys.rwsem);
1304 	}
1305 
1306 	/* cleanup and return */
1307 	if (retval >= 0
1308 			&& (_IOC_DIR (ctrl.ioctl_code) & _IOC_READ) != 0
1309 			&& size > 0
1310 			&& copy_to_user (ctrl.data, buf, size) != 0)
1311 		retval = -EFAULT;
1312 
1313 	kfree(buf);
1314 	return retval;
1315 }
1316 
1317 /*
1318  * NOTE:  All requests here that have interface numbers as parameters
1319  * are assuming that somehow the configuration has been prevented from
1320  * changing.  But there's no mechanism to ensure that...
1321  */
1322 static int usbdev_ioctl(struct inode *inode, struct file *file, unsigned int cmd, unsigned long arg)
1323 {
1324 	struct dev_state *ps = (struct dev_state *)file->private_data;
1325 	struct usb_device *dev = ps->dev;
1326 	void __user *p = (void __user *)arg;
1327 	int ret = -ENOTTY;
1328 
1329 	if (!(file->f_mode & FMODE_WRITE))
1330 		return -EPERM;
1331 	usb_lock_device(dev);
1332 	if (!connected(dev)) {
1333 		usb_unlock_device(dev);
1334 		return -ENODEV;
1335 	}
1336 
1337 	switch (cmd) {
1338 	case USBDEVFS_CONTROL:
1339 		snoop(&dev->dev, "%s: CONTROL\n", __FUNCTION__);
1340 		ret = proc_control(ps, p);
1341 		if (ret >= 0)
1342 			inode->i_mtime = CURRENT_TIME;
1343 		break;
1344 
1345 	case USBDEVFS_BULK:
1346 		snoop(&dev->dev, "%s: BULK\n", __FUNCTION__);
1347 		ret = proc_bulk(ps, p);
1348 		if (ret >= 0)
1349 			inode->i_mtime = CURRENT_TIME;
1350 		break;
1351 
1352 	case USBDEVFS_RESETEP:
1353 		snoop(&dev->dev, "%s: RESETEP\n", __FUNCTION__);
1354 		ret = proc_resetep(ps, p);
1355 		if (ret >= 0)
1356 			inode->i_mtime = CURRENT_TIME;
1357 		break;
1358 
1359 	case USBDEVFS_RESET:
1360 		snoop(&dev->dev, "%s: RESET\n", __FUNCTION__);
1361 		ret = proc_resetdevice(ps);
1362 		break;
1363 
1364 	case USBDEVFS_CLEAR_HALT:
1365 		snoop(&dev->dev, "%s: CLEAR_HALT\n", __FUNCTION__);
1366 		ret = proc_clearhalt(ps, p);
1367 		if (ret >= 0)
1368 			inode->i_mtime = CURRENT_TIME;
1369 		break;
1370 
1371 	case USBDEVFS_GETDRIVER:
1372 		snoop(&dev->dev, "%s: GETDRIVER\n", __FUNCTION__);
1373 		ret = proc_getdriver(ps, p);
1374 		break;
1375 
1376 	case USBDEVFS_CONNECTINFO:
1377 		snoop(&dev->dev, "%s: CONNECTINFO\n", __FUNCTION__);
1378 		ret = proc_connectinfo(ps, p);
1379 		break;
1380 
1381 	case USBDEVFS_SETINTERFACE:
1382 		snoop(&dev->dev, "%s: SETINTERFACE\n", __FUNCTION__);
1383 		ret = proc_setintf(ps, p);
1384 		break;
1385 
1386 	case USBDEVFS_SETCONFIGURATION:
1387 		snoop(&dev->dev, "%s: SETCONFIGURATION\n", __FUNCTION__);
1388 		ret = proc_setconfig(ps, p);
1389 		break;
1390 
1391 	case USBDEVFS_SUBMITURB:
1392 		snoop(&dev->dev, "%s: SUBMITURB\n", __FUNCTION__);
1393 		ret = proc_submiturb(ps, p);
1394 		if (ret >= 0)
1395 			inode->i_mtime = CURRENT_TIME;
1396 		break;
1397 
1398 #ifdef CONFIG_COMPAT
1399 
1400 	case USBDEVFS_SUBMITURB32:
1401 		snoop(&dev->dev, "%s: SUBMITURB32\n", __FUNCTION__);
1402 		ret = proc_submiturb_compat(ps, p);
1403 		if (ret >= 0)
1404 			inode->i_mtime = CURRENT_TIME;
1405 		break;
1406 
1407 	case USBDEVFS_REAPURB32:
1408 		snoop(&dev->dev, "%s: REAPURB32\n", __FUNCTION__);
1409 		ret = proc_reapurb_compat(ps, p);
1410 		break;
1411 
1412 	case USBDEVFS_REAPURBNDELAY32:
1413 		snoop(&dev->dev, "%s: REAPURBDELAY32\n", __FUNCTION__);
1414 		ret = proc_reapurbnonblock_compat(ps, p);
1415 		break;
1416 
1417 #endif
1418 
1419 	case USBDEVFS_DISCARDURB:
1420 		snoop(&dev->dev, "%s: DISCARDURB\n", __FUNCTION__);
1421 		ret = proc_unlinkurb(ps, p);
1422 		break;
1423 
1424 	case USBDEVFS_REAPURB:
1425 		snoop(&dev->dev, "%s: REAPURB\n", __FUNCTION__);
1426 		ret = proc_reapurb(ps, p);
1427 		break;
1428 
1429 	case USBDEVFS_REAPURBNDELAY:
1430 		snoop(&dev->dev, "%s: REAPURBDELAY\n", __FUNCTION__);
1431 		ret = proc_reapurbnonblock(ps, p);
1432 		break;
1433 
1434 	case USBDEVFS_DISCSIGNAL:
1435 		snoop(&dev->dev, "%s: DISCSIGNAL\n", __FUNCTION__);
1436 		ret = proc_disconnectsignal(ps, p);
1437 		break;
1438 
1439 	case USBDEVFS_CLAIMINTERFACE:
1440 		snoop(&dev->dev, "%s: CLAIMINTERFACE\n", __FUNCTION__);
1441 		ret = proc_claiminterface(ps, p);
1442 		break;
1443 
1444 	case USBDEVFS_RELEASEINTERFACE:
1445 		snoop(&dev->dev, "%s: RELEASEINTERFACE\n", __FUNCTION__);
1446 		ret = proc_releaseinterface(ps, p);
1447 		break;
1448 
1449 	case USBDEVFS_IOCTL:
1450 		snoop(&dev->dev, "%s: IOCTL\n", __FUNCTION__);
1451 		ret = proc_ioctl(ps, p);
1452 		break;
1453 	}
1454 	usb_unlock_device(dev);
1455 	if (ret >= 0)
1456 		inode->i_atime = CURRENT_TIME;
1457 	return ret;
1458 }
1459 
1460 /* No kernel lock - fine */
1461 static unsigned int usbdev_poll(struct file *file, struct poll_table_struct *wait)
1462 {
1463 	struct dev_state *ps = (struct dev_state *)file->private_data;
1464         unsigned int mask = 0;
1465 
1466 	poll_wait(file, &ps->wait, wait);
1467 	if (file->f_mode & FMODE_WRITE && !list_empty(&ps->async_completed))
1468 		mask |= POLLOUT | POLLWRNORM;
1469 	if (!connected(ps->dev))
1470 		mask |= POLLERR | POLLHUP;
1471 	return mask;
1472 }
1473 
1474 struct file_operations usbfs_device_file_operations = {
1475 	.llseek =	usbdev_lseek,
1476 	.read =		usbdev_read,
1477 	.poll =		usbdev_poll,
1478 	.ioctl =	usbdev_ioctl,
1479 	.open =		usbdev_open,
1480 	.release =	usbdev_release,
1481 };
1482 
1483 struct usb_device *usbdev_lookup_minor(int minor)
1484 {
1485 	struct class_device *class_dev;
1486 	struct usb_device *dev = NULL;
1487 
1488 	down(&usb_device_class->sem);
1489 	list_for_each_entry(class_dev, &usb_device_class->children, node) {
1490 		if (class_dev->devt == MKDEV(USB_DEVICE_MAJOR, minor)) {
1491 			dev = class_dev->class_data;
1492 			break;
1493 		}
1494 	}
1495 	up(&usb_device_class->sem);
1496 
1497 	return dev;
1498 };
1499 
1500 void usbdev_add(struct usb_device *dev)
1501 {
1502 	int minor = ((dev->bus->busnum-1) * 128) + (dev->devnum-1);
1503 
1504 	dev->class_dev = class_device_create(usb_device_class,
1505 				MKDEV(USB_DEVICE_MAJOR, minor), &dev->dev,
1506 				"usbdev%d.%d", dev->bus->busnum, dev->devnum);
1507 
1508 	dev->class_dev->class_data = dev;
1509 }
1510 
1511 void usbdev_remove(struct usb_device *dev)
1512 {
1513 	class_device_unregister(dev->class_dev);
1514 }
1515 
1516 static struct cdev usb_device_cdev = {
1517 	.kobj   = {.name = "usb_device", },
1518 	.owner  = THIS_MODULE,
1519 };
1520 
1521 int __init usbdev_init(void)
1522 {
1523 	int retval;
1524 
1525 	retval = register_chrdev_region(USB_DEVICE_DEV, USB_DEVICE_MAX,
1526 			"usb_device");
1527 	if (retval) {
1528 		err("unable to register minors for usb_device");
1529 		goto out;
1530 	}
1531 	cdev_init(&usb_device_cdev, &usbfs_device_file_operations);
1532 	retval = cdev_add(&usb_device_cdev, USB_DEVICE_DEV, USB_DEVICE_MAX);
1533 	if (retval) {
1534 		err("unable to get usb_device major %d", USB_DEVICE_MAJOR);
1535 		unregister_chrdev_region(USB_DEVICE_DEV, USB_DEVICE_MAX);
1536 		goto out;
1537 	}
1538 	usb_device_class = class_create(THIS_MODULE, "usb_device");
1539 	if (IS_ERR(usb_device_class)) {
1540 		err("unable to register usb_device class");
1541 		retval = PTR_ERR(usb_device_class);
1542 		usb_device_class = NULL;
1543 		cdev_del(&usb_device_cdev);
1544 		unregister_chrdev_region(USB_DEVICE_DEV, USB_DEVICE_MAX);
1545 	}
1546 
1547 out:
1548 	return retval;
1549 }
1550 
1551 void usbdev_cleanup(void)
1552 {
1553 	class_destroy(usb_device_class);
1554 	cdev_del(&usb_device_cdev);
1555 	unregister_chrdev_region(USB_DEVICE_DEV, USB_DEVICE_MAX);
1556 }
1557 
1558