1 /*****************************************************************************/ 2 3 /* 4 * devio.c -- User space communication with USB devices. 5 * 6 * Copyright (C) 1999-2000 Thomas Sailer (sailer@ife.ee.ethz.ch) 7 * 8 * This program is free software; you can redistribute it and/or modify 9 * it under the terms of the GNU General Public License as published by 10 * the Free Software Foundation; either version 2 of the License, or 11 * (at your option) any later version. 12 * 13 * This program is distributed in the hope that it will be useful, 14 * but WITHOUT ANY WARRANTY; without even the implied warranty of 15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 16 * GNU General Public License for more details. 17 * 18 * You should have received a copy of the GNU General Public License 19 * along with this program; if not, write to the Free Software 20 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. 21 * 22 * $Id: devio.c,v 1.7 2000/02/01 17:28:48 fliegl Exp $ 23 * 24 * This file implements the usbfs/x/y files, where 25 * x is the bus number and y the device number. 26 * 27 * It allows user space programs/"drivers" to communicate directly 28 * with USB devices without intervening kernel driver. 29 * 30 * Revision history 31 * 22.12.1999 0.1 Initial release (split from proc_usb.c) 32 * 04.01.2000 0.2 Turned into its own filesystem 33 * 30.09.2005 0.3 Fix user-triggerable oops in async URB delivery 34 * (CAN-2005-3055) 35 */ 36 37 /*****************************************************************************/ 38 39 #include <linux/fs.h> 40 #include <linux/mm.h> 41 #include <linux/slab.h> 42 #include <linux/smp_lock.h> 43 #include <linux/signal.h> 44 #include <linux/poll.h> 45 #include <linux/module.h> 46 #include <linux/usb.h> 47 #include <linux/usbdevice_fs.h> 48 #include <linux/cdev.h> 49 #include <linux/notifier.h> 50 #include <asm/uaccess.h> 51 #include <asm/byteorder.h> 52 #include <linux/moduleparam.h> 53 54 #include "hcd.h" /* for usbcore internals */ 55 #include "usb.h" 56 57 #define USB_MAXBUS 64 58 #define USB_DEVICE_MAX USB_MAXBUS * 128 59 static struct class *usb_device_class; 60 61 struct async { 62 struct list_head asynclist; 63 struct dev_state *ps; 64 pid_t pid; 65 uid_t uid, euid; 66 unsigned int signr; 67 unsigned int ifnum; 68 void __user *userbuffer; 69 void __user *userurb; 70 struct urb *urb; 71 }; 72 73 static int usbfs_snoop = 0; 74 module_param (usbfs_snoop, bool, S_IRUGO | S_IWUSR); 75 MODULE_PARM_DESC (usbfs_snoop, "true to log all usbfs traffic"); 76 77 #define snoop(dev, format, arg...) \ 78 do { \ 79 if (usbfs_snoop) \ 80 dev_info( dev , format , ## arg); \ 81 } while (0) 82 83 #define USB_DEVICE_DEV MKDEV(USB_DEVICE_MAJOR, 0) 84 85 86 #define MAX_USBFS_BUFFER_SIZE 16384 87 88 static inline int connected (struct usb_device *dev) 89 { 90 return dev->state != USB_STATE_NOTATTACHED; 91 } 92 93 static loff_t usbdev_lseek(struct file *file, loff_t offset, int orig) 94 { 95 loff_t ret; 96 97 lock_kernel(); 98 99 switch (orig) { 100 case 0: 101 file->f_pos = offset; 102 ret = file->f_pos; 103 break; 104 case 1: 105 file->f_pos += offset; 106 ret = file->f_pos; 107 break; 108 case 2: 109 default: 110 ret = -EINVAL; 111 } 112 113 unlock_kernel(); 114 return ret; 115 } 116 117 static ssize_t usbdev_read(struct file *file, char __user *buf, size_t nbytes, loff_t *ppos) 118 { 119 struct dev_state *ps = (struct dev_state *)file->private_data; 120 struct usb_device *dev = ps->dev; 121 ssize_t ret = 0; 122 unsigned len; 123 loff_t pos; 124 int i; 125 126 pos = *ppos; 127 usb_lock_device(dev); 128 if (!connected(dev)) { 129 ret = -ENODEV; 130 goto err; 131 } else if (pos < 0) { 132 ret = -EINVAL; 133 goto err; 134 } 135 136 if (pos < sizeof(struct usb_device_descriptor)) { 137 struct usb_device_descriptor temp_desc ; /* 18 bytes - fits on the stack */ 138 139 memcpy(&temp_desc, &dev->descriptor, sizeof(dev->descriptor)); 140 le16_to_cpus(&temp_desc.bcdUSB); 141 le16_to_cpus(&temp_desc.idVendor); 142 le16_to_cpus(&temp_desc.idProduct); 143 le16_to_cpus(&temp_desc.bcdDevice); 144 145 len = sizeof(struct usb_device_descriptor) - pos; 146 if (len > nbytes) 147 len = nbytes; 148 if (copy_to_user(buf, ((char *)&temp_desc) + pos, len)) { 149 ret = -EFAULT; 150 goto err; 151 } 152 153 *ppos += len; 154 buf += len; 155 nbytes -= len; 156 ret += len; 157 } 158 159 pos = sizeof(struct usb_device_descriptor); 160 for (i = 0; nbytes && i < dev->descriptor.bNumConfigurations; i++) { 161 struct usb_config_descriptor *config = 162 (struct usb_config_descriptor *)dev->rawdescriptors[i]; 163 unsigned int length = le16_to_cpu(config->wTotalLength); 164 165 if (*ppos < pos + length) { 166 167 /* The descriptor may claim to be longer than it 168 * really is. Here is the actual allocated length. */ 169 unsigned alloclen = 170 le16_to_cpu(dev->config[i].desc.wTotalLength); 171 172 len = length - (*ppos - pos); 173 if (len > nbytes) 174 len = nbytes; 175 176 /* Simply don't write (skip over) unallocated parts */ 177 if (alloclen > (*ppos - pos)) { 178 alloclen -= (*ppos - pos); 179 if (copy_to_user(buf, 180 dev->rawdescriptors[i] + (*ppos - pos), 181 min(len, alloclen))) { 182 ret = -EFAULT; 183 goto err; 184 } 185 } 186 187 *ppos += len; 188 buf += len; 189 nbytes -= len; 190 ret += len; 191 } 192 193 pos += length; 194 } 195 196 err: 197 usb_unlock_device(dev); 198 return ret; 199 } 200 201 /* 202 * async list handling 203 */ 204 205 static struct async *alloc_async(unsigned int numisoframes) 206 { 207 unsigned int assize = sizeof(struct async) + numisoframes * sizeof(struct usb_iso_packet_descriptor); 208 struct async *as = kzalloc(assize, GFP_KERNEL); 209 210 if (!as) 211 return NULL; 212 as->urb = usb_alloc_urb(numisoframes, GFP_KERNEL); 213 if (!as->urb) { 214 kfree(as); 215 return NULL; 216 } 217 return as; 218 } 219 220 static void free_async(struct async *as) 221 { 222 kfree(as->urb->transfer_buffer); 223 kfree(as->urb->setup_packet); 224 usb_free_urb(as->urb); 225 kfree(as); 226 } 227 228 static inline void async_newpending(struct async *as) 229 { 230 struct dev_state *ps = as->ps; 231 unsigned long flags; 232 233 spin_lock_irqsave(&ps->lock, flags); 234 list_add_tail(&as->asynclist, &ps->async_pending); 235 spin_unlock_irqrestore(&ps->lock, flags); 236 } 237 238 static inline void async_removepending(struct async *as) 239 { 240 struct dev_state *ps = as->ps; 241 unsigned long flags; 242 243 spin_lock_irqsave(&ps->lock, flags); 244 list_del_init(&as->asynclist); 245 spin_unlock_irqrestore(&ps->lock, flags); 246 } 247 248 static inline struct async *async_getcompleted(struct dev_state *ps) 249 { 250 unsigned long flags; 251 struct async *as = NULL; 252 253 spin_lock_irqsave(&ps->lock, flags); 254 if (!list_empty(&ps->async_completed)) { 255 as = list_entry(ps->async_completed.next, struct async, asynclist); 256 list_del_init(&as->asynclist); 257 } 258 spin_unlock_irqrestore(&ps->lock, flags); 259 return as; 260 } 261 262 static inline struct async *async_getpending(struct dev_state *ps, void __user *userurb) 263 { 264 unsigned long flags; 265 struct async *as; 266 267 spin_lock_irqsave(&ps->lock, flags); 268 list_for_each_entry(as, &ps->async_pending, asynclist) 269 if (as->userurb == userurb) { 270 list_del_init(&as->asynclist); 271 spin_unlock_irqrestore(&ps->lock, flags); 272 return as; 273 } 274 spin_unlock_irqrestore(&ps->lock, flags); 275 return NULL; 276 } 277 278 static void snoop_urb(struct urb *urb, void __user *userurb) 279 { 280 int j; 281 unsigned char *data = urb->transfer_buffer; 282 283 if (!usbfs_snoop) 284 return; 285 286 if (urb->pipe & USB_DIR_IN) 287 dev_info(&urb->dev->dev, "direction=IN\n"); 288 else 289 dev_info(&urb->dev->dev, "direction=OUT\n"); 290 dev_info(&urb->dev->dev, "userurb=%p\n", userurb); 291 dev_info(&urb->dev->dev, "transfer_buffer_length=%d\n", 292 urb->transfer_buffer_length); 293 dev_info(&urb->dev->dev, "actual_length=%d\n", urb->actual_length); 294 dev_info(&urb->dev->dev, "data: "); 295 for (j = 0; j < urb->transfer_buffer_length; ++j) 296 printk ("%02x ", data[j]); 297 printk("\n"); 298 } 299 300 static void async_completed(struct urb *urb, struct pt_regs *regs) 301 { 302 struct async *as = (struct async *)urb->context; 303 struct dev_state *ps = as->ps; 304 struct siginfo sinfo; 305 306 spin_lock(&ps->lock); 307 list_move_tail(&as->asynclist, &ps->async_completed); 308 spin_unlock(&ps->lock); 309 if (as->signr) { 310 sinfo.si_signo = as->signr; 311 sinfo.si_errno = as->urb->status; 312 sinfo.si_code = SI_ASYNCIO; 313 sinfo.si_addr = as->userurb; 314 kill_proc_info_as_uid(as->signr, &sinfo, as->pid, as->uid, 315 as->euid); 316 } 317 snoop(&urb->dev->dev, "urb complete\n"); 318 snoop_urb(urb, as->userurb); 319 wake_up(&ps->wait); 320 } 321 322 static void destroy_async (struct dev_state *ps, struct list_head *list) 323 { 324 struct async *as; 325 unsigned long flags; 326 327 spin_lock_irqsave(&ps->lock, flags); 328 while (!list_empty(list)) { 329 as = list_entry(list->next, struct async, asynclist); 330 list_del_init(&as->asynclist); 331 332 /* drop the spinlock so the completion handler can run */ 333 spin_unlock_irqrestore(&ps->lock, flags); 334 usb_kill_urb(as->urb); 335 spin_lock_irqsave(&ps->lock, flags); 336 } 337 spin_unlock_irqrestore(&ps->lock, flags); 338 as = async_getcompleted(ps); 339 while (as) { 340 free_async(as); 341 as = async_getcompleted(ps); 342 } 343 } 344 345 static void destroy_async_on_interface (struct dev_state *ps, unsigned int ifnum) 346 { 347 struct list_head *p, *q, hitlist; 348 unsigned long flags; 349 350 INIT_LIST_HEAD(&hitlist); 351 spin_lock_irqsave(&ps->lock, flags); 352 list_for_each_safe(p, q, &ps->async_pending) 353 if (ifnum == list_entry(p, struct async, asynclist)->ifnum) 354 list_move_tail(p, &hitlist); 355 spin_unlock_irqrestore(&ps->lock, flags); 356 destroy_async(ps, &hitlist); 357 } 358 359 static inline void destroy_all_async(struct dev_state *ps) 360 { 361 destroy_async(ps, &ps->async_pending); 362 } 363 364 /* 365 * interface claims are made only at the request of user level code, 366 * which can also release them (explicitly or by closing files). 367 * they're also undone when devices disconnect. 368 */ 369 370 static int driver_probe (struct usb_interface *intf, 371 const struct usb_device_id *id) 372 { 373 return -ENODEV; 374 } 375 376 static void driver_disconnect(struct usb_interface *intf) 377 { 378 struct dev_state *ps = usb_get_intfdata (intf); 379 unsigned int ifnum = intf->altsetting->desc.bInterfaceNumber; 380 381 if (!ps) 382 return; 383 384 /* NOTE: this relies on usbcore having canceled and completed 385 * all pending I/O requests; 2.6 does that. 386 */ 387 388 if (likely(ifnum < 8*sizeof(ps->ifclaimed))) 389 clear_bit(ifnum, &ps->ifclaimed); 390 else 391 warn("interface number %u out of range", ifnum); 392 393 usb_set_intfdata (intf, NULL); 394 395 /* force async requests to complete */ 396 destroy_async_on_interface(ps, ifnum); 397 } 398 399 struct usb_driver usbfs_driver = { 400 .name = "usbfs", 401 .probe = driver_probe, 402 .disconnect = driver_disconnect, 403 }; 404 405 static int claimintf(struct dev_state *ps, unsigned int ifnum) 406 { 407 struct usb_device *dev = ps->dev; 408 struct usb_interface *intf; 409 int err; 410 411 if (ifnum >= 8*sizeof(ps->ifclaimed)) 412 return -EINVAL; 413 /* already claimed */ 414 if (test_bit(ifnum, &ps->ifclaimed)) 415 return 0; 416 417 /* lock against other changes to driver bindings */ 418 down_write(&usb_bus_type.subsys.rwsem); 419 intf = usb_ifnum_to_if(dev, ifnum); 420 if (!intf) 421 err = -ENOENT; 422 else 423 err = usb_driver_claim_interface(&usbfs_driver, intf, ps); 424 up_write(&usb_bus_type.subsys.rwsem); 425 if (err == 0) 426 set_bit(ifnum, &ps->ifclaimed); 427 return err; 428 } 429 430 static int releaseintf(struct dev_state *ps, unsigned int ifnum) 431 { 432 struct usb_device *dev; 433 struct usb_interface *intf; 434 int err; 435 436 err = -EINVAL; 437 if (ifnum >= 8*sizeof(ps->ifclaimed)) 438 return err; 439 dev = ps->dev; 440 /* lock against other changes to driver bindings */ 441 down_write(&usb_bus_type.subsys.rwsem); 442 intf = usb_ifnum_to_if(dev, ifnum); 443 if (!intf) 444 err = -ENOENT; 445 else if (test_and_clear_bit(ifnum, &ps->ifclaimed)) { 446 usb_driver_release_interface(&usbfs_driver, intf); 447 err = 0; 448 } 449 up_write(&usb_bus_type.subsys.rwsem); 450 return err; 451 } 452 453 static int checkintf(struct dev_state *ps, unsigned int ifnum) 454 { 455 if (ps->dev->state != USB_STATE_CONFIGURED) 456 return -EHOSTUNREACH; 457 if (ifnum >= 8*sizeof(ps->ifclaimed)) 458 return -EINVAL; 459 if (test_bit(ifnum, &ps->ifclaimed)) 460 return 0; 461 /* if not yet claimed, claim it for the driver */ 462 dev_warn(&ps->dev->dev, "usbfs: process %d (%s) did not claim interface %u before use\n", 463 current->pid, current->comm, ifnum); 464 return claimintf(ps, ifnum); 465 } 466 467 static int findintfep(struct usb_device *dev, unsigned int ep) 468 { 469 unsigned int i, j, e; 470 struct usb_interface *intf; 471 struct usb_host_interface *alts; 472 struct usb_endpoint_descriptor *endpt; 473 474 if (ep & ~(USB_DIR_IN|0xf)) 475 return -EINVAL; 476 if (!dev->actconfig) 477 return -ESRCH; 478 for (i = 0; i < dev->actconfig->desc.bNumInterfaces; i++) { 479 intf = dev->actconfig->interface[i]; 480 for (j = 0; j < intf->num_altsetting; j++) { 481 alts = &intf->altsetting[j]; 482 for (e = 0; e < alts->desc.bNumEndpoints; e++) { 483 endpt = &alts->endpoint[e].desc; 484 if (endpt->bEndpointAddress == ep) 485 return alts->desc.bInterfaceNumber; 486 } 487 } 488 } 489 return -ENOENT; 490 } 491 492 static int check_ctrlrecip(struct dev_state *ps, unsigned int requesttype, unsigned int index) 493 { 494 int ret = 0; 495 496 if (ps->dev->state != USB_STATE_ADDRESS 497 && ps->dev->state != USB_STATE_CONFIGURED) 498 return -EHOSTUNREACH; 499 if (USB_TYPE_VENDOR == (USB_TYPE_MASK & requesttype)) 500 return 0; 501 502 index &= 0xff; 503 switch (requesttype & USB_RECIP_MASK) { 504 case USB_RECIP_ENDPOINT: 505 if ((ret = findintfep(ps->dev, index)) >= 0) 506 ret = checkintf(ps, ret); 507 break; 508 509 case USB_RECIP_INTERFACE: 510 ret = checkintf(ps, index); 511 break; 512 } 513 return ret; 514 } 515 516 static struct usb_device *usbdev_lookup_minor(int minor) 517 { 518 struct class_device *class_dev; 519 struct usb_device *dev = NULL; 520 521 down(&usb_device_class->sem); 522 list_for_each_entry(class_dev, &usb_device_class->children, node) { 523 if (class_dev->devt == MKDEV(USB_DEVICE_MAJOR, minor)) { 524 dev = class_dev->class_data; 525 break; 526 } 527 } 528 up(&usb_device_class->sem); 529 530 return dev; 531 }; 532 533 /* 534 * file operations 535 */ 536 static int usbdev_open(struct inode *inode, struct file *file) 537 { 538 struct usb_device *dev = NULL; 539 struct dev_state *ps; 540 int ret; 541 542 /* 543 * no locking necessary here, as chrdev_open has the kernel lock 544 * (still acquire the kernel lock for safety) 545 */ 546 ret = -ENOMEM; 547 if (!(ps = kmalloc(sizeof(struct dev_state), GFP_KERNEL))) 548 goto out_nolock; 549 550 lock_kernel(); 551 ret = -ENOENT; 552 /* check if we are called from a real node or usbfs */ 553 if (imajor(inode) == USB_DEVICE_MAJOR) 554 dev = usbdev_lookup_minor(iminor(inode)); 555 if (!dev) 556 dev = inode->u.generic_ip; 557 if (!dev) { 558 kfree(ps); 559 goto out; 560 } 561 usb_get_dev(dev); 562 ret = 0; 563 ps->dev = dev; 564 ps->file = file; 565 spin_lock_init(&ps->lock); 566 INIT_LIST_HEAD(&ps->async_pending); 567 INIT_LIST_HEAD(&ps->async_completed); 568 init_waitqueue_head(&ps->wait); 569 ps->discsignr = 0; 570 ps->disc_pid = current->pid; 571 ps->disc_uid = current->uid; 572 ps->disc_euid = current->euid; 573 ps->disccontext = NULL; 574 ps->ifclaimed = 0; 575 wmb(); 576 list_add_tail(&ps->list, &dev->filelist); 577 file->private_data = ps; 578 out: 579 unlock_kernel(); 580 out_nolock: 581 return ret; 582 } 583 584 static int usbdev_release(struct inode *inode, struct file *file) 585 { 586 struct dev_state *ps = (struct dev_state *)file->private_data; 587 struct usb_device *dev = ps->dev; 588 unsigned int ifnum; 589 590 usb_lock_device(dev); 591 list_del_init(&ps->list); 592 for (ifnum = 0; ps->ifclaimed && ifnum < 8*sizeof(ps->ifclaimed); 593 ifnum++) { 594 if (test_bit(ifnum, &ps->ifclaimed)) 595 releaseintf(ps, ifnum); 596 } 597 destroy_all_async(ps); 598 usb_unlock_device(dev); 599 usb_put_dev(dev); 600 ps->dev = NULL; 601 kfree(ps); 602 return 0; 603 } 604 605 static int proc_control(struct dev_state *ps, void __user *arg) 606 { 607 struct usb_device *dev = ps->dev; 608 struct usbdevfs_ctrltransfer ctrl; 609 unsigned int tmo; 610 unsigned char *tbuf; 611 int i, j, ret; 612 613 if (copy_from_user(&ctrl, arg, sizeof(ctrl))) 614 return -EFAULT; 615 if ((ret = check_ctrlrecip(ps, ctrl.bRequestType, ctrl.wIndex))) 616 return ret; 617 if (ctrl.wLength > PAGE_SIZE) 618 return -EINVAL; 619 if (!(tbuf = (unsigned char *)__get_free_page(GFP_KERNEL))) 620 return -ENOMEM; 621 tmo = ctrl.timeout; 622 if (ctrl.bRequestType & 0x80) { 623 if (ctrl.wLength && !access_ok(VERIFY_WRITE, ctrl.data, ctrl.wLength)) { 624 free_page((unsigned long)tbuf); 625 return -EINVAL; 626 } 627 snoop(&dev->dev, "control read: bRequest=%02x " 628 "bRrequestType=%02x wValue=%04x " 629 "wIndex=%04x wLength=%04x\n", 630 ctrl.bRequest, ctrl.bRequestType, ctrl.wValue, 631 ctrl.wIndex, ctrl.wLength); 632 633 usb_unlock_device(dev); 634 i = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0), ctrl.bRequest, ctrl.bRequestType, 635 ctrl.wValue, ctrl.wIndex, tbuf, ctrl.wLength, tmo); 636 usb_lock_device(dev); 637 if ((i > 0) && ctrl.wLength) { 638 if (usbfs_snoop) { 639 dev_info(&dev->dev, "control read: data "); 640 for (j = 0; j < i; ++j) 641 printk("%02x ", (unsigned char)(tbuf)[j]); 642 printk("\n"); 643 } 644 if (copy_to_user(ctrl.data, tbuf, i)) { 645 free_page((unsigned long)tbuf); 646 return -EFAULT; 647 } 648 } 649 } else { 650 if (ctrl.wLength) { 651 if (copy_from_user(tbuf, ctrl.data, ctrl.wLength)) { 652 free_page((unsigned long)tbuf); 653 return -EFAULT; 654 } 655 } 656 snoop(&dev->dev, "control write: bRequest=%02x " 657 "bRrequestType=%02x wValue=%04x " 658 "wIndex=%04x wLength=%04x\n", 659 ctrl.bRequest, ctrl.bRequestType, ctrl.wValue, 660 ctrl.wIndex, ctrl.wLength); 661 if (usbfs_snoop) { 662 dev_info(&dev->dev, "control write: data: "); 663 for (j = 0; j < ctrl.wLength; ++j) 664 printk("%02x ", (unsigned char)(tbuf)[j]); 665 printk("\n"); 666 } 667 usb_unlock_device(dev); 668 i = usb_control_msg(dev, usb_sndctrlpipe(dev, 0), ctrl.bRequest, ctrl.bRequestType, 669 ctrl.wValue, ctrl.wIndex, tbuf, ctrl.wLength, tmo); 670 usb_lock_device(dev); 671 } 672 free_page((unsigned long)tbuf); 673 if (i<0 && i != -EPIPE) { 674 dev_printk(KERN_DEBUG, &dev->dev, "usbfs: USBDEVFS_CONTROL " 675 "failed cmd %s rqt %u rq %u len %u ret %d\n", 676 current->comm, ctrl.bRequestType, ctrl.bRequest, 677 ctrl.wLength, i); 678 } 679 return i; 680 } 681 682 static int proc_bulk(struct dev_state *ps, void __user *arg) 683 { 684 struct usb_device *dev = ps->dev; 685 struct usbdevfs_bulktransfer bulk; 686 unsigned int tmo, len1, pipe; 687 int len2; 688 unsigned char *tbuf; 689 int i, j, ret; 690 691 if (copy_from_user(&bulk, arg, sizeof(bulk))) 692 return -EFAULT; 693 if ((ret = findintfep(ps->dev, bulk.ep)) < 0) 694 return ret; 695 if ((ret = checkintf(ps, ret))) 696 return ret; 697 if (bulk.ep & USB_DIR_IN) 698 pipe = usb_rcvbulkpipe(dev, bulk.ep & 0x7f); 699 else 700 pipe = usb_sndbulkpipe(dev, bulk.ep & 0x7f); 701 if (!usb_maxpacket(dev, pipe, !(bulk.ep & USB_DIR_IN))) 702 return -EINVAL; 703 len1 = bulk.len; 704 if (len1 > MAX_USBFS_BUFFER_SIZE) 705 return -EINVAL; 706 if (!(tbuf = kmalloc(len1, GFP_KERNEL))) 707 return -ENOMEM; 708 tmo = bulk.timeout; 709 if (bulk.ep & 0x80) { 710 if (len1 && !access_ok(VERIFY_WRITE, bulk.data, len1)) { 711 kfree(tbuf); 712 return -EINVAL; 713 } 714 snoop(&dev->dev, "bulk read: len=0x%02x timeout=%04d\n", 715 bulk.len, bulk.timeout); 716 usb_unlock_device(dev); 717 i = usb_bulk_msg(dev, pipe, tbuf, len1, &len2, tmo); 718 usb_lock_device(dev); 719 if (!i && len2) { 720 if (usbfs_snoop) { 721 dev_info(&dev->dev, "bulk read: data "); 722 for (j = 0; j < len2; ++j) 723 printk("%02x ", (unsigned char)(tbuf)[j]); 724 printk("\n"); 725 } 726 if (copy_to_user(bulk.data, tbuf, len2)) { 727 kfree(tbuf); 728 return -EFAULT; 729 } 730 } 731 } else { 732 if (len1) { 733 if (copy_from_user(tbuf, bulk.data, len1)) { 734 kfree(tbuf); 735 return -EFAULT; 736 } 737 } 738 snoop(&dev->dev, "bulk write: len=0x%02x timeout=%04d\n", 739 bulk.len, bulk.timeout); 740 if (usbfs_snoop) { 741 dev_info(&dev->dev, "bulk write: data: "); 742 for (j = 0; j < len1; ++j) 743 printk("%02x ", (unsigned char)(tbuf)[j]); 744 printk("\n"); 745 } 746 usb_unlock_device(dev); 747 i = usb_bulk_msg(dev, pipe, tbuf, len1, &len2, tmo); 748 usb_lock_device(dev); 749 } 750 kfree(tbuf); 751 if (i < 0) 752 return i; 753 return len2; 754 } 755 756 static int proc_resetep(struct dev_state *ps, void __user *arg) 757 { 758 unsigned int ep; 759 int ret; 760 761 if (get_user(ep, (unsigned int __user *)arg)) 762 return -EFAULT; 763 if ((ret = findintfep(ps->dev, ep)) < 0) 764 return ret; 765 if ((ret = checkintf(ps, ret))) 766 return ret; 767 usb_settoggle(ps->dev, ep & 0xf, !(ep & USB_DIR_IN), 0); 768 return 0; 769 } 770 771 static int proc_clearhalt(struct dev_state *ps, void __user *arg) 772 { 773 unsigned int ep; 774 int pipe; 775 int ret; 776 777 if (get_user(ep, (unsigned int __user *)arg)) 778 return -EFAULT; 779 if ((ret = findintfep(ps->dev, ep)) < 0) 780 return ret; 781 if ((ret = checkintf(ps, ret))) 782 return ret; 783 if (ep & USB_DIR_IN) 784 pipe = usb_rcvbulkpipe(ps->dev, ep & 0x7f); 785 else 786 pipe = usb_sndbulkpipe(ps->dev, ep & 0x7f); 787 788 return usb_clear_halt(ps->dev, pipe); 789 } 790 791 792 static int proc_getdriver(struct dev_state *ps, void __user *arg) 793 { 794 struct usbdevfs_getdriver gd; 795 struct usb_interface *intf; 796 int ret; 797 798 if (copy_from_user(&gd, arg, sizeof(gd))) 799 return -EFAULT; 800 down_read(&usb_bus_type.subsys.rwsem); 801 intf = usb_ifnum_to_if(ps->dev, gd.interface); 802 if (!intf || !intf->dev.driver) 803 ret = -ENODATA; 804 else { 805 strncpy(gd.driver, intf->dev.driver->name, 806 sizeof(gd.driver)); 807 ret = (copy_to_user(arg, &gd, sizeof(gd)) ? -EFAULT : 0); 808 } 809 up_read(&usb_bus_type.subsys.rwsem); 810 return ret; 811 } 812 813 static int proc_connectinfo(struct dev_state *ps, void __user *arg) 814 { 815 struct usbdevfs_connectinfo ci; 816 817 ci.devnum = ps->dev->devnum; 818 ci.slow = ps->dev->speed == USB_SPEED_LOW; 819 if (copy_to_user(arg, &ci, sizeof(ci))) 820 return -EFAULT; 821 return 0; 822 } 823 824 static int proc_resetdevice(struct dev_state *ps) 825 { 826 return usb_reset_device(ps->dev); 827 828 } 829 830 static int proc_setintf(struct dev_state *ps, void __user *arg) 831 { 832 struct usbdevfs_setinterface setintf; 833 int ret; 834 835 if (copy_from_user(&setintf, arg, sizeof(setintf))) 836 return -EFAULT; 837 if ((ret = checkintf(ps, setintf.interface))) 838 return ret; 839 return usb_set_interface(ps->dev, setintf.interface, 840 setintf.altsetting); 841 } 842 843 static int proc_setconfig(struct dev_state *ps, void __user *arg) 844 { 845 unsigned int u; 846 int status = 0; 847 struct usb_host_config *actconfig; 848 849 if (get_user(u, (unsigned int __user *)arg)) 850 return -EFAULT; 851 852 actconfig = ps->dev->actconfig; 853 854 /* Don't touch the device if any interfaces are claimed. 855 * It could interfere with other drivers' operations, and if 856 * an interface is claimed by usbfs it could easily deadlock. 857 */ 858 if (actconfig) { 859 int i; 860 861 for (i = 0; i < actconfig->desc.bNumInterfaces; ++i) { 862 if (usb_interface_claimed(actconfig->interface[i])) { 863 dev_warn (&ps->dev->dev, 864 "usbfs: interface %d claimed by %s " 865 "while '%s' sets config #%d\n", 866 actconfig->interface[i] 867 ->cur_altsetting 868 ->desc.bInterfaceNumber, 869 actconfig->interface[i] 870 ->dev.driver->name, 871 current->comm, u); 872 status = -EBUSY; 873 break; 874 } 875 } 876 } 877 878 /* SET_CONFIGURATION is often abused as a "cheap" driver reset, 879 * so avoid usb_set_configuration()'s kick to sysfs 880 */ 881 if (status == 0) { 882 if (actconfig && actconfig->desc.bConfigurationValue == u) 883 status = usb_reset_configuration(ps->dev); 884 else 885 status = usb_set_configuration(ps->dev, u); 886 } 887 888 return status; 889 } 890 891 static int proc_do_submiturb(struct dev_state *ps, struct usbdevfs_urb *uurb, 892 struct usbdevfs_iso_packet_desc __user *iso_frame_desc, 893 void __user *arg) 894 { 895 struct usbdevfs_iso_packet_desc *isopkt = NULL; 896 struct usb_host_endpoint *ep; 897 struct async *as; 898 struct usb_ctrlrequest *dr = NULL; 899 unsigned int u, totlen, isofrmlen; 900 int ret, interval = 0, ifnum = -1; 901 902 if (uurb->flags & ~(USBDEVFS_URB_ISO_ASAP|USBDEVFS_URB_SHORT_NOT_OK| 903 URB_NO_FSBR|URB_ZERO_PACKET)) 904 return -EINVAL; 905 if (!uurb->buffer) 906 return -EINVAL; 907 if (uurb->signr != 0 && (uurb->signr < SIGRTMIN || uurb->signr > SIGRTMAX)) 908 return -EINVAL; 909 if (!(uurb->type == USBDEVFS_URB_TYPE_CONTROL && (uurb->endpoint & ~USB_ENDPOINT_DIR_MASK) == 0)) { 910 if ((ifnum = findintfep(ps->dev, uurb->endpoint)) < 0) 911 return ifnum; 912 if ((ret = checkintf(ps, ifnum))) 913 return ret; 914 } 915 if ((uurb->endpoint & USB_ENDPOINT_DIR_MASK) != 0) 916 ep = ps->dev->ep_in [uurb->endpoint & USB_ENDPOINT_NUMBER_MASK]; 917 else 918 ep = ps->dev->ep_out [uurb->endpoint & USB_ENDPOINT_NUMBER_MASK]; 919 if (!ep) 920 return -ENOENT; 921 switch(uurb->type) { 922 case USBDEVFS_URB_TYPE_CONTROL: 923 if ((ep->desc.bmAttributes & USB_ENDPOINT_XFERTYPE_MASK) 924 != USB_ENDPOINT_XFER_CONTROL) 925 return -EINVAL; 926 /* min 8 byte setup packet, max arbitrary */ 927 if (uurb->buffer_length < 8 || uurb->buffer_length > PAGE_SIZE) 928 return -EINVAL; 929 if (!(dr = kmalloc(sizeof(struct usb_ctrlrequest), GFP_KERNEL))) 930 return -ENOMEM; 931 if (copy_from_user(dr, uurb->buffer, 8)) { 932 kfree(dr); 933 return -EFAULT; 934 } 935 if (uurb->buffer_length < (le16_to_cpup(&dr->wLength) + 8)) { 936 kfree(dr); 937 return -EINVAL; 938 } 939 if ((ret = check_ctrlrecip(ps, dr->bRequestType, le16_to_cpup(&dr->wIndex)))) { 940 kfree(dr); 941 return ret; 942 } 943 uurb->endpoint = (uurb->endpoint & ~USB_ENDPOINT_DIR_MASK) | (dr->bRequestType & USB_ENDPOINT_DIR_MASK); 944 uurb->number_of_packets = 0; 945 uurb->buffer_length = le16_to_cpup(&dr->wLength); 946 uurb->buffer += 8; 947 if (!access_ok((uurb->endpoint & USB_DIR_IN) ? VERIFY_WRITE : VERIFY_READ, uurb->buffer, uurb->buffer_length)) { 948 kfree(dr); 949 return -EFAULT; 950 } 951 snoop(&ps->dev->dev, "control urb\n"); 952 break; 953 954 case USBDEVFS_URB_TYPE_BULK: 955 switch (ep->desc.bmAttributes & USB_ENDPOINT_XFERTYPE_MASK) { 956 case USB_ENDPOINT_XFER_CONTROL: 957 case USB_ENDPOINT_XFER_ISOC: 958 return -EINVAL; 959 /* allow single-shot interrupt transfers, at bogus rates */ 960 } 961 uurb->number_of_packets = 0; 962 if (uurb->buffer_length > MAX_USBFS_BUFFER_SIZE) 963 return -EINVAL; 964 if (!access_ok((uurb->endpoint & USB_DIR_IN) ? VERIFY_WRITE : VERIFY_READ, uurb->buffer, uurb->buffer_length)) 965 return -EFAULT; 966 snoop(&ps->dev->dev, "bulk urb\n"); 967 break; 968 969 case USBDEVFS_URB_TYPE_ISO: 970 /* arbitrary limit */ 971 if (uurb->number_of_packets < 1 || uurb->number_of_packets > 128) 972 return -EINVAL; 973 if ((ep->desc.bmAttributes & USB_ENDPOINT_XFERTYPE_MASK) 974 != USB_ENDPOINT_XFER_ISOC) 975 return -EINVAL; 976 interval = 1 << min (15, ep->desc.bInterval - 1); 977 isofrmlen = sizeof(struct usbdevfs_iso_packet_desc) * uurb->number_of_packets; 978 if (!(isopkt = kmalloc(isofrmlen, GFP_KERNEL))) 979 return -ENOMEM; 980 if (copy_from_user(isopkt, iso_frame_desc, isofrmlen)) { 981 kfree(isopkt); 982 return -EFAULT; 983 } 984 for (totlen = u = 0; u < uurb->number_of_packets; u++) { 985 if (isopkt[u].length > 1023) { 986 kfree(isopkt); 987 return -EINVAL; 988 } 989 totlen += isopkt[u].length; 990 } 991 if (totlen > 32768) { 992 kfree(isopkt); 993 return -EINVAL; 994 } 995 uurb->buffer_length = totlen; 996 snoop(&ps->dev->dev, "iso urb\n"); 997 break; 998 999 case USBDEVFS_URB_TYPE_INTERRUPT: 1000 uurb->number_of_packets = 0; 1001 if ((ep->desc.bmAttributes & USB_ENDPOINT_XFERTYPE_MASK) 1002 != USB_ENDPOINT_XFER_INT) 1003 return -EINVAL; 1004 if (ps->dev->speed == USB_SPEED_HIGH) 1005 interval = 1 << min (15, ep->desc.bInterval - 1); 1006 else 1007 interval = ep->desc.bInterval; 1008 if (uurb->buffer_length > MAX_USBFS_BUFFER_SIZE) 1009 return -EINVAL; 1010 if (!access_ok((uurb->endpoint & USB_DIR_IN) ? VERIFY_WRITE : VERIFY_READ, uurb->buffer, uurb->buffer_length)) 1011 return -EFAULT; 1012 snoop(&ps->dev->dev, "interrupt urb\n"); 1013 break; 1014 1015 default: 1016 return -EINVAL; 1017 } 1018 if (!(as = alloc_async(uurb->number_of_packets))) { 1019 kfree(isopkt); 1020 kfree(dr); 1021 return -ENOMEM; 1022 } 1023 if (!(as->urb->transfer_buffer = kmalloc(uurb->buffer_length, GFP_KERNEL))) { 1024 kfree(isopkt); 1025 kfree(dr); 1026 free_async(as); 1027 return -ENOMEM; 1028 } 1029 as->urb->dev = ps->dev; 1030 as->urb->pipe = (uurb->type << 30) | __create_pipe(ps->dev, uurb->endpoint & 0xf) | (uurb->endpoint & USB_DIR_IN); 1031 as->urb->transfer_flags = uurb->flags; 1032 as->urb->transfer_buffer_length = uurb->buffer_length; 1033 as->urb->setup_packet = (unsigned char*)dr; 1034 as->urb->start_frame = uurb->start_frame; 1035 as->urb->number_of_packets = uurb->number_of_packets; 1036 as->urb->interval = interval; 1037 as->urb->context = as; 1038 as->urb->complete = async_completed; 1039 for (totlen = u = 0; u < uurb->number_of_packets; u++) { 1040 as->urb->iso_frame_desc[u].offset = totlen; 1041 as->urb->iso_frame_desc[u].length = isopkt[u].length; 1042 totlen += isopkt[u].length; 1043 } 1044 kfree(isopkt); 1045 as->ps = ps; 1046 as->userurb = arg; 1047 if (uurb->endpoint & USB_DIR_IN) 1048 as->userbuffer = uurb->buffer; 1049 else 1050 as->userbuffer = NULL; 1051 as->signr = uurb->signr; 1052 as->ifnum = ifnum; 1053 as->pid = current->pid; 1054 as->uid = current->uid; 1055 as->euid = current->euid; 1056 if (!(uurb->endpoint & USB_DIR_IN)) { 1057 if (copy_from_user(as->urb->transfer_buffer, uurb->buffer, as->urb->transfer_buffer_length)) { 1058 free_async(as); 1059 return -EFAULT; 1060 } 1061 } 1062 snoop(&as->urb->dev->dev, "submit urb\n"); 1063 snoop_urb(as->urb, as->userurb); 1064 async_newpending(as); 1065 if ((ret = usb_submit_urb(as->urb, GFP_KERNEL))) { 1066 dev_printk(KERN_DEBUG, &ps->dev->dev, "usbfs: usb_submit_urb returned %d\n", ret); 1067 async_removepending(as); 1068 free_async(as); 1069 return ret; 1070 } 1071 return 0; 1072 } 1073 1074 static int proc_submiturb(struct dev_state *ps, void __user *arg) 1075 { 1076 struct usbdevfs_urb uurb; 1077 1078 if (copy_from_user(&uurb, arg, sizeof(uurb))) 1079 return -EFAULT; 1080 1081 return proc_do_submiturb(ps, &uurb, (((struct usbdevfs_urb __user *)arg)->iso_frame_desc), arg); 1082 } 1083 1084 static int proc_unlinkurb(struct dev_state *ps, void __user *arg) 1085 { 1086 struct async *as; 1087 1088 as = async_getpending(ps, arg); 1089 if (!as) 1090 return -EINVAL; 1091 usb_kill_urb(as->urb); 1092 return 0; 1093 } 1094 1095 static int processcompl(struct async *as, void __user * __user *arg) 1096 { 1097 struct urb *urb = as->urb; 1098 struct usbdevfs_urb __user *userurb = as->userurb; 1099 void __user *addr = as->userurb; 1100 unsigned int i; 1101 1102 if (as->userbuffer) 1103 if (copy_to_user(as->userbuffer, urb->transfer_buffer, urb->transfer_buffer_length)) 1104 return -EFAULT; 1105 if (put_user(urb->status, &userurb->status)) 1106 return -EFAULT; 1107 if (put_user(urb->actual_length, &userurb->actual_length)) 1108 return -EFAULT; 1109 if (put_user(urb->error_count, &userurb->error_count)) 1110 return -EFAULT; 1111 1112 if (usb_pipeisoc(urb->pipe)) { 1113 for (i = 0; i < urb->number_of_packets; i++) { 1114 if (put_user(urb->iso_frame_desc[i].actual_length, 1115 &userurb->iso_frame_desc[i].actual_length)) 1116 return -EFAULT; 1117 if (put_user(urb->iso_frame_desc[i].status, 1118 &userurb->iso_frame_desc[i].status)) 1119 return -EFAULT; 1120 } 1121 } 1122 1123 free_async(as); 1124 1125 if (put_user(addr, (void __user * __user *)arg)) 1126 return -EFAULT; 1127 return 0; 1128 } 1129 1130 static struct async* reap_as(struct dev_state *ps) 1131 { 1132 DECLARE_WAITQUEUE(wait, current); 1133 struct async *as = NULL; 1134 struct usb_device *dev = ps->dev; 1135 1136 add_wait_queue(&ps->wait, &wait); 1137 for (;;) { 1138 __set_current_state(TASK_INTERRUPTIBLE); 1139 if ((as = async_getcompleted(ps))) 1140 break; 1141 if (signal_pending(current)) 1142 break; 1143 usb_unlock_device(dev); 1144 schedule(); 1145 usb_lock_device(dev); 1146 } 1147 remove_wait_queue(&ps->wait, &wait); 1148 set_current_state(TASK_RUNNING); 1149 return as; 1150 } 1151 1152 static int proc_reapurb(struct dev_state *ps, void __user *arg) 1153 { 1154 struct async *as = reap_as(ps); 1155 if (as) 1156 return processcompl(as, (void __user * __user *)arg); 1157 if (signal_pending(current)) 1158 return -EINTR; 1159 return -EIO; 1160 } 1161 1162 static int proc_reapurbnonblock(struct dev_state *ps, void __user *arg) 1163 { 1164 struct async *as; 1165 1166 if (!(as = async_getcompleted(ps))) 1167 return -EAGAIN; 1168 return processcompl(as, (void __user * __user *)arg); 1169 } 1170 1171 #ifdef CONFIG_COMPAT 1172 1173 static int get_urb32(struct usbdevfs_urb *kurb, 1174 struct usbdevfs_urb32 __user *uurb) 1175 { 1176 __u32 uptr; 1177 if (get_user(kurb->type, &uurb->type) || 1178 __get_user(kurb->endpoint, &uurb->endpoint) || 1179 __get_user(kurb->status, &uurb->status) || 1180 __get_user(kurb->flags, &uurb->flags) || 1181 __get_user(kurb->buffer_length, &uurb->buffer_length) || 1182 __get_user(kurb->actual_length, &uurb->actual_length) || 1183 __get_user(kurb->start_frame, &uurb->start_frame) || 1184 __get_user(kurb->number_of_packets, &uurb->number_of_packets) || 1185 __get_user(kurb->error_count, &uurb->error_count) || 1186 __get_user(kurb->signr, &uurb->signr)) 1187 return -EFAULT; 1188 1189 if (__get_user(uptr, &uurb->buffer)) 1190 return -EFAULT; 1191 kurb->buffer = compat_ptr(uptr); 1192 if (__get_user(uptr, &uurb->buffer)) 1193 return -EFAULT; 1194 kurb->usercontext = compat_ptr(uptr); 1195 1196 return 0; 1197 } 1198 1199 static int proc_submiturb_compat(struct dev_state *ps, void __user *arg) 1200 { 1201 struct usbdevfs_urb uurb; 1202 1203 if (get_urb32(&uurb,(struct usbdevfs_urb32 *)arg)) 1204 return -EFAULT; 1205 1206 return proc_do_submiturb(ps, &uurb, ((struct usbdevfs_urb32 __user *)arg)->iso_frame_desc, arg); 1207 } 1208 1209 static int processcompl_compat(struct async *as, void __user * __user *arg) 1210 { 1211 struct urb *urb = as->urb; 1212 struct usbdevfs_urb32 __user *userurb = as->userurb; 1213 void __user *addr = as->userurb; 1214 unsigned int i; 1215 1216 if (as->userbuffer) 1217 if (copy_to_user(as->userbuffer, urb->transfer_buffer, urb->transfer_buffer_length)) 1218 return -EFAULT; 1219 if (put_user(urb->status, &userurb->status)) 1220 return -EFAULT; 1221 if (put_user(urb->actual_length, &userurb->actual_length)) 1222 return -EFAULT; 1223 if (put_user(urb->error_count, &userurb->error_count)) 1224 return -EFAULT; 1225 1226 if (usb_pipeisoc(urb->pipe)) { 1227 for (i = 0; i < urb->number_of_packets; i++) { 1228 if (put_user(urb->iso_frame_desc[i].actual_length, 1229 &userurb->iso_frame_desc[i].actual_length)) 1230 return -EFAULT; 1231 if (put_user(urb->iso_frame_desc[i].status, 1232 &userurb->iso_frame_desc[i].status)) 1233 return -EFAULT; 1234 } 1235 } 1236 1237 free_async(as); 1238 if (put_user((u32)(u64)addr, (u32 __user *)arg)) 1239 return -EFAULT; 1240 return 0; 1241 } 1242 1243 static int proc_reapurb_compat(struct dev_state *ps, void __user *arg) 1244 { 1245 struct async *as = reap_as(ps); 1246 if (as) 1247 return processcompl_compat(as, (void __user * __user *)arg); 1248 if (signal_pending(current)) 1249 return -EINTR; 1250 return -EIO; 1251 } 1252 1253 static int proc_reapurbnonblock_compat(struct dev_state *ps, void __user *arg) 1254 { 1255 struct async *as; 1256 1257 if (!(as = async_getcompleted(ps))) 1258 return -EAGAIN; 1259 return processcompl_compat(as, (void __user * __user *)arg); 1260 } 1261 1262 #endif 1263 1264 static int proc_disconnectsignal(struct dev_state *ps, void __user *arg) 1265 { 1266 struct usbdevfs_disconnectsignal ds; 1267 1268 if (copy_from_user(&ds, arg, sizeof(ds))) 1269 return -EFAULT; 1270 if (ds.signr != 0 && (ds.signr < SIGRTMIN || ds.signr > SIGRTMAX)) 1271 return -EINVAL; 1272 ps->discsignr = ds.signr; 1273 ps->disccontext = ds.context; 1274 return 0; 1275 } 1276 1277 static int proc_claiminterface(struct dev_state *ps, void __user *arg) 1278 { 1279 unsigned int ifnum; 1280 1281 if (get_user(ifnum, (unsigned int __user *)arg)) 1282 return -EFAULT; 1283 return claimintf(ps, ifnum); 1284 } 1285 1286 static int proc_releaseinterface(struct dev_state *ps, void __user *arg) 1287 { 1288 unsigned int ifnum; 1289 int ret; 1290 1291 if (get_user(ifnum, (unsigned int __user *)arg)) 1292 return -EFAULT; 1293 if ((ret = releaseintf(ps, ifnum)) < 0) 1294 return ret; 1295 destroy_async_on_interface (ps, ifnum); 1296 return 0; 1297 } 1298 1299 static int proc_ioctl(struct dev_state *ps, struct usbdevfs_ioctl *ctl) 1300 { 1301 int size; 1302 void *buf = NULL; 1303 int retval = 0; 1304 struct usb_interface *intf = NULL; 1305 struct usb_driver *driver = NULL; 1306 1307 /* alloc buffer */ 1308 if ((size = _IOC_SIZE (ctl->ioctl_code)) > 0) { 1309 if ((buf = kmalloc (size, GFP_KERNEL)) == NULL) 1310 return -ENOMEM; 1311 if ((_IOC_DIR(ctl->ioctl_code) & _IOC_WRITE)) { 1312 if (copy_from_user (buf, ctl->data, size)) { 1313 kfree(buf); 1314 return -EFAULT; 1315 } 1316 } else { 1317 memset (buf, 0, size); 1318 } 1319 } 1320 1321 if (!connected(ps->dev)) { 1322 kfree(buf); 1323 return -ENODEV; 1324 } 1325 1326 if (ps->dev->state != USB_STATE_CONFIGURED) 1327 retval = -EHOSTUNREACH; 1328 else if (!(intf = usb_ifnum_to_if (ps->dev, ctl->ifno))) 1329 retval = -EINVAL; 1330 else switch (ctl->ioctl_code) { 1331 1332 /* disconnect kernel driver from interface */ 1333 case USBDEVFS_DISCONNECT: 1334 1335 down_write(&usb_bus_type.subsys.rwsem); 1336 if (intf->dev.driver) { 1337 driver = to_usb_driver(intf->dev.driver); 1338 dev_dbg (&intf->dev, "disconnect by usbfs\n"); 1339 usb_driver_release_interface(driver, intf); 1340 } else 1341 retval = -ENODATA; 1342 up_write(&usb_bus_type.subsys.rwsem); 1343 break; 1344 1345 /* let kernel drivers try to (re)bind to the interface */ 1346 case USBDEVFS_CONNECT: 1347 usb_unlock_device(ps->dev); 1348 bus_rescan_devices(intf->dev.bus); 1349 usb_lock_device(ps->dev); 1350 break; 1351 1352 /* talk directly to the interface's driver */ 1353 default: 1354 down_read(&usb_bus_type.subsys.rwsem); 1355 if (intf->dev.driver) 1356 driver = to_usb_driver(intf->dev.driver); 1357 if (driver == NULL || driver->ioctl == NULL) { 1358 retval = -ENOTTY; 1359 } else { 1360 retval = driver->ioctl (intf, ctl->ioctl_code, buf); 1361 if (retval == -ENOIOCTLCMD) 1362 retval = -ENOTTY; 1363 } 1364 up_read(&usb_bus_type.subsys.rwsem); 1365 } 1366 1367 /* cleanup and return */ 1368 if (retval >= 0 1369 && (_IOC_DIR (ctl->ioctl_code) & _IOC_READ) != 0 1370 && size > 0 1371 && copy_to_user (ctl->data, buf, size) != 0) 1372 retval = -EFAULT; 1373 1374 kfree(buf); 1375 return retval; 1376 } 1377 1378 static int proc_ioctl_default(struct dev_state *ps, void __user *arg) 1379 { 1380 struct usbdevfs_ioctl ctrl; 1381 1382 if (copy_from_user(&ctrl, arg, sizeof (ctrl))) 1383 return -EFAULT; 1384 return proc_ioctl(ps, &ctrl); 1385 } 1386 1387 #ifdef CONFIG_COMPAT 1388 static int proc_ioctl_compat(struct dev_state *ps, compat_uptr_t arg) 1389 { 1390 struct usbdevfs_ioctl32 __user *uioc; 1391 struct usbdevfs_ioctl ctrl; 1392 u32 udata; 1393 1394 uioc = compat_ptr((long)arg); 1395 if (get_user(ctrl.ifno, &uioc->ifno) || 1396 get_user(ctrl.ioctl_code, &uioc->ioctl_code) || 1397 __get_user(udata, &uioc->data)) 1398 return -EFAULT; 1399 ctrl.data = compat_ptr(udata); 1400 1401 return proc_ioctl(ps, &ctrl); 1402 } 1403 #endif 1404 1405 /* 1406 * NOTE: All requests here that have interface numbers as parameters 1407 * are assuming that somehow the configuration has been prevented from 1408 * changing. But there's no mechanism to ensure that... 1409 */ 1410 static int usbdev_ioctl(struct inode *inode, struct file *file, unsigned int cmd, unsigned long arg) 1411 { 1412 struct dev_state *ps = (struct dev_state *)file->private_data; 1413 struct usb_device *dev = ps->dev; 1414 void __user *p = (void __user *)arg; 1415 int ret = -ENOTTY; 1416 1417 if (!(file->f_mode & FMODE_WRITE)) 1418 return -EPERM; 1419 usb_lock_device(dev); 1420 if (!connected(dev)) { 1421 usb_unlock_device(dev); 1422 return -ENODEV; 1423 } 1424 1425 switch (cmd) { 1426 case USBDEVFS_CONTROL: 1427 snoop(&dev->dev, "%s: CONTROL\n", __FUNCTION__); 1428 ret = proc_control(ps, p); 1429 if (ret >= 0) 1430 inode->i_mtime = CURRENT_TIME; 1431 break; 1432 1433 case USBDEVFS_BULK: 1434 snoop(&dev->dev, "%s: BULK\n", __FUNCTION__); 1435 ret = proc_bulk(ps, p); 1436 if (ret >= 0) 1437 inode->i_mtime = CURRENT_TIME; 1438 break; 1439 1440 case USBDEVFS_RESETEP: 1441 snoop(&dev->dev, "%s: RESETEP\n", __FUNCTION__); 1442 ret = proc_resetep(ps, p); 1443 if (ret >= 0) 1444 inode->i_mtime = CURRENT_TIME; 1445 break; 1446 1447 case USBDEVFS_RESET: 1448 snoop(&dev->dev, "%s: RESET\n", __FUNCTION__); 1449 ret = proc_resetdevice(ps); 1450 break; 1451 1452 case USBDEVFS_CLEAR_HALT: 1453 snoop(&dev->dev, "%s: CLEAR_HALT\n", __FUNCTION__); 1454 ret = proc_clearhalt(ps, p); 1455 if (ret >= 0) 1456 inode->i_mtime = CURRENT_TIME; 1457 break; 1458 1459 case USBDEVFS_GETDRIVER: 1460 snoop(&dev->dev, "%s: GETDRIVER\n", __FUNCTION__); 1461 ret = proc_getdriver(ps, p); 1462 break; 1463 1464 case USBDEVFS_CONNECTINFO: 1465 snoop(&dev->dev, "%s: CONNECTINFO\n", __FUNCTION__); 1466 ret = proc_connectinfo(ps, p); 1467 break; 1468 1469 case USBDEVFS_SETINTERFACE: 1470 snoop(&dev->dev, "%s: SETINTERFACE\n", __FUNCTION__); 1471 ret = proc_setintf(ps, p); 1472 break; 1473 1474 case USBDEVFS_SETCONFIGURATION: 1475 snoop(&dev->dev, "%s: SETCONFIGURATION\n", __FUNCTION__); 1476 ret = proc_setconfig(ps, p); 1477 break; 1478 1479 case USBDEVFS_SUBMITURB: 1480 snoop(&dev->dev, "%s: SUBMITURB\n", __FUNCTION__); 1481 ret = proc_submiturb(ps, p); 1482 if (ret >= 0) 1483 inode->i_mtime = CURRENT_TIME; 1484 break; 1485 1486 #ifdef CONFIG_COMPAT 1487 1488 case USBDEVFS_SUBMITURB32: 1489 snoop(&dev->dev, "%s: SUBMITURB32\n", __FUNCTION__); 1490 ret = proc_submiturb_compat(ps, p); 1491 if (ret >= 0) 1492 inode->i_mtime = CURRENT_TIME; 1493 break; 1494 1495 case USBDEVFS_REAPURB32: 1496 snoop(&dev->dev, "%s: REAPURB32\n", __FUNCTION__); 1497 ret = proc_reapurb_compat(ps, p); 1498 break; 1499 1500 case USBDEVFS_REAPURBNDELAY32: 1501 snoop(&dev->dev, "%s: REAPURBDELAY32\n", __FUNCTION__); 1502 ret = proc_reapurbnonblock_compat(ps, p); 1503 break; 1504 1505 case USBDEVFS_IOCTL32: 1506 snoop(&dev->dev, "%s: IOCTL\n", __FUNCTION__); 1507 ret = proc_ioctl_compat(ps, (compat_uptr_t)(long)p); 1508 break; 1509 #endif 1510 1511 case USBDEVFS_DISCARDURB: 1512 snoop(&dev->dev, "%s: DISCARDURB\n", __FUNCTION__); 1513 ret = proc_unlinkurb(ps, p); 1514 break; 1515 1516 case USBDEVFS_REAPURB: 1517 snoop(&dev->dev, "%s: REAPURB\n", __FUNCTION__); 1518 ret = proc_reapurb(ps, p); 1519 break; 1520 1521 case USBDEVFS_REAPURBNDELAY: 1522 snoop(&dev->dev, "%s: REAPURBDELAY\n", __FUNCTION__); 1523 ret = proc_reapurbnonblock(ps, p); 1524 break; 1525 1526 case USBDEVFS_DISCSIGNAL: 1527 snoop(&dev->dev, "%s: DISCSIGNAL\n", __FUNCTION__); 1528 ret = proc_disconnectsignal(ps, p); 1529 break; 1530 1531 case USBDEVFS_CLAIMINTERFACE: 1532 snoop(&dev->dev, "%s: CLAIMINTERFACE\n", __FUNCTION__); 1533 ret = proc_claiminterface(ps, p); 1534 break; 1535 1536 case USBDEVFS_RELEASEINTERFACE: 1537 snoop(&dev->dev, "%s: RELEASEINTERFACE\n", __FUNCTION__); 1538 ret = proc_releaseinterface(ps, p); 1539 break; 1540 1541 case USBDEVFS_IOCTL: 1542 snoop(&dev->dev, "%s: IOCTL\n", __FUNCTION__); 1543 ret = proc_ioctl_default(ps, p); 1544 break; 1545 } 1546 usb_unlock_device(dev); 1547 if (ret >= 0) 1548 inode->i_atime = CURRENT_TIME; 1549 return ret; 1550 } 1551 1552 /* No kernel lock - fine */ 1553 static unsigned int usbdev_poll(struct file *file, struct poll_table_struct *wait) 1554 { 1555 struct dev_state *ps = (struct dev_state *)file->private_data; 1556 unsigned int mask = 0; 1557 1558 poll_wait(file, &ps->wait, wait); 1559 if (file->f_mode & FMODE_WRITE && !list_empty(&ps->async_completed)) 1560 mask |= POLLOUT | POLLWRNORM; 1561 if (!connected(ps->dev)) 1562 mask |= POLLERR | POLLHUP; 1563 return mask; 1564 } 1565 1566 struct file_operations usbfs_device_file_operations = { 1567 .llseek = usbdev_lseek, 1568 .read = usbdev_read, 1569 .poll = usbdev_poll, 1570 .ioctl = usbdev_ioctl, 1571 .open = usbdev_open, 1572 .release = usbdev_release, 1573 }; 1574 1575 static void usbdev_add(struct usb_device *dev) 1576 { 1577 int minor = ((dev->bus->busnum-1) * 128) + (dev->devnum-1); 1578 1579 dev->class_dev = class_device_create(usb_device_class, NULL, 1580 MKDEV(USB_DEVICE_MAJOR, minor), &dev->dev, 1581 "usbdev%d.%d", dev->bus->busnum, dev->devnum); 1582 1583 dev->class_dev->class_data = dev; 1584 } 1585 1586 static void usbdev_remove(struct usb_device *dev) 1587 { 1588 class_device_unregister(dev->class_dev); 1589 } 1590 1591 static int usbdev_notify(struct notifier_block *self, unsigned long action, 1592 void *dev) 1593 { 1594 switch (action) { 1595 case USB_DEVICE_ADD: 1596 usbdev_add(dev); 1597 break; 1598 case USB_DEVICE_REMOVE: 1599 usbdev_remove(dev); 1600 break; 1601 } 1602 return NOTIFY_OK; 1603 } 1604 1605 static struct notifier_block usbdev_nb = { 1606 .notifier_call = usbdev_notify, 1607 }; 1608 1609 static struct cdev usb_device_cdev = { 1610 .kobj = {.name = "usb_device", }, 1611 .owner = THIS_MODULE, 1612 }; 1613 1614 int __init usbdev_init(void) 1615 { 1616 int retval; 1617 1618 retval = register_chrdev_region(USB_DEVICE_DEV, USB_DEVICE_MAX, 1619 "usb_device"); 1620 if (retval) { 1621 err("unable to register minors for usb_device"); 1622 goto out; 1623 } 1624 cdev_init(&usb_device_cdev, &usbfs_device_file_operations); 1625 retval = cdev_add(&usb_device_cdev, USB_DEVICE_DEV, USB_DEVICE_MAX); 1626 if (retval) { 1627 err("unable to get usb_device major %d", USB_DEVICE_MAJOR); 1628 goto error_cdev; 1629 } 1630 usb_device_class = class_create(THIS_MODULE, "usb_device"); 1631 if (IS_ERR(usb_device_class)) { 1632 err("unable to register usb_device class"); 1633 retval = PTR_ERR(usb_device_class); 1634 goto error_class; 1635 } 1636 1637 usb_register_notify(&usbdev_nb); 1638 1639 out: 1640 return retval; 1641 1642 error_class: 1643 usb_device_class = NULL; 1644 cdev_del(&usb_device_cdev); 1645 1646 error_cdev: 1647 unregister_chrdev_region(USB_DEVICE_DEV, USB_DEVICE_MAX); 1648 goto out; 1649 } 1650 1651 void usbdev_cleanup(void) 1652 { 1653 usb_unregister_notify(&usbdev_nb); 1654 class_destroy(usb_device_class); 1655 cdev_del(&usb_device_cdev); 1656 unregister_chrdev_region(USB_DEVICE_DEV, USB_DEVICE_MAX); 1657 } 1658 1659