1 /* 2 * The USB Monitor, inspired by Dave Harding's USBMon. 3 * 4 * This is a text format reader. 5 */ 6 7 #include <linux/kernel.h> 8 #include <linux/list.h> 9 #include <linux/usb.h> 10 #include <linux/time.h> 11 #include <linux/mutex.h> 12 #include <asm/uaccess.h> 13 14 #include "usb_mon.h" 15 16 /* 17 * No, we do not want arbitrarily long data strings. 18 * Use the binary interface if you want to capture bulk data! 19 */ 20 #define DATA_MAX 32 21 22 /* 23 * Defined by USB 2.0 clause 9.3, table 9.2. 24 */ 25 #define SETUP_MAX 8 26 27 /* 28 * This limit exists to prevent OOMs when the user process stops reading. 29 * If usbmon were available to unprivileged processes, it might be open 30 * to a local DoS. But we have to keep to root in order to prevent 31 * password sniffing from HID devices. 32 */ 33 #define EVENT_MAX (2*PAGE_SIZE / sizeof(struct mon_event_text)) 34 35 #define PRINTF_DFL 160 36 37 struct mon_event_text { 38 struct list_head e_link; 39 int type; /* submit, complete, etc. */ 40 unsigned int pipe; /* Pipe */ 41 unsigned long id; /* From pointer, most of the time */ 42 unsigned int tstamp; 43 int length; /* Depends on type: xfer length or act length */ 44 int status; 45 char setup_flag; 46 char data_flag; 47 unsigned char setup[SETUP_MAX]; 48 unsigned char data[DATA_MAX]; 49 }; 50 51 #define SLAB_NAME_SZ 30 52 struct mon_reader_text { 53 kmem_cache_t *e_slab; 54 int nevents; 55 struct list_head e_list; 56 struct mon_reader r; /* In C, parent class can be placed anywhere */ 57 58 wait_queue_head_t wait; 59 int printf_size; 60 char *printf_buf; 61 struct mutex printf_lock; 62 63 char slab_name[SLAB_NAME_SZ]; 64 }; 65 66 static void mon_text_ctor(void *, kmem_cache_t *, unsigned long); 67 68 /* 69 * mon_text_submit 70 * mon_text_complete 71 * 72 * May be called from an interrupt. 73 * 74 * This is called with the whole mon_bus locked, so no additional lock. 75 */ 76 77 static inline char mon_text_get_setup(struct mon_event_text *ep, 78 struct urb *urb, char ev_type) 79 { 80 81 if (!usb_pipecontrol(urb->pipe) || ev_type != 'S') 82 return '-'; 83 84 if (urb->transfer_flags & URB_NO_SETUP_DMA_MAP) 85 return mon_dmapeek(ep->setup, urb->setup_dma, SETUP_MAX); 86 if (urb->setup_packet == NULL) 87 return 'Z'; /* '0' would be not as pretty. */ 88 89 memcpy(ep->setup, urb->setup_packet, SETUP_MAX); 90 return 0; 91 } 92 93 static inline char mon_text_get_data(struct mon_event_text *ep, struct urb *urb, 94 int len, char ev_type) 95 { 96 int pipe = urb->pipe; 97 98 if (len <= 0) 99 return 'L'; 100 if (len >= DATA_MAX) 101 len = DATA_MAX; 102 103 if (usb_pipein(pipe)) { 104 if (ev_type == 'S') 105 return '<'; 106 } else { 107 if (ev_type == 'C') 108 return '>'; 109 } 110 111 /* 112 * The check to see if it's safe to poke at data has an enormous 113 * number of corner cases, but it seems that the following is 114 * more or less safe. 115 * 116 * We do not even try to look at transfer_buffer, because it can 117 * contain non-NULL garbage in case the upper level promised to 118 * set DMA for the HCD. 119 */ 120 if (urb->transfer_flags & URB_NO_TRANSFER_DMA_MAP) 121 return mon_dmapeek(ep->data, urb->transfer_dma, len); 122 123 if (urb->transfer_buffer == NULL) 124 return 'Z'; /* '0' would be not as pretty. */ 125 126 memcpy(ep->data, urb->transfer_buffer, len); 127 return 0; 128 } 129 130 static inline unsigned int mon_get_timestamp(void) 131 { 132 struct timeval tval; 133 unsigned int stamp; 134 135 do_gettimeofday(&tval); 136 stamp = tval.tv_sec & 0xFFFF; /* 2^32 = 4294967296. Limit to 4096s. */ 137 stamp = stamp * 1000000 + tval.tv_usec; 138 return stamp; 139 } 140 141 static void mon_text_event(struct mon_reader_text *rp, struct urb *urb, 142 char ev_type) 143 { 144 struct mon_event_text *ep; 145 unsigned int stamp; 146 147 stamp = mon_get_timestamp(); 148 149 if (rp->nevents >= EVENT_MAX || 150 (ep = kmem_cache_alloc(rp->e_slab, SLAB_ATOMIC)) == NULL) { 151 rp->r.m_bus->cnt_text_lost++; 152 return; 153 } 154 155 ep->type = ev_type; 156 ep->pipe = urb->pipe; 157 ep->id = (unsigned long) urb; 158 ep->tstamp = stamp; 159 ep->length = (ev_type == 'S') ? 160 urb->transfer_buffer_length : urb->actual_length; 161 /* Collecting status makes debugging sense for submits, too */ 162 ep->status = urb->status; 163 164 ep->setup_flag = mon_text_get_setup(ep, urb, ev_type); 165 ep->data_flag = mon_text_get_data(ep, urb, ep->length, ev_type); 166 167 rp->nevents++; 168 list_add_tail(&ep->e_link, &rp->e_list); 169 wake_up(&rp->wait); 170 } 171 172 static void mon_text_submit(void *data, struct urb *urb) 173 { 174 struct mon_reader_text *rp = data; 175 mon_text_event(rp, urb, 'S'); 176 } 177 178 static void mon_text_complete(void *data, struct urb *urb) 179 { 180 struct mon_reader_text *rp = data; 181 mon_text_event(rp, urb, 'C'); 182 } 183 184 static void mon_text_error(void *data, struct urb *urb, int error) 185 { 186 struct mon_reader_text *rp = data; 187 struct mon_event_text *ep; 188 189 if (rp->nevents >= EVENT_MAX || 190 (ep = kmem_cache_alloc(rp->e_slab, SLAB_ATOMIC)) == NULL) { 191 rp->r.m_bus->cnt_text_lost++; 192 return; 193 } 194 195 ep->type = 'E'; 196 ep->pipe = urb->pipe; 197 ep->id = (unsigned long) urb; 198 ep->tstamp = 0; 199 ep->length = 0; 200 ep->status = error; 201 202 ep->setup_flag = '-'; 203 ep->data_flag = 'E'; 204 205 rp->nevents++; 206 list_add_tail(&ep->e_link, &rp->e_list); 207 wake_up(&rp->wait); 208 } 209 210 /* 211 * Fetch next event from the circular buffer. 212 */ 213 static struct mon_event_text *mon_text_fetch(struct mon_reader_text *rp, 214 struct mon_bus *mbus) 215 { 216 struct list_head *p; 217 unsigned long flags; 218 219 spin_lock_irqsave(&mbus->lock, flags); 220 if (list_empty(&rp->e_list)) { 221 spin_unlock_irqrestore(&mbus->lock, flags); 222 return NULL; 223 } 224 p = rp->e_list.next; 225 list_del(p); 226 --rp->nevents; 227 spin_unlock_irqrestore(&mbus->lock, flags); 228 return list_entry(p, struct mon_event_text, e_link); 229 } 230 231 /* 232 */ 233 static int mon_text_open(struct inode *inode, struct file *file) 234 { 235 struct mon_bus *mbus; 236 struct usb_bus *ubus; 237 struct mon_reader_text *rp; 238 int rc; 239 240 mutex_lock(&mon_lock); 241 mbus = inode->u.generic_ip; 242 ubus = mbus->u_bus; 243 244 rp = kzalloc(sizeof(struct mon_reader_text), GFP_KERNEL); 245 if (rp == NULL) { 246 rc = -ENOMEM; 247 goto err_alloc; 248 } 249 INIT_LIST_HEAD(&rp->e_list); 250 init_waitqueue_head(&rp->wait); 251 mutex_init(&rp->printf_lock); 252 253 rp->printf_size = PRINTF_DFL; 254 rp->printf_buf = kmalloc(rp->printf_size, GFP_KERNEL); 255 if (rp->printf_buf == NULL) { 256 rc = -ENOMEM; 257 goto err_alloc_pr; 258 } 259 260 rp->r.m_bus = mbus; 261 rp->r.r_data = rp; 262 rp->r.rnf_submit = mon_text_submit; 263 rp->r.rnf_error = mon_text_error; 264 rp->r.rnf_complete = mon_text_complete; 265 266 snprintf(rp->slab_name, SLAB_NAME_SZ, "mon%dt_%lx", ubus->busnum, 267 (long)rp); 268 rp->e_slab = kmem_cache_create(rp->slab_name, 269 sizeof(struct mon_event_text), sizeof(long), 0, 270 mon_text_ctor, NULL); 271 if (rp->e_slab == NULL) { 272 rc = -ENOMEM; 273 goto err_slab; 274 } 275 276 mon_reader_add(mbus, &rp->r); 277 278 file->private_data = rp; 279 mutex_unlock(&mon_lock); 280 return 0; 281 282 // err_busy: 283 // kmem_cache_destroy(rp->e_slab); 284 err_slab: 285 kfree(rp->printf_buf); 286 err_alloc_pr: 287 kfree(rp); 288 err_alloc: 289 mutex_unlock(&mon_lock); 290 return rc; 291 } 292 293 /* 294 * For simplicity, we read one record in one system call and throw out 295 * what does not fit. This means that the following does not work: 296 * dd if=/dbg/usbmon/0t bs=10 297 * Also, we do not allow seeks and do not bother advancing the offset. 298 */ 299 static ssize_t mon_text_read(struct file *file, char __user *buf, 300 size_t nbytes, loff_t *ppos) 301 { 302 struct mon_reader_text *rp = file->private_data; 303 struct mon_bus *mbus = rp->r.m_bus; 304 DECLARE_WAITQUEUE(waita, current); 305 struct mon_event_text *ep; 306 int cnt, limit; 307 char *pbuf; 308 char udir, utype; 309 int data_len, i; 310 311 add_wait_queue(&rp->wait, &waita); 312 set_current_state(TASK_INTERRUPTIBLE); 313 while ((ep = mon_text_fetch(rp, mbus)) == NULL) { 314 if (file->f_flags & O_NONBLOCK) { 315 set_current_state(TASK_RUNNING); 316 remove_wait_queue(&rp->wait, &waita); 317 return -EWOULDBLOCK; /* Same as EAGAIN in Linux */ 318 } 319 /* 320 * We do not count nwaiters, because ->release is supposed 321 * to be called when all openers are gone only. 322 */ 323 schedule(); 324 if (signal_pending(current)) { 325 remove_wait_queue(&rp->wait, &waita); 326 return -EINTR; 327 } 328 set_current_state(TASK_INTERRUPTIBLE); 329 } 330 set_current_state(TASK_RUNNING); 331 remove_wait_queue(&rp->wait, &waita); 332 333 mutex_lock(&rp->printf_lock); 334 cnt = 0; 335 pbuf = rp->printf_buf; 336 limit = rp->printf_size; 337 338 udir = usb_pipein(ep->pipe) ? 'i' : 'o'; 339 switch (usb_pipetype(ep->pipe)) { 340 case PIPE_ISOCHRONOUS: utype = 'Z'; break; 341 case PIPE_INTERRUPT: utype = 'I'; break; 342 case PIPE_CONTROL: utype = 'C'; break; 343 default: /* PIPE_BULK */ utype = 'B'; 344 } 345 cnt += snprintf(pbuf + cnt, limit - cnt, 346 "%lx %u %c %c%c:%03u:%02u", 347 ep->id, ep->tstamp, ep->type, 348 utype, udir, usb_pipedevice(ep->pipe), usb_pipeendpoint(ep->pipe)); 349 350 if (ep->setup_flag == 0) { /* Setup packet is present and captured */ 351 cnt += snprintf(pbuf + cnt, limit - cnt, 352 " s %02x %02x %04x %04x %04x", 353 ep->setup[0], 354 ep->setup[1], 355 (ep->setup[3] << 8) | ep->setup[2], 356 (ep->setup[5] << 8) | ep->setup[4], 357 (ep->setup[7] << 8) | ep->setup[6]); 358 } else if (ep->setup_flag != '-') { /* Unable to capture setup packet */ 359 cnt += snprintf(pbuf + cnt, limit - cnt, 360 " %c __ __ ____ ____ ____", ep->setup_flag); 361 } else { /* No setup for this kind of URB */ 362 cnt += snprintf(pbuf + cnt, limit - cnt, " %d", ep->status); 363 } 364 cnt += snprintf(pbuf + cnt, limit - cnt, " %d", ep->length); 365 366 if ((data_len = ep->length) > 0) { 367 if (ep->data_flag == 0) { 368 cnt += snprintf(pbuf + cnt, limit - cnt, " ="); 369 if (data_len >= DATA_MAX) 370 data_len = DATA_MAX; 371 for (i = 0; i < data_len; i++) { 372 if (i % 4 == 0) { 373 cnt += snprintf(pbuf + cnt, limit - cnt, 374 " "); 375 } 376 cnt += snprintf(pbuf + cnt, limit - cnt, 377 "%02x", ep->data[i]); 378 } 379 cnt += snprintf(pbuf + cnt, limit - cnt, "\n"); 380 } else { 381 cnt += snprintf(pbuf + cnt, limit - cnt, 382 " %c\n", ep->data_flag); 383 } 384 } else { 385 cnt += snprintf(pbuf + cnt, limit - cnt, "\n"); 386 } 387 388 if (copy_to_user(buf, rp->printf_buf, cnt)) 389 cnt = -EFAULT; 390 mutex_unlock(&rp->printf_lock); 391 kmem_cache_free(rp->e_slab, ep); 392 return cnt; 393 } 394 395 static int mon_text_release(struct inode *inode, struct file *file) 396 { 397 struct mon_reader_text *rp = file->private_data; 398 struct mon_bus *mbus; 399 /* unsigned long flags; */ 400 struct list_head *p; 401 struct mon_event_text *ep; 402 403 mutex_lock(&mon_lock); 404 mbus = inode->u.generic_ip; 405 406 if (mbus->nreaders <= 0) { 407 printk(KERN_ERR TAG ": consistency error on close\n"); 408 mutex_unlock(&mon_lock); 409 return 0; 410 } 411 mon_reader_del(mbus, &rp->r); 412 413 /* 414 * In theory, e_list is protected by mbus->lock. However, 415 * after mon_reader_del has finished, the following is the case: 416 * - we are not on reader list anymore, so new events won't be added; 417 * - whole mbus may be dropped if it was orphaned. 418 * So, we better not touch mbus. 419 */ 420 /* spin_lock_irqsave(&mbus->lock, flags); */ 421 while (!list_empty(&rp->e_list)) { 422 p = rp->e_list.next; 423 ep = list_entry(p, struct mon_event_text, e_link); 424 list_del(p); 425 --rp->nevents; 426 kmem_cache_free(rp->e_slab, ep); 427 } 428 /* spin_unlock_irqrestore(&mbus->lock, flags); */ 429 430 kmem_cache_destroy(rp->e_slab); 431 kfree(rp->printf_buf); 432 kfree(rp); 433 434 mutex_unlock(&mon_lock); 435 return 0; 436 } 437 438 struct file_operations mon_fops_text = { 439 .owner = THIS_MODULE, 440 .open = mon_text_open, 441 .llseek = no_llseek, 442 .read = mon_text_read, 443 /* .write = mon_text_write, */ 444 /* .poll = mon_text_poll, */ 445 /* .ioctl = mon_text_ioctl, */ 446 .release = mon_text_release, 447 }; 448 449 /* 450 * Slab interface: constructor. 451 */ 452 static void mon_text_ctor(void *mem, kmem_cache_t *slab, unsigned long sflags) 453 { 454 /* 455 * Nothing to initialize. No, really! 456 * So, we fill it with garbage to emulate a reused object. 457 */ 458 memset(mem, 0xe5, sizeof(struct mon_event_text)); 459 } 460 461