1 // SPDX-License-Identifier: GPL-2.0+
2 /*****************************************************************************/
3 
4 /*
5  *      devio.c  --  User space communication with USB devices.
6  *
7  *      Copyright (C) 1999-2000  Thomas Sailer (sailer@ife.ee.ethz.ch)
8  *
9  *  This file implements the usbfs/x/y files, where
10  *  x is the bus number and y the device number.
11  *
12  *  It allows user space programs/"drivers" to communicate directly
13  *  with USB devices without intervening kernel driver.
14  *
15  *  Revision history
16  *    22.12.1999   0.1   Initial release (split from proc_usb.c)
17  *    04.01.2000   0.2   Turned into its own filesystem
18  *    30.09.2005   0.3   Fix user-triggerable oops in async URB delivery
19  *    			 (CAN-2005-3055)
20  */
21 
22 /*****************************************************************************/
23 
24 #include <linux/fs.h>
25 #include <linux/mm.h>
26 #include <linux/sched/signal.h>
27 #include <linux/slab.h>
28 #include <linux/signal.h>
29 #include <linux/poll.h>
30 #include <linux/module.h>
31 #include <linux/string.h>
32 #include <linux/usb.h>
33 #include <linux/usbdevice_fs.h>
34 #include <linux/usb/hcd.h>	/* for usbcore internals */
35 #include <linux/usb/quirks.h>
36 #include <linux/cdev.h>
37 #include <linux/notifier.h>
38 #include <linux/security.h>
39 #include <linux/user_namespace.h>
40 #include <linux/scatterlist.h>
41 #include <linux/uaccess.h>
42 #include <linux/dma-mapping.h>
43 #include <asm/byteorder.h>
44 #include <linux/moduleparam.h>
45 
46 #include "usb.h"
47 
48 #ifdef CONFIG_PM
49 #define MAYBE_CAP_SUSPEND	USBDEVFS_CAP_SUSPEND
50 #else
51 #define MAYBE_CAP_SUSPEND	0
52 #endif
53 
54 #define USB_MAXBUS			64
55 #define USB_DEVICE_MAX			(USB_MAXBUS * 128)
56 #define USB_SG_SIZE			16384 /* split-size for large txs */
57 
58 /* Mutual exclusion for ps->list in resume vs. release and remove */
59 static DEFINE_MUTEX(usbfs_mutex);
60 
61 struct usb_dev_state {
62 	struct list_head list;      /* state list */
63 	struct usb_device *dev;
64 	struct file *file;
65 	spinlock_t lock;            /* protects the async urb lists */
66 	struct list_head async_pending;
67 	struct list_head async_completed;
68 	struct list_head memory_list;
69 	wait_queue_head_t wait;     /* wake up if a request completed */
70 	wait_queue_head_t wait_for_resume;   /* wake up upon runtime resume */
71 	unsigned int discsignr;
72 	struct pid *disc_pid;
73 	const struct cred *cred;
74 	sigval_t disccontext;
75 	unsigned long ifclaimed;
76 	u32 disabled_bulk_eps;
77 	unsigned long interface_allowed_mask;
78 	int not_yet_resumed;
79 	bool suspend_allowed;
80 	bool privileges_dropped;
81 };
82 
83 struct usb_memory {
84 	struct list_head memlist;
85 	int vma_use_count;
86 	int urb_use_count;
87 	u32 size;
88 	void *mem;
89 	dma_addr_t dma_handle;
90 	unsigned long vm_start;
91 	struct usb_dev_state *ps;
92 };
93 
94 struct async {
95 	struct list_head asynclist;
96 	struct usb_dev_state *ps;
97 	struct pid *pid;
98 	const struct cred *cred;
99 	unsigned int signr;
100 	unsigned int ifnum;
101 	void __user *userbuffer;
102 	void __user *userurb;
103 	sigval_t userurb_sigval;
104 	struct urb *urb;
105 	struct usb_memory *usbm;
106 	unsigned int mem_usage;
107 	int status;
108 	u8 bulk_addr;
109 	u8 bulk_status;
110 };
111 
112 static bool usbfs_snoop;
113 module_param(usbfs_snoop, bool, S_IRUGO | S_IWUSR);
114 MODULE_PARM_DESC(usbfs_snoop, "true to log all usbfs traffic");
115 
116 static unsigned usbfs_snoop_max = 65536;
117 module_param(usbfs_snoop_max, uint, S_IRUGO | S_IWUSR);
118 MODULE_PARM_DESC(usbfs_snoop_max,
119 		"maximum number of bytes to print while snooping");
120 
121 #define snoop(dev, format, arg...)				\
122 	do {							\
123 		if (usbfs_snoop)				\
124 			dev_info(dev, format, ## arg);		\
125 	} while (0)
126 
127 enum snoop_when {
128 	SUBMIT, COMPLETE
129 };
130 
131 #define USB_DEVICE_DEV		MKDEV(USB_DEVICE_MAJOR, 0)
132 
133 /* Limit on the total amount of memory we can allocate for transfers */
134 static u32 usbfs_memory_mb = 16;
135 module_param(usbfs_memory_mb, uint, 0644);
136 MODULE_PARM_DESC(usbfs_memory_mb,
137 		"maximum MB allowed for usbfs buffers (0 = no limit)");
138 
139 /* Hard limit, necessary to avoid arithmetic overflow */
140 #define USBFS_XFER_MAX         (UINT_MAX / 2 - 1000000)
141 
142 static DEFINE_SPINLOCK(usbfs_memory_usage_lock);
143 static u64 usbfs_memory_usage;	/* Total memory currently allocated */
144 
145 /* Check whether it's okay to allocate more memory for a transfer */
usbfs_increase_memory_usage(u64 amount)146 static int usbfs_increase_memory_usage(u64 amount)
147 {
148 	u64 lim, total_mem;
149 	unsigned long flags;
150 	int ret;
151 
152 	lim = READ_ONCE(usbfs_memory_mb);
153 	lim <<= 20;
154 
155 	ret = 0;
156 	spin_lock_irqsave(&usbfs_memory_usage_lock, flags);
157 	total_mem = usbfs_memory_usage + amount;
158 	if (lim > 0 && total_mem > lim)
159 		ret = -ENOMEM;
160 	else
161 		usbfs_memory_usage = total_mem;
162 	spin_unlock_irqrestore(&usbfs_memory_usage_lock, flags);
163 
164 	return ret;
165 }
166 
167 /* Memory for a transfer is being deallocated */
usbfs_decrease_memory_usage(u64 amount)168 static void usbfs_decrease_memory_usage(u64 amount)
169 {
170 	unsigned long flags;
171 
172 	spin_lock_irqsave(&usbfs_memory_usage_lock, flags);
173 	if (amount > usbfs_memory_usage)
174 		usbfs_memory_usage = 0;
175 	else
176 		usbfs_memory_usage -= amount;
177 	spin_unlock_irqrestore(&usbfs_memory_usage_lock, flags);
178 }
179 
connected(struct usb_dev_state * ps)180 static int connected(struct usb_dev_state *ps)
181 {
182 	return (!list_empty(&ps->list) &&
183 			ps->dev->state != USB_STATE_NOTATTACHED);
184 }
185 
dec_usb_memory_use_count(struct usb_memory * usbm,int * count)186 static void dec_usb_memory_use_count(struct usb_memory *usbm, int *count)
187 {
188 	struct usb_dev_state *ps = usbm->ps;
189 	unsigned long flags;
190 
191 	spin_lock_irqsave(&ps->lock, flags);
192 	--*count;
193 	if (usbm->urb_use_count == 0 && usbm->vma_use_count == 0) {
194 		list_del(&usbm->memlist);
195 		spin_unlock_irqrestore(&ps->lock, flags);
196 
197 		usb_free_coherent(ps->dev, usbm->size, usbm->mem,
198 				usbm->dma_handle);
199 		usbfs_decrease_memory_usage(
200 			usbm->size + sizeof(struct usb_memory));
201 		kfree(usbm);
202 	} else {
203 		spin_unlock_irqrestore(&ps->lock, flags);
204 	}
205 }
206 
usbdev_vm_open(struct vm_area_struct * vma)207 static void usbdev_vm_open(struct vm_area_struct *vma)
208 {
209 	struct usb_memory *usbm = vma->vm_private_data;
210 	unsigned long flags;
211 
212 	spin_lock_irqsave(&usbm->ps->lock, flags);
213 	++usbm->vma_use_count;
214 	spin_unlock_irqrestore(&usbm->ps->lock, flags);
215 }
216 
usbdev_vm_close(struct vm_area_struct * vma)217 static void usbdev_vm_close(struct vm_area_struct *vma)
218 {
219 	struct usb_memory *usbm = vma->vm_private_data;
220 
221 	dec_usb_memory_use_count(usbm, &usbm->vma_use_count);
222 }
223 
224 static const struct vm_operations_struct usbdev_vm_ops = {
225 	.open = usbdev_vm_open,
226 	.close = usbdev_vm_close
227 };
228 
usbdev_mmap(struct file * file,struct vm_area_struct * vma)229 static int usbdev_mmap(struct file *file, struct vm_area_struct *vma)
230 {
231 	struct usb_memory *usbm = NULL;
232 	struct usb_dev_state *ps = file->private_data;
233 	struct usb_hcd *hcd = bus_to_hcd(ps->dev->bus);
234 	size_t size = vma->vm_end - vma->vm_start;
235 	void *mem;
236 	unsigned long flags;
237 	dma_addr_t dma_handle;
238 	int ret;
239 
240 	ret = usbfs_increase_memory_usage(size + sizeof(struct usb_memory));
241 	if (ret)
242 		goto error;
243 
244 	usbm = kzalloc(sizeof(struct usb_memory), GFP_KERNEL);
245 	if (!usbm) {
246 		ret = -ENOMEM;
247 		goto error_decrease_mem;
248 	}
249 
250 	mem = usb_alloc_coherent(ps->dev, size, GFP_USER | __GFP_NOWARN,
251 			&dma_handle);
252 	if (!mem) {
253 		ret = -ENOMEM;
254 		goto error_free_usbm;
255 	}
256 
257 	memset(mem, 0, size);
258 
259 	usbm->mem = mem;
260 	usbm->dma_handle = dma_handle;
261 	usbm->size = size;
262 	usbm->ps = ps;
263 	usbm->vm_start = vma->vm_start;
264 	usbm->vma_use_count = 1;
265 	INIT_LIST_HEAD(&usbm->memlist);
266 
267 	if (hcd->localmem_pool || !hcd_uses_dma(hcd)) {
268 		if (remap_pfn_range(vma, vma->vm_start,
269 				    virt_to_phys(usbm->mem) >> PAGE_SHIFT,
270 				    size, vma->vm_page_prot) < 0) {
271 			dec_usb_memory_use_count(usbm, &usbm->vma_use_count);
272 			return -EAGAIN;
273 		}
274 	} else {
275 		if (dma_mmap_coherent(hcd->self.sysdev, vma, mem, dma_handle,
276 				      size)) {
277 			dec_usb_memory_use_count(usbm, &usbm->vma_use_count);
278 			return -EAGAIN;
279 		}
280 	}
281 
282 	vma->vm_flags |= VM_IO;
283 	vma->vm_flags |= (VM_DONTEXPAND | VM_DONTDUMP);
284 	vma->vm_ops = &usbdev_vm_ops;
285 	vma->vm_private_data = usbm;
286 
287 	spin_lock_irqsave(&ps->lock, flags);
288 	list_add_tail(&usbm->memlist, &ps->memory_list);
289 	spin_unlock_irqrestore(&ps->lock, flags);
290 
291 	return 0;
292 
293 error_free_usbm:
294 	kfree(usbm);
295 error_decrease_mem:
296 	usbfs_decrease_memory_usage(size + sizeof(struct usb_memory));
297 error:
298 	return ret;
299 }
300 
usbdev_read(struct file * file,char __user * buf,size_t nbytes,loff_t * ppos)301 static ssize_t usbdev_read(struct file *file, char __user *buf, size_t nbytes,
302 			   loff_t *ppos)
303 {
304 	struct usb_dev_state *ps = file->private_data;
305 	struct usb_device *dev = ps->dev;
306 	ssize_t ret = 0;
307 	unsigned len;
308 	loff_t pos;
309 	int i;
310 
311 	pos = *ppos;
312 	usb_lock_device(dev);
313 	if (!connected(ps)) {
314 		ret = -ENODEV;
315 		goto err;
316 	} else if (pos < 0) {
317 		ret = -EINVAL;
318 		goto err;
319 	}
320 
321 	if (pos < sizeof(struct usb_device_descriptor)) {
322 		/* 18 bytes - fits on the stack */
323 		struct usb_device_descriptor temp_desc;
324 
325 		memcpy(&temp_desc, &dev->descriptor, sizeof(dev->descriptor));
326 		le16_to_cpus(&temp_desc.bcdUSB);
327 		le16_to_cpus(&temp_desc.idVendor);
328 		le16_to_cpus(&temp_desc.idProduct);
329 		le16_to_cpus(&temp_desc.bcdDevice);
330 
331 		len = sizeof(struct usb_device_descriptor) - pos;
332 		if (len > nbytes)
333 			len = nbytes;
334 		if (copy_to_user(buf, ((char *)&temp_desc) + pos, len)) {
335 			ret = -EFAULT;
336 			goto err;
337 		}
338 
339 		*ppos += len;
340 		buf += len;
341 		nbytes -= len;
342 		ret += len;
343 	}
344 
345 	pos = sizeof(struct usb_device_descriptor);
346 	for (i = 0; nbytes && i < dev->descriptor.bNumConfigurations; i++) {
347 		struct usb_config_descriptor *config =
348 			(struct usb_config_descriptor *)dev->rawdescriptors[i];
349 		unsigned int length = le16_to_cpu(config->wTotalLength);
350 
351 		if (*ppos < pos + length) {
352 
353 			/* The descriptor may claim to be longer than it
354 			 * really is.  Here is the actual allocated length. */
355 			unsigned alloclen =
356 				le16_to_cpu(dev->config[i].desc.wTotalLength);
357 
358 			len = length - (*ppos - pos);
359 			if (len > nbytes)
360 				len = nbytes;
361 
362 			/* Simply don't write (skip over) unallocated parts */
363 			if (alloclen > (*ppos - pos)) {
364 				alloclen -= (*ppos - pos);
365 				if (copy_to_user(buf,
366 				    dev->rawdescriptors[i] + (*ppos - pos),
367 				    min(len, alloclen))) {
368 					ret = -EFAULT;
369 					goto err;
370 				}
371 			}
372 
373 			*ppos += len;
374 			buf += len;
375 			nbytes -= len;
376 			ret += len;
377 		}
378 
379 		pos += length;
380 	}
381 
382 err:
383 	usb_unlock_device(dev);
384 	return ret;
385 }
386 
387 /*
388  * async list handling
389  */
390 
alloc_async(unsigned int numisoframes)391 static struct async *alloc_async(unsigned int numisoframes)
392 {
393 	struct async *as;
394 
395 	as = kzalloc(sizeof(struct async), GFP_KERNEL);
396 	if (!as)
397 		return NULL;
398 	as->urb = usb_alloc_urb(numisoframes, GFP_KERNEL);
399 	if (!as->urb) {
400 		kfree(as);
401 		return NULL;
402 	}
403 	return as;
404 }
405 
free_async(struct async * as)406 static void free_async(struct async *as)
407 {
408 	int i;
409 
410 	put_pid(as->pid);
411 	if (as->cred)
412 		put_cred(as->cred);
413 	for (i = 0; i < as->urb->num_sgs; i++) {
414 		if (sg_page(&as->urb->sg[i]))
415 			kfree(sg_virt(&as->urb->sg[i]));
416 	}
417 
418 	kfree(as->urb->sg);
419 	if (as->usbm == NULL)
420 		kfree(as->urb->transfer_buffer);
421 	else
422 		dec_usb_memory_use_count(as->usbm, &as->usbm->urb_use_count);
423 
424 	kfree(as->urb->setup_packet);
425 	usb_free_urb(as->urb);
426 	usbfs_decrease_memory_usage(as->mem_usage);
427 	kfree(as);
428 }
429 
async_newpending(struct async * as)430 static void async_newpending(struct async *as)
431 {
432 	struct usb_dev_state *ps = as->ps;
433 	unsigned long flags;
434 
435 	spin_lock_irqsave(&ps->lock, flags);
436 	list_add_tail(&as->asynclist, &ps->async_pending);
437 	spin_unlock_irqrestore(&ps->lock, flags);
438 }
439 
async_removepending(struct async * as)440 static void async_removepending(struct async *as)
441 {
442 	struct usb_dev_state *ps = as->ps;
443 	unsigned long flags;
444 
445 	spin_lock_irqsave(&ps->lock, flags);
446 	list_del_init(&as->asynclist);
447 	spin_unlock_irqrestore(&ps->lock, flags);
448 }
449 
async_getcompleted(struct usb_dev_state * ps)450 static struct async *async_getcompleted(struct usb_dev_state *ps)
451 {
452 	unsigned long flags;
453 	struct async *as = NULL;
454 
455 	spin_lock_irqsave(&ps->lock, flags);
456 	if (!list_empty(&ps->async_completed)) {
457 		as = list_entry(ps->async_completed.next, struct async,
458 				asynclist);
459 		list_del_init(&as->asynclist);
460 	}
461 	spin_unlock_irqrestore(&ps->lock, flags);
462 	return as;
463 }
464 
async_getpending(struct usb_dev_state * ps,void __user * userurb)465 static struct async *async_getpending(struct usb_dev_state *ps,
466 					     void __user *userurb)
467 {
468 	struct async *as;
469 
470 	list_for_each_entry(as, &ps->async_pending, asynclist)
471 		if (as->userurb == userurb) {
472 			list_del_init(&as->asynclist);
473 			return as;
474 		}
475 
476 	return NULL;
477 }
478 
snoop_urb(struct usb_device * udev,void __user * userurb,int pipe,unsigned length,int timeout_or_status,enum snoop_when when,unsigned char * data,unsigned data_len)479 static void snoop_urb(struct usb_device *udev,
480 		void __user *userurb, int pipe, unsigned length,
481 		int timeout_or_status, enum snoop_when when,
482 		unsigned char *data, unsigned data_len)
483 {
484 	static const char *types[] = {"isoc", "int", "ctrl", "bulk"};
485 	static const char *dirs[] = {"out", "in"};
486 	int ep;
487 	const char *t, *d;
488 
489 	if (!usbfs_snoop)
490 		return;
491 
492 	ep = usb_pipeendpoint(pipe);
493 	t = types[usb_pipetype(pipe)];
494 	d = dirs[!!usb_pipein(pipe)];
495 
496 	if (userurb) {		/* Async */
497 		if (when == SUBMIT)
498 			dev_info(&udev->dev, "userurb %px, ep%d %s-%s, "
499 					"length %u\n",
500 					userurb, ep, t, d, length);
501 		else
502 			dev_info(&udev->dev, "userurb %px, ep%d %s-%s, "
503 					"actual_length %u status %d\n",
504 					userurb, ep, t, d, length,
505 					timeout_or_status);
506 	} else {
507 		if (when == SUBMIT)
508 			dev_info(&udev->dev, "ep%d %s-%s, length %u, "
509 					"timeout %d\n",
510 					ep, t, d, length, timeout_or_status);
511 		else
512 			dev_info(&udev->dev, "ep%d %s-%s, actual_length %u, "
513 					"status %d\n",
514 					ep, t, d, length, timeout_or_status);
515 	}
516 
517 	data_len = min(data_len, usbfs_snoop_max);
518 	if (data && data_len > 0) {
519 		print_hex_dump(KERN_DEBUG, "data: ", DUMP_PREFIX_NONE, 32, 1,
520 			data, data_len, 1);
521 	}
522 }
523 
snoop_urb_data(struct urb * urb,unsigned len)524 static void snoop_urb_data(struct urb *urb, unsigned len)
525 {
526 	int i, size;
527 
528 	len = min(len, usbfs_snoop_max);
529 	if (!usbfs_snoop || len == 0)
530 		return;
531 
532 	if (urb->num_sgs == 0) {
533 		print_hex_dump(KERN_DEBUG, "data: ", DUMP_PREFIX_NONE, 32, 1,
534 			urb->transfer_buffer, len, 1);
535 		return;
536 	}
537 
538 	for (i = 0; i < urb->num_sgs && len; i++) {
539 		size = (len > USB_SG_SIZE) ? USB_SG_SIZE : len;
540 		print_hex_dump(KERN_DEBUG, "data: ", DUMP_PREFIX_NONE, 32, 1,
541 			sg_virt(&urb->sg[i]), size, 1);
542 		len -= size;
543 	}
544 }
545 
copy_urb_data_to_user(u8 __user * userbuffer,struct urb * urb)546 static int copy_urb_data_to_user(u8 __user *userbuffer, struct urb *urb)
547 {
548 	unsigned i, len, size;
549 
550 	if (urb->number_of_packets > 0)		/* Isochronous */
551 		len = urb->transfer_buffer_length;
552 	else					/* Non-Isoc */
553 		len = urb->actual_length;
554 
555 	if (urb->num_sgs == 0) {
556 		if (copy_to_user(userbuffer, urb->transfer_buffer, len))
557 			return -EFAULT;
558 		return 0;
559 	}
560 
561 	for (i = 0; i < urb->num_sgs && len; i++) {
562 		size = (len > USB_SG_SIZE) ? USB_SG_SIZE : len;
563 		if (copy_to_user(userbuffer, sg_virt(&urb->sg[i]), size))
564 			return -EFAULT;
565 		userbuffer += size;
566 		len -= size;
567 	}
568 
569 	return 0;
570 }
571 
572 #define AS_CONTINUATION	1
573 #define AS_UNLINK	2
574 
cancel_bulk_urbs(struct usb_dev_state * ps,unsigned bulk_addr)575 static void cancel_bulk_urbs(struct usb_dev_state *ps, unsigned bulk_addr)
576 __releases(ps->lock)
577 __acquires(ps->lock)
578 {
579 	struct urb *urb;
580 	struct async *as;
581 
582 	/* Mark all the pending URBs that match bulk_addr, up to but not
583 	 * including the first one without AS_CONTINUATION.  If such an
584 	 * URB is encountered then a new transfer has already started so
585 	 * the endpoint doesn't need to be disabled; otherwise it does.
586 	 */
587 	list_for_each_entry(as, &ps->async_pending, asynclist) {
588 		if (as->bulk_addr == bulk_addr) {
589 			if (as->bulk_status != AS_CONTINUATION)
590 				goto rescan;
591 			as->bulk_status = AS_UNLINK;
592 			as->bulk_addr = 0;
593 		}
594 	}
595 	ps->disabled_bulk_eps |= (1 << bulk_addr);
596 
597 	/* Now carefully unlink all the marked pending URBs */
598  rescan:
599 	list_for_each_entry_reverse(as, &ps->async_pending, asynclist) {
600 		if (as->bulk_status == AS_UNLINK) {
601 			as->bulk_status = 0;		/* Only once */
602 			urb = as->urb;
603 			usb_get_urb(urb);
604 			spin_unlock(&ps->lock);		/* Allow completions */
605 			usb_unlink_urb(urb);
606 			usb_put_urb(urb);
607 			spin_lock(&ps->lock);
608 			goto rescan;
609 		}
610 	}
611 }
612 
async_completed(struct urb * urb)613 static void async_completed(struct urb *urb)
614 {
615 	struct async *as = urb->context;
616 	struct usb_dev_state *ps = as->ps;
617 	struct pid *pid = NULL;
618 	const struct cred *cred = NULL;
619 	unsigned long flags;
620 	sigval_t addr;
621 	int signr, errno;
622 
623 	spin_lock_irqsave(&ps->lock, flags);
624 	list_move_tail(&as->asynclist, &ps->async_completed);
625 	as->status = urb->status;
626 	signr = as->signr;
627 	if (signr) {
628 		errno = as->status;
629 		addr = as->userurb_sigval;
630 		pid = get_pid(as->pid);
631 		cred = get_cred(as->cred);
632 	}
633 	snoop(&urb->dev->dev, "urb complete\n");
634 	snoop_urb(urb->dev, as->userurb, urb->pipe, urb->actual_length,
635 			as->status, COMPLETE, NULL, 0);
636 	if (usb_urb_dir_in(urb))
637 		snoop_urb_data(urb, urb->actual_length);
638 
639 	if (as->status < 0 && as->bulk_addr && as->status != -ECONNRESET &&
640 			as->status != -ENOENT)
641 		cancel_bulk_urbs(ps, as->bulk_addr);
642 
643 	wake_up(&ps->wait);
644 	spin_unlock_irqrestore(&ps->lock, flags);
645 
646 	if (signr) {
647 		kill_pid_usb_asyncio(signr, errno, addr, pid, cred);
648 		put_pid(pid);
649 		put_cred(cred);
650 	}
651 }
652 
destroy_async(struct usb_dev_state * ps,struct list_head * list)653 static void destroy_async(struct usb_dev_state *ps, struct list_head *list)
654 {
655 	struct urb *urb;
656 	struct async *as;
657 	unsigned long flags;
658 
659 	spin_lock_irqsave(&ps->lock, flags);
660 	while (!list_empty(list)) {
661 		as = list_last_entry(list, struct async, asynclist);
662 		list_del_init(&as->asynclist);
663 		urb = as->urb;
664 		usb_get_urb(urb);
665 
666 		/* drop the spinlock so the completion handler can run */
667 		spin_unlock_irqrestore(&ps->lock, flags);
668 		usb_kill_urb(urb);
669 		usb_put_urb(urb);
670 		spin_lock_irqsave(&ps->lock, flags);
671 	}
672 	spin_unlock_irqrestore(&ps->lock, flags);
673 }
674 
destroy_async_on_interface(struct usb_dev_state * ps,unsigned int ifnum)675 static void destroy_async_on_interface(struct usb_dev_state *ps,
676 				       unsigned int ifnum)
677 {
678 	struct list_head *p, *q, hitlist;
679 	unsigned long flags;
680 
681 	INIT_LIST_HEAD(&hitlist);
682 	spin_lock_irqsave(&ps->lock, flags);
683 	list_for_each_safe(p, q, &ps->async_pending)
684 		if (ifnum == list_entry(p, struct async, asynclist)->ifnum)
685 			list_move_tail(p, &hitlist);
686 	spin_unlock_irqrestore(&ps->lock, flags);
687 	destroy_async(ps, &hitlist);
688 }
689 
destroy_all_async(struct usb_dev_state * ps)690 static void destroy_all_async(struct usb_dev_state *ps)
691 {
692 	destroy_async(ps, &ps->async_pending);
693 }
694 
695 /*
696  * interface claims are made only at the request of user level code,
697  * which can also release them (explicitly or by closing files).
698  * they're also undone when devices disconnect.
699  */
700 
driver_probe(struct usb_interface * intf,const struct usb_device_id * id)701 static int driver_probe(struct usb_interface *intf,
702 			const struct usb_device_id *id)
703 {
704 	return -ENODEV;
705 }
706 
driver_disconnect(struct usb_interface * intf)707 static void driver_disconnect(struct usb_interface *intf)
708 {
709 	struct usb_dev_state *ps = usb_get_intfdata(intf);
710 	unsigned int ifnum = intf->altsetting->desc.bInterfaceNumber;
711 
712 	if (!ps)
713 		return;
714 
715 	/* NOTE:  this relies on usbcore having canceled and completed
716 	 * all pending I/O requests; 2.6 does that.
717 	 */
718 
719 	if (likely(ifnum < 8*sizeof(ps->ifclaimed)))
720 		clear_bit(ifnum, &ps->ifclaimed);
721 	else
722 		dev_warn(&intf->dev, "interface number %u out of range\n",
723 			 ifnum);
724 
725 	usb_set_intfdata(intf, NULL);
726 
727 	/* force async requests to complete */
728 	destroy_async_on_interface(ps, ifnum);
729 }
730 
731 /* We don't care about suspend/resume of claimed interfaces */
driver_suspend(struct usb_interface * intf,pm_message_t msg)732 static int driver_suspend(struct usb_interface *intf, pm_message_t msg)
733 {
734 	return 0;
735 }
736 
driver_resume(struct usb_interface * intf)737 static int driver_resume(struct usb_interface *intf)
738 {
739 	return 0;
740 }
741 
742 /* The following routines apply to the entire device, not interfaces */
usbfs_notify_suspend(struct usb_device * udev)743 void usbfs_notify_suspend(struct usb_device *udev)
744 {
745 	/* We don't need to handle this */
746 }
747 
usbfs_notify_resume(struct usb_device * udev)748 void usbfs_notify_resume(struct usb_device *udev)
749 {
750 	struct usb_dev_state *ps;
751 
752 	/* Protect against simultaneous remove or release */
753 	mutex_lock(&usbfs_mutex);
754 	list_for_each_entry(ps, &udev->filelist, list) {
755 		WRITE_ONCE(ps->not_yet_resumed, 0);
756 		wake_up_all(&ps->wait_for_resume);
757 	}
758 	mutex_unlock(&usbfs_mutex);
759 }
760 
761 struct usb_driver usbfs_driver = {
762 	.name =		"usbfs",
763 	.probe =	driver_probe,
764 	.disconnect =	driver_disconnect,
765 	.suspend =	driver_suspend,
766 	.resume =	driver_resume,
767 	.supports_autosuspend = 1,
768 };
769 
claimintf(struct usb_dev_state * ps,unsigned int ifnum)770 static int claimintf(struct usb_dev_state *ps, unsigned int ifnum)
771 {
772 	struct usb_device *dev = ps->dev;
773 	struct usb_interface *intf;
774 	int err;
775 
776 	if (ifnum >= 8*sizeof(ps->ifclaimed))
777 		return -EINVAL;
778 	/* already claimed */
779 	if (test_bit(ifnum, &ps->ifclaimed))
780 		return 0;
781 
782 	if (ps->privileges_dropped &&
783 			!test_bit(ifnum, &ps->interface_allowed_mask))
784 		return -EACCES;
785 
786 	intf = usb_ifnum_to_if(dev, ifnum);
787 	if (!intf)
788 		err = -ENOENT;
789 	else {
790 		unsigned int old_suppress;
791 
792 		/* suppress uevents while claiming interface */
793 		old_suppress = dev_get_uevent_suppress(&intf->dev);
794 		dev_set_uevent_suppress(&intf->dev, 1);
795 		err = usb_driver_claim_interface(&usbfs_driver, intf, ps);
796 		dev_set_uevent_suppress(&intf->dev, old_suppress);
797 	}
798 	if (err == 0)
799 		set_bit(ifnum, &ps->ifclaimed);
800 	return err;
801 }
802 
releaseintf(struct usb_dev_state * ps,unsigned int ifnum)803 static int releaseintf(struct usb_dev_state *ps, unsigned int ifnum)
804 {
805 	struct usb_device *dev;
806 	struct usb_interface *intf;
807 	int err;
808 
809 	err = -EINVAL;
810 	if (ifnum >= 8*sizeof(ps->ifclaimed))
811 		return err;
812 	dev = ps->dev;
813 	intf = usb_ifnum_to_if(dev, ifnum);
814 	if (!intf)
815 		err = -ENOENT;
816 	else if (test_and_clear_bit(ifnum, &ps->ifclaimed)) {
817 		unsigned int old_suppress;
818 
819 		/* suppress uevents while releasing interface */
820 		old_suppress = dev_get_uevent_suppress(&intf->dev);
821 		dev_set_uevent_suppress(&intf->dev, 1);
822 		usb_driver_release_interface(&usbfs_driver, intf);
823 		dev_set_uevent_suppress(&intf->dev, old_suppress);
824 		err = 0;
825 	}
826 	return err;
827 }
828 
checkintf(struct usb_dev_state * ps,unsigned int ifnum)829 static int checkintf(struct usb_dev_state *ps, unsigned int ifnum)
830 {
831 	if (ps->dev->state != USB_STATE_CONFIGURED)
832 		return -EHOSTUNREACH;
833 	if (ifnum >= 8*sizeof(ps->ifclaimed))
834 		return -EINVAL;
835 	if (test_bit(ifnum, &ps->ifclaimed))
836 		return 0;
837 	/* if not yet claimed, claim it for the driver */
838 	dev_warn(&ps->dev->dev, "usbfs: process %d (%s) did not claim "
839 		 "interface %u before use\n", task_pid_nr(current),
840 		 current->comm, ifnum);
841 	return claimintf(ps, ifnum);
842 }
843 
findintfep(struct usb_device * dev,unsigned int ep)844 static int findintfep(struct usb_device *dev, unsigned int ep)
845 {
846 	unsigned int i, j, e;
847 	struct usb_interface *intf;
848 	struct usb_host_interface *alts;
849 	struct usb_endpoint_descriptor *endpt;
850 
851 	if (ep & ~(USB_DIR_IN|0xf))
852 		return -EINVAL;
853 	if (!dev->actconfig)
854 		return -ESRCH;
855 	for (i = 0; i < dev->actconfig->desc.bNumInterfaces; i++) {
856 		intf = dev->actconfig->interface[i];
857 		for (j = 0; j < intf->num_altsetting; j++) {
858 			alts = &intf->altsetting[j];
859 			for (e = 0; e < alts->desc.bNumEndpoints; e++) {
860 				endpt = &alts->endpoint[e].desc;
861 				if (endpt->bEndpointAddress == ep)
862 					return alts->desc.bInterfaceNumber;
863 			}
864 		}
865 	}
866 	return -ENOENT;
867 }
868 
check_ctrlrecip(struct usb_dev_state * ps,unsigned int requesttype,unsigned int request,unsigned int index)869 static int check_ctrlrecip(struct usb_dev_state *ps, unsigned int requesttype,
870 			   unsigned int request, unsigned int index)
871 {
872 	int ret = 0;
873 	struct usb_host_interface *alt_setting;
874 
875 	if (ps->dev->state != USB_STATE_UNAUTHENTICATED
876 	 && ps->dev->state != USB_STATE_ADDRESS
877 	 && ps->dev->state != USB_STATE_CONFIGURED)
878 		return -EHOSTUNREACH;
879 	if (USB_TYPE_VENDOR == (USB_TYPE_MASK & requesttype))
880 		return 0;
881 
882 	/*
883 	 * check for the special corner case 'get_device_id' in the printer
884 	 * class specification, which we always want to allow as it is used
885 	 * to query things like ink level, etc.
886 	 */
887 	if (requesttype == 0xa1 && request == 0) {
888 		alt_setting = usb_find_alt_setting(ps->dev->actconfig,
889 						   index >> 8, index & 0xff);
890 		if (alt_setting
891 		 && alt_setting->desc.bInterfaceClass == USB_CLASS_PRINTER)
892 			return 0;
893 	}
894 
895 	index &= 0xff;
896 	switch (requesttype & USB_RECIP_MASK) {
897 	case USB_RECIP_ENDPOINT:
898 		if ((index & ~USB_DIR_IN) == 0)
899 			return 0;
900 		ret = findintfep(ps->dev, index);
901 		if (ret < 0) {
902 			/*
903 			 * Some not fully compliant Win apps seem to get
904 			 * index wrong and have the endpoint number here
905 			 * rather than the endpoint address (with the
906 			 * correct direction). Win does let this through,
907 			 * so we'll not reject it here but leave it to
908 			 * the device to not break KVM. But we warn.
909 			 */
910 			ret = findintfep(ps->dev, index ^ 0x80);
911 			if (ret >= 0)
912 				dev_info(&ps->dev->dev,
913 					"%s: process %i (%s) requesting ep %02x but needs %02x\n",
914 					__func__, task_pid_nr(current),
915 					current->comm, index, index ^ 0x80);
916 		}
917 		if (ret >= 0)
918 			ret = checkintf(ps, ret);
919 		break;
920 
921 	case USB_RECIP_INTERFACE:
922 		ret = checkintf(ps, index);
923 		break;
924 	}
925 	return ret;
926 }
927 
ep_to_host_endpoint(struct usb_device * dev,unsigned char ep)928 static struct usb_host_endpoint *ep_to_host_endpoint(struct usb_device *dev,
929 						     unsigned char ep)
930 {
931 	if (ep & USB_ENDPOINT_DIR_MASK)
932 		return dev->ep_in[ep & USB_ENDPOINT_NUMBER_MASK];
933 	else
934 		return dev->ep_out[ep & USB_ENDPOINT_NUMBER_MASK];
935 }
936 
parse_usbdevfs_streams(struct usb_dev_state * ps,struct usbdevfs_streams __user * streams,unsigned int * num_streams_ret,unsigned int * num_eps_ret,struct usb_host_endpoint *** eps_ret,struct usb_interface ** intf_ret)937 static int parse_usbdevfs_streams(struct usb_dev_state *ps,
938 				  struct usbdevfs_streams __user *streams,
939 				  unsigned int *num_streams_ret,
940 				  unsigned int *num_eps_ret,
941 				  struct usb_host_endpoint ***eps_ret,
942 				  struct usb_interface **intf_ret)
943 {
944 	unsigned int i, num_streams, num_eps;
945 	struct usb_host_endpoint **eps;
946 	struct usb_interface *intf = NULL;
947 	unsigned char ep;
948 	int ifnum, ret;
949 
950 	if (get_user(num_streams, &streams->num_streams) ||
951 	    get_user(num_eps, &streams->num_eps))
952 		return -EFAULT;
953 
954 	if (num_eps < 1 || num_eps > USB_MAXENDPOINTS)
955 		return -EINVAL;
956 
957 	/* The XHCI controller allows max 2 ^ 16 streams */
958 	if (num_streams_ret && (num_streams < 2 || num_streams > 65536))
959 		return -EINVAL;
960 
961 	eps = kmalloc_array(num_eps, sizeof(*eps), GFP_KERNEL);
962 	if (!eps)
963 		return -ENOMEM;
964 
965 	for (i = 0; i < num_eps; i++) {
966 		if (get_user(ep, &streams->eps[i])) {
967 			ret = -EFAULT;
968 			goto error;
969 		}
970 		eps[i] = ep_to_host_endpoint(ps->dev, ep);
971 		if (!eps[i]) {
972 			ret = -EINVAL;
973 			goto error;
974 		}
975 
976 		/* usb_alloc/free_streams operate on an usb_interface */
977 		ifnum = findintfep(ps->dev, ep);
978 		if (ifnum < 0) {
979 			ret = ifnum;
980 			goto error;
981 		}
982 
983 		if (i == 0) {
984 			ret = checkintf(ps, ifnum);
985 			if (ret < 0)
986 				goto error;
987 			intf = usb_ifnum_to_if(ps->dev, ifnum);
988 		} else {
989 			/* Verify all eps belong to the same interface */
990 			if (ifnum != intf->altsetting->desc.bInterfaceNumber) {
991 				ret = -EINVAL;
992 				goto error;
993 			}
994 		}
995 	}
996 
997 	if (num_streams_ret)
998 		*num_streams_ret = num_streams;
999 	*num_eps_ret = num_eps;
1000 	*eps_ret = eps;
1001 	*intf_ret = intf;
1002 
1003 	return 0;
1004 
1005 error:
1006 	kfree(eps);
1007 	return ret;
1008 }
1009 
usbdev_lookup_by_devt(dev_t devt)1010 static struct usb_device *usbdev_lookup_by_devt(dev_t devt)
1011 {
1012 	struct device *dev;
1013 
1014 	dev = bus_find_device_by_devt(&usb_bus_type, devt);
1015 	if (!dev)
1016 		return NULL;
1017 	return to_usb_device(dev);
1018 }
1019 
1020 /*
1021  * file operations
1022  */
usbdev_open(struct inode * inode,struct file * file)1023 static int usbdev_open(struct inode *inode, struct file *file)
1024 {
1025 	struct usb_device *dev = NULL;
1026 	struct usb_dev_state *ps;
1027 	int ret;
1028 
1029 	ret = -ENOMEM;
1030 	ps = kzalloc(sizeof(struct usb_dev_state), GFP_KERNEL);
1031 	if (!ps)
1032 		goto out_free_ps;
1033 
1034 	ret = -ENODEV;
1035 
1036 	/* usbdev device-node */
1037 	if (imajor(inode) == USB_DEVICE_MAJOR)
1038 		dev = usbdev_lookup_by_devt(inode->i_rdev);
1039 	if (!dev)
1040 		goto out_free_ps;
1041 
1042 	usb_lock_device(dev);
1043 	if (dev->state == USB_STATE_NOTATTACHED)
1044 		goto out_unlock_device;
1045 
1046 	ret = usb_autoresume_device(dev);
1047 	if (ret)
1048 		goto out_unlock_device;
1049 
1050 	ps->dev = dev;
1051 	ps->file = file;
1052 	ps->interface_allowed_mask = 0xFFFFFFFF; /* 32 bits */
1053 	spin_lock_init(&ps->lock);
1054 	INIT_LIST_HEAD(&ps->list);
1055 	INIT_LIST_HEAD(&ps->async_pending);
1056 	INIT_LIST_HEAD(&ps->async_completed);
1057 	INIT_LIST_HEAD(&ps->memory_list);
1058 	init_waitqueue_head(&ps->wait);
1059 	init_waitqueue_head(&ps->wait_for_resume);
1060 	ps->disc_pid = get_pid(task_pid(current));
1061 	ps->cred = get_current_cred();
1062 	smp_wmb();
1063 
1064 	/* Can't race with resume; the device is already active */
1065 	list_add_tail(&ps->list, &dev->filelist);
1066 	file->private_data = ps;
1067 	usb_unlock_device(dev);
1068 	snoop(&dev->dev, "opened by process %d: %s\n", task_pid_nr(current),
1069 			current->comm);
1070 	return ret;
1071 
1072  out_unlock_device:
1073 	usb_unlock_device(dev);
1074 	usb_put_dev(dev);
1075  out_free_ps:
1076 	kfree(ps);
1077 	return ret;
1078 }
1079 
usbdev_release(struct inode * inode,struct file * file)1080 static int usbdev_release(struct inode *inode, struct file *file)
1081 {
1082 	struct usb_dev_state *ps = file->private_data;
1083 	struct usb_device *dev = ps->dev;
1084 	unsigned int ifnum;
1085 	struct async *as;
1086 
1087 	usb_lock_device(dev);
1088 	usb_hub_release_all_ports(dev, ps);
1089 
1090 	/* Protect against simultaneous resume */
1091 	mutex_lock(&usbfs_mutex);
1092 	list_del_init(&ps->list);
1093 	mutex_unlock(&usbfs_mutex);
1094 
1095 	for (ifnum = 0; ps->ifclaimed && ifnum < 8*sizeof(ps->ifclaimed);
1096 			ifnum++) {
1097 		if (test_bit(ifnum, &ps->ifclaimed))
1098 			releaseintf(ps, ifnum);
1099 	}
1100 	destroy_all_async(ps);
1101 	if (!ps->suspend_allowed)
1102 		usb_autosuspend_device(dev);
1103 	usb_unlock_device(dev);
1104 	usb_put_dev(dev);
1105 	put_pid(ps->disc_pid);
1106 	put_cred(ps->cred);
1107 
1108 	as = async_getcompleted(ps);
1109 	while (as) {
1110 		free_async(as);
1111 		as = async_getcompleted(ps);
1112 	}
1113 
1114 	kfree(ps);
1115 	return 0;
1116 }
1117 
usbfs_blocking_completion(struct urb * urb)1118 static void usbfs_blocking_completion(struct urb *urb)
1119 {
1120 	complete((struct completion *) urb->context);
1121 }
1122 
1123 /*
1124  * Much like usb_start_wait_urb, but returns status separately from
1125  * actual_length and uses a killable wait.
1126  */
usbfs_start_wait_urb(struct urb * urb,int timeout,unsigned int * actlen)1127 static int usbfs_start_wait_urb(struct urb *urb, int timeout,
1128 		unsigned int *actlen)
1129 {
1130 	DECLARE_COMPLETION_ONSTACK(ctx);
1131 	unsigned long expire;
1132 	int rc;
1133 
1134 	urb->context = &ctx;
1135 	urb->complete = usbfs_blocking_completion;
1136 	*actlen = 0;
1137 	rc = usb_submit_urb(urb, GFP_KERNEL);
1138 	if (unlikely(rc))
1139 		return rc;
1140 
1141 	expire = (timeout ? msecs_to_jiffies(timeout) : MAX_SCHEDULE_TIMEOUT);
1142 	rc = wait_for_completion_killable_timeout(&ctx, expire);
1143 	if (rc <= 0) {
1144 		usb_kill_urb(urb);
1145 		*actlen = urb->actual_length;
1146 		if (urb->status != -ENOENT)
1147 			;	/* Completed before it was killed */
1148 		else if (rc < 0)
1149 			return -EINTR;
1150 		else
1151 			return -ETIMEDOUT;
1152 	}
1153 	*actlen = urb->actual_length;
1154 	return urb->status;
1155 }
1156 
do_proc_control(struct usb_dev_state * ps,struct usbdevfs_ctrltransfer * ctrl)1157 static int do_proc_control(struct usb_dev_state *ps,
1158 		struct usbdevfs_ctrltransfer *ctrl)
1159 {
1160 	struct usb_device *dev = ps->dev;
1161 	unsigned int tmo;
1162 	unsigned char *tbuf;
1163 	unsigned int wLength, actlen;
1164 	int i, pipe, ret;
1165 	struct urb *urb = NULL;
1166 	struct usb_ctrlrequest *dr = NULL;
1167 
1168 	ret = check_ctrlrecip(ps, ctrl->bRequestType, ctrl->bRequest,
1169 			      ctrl->wIndex);
1170 	if (ret)
1171 		return ret;
1172 	wLength = ctrl->wLength;	/* To suppress 64k PAGE_SIZE warning */
1173 	if (wLength > PAGE_SIZE)
1174 		return -EINVAL;
1175 	ret = usbfs_increase_memory_usage(PAGE_SIZE + sizeof(struct urb) +
1176 			sizeof(struct usb_ctrlrequest));
1177 	if (ret)
1178 		return ret;
1179 
1180 	ret = -ENOMEM;
1181 	tbuf = (unsigned char *)__get_free_page(GFP_KERNEL);
1182 	if (!tbuf)
1183 		goto done;
1184 	urb = usb_alloc_urb(0, GFP_NOIO);
1185 	if (!urb)
1186 		goto done;
1187 	dr = kmalloc(sizeof(struct usb_ctrlrequest), GFP_NOIO);
1188 	if (!dr)
1189 		goto done;
1190 
1191 	dr->bRequestType = ctrl->bRequestType;
1192 	dr->bRequest = ctrl->bRequest;
1193 	dr->wValue = cpu_to_le16(ctrl->wValue);
1194 	dr->wIndex = cpu_to_le16(ctrl->wIndex);
1195 	dr->wLength = cpu_to_le16(ctrl->wLength);
1196 
1197 	tmo = ctrl->timeout;
1198 	snoop(&dev->dev, "control urb: bRequestType=%02x "
1199 		"bRequest=%02x wValue=%04x "
1200 		"wIndex=%04x wLength=%04x\n",
1201 		ctrl->bRequestType, ctrl->bRequest, ctrl->wValue,
1202 		ctrl->wIndex, ctrl->wLength);
1203 
1204 	if ((ctrl->bRequestType & USB_DIR_IN) && wLength) {
1205 		pipe = usb_rcvctrlpipe(dev, 0);
1206 		usb_fill_control_urb(urb, dev, pipe, (unsigned char *) dr, tbuf,
1207 				wLength, NULL, NULL);
1208 		snoop_urb(dev, NULL, pipe, wLength, tmo, SUBMIT, NULL, 0);
1209 
1210 		usb_unlock_device(dev);
1211 		i = usbfs_start_wait_urb(urb, tmo, &actlen);
1212 
1213 		/* Linger a bit, prior to the next control message. */
1214 		if (dev->quirks & USB_QUIRK_DELAY_CTRL_MSG)
1215 			msleep(200);
1216 		usb_lock_device(dev);
1217 		snoop_urb(dev, NULL, pipe, actlen, i, COMPLETE, tbuf, actlen);
1218 		if (!i && actlen) {
1219 			if (copy_to_user(ctrl->data, tbuf, actlen)) {
1220 				ret = -EFAULT;
1221 				goto done;
1222 			}
1223 		}
1224 	} else {
1225 		if (wLength) {
1226 			if (copy_from_user(tbuf, ctrl->data, wLength)) {
1227 				ret = -EFAULT;
1228 				goto done;
1229 			}
1230 		}
1231 		pipe = usb_sndctrlpipe(dev, 0);
1232 		usb_fill_control_urb(urb, dev, pipe, (unsigned char *) dr, tbuf,
1233 				wLength, NULL, NULL);
1234 		snoop_urb(dev, NULL, pipe, wLength, tmo, SUBMIT, tbuf, wLength);
1235 
1236 		usb_unlock_device(dev);
1237 		i = usbfs_start_wait_urb(urb, tmo, &actlen);
1238 
1239 		/* Linger a bit, prior to the next control message. */
1240 		if (dev->quirks & USB_QUIRK_DELAY_CTRL_MSG)
1241 			msleep(200);
1242 		usb_lock_device(dev);
1243 		snoop_urb(dev, NULL, pipe, actlen, i, COMPLETE, NULL, 0);
1244 	}
1245 	if (i < 0 && i != -EPIPE) {
1246 		dev_printk(KERN_DEBUG, &dev->dev, "usbfs: USBDEVFS_CONTROL "
1247 			   "failed cmd %s rqt %u rq %u len %u ret %d\n",
1248 			   current->comm, ctrl->bRequestType, ctrl->bRequest,
1249 			   ctrl->wLength, i);
1250 	}
1251 	ret = (i < 0 ? i : actlen);
1252 
1253  done:
1254 	kfree(dr);
1255 	usb_free_urb(urb);
1256 	free_page((unsigned long) tbuf);
1257 	usbfs_decrease_memory_usage(PAGE_SIZE + sizeof(struct urb) +
1258 			sizeof(struct usb_ctrlrequest));
1259 	return ret;
1260 }
1261 
proc_control(struct usb_dev_state * ps,void __user * arg)1262 static int proc_control(struct usb_dev_state *ps, void __user *arg)
1263 {
1264 	struct usbdevfs_ctrltransfer ctrl;
1265 
1266 	if (copy_from_user(&ctrl, arg, sizeof(ctrl)))
1267 		return -EFAULT;
1268 	return do_proc_control(ps, &ctrl);
1269 }
1270 
do_proc_bulk(struct usb_dev_state * ps,struct usbdevfs_bulktransfer * bulk)1271 static int do_proc_bulk(struct usb_dev_state *ps,
1272 		struct usbdevfs_bulktransfer *bulk)
1273 {
1274 	struct usb_device *dev = ps->dev;
1275 	unsigned int tmo, len1, len2, pipe;
1276 	unsigned char *tbuf;
1277 	int i, ret;
1278 	struct urb *urb = NULL;
1279 	struct usb_host_endpoint *ep;
1280 
1281 	ret = findintfep(ps->dev, bulk->ep);
1282 	if (ret < 0)
1283 		return ret;
1284 	ret = checkintf(ps, ret);
1285 	if (ret)
1286 		return ret;
1287 
1288 	len1 = bulk->len;
1289 	if (len1 < 0 || len1 >= (INT_MAX - sizeof(struct urb)))
1290 		return -EINVAL;
1291 
1292 	if (bulk->ep & USB_DIR_IN)
1293 		pipe = usb_rcvbulkpipe(dev, bulk->ep & 0x7f);
1294 	else
1295 		pipe = usb_sndbulkpipe(dev, bulk->ep & 0x7f);
1296 	ep = usb_pipe_endpoint(dev, pipe);
1297 	if (!ep || !usb_endpoint_maxp(&ep->desc))
1298 		return -EINVAL;
1299 	ret = usbfs_increase_memory_usage(len1 + sizeof(struct urb));
1300 	if (ret)
1301 		return ret;
1302 
1303 	/*
1304 	 * len1 can be almost arbitrarily large.  Don't WARN if it's
1305 	 * too big, just fail the request.
1306 	 */
1307 	ret = -ENOMEM;
1308 	tbuf = kmalloc(len1, GFP_KERNEL | __GFP_NOWARN);
1309 	if (!tbuf)
1310 		goto done;
1311 	urb = usb_alloc_urb(0, GFP_KERNEL);
1312 	if (!urb)
1313 		goto done;
1314 
1315 	if ((ep->desc.bmAttributes & USB_ENDPOINT_XFERTYPE_MASK) ==
1316 			USB_ENDPOINT_XFER_INT) {
1317 		pipe = (pipe & ~(3 << 30)) | (PIPE_INTERRUPT << 30);
1318 		usb_fill_int_urb(urb, dev, pipe, tbuf, len1,
1319 				NULL, NULL, ep->desc.bInterval);
1320 	} else {
1321 		usb_fill_bulk_urb(urb, dev, pipe, tbuf, len1, NULL, NULL);
1322 	}
1323 
1324 	tmo = bulk->timeout;
1325 	if (bulk->ep & 0x80) {
1326 		snoop_urb(dev, NULL, pipe, len1, tmo, SUBMIT, NULL, 0);
1327 
1328 		usb_unlock_device(dev);
1329 		i = usbfs_start_wait_urb(urb, tmo, &len2);
1330 		usb_lock_device(dev);
1331 		snoop_urb(dev, NULL, pipe, len2, i, COMPLETE, tbuf, len2);
1332 
1333 		if (!i && len2) {
1334 			if (copy_to_user(bulk->data, tbuf, len2)) {
1335 				ret = -EFAULT;
1336 				goto done;
1337 			}
1338 		}
1339 	} else {
1340 		if (len1) {
1341 			if (copy_from_user(tbuf, bulk->data, len1)) {
1342 				ret = -EFAULT;
1343 				goto done;
1344 			}
1345 		}
1346 		snoop_urb(dev, NULL, pipe, len1, tmo, SUBMIT, tbuf, len1);
1347 
1348 		usb_unlock_device(dev);
1349 		i = usbfs_start_wait_urb(urb, tmo, &len2);
1350 		usb_lock_device(dev);
1351 		snoop_urb(dev, NULL, pipe, len2, i, COMPLETE, NULL, 0);
1352 	}
1353 	ret = (i < 0 ? i : len2);
1354  done:
1355 	usb_free_urb(urb);
1356 	kfree(tbuf);
1357 	usbfs_decrease_memory_usage(len1 + sizeof(struct urb));
1358 	return ret;
1359 }
1360 
proc_bulk(struct usb_dev_state * ps,void __user * arg)1361 static int proc_bulk(struct usb_dev_state *ps, void __user *arg)
1362 {
1363 	struct usbdevfs_bulktransfer bulk;
1364 
1365 	if (copy_from_user(&bulk, arg, sizeof(bulk)))
1366 		return -EFAULT;
1367 	return do_proc_bulk(ps, &bulk);
1368 }
1369 
check_reset_of_active_ep(struct usb_device * udev,unsigned int epnum,char * ioctl_name)1370 static void check_reset_of_active_ep(struct usb_device *udev,
1371 		unsigned int epnum, char *ioctl_name)
1372 {
1373 	struct usb_host_endpoint **eps;
1374 	struct usb_host_endpoint *ep;
1375 
1376 	eps = (epnum & USB_DIR_IN) ? udev->ep_in : udev->ep_out;
1377 	ep = eps[epnum & 0x0f];
1378 	if (ep && !list_empty(&ep->urb_list))
1379 		dev_warn(&udev->dev, "Process %d (%s) called USBDEVFS_%s for active endpoint 0x%02x\n",
1380 				task_pid_nr(current), current->comm,
1381 				ioctl_name, epnum);
1382 }
1383 
proc_resetep(struct usb_dev_state * ps,void __user * arg)1384 static int proc_resetep(struct usb_dev_state *ps, void __user *arg)
1385 {
1386 	unsigned int ep;
1387 	int ret;
1388 
1389 	if (get_user(ep, (unsigned int __user *)arg))
1390 		return -EFAULT;
1391 	ret = findintfep(ps->dev, ep);
1392 	if (ret < 0)
1393 		return ret;
1394 	ret = checkintf(ps, ret);
1395 	if (ret)
1396 		return ret;
1397 	check_reset_of_active_ep(ps->dev, ep, "RESETEP");
1398 	usb_reset_endpoint(ps->dev, ep);
1399 	return 0;
1400 }
1401 
proc_clearhalt(struct usb_dev_state * ps,void __user * arg)1402 static int proc_clearhalt(struct usb_dev_state *ps, void __user *arg)
1403 {
1404 	unsigned int ep;
1405 	int pipe;
1406 	int ret;
1407 
1408 	if (get_user(ep, (unsigned int __user *)arg))
1409 		return -EFAULT;
1410 	ret = findintfep(ps->dev, ep);
1411 	if (ret < 0)
1412 		return ret;
1413 	ret = checkintf(ps, ret);
1414 	if (ret)
1415 		return ret;
1416 	check_reset_of_active_ep(ps->dev, ep, "CLEAR_HALT");
1417 	if (ep & USB_DIR_IN)
1418 		pipe = usb_rcvbulkpipe(ps->dev, ep & 0x7f);
1419 	else
1420 		pipe = usb_sndbulkpipe(ps->dev, ep & 0x7f);
1421 
1422 	return usb_clear_halt(ps->dev, pipe);
1423 }
1424 
proc_getdriver(struct usb_dev_state * ps,void __user * arg)1425 static int proc_getdriver(struct usb_dev_state *ps, void __user *arg)
1426 {
1427 	struct usbdevfs_getdriver gd;
1428 	struct usb_interface *intf;
1429 	int ret;
1430 
1431 	if (copy_from_user(&gd, arg, sizeof(gd)))
1432 		return -EFAULT;
1433 	intf = usb_ifnum_to_if(ps->dev, gd.interface);
1434 	if (!intf || !intf->dev.driver)
1435 		ret = -ENODATA;
1436 	else {
1437 		strscpy(gd.driver, intf->dev.driver->name,
1438 				sizeof(gd.driver));
1439 		ret = (copy_to_user(arg, &gd, sizeof(gd)) ? -EFAULT : 0);
1440 	}
1441 	return ret;
1442 }
1443 
proc_connectinfo(struct usb_dev_state * ps,void __user * arg)1444 static int proc_connectinfo(struct usb_dev_state *ps, void __user *arg)
1445 {
1446 	struct usbdevfs_connectinfo ci;
1447 
1448 	memset(&ci, 0, sizeof(ci));
1449 	ci.devnum = ps->dev->devnum;
1450 	ci.slow = ps->dev->speed == USB_SPEED_LOW;
1451 
1452 	if (copy_to_user(arg, &ci, sizeof(ci)))
1453 		return -EFAULT;
1454 	return 0;
1455 }
1456 
proc_conninfo_ex(struct usb_dev_state * ps,void __user * arg,size_t size)1457 static int proc_conninfo_ex(struct usb_dev_state *ps,
1458 			    void __user *arg, size_t size)
1459 {
1460 	struct usbdevfs_conninfo_ex ci;
1461 	struct usb_device *udev = ps->dev;
1462 
1463 	if (size < sizeof(ci.size))
1464 		return -EINVAL;
1465 
1466 	memset(&ci, 0, sizeof(ci));
1467 	ci.size = sizeof(ci);
1468 	ci.busnum = udev->bus->busnum;
1469 	ci.devnum = udev->devnum;
1470 	ci.speed = udev->speed;
1471 
1472 	while (udev && udev->portnum != 0) {
1473 		if (++ci.num_ports <= ARRAY_SIZE(ci.ports))
1474 			ci.ports[ARRAY_SIZE(ci.ports) - ci.num_ports] =
1475 					udev->portnum;
1476 		udev = udev->parent;
1477 	}
1478 
1479 	if (ci.num_ports < ARRAY_SIZE(ci.ports))
1480 		memmove(&ci.ports[0],
1481 			&ci.ports[ARRAY_SIZE(ci.ports) - ci.num_ports],
1482 			ci.num_ports);
1483 
1484 	if (copy_to_user(arg, &ci, min(sizeof(ci), size)))
1485 		return -EFAULT;
1486 
1487 	return 0;
1488 }
1489 
proc_resetdevice(struct usb_dev_state * ps)1490 static int proc_resetdevice(struct usb_dev_state *ps)
1491 {
1492 	struct usb_host_config *actconfig = ps->dev->actconfig;
1493 	struct usb_interface *interface;
1494 	int i, number;
1495 
1496 	/* Don't allow a device reset if the process has dropped the
1497 	 * privilege to do such things and any of the interfaces are
1498 	 * currently claimed.
1499 	 */
1500 	if (ps->privileges_dropped && actconfig) {
1501 		for (i = 0; i < actconfig->desc.bNumInterfaces; ++i) {
1502 			interface = actconfig->interface[i];
1503 			number = interface->cur_altsetting->desc.bInterfaceNumber;
1504 			if (usb_interface_claimed(interface) &&
1505 					!test_bit(number, &ps->ifclaimed)) {
1506 				dev_warn(&ps->dev->dev,
1507 					"usbfs: interface %d claimed by %s while '%s' resets device\n",
1508 					number,	interface->dev.driver->name, current->comm);
1509 				return -EACCES;
1510 			}
1511 		}
1512 	}
1513 
1514 	return usb_reset_device(ps->dev);
1515 }
1516 
proc_setintf(struct usb_dev_state * ps,void __user * arg)1517 static int proc_setintf(struct usb_dev_state *ps, void __user *arg)
1518 {
1519 	struct usbdevfs_setinterface setintf;
1520 	int ret;
1521 
1522 	if (copy_from_user(&setintf, arg, sizeof(setintf)))
1523 		return -EFAULT;
1524 	ret = checkintf(ps, setintf.interface);
1525 	if (ret)
1526 		return ret;
1527 
1528 	destroy_async_on_interface(ps, setintf.interface);
1529 
1530 	return usb_set_interface(ps->dev, setintf.interface,
1531 			setintf.altsetting);
1532 }
1533 
proc_setconfig(struct usb_dev_state * ps,void __user * arg)1534 static int proc_setconfig(struct usb_dev_state *ps, void __user *arg)
1535 {
1536 	int u;
1537 	int status = 0;
1538 	struct usb_host_config *actconfig;
1539 
1540 	if (get_user(u, (int __user *)arg))
1541 		return -EFAULT;
1542 
1543 	actconfig = ps->dev->actconfig;
1544 
1545 	/* Don't touch the device if any interfaces are claimed.
1546 	 * It could interfere with other drivers' operations, and if
1547 	 * an interface is claimed by usbfs it could easily deadlock.
1548 	 */
1549 	if (actconfig) {
1550 		int i;
1551 
1552 		for (i = 0; i < actconfig->desc.bNumInterfaces; ++i) {
1553 			if (usb_interface_claimed(actconfig->interface[i])) {
1554 				dev_warn(&ps->dev->dev,
1555 					"usbfs: interface %d claimed by %s "
1556 					"while '%s' sets config #%d\n",
1557 					actconfig->interface[i]
1558 						->cur_altsetting
1559 						->desc.bInterfaceNumber,
1560 					actconfig->interface[i]
1561 						->dev.driver->name,
1562 					current->comm, u);
1563 				status = -EBUSY;
1564 				break;
1565 			}
1566 		}
1567 	}
1568 
1569 	/* SET_CONFIGURATION is often abused as a "cheap" driver reset,
1570 	 * so avoid usb_set_configuration()'s kick to sysfs
1571 	 */
1572 	if (status == 0) {
1573 		if (actconfig && actconfig->desc.bConfigurationValue == u)
1574 			status = usb_reset_configuration(ps->dev);
1575 		else
1576 			status = usb_set_configuration(ps->dev, u);
1577 	}
1578 
1579 	return status;
1580 }
1581 
1582 static struct usb_memory *
find_memory_area(struct usb_dev_state * ps,const struct usbdevfs_urb * uurb)1583 find_memory_area(struct usb_dev_state *ps, const struct usbdevfs_urb *uurb)
1584 {
1585 	struct usb_memory *usbm = NULL, *iter;
1586 	unsigned long flags;
1587 	unsigned long uurb_start = (unsigned long)uurb->buffer;
1588 
1589 	spin_lock_irqsave(&ps->lock, flags);
1590 	list_for_each_entry(iter, &ps->memory_list, memlist) {
1591 		if (uurb_start >= iter->vm_start &&
1592 				uurb_start < iter->vm_start + iter->size) {
1593 			if (uurb->buffer_length > iter->vm_start + iter->size -
1594 					uurb_start) {
1595 				usbm = ERR_PTR(-EINVAL);
1596 			} else {
1597 				usbm = iter;
1598 				usbm->urb_use_count++;
1599 			}
1600 			break;
1601 		}
1602 	}
1603 	spin_unlock_irqrestore(&ps->lock, flags);
1604 	return usbm;
1605 }
1606 
proc_do_submiturb(struct usb_dev_state * ps,struct usbdevfs_urb * uurb,struct usbdevfs_iso_packet_desc __user * iso_frame_desc,void __user * arg,sigval_t userurb_sigval)1607 static int proc_do_submiturb(struct usb_dev_state *ps, struct usbdevfs_urb *uurb,
1608 			struct usbdevfs_iso_packet_desc __user *iso_frame_desc,
1609 			void __user *arg, sigval_t userurb_sigval)
1610 {
1611 	struct usbdevfs_iso_packet_desc *isopkt = NULL;
1612 	struct usb_host_endpoint *ep;
1613 	struct async *as = NULL;
1614 	struct usb_ctrlrequest *dr = NULL;
1615 	unsigned int u, totlen, isofrmlen;
1616 	int i, ret, num_sgs = 0, ifnum = -1;
1617 	int number_of_packets = 0;
1618 	unsigned int stream_id = 0;
1619 	void *buf;
1620 	bool is_in;
1621 	bool allow_short = false;
1622 	bool allow_zero = false;
1623 	unsigned long mask =	USBDEVFS_URB_SHORT_NOT_OK |
1624 				USBDEVFS_URB_BULK_CONTINUATION |
1625 				USBDEVFS_URB_NO_FSBR |
1626 				USBDEVFS_URB_ZERO_PACKET |
1627 				USBDEVFS_URB_NO_INTERRUPT;
1628 	/* USBDEVFS_URB_ISO_ASAP is a special case */
1629 	if (uurb->type == USBDEVFS_URB_TYPE_ISO)
1630 		mask |= USBDEVFS_URB_ISO_ASAP;
1631 
1632 	if (uurb->flags & ~mask)
1633 			return -EINVAL;
1634 
1635 	if ((unsigned int)uurb->buffer_length >= USBFS_XFER_MAX)
1636 		return -EINVAL;
1637 	if (uurb->buffer_length > 0 && !uurb->buffer)
1638 		return -EINVAL;
1639 	if (!(uurb->type == USBDEVFS_URB_TYPE_CONTROL &&
1640 	    (uurb->endpoint & ~USB_ENDPOINT_DIR_MASK) == 0)) {
1641 		ifnum = findintfep(ps->dev, uurb->endpoint);
1642 		if (ifnum < 0)
1643 			return ifnum;
1644 		ret = checkintf(ps, ifnum);
1645 		if (ret)
1646 			return ret;
1647 	}
1648 	ep = ep_to_host_endpoint(ps->dev, uurb->endpoint);
1649 	if (!ep)
1650 		return -ENOENT;
1651 	is_in = (uurb->endpoint & USB_ENDPOINT_DIR_MASK) != 0;
1652 
1653 	u = 0;
1654 	switch (uurb->type) {
1655 	case USBDEVFS_URB_TYPE_CONTROL:
1656 		if (!usb_endpoint_xfer_control(&ep->desc))
1657 			return -EINVAL;
1658 		/* min 8 byte setup packet */
1659 		if (uurb->buffer_length < 8)
1660 			return -EINVAL;
1661 		dr = kmalloc(sizeof(struct usb_ctrlrequest), GFP_KERNEL);
1662 		if (!dr)
1663 			return -ENOMEM;
1664 		if (copy_from_user(dr, uurb->buffer, 8)) {
1665 			ret = -EFAULT;
1666 			goto error;
1667 		}
1668 		if (uurb->buffer_length < (le16_to_cpu(dr->wLength) + 8)) {
1669 			ret = -EINVAL;
1670 			goto error;
1671 		}
1672 		ret = check_ctrlrecip(ps, dr->bRequestType, dr->bRequest,
1673 				      le16_to_cpu(dr->wIndex));
1674 		if (ret)
1675 			goto error;
1676 		uurb->buffer_length = le16_to_cpu(dr->wLength);
1677 		uurb->buffer += 8;
1678 		if ((dr->bRequestType & USB_DIR_IN) && uurb->buffer_length) {
1679 			is_in = true;
1680 			uurb->endpoint |= USB_DIR_IN;
1681 		} else {
1682 			is_in = false;
1683 			uurb->endpoint &= ~USB_DIR_IN;
1684 		}
1685 		if (is_in)
1686 			allow_short = true;
1687 		snoop(&ps->dev->dev, "control urb: bRequestType=%02x "
1688 			"bRequest=%02x wValue=%04x "
1689 			"wIndex=%04x wLength=%04x\n",
1690 			dr->bRequestType, dr->bRequest,
1691 			__le16_to_cpu(dr->wValue),
1692 			__le16_to_cpu(dr->wIndex),
1693 			__le16_to_cpu(dr->wLength));
1694 		u = sizeof(struct usb_ctrlrequest);
1695 		break;
1696 
1697 	case USBDEVFS_URB_TYPE_BULK:
1698 		if (!is_in)
1699 			allow_zero = true;
1700 		else
1701 			allow_short = true;
1702 		switch (usb_endpoint_type(&ep->desc)) {
1703 		case USB_ENDPOINT_XFER_CONTROL:
1704 		case USB_ENDPOINT_XFER_ISOC:
1705 			return -EINVAL;
1706 		case USB_ENDPOINT_XFER_INT:
1707 			/* allow single-shot interrupt transfers */
1708 			uurb->type = USBDEVFS_URB_TYPE_INTERRUPT;
1709 			goto interrupt_urb;
1710 		}
1711 		num_sgs = DIV_ROUND_UP(uurb->buffer_length, USB_SG_SIZE);
1712 		if (num_sgs == 1 || num_sgs > ps->dev->bus->sg_tablesize)
1713 			num_sgs = 0;
1714 		if (ep->streams)
1715 			stream_id = uurb->stream_id;
1716 		break;
1717 
1718 	case USBDEVFS_URB_TYPE_INTERRUPT:
1719 		if (!usb_endpoint_xfer_int(&ep->desc))
1720 			return -EINVAL;
1721  interrupt_urb:
1722 		if (!is_in)
1723 			allow_zero = true;
1724 		else
1725 			allow_short = true;
1726 		break;
1727 
1728 	case USBDEVFS_URB_TYPE_ISO:
1729 		/* arbitrary limit */
1730 		if (uurb->number_of_packets < 1 ||
1731 		    uurb->number_of_packets > 128)
1732 			return -EINVAL;
1733 		if (!usb_endpoint_xfer_isoc(&ep->desc))
1734 			return -EINVAL;
1735 		number_of_packets = uurb->number_of_packets;
1736 		isofrmlen = sizeof(struct usbdevfs_iso_packet_desc) *
1737 				   number_of_packets;
1738 		isopkt = memdup_user(iso_frame_desc, isofrmlen);
1739 		if (IS_ERR(isopkt)) {
1740 			ret = PTR_ERR(isopkt);
1741 			isopkt = NULL;
1742 			goto error;
1743 		}
1744 		for (totlen = u = 0; u < number_of_packets; u++) {
1745 			/*
1746 			 * arbitrary limit need for USB 3.1 Gen2
1747 			 * sizemax: 96 DPs at SSP, 96 * 1024 = 98304
1748 			 */
1749 			if (isopkt[u].length > 98304) {
1750 				ret = -EINVAL;
1751 				goto error;
1752 			}
1753 			totlen += isopkt[u].length;
1754 		}
1755 		u *= sizeof(struct usb_iso_packet_descriptor);
1756 		uurb->buffer_length = totlen;
1757 		break;
1758 
1759 	default:
1760 		return -EINVAL;
1761 	}
1762 
1763 	if (uurb->buffer_length > 0 &&
1764 			!access_ok(uurb->buffer, uurb->buffer_length)) {
1765 		ret = -EFAULT;
1766 		goto error;
1767 	}
1768 	as = alloc_async(number_of_packets);
1769 	if (!as) {
1770 		ret = -ENOMEM;
1771 		goto error;
1772 	}
1773 
1774 	as->usbm = find_memory_area(ps, uurb);
1775 	if (IS_ERR(as->usbm)) {
1776 		ret = PTR_ERR(as->usbm);
1777 		as->usbm = NULL;
1778 		goto error;
1779 	}
1780 
1781 	/* do not use SG buffers when memory mapped segments
1782 	 * are in use
1783 	 */
1784 	if (as->usbm)
1785 		num_sgs = 0;
1786 
1787 	u += sizeof(struct async) + sizeof(struct urb) +
1788 	     (as->usbm ? 0 : uurb->buffer_length) +
1789 	     num_sgs * sizeof(struct scatterlist);
1790 	ret = usbfs_increase_memory_usage(u);
1791 	if (ret)
1792 		goto error;
1793 	as->mem_usage = u;
1794 
1795 	if (num_sgs) {
1796 		as->urb->sg = kmalloc_array(num_sgs,
1797 					    sizeof(struct scatterlist),
1798 					    GFP_KERNEL | __GFP_NOWARN);
1799 		if (!as->urb->sg) {
1800 			ret = -ENOMEM;
1801 			goto error;
1802 		}
1803 		as->urb->num_sgs = num_sgs;
1804 		sg_init_table(as->urb->sg, as->urb->num_sgs);
1805 
1806 		totlen = uurb->buffer_length;
1807 		for (i = 0; i < as->urb->num_sgs; i++) {
1808 			u = (totlen > USB_SG_SIZE) ? USB_SG_SIZE : totlen;
1809 			buf = kmalloc(u, GFP_KERNEL);
1810 			if (!buf) {
1811 				ret = -ENOMEM;
1812 				goto error;
1813 			}
1814 			sg_set_buf(&as->urb->sg[i], buf, u);
1815 
1816 			if (!is_in) {
1817 				if (copy_from_user(buf, uurb->buffer, u)) {
1818 					ret = -EFAULT;
1819 					goto error;
1820 				}
1821 				uurb->buffer += u;
1822 			}
1823 			totlen -= u;
1824 		}
1825 	} else if (uurb->buffer_length > 0) {
1826 		if (as->usbm) {
1827 			unsigned long uurb_start = (unsigned long)uurb->buffer;
1828 
1829 			as->urb->transfer_buffer = as->usbm->mem +
1830 					(uurb_start - as->usbm->vm_start);
1831 		} else {
1832 			as->urb->transfer_buffer = kmalloc(uurb->buffer_length,
1833 					GFP_KERNEL | __GFP_NOWARN);
1834 			if (!as->urb->transfer_buffer) {
1835 				ret = -ENOMEM;
1836 				goto error;
1837 			}
1838 			if (!is_in) {
1839 				if (copy_from_user(as->urb->transfer_buffer,
1840 						   uurb->buffer,
1841 						   uurb->buffer_length)) {
1842 					ret = -EFAULT;
1843 					goto error;
1844 				}
1845 			} else if (uurb->type == USBDEVFS_URB_TYPE_ISO) {
1846 				/*
1847 				 * Isochronous input data may end up being
1848 				 * discontiguous if some of the packets are
1849 				 * short. Clear the buffer so that the gaps
1850 				 * don't leak kernel data to userspace.
1851 				 */
1852 				memset(as->urb->transfer_buffer, 0,
1853 						uurb->buffer_length);
1854 			}
1855 		}
1856 	}
1857 	as->urb->dev = ps->dev;
1858 	as->urb->pipe = (uurb->type << 30) |
1859 			__create_pipe(ps->dev, uurb->endpoint & 0xf) |
1860 			(uurb->endpoint & USB_DIR_IN);
1861 
1862 	/* This tedious sequence is necessary because the URB_* flags
1863 	 * are internal to the kernel and subject to change, whereas
1864 	 * the USBDEVFS_URB_* flags are a user API and must not be changed.
1865 	 */
1866 	u = (is_in ? URB_DIR_IN : URB_DIR_OUT);
1867 	if (uurb->flags & USBDEVFS_URB_ISO_ASAP)
1868 		u |= URB_ISO_ASAP;
1869 	if (allow_short && uurb->flags & USBDEVFS_URB_SHORT_NOT_OK)
1870 		u |= URB_SHORT_NOT_OK;
1871 	if (allow_zero && uurb->flags & USBDEVFS_URB_ZERO_PACKET)
1872 		u |= URB_ZERO_PACKET;
1873 	if (uurb->flags & USBDEVFS_URB_NO_INTERRUPT)
1874 		u |= URB_NO_INTERRUPT;
1875 	as->urb->transfer_flags = u;
1876 
1877 	if (!allow_short && uurb->flags & USBDEVFS_URB_SHORT_NOT_OK)
1878 		dev_warn(&ps->dev->dev, "Requested nonsensical USBDEVFS_URB_SHORT_NOT_OK.\n");
1879 	if (!allow_zero && uurb->flags & USBDEVFS_URB_ZERO_PACKET)
1880 		dev_warn(&ps->dev->dev, "Requested nonsensical USBDEVFS_URB_ZERO_PACKET.\n");
1881 
1882 	as->urb->transfer_buffer_length = uurb->buffer_length;
1883 	as->urb->setup_packet = (unsigned char *)dr;
1884 	dr = NULL;
1885 	as->urb->start_frame = uurb->start_frame;
1886 	as->urb->number_of_packets = number_of_packets;
1887 	as->urb->stream_id = stream_id;
1888 
1889 	if (ep->desc.bInterval) {
1890 		if (uurb->type == USBDEVFS_URB_TYPE_ISO ||
1891 				ps->dev->speed == USB_SPEED_HIGH ||
1892 				ps->dev->speed >= USB_SPEED_SUPER)
1893 			as->urb->interval = 1 <<
1894 					min(15, ep->desc.bInterval - 1);
1895 		else
1896 			as->urb->interval = ep->desc.bInterval;
1897 	}
1898 
1899 	as->urb->context = as;
1900 	as->urb->complete = async_completed;
1901 	for (totlen = u = 0; u < number_of_packets; u++) {
1902 		as->urb->iso_frame_desc[u].offset = totlen;
1903 		as->urb->iso_frame_desc[u].length = isopkt[u].length;
1904 		totlen += isopkt[u].length;
1905 	}
1906 	kfree(isopkt);
1907 	isopkt = NULL;
1908 	as->ps = ps;
1909 	as->userurb = arg;
1910 	as->userurb_sigval = userurb_sigval;
1911 	if (as->usbm) {
1912 		unsigned long uurb_start = (unsigned long)uurb->buffer;
1913 
1914 		as->urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP;
1915 		as->urb->transfer_dma = as->usbm->dma_handle +
1916 				(uurb_start - as->usbm->vm_start);
1917 	} else if (is_in && uurb->buffer_length > 0)
1918 		as->userbuffer = uurb->buffer;
1919 	as->signr = uurb->signr;
1920 	as->ifnum = ifnum;
1921 	as->pid = get_pid(task_pid(current));
1922 	as->cred = get_current_cred();
1923 	snoop_urb(ps->dev, as->userurb, as->urb->pipe,
1924 			as->urb->transfer_buffer_length, 0, SUBMIT,
1925 			NULL, 0);
1926 	if (!is_in)
1927 		snoop_urb_data(as->urb, as->urb->transfer_buffer_length);
1928 
1929 	async_newpending(as);
1930 
1931 	if (usb_endpoint_xfer_bulk(&ep->desc)) {
1932 		spin_lock_irq(&ps->lock);
1933 
1934 		/* Not exactly the endpoint address; the direction bit is
1935 		 * shifted to the 0x10 position so that the value will be
1936 		 * between 0 and 31.
1937 		 */
1938 		as->bulk_addr = usb_endpoint_num(&ep->desc) |
1939 			((ep->desc.bEndpointAddress & USB_ENDPOINT_DIR_MASK)
1940 				>> 3);
1941 
1942 		/* If this bulk URB is the start of a new transfer, re-enable
1943 		 * the endpoint.  Otherwise mark it as a continuation URB.
1944 		 */
1945 		if (uurb->flags & USBDEVFS_URB_BULK_CONTINUATION)
1946 			as->bulk_status = AS_CONTINUATION;
1947 		else
1948 			ps->disabled_bulk_eps &= ~(1 << as->bulk_addr);
1949 
1950 		/* Don't accept continuation URBs if the endpoint is
1951 		 * disabled because of an earlier error.
1952 		 */
1953 		if (ps->disabled_bulk_eps & (1 << as->bulk_addr))
1954 			ret = -EREMOTEIO;
1955 		else
1956 			ret = usb_submit_urb(as->urb, GFP_ATOMIC);
1957 		spin_unlock_irq(&ps->lock);
1958 	} else {
1959 		ret = usb_submit_urb(as->urb, GFP_KERNEL);
1960 	}
1961 
1962 	if (ret) {
1963 		dev_printk(KERN_DEBUG, &ps->dev->dev,
1964 			   "usbfs: usb_submit_urb returned %d\n", ret);
1965 		snoop_urb(ps->dev, as->userurb, as->urb->pipe,
1966 				0, ret, COMPLETE, NULL, 0);
1967 		async_removepending(as);
1968 		goto error;
1969 	}
1970 	return 0;
1971 
1972  error:
1973 	kfree(isopkt);
1974 	kfree(dr);
1975 	if (as)
1976 		free_async(as);
1977 	return ret;
1978 }
1979 
proc_submiturb(struct usb_dev_state * ps,void __user * arg)1980 static int proc_submiturb(struct usb_dev_state *ps, void __user *arg)
1981 {
1982 	struct usbdevfs_urb uurb;
1983 	sigval_t userurb_sigval;
1984 
1985 	if (copy_from_user(&uurb, arg, sizeof(uurb)))
1986 		return -EFAULT;
1987 
1988 	memset(&userurb_sigval, 0, sizeof(userurb_sigval));
1989 	userurb_sigval.sival_ptr = arg;
1990 
1991 	return proc_do_submiturb(ps, &uurb,
1992 			(((struct usbdevfs_urb __user *)arg)->iso_frame_desc),
1993 			arg, userurb_sigval);
1994 }
1995 
proc_unlinkurb(struct usb_dev_state * ps,void __user * arg)1996 static int proc_unlinkurb(struct usb_dev_state *ps, void __user *arg)
1997 {
1998 	struct urb *urb;
1999 	struct async *as;
2000 	unsigned long flags;
2001 
2002 	spin_lock_irqsave(&ps->lock, flags);
2003 	as = async_getpending(ps, arg);
2004 	if (!as) {
2005 		spin_unlock_irqrestore(&ps->lock, flags);
2006 		return -EINVAL;
2007 	}
2008 
2009 	urb = as->urb;
2010 	usb_get_urb(urb);
2011 	spin_unlock_irqrestore(&ps->lock, flags);
2012 
2013 	usb_kill_urb(urb);
2014 	usb_put_urb(urb);
2015 
2016 	return 0;
2017 }
2018 
compute_isochronous_actual_length(struct urb * urb)2019 static void compute_isochronous_actual_length(struct urb *urb)
2020 {
2021 	unsigned int i;
2022 
2023 	if (urb->number_of_packets > 0) {
2024 		urb->actual_length = 0;
2025 		for (i = 0; i < urb->number_of_packets; i++)
2026 			urb->actual_length +=
2027 					urb->iso_frame_desc[i].actual_length;
2028 	}
2029 }
2030 
processcompl(struct async * as,void __user * __user * arg)2031 static int processcompl(struct async *as, void __user * __user *arg)
2032 {
2033 	struct urb *urb = as->urb;
2034 	struct usbdevfs_urb __user *userurb = as->userurb;
2035 	void __user *addr = as->userurb;
2036 	unsigned int i;
2037 
2038 	compute_isochronous_actual_length(urb);
2039 	if (as->userbuffer && urb->actual_length) {
2040 		if (copy_urb_data_to_user(as->userbuffer, urb))
2041 			goto err_out;
2042 	}
2043 	if (put_user(as->status, &userurb->status))
2044 		goto err_out;
2045 	if (put_user(urb->actual_length, &userurb->actual_length))
2046 		goto err_out;
2047 	if (put_user(urb->error_count, &userurb->error_count))
2048 		goto err_out;
2049 
2050 	if (usb_endpoint_xfer_isoc(&urb->ep->desc)) {
2051 		for (i = 0; i < urb->number_of_packets; i++) {
2052 			if (put_user(urb->iso_frame_desc[i].actual_length,
2053 				     &userurb->iso_frame_desc[i].actual_length))
2054 				goto err_out;
2055 			if (put_user(urb->iso_frame_desc[i].status,
2056 				     &userurb->iso_frame_desc[i].status))
2057 				goto err_out;
2058 		}
2059 	}
2060 
2061 	if (put_user(addr, (void __user * __user *)arg))
2062 		return -EFAULT;
2063 	return 0;
2064 
2065 err_out:
2066 	return -EFAULT;
2067 }
2068 
reap_as(struct usb_dev_state * ps)2069 static struct async *reap_as(struct usb_dev_state *ps)
2070 {
2071 	DECLARE_WAITQUEUE(wait, current);
2072 	struct async *as = NULL;
2073 	struct usb_device *dev = ps->dev;
2074 
2075 	add_wait_queue(&ps->wait, &wait);
2076 	for (;;) {
2077 		__set_current_state(TASK_INTERRUPTIBLE);
2078 		as = async_getcompleted(ps);
2079 		if (as || !connected(ps))
2080 			break;
2081 		if (signal_pending(current))
2082 			break;
2083 		usb_unlock_device(dev);
2084 		schedule();
2085 		usb_lock_device(dev);
2086 	}
2087 	remove_wait_queue(&ps->wait, &wait);
2088 	set_current_state(TASK_RUNNING);
2089 	return as;
2090 }
2091 
proc_reapurb(struct usb_dev_state * ps,void __user * arg)2092 static int proc_reapurb(struct usb_dev_state *ps, void __user *arg)
2093 {
2094 	struct async *as = reap_as(ps);
2095 
2096 	if (as) {
2097 		int retval;
2098 
2099 		snoop(&ps->dev->dev, "reap %px\n", as->userurb);
2100 		retval = processcompl(as, (void __user * __user *)arg);
2101 		free_async(as);
2102 		return retval;
2103 	}
2104 	if (signal_pending(current))
2105 		return -EINTR;
2106 	return -ENODEV;
2107 }
2108 
proc_reapurbnonblock(struct usb_dev_state * ps,void __user * arg)2109 static int proc_reapurbnonblock(struct usb_dev_state *ps, void __user *arg)
2110 {
2111 	int retval;
2112 	struct async *as;
2113 
2114 	as = async_getcompleted(ps);
2115 	if (as) {
2116 		snoop(&ps->dev->dev, "reap %px\n", as->userurb);
2117 		retval = processcompl(as, (void __user * __user *)arg);
2118 		free_async(as);
2119 	} else {
2120 		retval = (connected(ps) ? -EAGAIN : -ENODEV);
2121 	}
2122 	return retval;
2123 }
2124 
2125 #ifdef CONFIG_COMPAT
proc_control_compat(struct usb_dev_state * ps,struct usbdevfs_ctrltransfer32 __user * p32)2126 static int proc_control_compat(struct usb_dev_state *ps,
2127 				struct usbdevfs_ctrltransfer32 __user *p32)
2128 {
2129 	struct usbdevfs_ctrltransfer ctrl;
2130 	u32 udata;
2131 
2132 	if (copy_from_user(&ctrl, p32, sizeof(*p32) - sizeof(compat_caddr_t)) ||
2133 	    get_user(udata, &p32->data))
2134 		return -EFAULT;
2135 	ctrl.data = compat_ptr(udata);
2136 	return do_proc_control(ps, &ctrl);
2137 }
2138 
proc_bulk_compat(struct usb_dev_state * ps,struct usbdevfs_bulktransfer32 __user * p32)2139 static int proc_bulk_compat(struct usb_dev_state *ps,
2140 			struct usbdevfs_bulktransfer32 __user *p32)
2141 {
2142 	struct usbdevfs_bulktransfer bulk;
2143 	compat_caddr_t addr;
2144 
2145 	if (get_user(bulk.ep, &p32->ep) ||
2146 	    get_user(bulk.len, &p32->len) ||
2147 	    get_user(bulk.timeout, &p32->timeout) ||
2148 	    get_user(addr, &p32->data))
2149 		return -EFAULT;
2150 	bulk.data = compat_ptr(addr);
2151 	return do_proc_bulk(ps, &bulk);
2152 }
2153 
proc_disconnectsignal_compat(struct usb_dev_state * ps,void __user * arg)2154 static int proc_disconnectsignal_compat(struct usb_dev_state *ps, void __user *arg)
2155 {
2156 	struct usbdevfs_disconnectsignal32 ds;
2157 
2158 	if (copy_from_user(&ds, arg, sizeof(ds)))
2159 		return -EFAULT;
2160 	ps->discsignr = ds.signr;
2161 	ps->disccontext.sival_int = ds.context;
2162 	return 0;
2163 }
2164 
get_urb32(struct usbdevfs_urb * kurb,struct usbdevfs_urb32 __user * uurb)2165 static int get_urb32(struct usbdevfs_urb *kurb,
2166 		     struct usbdevfs_urb32 __user *uurb)
2167 {
2168 	struct usbdevfs_urb32 urb32;
2169 	if (copy_from_user(&urb32, uurb, sizeof(*uurb)))
2170 		return -EFAULT;
2171 	kurb->type = urb32.type;
2172 	kurb->endpoint = urb32.endpoint;
2173 	kurb->status = urb32.status;
2174 	kurb->flags = urb32.flags;
2175 	kurb->buffer = compat_ptr(urb32.buffer);
2176 	kurb->buffer_length = urb32.buffer_length;
2177 	kurb->actual_length = urb32.actual_length;
2178 	kurb->start_frame = urb32.start_frame;
2179 	kurb->number_of_packets = urb32.number_of_packets;
2180 	kurb->error_count = urb32.error_count;
2181 	kurb->signr = urb32.signr;
2182 	kurb->usercontext = compat_ptr(urb32.usercontext);
2183 	return 0;
2184 }
2185 
proc_submiturb_compat(struct usb_dev_state * ps,void __user * arg)2186 static int proc_submiturb_compat(struct usb_dev_state *ps, void __user *arg)
2187 {
2188 	struct usbdevfs_urb uurb;
2189 	sigval_t userurb_sigval;
2190 
2191 	if (get_urb32(&uurb, (struct usbdevfs_urb32 __user *)arg))
2192 		return -EFAULT;
2193 
2194 	memset(&userurb_sigval, 0, sizeof(userurb_sigval));
2195 	userurb_sigval.sival_int = ptr_to_compat(arg);
2196 
2197 	return proc_do_submiturb(ps, &uurb,
2198 			((struct usbdevfs_urb32 __user *)arg)->iso_frame_desc,
2199 			arg, userurb_sigval);
2200 }
2201 
processcompl_compat(struct async * as,void __user * __user * arg)2202 static int processcompl_compat(struct async *as, void __user * __user *arg)
2203 {
2204 	struct urb *urb = as->urb;
2205 	struct usbdevfs_urb32 __user *userurb = as->userurb;
2206 	void __user *addr = as->userurb;
2207 	unsigned int i;
2208 
2209 	compute_isochronous_actual_length(urb);
2210 	if (as->userbuffer && urb->actual_length) {
2211 		if (copy_urb_data_to_user(as->userbuffer, urb))
2212 			return -EFAULT;
2213 	}
2214 	if (put_user(as->status, &userurb->status))
2215 		return -EFAULT;
2216 	if (put_user(urb->actual_length, &userurb->actual_length))
2217 		return -EFAULT;
2218 	if (put_user(urb->error_count, &userurb->error_count))
2219 		return -EFAULT;
2220 
2221 	if (usb_endpoint_xfer_isoc(&urb->ep->desc)) {
2222 		for (i = 0; i < urb->number_of_packets; i++) {
2223 			if (put_user(urb->iso_frame_desc[i].actual_length,
2224 				     &userurb->iso_frame_desc[i].actual_length))
2225 				return -EFAULT;
2226 			if (put_user(urb->iso_frame_desc[i].status,
2227 				     &userurb->iso_frame_desc[i].status))
2228 				return -EFAULT;
2229 		}
2230 	}
2231 
2232 	if (put_user(ptr_to_compat(addr), (u32 __user *)arg))
2233 		return -EFAULT;
2234 	return 0;
2235 }
2236 
proc_reapurb_compat(struct usb_dev_state * ps,void __user * arg)2237 static int proc_reapurb_compat(struct usb_dev_state *ps, void __user *arg)
2238 {
2239 	struct async *as = reap_as(ps);
2240 
2241 	if (as) {
2242 		int retval;
2243 
2244 		snoop(&ps->dev->dev, "reap %px\n", as->userurb);
2245 		retval = processcompl_compat(as, (void __user * __user *)arg);
2246 		free_async(as);
2247 		return retval;
2248 	}
2249 	if (signal_pending(current))
2250 		return -EINTR;
2251 	return -ENODEV;
2252 }
2253 
proc_reapurbnonblock_compat(struct usb_dev_state * ps,void __user * arg)2254 static int proc_reapurbnonblock_compat(struct usb_dev_state *ps, void __user *arg)
2255 {
2256 	int retval;
2257 	struct async *as;
2258 
2259 	as = async_getcompleted(ps);
2260 	if (as) {
2261 		snoop(&ps->dev->dev, "reap %px\n", as->userurb);
2262 		retval = processcompl_compat(as, (void __user * __user *)arg);
2263 		free_async(as);
2264 	} else {
2265 		retval = (connected(ps) ? -EAGAIN : -ENODEV);
2266 	}
2267 	return retval;
2268 }
2269 
2270 
2271 #endif
2272 
proc_disconnectsignal(struct usb_dev_state * ps,void __user * arg)2273 static int proc_disconnectsignal(struct usb_dev_state *ps, void __user *arg)
2274 {
2275 	struct usbdevfs_disconnectsignal ds;
2276 
2277 	if (copy_from_user(&ds, arg, sizeof(ds)))
2278 		return -EFAULT;
2279 	ps->discsignr = ds.signr;
2280 	ps->disccontext.sival_ptr = ds.context;
2281 	return 0;
2282 }
2283 
proc_claiminterface(struct usb_dev_state * ps,void __user * arg)2284 static int proc_claiminterface(struct usb_dev_state *ps, void __user *arg)
2285 {
2286 	unsigned int ifnum;
2287 
2288 	if (get_user(ifnum, (unsigned int __user *)arg))
2289 		return -EFAULT;
2290 	return claimintf(ps, ifnum);
2291 }
2292 
proc_releaseinterface(struct usb_dev_state * ps,void __user * arg)2293 static int proc_releaseinterface(struct usb_dev_state *ps, void __user *arg)
2294 {
2295 	unsigned int ifnum;
2296 	int ret;
2297 
2298 	if (get_user(ifnum, (unsigned int __user *)arg))
2299 		return -EFAULT;
2300 	ret = releaseintf(ps, ifnum);
2301 	if (ret < 0)
2302 		return ret;
2303 	destroy_async_on_interface(ps, ifnum);
2304 	return 0;
2305 }
2306 
proc_ioctl(struct usb_dev_state * ps,struct usbdevfs_ioctl * ctl)2307 static int proc_ioctl(struct usb_dev_state *ps, struct usbdevfs_ioctl *ctl)
2308 {
2309 	int			size;
2310 	void			*buf = NULL;
2311 	int			retval = 0;
2312 	struct usb_interface    *intf = NULL;
2313 	struct usb_driver       *driver = NULL;
2314 
2315 	if (ps->privileges_dropped)
2316 		return -EACCES;
2317 
2318 	if (!connected(ps))
2319 		return -ENODEV;
2320 
2321 	/* alloc buffer */
2322 	size = _IOC_SIZE(ctl->ioctl_code);
2323 	if (size > 0) {
2324 		buf = kmalloc(size, GFP_KERNEL);
2325 		if (buf == NULL)
2326 			return -ENOMEM;
2327 		if ((_IOC_DIR(ctl->ioctl_code) & _IOC_WRITE)) {
2328 			if (copy_from_user(buf, ctl->data, size)) {
2329 				kfree(buf);
2330 				return -EFAULT;
2331 			}
2332 		} else {
2333 			memset(buf, 0, size);
2334 		}
2335 	}
2336 
2337 	if (ps->dev->state != USB_STATE_CONFIGURED)
2338 		retval = -EHOSTUNREACH;
2339 	else if (!(intf = usb_ifnum_to_if(ps->dev, ctl->ifno)))
2340 		retval = -EINVAL;
2341 	else switch (ctl->ioctl_code) {
2342 
2343 	/* disconnect kernel driver from interface */
2344 	case USBDEVFS_DISCONNECT:
2345 		if (intf->dev.driver) {
2346 			driver = to_usb_driver(intf->dev.driver);
2347 			dev_dbg(&intf->dev, "disconnect by usbfs\n");
2348 			usb_driver_release_interface(driver, intf);
2349 		} else
2350 			retval = -ENODATA;
2351 		break;
2352 
2353 	/* let kernel drivers try to (re)bind to the interface */
2354 	case USBDEVFS_CONNECT:
2355 		if (!intf->dev.driver)
2356 			retval = device_attach(&intf->dev);
2357 		else
2358 			retval = -EBUSY;
2359 		break;
2360 
2361 	/* talk directly to the interface's driver */
2362 	default:
2363 		if (intf->dev.driver)
2364 			driver = to_usb_driver(intf->dev.driver);
2365 		if (driver == NULL || driver->unlocked_ioctl == NULL) {
2366 			retval = -ENOTTY;
2367 		} else {
2368 			retval = driver->unlocked_ioctl(intf, ctl->ioctl_code, buf);
2369 			if (retval == -ENOIOCTLCMD)
2370 				retval = -ENOTTY;
2371 		}
2372 	}
2373 
2374 	/* cleanup and return */
2375 	if (retval >= 0
2376 			&& (_IOC_DIR(ctl->ioctl_code) & _IOC_READ) != 0
2377 			&& size > 0
2378 			&& copy_to_user(ctl->data, buf, size) != 0)
2379 		retval = -EFAULT;
2380 
2381 	kfree(buf);
2382 	return retval;
2383 }
2384 
proc_ioctl_default(struct usb_dev_state * ps,void __user * arg)2385 static int proc_ioctl_default(struct usb_dev_state *ps, void __user *arg)
2386 {
2387 	struct usbdevfs_ioctl	ctrl;
2388 
2389 	if (copy_from_user(&ctrl, arg, sizeof(ctrl)))
2390 		return -EFAULT;
2391 	return proc_ioctl(ps, &ctrl);
2392 }
2393 
2394 #ifdef CONFIG_COMPAT
proc_ioctl_compat(struct usb_dev_state * ps,compat_uptr_t arg)2395 static int proc_ioctl_compat(struct usb_dev_state *ps, compat_uptr_t arg)
2396 {
2397 	struct usbdevfs_ioctl32 ioc32;
2398 	struct usbdevfs_ioctl ctrl;
2399 
2400 	if (copy_from_user(&ioc32, compat_ptr(arg), sizeof(ioc32)))
2401 		return -EFAULT;
2402 	ctrl.ifno = ioc32.ifno;
2403 	ctrl.ioctl_code = ioc32.ioctl_code;
2404 	ctrl.data = compat_ptr(ioc32.data);
2405 	return proc_ioctl(ps, &ctrl);
2406 }
2407 #endif
2408 
proc_claim_port(struct usb_dev_state * ps,void __user * arg)2409 static int proc_claim_port(struct usb_dev_state *ps, void __user *arg)
2410 {
2411 	unsigned portnum;
2412 	int rc;
2413 
2414 	if (get_user(portnum, (unsigned __user *) arg))
2415 		return -EFAULT;
2416 	rc = usb_hub_claim_port(ps->dev, portnum, ps);
2417 	if (rc == 0)
2418 		snoop(&ps->dev->dev, "port %d claimed by process %d: %s\n",
2419 			portnum, task_pid_nr(current), current->comm);
2420 	return rc;
2421 }
2422 
proc_release_port(struct usb_dev_state * ps,void __user * arg)2423 static int proc_release_port(struct usb_dev_state *ps, void __user *arg)
2424 {
2425 	unsigned portnum;
2426 
2427 	if (get_user(portnum, (unsigned __user *) arg))
2428 		return -EFAULT;
2429 	return usb_hub_release_port(ps->dev, portnum, ps);
2430 }
2431 
proc_get_capabilities(struct usb_dev_state * ps,void __user * arg)2432 static int proc_get_capabilities(struct usb_dev_state *ps, void __user *arg)
2433 {
2434 	__u32 caps;
2435 
2436 	caps = USBDEVFS_CAP_ZERO_PACKET | USBDEVFS_CAP_NO_PACKET_SIZE_LIM |
2437 			USBDEVFS_CAP_REAP_AFTER_DISCONNECT | USBDEVFS_CAP_MMAP |
2438 			USBDEVFS_CAP_DROP_PRIVILEGES |
2439 			USBDEVFS_CAP_CONNINFO_EX | MAYBE_CAP_SUSPEND;
2440 	if (!ps->dev->bus->no_stop_on_short)
2441 		caps |= USBDEVFS_CAP_BULK_CONTINUATION;
2442 	if (ps->dev->bus->sg_tablesize)
2443 		caps |= USBDEVFS_CAP_BULK_SCATTER_GATHER;
2444 
2445 	if (put_user(caps, (__u32 __user *)arg))
2446 		return -EFAULT;
2447 
2448 	return 0;
2449 }
2450 
proc_disconnect_claim(struct usb_dev_state * ps,void __user * arg)2451 static int proc_disconnect_claim(struct usb_dev_state *ps, void __user *arg)
2452 {
2453 	struct usbdevfs_disconnect_claim dc;
2454 	struct usb_interface *intf;
2455 
2456 	if (copy_from_user(&dc, arg, sizeof(dc)))
2457 		return -EFAULT;
2458 
2459 	intf = usb_ifnum_to_if(ps->dev, dc.interface);
2460 	if (!intf)
2461 		return -EINVAL;
2462 
2463 	if (intf->dev.driver) {
2464 		struct usb_driver *driver = to_usb_driver(intf->dev.driver);
2465 
2466 		if (ps->privileges_dropped)
2467 			return -EACCES;
2468 
2469 		if ((dc.flags & USBDEVFS_DISCONNECT_CLAIM_IF_DRIVER) &&
2470 				strncmp(dc.driver, intf->dev.driver->name,
2471 					sizeof(dc.driver)) != 0)
2472 			return -EBUSY;
2473 
2474 		if ((dc.flags & USBDEVFS_DISCONNECT_CLAIM_EXCEPT_DRIVER) &&
2475 				strncmp(dc.driver, intf->dev.driver->name,
2476 					sizeof(dc.driver)) == 0)
2477 			return -EBUSY;
2478 
2479 		dev_dbg(&intf->dev, "disconnect by usbfs\n");
2480 		usb_driver_release_interface(driver, intf);
2481 	}
2482 
2483 	return claimintf(ps, dc.interface);
2484 }
2485 
proc_alloc_streams(struct usb_dev_state * ps,void __user * arg)2486 static int proc_alloc_streams(struct usb_dev_state *ps, void __user *arg)
2487 {
2488 	unsigned num_streams, num_eps;
2489 	struct usb_host_endpoint **eps;
2490 	struct usb_interface *intf;
2491 	int r;
2492 
2493 	r = parse_usbdevfs_streams(ps, arg, &num_streams, &num_eps,
2494 				   &eps, &intf);
2495 	if (r)
2496 		return r;
2497 
2498 	destroy_async_on_interface(ps,
2499 				   intf->altsetting[0].desc.bInterfaceNumber);
2500 
2501 	r = usb_alloc_streams(intf, eps, num_eps, num_streams, GFP_KERNEL);
2502 	kfree(eps);
2503 	return r;
2504 }
2505 
proc_free_streams(struct usb_dev_state * ps,void __user * arg)2506 static int proc_free_streams(struct usb_dev_state *ps, void __user *arg)
2507 {
2508 	unsigned num_eps;
2509 	struct usb_host_endpoint **eps;
2510 	struct usb_interface *intf;
2511 	int r;
2512 
2513 	r = parse_usbdevfs_streams(ps, arg, NULL, &num_eps, &eps, &intf);
2514 	if (r)
2515 		return r;
2516 
2517 	destroy_async_on_interface(ps,
2518 				   intf->altsetting[0].desc.bInterfaceNumber);
2519 
2520 	r = usb_free_streams(intf, eps, num_eps, GFP_KERNEL);
2521 	kfree(eps);
2522 	return r;
2523 }
2524 
proc_drop_privileges(struct usb_dev_state * ps,void __user * arg)2525 static int proc_drop_privileges(struct usb_dev_state *ps, void __user *arg)
2526 {
2527 	u32 data;
2528 
2529 	if (copy_from_user(&data, arg, sizeof(data)))
2530 		return -EFAULT;
2531 
2532 	/* This is a one way operation. Once privileges are
2533 	 * dropped, you cannot regain them. You may however reissue
2534 	 * this ioctl to shrink the allowed interfaces mask.
2535 	 */
2536 	ps->interface_allowed_mask &= data;
2537 	ps->privileges_dropped = true;
2538 
2539 	return 0;
2540 }
2541 
proc_forbid_suspend(struct usb_dev_state * ps)2542 static int proc_forbid_suspend(struct usb_dev_state *ps)
2543 {
2544 	int ret = 0;
2545 
2546 	if (ps->suspend_allowed) {
2547 		ret = usb_autoresume_device(ps->dev);
2548 		if (ret == 0)
2549 			ps->suspend_allowed = false;
2550 		else if (ret != -ENODEV)
2551 			ret = -EIO;
2552 	}
2553 	return ret;
2554 }
2555 
proc_allow_suspend(struct usb_dev_state * ps)2556 static int proc_allow_suspend(struct usb_dev_state *ps)
2557 {
2558 	if (!connected(ps))
2559 		return -ENODEV;
2560 
2561 	WRITE_ONCE(ps->not_yet_resumed, 1);
2562 	if (!ps->suspend_allowed) {
2563 		usb_autosuspend_device(ps->dev);
2564 		ps->suspend_allowed = true;
2565 	}
2566 	return 0;
2567 }
2568 
proc_wait_for_resume(struct usb_dev_state * ps)2569 static int proc_wait_for_resume(struct usb_dev_state *ps)
2570 {
2571 	int ret;
2572 
2573 	usb_unlock_device(ps->dev);
2574 	ret = wait_event_interruptible(ps->wait_for_resume,
2575 			READ_ONCE(ps->not_yet_resumed) == 0);
2576 	usb_lock_device(ps->dev);
2577 
2578 	if (ret != 0)
2579 		return -EINTR;
2580 	return proc_forbid_suspend(ps);
2581 }
2582 
2583 /*
2584  * NOTE:  All requests here that have interface numbers as parameters
2585  * are assuming that somehow the configuration has been prevented from
2586  * changing.  But there's no mechanism to ensure that...
2587  */
usbdev_do_ioctl(struct file * file,unsigned int cmd,void __user * p)2588 static long usbdev_do_ioctl(struct file *file, unsigned int cmd,
2589 				void __user *p)
2590 {
2591 	struct usb_dev_state *ps = file->private_data;
2592 	struct inode *inode = file_inode(file);
2593 	struct usb_device *dev = ps->dev;
2594 	int ret = -ENOTTY;
2595 
2596 	if (!(file->f_mode & FMODE_WRITE))
2597 		return -EPERM;
2598 
2599 	usb_lock_device(dev);
2600 
2601 	/* Reap operations are allowed even after disconnection */
2602 	switch (cmd) {
2603 	case USBDEVFS_REAPURB:
2604 		snoop(&dev->dev, "%s: REAPURB\n", __func__);
2605 		ret = proc_reapurb(ps, p);
2606 		goto done;
2607 
2608 	case USBDEVFS_REAPURBNDELAY:
2609 		snoop(&dev->dev, "%s: REAPURBNDELAY\n", __func__);
2610 		ret = proc_reapurbnonblock(ps, p);
2611 		goto done;
2612 
2613 #ifdef CONFIG_COMPAT
2614 	case USBDEVFS_REAPURB32:
2615 		snoop(&dev->dev, "%s: REAPURB32\n", __func__);
2616 		ret = proc_reapurb_compat(ps, p);
2617 		goto done;
2618 
2619 	case USBDEVFS_REAPURBNDELAY32:
2620 		snoop(&dev->dev, "%s: REAPURBNDELAY32\n", __func__);
2621 		ret = proc_reapurbnonblock_compat(ps, p);
2622 		goto done;
2623 #endif
2624 	}
2625 
2626 	if (!connected(ps)) {
2627 		usb_unlock_device(dev);
2628 		return -ENODEV;
2629 	}
2630 
2631 	switch (cmd) {
2632 	case USBDEVFS_CONTROL:
2633 		snoop(&dev->dev, "%s: CONTROL\n", __func__);
2634 		ret = proc_control(ps, p);
2635 		if (ret >= 0)
2636 			inode->i_mtime = current_time(inode);
2637 		break;
2638 
2639 	case USBDEVFS_BULK:
2640 		snoop(&dev->dev, "%s: BULK\n", __func__);
2641 		ret = proc_bulk(ps, p);
2642 		if (ret >= 0)
2643 			inode->i_mtime = current_time(inode);
2644 		break;
2645 
2646 	case USBDEVFS_RESETEP:
2647 		snoop(&dev->dev, "%s: RESETEP\n", __func__);
2648 		ret = proc_resetep(ps, p);
2649 		if (ret >= 0)
2650 			inode->i_mtime = current_time(inode);
2651 		break;
2652 
2653 	case USBDEVFS_RESET:
2654 		snoop(&dev->dev, "%s: RESET\n", __func__);
2655 		ret = proc_resetdevice(ps);
2656 		break;
2657 
2658 	case USBDEVFS_CLEAR_HALT:
2659 		snoop(&dev->dev, "%s: CLEAR_HALT\n", __func__);
2660 		ret = proc_clearhalt(ps, p);
2661 		if (ret >= 0)
2662 			inode->i_mtime = current_time(inode);
2663 		break;
2664 
2665 	case USBDEVFS_GETDRIVER:
2666 		snoop(&dev->dev, "%s: GETDRIVER\n", __func__);
2667 		ret = proc_getdriver(ps, p);
2668 		break;
2669 
2670 	case USBDEVFS_CONNECTINFO:
2671 		snoop(&dev->dev, "%s: CONNECTINFO\n", __func__);
2672 		ret = proc_connectinfo(ps, p);
2673 		break;
2674 
2675 	case USBDEVFS_SETINTERFACE:
2676 		snoop(&dev->dev, "%s: SETINTERFACE\n", __func__);
2677 		ret = proc_setintf(ps, p);
2678 		break;
2679 
2680 	case USBDEVFS_SETCONFIGURATION:
2681 		snoop(&dev->dev, "%s: SETCONFIGURATION\n", __func__);
2682 		ret = proc_setconfig(ps, p);
2683 		break;
2684 
2685 	case USBDEVFS_SUBMITURB:
2686 		snoop(&dev->dev, "%s: SUBMITURB\n", __func__);
2687 		ret = proc_submiturb(ps, p);
2688 		if (ret >= 0)
2689 			inode->i_mtime = current_time(inode);
2690 		break;
2691 
2692 #ifdef CONFIG_COMPAT
2693 	case USBDEVFS_CONTROL32:
2694 		snoop(&dev->dev, "%s: CONTROL32\n", __func__);
2695 		ret = proc_control_compat(ps, p);
2696 		if (ret >= 0)
2697 			inode->i_mtime = current_time(inode);
2698 		break;
2699 
2700 	case USBDEVFS_BULK32:
2701 		snoop(&dev->dev, "%s: BULK32\n", __func__);
2702 		ret = proc_bulk_compat(ps, p);
2703 		if (ret >= 0)
2704 			inode->i_mtime = current_time(inode);
2705 		break;
2706 
2707 	case USBDEVFS_DISCSIGNAL32:
2708 		snoop(&dev->dev, "%s: DISCSIGNAL32\n", __func__);
2709 		ret = proc_disconnectsignal_compat(ps, p);
2710 		break;
2711 
2712 	case USBDEVFS_SUBMITURB32:
2713 		snoop(&dev->dev, "%s: SUBMITURB32\n", __func__);
2714 		ret = proc_submiturb_compat(ps, p);
2715 		if (ret >= 0)
2716 			inode->i_mtime = current_time(inode);
2717 		break;
2718 
2719 	case USBDEVFS_IOCTL32:
2720 		snoop(&dev->dev, "%s: IOCTL32\n", __func__);
2721 		ret = proc_ioctl_compat(ps, ptr_to_compat(p));
2722 		break;
2723 #endif
2724 
2725 	case USBDEVFS_DISCARDURB:
2726 		snoop(&dev->dev, "%s: DISCARDURB %px\n", __func__, p);
2727 		ret = proc_unlinkurb(ps, p);
2728 		break;
2729 
2730 	case USBDEVFS_DISCSIGNAL:
2731 		snoop(&dev->dev, "%s: DISCSIGNAL\n", __func__);
2732 		ret = proc_disconnectsignal(ps, p);
2733 		break;
2734 
2735 	case USBDEVFS_CLAIMINTERFACE:
2736 		snoop(&dev->dev, "%s: CLAIMINTERFACE\n", __func__);
2737 		ret = proc_claiminterface(ps, p);
2738 		break;
2739 
2740 	case USBDEVFS_RELEASEINTERFACE:
2741 		snoop(&dev->dev, "%s: RELEASEINTERFACE\n", __func__);
2742 		ret = proc_releaseinterface(ps, p);
2743 		break;
2744 
2745 	case USBDEVFS_IOCTL:
2746 		snoop(&dev->dev, "%s: IOCTL\n", __func__);
2747 		ret = proc_ioctl_default(ps, p);
2748 		break;
2749 
2750 	case USBDEVFS_CLAIM_PORT:
2751 		snoop(&dev->dev, "%s: CLAIM_PORT\n", __func__);
2752 		ret = proc_claim_port(ps, p);
2753 		break;
2754 
2755 	case USBDEVFS_RELEASE_PORT:
2756 		snoop(&dev->dev, "%s: RELEASE_PORT\n", __func__);
2757 		ret = proc_release_port(ps, p);
2758 		break;
2759 	case USBDEVFS_GET_CAPABILITIES:
2760 		ret = proc_get_capabilities(ps, p);
2761 		break;
2762 	case USBDEVFS_DISCONNECT_CLAIM:
2763 		ret = proc_disconnect_claim(ps, p);
2764 		break;
2765 	case USBDEVFS_ALLOC_STREAMS:
2766 		ret = proc_alloc_streams(ps, p);
2767 		break;
2768 	case USBDEVFS_FREE_STREAMS:
2769 		ret = proc_free_streams(ps, p);
2770 		break;
2771 	case USBDEVFS_DROP_PRIVILEGES:
2772 		ret = proc_drop_privileges(ps, p);
2773 		break;
2774 	case USBDEVFS_GET_SPEED:
2775 		ret = ps->dev->speed;
2776 		break;
2777 	case USBDEVFS_FORBID_SUSPEND:
2778 		ret = proc_forbid_suspend(ps);
2779 		break;
2780 	case USBDEVFS_ALLOW_SUSPEND:
2781 		ret = proc_allow_suspend(ps);
2782 		break;
2783 	case USBDEVFS_WAIT_FOR_RESUME:
2784 		ret = proc_wait_for_resume(ps);
2785 		break;
2786 	}
2787 
2788 	/* Handle variable-length commands */
2789 	switch (cmd & ~IOCSIZE_MASK) {
2790 	case USBDEVFS_CONNINFO_EX(0):
2791 		ret = proc_conninfo_ex(ps, p, _IOC_SIZE(cmd));
2792 		break;
2793 	}
2794 
2795  done:
2796 	usb_unlock_device(dev);
2797 	if (ret >= 0)
2798 		inode->i_atime = current_time(inode);
2799 	return ret;
2800 }
2801 
usbdev_ioctl(struct file * file,unsigned int cmd,unsigned long arg)2802 static long usbdev_ioctl(struct file *file, unsigned int cmd,
2803 			unsigned long arg)
2804 {
2805 	int ret;
2806 
2807 	ret = usbdev_do_ioctl(file, cmd, (void __user *)arg);
2808 
2809 	return ret;
2810 }
2811 
2812 /* No kernel lock - fine */
usbdev_poll(struct file * file,struct poll_table_struct * wait)2813 static __poll_t usbdev_poll(struct file *file,
2814 				struct poll_table_struct *wait)
2815 {
2816 	struct usb_dev_state *ps = file->private_data;
2817 	__poll_t mask = 0;
2818 
2819 	poll_wait(file, &ps->wait, wait);
2820 	if (file->f_mode & FMODE_WRITE && !list_empty(&ps->async_completed))
2821 		mask |= EPOLLOUT | EPOLLWRNORM;
2822 	if (!connected(ps))
2823 		mask |= EPOLLHUP;
2824 	if (list_empty(&ps->list))
2825 		mask |= EPOLLERR;
2826 	return mask;
2827 }
2828 
2829 const struct file_operations usbdev_file_operations = {
2830 	.owner =	  THIS_MODULE,
2831 	.llseek =	  no_seek_end_llseek,
2832 	.read =		  usbdev_read,
2833 	.poll =		  usbdev_poll,
2834 	.unlocked_ioctl = usbdev_ioctl,
2835 	.compat_ioctl =   compat_ptr_ioctl,
2836 	.mmap =           usbdev_mmap,
2837 	.open =		  usbdev_open,
2838 	.release =	  usbdev_release,
2839 };
2840 
usbdev_remove(struct usb_device * udev)2841 static void usbdev_remove(struct usb_device *udev)
2842 {
2843 	struct usb_dev_state *ps;
2844 
2845 	/* Protect against simultaneous resume */
2846 	mutex_lock(&usbfs_mutex);
2847 	while (!list_empty(&udev->filelist)) {
2848 		ps = list_entry(udev->filelist.next, struct usb_dev_state, list);
2849 		destroy_all_async(ps);
2850 		wake_up_all(&ps->wait);
2851 		WRITE_ONCE(ps->not_yet_resumed, 0);
2852 		wake_up_all(&ps->wait_for_resume);
2853 		list_del_init(&ps->list);
2854 		if (ps->discsignr)
2855 			kill_pid_usb_asyncio(ps->discsignr, EPIPE, ps->disccontext,
2856 					     ps->disc_pid, ps->cred);
2857 	}
2858 	mutex_unlock(&usbfs_mutex);
2859 }
2860 
usbdev_notify(struct notifier_block * self,unsigned long action,void * dev)2861 static int usbdev_notify(struct notifier_block *self,
2862 			       unsigned long action, void *dev)
2863 {
2864 	switch (action) {
2865 	case USB_DEVICE_ADD:
2866 		break;
2867 	case USB_DEVICE_REMOVE:
2868 		usbdev_remove(dev);
2869 		break;
2870 	}
2871 	return NOTIFY_OK;
2872 }
2873 
2874 static struct notifier_block usbdev_nb = {
2875 	.notifier_call =	usbdev_notify,
2876 };
2877 
2878 static struct cdev usb_device_cdev;
2879 
usb_devio_init(void)2880 int __init usb_devio_init(void)
2881 {
2882 	int retval;
2883 
2884 	retval = register_chrdev_region(USB_DEVICE_DEV, USB_DEVICE_MAX,
2885 					"usb_device");
2886 	if (retval) {
2887 		printk(KERN_ERR "Unable to register minors for usb_device\n");
2888 		goto out;
2889 	}
2890 	cdev_init(&usb_device_cdev, &usbdev_file_operations);
2891 	retval = cdev_add(&usb_device_cdev, USB_DEVICE_DEV, USB_DEVICE_MAX);
2892 	if (retval) {
2893 		printk(KERN_ERR "Unable to get usb_device major %d\n",
2894 		       USB_DEVICE_MAJOR);
2895 		goto error_cdev;
2896 	}
2897 	usb_register_notify(&usbdev_nb);
2898 out:
2899 	return retval;
2900 
2901 error_cdev:
2902 	unregister_chrdev_region(USB_DEVICE_DEV, USB_DEVICE_MAX);
2903 	goto out;
2904 }
2905 
usb_devio_cleanup(void)2906 void usb_devio_cleanup(void)
2907 {
2908 	usb_unregister_notify(&usbdev_nb);
2909 	cdev_del(&usb_device_cdev);
2910 	unregister_chrdev_region(USB_DEVICE_DEV, USB_DEVICE_MAX);
2911 }
2912