1 // SPDX-License-Identifier: GPL-2.0+ 2 /*****************************************************************************/ 3 4 /* 5 * devio.c -- User space communication with USB devices. 6 * 7 * Copyright (C) 1999-2000 Thomas Sailer (sailer@ife.ee.ethz.ch) 8 * 9 * This file implements the usbfs/x/y files, where 10 * x is the bus number and y the device number. 11 * 12 * It allows user space programs/"drivers" to communicate directly 13 * with USB devices without intervening kernel driver. 14 * 15 * Revision history 16 * 22.12.1999 0.1 Initial release (split from proc_usb.c) 17 * 04.01.2000 0.2 Turned into its own filesystem 18 * 30.09.2005 0.3 Fix user-triggerable oops in async URB delivery 19 * (CAN-2005-3055) 20 */ 21 22 /*****************************************************************************/ 23 24 #include <linux/fs.h> 25 #include <linux/mm.h> 26 #include <linux/sched/signal.h> 27 #include <linux/slab.h> 28 #include <linux/signal.h> 29 #include <linux/poll.h> 30 #include <linux/module.h> 31 #include <linux/string.h> 32 #include <linux/usb.h> 33 #include <linux/usbdevice_fs.h> 34 #include <linux/usb/hcd.h> /* for usbcore internals */ 35 #include <linux/cdev.h> 36 #include <linux/notifier.h> 37 #include <linux/security.h> 38 #include <linux/user_namespace.h> 39 #include <linux/scatterlist.h> 40 #include <linux/uaccess.h> 41 #include <linux/dma-mapping.h> 42 #include <asm/byteorder.h> 43 #include <linux/moduleparam.h> 44 45 #include "usb.h" 46 47 #define USB_MAXBUS 64 48 #define USB_DEVICE_MAX (USB_MAXBUS * 128) 49 #define USB_SG_SIZE 16384 /* split-size for large txs */ 50 51 /* Mutual exclusion for removal, open, and release */ 52 DEFINE_MUTEX(usbfs_mutex); 53 54 struct usb_dev_state { 55 struct list_head list; /* state list */ 56 struct usb_device *dev; 57 struct file *file; 58 spinlock_t lock; /* protects the async urb lists */ 59 struct list_head async_pending; 60 struct list_head async_completed; 61 struct list_head memory_list; 62 wait_queue_head_t wait; /* wake up if a request completed */ 63 unsigned int discsignr; 64 struct pid *disc_pid; 65 const struct cred *cred; 66 void __user *disccontext; 67 unsigned long ifclaimed; 68 u32 disabled_bulk_eps; 69 bool privileges_dropped; 70 unsigned long interface_allowed_mask; 71 }; 72 73 struct usb_memory { 74 struct list_head memlist; 75 int vma_use_count; 76 int urb_use_count; 77 u32 size; 78 void *mem; 79 dma_addr_t dma_handle; 80 unsigned long vm_start; 81 struct usb_dev_state *ps; 82 }; 83 84 struct async { 85 struct list_head asynclist; 86 struct usb_dev_state *ps; 87 struct pid *pid; 88 const struct cred *cred; 89 unsigned int signr; 90 unsigned int ifnum; 91 void __user *userbuffer; 92 void __user *userurb; 93 struct urb *urb; 94 struct usb_memory *usbm; 95 unsigned int mem_usage; 96 int status; 97 u8 bulk_addr; 98 u8 bulk_status; 99 }; 100 101 static bool usbfs_snoop; 102 module_param(usbfs_snoop, bool, S_IRUGO | S_IWUSR); 103 MODULE_PARM_DESC(usbfs_snoop, "true to log all usbfs traffic"); 104 105 static unsigned usbfs_snoop_max = 65536; 106 module_param(usbfs_snoop_max, uint, S_IRUGO | S_IWUSR); 107 MODULE_PARM_DESC(usbfs_snoop_max, 108 "maximum number of bytes to print while snooping"); 109 110 #define snoop(dev, format, arg...) \ 111 do { \ 112 if (usbfs_snoop) \ 113 dev_info(dev, format, ## arg); \ 114 } while (0) 115 116 enum snoop_when { 117 SUBMIT, COMPLETE 118 }; 119 120 #define USB_DEVICE_DEV MKDEV(USB_DEVICE_MAJOR, 0) 121 122 /* Limit on the total amount of memory we can allocate for transfers */ 123 static u32 usbfs_memory_mb = 16; 124 module_param(usbfs_memory_mb, uint, 0644); 125 MODULE_PARM_DESC(usbfs_memory_mb, 126 "maximum MB allowed for usbfs buffers (0 = no limit)"); 127 128 /* Hard limit, necessary to avoid arithmetic overflow */ 129 #define USBFS_XFER_MAX (UINT_MAX / 2 - 1000000) 130 131 static atomic64_t usbfs_memory_usage; /* Total memory currently allocated */ 132 133 /* Check whether it's okay to allocate more memory for a transfer */ 134 static int usbfs_increase_memory_usage(u64 amount) 135 { 136 u64 lim; 137 138 lim = READ_ONCE(usbfs_memory_mb); 139 lim <<= 20; 140 141 atomic64_add(amount, &usbfs_memory_usage); 142 143 if (lim > 0 && atomic64_read(&usbfs_memory_usage) > lim) { 144 atomic64_sub(amount, &usbfs_memory_usage); 145 return -ENOMEM; 146 } 147 148 return 0; 149 } 150 151 /* Memory for a transfer is being deallocated */ 152 static void usbfs_decrease_memory_usage(u64 amount) 153 { 154 atomic64_sub(amount, &usbfs_memory_usage); 155 } 156 157 static int connected(struct usb_dev_state *ps) 158 { 159 return (!list_empty(&ps->list) && 160 ps->dev->state != USB_STATE_NOTATTACHED); 161 } 162 163 static void dec_usb_memory_use_count(struct usb_memory *usbm, int *count) 164 { 165 struct usb_dev_state *ps = usbm->ps; 166 unsigned long flags; 167 168 spin_lock_irqsave(&ps->lock, flags); 169 --*count; 170 if (usbm->urb_use_count == 0 && usbm->vma_use_count == 0) { 171 list_del(&usbm->memlist); 172 spin_unlock_irqrestore(&ps->lock, flags); 173 174 usb_free_coherent(ps->dev, usbm->size, usbm->mem, 175 usbm->dma_handle); 176 usbfs_decrease_memory_usage( 177 usbm->size + sizeof(struct usb_memory)); 178 kfree(usbm); 179 } else { 180 spin_unlock_irqrestore(&ps->lock, flags); 181 } 182 } 183 184 static void usbdev_vm_open(struct vm_area_struct *vma) 185 { 186 struct usb_memory *usbm = vma->vm_private_data; 187 unsigned long flags; 188 189 spin_lock_irqsave(&usbm->ps->lock, flags); 190 ++usbm->vma_use_count; 191 spin_unlock_irqrestore(&usbm->ps->lock, flags); 192 } 193 194 static void usbdev_vm_close(struct vm_area_struct *vma) 195 { 196 struct usb_memory *usbm = vma->vm_private_data; 197 198 dec_usb_memory_use_count(usbm, &usbm->vma_use_count); 199 } 200 201 static const struct vm_operations_struct usbdev_vm_ops = { 202 .open = usbdev_vm_open, 203 .close = usbdev_vm_close 204 }; 205 206 static int usbdev_mmap(struct file *file, struct vm_area_struct *vma) 207 { 208 struct usb_memory *usbm = NULL; 209 struct usb_dev_state *ps = file->private_data; 210 size_t size = vma->vm_end - vma->vm_start; 211 void *mem; 212 unsigned long flags; 213 dma_addr_t dma_handle; 214 int ret; 215 216 ret = usbfs_increase_memory_usage(size + sizeof(struct usb_memory)); 217 if (ret) 218 goto error; 219 220 usbm = kzalloc(sizeof(struct usb_memory), GFP_KERNEL); 221 if (!usbm) { 222 ret = -ENOMEM; 223 goto error_decrease_mem; 224 } 225 226 mem = usb_alloc_coherent(ps->dev, size, GFP_USER | __GFP_NOWARN, 227 &dma_handle); 228 if (!mem) { 229 ret = -ENOMEM; 230 goto error_free_usbm; 231 } 232 233 memset(mem, 0, size); 234 235 usbm->mem = mem; 236 usbm->dma_handle = dma_handle; 237 usbm->size = size; 238 usbm->ps = ps; 239 usbm->vm_start = vma->vm_start; 240 usbm->vma_use_count = 1; 241 INIT_LIST_HEAD(&usbm->memlist); 242 243 if (remap_pfn_range(vma, vma->vm_start, 244 virt_to_phys(usbm->mem) >> PAGE_SHIFT, 245 size, vma->vm_page_prot) < 0) { 246 dec_usb_memory_use_count(usbm, &usbm->vma_use_count); 247 return -EAGAIN; 248 } 249 250 vma->vm_flags |= VM_IO; 251 vma->vm_flags |= (VM_DONTEXPAND | VM_DONTDUMP); 252 vma->vm_ops = &usbdev_vm_ops; 253 vma->vm_private_data = usbm; 254 255 spin_lock_irqsave(&ps->lock, flags); 256 list_add_tail(&usbm->memlist, &ps->memory_list); 257 spin_unlock_irqrestore(&ps->lock, flags); 258 259 return 0; 260 261 error_free_usbm: 262 kfree(usbm); 263 error_decrease_mem: 264 usbfs_decrease_memory_usage(size + sizeof(struct usb_memory)); 265 error: 266 return ret; 267 } 268 269 static ssize_t usbdev_read(struct file *file, char __user *buf, size_t nbytes, 270 loff_t *ppos) 271 { 272 struct usb_dev_state *ps = file->private_data; 273 struct usb_device *dev = ps->dev; 274 ssize_t ret = 0; 275 unsigned len; 276 loff_t pos; 277 int i; 278 279 pos = *ppos; 280 usb_lock_device(dev); 281 if (!connected(ps)) { 282 ret = -ENODEV; 283 goto err; 284 } else if (pos < 0) { 285 ret = -EINVAL; 286 goto err; 287 } 288 289 if (pos < sizeof(struct usb_device_descriptor)) { 290 /* 18 bytes - fits on the stack */ 291 struct usb_device_descriptor temp_desc; 292 293 memcpy(&temp_desc, &dev->descriptor, sizeof(dev->descriptor)); 294 le16_to_cpus(&temp_desc.bcdUSB); 295 le16_to_cpus(&temp_desc.idVendor); 296 le16_to_cpus(&temp_desc.idProduct); 297 le16_to_cpus(&temp_desc.bcdDevice); 298 299 len = sizeof(struct usb_device_descriptor) - pos; 300 if (len > nbytes) 301 len = nbytes; 302 if (copy_to_user(buf, ((char *)&temp_desc) + pos, len)) { 303 ret = -EFAULT; 304 goto err; 305 } 306 307 *ppos += len; 308 buf += len; 309 nbytes -= len; 310 ret += len; 311 } 312 313 pos = sizeof(struct usb_device_descriptor); 314 for (i = 0; nbytes && i < dev->descriptor.bNumConfigurations; i++) { 315 struct usb_config_descriptor *config = 316 (struct usb_config_descriptor *)dev->rawdescriptors[i]; 317 unsigned int length = le16_to_cpu(config->wTotalLength); 318 319 if (*ppos < pos + length) { 320 321 /* The descriptor may claim to be longer than it 322 * really is. Here is the actual allocated length. */ 323 unsigned alloclen = 324 le16_to_cpu(dev->config[i].desc.wTotalLength); 325 326 len = length - (*ppos - pos); 327 if (len > nbytes) 328 len = nbytes; 329 330 /* Simply don't write (skip over) unallocated parts */ 331 if (alloclen > (*ppos - pos)) { 332 alloclen -= (*ppos - pos); 333 if (copy_to_user(buf, 334 dev->rawdescriptors[i] + (*ppos - pos), 335 min(len, alloclen))) { 336 ret = -EFAULT; 337 goto err; 338 } 339 } 340 341 *ppos += len; 342 buf += len; 343 nbytes -= len; 344 ret += len; 345 } 346 347 pos += length; 348 } 349 350 err: 351 usb_unlock_device(dev); 352 return ret; 353 } 354 355 /* 356 * async list handling 357 */ 358 359 static struct async *alloc_async(unsigned int numisoframes) 360 { 361 struct async *as; 362 363 as = kzalloc(sizeof(struct async), GFP_KERNEL); 364 if (!as) 365 return NULL; 366 as->urb = usb_alloc_urb(numisoframes, GFP_KERNEL); 367 if (!as->urb) { 368 kfree(as); 369 return NULL; 370 } 371 return as; 372 } 373 374 static void free_async(struct async *as) 375 { 376 int i; 377 378 put_pid(as->pid); 379 if (as->cred) 380 put_cred(as->cred); 381 for (i = 0; i < as->urb->num_sgs; i++) { 382 if (sg_page(&as->urb->sg[i])) 383 kfree(sg_virt(&as->urb->sg[i])); 384 } 385 386 kfree(as->urb->sg); 387 if (as->usbm == NULL) 388 kfree(as->urb->transfer_buffer); 389 else 390 dec_usb_memory_use_count(as->usbm, &as->usbm->urb_use_count); 391 392 kfree(as->urb->setup_packet); 393 usb_free_urb(as->urb); 394 usbfs_decrease_memory_usage(as->mem_usage); 395 kfree(as); 396 } 397 398 static void async_newpending(struct async *as) 399 { 400 struct usb_dev_state *ps = as->ps; 401 unsigned long flags; 402 403 spin_lock_irqsave(&ps->lock, flags); 404 list_add_tail(&as->asynclist, &ps->async_pending); 405 spin_unlock_irqrestore(&ps->lock, flags); 406 } 407 408 static void async_removepending(struct async *as) 409 { 410 struct usb_dev_state *ps = as->ps; 411 unsigned long flags; 412 413 spin_lock_irqsave(&ps->lock, flags); 414 list_del_init(&as->asynclist); 415 spin_unlock_irqrestore(&ps->lock, flags); 416 } 417 418 static struct async *async_getcompleted(struct usb_dev_state *ps) 419 { 420 unsigned long flags; 421 struct async *as = NULL; 422 423 spin_lock_irqsave(&ps->lock, flags); 424 if (!list_empty(&ps->async_completed)) { 425 as = list_entry(ps->async_completed.next, struct async, 426 asynclist); 427 list_del_init(&as->asynclist); 428 } 429 spin_unlock_irqrestore(&ps->lock, flags); 430 return as; 431 } 432 433 static struct async *async_getpending(struct usb_dev_state *ps, 434 void __user *userurb) 435 { 436 struct async *as; 437 438 list_for_each_entry(as, &ps->async_pending, asynclist) 439 if (as->userurb == userurb) { 440 list_del_init(&as->asynclist); 441 return as; 442 } 443 444 return NULL; 445 } 446 447 static void snoop_urb(struct usb_device *udev, 448 void __user *userurb, int pipe, unsigned length, 449 int timeout_or_status, enum snoop_when when, 450 unsigned char *data, unsigned data_len) 451 { 452 static const char *types[] = {"isoc", "int", "ctrl", "bulk"}; 453 static const char *dirs[] = {"out", "in"}; 454 int ep; 455 const char *t, *d; 456 457 if (!usbfs_snoop) 458 return; 459 460 ep = usb_pipeendpoint(pipe); 461 t = types[usb_pipetype(pipe)]; 462 d = dirs[!!usb_pipein(pipe)]; 463 464 if (userurb) { /* Async */ 465 if (when == SUBMIT) 466 dev_info(&udev->dev, "userurb %pK, ep%d %s-%s, " 467 "length %u\n", 468 userurb, ep, t, d, length); 469 else 470 dev_info(&udev->dev, "userurb %pK, ep%d %s-%s, " 471 "actual_length %u status %d\n", 472 userurb, ep, t, d, length, 473 timeout_or_status); 474 } else { 475 if (when == SUBMIT) 476 dev_info(&udev->dev, "ep%d %s-%s, length %u, " 477 "timeout %d\n", 478 ep, t, d, length, timeout_or_status); 479 else 480 dev_info(&udev->dev, "ep%d %s-%s, actual_length %u, " 481 "status %d\n", 482 ep, t, d, length, timeout_or_status); 483 } 484 485 data_len = min(data_len, usbfs_snoop_max); 486 if (data && data_len > 0) { 487 print_hex_dump(KERN_DEBUG, "data: ", DUMP_PREFIX_NONE, 32, 1, 488 data, data_len, 1); 489 } 490 } 491 492 static void snoop_urb_data(struct urb *urb, unsigned len) 493 { 494 int i, size; 495 496 len = min(len, usbfs_snoop_max); 497 if (!usbfs_snoop || len == 0) 498 return; 499 500 if (urb->num_sgs == 0) { 501 print_hex_dump(KERN_DEBUG, "data: ", DUMP_PREFIX_NONE, 32, 1, 502 urb->transfer_buffer, len, 1); 503 return; 504 } 505 506 for (i = 0; i < urb->num_sgs && len; i++) { 507 size = (len > USB_SG_SIZE) ? USB_SG_SIZE : len; 508 print_hex_dump(KERN_DEBUG, "data: ", DUMP_PREFIX_NONE, 32, 1, 509 sg_virt(&urb->sg[i]), size, 1); 510 len -= size; 511 } 512 } 513 514 static int copy_urb_data_to_user(u8 __user *userbuffer, struct urb *urb) 515 { 516 unsigned i, len, size; 517 518 if (urb->number_of_packets > 0) /* Isochronous */ 519 len = urb->transfer_buffer_length; 520 else /* Non-Isoc */ 521 len = urb->actual_length; 522 523 if (urb->num_sgs == 0) { 524 if (copy_to_user(userbuffer, urb->transfer_buffer, len)) 525 return -EFAULT; 526 return 0; 527 } 528 529 for (i = 0; i < urb->num_sgs && len; i++) { 530 size = (len > USB_SG_SIZE) ? USB_SG_SIZE : len; 531 if (copy_to_user(userbuffer, sg_virt(&urb->sg[i]), size)) 532 return -EFAULT; 533 userbuffer += size; 534 len -= size; 535 } 536 537 return 0; 538 } 539 540 #define AS_CONTINUATION 1 541 #define AS_UNLINK 2 542 543 static void cancel_bulk_urbs(struct usb_dev_state *ps, unsigned bulk_addr) 544 __releases(ps->lock) 545 __acquires(ps->lock) 546 { 547 struct urb *urb; 548 struct async *as; 549 550 /* Mark all the pending URBs that match bulk_addr, up to but not 551 * including the first one without AS_CONTINUATION. If such an 552 * URB is encountered then a new transfer has already started so 553 * the endpoint doesn't need to be disabled; otherwise it does. 554 */ 555 list_for_each_entry(as, &ps->async_pending, asynclist) { 556 if (as->bulk_addr == bulk_addr) { 557 if (as->bulk_status != AS_CONTINUATION) 558 goto rescan; 559 as->bulk_status = AS_UNLINK; 560 as->bulk_addr = 0; 561 } 562 } 563 ps->disabled_bulk_eps |= (1 << bulk_addr); 564 565 /* Now carefully unlink all the marked pending URBs */ 566 rescan: 567 list_for_each_entry(as, &ps->async_pending, asynclist) { 568 if (as->bulk_status == AS_UNLINK) { 569 as->bulk_status = 0; /* Only once */ 570 urb = as->urb; 571 usb_get_urb(urb); 572 spin_unlock(&ps->lock); /* Allow completions */ 573 usb_unlink_urb(urb); 574 usb_put_urb(urb); 575 spin_lock(&ps->lock); 576 goto rescan; 577 } 578 } 579 } 580 581 static void async_completed(struct urb *urb) 582 { 583 struct async *as = urb->context; 584 struct usb_dev_state *ps = as->ps; 585 struct kernel_siginfo sinfo; 586 struct pid *pid = NULL; 587 const struct cred *cred = NULL; 588 unsigned long flags; 589 int signr; 590 591 spin_lock_irqsave(&ps->lock, flags); 592 list_move_tail(&as->asynclist, &ps->async_completed); 593 as->status = urb->status; 594 signr = as->signr; 595 if (signr) { 596 clear_siginfo(&sinfo); 597 sinfo.si_signo = as->signr; 598 sinfo.si_errno = as->status; 599 sinfo.si_code = SI_ASYNCIO; 600 sinfo.si_addr = as->userurb; 601 pid = get_pid(as->pid); 602 cred = get_cred(as->cred); 603 } 604 snoop(&urb->dev->dev, "urb complete\n"); 605 snoop_urb(urb->dev, as->userurb, urb->pipe, urb->actual_length, 606 as->status, COMPLETE, NULL, 0); 607 if (usb_urb_dir_in(urb)) 608 snoop_urb_data(urb, urb->actual_length); 609 610 if (as->status < 0 && as->bulk_addr && as->status != -ECONNRESET && 611 as->status != -ENOENT) 612 cancel_bulk_urbs(ps, as->bulk_addr); 613 614 wake_up(&ps->wait); 615 spin_unlock_irqrestore(&ps->lock, flags); 616 617 if (signr) { 618 kill_pid_info_as_cred(sinfo.si_signo, &sinfo, pid, cred); 619 put_pid(pid); 620 put_cred(cred); 621 } 622 } 623 624 static void destroy_async(struct usb_dev_state *ps, struct list_head *list) 625 { 626 struct urb *urb; 627 struct async *as; 628 unsigned long flags; 629 630 spin_lock_irqsave(&ps->lock, flags); 631 while (!list_empty(list)) { 632 as = list_entry(list->next, struct async, asynclist); 633 list_del_init(&as->asynclist); 634 urb = as->urb; 635 usb_get_urb(urb); 636 637 /* drop the spinlock so the completion handler can run */ 638 spin_unlock_irqrestore(&ps->lock, flags); 639 usb_kill_urb(urb); 640 usb_put_urb(urb); 641 spin_lock_irqsave(&ps->lock, flags); 642 } 643 spin_unlock_irqrestore(&ps->lock, flags); 644 } 645 646 static void destroy_async_on_interface(struct usb_dev_state *ps, 647 unsigned int ifnum) 648 { 649 struct list_head *p, *q, hitlist; 650 unsigned long flags; 651 652 INIT_LIST_HEAD(&hitlist); 653 spin_lock_irqsave(&ps->lock, flags); 654 list_for_each_safe(p, q, &ps->async_pending) 655 if (ifnum == list_entry(p, struct async, asynclist)->ifnum) 656 list_move_tail(p, &hitlist); 657 spin_unlock_irqrestore(&ps->lock, flags); 658 destroy_async(ps, &hitlist); 659 } 660 661 static void destroy_all_async(struct usb_dev_state *ps) 662 { 663 destroy_async(ps, &ps->async_pending); 664 } 665 666 /* 667 * interface claims are made only at the request of user level code, 668 * which can also release them (explicitly or by closing files). 669 * they're also undone when devices disconnect. 670 */ 671 672 static int driver_probe(struct usb_interface *intf, 673 const struct usb_device_id *id) 674 { 675 return -ENODEV; 676 } 677 678 static void driver_disconnect(struct usb_interface *intf) 679 { 680 struct usb_dev_state *ps = usb_get_intfdata(intf); 681 unsigned int ifnum = intf->altsetting->desc.bInterfaceNumber; 682 683 if (!ps) 684 return; 685 686 /* NOTE: this relies on usbcore having canceled and completed 687 * all pending I/O requests; 2.6 does that. 688 */ 689 690 if (likely(ifnum < 8*sizeof(ps->ifclaimed))) 691 clear_bit(ifnum, &ps->ifclaimed); 692 else 693 dev_warn(&intf->dev, "interface number %u out of range\n", 694 ifnum); 695 696 usb_set_intfdata(intf, NULL); 697 698 /* force async requests to complete */ 699 destroy_async_on_interface(ps, ifnum); 700 } 701 702 /* The following routines are merely placeholders. There is no way 703 * to inform a user task about suspend or resumes. 704 */ 705 static int driver_suspend(struct usb_interface *intf, pm_message_t msg) 706 { 707 return 0; 708 } 709 710 static int driver_resume(struct usb_interface *intf) 711 { 712 return 0; 713 } 714 715 struct usb_driver usbfs_driver = { 716 .name = "usbfs", 717 .probe = driver_probe, 718 .disconnect = driver_disconnect, 719 .suspend = driver_suspend, 720 .resume = driver_resume, 721 }; 722 723 static int claimintf(struct usb_dev_state *ps, unsigned int ifnum) 724 { 725 struct usb_device *dev = ps->dev; 726 struct usb_interface *intf; 727 int err; 728 729 if (ifnum >= 8*sizeof(ps->ifclaimed)) 730 return -EINVAL; 731 /* already claimed */ 732 if (test_bit(ifnum, &ps->ifclaimed)) 733 return 0; 734 735 if (ps->privileges_dropped && 736 !test_bit(ifnum, &ps->interface_allowed_mask)) 737 return -EACCES; 738 739 intf = usb_ifnum_to_if(dev, ifnum); 740 if (!intf) 741 err = -ENOENT; 742 else 743 err = usb_driver_claim_interface(&usbfs_driver, intf, ps); 744 if (err == 0) 745 set_bit(ifnum, &ps->ifclaimed); 746 return err; 747 } 748 749 static int releaseintf(struct usb_dev_state *ps, unsigned int ifnum) 750 { 751 struct usb_device *dev; 752 struct usb_interface *intf; 753 int err; 754 755 err = -EINVAL; 756 if (ifnum >= 8*sizeof(ps->ifclaimed)) 757 return err; 758 dev = ps->dev; 759 intf = usb_ifnum_to_if(dev, ifnum); 760 if (!intf) 761 err = -ENOENT; 762 else if (test_and_clear_bit(ifnum, &ps->ifclaimed)) { 763 usb_driver_release_interface(&usbfs_driver, intf); 764 err = 0; 765 } 766 return err; 767 } 768 769 static int checkintf(struct usb_dev_state *ps, unsigned int ifnum) 770 { 771 if (ps->dev->state != USB_STATE_CONFIGURED) 772 return -EHOSTUNREACH; 773 if (ifnum >= 8*sizeof(ps->ifclaimed)) 774 return -EINVAL; 775 if (test_bit(ifnum, &ps->ifclaimed)) 776 return 0; 777 /* if not yet claimed, claim it for the driver */ 778 dev_warn(&ps->dev->dev, "usbfs: process %d (%s) did not claim " 779 "interface %u before use\n", task_pid_nr(current), 780 current->comm, ifnum); 781 return claimintf(ps, ifnum); 782 } 783 784 static int findintfep(struct usb_device *dev, unsigned int ep) 785 { 786 unsigned int i, j, e; 787 struct usb_interface *intf; 788 struct usb_host_interface *alts; 789 struct usb_endpoint_descriptor *endpt; 790 791 if (ep & ~(USB_DIR_IN|0xf)) 792 return -EINVAL; 793 if (!dev->actconfig) 794 return -ESRCH; 795 for (i = 0; i < dev->actconfig->desc.bNumInterfaces; i++) { 796 intf = dev->actconfig->interface[i]; 797 for (j = 0; j < intf->num_altsetting; j++) { 798 alts = &intf->altsetting[j]; 799 for (e = 0; e < alts->desc.bNumEndpoints; e++) { 800 endpt = &alts->endpoint[e].desc; 801 if (endpt->bEndpointAddress == ep) 802 return alts->desc.bInterfaceNumber; 803 } 804 } 805 } 806 return -ENOENT; 807 } 808 809 static int check_ctrlrecip(struct usb_dev_state *ps, unsigned int requesttype, 810 unsigned int request, unsigned int index) 811 { 812 int ret = 0; 813 struct usb_host_interface *alt_setting; 814 815 if (ps->dev->state != USB_STATE_UNAUTHENTICATED 816 && ps->dev->state != USB_STATE_ADDRESS 817 && ps->dev->state != USB_STATE_CONFIGURED) 818 return -EHOSTUNREACH; 819 if (USB_TYPE_VENDOR == (USB_TYPE_MASK & requesttype)) 820 return 0; 821 822 /* 823 * check for the special corner case 'get_device_id' in the printer 824 * class specification, which we always want to allow as it is used 825 * to query things like ink level, etc. 826 */ 827 if (requesttype == 0xa1 && request == 0) { 828 alt_setting = usb_find_alt_setting(ps->dev->actconfig, 829 index >> 8, index & 0xff); 830 if (alt_setting 831 && alt_setting->desc.bInterfaceClass == USB_CLASS_PRINTER) 832 return 0; 833 } 834 835 index &= 0xff; 836 switch (requesttype & USB_RECIP_MASK) { 837 case USB_RECIP_ENDPOINT: 838 if ((index & ~USB_DIR_IN) == 0) 839 return 0; 840 ret = findintfep(ps->dev, index); 841 if (ret < 0) { 842 /* 843 * Some not fully compliant Win apps seem to get 844 * index wrong and have the endpoint number here 845 * rather than the endpoint address (with the 846 * correct direction). Win does let this through, 847 * so we'll not reject it here but leave it to 848 * the device to not break KVM. But we warn. 849 */ 850 ret = findintfep(ps->dev, index ^ 0x80); 851 if (ret >= 0) 852 dev_info(&ps->dev->dev, 853 "%s: process %i (%s) requesting ep %02x but needs %02x\n", 854 __func__, task_pid_nr(current), 855 current->comm, index, index ^ 0x80); 856 } 857 if (ret >= 0) 858 ret = checkintf(ps, ret); 859 break; 860 861 case USB_RECIP_INTERFACE: 862 ret = checkintf(ps, index); 863 break; 864 } 865 return ret; 866 } 867 868 static struct usb_host_endpoint *ep_to_host_endpoint(struct usb_device *dev, 869 unsigned char ep) 870 { 871 if (ep & USB_ENDPOINT_DIR_MASK) 872 return dev->ep_in[ep & USB_ENDPOINT_NUMBER_MASK]; 873 else 874 return dev->ep_out[ep & USB_ENDPOINT_NUMBER_MASK]; 875 } 876 877 static int parse_usbdevfs_streams(struct usb_dev_state *ps, 878 struct usbdevfs_streams __user *streams, 879 unsigned int *num_streams_ret, 880 unsigned int *num_eps_ret, 881 struct usb_host_endpoint ***eps_ret, 882 struct usb_interface **intf_ret) 883 { 884 unsigned int i, num_streams, num_eps; 885 struct usb_host_endpoint **eps; 886 struct usb_interface *intf = NULL; 887 unsigned char ep; 888 int ifnum, ret; 889 890 if (get_user(num_streams, &streams->num_streams) || 891 get_user(num_eps, &streams->num_eps)) 892 return -EFAULT; 893 894 if (num_eps < 1 || num_eps > USB_MAXENDPOINTS) 895 return -EINVAL; 896 897 /* The XHCI controller allows max 2 ^ 16 streams */ 898 if (num_streams_ret && (num_streams < 2 || num_streams > 65536)) 899 return -EINVAL; 900 901 eps = kmalloc_array(num_eps, sizeof(*eps), GFP_KERNEL); 902 if (!eps) 903 return -ENOMEM; 904 905 for (i = 0; i < num_eps; i++) { 906 if (get_user(ep, &streams->eps[i])) { 907 ret = -EFAULT; 908 goto error; 909 } 910 eps[i] = ep_to_host_endpoint(ps->dev, ep); 911 if (!eps[i]) { 912 ret = -EINVAL; 913 goto error; 914 } 915 916 /* usb_alloc/free_streams operate on an usb_interface */ 917 ifnum = findintfep(ps->dev, ep); 918 if (ifnum < 0) { 919 ret = ifnum; 920 goto error; 921 } 922 923 if (i == 0) { 924 ret = checkintf(ps, ifnum); 925 if (ret < 0) 926 goto error; 927 intf = usb_ifnum_to_if(ps->dev, ifnum); 928 } else { 929 /* Verify all eps belong to the same interface */ 930 if (ifnum != intf->altsetting->desc.bInterfaceNumber) { 931 ret = -EINVAL; 932 goto error; 933 } 934 } 935 } 936 937 if (num_streams_ret) 938 *num_streams_ret = num_streams; 939 *num_eps_ret = num_eps; 940 *eps_ret = eps; 941 *intf_ret = intf; 942 943 return 0; 944 945 error: 946 kfree(eps); 947 return ret; 948 } 949 950 static int match_devt(struct device *dev, void *data) 951 { 952 return dev->devt == (dev_t) (unsigned long) data; 953 } 954 955 static struct usb_device *usbdev_lookup_by_devt(dev_t devt) 956 { 957 struct device *dev; 958 959 dev = bus_find_device(&usb_bus_type, NULL, 960 (void *) (unsigned long) devt, match_devt); 961 if (!dev) 962 return NULL; 963 return to_usb_device(dev); 964 } 965 966 /* 967 * file operations 968 */ 969 static int usbdev_open(struct inode *inode, struct file *file) 970 { 971 struct usb_device *dev = NULL; 972 struct usb_dev_state *ps; 973 int ret; 974 975 ret = -ENOMEM; 976 ps = kzalloc(sizeof(struct usb_dev_state), GFP_KERNEL); 977 if (!ps) 978 goto out_free_ps; 979 980 ret = -ENODEV; 981 982 /* Protect against simultaneous removal or release */ 983 mutex_lock(&usbfs_mutex); 984 985 /* usbdev device-node */ 986 if (imajor(inode) == USB_DEVICE_MAJOR) 987 dev = usbdev_lookup_by_devt(inode->i_rdev); 988 989 mutex_unlock(&usbfs_mutex); 990 991 if (!dev) 992 goto out_free_ps; 993 994 usb_lock_device(dev); 995 if (dev->state == USB_STATE_NOTATTACHED) 996 goto out_unlock_device; 997 998 ret = usb_autoresume_device(dev); 999 if (ret) 1000 goto out_unlock_device; 1001 1002 ps->dev = dev; 1003 ps->file = file; 1004 ps->interface_allowed_mask = 0xFFFFFFFF; /* 32 bits */ 1005 spin_lock_init(&ps->lock); 1006 INIT_LIST_HEAD(&ps->list); 1007 INIT_LIST_HEAD(&ps->async_pending); 1008 INIT_LIST_HEAD(&ps->async_completed); 1009 INIT_LIST_HEAD(&ps->memory_list); 1010 init_waitqueue_head(&ps->wait); 1011 ps->disc_pid = get_pid(task_pid(current)); 1012 ps->cred = get_current_cred(); 1013 smp_wmb(); 1014 list_add_tail(&ps->list, &dev->filelist); 1015 file->private_data = ps; 1016 usb_unlock_device(dev); 1017 snoop(&dev->dev, "opened by process %d: %s\n", task_pid_nr(current), 1018 current->comm); 1019 return ret; 1020 1021 out_unlock_device: 1022 usb_unlock_device(dev); 1023 usb_put_dev(dev); 1024 out_free_ps: 1025 kfree(ps); 1026 return ret; 1027 } 1028 1029 static int usbdev_release(struct inode *inode, struct file *file) 1030 { 1031 struct usb_dev_state *ps = file->private_data; 1032 struct usb_device *dev = ps->dev; 1033 unsigned int ifnum; 1034 struct async *as; 1035 1036 usb_lock_device(dev); 1037 usb_hub_release_all_ports(dev, ps); 1038 1039 list_del_init(&ps->list); 1040 1041 for (ifnum = 0; ps->ifclaimed && ifnum < 8*sizeof(ps->ifclaimed); 1042 ifnum++) { 1043 if (test_bit(ifnum, &ps->ifclaimed)) 1044 releaseintf(ps, ifnum); 1045 } 1046 destroy_all_async(ps); 1047 usb_autosuspend_device(dev); 1048 usb_unlock_device(dev); 1049 usb_put_dev(dev); 1050 put_pid(ps->disc_pid); 1051 put_cred(ps->cred); 1052 1053 as = async_getcompleted(ps); 1054 while (as) { 1055 free_async(as); 1056 as = async_getcompleted(ps); 1057 } 1058 1059 kfree(ps); 1060 return 0; 1061 } 1062 1063 static int proc_control(struct usb_dev_state *ps, void __user *arg) 1064 { 1065 struct usb_device *dev = ps->dev; 1066 struct usbdevfs_ctrltransfer ctrl; 1067 unsigned int tmo; 1068 unsigned char *tbuf; 1069 unsigned wLength; 1070 int i, pipe, ret; 1071 1072 if (copy_from_user(&ctrl, arg, sizeof(ctrl))) 1073 return -EFAULT; 1074 ret = check_ctrlrecip(ps, ctrl.bRequestType, ctrl.bRequest, 1075 ctrl.wIndex); 1076 if (ret) 1077 return ret; 1078 wLength = ctrl.wLength; /* To suppress 64k PAGE_SIZE warning */ 1079 if (wLength > PAGE_SIZE) 1080 return -EINVAL; 1081 ret = usbfs_increase_memory_usage(PAGE_SIZE + sizeof(struct urb) + 1082 sizeof(struct usb_ctrlrequest)); 1083 if (ret) 1084 return ret; 1085 tbuf = (unsigned char *)__get_free_page(GFP_KERNEL); 1086 if (!tbuf) { 1087 ret = -ENOMEM; 1088 goto done; 1089 } 1090 tmo = ctrl.timeout; 1091 snoop(&dev->dev, "control urb: bRequestType=%02x " 1092 "bRequest=%02x wValue=%04x " 1093 "wIndex=%04x wLength=%04x\n", 1094 ctrl.bRequestType, ctrl.bRequest, ctrl.wValue, 1095 ctrl.wIndex, ctrl.wLength); 1096 if (ctrl.bRequestType & 0x80) { 1097 if (ctrl.wLength && !access_ok(ctrl.data, 1098 ctrl.wLength)) { 1099 ret = -EINVAL; 1100 goto done; 1101 } 1102 pipe = usb_rcvctrlpipe(dev, 0); 1103 snoop_urb(dev, NULL, pipe, ctrl.wLength, tmo, SUBMIT, NULL, 0); 1104 1105 usb_unlock_device(dev); 1106 i = usb_control_msg(dev, pipe, ctrl.bRequest, 1107 ctrl.bRequestType, ctrl.wValue, ctrl.wIndex, 1108 tbuf, ctrl.wLength, tmo); 1109 usb_lock_device(dev); 1110 snoop_urb(dev, NULL, pipe, max(i, 0), min(i, 0), COMPLETE, 1111 tbuf, max(i, 0)); 1112 if ((i > 0) && ctrl.wLength) { 1113 if (copy_to_user(ctrl.data, tbuf, i)) { 1114 ret = -EFAULT; 1115 goto done; 1116 } 1117 } 1118 } else { 1119 if (ctrl.wLength) { 1120 if (copy_from_user(tbuf, ctrl.data, ctrl.wLength)) { 1121 ret = -EFAULT; 1122 goto done; 1123 } 1124 } 1125 pipe = usb_sndctrlpipe(dev, 0); 1126 snoop_urb(dev, NULL, pipe, ctrl.wLength, tmo, SUBMIT, 1127 tbuf, ctrl.wLength); 1128 1129 usb_unlock_device(dev); 1130 i = usb_control_msg(dev, usb_sndctrlpipe(dev, 0), ctrl.bRequest, 1131 ctrl.bRequestType, ctrl.wValue, ctrl.wIndex, 1132 tbuf, ctrl.wLength, tmo); 1133 usb_lock_device(dev); 1134 snoop_urb(dev, NULL, pipe, max(i, 0), min(i, 0), COMPLETE, NULL, 0); 1135 } 1136 if (i < 0 && i != -EPIPE) { 1137 dev_printk(KERN_DEBUG, &dev->dev, "usbfs: USBDEVFS_CONTROL " 1138 "failed cmd %s rqt %u rq %u len %u ret %d\n", 1139 current->comm, ctrl.bRequestType, ctrl.bRequest, 1140 ctrl.wLength, i); 1141 } 1142 ret = i; 1143 done: 1144 free_page((unsigned long) tbuf); 1145 usbfs_decrease_memory_usage(PAGE_SIZE + sizeof(struct urb) + 1146 sizeof(struct usb_ctrlrequest)); 1147 return ret; 1148 } 1149 1150 static int proc_bulk(struct usb_dev_state *ps, void __user *arg) 1151 { 1152 struct usb_device *dev = ps->dev; 1153 struct usbdevfs_bulktransfer bulk; 1154 unsigned int tmo, len1, pipe; 1155 int len2; 1156 unsigned char *tbuf; 1157 int i, ret; 1158 1159 if (copy_from_user(&bulk, arg, sizeof(bulk))) 1160 return -EFAULT; 1161 ret = findintfep(ps->dev, bulk.ep); 1162 if (ret < 0) 1163 return ret; 1164 ret = checkintf(ps, ret); 1165 if (ret) 1166 return ret; 1167 if (bulk.ep & USB_DIR_IN) 1168 pipe = usb_rcvbulkpipe(dev, bulk.ep & 0x7f); 1169 else 1170 pipe = usb_sndbulkpipe(dev, bulk.ep & 0x7f); 1171 if (!usb_maxpacket(dev, pipe, !(bulk.ep & USB_DIR_IN))) 1172 return -EINVAL; 1173 len1 = bulk.len; 1174 if (len1 >= (INT_MAX - sizeof(struct urb))) 1175 return -EINVAL; 1176 ret = usbfs_increase_memory_usage(len1 + sizeof(struct urb)); 1177 if (ret) 1178 return ret; 1179 tbuf = kmalloc(len1, GFP_KERNEL); 1180 if (!tbuf) { 1181 ret = -ENOMEM; 1182 goto done; 1183 } 1184 tmo = bulk.timeout; 1185 if (bulk.ep & 0x80) { 1186 if (len1 && !access_ok(bulk.data, len1)) { 1187 ret = -EINVAL; 1188 goto done; 1189 } 1190 snoop_urb(dev, NULL, pipe, len1, tmo, SUBMIT, NULL, 0); 1191 1192 usb_unlock_device(dev); 1193 i = usb_bulk_msg(dev, pipe, tbuf, len1, &len2, tmo); 1194 usb_lock_device(dev); 1195 snoop_urb(dev, NULL, pipe, len2, i, COMPLETE, tbuf, len2); 1196 1197 if (!i && len2) { 1198 if (copy_to_user(bulk.data, tbuf, len2)) { 1199 ret = -EFAULT; 1200 goto done; 1201 } 1202 } 1203 } else { 1204 if (len1) { 1205 if (copy_from_user(tbuf, bulk.data, len1)) { 1206 ret = -EFAULT; 1207 goto done; 1208 } 1209 } 1210 snoop_urb(dev, NULL, pipe, len1, tmo, SUBMIT, tbuf, len1); 1211 1212 usb_unlock_device(dev); 1213 i = usb_bulk_msg(dev, pipe, tbuf, len1, &len2, tmo); 1214 usb_lock_device(dev); 1215 snoop_urb(dev, NULL, pipe, len2, i, COMPLETE, NULL, 0); 1216 } 1217 ret = (i < 0 ? i : len2); 1218 done: 1219 kfree(tbuf); 1220 usbfs_decrease_memory_usage(len1 + sizeof(struct urb)); 1221 return ret; 1222 } 1223 1224 static void check_reset_of_active_ep(struct usb_device *udev, 1225 unsigned int epnum, char *ioctl_name) 1226 { 1227 struct usb_host_endpoint **eps; 1228 struct usb_host_endpoint *ep; 1229 1230 eps = (epnum & USB_DIR_IN) ? udev->ep_in : udev->ep_out; 1231 ep = eps[epnum & 0x0f]; 1232 if (ep && !list_empty(&ep->urb_list)) 1233 dev_warn(&udev->dev, "Process %d (%s) called USBDEVFS_%s for active endpoint 0x%02x\n", 1234 task_pid_nr(current), current->comm, 1235 ioctl_name, epnum); 1236 } 1237 1238 static int proc_resetep(struct usb_dev_state *ps, void __user *arg) 1239 { 1240 unsigned int ep; 1241 int ret; 1242 1243 if (get_user(ep, (unsigned int __user *)arg)) 1244 return -EFAULT; 1245 ret = findintfep(ps->dev, ep); 1246 if (ret < 0) 1247 return ret; 1248 ret = checkintf(ps, ret); 1249 if (ret) 1250 return ret; 1251 check_reset_of_active_ep(ps->dev, ep, "RESETEP"); 1252 usb_reset_endpoint(ps->dev, ep); 1253 return 0; 1254 } 1255 1256 static int proc_clearhalt(struct usb_dev_state *ps, void __user *arg) 1257 { 1258 unsigned int ep; 1259 int pipe; 1260 int ret; 1261 1262 if (get_user(ep, (unsigned int __user *)arg)) 1263 return -EFAULT; 1264 ret = findintfep(ps->dev, ep); 1265 if (ret < 0) 1266 return ret; 1267 ret = checkintf(ps, ret); 1268 if (ret) 1269 return ret; 1270 check_reset_of_active_ep(ps->dev, ep, "CLEAR_HALT"); 1271 if (ep & USB_DIR_IN) 1272 pipe = usb_rcvbulkpipe(ps->dev, ep & 0x7f); 1273 else 1274 pipe = usb_sndbulkpipe(ps->dev, ep & 0x7f); 1275 1276 return usb_clear_halt(ps->dev, pipe); 1277 } 1278 1279 static int proc_getdriver(struct usb_dev_state *ps, void __user *arg) 1280 { 1281 struct usbdevfs_getdriver gd; 1282 struct usb_interface *intf; 1283 int ret; 1284 1285 if (copy_from_user(&gd, arg, sizeof(gd))) 1286 return -EFAULT; 1287 intf = usb_ifnum_to_if(ps->dev, gd.interface); 1288 if (!intf || !intf->dev.driver) 1289 ret = -ENODATA; 1290 else { 1291 strlcpy(gd.driver, intf->dev.driver->name, 1292 sizeof(gd.driver)); 1293 ret = (copy_to_user(arg, &gd, sizeof(gd)) ? -EFAULT : 0); 1294 } 1295 return ret; 1296 } 1297 1298 static int proc_connectinfo(struct usb_dev_state *ps, void __user *arg) 1299 { 1300 struct usbdevfs_connectinfo ci; 1301 1302 memset(&ci, 0, sizeof(ci)); 1303 ci.devnum = ps->dev->devnum; 1304 ci.slow = ps->dev->speed == USB_SPEED_LOW; 1305 1306 if (copy_to_user(arg, &ci, sizeof(ci))) 1307 return -EFAULT; 1308 return 0; 1309 } 1310 1311 static int proc_resetdevice(struct usb_dev_state *ps) 1312 { 1313 struct usb_host_config *actconfig = ps->dev->actconfig; 1314 struct usb_interface *interface; 1315 int i, number; 1316 1317 /* Don't allow a device reset if the process has dropped the 1318 * privilege to do such things and any of the interfaces are 1319 * currently claimed. 1320 */ 1321 if (ps->privileges_dropped && actconfig) { 1322 for (i = 0; i < actconfig->desc.bNumInterfaces; ++i) { 1323 interface = actconfig->interface[i]; 1324 number = interface->cur_altsetting->desc.bInterfaceNumber; 1325 if (usb_interface_claimed(interface) && 1326 !test_bit(number, &ps->ifclaimed)) { 1327 dev_warn(&ps->dev->dev, 1328 "usbfs: interface %d claimed by %s while '%s' resets device\n", 1329 number, interface->dev.driver->name, current->comm); 1330 return -EACCES; 1331 } 1332 } 1333 } 1334 1335 return usb_reset_device(ps->dev); 1336 } 1337 1338 static int proc_setintf(struct usb_dev_state *ps, void __user *arg) 1339 { 1340 struct usbdevfs_setinterface setintf; 1341 int ret; 1342 1343 if (copy_from_user(&setintf, arg, sizeof(setintf))) 1344 return -EFAULT; 1345 ret = checkintf(ps, setintf.interface); 1346 if (ret) 1347 return ret; 1348 1349 destroy_async_on_interface(ps, setintf.interface); 1350 1351 return usb_set_interface(ps->dev, setintf.interface, 1352 setintf.altsetting); 1353 } 1354 1355 static int proc_setconfig(struct usb_dev_state *ps, void __user *arg) 1356 { 1357 int u; 1358 int status = 0; 1359 struct usb_host_config *actconfig; 1360 1361 if (get_user(u, (int __user *)arg)) 1362 return -EFAULT; 1363 1364 actconfig = ps->dev->actconfig; 1365 1366 /* Don't touch the device if any interfaces are claimed. 1367 * It could interfere with other drivers' operations, and if 1368 * an interface is claimed by usbfs it could easily deadlock. 1369 */ 1370 if (actconfig) { 1371 int i; 1372 1373 for (i = 0; i < actconfig->desc.bNumInterfaces; ++i) { 1374 if (usb_interface_claimed(actconfig->interface[i])) { 1375 dev_warn(&ps->dev->dev, 1376 "usbfs: interface %d claimed by %s " 1377 "while '%s' sets config #%d\n", 1378 actconfig->interface[i] 1379 ->cur_altsetting 1380 ->desc.bInterfaceNumber, 1381 actconfig->interface[i] 1382 ->dev.driver->name, 1383 current->comm, u); 1384 status = -EBUSY; 1385 break; 1386 } 1387 } 1388 } 1389 1390 /* SET_CONFIGURATION is often abused as a "cheap" driver reset, 1391 * so avoid usb_set_configuration()'s kick to sysfs 1392 */ 1393 if (status == 0) { 1394 if (actconfig && actconfig->desc.bConfigurationValue == u) 1395 status = usb_reset_configuration(ps->dev); 1396 else 1397 status = usb_set_configuration(ps->dev, u); 1398 } 1399 1400 return status; 1401 } 1402 1403 static struct usb_memory * 1404 find_memory_area(struct usb_dev_state *ps, const struct usbdevfs_urb *uurb) 1405 { 1406 struct usb_memory *usbm = NULL, *iter; 1407 unsigned long flags; 1408 unsigned long uurb_start = (unsigned long)uurb->buffer; 1409 1410 spin_lock_irqsave(&ps->lock, flags); 1411 list_for_each_entry(iter, &ps->memory_list, memlist) { 1412 if (uurb_start >= iter->vm_start && 1413 uurb_start < iter->vm_start + iter->size) { 1414 if (uurb->buffer_length > iter->vm_start + iter->size - 1415 uurb_start) { 1416 usbm = ERR_PTR(-EINVAL); 1417 } else { 1418 usbm = iter; 1419 usbm->urb_use_count++; 1420 } 1421 break; 1422 } 1423 } 1424 spin_unlock_irqrestore(&ps->lock, flags); 1425 return usbm; 1426 } 1427 1428 static int proc_do_submiturb(struct usb_dev_state *ps, struct usbdevfs_urb *uurb, 1429 struct usbdevfs_iso_packet_desc __user *iso_frame_desc, 1430 void __user *arg) 1431 { 1432 struct usbdevfs_iso_packet_desc *isopkt = NULL; 1433 struct usb_host_endpoint *ep; 1434 struct async *as = NULL; 1435 struct usb_ctrlrequest *dr = NULL; 1436 unsigned int u, totlen, isofrmlen; 1437 int i, ret, num_sgs = 0, ifnum = -1; 1438 int number_of_packets = 0; 1439 unsigned int stream_id = 0; 1440 void *buf; 1441 bool is_in; 1442 bool allow_short = false; 1443 bool allow_zero = false; 1444 unsigned long mask = USBDEVFS_URB_SHORT_NOT_OK | 1445 USBDEVFS_URB_BULK_CONTINUATION | 1446 USBDEVFS_URB_NO_FSBR | 1447 USBDEVFS_URB_ZERO_PACKET | 1448 USBDEVFS_URB_NO_INTERRUPT; 1449 /* USBDEVFS_URB_ISO_ASAP is a special case */ 1450 if (uurb->type == USBDEVFS_URB_TYPE_ISO) 1451 mask |= USBDEVFS_URB_ISO_ASAP; 1452 1453 if (uurb->flags & ~mask) 1454 return -EINVAL; 1455 1456 if ((unsigned int)uurb->buffer_length >= USBFS_XFER_MAX) 1457 return -EINVAL; 1458 if (uurb->buffer_length > 0 && !uurb->buffer) 1459 return -EINVAL; 1460 if (!(uurb->type == USBDEVFS_URB_TYPE_CONTROL && 1461 (uurb->endpoint & ~USB_ENDPOINT_DIR_MASK) == 0)) { 1462 ifnum = findintfep(ps->dev, uurb->endpoint); 1463 if (ifnum < 0) 1464 return ifnum; 1465 ret = checkintf(ps, ifnum); 1466 if (ret) 1467 return ret; 1468 } 1469 ep = ep_to_host_endpoint(ps->dev, uurb->endpoint); 1470 if (!ep) 1471 return -ENOENT; 1472 is_in = (uurb->endpoint & USB_ENDPOINT_DIR_MASK) != 0; 1473 1474 u = 0; 1475 switch (uurb->type) { 1476 case USBDEVFS_URB_TYPE_CONTROL: 1477 if (!usb_endpoint_xfer_control(&ep->desc)) 1478 return -EINVAL; 1479 /* min 8 byte setup packet */ 1480 if (uurb->buffer_length < 8) 1481 return -EINVAL; 1482 dr = kmalloc(sizeof(struct usb_ctrlrequest), GFP_KERNEL); 1483 if (!dr) 1484 return -ENOMEM; 1485 if (copy_from_user(dr, uurb->buffer, 8)) { 1486 ret = -EFAULT; 1487 goto error; 1488 } 1489 if (uurb->buffer_length < (le16_to_cpup(&dr->wLength) + 8)) { 1490 ret = -EINVAL; 1491 goto error; 1492 } 1493 ret = check_ctrlrecip(ps, dr->bRequestType, dr->bRequest, 1494 le16_to_cpup(&dr->wIndex)); 1495 if (ret) 1496 goto error; 1497 uurb->buffer_length = le16_to_cpup(&dr->wLength); 1498 uurb->buffer += 8; 1499 if ((dr->bRequestType & USB_DIR_IN) && uurb->buffer_length) { 1500 is_in = 1; 1501 uurb->endpoint |= USB_DIR_IN; 1502 } else { 1503 is_in = 0; 1504 uurb->endpoint &= ~USB_DIR_IN; 1505 } 1506 if (is_in) 1507 allow_short = true; 1508 snoop(&ps->dev->dev, "control urb: bRequestType=%02x " 1509 "bRequest=%02x wValue=%04x " 1510 "wIndex=%04x wLength=%04x\n", 1511 dr->bRequestType, dr->bRequest, 1512 __le16_to_cpup(&dr->wValue), 1513 __le16_to_cpup(&dr->wIndex), 1514 __le16_to_cpup(&dr->wLength)); 1515 u = sizeof(struct usb_ctrlrequest); 1516 break; 1517 1518 case USBDEVFS_URB_TYPE_BULK: 1519 if (!is_in) 1520 allow_zero = true; 1521 else 1522 allow_short = true; 1523 switch (usb_endpoint_type(&ep->desc)) { 1524 case USB_ENDPOINT_XFER_CONTROL: 1525 case USB_ENDPOINT_XFER_ISOC: 1526 return -EINVAL; 1527 case USB_ENDPOINT_XFER_INT: 1528 /* allow single-shot interrupt transfers */ 1529 uurb->type = USBDEVFS_URB_TYPE_INTERRUPT; 1530 goto interrupt_urb; 1531 } 1532 num_sgs = DIV_ROUND_UP(uurb->buffer_length, USB_SG_SIZE); 1533 if (num_sgs == 1 || num_sgs > ps->dev->bus->sg_tablesize) 1534 num_sgs = 0; 1535 if (ep->streams) 1536 stream_id = uurb->stream_id; 1537 break; 1538 1539 case USBDEVFS_URB_TYPE_INTERRUPT: 1540 if (!usb_endpoint_xfer_int(&ep->desc)) 1541 return -EINVAL; 1542 interrupt_urb: 1543 if (!is_in) 1544 allow_zero = true; 1545 else 1546 allow_short = true; 1547 break; 1548 1549 case USBDEVFS_URB_TYPE_ISO: 1550 /* arbitrary limit */ 1551 if (uurb->number_of_packets < 1 || 1552 uurb->number_of_packets > 128) 1553 return -EINVAL; 1554 if (!usb_endpoint_xfer_isoc(&ep->desc)) 1555 return -EINVAL; 1556 number_of_packets = uurb->number_of_packets; 1557 isofrmlen = sizeof(struct usbdevfs_iso_packet_desc) * 1558 number_of_packets; 1559 isopkt = memdup_user(iso_frame_desc, isofrmlen); 1560 if (IS_ERR(isopkt)) { 1561 ret = PTR_ERR(isopkt); 1562 isopkt = NULL; 1563 goto error; 1564 } 1565 for (totlen = u = 0; u < number_of_packets; u++) { 1566 /* 1567 * arbitrary limit need for USB 3.1 Gen2 1568 * sizemax: 96 DPs at SSP, 96 * 1024 = 98304 1569 */ 1570 if (isopkt[u].length > 98304) { 1571 ret = -EINVAL; 1572 goto error; 1573 } 1574 totlen += isopkt[u].length; 1575 } 1576 u *= sizeof(struct usb_iso_packet_descriptor); 1577 uurb->buffer_length = totlen; 1578 break; 1579 1580 default: 1581 return -EINVAL; 1582 } 1583 1584 if (uurb->buffer_length > 0 && 1585 !access_ok(uurb->buffer, uurb->buffer_length)) { 1586 ret = -EFAULT; 1587 goto error; 1588 } 1589 as = alloc_async(number_of_packets); 1590 if (!as) { 1591 ret = -ENOMEM; 1592 goto error; 1593 } 1594 1595 as->usbm = find_memory_area(ps, uurb); 1596 if (IS_ERR(as->usbm)) { 1597 ret = PTR_ERR(as->usbm); 1598 as->usbm = NULL; 1599 goto error; 1600 } 1601 1602 /* do not use SG buffers when memory mapped segments 1603 * are in use 1604 */ 1605 if (as->usbm) 1606 num_sgs = 0; 1607 1608 u += sizeof(struct async) + sizeof(struct urb) + uurb->buffer_length + 1609 num_sgs * sizeof(struct scatterlist); 1610 ret = usbfs_increase_memory_usage(u); 1611 if (ret) 1612 goto error; 1613 as->mem_usage = u; 1614 1615 if (num_sgs) { 1616 as->urb->sg = kmalloc_array(num_sgs, 1617 sizeof(struct scatterlist), 1618 GFP_KERNEL); 1619 if (!as->urb->sg) { 1620 ret = -ENOMEM; 1621 goto error; 1622 } 1623 as->urb->num_sgs = num_sgs; 1624 sg_init_table(as->urb->sg, as->urb->num_sgs); 1625 1626 totlen = uurb->buffer_length; 1627 for (i = 0; i < as->urb->num_sgs; i++) { 1628 u = (totlen > USB_SG_SIZE) ? USB_SG_SIZE : totlen; 1629 buf = kmalloc(u, GFP_KERNEL); 1630 if (!buf) { 1631 ret = -ENOMEM; 1632 goto error; 1633 } 1634 sg_set_buf(&as->urb->sg[i], buf, u); 1635 1636 if (!is_in) { 1637 if (copy_from_user(buf, uurb->buffer, u)) { 1638 ret = -EFAULT; 1639 goto error; 1640 } 1641 uurb->buffer += u; 1642 } 1643 totlen -= u; 1644 } 1645 } else if (uurb->buffer_length > 0) { 1646 if (as->usbm) { 1647 unsigned long uurb_start = (unsigned long)uurb->buffer; 1648 1649 as->urb->transfer_buffer = as->usbm->mem + 1650 (uurb_start - as->usbm->vm_start); 1651 } else { 1652 as->urb->transfer_buffer = kmalloc(uurb->buffer_length, 1653 GFP_KERNEL); 1654 if (!as->urb->transfer_buffer) { 1655 ret = -ENOMEM; 1656 goto error; 1657 } 1658 if (!is_in) { 1659 if (copy_from_user(as->urb->transfer_buffer, 1660 uurb->buffer, 1661 uurb->buffer_length)) { 1662 ret = -EFAULT; 1663 goto error; 1664 } 1665 } else if (uurb->type == USBDEVFS_URB_TYPE_ISO) { 1666 /* 1667 * Isochronous input data may end up being 1668 * discontiguous if some of the packets are 1669 * short. Clear the buffer so that the gaps 1670 * don't leak kernel data to userspace. 1671 */ 1672 memset(as->urb->transfer_buffer, 0, 1673 uurb->buffer_length); 1674 } 1675 } 1676 } 1677 as->urb->dev = ps->dev; 1678 as->urb->pipe = (uurb->type << 30) | 1679 __create_pipe(ps->dev, uurb->endpoint & 0xf) | 1680 (uurb->endpoint & USB_DIR_IN); 1681 1682 /* This tedious sequence is necessary because the URB_* flags 1683 * are internal to the kernel and subject to change, whereas 1684 * the USBDEVFS_URB_* flags are a user API and must not be changed. 1685 */ 1686 u = (is_in ? URB_DIR_IN : URB_DIR_OUT); 1687 if (uurb->flags & USBDEVFS_URB_ISO_ASAP) 1688 u |= URB_ISO_ASAP; 1689 if (allow_short && uurb->flags & USBDEVFS_URB_SHORT_NOT_OK) 1690 u |= URB_SHORT_NOT_OK; 1691 if (allow_zero && uurb->flags & USBDEVFS_URB_ZERO_PACKET) 1692 u |= URB_ZERO_PACKET; 1693 if (uurb->flags & USBDEVFS_URB_NO_INTERRUPT) 1694 u |= URB_NO_INTERRUPT; 1695 as->urb->transfer_flags = u; 1696 1697 if (!allow_short && uurb->flags & USBDEVFS_URB_SHORT_NOT_OK) 1698 dev_warn(&ps->dev->dev, "Requested nonsensical USBDEVFS_URB_SHORT_NOT_OK.\n"); 1699 if (!allow_zero && uurb->flags & USBDEVFS_URB_ZERO_PACKET) 1700 dev_warn(&ps->dev->dev, "Requested nonsensical USBDEVFS_URB_ZERO_PACKET.\n"); 1701 1702 as->urb->transfer_buffer_length = uurb->buffer_length; 1703 as->urb->setup_packet = (unsigned char *)dr; 1704 dr = NULL; 1705 as->urb->start_frame = uurb->start_frame; 1706 as->urb->number_of_packets = number_of_packets; 1707 as->urb->stream_id = stream_id; 1708 1709 if (ep->desc.bInterval) { 1710 if (uurb->type == USBDEVFS_URB_TYPE_ISO || 1711 ps->dev->speed == USB_SPEED_HIGH || 1712 ps->dev->speed >= USB_SPEED_SUPER) 1713 as->urb->interval = 1 << 1714 min(15, ep->desc.bInterval - 1); 1715 else 1716 as->urb->interval = ep->desc.bInterval; 1717 } 1718 1719 as->urb->context = as; 1720 as->urb->complete = async_completed; 1721 for (totlen = u = 0; u < number_of_packets; u++) { 1722 as->urb->iso_frame_desc[u].offset = totlen; 1723 as->urb->iso_frame_desc[u].length = isopkt[u].length; 1724 totlen += isopkt[u].length; 1725 } 1726 kfree(isopkt); 1727 isopkt = NULL; 1728 as->ps = ps; 1729 as->userurb = arg; 1730 if (as->usbm) { 1731 unsigned long uurb_start = (unsigned long)uurb->buffer; 1732 1733 as->urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP; 1734 as->urb->transfer_dma = as->usbm->dma_handle + 1735 (uurb_start - as->usbm->vm_start); 1736 } else if (is_in && uurb->buffer_length > 0) 1737 as->userbuffer = uurb->buffer; 1738 as->signr = uurb->signr; 1739 as->ifnum = ifnum; 1740 as->pid = get_pid(task_pid(current)); 1741 as->cred = get_current_cred(); 1742 snoop_urb(ps->dev, as->userurb, as->urb->pipe, 1743 as->urb->transfer_buffer_length, 0, SUBMIT, 1744 NULL, 0); 1745 if (!is_in) 1746 snoop_urb_data(as->urb, as->urb->transfer_buffer_length); 1747 1748 async_newpending(as); 1749 1750 if (usb_endpoint_xfer_bulk(&ep->desc)) { 1751 spin_lock_irq(&ps->lock); 1752 1753 /* Not exactly the endpoint address; the direction bit is 1754 * shifted to the 0x10 position so that the value will be 1755 * between 0 and 31. 1756 */ 1757 as->bulk_addr = usb_endpoint_num(&ep->desc) | 1758 ((ep->desc.bEndpointAddress & USB_ENDPOINT_DIR_MASK) 1759 >> 3); 1760 1761 /* If this bulk URB is the start of a new transfer, re-enable 1762 * the endpoint. Otherwise mark it as a continuation URB. 1763 */ 1764 if (uurb->flags & USBDEVFS_URB_BULK_CONTINUATION) 1765 as->bulk_status = AS_CONTINUATION; 1766 else 1767 ps->disabled_bulk_eps &= ~(1 << as->bulk_addr); 1768 1769 /* Don't accept continuation URBs if the endpoint is 1770 * disabled because of an earlier error. 1771 */ 1772 if (ps->disabled_bulk_eps & (1 << as->bulk_addr)) 1773 ret = -EREMOTEIO; 1774 else 1775 ret = usb_submit_urb(as->urb, GFP_ATOMIC); 1776 spin_unlock_irq(&ps->lock); 1777 } else { 1778 ret = usb_submit_urb(as->urb, GFP_KERNEL); 1779 } 1780 1781 if (ret) { 1782 dev_printk(KERN_DEBUG, &ps->dev->dev, 1783 "usbfs: usb_submit_urb returned %d\n", ret); 1784 snoop_urb(ps->dev, as->userurb, as->urb->pipe, 1785 0, ret, COMPLETE, NULL, 0); 1786 async_removepending(as); 1787 goto error; 1788 } 1789 return 0; 1790 1791 error: 1792 if (as && as->usbm) 1793 dec_usb_memory_use_count(as->usbm, &as->usbm->urb_use_count); 1794 kfree(isopkt); 1795 kfree(dr); 1796 if (as) 1797 free_async(as); 1798 return ret; 1799 } 1800 1801 static int proc_submiturb(struct usb_dev_state *ps, void __user *arg) 1802 { 1803 struct usbdevfs_urb uurb; 1804 1805 if (copy_from_user(&uurb, arg, sizeof(uurb))) 1806 return -EFAULT; 1807 1808 return proc_do_submiturb(ps, &uurb, 1809 (((struct usbdevfs_urb __user *)arg)->iso_frame_desc), 1810 arg); 1811 } 1812 1813 static int proc_unlinkurb(struct usb_dev_state *ps, void __user *arg) 1814 { 1815 struct urb *urb; 1816 struct async *as; 1817 unsigned long flags; 1818 1819 spin_lock_irqsave(&ps->lock, flags); 1820 as = async_getpending(ps, arg); 1821 if (!as) { 1822 spin_unlock_irqrestore(&ps->lock, flags); 1823 return -EINVAL; 1824 } 1825 1826 urb = as->urb; 1827 usb_get_urb(urb); 1828 spin_unlock_irqrestore(&ps->lock, flags); 1829 1830 usb_kill_urb(urb); 1831 usb_put_urb(urb); 1832 1833 return 0; 1834 } 1835 1836 static void compute_isochronous_actual_length(struct urb *urb) 1837 { 1838 unsigned int i; 1839 1840 if (urb->number_of_packets > 0) { 1841 urb->actual_length = 0; 1842 for (i = 0; i < urb->number_of_packets; i++) 1843 urb->actual_length += 1844 urb->iso_frame_desc[i].actual_length; 1845 } 1846 } 1847 1848 static int processcompl(struct async *as, void __user * __user *arg) 1849 { 1850 struct urb *urb = as->urb; 1851 struct usbdevfs_urb __user *userurb = as->userurb; 1852 void __user *addr = as->userurb; 1853 unsigned int i; 1854 1855 compute_isochronous_actual_length(urb); 1856 if (as->userbuffer && urb->actual_length) { 1857 if (copy_urb_data_to_user(as->userbuffer, urb)) 1858 goto err_out; 1859 } 1860 if (put_user(as->status, &userurb->status)) 1861 goto err_out; 1862 if (put_user(urb->actual_length, &userurb->actual_length)) 1863 goto err_out; 1864 if (put_user(urb->error_count, &userurb->error_count)) 1865 goto err_out; 1866 1867 if (usb_endpoint_xfer_isoc(&urb->ep->desc)) { 1868 for (i = 0; i < urb->number_of_packets; i++) { 1869 if (put_user(urb->iso_frame_desc[i].actual_length, 1870 &userurb->iso_frame_desc[i].actual_length)) 1871 goto err_out; 1872 if (put_user(urb->iso_frame_desc[i].status, 1873 &userurb->iso_frame_desc[i].status)) 1874 goto err_out; 1875 } 1876 } 1877 1878 if (put_user(addr, (void __user * __user *)arg)) 1879 return -EFAULT; 1880 return 0; 1881 1882 err_out: 1883 return -EFAULT; 1884 } 1885 1886 static struct async *reap_as(struct usb_dev_state *ps) 1887 { 1888 DECLARE_WAITQUEUE(wait, current); 1889 struct async *as = NULL; 1890 struct usb_device *dev = ps->dev; 1891 1892 add_wait_queue(&ps->wait, &wait); 1893 for (;;) { 1894 __set_current_state(TASK_INTERRUPTIBLE); 1895 as = async_getcompleted(ps); 1896 if (as || !connected(ps)) 1897 break; 1898 if (signal_pending(current)) 1899 break; 1900 usb_unlock_device(dev); 1901 schedule(); 1902 usb_lock_device(dev); 1903 } 1904 remove_wait_queue(&ps->wait, &wait); 1905 set_current_state(TASK_RUNNING); 1906 return as; 1907 } 1908 1909 static int proc_reapurb(struct usb_dev_state *ps, void __user *arg) 1910 { 1911 struct async *as = reap_as(ps); 1912 1913 if (as) { 1914 int retval; 1915 1916 snoop(&ps->dev->dev, "reap %pK\n", as->userurb); 1917 retval = processcompl(as, (void __user * __user *)arg); 1918 free_async(as); 1919 return retval; 1920 } 1921 if (signal_pending(current)) 1922 return -EINTR; 1923 return -ENODEV; 1924 } 1925 1926 static int proc_reapurbnonblock(struct usb_dev_state *ps, void __user *arg) 1927 { 1928 int retval; 1929 struct async *as; 1930 1931 as = async_getcompleted(ps); 1932 if (as) { 1933 snoop(&ps->dev->dev, "reap %pK\n", as->userurb); 1934 retval = processcompl(as, (void __user * __user *)arg); 1935 free_async(as); 1936 } else { 1937 retval = (connected(ps) ? -EAGAIN : -ENODEV); 1938 } 1939 return retval; 1940 } 1941 1942 #ifdef CONFIG_COMPAT 1943 static int proc_control_compat(struct usb_dev_state *ps, 1944 struct usbdevfs_ctrltransfer32 __user *p32) 1945 { 1946 struct usbdevfs_ctrltransfer __user *p; 1947 __u32 udata; 1948 p = compat_alloc_user_space(sizeof(*p)); 1949 if (copy_in_user(p, p32, (sizeof(*p32) - sizeof(compat_caddr_t))) || 1950 get_user(udata, &p32->data) || 1951 put_user(compat_ptr(udata), &p->data)) 1952 return -EFAULT; 1953 return proc_control(ps, p); 1954 } 1955 1956 static int proc_bulk_compat(struct usb_dev_state *ps, 1957 struct usbdevfs_bulktransfer32 __user *p32) 1958 { 1959 struct usbdevfs_bulktransfer __user *p; 1960 compat_uint_t n; 1961 compat_caddr_t addr; 1962 1963 p = compat_alloc_user_space(sizeof(*p)); 1964 1965 if (get_user(n, &p32->ep) || put_user(n, &p->ep) || 1966 get_user(n, &p32->len) || put_user(n, &p->len) || 1967 get_user(n, &p32->timeout) || put_user(n, &p->timeout) || 1968 get_user(addr, &p32->data) || put_user(compat_ptr(addr), &p->data)) 1969 return -EFAULT; 1970 1971 return proc_bulk(ps, p); 1972 } 1973 static int proc_disconnectsignal_compat(struct usb_dev_state *ps, void __user *arg) 1974 { 1975 struct usbdevfs_disconnectsignal32 ds; 1976 1977 if (copy_from_user(&ds, arg, sizeof(ds))) 1978 return -EFAULT; 1979 ps->discsignr = ds.signr; 1980 ps->disccontext = compat_ptr(ds.context); 1981 return 0; 1982 } 1983 1984 static int get_urb32(struct usbdevfs_urb *kurb, 1985 struct usbdevfs_urb32 __user *uurb) 1986 { 1987 struct usbdevfs_urb32 urb32; 1988 if (copy_from_user(&urb32, uurb, sizeof(*uurb))) 1989 return -EFAULT; 1990 kurb->type = urb32.type; 1991 kurb->endpoint = urb32.endpoint; 1992 kurb->status = urb32.status; 1993 kurb->flags = urb32.flags; 1994 kurb->buffer = compat_ptr(urb32.buffer); 1995 kurb->buffer_length = urb32.buffer_length; 1996 kurb->actual_length = urb32.actual_length; 1997 kurb->start_frame = urb32.start_frame; 1998 kurb->number_of_packets = urb32.number_of_packets; 1999 kurb->error_count = urb32.error_count; 2000 kurb->signr = urb32.signr; 2001 kurb->usercontext = compat_ptr(urb32.usercontext); 2002 return 0; 2003 } 2004 2005 static int proc_submiturb_compat(struct usb_dev_state *ps, void __user *arg) 2006 { 2007 struct usbdevfs_urb uurb; 2008 2009 if (get_urb32(&uurb, (struct usbdevfs_urb32 __user *)arg)) 2010 return -EFAULT; 2011 2012 return proc_do_submiturb(ps, &uurb, 2013 ((struct usbdevfs_urb32 __user *)arg)->iso_frame_desc, 2014 arg); 2015 } 2016 2017 static int processcompl_compat(struct async *as, void __user * __user *arg) 2018 { 2019 struct urb *urb = as->urb; 2020 struct usbdevfs_urb32 __user *userurb = as->userurb; 2021 void __user *addr = as->userurb; 2022 unsigned int i; 2023 2024 compute_isochronous_actual_length(urb); 2025 if (as->userbuffer && urb->actual_length) { 2026 if (copy_urb_data_to_user(as->userbuffer, urb)) 2027 return -EFAULT; 2028 } 2029 if (put_user(as->status, &userurb->status)) 2030 return -EFAULT; 2031 if (put_user(urb->actual_length, &userurb->actual_length)) 2032 return -EFAULT; 2033 if (put_user(urb->error_count, &userurb->error_count)) 2034 return -EFAULT; 2035 2036 if (usb_endpoint_xfer_isoc(&urb->ep->desc)) { 2037 for (i = 0; i < urb->number_of_packets; i++) { 2038 if (put_user(urb->iso_frame_desc[i].actual_length, 2039 &userurb->iso_frame_desc[i].actual_length)) 2040 return -EFAULT; 2041 if (put_user(urb->iso_frame_desc[i].status, 2042 &userurb->iso_frame_desc[i].status)) 2043 return -EFAULT; 2044 } 2045 } 2046 2047 if (put_user(ptr_to_compat(addr), (u32 __user *)arg)) 2048 return -EFAULT; 2049 return 0; 2050 } 2051 2052 static int proc_reapurb_compat(struct usb_dev_state *ps, void __user *arg) 2053 { 2054 struct async *as = reap_as(ps); 2055 2056 if (as) { 2057 int retval; 2058 2059 snoop(&ps->dev->dev, "reap %pK\n", as->userurb); 2060 retval = processcompl_compat(as, (void __user * __user *)arg); 2061 free_async(as); 2062 return retval; 2063 } 2064 if (signal_pending(current)) 2065 return -EINTR; 2066 return -ENODEV; 2067 } 2068 2069 static int proc_reapurbnonblock_compat(struct usb_dev_state *ps, void __user *arg) 2070 { 2071 int retval; 2072 struct async *as; 2073 2074 as = async_getcompleted(ps); 2075 if (as) { 2076 snoop(&ps->dev->dev, "reap %pK\n", as->userurb); 2077 retval = processcompl_compat(as, (void __user * __user *)arg); 2078 free_async(as); 2079 } else { 2080 retval = (connected(ps) ? -EAGAIN : -ENODEV); 2081 } 2082 return retval; 2083 } 2084 2085 2086 #endif 2087 2088 static int proc_disconnectsignal(struct usb_dev_state *ps, void __user *arg) 2089 { 2090 struct usbdevfs_disconnectsignal ds; 2091 2092 if (copy_from_user(&ds, arg, sizeof(ds))) 2093 return -EFAULT; 2094 ps->discsignr = ds.signr; 2095 ps->disccontext = ds.context; 2096 return 0; 2097 } 2098 2099 static int proc_claiminterface(struct usb_dev_state *ps, void __user *arg) 2100 { 2101 unsigned int ifnum; 2102 2103 if (get_user(ifnum, (unsigned int __user *)arg)) 2104 return -EFAULT; 2105 return claimintf(ps, ifnum); 2106 } 2107 2108 static int proc_releaseinterface(struct usb_dev_state *ps, void __user *arg) 2109 { 2110 unsigned int ifnum; 2111 int ret; 2112 2113 if (get_user(ifnum, (unsigned int __user *)arg)) 2114 return -EFAULT; 2115 ret = releaseintf(ps, ifnum); 2116 if (ret < 0) 2117 return ret; 2118 destroy_async_on_interface(ps, ifnum); 2119 return 0; 2120 } 2121 2122 static int proc_ioctl(struct usb_dev_state *ps, struct usbdevfs_ioctl *ctl) 2123 { 2124 int size; 2125 void *buf = NULL; 2126 int retval = 0; 2127 struct usb_interface *intf = NULL; 2128 struct usb_driver *driver = NULL; 2129 2130 if (ps->privileges_dropped) 2131 return -EACCES; 2132 2133 /* alloc buffer */ 2134 size = _IOC_SIZE(ctl->ioctl_code); 2135 if (size > 0) { 2136 buf = kmalloc(size, GFP_KERNEL); 2137 if (buf == NULL) 2138 return -ENOMEM; 2139 if ((_IOC_DIR(ctl->ioctl_code) & _IOC_WRITE)) { 2140 if (copy_from_user(buf, ctl->data, size)) { 2141 kfree(buf); 2142 return -EFAULT; 2143 } 2144 } else { 2145 memset(buf, 0, size); 2146 } 2147 } 2148 2149 if (!connected(ps)) { 2150 kfree(buf); 2151 return -ENODEV; 2152 } 2153 2154 if (ps->dev->state != USB_STATE_CONFIGURED) 2155 retval = -EHOSTUNREACH; 2156 else if (!(intf = usb_ifnum_to_if(ps->dev, ctl->ifno))) 2157 retval = -EINVAL; 2158 else switch (ctl->ioctl_code) { 2159 2160 /* disconnect kernel driver from interface */ 2161 case USBDEVFS_DISCONNECT: 2162 if (intf->dev.driver) { 2163 driver = to_usb_driver(intf->dev.driver); 2164 dev_dbg(&intf->dev, "disconnect by usbfs\n"); 2165 usb_driver_release_interface(driver, intf); 2166 } else 2167 retval = -ENODATA; 2168 break; 2169 2170 /* let kernel drivers try to (re)bind to the interface */ 2171 case USBDEVFS_CONNECT: 2172 if (!intf->dev.driver) 2173 retval = device_attach(&intf->dev); 2174 else 2175 retval = -EBUSY; 2176 break; 2177 2178 /* talk directly to the interface's driver */ 2179 default: 2180 if (intf->dev.driver) 2181 driver = to_usb_driver(intf->dev.driver); 2182 if (driver == NULL || driver->unlocked_ioctl == NULL) { 2183 retval = -ENOTTY; 2184 } else { 2185 retval = driver->unlocked_ioctl(intf, ctl->ioctl_code, buf); 2186 if (retval == -ENOIOCTLCMD) 2187 retval = -ENOTTY; 2188 } 2189 } 2190 2191 /* cleanup and return */ 2192 if (retval >= 0 2193 && (_IOC_DIR(ctl->ioctl_code) & _IOC_READ) != 0 2194 && size > 0 2195 && copy_to_user(ctl->data, buf, size) != 0) 2196 retval = -EFAULT; 2197 2198 kfree(buf); 2199 return retval; 2200 } 2201 2202 static int proc_ioctl_default(struct usb_dev_state *ps, void __user *arg) 2203 { 2204 struct usbdevfs_ioctl ctrl; 2205 2206 if (copy_from_user(&ctrl, arg, sizeof(ctrl))) 2207 return -EFAULT; 2208 return proc_ioctl(ps, &ctrl); 2209 } 2210 2211 #ifdef CONFIG_COMPAT 2212 static int proc_ioctl_compat(struct usb_dev_state *ps, compat_uptr_t arg) 2213 { 2214 struct usbdevfs_ioctl32 ioc32; 2215 struct usbdevfs_ioctl ctrl; 2216 2217 if (copy_from_user(&ioc32, compat_ptr(arg), sizeof(ioc32))) 2218 return -EFAULT; 2219 ctrl.ifno = ioc32.ifno; 2220 ctrl.ioctl_code = ioc32.ioctl_code; 2221 ctrl.data = compat_ptr(ioc32.data); 2222 return proc_ioctl(ps, &ctrl); 2223 } 2224 #endif 2225 2226 static int proc_claim_port(struct usb_dev_state *ps, void __user *arg) 2227 { 2228 unsigned portnum; 2229 int rc; 2230 2231 if (get_user(portnum, (unsigned __user *) arg)) 2232 return -EFAULT; 2233 rc = usb_hub_claim_port(ps->dev, portnum, ps); 2234 if (rc == 0) 2235 snoop(&ps->dev->dev, "port %d claimed by process %d: %s\n", 2236 portnum, task_pid_nr(current), current->comm); 2237 return rc; 2238 } 2239 2240 static int proc_release_port(struct usb_dev_state *ps, void __user *arg) 2241 { 2242 unsigned portnum; 2243 2244 if (get_user(portnum, (unsigned __user *) arg)) 2245 return -EFAULT; 2246 return usb_hub_release_port(ps->dev, portnum, ps); 2247 } 2248 2249 static int proc_get_capabilities(struct usb_dev_state *ps, void __user *arg) 2250 { 2251 __u32 caps; 2252 2253 caps = USBDEVFS_CAP_ZERO_PACKET | USBDEVFS_CAP_NO_PACKET_SIZE_LIM | 2254 USBDEVFS_CAP_REAP_AFTER_DISCONNECT | USBDEVFS_CAP_MMAP | 2255 USBDEVFS_CAP_DROP_PRIVILEGES; 2256 if (!ps->dev->bus->no_stop_on_short) 2257 caps |= USBDEVFS_CAP_BULK_CONTINUATION; 2258 if (ps->dev->bus->sg_tablesize) 2259 caps |= USBDEVFS_CAP_BULK_SCATTER_GATHER; 2260 2261 if (put_user(caps, (__u32 __user *)arg)) 2262 return -EFAULT; 2263 2264 return 0; 2265 } 2266 2267 static int proc_disconnect_claim(struct usb_dev_state *ps, void __user *arg) 2268 { 2269 struct usbdevfs_disconnect_claim dc; 2270 struct usb_interface *intf; 2271 2272 if (copy_from_user(&dc, arg, sizeof(dc))) 2273 return -EFAULT; 2274 2275 intf = usb_ifnum_to_if(ps->dev, dc.interface); 2276 if (!intf) 2277 return -EINVAL; 2278 2279 if (intf->dev.driver) { 2280 struct usb_driver *driver = to_usb_driver(intf->dev.driver); 2281 2282 if (ps->privileges_dropped) 2283 return -EACCES; 2284 2285 if ((dc.flags & USBDEVFS_DISCONNECT_CLAIM_IF_DRIVER) && 2286 strncmp(dc.driver, intf->dev.driver->name, 2287 sizeof(dc.driver)) != 0) 2288 return -EBUSY; 2289 2290 if ((dc.flags & USBDEVFS_DISCONNECT_CLAIM_EXCEPT_DRIVER) && 2291 strncmp(dc.driver, intf->dev.driver->name, 2292 sizeof(dc.driver)) == 0) 2293 return -EBUSY; 2294 2295 dev_dbg(&intf->dev, "disconnect by usbfs\n"); 2296 usb_driver_release_interface(driver, intf); 2297 } 2298 2299 return claimintf(ps, dc.interface); 2300 } 2301 2302 static int proc_alloc_streams(struct usb_dev_state *ps, void __user *arg) 2303 { 2304 unsigned num_streams, num_eps; 2305 struct usb_host_endpoint **eps; 2306 struct usb_interface *intf; 2307 int r; 2308 2309 r = parse_usbdevfs_streams(ps, arg, &num_streams, &num_eps, 2310 &eps, &intf); 2311 if (r) 2312 return r; 2313 2314 destroy_async_on_interface(ps, 2315 intf->altsetting[0].desc.bInterfaceNumber); 2316 2317 r = usb_alloc_streams(intf, eps, num_eps, num_streams, GFP_KERNEL); 2318 kfree(eps); 2319 return r; 2320 } 2321 2322 static int proc_free_streams(struct usb_dev_state *ps, void __user *arg) 2323 { 2324 unsigned num_eps; 2325 struct usb_host_endpoint **eps; 2326 struct usb_interface *intf; 2327 int r; 2328 2329 r = parse_usbdevfs_streams(ps, arg, NULL, &num_eps, &eps, &intf); 2330 if (r) 2331 return r; 2332 2333 destroy_async_on_interface(ps, 2334 intf->altsetting[0].desc.bInterfaceNumber); 2335 2336 r = usb_free_streams(intf, eps, num_eps, GFP_KERNEL); 2337 kfree(eps); 2338 return r; 2339 } 2340 2341 static int proc_drop_privileges(struct usb_dev_state *ps, void __user *arg) 2342 { 2343 u32 data; 2344 2345 if (copy_from_user(&data, arg, sizeof(data))) 2346 return -EFAULT; 2347 2348 /* This is a one way operation. Once privileges are 2349 * dropped, you cannot regain them. You may however reissue 2350 * this ioctl to shrink the allowed interfaces mask. 2351 */ 2352 ps->interface_allowed_mask &= data; 2353 ps->privileges_dropped = true; 2354 2355 return 0; 2356 } 2357 2358 /* 2359 * NOTE: All requests here that have interface numbers as parameters 2360 * are assuming that somehow the configuration has been prevented from 2361 * changing. But there's no mechanism to ensure that... 2362 */ 2363 static long usbdev_do_ioctl(struct file *file, unsigned int cmd, 2364 void __user *p) 2365 { 2366 struct usb_dev_state *ps = file->private_data; 2367 struct inode *inode = file_inode(file); 2368 struct usb_device *dev = ps->dev; 2369 int ret = -ENOTTY; 2370 2371 if (!(file->f_mode & FMODE_WRITE)) 2372 return -EPERM; 2373 2374 usb_lock_device(dev); 2375 2376 /* Reap operations are allowed even after disconnection */ 2377 switch (cmd) { 2378 case USBDEVFS_REAPURB: 2379 snoop(&dev->dev, "%s: REAPURB\n", __func__); 2380 ret = proc_reapurb(ps, p); 2381 goto done; 2382 2383 case USBDEVFS_REAPURBNDELAY: 2384 snoop(&dev->dev, "%s: REAPURBNDELAY\n", __func__); 2385 ret = proc_reapurbnonblock(ps, p); 2386 goto done; 2387 2388 #ifdef CONFIG_COMPAT 2389 case USBDEVFS_REAPURB32: 2390 snoop(&dev->dev, "%s: REAPURB32\n", __func__); 2391 ret = proc_reapurb_compat(ps, p); 2392 goto done; 2393 2394 case USBDEVFS_REAPURBNDELAY32: 2395 snoop(&dev->dev, "%s: REAPURBNDELAY32\n", __func__); 2396 ret = proc_reapurbnonblock_compat(ps, p); 2397 goto done; 2398 #endif 2399 } 2400 2401 if (!connected(ps)) { 2402 usb_unlock_device(dev); 2403 return -ENODEV; 2404 } 2405 2406 switch (cmd) { 2407 case USBDEVFS_CONTROL: 2408 snoop(&dev->dev, "%s: CONTROL\n", __func__); 2409 ret = proc_control(ps, p); 2410 if (ret >= 0) 2411 inode->i_mtime = current_time(inode); 2412 break; 2413 2414 case USBDEVFS_BULK: 2415 snoop(&dev->dev, "%s: BULK\n", __func__); 2416 ret = proc_bulk(ps, p); 2417 if (ret >= 0) 2418 inode->i_mtime = current_time(inode); 2419 break; 2420 2421 case USBDEVFS_RESETEP: 2422 snoop(&dev->dev, "%s: RESETEP\n", __func__); 2423 ret = proc_resetep(ps, p); 2424 if (ret >= 0) 2425 inode->i_mtime = current_time(inode); 2426 break; 2427 2428 case USBDEVFS_RESET: 2429 snoop(&dev->dev, "%s: RESET\n", __func__); 2430 ret = proc_resetdevice(ps); 2431 break; 2432 2433 case USBDEVFS_CLEAR_HALT: 2434 snoop(&dev->dev, "%s: CLEAR_HALT\n", __func__); 2435 ret = proc_clearhalt(ps, p); 2436 if (ret >= 0) 2437 inode->i_mtime = current_time(inode); 2438 break; 2439 2440 case USBDEVFS_GETDRIVER: 2441 snoop(&dev->dev, "%s: GETDRIVER\n", __func__); 2442 ret = proc_getdriver(ps, p); 2443 break; 2444 2445 case USBDEVFS_CONNECTINFO: 2446 snoop(&dev->dev, "%s: CONNECTINFO\n", __func__); 2447 ret = proc_connectinfo(ps, p); 2448 break; 2449 2450 case USBDEVFS_SETINTERFACE: 2451 snoop(&dev->dev, "%s: SETINTERFACE\n", __func__); 2452 ret = proc_setintf(ps, p); 2453 break; 2454 2455 case USBDEVFS_SETCONFIGURATION: 2456 snoop(&dev->dev, "%s: SETCONFIGURATION\n", __func__); 2457 ret = proc_setconfig(ps, p); 2458 break; 2459 2460 case USBDEVFS_SUBMITURB: 2461 snoop(&dev->dev, "%s: SUBMITURB\n", __func__); 2462 ret = proc_submiturb(ps, p); 2463 if (ret >= 0) 2464 inode->i_mtime = current_time(inode); 2465 break; 2466 2467 #ifdef CONFIG_COMPAT 2468 case USBDEVFS_CONTROL32: 2469 snoop(&dev->dev, "%s: CONTROL32\n", __func__); 2470 ret = proc_control_compat(ps, p); 2471 if (ret >= 0) 2472 inode->i_mtime = current_time(inode); 2473 break; 2474 2475 case USBDEVFS_BULK32: 2476 snoop(&dev->dev, "%s: BULK32\n", __func__); 2477 ret = proc_bulk_compat(ps, p); 2478 if (ret >= 0) 2479 inode->i_mtime = current_time(inode); 2480 break; 2481 2482 case USBDEVFS_DISCSIGNAL32: 2483 snoop(&dev->dev, "%s: DISCSIGNAL32\n", __func__); 2484 ret = proc_disconnectsignal_compat(ps, p); 2485 break; 2486 2487 case USBDEVFS_SUBMITURB32: 2488 snoop(&dev->dev, "%s: SUBMITURB32\n", __func__); 2489 ret = proc_submiturb_compat(ps, p); 2490 if (ret >= 0) 2491 inode->i_mtime = current_time(inode); 2492 break; 2493 2494 case USBDEVFS_IOCTL32: 2495 snoop(&dev->dev, "%s: IOCTL32\n", __func__); 2496 ret = proc_ioctl_compat(ps, ptr_to_compat(p)); 2497 break; 2498 #endif 2499 2500 case USBDEVFS_DISCARDURB: 2501 snoop(&dev->dev, "%s: DISCARDURB %pK\n", __func__, p); 2502 ret = proc_unlinkurb(ps, p); 2503 break; 2504 2505 case USBDEVFS_DISCSIGNAL: 2506 snoop(&dev->dev, "%s: DISCSIGNAL\n", __func__); 2507 ret = proc_disconnectsignal(ps, p); 2508 break; 2509 2510 case USBDEVFS_CLAIMINTERFACE: 2511 snoop(&dev->dev, "%s: CLAIMINTERFACE\n", __func__); 2512 ret = proc_claiminterface(ps, p); 2513 break; 2514 2515 case USBDEVFS_RELEASEINTERFACE: 2516 snoop(&dev->dev, "%s: RELEASEINTERFACE\n", __func__); 2517 ret = proc_releaseinterface(ps, p); 2518 break; 2519 2520 case USBDEVFS_IOCTL: 2521 snoop(&dev->dev, "%s: IOCTL\n", __func__); 2522 ret = proc_ioctl_default(ps, p); 2523 break; 2524 2525 case USBDEVFS_CLAIM_PORT: 2526 snoop(&dev->dev, "%s: CLAIM_PORT\n", __func__); 2527 ret = proc_claim_port(ps, p); 2528 break; 2529 2530 case USBDEVFS_RELEASE_PORT: 2531 snoop(&dev->dev, "%s: RELEASE_PORT\n", __func__); 2532 ret = proc_release_port(ps, p); 2533 break; 2534 case USBDEVFS_GET_CAPABILITIES: 2535 ret = proc_get_capabilities(ps, p); 2536 break; 2537 case USBDEVFS_DISCONNECT_CLAIM: 2538 ret = proc_disconnect_claim(ps, p); 2539 break; 2540 case USBDEVFS_ALLOC_STREAMS: 2541 ret = proc_alloc_streams(ps, p); 2542 break; 2543 case USBDEVFS_FREE_STREAMS: 2544 ret = proc_free_streams(ps, p); 2545 break; 2546 case USBDEVFS_DROP_PRIVILEGES: 2547 ret = proc_drop_privileges(ps, p); 2548 break; 2549 case USBDEVFS_GET_SPEED: 2550 ret = ps->dev->speed; 2551 break; 2552 } 2553 2554 done: 2555 usb_unlock_device(dev); 2556 if (ret >= 0) 2557 inode->i_atime = current_time(inode); 2558 return ret; 2559 } 2560 2561 static long usbdev_ioctl(struct file *file, unsigned int cmd, 2562 unsigned long arg) 2563 { 2564 int ret; 2565 2566 ret = usbdev_do_ioctl(file, cmd, (void __user *)arg); 2567 2568 return ret; 2569 } 2570 2571 #ifdef CONFIG_COMPAT 2572 static long usbdev_compat_ioctl(struct file *file, unsigned int cmd, 2573 unsigned long arg) 2574 { 2575 int ret; 2576 2577 ret = usbdev_do_ioctl(file, cmd, compat_ptr(arg)); 2578 2579 return ret; 2580 } 2581 #endif 2582 2583 /* No kernel lock - fine */ 2584 static __poll_t usbdev_poll(struct file *file, 2585 struct poll_table_struct *wait) 2586 { 2587 struct usb_dev_state *ps = file->private_data; 2588 __poll_t mask = 0; 2589 2590 poll_wait(file, &ps->wait, wait); 2591 if (file->f_mode & FMODE_WRITE && !list_empty(&ps->async_completed)) 2592 mask |= EPOLLOUT | EPOLLWRNORM; 2593 if (!connected(ps)) 2594 mask |= EPOLLHUP; 2595 if (list_empty(&ps->list)) 2596 mask |= EPOLLERR; 2597 return mask; 2598 } 2599 2600 const struct file_operations usbdev_file_operations = { 2601 .owner = THIS_MODULE, 2602 .llseek = no_seek_end_llseek, 2603 .read = usbdev_read, 2604 .poll = usbdev_poll, 2605 .unlocked_ioctl = usbdev_ioctl, 2606 #ifdef CONFIG_COMPAT 2607 .compat_ioctl = usbdev_compat_ioctl, 2608 #endif 2609 .mmap = usbdev_mmap, 2610 .open = usbdev_open, 2611 .release = usbdev_release, 2612 }; 2613 2614 static void usbdev_remove(struct usb_device *udev) 2615 { 2616 struct usb_dev_state *ps; 2617 struct kernel_siginfo sinfo; 2618 2619 while (!list_empty(&udev->filelist)) { 2620 ps = list_entry(udev->filelist.next, struct usb_dev_state, list); 2621 destroy_all_async(ps); 2622 wake_up_all(&ps->wait); 2623 list_del_init(&ps->list); 2624 if (ps->discsignr) { 2625 clear_siginfo(&sinfo); 2626 sinfo.si_signo = ps->discsignr; 2627 sinfo.si_errno = EPIPE; 2628 sinfo.si_code = SI_ASYNCIO; 2629 sinfo.si_addr = ps->disccontext; 2630 kill_pid_info_as_cred(ps->discsignr, &sinfo, 2631 ps->disc_pid, ps->cred); 2632 } 2633 } 2634 } 2635 2636 static int usbdev_notify(struct notifier_block *self, 2637 unsigned long action, void *dev) 2638 { 2639 switch (action) { 2640 case USB_DEVICE_ADD: 2641 break; 2642 case USB_DEVICE_REMOVE: 2643 usbdev_remove(dev); 2644 break; 2645 } 2646 return NOTIFY_OK; 2647 } 2648 2649 static struct notifier_block usbdev_nb = { 2650 .notifier_call = usbdev_notify, 2651 }; 2652 2653 static struct cdev usb_device_cdev; 2654 2655 int __init usb_devio_init(void) 2656 { 2657 int retval; 2658 2659 retval = register_chrdev_region(USB_DEVICE_DEV, USB_DEVICE_MAX, 2660 "usb_device"); 2661 if (retval) { 2662 printk(KERN_ERR "Unable to register minors for usb_device\n"); 2663 goto out; 2664 } 2665 cdev_init(&usb_device_cdev, &usbdev_file_operations); 2666 retval = cdev_add(&usb_device_cdev, USB_DEVICE_DEV, USB_DEVICE_MAX); 2667 if (retval) { 2668 printk(KERN_ERR "Unable to get usb_device major %d\n", 2669 USB_DEVICE_MAJOR); 2670 goto error_cdev; 2671 } 2672 usb_register_notify(&usbdev_nb); 2673 out: 2674 return retval; 2675 2676 error_cdev: 2677 unregister_chrdev_region(USB_DEVICE_DEV, USB_DEVICE_MAX); 2678 goto out; 2679 } 2680 2681 void usb_devio_cleanup(void) 2682 { 2683 usb_unregister_notify(&usbdev_nb); 2684 cdev_del(&usb_device_cdev); 2685 unregister_chrdev_region(USB_DEVICE_DEV, USB_DEVICE_MAX); 2686 } 2687