xref: /openbmc/linux/drivers/usb/core/devio.c (revision bacf743e)
1 // SPDX-License-Identifier: GPL-2.0+
2 /*****************************************************************************/
3 
4 /*
5  *      devio.c  --  User space communication with USB devices.
6  *
7  *      Copyright (C) 1999-2000  Thomas Sailer (sailer@ife.ee.ethz.ch)
8  *
9  *  This file implements the usbfs/x/y files, where
10  *  x is the bus number and y the device number.
11  *
12  *  It allows user space programs/"drivers" to communicate directly
13  *  with USB devices without intervening kernel driver.
14  *
15  *  Revision history
16  *    22.12.1999   0.1   Initial release (split from proc_usb.c)
17  *    04.01.2000   0.2   Turned into its own filesystem
18  *    30.09.2005   0.3   Fix user-triggerable oops in async URB delivery
19  *    			 (CAN-2005-3055)
20  */
21 
22 /*****************************************************************************/
23 
24 #include <linux/fs.h>
25 #include <linux/mm.h>
26 #include <linux/sched/signal.h>
27 #include <linux/slab.h>
28 #include <linux/signal.h>
29 #include <linux/poll.h>
30 #include <linux/module.h>
31 #include <linux/string.h>
32 #include <linux/usb.h>
33 #include <linux/usbdevice_fs.h>
34 #include <linux/usb/hcd.h>	/* for usbcore internals */
35 #include <linux/usb/quirks.h>
36 #include <linux/cdev.h>
37 #include <linux/notifier.h>
38 #include <linux/security.h>
39 #include <linux/user_namespace.h>
40 #include <linux/scatterlist.h>
41 #include <linux/uaccess.h>
42 #include <linux/dma-mapping.h>
43 #include <asm/byteorder.h>
44 #include <linux/moduleparam.h>
45 
46 #include "usb.h"
47 
48 #ifdef CONFIG_PM
49 #define MAYBE_CAP_SUSPEND	USBDEVFS_CAP_SUSPEND
50 #else
51 #define MAYBE_CAP_SUSPEND	0
52 #endif
53 
54 #define USB_MAXBUS			64
55 #define USB_DEVICE_MAX			(USB_MAXBUS * 128)
56 #define USB_SG_SIZE			16384 /* split-size for large txs */
57 
58 /* Mutual exclusion for ps->list in resume vs. release and remove */
59 static DEFINE_MUTEX(usbfs_mutex);
60 
61 struct usb_dev_state {
62 	struct list_head list;      /* state list */
63 	struct usb_device *dev;
64 	struct file *file;
65 	spinlock_t lock;            /* protects the async urb lists */
66 	struct list_head async_pending;
67 	struct list_head async_completed;
68 	struct list_head memory_list;
69 	wait_queue_head_t wait;     /* wake up if a request completed */
70 	wait_queue_head_t wait_for_resume;   /* wake up upon runtime resume */
71 	unsigned int discsignr;
72 	struct pid *disc_pid;
73 	const struct cred *cred;
74 	sigval_t disccontext;
75 	unsigned long ifclaimed;
76 	u32 disabled_bulk_eps;
77 	unsigned long interface_allowed_mask;
78 	int not_yet_resumed;
79 	bool suspend_allowed;
80 	bool privileges_dropped;
81 };
82 
83 struct usb_memory {
84 	struct list_head memlist;
85 	int vma_use_count;
86 	int urb_use_count;
87 	u32 size;
88 	void *mem;
89 	dma_addr_t dma_handle;
90 	unsigned long vm_start;
91 	struct usb_dev_state *ps;
92 };
93 
94 struct async {
95 	struct list_head asynclist;
96 	struct usb_dev_state *ps;
97 	struct pid *pid;
98 	const struct cred *cred;
99 	unsigned int signr;
100 	unsigned int ifnum;
101 	void __user *userbuffer;
102 	void __user *userurb;
103 	sigval_t userurb_sigval;
104 	struct urb *urb;
105 	struct usb_memory *usbm;
106 	unsigned int mem_usage;
107 	int status;
108 	u8 bulk_addr;
109 	u8 bulk_status;
110 };
111 
112 static bool usbfs_snoop;
113 module_param(usbfs_snoop, bool, S_IRUGO | S_IWUSR);
114 MODULE_PARM_DESC(usbfs_snoop, "true to log all usbfs traffic");
115 
116 static unsigned usbfs_snoop_max = 65536;
117 module_param(usbfs_snoop_max, uint, S_IRUGO | S_IWUSR);
118 MODULE_PARM_DESC(usbfs_snoop_max,
119 		"maximum number of bytes to print while snooping");
120 
121 #define snoop(dev, format, arg...)				\
122 	do {							\
123 		if (usbfs_snoop)				\
124 			dev_info(dev, format, ## arg);		\
125 	} while (0)
126 
127 enum snoop_when {
128 	SUBMIT, COMPLETE
129 };
130 
131 #define USB_DEVICE_DEV		MKDEV(USB_DEVICE_MAJOR, 0)
132 
133 /* Limit on the total amount of memory we can allocate for transfers */
134 static u32 usbfs_memory_mb = 16;
135 module_param(usbfs_memory_mb, uint, 0644);
136 MODULE_PARM_DESC(usbfs_memory_mb,
137 		"maximum MB allowed for usbfs buffers (0 = no limit)");
138 
139 /* Hard limit, necessary to avoid arithmetic overflow */
140 #define USBFS_XFER_MAX         (UINT_MAX / 2 - 1000000)
141 
142 static DEFINE_SPINLOCK(usbfs_memory_usage_lock);
143 static u64 usbfs_memory_usage;	/* Total memory currently allocated */
144 
145 /* Check whether it's okay to allocate more memory for a transfer */
146 static int usbfs_increase_memory_usage(u64 amount)
147 {
148 	u64 lim, total_mem;
149 	unsigned long flags;
150 	int ret;
151 
152 	lim = READ_ONCE(usbfs_memory_mb);
153 	lim <<= 20;
154 
155 	ret = 0;
156 	spin_lock_irqsave(&usbfs_memory_usage_lock, flags);
157 	total_mem = usbfs_memory_usage + amount;
158 	if (lim > 0 && total_mem > lim)
159 		ret = -ENOMEM;
160 	else
161 		usbfs_memory_usage = total_mem;
162 	spin_unlock_irqrestore(&usbfs_memory_usage_lock, flags);
163 
164 	return ret;
165 }
166 
167 /* Memory for a transfer is being deallocated */
168 static void usbfs_decrease_memory_usage(u64 amount)
169 {
170 	unsigned long flags;
171 
172 	spin_lock_irqsave(&usbfs_memory_usage_lock, flags);
173 	if (amount > usbfs_memory_usage)
174 		usbfs_memory_usage = 0;
175 	else
176 		usbfs_memory_usage -= amount;
177 	spin_unlock_irqrestore(&usbfs_memory_usage_lock, flags);
178 }
179 
180 static int connected(struct usb_dev_state *ps)
181 {
182 	return (!list_empty(&ps->list) &&
183 			ps->dev->state != USB_STATE_NOTATTACHED);
184 }
185 
186 static void dec_usb_memory_use_count(struct usb_memory *usbm, int *count)
187 {
188 	struct usb_dev_state *ps = usbm->ps;
189 	unsigned long flags;
190 
191 	spin_lock_irqsave(&ps->lock, flags);
192 	--*count;
193 	if (usbm->urb_use_count == 0 && usbm->vma_use_count == 0) {
194 		list_del(&usbm->memlist);
195 		spin_unlock_irqrestore(&ps->lock, flags);
196 
197 		usb_free_coherent(ps->dev, usbm->size, usbm->mem,
198 				usbm->dma_handle);
199 		usbfs_decrease_memory_usage(
200 			usbm->size + sizeof(struct usb_memory));
201 		kfree(usbm);
202 	} else {
203 		spin_unlock_irqrestore(&ps->lock, flags);
204 	}
205 }
206 
207 static void usbdev_vm_open(struct vm_area_struct *vma)
208 {
209 	struct usb_memory *usbm = vma->vm_private_data;
210 	unsigned long flags;
211 
212 	spin_lock_irqsave(&usbm->ps->lock, flags);
213 	++usbm->vma_use_count;
214 	spin_unlock_irqrestore(&usbm->ps->lock, flags);
215 }
216 
217 static void usbdev_vm_close(struct vm_area_struct *vma)
218 {
219 	struct usb_memory *usbm = vma->vm_private_data;
220 
221 	dec_usb_memory_use_count(usbm, &usbm->vma_use_count);
222 }
223 
224 static const struct vm_operations_struct usbdev_vm_ops = {
225 	.open = usbdev_vm_open,
226 	.close = usbdev_vm_close
227 };
228 
229 static int usbdev_mmap(struct file *file, struct vm_area_struct *vma)
230 {
231 	struct usb_memory *usbm = NULL;
232 	struct usb_dev_state *ps = file->private_data;
233 	struct usb_hcd *hcd = bus_to_hcd(ps->dev->bus);
234 	size_t size = vma->vm_end - vma->vm_start;
235 	void *mem;
236 	unsigned long flags;
237 	dma_addr_t dma_handle;
238 	int ret;
239 
240 	ret = usbfs_increase_memory_usage(size + sizeof(struct usb_memory));
241 	if (ret)
242 		goto error;
243 
244 	usbm = kzalloc(sizeof(struct usb_memory), GFP_KERNEL);
245 	if (!usbm) {
246 		ret = -ENOMEM;
247 		goto error_decrease_mem;
248 	}
249 
250 	mem = usb_alloc_coherent(ps->dev, size, GFP_USER | __GFP_NOWARN,
251 			&dma_handle);
252 	if (!mem) {
253 		ret = -ENOMEM;
254 		goto error_free_usbm;
255 	}
256 
257 	memset(mem, 0, size);
258 
259 	usbm->mem = mem;
260 	usbm->dma_handle = dma_handle;
261 	usbm->size = size;
262 	usbm->ps = ps;
263 	usbm->vm_start = vma->vm_start;
264 	usbm->vma_use_count = 1;
265 	INIT_LIST_HEAD(&usbm->memlist);
266 
267 	if (hcd->localmem_pool || !hcd_uses_dma(hcd)) {
268 		if (remap_pfn_range(vma, vma->vm_start,
269 				    virt_to_phys(usbm->mem) >> PAGE_SHIFT,
270 				    size, vma->vm_page_prot) < 0) {
271 			dec_usb_memory_use_count(usbm, &usbm->vma_use_count);
272 			return -EAGAIN;
273 		}
274 	} else {
275 		if (dma_mmap_coherent(hcd->self.sysdev, vma, mem, dma_handle,
276 				      size)) {
277 			dec_usb_memory_use_count(usbm, &usbm->vma_use_count);
278 			return -EAGAIN;
279 		}
280 	}
281 
282 	vma->vm_flags |= VM_IO;
283 	vma->vm_flags |= (VM_DONTEXPAND | VM_DONTDUMP);
284 	vma->vm_ops = &usbdev_vm_ops;
285 	vma->vm_private_data = usbm;
286 
287 	spin_lock_irqsave(&ps->lock, flags);
288 	list_add_tail(&usbm->memlist, &ps->memory_list);
289 	spin_unlock_irqrestore(&ps->lock, flags);
290 
291 	return 0;
292 
293 error_free_usbm:
294 	kfree(usbm);
295 error_decrease_mem:
296 	usbfs_decrease_memory_usage(size + sizeof(struct usb_memory));
297 error:
298 	return ret;
299 }
300 
301 static ssize_t usbdev_read(struct file *file, char __user *buf, size_t nbytes,
302 			   loff_t *ppos)
303 {
304 	struct usb_dev_state *ps = file->private_data;
305 	struct usb_device *dev = ps->dev;
306 	ssize_t ret = 0;
307 	unsigned len;
308 	loff_t pos;
309 	int i;
310 
311 	pos = *ppos;
312 	usb_lock_device(dev);
313 	if (!connected(ps)) {
314 		ret = -ENODEV;
315 		goto err;
316 	} else if (pos < 0) {
317 		ret = -EINVAL;
318 		goto err;
319 	}
320 
321 	if (pos < sizeof(struct usb_device_descriptor)) {
322 		/* 18 bytes - fits on the stack */
323 		struct usb_device_descriptor temp_desc;
324 
325 		memcpy(&temp_desc, &dev->descriptor, sizeof(dev->descriptor));
326 		le16_to_cpus(&temp_desc.bcdUSB);
327 		le16_to_cpus(&temp_desc.idVendor);
328 		le16_to_cpus(&temp_desc.idProduct);
329 		le16_to_cpus(&temp_desc.bcdDevice);
330 
331 		len = sizeof(struct usb_device_descriptor) - pos;
332 		if (len > nbytes)
333 			len = nbytes;
334 		if (copy_to_user(buf, ((char *)&temp_desc) + pos, len)) {
335 			ret = -EFAULT;
336 			goto err;
337 		}
338 
339 		*ppos += len;
340 		buf += len;
341 		nbytes -= len;
342 		ret += len;
343 	}
344 
345 	pos = sizeof(struct usb_device_descriptor);
346 	for (i = 0; nbytes && i < dev->descriptor.bNumConfigurations; i++) {
347 		struct usb_config_descriptor *config =
348 			(struct usb_config_descriptor *)dev->rawdescriptors[i];
349 		unsigned int length = le16_to_cpu(config->wTotalLength);
350 
351 		if (*ppos < pos + length) {
352 
353 			/* The descriptor may claim to be longer than it
354 			 * really is.  Here is the actual allocated length. */
355 			unsigned alloclen =
356 				le16_to_cpu(dev->config[i].desc.wTotalLength);
357 
358 			len = length - (*ppos - pos);
359 			if (len > nbytes)
360 				len = nbytes;
361 
362 			/* Simply don't write (skip over) unallocated parts */
363 			if (alloclen > (*ppos - pos)) {
364 				alloclen -= (*ppos - pos);
365 				if (copy_to_user(buf,
366 				    dev->rawdescriptors[i] + (*ppos - pos),
367 				    min(len, alloclen))) {
368 					ret = -EFAULT;
369 					goto err;
370 				}
371 			}
372 
373 			*ppos += len;
374 			buf += len;
375 			nbytes -= len;
376 			ret += len;
377 		}
378 
379 		pos += length;
380 	}
381 
382 err:
383 	usb_unlock_device(dev);
384 	return ret;
385 }
386 
387 /*
388  * async list handling
389  */
390 
391 static struct async *alloc_async(unsigned int numisoframes)
392 {
393 	struct async *as;
394 
395 	as = kzalloc(sizeof(struct async), GFP_KERNEL);
396 	if (!as)
397 		return NULL;
398 	as->urb = usb_alloc_urb(numisoframes, GFP_KERNEL);
399 	if (!as->urb) {
400 		kfree(as);
401 		return NULL;
402 	}
403 	return as;
404 }
405 
406 static void free_async(struct async *as)
407 {
408 	int i;
409 
410 	put_pid(as->pid);
411 	if (as->cred)
412 		put_cred(as->cred);
413 	for (i = 0; i < as->urb->num_sgs; i++) {
414 		if (sg_page(&as->urb->sg[i]))
415 			kfree(sg_virt(&as->urb->sg[i]));
416 	}
417 
418 	kfree(as->urb->sg);
419 	if (as->usbm == NULL)
420 		kfree(as->urb->transfer_buffer);
421 	else
422 		dec_usb_memory_use_count(as->usbm, &as->usbm->urb_use_count);
423 
424 	kfree(as->urb->setup_packet);
425 	usb_free_urb(as->urb);
426 	usbfs_decrease_memory_usage(as->mem_usage);
427 	kfree(as);
428 }
429 
430 static void async_newpending(struct async *as)
431 {
432 	struct usb_dev_state *ps = as->ps;
433 	unsigned long flags;
434 
435 	spin_lock_irqsave(&ps->lock, flags);
436 	list_add_tail(&as->asynclist, &ps->async_pending);
437 	spin_unlock_irqrestore(&ps->lock, flags);
438 }
439 
440 static void async_removepending(struct async *as)
441 {
442 	struct usb_dev_state *ps = as->ps;
443 	unsigned long flags;
444 
445 	spin_lock_irqsave(&ps->lock, flags);
446 	list_del_init(&as->asynclist);
447 	spin_unlock_irqrestore(&ps->lock, flags);
448 }
449 
450 static struct async *async_getcompleted(struct usb_dev_state *ps)
451 {
452 	unsigned long flags;
453 	struct async *as = NULL;
454 
455 	spin_lock_irqsave(&ps->lock, flags);
456 	if (!list_empty(&ps->async_completed)) {
457 		as = list_entry(ps->async_completed.next, struct async,
458 				asynclist);
459 		list_del_init(&as->asynclist);
460 	}
461 	spin_unlock_irqrestore(&ps->lock, flags);
462 	return as;
463 }
464 
465 static struct async *async_getpending(struct usb_dev_state *ps,
466 					     void __user *userurb)
467 {
468 	struct async *as;
469 
470 	list_for_each_entry(as, &ps->async_pending, asynclist)
471 		if (as->userurb == userurb) {
472 			list_del_init(&as->asynclist);
473 			return as;
474 		}
475 
476 	return NULL;
477 }
478 
479 static void snoop_urb(struct usb_device *udev,
480 		void __user *userurb, int pipe, unsigned length,
481 		int timeout_or_status, enum snoop_when when,
482 		unsigned char *data, unsigned data_len)
483 {
484 	static const char *types[] = {"isoc", "int", "ctrl", "bulk"};
485 	static const char *dirs[] = {"out", "in"};
486 	int ep;
487 	const char *t, *d;
488 
489 	if (!usbfs_snoop)
490 		return;
491 
492 	ep = usb_pipeendpoint(pipe);
493 	t = types[usb_pipetype(pipe)];
494 	d = dirs[!!usb_pipein(pipe)];
495 
496 	if (userurb) {		/* Async */
497 		if (when == SUBMIT)
498 			dev_info(&udev->dev, "userurb %px, ep%d %s-%s, "
499 					"length %u\n",
500 					userurb, ep, t, d, length);
501 		else
502 			dev_info(&udev->dev, "userurb %px, ep%d %s-%s, "
503 					"actual_length %u status %d\n",
504 					userurb, ep, t, d, length,
505 					timeout_or_status);
506 	} else {
507 		if (when == SUBMIT)
508 			dev_info(&udev->dev, "ep%d %s-%s, length %u, "
509 					"timeout %d\n",
510 					ep, t, d, length, timeout_or_status);
511 		else
512 			dev_info(&udev->dev, "ep%d %s-%s, actual_length %u, "
513 					"status %d\n",
514 					ep, t, d, length, timeout_or_status);
515 	}
516 
517 	data_len = min(data_len, usbfs_snoop_max);
518 	if (data && data_len > 0) {
519 		print_hex_dump(KERN_DEBUG, "data: ", DUMP_PREFIX_NONE, 32, 1,
520 			data, data_len, 1);
521 	}
522 }
523 
524 static void snoop_urb_data(struct urb *urb, unsigned len)
525 {
526 	int i, size;
527 
528 	len = min(len, usbfs_snoop_max);
529 	if (!usbfs_snoop || len == 0)
530 		return;
531 
532 	if (urb->num_sgs == 0) {
533 		print_hex_dump(KERN_DEBUG, "data: ", DUMP_PREFIX_NONE, 32, 1,
534 			urb->transfer_buffer, len, 1);
535 		return;
536 	}
537 
538 	for (i = 0; i < urb->num_sgs && len; i++) {
539 		size = (len > USB_SG_SIZE) ? USB_SG_SIZE : len;
540 		print_hex_dump(KERN_DEBUG, "data: ", DUMP_PREFIX_NONE, 32, 1,
541 			sg_virt(&urb->sg[i]), size, 1);
542 		len -= size;
543 	}
544 }
545 
546 static int copy_urb_data_to_user(u8 __user *userbuffer, struct urb *urb)
547 {
548 	unsigned i, len, size;
549 
550 	if (urb->number_of_packets > 0)		/* Isochronous */
551 		len = urb->transfer_buffer_length;
552 	else					/* Non-Isoc */
553 		len = urb->actual_length;
554 
555 	if (urb->num_sgs == 0) {
556 		if (copy_to_user(userbuffer, urb->transfer_buffer, len))
557 			return -EFAULT;
558 		return 0;
559 	}
560 
561 	for (i = 0; i < urb->num_sgs && len; i++) {
562 		size = (len > USB_SG_SIZE) ? USB_SG_SIZE : len;
563 		if (copy_to_user(userbuffer, sg_virt(&urb->sg[i]), size))
564 			return -EFAULT;
565 		userbuffer += size;
566 		len -= size;
567 	}
568 
569 	return 0;
570 }
571 
572 #define AS_CONTINUATION	1
573 #define AS_UNLINK	2
574 
575 static void cancel_bulk_urbs(struct usb_dev_state *ps, unsigned bulk_addr)
576 __releases(ps->lock)
577 __acquires(ps->lock)
578 {
579 	struct urb *urb;
580 	struct async *as;
581 
582 	/* Mark all the pending URBs that match bulk_addr, up to but not
583 	 * including the first one without AS_CONTINUATION.  If such an
584 	 * URB is encountered then a new transfer has already started so
585 	 * the endpoint doesn't need to be disabled; otherwise it does.
586 	 */
587 	list_for_each_entry(as, &ps->async_pending, asynclist) {
588 		if (as->bulk_addr == bulk_addr) {
589 			if (as->bulk_status != AS_CONTINUATION)
590 				goto rescan;
591 			as->bulk_status = AS_UNLINK;
592 			as->bulk_addr = 0;
593 		}
594 	}
595 	ps->disabled_bulk_eps |= (1 << bulk_addr);
596 
597 	/* Now carefully unlink all the marked pending URBs */
598  rescan:
599 	list_for_each_entry_reverse(as, &ps->async_pending, asynclist) {
600 		if (as->bulk_status == AS_UNLINK) {
601 			as->bulk_status = 0;		/* Only once */
602 			urb = as->urb;
603 			usb_get_urb(urb);
604 			spin_unlock(&ps->lock);		/* Allow completions */
605 			usb_unlink_urb(urb);
606 			usb_put_urb(urb);
607 			spin_lock(&ps->lock);
608 			goto rescan;
609 		}
610 	}
611 }
612 
613 static void async_completed(struct urb *urb)
614 {
615 	struct async *as = urb->context;
616 	struct usb_dev_state *ps = as->ps;
617 	struct pid *pid = NULL;
618 	const struct cred *cred = NULL;
619 	unsigned long flags;
620 	sigval_t addr;
621 	int signr, errno;
622 
623 	spin_lock_irqsave(&ps->lock, flags);
624 	list_move_tail(&as->asynclist, &ps->async_completed);
625 	as->status = urb->status;
626 	signr = as->signr;
627 	if (signr) {
628 		errno = as->status;
629 		addr = as->userurb_sigval;
630 		pid = get_pid(as->pid);
631 		cred = get_cred(as->cred);
632 	}
633 	snoop(&urb->dev->dev, "urb complete\n");
634 	snoop_urb(urb->dev, as->userurb, urb->pipe, urb->actual_length,
635 			as->status, COMPLETE, NULL, 0);
636 	if (usb_urb_dir_in(urb))
637 		snoop_urb_data(urb, urb->actual_length);
638 
639 	if (as->status < 0 && as->bulk_addr && as->status != -ECONNRESET &&
640 			as->status != -ENOENT)
641 		cancel_bulk_urbs(ps, as->bulk_addr);
642 
643 	wake_up(&ps->wait);
644 	spin_unlock_irqrestore(&ps->lock, flags);
645 
646 	if (signr) {
647 		kill_pid_usb_asyncio(signr, errno, addr, pid, cred);
648 		put_pid(pid);
649 		put_cred(cred);
650 	}
651 }
652 
653 static void destroy_async(struct usb_dev_state *ps, struct list_head *list)
654 {
655 	struct urb *urb;
656 	struct async *as;
657 	unsigned long flags;
658 
659 	spin_lock_irqsave(&ps->lock, flags);
660 	while (!list_empty(list)) {
661 		as = list_last_entry(list, struct async, asynclist);
662 		list_del_init(&as->asynclist);
663 		urb = as->urb;
664 		usb_get_urb(urb);
665 
666 		/* drop the spinlock so the completion handler can run */
667 		spin_unlock_irqrestore(&ps->lock, flags);
668 		usb_kill_urb(urb);
669 		usb_put_urb(urb);
670 		spin_lock_irqsave(&ps->lock, flags);
671 	}
672 	spin_unlock_irqrestore(&ps->lock, flags);
673 }
674 
675 static void destroy_async_on_interface(struct usb_dev_state *ps,
676 				       unsigned int ifnum)
677 {
678 	struct list_head *p, *q, hitlist;
679 	unsigned long flags;
680 
681 	INIT_LIST_HEAD(&hitlist);
682 	spin_lock_irqsave(&ps->lock, flags);
683 	list_for_each_safe(p, q, &ps->async_pending)
684 		if (ifnum == list_entry(p, struct async, asynclist)->ifnum)
685 			list_move_tail(p, &hitlist);
686 	spin_unlock_irqrestore(&ps->lock, flags);
687 	destroy_async(ps, &hitlist);
688 }
689 
690 static void destroy_all_async(struct usb_dev_state *ps)
691 {
692 	destroy_async(ps, &ps->async_pending);
693 }
694 
695 /*
696  * interface claims are made only at the request of user level code,
697  * which can also release them (explicitly or by closing files).
698  * they're also undone when devices disconnect.
699  */
700 
701 static int driver_probe(struct usb_interface *intf,
702 			const struct usb_device_id *id)
703 {
704 	return -ENODEV;
705 }
706 
707 static void driver_disconnect(struct usb_interface *intf)
708 {
709 	struct usb_dev_state *ps = usb_get_intfdata(intf);
710 	unsigned int ifnum = intf->altsetting->desc.bInterfaceNumber;
711 
712 	if (!ps)
713 		return;
714 
715 	/* NOTE:  this relies on usbcore having canceled and completed
716 	 * all pending I/O requests; 2.6 does that.
717 	 */
718 
719 	if (likely(ifnum < 8*sizeof(ps->ifclaimed)))
720 		clear_bit(ifnum, &ps->ifclaimed);
721 	else
722 		dev_warn(&intf->dev, "interface number %u out of range\n",
723 			 ifnum);
724 
725 	usb_set_intfdata(intf, NULL);
726 
727 	/* force async requests to complete */
728 	destroy_async_on_interface(ps, ifnum);
729 }
730 
731 /* We don't care about suspend/resume of claimed interfaces */
732 static int driver_suspend(struct usb_interface *intf, pm_message_t msg)
733 {
734 	return 0;
735 }
736 
737 static int driver_resume(struct usb_interface *intf)
738 {
739 	return 0;
740 }
741 
742 /* The following routines apply to the entire device, not interfaces */
743 void usbfs_notify_suspend(struct usb_device *udev)
744 {
745 	/* We don't need to handle this */
746 }
747 
748 void usbfs_notify_resume(struct usb_device *udev)
749 {
750 	struct usb_dev_state *ps;
751 
752 	/* Protect against simultaneous remove or release */
753 	mutex_lock(&usbfs_mutex);
754 	list_for_each_entry(ps, &udev->filelist, list) {
755 		WRITE_ONCE(ps->not_yet_resumed, 0);
756 		wake_up_all(&ps->wait_for_resume);
757 	}
758 	mutex_unlock(&usbfs_mutex);
759 }
760 
761 struct usb_driver usbfs_driver = {
762 	.name =		"usbfs",
763 	.probe =	driver_probe,
764 	.disconnect =	driver_disconnect,
765 	.suspend =	driver_suspend,
766 	.resume =	driver_resume,
767 	.supports_autosuspend = 1,
768 };
769 
770 static int claimintf(struct usb_dev_state *ps, unsigned int ifnum)
771 {
772 	struct usb_device *dev = ps->dev;
773 	struct usb_interface *intf;
774 	int err;
775 
776 	if (ifnum >= 8*sizeof(ps->ifclaimed))
777 		return -EINVAL;
778 	/* already claimed */
779 	if (test_bit(ifnum, &ps->ifclaimed))
780 		return 0;
781 
782 	if (ps->privileges_dropped &&
783 			!test_bit(ifnum, &ps->interface_allowed_mask))
784 		return -EACCES;
785 
786 	intf = usb_ifnum_to_if(dev, ifnum);
787 	if (!intf)
788 		err = -ENOENT;
789 	else {
790 		unsigned int old_suppress;
791 
792 		/* suppress uevents while claiming interface */
793 		old_suppress = dev_get_uevent_suppress(&intf->dev);
794 		dev_set_uevent_suppress(&intf->dev, 1);
795 		err = usb_driver_claim_interface(&usbfs_driver, intf, ps);
796 		dev_set_uevent_suppress(&intf->dev, old_suppress);
797 	}
798 	if (err == 0)
799 		set_bit(ifnum, &ps->ifclaimed);
800 	return err;
801 }
802 
803 static int releaseintf(struct usb_dev_state *ps, unsigned int ifnum)
804 {
805 	struct usb_device *dev;
806 	struct usb_interface *intf;
807 	int err;
808 
809 	err = -EINVAL;
810 	if (ifnum >= 8*sizeof(ps->ifclaimed))
811 		return err;
812 	dev = ps->dev;
813 	intf = usb_ifnum_to_if(dev, ifnum);
814 	if (!intf)
815 		err = -ENOENT;
816 	else if (test_and_clear_bit(ifnum, &ps->ifclaimed)) {
817 		unsigned int old_suppress;
818 
819 		/* suppress uevents while releasing interface */
820 		old_suppress = dev_get_uevent_suppress(&intf->dev);
821 		dev_set_uevent_suppress(&intf->dev, 1);
822 		usb_driver_release_interface(&usbfs_driver, intf);
823 		dev_set_uevent_suppress(&intf->dev, old_suppress);
824 		err = 0;
825 	}
826 	return err;
827 }
828 
829 static int checkintf(struct usb_dev_state *ps, unsigned int ifnum)
830 {
831 	if (ps->dev->state != USB_STATE_CONFIGURED)
832 		return -EHOSTUNREACH;
833 	if (ifnum >= 8*sizeof(ps->ifclaimed))
834 		return -EINVAL;
835 	if (test_bit(ifnum, &ps->ifclaimed))
836 		return 0;
837 	/* if not yet claimed, claim it for the driver */
838 	dev_warn(&ps->dev->dev, "usbfs: process %d (%s) did not claim "
839 		 "interface %u before use\n", task_pid_nr(current),
840 		 current->comm, ifnum);
841 	return claimintf(ps, ifnum);
842 }
843 
844 static int findintfep(struct usb_device *dev, unsigned int ep)
845 {
846 	unsigned int i, j, e;
847 	struct usb_interface *intf;
848 	struct usb_host_interface *alts;
849 	struct usb_endpoint_descriptor *endpt;
850 
851 	if (ep & ~(USB_DIR_IN|0xf))
852 		return -EINVAL;
853 	if (!dev->actconfig)
854 		return -ESRCH;
855 	for (i = 0; i < dev->actconfig->desc.bNumInterfaces; i++) {
856 		intf = dev->actconfig->interface[i];
857 		for (j = 0; j < intf->num_altsetting; j++) {
858 			alts = &intf->altsetting[j];
859 			for (e = 0; e < alts->desc.bNumEndpoints; e++) {
860 				endpt = &alts->endpoint[e].desc;
861 				if (endpt->bEndpointAddress == ep)
862 					return alts->desc.bInterfaceNumber;
863 			}
864 		}
865 	}
866 	return -ENOENT;
867 }
868 
869 static int check_ctrlrecip(struct usb_dev_state *ps, unsigned int requesttype,
870 			   unsigned int request, unsigned int index)
871 {
872 	int ret = 0;
873 	struct usb_host_interface *alt_setting;
874 
875 	if (ps->dev->state != USB_STATE_UNAUTHENTICATED
876 	 && ps->dev->state != USB_STATE_ADDRESS
877 	 && ps->dev->state != USB_STATE_CONFIGURED)
878 		return -EHOSTUNREACH;
879 	if (USB_TYPE_VENDOR == (USB_TYPE_MASK & requesttype))
880 		return 0;
881 
882 	/*
883 	 * check for the special corner case 'get_device_id' in the printer
884 	 * class specification, which we always want to allow as it is used
885 	 * to query things like ink level, etc.
886 	 */
887 	if (requesttype == 0xa1 && request == 0) {
888 		alt_setting = usb_find_alt_setting(ps->dev->actconfig,
889 						   index >> 8, index & 0xff);
890 		if (alt_setting
891 		 && alt_setting->desc.bInterfaceClass == USB_CLASS_PRINTER)
892 			return 0;
893 	}
894 
895 	index &= 0xff;
896 	switch (requesttype & USB_RECIP_MASK) {
897 	case USB_RECIP_ENDPOINT:
898 		if ((index & ~USB_DIR_IN) == 0)
899 			return 0;
900 		ret = findintfep(ps->dev, index);
901 		if (ret < 0) {
902 			/*
903 			 * Some not fully compliant Win apps seem to get
904 			 * index wrong and have the endpoint number here
905 			 * rather than the endpoint address (with the
906 			 * correct direction). Win does let this through,
907 			 * so we'll not reject it here but leave it to
908 			 * the device to not break KVM. But we warn.
909 			 */
910 			ret = findintfep(ps->dev, index ^ 0x80);
911 			if (ret >= 0)
912 				dev_info(&ps->dev->dev,
913 					"%s: process %i (%s) requesting ep %02x but needs %02x\n",
914 					__func__, task_pid_nr(current),
915 					current->comm, index, index ^ 0x80);
916 		}
917 		if (ret >= 0)
918 			ret = checkintf(ps, ret);
919 		break;
920 
921 	case USB_RECIP_INTERFACE:
922 		ret = checkintf(ps, index);
923 		break;
924 	}
925 	return ret;
926 }
927 
928 static struct usb_host_endpoint *ep_to_host_endpoint(struct usb_device *dev,
929 						     unsigned char ep)
930 {
931 	if (ep & USB_ENDPOINT_DIR_MASK)
932 		return dev->ep_in[ep & USB_ENDPOINT_NUMBER_MASK];
933 	else
934 		return dev->ep_out[ep & USB_ENDPOINT_NUMBER_MASK];
935 }
936 
937 static int parse_usbdevfs_streams(struct usb_dev_state *ps,
938 				  struct usbdevfs_streams __user *streams,
939 				  unsigned int *num_streams_ret,
940 				  unsigned int *num_eps_ret,
941 				  struct usb_host_endpoint ***eps_ret,
942 				  struct usb_interface **intf_ret)
943 {
944 	unsigned int i, num_streams, num_eps;
945 	struct usb_host_endpoint **eps;
946 	struct usb_interface *intf = NULL;
947 	unsigned char ep;
948 	int ifnum, ret;
949 
950 	if (get_user(num_streams, &streams->num_streams) ||
951 	    get_user(num_eps, &streams->num_eps))
952 		return -EFAULT;
953 
954 	if (num_eps < 1 || num_eps > USB_MAXENDPOINTS)
955 		return -EINVAL;
956 
957 	/* The XHCI controller allows max 2 ^ 16 streams */
958 	if (num_streams_ret && (num_streams < 2 || num_streams > 65536))
959 		return -EINVAL;
960 
961 	eps = kmalloc_array(num_eps, sizeof(*eps), GFP_KERNEL);
962 	if (!eps)
963 		return -ENOMEM;
964 
965 	for (i = 0; i < num_eps; i++) {
966 		if (get_user(ep, &streams->eps[i])) {
967 			ret = -EFAULT;
968 			goto error;
969 		}
970 		eps[i] = ep_to_host_endpoint(ps->dev, ep);
971 		if (!eps[i]) {
972 			ret = -EINVAL;
973 			goto error;
974 		}
975 
976 		/* usb_alloc/free_streams operate on an usb_interface */
977 		ifnum = findintfep(ps->dev, ep);
978 		if (ifnum < 0) {
979 			ret = ifnum;
980 			goto error;
981 		}
982 
983 		if (i == 0) {
984 			ret = checkintf(ps, ifnum);
985 			if (ret < 0)
986 				goto error;
987 			intf = usb_ifnum_to_if(ps->dev, ifnum);
988 		} else {
989 			/* Verify all eps belong to the same interface */
990 			if (ifnum != intf->altsetting->desc.bInterfaceNumber) {
991 				ret = -EINVAL;
992 				goto error;
993 			}
994 		}
995 	}
996 
997 	if (num_streams_ret)
998 		*num_streams_ret = num_streams;
999 	*num_eps_ret = num_eps;
1000 	*eps_ret = eps;
1001 	*intf_ret = intf;
1002 
1003 	return 0;
1004 
1005 error:
1006 	kfree(eps);
1007 	return ret;
1008 }
1009 
1010 static struct usb_device *usbdev_lookup_by_devt(dev_t devt)
1011 {
1012 	struct device *dev;
1013 
1014 	dev = bus_find_device_by_devt(&usb_bus_type, devt);
1015 	if (!dev)
1016 		return NULL;
1017 	return to_usb_device(dev);
1018 }
1019 
1020 /*
1021  * file operations
1022  */
1023 static int usbdev_open(struct inode *inode, struct file *file)
1024 {
1025 	struct usb_device *dev = NULL;
1026 	struct usb_dev_state *ps;
1027 	int ret;
1028 
1029 	ret = -ENOMEM;
1030 	ps = kzalloc(sizeof(struct usb_dev_state), GFP_KERNEL);
1031 	if (!ps)
1032 		goto out_free_ps;
1033 
1034 	ret = -ENODEV;
1035 
1036 	/* usbdev device-node */
1037 	if (imajor(inode) == USB_DEVICE_MAJOR)
1038 		dev = usbdev_lookup_by_devt(inode->i_rdev);
1039 	if (!dev)
1040 		goto out_free_ps;
1041 
1042 	usb_lock_device(dev);
1043 	if (dev->state == USB_STATE_NOTATTACHED)
1044 		goto out_unlock_device;
1045 
1046 	ret = usb_autoresume_device(dev);
1047 	if (ret)
1048 		goto out_unlock_device;
1049 
1050 	ps->dev = dev;
1051 	ps->file = file;
1052 	ps->interface_allowed_mask = 0xFFFFFFFF; /* 32 bits */
1053 	spin_lock_init(&ps->lock);
1054 	INIT_LIST_HEAD(&ps->list);
1055 	INIT_LIST_HEAD(&ps->async_pending);
1056 	INIT_LIST_HEAD(&ps->async_completed);
1057 	INIT_LIST_HEAD(&ps->memory_list);
1058 	init_waitqueue_head(&ps->wait);
1059 	init_waitqueue_head(&ps->wait_for_resume);
1060 	ps->disc_pid = get_pid(task_pid(current));
1061 	ps->cred = get_current_cred();
1062 	smp_wmb();
1063 
1064 	/* Can't race with resume; the device is already active */
1065 	list_add_tail(&ps->list, &dev->filelist);
1066 	file->private_data = ps;
1067 	usb_unlock_device(dev);
1068 	snoop(&dev->dev, "opened by process %d: %s\n", task_pid_nr(current),
1069 			current->comm);
1070 	return ret;
1071 
1072  out_unlock_device:
1073 	usb_unlock_device(dev);
1074 	usb_put_dev(dev);
1075  out_free_ps:
1076 	kfree(ps);
1077 	return ret;
1078 }
1079 
1080 static int usbdev_release(struct inode *inode, struct file *file)
1081 {
1082 	struct usb_dev_state *ps = file->private_data;
1083 	struct usb_device *dev = ps->dev;
1084 	unsigned int ifnum;
1085 	struct async *as;
1086 
1087 	usb_lock_device(dev);
1088 	usb_hub_release_all_ports(dev, ps);
1089 
1090 	/* Protect against simultaneous resume */
1091 	mutex_lock(&usbfs_mutex);
1092 	list_del_init(&ps->list);
1093 	mutex_unlock(&usbfs_mutex);
1094 
1095 	for (ifnum = 0; ps->ifclaimed && ifnum < 8*sizeof(ps->ifclaimed);
1096 			ifnum++) {
1097 		if (test_bit(ifnum, &ps->ifclaimed))
1098 			releaseintf(ps, ifnum);
1099 	}
1100 	destroy_all_async(ps);
1101 	if (!ps->suspend_allowed)
1102 		usb_autosuspend_device(dev);
1103 	usb_unlock_device(dev);
1104 	usb_put_dev(dev);
1105 	put_pid(ps->disc_pid);
1106 	put_cred(ps->cred);
1107 
1108 	as = async_getcompleted(ps);
1109 	while (as) {
1110 		free_async(as);
1111 		as = async_getcompleted(ps);
1112 	}
1113 
1114 	kfree(ps);
1115 	return 0;
1116 }
1117 
1118 static void usbfs_blocking_completion(struct urb *urb)
1119 {
1120 	complete((struct completion *) urb->context);
1121 }
1122 
1123 /*
1124  * Much like usb_start_wait_urb, but returns status separately from
1125  * actual_length and uses a killable wait.
1126  */
1127 static int usbfs_start_wait_urb(struct urb *urb, int timeout,
1128 		unsigned int *actlen)
1129 {
1130 	DECLARE_COMPLETION_ONSTACK(ctx);
1131 	unsigned long expire;
1132 	int rc;
1133 
1134 	urb->context = &ctx;
1135 	urb->complete = usbfs_blocking_completion;
1136 	*actlen = 0;
1137 	rc = usb_submit_urb(urb, GFP_KERNEL);
1138 	if (unlikely(rc))
1139 		return rc;
1140 
1141 	expire = (timeout ? msecs_to_jiffies(timeout) : MAX_SCHEDULE_TIMEOUT);
1142 	rc = wait_for_completion_killable_timeout(&ctx, expire);
1143 	if (rc <= 0) {
1144 		usb_kill_urb(urb);
1145 		*actlen = urb->actual_length;
1146 		if (urb->status != -ENOENT)
1147 			;	/* Completed before it was killed */
1148 		else if (rc < 0)
1149 			return -EINTR;
1150 		else
1151 			return -ETIMEDOUT;
1152 	}
1153 	*actlen = urb->actual_length;
1154 	return urb->status;
1155 }
1156 
1157 static int do_proc_control(struct usb_dev_state *ps,
1158 		struct usbdevfs_ctrltransfer *ctrl)
1159 {
1160 	struct usb_device *dev = ps->dev;
1161 	unsigned int tmo;
1162 	unsigned char *tbuf;
1163 	unsigned int wLength, actlen;
1164 	int i, pipe, ret;
1165 	struct urb *urb = NULL;
1166 	struct usb_ctrlrequest *dr = NULL;
1167 
1168 	ret = check_ctrlrecip(ps, ctrl->bRequestType, ctrl->bRequest,
1169 			      ctrl->wIndex);
1170 	if (ret)
1171 		return ret;
1172 	wLength = ctrl->wLength;	/* To suppress 64k PAGE_SIZE warning */
1173 	if (wLength > PAGE_SIZE)
1174 		return -EINVAL;
1175 	ret = usbfs_increase_memory_usage(PAGE_SIZE + sizeof(struct urb) +
1176 			sizeof(struct usb_ctrlrequest));
1177 	if (ret)
1178 		return ret;
1179 
1180 	ret = -ENOMEM;
1181 	tbuf = (unsigned char *)__get_free_page(GFP_KERNEL);
1182 	if (!tbuf)
1183 		goto done;
1184 	urb = usb_alloc_urb(0, GFP_NOIO);
1185 	if (!urb)
1186 		goto done;
1187 	dr = kmalloc(sizeof(struct usb_ctrlrequest), GFP_NOIO);
1188 	if (!dr)
1189 		goto done;
1190 
1191 	dr->bRequestType = ctrl->bRequestType;
1192 	dr->bRequest = ctrl->bRequest;
1193 	dr->wValue = cpu_to_le16(ctrl->wValue);
1194 	dr->wIndex = cpu_to_le16(ctrl->wIndex);
1195 	dr->wLength = cpu_to_le16(ctrl->wLength);
1196 
1197 	tmo = ctrl->timeout;
1198 	snoop(&dev->dev, "control urb: bRequestType=%02x "
1199 		"bRequest=%02x wValue=%04x "
1200 		"wIndex=%04x wLength=%04x\n",
1201 		ctrl->bRequestType, ctrl->bRequest, ctrl->wValue,
1202 		ctrl->wIndex, ctrl->wLength);
1203 
1204 	if ((ctrl->bRequestType & USB_DIR_IN) && wLength) {
1205 		pipe = usb_rcvctrlpipe(dev, 0);
1206 		usb_fill_control_urb(urb, dev, pipe, (unsigned char *) dr, tbuf,
1207 				wLength, NULL, NULL);
1208 		snoop_urb(dev, NULL, pipe, wLength, tmo, SUBMIT, NULL, 0);
1209 
1210 		usb_unlock_device(dev);
1211 		i = usbfs_start_wait_urb(urb, tmo, &actlen);
1212 		usb_lock_device(dev);
1213 		snoop_urb(dev, NULL, pipe, actlen, i, COMPLETE, tbuf, actlen);
1214 		if (!i && actlen) {
1215 			if (copy_to_user(ctrl->data, tbuf, actlen)) {
1216 				ret = -EFAULT;
1217 				goto recv_fault;
1218 			}
1219 		}
1220 	} else {
1221 		if (wLength) {
1222 			if (copy_from_user(tbuf, ctrl->data, wLength)) {
1223 				ret = -EFAULT;
1224 				goto done;
1225 			}
1226 		}
1227 		pipe = usb_sndctrlpipe(dev, 0);
1228 		usb_fill_control_urb(urb, dev, pipe, (unsigned char *) dr, tbuf,
1229 				wLength, NULL, NULL);
1230 		snoop_urb(dev, NULL, pipe, wLength, tmo, SUBMIT, tbuf, wLength);
1231 
1232 		usb_unlock_device(dev);
1233 		i = usbfs_start_wait_urb(urb, tmo, &actlen);
1234 		usb_lock_device(dev);
1235 		snoop_urb(dev, NULL, pipe, actlen, i, COMPLETE, NULL, 0);
1236 	}
1237 	if (i < 0 && i != -EPIPE) {
1238 		dev_printk(KERN_DEBUG, &dev->dev, "usbfs: USBDEVFS_CONTROL "
1239 			   "failed cmd %s rqt %u rq %u len %u ret %d\n",
1240 			   current->comm, ctrl->bRequestType, ctrl->bRequest,
1241 			   ctrl->wLength, i);
1242 	}
1243 	ret = (i < 0 ? i : actlen);
1244 
1245  recv_fault:
1246 	/* Linger a bit, prior to the next control message. */
1247 	if (dev->quirks & USB_QUIRK_DELAY_CTRL_MSG)
1248 		msleep(200);
1249  done:
1250 	kfree(dr);
1251 	usb_free_urb(urb);
1252 	free_page((unsigned long) tbuf);
1253 	usbfs_decrease_memory_usage(PAGE_SIZE + sizeof(struct urb) +
1254 			sizeof(struct usb_ctrlrequest));
1255 	return ret;
1256 }
1257 
1258 static int proc_control(struct usb_dev_state *ps, void __user *arg)
1259 {
1260 	struct usbdevfs_ctrltransfer ctrl;
1261 
1262 	if (copy_from_user(&ctrl, arg, sizeof(ctrl)))
1263 		return -EFAULT;
1264 	return do_proc_control(ps, &ctrl);
1265 }
1266 
1267 static int do_proc_bulk(struct usb_dev_state *ps,
1268 		struct usbdevfs_bulktransfer *bulk)
1269 {
1270 	struct usb_device *dev = ps->dev;
1271 	unsigned int tmo, len1, len2, pipe;
1272 	unsigned char *tbuf;
1273 	int i, ret;
1274 	struct urb *urb = NULL;
1275 	struct usb_host_endpoint *ep;
1276 
1277 	ret = findintfep(ps->dev, bulk->ep);
1278 	if (ret < 0)
1279 		return ret;
1280 	ret = checkintf(ps, ret);
1281 	if (ret)
1282 		return ret;
1283 
1284 	len1 = bulk->len;
1285 	if (len1 < 0 || len1 >= (INT_MAX - sizeof(struct urb)))
1286 		return -EINVAL;
1287 
1288 	if (bulk->ep & USB_DIR_IN)
1289 		pipe = usb_rcvbulkpipe(dev, bulk->ep & 0x7f);
1290 	else
1291 		pipe = usb_sndbulkpipe(dev, bulk->ep & 0x7f);
1292 	ep = usb_pipe_endpoint(dev, pipe);
1293 	if (!ep || !usb_endpoint_maxp(&ep->desc))
1294 		return -EINVAL;
1295 	ret = usbfs_increase_memory_usage(len1 + sizeof(struct urb));
1296 	if (ret)
1297 		return ret;
1298 
1299 	/*
1300 	 * len1 can be almost arbitrarily large.  Don't WARN if it's
1301 	 * too big, just fail the request.
1302 	 */
1303 	ret = -ENOMEM;
1304 	tbuf = kmalloc(len1, GFP_KERNEL | __GFP_NOWARN);
1305 	if (!tbuf)
1306 		goto done;
1307 	urb = usb_alloc_urb(0, GFP_KERNEL);
1308 	if (!urb)
1309 		goto done;
1310 
1311 	if ((ep->desc.bmAttributes & USB_ENDPOINT_XFERTYPE_MASK) ==
1312 			USB_ENDPOINT_XFER_INT) {
1313 		pipe = (pipe & ~(3 << 30)) | (PIPE_INTERRUPT << 30);
1314 		usb_fill_int_urb(urb, dev, pipe, tbuf, len1,
1315 				NULL, NULL, ep->desc.bInterval);
1316 	} else {
1317 		usb_fill_bulk_urb(urb, dev, pipe, tbuf, len1, NULL, NULL);
1318 	}
1319 
1320 	tmo = bulk->timeout;
1321 	if (bulk->ep & 0x80) {
1322 		snoop_urb(dev, NULL, pipe, len1, tmo, SUBMIT, NULL, 0);
1323 
1324 		usb_unlock_device(dev);
1325 		i = usbfs_start_wait_urb(urb, tmo, &len2);
1326 		usb_lock_device(dev);
1327 		snoop_urb(dev, NULL, pipe, len2, i, COMPLETE, tbuf, len2);
1328 
1329 		if (!i && len2) {
1330 			if (copy_to_user(bulk->data, tbuf, len2)) {
1331 				ret = -EFAULT;
1332 				goto done;
1333 			}
1334 		}
1335 	} else {
1336 		if (len1) {
1337 			if (copy_from_user(tbuf, bulk->data, len1)) {
1338 				ret = -EFAULT;
1339 				goto done;
1340 			}
1341 		}
1342 		snoop_urb(dev, NULL, pipe, len1, tmo, SUBMIT, tbuf, len1);
1343 
1344 		usb_unlock_device(dev);
1345 		i = usbfs_start_wait_urb(urb, tmo, &len2);
1346 		usb_lock_device(dev);
1347 		snoop_urb(dev, NULL, pipe, len2, i, COMPLETE, NULL, 0);
1348 	}
1349 	ret = (i < 0 ? i : len2);
1350  done:
1351 	usb_free_urb(urb);
1352 	kfree(tbuf);
1353 	usbfs_decrease_memory_usage(len1 + sizeof(struct urb));
1354 	return ret;
1355 }
1356 
1357 static int proc_bulk(struct usb_dev_state *ps, void __user *arg)
1358 {
1359 	struct usbdevfs_bulktransfer bulk;
1360 
1361 	if (copy_from_user(&bulk, arg, sizeof(bulk)))
1362 		return -EFAULT;
1363 	return do_proc_bulk(ps, &bulk);
1364 }
1365 
1366 static void check_reset_of_active_ep(struct usb_device *udev,
1367 		unsigned int epnum, char *ioctl_name)
1368 {
1369 	struct usb_host_endpoint **eps;
1370 	struct usb_host_endpoint *ep;
1371 
1372 	eps = (epnum & USB_DIR_IN) ? udev->ep_in : udev->ep_out;
1373 	ep = eps[epnum & 0x0f];
1374 	if (ep && !list_empty(&ep->urb_list))
1375 		dev_warn(&udev->dev, "Process %d (%s) called USBDEVFS_%s for active endpoint 0x%02x\n",
1376 				task_pid_nr(current), current->comm,
1377 				ioctl_name, epnum);
1378 }
1379 
1380 static int proc_resetep(struct usb_dev_state *ps, void __user *arg)
1381 {
1382 	unsigned int ep;
1383 	int ret;
1384 
1385 	if (get_user(ep, (unsigned int __user *)arg))
1386 		return -EFAULT;
1387 	ret = findintfep(ps->dev, ep);
1388 	if (ret < 0)
1389 		return ret;
1390 	ret = checkintf(ps, ret);
1391 	if (ret)
1392 		return ret;
1393 	check_reset_of_active_ep(ps->dev, ep, "RESETEP");
1394 	usb_reset_endpoint(ps->dev, ep);
1395 	return 0;
1396 }
1397 
1398 static int proc_clearhalt(struct usb_dev_state *ps, void __user *arg)
1399 {
1400 	unsigned int ep;
1401 	int pipe;
1402 	int ret;
1403 
1404 	if (get_user(ep, (unsigned int __user *)arg))
1405 		return -EFAULT;
1406 	ret = findintfep(ps->dev, ep);
1407 	if (ret < 0)
1408 		return ret;
1409 	ret = checkintf(ps, ret);
1410 	if (ret)
1411 		return ret;
1412 	check_reset_of_active_ep(ps->dev, ep, "CLEAR_HALT");
1413 	if (ep & USB_DIR_IN)
1414 		pipe = usb_rcvbulkpipe(ps->dev, ep & 0x7f);
1415 	else
1416 		pipe = usb_sndbulkpipe(ps->dev, ep & 0x7f);
1417 
1418 	return usb_clear_halt(ps->dev, pipe);
1419 }
1420 
1421 static int proc_getdriver(struct usb_dev_state *ps, void __user *arg)
1422 {
1423 	struct usbdevfs_getdriver gd;
1424 	struct usb_interface *intf;
1425 	int ret;
1426 
1427 	if (copy_from_user(&gd, arg, sizeof(gd)))
1428 		return -EFAULT;
1429 	intf = usb_ifnum_to_if(ps->dev, gd.interface);
1430 	if (!intf || !intf->dev.driver)
1431 		ret = -ENODATA;
1432 	else {
1433 		strlcpy(gd.driver, intf->dev.driver->name,
1434 				sizeof(gd.driver));
1435 		ret = (copy_to_user(arg, &gd, sizeof(gd)) ? -EFAULT : 0);
1436 	}
1437 	return ret;
1438 }
1439 
1440 static int proc_connectinfo(struct usb_dev_state *ps, void __user *arg)
1441 {
1442 	struct usbdevfs_connectinfo ci;
1443 
1444 	memset(&ci, 0, sizeof(ci));
1445 	ci.devnum = ps->dev->devnum;
1446 	ci.slow = ps->dev->speed == USB_SPEED_LOW;
1447 
1448 	if (copy_to_user(arg, &ci, sizeof(ci)))
1449 		return -EFAULT;
1450 	return 0;
1451 }
1452 
1453 static int proc_conninfo_ex(struct usb_dev_state *ps,
1454 			    void __user *arg, size_t size)
1455 {
1456 	struct usbdevfs_conninfo_ex ci;
1457 	struct usb_device *udev = ps->dev;
1458 
1459 	if (size < sizeof(ci.size))
1460 		return -EINVAL;
1461 
1462 	memset(&ci, 0, sizeof(ci));
1463 	ci.size = sizeof(ci);
1464 	ci.busnum = udev->bus->busnum;
1465 	ci.devnum = udev->devnum;
1466 	ci.speed = udev->speed;
1467 
1468 	while (udev && udev->portnum != 0) {
1469 		if (++ci.num_ports <= ARRAY_SIZE(ci.ports))
1470 			ci.ports[ARRAY_SIZE(ci.ports) - ci.num_ports] =
1471 					udev->portnum;
1472 		udev = udev->parent;
1473 	}
1474 
1475 	if (ci.num_ports < ARRAY_SIZE(ci.ports))
1476 		memmove(&ci.ports[0],
1477 			&ci.ports[ARRAY_SIZE(ci.ports) - ci.num_ports],
1478 			ci.num_ports);
1479 
1480 	if (copy_to_user(arg, &ci, min(sizeof(ci), size)))
1481 		return -EFAULT;
1482 
1483 	return 0;
1484 }
1485 
1486 static int proc_resetdevice(struct usb_dev_state *ps)
1487 {
1488 	struct usb_host_config *actconfig = ps->dev->actconfig;
1489 	struct usb_interface *interface;
1490 	int i, number;
1491 
1492 	/* Don't allow a device reset if the process has dropped the
1493 	 * privilege to do such things and any of the interfaces are
1494 	 * currently claimed.
1495 	 */
1496 	if (ps->privileges_dropped && actconfig) {
1497 		for (i = 0; i < actconfig->desc.bNumInterfaces; ++i) {
1498 			interface = actconfig->interface[i];
1499 			number = interface->cur_altsetting->desc.bInterfaceNumber;
1500 			if (usb_interface_claimed(interface) &&
1501 					!test_bit(number, &ps->ifclaimed)) {
1502 				dev_warn(&ps->dev->dev,
1503 					"usbfs: interface %d claimed by %s while '%s' resets device\n",
1504 					number,	interface->dev.driver->name, current->comm);
1505 				return -EACCES;
1506 			}
1507 		}
1508 	}
1509 
1510 	return usb_reset_device(ps->dev);
1511 }
1512 
1513 static int proc_setintf(struct usb_dev_state *ps, void __user *arg)
1514 {
1515 	struct usbdevfs_setinterface setintf;
1516 	int ret;
1517 
1518 	if (copy_from_user(&setintf, arg, sizeof(setintf)))
1519 		return -EFAULT;
1520 	ret = checkintf(ps, setintf.interface);
1521 	if (ret)
1522 		return ret;
1523 
1524 	destroy_async_on_interface(ps, setintf.interface);
1525 
1526 	return usb_set_interface(ps->dev, setintf.interface,
1527 			setintf.altsetting);
1528 }
1529 
1530 static int proc_setconfig(struct usb_dev_state *ps, void __user *arg)
1531 {
1532 	int u;
1533 	int status = 0;
1534 	struct usb_host_config *actconfig;
1535 
1536 	if (get_user(u, (int __user *)arg))
1537 		return -EFAULT;
1538 
1539 	actconfig = ps->dev->actconfig;
1540 
1541 	/* Don't touch the device if any interfaces are claimed.
1542 	 * It could interfere with other drivers' operations, and if
1543 	 * an interface is claimed by usbfs it could easily deadlock.
1544 	 */
1545 	if (actconfig) {
1546 		int i;
1547 
1548 		for (i = 0; i < actconfig->desc.bNumInterfaces; ++i) {
1549 			if (usb_interface_claimed(actconfig->interface[i])) {
1550 				dev_warn(&ps->dev->dev,
1551 					"usbfs: interface %d claimed by %s "
1552 					"while '%s' sets config #%d\n",
1553 					actconfig->interface[i]
1554 						->cur_altsetting
1555 						->desc.bInterfaceNumber,
1556 					actconfig->interface[i]
1557 						->dev.driver->name,
1558 					current->comm, u);
1559 				status = -EBUSY;
1560 				break;
1561 			}
1562 		}
1563 	}
1564 
1565 	/* SET_CONFIGURATION is often abused as a "cheap" driver reset,
1566 	 * so avoid usb_set_configuration()'s kick to sysfs
1567 	 */
1568 	if (status == 0) {
1569 		if (actconfig && actconfig->desc.bConfigurationValue == u)
1570 			status = usb_reset_configuration(ps->dev);
1571 		else
1572 			status = usb_set_configuration(ps->dev, u);
1573 	}
1574 
1575 	return status;
1576 }
1577 
1578 static struct usb_memory *
1579 find_memory_area(struct usb_dev_state *ps, const struct usbdevfs_urb *uurb)
1580 {
1581 	struct usb_memory *usbm = NULL, *iter;
1582 	unsigned long flags;
1583 	unsigned long uurb_start = (unsigned long)uurb->buffer;
1584 
1585 	spin_lock_irqsave(&ps->lock, flags);
1586 	list_for_each_entry(iter, &ps->memory_list, memlist) {
1587 		if (uurb_start >= iter->vm_start &&
1588 				uurb_start < iter->vm_start + iter->size) {
1589 			if (uurb->buffer_length > iter->vm_start + iter->size -
1590 					uurb_start) {
1591 				usbm = ERR_PTR(-EINVAL);
1592 			} else {
1593 				usbm = iter;
1594 				usbm->urb_use_count++;
1595 			}
1596 			break;
1597 		}
1598 	}
1599 	spin_unlock_irqrestore(&ps->lock, flags);
1600 	return usbm;
1601 }
1602 
1603 static int proc_do_submiturb(struct usb_dev_state *ps, struct usbdevfs_urb *uurb,
1604 			struct usbdevfs_iso_packet_desc __user *iso_frame_desc,
1605 			void __user *arg, sigval_t userurb_sigval)
1606 {
1607 	struct usbdevfs_iso_packet_desc *isopkt = NULL;
1608 	struct usb_host_endpoint *ep;
1609 	struct async *as = NULL;
1610 	struct usb_ctrlrequest *dr = NULL;
1611 	unsigned int u, totlen, isofrmlen;
1612 	int i, ret, num_sgs = 0, ifnum = -1;
1613 	int number_of_packets = 0;
1614 	unsigned int stream_id = 0;
1615 	void *buf;
1616 	bool is_in;
1617 	bool allow_short = false;
1618 	bool allow_zero = false;
1619 	unsigned long mask =	USBDEVFS_URB_SHORT_NOT_OK |
1620 				USBDEVFS_URB_BULK_CONTINUATION |
1621 				USBDEVFS_URB_NO_FSBR |
1622 				USBDEVFS_URB_ZERO_PACKET |
1623 				USBDEVFS_URB_NO_INTERRUPT;
1624 	/* USBDEVFS_URB_ISO_ASAP is a special case */
1625 	if (uurb->type == USBDEVFS_URB_TYPE_ISO)
1626 		mask |= USBDEVFS_URB_ISO_ASAP;
1627 
1628 	if (uurb->flags & ~mask)
1629 			return -EINVAL;
1630 
1631 	if ((unsigned int)uurb->buffer_length >= USBFS_XFER_MAX)
1632 		return -EINVAL;
1633 	if (uurb->buffer_length > 0 && !uurb->buffer)
1634 		return -EINVAL;
1635 	if (!(uurb->type == USBDEVFS_URB_TYPE_CONTROL &&
1636 	    (uurb->endpoint & ~USB_ENDPOINT_DIR_MASK) == 0)) {
1637 		ifnum = findintfep(ps->dev, uurb->endpoint);
1638 		if (ifnum < 0)
1639 			return ifnum;
1640 		ret = checkintf(ps, ifnum);
1641 		if (ret)
1642 			return ret;
1643 	}
1644 	ep = ep_to_host_endpoint(ps->dev, uurb->endpoint);
1645 	if (!ep)
1646 		return -ENOENT;
1647 	is_in = (uurb->endpoint & USB_ENDPOINT_DIR_MASK) != 0;
1648 
1649 	u = 0;
1650 	switch (uurb->type) {
1651 	case USBDEVFS_URB_TYPE_CONTROL:
1652 		if (!usb_endpoint_xfer_control(&ep->desc))
1653 			return -EINVAL;
1654 		/* min 8 byte setup packet */
1655 		if (uurb->buffer_length < 8)
1656 			return -EINVAL;
1657 		dr = kmalloc(sizeof(struct usb_ctrlrequest), GFP_KERNEL);
1658 		if (!dr)
1659 			return -ENOMEM;
1660 		if (copy_from_user(dr, uurb->buffer, 8)) {
1661 			ret = -EFAULT;
1662 			goto error;
1663 		}
1664 		if (uurb->buffer_length < (le16_to_cpu(dr->wLength) + 8)) {
1665 			ret = -EINVAL;
1666 			goto error;
1667 		}
1668 		ret = check_ctrlrecip(ps, dr->bRequestType, dr->bRequest,
1669 				      le16_to_cpu(dr->wIndex));
1670 		if (ret)
1671 			goto error;
1672 		uurb->buffer_length = le16_to_cpu(dr->wLength);
1673 		uurb->buffer += 8;
1674 		if ((dr->bRequestType & USB_DIR_IN) && uurb->buffer_length) {
1675 			is_in = true;
1676 			uurb->endpoint |= USB_DIR_IN;
1677 		} else {
1678 			is_in = false;
1679 			uurb->endpoint &= ~USB_DIR_IN;
1680 		}
1681 		if (is_in)
1682 			allow_short = true;
1683 		snoop(&ps->dev->dev, "control urb: bRequestType=%02x "
1684 			"bRequest=%02x wValue=%04x "
1685 			"wIndex=%04x wLength=%04x\n",
1686 			dr->bRequestType, dr->bRequest,
1687 			__le16_to_cpu(dr->wValue),
1688 			__le16_to_cpu(dr->wIndex),
1689 			__le16_to_cpu(dr->wLength));
1690 		u = sizeof(struct usb_ctrlrequest);
1691 		break;
1692 
1693 	case USBDEVFS_URB_TYPE_BULK:
1694 		if (!is_in)
1695 			allow_zero = true;
1696 		else
1697 			allow_short = true;
1698 		switch (usb_endpoint_type(&ep->desc)) {
1699 		case USB_ENDPOINT_XFER_CONTROL:
1700 		case USB_ENDPOINT_XFER_ISOC:
1701 			return -EINVAL;
1702 		case USB_ENDPOINT_XFER_INT:
1703 			/* allow single-shot interrupt transfers */
1704 			uurb->type = USBDEVFS_URB_TYPE_INTERRUPT;
1705 			goto interrupt_urb;
1706 		}
1707 		num_sgs = DIV_ROUND_UP(uurb->buffer_length, USB_SG_SIZE);
1708 		if (num_sgs == 1 || num_sgs > ps->dev->bus->sg_tablesize)
1709 			num_sgs = 0;
1710 		if (ep->streams)
1711 			stream_id = uurb->stream_id;
1712 		break;
1713 
1714 	case USBDEVFS_URB_TYPE_INTERRUPT:
1715 		if (!usb_endpoint_xfer_int(&ep->desc))
1716 			return -EINVAL;
1717  interrupt_urb:
1718 		if (!is_in)
1719 			allow_zero = true;
1720 		else
1721 			allow_short = true;
1722 		break;
1723 
1724 	case USBDEVFS_URB_TYPE_ISO:
1725 		/* arbitrary limit */
1726 		if (uurb->number_of_packets < 1 ||
1727 		    uurb->number_of_packets > 128)
1728 			return -EINVAL;
1729 		if (!usb_endpoint_xfer_isoc(&ep->desc))
1730 			return -EINVAL;
1731 		number_of_packets = uurb->number_of_packets;
1732 		isofrmlen = sizeof(struct usbdevfs_iso_packet_desc) *
1733 				   number_of_packets;
1734 		isopkt = memdup_user(iso_frame_desc, isofrmlen);
1735 		if (IS_ERR(isopkt)) {
1736 			ret = PTR_ERR(isopkt);
1737 			isopkt = NULL;
1738 			goto error;
1739 		}
1740 		for (totlen = u = 0; u < number_of_packets; u++) {
1741 			/*
1742 			 * arbitrary limit need for USB 3.1 Gen2
1743 			 * sizemax: 96 DPs at SSP, 96 * 1024 = 98304
1744 			 */
1745 			if (isopkt[u].length > 98304) {
1746 				ret = -EINVAL;
1747 				goto error;
1748 			}
1749 			totlen += isopkt[u].length;
1750 		}
1751 		u *= sizeof(struct usb_iso_packet_descriptor);
1752 		uurb->buffer_length = totlen;
1753 		break;
1754 
1755 	default:
1756 		return -EINVAL;
1757 	}
1758 
1759 	if (uurb->buffer_length > 0 &&
1760 			!access_ok(uurb->buffer, uurb->buffer_length)) {
1761 		ret = -EFAULT;
1762 		goto error;
1763 	}
1764 	as = alloc_async(number_of_packets);
1765 	if (!as) {
1766 		ret = -ENOMEM;
1767 		goto error;
1768 	}
1769 
1770 	as->usbm = find_memory_area(ps, uurb);
1771 	if (IS_ERR(as->usbm)) {
1772 		ret = PTR_ERR(as->usbm);
1773 		as->usbm = NULL;
1774 		goto error;
1775 	}
1776 
1777 	/* do not use SG buffers when memory mapped segments
1778 	 * are in use
1779 	 */
1780 	if (as->usbm)
1781 		num_sgs = 0;
1782 
1783 	u += sizeof(struct async) + sizeof(struct urb) +
1784 	     (as->usbm ? 0 : uurb->buffer_length) +
1785 	     num_sgs * sizeof(struct scatterlist);
1786 	ret = usbfs_increase_memory_usage(u);
1787 	if (ret)
1788 		goto error;
1789 	as->mem_usage = u;
1790 
1791 	if (num_sgs) {
1792 		as->urb->sg = kmalloc_array(num_sgs,
1793 					    sizeof(struct scatterlist),
1794 					    GFP_KERNEL | __GFP_NOWARN);
1795 		if (!as->urb->sg) {
1796 			ret = -ENOMEM;
1797 			goto error;
1798 		}
1799 		as->urb->num_sgs = num_sgs;
1800 		sg_init_table(as->urb->sg, as->urb->num_sgs);
1801 
1802 		totlen = uurb->buffer_length;
1803 		for (i = 0; i < as->urb->num_sgs; i++) {
1804 			u = (totlen > USB_SG_SIZE) ? USB_SG_SIZE : totlen;
1805 			buf = kmalloc(u, GFP_KERNEL);
1806 			if (!buf) {
1807 				ret = -ENOMEM;
1808 				goto error;
1809 			}
1810 			sg_set_buf(&as->urb->sg[i], buf, u);
1811 
1812 			if (!is_in) {
1813 				if (copy_from_user(buf, uurb->buffer, u)) {
1814 					ret = -EFAULT;
1815 					goto error;
1816 				}
1817 				uurb->buffer += u;
1818 			}
1819 			totlen -= u;
1820 		}
1821 	} else if (uurb->buffer_length > 0) {
1822 		if (as->usbm) {
1823 			unsigned long uurb_start = (unsigned long)uurb->buffer;
1824 
1825 			as->urb->transfer_buffer = as->usbm->mem +
1826 					(uurb_start - as->usbm->vm_start);
1827 		} else {
1828 			as->urb->transfer_buffer = kmalloc(uurb->buffer_length,
1829 					GFP_KERNEL | __GFP_NOWARN);
1830 			if (!as->urb->transfer_buffer) {
1831 				ret = -ENOMEM;
1832 				goto error;
1833 			}
1834 			if (!is_in) {
1835 				if (copy_from_user(as->urb->transfer_buffer,
1836 						   uurb->buffer,
1837 						   uurb->buffer_length)) {
1838 					ret = -EFAULT;
1839 					goto error;
1840 				}
1841 			} else if (uurb->type == USBDEVFS_URB_TYPE_ISO) {
1842 				/*
1843 				 * Isochronous input data may end up being
1844 				 * discontiguous if some of the packets are
1845 				 * short. Clear the buffer so that the gaps
1846 				 * don't leak kernel data to userspace.
1847 				 */
1848 				memset(as->urb->transfer_buffer, 0,
1849 						uurb->buffer_length);
1850 			}
1851 		}
1852 	}
1853 	as->urb->dev = ps->dev;
1854 	as->urb->pipe = (uurb->type << 30) |
1855 			__create_pipe(ps->dev, uurb->endpoint & 0xf) |
1856 			(uurb->endpoint & USB_DIR_IN);
1857 
1858 	/* This tedious sequence is necessary because the URB_* flags
1859 	 * are internal to the kernel and subject to change, whereas
1860 	 * the USBDEVFS_URB_* flags are a user API and must not be changed.
1861 	 */
1862 	u = (is_in ? URB_DIR_IN : URB_DIR_OUT);
1863 	if (uurb->flags & USBDEVFS_URB_ISO_ASAP)
1864 		u |= URB_ISO_ASAP;
1865 	if (allow_short && uurb->flags & USBDEVFS_URB_SHORT_NOT_OK)
1866 		u |= URB_SHORT_NOT_OK;
1867 	if (allow_zero && uurb->flags & USBDEVFS_URB_ZERO_PACKET)
1868 		u |= URB_ZERO_PACKET;
1869 	if (uurb->flags & USBDEVFS_URB_NO_INTERRUPT)
1870 		u |= URB_NO_INTERRUPT;
1871 	as->urb->transfer_flags = u;
1872 
1873 	if (!allow_short && uurb->flags & USBDEVFS_URB_SHORT_NOT_OK)
1874 		dev_warn(&ps->dev->dev, "Requested nonsensical USBDEVFS_URB_SHORT_NOT_OK.\n");
1875 	if (!allow_zero && uurb->flags & USBDEVFS_URB_ZERO_PACKET)
1876 		dev_warn(&ps->dev->dev, "Requested nonsensical USBDEVFS_URB_ZERO_PACKET.\n");
1877 
1878 	as->urb->transfer_buffer_length = uurb->buffer_length;
1879 	as->urb->setup_packet = (unsigned char *)dr;
1880 	dr = NULL;
1881 	as->urb->start_frame = uurb->start_frame;
1882 	as->urb->number_of_packets = number_of_packets;
1883 	as->urb->stream_id = stream_id;
1884 
1885 	if (ep->desc.bInterval) {
1886 		if (uurb->type == USBDEVFS_URB_TYPE_ISO ||
1887 				ps->dev->speed == USB_SPEED_HIGH ||
1888 				ps->dev->speed >= USB_SPEED_SUPER)
1889 			as->urb->interval = 1 <<
1890 					min(15, ep->desc.bInterval - 1);
1891 		else
1892 			as->urb->interval = ep->desc.bInterval;
1893 	}
1894 
1895 	as->urb->context = as;
1896 	as->urb->complete = async_completed;
1897 	for (totlen = u = 0; u < number_of_packets; u++) {
1898 		as->urb->iso_frame_desc[u].offset = totlen;
1899 		as->urb->iso_frame_desc[u].length = isopkt[u].length;
1900 		totlen += isopkt[u].length;
1901 	}
1902 	kfree(isopkt);
1903 	isopkt = NULL;
1904 	as->ps = ps;
1905 	as->userurb = arg;
1906 	as->userurb_sigval = userurb_sigval;
1907 	if (as->usbm) {
1908 		unsigned long uurb_start = (unsigned long)uurb->buffer;
1909 
1910 		as->urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP;
1911 		as->urb->transfer_dma = as->usbm->dma_handle +
1912 				(uurb_start - as->usbm->vm_start);
1913 	} else if (is_in && uurb->buffer_length > 0)
1914 		as->userbuffer = uurb->buffer;
1915 	as->signr = uurb->signr;
1916 	as->ifnum = ifnum;
1917 	as->pid = get_pid(task_pid(current));
1918 	as->cred = get_current_cred();
1919 	snoop_urb(ps->dev, as->userurb, as->urb->pipe,
1920 			as->urb->transfer_buffer_length, 0, SUBMIT,
1921 			NULL, 0);
1922 	if (!is_in)
1923 		snoop_urb_data(as->urb, as->urb->transfer_buffer_length);
1924 
1925 	async_newpending(as);
1926 
1927 	if (usb_endpoint_xfer_bulk(&ep->desc)) {
1928 		spin_lock_irq(&ps->lock);
1929 
1930 		/* Not exactly the endpoint address; the direction bit is
1931 		 * shifted to the 0x10 position so that the value will be
1932 		 * between 0 and 31.
1933 		 */
1934 		as->bulk_addr = usb_endpoint_num(&ep->desc) |
1935 			((ep->desc.bEndpointAddress & USB_ENDPOINT_DIR_MASK)
1936 				>> 3);
1937 
1938 		/* If this bulk URB is the start of a new transfer, re-enable
1939 		 * the endpoint.  Otherwise mark it as a continuation URB.
1940 		 */
1941 		if (uurb->flags & USBDEVFS_URB_BULK_CONTINUATION)
1942 			as->bulk_status = AS_CONTINUATION;
1943 		else
1944 			ps->disabled_bulk_eps &= ~(1 << as->bulk_addr);
1945 
1946 		/* Don't accept continuation URBs if the endpoint is
1947 		 * disabled because of an earlier error.
1948 		 */
1949 		if (ps->disabled_bulk_eps & (1 << as->bulk_addr))
1950 			ret = -EREMOTEIO;
1951 		else
1952 			ret = usb_submit_urb(as->urb, GFP_ATOMIC);
1953 		spin_unlock_irq(&ps->lock);
1954 	} else {
1955 		ret = usb_submit_urb(as->urb, GFP_KERNEL);
1956 	}
1957 
1958 	if (ret) {
1959 		dev_printk(KERN_DEBUG, &ps->dev->dev,
1960 			   "usbfs: usb_submit_urb returned %d\n", ret);
1961 		snoop_urb(ps->dev, as->userurb, as->urb->pipe,
1962 				0, ret, COMPLETE, NULL, 0);
1963 		async_removepending(as);
1964 		goto error;
1965 	}
1966 	return 0;
1967 
1968  error:
1969 	kfree(isopkt);
1970 	kfree(dr);
1971 	if (as)
1972 		free_async(as);
1973 	return ret;
1974 }
1975 
1976 static int proc_submiturb(struct usb_dev_state *ps, void __user *arg)
1977 {
1978 	struct usbdevfs_urb uurb;
1979 	sigval_t userurb_sigval;
1980 
1981 	if (copy_from_user(&uurb, arg, sizeof(uurb)))
1982 		return -EFAULT;
1983 
1984 	memset(&userurb_sigval, 0, sizeof(userurb_sigval));
1985 	userurb_sigval.sival_ptr = arg;
1986 
1987 	return proc_do_submiturb(ps, &uurb,
1988 			(((struct usbdevfs_urb __user *)arg)->iso_frame_desc),
1989 			arg, userurb_sigval);
1990 }
1991 
1992 static int proc_unlinkurb(struct usb_dev_state *ps, void __user *arg)
1993 {
1994 	struct urb *urb;
1995 	struct async *as;
1996 	unsigned long flags;
1997 
1998 	spin_lock_irqsave(&ps->lock, flags);
1999 	as = async_getpending(ps, arg);
2000 	if (!as) {
2001 		spin_unlock_irqrestore(&ps->lock, flags);
2002 		return -EINVAL;
2003 	}
2004 
2005 	urb = as->urb;
2006 	usb_get_urb(urb);
2007 	spin_unlock_irqrestore(&ps->lock, flags);
2008 
2009 	usb_kill_urb(urb);
2010 	usb_put_urb(urb);
2011 
2012 	return 0;
2013 }
2014 
2015 static void compute_isochronous_actual_length(struct urb *urb)
2016 {
2017 	unsigned int i;
2018 
2019 	if (urb->number_of_packets > 0) {
2020 		urb->actual_length = 0;
2021 		for (i = 0; i < urb->number_of_packets; i++)
2022 			urb->actual_length +=
2023 					urb->iso_frame_desc[i].actual_length;
2024 	}
2025 }
2026 
2027 static int processcompl(struct async *as, void __user * __user *arg)
2028 {
2029 	struct urb *urb = as->urb;
2030 	struct usbdevfs_urb __user *userurb = as->userurb;
2031 	void __user *addr = as->userurb;
2032 	unsigned int i;
2033 
2034 	compute_isochronous_actual_length(urb);
2035 	if (as->userbuffer && urb->actual_length) {
2036 		if (copy_urb_data_to_user(as->userbuffer, urb))
2037 			goto err_out;
2038 	}
2039 	if (put_user(as->status, &userurb->status))
2040 		goto err_out;
2041 	if (put_user(urb->actual_length, &userurb->actual_length))
2042 		goto err_out;
2043 	if (put_user(urb->error_count, &userurb->error_count))
2044 		goto err_out;
2045 
2046 	if (usb_endpoint_xfer_isoc(&urb->ep->desc)) {
2047 		for (i = 0; i < urb->number_of_packets; i++) {
2048 			if (put_user(urb->iso_frame_desc[i].actual_length,
2049 				     &userurb->iso_frame_desc[i].actual_length))
2050 				goto err_out;
2051 			if (put_user(urb->iso_frame_desc[i].status,
2052 				     &userurb->iso_frame_desc[i].status))
2053 				goto err_out;
2054 		}
2055 	}
2056 
2057 	if (put_user(addr, (void __user * __user *)arg))
2058 		return -EFAULT;
2059 	return 0;
2060 
2061 err_out:
2062 	return -EFAULT;
2063 }
2064 
2065 static struct async *reap_as(struct usb_dev_state *ps)
2066 {
2067 	DECLARE_WAITQUEUE(wait, current);
2068 	struct async *as = NULL;
2069 	struct usb_device *dev = ps->dev;
2070 
2071 	add_wait_queue(&ps->wait, &wait);
2072 	for (;;) {
2073 		__set_current_state(TASK_INTERRUPTIBLE);
2074 		as = async_getcompleted(ps);
2075 		if (as || !connected(ps))
2076 			break;
2077 		if (signal_pending(current))
2078 			break;
2079 		usb_unlock_device(dev);
2080 		schedule();
2081 		usb_lock_device(dev);
2082 	}
2083 	remove_wait_queue(&ps->wait, &wait);
2084 	set_current_state(TASK_RUNNING);
2085 	return as;
2086 }
2087 
2088 static int proc_reapurb(struct usb_dev_state *ps, void __user *arg)
2089 {
2090 	struct async *as = reap_as(ps);
2091 
2092 	if (as) {
2093 		int retval;
2094 
2095 		snoop(&ps->dev->dev, "reap %px\n", as->userurb);
2096 		retval = processcompl(as, (void __user * __user *)arg);
2097 		free_async(as);
2098 		return retval;
2099 	}
2100 	if (signal_pending(current))
2101 		return -EINTR;
2102 	return -ENODEV;
2103 }
2104 
2105 static int proc_reapurbnonblock(struct usb_dev_state *ps, void __user *arg)
2106 {
2107 	int retval;
2108 	struct async *as;
2109 
2110 	as = async_getcompleted(ps);
2111 	if (as) {
2112 		snoop(&ps->dev->dev, "reap %px\n", as->userurb);
2113 		retval = processcompl(as, (void __user * __user *)arg);
2114 		free_async(as);
2115 	} else {
2116 		retval = (connected(ps) ? -EAGAIN : -ENODEV);
2117 	}
2118 	return retval;
2119 }
2120 
2121 #ifdef CONFIG_COMPAT
2122 static int proc_control_compat(struct usb_dev_state *ps,
2123 				struct usbdevfs_ctrltransfer32 __user *p32)
2124 {
2125 	struct usbdevfs_ctrltransfer ctrl;
2126 	u32 udata;
2127 
2128 	if (copy_from_user(&ctrl, p32, sizeof(*p32) - sizeof(compat_caddr_t)) ||
2129 	    get_user(udata, &p32->data))
2130 		return -EFAULT;
2131 	ctrl.data = compat_ptr(udata);
2132 	return do_proc_control(ps, &ctrl);
2133 }
2134 
2135 static int proc_bulk_compat(struct usb_dev_state *ps,
2136 			struct usbdevfs_bulktransfer32 __user *p32)
2137 {
2138 	struct usbdevfs_bulktransfer bulk;
2139 	compat_caddr_t addr;
2140 
2141 	if (get_user(bulk.ep, &p32->ep) ||
2142 	    get_user(bulk.len, &p32->len) ||
2143 	    get_user(bulk.timeout, &p32->timeout) ||
2144 	    get_user(addr, &p32->data))
2145 		return -EFAULT;
2146 	bulk.data = compat_ptr(addr);
2147 	return do_proc_bulk(ps, &bulk);
2148 }
2149 
2150 static int proc_disconnectsignal_compat(struct usb_dev_state *ps, void __user *arg)
2151 {
2152 	struct usbdevfs_disconnectsignal32 ds;
2153 
2154 	if (copy_from_user(&ds, arg, sizeof(ds)))
2155 		return -EFAULT;
2156 	ps->discsignr = ds.signr;
2157 	ps->disccontext.sival_int = ds.context;
2158 	return 0;
2159 }
2160 
2161 static int get_urb32(struct usbdevfs_urb *kurb,
2162 		     struct usbdevfs_urb32 __user *uurb)
2163 {
2164 	struct usbdevfs_urb32 urb32;
2165 	if (copy_from_user(&urb32, uurb, sizeof(*uurb)))
2166 		return -EFAULT;
2167 	kurb->type = urb32.type;
2168 	kurb->endpoint = urb32.endpoint;
2169 	kurb->status = urb32.status;
2170 	kurb->flags = urb32.flags;
2171 	kurb->buffer = compat_ptr(urb32.buffer);
2172 	kurb->buffer_length = urb32.buffer_length;
2173 	kurb->actual_length = urb32.actual_length;
2174 	kurb->start_frame = urb32.start_frame;
2175 	kurb->number_of_packets = urb32.number_of_packets;
2176 	kurb->error_count = urb32.error_count;
2177 	kurb->signr = urb32.signr;
2178 	kurb->usercontext = compat_ptr(urb32.usercontext);
2179 	return 0;
2180 }
2181 
2182 static int proc_submiturb_compat(struct usb_dev_state *ps, void __user *arg)
2183 {
2184 	struct usbdevfs_urb uurb;
2185 	sigval_t userurb_sigval;
2186 
2187 	if (get_urb32(&uurb, (struct usbdevfs_urb32 __user *)arg))
2188 		return -EFAULT;
2189 
2190 	memset(&userurb_sigval, 0, sizeof(userurb_sigval));
2191 	userurb_sigval.sival_int = ptr_to_compat(arg);
2192 
2193 	return proc_do_submiturb(ps, &uurb,
2194 			((struct usbdevfs_urb32 __user *)arg)->iso_frame_desc,
2195 			arg, userurb_sigval);
2196 }
2197 
2198 static int processcompl_compat(struct async *as, void __user * __user *arg)
2199 {
2200 	struct urb *urb = as->urb;
2201 	struct usbdevfs_urb32 __user *userurb = as->userurb;
2202 	void __user *addr = as->userurb;
2203 	unsigned int i;
2204 
2205 	compute_isochronous_actual_length(urb);
2206 	if (as->userbuffer && urb->actual_length) {
2207 		if (copy_urb_data_to_user(as->userbuffer, urb))
2208 			return -EFAULT;
2209 	}
2210 	if (put_user(as->status, &userurb->status))
2211 		return -EFAULT;
2212 	if (put_user(urb->actual_length, &userurb->actual_length))
2213 		return -EFAULT;
2214 	if (put_user(urb->error_count, &userurb->error_count))
2215 		return -EFAULT;
2216 
2217 	if (usb_endpoint_xfer_isoc(&urb->ep->desc)) {
2218 		for (i = 0; i < urb->number_of_packets; i++) {
2219 			if (put_user(urb->iso_frame_desc[i].actual_length,
2220 				     &userurb->iso_frame_desc[i].actual_length))
2221 				return -EFAULT;
2222 			if (put_user(urb->iso_frame_desc[i].status,
2223 				     &userurb->iso_frame_desc[i].status))
2224 				return -EFAULT;
2225 		}
2226 	}
2227 
2228 	if (put_user(ptr_to_compat(addr), (u32 __user *)arg))
2229 		return -EFAULT;
2230 	return 0;
2231 }
2232 
2233 static int proc_reapurb_compat(struct usb_dev_state *ps, void __user *arg)
2234 {
2235 	struct async *as = reap_as(ps);
2236 
2237 	if (as) {
2238 		int retval;
2239 
2240 		snoop(&ps->dev->dev, "reap %px\n", as->userurb);
2241 		retval = processcompl_compat(as, (void __user * __user *)arg);
2242 		free_async(as);
2243 		return retval;
2244 	}
2245 	if (signal_pending(current))
2246 		return -EINTR;
2247 	return -ENODEV;
2248 }
2249 
2250 static int proc_reapurbnonblock_compat(struct usb_dev_state *ps, void __user *arg)
2251 {
2252 	int retval;
2253 	struct async *as;
2254 
2255 	as = async_getcompleted(ps);
2256 	if (as) {
2257 		snoop(&ps->dev->dev, "reap %px\n", as->userurb);
2258 		retval = processcompl_compat(as, (void __user * __user *)arg);
2259 		free_async(as);
2260 	} else {
2261 		retval = (connected(ps) ? -EAGAIN : -ENODEV);
2262 	}
2263 	return retval;
2264 }
2265 
2266 
2267 #endif
2268 
2269 static int proc_disconnectsignal(struct usb_dev_state *ps, void __user *arg)
2270 {
2271 	struct usbdevfs_disconnectsignal ds;
2272 
2273 	if (copy_from_user(&ds, arg, sizeof(ds)))
2274 		return -EFAULT;
2275 	ps->discsignr = ds.signr;
2276 	ps->disccontext.sival_ptr = ds.context;
2277 	return 0;
2278 }
2279 
2280 static int proc_claiminterface(struct usb_dev_state *ps, void __user *arg)
2281 {
2282 	unsigned int ifnum;
2283 
2284 	if (get_user(ifnum, (unsigned int __user *)arg))
2285 		return -EFAULT;
2286 	return claimintf(ps, ifnum);
2287 }
2288 
2289 static int proc_releaseinterface(struct usb_dev_state *ps, void __user *arg)
2290 {
2291 	unsigned int ifnum;
2292 	int ret;
2293 
2294 	if (get_user(ifnum, (unsigned int __user *)arg))
2295 		return -EFAULT;
2296 	ret = releaseintf(ps, ifnum);
2297 	if (ret < 0)
2298 		return ret;
2299 	destroy_async_on_interface(ps, ifnum);
2300 	return 0;
2301 }
2302 
2303 static int proc_ioctl(struct usb_dev_state *ps, struct usbdevfs_ioctl *ctl)
2304 {
2305 	int			size;
2306 	void			*buf = NULL;
2307 	int			retval = 0;
2308 	struct usb_interface    *intf = NULL;
2309 	struct usb_driver       *driver = NULL;
2310 
2311 	if (ps->privileges_dropped)
2312 		return -EACCES;
2313 
2314 	if (!connected(ps))
2315 		return -ENODEV;
2316 
2317 	/* alloc buffer */
2318 	size = _IOC_SIZE(ctl->ioctl_code);
2319 	if (size > 0) {
2320 		buf = kmalloc(size, GFP_KERNEL);
2321 		if (buf == NULL)
2322 			return -ENOMEM;
2323 		if ((_IOC_DIR(ctl->ioctl_code) & _IOC_WRITE)) {
2324 			if (copy_from_user(buf, ctl->data, size)) {
2325 				kfree(buf);
2326 				return -EFAULT;
2327 			}
2328 		} else {
2329 			memset(buf, 0, size);
2330 		}
2331 	}
2332 
2333 	if (ps->dev->state != USB_STATE_CONFIGURED)
2334 		retval = -EHOSTUNREACH;
2335 	else if (!(intf = usb_ifnum_to_if(ps->dev, ctl->ifno)))
2336 		retval = -EINVAL;
2337 	else switch (ctl->ioctl_code) {
2338 
2339 	/* disconnect kernel driver from interface */
2340 	case USBDEVFS_DISCONNECT:
2341 		if (intf->dev.driver) {
2342 			driver = to_usb_driver(intf->dev.driver);
2343 			dev_dbg(&intf->dev, "disconnect by usbfs\n");
2344 			usb_driver_release_interface(driver, intf);
2345 		} else
2346 			retval = -ENODATA;
2347 		break;
2348 
2349 	/* let kernel drivers try to (re)bind to the interface */
2350 	case USBDEVFS_CONNECT:
2351 		if (!intf->dev.driver)
2352 			retval = device_attach(&intf->dev);
2353 		else
2354 			retval = -EBUSY;
2355 		break;
2356 
2357 	/* talk directly to the interface's driver */
2358 	default:
2359 		if (intf->dev.driver)
2360 			driver = to_usb_driver(intf->dev.driver);
2361 		if (driver == NULL || driver->unlocked_ioctl == NULL) {
2362 			retval = -ENOTTY;
2363 		} else {
2364 			retval = driver->unlocked_ioctl(intf, ctl->ioctl_code, buf);
2365 			if (retval == -ENOIOCTLCMD)
2366 				retval = -ENOTTY;
2367 		}
2368 	}
2369 
2370 	/* cleanup and return */
2371 	if (retval >= 0
2372 			&& (_IOC_DIR(ctl->ioctl_code) & _IOC_READ) != 0
2373 			&& size > 0
2374 			&& copy_to_user(ctl->data, buf, size) != 0)
2375 		retval = -EFAULT;
2376 
2377 	kfree(buf);
2378 	return retval;
2379 }
2380 
2381 static int proc_ioctl_default(struct usb_dev_state *ps, void __user *arg)
2382 {
2383 	struct usbdevfs_ioctl	ctrl;
2384 
2385 	if (copy_from_user(&ctrl, arg, sizeof(ctrl)))
2386 		return -EFAULT;
2387 	return proc_ioctl(ps, &ctrl);
2388 }
2389 
2390 #ifdef CONFIG_COMPAT
2391 static int proc_ioctl_compat(struct usb_dev_state *ps, compat_uptr_t arg)
2392 {
2393 	struct usbdevfs_ioctl32 ioc32;
2394 	struct usbdevfs_ioctl ctrl;
2395 
2396 	if (copy_from_user(&ioc32, compat_ptr(arg), sizeof(ioc32)))
2397 		return -EFAULT;
2398 	ctrl.ifno = ioc32.ifno;
2399 	ctrl.ioctl_code = ioc32.ioctl_code;
2400 	ctrl.data = compat_ptr(ioc32.data);
2401 	return proc_ioctl(ps, &ctrl);
2402 }
2403 #endif
2404 
2405 static int proc_claim_port(struct usb_dev_state *ps, void __user *arg)
2406 {
2407 	unsigned portnum;
2408 	int rc;
2409 
2410 	if (get_user(portnum, (unsigned __user *) arg))
2411 		return -EFAULT;
2412 	rc = usb_hub_claim_port(ps->dev, portnum, ps);
2413 	if (rc == 0)
2414 		snoop(&ps->dev->dev, "port %d claimed by process %d: %s\n",
2415 			portnum, task_pid_nr(current), current->comm);
2416 	return rc;
2417 }
2418 
2419 static int proc_release_port(struct usb_dev_state *ps, void __user *arg)
2420 {
2421 	unsigned portnum;
2422 
2423 	if (get_user(portnum, (unsigned __user *) arg))
2424 		return -EFAULT;
2425 	return usb_hub_release_port(ps->dev, portnum, ps);
2426 }
2427 
2428 static int proc_get_capabilities(struct usb_dev_state *ps, void __user *arg)
2429 {
2430 	__u32 caps;
2431 
2432 	caps = USBDEVFS_CAP_ZERO_PACKET | USBDEVFS_CAP_NO_PACKET_SIZE_LIM |
2433 			USBDEVFS_CAP_REAP_AFTER_DISCONNECT | USBDEVFS_CAP_MMAP |
2434 			USBDEVFS_CAP_DROP_PRIVILEGES |
2435 			USBDEVFS_CAP_CONNINFO_EX | MAYBE_CAP_SUSPEND;
2436 	if (!ps->dev->bus->no_stop_on_short)
2437 		caps |= USBDEVFS_CAP_BULK_CONTINUATION;
2438 	if (ps->dev->bus->sg_tablesize)
2439 		caps |= USBDEVFS_CAP_BULK_SCATTER_GATHER;
2440 
2441 	if (put_user(caps, (__u32 __user *)arg))
2442 		return -EFAULT;
2443 
2444 	return 0;
2445 }
2446 
2447 static int proc_disconnect_claim(struct usb_dev_state *ps, void __user *arg)
2448 {
2449 	struct usbdevfs_disconnect_claim dc;
2450 	struct usb_interface *intf;
2451 
2452 	if (copy_from_user(&dc, arg, sizeof(dc)))
2453 		return -EFAULT;
2454 
2455 	intf = usb_ifnum_to_if(ps->dev, dc.interface);
2456 	if (!intf)
2457 		return -EINVAL;
2458 
2459 	if (intf->dev.driver) {
2460 		struct usb_driver *driver = to_usb_driver(intf->dev.driver);
2461 
2462 		if (ps->privileges_dropped)
2463 			return -EACCES;
2464 
2465 		if ((dc.flags & USBDEVFS_DISCONNECT_CLAIM_IF_DRIVER) &&
2466 				strncmp(dc.driver, intf->dev.driver->name,
2467 					sizeof(dc.driver)) != 0)
2468 			return -EBUSY;
2469 
2470 		if ((dc.flags & USBDEVFS_DISCONNECT_CLAIM_EXCEPT_DRIVER) &&
2471 				strncmp(dc.driver, intf->dev.driver->name,
2472 					sizeof(dc.driver)) == 0)
2473 			return -EBUSY;
2474 
2475 		dev_dbg(&intf->dev, "disconnect by usbfs\n");
2476 		usb_driver_release_interface(driver, intf);
2477 	}
2478 
2479 	return claimintf(ps, dc.interface);
2480 }
2481 
2482 static int proc_alloc_streams(struct usb_dev_state *ps, void __user *arg)
2483 {
2484 	unsigned num_streams, num_eps;
2485 	struct usb_host_endpoint **eps;
2486 	struct usb_interface *intf;
2487 	int r;
2488 
2489 	r = parse_usbdevfs_streams(ps, arg, &num_streams, &num_eps,
2490 				   &eps, &intf);
2491 	if (r)
2492 		return r;
2493 
2494 	destroy_async_on_interface(ps,
2495 				   intf->altsetting[0].desc.bInterfaceNumber);
2496 
2497 	r = usb_alloc_streams(intf, eps, num_eps, num_streams, GFP_KERNEL);
2498 	kfree(eps);
2499 	return r;
2500 }
2501 
2502 static int proc_free_streams(struct usb_dev_state *ps, void __user *arg)
2503 {
2504 	unsigned num_eps;
2505 	struct usb_host_endpoint **eps;
2506 	struct usb_interface *intf;
2507 	int r;
2508 
2509 	r = parse_usbdevfs_streams(ps, arg, NULL, &num_eps, &eps, &intf);
2510 	if (r)
2511 		return r;
2512 
2513 	destroy_async_on_interface(ps,
2514 				   intf->altsetting[0].desc.bInterfaceNumber);
2515 
2516 	r = usb_free_streams(intf, eps, num_eps, GFP_KERNEL);
2517 	kfree(eps);
2518 	return r;
2519 }
2520 
2521 static int proc_drop_privileges(struct usb_dev_state *ps, void __user *arg)
2522 {
2523 	u32 data;
2524 
2525 	if (copy_from_user(&data, arg, sizeof(data)))
2526 		return -EFAULT;
2527 
2528 	/* This is a one way operation. Once privileges are
2529 	 * dropped, you cannot regain them. You may however reissue
2530 	 * this ioctl to shrink the allowed interfaces mask.
2531 	 */
2532 	ps->interface_allowed_mask &= data;
2533 	ps->privileges_dropped = true;
2534 
2535 	return 0;
2536 }
2537 
2538 static int proc_forbid_suspend(struct usb_dev_state *ps)
2539 {
2540 	int ret = 0;
2541 
2542 	if (ps->suspend_allowed) {
2543 		ret = usb_autoresume_device(ps->dev);
2544 		if (ret == 0)
2545 			ps->suspend_allowed = false;
2546 		else if (ret != -ENODEV)
2547 			ret = -EIO;
2548 	}
2549 	return ret;
2550 }
2551 
2552 static int proc_allow_suspend(struct usb_dev_state *ps)
2553 {
2554 	if (!connected(ps))
2555 		return -ENODEV;
2556 
2557 	WRITE_ONCE(ps->not_yet_resumed, 1);
2558 	if (!ps->suspend_allowed) {
2559 		usb_autosuspend_device(ps->dev);
2560 		ps->suspend_allowed = true;
2561 	}
2562 	return 0;
2563 }
2564 
2565 static int proc_wait_for_resume(struct usb_dev_state *ps)
2566 {
2567 	int ret;
2568 
2569 	usb_unlock_device(ps->dev);
2570 	ret = wait_event_interruptible(ps->wait_for_resume,
2571 			READ_ONCE(ps->not_yet_resumed) == 0);
2572 	usb_lock_device(ps->dev);
2573 
2574 	if (ret != 0)
2575 		return -EINTR;
2576 	return proc_forbid_suspend(ps);
2577 }
2578 
2579 /*
2580  * NOTE:  All requests here that have interface numbers as parameters
2581  * are assuming that somehow the configuration has been prevented from
2582  * changing.  But there's no mechanism to ensure that...
2583  */
2584 static long usbdev_do_ioctl(struct file *file, unsigned int cmd,
2585 				void __user *p)
2586 {
2587 	struct usb_dev_state *ps = file->private_data;
2588 	struct inode *inode = file_inode(file);
2589 	struct usb_device *dev = ps->dev;
2590 	int ret = -ENOTTY;
2591 
2592 	if (!(file->f_mode & FMODE_WRITE))
2593 		return -EPERM;
2594 
2595 	usb_lock_device(dev);
2596 
2597 	/* Reap operations are allowed even after disconnection */
2598 	switch (cmd) {
2599 	case USBDEVFS_REAPURB:
2600 		snoop(&dev->dev, "%s: REAPURB\n", __func__);
2601 		ret = proc_reapurb(ps, p);
2602 		goto done;
2603 
2604 	case USBDEVFS_REAPURBNDELAY:
2605 		snoop(&dev->dev, "%s: REAPURBNDELAY\n", __func__);
2606 		ret = proc_reapurbnonblock(ps, p);
2607 		goto done;
2608 
2609 #ifdef CONFIG_COMPAT
2610 	case USBDEVFS_REAPURB32:
2611 		snoop(&dev->dev, "%s: REAPURB32\n", __func__);
2612 		ret = proc_reapurb_compat(ps, p);
2613 		goto done;
2614 
2615 	case USBDEVFS_REAPURBNDELAY32:
2616 		snoop(&dev->dev, "%s: REAPURBNDELAY32\n", __func__);
2617 		ret = proc_reapurbnonblock_compat(ps, p);
2618 		goto done;
2619 #endif
2620 	}
2621 
2622 	if (!connected(ps)) {
2623 		usb_unlock_device(dev);
2624 		return -ENODEV;
2625 	}
2626 
2627 	switch (cmd) {
2628 	case USBDEVFS_CONTROL:
2629 		snoop(&dev->dev, "%s: CONTROL\n", __func__);
2630 		ret = proc_control(ps, p);
2631 		if (ret >= 0)
2632 			inode->i_mtime = current_time(inode);
2633 		break;
2634 
2635 	case USBDEVFS_BULK:
2636 		snoop(&dev->dev, "%s: BULK\n", __func__);
2637 		ret = proc_bulk(ps, p);
2638 		if (ret >= 0)
2639 			inode->i_mtime = current_time(inode);
2640 		break;
2641 
2642 	case USBDEVFS_RESETEP:
2643 		snoop(&dev->dev, "%s: RESETEP\n", __func__);
2644 		ret = proc_resetep(ps, p);
2645 		if (ret >= 0)
2646 			inode->i_mtime = current_time(inode);
2647 		break;
2648 
2649 	case USBDEVFS_RESET:
2650 		snoop(&dev->dev, "%s: RESET\n", __func__);
2651 		ret = proc_resetdevice(ps);
2652 		break;
2653 
2654 	case USBDEVFS_CLEAR_HALT:
2655 		snoop(&dev->dev, "%s: CLEAR_HALT\n", __func__);
2656 		ret = proc_clearhalt(ps, p);
2657 		if (ret >= 0)
2658 			inode->i_mtime = current_time(inode);
2659 		break;
2660 
2661 	case USBDEVFS_GETDRIVER:
2662 		snoop(&dev->dev, "%s: GETDRIVER\n", __func__);
2663 		ret = proc_getdriver(ps, p);
2664 		break;
2665 
2666 	case USBDEVFS_CONNECTINFO:
2667 		snoop(&dev->dev, "%s: CONNECTINFO\n", __func__);
2668 		ret = proc_connectinfo(ps, p);
2669 		break;
2670 
2671 	case USBDEVFS_SETINTERFACE:
2672 		snoop(&dev->dev, "%s: SETINTERFACE\n", __func__);
2673 		ret = proc_setintf(ps, p);
2674 		break;
2675 
2676 	case USBDEVFS_SETCONFIGURATION:
2677 		snoop(&dev->dev, "%s: SETCONFIGURATION\n", __func__);
2678 		ret = proc_setconfig(ps, p);
2679 		break;
2680 
2681 	case USBDEVFS_SUBMITURB:
2682 		snoop(&dev->dev, "%s: SUBMITURB\n", __func__);
2683 		ret = proc_submiturb(ps, p);
2684 		if (ret >= 0)
2685 			inode->i_mtime = current_time(inode);
2686 		break;
2687 
2688 #ifdef CONFIG_COMPAT
2689 	case USBDEVFS_CONTROL32:
2690 		snoop(&dev->dev, "%s: CONTROL32\n", __func__);
2691 		ret = proc_control_compat(ps, p);
2692 		if (ret >= 0)
2693 			inode->i_mtime = current_time(inode);
2694 		break;
2695 
2696 	case USBDEVFS_BULK32:
2697 		snoop(&dev->dev, "%s: BULK32\n", __func__);
2698 		ret = proc_bulk_compat(ps, p);
2699 		if (ret >= 0)
2700 			inode->i_mtime = current_time(inode);
2701 		break;
2702 
2703 	case USBDEVFS_DISCSIGNAL32:
2704 		snoop(&dev->dev, "%s: DISCSIGNAL32\n", __func__);
2705 		ret = proc_disconnectsignal_compat(ps, p);
2706 		break;
2707 
2708 	case USBDEVFS_SUBMITURB32:
2709 		snoop(&dev->dev, "%s: SUBMITURB32\n", __func__);
2710 		ret = proc_submiturb_compat(ps, p);
2711 		if (ret >= 0)
2712 			inode->i_mtime = current_time(inode);
2713 		break;
2714 
2715 	case USBDEVFS_IOCTL32:
2716 		snoop(&dev->dev, "%s: IOCTL32\n", __func__);
2717 		ret = proc_ioctl_compat(ps, ptr_to_compat(p));
2718 		break;
2719 #endif
2720 
2721 	case USBDEVFS_DISCARDURB:
2722 		snoop(&dev->dev, "%s: DISCARDURB %px\n", __func__, p);
2723 		ret = proc_unlinkurb(ps, p);
2724 		break;
2725 
2726 	case USBDEVFS_DISCSIGNAL:
2727 		snoop(&dev->dev, "%s: DISCSIGNAL\n", __func__);
2728 		ret = proc_disconnectsignal(ps, p);
2729 		break;
2730 
2731 	case USBDEVFS_CLAIMINTERFACE:
2732 		snoop(&dev->dev, "%s: CLAIMINTERFACE\n", __func__);
2733 		ret = proc_claiminterface(ps, p);
2734 		break;
2735 
2736 	case USBDEVFS_RELEASEINTERFACE:
2737 		snoop(&dev->dev, "%s: RELEASEINTERFACE\n", __func__);
2738 		ret = proc_releaseinterface(ps, p);
2739 		break;
2740 
2741 	case USBDEVFS_IOCTL:
2742 		snoop(&dev->dev, "%s: IOCTL\n", __func__);
2743 		ret = proc_ioctl_default(ps, p);
2744 		break;
2745 
2746 	case USBDEVFS_CLAIM_PORT:
2747 		snoop(&dev->dev, "%s: CLAIM_PORT\n", __func__);
2748 		ret = proc_claim_port(ps, p);
2749 		break;
2750 
2751 	case USBDEVFS_RELEASE_PORT:
2752 		snoop(&dev->dev, "%s: RELEASE_PORT\n", __func__);
2753 		ret = proc_release_port(ps, p);
2754 		break;
2755 	case USBDEVFS_GET_CAPABILITIES:
2756 		ret = proc_get_capabilities(ps, p);
2757 		break;
2758 	case USBDEVFS_DISCONNECT_CLAIM:
2759 		ret = proc_disconnect_claim(ps, p);
2760 		break;
2761 	case USBDEVFS_ALLOC_STREAMS:
2762 		ret = proc_alloc_streams(ps, p);
2763 		break;
2764 	case USBDEVFS_FREE_STREAMS:
2765 		ret = proc_free_streams(ps, p);
2766 		break;
2767 	case USBDEVFS_DROP_PRIVILEGES:
2768 		ret = proc_drop_privileges(ps, p);
2769 		break;
2770 	case USBDEVFS_GET_SPEED:
2771 		ret = ps->dev->speed;
2772 		break;
2773 	case USBDEVFS_FORBID_SUSPEND:
2774 		ret = proc_forbid_suspend(ps);
2775 		break;
2776 	case USBDEVFS_ALLOW_SUSPEND:
2777 		ret = proc_allow_suspend(ps);
2778 		break;
2779 	case USBDEVFS_WAIT_FOR_RESUME:
2780 		ret = proc_wait_for_resume(ps);
2781 		break;
2782 	}
2783 
2784 	/* Handle variable-length commands */
2785 	switch (cmd & ~IOCSIZE_MASK) {
2786 	case USBDEVFS_CONNINFO_EX(0):
2787 		ret = proc_conninfo_ex(ps, p, _IOC_SIZE(cmd));
2788 		break;
2789 	}
2790 
2791  done:
2792 	usb_unlock_device(dev);
2793 	if (ret >= 0)
2794 		inode->i_atime = current_time(inode);
2795 	return ret;
2796 }
2797 
2798 static long usbdev_ioctl(struct file *file, unsigned int cmd,
2799 			unsigned long arg)
2800 {
2801 	int ret;
2802 
2803 	ret = usbdev_do_ioctl(file, cmd, (void __user *)arg);
2804 
2805 	return ret;
2806 }
2807 
2808 /* No kernel lock - fine */
2809 static __poll_t usbdev_poll(struct file *file,
2810 				struct poll_table_struct *wait)
2811 {
2812 	struct usb_dev_state *ps = file->private_data;
2813 	__poll_t mask = 0;
2814 
2815 	poll_wait(file, &ps->wait, wait);
2816 	if (file->f_mode & FMODE_WRITE && !list_empty(&ps->async_completed))
2817 		mask |= EPOLLOUT | EPOLLWRNORM;
2818 	if (!connected(ps))
2819 		mask |= EPOLLHUP;
2820 	if (list_empty(&ps->list))
2821 		mask |= EPOLLERR;
2822 	return mask;
2823 }
2824 
2825 const struct file_operations usbdev_file_operations = {
2826 	.owner =	  THIS_MODULE,
2827 	.llseek =	  no_seek_end_llseek,
2828 	.read =		  usbdev_read,
2829 	.poll =		  usbdev_poll,
2830 	.unlocked_ioctl = usbdev_ioctl,
2831 	.compat_ioctl =   compat_ptr_ioctl,
2832 	.mmap =           usbdev_mmap,
2833 	.open =		  usbdev_open,
2834 	.release =	  usbdev_release,
2835 };
2836 
2837 static void usbdev_remove(struct usb_device *udev)
2838 {
2839 	struct usb_dev_state *ps;
2840 
2841 	/* Protect against simultaneous resume */
2842 	mutex_lock(&usbfs_mutex);
2843 	while (!list_empty(&udev->filelist)) {
2844 		ps = list_entry(udev->filelist.next, struct usb_dev_state, list);
2845 		destroy_all_async(ps);
2846 		wake_up_all(&ps->wait);
2847 		WRITE_ONCE(ps->not_yet_resumed, 0);
2848 		wake_up_all(&ps->wait_for_resume);
2849 		list_del_init(&ps->list);
2850 		if (ps->discsignr)
2851 			kill_pid_usb_asyncio(ps->discsignr, EPIPE, ps->disccontext,
2852 					     ps->disc_pid, ps->cred);
2853 	}
2854 	mutex_unlock(&usbfs_mutex);
2855 }
2856 
2857 static int usbdev_notify(struct notifier_block *self,
2858 			       unsigned long action, void *dev)
2859 {
2860 	switch (action) {
2861 	case USB_DEVICE_ADD:
2862 		break;
2863 	case USB_DEVICE_REMOVE:
2864 		usbdev_remove(dev);
2865 		break;
2866 	}
2867 	return NOTIFY_OK;
2868 }
2869 
2870 static struct notifier_block usbdev_nb = {
2871 	.notifier_call =	usbdev_notify,
2872 };
2873 
2874 static struct cdev usb_device_cdev;
2875 
2876 int __init usb_devio_init(void)
2877 {
2878 	int retval;
2879 
2880 	retval = register_chrdev_region(USB_DEVICE_DEV, USB_DEVICE_MAX,
2881 					"usb_device");
2882 	if (retval) {
2883 		printk(KERN_ERR "Unable to register minors for usb_device\n");
2884 		goto out;
2885 	}
2886 	cdev_init(&usb_device_cdev, &usbdev_file_operations);
2887 	retval = cdev_add(&usb_device_cdev, USB_DEVICE_DEV, USB_DEVICE_MAX);
2888 	if (retval) {
2889 		printk(KERN_ERR "Unable to get usb_device major %d\n",
2890 		       USB_DEVICE_MAJOR);
2891 		goto error_cdev;
2892 	}
2893 	usb_register_notify(&usbdev_nb);
2894 out:
2895 	return retval;
2896 
2897 error_cdev:
2898 	unregister_chrdev_region(USB_DEVICE_DEV, USB_DEVICE_MAX);
2899 	goto out;
2900 }
2901 
2902 void usb_devio_cleanup(void)
2903 {
2904 	usb_unregister_notify(&usbdev_nb);
2905 	cdev_del(&usb_device_cdev);
2906 	unregister_chrdev_region(USB_DEVICE_DEV, USB_DEVICE_MAX);
2907 }
2908