2 * The USB Monitor, inspired by Dave Harding's USBMon.
4 * This is a text format reader.
7 #include <linux/kernel.h>
8 #include <linux/list.h>
10 #include <linux/time.h>
11 #include <linux/mutex.h>
12 #include <linux/debugfs.h>
13 #include <asm/uaccess.h>
18 * No, we do not want arbitrarily long data strings.
19 * Use the binary interface if you want to capture bulk data!
24 * Defined by USB 2.0 clause 9.3, table 9.2.
29 * This limit exists to prevent OOMs when the user process stops reading.
30 * If usbmon were available to unprivileged processes, it might be open
31 * to a local DoS. But we have to keep to root in order to prevent
32 * password sniffing from HID devices.
34 #define EVENT_MAX (2*PAGE_SIZE / sizeof(struct mon_event_text))
36 #define PRINTF_DFL 160
38 struct mon_event_text
{
39 struct list_head e_link
;
40 int type
; /* submit, complete, etc. */
41 unsigned int pipe
; /* Pipe */
42 unsigned long id
; /* From pointer, most of the time */
44 int length
; /* Depends on type: xfer length or act length */
48 unsigned char setup
[SETUP_MAX
];
49 unsigned char data
[DATA_MAX
];
52 #define SLAB_NAME_SZ 30
53 struct mon_reader_text
{
54 struct kmem_cache
*e_slab
;
56 struct list_head e_list
;
57 struct mon_reader r
; /* In C, parent class can be placed anywhere */
59 wait_queue_head_t wait
;
62 struct mutex printf_lock
;
64 char slab_name
[SLAB_NAME_SZ
];
67 static struct dentry
*mon_dir
; /* Usually /sys/kernel/debug/usbmon */
69 static void mon_text_ctor(void *, struct kmem_cache
*, unsigned long);
75 * May be called from an interrupt.
77 * This is called with the whole mon_bus locked, so no additional lock.
80 static inline char mon_text_get_setup(struct mon_event_text
*ep
,
81 struct urb
*urb
, char ev_type
, struct mon_bus
*mbus
)
84 if (!usb_pipecontrol(urb
->pipe
) || ev_type
!= 'S')
87 if (mbus
->uses_dma
&& (urb
->transfer_flags
& URB_NO_SETUP_DMA_MAP
))
88 return mon_dmapeek(ep
->setup
, urb
->setup_dma
, SETUP_MAX
);
89 if (urb
->setup_packet
== NULL
)
90 return 'Z'; /* '0' would be not as pretty. */
92 memcpy(ep
->setup
, urb
->setup_packet
, SETUP_MAX
);
96 static inline char mon_text_get_data(struct mon_event_text
*ep
, struct urb
*urb
,
97 int len
, char ev_type
, struct mon_bus
*mbus
)
106 if (usb_pipein(pipe
)) {
115 * The check to see if it's safe to poke at data has an enormous
116 * number of corner cases, but it seems that the following is
119 * We do not even try to look at transfer_buffer, because it can
120 * contain non-NULL garbage in case the upper level promised to
121 * set DMA for the HCD.
123 if (mbus
->uses_dma
&& (urb
->transfer_flags
& URB_NO_TRANSFER_DMA_MAP
))
124 return mon_dmapeek(ep
->data
, urb
->transfer_dma
, len
);
126 if (urb
->transfer_buffer
== NULL
)
127 return 'Z'; /* '0' would be not as pretty. */
129 memcpy(ep
->data
, urb
->transfer_buffer
, len
);
133 static inline unsigned int mon_get_timestamp(void)
138 do_gettimeofday(&tval
);
139 stamp
= tval
.tv_sec
& 0xFFFF; /* 2^32 = 4294967296. Limit to 4096s. */
140 stamp
= stamp
* 1000000 + tval
.tv_usec
;
144 static void mon_text_event(struct mon_reader_text
*rp
, struct urb
*urb
,
147 struct mon_event_text
*ep
;
150 stamp
= mon_get_timestamp();
152 if (rp
->nevents
>= EVENT_MAX
||
153 (ep
= kmem_cache_alloc(rp
->e_slab
, GFP_ATOMIC
)) == NULL
) {
154 rp
->r
.m_bus
->cnt_text_lost
++;
159 ep
->pipe
= urb
->pipe
;
160 ep
->id
= (unsigned long) urb
;
162 ep
->length
= (ev_type
== 'S') ?
163 urb
->transfer_buffer_length
: urb
->actual_length
;
164 /* Collecting status makes debugging sense for submits, too */
165 ep
->status
= urb
->status
;
167 ep
->setup_flag
= mon_text_get_setup(ep
, urb
, ev_type
, rp
->r
.m_bus
);
168 ep
->data_flag
= mon_text_get_data(ep
, urb
, ep
->length
, ev_type
,
172 list_add_tail(&ep
->e_link
, &rp
->e_list
);
176 static void mon_text_submit(void *data
, struct urb
*urb
)
178 struct mon_reader_text
*rp
= data
;
179 mon_text_event(rp
, urb
, 'S');
182 static void mon_text_complete(void *data
, struct urb
*urb
)
184 struct mon_reader_text
*rp
= data
;
185 mon_text_event(rp
, urb
, 'C');
188 static void mon_text_error(void *data
, struct urb
*urb
, int error
)
190 struct mon_reader_text
*rp
= data
;
191 struct mon_event_text
*ep
;
193 if (rp
->nevents
>= EVENT_MAX
||
194 (ep
= kmem_cache_alloc(rp
->e_slab
, GFP_ATOMIC
)) == NULL
) {
195 rp
->r
.m_bus
->cnt_text_lost
++;
200 ep
->pipe
= urb
->pipe
;
201 ep
->id
= (unsigned long) urb
;
206 ep
->setup_flag
= '-';
210 list_add_tail(&ep
->e_link
, &rp
->e_list
);
215 * Fetch next event from the circular buffer.
217 static struct mon_event_text
*mon_text_fetch(struct mon_reader_text
*rp
,
218 struct mon_bus
*mbus
)
223 spin_lock_irqsave(&mbus
->lock
, flags
);
224 if (list_empty(&rp
->e_list
)) {
225 spin_unlock_irqrestore(&mbus
->lock
, flags
);
231 spin_unlock_irqrestore(&mbus
->lock
, flags
);
232 return list_entry(p
, struct mon_event_text
, e_link
);
237 static int mon_text_open(struct inode
*inode
, struct file
*file
)
239 struct mon_bus
*mbus
;
240 struct usb_bus
*ubus
;
241 struct mon_reader_text
*rp
;
244 mutex_lock(&mon_lock
);
245 mbus
= inode
->i_private
;
248 rp
= kzalloc(sizeof(struct mon_reader_text
), GFP_KERNEL
);
253 INIT_LIST_HEAD(&rp
->e_list
);
254 init_waitqueue_head(&rp
->wait
);
255 mutex_init(&rp
->printf_lock
);
257 rp
->printf_size
= PRINTF_DFL
;
258 rp
->printf_buf
= kmalloc(rp
->printf_size
, GFP_KERNEL
);
259 if (rp
->printf_buf
== NULL
) {
266 rp
->r
.rnf_submit
= mon_text_submit
;
267 rp
->r
.rnf_error
= mon_text_error
;
268 rp
->r
.rnf_complete
= mon_text_complete
;
270 snprintf(rp
->slab_name
, SLAB_NAME_SZ
, "mon%dt_%lx", ubus
->busnum
,
272 rp
->e_slab
= kmem_cache_create(rp
->slab_name
,
273 sizeof(struct mon_event_text
), sizeof(long), 0,
274 mon_text_ctor
, NULL
);
275 if (rp
->e_slab
== NULL
) {
280 mon_reader_add(mbus
, &rp
->r
);
282 file
->private_data
= rp
;
283 mutex_unlock(&mon_lock
);
287 // kmem_cache_destroy(rp->e_slab);
289 kfree(rp
->printf_buf
);
293 mutex_unlock(&mon_lock
);
298 * For simplicity, we read one record in one system call and throw out
299 * what does not fit. This means that the following does not work:
300 * dd if=/dbg/usbmon/0t bs=10
301 * Also, we do not allow seeks and do not bother advancing the offset.
303 static ssize_t
mon_text_read(struct file
*file
, char __user
*buf
,
304 size_t nbytes
, loff_t
*ppos
)
306 struct mon_reader_text
*rp
= file
->private_data
;
307 struct mon_bus
*mbus
= rp
->r
.m_bus
;
308 DECLARE_WAITQUEUE(waita
, current
);
309 struct mon_event_text
*ep
;
315 add_wait_queue(&rp
->wait
, &waita
);
316 set_current_state(TASK_INTERRUPTIBLE
);
317 while ((ep
= mon_text_fetch(rp
, mbus
)) == NULL
) {
318 if (file
->f_flags
& O_NONBLOCK
) {
319 set_current_state(TASK_RUNNING
);
320 remove_wait_queue(&rp
->wait
, &waita
);
321 return -EWOULDBLOCK
; /* Same as EAGAIN in Linux */
324 * We do not count nwaiters, because ->release is supposed
325 * to be called when all openers are gone only.
328 if (signal_pending(current
)) {
329 remove_wait_queue(&rp
->wait
, &waita
);
332 set_current_state(TASK_INTERRUPTIBLE
);
334 set_current_state(TASK_RUNNING
);
335 remove_wait_queue(&rp
->wait
, &waita
);
337 mutex_lock(&rp
->printf_lock
);
339 pbuf
= rp
->printf_buf
;
340 limit
= rp
->printf_size
;
342 udir
= usb_pipein(ep
->pipe
) ? 'i' : 'o';
343 switch (usb_pipetype(ep
->pipe
)) {
344 case PIPE_ISOCHRONOUS
: utype
= 'Z'; break;
345 case PIPE_INTERRUPT
: utype
= 'I'; break;
346 case PIPE_CONTROL
: utype
= 'C'; break;
347 default: /* PIPE_BULK */ utype
= 'B';
349 cnt
+= snprintf(pbuf
+ cnt
, limit
- cnt
,
350 "%lx %u %c %c%c:%03u:%02u",
351 ep
->id
, ep
->tstamp
, ep
->type
,
352 utype
, udir
, usb_pipedevice(ep
->pipe
), usb_pipeendpoint(ep
->pipe
));
354 if (ep
->setup_flag
== 0) { /* Setup packet is present and captured */
355 cnt
+= snprintf(pbuf
+ cnt
, limit
- cnt
,
356 " s %02x %02x %04x %04x %04x",
359 (ep
->setup
[3] << 8) | ep
->setup
[2],
360 (ep
->setup
[5] << 8) | ep
->setup
[4],
361 (ep
->setup
[7] << 8) | ep
->setup
[6]);
362 } else if (ep
->setup_flag
!= '-') { /* Unable to capture setup packet */
363 cnt
+= snprintf(pbuf
+ cnt
, limit
- cnt
,
364 " %c __ __ ____ ____ ____", ep
->setup_flag
);
365 } else { /* No setup for this kind of URB */
366 cnt
+= snprintf(pbuf
+ cnt
, limit
- cnt
, " %d", ep
->status
);
368 cnt
+= snprintf(pbuf
+ cnt
, limit
- cnt
, " %d", ep
->length
);
370 if ((data_len
= ep
->length
) > 0) {
371 if (ep
->data_flag
== 0) {
372 cnt
+= snprintf(pbuf
+ cnt
, limit
- cnt
, " =");
373 if (data_len
>= DATA_MAX
)
375 for (i
= 0; i
< data_len
; i
++) {
377 cnt
+= snprintf(pbuf
+ cnt
, limit
- cnt
,
380 cnt
+= snprintf(pbuf
+ cnt
, limit
- cnt
,
381 "%02x", ep
->data
[i
]);
383 cnt
+= snprintf(pbuf
+ cnt
, limit
- cnt
, "\n");
385 cnt
+= snprintf(pbuf
+ cnt
, limit
- cnt
,
386 " %c\n", ep
->data_flag
);
389 cnt
+= snprintf(pbuf
+ cnt
, limit
- cnt
, "\n");
392 if (copy_to_user(buf
, rp
->printf_buf
, cnt
))
394 mutex_unlock(&rp
->printf_lock
);
395 kmem_cache_free(rp
->e_slab
, ep
);
399 static int mon_text_release(struct inode
*inode
, struct file
*file
)
401 struct mon_reader_text
*rp
= file
->private_data
;
402 struct mon_bus
*mbus
;
403 /* unsigned long flags; */
405 struct mon_event_text
*ep
;
407 mutex_lock(&mon_lock
);
408 mbus
= inode
->i_private
;
410 if (mbus
->nreaders
<= 0) {
411 printk(KERN_ERR TAG
": consistency error on close\n");
412 mutex_unlock(&mon_lock
);
415 mon_reader_del(mbus
, &rp
->r
);
418 * In theory, e_list is protected by mbus->lock. However,
419 * after mon_reader_del has finished, the following is the case:
420 * - we are not on reader list anymore, so new events won't be added;
421 * - whole mbus may be dropped if it was orphaned.
422 * So, we better not touch mbus.
424 /* spin_lock_irqsave(&mbus->lock, flags); */
425 while (!list_empty(&rp
->e_list
)) {
427 ep
= list_entry(p
, struct mon_event_text
, e_link
);
430 kmem_cache_free(rp
->e_slab
, ep
);
432 /* spin_unlock_irqrestore(&mbus->lock, flags); */
434 kmem_cache_destroy(rp
->e_slab
);
435 kfree(rp
->printf_buf
);
438 mutex_unlock(&mon_lock
);
442 static const struct file_operations mon_fops_text
= {
443 .owner
= THIS_MODULE
,
444 .open
= mon_text_open
,
446 .read
= mon_text_read
,
447 /* .write = mon_text_write, */
448 /* .poll = mon_text_poll, */
449 /* .ioctl = mon_text_ioctl, */
450 .release
= mon_text_release
,
453 int mon_text_add(struct mon_bus
*mbus
, const struct usb_bus
*ubus
)
456 enum { NAMESZ
= 10 };
460 rc
= snprintf(name
, NAMESZ
, "%dt", ubus
->busnum
);
461 if (rc
<= 0 || rc
>= NAMESZ
)
463 d
= debugfs_create_file(name
, 0600, mon_dir
, mbus
, &mon_fops_text
);
468 /* XXX The stats do not belong to here (text API), but oh well... */
469 rc
= snprintf(name
, NAMESZ
, "%ds", ubus
->busnum
);
470 if (rc
<= 0 || rc
>= NAMESZ
)
472 d
= debugfs_create_file(name
, 0600, mon_dir
, mbus
, &mon_fops_stat
);
481 debugfs_remove(mbus
->dent_t
);
488 void mon_text_del(struct mon_bus
*mbus
)
490 debugfs_remove(mbus
->dent_t
);
491 debugfs_remove(mbus
->dent_s
);
495 * Slab interface: constructor.
497 static void mon_text_ctor(void *mem
, struct kmem_cache
*slab
, unsigned long sflags
)
500 * Nothing to initialize. No, really!
501 * So, we fill it with garbage to emulate a reused object.
503 memset(mem
, 0xe5, sizeof(struct mon_event_text
));
506 int __init
mon_text_init(void)
508 struct dentry
*mondir
;
510 mondir
= debugfs_create_dir("usbmon", NULL
);
511 if (IS_ERR(mondir
)) {
512 printk(KERN_NOTICE TAG
": debugfs is not available\n");
515 if (mondir
== NULL
) {
516 printk(KERN_NOTICE TAG
": unable to create usbmon directory\n");
523 void __exit
mon_text_exit(void)
525 debugfs_remove(mon_dir
);