1 /*
2 * Copyright (C) 2003-2008 Takahiro Hirofuchi
3 * Copyright (C) 2015-2016 Nobuo Iwata
4 *
5 * This is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License as published by
7 * the Free Software Foundation; either version 2 of the License, or
8 * (at your option) any later version.
9 *
10 * This is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 * GNU General Public License for more details.
14 *
15 * You should have received a copy of the GNU General Public License
16 * along with this program; if not, write to the Free Software
17 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
18 * USA.
19 */
20
21 #include <linux/kthread.h>
22 #include <linux/file.h>
23 #include <linux/net.h>
24 #include <linux/platform_device.h>
25 #include <linux/slab.h>
26
27 /* Hardening for Spectre-v1 */
28 #include <linux/nospec.h>
29
30 #include "usbip_common.h"
31 #include "vhci.h"
32
33 /* TODO: refine locking ?*/
34
35 /*
36 * output example:
37 * hub port sta spd dev sockfd local_busid
38 * hs 0000 004 000 00000000 000003 1-2.3
39 * ................................................
40 * ss 0008 004 000 00000000 000004 2-3.4
41 * ................................................
42 *
43 * Output includes socket fd instead of socket pointer address to avoid
44 * leaking kernel memory address in:
45 * /sys/devices/platform/vhci_hcd.0/status and in debug output.
46 * The socket pointer address is not used at the moment and it was made
47 * visible as a convenient way to find IP address from socket pointer
48 * address by looking up /proc/net/{tcp,tcp6}. As this opens a security
49 * hole, the change is made to use sockfd instead.
50 *
51 */
port_show_vhci(char ** out,int hub,int port,struct vhci_device * vdev)52 static void port_show_vhci(char **out, int hub, int port, struct vhci_device *vdev)
53 {
54 if (hub == HUB_SPEED_HIGH)
55 *out += sprintf(*out, "hs %04u %03u ",
56 port, vdev->ud.status);
57 else /* hub == HUB_SPEED_SUPER */
58 *out += sprintf(*out, "ss %04u %03u ",
59 port, vdev->ud.status);
60
61 if (vdev->ud.status == VDEV_ST_USED) {
62 *out += sprintf(*out, "%03u %08x ",
63 vdev->speed, vdev->devid);
64 *out += sprintf(*out, "%06u %s",
65 vdev->ud.sockfd,
66 dev_name(&vdev->udev->dev));
67
68 } else {
69 *out += sprintf(*out, "000 00000000 ");
70 *out += sprintf(*out, "000000 0-0");
71 }
72
73 *out += sprintf(*out, "\n");
74 }
75
76 /* Sysfs entry to show port status */
status_show_vhci(int pdev_nr,char * out)77 static ssize_t status_show_vhci(int pdev_nr, char *out)
78 {
79 struct platform_device *pdev = vhcis[pdev_nr].pdev;
80 struct vhci *vhci;
81 struct usb_hcd *hcd;
82 struct vhci_hcd *vhci_hcd;
83 char *s = out;
84 int i;
85 unsigned long flags;
86
87 if (!pdev || !out) {
88 usbip_dbg_vhci_sysfs("show status error\n");
89 return 0;
90 }
91
92 hcd = platform_get_drvdata(pdev);
93 vhci_hcd = hcd_to_vhci_hcd(hcd);
94 vhci = vhci_hcd->vhci;
95
96 spin_lock_irqsave(&vhci->lock, flags);
97
98 for (i = 0; i < VHCI_HC_PORTS; i++) {
99 struct vhci_device *vdev = &vhci->vhci_hcd_hs->vdev[i];
100
101 spin_lock(&vdev->ud.lock);
102 port_show_vhci(&out, HUB_SPEED_HIGH,
103 pdev_nr * VHCI_PORTS + i, vdev);
104 spin_unlock(&vdev->ud.lock);
105 }
106
107 for (i = 0; i < VHCI_HC_PORTS; i++) {
108 struct vhci_device *vdev = &vhci->vhci_hcd_ss->vdev[i];
109
110 spin_lock(&vdev->ud.lock);
111 port_show_vhci(&out, HUB_SPEED_SUPER,
112 pdev_nr * VHCI_PORTS + VHCI_HC_PORTS + i, vdev);
113 spin_unlock(&vdev->ud.lock);
114 }
115
116 spin_unlock_irqrestore(&vhci->lock, flags);
117
118 return out - s;
119 }
120
status_show_not_ready(int pdev_nr,char * out)121 static ssize_t status_show_not_ready(int pdev_nr, char *out)
122 {
123 char *s = out;
124 int i = 0;
125
126 for (i = 0; i < VHCI_HC_PORTS; i++) {
127 out += sprintf(out, "hs %04u %03u ",
128 (pdev_nr * VHCI_PORTS) + i,
129 VDEV_ST_NOTASSIGNED);
130 out += sprintf(out, "000 00000000 0000000000000000 0-0");
131 out += sprintf(out, "\n");
132 }
133
134 for (i = 0; i < VHCI_HC_PORTS; i++) {
135 out += sprintf(out, "ss %04u %03u ",
136 (pdev_nr * VHCI_PORTS) + VHCI_HC_PORTS + i,
137 VDEV_ST_NOTASSIGNED);
138 out += sprintf(out, "000 00000000 0000000000000000 0-0");
139 out += sprintf(out, "\n");
140 }
141 return out - s;
142 }
143
status_name_to_id(const char * name)144 static int status_name_to_id(const char *name)
145 {
146 char *c;
147 long val;
148 int ret;
149
150 c = strchr(name, '.');
151 if (c == NULL)
152 return 0;
153
154 ret = kstrtol(c+1, 10, &val);
155 if (ret < 0)
156 return ret;
157
158 return val;
159 }
160
status_show(struct device * dev,struct device_attribute * attr,char * out)161 static ssize_t status_show(struct device *dev,
162 struct device_attribute *attr, char *out)
163 {
164 char *s = out;
165 int pdev_nr;
166
167 out += sprintf(out,
168 "hub port sta spd dev sockfd local_busid\n");
169
170 pdev_nr = status_name_to_id(attr->attr.name);
171 if (pdev_nr < 0)
172 out += status_show_not_ready(pdev_nr, out);
173 else
174 out += status_show_vhci(pdev_nr, out);
175
176 return out - s;
177 }
178
nports_show(struct device * dev,struct device_attribute * attr,char * out)179 static ssize_t nports_show(struct device *dev, struct device_attribute *attr,
180 char *out)
181 {
182 char *s = out;
183
184 /*
185 * Half the ports are for SPEED_HIGH and half for SPEED_SUPER,
186 * thus the * 2.
187 */
188 out += sprintf(out, "%d\n", VHCI_PORTS * vhci_num_controllers);
189 return out - s;
190 }
191 static DEVICE_ATTR_RO(nports);
192
193 /* Sysfs entry to shutdown a virtual connection */
vhci_port_disconnect(struct vhci_hcd * vhci_hcd,__u32 rhport)194 static int vhci_port_disconnect(struct vhci_hcd *vhci_hcd, __u32 rhport)
195 {
196 struct vhci_device *vdev = &vhci_hcd->vdev[rhport];
197 struct vhci *vhci = vhci_hcd->vhci;
198 unsigned long flags;
199
200 usbip_dbg_vhci_sysfs("enter\n");
201
202 /* lock */
203 spin_lock_irqsave(&vhci->lock, flags);
204 spin_lock(&vdev->ud.lock);
205
206 if (vdev->ud.status == VDEV_ST_NULL) {
207 pr_err("not connected %d\n", vdev->ud.status);
208
209 /* unlock */
210 spin_unlock(&vdev->ud.lock);
211 spin_unlock_irqrestore(&vhci->lock, flags);
212
213 return -EINVAL;
214 }
215
216 /* unlock */
217 spin_unlock(&vdev->ud.lock);
218 spin_unlock_irqrestore(&vhci->lock, flags);
219
220 usbip_event_add(&vdev->ud, VDEV_EVENT_DOWN);
221
222 return 0;
223 }
224
valid_port(__u32 * pdev_nr,__u32 * rhport)225 static int valid_port(__u32 *pdev_nr, __u32 *rhport)
226 {
227 if (*pdev_nr >= vhci_num_controllers) {
228 pr_err("pdev %u\n", *pdev_nr);
229 return 0;
230 }
231 *pdev_nr = array_index_nospec(*pdev_nr, vhci_num_controllers);
232
233 if (*rhport >= VHCI_HC_PORTS) {
234 pr_err("rhport %u\n", *rhport);
235 return 0;
236 }
237 *rhport = array_index_nospec(*rhport, VHCI_HC_PORTS);
238
239 return 1;
240 }
241
store_detach(struct device * dev,struct device_attribute * attr,const char * buf,size_t count)242 static ssize_t store_detach(struct device *dev, struct device_attribute *attr,
243 const char *buf, size_t count)
244 {
245 __u32 port = 0, pdev_nr = 0, rhport = 0;
246 struct usb_hcd *hcd;
247 struct vhci_hcd *vhci_hcd;
248 int ret;
249
250 if (kstrtoint(buf, 10, &port) < 0)
251 return -EINVAL;
252
253 pdev_nr = port_to_pdev_nr(port);
254 rhport = port_to_rhport(port);
255
256 if (!valid_port(&pdev_nr, &rhport))
257 return -EINVAL;
258
259 hcd = platform_get_drvdata(vhcis[pdev_nr].pdev);
260 if (hcd == NULL) {
261 dev_err(dev, "port is not ready %u\n", port);
262 return -EAGAIN;
263 }
264
265 usbip_dbg_vhci_sysfs("rhport %d\n", rhport);
266
267 if ((port / VHCI_HC_PORTS) % 2)
268 vhci_hcd = hcd_to_vhci_hcd(hcd)->vhci->vhci_hcd_ss;
269 else
270 vhci_hcd = hcd_to_vhci_hcd(hcd)->vhci->vhci_hcd_hs;
271
272 ret = vhci_port_disconnect(vhci_hcd, rhport);
273 if (ret < 0)
274 return -EINVAL;
275
276 usbip_dbg_vhci_sysfs("Leave\n");
277
278 return count;
279 }
280 static DEVICE_ATTR(detach, S_IWUSR, NULL, store_detach);
281
valid_args(__u32 * pdev_nr,__u32 * rhport,enum usb_device_speed speed)282 static int valid_args(__u32 *pdev_nr, __u32 *rhport,
283 enum usb_device_speed speed)
284 {
285 if (!valid_port(pdev_nr, rhport)) {
286 return 0;
287 }
288
289 switch (speed) {
290 case USB_SPEED_LOW:
291 case USB_SPEED_FULL:
292 case USB_SPEED_HIGH:
293 case USB_SPEED_WIRELESS:
294 case USB_SPEED_SUPER:
295 break;
296 default:
297 pr_err("Failed attach request for unsupported USB speed: %s\n",
298 usb_speed_string(speed));
299 return 0;
300 }
301
302 return 1;
303 }
304
305 /* Sysfs entry to establish a virtual connection */
306 /*
307 * To start a new USB/IP attachment, a userland program needs to setup a TCP
308 * connection and then write its socket descriptor with remote device
309 * information into this sysfs file.
310 *
311 * A remote device is virtually attached to the root-hub port of @rhport with
312 * @speed. @devid is embedded into a request to specify the remote device in a
313 * server host.
314 *
315 * write() returns 0 on success, else negative errno.
316 */
store_attach(struct device * dev,struct device_attribute * attr,const char * buf,size_t count)317 static ssize_t store_attach(struct device *dev, struct device_attribute *attr,
318 const char *buf, size_t count)
319 {
320 struct socket *socket;
321 int sockfd = 0;
322 __u32 port = 0, pdev_nr = 0, rhport = 0, devid = 0, speed = 0;
323 struct usb_hcd *hcd;
324 struct vhci_hcd *vhci_hcd;
325 struct vhci_device *vdev;
326 struct vhci *vhci;
327 int err;
328 unsigned long flags;
329
330 /*
331 * @rhport: port number of vhci_hcd
332 * @sockfd: socket descriptor of an established TCP connection
333 * @devid: unique device identifier in a remote host
334 * @speed: usb device speed in a remote host
335 */
336 if (sscanf(buf, "%u %u %u %u", &port, &sockfd, &devid, &speed) != 4)
337 return -EINVAL;
338 pdev_nr = port_to_pdev_nr(port);
339 rhport = port_to_rhport(port);
340
341 usbip_dbg_vhci_sysfs("port(%u) pdev(%d) rhport(%u)\n",
342 port, pdev_nr, rhport);
343 usbip_dbg_vhci_sysfs("sockfd(%u) devid(%u) speed(%u)\n",
344 sockfd, devid, speed);
345
346 /* check received parameters */
347 if (!valid_args(&pdev_nr, &rhport, speed))
348 return -EINVAL;
349
350 hcd = platform_get_drvdata(vhcis[pdev_nr].pdev);
351 if (hcd == NULL) {
352 dev_err(dev, "port %d is not ready\n", port);
353 return -EAGAIN;
354 }
355
356 vhci_hcd = hcd_to_vhci_hcd(hcd);
357 vhci = vhci_hcd->vhci;
358
359 if (speed == USB_SPEED_SUPER)
360 vdev = &vhci->vhci_hcd_ss->vdev[rhport];
361 else
362 vdev = &vhci->vhci_hcd_hs->vdev[rhport];
363
364 /* Extract socket from fd. */
365 socket = sockfd_lookup(sockfd, &err);
366 if (!socket)
367 return -EINVAL;
368
369 /* now need lock until setting vdev status as used */
370
371 /* begin a lock */
372 spin_lock_irqsave(&vhci->lock, flags);
373 spin_lock(&vdev->ud.lock);
374
375 if (vdev->ud.status != VDEV_ST_NULL) {
376 /* end of the lock */
377 spin_unlock(&vdev->ud.lock);
378 spin_unlock_irqrestore(&vhci->lock, flags);
379
380 sockfd_put(socket);
381
382 dev_err(dev, "port %d already used\n", rhport);
383 /*
384 * Will be retried from userspace
385 * if there's another free port.
386 */
387 return -EBUSY;
388 }
389
390 dev_info(dev, "pdev(%u) rhport(%u) sockfd(%d)\n",
391 pdev_nr, rhport, sockfd);
392 dev_info(dev, "devid(%u) speed(%u) speed_str(%s)\n",
393 devid, speed, usb_speed_string(speed));
394
395 vdev->devid = devid;
396 vdev->speed = speed;
397 vdev->ud.sockfd = sockfd;
398 vdev->ud.tcp_socket = socket;
399 vdev->ud.status = VDEV_ST_NOTASSIGNED;
400
401 spin_unlock(&vdev->ud.lock);
402 spin_unlock_irqrestore(&vhci->lock, flags);
403 /* end the lock */
404
405 vdev->ud.tcp_rx = kthread_get_run(vhci_rx_loop, &vdev->ud, "vhci_rx");
406 vdev->ud.tcp_tx = kthread_get_run(vhci_tx_loop, &vdev->ud, "vhci_tx");
407
408 rh_port_connect(vdev, speed);
409
410 return count;
411 }
412 static DEVICE_ATTR(attach, S_IWUSR, NULL, store_attach);
413
414 #define MAX_STATUS_NAME 16
415
416 struct status_attr {
417 struct device_attribute attr;
418 char name[MAX_STATUS_NAME+1];
419 };
420
421 static struct status_attr *status_attrs;
422
set_status_attr(int id)423 static void set_status_attr(int id)
424 {
425 struct status_attr *status;
426
427 status = status_attrs + id;
428 if (id == 0)
429 strcpy(status->name, "status");
430 else
431 snprintf(status->name, MAX_STATUS_NAME+1, "status.%d", id);
432 status->attr.attr.name = status->name;
433 status->attr.attr.mode = S_IRUGO;
434 status->attr.show = status_show;
435 sysfs_attr_init(&status->attr.attr);
436 }
437
init_status_attrs(void)438 static int init_status_attrs(void)
439 {
440 int id;
441
442 status_attrs = kcalloc(vhci_num_controllers, sizeof(struct status_attr),
443 GFP_KERNEL);
444 if (status_attrs == NULL)
445 return -ENOMEM;
446
447 for (id = 0; id < vhci_num_controllers; id++)
448 set_status_attr(id);
449
450 return 0;
451 }
452
finish_status_attrs(void)453 static void finish_status_attrs(void)
454 {
455 kfree(status_attrs);
456 }
457
458 struct attribute_group vhci_attr_group = {
459 .attrs = NULL,
460 };
461
vhci_init_attr_group(void)462 int vhci_init_attr_group(void)
463 {
464 struct attribute **attrs;
465 int ret, i;
466
467 attrs = kcalloc((vhci_num_controllers + 5), sizeof(struct attribute *),
468 GFP_KERNEL);
469 if (attrs == NULL)
470 return -ENOMEM;
471
472 ret = init_status_attrs();
473 if (ret) {
474 kfree(attrs);
475 return ret;
476 }
477 *attrs = &dev_attr_nports.attr;
478 *(attrs + 1) = &dev_attr_detach.attr;
479 *(attrs + 2) = &dev_attr_attach.attr;
480 *(attrs + 3) = &dev_attr_usbip_debug.attr;
481 for (i = 0; i < vhci_num_controllers; i++)
482 *(attrs + i + 4) = &((status_attrs + i)->attr.attr);
483 vhci_attr_group.attrs = attrs;
484 return 0;
485 }
486
vhci_finish_attr_group(void)487 void vhci_finish_attr_group(void)
488 {
489 finish_status_attrs();
490 kfree(vhci_attr_group.attrs);
491 }
492