usbip: usbip_host: fix NULL-ptr deref and use-after-free errors
1 // SPDX-License-Identifier: GPL-2.0+
2 /*
3 * Copyright (C) 2003-2008 Takahiro Hirofuchi
4 */
5
6 #include <linux/device.h>
7 #include <linux/file.h>
8 #include <linux/kthread.h>
9 #include <linux/module.h>
10
11 #include "usbip_common.h"
12 #include "stub.h"
13
/*
 * usbip_status_show - report the usbip-host state of the bound device
 *
 * Readable for as long as this driver is bound to the target device.  The
 * value is the numeric ud.status (one of the SDEV_ST_* values), sampled under
 * ud.lock because the sysfs store path and the event-handler callbacks in this
 * file update it under that same lock.
 */
static ssize_t usbip_status_show(struct device *dev,
				 struct device_attribute *attr, char *buf)
{
	struct stub_device *sdev = dev_get_drvdata(dev);
	int st;

	if (sdev == NULL) {
		dev_err(dev, "sdev is null\n");
		return -ENODEV;
	}

	spin_lock_irq(&sdev->ud.lock);
	st = sdev->ud.status;
	spin_unlock_irq(&sdev->ud.lock);

	return snprintf(buf, PAGE_SIZE, "%d\n", st);
}
static DEVICE_ATTR_RO(usbip_status);
36
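/*
 * usbip_sockfd_store - attach or detach the socket that carries usbip traffic
 *
 * Userspace writes the descriptor of an established TCP connection to start
 * the stub_rx/stub_tx kernel threads on it, or the magic value -1 to finish
 * the connection through SDEV_EVENT_DOWN.
 *
 * The descriptor is untrusted input: it is resolved with sockfd_lookup() and
 * rejected unless it is a SOCK_STREAM socket.  ud.tcp_socket, ud.sockfd,
 * ud.tcp_rx, ud.tcp_tx and ud.status are published in a single critical
 * section, after both threads exist but before they are woken, so that
 * stub_shutdown_connection() (which only stops threads whose task pointer is
 * non-NULL) can never observe a running thread it does not know about, and no
 * error pointer is ever stored where a task pointer is expected.
 *
 * Returns @count on success, -ENODEV without driver data, -EINVAL otherwise.
 */
static ssize_t usbip_sockfd_store(struct device *dev, struct device_attribute *attr,
				  const char *buf, size_t count)
{
	struct stub_device *sdev = dev_get_drvdata(dev);
	struct task_struct *tcp_rx;
	struct task_struct *tcp_tx;
	struct socket *socket;
	int sockfd = 0;
	int rv;
	int err;

	if (!sdev) {
		dev_err(dev, "sdev is null\n");
		return -ENODEV;
	}

	rv = sscanf(buf, "%d", &sockfd);
	if (rv != 1)
		return -EINVAL;

	if (sockfd == -1) {
		dev_info(dev, "stub down\n");

		spin_lock_irq(&sdev->ud.lock);
		if (sdev->ud.status != SDEV_ST_USED)
			goto err;
		spin_unlock_irq(&sdev->ud.lock);

		usbip_event_add(&sdev->ud, SDEV_EVENT_DOWN);
		return count;
	}

	dev_info(dev, "stub up\n");

	spin_lock_irq(&sdev->ud.lock);

	if (sdev->ud.status != SDEV_ST_AVAILABLE) {
		dev_err(dev, "not ready\n");
		goto err;
	}

	socket = sockfd_lookup(sockfd, &err);
	if (!socket) {
		dev_err(dev, "failed to lookup sock");
		goto err;
	}

	/* usbip framing assumes a stream socket; refuse any other type */
	if (socket->type != SOCK_STREAM) {
		dev_err(dev, "Expecting SOCK_STREAM - found %d", socket->type);
		goto sock_err;
	}

	/*
	 * kthread_create() may sleep, so the spinlock must be dropped here.
	 * Nothing has been published to ud yet: a concurrent reader still sees
	 * SDEV_ST_AVAILABLE with no socket attached.
	 *
	 * NOTE(review): two writers racing on this attribute can both pass the
	 * SDEV_ST_AVAILABLE check while the lock is dropped; serialising the
	 * sysfs store paths with a mutex would close that window.
	 */
	spin_unlock_irq(&sdev->ud.lock);

	tcp_rx = kthread_create(stub_rx_loop, &sdev->ud, "stub_rx");
	if (IS_ERR(tcp_rx)) {
		sockfd_put(socket);
		return -EINVAL;
	}
	tcp_tx = kthread_create(stub_tx_loop, &sdev->ud, "stub_tx");
	if (IS_ERR(tcp_tx)) {
		/* never woken, so it exits without running stub_rx_loop */
		kthread_stop(tcp_rx);
		sockfd_put(socket);
		return -EINVAL;
	}

	/* references are dropped by kthread_stop_put() in shutdown */
	get_task_struct(tcp_rx);
	get_task_struct(tcp_tx);

	/* publish the complete connection together with the state change */
	spin_lock_irq(&sdev->ud.lock);
	sdev->ud.tcp_socket = socket;
	sdev->ud.sockfd = sockfd;
	sdev->ud.tcp_rx = tcp_rx;
	sdev->ud.tcp_tx = tcp_tx;
	sdev->ud.status = SDEV_ST_USED;
	spin_unlock_irq(&sdev->ud.lock);

	wake_up_process(tcp_rx);
	wake_up_process(tcp_tx);

	return count;

sock_err:
	sockfd_put(socket);
err:
	spin_unlock_irq(&sdev->ud.lock);
	return -EINVAL;
}
static DEVICE_ATTR_WO(usbip_sockfd);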
108
/* sysfs attributes exposed on a claimed device, in creation order */
static const struct device_attribute *const stub_dev_attrs[] = {
	&dev_attr_usbip_status,
	&dev_attr_usbip_sockfd,
	&dev_attr_usbip_debug,
};

/*
 * stub_add_files - create the usbip-host sysfs files on @dev
 *
 * Creates every entry of stub_dev_attrs in order.  If one creation fails,
 * the entries created so far are removed again (most recent first) and the
 * error from device_create_file() is returned; otherwise 0.
 */
static int stub_add_files(struct device *dev)
{
	size_t i;
	int err;

	for (i = 0; i < ARRAY_SIZE(stub_dev_attrs); i++) {
		err = device_create_file(dev, stub_dev_attrs[i]);
		if (err)
			goto unwind;
	}

	return 0;

unwind:
	while (i-- > 0)
		device_remove_file(dev, stub_dev_attrs[i]);
	return err;
}

/* stub_remove_files - remove the sysfs files created by stub_add_files() */
static void stub_remove_files(struct device *dev)
{
	size_t i;

	for (i = 0; i < ARRAY_SIZE(stub_dev_attrs); i++)
		device_remove_file(dev, stub_dev_attrs[i]);
}
141
/* Free every pending and every recycled stub_unlink of @sdev under priv_lock. */
static void stub_free_unlinks(struct stub_device *sdev)
{
	struct stub_unlink *unlink, *tmp;
	unsigned long flags;

	spin_lock_irqsave(&sdev->priv_lock, flags);

	list_for_each_entry_safe(unlink, tmp, &sdev->unlink_tx, list) {
		list_del(&unlink->list);
		kfree(unlink);
	}
	list_for_each_entry_safe(unlink, tmp, &sdev->unlink_free, list) {
		list_del(&unlink->list);
		kfree(unlink);
	}

	spin_unlock_irqrestore(&sdev->priv_lock, flags);
}

/*
 * stub_shutdown_connection - eh_ops.shutdown callback for usbip-host
 *
 * Tears down the current connection of @ud in a fixed order: the socket is
 * shut down so the rx/tx threads stop blocking, the threads are stopped and
 * their references dropped, the socket is released, and finally the URBs and
 * stub_unlink entries owned by the device are freed.
 */
static void stub_shutdown_connection(struct usbip_device *ud)
{
	struct stub_device *sdev = container_of(ud, struct stub_device, ud);

	/*
	 * Shut the socket down before stopping the threads.  The original
	 * author recorded a panic with EIP inside sk_wait_data of the stub_rx
	 * thread when an exported device was removed, and suspected a thread
	 * that had already been stopped in step 1 returning from sk_wait_data.
	 */
	if (ud->tcp_socket) {
		dev_dbg(&sdev->udev->dev, "shutdown sockfd %d\n", ud->sockfd);
		kernel_sock_shutdown(ud->tcp_socket, SHUT_RDWR);
	}

	/* 1. stop threads */
	if (ud->tcp_rx) {
		kthread_stop_put(ud->tcp_rx);
		ud->tcp_rx = NULL;
	}
	if (ud->tcp_tx) {
		kthread_stop_put(ud->tcp_tx);
		ud->tcp_tx = NULL;
	}

	/*
	 * 2. close the socket -- only after the threads are gone, so that
	 * usbip_xmit never dereferences a NULL socket.
	 */
	if (ud->tcp_socket) {
		sockfd_put(ud->tcp_socket);
		ud->tcp_socket = NULL;
		ud->sockfd = -1;
	}

	/* 3. free used data */
	stub_device_cleanup_urbs(sdev);

	/* 4. free stub_unlink */
	stub_free_unlinks(sdev);
}
200
/*
 * stub_device_reset - eh_ops.reset callback for usbip-host
 *
 * Resets the exported USB device.  On success ud.status returns to
 * SDEV_ST_AVAILABLE; if the device cannot be locked or the reset fails,
 * ud.status becomes SDEV_ST_ERROR.
 */
static void stub_device_reset(struct usbip_device *ud)
{
	struct stub_device *sdev = container_of(ud, struct stub_device, ud);
	struct usb_device *udev = sdev->udev;
	int new_status;
	int rc;

	dev_dbg(&udev->dev, "device reset");

	rc = usb_lock_device_for_reset(udev, NULL);
	if (rc < 0) {
		dev_err(&udev->dev, "lock for reset\n");
		spin_lock_irq(&ud->lock);
		ud->status = SDEV_ST_ERROR;
		spin_unlock_irq(&ud->lock);
		return;
	}

	/* try to reset the device */
	rc = usb_reset_device(udev);
	usb_unlock_device(udev);

	if (rc) {
		dev_err(&udev->dev, "device reset\n");
		new_status = SDEV_ST_ERROR;
	} else {
		dev_info(&udev->dev, "device reset\n");
		new_status = SDEV_ST_AVAILABLE;
	}

	spin_lock_irq(&ud->lock);
	ud->status = new_status;
	spin_unlock_irq(&ud->lock);
}
232
/*
 * stub_device_unusable - eh_ops.unusable callback for usbip-host
 *
 * Marks @ud as SDEV_ST_ERROR under ud.lock; nothing else is torn down here.
 */
static void stub_device_unusable(struct usbip_device *ud)
{
	spinlock_t *lock = &ud->lock;

	spin_lock_irq(lock);
	ud->status = SDEV_ST_ERROR;
	spin_unlock_irq(lock);
}
239
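/**
 * stub_device_alloc - allocate a new stub_device struct
 * @udev: usb_device of a new device
 *
 * Allocates and initializes a new stub_device struct, takes a reference on
 * @udev (the caller drops it with usb_put_dev() when freeing the stub device)
 * and starts the usbip event-handler thread for the device.
 *
 * Return: the new stub_device, or NULL when the allocation or the start of
 * the event handler fails.  On failure the @udev reference is released and
 * nothing is left for the caller to undo.
 */
static struct stub_device *stub_device_alloc(struct usb_device *udev)
{
	struct stub_device *sdev;
	int busnum = udev->bus->busnum;
	int devnum = udev->devnum;

	dev_dbg(&udev->dev, "allocating stub device");

	/* yes, it's a new device */
	sdev = kzalloc(sizeof(*sdev), GFP_KERNEL);
	if (!sdev)
		return NULL;

	sdev->udev = usb_get_dev(udev);

	/*
	 * devid is defined with devnum when this driver is first allocated.
	 * devnum may change later if a device is reset. However, devid never
	 * changes during a usbip connection.
	 */
	sdev->devid = (busnum << 16) | devnum;
	sdev->ud.side = USBIP_STUB;
	sdev->ud.status = SDEV_ST_AVAILABLE;
	spin_lock_init(&sdev->ud.lock);
	sdev->ud.tcp_socket = NULL;
	sdev->ud.sockfd = -1;

	INIT_LIST_HEAD(&sdev->priv_init);
	INIT_LIST_HEAD(&sdev->priv_tx);
	INIT_LIST_HEAD(&sdev->priv_free);
	INIT_LIST_HEAD(&sdev->unlink_free);
	INIT_LIST_HEAD(&sdev->unlink_tx);
	spin_lock_init(&sdev->priv_lock);

	init_waitqueue_head(&sdev->tx_waitq);

	sdev->ud.eh_ops.shutdown = stub_shutdown_connection;
	sdev->ud.eh_ops.reset = stub_device_reset;
	sdev->ud.eh_ops.unusable = stub_device_unusable;

	/*
	 * usbip_start_eh() creates the event-handler kthread and reports a
	 * failure to do so.  Ignoring that would hand out a stub_device whose
	 * event handler never runs and whose ud.eh holds an error pointer for
	 * usbip_stop_eh() (called from shutdown_busid()) to act on later, so
	 * fail the allocation instead.
	 */
	if (usbip_start_eh(&sdev->ud)) {
		dev_err(&udev->dev, "unable to start event handler\n");
		usb_put_dev(udev);
		kfree(sdev);
		return NULL;
	}

	dev_dbg(&udev->dev, "register new device\n");

	return sdev;
}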
292
/*
 * stub_device_free - release a stub_device allocated by stub_device_alloc()
 *
 * Frees only the struct itself; the usb_device reference taken in
 * stub_device_alloc() is dropped separately by the callers with usb_put_dev().
 */
static void stub_device_free(struct stub_device *sdev)
{
	kfree(sdev);
}
297
/*
 * stub_probe_check - decide whether usbip-host should claim @udev
 *
 * Logs why a device is skipped and returns -ENODEV when @udev is not in the
 * match_busid table (or its entry is marked for removal or as owned by another
 * driver), is a hub, or sits on the vhci_hcd bus.  Returns 0 when the device
 * is ours.  @busid_priv may be NULL.
 */
static int stub_probe_check(struct usb_device *udev,
			    struct bus_id_priv *busid_priv,
			    const char *udev_busid)
{
	if (!busid_priv || busid_priv->status == STUB_BUSID_REMOV ||
	    busid_priv->status == STUB_BUSID_OTHER) {
		dev_info(&udev->dev,
			 "%s is not in match_busid table... skip!\n",
			 udev_busid);

		/*
		 * -ENODEV (or -ENXIO) makes the driver core continue with
		 * other matching drivers; see driver_probe_device() in
		 * drivers/base/dd.c.
		 */
		return -ENODEV;
	}

	if (udev->descriptor.bDeviceClass == USB_CLASS_HUB) {
		dev_dbg(&udev->dev, "%s is a usb hub device... skip!\n",
			udev_busid);
		return -ENODEV;
	}

	if (!strcmp(udev->bus->bus_name, "vhci_hcd")) {
		dev_dbg(&udev->dev,
			"%s is attached on vhci_hcd... skip!\n",
			udev_busid);
		return -ENODEV;
	}

	return 0;
}

/*
 * stub_probe - usb_device_driver.probe for usbip-host
 *
 * Claims @udev when its bus id is in the match table: allocates the
 * stub_device, stores it as driver data and in the busid entry, claims the
 * hub port and creates the sysfs files.  Every failure after the allocation
 * undoes the steps taken so far.  The busid entry obtained with
 * get_busid_priv() is released on all paths.
 *
 * Returns 0 on success, -ENODEV when the device is not ours, -ENOMEM when
 * the stub_device cannot be allocated, or the error of the failing step.
 */
static int stub_probe(struct usb_device *udev)
{
	const char *udev_busid = dev_name(&udev->dev);
	struct bus_id_priv *busid_priv;
	struct stub_device *sdev;
	int rc;

	dev_dbg(&udev->dev, "Enter probe\n");

	/* check we should claim or not by busid_table */
	busid_priv = get_busid_priv(udev_busid);
	rc = stub_probe_check(udev, busid_priv, udev_busid);
	if (rc)
		goto out;

	/* ok, this is my device */
	sdev = stub_device_alloc(udev);
	if (!sdev) {
		rc = -ENOMEM;
		goto out;
	}

	dev_info(&udev->dev,
		 "usbip-host: register new device (bus %u dev %u)\n",
		 udev->bus->busnum, udev->devnum);

	busid_priv->shutdown_busid = 0;

	/* set private data to usb_device */
	dev_set_drvdata(&udev->dev, sdev);
	busid_priv->sdev = sdev;
	busid_priv->udev = udev;

	/*
	 * Claim this hub port.  The owner (struct usb_dev_state) only has to
	 * be unique, so the usb_device pointer itself is used.
	 */
	rc = usb_hub_claim_port(udev->parent, udev->portnum,
				(struct usb_dev_state *) udev);
	if (rc) {
		dev_dbg(&udev->dev, "unable to claim port\n");
		goto undo_alloc;
	}

	rc = stub_add_files(&udev->dev);
	if (rc) {
		dev_err(&udev->dev, "stub_add_files for %s\n", udev_busid);
		goto undo_port;
	}

	busid_priv->status = STUB_BUSID_ALLOC;
	rc = 0;
	goto out;

undo_port:
	usb_hub_release_port(udev->parent, udev->portnum,
			     (struct usb_dev_state *) udev);
undo_alloc:
	dev_set_drvdata(&udev->dev, NULL);
	usb_put_dev(udev);
	busid_priv->sdev = NULL;
	stub_device_free(sdev);
out:
	put_busid_priv(busid_priv);
	return rc;
}
394
/*
 * shutdown_busid - end the connection of the device behind @busid_priv once
 *
 * Queues SDEV_EVENT_REMOVED for the stub device and waits for its event
 * handler to stop.  The shutdown_busid flag makes this a one-shot: a second
 * call for the same entry, or a call for an entry without a stub device,
 * does nothing.
 */
static void shutdown_busid(struct bus_id_priv *busid_priv)
{
	struct stub_device *sdev = busid_priv->sdev;

	if (!sdev || busid_priv->shutdown_busid)
		return;

	busid_priv->shutdown_busid = 1;
	usbip_event_add(&sdev->ud, SDEV_EVENT_REMOVED);

	/* wait for the stop of the event handler */
	usbip_stop_eh(&sdev->ud);
}
405
/*
 * stub_disconnect - usb_device_driver.disconnect for usbip-host
 *
 * Called from usb_disconnect() or usb_deregister(), but only if an active
 * configuration (actconfig) exists.  Clears the driver data, removes the
 * sysfs files, releases the hub port, shuts the connection down and frees
 * the stub_device.  When invoked from the event handler itself (a reset
 * in progress) only the sysfs and port teardown happens; the stub_device
 * is kept.  The busid entry from get_busid_priv() is released on every
 * path that obtained it.
 */
static void stub_disconnect(struct usb_device *udev)
{
	const char *udev_busid = dev_name(&udev->dev);
	struct bus_id_priv *busid_priv;
	struct stub_device *sdev;

	dev_dbg(&udev->dev, "Enter disconnect\n");

	busid_priv = get_busid_priv(udev_busid);
	if (!busid_priv) {
		BUG();
		return;
	}

	/* get stub_device */
	sdev = dev_get_drvdata(&udev->dev);
	if (!sdev) {
		dev_err(&udev->dev, "could not get device");
		goto out;
	}
	dev_set_drvdata(&udev->dev, NULL);

	/*
	 * NOTE: rx/tx threads are invoked for each usb_device.
	 */
	stub_remove_files(&udev->dev);

	/* release port */
	if (usb_hub_release_port(udev->parent, udev->portnum,
				 (struct usb_dev_state *) udev)) {
		dev_dbg(&udev->dev, "unable to release port\n");
		goto out;
	}

	/* If usb reset is called from event handler */
	if (usbip_in_eh(current))
		goto out;

	/* shutdown the current connection */
	shutdown_busid(busid_priv);

	usb_put_dev(sdev->udev);

	/* free sdev */
	busid_priv->sdev = NULL;
	stub_device_free(sdev);

	if (busid_priv->status == STUB_BUSID_ALLOC)
		busid_priv->status = STUB_BUSID_ADDED;

out:
	put_busid_priv(busid_priv);
}
467
468 #ifdef CONFIG_PM
469
470 /* These functions need usb_port_suspend and usb_port_resume,
471 * which reside in drivers/usb/core/usb.h. Skip for now. */
472
/* stub_suspend - PM suspend hook; only logs, always succeeds (see note above) */
static int stub_suspend(struct usb_device *udev, pm_message_t message)
{
	dev_dbg(&udev->dev, "stub_suspend\n");
	return 0;
}
479
/* stub_resume - PM resume hook; only logs, always succeeds (see note above) */
static int stub_resume(struct usb_device *udev, pm_message_t message)
{
	dev_dbg(&udev->dev, "stub_resume\n");
	return 0;
}
486
487 #endif /* CONFIG_PM */
488
/*
 * usbip-host binds to whole USB devices (a usb_device_driver, not an
 * interface driver) so that it can claim the hub port and export the device.
 * Autosuspend is left off: the remote side owns the device's power state.
 */
struct usb_device_driver stub_driver = {
	.name			= "usbip-host",
	.probe			= stub_probe,
	.disconnect		= stub_disconnect,
	.supports_autosuspend	= 0,
#ifdef CONFIG_PM
	.suspend		= stub_suspend,
	.resume			= stub_resume,
#endif
};