Commit Graph

17 Commits

Author SHA1 Message Date
Gustavo A. R. Silva a0d6ec8809 usbip: vhci_sysfs: fix potential Spectre v1
pdev_nr and rhport can be controlled by user-space, hence leading to
a potential exploitation of the Spectre variant 1 vulnerability.

This issue was detected with the help of Smatch:
drivers/usb/usbip/vhci_sysfs.c:238 detach_store() warn: potential spectre issue 'vhcis'
drivers/usb/usbip/vhci_sysfs.c:328 attach_store() warn: potential spectre issue 'vhcis'
drivers/usb/usbip/vhci_sysfs.c:338 attach_store() warn: potential spectre issue 'vhci->vhci_hcd_ss->vdev'
drivers/usb/usbip/vhci_sysfs.c:340 attach_store() warn: potential spectre issue 'vhci->vhci_hcd_hs->vdev'

Fix this by sanitizing pdev_nr and rhport before using them to index
vhcis and vhci->vhci_hcd_ss->vdev respectively.

Notice that given that speculation windows are large, the policy is
to kill the speculation on the first load and not worry if it can be
completed with a dependent load/store [1].

[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2

Cc: stable@vger.kernel.org
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Acked-by: Shuah Khan (Samsung OSG) <shuah@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-05-24 18:14:28 +02:00
Greg Kroah-Hartman ca35910a1b USB: move many drivers to use DEVICE_ATTR_WO
Instead of "open coding" a DEVICE_ATTR() define, use the
DEVICE_ATTR_WO() macro instead, which does everything properly instead.

This does require a few static functions to be renamed to work properly,
but thanks to a script from Joe Perches, this was easily done.

Reported-by: Joe Perches <joe@perches.com>
Cc: Peter Chen <Peter.Chen@nxp.com>
Cc: Valentina Manea <valentina.manea.m@gmail.com>
Acked-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Acked-by: Johan Hovold <johan@kernel.org>
Acked-by: Shuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-01-24 08:49:52 +01:00
Shuah Khan 5468099c74 usbip: vhci_hcd: update 'status' file header and format
Commit 2f2d0088eb
("usbip: prevent vhci_hcd driver from leaking a socket pointer address")
in the /sys/devices/platform/vhci_hcd/status.

Fix the header and field alignment to reflect the changes and make it
easier to read.

Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-01-22 15:34:37 +01:00
Shuah Khan 2f2d0088eb usbip: prevent vhci_hcd driver from leaking a socket pointer address
When a client has a USB device attached over IP, the vhci_hcd driver is
locally leaking a socket pointer address via the

/sys/devices/platform/vhci_hcd/status file (world-readable) and in debug
output when "usbip --debug port" is run.

Fix it to not leak. The socket pointer address is not used at the moment
and it was made visible as a convenient way to find IP address from socket
pointer address by looking up /proc/net/{tcp,tcp6}.

As this opens a security hole, the fix replaces socket pointer address with
sockfd.

Reported-by: Secunia Research <vuln@secunia.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-12-08 17:32:23 +01:00
Greg Kroah-Hartman 7f2b019c8d USB: usbip: Remove redundant license text
Now that the SPDX tag is in all USB files, that identifies the license
in a specific and legally-defined manner.  So the extra GPL text wording
can be removed as it is no longer needed at all.

This is done on a quest to remove the 700+ different ways that files in
the kernel describe the GPL license text.  And there's unneeded stuff
like the address (sometimes incorrect) for the FSF which is never
needed.

No copyright headers or other non-license-description text was removed.

Cc: Valentina Manea <valentina.manea.m@gmail.com>
Acked-by: Shuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-11-07 15:45:01 +01:00
Greg Kroah-Hartman 5fd54ace47 USB: add SPDX identifiers to all remaining files in drivers/usb/
It's good to have SPDX identifiers in all files to make it easier to
audit the kernel tree for correct licenses.

Update the drivers/usb/ and include/linux/usb* files with the correct
SPDX license identifier based on the license text in the file itself.
The SPDX identifier is a legally binding shorthand, which can be used
instead of the full boiler plate text.

This work is based on a script and data from Thomas Gleixner, Philippe
Ombredanne, and Kate Stewart.

Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Kate Stewart <kstewart@linuxfoundation.org>
Cc: Philippe Ombredanne <pombredanne@nexb.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Acked-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Acked-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-11-04 11:48:02 +01:00
Nobuo Iwata a38711a88b usbip: auto retry for concurrent attach
This patch adds recovery from false busy state on concurrent attach
operation.

The procedure of attach operation is as below.
1) Find an unused port in /sys/devices/platform/vhci_hcd/status.
(userspace)
2) Request attach found port to driver through
/sys/devices/platform/vhci_hcd/attach. (userspace)
3) Lock table, reserve requested port and unlock table. (vhci driver)

Attaching more than one remote devices concurrently, same unused port
number will be found in step-1. Then one request will succeed and
others will fail even though there are some unused ports.

With this patch, driver returns EBUSY when requested port has already
been used. In this case, attach command retries from step-1: finding
another unused port. If there's no unused port, the attach operation
will fail in step-1. Otherwise it retries automatically using another
unused port.

vhci-hcd's interface (only errno) is changed as following.

Current	errno	New errno	Condition
EINVAL		same as left	specified port number is in invalid
				range
EAGAIN		same as left	platform_get_drvdata() failed
EINVAL		same as left	specified socket fd is not valid
EINVAL		EBUSY		specified port status is not free

The errno EBUSY was not used in userspace
src/usbip_attach.c:import_device(). It is needed to distinguish the
condition to be able to retry from other unrecoverable errors.

It is possible to avoid this failure by introducing userspace exclusive
control. But it's exaggerated for this special condition. The locking
itself has done in driver.
As an alternate solution, userspace doesn't specify port number, driver
searches unused port and it returns port number to the userspace. With
this solution, the interface is much different than this patch.

Signed-off-by: Nobuo Iwata <nobuo.iwata@fujixerox.co.jp>
Acked-by: Shuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-08-31 18:08:45 +02:00
Yuyang Du b891245bff usbip: vhci-hcd: Clean up the code by adding a new macro
Each vhci has 2*VHCI_HC_PORTS ports, in which VHCI_HC_PORTS
ports are HighSpeed (or below), and VHCI_HC_PORTS are SuperSpeed.
This new macro VHCI_PORTS reflects this configuration.

Signed-off-by: Yuyang Du <yuyang.du@intel.com>
Acked-by: Shuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-06-13 10:51:10 +02:00
Yuyang Du df9032c13d usbip: Add USB_SPEED_SUPER as valid arg
With this patch, USB_SPEED_SUPER is a valid speed when attaching
a USB3 SuperSpeed device.

Signed-off-by: Yuyang Du <yuyang.du@intel.com>
Acked-by: Shuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-06-13 10:51:10 +02:00
Yuyang Du 1c9de5bf42 usbip: vhci-hcd: Add USB3 SuperSpeed support
This patch adds a USB3 HCD to an existing USB2 HCD and provides
the support of SuperSpeed, in case the device can only be enumerated
with SuperSpeed.

The bulk of the added code in usb3_bos_desc and hub_control to support
SuperSpeed is borrowed from the commit 1cd8fd2887 ("usb: gadget:
dummy_hcd: add SuperSpeed support").

With this patch, each vhci will have VHCI_HC_PORTS HighSpeed ports
and VHCI_HC_PORTS SuperSpeed ports.

Suggested-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Signed-off-by: Yuyang Du <yuyang.du@intel.com>
Acked-by: Shuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-06-13 10:51:10 +02:00
Yuyang Du 03cd00d538 usbip: vhci-hcd: Set the vhci structure up to work
This patch enables the new vhci structure. Its lock protects
both the USB2 hub and the shared USB3 hub.

Signed-off-by: Yuyang Du <yuyang.du@intel.com>
Acked-by: Shuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-06-13 10:51:10 +02:00
Yuyang Du 89a73d281f usbip: vhci-hcd: Move VHCI platform device into vhci struct
Every VHCI is a platform device, so move the platform_device struct
into the VHCI struct.

Signed-off-by: Yuyang Du <yuyang.du@intel.com>
Acked-by: Shuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-06-13 10:51:10 +02:00
Yuyang Du 5ec0edc965 usbip: vhci-hcd: Rename function names to reflect their struct names
These helper function names are renamed to have their full struct
names to avoid confusion:

 - hcd_to_vhci() -> hcd_to_vhci_hcd()
 - vhci_to_hcd() -> vhci_hcd_to_hcd()
 - vdev_to_vhci() -> vdev_to_vhci_hcd()

Signed-off-by: Yuyang Du <yuyang.du@intel.com>
Acked-by: Shuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-06-13 10:51:09 +02:00
Shuah Khan 918b8ac55b usbip: fix warning in vhci_hcd_probe/lockdep_init_map
vhci_hcd calls sysfs_create_group() with dynamically allocated sysfs
attributes triggering the lock-class key not persistent warning. Call
sysfs_attr_init() for dynamically allocated sysfs attributes to fix it.

vhci_hcd vhci_hcd: USB/IP Virtual Host Controller
vhci_hcd vhci_hcd: new USB bus registered, assigned bus number 2
BUG: key ffff88006a7e8d18 not in .data!
------------[ cut here ]------------
WARNING: CPU: 0 PID: 1 at kernel/locking/lockdep.c:3131
lockdep_init_map+0x60c/0x770
DEBUG_LOCKS_WARN_ON(1)[    1.567044] Modules linked in:
CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.9.0-rc7+ #58
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 ffff88006bce6eb8 ffffffff81f96c8a ffffffff00000a02 1ffff1000d79cd6a
 ffffed000d79cd62 000000046bce6ed8 0000000041b58ab3 ffffffff8598af40
 ffffffff81f969f8 0000000000000000 0000000041b58ab3 0000000000000200
Call Trace:
 [<     inline     >] __dump_stack lib/dump_stack.c:15
 [<ffffffff81f96c8a>] dump_stack+0x292/0x398 lib/dump_stack.c:51
 [<ffffffff812b808f>] __warn+0x19f/0x1e0 kernel/panic.c:550
 [<ffffffff812b8195>] warn_slowpath_fmt+0xc5/0x110 kernel/panic.c:565
 [<ffffffff813f3efc>] lockdep_init_map+0x60c/0x770 kernel/locking/lockdep.c:3131
 [<ffffffff819e43d4>] __kernfs_create_file+0x114/0x2a0 fs/kernfs/file.c:954
 [<ffffffff819e68f5>] sysfs_add_file_mode_ns+0x225/0x520 fs/sysfs/file.c:305
 [<     inline     >] create_files fs/sysfs/group.c:64
 [<ffffffff819e8a89>] internal_create_group+0x239/0x8f0 fs/sysfs/group.c:134
 [<ffffffff819e915f>] sysfs_create_group+0x1f/0x30 fs/sysfs/group.c:156
 [<ffffffff8323de24>] vhci_start+0x5b4/0x7a0 drivers/usb/usbip/vhci_hcd.c:978
 [<ffffffff82c907ca>] usb_add_hcd+0x8da/0x1c60 drivers/usb/core/hcd.c:2867
 [<ffffffff8323bc57>] vhci_hcd_probe+0x97/0x130
drivers/usb/usbip/vhci_hcd.c:1103
 ---
 ---
---[ end trace c33c7b202cf3aac8 ]---

Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2016-12-06 08:37:41 +01:00
Nobuo Iwata 0775a9cbc6 usbip: vhci extension: modifications to vhci driver
Modification to Kconfig, vhci_hc.c, vhci.h and vhci_sysfs.c.

1. kernel config

Followings are added.

USBIP_VHCI_HC_PORTS: Number of ports per USB/IP virtual host
controller. The default is 8 - same as current VHCI_NPORTS.
USBIP_VHCI_NR_HCS: Number of USB/IP virtual host controllers. The
default is 1. This paratmeter is replaced with USBIP_VHCI_INIT_HCS and
USBIP_VHCI_MAX_HCS included in succeeding dynamic extension patch.

2. the_controller to controllers

the_controller is changed to vhci_pdevs: array of struct
platform_device.

3. vhci_sysfs.c

Sysfs structure is changed as following.

BEFORE:
    /sys/devices/platform
        +-- vhci
            +-- status
            +-- attach
            +-- detach
            +-- usbip_debug

AFTER: example for CONFIG_USBIP_NR_HCS=4
    /sys/devices/platform
        +-- vhci
        |   +-- nports
        |   +-- status
        |   +-- status.1
        |   +-- status.2
        |   +-- status.3
        |   +-- attach
        |   +-- detach
        |   +-- usbip_debug
        +-- vhci.1
        +-- vhci.2
        +-- vhci.3

vhci[.N] is shown for each host controller kobj. vhch.1, vhci.2, ...
are shown only when CONFIG_USBIP_NR_HCS is more than 1. Only 'vhci'
(without number) has user space interfaces. 'nports' is newly added to
give ports-per-controller and number of controlles. Before that, number
of ports is acquired by reading status lines. Status is divided for
each controller to avoid page size (4KB) limitation.

Old userspace tool binaries work with the first status within the first
controller.

Inconsistency between status header and content is fixed.
4th and 5th column are
header:          "dev bus"
content(unused): "000 000"
content(used):   "%08x", devid
Only 1st and 2nd column are used by program. In old version, sscanf()
in parse_status expect no bus column. And bus_id string is shown in the
last column. Then bus in the header is removed and unused content is
replaced with 8 zeros. The sscanf() expects more than 5 columns and new
has 6 columns so there's no compatibility issue in this change.

Signed-off-by: Nobuo Iwata <nobuo.iwata@fujixerox.co.jp>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2016-08-09 16:21:05 +02:00
Andrew Goodbody 21619792d1 usb: usbip: Fix possible deadlocks reported by lockdep
Change spin_lock calls to spin_lock_irqsave to prevent
attmpted recursive lock taking in interrupt context.

This patch fixes Bug 109351
  https://bugzilla.kernel.org/show_bug.cgi?id=109351

Signed-off-by: Andrew Goodbody <andrew.goodbody@cambrionix.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2016-02-03 13:52:10 -08:00
Valentina Manea 96c2737716 usbip: move usbip kernel code out of staging
At this point, USB/IP kernel code is fully functional
and can be moved out of staging.

Signed-off-by: Valentina Manea <valentina.manea.m@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-08-25 10:40:06 -07:00