pdev_nr and rhport can be controlled by user-space, hence leading to
a potential exploitation of the Spectre variant 1 vulnerability.
This issue was detected with the help of Smatch:
drivers/usb/usbip/vhci_sysfs.c:238 detach_store() warn: potential spectre issue 'vhcis'
drivers/usb/usbip/vhci_sysfs.c:328 attach_store() warn: potential spectre issue 'vhcis'
drivers/usb/usbip/vhci_sysfs.c:338 attach_store() warn: potential spectre issue 'vhci->vhci_hcd_ss->vdev'
drivers/usb/usbip/vhci_sysfs.c:340 attach_store() warn: potential spectre issue 'vhci->vhci_hcd_hs->vdev'
Fix this by sanitizing pdev_nr and rhport before using them to index
vhcis and vhci->vhci_hcd_ss->vdev respectively.
Notice that given that speculation windows are large, the policy is
to kill the speculation on the first load and not worry if it can be
completed with a dependent load/store [1].
[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
Cc: stable@vger.kernel.org
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Acked-by: Shuah Khan (Samsung OSG) <shuah@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Instead of "open coding" a DEVICE_ATTR() define, use the
DEVICE_ATTR_WO() macro instead, which does everything properly instead.
This does require a few static functions to be renamed to work properly,
but thanks to a script from Joe Perches, this was easily done.
Reported-by: Joe Perches <joe@perches.com>
Cc: Peter Chen <Peter.Chen@nxp.com>
Cc: Valentina Manea <valentina.manea.m@gmail.com>
Acked-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Acked-by: Johan Hovold <johan@kernel.org>
Acked-by: Shuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Commit 2f2d0088eb
("usbip: prevent vhci_hcd driver from leaking a socket pointer address")
in the /sys/devices/platform/vhci_hcd/status.
Fix the header and field alignment to reflect the changes and make it
easier to read.
Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
When a client has a USB device attached over IP, the vhci_hcd driver is
locally leaking a socket pointer address via the
/sys/devices/platform/vhci_hcd/status file (world-readable) and in debug
output when "usbip --debug port" is run.
Fix it to not leak. The socket pointer address is not used at the moment
and it was made visible as a convenient way to find IP address from socket
pointer address by looking up /proc/net/{tcp,tcp6}.
As this opens a security hole, the fix replaces socket pointer address with
sockfd.
Reported-by: Secunia Research <vuln@secunia.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Now that the SPDX tag is in all USB files, that identifies the license
in a specific and legally-defined manner. So the extra GPL text wording
can be removed as it is no longer needed at all.
This is done on a quest to remove the 700+ different ways that files in
the kernel describe the GPL license text. And there's unneeded stuff
like the address (sometimes incorrect) for the FSF which is never
needed.
No copyright headers or other non-license-description text was removed.
Cc: Valentina Manea <valentina.manea.m@gmail.com>
Acked-by: Shuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
It's good to have SPDX identifiers in all files to make it easier to
audit the kernel tree for correct licenses.
Update the drivers/usb/ and include/linux/usb* files with the correct
SPDX license identifier based on the license text in the file itself.
The SPDX identifier is a legally binding shorthand, which can be used
instead of the full boiler plate text.
This work is based on a script and data from Thomas Gleixner, Philippe
Ombredanne, and Kate Stewart.
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Kate Stewart <kstewart@linuxfoundation.org>
Cc: Philippe Ombredanne <pombredanne@nexb.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Acked-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Acked-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This patch adds recovery from false busy state on concurrent attach
operation.
The procedure of attach operation is as below.
1) Find an unused port in /sys/devices/platform/vhci_hcd/status.
(userspace)
2) Request attach found port to driver through
/sys/devices/platform/vhci_hcd/attach. (userspace)
3) Lock table, reserve requested port and unlock table. (vhci driver)
Attaching more than one remote devices concurrently, same unused port
number will be found in step-1. Then one request will succeed and
others will fail even though there are some unused ports.
With this patch, driver returns EBUSY when requested port has already
been used. In this case, attach command retries from step-1: finding
another unused port. If there's no unused port, the attach operation
will fail in step-1. Otherwise it retries automatically using another
unused port.
vhci-hcd's interface (only errno) is changed as following.
Current errno New errno Condition
EINVAL same as left specified port number is in invalid
range
EAGAIN same as left platform_get_drvdata() failed
EINVAL same as left specified socket fd is not valid
EINVAL EBUSY specified port status is not free
The errno EBUSY was not used in userspace
src/usbip_attach.c:import_device(). It is needed to distinguish the
condition to be able to retry from other unrecoverable errors.
It is possible to avoid this failure by introducing userspace exclusive
control. But it's exaggerated for this special condition. The locking
itself has done in driver.
As an alternate solution, userspace doesn't specify port number, driver
searches unused port and it returns port number to the userspace. With
this solution, the interface is much different than this patch.
Signed-off-by: Nobuo Iwata <nobuo.iwata@fujixerox.co.jp>
Acked-by: Shuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Each vhci has 2*VHCI_HC_PORTS ports, in which VHCI_HC_PORTS
ports are HighSpeed (or below), and VHCI_HC_PORTS are SuperSpeed.
This new macro VHCI_PORTS reflects this configuration.
Signed-off-by: Yuyang Du <yuyang.du@intel.com>
Acked-by: Shuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
With this patch, USB_SPEED_SUPER is a valid speed when attaching
a USB3 SuperSpeed device.
Signed-off-by: Yuyang Du <yuyang.du@intel.com>
Acked-by: Shuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This patch adds a USB3 HCD to an existing USB2 HCD and provides
the support of SuperSpeed, in case the device can only be enumerated
with SuperSpeed.
The bulk of the added code in usb3_bos_desc and hub_control to support
SuperSpeed is borrowed from the commit 1cd8fd2887 ("usb: gadget:
dummy_hcd: add SuperSpeed support").
With this patch, each vhci will have VHCI_HC_PORTS HighSpeed ports
and VHCI_HC_PORTS SuperSpeed ports.
Suggested-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Signed-off-by: Yuyang Du <yuyang.du@intel.com>
Acked-by: Shuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This patch enables the new vhci structure. Its lock protects
both the USB2 hub and the shared USB3 hub.
Signed-off-by: Yuyang Du <yuyang.du@intel.com>
Acked-by: Shuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Every VHCI is a platform device, so move the platform_device struct
into the VHCI struct.
Signed-off-by: Yuyang Du <yuyang.du@intel.com>
Acked-by: Shuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
These helper function names are renamed to have their full struct
names to avoid confusion:
- hcd_to_vhci() -> hcd_to_vhci_hcd()
- vhci_to_hcd() -> vhci_hcd_to_hcd()
- vdev_to_vhci() -> vdev_to_vhci_hcd()
Signed-off-by: Yuyang Du <yuyang.du@intel.com>
Acked-by: Shuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Modification to Kconfig, vhci_hc.c, vhci.h and vhci_sysfs.c.
1. kernel config
Followings are added.
USBIP_VHCI_HC_PORTS: Number of ports per USB/IP virtual host
controller. The default is 8 - same as current VHCI_NPORTS.
USBIP_VHCI_NR_HCS: Number of USB/IP virtual host controllers. The
default is 1. This paratmeter is replaced with USBIP_VHCI_INIT_HCS and
USBIP_VHCI_MAX_HCS included in succeeding dynamic extension patch.
2. the_controller to controllers
the_controller is changed to vhci_pdevs: array of struct
platform_device.
3. vhci_sysfs.c
Sysfs structure is changed as following.
BEFORE:
/sys/devices/platform
+-- vhci
+-- status
+-- attach
+-- detach
+-- usbip_debug
AFTER: example for CONFIG_USBIP_NR_HCS=4
/sys/devices/platform
+-- vhci
| +-- nports
| +-- status
| +-- status.1
| +-- status.2
| +-- status.3
| +-- attach
| +-- detach
| +-- usbip_debug
+-- vhci.1
+-- vhci.2
+-- vhci.3
vhci[.N] is shown for each host controller kobj. vhch.1, vhci.2, ...
are shown only when CONFIG_USBIP_NR_HCS is more than 1. Only 'vhci'
(without number) has user space interfaces. 'nports' is newly added to
give ports-per-controller and number of controlles. Before that, number
of ports is acquired by reading status lines. Status is divided for
each controller to avoid page size (4KB) limitation.
Old userspace tool binaries work with the first status within the first
controller.
Inconsistency between status header and content is fixed.
4th and 5th column are
header: "dev bus"
content(unused): "000 000"
content(used): "%08x", devid
Only 1st and 2nd column are used by program. In old version, sscanf()
in parse_status expect no bus column. And bus_id string is shown in the
last column. Then bus in the header is removed and unused content is
replaced with 8 zeros. The sscanf() expects more than 5 columns and new
has 6 columns so there's no compatibility issue in this change.
Signed-off-by: Nobuo Iwata <nobuo.iwata@fujixerox.co.jp>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
At this point, USB/IP kernel code is fully functional
and can be moved out of staging.
Signed-off-by: Valentina Manea <valentina.manea.m@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>