1// SPDX-License-Identifier: GPL-2.0+
  2/*
  3 * Copyright (C) 2003-2008 Takahiro Hirofuchi
  4 * Copyright (C) 2015-2016 Nobuo Iwata
  5 */
  6
  7#include <linux/kthread.h>
  8#include <linux/file.h>
  9#include <linux/net.h>
 10#include <linux/platform_device.h>
 11#include <linux/slab.h>
 12
 13/* Hardening for Spectre-v1 */
 14#include <linux/nospec.h>
 15
 16#include "usbip_common.h"
 17#include "vhci.h"
 18
 19/* TODO: refine locking ?*/
 20
 21/*
 22 * output example:
 23 * hub port sta spd dev       sockfd local_busid
 24 * hs  0000 004 000 00000000  000003 1-2.3
 25 * ................................................
 26 * ss  0008 004 000 00000000  000004 2-3.4
 27 * ................................................
 28 *
 29 * Output includes socket fd instead of socket pointer address to avoid
 30 * leaking kernel memory address in:
 31 *	/sys/devices/platform/vhci_hcd.0/status and in debug output.
 32 * The socket pointer address is not used at the moment and it was made
 33 * visible as a convenient way to find IP address from socket pointer
 34 * address by looking up /proc/net/{tcp,tcp6}. As this opens a security
 35 * hole, the change is made to use sockfd instead.
 36 *
 37 */
 38static void port_show_vhci(char **out, int hub, int port, struct vhci_device *vdev)
 39{
 40	if (hub == HUB_SPEED_HIGH)
 41		*out += sprintf(*out, "hs  %04u %03u ",
 42				      port, vdev->ud.status);
 43	else /* hub == HUB_SPEED_SUPER */
 44		*out += sprintf(*out, "ss  %04u %03u ",
 45				      port, vdev->ud.status);
 46
 47	if (vdev->ud.status == VDEV_ST_USED) {
 48		*out += sprintf(*out, "%03u %08x ",
 49				      vdev->speed, vdev->devid);
 50		*out += sprintf(*out, "%06u %s",
 51				      vdev->ud.sockfd,
 52				      dev_name(&vdev->udev->dev));
 53
 54	} else {
 55		*out += sprintf(*out, "000 00000000 ");
 56		*out += sprintf(*out, "000000 0-0");
 57	}
 58
 59	*out += sprintf(*out, "\n");
 60}
 61
 62/* Sysfs entry to show port status */
 63static ssize_t status_show_vhci(int pdev_nr, char *out)
 64{
 65	struct platform_device *pdev = vhcis[pdev_nr].pdev;
 66	struct vhci *vhci;
 67	struct usb_hcd *hcd;
 68	struct vhci_hcd *vhci_hcd;
 69	char *s = out;
 70	int i;
 71	unsigned long flags;
 72
 73	if (!pdev || !out) {
 74		usbip_dbg_vhci_sysfs("show status error\n");
 75		return 0;
 76	}
 77
 78	hcd = platform_get_drvdata(pdev);
 79	vhci_hcd = hcd_to_vhci_hcd(hcd);
 80	vhci = vhci_hcd->vhci;
 81
 82	spin_lock_irqsave(&vhci->lock, flags);
 83
 84	for (i = 0; i < VHCI_HC_PORTS; i++) {
 85		struct vhci_device *vdev = &vhci->vhci_hcd_hs->vdev[i];
 86
 87		spin_lock(&vdev->ud.lock);
 88		port_show_vhci(&out, HUB_SPEED_HIGH,
 89			       pdev_nr * VHCI_PORTS + i, vdev);
 90		spin_unlock(&vdev->ud.lock);
 91	}
 92
 93	for (i = 0; i < VHCI_HC_PORTS; i++) {
 94		struct vhci_device *vdev = &vhci->vhci_hcd_ss->vdev[i];
 95
 96		spin_lock(&vdev->ud.lock);
 97		port_show_vhci(&out, HUB_SPEED_SUPER,
 98			       pdev_nr * VHCI_PORTS + VHCI_HC_PORTS + i, vdev);
 99		spin_unlock(&vdev->ud.lock);
100	}
101
102	spin_unlock_irqrestore(&vhci->lock, flags);
103
104	return out - s;
105}
106
107static ssize_t status_show_not_ready(int pdev_nr, char *out)
108{
109	char *s = out;
110	int i = 0;
111
112	for (i = 0; i < VHCI_HC_PORTS; i++) {
113		out += sprintf(out, "hs  %04u %03u ",
114				    (pdev_nr * VHCI_PORTS) + i,
115				    VDEV_ST_NOTASSIGNED);
116		out += sprintf(out, "000 00000000 0000000000000000 0-0");
117		out += sprintf(out, "\n");
118	}
119
120	for (i = 0; i < VHCI_HC_PORTS; i++) {
121		out += sprintf(out, "ss  %04u %03u ",
122				    (pdev_nr * VHCI_PORTS) + VHCI_HC_PORTS + i,
123				    VDEV_ST_NOTASSIGNED);
124		out += sprintf(out, "000 00000000 0000000000000000 0-0");
125		out += sprintf(out, "\n");
126	}
127	return out - s;
128}
129
130static int status_name_to_id(const char *name)
131{
132	char *c;
133	long val;
134	int ret;
135
136	c = strchr(name, '.');
137	if (c == NULL)
138		return 0;
139
140	ret = kstrtol(c+1, 10, &val);
141	if (ret < 0)
142		return ret;
143
144	return val;
145}
146
147static ssize_t status_show(struct device *dev,
148			   struct device_attribute *attr, char *out)
149{
150	char *s = out;
151	int pdev_nr;
152
153	out += sprintf(out,
154		       "hub port sta spd dev      sockfd local_busid\n");
155
156	pdev_nr = status_name_to_id(attr->attr.name);
157	if (pdev_nr < 0)
158		out += status_show_not_ready(pdev_nr, out);
159	else
160		out += status_show_vhci(pdev_nr, out);
161
162	return out - s;
163}
164
165static ssize_t nports_show(struct device *dev, struct device_attribute *attr,
166			   char *out)
167{
168	char *s = out;
169
170	/*
171	 * Half the ports are for SPEED_HIGH and half for SPEED_SUPER,
172	 * thus the * 2.
173	 */
174	out += sprintf(out, "%d\n", VHCI_PORTS * vhci_num_controllers);
175	return out - s;
176}
177static DEVICE_ATTR_RO(nports);
178
179/* Sysfs entry to shutdown a virtual connection */
180static int vhci_port_disconnect(struct vhci_hcd *vhci_hcd, __u32 rhport)
181{
182	struct vhci_device *vdev = &vhci_hcd->vdev[rhport];
183	struct vhci *vhci = vhci_hcd->vhci;
184	unsigned long flags;
185
186	usbip_dbg_vhci_sysfs("enter\n");
187
188	mutex_lock(&vdev->ud.sysfs_lock);
189
190	/* lock */
191	spin_lock_irqsave(&vhci->lock, flags);
192	spin_lock(&vdev->ud.lock);
193
194	if (vdev->ud.status == VDEV_ST_NULL) {
195		pr_err("not connected %d\n", vdev->ud.status);
196
197		/* unlock */
198		spin_unlock(&vdev->ud.lock);
199		spin_unlock_irqrestore(&vhci->lock, flags);
200		mutex_unlock(&vdev->ud.sysfs_lock);
201
202		return -EINVAL;
203	}
204
205	/* unlock */
206	spin_unlock(&vdev->ud.lock);
207	spin_unlock_irqrestore(&vhci->lock, flags);
208
209	usbip_event_add(&vdev->ud, VDEV_EVENT_DOWN);
210
211	mutex_unlock(&vdev->ud.sysfs_lock);
212
213	return 0;
214}
215
216static int valid_port(__u32 *pdev_nr, __u32 *rhport)
217{
218	if (*pdev_nr >= vhci_num_controllers) {
219		pr_err("pdev %u\n", *pdev_nr);
220		return 0;
221	}
222	*pdev_nr = array_index_nospec(*pdev_nr, vhci_num_controllers);
223
224	if (*rhport >= VHCI_HC_PORTS) {
225		pr_err("rhport %u\n", *rhport);
226		return 0;
227	}
228	*rhport = array_index_nospec(*rhport, VHCI_HC_PORTS);
229
230	return 1;
231}
232
233static ssize_t detach_store(struct device *dev, struct device_attribute *attr,
234			    const char *buf, size_t count)
235{
236	__u32 port = 0, pdev_nr = 0, rhport = 0;
237	struct usb_hcd *hcd;
238	struct vhci_hcd *vhci_hcd;
239	int ret;
240
241	if (kstrtoint(buf, 10, &port) < 0)
242		return -EINVAL;
243
244	pdev_nr = port_to_pdev_nr(port);
245	rhport = port_to_rhport(port);
246
247	if (!valid_port(&pdev_nr, &rhport))
248		return -EINVAL;
249
250	hcd = platform_get_drvdata(vhcis[pdev_nr].pdev);
251	if (hcd == NULL) {
252		dev_err(dev, "port is not ready %u\n", port);
253		return -EAGAIN;
254	}
255
256	usbip_dbg_vhci_sysfs("rhport %d\n", rhport);
257
258	if ((port / VHCI_HC_PORTS) % 2)
259		vhci_hcd = hcd_to_vhci_hcd(hcd)->vhci->vhci_hcd_ss;
260	else
261		vhci_hcd = hcd_to_vhci_hcd(hcd)->vhci->vhci_hcd_hs;
262
263	ret = vhci_port_disconnect(vhci_hcd, rhport);
264	if (ret < 0)
265		return -EINVAL;
266
267	usbip_dbg_vhci_sysfs("Leave\n");
268
269	return count;
270}
271static DEVICE_ATTR_WO(detach);
272
273static int valid_args(__u32 *pdev_nr, __u32 *rhport,
274		      enum usb_device_speed speed)
275{
276	if (!valid_port(pdev_nr, rhport)) {
277		return 0;
278	}
279
280	switch (speed) {
281	case USB_SPEED_LOW:
282	case USB_SPEED_FULL:
283	case USB_SPEED_HIGH:
284	case USB_SPEED_WIRELESS:
285	case USB_SPEED_SUPER:
286	case USB_SPEED_SUPER_PLUS:
287		break;
288	default:
289		pr_err("Failed attach request for unsupported USB speed: %s\n",
290			usb_speed_string(speed));
291		return 0;
292	}
293
294	return 1;
295}
296
297/* Sysfs entry to establish a virtual connection */
298/*
299 * To start a new USB/IP attachment, a userland program needs to setup a TCP
300 * connection and then write its socket descriptor with remote device
301 * information into this sysfs file.
302 *
303 * A remote device is virtually attached to the root-hub port of @rhport with
304 * @speed. @devid is embedded into a request to specify the remote device in a
305 * server host.
306 *
307 * write() returns 0 on success, else negative errno.
308 */
309static ssize_t attach_store(struct device *dev, struct device_attribute *attr,
310			    const char *buf, size_t count)
311{
312	struct socket *socket;
313	int sockfd = 0;
314	__u32 port = 0, pdev_nr = 0, rhport = 0, devid = 0, speed = 0;
315	struct usb_hcd *hcd;
316	struct vhci_hcd *vhci_hcd;
317	struct vhci_device *vdev;
318	struct vhci *vhci;
319	int err;
320	unsigned long flags;
321	struct task_struct *tcp_rx = NULL;
322	struct task_struct *tcp_tx = NULL;
323
324	/*
325	 * @rhport: port number of vhci_hcd
326	 * @sockfd: socket descriptor of an established TCP connection
327	 * @devid: unique device identifier in a remote host
328	 * @speed: usb device speed in a remote host
329	 */
330	if (sscanf(buf, "%u %u %u %u", &port, &sockfd, &devid, &speed) != 4)
331		return -EINVAL;
332	pdev_nr = port_to_pdev_nr(port);
333	rhport = port_to_rhport(port);
334
335	usbip_dbg_vhci_sysfs("port(%u) pdev(%d) rhport(%u)\n",
336			     port, pdev_nr, rhport);
337	usbip_dbg_vhci_sysfs("sockfd(%u) devid(%u) speed(%u)\n",
338			     sockfd, devid, speed);
339
340	/* check received parameters */
341	if (!valid_args(&pdev_nr, &rhport, speed))
342		return -EINVAL;
343
344	hcd = platform_get_drvdata(vhcis[pdev_nr].pdev);
345	if (hcd == NULL) {
346		dev_err(dev, "port %d is not ready\n", port);
347		return -EAGAIN;
348	}
349
350	vhci_hcd = hcd_to_vhci_hcd(hcd);
351	vhci = vhci_hcd->vhci;
352
353	if (speed >= USB_SPEED_SUPER)
354		vdev = &vhci->vhci_hcd_ss->vdev[rhport];
355	else
356		vdev = &vhci->vhci_hcd_hs->vdev[rhport];
357
358	mutex_lock(&vdev->ud.sysfs_lock);
359
360	/* Extract socket from fd. */
361	socket = sockfd_lookup(sockfd, &err);
362	if (!socket) {
363		dev_err(dev, "failed to lookup sock");
364		err = -EINVAL;
365		goto unlock_mutex;
366	}
367	if (socket->type != SOCK_STREAM) {
368		dev_err(dev, "Expecting SOCK_STREAM - found %d",
369			socket->type);
370		sockfd_put(socket);
371		err = -EINVAL;
372		goto unlock_mutex;
373	}
374
375	/* create threads before locking */
376	tcp_rx = kthread_create(vhci_rx_loop, &vdev->ud, "vhci_rx");
377	if (IS_ERR(tcp_rx)) {
378		sockfd_put(socket);
379		err = -EINVAL;
380		goto unlock_mutex;
381	}
382	tcp_tx = kthread_create(vhci_tx_loop, &vdev->ud, "vhci_tx");
383	if (IS_ERR(tcp_tx)) {
384		kthread_stop(tcp_rx);
385		sockfd_put(socket);
386		err = -EINVAL;
387		goto unlock_mutex;
388	}
389
390	/* get task structs now */
391	get_task_struct(tcp_rx);
392	get_task_struct(tcp_tx);
393
394	/* now begin lock until setting vdev status set */
395	spin_lock_irqsave(&vhci->lock, flags);
396	spin_lock(&vdev->ud.lock);
397
398	if (vdev->ud.status != VDEV_ST_NULL) {
399		/* end of the lock */
400		spin_unlock(&vdev->ud.lock);
401		spin_unlock_irqrestore(&vhci->lock, flags);
402
403		sockfd_put(socket);
404		kthread_stop_put(tcp_rx);
405		kthread_stop_put(tcp_tx);
406
407		dev_err(dev, "port %d already used\n", rhport);
408		/*
409		 * Will be retried from userspace
410		 * if there's another free port.
411		 */
412		err = -EBUSY;
413		goto unlock_mutex;
414	}
415
416	dev_info(dev, "pdev(%u) rhport(%u) sockfd(%d)\n",
417		 pdev_nr, rhport, sockfd);
418	dev_info(dev, "devid(%u) speed(%u) speed_str(%s)\n",
419		 devid, speed, usb_speed_string(speed));
420
421	vdev->devid         = devid;
422	vdev->speed         = speed;
423	vdev->ud.sockfd     = sockfd;
424	vdev->ud.tcp_socket = socket;
425	vdev->ud.tcp_rx     = tcp_rx;
426	vdev->ud.tcp_tx     = tcp_tx;
427	vdev->ud.status     = VDEV_ST_NOTASSIGNED;
428	usbip_kcov_handle_init(&vdev->ud);
429
430	spin_unlock(&vdev->ud.lock);
431	spin_unlock_irqrestore(&vhci->lock, flags);
432	/* end the lock */
433
434	wake_up_process(vdev->ud.tcp_rx);
435	wake_up_process(vdev->ud.tcp_tx);
436
437	rh_port_connect(vdev, speed);
438
439	dev_info(dev, "Device attached\n");
440
441	mutex_unlock(&vdev->ud.sysfs_lock);
442
443	return count;
444
445unlock_mutex:
446	mutex_unlock(&vdev->ud.sysfs_lock);
447	return err;
448}
449static DEVICE_ATTR_WO(attach);
450
451#define MAX_STATUS_NAME 16
452
453struct status_attr {
454	struct device_attribute attr;
455	char name[MAX_STATUS_NAME+1];
456};
457
458static struct status_attr *status_attrs;
459
460static void set_status_attr(int id)
461{
462	struct status_attr *status;
463
464	status = status_attrs + id;
465	if (id == 0)
466		strcpy(status->name, "status");
467	else
468		snprintf(status->name, MAX_STATUS_NAME+1, "status.%d", id);
469	status->attr.attr.name = status->name;
470	status->attr.attr.mode = S_IRUGO;
471	status->attr.show = status_show;
472	sysfs_attr_init(&status->attr.attr);
473}
474
475static int init_status_attrs(void)
476{
477	int id;
478
479	status_attrs = kcalloc(vhci_num_controllers, sizeof(struct status_attr),
480			       GFP_KERNEL);
481	if (status_attrs == NULL)
482		return -ENOMEM;
483
484	for (id = 0; id < vhci_num_controllers; id++)
485		set_status_attr(id);
486
487	return 0;
488}
489
490static void finish_status_attrs(void)
491{
492	kfree(status_attrs);
493}
494
495struct attribute_group vhci_attr_group = {
496	.attrs = NULL,
497};
498
499int vhci_init_attr_group(void)
500{
501	struct attribute **attrs;
502	int ret, i;
503
504	attrs = kcalloc((vhci_num_controllers + 5), sizeof(struct attribute *),
505			GFP_KERNEL);
506	if (attrs == NULL)
507		return -ENOMEM;
508
509	ret = init_status_attrs();
510	if (ret) {
511		kfree(attrs);
512		return ret;
513	}
514	*attrs = &dev_attr_nports.attr;
515	*(attrs + 1) = &dev_attr_detach.attr;
516	*(attrs + 2) = &dev_attr_attach.attr;
517	*(attrs + 3) = &dev_attr_usbip_debug.attr;
518	for (i = 0; i < vhci_num_controllers; i++)
519		*(attrs + i + 4) = &((status_attrs + i)->attr.attr);
520	vhci_attr_group.attrs = attrs;
521	return 0;
522}
523
524void vhci_finish_attr_group(void)
525{
526	finish_status_attrs();
527	kfree(vhci_attr_group.attrs);
528}