lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAAeHK+yFcVgY4uBw2GCN7fE1sUO=x=Z3w5P+3GFCE-qOKVo=yw@mail.gmail.com>
Date:   Fri, 8 Nov 2019 23:17:39 +0100
From:   Andrey Konovalov <andreyknvl@...gle.com>
To:     Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc:     USB list <linux-usb@...r.kernel.org>,
        LKML <linux-kernel@...r.kernel.org>,
        Alan Stern <stern@...land.harvard.edu>,
        Jonathan Corbet <corbet@....net>,
        Felipe Balbi <balbi@...nel.org>,
        Dmitry Vyukov <dvyukov@...gle.com>,
        Alexander Potapenko <glider@...gle.com>,
        Marco Elver <elver@...gle.com>
Subject: Re: [PATCH 1/1] usb: gadget: add raw-gadget interface

On Fri, Nov 8, 2019 at 10:17 PM Greg Kroah-Hartman
<gregkh@...uxfoundation.org> wrote:
>
> On Fri, Nov 08, 2019 at 07:26:55PM +0100, Andrey Konovalov wrote:
> > USB Raw Gadget is a kernel module that provides a userspace interface for
> > the USB Gadget subsystem. Essentially it allows to emulate USB devices
> > from userspace. Enabled with CONFIG_USB_RAW_GADGET. Raw Gadget is
> > currently a strictly debugging feature and shouldn't be used in
> > production.
> >
> > Raw Gadget is similar to GadgetFS, but provides a more low-level and
> > direct access to the USB Gadget layer for the userspace. The key
> > differences are:
> >
> > 1. Every USB request is passed to the userspace to get a response, while
> >    GadgetFS responds to some USB requests internally based on the provided
> >    descriptors. However note, that the UDC driver might respond to some
> >    requests on its own and never forward them to the Gadget layer.
> >
> > 2. GadgetFS performs some sanity checks on the provided USB descriptors,
> >    while Raw Gadget allows you to provide arbitrary data as responses to
> >    USB requests.
> >
> > 3. Raw Gadget provides a way to select a UDC device/driver to bind to,
> >    while GadgetFS currently binds to the first available UDC.
> >
> > 4. Raw Gadget uses predictable endpoint names (handles) across different
> >    UDCs (as long as UDCs have enough endpoints of each required transfer
> >    type).
> >
> > 5. Raw Gadget has ioctl-based interface instead of a filesystem-based one.
>
> I like the idea, and you've shown that you can do neat stuff with this,
> so that's a good proof-of-concept.
>
> But, at the least, use a "real" char device node for this, not debugfs.
> Switch this to a misc device and I'll be glad to review it.

Hi Greg! Great, thanks! =) I'll review your comments and send an
updated version next week!

>
> Some minor nits that jump out at me other than debugfs:
>
> > +static void raw_event_queue_destroy(struct raw_event_queue *queue)
> > +{
> > +     int i;
> > +
> > +     for (i = 0; i < queue->size; i++) {
> > +             pr_debug("freeing event[%d] = %px\n", i, queue->events[i]);
>
> You still have a lot of debugging messages in here.  Most of these can
> be removed, as ftrace is useful instead now that you "know" the code
> works properly.
>
> > +             kfree(queue->events[i]);
> > +     }
> > +     queue->size = 0;
> > +}
> > +
> > +/*----------------------------------------------------------------------*/
> > +
> > +struct raw_dev;
> > +
> > +#define USB_RAW_MAX_ENDPOINTS 32
> > +
> > +enum ep_state {
> > +     STATE_EP_DISABLED,
> > +     STATE_EP_ENABLED,
> > +};
> > +
> > +struct raw_ep {
> > +     struct raw_dev          *dev;
> > +     enum ep_state           state;
> > +     struct usb_ep           *ep;
> > +     struct usb_request      *req;
> > +     bool                    urb_queued;
> > +     bool                    disabling;
> > +     ssize_t                 status;
> > +};
> > +
> > +enum dev_state {
> > +     STATE_DEV_INVALID = 0,
> > +     STATE_DEV_OPENED,
> > +     STATE_DEV_INITIALIZED,
> > +     STATE_DEV_RUNNING,
> > +     STATE_DEV_CLOSED,
> > +     STATE_DEV_FAILED
> > +};
> > +
> > +struct raw_dev {
> > +     refcount_t                      count;
>
> Why not just use a "real" struct device?
>
> Or a kref at the least, no need to roll your own refcount logic here,
> right?
>
> > +     spinlock_t                      lock;
> > +
> > +     const char                      *udc_name;
> > +     struct usb_gadget_driver        driver;
> > +
> > +     /* Protected by lock: */
> > +     enum dev_state                  state;
> > +     bool                            gadget_registered;
> > +     struct usb_gadget               *gadget;
> > +     struct usb_request              *req;
> > +     bool                            ep0_in_pending;
> > +     bool                            ep0_out_pending;
> > +     bool                            ep0_urb_queued;
> > +     ssize_t                         ep0_status;
> > +     struct raw_ep                   eps[USB_RAW_MAX_ENDPOINTS];
> > +
> > +     struct completion               ep0_done;
> > +     struct raw_event_queue          queue;
> > +};
> > +
> > +static struct raw_dev *dev_new(void)
> > +{
> > +     struct raw_dev *dev;
> > +
> > +     dev = kzalloc(sizeof(*dev), GFP_KERNEL);
> > +     if (!dev)
> > +             return NULL;
> > +     refcount_set(&dev->count, 1); /* Matches dev_put() in raw_release(). */
> > +     spin_lock_init(&dev->lock);
> > +     init_completion(&dev->ep0_done);
> > +     raw_event_queue_init(&dev->queue);
> > +     pr_debug("device created\n");
> > +     return dev;
> > +}
> > +
> > +static inline void dev_get(struct raw_dev *dev)
> > +{
> > +     refcount_inc(&dev->count);
> > +}
> > +
> > +static void dev_put(struct raw_dev *dev)
> > +{
> > +     int i;
> > +
> > +     if (likely(!refcount_dec_and_test(&dev->count)))
> > +             return;
>
> unless you can measure it, don't use likely/unlikely as the compiler and
> cpu can almost always get it right instead.
>
> > +     kfree(dev->udc_name);
> > +     kfree(dev->driver.udc_name);
> > +     if (dev->req) {
> > +             if (dev->ep0_urb_queued)
> > +                     usb_ep_dequeue(dev->gadget->ep0, dev->req);
> > +             usb_ep_free_request(dev->gadget->ep0, dev->req);
> > +     }
> > +     raw_event_queue_destroy(&dev->queue);
> > +     for (i = 0; i < USB_RAW_MAX_ENDPOINTS; i++) {
> > +             if (dev->eps[i].state != STATE_EP_ENABLED)
> > +                     continue;
> > +             usb_ep_disable(dev->eps[i].ep);
> > +             usb_ep_free_request(dev->eps[i].ep, dev->eps[i].req);
> > +             kfree(dev->eps[i].ep->desc);
> > +             dev->eps[i].state = STATE_EP_DISABLED;
> > +     }
> > +     kfree(dev);
> > +     pr_debug("device freed\n");
>
> ftrace :)
>
> > +static void gadget_unbind(struct usb_gadget *gadget)
> > +{
> > +     struct raw_dev *dev = get_gadget_data(gadget);
> > +     unsigned long flags;
> > +
> > +     if (WARN_ON(!dev))
> > +             return;
>
> Why warn?  How can this happen?
>
> > +     spin_lock_irqsave(&dev->lock, flags);
> > +     set_gadget_data(gadget, NULL);
> > +     spin_unlock_irqrestore(&dev->lock, flags);
> > +     dev_put(dev); /* Matches dev_get() in gadget_bind(). */
> > +     pr_debug("unbound\n");
> > +}
> > +
> > +static int gadget_setup(struct usb_gadget *gadget,
> > +                     const struct usb_ctrlrequest *ctrl)
> > +{
> > +     int ret = 0;
> > +     struct raw_dev *dev = get_gadget_data(gadget);
> > +     unsigned long flags;
> > +
> > +     pr_debug("bRequestType: 0x%x (%s), bRequest: 0x%x,\n"
> > +             "                   wValue: 0x%x, wIndex: 0x%x, wLength: %d\n",
> > +             ctrl->bRequestType,
> > +             (ctrl->bRequestType & USB_DIR_IN) ? "IN" : "OUT",
> > +             ctrl->bRequest, ctrl->wValue, ctrl->wIndex, ctrl->wLength);
> > +
> > +     if (WARN_ON(!dev))
> > +             return -ENODEV;
>
> Same here.
>
> > +     spin_lock_irqsave(&dev->lock, flags);
> > +     if (dev->state != STATE_DEV_RUNNING) {
> > +             pr_err("ignoring, device is not running\n");
> > +             ret = -ENODEV;
> > +             goto out_unlock;
> > +     }
> > +     pr_debug("in_pending: %d, out_pending: %d\n",
> > +                     dev->ep0_in_pending, dev->ep0_out_pending);
> > +     if (dev->ep0_in_pending || dev->ep0_out_pending) {
> > +             pr_debug("stalling, already have pending request\n");
> > +             ret = -EBUSY;
> > +             goto out_unlock;
> > +     }
> > +     if ((ctrl->bRequestType & USB_DIR_IN) && ctrl->wLength) {
> > +             pr_debug("ep0_in_pending <= true\n");
> > +             dev->ep0_in_pending = true;
> > +     } else {
> > +             pr_debug("ep0_out_pending <= true\n");
> > +             dev->ep0_out_pending = true;
> > +     }
> > +     spin_unlock_irqrestore(&dev->lock, flags);
> > +
> > +     ret = raw_queue_event(dev, USB_RAW_EVENT_CONTROL, sizeof(*ctrl), ctrl);
> > +     if (ret < 0)
> > +             pr_err("failed to queue event\n");
> > +     pr_debug("event queued\n");
> > +     goto out;
> > +
> > +out_unlock:
> > +     spin_unlock_irqrestore(&dev->lock, flags);
> > +out:
> > +     return ret;
> > +}
> > +
> > +static void gadget_disconnect(struct usb_gadget *gadget)
> > +{
> > +     pr_debug("ignoring\n");
> > +}
> > +
> > +static void gadget_suspend(struct usb_gadget *gadget)
> > +{
> > +     pr_debug("ignoring\n");
> > +}
> > +
> > +static void gadget_resume(struct usb_gadget *gadget)
> > +{
> > +     pr_debug("ignoring\n");
> > +}
> > +
> > +static void gadget_reset(struct usb_gadget *gadget)
> > +{
> > +     pr_debug("ignoring\n");
> > +}
>
> I think you don't even need functions for these, right?  If not, just
> remove.  If you do, we should fix the gadget core to not require them :)
>
> > +
> > +/*----------------------------------------------------------------------*/
> > +
> > +static int raw_open(struct inode *inode, struct file *fd)
> > +{
> > +     struct raw_dev *dev;
> > +
> > +     dev = dev_new();
> > +     if (!dev) {
> > +             pr_err("failed to created device");
>
> So many error messages printed on failures, you only needed the original
> one if memory was gone that the core sent out.
>
> > +             return -ENOMEM;
> > +     }
> > +     fd->private_data = dev;
> > +     dev->state = STATE_DEV_OPENED;
> > +     pr_debug("device opened");
> > +     return 0;
> > +}
> > +
> > +static int raw_release(struct inode *inode, struct file *fd)
> > +{
> > +     int ret = 0;
> > +     struct raw_dev *dev = fd->private_data;
> > +     unsigned long flags;
> > +     bool unregister = false;
> > +
> > +     if (!dev)
> > +             return -EBUSY;
>
> How can that happen?
>
> > +
> > +     spin_lock_irqsave(&dev->lock, flags);
> > +     dev->state = STATE_DEV_CLOSED;
> > +     pr_debug("device is closed\n");
> > +     if (!dev->gadget) {
> > +             spin_unlock_irqrestore(&dev->lock, flags);
> > +             goto out_put;
> > +     }
> > +     if (dev->gadget_registered)
> > +             unregister = true;
> > +     dev->gadget_registered = false;
> > +     spin_unlock_irqrestore(&dev->lock, flags);
> > +
> > +     if (unregister) {
> > +             ret = usb_gadget_unregister_driver(&dev->driver);
> > +             WARN_ON(ret != 0);
> > +             dev_put(dev); /* Matches dev_get() in raw_ioctl_run(). */
> > +     }
> > +
> > +out_put:
> > +     dev_put(dev); /* Matches dev_new() in raw_open(). */
> > +     pr_debug("device released");
> > +     return ret;
> > +}
> > +
> > +/*----------------------------------------------------------------------*/
> > +
> > +#define UDC_NAME_LENGTH_MAX 128
> > +
> > +static int raw_ioctl_init(struct raw_dev *dev, unsigned long value)
> > +{
> > +     int ret = 0;
> > +     struct usb_raw_init arg;
> > +     char *udc_driver_name;
> > +     char *udc_device_name;
> > +     unsigned long flags;
> > +
> > +     ret = copy_from_user(&arg, (void __user *)value, sizeof(arg));
> > +     if (ret)
> > +             return ret;
> > +
> > +     switch (arg.speed) {
> > +     case USB_SPEED_LOW:
> > +     case USB_SPEED_FULL:
> > +     case USB_SPEED_HIGH:
> > +     case USB_SPEED_SUPER:
> > +             break;
> > +     default:
> > +             arg.speed = USB_SPEED_HIGH;
> > +     }
> > +
> > +     udc_driver_name = kmalloc(UDC_NAME_LENGTH_MAX, GFP_KERNEL);
> > +     if (!udc_driver_name)
> > +             return -ENOMEM;
> > +     ret = strncpy_from_user(udc_driver_name, arg.driver_name,
> > +                                     UDC_NAME_LENGTH_MAX);
> > +     if (ret < 0) {
> > +             kfree(udc_driver_name);
> > +             return ret;
> > +     }
> > +     ret = 0;
> > +     pr_debug("udc_driver_name: %s\n", udc_driver_name);
> > +
> > +     udc_device_name = kmalloc(UDC_NAME_LENGTH_MAX, GFP_KERNEL);
> > +     if (!udc_device_name) {
> > +             kfree(udc_driver_name);
> > +             return -ENOMEM;
> > +     }
> > +     ret = strncpy_from_user(udc_device_name, arg.device_name,
> > +                                     UDC_NAME_LENGTH_MAX);
>
> You are burying the max size of names in the .c code, put it in the .h
> to give userspace a chance.
>
> > +static bool check_ep_caps(struct usb_ep *ep,
> > +                             struct usb_endpoint_descriptor *desc)
> > +{
> > +     switch (desc->bmAttributes & USB_ENDPOINT_XFERTYPE_MASK) {
> > +     case USB_ENDPOINT_XFER_ISOC:
>
> We have functions/macros for endpoint types, right?  Can't you use them
> here?
>
> > +             if (!ep->caps.type_iso)
> > +                     return false;
> > +             break;
> > +     case USB_ENDPOINT_XFER_BULK:
> > +             if (!ep->caps.type_bulk)
> > +                     return false;
> > +             break;
> > +     case USB_ENDPOINT_XFER_INT:
> > +             if (!ep->caps.type_int)
> > +                     return false;
> > +             break;
> > +     default:
> > +             return false;
> > +     }
> > +
> > +     switch (desc->bEndpointAddress & USB_ENDPOINT_DIR_MASK) {
> > +     case USB_DIR_IN:
>
> Same here, we have macros for this.
>
> > +static int __init raw_init(void)
> > +{
> > +     raw_file = debugfs_create_file("raw-gadget", 0600,
> > +                     usb_debug_root, NULL, &raw_ops);
> > +     if (!raw_file) {
>
> this return value will never be NULL no matter what.  So you just tested
> for an impossiblity :)
>
> In the future, there's never a new to check any return value for any
> debugfs calls, it's not an issue.
>
> > +             pr_err("failed to create raw-gadget in debugfs\n");
> > +             return -ENOMEM;
> > +     }
> > +     return 0;
> > +}
> > +
> > +static void __exit raw_exit(void)
> > +{
> > +     if (!raw_file)
> > +             return;
>
> No need to check:
>
> > +     debugfs_remove(raw_file);
>
> that call can take NULL
>
> > +     raw_file = NULL;
>
> No need for this :)
>
> > +/*
> > + * struct usb_raw_init - argument for USB_RAW_IOCTL_INIT ioctl.
> > + * @speed: The speed of the emulated USB device, takes the same values as
> > + *     the usb_device_speed enum: USB_SPEED_FULL, USB_SPEED_HIGH, etc.
> > + * @driver_name: The name of the UDC driver.
> > + * @device_name: The name of a UDC instance.
> > + *
> > + * The last two fields identify a UDC the gadget driver should bind to.
> > + * For example, Dummy UDC has "dummy_udc" as its driver_name and "dummy_udc.N"
> > + * as its device_name, where N in the index of the Dummy UDC instance.
> > + * At the same time the dwc2 driver that is used on Raspberry Pi Zero, has
> > + * "20980000.usb" as both driver_name and device_name.
> > + */
> > +struct usb_raw_init {
> > +     uint64_t        speed;
> > +     const char      *driver_name;
> > +     const char      *device_name;
>
> If you have structures crossing the user/kernel boundry, always use the
> correct data types.  Those start with "__".  So this would be __u32 and
> __u8 * instead.
>
> > +};
> > +
> > +/* The type of event fetched with the USB_RAW_IOCTL_EVENT_FETCH ioctl. */
> > +enum usb_raw_event_type {
> > +     USB_RAW_EVENT_INVALID,
> > +
> > +     /* This event is queued when the driver has bound to a UDC. */
> > +     USB_RAW_EVENT_CONNECT,
> > +
> > +     /* This event is queued when a new control request arrived to ep0. */
> > +     USB_RAW_EVENT_CONTROL,
> > +
> > +     /* The list might grow in the future. */
> > +};
> > +
> > +/*
> > + * struct usb_raw_event - argument for USB_RAW_IOCTL_EVENT_FETCH ioctl.
> > + * @type: The type of the fetched event.
> > + * @length: Length of the data buffer. Updated by the driver and set to the
> > + *     actual length of the fetched event data.
> > + * @data: A buffer to store the fetched event data.
> > + *
> > + * Currently the fetched data buffer is empty for USB_RAW_EVENT_CONNECT,
> > + * and contains struct usb_ctrlrequest for USB_RAW_EVENT_CONTROL.
> > + */
> > +struct usb_raw_event {
> > +     uint32_t        type;
> > +     uint32_t        length;
> > +     char            data[0];
>
> __u32 please.
>
> > +};
> > +
> > +#define USB_RAW_IO_FLAGS_ZERO        0x0001
> > +#define USB_RAW_IO_FLAGS_MASK        0x0001
> > +
> > +static int usb_raw_io_flags_valid(uint16_t flags)
> > +{
> > +     return (flags & ~USB_RAW_IO_FLAGS_MASK) == 0;
> > +}
> > +
> > +static int usb_raw_io_flags_zero(uint16_t flags)
> > +{
> > +     return (flags & USB_RAW_IO_FLAGS_ZERO);
> > +}
> > +
> > +/*
> > + * struct usb_raw_ep_io - argument for USB_RAW_IOCTL_EP0/EP_WRITE/READ ioctls.
> > + * @ep: Endpoint handle as returned by USB_RAW_IOCTL_EP_ENABLE for
> > + *     USB_RAW_IOCTL_EP_WRITE/READ. Ignored for USB_RAW_IOCTL_EP0_WRITE/READ.
> > + * @flags: When USB_RAW_IO_FLAGS_ZERO is specified, the zero flag is set on
> > + *     the submitted USB request, see include/linux/usb/gadget.h for details.
> > + * @length: Length of data.
> > + * @data: Data to send for USB_RAW_IOCTL_EP0/EP_WRITE. Buffer to store received
> > + *     data for USB_RAW_IOCTL_EP0/EP_READ.
> > + */
> > +struct usb_raw_ep_io {
> > +     uint16_t        ep;
> > +     uint16_t        flags;
>
> __u16
>
> > +     uint32_t        length;
> > +     char            data[0];
> > +};
> > +
> > +/*
> > + * Initializes a Raw Gadget instance.
> > + * Accepts a pointer to the usb_raw_init struct as an argument.
> > + * Returns 0 on success or negative error code on failure.
> > + */
> > +#define USB_RAW_IOCTL_INIT           _IOW('U', 0, struct usb_raw_init)
> > +
> > +/*
> > + * Instructs Raw Gadget to bind to a UDC and start emulating a USB device.
> > + * Returns 0 on success or negative error code on failure.
> > + */
> > +#define USB_RAW_IOCTL_RUN            _IO('U', 1)
> > +
> > +/*
> > + * A blocking ioctl that waits for an event and returns fetched event data to
> > + * the user.
> > + * Accepts a pointer to the usb_raw_event struct.
> > + * Returns 0 on success or negative error code on failure.
> > + */
> > +#define USB_RAW_IOCTL_EVENT_FETCH    _IOR('U', 2, struct usb_raw_event)
> > +
> > +/*
> > + * Queues an IN (OUT for READ) urb as a response to the last control request
> > + * received on endpoint 0, provided that was an IN (OUT for READ) request and
> > + * waits until the urb is completed. Copies received data to user for READ.
> > + * Accepts a pointer to the usb_raw_ep_io struct as an argument.
> > + * Returns length of trasferred data on success or negative error code on
> > + * failure.
> > + */
> > +#define USB_RAW_IOCTL_EP0_WRITE              _IOW('U', 3, struct usb_raw_ep_io)
> > +#define USB_RAW_IOCTL_EP0_READ               _IOWR('U', 4, struct usb_raw_ep_io)
> > +
> > +/*
> > + * Finds an endpoint that supports the transfer type specified in the
> > + * descriptor and enables it.
> > + * Accepts a pointer to the usb_endpoint_descriptor struct as an argument.
> > + * Returns enabled endpoint handle on success or negative error code on failure.
> > + */
> > +#define USB_RAW_IOCTL_EP_ENABLE              _IOW('U', 5, struct usb_endpoint_descriptor)
> > +
> > +/* Disables specified endpoint.
> > + * Accepts endpoint handle as an argument.
> > + * Returns 0 on success or negative error code on failure.
> > + */
> > +#define USB_RAW_IOCTL_EP_DISABLE     _IOW('U', 6, int)
>
> __u32, right?
>
>
> > +
> > +/*
> > + * Queues an IN (OUT for READ) urb as a response to the last control request
> > + * received on endpoint usb_raw_ep_io.ep, provided that was an IN (OUT for READ)
> > + * request and waits until the urb is completed. Copies received data to user
> > + * for READ.
> > + * Accepts a pointer to the usb_raw_ep_io struct as an argument.
> > + * Returns length of trasferred data on success or negative error code on
> > + * failure.
> > + */
> > +#define USB_RAW_IOCTL_EP_WRITE               _IOW('U', 7, struct usb_raw_ep_io)
> > +#define USB_RAW_IOCTL_EP_READ                _IOWR('U', 8, struct usb_raw_ep_io)
> > +
> > +/*
> > + * Switches the gadget into the configured state.
> > + * Returns 0 on success or negative error code on failure.
> > + */
> > +#define USB_RAW_IOCTL_CONFIGURE              _IO('U', 9)
> > +
> > +/*
> > + * Constrains UDC VBUS power usage.
> > + * Accepts current limit in 2 mA units as an argument.
> > + * Returns 0 on success or negative error code on failure.
> > + */
> > +#define USB_RAW_IOCTL_VBUS_DRAW              _IOW('U', 10, uint32_t)
>
> __u32
>
> thanks,
>
> greg k-h

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ