lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAAeHK+yscLbzCh3P5uhOpxtB8-xhQbBSmSHpj6ugM=AMqjE7NA@mail.gmail.com>
Date:   Tue, 28 Apr 2020 21:53:51 +0200
From:   Andrey Konovalov <andreyknvl@...gle.com>
To:     Alan Stern <stern@...land.harvard.edu>
Cc:     USB list <linux-usb@...r.kernel.org>,
        LKML <linux-kernel@...r.kernel.org>,
        Felipe Balbi <balbi@...nel.org>,
        Dmitry Vyukov <dvyukov@...gle.com>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: Re: [PATCH] usb: raw-gadget: fix gadget endpoint selection

On Tue, Apr 28, 2020 at 9:46 PM Andrey Konovalov <andreyknvl@...gle.com> wrote:
>
> Currently automatic gadget endpoint selection based on required features
> doesn't work. Raw Gadget tries iterating over the list of available
> endpoints and finding one that has the right direction and transfer type.
> Unfortunately selecting arbitrary gadget endpoints (even if they satisfy
> feature requirements) doesn't work, as (depending on the UDC driver) they
> might have fixed addresses, and one also needs to provide matching
> endpoint addresses in the descriptors sent to the host.
>
> The composite framework deals with this by assigning endpoint addresses
> in usb_ep_autoconfig() before enumeration starts. This approach won't work
> with Raw Gadget as the endpoints are supposed to be enabled after a
> set_configuration/set_interface request from the host, so it's too late to
> patch the endpoint descriptors that had already been sent to the host.
>
> For Raw Gadget we take the another approach. Similarly to GadgetFS, we
> allow the user to make the decision as to which gadget endpoints to use.
>
> This patch adds another Raw Gadget ioctl USB_RAW_IOCTL_EPS_INFO that
> exposes information about all non-control endpoints that a currently
> connected UDC has. This information includes endpoints addresses, as well
> as their capabilities and limits to allow the user to chose the most
> fitting gadget endpoint.
>
> The USB_RAW_IOCTL_EP_ENABLE ioctl is updated to use the proper endpoint
> validation routine usb_gadget_ep_match_desc() and also now accepts an
> optional usb_ss_ep_comp_descriptor argument.
>
> These changes affect the portability of the gadgets that use Raw Gadget
> when running on different UDCs. Nevertheless, as long as the user relies
> on the information provided by USB_RAW_IOCTL_EPS_INFO to dynamically
> choose endpoint addresses, UDC-agnostic gadgets can still be written with
> Raw Gadget.
>
> Signed-off-by: Andrey Konovalov <andreyknvl@...gle.com>

Hi Alan,

This patch uses the approach that I mentioned in the discussion about
endpoint selection. Does this look acceptable?

I'm not sure which endpoint limits it makes sense to expose via
USB_RAW_IOCTL_EPS_INFO. I'm more or less sure about maxpacket_limit
and max_streams, but I don't exactly know what maxburst is used for.
Maybe there are some others?

I also wonder if we need to expose ep0 limits via USB_RAW_IOCTL_EPS_INFO too.
expose ep0 parameters?

Thanks!


> ---
>  Documentation/usb/raw-gadget.rst       |   6 +-
>  drivers/usb/gadget/legacy/raw_gadget.c | 194 ++++++++++++++++---------
>  include/uapi/linux/usb/raw_gadget.h    |  84 ++++++++++-
>  3 files changed, 207 insertions(+), 77 deletions(-)
>
> diff --git a/Documentation/usb/raw-gadget.rst b/Documentation/usb/raw-gadget.rst
> index 9e78cb858f86..42bd446d72b2 100644
> --- a/Documentation/usb/raw-gadget.rst
> +++ b/Documentation/usb/raw-gadget.rst
> @@ -27,11 +27,7 @@ differences are:
>  3. Raw Gadget provides a way to select a UDC device/driver to bind to,
>     while GadgetFS currently binds to the first available UDC.
>
> -4. Raw Gadget uses predictable endpoint names (handles) across different
> -   UDCs (as long as UDCs have enough endpoints of each required transfer
> -   type).
> -
> -5. Raw Gadget has ioctl-based interface instead of a filesystem-based one.
> +4. Raw Gadget has ioctl-based interface instead of a filesystem-based one.
>
>  Userspace interface
>  ~~~~~~~~~~~~~~~~~~~
> diff --git a/drivers/usb/gadget/legacy/raw_gadget.c b/drivers/usb/gadget/legacy/raw_gadget.c
> index 7b241992ad5a..cbf4b0572188 100644
> --- a/drivers/usb/gadget/legacy/raw_gadget.c
> +++ b/drivers/usb/gadget/legacy/raw_gadget.c
> @@ -7,6 +7,7 @@
>   */
>
>  #include <linux/compiler.h>
> +#include <linux/ctype.h>
>  #include <linux/debugfs.h>
>  #include <linux/delay.h>
>  #include <linux/kref.h>
> @@ -123,8 +124,6 @@ static void raw_event_queue_destroy(struct raw_event_queue *queue)
>
>  struct raw_dev;
>
> -#define USB_RAW_MAX_ENDPOINTS 32
> -
>  enum ep_state {
>         STATE_EP_DISABLED,
>         STATE_EP_ENABLED,
> @@ -134,6 +133,7 @@ struct raw_ep {
>         struct raw_dev          *dev;
>         enum ep_state           state;
>         struct usb_ep           *ep;
> +       u8                      addr;
>         struct usb_request      *req;
>         bool                    urb_queued;
>         bool                    disabling;
> @@ -168,7 +168,8 @@ struct raw_dev {
>         bool                            ep0_out_pending;
>         bool                            ep0_urb_queued;
>         ssize_t                         ep0_status;
> -       struct raw_ep                   eps[USB_RAW_MAX_ENDPOINTS];
> +       struct raw_ep                   eps[USB_RAW_EPS_NUM_MAX];
> +       int                             eps_num;
>
>         struct completion               ep0_done;
>         struct raw_event_queue          queue;
> @@ -202,7 +203,7 @@ static void dev_free(struct kref *kref)
>                 usb_ep_free_request(dev->gadget->ep0, dev->req);
>         }
>         raw_event_queue_destroy(&dev->queue);
> -       for (i = 0; i < USB_RAW_MAX_ENDPOINTS; i++) {
> +       for (i = 0; i < USB_RAW_EPS_NUM_MAX; i++) {
>                 if (dev->eps[i].state != STATE_EP_ENABLED)
>                         continue;
>                 usb_ep_disable(dev->eps[i].ep);
> @@ -249,12 +250,26 @@ static void gadget_ep0_complete(struct usb_ep *ep, struct usb_request *req)
>         complete(&dev->ep0_done);
>  }
>
> +static u8 get_ep_addr(const char *name)
> +{
> +       /* If the endpoint has fixed function (named as e.g. "ep12out-bulk"),
> +        * parse the endpoint address from its name. We deliberately use
> +        * deprecated simple_strtoul() function here, as the number isn't
> +        * followed by '\0' nor '\n'.
> +        */
> +       if (isdigit(name[2]))
> +               return simple_strtoul(&name[2], NULL, 10);
> +       /* Otherwise the endpoint is configurable (named as e.g. "ep-a"). */
> +       return USB_RAW_EP_ADDR_ANY;
> +}
> +
>  static int gadget_bind(struct usb_gadget *gadget,
>                         struct usb_gadget_driver *driver)
>  {
> -       int ret = 0;
> +       int ret = 0, i = 0;
>         struct raw_dev *dev = container_of(driver, struct raw_dev, driver);
>         struct usb_request *req;
> +       struct usb_ep *ep;
>         unsigned long flags;
>
>         if (strcmp(gadget->name, dev->udc_name) != 0)
> @@ -273,6 +288,13 @@ static int gadget_bind(struct usb_gadget *gadget,
>         dev->req->context = dev;
>         dev->req->complete = gadget_ep0_complete;
>         dev->gadget = gadget;
> +       gadget_for_each_ep(ep, dev->gadget) {
> +               dev->eps[i].ep = ep;
> +               dev->eps[i].addr = get_ep_addr(ep->name);
> +               dev->eps[i].state = STATE_EP_DISABLED;
> +               i++;
> +       }
> +       dev->eps_num = i;
>         spin_unlock_irqrestore(&dev->lock, flags);
>
>         /* Matches kref_put() in gadget_unbind(). */
> @@ -555,7 +577,7 @@ static void *raw_alloc_io_data(struct usb_raw_ep_io *io, void __user *ptr,
>
>         if (copy_from_user(io, ptr, sizeof(*io)))
>                 return ERR_PTR(-EFAULT);
> -       if (io->ep >= USB_RAW_MAX_ENDPOINTS)
> +       if (io->ep >= USB_RAW_EPS_NUM_MAX)
>                 return ERR_PTR(-EINVAL);
>         if (!usb_raw_io_flags_valid(io->flags))
>                 return ERR_PTR(-EINVAL);
> @@ -682,52 +704,30 @@ static int raw_ioctl_ep0_read(struct raw_dev *dev, unsigned long value)
>         return ret;
>  }
>
> -static bool check_ep_caps(struct usb_ep *ep,
> -                               struct usb_endpoint_descriptor *desc)
> -{
> -       switch (usb_endpoint_type(desc)) {
> -       case USB_ENDPOINT_XFER_ISOC:
> -               if (!ep->caps.type_iso)
> -                       return false;
> -               break;
> -       case USB_ENDPOINT_XFER_BULK:
> -               if (!ep->caps.type_bulk)
> -                       return false;
> -               break;
> -       case USB_ENDPOINT_XFER_INT:
> -               if (!ep->caps.type_int)
> -                       return false;
> -               break;
> -       default:
> -               return false;
> -       }
> -
> -       if (usb_endpoint_dir_in(desc) && !ep->caps.dir_in)
> -               return false;
> -       if (usb_endpoint_dir_out(desc) && !ep->caps.dir_out)
> -               return false;
> -
> -       return true;
> -}
> -
>  static int raw_ioctl_ep_enable(struct raw_dev *dev, unsigned long value)
>  {
>         int ret = 0, i;
>         unsigned long flags;
> -       struct usb_endpoint_descriptor *desc;
> -       struct usb_ep *ep = NULL;
> +       struct usb_raw_ep_descs *descs;
> +       struct usb_endpoint_descriptor *ep_desc;
> +       struct usb_ss_ep_comp_descriptor *comp_desc = NULL;
> +       struct raw_ep *ep;
>
> -       desc = memdup_user((void __user *)value, sizeof(*desc));
> -       if (IS_ERR(desc))
> -               return PTR_ERR(desc);
> +       descs = memdup_user((void __user *)value, sizeof(*descs));
> +       if (IS_ERR(descs))
> +               return PTR_ERR(descs);
> +
> +       ep_desc = &descs->ep;
> +       if (descs->comp.bLength != 0)
> +               comp_desc = &descs->comp;
>
>         /*
>          * Endpoints with a maxpacket length of 0 can cause crashes in UDC
>          * drivers.
>          */
> -       if (usb_endpoint_maxp(desc) == 0) {
> +       if (usb_endpoint_maxp(ep_desc) == 0) {
>                 dev_dbg(dev->dev, "fail, bad endpoint maxpacket\n");
> -               kfree(desc);
> +               kfree(descs);
>                 return -EINVAL;
>         }
>
> @@ -743,41 +743,38 @@ static int raw_ioctl_ep_enable(struct raw_dev *dev, unsigned long value)
>                 goto out_free;
>         }
>
> -       for (i = 0; i < USB_RAW_MAX_ENDPOINTS; i++) {
> -               if (dev->eps[i].state == STATE_EP_ENABLED)
> +       for (i = 0; i < dev->eps_num; i++) {
> +               ep = &dev->eps[i];
> +               if (ep->state != STATE_EP_DISABLED)
>                         continue;
> -               break;
> -       }
> -       if (i == USB_RAW_MAX_ENDPOINTS) {
> -               dev_dbg(&dev->gadget->dev,
> -                               "fail, no device endpoints available\n");
> -               ret = -EBUSY;
> -               goto out_free;
> -       }
> -
> -       gadget_for_each_ep(ep, dev->gadget) {
> -               if (ep->enabled)
> +               if (ep->addr != usb_endpoint_num(ep_desc) &&
> +                               ep->addr != USB_RAW_EP_ADDR_ANY)
>                         continue;
> -               if (!check_ep_caps(ep, desc))
> +               if (!usb_gadget_ep_match_desc(dev->gadget, ep->ep,
> +                                                       ep_desc, comp_desc))
>                         continue;
> -               ep->desc = desc;
> -               ret = usb_ep_enable(ep);
> +               /* Gadget subsystem requires us to assign only a pointer to the
> +                * endpoint descriptor here, but technically we store pointer
> +                * to a usb_raw_ep_descs struct with both ep and comp
> +                * descriptors to be later freed by raw_ioctl_ep_disable().
> +                */
> +               ep->ep->desc = ep_desc;
> +               ret = usb_ep_enable(ep->ep);
>                 if (ret < 0) {
>                         dev_err(&dev->gadget->dev,
>                                 "fail, usb_ep_enable returned %d\n", ret);
>                         goto out_free;
>                 }
> -               dev->eps[i].req = usb_ep_alloc_request(ep, GFP_ATOMIC);
> -               if (!dev->eps[i].req) {
> +               ep->req = usb_ep_alloc_request(ep->ep, GFP_ATOMIC);
> +               if (!ep->req) {
>                         dev_err(&dev->gadget->dev,
>                                 "fail, usb_ep_alloc_request failed\n");
> -                       usb_ep_disable(ep);
> +                       usb_ep_disable(ep->ep);
>                         ret = -ENOMEM;
>                         goto out_free;
>                 }
> -               dev->eps[i].ep = ep;
> -               dev->eps[i].state = STATE_EP_ENABLED;
> -               ep->driver_data = &dev->eps[i];
> +               ep->state = STATE_EP_ENABLED;
> +               ep->ep->driver_data = ep;
>                 ret = i;
>                 goto out_unlock;
>         }
> @@ -786,7 +783,7 @@ static int raw_ioctl_ep_enable(struct raw_dev *dev, unsigned long value)
>         ret = -EBUSY;
>
>  out_free:
> -       kfree(desc);
> +       kfree(descs);
>  out_unlock:
>         spin_unlock_irqrestore(&dev->lock, flags);
>         return ret;
> @@ -796,9 +793,9 @@ static int raw_ioctl_ep_disable(struct raw_dev *dev, unsigned long value)
>  {
>         int ret = 0, i = value;
>         unsigned long flags;
> -       const void *desc;
> +       const void *descs;
>
> -       if (i < 0 || i >= USB_RAW_MAX_ENDPOINTS)
> +       if (i < 0 || i >= USB_RAW_EPS_NUM_MAX)
>                 return -EINVAL;
>
>         spin_lock_irqsave(&dev->lock, flags);
> @@ -836,10 +833,10 @@ static int raw_ioctl_ep_disable(struct raw_dev *dev, unsigned long value)
>
>         spin_lock_irqsave(&dev->lock, flags);
>         usb_ep_free_request(dev->eps[i].ep, dev->eps[i].req);
> -       desc = dev->eps[i].ep->desc;
> +       descs = dev->eps[i].ep->desc;
>         dev->eps[i].ep = NULL;
>         dev->eps[i].state = STATE_EP_DISABLED;
> -       kfree(desc);
> +       kfree(descs);
>         dev->eps[i].disabling = false;
>
>  out_unlock:
> @@ -1027,6 +1024,64 @@ static int raw_ioctl_vbus_draw(struct raw_dev *dev, unsigned long value)
>         return ret;
>  }
>
> +static void fill_ep_caps(struct usb_ep_caps *caps,
> +                               struct usb_raw_ep_caps *raw_caps)
> +{
> +       raw_caps->type_control = caps->type_control;
> +       raw_caps->type_iso = caps->type_iso;
> +       raw_caps->type_bulk = caps->type_bulk;
> +       raw_caps->type_int = caps->type_int;
> +       raw_caps->dir_in = caps->dir_in;
> +       raw_caps->dir_out = caps->dir_out;
> +}
> +
> +static void fill_ep_limits(struct usb_ep *ep, struct usb_raw_ep_limits *limits)
> +{
> +       limits->maxpacket_limit = ep->maxpacket_limit;
> +       limits->max_streams = ep->max_streams;
> +       limits->maxburst = ep->maxburst;
> +}
> +
> +static int raw_ioctl_eps_info(struct raw_dev *dev, unsigned long value)
> +{
> +       int ret = 0, i;
> +       unsigned long flags;
> +       struct usb_raw_eps_info info;
> +       struct raw_ep *ep;
> +
> +       spin_lock_irqsave(&dev->lock, flags);
> +       if (dev->state != STATE_DEV_RUNNING) {
> +               dev_dbg(dev->dev, "fail, device is not running\n");
> +               ret = -EINVAL;
> +               spin_unlock_irqrestore(&dev->lock, flags);
> +               goto out;
> +       }
> +       if (!dev->gadget) {
> +               dev_dbg(dev->dev, "fail, gadget is not bound\n");
> +               ret = -EBUSY;
> +               spin_unlock_irqrestore(&dev->lock, flags);
> +               goto out;
> +       }
> +
> +       memset(&info, 0, sizeof(info));
> +       for (i = 0; i < dev->eps_num; i++) {
> +               ep = &dev->eps[i];
> +               strscpy(&info.eps[i].name[0], ep->ep->name,
> +                               USB_RAW_EP_NAME_MAX);
> +               info.eps[i].addr = ep->addr;
> +               fill_ep_caps(&ep->ep->caps, &info.eps[i].caps);
> +               fill_ep_limits(ep->ep, &info.eps[i].limits);
> +       }
> +       ret = dev->eps_num;
> +       spin_unlock_irqrestore(&dev->lock, flags);
> +
> +       if (copy_to_user((void __user *)value, &info, sizeof(info)))
> +               ret = -EFAULT;
> +
> +out:
> +       return ret;
> +}
> +
>  static long raw_ioctl(struct file *fd, unsigned int cmd, unsigned long value)
>  {
>         struct raw_dev *dev = fd->private_data;
> @@ -1069,6 +1124,9 @@ static long raw_ioctl(struct file *fd, unsigned int cmd, unsigned long value)
>         case USB_RAW_IOCTL_VBUS_DRAW:
>                 ret = raw_ioctl_vbus_draw(dev, value);
>                 break;
> +       case USB_RAW_IOCTL_EPS_INFO:
> +               ret = raw_ioctl_eps_info(dev, value);
> +               break;
>         default:
>                 ret = -EINVAL;
>         }
> diff --git a/include/uapi/linux/usb/raw_gadget.h b/include/uapi/linux/usb/raw_gadget.h
> index 8544802b25bd..6ae626d17f0c 100644
> --- a/include/uapi/linux/usb/raw_gadget.h
> +++ b/include/uapi/linux/usb/raw_gadget.h
> @@ -93,6 +93,75 @@ struct usb_raw_ep_io {
>         __u8            data[0];
>  };
>
> +/*
> + * struct usb_raw_ep_descs - argument for USB_RAW_IOCTL_EP_ENABLE ioctl.
> + * @ep: Endpoint descriptor.
> + * @comp: SuperSpeed Endpoint Companion descriptor.
> + *
> + * Both of these descriptors are only used by the gadget subsystem including
> + * the UDC driver and don't affect the descriptors that are sent to the host.
> + * However, the user must make sure that the host and the gadget sides agree
> + * on the used endpoint parameters (such as e.g. endpoint addresses).
> + */
> +struct usb_raw_ep_descs {
> +       struct usb_endpoint_descriptor          ep;
> +       struct usb_ss_ep_comp_descriptor        comp;
> +};
> +
> +/* Maximum number of non-control endpoints in struct usb_raw_eps_info. */
> +#define USB_RAW_EPS_NUM_MAX    30
> +
> +/* Maximum length of UDC endpoint name in struct usb_raw_ep_info. */
> +#define USB_RAW_EP_NAME_MAX    16
> +
> +/* Used as addr in struct usb_raw_ep_info if endpoint accepts any address. */
> +#define USB_RAW_EP_ADDR_ANY    0xff
> +
> +/*
> + * struct usb_raw_ep_caps - exposes endpoint capabilities from
> + *     struct usb_ep_caps.
> + */
> +struct usb_raw_ep_caps {
> +       __u32   type_control:1;
> +       __u32   type_iso:1;
> +       __u32   type_bulk:1;
> +       __u32   type_int:1;
> +       __u32   dir_in:1;
> +       __u32   dir_out:1;
> +};
> +
> +/*
> + * struct usb_raw_ep_limits - exposes endpoint limits from struct usb_ep.
> + */
> +struct usb_raw_ep_limits {
> +       __u32   maxpacket_limit;
> +       __u32   max_streams;
> +       __u32   maxburst;
> +};
> +
> +/*
> + * struct usb_raw_ep_info - stores information about a gadget endpoint.
> + * @name: Name of the endpoint as it is defined in the UDC driver.
> + * @addr: Address of the endpoint that must be specified in the endpoint
> + *     descriptor passed to USB_RAW_IOCTL_EP_ENABLE ioctl.
> + * @caps: Endpoint capabilities.
> + * @limits: Endpoint limits.
> + */
> +struct usb_raw_ep_info {
> +       __u8                            name[USB_RAW_EP_NAME_MAX];
> +       __u32                           addr;
> +       struct usb_raw_ep_caps          caps;
> +       struct usb_raw_ep_limits        limits;
> +};
> +
> +/*
> + * struct usb_raw_eps_info - argument for USB_RAW_IOCTL_EPS_INFO ioctl.
> + * eps: Structures that store information about non-control endpoints.
> + */
> +struct usb_raw_eps_info {
> +       struct usb_raw_ep_info  eps[USB_RAW_EPS_NUM_MAX];
> +};
> +
>  /*
>   * Initializes a Raw Gadget instance.
>   * Accepts a pointer to the usb_raw_init struct as an argument.
> @@ -126,12 +195,12 @@ struct usb_raw_ep_io {
>  #define USB_RAW_IOCTL_EP0_READ         _IOWR('U', 4, struct usb_raw_ep_io)
>
>  /*
> - * Finds an endpoint that supports the transfer type specified in the
> - * descriptor and enables it.
> - * Accepts a pointer to the usb_endpoint_descriptor struct as an argument.
> + * Finds an endpoint that satisfies the parameters specified in the provided
> + * descriptors (address, transfer type, etc.) and enables it.
> + * Accepts a pointer to the usb_raw_ep_descs struct as an argument.
>   * Returns enabled endpoint handle on success or negative error code on failure.
>   */
> -#define USB_RAW_IOCTL_EP_ENABLE                _IOW('U', 5, struct usb_endpoint_descriptor)
> +#define USB_RAW_IOCTL_EP_ENABLE                _IOW('U', 5, struct usb_raw_ep_descs)
>
>  /* Disables specified endpoint.
>   * Accepts endpoint handle as an argument.
> @@ -164,4 +233,11 @@ struct usb_raw_ep_io {
>   */
>  #define USB_RAW_IOCTL_VBUS_DRAW                _IOW('U', 10, __u32)
>
> +/* Fills in the usb_raw_eps_info structure with information about non-control
> + * endpoints available for the currently connected UDC.
> + * Returns the number of available endpoints on success or negative error code
> + * on failure.
> + */
> +#define USB_RAW_IOCTL_EPS_INFO         _IOR('U', 11, struct usb_raw_eps_info)
> +
>  #endif /* _UAPI__LINUX_USB_RAW_GADGET_H */
> --
> 2.26.2.303.gf8c07b1a785-goog
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ