1 // SPDX-License-Identifier: GPL-2.0+ 2 /* 3 * Copyright (C) 2003-2008 Takahiro Hirofuchi 4 */ 5 6 #include <asm/byteorder.h> 7 #include <linux/kthread.h> 8 #include <linux/usb.h> 9 #include <linux/usb/hcd.h> 10 11 #include "usbip_common.h" 12 #include "stub.h" 13 14 static int is_clear_halt_cmd(struct urb *urb) 15 { 16 struct usb_ctrlrequest *req; 17 18 req = (struct usb_ctrlrequest *) urb->setup_packet; 19 20 return (req->bRequest == USB_REQ_CLEAR_FEATURE) && 21 (req->bRequestType == USB_RECIP_ENDPOINT) && 22 (req->wValue == USB_ENDPOINT_HALT); 23 } 24 25 static int is_set_interface_cmd(struct urb *urb) 26 { 27 struct usb_ctrlrequest *req; 28 29 req = (struct usb_ctrlrequest *) urb->setup_packet; 30 31 return (req->bRequest == USB_REQ_SET_INTERFACE) && 32 (req->bRequestType == USB_RECIP_INTERFACE); 33 } 34 35 static int is_set_configuration_cmd(struct urb *urb) 36 { 37 struct usb_ctrlrequest *req; 38 39 req = (struct usb_ctrlrequest *) urb->setup_packet; 40 41 return (req->bRequest == USB_REQ_SET_CONFIGURATION) && 42 (req->bRequestType == USB_RECIP_DEVICE); 43 } 44 45 static int is_reset_device_cmd(struct urb *urb) 46 { 47 struct usb_ctrlrequest *req; 48 __u16 value; 49 __u16 index; 50 51 req = (struct usb_ctrlrequest *) urb->setup_packet; 52 value = le16_to_cpu(req->wValue); 53 index = le16_to_cpu(req->wIndex); 54 55 if ((req->bRequest == USB_REQ_SET_FEATURE) && 56 (req->bRequestType == USB_RT_PORT) && 57 (value == USB_PORT_FEAT_RESET)) { 58 usbip_dbg_stub_rx("reset_device_cmd, port %u\n", index); 59 return 1; 60 } else 61 return 0; 62 } 63 64 static int tweak_clear_halt_cmd(struct urb *urb) 65 { 66 struct usb_ctrlrequest *req; 67 int target_endp; 68 int target_dir; 69 int target_pipe; 70 int ret; 71 72 req = (struct usb_ctrlrequest *) urb->setup_packet; 73 74 /* 75 * The stalled endpoint is specified in the wIndex value. The endpoint 76 * of the urb is the target of this clear_halt request (i.e., control 77 * endpoint). 78 */ 79 target_endp = le16_to_cpu(req->wIndex) & 0x000f; 80 81 /* the stalled endpoint direction is IN or OUT?. USB_DIR_IN is 0x80. */ 82 target_dir = le16_to_cpu(req->wIndex) & 0x0080; 83 84 if (target_dir) 85 target_pipe = usb_rcvctrlpipe(urb->dev, target_endp); 86 else 87 target_pipe = usb_sndctrlpipe(urb->dev, target_endp); 88 89 ret = usb_clear_halt(urb->dev, target_pipe); 90 if (ret < 0) 91 dev_err(&urb->dev->dev, 92 "usb_clear_halt error: devnum %d endp %d ret %d\n", 93 urb->dev->devnum, target_endp, ret); 94 else 95 dev_info(&urb->dev->dev, 96 "usb_clear_halt done: devnum %d endp %d\n", 97 urb->dev->devnum, target_endp); 98 99 return ret; 100 } 101 102 static int tweak_set_interface_cmd(struct urb *urb) 103 { 104 struct usb_ctrlrequest *req; 105 __u16 alternate; 106 __u16 interface; 107 int ret; 108 109 req = (struct usb_ctrlrequest *) urb->setup_packet; 110 alternate = le16_to_cpu(req->wValue); 111 interface = le16_to_cpu(req->wIndex); 112 113 usbip_dbg_stub_rx("set_interface: inf %u alt %u\n", 114 interface, alternate); 115 116 ret = usb_set_interface(urb->dev, interface, alternate); 117 if (ret < 0) 118 dev_err(&urb->dev->dev, 119 "usb_set_interface error: inf %u alt %u ret %d\n", 120 interface, alternate, ret); 121 else 122 dev_info(&urb->dev->dev, 123 "usb_set_interface done: inf %u alt %u\n", 124 interface, alternate); 125 126 return ret; 127 } 128 129 static int tweak_set_configuration_cmd(struct urb *urb) 130 { 131 struct stub_priv *priv = (struct stub_priv *) urb->context; 132 struct stub_device *sdev = priv->sdev; 133 struct usb_ctrlrequest *req; 134 __u16 config; 135 int err; 136 137 req = (struct usb_ctrlrequest *) urb->setup_packet; 138 config = le16_to_cpu(req->wValue); 139 140 err = usb_set_configuration(sdev->udev, config); 141 if (err && err != -ENODEV) 142 dev_err(&sdev->udev->dev, "can't set config #%d, error %d\n", 143 config, err); 144 return 0; 145 } 146 147 static int tweak_reset_device_cmd(struct urb *urb) 148 { 149 struct stub_priv *priv = (struct stub_priv *) urb->context; 150 struct stub_device *sdev = priv->sdev; 151 152 dev_info(&urb->dev->dev, "usb_queue_reset_device\n"); 153 154 if (usb_lock_device_for_reset(sdev->udev, NULL) < 0) { 155 dev_err(&urb->dev->dev, "could not obtain lock to reset device\n"); 156 return 0; 157 } 158 usb_reset_device(sdev->udev); 159 usb_unlock_device(sdev->udev); 160 161 return 0; 162 } 163 164 /* 165 * clear_halt, set_interface, and set_configuration require special tricks. 166 */ 167 static void tweak_special_requests(struct urb *urb) 168 { 169 if (!urb || !urb->setup_packet) 170 return; 171 172 if (usb_pipetype(urb->pipe) != PIPE_CONTROL) 173 return; 174 175 if (is_clear_halt_cmd(urb)) 176 /* tweak clear_halt */ 177 tweak_clear_halt_cmd(urb); 178 179 else if (is_set_interface_cmd(urb)) 180 /* tweak set_interface */ 181 tweak_set_interface_cmd(urb); 182 183 else if (is_set_configuration_cmd(urb)) 184 /* tweak set_configuration */ 185 tweak_set_configuration_cmd(urb); 186 187 else if (is_reset_device_cmd(urb)) 188 tweak_reset_device_cmd(urb); 189 else 190 usbip_dbg_stub_rx("no need to tweak\n"); 191 } 192 193 /* 194 * stub_recv_unlink() unlinks the URB by a call to usb_unlink_urb(). 195 * By unlinking the urb asynchronously, stub_rx can continuously 196 * process coming urbs. Even if the urb is unlinked, its completion 197 * handler will be called and stub_tx will send a return pdu. 198 * 199 * See also comments about unlinking strategy in vhci_hcd.c. 200 */ 201 static int stub_recv_cmd_unlink(struct stub_device *sdev, 202 struct usbip_header *pdu) 203 { 204 int ret; 205 unsigned long flags; 206 struct stub_priv *priv; 207 208 spin_lock_irqsave(&sdev->priv_lock, flags); 209 210 list_for_each_entry(priv, &sdev->priv_init, list) { 211 if (priv->seqnum != pdu->u.cmd_unlink.seqnum) 212 continue; 213 214 dev_info(&priv->urb->dev->dev, "unlink urb %p\n", 215 priv->urb); 216 217 /* 218 * This matched urb is not completed yet (i.e., be in 219 * flight in usb hcd hardware/driver). Now we are 220 * cancelling it. The unlinking flag means that we are 221 * now not going to return the normal result pdu of a 222 * submission request, but going to return a result pdu 223 * of the unlink request. 224 */ 225 priv->unlinking = 1; 226 227 /* 228 * In the case that unlinking flag is on, prev->seqnum 229 * is changed from the seqnum of the cancelling urb to 230 * the seqnum of the unlink request. This will be used 231 * to make the result pdu of the unlink request. 232 */ 233 priv->seqnum = pdu->base.seqnum; 234 235 spin_unlock_irqrestore(&sdev->priv_lock, flags); 236 237 /* 238 * usb_unlink_urb() is now out of spinlocking to avoid 239 * spinlock recursion since stub_complete() is 240 * sometimes called in this context but not in the 241 * interrupt context. If stub_complete() is executed 242 * before we call usb_unlink_urb(), usb_unlink_urb() 243 * will return an error value. In this case, stub_tx 244 * will return the result pdu of this unlink request 245 * though submission is completed and actual unlinking 246 * is not executed. OK? 247 */ 248 /* In the above case, urb->status is not -ECONNRESET, 249 * so a driver in a client host will know the failure 250 * of the unlink request ? 251 */ 252 ret = usb_unlink_urb(priv->urb); 253 if (ret != -EINPROGRESS) 254 dev_err(&priv->urb->dev->dev, 255 "failed to unlink a urb %p, ret %d\n", 256 priv->urb, ret); 257 258 return 0; 259 } 260 261 usbip_dbg_stub_rx("seqnum %d is not pending\n", 262 pdu->u.cmd_unlink.seqnum); 263 264 /* 265 * The urb of the unlink target is not found in priv_init queue. It was 266 * already completed and its results is/was going to be sent by a 267 * CMD_RET pdu. In this case, usb_unlink_urb() is not needed. We only 268 * return the completeness of this unlink request to vhci_hcd. 269 */ 270 stub_enqueue_ret_unlink(sdev, pdu->base.seqnum, 0); 271 272 spin_unlock_irqrestore(&sdev->priv_lock, flags); 273 274 return 0; 275 } 276 277 static int valid_request(struct stub_device *sdev, struct usbip_header *pdu) 278 { 279 struct usbip_device *ud = &sdev->ud; 280 int valid = 0; 281 282 if (pdu->base.devid == sdev->devid) { 283 spin_lock_irq(&ud->lock); 284 if (ud->status == SDEV_ST_USED) { 285 /* A request is valid. */ 286 valid = 1; 287 } 288 spin_unlock_irq(&ud->lock); 289 } 290 291 return valid; 292 } 293 294 static struct stub_priv *stub_priv_alloc(struct stub_device *sdev, 295 struct usbip_header *pdu) 296 { 297 struct stub_priv *priv; 298 struct usbip_device *ud = &sdev->ud; 299 unsigned long flags; 300 301 spin_lock_irqsave(&sdev->priv_lock, flags); 302 303 priv = kmem_cache_zalloc(stub_priv_cache, GFP_ATOMIC); 304 if (!priv) { 305 dev_err(&sdev->udev->dev, "alloc stub_priv\n"); 306 spin_unlock_irqrestore(&sdev->priv_lock, flags); 307 usbip_event_add(ud, SDEV_EVENT_ERROR_MALLOC); 308 return NULL; 309 } 310 311 priv->seqnum = pdu->base.seqnum; 312 priv->sdev = sdev; 313 314 /* 315 * After a stub_priv is linked to a list_head, 316 * our error handler can free allocated data. 317 */ 318 list_add_tail(&priv->list, &sdev->priv_init); 319 320 spin_unlock_irqrestore(&sdev->priv_lock, flags); 321 322 return priv; 323 } 324 325 static int get_pipe(struct stub_device *sdev, int epnum, int dir) 326 { 327 struct usb_device *udev = sdev->udev; 328 struct usb_host_endpoint *ep; 329 struct usb_endpoint_descriptor *epd = NULL; 330 331 if (dir == USBIP_DIR_IN) 332 ep = udev->ep_in[epnum & 0x7f]; 333 else 334 ep = udev->ep_out[epnum & 0x7f]; 335 if (!ep) { 336 dev_err(&sdev->udev->dev, "no such endpoint?, %d\n", 337 epnum); 338 BUG(); 339 } 340 341 epd = &ep->desc; 342 if (usb_endpoint_xfer_control(epd)) { 343 if (dir == USBIP_DIR_OUT) 344 return usb_sndctrlpipe(udev, epnum); 345 else 346 return usb_rcvctrlpipe(udev, epnum); 347 } 348 349 if (usb_endpoint_xfer_bulk(epd)) { 350 if (dir == USBIP_DIR_OUT) 351 return usb_sndbulkpipe(udev, epnum); 352 else 353 return usb_rcvbulkpipe(udev, epnum); 354 } 355 356 if (usb_endpoint_xfer_int(epd)) { 357 if (dir == USBIP_DIR_OUT) 358 return usb_sndintpipe(udev, epnum); 359 else 360 return usb_rcvintpipe(udev, epnum); 361 } 362 363 if (usb_endpoint_xfer_isoc(epd)) { 364 if (dir == USBIP_DIR_OUT) 365 return usb_sndisocpipe(udev, epnum); 366 else 367 return usb_rcvisocpipe(udev, epnum); 368 } 369 370 /* NOT REACHED */ 371 dev_err(&sdev->udev->dev, "get pipe, epnum %d\n", epnum); 372 return 0; 373 } 374 375 static void masking_bogus_flags(struct urb *urb) 376 { 377 int xfertype; 378 struct usb_device *dev; 379 struct usb_host_endpoint *ep; 380 int is_out; 381 unsigned int allowed; 382 383 if (!urb || urb->hcpriv || !urb->complete) 384 return; 385 dev = urb->dev; 386 if ((!dev) || (dev->state < USB_STATE_UNAUTHENTICATED)) 387 return; 388 389 ep = (usb_pipein(urb->pipe) ? dev->ep_in : dev->ep_out) 390 [usb_pipeendpoint(urb->pipe)]; 391 if (!ep) 392 return; 393 394 xfertype = usb_endpoint_type(&ep->desc); 395 if (xfertype == USB_ENDPOINT_XFER_CONTROL) { 396 struct usb_ctrlrequest *setup = 397 (struct usb_ctrlrequest *) urb->setup_packet; 398 399 if (!setup) 400 return; 401 is_out = !(setup->bRequestType & USB_DIR_IN) || 402 !setup->wLength; 403 } else { 404 is_out = usb_endpoint_dir_out(&ep->desc); 405 } 406 407 /* enforce simple/standard policy */ 408 allowed = (URB_NO_TRANSFER_DMA_MAP | URB_NO_INTERRUPT | 409 URB_DIR_MASK | URB_FREE_BUFFER); 410 switch (xfertype) { 411 case USB_ENDPOINT_XFER_BULK: 412 if (is_out) 413 allowed |= URB_ZERO_PACKET; 414 /* FALLTHROUGH */ 415 case USB_ENDPOINT_XFER_CONTROL: 416 allowed |= URB_NO_FSBR; /* only affects UHCI */ 417 /* FALLTHROUGH */ 418 default: /* all non-iso endpoints */ 419 if (!is_out) 420 allowed |= URB_SHORT_NOT_OK; 421 break; 422 case USB_ENDPOINT_XFER_ISOC: 423 allowed |= URB_ISO_ASAP; 424 break; 425 } 426 urb->transfer_flags &= allowed; 427 } 428 429 static void stub_recv_cmd_submit(struct stub_device *sdev, 430 struct usbip_header *pdu) 431 { 432 int ret; 433 struct stub_priv *priv; 434 struct usbip_device *ud = &sdev->ud; 435 struct usb_device *udev = sdev->udev; 436 int pipe = get_pipe(sdev, pdu->base.ep, pdu->base.direction); 437 438 priv = stub_priv_alloc(sdev, pdu); 439 if (!priv) 440 return; 441 442 /* setup a urb */ 443 if (usb_pipeisoc(pipe)) 444 priv->urb = usb_alloc_urb(pdu->u.cmd_submit.number_of_packets, 445 GFP_KERNEL); 446 else 447 priv->urb = usb_alloc_urb(0, GFP_KERNEL); 448 449 if (!priv->urb) { 450 usbip_event_add(ud, SDEV_EVENT_ERROR_MALLOC); 451 return; 452 } 453 454 /* allocate urb transfer buffer, if needed */ 455 if (pdu->u.cmd_submit.transfer_buffer_length > 0) { 456 priv->urb->transfer_buffer = 457 kzalloc(pdu->u.cmd_submit.transfer_buffer_length, 458 GFP_KERNEL); 459 if (!priv->urb->transfer_buffer) { 460 usbip_event_add(ud, SDEV_EVENT_ERROR_MALLOC); 461 return; 462 } 463 } 464 465 /* copy urb setup packet */ 466 priv->urb->setup_packet = kmemdup(&pdu->u.cmd_submit.setup, 8, 467 GFP_KERNEL); 468 if (!priv->urb->setup_packet) { 469 dev_err(&udev->dev, "allocate setup_packet\n"); 470 usbip_event_add(ud, SDEV_EVENT_ERROR_MALLOC); 471 return; 472 } 473 474 /* set other members from the base header of pdu */ 475 priv->urb->context = (void *) priv; 476 priv->urb->dev = udev; 477 priv->urb->pipe = pipe; 478 priv->urb->complete = stub_complete; 479 480 usbip_pack_pdu(pdu, priv->urb, USBIP_CMD_SUBMIT, 0); 481 482 483 if (usbip_recv_xbuff(ud, priv->urb) < 0) 484 return; 485 486 if (usbip_recv_iso(ud, priv->urb) < 0) 487 return; 488 489 /* no need to submit an intercepted request, but harmless? */ 490 tweak_special_requests(priv->urb); 491 492 masking_bogus_flags(priv->urb); 493 /* urb is now ready to submit */ 494 ret = usb_submit_urb(priv->urb, GFP_KERNEL); 495 496 if (ret == 0) 497 usbip_dbg_stub_rx("submit urb ok, seqnum %u\n", 498 pdu->base.seqnum); 499 else { 500 dev_err(&udev->dev, "submit_urb error, %d\n", ret); 501 usbip_dump_header(pdu); 502 usbip_dump_urb(priv->urb); 503 504 /* 505 * Pessimistic. 506 * This connection will be discarded. 507 */ 508 usbip_event_add(ud, SDEV_EVENT_ERROR_SUBMIT); 509 } 510 511 usbip_dbg_stub_rx("Leave\n"); 512 } 513 514 /* recv a pdu */ 515 static void stub_rx_pdu(struct usbip_device *ud) 516 { 517 int ret; 518 struct usbip_header pdu; 519 struct stub_device *sdev = container_of(ud, struct stub_device, ud); 520 struct device *dev = &sdev->udev->dev; 521 522 usbip_dbg_stub_rx("Enter\n"); 523 524 memset(&pdu, 0, sizeof(pdu)); 525 526 /* receive a pdu header */ 527 ret = usbip_recv(ud->tcp_socket, &pdu, sizeof(pdu)); 528 if (ret != sizeof(pdu)) { 529 dev_err(dev, "recv a header, %d\n", ret); 530 usbip_event_add(ud, SDEV_EVENT_ERROR_TCP); 531 return; 532 } 533 534 usbip_header_correct_endian(&pdu, 0); 535 536 if (usbip_dbg_flag_stub_rx) 537 usbip_dump_header(&pdu); 538 539 if (!valid_request(sdev, &pdu)) { 540 dev_err(dev, "recv invalid request\n"); 541 usbip_event_add(ud, SDEV_EVENT_ERROR_TCP); 542 return; 543 } 544 545 switch (pdu.base.command) { 546 case USBIP_CMD_UNLINK: 547 stub_recv_cmd_unlink(sdev, &pdu); 548 break; 549 550 case USBIP_CMD_SUBMIT: 551 stub_recv_cmd_submit(sdev, &pdu); 552 break; 553 554 default: 555 /* NOTREACHED */ 556 dev_err(dev, "unknown pdu\n"); 557 usbip_event_add(ud, SDEV_EVENT_ERROR_TCP); 558 break; 559 } 560 } 561 562 int stub_rx_loop(void *data) 563 { 564 struct usbip_device *ud = data; 565 566 while (!kthread_should_stop()) { 567 if (usbip_event_happened(ud)) 568 break; 569 570 stub_rx_pdu(ud); 571 } 572 573 return 0; 574 } 575