1 // SPDX-License-Identifier: GPL-2.0+ 2 /* 3 * Copyright (C) 2003-2008 Takahiro Hirofuchi 4 */ 5 6 #include <asm/byteorder.h> 7 #include <linux/kthread.h> 8 #include <linux/usb.h> 9 #include <linux/usb/hcd.h> 10 11 #include "usbip_common.h" 12 #include "stub.h" 13 14 static int is_clear_halt_cmd(struct urb *urb) 15 { 16 struct usb_ctrlrequest *req; 17 18 req = (struct usb_ctrlrequest *) urb->setup_packet; 19 20 return (req->bRequest == USB_REQ_CLEAR_FEATURE) && 21 (req->bRequestType == USB_RECIP_ENDPOINT) && 22 (req->wValue == USB_ENDPOINT_HALT); 23 } 24 25 static int is_set_interface_cmd(struct urb *urb) 26 { 27 struct usb_ctrlrequest *req; 28 29 req = (struct usb_ctrlrequest *) urb->setup_packet; 30 31 return (req->bRequest == USB_REQ_SET_INTERFACE) && 32 (req->bRequestType == USB_RECIP_INTERFACE); 33 } 34 35 static int is_set_configuration_cmd(struct urb *urb) 36 { 37 struct usb_ctrlrequest *req; 38 39 req = (struct usb_ctrlrequest *) urb->setup_packet; 40 41 return (req->bRequest == USB_REQ_SET_CONFIGURATION) && 42 (req->bRequestType == USB_RECIP_DEVICE); 43 } 44 45 static int is_reset_device_cmd(struct urb *urb) 46 { 47 struct usb_ctrlrequest *req; 48 __u16 value; 49 __u16 index; 50 51 req = (struct usb_ctrlrequest *) urb->setup_packet; 52 value = le16_to_cpu(req->wValue); 53 index = le16_to_cpu(req->wIndex); 54 55 if ((req->bRequest == USB_REQ_SET_FEATURE) && 56 (req->bRequestType == USB_RT_PORT) && 57 (value == USB_PORT_FEAT_RESET)) { 58 usbip_dbg_stub_rx("reset_device_cmd, port %u\n", index); 59 return 1; 60 } else 61 return 0; 62 } 63 64 static int tweak_clear_halt_cmd(struct urb *urb) 65 { 66 struct usb_ctrlrequest *req; 67 int target_endp; 68 int target_dir; 69 int target_pipe; 70 int ret; 71 72 req = (struct usb_ctrlrequest *) urb->setup_packet; 73 74 /* 75 * The stalled endpoint is specified in the wIndex value. The endpoint 76 * of the urb is the target of this clear_halt request (i.e., control 77 * endpoint). 78 */ 79 target_endp = le16_to_cpu(req->wIndex) & 0x000f; 80 81 /* the stalled endpoint direction is IN or OUT?. USB_DIR_IN is 0x80. */ 82 target_dir = le16_to_cpu(req->wIndex) & 0x0080; 83 84 if (target_dir) 85 target_pipe = usb_rcvctrlpipe(urb->dev, target_endp); 86 else 87 target_pipe = usb_sndctrlpipe(urb->dev, target_endp); 88 89 ret = usb_clear_halt(urb->dev, target_pipe); 90 if (ret < 0) 91 dev_err(&urb->dev->dev, 92 "usb_clear_halt error: devnum %d endp %d ret %d\n", 93 urb->dev->devnum, target_endp, ret); 94 else 95 dev_info(&urb->dev->dev, 96 "usb_clear_halt done: devnum %d endp %d\n", 97 urb->dev->devnum, target_endp); 98 99 return ret; 100 } 101 102 static int tweak_set_interface_cmd(struct urb *urb) 103 { 104 struct usb_ctrlrequest *req; 105 __u16 alternate; 106 __u16 interface; 107 int ret; 108 109 req = (struct usb_ctrlrequest *) urb->setup_packet; 110 alternate = le16_to_cpu(req->wValue); 111 interface = le16_to_cpu(req->wIndex); 112 113 usbip_dbg_stub_rx("set_interface: inf %u alt %u\n", 114 interface, alternate); 115 116 ret = usb_set_interface(urb->dev, interface, alternate); 117 if (ret < 0) 118 dev_err(&urb->dev->dev, 119 "usb_set_interface error: inf %u alt %u ret %d\n", 120 interface, alternate, ret); 121 else 122 dev_info(&urb->dev->dev, 123 "usb_set_interface done: inf %u alt %u\n", 124 interface, alternate); 125 126 return ret; 127 } 128 129 static int tweak_set_configuration_cmd(struct urb *urb) 130 { 131 struct stub_priv *priv = (struct stub_priv *) urb->context; 132 struct stub_device *sdev = priv->sdev; 133 struct usb_ctrlrequest *req; 134 __u16 config; 135 int err; 136 137 req = (struct usb_ctrlrequest *) urb->setup_packet; 138 config = le16_to_cpu(req->wValue); 139 140 err = usb_set_configuration(sdev->udev, config); 141 if (err && err != -ENODEV) 142 dev_err(&sdev->udev->dev, "can't set config #%d, error %d\n", 143 config, err); 144 return 0; 145 } 146 147 static int tweak_reset_device_cmd(struct urb *urb) 148 { 149 struct stub_priv *priv = (struct stub_priv *) urb->context; 150 struct stub_device *sdev = priv->sdev; 151 152 dev_info(&urb->dev->dev, "usb_queue_reset_device\n"); 153 154 if (usb_lock_device_for_reset(sdev->udev, NULL) < 0) { 155 dev_err(&urb->dev->dev, "could not obtain lock to reset device\n"); 156 return 0; 157 } 158 usb_reset_device(sdev->udev); 159 usb_unlock_device(sdev->udev); 160 161 return 0; 162 } 163 164 /* 165 * clear_halt, set_interface, and set_configuration require special tricks. 166 */ 167 static void tweak_special_requests(struct urb *urb) 168 { 169 if (!urb || !urb->setup_packet) 170 return; 171 172 if (usb_pipetype(urb->pipe) != PIPE_CONTROL) 173 return; 174 175 if (is_clear_halt_cmd(urb)) 176 /* tweak clear_halt */ 177 tweak_clear_halt_cmd(urb); 178 179 else if (is_set_interface_cmd(urb)) 180 /* tweak set_interface */ 181 tweak_set_interface_cmd(urb); 182 183 else if (is_set_configuration_cmd(urb)) 184 /* tweak set_configuration */ 185 tweak_set_configuration_cmd(urb); 186 187 else if (is_reset_device_cmd(urb)) 188 tweak_reset_device_cmd(urb); 189 else 190 usbip_dbg_stub_rx("no need to tweak\n"); 191 } 192 193 /* 194 * stub_recv_unlink() unlinks the URB by a call to usb_unlink_urb(). 195 * By unlinking the urb asynchronously, stub_rx can continuously 196 * process coming urbs. Even if the urb is unlinked, its completion 197 * handler will be called and stub_tx will send a return pdu. 198 * 199 * See also comments about unlinking strategy in vhci_hcd.c. 200 */ 201 static int stub_recv_cmd_unlink(struct stub_device *sdev, 202 struct usbip_header *pdu) 203 { 204 int ret; 205 unsigned long flags; 206 struct stub_priv *priv; 207 208 spin_lock_irqsave(&sdev->priv_lock, flags); 209 210 list_for_each_entry(priv, &sdev->priv_init, list) { 211 if (priv->seqnum != pdu->u.cmd_unlink.seqnum) 212 continue; 213 214 dev_info(&priv->urb->dev->dev, "unlink urb %p\n", 215 priv->urb); 216 217 /* 218 * This matched urb is not completed yet (i.e., be in 219 * flight in usb hcd hardware/driver). Now we are 220 * cancelling it. The unlinking flag means that we are 221 * now not going to return the normal result pdu of a 222 * submission request, but going to return a result pdu 223 * of the unlink request. 224 */ 225 priv->unlinking = 1; 226 227 /* 228 * In the case that unlinking flag is on, prev->seqnum 229 * is changed from the seqnum of the cancelling urb to 230 * the seqnum of the unlink request. This will be used 231 * to make the result pdu of the unlink request. 232 */ 233 priv->seqnum = pdu->base.seqnum; 234 235 spin_unlock_irqrestore(&sdev->priv_lock, flags); 236 237 /* 238 * usb_unlink_urb() is now out of spinlocking to avoid 239 * spinlock recursion since stub_complete() is 240 * sometimes called in this context but not in the 241 * interrupt context. If stub_complete() is executed 242 * before we call usb_unlink_urb(), usb_unlink_urb() 243 * will return an error value. In this case, stub_tx 244 * will return the result pdu of this unlink request 245 * though submission is completed and actual unlinking 246 * is not executed. OK? 247 */ 248 /* In the above case, urb->status is not -ECONNRESET, 249 * so a driver in a client host will know the failure 250 * of the unlink request ? 251 */ 252 ret = usb_unlink_urb(priv->urb); 253 if (ret != -EINPROGRESS) 254 dev_err(&priv->urb->dev->dev, 255 "failed to unlink a urb %p, ret %d\n", 256 priv->urb, ret); 257 258 return 0; 259 } 260 261 usbip_dbg_stub_rx("seqnum %d is not pending\n", 262 pdu->u.cmd_unlink.seqnum); 263 264 /* 265 * The urb of the unlink target is not found in priv_init queue. It was 266 * already completed and its results is/was going to be sent by a 267 * CMD_RET pdu. In this case, usb_unlink_urb() is not needed. We only 268 * return the completeness of this unlink request to vhci_hcd. 269 */ 270 stub_enqueue_ret_unlink(sdev, pdu->base.seqnum, 0); 271 272 spin_unlock_irqrestore(&sdev->priv_lock, flags); 273 274 return 0; 275 } 276 277 static int valid_request(struct stub_device *sdev, struct usbip_header *pdu) 278 { 279 struct usbip_device *ud = &sdev->ud; 280 int valid = 0; 281 282 if (pdu->base.devid == sdev->devid) { 283 spin_lock_irq(&ud->lock); 284 if (ud->status == SDEV_ST_USED) { 285 /* A request is valid. */ 286 valid = 1; 287 } 288 spin_unlock_irq(&ud->lock); 289 } 290 291 return valid; 292 } 293 294 static struct stub_priv *stub_priv_alloc(struct stub_device *sdev, 295 struct usbip_header *pdu) 296 { 297 struct stub_priv *priv; 298 struct usbip_device *ud = &sdev->ud; 299 unsigned long flags; 300 301 spin_lock_irqsave(&sdev->priv_lock, flags); 302 303 priv = kmem_cache_zalloc(stub_priv_cache, GFP_ATOMIC); 304 if (!priv) { 305 dev_err(&sdev->udev->dev, "alloc stub_priv\n"); 306 spin_unlock_irqrestore(&sdev->priv_lock, flags); 307 usbip_event_add(ud, SDEV_EVENT_ERROR_MALLOC); 308 return NULL; 309 } 310 311 priv->seqnum = pdu->base.seqnum; 312 priv->sdev = sdev; 313 314 /* 315 * After a stub_priv is linked to a list_head, 316 * our error handler can free allocated data. 317 */ 318 list_add_tail(&priv->list, &sdev->priv_init); 319 320 spin_unlock_irqrestore(&sdev->priv_lock, flags); 321 322 return priv; 323 } 324 325 static int get_pipe(struct stub_device *sdev, struct usbip_header *pdu) 326 { 327 struct usb_device *udev = sdev->udev; 328 struct usb_host_endpoint *ep; 329 struct usb_endpoint_descriptor *epd = NULL; 330 int epnum = pdu->base.ep; 331 int dir = pdu->base.direction; 332 333 if (epnum < 0 || epnum > 15) 334 goto err_ret; 335 336 if (dir == USBIP_DIR_IN) 337 ep = udev->ep_in[epnum & 0x7f]; 338 else 339 ep = udev->ep_out[epnum & 0x7f]; 340 if (!ep) 341 goto err_ret; 342 343 epd = &ep->desc; 344 345 /* validate transfer_buffer_length */ 346 if (pdu->u.cmd_submit.transfer_buffer_length > INT_MAX) { 347 dev_err(&sdev->udev->dev, 348 "CMD_SUBMIT: -EMSGSIZE transfer_buffer_length %d\n", 349 pdu->u.cmd_submit.transfer_buffer_length); 350 return -1; 351 } 352 353 if (usb_endpoint_xfer_control(epd)) { 354 if (dir == USBIP_DIR_OUT) 355 return usb_sndctrlpipe(udev, epnum); 356 else 357 return usb_rcvctrlpipe(udev, epnum); 358 } 359 360 if (usb_endpoint_xfer_bulk(epd)) { 361 if (dir == USBIP_DIR_OUT) 362 return usb_sndbulkpipe(udev, epnum); 363 else 364 return usb_rcvbulkpipe(udev, epnum); 365 } 366 367 if (usb_endpoint_xfer_int(epd)) { 368 if (dir == USBIP_DIR_OUT) 369 return usb_sndintpipe(udev, epnum); 370 else 371 return usb_rcvintpipe(udev, epnum); 372 } 373 374 if (usb_endpoint_xfer_isoc(epd)) { 375 /* validate packet size and number of packets */ 376 unsigned int maxp, packets, bytes; 377 378 maxp = usb_endpoint_maxp(epd); 379 maxp *= usb_endpoint_maxp_mult(epd); 380 bytes = pdu->u.cmd_submit.transfer_buffer_length; 381 packets = DIV_ROUND_UP(bytes, maxp); 382 383 if (pdu->u.cmd_submit.number_of_packets < 0 || 384 pdu->u.cmd_submit.number_of_packets > packets) { 385 dev_err(&sdev->udev->dev, 386 "CMD_SUBMIT: isoc invalid num packets %d\n", 387 pdu->u.cmd_submit.number_of_packets); 388 return -1; 389 } 390 if (dir == USBIP_DIR_OUT) 391 return usb_sndisocpipe(udev, epnum); 392 else 393 return usb_rcvisocpipe(udev, epnum); 394 } 395 396 err_ret: 397 /* NOT REACHED */ 398 dev_err(&sdev->udev->dev, "CMD_SUBMIT: invalid epnum %d\n", epnum); 399 return -1; 400 } 401 402 static void masking_bogus_flags(struct urb *urb) 403 { 404 int xfertype; 405 struct usb_device *dev; 406 struct usb_host_endpoint *ep; 407 int is_out; 408 unsigned int allowed; 409 410 if (!urb || urb->hcpriv || !urb->complete) 411 return; 412 dev = urb->dev; 413 if ((!dev) || (dev->state < USB_STATE_UNAUTHENTICATED)) 414 return; 415 416 ep = (usb_pipein(urb->pipe) ? dev->ep_in : dev->ep_out) 417 [usb_pipeendpoint(urb->pipe)]; 418 if (!ep) 419 return; 420 421 xfertype = usb_endpoint_type(&ep->desc); 422 if (xfertype == USB_ENDPOINT_XFER_CONTROL) { 423 struct usb_ctrlrequest *setup = 424 (struct usb_ctrlrequest *) urb->setup_packet; 425 426 if (!setup) 427 return; 428 is_out = !(setup->bRequestType & USB_DIR_IN) || 429 !setup->wLength; 430 } else { 431 is_out = usb_endpoint_dir_out(&ep->desc); 432 } 433 434 /* enforce simple/standard policy */ 435 allowed = (URB_NO_TRANSFER_DMA_MAP | URB_NO_INTERRUPT | 436 URB_DIR_MASK | URB_FREE_BUFFER); 437 switch (xfertype) { 438 case USB_ENDPOINT_XFER_BULK: 439 if (is_out) 440 allowed |= URB_ZERO_PACKET; 441 /* FALLTHROUGH */ 442 case USB_ENDPOINT_XFER_CONTROL: 443 allowed |= URB_NO_FSBR; /* only affects UHCI */ 444 /* FALLTHROUGH */ 445 default: /* all non-iso endpoints */ 446 if (!is_out) 447 allowed |= URB_SHORT_NOT_OK; 448 break; 449 case USB_ENDPOINT_XFER_ISOC: 450 allowed |= URB_ISO_ASAP; 451 break; 452 } 453 urb->transfer_flags &= allowed; 454 } 455 456 static void stub_recv_cmd_submit(struct stub_device *sdev, 457 struct usbip_header *pdu) 458 { 459 int ret; 460 struct stub_priv *priv; 461 struct usbip_device *ud = &sdev->ud; 462 struct usb_device *udev = sdev->udev; 463 int pipe = get_pipe(sdev, pdu); 464 465 if (pipe == -1) 466 return; 467 468 priv = stub_priv_alloc(sdev, pdu); 469 if (!priv) 470 return; 471 472 /* setup a urb */ 473 if (usb_pipeisoc(pipe)) 474 priv->urb = usb_alloc_urb(pdu->u.cmd_submit.number_of_packets, 475 GFP_KERNEL); 476 else 477 priv->urb = usb_alloc_urb(0, GFP_KERNEL); 478 479 if (!priv->urb) { 480 usbip_event_add(ud, SDEV_EVENT_ERROR_MALLOC); 481 return; 482 } 483 484 /* allocate urb transfer buffer, if needed */ 485 if (pdu->u.cmd_submit.transfer_buffer_length > 0 && 486 pdu->u.cmd_submit.transfer_buffer_length <= INT_MAX) { 487 priv->urb->transfer_buffer = 488 kzalloc(pdu->u.cmd_submit.transfer_buffer_length, 489 GFP_KERNEL); 490 if (!priv->urb->transfer_buffer) { 491 usbip_event_add(ud, SDEV_EVENT_ERROR_MALLOC); 492 return; 493 } 494 } 495 496 /* copy urb setup packet */ 497 priv->urb->setup_packet = kmemdup(&pdu->u.cmd_submit.setup, 8, 498 GFP_KERNEL); 499 if (!priv->urb->setup_packet) { 500 dev_err(&udev->dev, "allocate setup_packet\n"); 501 usbip_event_add(ud, SDEV_EVENT_ERROR_MALLOC); 502 return; 503 } 504 505 /* set other members from the base header of pdu */ 506 priv->urb->context = (void *) priv; 507 priv->urb->dev = udev; 508 priv->urb->pipe = pipe; 509 priv->urb->complete = stub_complete; 510 511 usbip_pack_pdu(pdu, priv->urb, USBIP_CMD_SUBMIT, 0); 512 513 514 if (usbip_recv_xbuff(ud, priv->urb) < 0) 515 return; 516 517 if (usbip_recv_iso(ud, priv->urb) < 0) 518 return; 519 520 /* no need to submit an intercepted request, but harmless? */ 521 tweak_special_requests(priv->urb); 522 523 masking_bogus_flags(priv->urb); 524 /* urb is now ready to submit */ 525 ret = usb_submit_urb(priv->urb, GFP_KERNEL); 526 527 if (ret == 0) 528 usbip_dbg_stub_rx("submit urb ok, seqnum %u\n", 529 pdu->base.seqnum); 530 else { 531 dev_err(&udev->dev, "submit_urb error, %d\n", ret); 532 usbip_dump_header(pdu); 533 usbip_dump_urb(priv->urb); 534 535 /* 536 * Pessimistic. 537 * This connection will be discarded. 538 */ 539 usbip_event_add(ud, SDEV_EVENT_ERROR_SUBMIT); 540 } 541 542 usbip_dbg_stub_rx("Leave\n"); 543 } 544 545 /* recv a pdu */ 546 static void stub_rx_pdu(struct usbip_device *ud) 547 { 548 int ret; 549 struct usbip_header pdu; 550 struct stub_device *sdev = container_of(ud, struct stub_device, ud); 551 struct device *dev = &sdev->udev->dev; 552 553 usbip_dbg_stub_rx("Enter\n"); 554 555 memset(&pdu, 0, sizeof(pdu)); 556 557 /* receive a pdu header */ 558 ret = usbip_recv(ud->tcp_socket, &pdu, sizeof(pdu)); 559 if (ret != sizeof(pdu)) { 560 dev_err(dev, "recv a header, %d\n", ret); 561 usbip_event_add(ud, SDEV_EVENT_ERROR_TCP); 562 return; 563 } 564 565 usbip_header_correct_endian(&pdu, 0); 566 567 if (usbip_dbg_flag_stub_rx) 568 usbip_dump_header(&pdu); 569 570 if (!valid_request(sdev, &pdu)) { 571 dev_err(dev, "recv invalid request\n"); 572 usbip_event_add(ud, SDEV_EVENT_ERROR_TCP); 573 return; 574 } 575 576 switch (pdu.base.command) { 577 case USBIP_CMD_UNLINK: 578 stub_recv_cmd_unlink(sdev, &pdu); 579 break; 580 581 case USBIP_CMD_SUBMIT: 582 stub_recv_cmd_submit(sdev, &pdu); 583 break; 584 585 default: 586 /* NOTREACHED */ 587 dev_err(dev, "unknown pdu\n"); 588 usbip_event_add(ud, SDEV_EVENT_ERROR_TCP); 589 break; 590 } 591 } 592 593 int stub_rx_loop(void *data) 594 { 595 struct usbip_device *ud = data; 596 597 while (!kthread_should_stop()) { 598 if (usbip_event_happened(ud)) 599 break; 600 601 stub_rx_pdu(ud); 602 } 603 604 return 0; 605 } 606