Some modules call config_item_init_type_name() and config_group_init_type_name()
with parameter "name" directly controlled by userspace. These two
functions call config_item_set_name() with this name used as a format
string, which can be used to leak information such as content of the
stack to userspace.
For example, make_netconsole_target() in netconsole module calls
config_item_init_type_name() with the name of a newly-created directory.
This means that the following commands give some unexpected output, with
configfs mounted in /sys/kernel/config/ and on a system with a
configured eth0 ethernet interface:
# modprobe netconsole
# mkdir /sys/kernel/config/netconsole/target_%lx
# echo eth0 > /sys/kernel/config/netconsole/target_%lx/dev_name
# echo 1 > /sys/kernel/config/netconsole/target_%lx/enabled
# echo eth0 > /sys/kernel/config/netconsole/target_%lx/dev_name
# dmesg |tail -n1
[ 142.697668] netconsole: target (target_ffffffffc0ae8080) is
enabled, disable to update parameters
The directory name is correct but %lx has been interpreted in the
internal item name, displayed here in the error message used by
store_dev_name() in drivers/net/netconsole.c.
To fix this, update every caller of config_item_set_name to use "%s"
when operating on untrusted input.
This issue was found using -Wformat-security gcc flag, once a __printf
attribute has been added to config_item_set_name().
Signed-off-by: Nicolas Iooss <nicolas.iooss_linux@m4x.org>
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Acked-by: Felipe Balbi <balbi@ti.com>
Acked-by: Joel Becker <jlbec@evilplan.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
The "Extended Compat ID OS Feature Descriptor Specification" does not
require the (sub)compatible ids to be NUL-terminated, because they
are placed in a fixed-size buffer and only unused parts of it should
contain NULs. If the buffer is fully utilized, there is no place for NULs.
Consequently, the code which uses desc->ext_compat_id never expects the
data contained to be NUL terminated.
If the compatible id is stored after sub-compatible id, and the compatible
id is full length (8 bytes), the (useless) NUL terminator overwrites the
first byte of the sub-compatible id.
If the sub-compatible id is full length (8 bytes), the (useless) NUL
terminator ends up out of the buffer. The situation can happen in the RNDIS
function, where the buffer is a part of struct f_rndis_opts. The next
member of struct f_rndis_opts is a mutex, so its first byte gets
overwritten. The said byte is a part of a mutex'es member which contains
the information on whether the muext is locked or not. This can lead to a
deadlock, because, in a configfs-composed gadget when a function is linked
into a configuration with config_usb_cfg_link(), usb_get_function()
is called, which then calls rndis_alloc(), which tries locking the same
mutex and (wrongly) finds it already locked.
This patch eliminates NUL terminating of the (sub)compatible id.
Cc: <stable@vger.kernel.org> # v3.16+
Fixes: da4243145f: "usb: gadget: configfs: OS Extended Compatibility descriptors support"
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Andrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
USB gadgets composed with configfs lack suspend and resume
methods. This patch uses composite_suspend()/composite_resume()
the same way e.g. composite_setup() or composite_disconnect()
are used in a configfs-based gadget.
Signed-off-by: Andrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
Add reset API at usb_gadget_driver, it calls disconnect handler currently,
but may do different things in future.
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Peter Chen <peter.chen@freescale.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
Surprisingly enough, while a big set of patches, the majority is
composed of cleanups (using devm_*, fixing sparse errors, moving
code around, adding const, etc).
The highlights are addition of new support for PLX USB338x devices,
and support for USB 2.0-only configurations of the DWC3 IP core.
Signed-of-by: Felipe Balbi <balbi@ti.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAABAgAGBQJTzTI9AAoJEIaOsuA1yqREIqcQAJbwMaDb5sp8dWst+nL1Vo8N
08bhOOM+o2KLiIBSNQh1hYtujpa06RSQMiNYZ7F/+R4Q3OAoq+uC0dD69TLEQ3Sd
1xi0UgUTAvtXo13TToRjIi0mYywrrkZ91Maqff5jZKdslOY4ZfAScpUQHyD3i1UO
JNUqpayYAnp8JJIGQ8CG1wAeJh/J8JH3O607vaknKVjds+WMkeC5ubnuV4sgVw71
8JTwxk22EkMTr2MKhHjZwcv016NMEvziinWVoTXcWN2Uwk42Dn1nhfaYWSvg7kZE
8/3t6zzdFMdoeeTEn2xXIQGTjbHW0sBS5+S+6PAon2YbjS3x40cbyLJnZ+KoVXog
iHDKAl5w53gd/7qMiv57dW+HRP0M7/m2iy/owIrY8H8DkM3uwFevaeq/G2raJKmA
frB1k95bSyypN7wVkALYv4nurP5+d7ERy9hPj/49M5giJXPpEIbgKN2qGdafaEx7
xzAI+GqYrFtmmg25+f6AQRicVczQNMCdDT8HPZ04099Z2JVY/4uOoqTl29CePMgo
OXeQ45ECMoJuRSwpF56e8h+qmsXp6WD31IhlcHseTvUvFu0Ex4SgUJhFP2UaF9WP
aOqz0w36yX/ME3VhQk9YImNqGoqEk6fYHIHhxfdDugt0n68+M56EiiwtKvd5v5BI
hCJAMBrv+WCGnJvWunVW
=aJY4
-----END PGP SIGNATURE-----
Merge tag 'usb-for-v3.17' of git://git.kernel.org/pub/scm/linux/kernel/git/balbi/usb into usb-next
Felipe writes:
usb: patches for v3.17 merge window
Surprisingly enough, while a big set of patches, the majority is
composed of cleanups (using devm_*, fixing sparse errors, moving
code around, adding const, etc).
The highlights are addition of new support for PLX USB338x devices,
and support for USB 2.0-only configurations of the DWC3 IP core.
Signed-of-by: Felipe Balbi <balbi@ti.com>
This issue was reported by coccicheck using the semantic patch
at scripts/coccinelle/api/memdup.cocci
Signed-off-by: Benoit Taine <benoit.taine@lip6.fr>
Signed-off-by: Felipe Balbi <balbi@ti.com>
Function's interface directories need to be created when the function
directory is created, but interface numbers are not known until
the gadget is ready and bound to udc, so we cannot use numbers
as part of interface directory names.
Let the client decide what names to use.
Signed-off-by: Andrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
A number of variables serve a generic purpose of handling
"compatible id" and "subcompatible id", but the names suggest they
are for rndis only. Rename to reflect variables' purpose.
Signed-off-by: Andrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
Add handling of OS Extended Properties descriptors from configfs interface.
One kind of "OS Descriptors" are "Extended Properties" descriptors, which
need to be specified per interface or per group of interfaces described
by an IAD. This patch adds support for creating subdirectories
in interface.<n> directory located in the function's directory.
Names of subdirectories created become names of properties.
Each property contains two attributes: "type" and "data".
The type can be a numeric value 1..7 while data is a blob interpreted
depending on the type specified.
The types are:
1 - unicode string
2 - unicode string with environment variables
3 - binary
4 - little-endian 32-bit
5 - big-endian 32-bit
6 - unicode string with a symbolic link
7 - multiple unicode strings
Signed-off-by: Andrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
Add handling of OS Extended Compatibility descriptors from configfs interface.
Hosts which expect the "OS Descriptors" ask only for configurations @ index 0,
but linux-based USB devices can provide more than one configuration.
This patch adds marking one of gadget's configurations the configuration
to be reported at index 0, regardless of the actual sequence of usb_add_config
invocations used for adding the configurations. The configuration is selected
by creating a symbolic link pointing to it from the "os_desc" directory
located at the top of a gadget's directory hierarchy.
One kind of "OS Descriptors" are "Extended Compatibility Descriptors",
which need to be specified per interface. This patch adds interface.<n>
directory in function's configfs directory to represent each interface
defined by the function. Each interface's directory contains two attributes:
"compatible_id" and "sub_compatible_id", which represent 8-byte
strings to be reported to the host as the "Compatible ID" and "Sub Compatible
ID".
Signed-off-by: Andrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
Add handling of OS String extension from the configfs interface.
A directory "os_desc" is added at the top level of a gadget's
directories hierarchy. In the "os_desc" directory there are
three attributes: "use", "b_vendor_code" and "qw_sign".
If "use" contains "0" the OS string is not reported to the host.
"b_vendor_code" contains a one-byte value which is used
for custom per-device and per-interface requests.
"qw_sign" contains an identifier to be reported as the "OS String"
proper.
Signed-off-by: Andrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
We only support GPL drivers in the USB Gadget Framework,
it sounds correct to make all exported symbols GPL too.
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Felipe Balbi <balbi@ti.com>
Include appropriate header file drivers/usb/gadget/configfs.h in
gadget/configfs.c because function unregister_gadget_item() has its
prototype declaration in gadget/configfs.h.
This eliminates the following warning in gadget/configfs.c:
drivers/usb/gadget/configfs.c:994:6: warning: no previous prototype for ‘unregister_gadget_item’ [-Wmissing-prototypes]
Signed-off-by: Rashika Kheria <rashika.kheria@gmail.com>
Reviewed-by: Josh Triplett <josh@joshtriplett.org>
Signed-off-by: Felipe Balbi <balbi@ti.com>
USB function's configfs config group is created in a generic way in
usb/gadget/configfs.c:function_make(), which in turn delegates actual
allocation and setup of the USB function instance to a particular
implementation, e.g. in f_acm.c. The said implementation does its job
in a parameter-less function e.g. acm_alloc_instance(), which results
in creating an unnamed config group, whose name is set later in
function_make(). function_make() creates the name by parsing a string
of the form:
<function name>.<instance name>
which comes from userspace as a parameter to mkdir invocation.
Up to now only <function name> has been used, while <instance name>
has been ignored. This patch adds a set_inst_name() operation to
struct usb_function_instance which allows passing the <instance name>
from function_make() so that it is not ignored. It is entirely up to the
implementor of set_inst_name() what to do with the <instance name>.
In a typical case, the struct usb_function_instance is embedded in a
larger struct which is retrieved in set_inst_name() with container_of(),
and the larger struct contains a field to store the <instance name>.
Signed-off-by: Andrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: Kyungmin Park <kyungmin.park@samsung.com>
Acked-by: Michal Nazarewicz <mina86@mina86.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
Add a method to unregister the gadget using its config_item.
There can be functions (e.g. mass storage), which in some circumstances
need the gadget stopped. Add a method of stopping the gadget.
Signed-off-by: Andrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: Kyungmin Park <kyungmin.park@samsung.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
If usb_add_function() fails then the currently processed function
is already not in the list in struct config_usb_cfg, and neither is it
in the list in struct usb_configuration. At the err_purge_funcs label the
purge_config_funcs() is called, which iterates over all configurations,
and in each configuration it iterates over all _successfully_ added
functions, and moves them back from the list in struct usb_configuration
to the list in struct config_usb_cfg. BUT the function which has just
failed adding and caused the unwind process is not taken care of and
is effectively lost.
This patch modifies the configfs_composite_bind() function so that if
the usb_add_function() fails, then the currently processed function
is returned to the list in struct config_usb_cfg.
It would be tempting to delay the list_del() in question after
usb_add_function() invocation, but a struct list_head (&f->list) cannot be
stored in more than one list at the same time, so the list_del() must
be called before usb_add_function(). Hence, the solution is to list_add()
after usb_add_function() in case of error.
Signed-off-by: Andrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: Kyungmin Park <kyungmin.park@samsung.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
Fix to return a negative error code in the go through all configs error
handling case instead of 0(usb_add_function() will overwrite ret to 0).
Also use error code from usb_gstrings_attach() in all strings init error
case instead of -EINVAL.
Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Signed-off-by: Felipe Balbi <balbi@ti.com>
Use the appropriate WARN() and WARN_ON() accessors to avoid a build error
when CONFIG_BUG=n:
drivers/usb/gadget/configfs.c: In function 'config_usb_cfg_unlink':
drivers/usb/gadget/configfs.c:442:2: error: implicit declaration of function '__WARN_printf'
drivers/usb/gadget/configfs.c: In function 'configfs_do_nothing':
drivers/usb/gadget/configfs.c:733:2: error: implicit declaration of function '__WARN'
Reported-by: Randy Dunlap <rdunlap@infradead.org>
Signed-off-by: David Rientjes <rientjes@google.com>
Cc: Felipe Balbi <balbi@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|# modprobe dummy_hcd num=2
|# modprobe libcomposite
|# lsmod
|Module Size Used by
|libcomposite 31648 0
|dummy_hcd 19871 0
|# mkdir /sys/kernel/config/usb_gadget/oha
|# cd /sys/kernel/config/usb_gadget/oha
|# mkdir configs/def.1
|# mkdir configs/def.2
|# mkdir functions/acm.ttyS1
|# mkdir strings/0x1
|mkdir: cannot create directory `strings/0x1': Invalid argument
|# mkdir strings/0x409
|# mkdir strings/1033
|mkdir: cannot create directory `strings/1033': File exists
|# mkdir strings/1032
|# mkdir configs/def.1/strings/0x409
|# mkdir configs/def.2/strings/0x409
|#find . -ls
| 975 0 drwxr-xr-x 5 root root 0 Dec 23 17:40 .
| 978 0 drwxr-xr-x 4 root root 0 Dec 23 17:43 ./strings
| 4100 0 drwxr-xr-x 2 root root 0 Dec 23 17:43 ./strings/1032
| 995 0 -rw-r--r-- 1 root root 4096 Dec 23 17:43 ./strings/1032/serialnumber
| 996 0 -rw-r--r-- 1 root root 4096 Dec 23 17:43 ./strings/1032/product
| 997 0 -rw-r--r-- 1 root root 4096 Dec 23 17:43 ./strings/1032/manufacturer
| 2002 0 drwxr-xr-x 2 root root 0 Dec 23 17:41 ./strings/0x409
| 998 0 -rw-r--r-- 1 root root 4096 Dec 23 17:43 ./strings/0x409/serialnumber
| 999 0 -rw-r--r-- 1 root root 4096 Dec 23 17:43 ./strings/0x409/product
| 1000 0 -rw-r--r-- 1 root root 4096 Dec 23 17:43 ./strings/0x409/manufacturer
| 977 0 drwxr-xr-x 4 root root 0 Dec 23 17:41 ./configs
| 4081 0 drwxr-xr-x 3 root root 0 Dec 23 17:41 ./configs/def.2
| 4082 0 drwxr-xr-x 3 root root 0 Dec 23 17:42 ./configs/def.2/strings
| 2016 0 drwxr-xr-x 2 root root 0 Dec 23 17:42 ./configs/def.2/strings/0x409
| 1001 0 -rw-r--r-- 1 root root 4096 Dec 23 17:43 ./configs/def.2/strings/0x409/configuration
| 1002 0 -rw-r--r-- 1 root root 4096 Dec 23 17:43 ./configs/def.2/bmAttributes
| 1003 0 -rw-r--r-- 1 root root 4096 Dec 23 17:43 ./configs/def.2/MaxPower
| 979 0 drwxr-xr-x 3 root root 0 Dec 23 17:42 ./configs/def.1
| 980 0 drwxr-xr-x 3 root root 0 Dec 23 17:42 ./configs/def.1/strings
| 5122 0 drwxr-xr-x 2 root root 0 Dec 23 17:42 ./configs/def.1/strings/0x409
| 1004 0 -rw-r--r-- 1 root root 4096 Dec 23 17:43 ./configs/def.1/strings/0x409/configuration
| 1005 0 -rw-r--r-- 1 root root 4096 Dec 23 17:43 ./configs/def.1/bmAttributes
| 1006 0 -rw-r--r-- 1 root root 4096 Dec 23 17:43 ./configs/def.1/MaxPower
| 976 0 drwxr-xr-x 3 root root 0 Dec 23 17:41 ./functions
| 981 0 drwxr-xr-x 2 root root 0 Dec 23 17:41 ./functions/acm.ttyS1
| 1007 0 -r--r--r-- 1 root root 4096 Dec 23 17:43 ./functions/acm.ttyS1/port_num
| 1008 0 -rw-r--r-- 1 root root 4096 Dec 23 17:43 ./UDC
| 1009 0 -rw-r--r-- 1 root root 4096 Dec 23 17:43 ./bcdUSB
| 1010 0 -rw-r--r-- 1 root root 4096 Dec 23 17:43 ./bcdDevice
| 1011 0 -rw-r--r-- 1 root root 4096 Dec 23 17:43 ./idProduct
| 1012 0 -rw-r--r-- 1 root root 4096 Dec 23 17:43 ./idVendor
| 1013 0 -rw-r--r-- 1 root root 4096 Dec 23 17:43 ./bMaxPacketSize0
| 1014 0 -rw-r--r-- 1 root root 4096 Dec 23 17:43 ./bDeviceProtocol
| 1015 0 -rw-r--r-- 1 root root 4096 Dec 23 17:43 ./bDeviceSubClass
| 1016 0 -rw-r--r-- 1 root root 4096 Dec 23 17:43 ./bDeviceClass
|# cat functions/acm.ttyS1/port_num
|0
|# ls -lah /dev/ttyGS*
|crw-rw---T 1 root dialout 252, 0 Dec 23 17:41 /dev/ttyGS0
|
|# echo 0x1234 > idProduct
|# echo 0xabcd > idVendor
|# echo 1122 > strings/0x409/serialnumber
|# echo "The manufacturer" > strings/0x409/manufacturer
|# echo 1 > strings/1032/manufacturer
|# echo 1sa > strings/1032/product
|# echo tada > strings/1032/serialnumber
|echo "Primary configuration" > configs/def.1/strings/0x409/configuration
|# echo "Secondary configuration" > configs/def.2/strings/0x409/configuration
|# ln -s functions/acm.ttyS1 configs/def.1/
|# ln -s functions/acm.ttyS1 configs/def.2/
|find configs/def.1/ -ls
| 979 0 drwxr-xr-x 3 root root 0 Dec 23 17:49 configs/def.1/
| 6264 0 lrwxrwxrwx 1 root root 0 Dec 23 17:48 configs/def.1/acm.ttyS1 -> ../../../../usb_gadget/oha/functions/acm.ttyS1
| 980 0 drwxr-xr-x 3 root root 0 Dec 23 17:42 configs/def.1/strings
| 5122 0 drwxr-xr-x 2 root root 0 Dec 23 17:49 configs/def.1/strings/0x409
| 6284 0 -rw-r--r-- 1 root root 4096 Dec 23 17:47 configs/def.1/strings/0x409/configuration
| 6285 0 -rw-r--r-- 1 root root 4096 Dec 23 17:49 configs/def.1/bmAttributes
| 6286 0 -rw-r--r-- 1 root root 4096 Dec 23 17:49 configs/def.1/MaxPower
|
|echo 120 > configs/def.1/MaxPower
|
|# ls -lh /sys/class/udc/
|total 0
|lrwxrwxrwx 1 root root 0 Dec 23 17:50 dummy_udc.0 -> ../../devices/platform/dummy_udc.0/udc/dummy_udc.0
|lrwxrwxrwx 1 root root 0 Dec 23 17:50 dummy_udc.1 -> ../../devices/platform/dummy_udc.1/udc/dummy_udc.1
|# echo dummy_udc.0 > UDC
|# lsusb
|Bus 001 Device 002: ID abcd:1234 Unknown
|
|lsusb -d abcd:1234 -v
|Device Descriptor:
…
| idVendor 0xabcd Unknown
| idProduct 0x1234
| bcdDevice 3.06
| iManufacturer 1 The manufacturer
| iProduct 2
| iSerial 3 1122
| bNumConfigurations 2
…
|echo "" > UDC
v5…v6
- wired up strings with usb_gstrings_attach()
- add UDC attribe. Write "udc-name" will bind the gadget. Write an empty
string (it should contain \n since 0 bytes write get optimzed away)
will unbind the UDC from the gadget. The name of available UDCs can be
obtained from /sys/class/udc/
v4…v5
- string rework. This will add a strings folder incl. language code like
strings/409/manufacturer
as suggested by Alan.
- rebased ontop reworked functions.c which has usb_function_instance
which is used prior after "mkdir acm.instance" and can be directly
used for configuration via configfs.
v3…v4
- moved functions from the root folde down to the gadget as suggested
by Michał
- configs have now their own configs folder as suggested by Michał.
The folder is still name.bConfigurationValue where name becomes the
sConfiguration. Is this usefull should we just stilc
configs/bConfigurationValue/ ?
- added configfs support to the ACM function. The port_num attribute is
exported by f_acm. An argument has been added to the USB alloc
function to distinguish between "old" (use facm_configure() to
configure and configfs interface (expose a config_node).
The port_num is currently a dumb counter. It will
require some function re-work to make it work.
scheduled for v5:
- sym linking function into config.
v2…v3
- replaced one ifndef by ifdef as suggested by Micahał
- strstr()/strchr() function_make as suggested by Micahł
- replace [iSerialNumber|iProduct|iManufacturer] with
[sSerialNumber|sProduct|sManufacturer] as suggested by Alan
- added creation of config descriptors
v1…v2
- moved gadgets from configfs' root directory into /udcs/ within our
"usb_gadget" folder. Requested by Andrzej & Michał
- use a dot as a delimiter between function's name and its instance's name
as suggested by Michał
- renamed all config_item_type, configfs_group_operations, make_group,
drop_item as suggested by suggested by Andrzej to remain consisten
within this file and within other configfs users
- Since configfs.c and functions.c are now part of the udc-core module,
the module itself is now called udc. Also added a tiny ifdef around
init code becuase udc-core is subsys init and this is too early for
configfs in the built-in case. In the module case, we can only have
one init function.
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Felipe Balbi <balbi@ti.com>