kernel/drivers/usb/usbip/vhci_hcd.c, branch linux-6.9.y

usb/usbip: fix wrong data added to platform device

2023-10-16T17:58:49Z

.data of platform_device_info will be copied into .platform_data of struct device via platform_device_add_data. However, vhcis[i] contains a spinlock, is dynamically allocated and used by other code, so it is not meant to be copied. The workaround was to use void *vhci as an agent, but it was removed in the commit suggested below. This patch adds back the workaround and changes the way of using platform_data accordingly. Reported-by: syzbot+e0dbc33630a092ccf033@syzkaller.appspotmail.com Closes: https://lore.kernel.org/r/00000000000029242706077f3145@google.com/ Reported-by: syzbot+6867a9777f4b8dc4e256@syzkaller.appspotmail.com Closes: https://lore.kernel.org/r/0000000000007634c1060793197c@google.com/ Fixes: b8aaf639b403 ("usbip: Use platform_device_register_full()") Tested-by: syzbot+6867a9777f4b8dc4e256@syzkaller.appspotmail.com Link: https://lore.kernel.org/r/0000000000007ac87d0607979b6b@google.com/ Signed-off-by: Hongren Zheng Reviewed-by: Andy Shevchenko Acked-by: Shuah Khan Link: https://lore.kernel.org/r/ZSpHPCaQ5DDA9Ysl@Sun Signed-off-by: Greg Kroah-Hartman

usbip: Use platform_device_register_full()

2023-10-08T05:49:43Z

The code to create the child platform device is essentially the same as what platform_device_register_full() does, so change over to use that same function to reduce duplication. Signed-off-by: Andy Shevchenko Acked-by: Shuah Khan Link: https://lore.kernel.org/r/20231006164312.3528524-1-andriy.shevchenko@linux.intel.com Signed-off-by: Greg Kroah-Hartman

usbip: vhci_hcd: Convert to platform remove callback returning void

2023-05-28T11:38:02Z

The .remove() callback for a platform driver returns an int which makes many driver authors wrongly assume it's possible to do error handling by returning an error code. However the value returned is ignored (apart from emitting a warning) and this typically results in resource leaks. To improve here there is a quest to make the remove callback return void. In the first step of this quest all drivers are converted to .remove_new() which already returns void. Eventually after all drivers are converted, .remove_new() is renamed to .remove(). Trivially convert this driver from always returning zero in the remove callback to the void returning variant. Signed-off-by: Uwe Kleine-König Acked-by: Shuah Khan Link: https://lore.kernel.org/r/20230517230239.187727-98-u.kleine-koenig@pengutronix.de Signed-off-by: Greg Kroah-Hartman

usbip:vhci_hcd USB port can get stuck in the disabled state

2021-08-26T11:29:27Z

When a remote usb device is attached to the local Virtual USB Host Controller Root Hub port, the bound device driver may send a port reset command. vhci_hcd accepts port resets only when the device doesn't have port address assigned to it. When reset happens device is in assigned/used state and vhci_hcd rejects it leaving the port in a stuck state. This problem was found when a blue-tooth or xbox wireless dongle was passed through using usbip. A few drivers reset the port during probe including mt76 driver specific to this bug report. Fix the problem with a change to honor reset requests when device is in used state (VDEV_ST_USED). Reported-and-tested-by: Michael Suggested-by: Michael Signed-off-by: Shuah Khan Link: https://lore.kernel.org/r/20210819225937.41037-1-skhan@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman

usbip: clean up code in vhci_device_unlink_cleanup

2021-08-26T11:29:10Z

The cleanup code for unlink_tx and unlink_rx lists is almost the same. So, extract it into a new function and call it for both unlink_rx and unlink_tx. Also, remove unnecessary log messages. Signed-off-by: Anirudh Rayabharam Link: https://lore.kernel.org/r/20210820190122.16379-3-mail@anirudhrb.com Signed-off-by: Greg Kroah-Hartman

usbip: give back URBs for unsent unlink requests during cleanup

2021-08-26T11:29:10Z

In vhci_device_unlink_cleanup(), the URBs for unsent unlink requests are not given back. This sometimes causes usb_kill_urb to wait indefinitely for that urb to be given back. syzbot has reported a hung task issue [1] for this. To fix this, give back the urbs corresponding to unsent unlink requests (unlink_tx list) similar to how urbs corresponding to unanswered unlink requests (unlink_rx list) are given back. [1]: https://syzkaller.appspot.com/bug?id=08f12df95ae7da69814e64eb5515d5a85ed06b76 Reported-by: syzbot+74d6ef051d3d2eacf428@syzkaller.appspotmail.com Tested-by: syzbot+74d6ef051d3d2eacf428@syzkaller.appspotmail.com Reviewed-by: Shuah Khan Signed-off-by: Anirudh Rayabharam Link: https://lore.kernel.org/r/20210820190122.16379-2-mail@anirudhrb.com Signed-off-by: Greg Kroah-Hartman

usbip: add sysfs_lock to synchronize sysfs code paths

2021-04-05T07:05:42Z

Fuzzing uncovered race condition between sysfs code paths in usbip drivers. Device connect/disconnect code paths initiated through sysfs interface are prone to races if disconnect happens during connect and vice versa. This problem is common to all drivers while it can be reproduced easily in vhci_hcd. Add a sysfs_lock to usbip_device struct to protect the paths. Use this in vhci_hcd to protect sysfs paths. For a complete fix, usip_host and usip-vudc drivers and the event handler will have to use this lock to protect the paths. These changes will be done in subsequent patches. Cc: stable@vger.kernel.org Reported-and-tested-by: syzbot+a93fba6d384346a761e3@syzkaller.appspotmail.com Signed-off-by: Shuah Khan Link: https://lore.kernel.org/r/b6568f7beae702bbc236a545d3c020106ca75eac.1616807117.git.skhan@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman

usbip: vhci_hcd fix shift out-of-bounds in vhci_hub_control()

2021-03-26T13:49:03Z

Fix shift out-of-bounds in vhci_hub_control() SetPortFeature handling. UBSAN: shift-out-of-bounds in drivers/usb/usbip/vhci_hcd.c:605:42 shift exponent 768 is too large for 32-bit type 'int' Reported-by: syzbot+3dea30b047f41084de66@syzkaller.appspotmail.com Cc: stable@vger.kernel.org Signed-off-by: Shuah Khan Link: https://lore.kernel.org/r/20210324230654.34798-1-skhan@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman

usb: usbip: vhci_hcd: protect shift size

2021-01-04T15:52:40Z

Fix shift out-of-bounds in vhci_hcd.c: UBSAN: shift-out-of-bounds in ../drivers/usb/usbip/vhci_hcd.c:399:41 shift exponent 768 is too large for 32-bit type 'int' Fixes: 03cd00d538a6 ("usbip: vhci-hcd: Set the vhci structure up to work") Signed-off-by: Randy Dunlap Reported-by: syzbot+297d20e437b79283bf6d@syzkaller.appspotmail.com Cc: Yuyang Du Cc: Shuah Khan Cc: Greg Kroah-Hartman Cc: linux-usb@vger.kernel.org Cc: stable Link: https://lore.kernel.org/r/20201229071309.18418-1-rdunlap@infradead.org Signed-off-by: Greg Kroah-Hartman

usbip: vhci_hcd: fix calling usb_hcd_giveback_urb() with irqs enabled

2020-10-07T07:25:48Z

kcov testing uncovered call to usb_hcd_giveback_urb() without disabling interrupts. Link: https://lore.kernel.org/linux-usb/CAAeHK+wb4k-LGTjK9F5YbJNviF_+yU+wE_=Vpo9Rn7KFN8vG6Q@mail.gmail.com/ usb_hcd_giveback_urb() is called from vhci's urb_enqueue, when it determines it doesn't need to xmit the urb and can give it back. This path runs in task context. Disable irqs around usb_hcd_giveback_urb() call. Reported-by: Andrey Konovalov Suggested-by: Alan Stern Acked-by: Andrey Konovalov Signed-off-by: Shuah Khan Link: https://lore.kernel.org/r/20201006223914.39257-1-skhan@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman