On Thu, 2015-03-19 at 03:07 -0700, Keith Packard wrote:
Hi,
unfortunately there are a few issues with this driver.
Please see the comments in the quoted code.
Regards
Oliver
> +#define CK_DEBUG(mask, fmt, args...) do { \
> + if (unlikely(debug & (mask))) \
> + printk(KERN_INFO " chaoskey: %s: %d " fmt, __func__, __LINE__, ##args); \
> + } while (0)
> +
> +#define CK_ENTER(mask, what) CK_DEBUG(mask, "Enter " what)
> +#define CK_LEAVE(mask, what,fmt,ret) CK_DEBUG(mask, "Leave " what ":" fmt, ret)
> +#define CK_LEAVE_INT(mask, what,ret) CK_LEAVE(mask, what,"%d",ret)
> +#define CK_LEAVE_SIZE(mask, what,ret) CK_LEAVE(mask, what,"%zu",ret)
> +#define CK_LEAVE_SSIZE(mask, what,ret) CK_LEAVE(mask, what,"%zd",ret)
> +#define CK_LEAVE_VOID(mask, what) CK_DEBUG(mask, "Leave " what)
Do we really need yet another version of home grown debug macros?
> +/* Driver-local specific stuff */
> +struct chaoskey {
> + struct usb_device *udev;
> + struct usb_interface *interface;
> + char in_ep;
> + struct mutex lock;
> + struct mutex rng_lock;
> + int open; /* open count */
> + int present; /* device not disconnected */
> + int size; /* size of buf */
> + int valid; /* bytes of buf read */
> + int used; /* bytes of buf consumed */
> + char *name; /* product + serial */
> + struct hwrng hwrng; /* Embedded struct for hwrng */
> + int hwrng_registered; /* registered with hwrng API */
> + wait_queue_head_t wait_q; /* for timeouts */
> + char buf[0];
That is a violation of the DMA rules on non-coherent architectures.
The buffer must be allocated separately.
> +};
> +static int chaoskey_probe(struct usb_interface *interface,
> + const struct usb_device_id *id)
> +{
> + struct usb_device *udev = interface_to_usbdev(interface);
> + struct usb_host_interface *altsetting = interface->cur_altsetting;
> + int i;
> + int in_ep = -1;
> + struct chaoskey *dev;
> + int result;
> + int size;
> +
> + CK_ENTER(DEBUG_INIT, "probe");
> +
> + /* Find the first bulk IN endpoint and its packet size */
> + for (i = 0; i < altsetting->desc.bNumEndpoints; i++) {
> + if (usb_endpoint_is_bulk_in(&altsetting->endpoint[i].desc)) {
> + in_ep = altsetting->endpoint[i].desc.bEndpointAddress;
> + size = altsetting->endpoint[i].desc.wMaxPacketSize;
> + break;
> + }
> + }
> +
> + /* Validate endpoint and size */
> + if (in_ep == -1) {
> + CK_LEAVE_INT(DEBUG_INIT, "probe (ep)", -ENODEV);
> + return -ENODEV;
> + }
> + if (size <= 0) {
> + CK_LEAVE_INT(DEBUG_INIT, "probe (size)", -ENODEV);
> + return -ENODEV;
> + }
> +
> + /* Looks good, allocate and initialize */
> + CK_DEBUG(DEBUG_INIT, "New chaoskey, in_ep %d size %d\n", in_ep, size);
> +
> + dev = kzalloc (sizeof (struct chaoskey) + size, GFP_KERNEL);
> +
You do the test for the plausibility of size after you've used it.
> + if (dev == NULL) {
> + CK_LEAVE_INT(DEBUG_INIT, "probe (dev)", -ENOMEM);
> + return -ENOMEM;
> + }
> +
> + dev->udev = udev;
This can be easily deduced from the interface.
> + dev->interface = interface;
> +
> + dev->in_ep = in_ep;
> +
> + if (size > CHAOSKEY_BUF_LEN) {
> + CK_DEBUG(DEBUG_INIT, "chaoskey size %d reduced to %d\n", size,
> + CHAOSKEY_BUF_LEN);
> + size = CHAOSKEY_BUF_LEN;
> + }
> +
> + dev->size = size;
> + dev->present = 1;
> +
> + init_waitqueue_head(&dev->wait_q);
> +
> + usb_set_intfdata(interface, dev);
> +
> + result = usb_register_dev(interface, &chaoskey_class);
> + if (result) {
> + dev_err(&interface->dev, "Unable to allocate minor number.\n");
> + usb_set_intfdata(interface, NULL);
> + chaoskey_free(dev);
> + CK_LEAVE_INT(DEBUG_INIT, "probe (register)", result);
> + return result;
> + }
> +
That is a race condition. At this point the device can be opened and
open() uses the mutexes.
> + mutex_init(&dev->lock);
> + mutex_init(&dev->rng_lock);
Shift this.
> +
> + /* Construct a name using the product and serial values. Each
> + * device needs a unique name for the hwrng code
> + */
> + dev->name = NULL;
> +
> + if (udev->product && udev->serial) {
> + dev->name = kmalloc(strlen(udev->product) + 1 + strlen(udev->serial) + 1, GFP_KERNEL);
> + if (dev->name) {
> + strcpy(dev->name, udev->product);
> + strcat(dev->name, "-");
> + strcat(dev->name, udev->serial);
> + }
> + }
> +
> + dev->hwrng.name = dev->name ? dev->name : chaoskey_driver.name;
> + dev->hwrng.read = chaoskey_rng_read;
> +
> + /* Set the 'quality' metric. Quality is measured in units of
> + * 1/1024's of a bit ("mills"). This should be set to 1024,
> + * but there is a bug in the hwrng core which masks it with
> + * 1023.
> + *
> + * The patch that has been merged to the crypto development
> + * tree for that bug limits the value to 1024 at most, so by
> + * setting this to 1024 + 1023, we get 1023 before the fix is
> + * merged and 1024 afterwards. We'll patch this driver once
> + * both bits of code are in the same tree.
> + */
> + dev->hwrng.quality = 1024 + 1023;
> +
> + dev->hwrng_registered = (hwrng_register(&dev->hwrng) == 0);
> + if (!dev->hwrng_registered)
> + CK_DEBUG(DEBUG_INIT, "probe hwrng register failed: %d\n", result);
> +
> + usb_enable_autosuspend(udev);
> +
> + CK_LEAVE_INT(DEBUG_INIT, "probe", 0);
> + return 0;
> +}
> +
> +static ssize_t chaoskey_read(struct file *file,
> + char __user *buffer,
> + size_t count,
> + loff_t * ppos)
> +{
> + struct chaoskey *dev;
> + int intr;
> + ssize_t read_count = 0;
> + int this_time;
> + int result;
> +
> + CK_ENTER(DEBUG_DEV, "read");
> + dev = file->private_data;
> +
> + if (dev == NULL || !dev->present) {
> + CK_LEAVE_INT(DEBUG_DEV, "read (present)", -ENODEV);
> + return -ENODEV;
> + }
> +
> +
> + CK_DEBUG(DEBUG_DEV, "read %zu\n", count);
> +
> + while (count > 0) {
> +
> + /* Grab the rng_lock briefly to ensure that the hwrng interface
> + * gets priority over other user access
> + */
> + intr = mutex_lock_interruptible(&dev->rng_lock);
> + if (intr) {
> + CK_LEAVE_INT(DEBUG_DEV, "read (rng_lock)", -EINTR);
> + return -EINTR;
At this point you may have already copied data to user space. A signal
should cause a short read in that case, not -EINTR.
Also the mutex is still held.
> + }
> + mutex_unlock(&dev->rng_lock);
> +
> + intr = mutex_lock_interruptible(&dev->lock);
> + if (intr) {
> + CK_LEAVE_INT(DEBUG_DEV, "read (lock)", -EINTR);
The same issue as above.
> + return -EINTR;
> + }
> + if (dev->valid == dev->used) {
> + result = _chaoskey_fill(dev);
> + if (result) {
> + if (read_count) {
> + CK_LEAVE_SIZE(DEBUG_DEV, "read (count)",
> + read_count);
> + return read_count;
The mutex is still held.
> + }
> + CK_LEAVE_INT(DEBUG_DEV, "read (result)", result);
> + return result;
The mutex is still held.
> + }
> +
> + /* Read returned zero bytes */
> + if (dev->used == dev->valid) {
> + CK_LEAVE_SSIZE(DEBUG_DEV, "read (zero)", read_count);
> + return read_count;
> + }
> + }
> +
> + this_time = dev->valid - dev->used;
> + if (this_time > count)
> + this_time = count;
> +
> + if (copy_to_user(buffer, dev->buf + dev->used, this_time)) {
> + mutex_unlock(&dev->lock);
> + CK_LEAVE_INT(DEBUG_DEV, "read (copyout)", -EFAULT);
> + return -EFAULT;
> + }
> +
> + count -= this_time;
> + read_count += this_time;
> + buffer += this_time;
> + dev->used += this_time;
> + mutex_unlock(&dev->lock);
> + }
> +
> + CK_LEAVE_SSIZE(DEBUG_DEV, "read", read_count);
> + return read_count;
> +}
> +
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
