From: Reilly Grant <reil...@chromium.org>

The new USBDEVFS_DROP_PRIVILEGES ioctl allows a process to voluntarily
relinquish the ability to issue other ioctls that may interfere with
other processes and drivers that have claimed an interface on the
device.

Signed-off-by: Reilly Grant <reil...@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorg...@chromium.org>
Reviewed-by: Kees Cook <keesc...@chromium.org>
[emilio.lopez: fix build for v4.4-rc2 and adjust patch title prefix]
Signed-off-by: Emilio López <emilio.lo...@collabora.co.uk>

---

 drivers/usb/core/devio.c          | 50 +++++++++++++++++++++++++++++++++++----
 include/uapi/linux/usbdevice_fs.h |  1 +
 2 files changed, 47 insertions(+), 4 deletions(-)

diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c
index 38ae877c..a5ccc50 100644
--- a/drivers/usb/core/devio.c
+++ b/drivers/usb/core/devio.c
@@ -77,6 +77,7 @@ struct usb_dev_state {
        unsigned long ifclaimed;
        u32 secid;
        u32 disabled_bulk_eps;
+       bool privileges_dropped;
 };
 
 struct async {
@@ -878,7 +879,7 @@ static int usbdev_open(struct inode *inode, struct file 
*file)
        int ret;
 
        ret = -ENOMEM;
-       ps = kmalloc(sizeof(struct usb_dev_state), GFP_KERNEL);
+       ps = kzalloc(sizeof(struct usb_dev_state), GFP_KERNEL);
        if (!ps)
                goto out_free_ps;
 
@@ -911,11 +912,8 @@ static int usbdev_open(struct inode *inode, struct file 
*file)
        INIT_LIST_HEAD(&ps->async_pending);
        INIT_LIST_HEAD(&ps->async_completed);
        init_waitqueue_head(&ps->wait);
-       ps->discsignr = 0;
        ps->disc_pid = get_pid(task_pid(current));
        ps->cred = get_current_cred();
-       ps->disccontext = NULL;
-       ps->ifclaimed = 0;
        security_task_getsecid(current, &ps->secid);
        smp_wmb();
        list_add_tail(&ps->list, &dev->filelist);
@@ -1215,6 +1213,35 @@ static int proc_connectinfo(struct usb_dev_state *ps, 
void __user *arg)
 
 static int proc_resetdevice(struct usb_dev_state *ps)
 {
+       if (ps->privileges_dropped) {
+               struct usb_host_config *actconfig = ps->dev->actconfig;
+
+               /* Don't touch the device if any interfaces are claimed. It
+                * could interfere with other drivers' operations and this
+                * process has dropped its privileges to do such things.
+                */
+               if (actconfig) {
+                       int i;
+
+                       for (i = 0; i < actconfig->desc.bNumInterfaces; ++i) {
+                               if (usb_interface_claimed(
+                                       actconfig->interface[i])) {
+                                       dev_warn(&ps->dev->dev,
+                                               "usbfs: interface %d claimed by"
+                                               " %s while '%s'"
+                                               " resets device\n",
+                                               actconfig->interface[i]
+                                                       ->cur_altsetting
+                                                       ->desc.bInterfaceNumber,
+                                               actconfig->interface[i]
+                                                       ->dev.driver->name,
+                                               current->comm);
+                                       return -EACCES;
+                               }
+                       }
+               }
+       }
+
        return usb_reset_device(ps->dev);
 }
 
@@ -1922,6 +1949,9 @@ static int proc_ioctl(struct usb_dev_state *ps, struct 
usbdevfs_ioctl *ctl)
        struct usb_interface    *intf = NULL;
        struct usb_driver       *driver = NULL;
 
+       if (ps->privileges_dropped)
+               return -EACCES;
+
        /* alloc buffer */
        size = _IOC_SIZE(ctl->ioctl_code);
        if (size > 0) {
@@ -2084,6 +2114,9 @@ static int proc_disconnect_claim(struct usb_dev_state 
*ps, void __user *arg)
                                        sizeof(dc.driver)) == 0)
                        return -EBUSY;
 
+               if (ps->privileges_dropped)
+                       return -EACCES;
+
                dev_dbg(&intf->dev, "disconnect by usbfs\n");
                usb_driver_release_interface(driver, intf);
        }
@@ -2130,6 +2163,12 @@ static int proc_free_streams(struct usb_dev_state *ps, 
void __user *arg)
        return r;
 }
 
+static int proc_drop_privileges(struct usb_dev_state *ps)
+{
+       ps->privileges_dropped = true;
+       return 0;
+}
+
 /*
  * NOTE:  All requests here that have interface numbers as parameters
  * are assuming that somehow the configuration has been prevented from
@@ -2318,6 +2357,9 @@ static long usbdev_do_ioctl(struct file *file, unsigned 
int cmd,
        case USBDEVFS_FREE_STREAMS:
                ret = proc_free_streams(ps, p);
                break;
+       case USBDEVFS_DROP_PRIVILEGES:
+               ret = proc_drop_privileges(ps);
+               break;
        }
 
  done:
diff --git a/include/uapi/linux/usbdevice_fs.h 
b/include/uapi/linux/usbdevice_fs.h
index 019ba1e..99c296b 100644
--- a/include/uapi/linux/usbdevice_fs.h
+++ b/include/uapi/linux/usbdevice_fs.h
@@ -187,5 +187,6 @@ struct usbdevfs_streams {
 #define USBDEVFS_DISCONNECT_CLAIM  _IOR('U', 27, struct 
usbdevfs_disconnect_claim)
 #define USBDEVFS_ALLOC_STREAMS     _IOR('U', 28, struct usbdevfs_streams)
 #define USBDEVFS_FREE_STREAMS      _IOR('U', 29, struct usbdevfs_streams)
+#define USBDEVFS_DROP_PRIVILEGES   _IO('U', 30)
 
 #endif /* _UAPI_LINUX_USBDEVICE_FS_H */
-- 
2.5.0

--
To unsubscribe from this list: send the line "unsubscribe linux-api" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to