path: root/drivers/usb/usbip/stub_tx.c
Age | Commit message | Author
2018-01-02 | usbip: stub: stop printing kernel pointer addresses in messages | Shuah Khan

commit 248a22044366f588d46754c54dfe29ffe4f8b4df upstream.

Remove and/or change debug, info, and error messages to not print kernel pointer addresses.

Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-12-20 | usbip: fix stub_send_ret_submit() vulnerability to null transfer_buffer | Shuah Khan

commit be6123df1ea8f01ee2f896a16c2b7be3e4557a5a upstream.

stub_send_ret_submit() handles urb with a potential null transfer_buffer, when it replays a packet with potential malicious data that could contain a null buffer. Add a check for the condition when actual_length > 0 and transfer_buffer is null.

Reported-by: Secunia Research <vuln@secunia.com>
Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-06-13 | usb: usbip: set buffer pointers to NULL after free | Michael Grzeschik

The usbip stack dynamically allocates the transfer_buffer and setup_packet of each urb that got generated by the tcp to usb stub code. As these pointers are always used only once we will set them to NULL after use. This is done likewise to the free_urb code in vudc_dev.c. This patch fixes double kfree situations where the usbip remote side added the URB_FREE_BUFFER.

Cc: stable@vger.kernel.org
Signed-off-by: Michael Grzeschik <m.grzeschik@pengutronix.de>
Acked-by: Shuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2016-04-28 | usbip: safe completion against unbind operation | Nobuo Iwata

This patch adds a code fragment to ignore completing URBs in closing connection.

Regarding this patch, 2 execution contexts are related.

1) stub_tx.c: stub_complete() which is called from USB core
1-1) add to unlink list and free URB or
1-2) move to tx list

2) stub_dev.c: stub_shutdown_connection() which is invoked by unbind operation through sysfs.
2-1) stop TX/RX threads
2-2) close TCP connection and set ud.tcp_socket to NULL
2-3) cleanup pending URBs by stub_device_cleanup_urbs(sdev)
2-4) free unlink list (no lock)

In the race condition, URBs which will be cleared in 2-3) may be handled in 1).
In case 1-1), it will not be transferred because tx threads are stopped in 2-1).
In case 1-2), may be freed in 2-4).

With this patch, after 2-2), completing URBs in 1) will not be handled and cleared in 2-3).

The kernel log with this patch is as below.

kernel: usbip_core: usbip_kernel_unlink:792: shutting down tcp_socket ef61d980
kernel: usbip-host 1-3: free sdev f5df6180
kernel: usbip-host 1-3: free urb f5df6700
kernel: usbip-host 1-3: Enter
kernel: usbip_core: usbip_stop_eh:132: usbip_eh waiting completion 5
kernel: usbip_host: stub_complete:71: complete! status 0
kernel: usbip_host: stub_complete:102: ignore urb for closed connection e725fc00 (*)
kernel: usbip_host: stub_complete:71: complete! status -2
kernel: usbip-host 1-3: stopped by a call to usb_kill_urb() because of cleaning up a virtual connection
kernel: usbip-host 1-3: free urb e725fc00 (**)
kernel: usbip-host 1-3: free urb e725e000
kernel: usbip_host: stub_complete:71: complete! status -2
kernel: usbip-host 1-3: stopped by a call to usb_kill_urb() because of cleaning up a virtual connection
kernel: usbip-host 1-3: free urb e725f800
kernel: usbip_host: stub_complete:71: complete! status -2
kernel: usbip-host 1-3: stopped by a call to usb_kill_urb() because of cleaning up a virtual connection
kernel: usbip-host 1-3: free urb e725e800
kernel: usbip_host: stub_complete:71: complete! status -2
kernel: usbip-host 1-3: stopped by a call to usb_kill_urb() because of cleaning up a virtual connection
kernel: usbip-host 1-3: device reset
kernel: usbip-host 1-3: lock for reset
kernel: usbip_host: store_match_busid:178: del busid 1-3
kernel: uvcvideo: Found UVC 1.00 device Venus USB2.0 Camera (056e:700a)
kernel: input: Venus USB2.0 Camera as /devices/pci0000:00/0000:00:1a.7/usb1/1-3/1-3:1.0/input/input22

(*) skipped with this patch in completion
(**) released in 2-3

Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2016-04-28 | usbip: fix NULL pointer dereference on errors | Alexander Popov

Fix NULL pointer dereference and obsolete comments forgotten when usbip server was converted from an interface driver to a device driver.

Signed-off-by: Alexander Popov <alpopov@ptsecurity.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-08-25 | usbip: move usbip kernel code out of staging | Valentina Manea

At this point, USB/IP kernel code is fully functional and can be moved out of staging.

Signed-off-by: Valentina Manea <valentina.manea.m@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>