stub_send_ret_submit() handles urb with a potential null transfer_buffer,
when it replays a packet with potential malicious data that could contain
a null buffer. Add a check for the condition when actual_length > 0 and
transfer_buffer is null.
Reported-by: Secunia Research <vuln@secunia.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Now that the SPDX tag is in all USB files, that identifies the license
in a specific and legally-defined manner. So the extra GPL text wording
can be removed as it is no longer needed at all.
This is done on a quest to remove the 700+ different ways that files in
the kernel describe the GPL license text. And there's unneeded stuff
like the address (sometimes incorrect) for the FSF which is never
needed.
No copyright headers or other non-license-description text was removed.
Cc: Valentina Manea <valentina.manea.m@gmail.com>
Acked-by: Shuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
It's good to have SPDX identifiers in all files to make it easier to
audit the kernel tree for correct licenses.
Update the drivers/usb/ and include/linux/usb* files with the correct
SPDX license identifier based on the license text in the file itself.
The SPDX identifier is a legally binding shorthand, which can be used
instead of the full boiler plate text.
This work is based on a script and data from Thomas Gleixner, Philippe
Ombredanne, and Kate Stewart.
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Kate Stewart <kstewart@linuxfoundation.org>
Cc: Philippe Ombredanne <pombredanne@nexb.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Acked-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Acked-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
The usbip stack dynamically allocates the transfer_buffer and
setup_packet of each urb that got generated by the tcp to usb stub code.
As these pointers are always used only once we will set them to NULL
after use. This is done likewise to the free_urb code in vudc_dev.c.
This patch fixes double kfree situations where the usbip remote side
added the URB_FREE_BUFFER.
Cc: stable@vger.kernel.org
Signed-off-by: Michael Grzeschik <m.grzeschik@pengutronix.de>
Acked-by: Shuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This patch adds a code fragment to ignore completing URBs in closing
connection.
Regarding this patch, 2 execution contexts are related.
1) stub_tx.c: stub_complete() which is called from USB core
1-1) add to unlink list and free URB or
1-2) move to tx list
2) stub_dev.c: stub_shutdown_connection() which is invoked by unbind
operation through sysfs.
2-1) stop TX/RX threads
2-2) close TCP connection and set ud.tcp_socket to NULL
2-3) cleanup pending URBs by stub_device_cleanup_urbs(sdev)
2-4) free unlink list (no lock)
In the race condition, URBs which will be cleared in 2-3) may be
handled in 1).
In case 1-1), it will not be transferred bcause tx threads are stooped
in 2-1).
In case 1-2), may be freed in 2-4).
With this patch, after 2-2), completing URBs in 1) will not be handled
and cleared in 2-3).
The kernel log with this patch is as below.
kernel: usbip_core: usbip_kernel_unlink:792: shutting down tcp_socket
ef61d980
kernel: usbip-host 1-3: free sdev f5df6180
kernel: usbip-host 1-3: free urb f5df6700
kernel: usbip-host 1-3: Enter
kernel: usbip_core: usbip_stop_eh:132: usbip_eh waiting completion 5
kernel: usbip_host: stub_complete:71: complete! status 0
kernel: usbip_host: stub_complete:102: ignore urb for closed connection
e725fc00 (*)
kernel: usbip_host: stub_complete:71: complete! status -2
kernel: usbip-host 1-3: stopped by a call to usb_kill_urb() because of
cleaning up a virtual connection
kernel: usbip-host 1-3: free urb e725fc00 (**)
kernel: usbip-host 1-3: free urb e725e000
kernel: usbip_host: stub_complete:71: complete! status -2
kernel: usbip-host 1-3: stopped by a call to usb_kill_urb() because of
cleaning up a virtual connection
kernel: usbip-host 1-3: free urb e725f800
kernel: usbip_host: stub_complete:71: complete! status -2
kernel: usbip-host 1-3: stopped by a call to usb_kill_urb() because of
cleaning up a virtual connection
kernel: usbip-host 1-3: free urb e725e800
kernel: usbip_host: stub_complete:71: complete! status -2
kernel: usbip-host 1-3: stopped by a call to usb_kill_urb() because of
cleaning up a virtual connection
kernel: usbip-host 1-3: device reset
kernel: usbip-host 1-3: lock for reset
kernel: usbip_host: store_match_busid:178: del busid 1-3
kernel: uvcvideo: Found UVC 1.00 device Venus USB2.0 Camera (056e:700a)
kernel: input: Venus USB2.0 Camera as
/devices/pci0000:00/0000:00:1a.7/usb1/1-3/1-3:1.0/input/input22
(*) skipped with this patch in completion
(**) released in 2-3
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Fix NULL pointer dereference and obsolete comments forgotten when
usbip server was converted from an interface driver to a device driver.
Signed-off-by: Alexander Popov <alpopov@ptsecurity.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
At this point, USB/IP kernel code is fully functional
and can be moved out of staging.
Signed-off-by: Valentina Manea <valentina.manea.m@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>