Commit Graph

11 Commits

Author SHA1 Message Date
Malte Leip c409ca3be3 usb: usbip: fix isoc packet num validation in get_pipe
Change the validation of number_of_packets in get_pipe to compare the
number of packets to a fixed maximum number of packets allowed, set to
be 1024. This number was chosen due to it being used by other drivers as
well, for example drivers/usb/host/uhci-q.c

Background/reason:
The get_pipe function in stub_rx.c validates the number of packets in
isochronous mode and aborts with an error if that number is too large,
in order to prevent malicious input from possibly triggering large
memory allocations. This was previously done by checking whether
pdu->u.cmd_submit.number_of_packets is bigger than the number of packets
that would be needed for pdu->u.cmd_submit.transfer_buffer_length bytes
if all except possibly the last packet had maximum length, given by
usb_endpoint_maxp(epd) *  usb_endpoint_maxp_mult(epd). This leads to an
error if URBs with packets shorter than the maximum possible length are
submitted, which is allowed according to
Documentation/driver-api/usb/URB.rst and occurs for example with the
snd-usb-audio driver.

Fixes: c6688ef9f2 ("usbip: fix stub_rx: harden CMD_SUBMIT path to handle malicious input")
Signed-off-by: Malte Leip <malte@leip.net>
Cc: stable <stable@vger.kernel.org>
Acked-by: Shuah Khan <skhan@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-04-25 11:11:41 +02:00
Shuah Khan 9020a7efe5 usbip: vhci_hcd: Fix usb device and sockfd leaks
vhci_hcd fails to do reset to put usb device and sockfd in the
module remove/stop paths. Fix the leak.

Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-04-22 14:45:11 +02:00
Shuah Khan 2f2d0088eb usbip: prevent vhci_hcd driver from leaking a socket pointer address
When a client has a USB device attached over IP, the vhci_hcd driver is
locally leaking a socket pointer address via the

/sys/devices/platform/vhci_hcd/status file (world-readable) and in debug
output when "usbip --debug port" is run.

Fix it to not leak. The socket pointer address is not used at the moment
and it was made visible as a convenient way to find IP address from socket
pointer address by looking up /proc/net/{tcp,tcp6}.

As this opens a security hole, the fix replaces socket pointer address with
sockfd.

Reported-by: Secunia Research <vuln@secunia.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-12-08 17:32:23 +01:00
Greg Kroah-Hartman 7f2b019c8d USB: usbip: Remove redundant license text
Now that the SPDX tag is in all USB files, that identifies the license
in a specific and legally-defined manner.  So the extra GPL text wording
can be removed as it is no longer needed at all.

This is done on a quest to remove the 700+ different ways that files in
the kernel describe the GPL license text.  And there's unneeded stuff
like the address (sometimes incorrect) for the FSF which is never
needed.

No copyright headers or other non-license-description text was removed.

Cc: Valentina Manea <valentina.manea.m@gmail.com>
Acked-by: Shuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-11-07 15:45:01 +01:00
Greg Kroah-Hartman 5fd54ace47 USB: add SPDX identifiers to all remaining files in drivers/usb/
It's good to have SPDX identifiers in all files to make it easier to
audit the kernel tree for correct licenses.

Update the drivers/usb/ and include/linux/usb* files with the correct
SPDX license identifier based on the license text in the file itself.
The SPDX identifier is a legally binding shorthand, which can be used
instead of the full boiler plate text.

This work is based on a script and data from Thomas Gleixner, Philippe
Ombredanne, and Kate Stewart.

Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Kate Stewart <kstewart@linuxfoundation.org>
Cc: Philippe Ombredanne <pombredanne@nexb.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Acked-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Acked-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-11-04 11:48:02 +01:00
Greg Kroah-Hartman 0c971edabb USB: usbip: remove unneeded MODULE_VERSION() usage
MODULE_VERSION is useless for in-kernel drivers, so just remove all
usage of it in the USB usbip drivers.  Along with this, the
USBIP_VERSION macros was removed as is was also pointless, as well as
printing out the driver version to the syslog at init time, which is not
necessary at all.

Cc: Valentina Manea <valentina.manea.m@gmail.com>
Acked-by: Shuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-07-22 15:56:53 +02:00
Ingo Molnar 0881e7bd34 sched/headers: Prepare to move the get_task_struct()/put_task_struct() and related APIs from <linux/sched.h> to <linux/sched/task.h>
But first update usage sites with the new header dependency.

Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Mike Galbraith <efault@gmx.de>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2017-03-02 08:42:40 +01:00
Alexander Popov 134a92659f usbip: don't call stub_device_reset() during stub_disconnect()
stub_disconnect() calls stub_device_reset() during usb_unbind_device() when
usb device is locked. So usb_lock_device_for_reset() in stub_device_reset()
in that case polls for one second and returns -EBUSY anyway.

Remove useless flag USBIP_EH_RESET from SDEV_EVENT_REMOVED.

Signed-off-by: Alexander Popov <alpopov@ptsecurity.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2016-06-07 22:18:39 -07:00
Igor Kotrasinski c7af4c2218 usbip: vudc: Make usbip_common vudc-aware
Add constants for VUDC events in usbip_common.h
and make use of them in usbip_common.c.

This commit is a result of cooperation between Samsung R&D Institute
Poland and Open Operating Systems Student Society at University
of Warsaw (O2S3@UW) consisting of:

    Igor Kotrasinski <ikotrasinsk@gmail.com>
    Karol Kosik <karo9@interia.eu>
    Ewelina Kosmider <3w3lfin@gmail.com>
    Dawid Lazarczyk <lazarczyk.dawid@gmail.com>
    Piotr Szulc <ps347277@students.mimuw.edu.pl>

Tutor and project owner:
    Krzysztof Opasiak <k.opasiak@samsung.com>

Signed-off-by: Igor Kotrasinski <i.kotrasinsk@samsung.com>
Signed-off-by: Karol Kosik <karo9@interia.eu>
[Small fixes and commit message update]
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2016-04-26 15:19:50 -07:00
Nobuo Iwata bb7871ad99 usbip: event handler as one thread
Dear all,

1. Overview

In current USB/IP implementation, event kernel threads are created for
each port. The functions of the threads are closing connection and
error handling so they don't have not so many events to handle. There's
no need to have thread for each port.

BEFORE) vhci side - VHCI_NPORTS(8) threads are created.
$ ps aux | grep usbip
root     10059  0.0  0.0      0     0 ?        S    17:06   0:00 [usbip_eh]
root     10060  0.0  0.0      0     0 ?        S    17:06   0:00 [usbip_eh]
root     10061  0.0  0.0      0     0 ?        S    17:06   0:00 [usbip_eh]
root     10062  0.0  0.0      0     0 ?        S    17:06   0:00 [usbip_eh]
root     10063  0.0  0.0      0     0 ?        S    17:06   0:00 [usbip_eh]
root     10064  0.0  0.0      0     0 ?        S    17:06   0:00 [usbip_eh]
root     10065  0.0  0.0      0     0 ?        S    17:06   0:00 [usbip_eh]
root     10066  0.0  0.0      0     0 ?        S    17:06   0:00 [usbip_eh]

BEFORE) stub side - threads will be created every bind operation.
$ ps aux | grep usbip
root      8368  0.0  0.0      0     0 ?        S    17:56   0:00 [usbip_eh]
root      8399  0.0  0.0      0     0 ?        S    17:56   0:00 [usbip_eh]

This patch put event threads of stub and vhci driver as one workqueue.

AFTER) only one event threads in each vhci and stub side.
$ ps aux | grep usbip
root     10457  0.0  0.0      0     0 ?        S<   17:47   0:00 [usbip_event]

2. Modification to usbip_event.c

BEFORE) kernel threads are created in usbip_start_eh().

AFTER) one workqueue is created in new usbip_init_eh().

Event handler which was main loop of kernel thread is modified to
workqueue handler.

Events themselves are stored in struct usbip_device - same as before.
usbip_devices which have event are listed in event_list.

The handler picks an element from the list and wakeup usbip_device. The
wakeup method is same as before.

usbip_in_eh() substitutes statement which checks whether functions are
called from eh_ops or not. In this function, the worker context is used
for the checking. The context will be set in a variable in the
beginning of first event handling. usbip_in_eh() is used in event
handler so it works well.

3. Modifications to programs using usbip_event.c

Initialization and termination of workqueue are added to init and exit
routine of usbip_core respectively.

A. version info

v2)
# Merged 1/2 event handler itself and 2/2 user programs because of auto
build fail at 1/2 casued unmodified user programs in 1/2.

Signed-off-by: Nobuo Iwata <nobuo.iwata@fujixerox.co.jp>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2016-04-19 04:33:15 +09:00
Valentina Manea 96c2737716 usbip: move usbip kernel code out of staging
At this point, USB/IP kernel code is fully functional
and can be moved out of staging.

Signed-off-by: Valentina Manea <valentina.manea.m@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-08-25 10:40:06 -07:00