commit 22076557b0 upstream.

usbip_host updates device status without holding lock from stub probe,
disconnect and rebind code paths. When multiple requests to import a
device are received, these unprotected code paths step all over each
other and driver fails with NULL-ptr deref and use-after-free errors.

The driver uses a table lock to protect the busid array for adding and
deleting busids to the table. However, the probe, disconnect and rebind
paths get the busid table entry and update the status without holding
the busid table lock. Add a new finer grain lock to protect the busid
entry. This new lock will be held to search and update the busid entry
fields from get_busid_idx(), add_match_busid() and del_match_busid().

match_busid_show() does the same to access the busid entry fields.

get_busid_priv() changed to return the pointer to the busid entry holding
the busid lock. stub_probe(), stub_disconnect() and stub_device_rebind()
call put_busid_priv() to release the busid lock before returning. This
change fixes the unprotected code paths eliminating the race conditions
in updating the busid entries.

Reported-by: Jakub Jirasek
Signed-off-by: Shuah Khan (Samsung OSG) <shuah@kernel.org>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
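
Added example, not part of the commit or the kernel source: a userspace C model of the get_busid_priv()/put_busid_priv() discipline described in the message above, where the entry is returned with its own lock held and the caller releases it on every return path. The struct layout, status values, the atomic_int spinlock, find_locked() and claim_busid() are assumptions made for illustration.

```c
#include <stdatomic.h>
#include <string.h>

#define MAX_BUSID 4
enum { ST_FREE, ST_ADDED, ST_ALLOC };          /* simplified status values (assumed) */
struct busid_entry { char name[32]; int status; atomic_int lock; };
static struct busid_entry table[MAX_BUSID];    /* zero-initialised: free, unlocked */
static atomic_int table_lock;                  /* guards searches of the array */
static void spin_lock(atomic_int *l)   { while (atomic_exchange(l, 1)) { } }
static void spin_unlock(atomic_int *l) { atomic_store(l, 0); }

/* Caller holds table_lock. Returns the entry called `name` (or the first free
 * slot when name is NULL) with that entry's own lock held, or NULL. */
static struct busid_entry *find_locked(const char *name) {
    for (int i = 0; i < MAX_BUSID; i++) {
        struct busid_entry *e = &table[i];
        spin_lock(&e->lock);
        if (name ? (e->status != ST_FREE && !strcmp(e->name, name)) : (e->status == ST_FREE))
            return e;
        spin_unlock(&e->lock);
    }
    return NULL;
}
struct busid_entry *get_busid_priv(const char *name) {
    spin_lock(&table_lock);
    struct busid_entry *bid = find_locked(name);   /* entry lock stays held */
    spin_unlock(&table_lock);
    return bid;
}
void put_busid_priv(struct busid_entry *bid) { if (bid) spin_unlock(&bid->lock); }

int add_match_busid(const char *name) {
    spin_lock(&table_lock);
    struct busid_entry *e = find_locked(name);     /* already registered? */
    if (!e && (e = find_locked(NULL)) != NULL) {   /* otherwise take a free slot */
        strncpy(e->name, name, sizeof(e->name) - 1);
        e->status = ST_ADDED;
    }
    put_busid_priv(e);
    spin_unlock(&table_lock);
    return e ? 0 : -1;
}
/* Hypothetical probe-style caller: status is checked and updated under the lock. */
int claim_busid(const char *name) {
    struct busid_entry *bid = get_busid_priv(name);
    int rc = (bid && bid->status == ST_ADDED) ? 0 : -1;
    if (rc == 0) bid->status = ST_ALLOC;
    put_busid_priv(bid);                           /* released on every path */
    return rc;
}
int main(void) { return add_match_busid("3-1") || claim_busid("3-1"); }
```

Because the status check and the status update happen while the entry lock is held, a second claim of the same busid sees the updated status instead of racing with the first.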

commit 7510df3f29 upstream.

After removing usbip_host module, devices it releases are left without
a driver. For example, when a keyboard or a mass storage device is
bound to usbip_host when it is removed, these devices are no longer
bound to any driver.

Fix it to run device_attach() from the module exit routine to restore
the devices to their original drivers. This includes cleanup changes
and moving device_attach() code to a common routine to be called from
rebind_store() and usbip_host_exit().

Signed-off-by: Shuah Khan (Samsung OSG) <shuah@kernel.org>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 90120d15f4 upstream.

usbip driver is leaking socket pointer address in messages. Remove
the messages that aren't useful and print sockfd in the ones that
are useful for debugging.

Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Fix NULL pointer dereference and obsolete comments forgotten when
usbip server was converted from an interface driver to a device driver.

Signed-off-by: Alexander Popov <alpopov@ptsecurity.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Dear all,

1. Overview

In current USB/IP implementation, event kernel threads are created for
each port. The functions of the threads are closing connection and
error handling so they do not have many events to handle. There's
no need to have a thread for each port.

BEFORE) vhci side - VHCI_NPORTS(8) threads are created.
$ ps aux | grep usbip
root 10059 0.0 0.0 0 0 ? S 17:06 0:00 [usbip_eh]
root 10060 0.0 0.0 0 0 ? S 17:06 0:00 [usbip_eh]
root 10061 0.0 0.0 0 0 ? S 17:06 0:00 [usbip_eh]
root 10062 0.0 0.0 0 0 ? S 17:06 0:00 [usbip_eh]
root 10063 0.0 0.0 0 0 ? S 17:06 0:00 [usbip_eh]
root 10064 0.0 0.0 0 0 ? S 17:06 0:00 [usbip_eh]
root 10065 0.0 0.0 0 0 ? S 17:06 0:00 [usbip_eh]
root 10066 0.0 0.0 0 0 ? S 17:06 0:00 [usbip_eh]

BEFORE) stub side - threads will be created on every bind operation.
$ ps aux | grep usbip
root 8368 0.0 0.0 0 0 ? S 17:56 0:00 [usbip_eh]
root 8399 0.0 0.0 0 0 ? S 17:56 0:00 [usbip_eh]

This patch puts event threads of stub and vhci driver as one workqueue.

AFTER) only one event thread in each vhci and stub side.
$ ps aux | grep usbip
root 10457 0.0 0.0 0 0 ? S< 17:47 0:00 [usbip_event]

2. Modification to usbip_event.c

BEFORE) kernel threads are created in usbip_start_eh().
AFTER) one workqueue is created in new usbip_init_eh().

The event handler, which was the main loop of the kernel thread, is
modified to be a workqueue handler.

Events themselves are stored in struct usbip_device - same as before.
usbip_devices which have events are listed in event_list.

The handler picks an element from the list and wakes up the usbip_device.
The wakeup method is the same as before.

usbip_in_eh() substitutes the statement which checks whether functions are
called from eh_ops or not. In this function, the worker context is used
for the checking. The context will be set in a variable at the
beginning of the first event handling. usbip_in_eh() is used in the event
handler so it works well.

3. Modifications to programs using usbip_event.c

Initialization and termination of workqueue are added to init and exit
routine of usbip_core respectively.

A. version info

v2)
# Merged 1/2 event handler itself and 2/2 user programs because of auto
build fail at 1/2 caused by unmodified user programs in 1/2.

Signed-off-by: Nobuo Iwata <nobuo.iwata@fujixerox.co.jp>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

If usb_hub_claim_port() fails, no resources are deallocated and
if stub_add_files() fails, port is not released.

The patch fixes these issues and rearranges error handling code.

Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
Acked-by: Valentina Manea <valentina.manea.m@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

This was used back when usbip-host was an interface device driver;
after the conversion to device driver, the table remained unused.
Remove it in order to stop receiving a warning about it.

Signed-off-by: Valentina Manea <valentina.manea.m@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>