[PATCH] usb: usbip: avoid the usb layer to kfree our allocated buffer

Michael Grzeschik <m.grzeschik@xxxxxxxxxxxxxx> · Fri, 12 May 2017 15:00:21 +0200

The usbip stack handles the kmalloc and kfree of the transfered buffers. Some
USB-Stacks add the flag URB_FREE_BUFFER to their urbs, so the usb layer removes
it in usb_free_urb. This can lead to double free situations as the usbip stack
already removes its created buffers. To avoid that we remove this flag from the
usbip transfered urbs.

Signed-off-by: Michael Grzeschik <m.grzeschik@xxxxxxxxxxxxxx>
---

After further debugging we found the issue in the cleanup functions of
the priv structs. Some USB drivers add the flag URB_FREE_BUFFER to the
urb which results into double free of the transfer_buffer. Once inside
the stub_* cleanup functions and once inside usb_free_urb.

The result was that this memory being allocated twice for different buffers,
which led to the memory corruptions of any kinds.

For now I have this patch to solve the issue.

 drivers/usb/usbip/usbip_common.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/usbip/usbip_common.c b/drivers/usb/usbip/usbip_common.c
index cab2b71a80d02..3366c35069875 100644
--- a/drivers/usb/usbip/usbip_common.c
+++ b/drivers/usb/usbip/usbip_common.c
@@ -381,6 +381,12 @@ static unsigned int tweak_transfer_flags(unsigned int flags)
 	return flags;
 }
 
+static unsigned int tweak_submit_transfer_flags(unsigned int flags)
+{
+	flags &= ~URB_FREE_BUFFER;
+	return flags;
+}
+
 static void usbip_pack_cmd_submit(struct usbip_header *pdu, struct urb *urb,
 				  int pack)
 {
@@ -398,7 +404,7 @@ static void usbip_pack_cmd_submit(struct usbip_header *pdu, struct urb *urb,
 		spdu->number_of_packets		= urb->number_of_packets;
 		spdu->interval			= urb->interval;
 	} else  {
-		urb->transfer_flags         = spdu->transfer_flags;
+		urb->transfer_flags         = tweak_submit_transfer_flags(spdu->transfer_flags);
 		urb->transfer_buffer_length = spdu->transfer_buffer_length;
 		urb->start_frame            = spdu->start_frame;
 		urb->number_of_packets      = spdu->number_of_packets;
-- 
2.11.0

--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html






