The usbip stack handles the kmalloc and kfree of the transfered buffers. Some
USB-Stacks add the flag URB_FREE_BUFFER to their urbs, so the usb layer removes
it in usb_free_urb. This can lead to double free situations as the usbip stack
already removes its created buffers. To avoid that we remove this flag from the
usbip transfered urbs.

Signed-off-by: Michael Grzeschik <m.grzesc...@pengutronix.de>
---

After further debugging we found the issue in the cleanup functions of
the priv structs. Some USB drivers add the flag URB_FREE_BUFFER to the
urb which results into double free of the transfer_buffer. Once inside
the stub_* cleanup functions and once inside usb_free_urb.

The result was that this memory being allocated twice for different buffers,
which led to the memory corruptions of any kinds.

For now I have this patch to solve the issue.

 drivers/usb/usbip/usbip_common.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/usbip/usbip_common.c b/drivers/usb/usbip/usbip_common.c
index cab2b71a80d02..3366c35069875 100644
--- a/drivers/usb/usbip/usbip_common.c
+++ b/drivers/usb/usbip/usbip_common.c
@@ -381,6 +381,12 @@ static unsigned int tweak_transfer_flags(unsigned int 
flags)
        return flags;
 }
 
+static unsigned int tweak_submit_transfer_flags(unsigned int flags)
+{
+       flags &= ~URB_FREE_BUFFER;
+       return flags;
+}
+
 static void usbip_pack_cmd_submit(struct usbip_header *pdu, struct urb *urb,
                                  int pack)
 {
@@ -398,7 +404,7 @@ static void usbip_pack_cmd_submit(struct usbip_header *pdu, 
struct urb *urb,
                spdu->number_of_packets         = urb->number_of_packets;
                spdu->interval                  = urb->interval;
        } else  {
-               urb->transfer_flags         = spdu->transfer_flags;
+               urb->transfer_flags         = 
tweak_submit_transfer_flags(spdu->transfer_flags);
                urb->transfer_buffer_length = spdu->transfer_buffer_length;
                urb->start_frame            = spdu->start_frame;
                urb->number_of_packets      = spdu->number_of_packets;
-- 
2.11.0

--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to