<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/drivers/usb/usbip, branch linux-4.8.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>usbip: vudc: fix: Clear already_seen flag also for ep0</title>
<updated>2017-01-06T10:16:19+00:00</updated>
<author>
<name>Krzysztof Opasiak</name>
<email>k.opasiak@samsung.com</email>
</author>
<published>2016-12-01T18:14:37+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=6b0a56e9aaf3df0e310f8f0524b5fd9e45f89d09'/>
<id>6b0a56e9aaf3df0e310f8f0524b5fd9e45f89d09</id>
<content type='text'>
commit 3e448e13a662fb20145916636127995cbf37eb83 upstream.

ep_list inside gadget structure doesn't contain ep0.
It is stored separately in ep0 field.

This causes an urb hang if gadget driver decides to
delay setup handling. On host side this is visible as
timeout error when setting configuration.

This bug can be reproduced using for example any gadget
with mass storage function.

Fixes: abdb29574322 ("usbip: vudc: Add vudc_transfer")
Signed-off-by: Krzysztof Opasiak &lt;k.opasiak@samsung.com&gt;
Acked-by: Shuah Khan &lt;shuahkh@osg.samsung.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 3e448e13a662fb20145916636127995cbf37eb83 upstream.

ep_list inside gadget structure doesn't contain ep0.
It is stored separately in ep0 field.

This causes an urb hang if gadget driver decides to
delay setup handling. On host side this is visible as
timeout error when setting configuration.

This bug can be reproduced using for example any gadget
with mass storage function.

Fixes: abdb29574322 ("usbip: vudc: Add vudc_transfer")
Signed-off-by: Krzysztof Opasiak &lt;k.opasiak@samsung.com&gt;
Acked-by: Shuah Khan &lt;shuahkh@osg.samsung.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>usb: usbip: vudc: fix left shift overflow</title>
<updated>2016-10-07T13:03:20+00:00</updated>
<author>
<name>Nicolas Iooss</name>
<email>nicolas.iooss_linux@m4x.org</email>
</author>
<published>2016-08-23T15:13:29+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=f38d80a51b490a2bad8d7986cefd52381f0729dd'/>
<id>f38d80a51b490a2bad8d7986cefd52381f0729dd</id>
<content type='text'>
commit 238b7bd91b16d5a08326f858db42229b212e53d8 upstream.

In v_recv_cmd_submit(), urb_p-&gt;urb-&gt;pipe has the type unsigned int
(which is 32-bit long on x86_64) but 11&lt;&lt;30 results in a 34-bit integer.
Therefore the 2 leading bits are truncated and

    urb_p-&gt;urb-&gt;pipe &amp;= ~(11 &lt;&lt; 30);

has the same meaning as

    urb_p-&gt;urb-&gt;pipe &amp;= ~(3 &lt;&lt; 30);

This second statement seems to be how the code was intended to be
written, as PIPE_ constants have values between 0 and 3.

The overflow has been detected with a clang warning:

    drivers/usb/usbip/vudc_rx.c:145:27: warning: signed shift result
    (0x2C0000000) requires 35 bits to represent, but 'int' only has 32
    bits [-Wshift-overflow]
            urb_p-&gt;urb-&gt;pipe &amp;= ~(11 &lt;&lt; 30);
                                  ~~ ^  ~~

Fixes: 79c02cb1fd5c ("usbip: vudc: Add vudc_rx")
Signed-off-by: Nicolas Iooss &lt;nicolas.iooss_linux@m4x.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 238b7bd91b16d5a08326f858db42229b212e53d8 upstream.

In v_recv_cmd_submit(), urb_p-&gt;urb-&gt;pipe has the type unsigned int
(which is 32-bit long on x86_64) but 11&lt;&lt;30 results in a 34-bit integer.
Therefore the 2 leading bits are truncated and

    urb_p-&gt;urb-&gt;pipe &amp;= ~(11 &lt;&lt; 30);

has the same meaning as

    urb_p-&gt;urb-&gt;pipe &amp;= ~(3 &lt;&lt; 30);

This second statement seems to be how the code was intended to be
written, as PIPE_ constants have values between 0 and 3.

The overflow has been detected with a clang warning:

    drivers/usb/usbip/vudc_rx.c:145:27: warning: signed shift result
    (0x2C0000000) requires 35 bits to represent, but 'int' only has 32
    bits [-Wshift-overflow]
            urb_p-&gt;urb-&gt;pipe &amp;= ~(11 &lt;&lt; 30);
                                  ~~ ^  ~~

Fixes: 79c02cb1fd5c ("usbip: vudc: Add vudc_rx")
Signed-off-by: Nicolas Iooss &lt;nicolas.iooss_linux@m4x.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>Merge 4.7-rc4 into usb-next</title>
<updated>2016-06-20T14:40:51+00:00</updated>
<author>
<name>Greg Kroah-Hartman</name>
<email>gregkh@linuxfoundation.org</email>
</author>
<published>2016-06-20T14:40:51+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=bc71c2df45e5a861818b5ee173702883df07471a'/>
<id>bc71c2df45e5a861818b5ee173702883df07471a</id>
<content type='text'>
We need the 4.7-rc4 fixes in here as well.

Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
We need the 4.7-rc4 fixes in here as well.

Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>usbip: rate limit get_frame_number message</title>
<updated>2016-06-18T01:00:46+00:00</updated>
<author>
<name>Greg Kroah-Hartman</name>
<email>gregkh@linuxfoundation.org</email>
</author>
<published>2016-06-14T20:41:07+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=083d5ad1a924e79ecf92be37cce9f1efa5c1d240'/>
<id>083d5ad1a924e79ecf92be37cce9f1efa5c1d240</id>
<content type='text'>
It's annoying to constantly see the same "Not yet implemented" message
over and over with nothing able to be done about it, so rate limit it
for now to keep user's logs "clean".

Reported-by: Lars Täuber &lt;lars.taeuber@web.de&gt;
Tested-by: Lars Täuber &lt;lars.taeuber@web.de&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
It's annoying to constantly see the same "Not yet implemented" message
over and over with nothing able to be done about it, so rate limit it
for now to keep user's logs "clean".

Reported-by: Lars Täuber &lt;lars.taeuber@web.de&gt;
Tested-by: Lars Täuber &lt;lars.taeuber@web.de&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>usb: usbip: remove null check</title>
<updated>2016-06-08T05:18:39+00:00</updated>
<author>
<name>Sudip Mukherjee</name>
<email>sudipm.mukherjee@gmail.com</email>
</author>
<published>2016-06-06T21:23:32+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=7c348f1cfb6d8c6911fcb6d13b4c267a8bc93856'/>
<id>7c348f1cfb6d8c6911fcb6d13b4c267a8bc93856</id>
<content type='text'>
The only caller of get_gadget_descs() has already dereferenced udc
before calling this function, so udc can not be NULL at this point of
the code and hence no use of checking it.

Signed-off-by: Sudip Mukherjee &lt;sudip.mukherjee@codethink.co.uk&gt;
Reviewed-by: Krzysztof Opasiak &lt;k.opasiak@samsung.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The only caller of get_gadget_descs() has already dereferenced udc
before calling this function, so udc can not be NULL at this point of
the code and hence no use of checking it.

Signed-off-by: Sudip Mukherjee &lt;sudip.mukherjee@codethink.co.uk&gt;
Reviewed-by: Krzysztof Opasiak &lt;k.opasiak@samsung.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>usbip: don't call stub_device_reset() during stub_disconnect()</title>
<updated>2016-06-08T05:18:39+00:00</updated>
<author>
<name>Alexander Popov</name>
<email>alpopov@ptsecurity.com</email>
</author>
<published>2016-05-20T09:37:28+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=134a92659f9382f00f94b880183472b0769ad53e'/>
<id>134a92659f9382f00f94b880183472b0769ad53e</id>
<content type='text'>
stub_disconnect() calls stub_device_reset() during usb_unbind_device() when
usb device is locked. So usb_lock_device_for_reset() in stub_device_reset()
in that case polls for one second and returns -EBUSY anyway.

Remove useless flag USBIP_EH_RESET from SDEV_EVENT_REMOVED.

Signed-off-by: Alexander Popov &lt;alpopov@ptsecurity.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
stub_disconnect() calls stub_device_reset() during usb_unbind_device() when
usb device is locked. So usb_lock_device_for_reset() in stub_device_reset()
in that case polls for one second and returns -EBUSY anyway.

Remove useless flag USBIP_EH_RESET from SDEV_EVENT_REMOVED.

Signed-off-by: Alexander Popov &lt;alpopov@ptsecurity.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>usb: usbip: Avoid NULL pointer dereference in case of error</title>
<updated>2016-04-29T22:31:30+00:00</updated>
<author>
<name>Krzysztof Opasiak</name>
<email>k.opasiak@samsung.com</email>
</author>
<published>2016-04-29T10:34:13+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=442ee366bec3cbdaf5794e80f803d87c5787c5d8'/>
<id>442ee366bec3cbdaf5794e80f803d87c5787c5d8</id>
<content type='text'>
One line above we have checked that udc is NULL so we shouldn't
dereference it while printing error message.

Reported-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Signed-off-by: Krzysztof Opasiak &lt;k.opasiak@samsung.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
One line above we have checked that udc is NULL so we shouldn't
dereference it while printing error message.

Reported-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Signed-off-by: Krzysztof Opasiak &lt;k.opasiak@samsung.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>usbip: vudc: make dev_desc attribute binary</title>
<updated>2016-04-29T22:31:30+00:00</updated>
<author>
<name>Igor Kotrasinski</name>
<email>i.kotrasinsk@gmail.com</email>
</author>
<published>2016-04-29T11:41:24+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=2a7a10b86c125fd3410bb975e8515ac5dddc3238'/>
<id>2a7a10b86c125fd3410bb975e8515ac5dddc3238</id>
<content type='text'>
We read a struct usb_device_descriptor from it, so make it an actual
binary attribute.

Signed-off-by: Igor Kotrasinski &lt;i.kotrasinsk@gmail.com&gt;
Signed-off-by: Krzysztof Opasiak &lt;k.opasiak@samsung.com&gt;
Tested-by: Krzysztof Opasiak &lt;k.opasiak@samsung.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
We read a struct usb_device_descriptor from it, so make it an actual
binary attribute.

Signed-off-by: Igor Kotrasinski &lt;i.kotrasinsk@gmail.com&gt;
Signed-off-by: Krzysztof Opasiak &lt;k.opasiak@samsung.com&gt;
Tested-by: Krzysztof Opasiak &lt;k.opasiak@samsung.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>usbip: vudc: fix Kconfig dependencies</title>
<updated>2016-04-28T19:28:08+00:00</updated>
<author>
<name>Arnd Bergmann</name>
<email>arnd@arndb.de</email>
</author>
<published>2016-04-28T12:42:50+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=b5a2a8ecb204c821f47b43ab7e93f408b0d085b1'/>
<id>b5a2a8ecb204c821f47b43ab7e93f408b0d085b1</id>
<content type='text'>
With the addition of VUDC, the USBIP stack can now be used on
configurations without USB host support, but trying to build
it with USB gadget support disabled fails with

drivers/usb/built-in.o: In function `vep_dequeue':
vudc_main.c:(.text+0xa6ddc): undefined reference to `usb_gadget_giveback_request'
drivers/usb/built-in.o: In function `nuke':
vudc_main.c:(.text+0xa6ea8): undefined reference to `usb_gadget_giveback_request'
drivers/usb/built-in.o: In function `vudc_device_reset':
vudc_main.c:(.text+0xa720c): undefined reference to `usb_gadget_udc_reset'
drivers/usb/built-in.o: In function `vudc_probe':

This addresses both issues, by changing the dependency for USBIP_CORE
to USB_COMMON, and adding additional dependencies on USB or USB_GADGET
for the individual portions as needed.

Signed-off-by: Arnd Bergmann &lt;arnd@arndb.de&gt;
Fixes: 9360575c5837 ("usbip: vudc: Add vudc to Kconfig")
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
With the addition of VUDC, the USBIP stack can now be used on
configurations without USB host support, but trying to build
it with USB gadget support disabled fails with

drivers/usb/built-in.o: In function `vep_dequeue':
vudc_main.c:(.text+0xa6ddc): undefined reference to `usb_gadget_giveback_request'
drivers/usb/built-in.o: In function `nuke':
vudc_main.c:(.text+0xa6ea8): undefined reference to `usb_gadget_giveback_request'
drivers/usb/built-in.o: In function `vudc_device_reset':
vudc_main.c:(.text+0xa720c): undefined reference to `usb_gadget_udc_reset'
drivers/usb/built-in.o: In function `vudc_probe':

This addresses both issues, by changing the dependency for USBIP_CORE
to USB_COMMON, and adding additional dependencies on USB or USB_GADGET
for the individual portions as needed.

Signed-off-by: Arnd Bergmann &lt;arnd@arndb.de&gt;
Fixes: 9360575c5837 ("usbip: vudc: Add vudc to Kconfig")
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>usbip: safe completion against unbind operation</title>
<updated>2016-04-28T19:28:08+00:00</updated>
<author>
<name>Nobuo Iwata</name>
<email>nobuo.iwata@fujixerox.co.jp</email>
</author>
<published>2016-04-27T06:35:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=6dc38da4a53837835e2c3d9fec5d793ea9374a94'/>
<id>6dc38da4a53837835e2c3d9fec5d793ea9374a94</id>
<content type='text'>
This patch adds a code fragment to ignore completing URBs in closing
connection.

Regarding this patch, 2 execution contexts are related.

1) stub_tx.c: stub_complete() which is called from USB core
1-1) add to unlink list and free URB or
1-2) move to tx list

2) stub_dev.c: stub_shutdown_connection() which is invoked by unbind
operation through sysfs.
2-1) stop TX/RX threads
2-2) close TCP connection and set ud.tcp_socket to NULL
2-3) cleanup pending URBs by stub_device_cleanup_urbs(sdev)
2-4) free unlink list (no lock)

In the race condition, URBs which will be cleared in 2-3) may be
handled in 1).
In case 1-1), it will not be transferred because tx threads are stopped
in 2-1).
In case 1-2), may be freed in 2-4).

With this patch, after 2-2), completing URBs in 1) will not be handled
and cleared in 2-3).

The kernel log with this patch is as below.

kernel: usbip_core: usbip_kernel_unlink:792: shutting down tcp_socket
ef61d980
kernel: usbip-host 1-3: free sdev f5df6180
kernel: usbip-host 1-3: free urb f5df6700
kernel: usbip-host 1-3: Enter
kernel: usbip_core: usbip_stop_eh:132: usbip_eh waiting completion 5
kernel: usbip_host: stub_complete:71: complete! status 0
kernel: usbip_host: stub_complete:102: ignore urb for closed connection
e725fc00 (*)
kernel: usbip_host: stub_complete:71: complete! status -2
kernel: usbip-host 1-3: stopped by a call to usb_kill_urb() because of
cleaning up a virtual connection
kernel: usbip-host 1-3: free urb e725fc00 (**)
kernel: usbip-host 1-3: free urb e725e000
kernel: usbip_host: stub_complete:71: complete! status -2
kernel: usbip-host 1-3: stopped by a call to usb_kill_urb() because of
cleaning up a virtual connection
kernel: usbip-host 1-3: free urb e725f800
kernel: usbip_host: stub_complete:71: complete! status -2
kernel: usbip-host 1-3: stopped by a call to usb_kill_urb() because of
cleaning up a virtual connection
kernel: usbip-host 1-3: free urb e725e800
kernel: usbip_host: stub_complete:71: complete! status -2
kernel: usbip-host 1-3: stopped by a call to usb_kill_urb() because of
cleaning up a virtual connection
kernel: usbip-host 1-3: device reset
kernel: usbip-host 1-3: lock for reset
kernel: usbip_host: store_match_busid:178: del busid 1-3
kernel: uvcvideo: Found UVC 1.00 device Venus USB2.0 Camera (056e:700a)
kernel: input: Venus USB2.0 Camera as
/devices/pci0000:00/0000:00:1a.7/usb1/1-3/1-3:1.0/input/input22

(*) skipped with this patch in completion
(**) released in 2-3

Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This patch adds a code fragment to ignore completing URBs in closing
connection.

Regarding this patch, 2 execution contexts are related.

1) stub_tx.c: stub_complete() which is called from USB core
1-1) add to unlink list and free URB or
1-2) move to tx list

2) stub_dev.c: stub_shutdown_connection() which is invoked by unbind
operation through sysfs.
2-1) stop TX/RX threads
2-2) close TCP connection and set ud.tcp_socket to NULL
2-3) cleanup pending URBs by stub_device_cleanup_urbs(sdev)
2-4) free unlink list (no lock)

In the race condition, URBs which will be cleared in 2-3) may be
handled in 1).
In case 1-1), it will not be transferred because tx threads are stopped
in 2-1).
In case 1-2), may be freed in 2-4).

With this patch, after 2-2), completing URBs in 1) will not be handled
and cleared in 2-3).

The kernel log with this patch is as below.

kernel: usbip_core: usbip_kernel_unlink:792: shutting down tcp_socket
ef61d980
kernel: usbip-host 1-3: free sdev f5df6180
kernel: usbip-host 1-3: free urb f5df6700
kernel: usbip-host 1-3: Enter
kernel: usbip_core: usbip_stop_eh:132: usbip_eh waiting completion 5
kernel: usbip_host: stub_complete:71: complete! status 0
kernel: usbip_host: stub_complete:102: ignore urb for closed connection
e725fc00 (*)
kernel: usbip_host: stub_complete:71: complete! status -2
kernel: usbip-host 1-3: stopped by a call to usb_kill_urb() because of
cleaning up a virtual connection
kernel: usbip-host 1-3: free urb e725fc00 (**)
kernel: usbip-host 1-3: free urb e725e000
kernel: usbip_host: stub_complete:71: complete! status -2
kernel: usbip-host 1-3: stopped by a call to usb_kill_urb() because of
cleaning up a virtual connection
kernel: usbip-host 1-3: free urb e725f800
kernel: usbip_host: stub_complete:71: complete! status -2
kernel: usbip-host 1-3: stopped by a call to usb_kill_urb() because of
cleaning up a virtual connection
kernel: usbip-host 1-3: free urb e725e800
kernel: usbip_host: stub_complete:71: complete! status -2
kernel: usbip-host 1-3: stopped by a call to usb_kill_urb() because of
cleaning up a virtual connection
kernel: usbip-host 1-3: device reset
kernel: usbip-host 1-3: lock for reset
kernel: usbip_host: store_match_busid:178: del busid 1-3
kernel: uvcvideo: Found UVC 1.00 device Venus USB2.0 Camera (056e:700a)
kernel: input: Venus USB2.0 Camera as
/devices/pci0000:00/0000:00:1a.7/usb1/1-3/1-3:1.0/input/input22

(*) skipped with this patch in completion
(**) released in 2-3

Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
</feed>
