kernel/drivers/staging, branch linux-3.2.y

staging/wlan-ng: Fix 'Branch condition evaluates to a garbage value' in p80211netdev.c

2018-03-19T18:58:25Z

commit fae7e4d39373305cf505d1f0871a4491897d56f9 upstream. clang/scan-build complains that: p80211netdev.c:451:6: warning: Branch condition evaluates to a garbage value if ((p80211_wep.data) && (p80211_wep.data != skb->data)) ^~~~~~~~~~~~~~~~~ This can happen in p80211knetdev_hard_start_xmit if - if (wlandev->state != WLAN_DEVICE_OPEN) evaluates to true. the execution flow then continues at the 'failed' label where p80211_wep.data is used without being initialized first. -> Initialize the data field to NULL to fix this issue. Signed-off-by: Peter Huewe Signed-off-by: Greg Kroah-Hartman Signed-off-by: Ben Hutchings

usbip: remove kernel addresses from usb device and urb debug msgs

2018-03-03T15:50:55Z

commit e1346fd87c71a1f61de1fe476ec8df1425ac931c upstream. usbip_dump_usb_device() and usbip_dump_urb() print kernel addresses. Remove kernel addresses from usb device and urb debug msgs and improve the message content. Instead of printing parent device and bus addresses, print parent device and bus names. Signed-off-by: Shuah Khan Signed-off-by: Greg Kroah-Hartman [bwh: Backported to 3.2: adjust filename, context] Signed-off-by: Ben Hutchings

usbip: fix usbip bind writing random string after command in match_busid

2018-03-03T15:50:50Z

commit 544c4605acc5ae4afe7dd5914147947db182f2fb upstream. usbip bind writes commands followed by random string when writing to match_busid attribute in sysfs, caused by using full variable size instead of string length. Signed-off-by: Juan Zea Acked-by: Shuah Khan Signed-off-by: Greg Kroah-Hartman [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings

usbip: prevent leaking socket pointer address in messages

2018-03-03T15:50:50Z

commit 90120d15f4c397272aaf41077960a157fc4212bf upstream. usbip driver is leaking socket pointer address in messages. Remove the messages that aren't useful and print sockfd in the ones that are useful for debugging. Signed-off-by: Shuah Khan Signed-off-by: Greg Kroah-Hartman [bwh: Backported to 3.2: adjust filenames, context] Signed-off-by: Ben Hutchings

usbip: stub: stop printing kernel pointer addresses in messages

2018-03-03T15:50:50Z

commit 248a22044366f588d46754c54dfe29ffe4f8b4df upstream. Remove and/or change debug, info. and error messages to not print kernel pointer addresses. Signed-off-by: Shuah Khan Signed-off-by: Greg Kroah-Hartman [bwh: Backported to 3.2: - Drop change in stub_complete() - Adjust filenames, context] Signed-off-by: Ben Hutchings

usbip: vhci: stop printing kernel pointer addresses in messages

2018-03-03T15:50:50Z

commit 8272d099d05f7ab2776cf56a2ab9f9443be18907 upstream. Remove and/or change debug, info. and error messages to not print kernel pointer addresses. Signed-off-by: Shuah Khan Signed-off-by: Greg Kroah-Hartman [bwh: Backported to 3.2: adjust filenames, context, indentation] Signed-off-by: Ben Hutchings

staging: usbip: removed dead code from receive function

2018-03-03T15:50:49Z

commit 5a08c5267e45fe936452051a8c126e8418984eb7 upstream. The usbip_xmit function supported sending and receiving data, however the sending part of the function was never used/executed. Renamed the function to usbip_recv, and removed the unused code. Signed-off-by: Bart Westgeest Signed-off-by: Greg Kroah-Hartman Signed-off-by: Ben Hutchings

usbip: fix stub_send_ret_submit() vulnerability to null transfer_buffer

2018-02-13T18:32:24Z

commit be6123df1ea8f01ee2f896a16c2b7be3e4557a5a upstream. stub_send_ret_submit() handles urb with a potential null transfer_buffer, when it replays a packet with potential malicious data that could contain a null buffer. Add a check for the condition when actual_length > 0 and transfer_buffer is null. Reported-by: Secunia Research Signed-off-by: Shuah Khan Signed-off-by: Greg Kroah-Hartman [bwh: Backported to 3.2: - Device for logging purposes is &sdev->interface->dev - Adjust filename] Signed-off-by: Ben Hutchings

usbip: prevent vhci_hcd driver from leaking a socket pointer address

2018-02-13T18:32:23Z

commit 2f2d0088eb93db5c649d2a5e34a3800a8a935fc5 upstream. When a client has a USB device attached over IP, the vhci_hcd driver is locally leaking a socket pointer address via the /sys/devices/platform/vhci_hcd/status file (world-readable) and in debug output when "usbip --debug port" is run. Fix it to not leak. The socket pointer address is not used at the moment and it was made visible as a convenient way to find IP address from socket pointer address by looking up /proc/net/{tcp,tcp6}. As this opens a security hole, the fix replaces socket pointer address with sockfd. Reported-by: Secunia Research Signed-off-by: Shuah Khan Signed-off-by: Greg Kroah-Hartman [bwh: Backported to 3.2: - usbip port status does not include hub type - Adjust filenames, context, indentation] Signed-off-by: Ben Hutchings

usbip: fix stub_rx: harden CMD_SUBMIT path to handle malicious input

2018-02-13T18:32:23Z

commit c6688ef9f29762e65bce325ef4acd6c675806366 upstream. Harden CMD_SUBMIT path to handle malicious input that could trigger large memory allocations. Add checks to validate transfer_buffer_length and number_of_packets to protect against bad input requesting for unbounded memory allocations. Validate early in get_pipe() and return failure. Reported-by: Secunia Research Signed-off-by: Shuah Khan Signed-off-by: Greg Kroah-Hartman [bwh: Backported to 3.2: - Device for logging purposes is &sdev->interface->dev - Adjust filename, context] Signed-off-by: Ben Hutchings