usbip: prevent leaking socket pointer address in messages (90120d15) · Commits · 戴 / test

drivers/usb/usbip/stub_dev.c

+1 −2

Original line number	Diff line number	Diff line
		@@ -149,8 +149,7 @@ static void stub_shutdown_connection(struct usbip_device *ud)
		* step 1?
		*/
		if (ud->tcp_socket) {
		dev_dbg(&sdev->udev->dev, "shutdown tcp_socket %p\n",
		ud->tcp_socket);
		dev_dbg(&sdev->udev->dev, "shutdown sockfd %d\n", ud->sockfd);
		kernel_sock_shutdown(ud->tcp_socket, SHUT_RDWR);
		}

+5 −11

Original line number	Diff line number	Diff line
		@@ -317,26 +317,20 @@ int usbip_recv(struct socket sock, void buf, int size)
		struct msghdr msg = {.msg_flags = MSG_NOSIGNAL};
		int total = 0;

		if (!sock \|\| !buf \|\| !size)
		return -EINVAL;

		iov_iter_kvec(&msg.msg_iter, READ\|ITER_KVEC, &iov, 1, size);

		usbip_dbg_xmit("enter\n");

		if (!sock \|\| !buf \|\| !size) {
		pr_err("invalid arg, sock %p buff %p size %d\n", sock, buf,
		size);
		return -EINVAL;
		}

		do {
		int sz = msg_data_left(&msg);
		msg_data_left(&msg);
		sock->sk->sk_allocation = GFP_NOIO;

		result = sock_recvmsg(sock, &msg, MSG_WAITALL);
		if (result <= 0) {
		pr_debug("receive sock %p buf %p size %u ret %d total %d\n",
		sock, buf + total, sz, result, total);
		if (result <= 0)
		goto err;
		}

		total += result;
		} while (msg_data_left(&msg));

+1 −1

Original line number	Diff line number	Diff line
		@@ -965,7 +965,7 @@ static void vhci_shutdown_connection(struct usbip_device *ud)

		/* need this? see stub_dev.c */
		if (ud->tcp_socket) {
		pr_debug("shutdown tcp_socket %p\n", ud->tcp_socket);
		pr_debug("shutdown tcp_socket %d\n", ud->sockfd);
		kernel_sock_shutdown(ud->tcp_socket, SHUT_RDWR);
		}