Commit 2c1cfa49 authored by Linus Torvalds's avatar Linus Torvalds

Merge tag 'usb-4.15-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb

Pull USB fixes from Greg KH:
 "Here are some small USB fixes and device ids for 4.15-rc8

  Nothing major, small fixes for various devices, some resolutions for
  bugs found by fuzzers, and the usual handful of new device ids.

  All of these have been in linux-next with no reported issues"

* tag 'usb-4.15-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
  Documentation: usb: fix typo in UVC gadgetfs config command
  usb: misc: usb3503: make sure reset is low for at least 100us
  uas: ignore UAS for Norelsys NS1068(X) chips
  USB: UDC core: fix double-free in usb_add_gadget_udc_release
  USB: fix usbmon BUG trigger
  usbip: vudc_tx: fix v_send_ret_submit() vulnerability to null xfer buffer
  usbip: remove kernel addresses from usb device and urb debug msgs
  usbip: fix vudc_rx: harden CMD_SUBMIT path to handle malicious input
  USB: serial: cp210x: add new device ID ELV ALC 8xxx
  USB: serial: cp210x: add IDs for LifeScan OneTouch Verio IQ
parents d5a047fd 1a2e91e7
...@@ -693,7 +693,7 @@ such specification consists of a number of lines with an inverval value ...@@ -693,7 +693,7 @@ such specification consists of a number of lines with an inverval value
in each line. The rules stated above are best illustrated with an example: in each line. The rules stated above are best illustrated with an example:
# mkdir functions/uvc.usb0/control/header/h # mkdir functions/uvc.usb0/control/header/h
# cd functions/uvc.usb0/control/header/h # cd functions/uvc.usb0/control/
# ln -s header/h class/fs # ln -s header/h class/fs
# ln -s header/h class/ss # ln -s header/h class/ss
# mkdir -p functions/uvc.usb0/streaming/uncompressed/u/360p # mkdir -p functions/uvc.usb0/streaming/uncompressed/u/360p
......
...@@ -1147,11 +1147,7 @@ int usb_add_gadget_udc_release(struct device *parent, struct usb_gadget *gadget, ...@@ -1147,11 +1147,7 @@ int usb_add_gadget_udc_release(struct device *parent, struct usb_gadget *gadget,
udc = kzalloc(sizeof(*udc), GFP_KERNEL); udc = kzalloc(sizeof(*udc), GFP_KERNEL);
if (!udc) if (!udc)
goto err1; goto err_put_gadget;
ret = device_add(&gadget->dev);
if (ret)
goto err2;
device_initialize(&udc->dev); device_initialize(&udc->dev);
udc->dev.release = usb_udc_release; udc->dev.release = usb_udc_release;
...@@ -1160,7 +1156,11 @@ int usb_add_gadget_udc_release(struct device *parent, struct usb_gadget *gadget, ...@@ -1160,7 +1156,11 @@ int usb_add_gadget_udc_release(struct device *parent, struct usb_gadget *gadget,
udc->dev.parent = parent; udc->dev.parent = parent;
ret = dev_set_name(&udc->dev, "%s", kobject_name(&parent->kobj)); ret = dev_set_name(&udc->dev, "%s", kobject_name(&parent->kobj));
if (ret) if (ret)
goto err3; goto err_put_udc;
ret = device_add(&gadget->dev);
if (ret)
goto err_put_udc;
udc->gadget = gadget; udc->gadget = gadget;
gadget->udc = udc; gadget->udc = udc;
...@@ -1170,7 +1170,7 @@ int usb_add_gadget_udc_release(struct device *parent, struct usb_gadget *gadget, ...@@ -1170,7 +1170,7 @@ int usb_add_gadget_udc_release(struct device *parent, struct usb_gadget *gadget,
ret = device_add(&udc->dev); ret = device_add(&udc->dev);
if (ret) if (ret)
goto err4; goto err_unlist_udc;
usb_gadget_set_state(gadget, USB_STATE_NOTATTACHED); usb_gadget_set_state(gadget, USB_STATE_NOTATTACHED);
udc->vbus = true; udc->vbus = true;
...@@ -1178,27 +1178,25 @@ int usb_add_gadget_udc_release(struct device *parent, struct usb_gadget *gadget, ...@@ -1178,27 +1178,25 @@ int usb_add_gadget_udc_release(struct device *parent, struct usb_gadget *gadget,
/* pick up one of pending gadget drivers */ /* pick up one of pending gadget drivers */
ret = check_pending_gadget_drivers(udc); ret = check_pending_gadget_drivers(udc);
if (ret) if (ret)
goto err5; goto err_del_udc;
mutex_unlock(&udc_lock); mutex_unlock(&udc_lock);
return 0; return 0;
err5: err_del_udc:
device_del(&udc->dev); device_del(&udc->dev);
err4: err_unlist_udc:
list_del(&udc->list); list_del(&udc->list);
mutex_unlock(&udc_lock); mutex_unlock(&udc_lock);
err3:
put_device(&udc->dev);
device_del(&gadget->dev); device_del(&gadget->dev);
err2: err_put_udc:
kfree(udc); put_device(&udc->dev);
err1: err_put_gadget:
put_device(&gadget->dev); put_device(&gadget->dev);
return ret; return ret;
} }
......
...@@ -279,6 +279,8 @@ static int usb3503_probe(struct usb3503 *hub) ...@@ -279,6 +279,8 @@ static int usb3503_probe(struct usb3503 *hub)
if (gpio_is_valid(hub->gpio_reset)) { if (gpio_is_valid(hub->gpio_reset)) {
err = devm_gpio_request_one(dev, hub->gpio_reset, err = devm_gpio_request_one(dev, hub->gpio_reset,
GPIOF_OUT_INIT_LOW, "usb3503 reset"); GPIOF_OUT_INIT_LOW, "usb3503 reset");
/* Datasheet defines a hardware reset to be at least 100us */
usleep_range(100, 10000);
if (err) { if (err) {
dev_err(dev, dev_err(dev,
"unable to request GPIO %d as reset pin (%d)\n", "unable to request GPIO %d as reset pin (%d)\n",
......
...@@ -1004,7 +1004,9 @@ static long mon_bin_ioctl(struct file *file, unsigned int cmd, unsigned long arg ...@@ -1004,7 +1004,9 @@ static long mon_bin_ioctl(struct file *file, unsigned int cmd, unsigned long arg
break; break;
case MON_IOCQ_RING_SIZE: case MON_IOCQ_RING_SIZE:
mutex_lock(&rp->fetch_lock);
ret = rp->b_size; ret = rp->b_size;
mutex_unlock(&rp->fetch_lock);
break; break;
case MON_IOCT_RING_SIZE: case MON_IOCT_RING_SIZE:
...@@ -1231,12 +1233,16 @@ static int mon_bin_vma_fault(struct vm_fault *vmf) ...@@ -1231,12 +1233,16 @@ static int mon_bin_vma_fault(struct vm_fault *vmf)
unsigned long offset, chunk_idx; unsigned long offset, chunk_idx;
struct page *pageptr; struct page *pageptr;
mutex_lock(&rp->fetch_lock);
offset = vmf->pgoff << PAGE_SHIFT; offset = vmf->pgoff << PAGE_SHIFT;
if (offset >= rp->b_size) if (offset >= rp->b_size) {
mutex_unlock(&rp->fetch_lock);
return VM_FAULT_SIGBUS; return VM_FAULT_SIGBUS;
}
chunk_idx = offset / CHUNK_SIZE; chunk_idx = offset / CHUNK_SIZE;
pageptr = rp->b_vec[chunk_idx].pg; pageptr = rp->b_vec[chunk_idx].pg;
get_page(pageptr); get_page(pageptr);
mutex_unlock(&rp->fetch_lock);
vmf->page = pageptr; vmf->page = pageptr;
return 0; return 0;
} }
......
...@@ -124,6 +124,7 @@ static const struct usb_device_id id_table[] = { ...@@ -124,6 +124,7 @@ static const struct usb_device_id id_table[] = {
{ USB_DEVICE(0x10C4, 0x8470) }, /* Juniper Networks BX Series System Console */ { USB_DEVICE(0x10C4, 0x8470) }, /* Juniper Networks BX Series System Console */
{ USB_DEVICE(0x10C4, 0x8477) }, /* Balluff RFID */ { USB_DEVICE(0x10C4, 0x8477) }, /* Balluff RFID */
{ USB_DEVICE(0x10C4, 0x84B6) }, /* Starizona Hyperion */ { USB_DEVICE(0x10C4, 0x84B6) }, /* Starizona Hyperion */
{ USB_DEVICE(0x10C4, 0x85A7) }, /* LifeScan OneTouch Verio IQ */
{ USB_DEVICE(0x10C4, 0x85EA) }, /* AC-Services IBUS-IF */ { USB_DEVICE(0x10C4, 0x85EA) }, /* AC-Services IBUS-IF */
{ USB_DEVICE(0x10C4, 0x85EB) }, /* AC-Services CIS-IBUS */ { USB_DEVICE(0x10C4, 0x85EB) }, /* AC-Services CIS-IBUS */
{ USB_DEVICE(0x10C4, 0x85F8) }, /* Virtenio Preon32 */ { USB_DEVICE(0x10C4, 0x85F8) }, /* Virtenio Preon32 */
...@@ -174,6 +175,7 @@ static const struct usb_device_id id_table[] = { ...@@ -174,6 +175,7 @@ static const struct usb_device_id id_table[] = {
{ USB_DEVICE(0x1843, 0x0200) }, /* Vaisala USB Instrument Cable */ { USB_DEVICE(0x1843, 0x0200) }, /* Vaisala USB Instrument Cable */
{ USB_DEVICE(0x18EF, 0xE00F) }, /* ELV USB-I2C-Interface */ { USB_DEVICE(0x18EF, 0xE00F) }, /* ELV USB-I2C-Interface */
{ USB_DEVICE(0x18EF, 0xE025) }, /* ELV Marble Sound Board 1 */ { USB_DEVICE(0x18EF, 0xE025) }, /* ELV Marble Sound Board 1 */
{ USB_DEVICE(0x18EF, 0xE030) }, /* ELV ALC 8xxx Battery Charger */
{ USB_DEVICE(0x18EF, 0xE032) }, /* ELV TFD500 Data Logger */ { USB_DEVICE(0x18EF, 0xE032) }, /* ELV TFD500 Data Logger */
{ USB_DEVICE(0x1901, 0x0190) }, /* GE B850 CP2105 Recorder interface */ { USB_DEVICE(0x1901, 0x0190) }, /* GE B850 CP2105 Recorder interface */
{ USB_DEVICE(0x1901, 0x0193) }, /* GE B650 CP2104 PMC interface */ { USB_DEVICE(0x1901, 0x0193) }, /* GE B650 CP2104 PMC interface */
......
...@@ -143,6 +143,13 @@ UNUSUAL_DEV(0x2109, 0x0711, 0x0000, 0x9999, ...@@ -143,6 +143,13 @@ UNUSUAL_DEV(0x2109, 0x0711, 0x0000, 0x9999,
USB_SC_DEVICE, USB_PR_DEVICE, NULL, USB_SC_DEVICE, USB_PR_DEVICE, NULL,
US_FL_NO_ATA_1X), US_FL_NO_ATA_1X),
/* Reported-by: Icenowy Zheng <icenowy@aosc.io> */
UNUSUAL_DEV(0x2537, 0x1068, 0x0000, 0x9999,
"Norelsys",
"NS1068X",
USB_SC_DEVICE, USB_PR_DEVICE, NULL,
US_FL_IGNORE_UAS),
/* Reported-by: Takeo Nakayama <javhera@gmx.com> */ /* Reported-by: Takeo Nakayama <javhera@gmx.com> */
UNUSUAL_DEV(0x357d, 0x7788, 0x0000, 0x9999, UNUSUAL_DEV(0x357d, 0x7788, 0x0000, 0x9999,
"JMicron", "JMicron",
......
...@@ -91,7 +91,7 @@ static void usbip_dump_usb_device(struct usb_device *udev) ...@@ -91,7 +91,7 @@ static void usbip_dump_usb_device(struct usb_device *udev)
dev_dbg(dev, " devnum(%d) devpath(%s) usb speed(%s)", dev_dbg(dev, " devnum(%d) devpath(%s) usb speed(%s)",
udev->devnum, udev->devpath, usb_speed_string(udev->speed)); udev->devnum, udev->devpath, usb_speed_string(udev->speed));
pr_debug("tt %p, ttport %d\n", udev->tt, udev->ttport); pr_debug("tt hub ttport %d\n", udev->ttport);
dev_dbg(dev, " "); dev_dbg(dev, " ");
for (i = 0; i < 16; i++) for (i = 0; i < 16; i++)
...@@ -124,12 +124,8 @@ static void usbip_dump_usb_device(struct usb_device *udev) ...@@ -124,12 +124,8 @@ static void usbip_dump_usb_device(struct usb_device *udev)
} }
pr_debug("\n"); pr_debug("\n");
dev_dbg(dev, "parent %p, bus %p\n", udev->parent, udev->bus); dev_dbg(dev, "parent %s, bus %s\n", dev_name(&udev->parent->dev),
udev->bus->bus_name);
dev_dbg(dev,
"descriptor %p, config %p, actconfig %p, rawdescriptors %p\n",
&udev->descriptor, udev->config,
udev->actconfig, udev->rawdescriptors);
dev_dbg(dev, "have_langid %d, string_langid %d\n", dev_dbg(dev, "have_langid %d, string_langid %d\n",
udev->have_langid, udev->string_langid); udev->have_langid, udev->string_langid);
...@@ -237,9 +233,6 @@ void usbip_dump_urb(struct urb *urb) ...@@ -237,9 +233,6 @@ void usbip_dump_urb(struct urb *urb)
dev = &urb->dev->dev; dev = &urb->dev->dev;
dev_dbg(dev, " urb :%p\n", urb);
dev_dbg(dev, " dev :%p\n", urb->dev);
usbip_dump_usb_device(urb->dev); usbip_dump_usb_device(urb->dev);
dev_dbg(dev, " pipe :%08x ", urb->pipe); dev_dbg(dev, " pipe :%08x ", urb->pipe);
...@@ -248,11 +241,9 @@ void usbip_dump_urb(struct urb *urb) ...@@ -248,11 +241,9 @@ void usbip_dump_urb(struct urb *urb)
dev_dbg(dev, " status :%d\n", urb->status); dev_dbg(dev, " status :%d\n", urb->status);
dev_dbg(dev, " transfer_flags :%08X\n", urb->transfer_flags); dev_dbg(dev, " transfer_flags :%08X\n", urb->transfer_flags);
dev_dbg(dev, " transfer_buffer :%p\n", urb->transfer_buffer);
dev_dbg(dev, " transfer_buffer_length:%d\n", dev_dbg(dev, " transfer_buffer_length:%d\n",
urb->transfer_buffer_length); urb->transfer_buffer_length);
dev_dbg(dev, " actual_length :%d\n", urb->actual_length); dev_dbg(dev, " actual_length :%d\n", urb->actual_length);
dev_dbg(dev, " setup_packet :%p\n", urb->setup_packet);
if (urb->setup_packet && usb_pipetype(urb->pipe) == PIPE_CONTROL) if (urb->setup_packet && usb_pipetype(urb->pipe) == PIPE_CONTROL)
usbip_dump_usb_ctrlrequest( usbip_dump_usb_ctrlrequest(
...@@ -262,8 +253,6 @@ void usbip_dump_urb(struct urb *urb) ...@@ -262,8 +253,6 @@ void usbip_dump_urb(struct urb *urb)
dev_dbg(dev, " number_of_packets :%d\n", urb->number_of_packets); dev_dbg(dev, " number_of_packets :%d\n", urb->number_of_packets);
dev_dbg(dev, " interval :%d\n", urb->interval); dev_dbg(dev, " interval :%d\n", urb->interval);
dev_dbg(dev, " error_count :%d\n", urb->error_count); dev_dbg(dev, " error_count :%d\n", urb->error_count);
dev_dbg(dev, " context :%p\n", urb->context);
dev_dbg(dev, " complete :%p\n", urb->complete);
} }
EXPORT_SYMBOL_GPL(usbip_dump_urb); EXPORT_SYMBOL_GPL(usbip_dump_urb);
......
...@@ -120,6 +120,25 @@ static int v_recv_cmd_submit(struct vudc *udc, ...@@ -120,6 +120,25 @@ static int v_recv_cmd_submit(struct vudc *udc,
urb_p->new = 1; urb_p->new = 1;
urb_p->seqnum = pdu->base.seqnum; urb_p->seqnum = pdu->base.seqnum;
if (urb_p->ep->type == USB_ENDPOINT_XFER_ISOC) {
/* validate packet size and number of packets */
unsigned int maxp, packets, bytes;
maxp = usb_endpoint_maxp(urb_p->ep->desc);
maxp *= usb_endpoint_maxp_mult(urb_p->ep->desc);
bytes = pdu->u.cmd_submit.transfer_buffer_length;
packets = DIV_ROUND_UP(bytes, maxp);
if (pdu->u.cmd_submit.number_of_packets < 0 ||
pdu->u.cmd_submit.number_of_packets > packets) {
dev_err(&udc->gadget.dev,
"CMD_SUBMIT: isoc invalid num packets %d\n",
pdu->u.cmd_submit.number_of_packets);
ret = -EMSGSIZE;
goto free_urbp;
}
}
ret = alloc_urb_from_cmd(&urb_p->urb, pdu, urb_p->ep->type); ret = alloc_urb_from_cmd(&urb_p->urb, pdu, urb_p->ep->type);
if (ret) { if (ret) {
usbip_event_add(&udc->ud, VUDC_EVENT_ERROR_MALLOC); usbip_event_add(&udc->ud, VUDC_EVENT_ERROR_MALLOC);
......
...@@ -85,6 +85,13 @@ static int v_send_ret_submit(struct vudc *udc, struct urbp *urb_p) ...@@ -85,6 +85,13 @@ static int v_send_ret_submit(struct vudc *udc, struct urbp *urb_p)
memset(&pdu_header, 0, sizeof(pdu_header)); memset(&pdu_header, 0, sizeof(pdu_header));
memset(&msg, 0, sizeof(msg)); memset(&msg, 0, sizeof(msg));
if (urb->actual_length > 0 && !urb->transfer_buffer) {
dev_err(&udc->gadget.dev,
"urb: actual_length %d transfer_buffer null\n",
urb->actual_length);
return -1;
}
if (urb_p->type == USB_ENDPOINT_XFER_ISOC) if (urb_p->type == USB_ENDPOINT_XFER_ISOC)
iovnum = 2 + urb->number_of_packets; iovnum = 2 + urb->number_of_packets;
else else
...@@ -100,8 +107,8 @@ static int v_send_ret_submit(struct vudc *udc, struct urbp *urb_p) ...@@ -100,8 +107,8 @@ static int v_send_ret_submit(struct vudc *udc, struct urbp *urb_p)
/* 1. setup usbip_header */ /* 1. setup usbip_header */
setup_ret_submit_pdu(&pdu_header, urb_p); setup_ret_submit_pdu(&pdu_header, urb_p);
usbip_dbg_stub_tx("setup txdata seqnum: %d urb: %p\n", usbip_dbg_stub_tx("setup txdata seqnum: %d\n",
pdu_header.base.seqnum, urb); pdu_header.base.seqnum);
usbip_header_correct_endian(&pdu_header, 1); usbip_header_correct_endian(&pdu_header, 1);
iov[iovnum].iov_base = &pdu_header; iov[iovnum].iov_base = &pdu_header;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment