1. 05 Jan, 2017 3 commits
    • Bin Liu's avatar
      usb: musb: dsps: implement clear_ep_rxintr() callback · c48400ba
      Bin Liu authored
      During dma teardown for dequque urb, if musb load is high, musb might
      generate bogus rx ep interrupt even when the rx fifo is flushed. In such
      case any of the follow log messages could happen.
      
          musb_host_rx 1853: BOGUS RX2 ready, csr 0000, count 0
      
          musb_host_rx 1936: RX3 dma busy, csr 2020
      
      As mentioned in the current inline comment, clearing ep interrupt in the
      teardown path avoids the bogus interrupt, so implement clear_ep_rxintr()
      callback.
      
      This bug seems to be existing since the initial driver for musb support,
      but I only validated the fix back to v4.1, so only cc stable for v4.1+.
      
      cc: stable@vger.kernel.org # 4.1+
      Signed-off-by: default avatarBin Liu <b-liu@ti.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c48400ba
    • Bin Liu's avatar
      usb: musb: core: add clear_ep_rxintr() to musb_platform_ops · 6def85a3
      Bin Liu authored
      During dma teardown for dequque urb, if musb load is high, musb might
      generate bogus rx ep interrupt even when the rx fifo is flushed. In such
      case any of the follow log messages could happen.
      
      	musb_host_rx 1853: BOGUS RX2 ready, csr 0000, count 0
      
      	musb_host_rx 1936: RX3 dma busy, csr 2020
      
      As mentioned in the current inline comment, clearing ep interrupt in the
      teardown path avoids the bogus interrupt.
      
      Clearing ep interrupt is platform dependent, so this patch adds a
      platform callback to allow glue driver to clear the ep interrupt.
      
      This bug seems to be existing since the initial driver for musb support,
      but I only validated the fix back to v4.1, so only cc stable for v4.1+.
      
      cc: stable@vger.kernel.org # 4.1+
      Signed-off-by: default avatarBin Liu <b-liu@ti.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6def85a3
    • Greg Kroah-Hartman's avatar
      Merge tag 'usb-serial-4.10-rc3' of... · c8d204b3
      Greg Kroah-Hartman authored
      Merge tag 'usb-serial-4.10-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/johan/usb-serial into usb-linus
      
      Johan writes:
      
      USB-serial fixes for v4.10-rc3
      
      These fixes address a number of long-standing issues in various
      USB-serial drivers which would lead to crashes should a malicious device
      lack the expected endpoints.
      
      Included are also a few related fixes, and a couple of unrelated ones
      that were found during my survey (e.g. a memleak and a
      sleep-while-atomic).
      
      A compiler warning revealed an error-handling issue in the new f81534
      driver which is also fixed.
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      c8d204b3
  2. 04 Jan, 2017 24 commits
    • Johan Hovold's avatar
      USB: serial: ti_usb_3410_5052: fix NULL-deref at open · ef079936
      Johan Hovold authored
      Fix NULL-pointer dereference in open() should a malicious device lack
      the expected endpoints:
      
      Unable to handle kernel NULL pointer dereference at virtual address 00000030
      ..
      [<bf06a6b0>] (ti_open [ti_usb_3410_5052]) from [<bf02e118>] (serial_port_activate+0x68/0x98 [usbserial])
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      ef079936
    • Johan Hovold's avatar
      USB: serial: spcp8x5: fix NULL-deref at open · cc090924
      Johan Hovold authored
      Fix NULL-pointer dereference in open() should the device lack the
      expected endpoints:
      
      Unable to handle kernel NULL pointer dereference at virtual address 00000030
      ...
      PC is at spcp8x5_open+0x30/0xd0 [spcp8x5]
      
      Fixes: 619a6f1d ("USB: add usb-serial spcp8x5 driver")
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      cc090924
    • Johan Hovold's avatar
      USB: serial: quatech2: fix sleep-while-atomic in close · f09d1886
      Johan Hovold authored
      The write URB was being killed using the synchronous interface while
      holding a spin lock in close().
      
      Simply drop the lock and busy-flag update, something which would have
      been taken care of by the completion handler if the URB was in flight.
      
      Fixes: f7a33e60 ("USB: serial: add quatech2 usb to serial driver")
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      f09d1886
    • Johan Hovold's avatar
      USB: serial: pl2303: fix NULL-deref at open · 76ab439e
      Johan Hovold authored
      Fix NULL-pointer dereference in open() should a type-0 or type-1 device
      lack the expected endpoints:
      
      Unable to handle kernel NULL pointer dereference at virtual address 00000030
      ...
      PC is at pl2303_open+0x38/0xec [pl2303]
      
      Note that a missing interrupt-in endpoint would have caused open() to
      fail.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      76ab439e
    • Johan Hovold's avatar
      USB: serial: oti6858: fix NULL-deref at open · 5afeef23
      Johan Hovold authored
      Fix NULL-pointer dereference in open() should the device lack the
      expected endpoints:
      
      Unable to handle kernel NULL pointer dereference at virtual address 00000030
      ...
      PC is at oti6858_open+0x30/0x1d0 [oti6858]
      
      Note that a missing interrupt-in endpoint would have caused open() to
      fail.
      
      Fixes: 49cdee0e ("USB: oti6858 usb-serial driver (in Nokia CA-42
      cable)")
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      5afeef23
    • Johan Hovold's avatar
      USB: serial: omninet: fix NULL-derefs at open and disconnect · a5bc0194
      Johan Hovold authored
      Fix NULL-pointer dereferences at open() and disconnect() should the
      device lack the expected bulk-out endpoints:
      
      Unable to handle kernel NULL pointer dereference at virtual address 000000b4
      ...
      [c0170ff0>] (__lock_acquire) from [<c0172f00>] (lock_acquire+0x108/0x264)
      [<c0172f00>] (lock_acquire) from [<c06a5090>] (_raw_spin_lock_irqsave+0x58/0x6c)
      [<c06a5090>] (_raw_spin_lock_irqsave) from [<c0470684>] (tty_port_tty_set+0x28/0xa4)
      [<c0470684>] (tty_port_tty_set) from [<bf08d384>] (omninet_open+0x30/0x40 [omninet])
      [<bf08d384>] (omninet_open [omninet]) from [<bf07c118>] (serial_port_activate+0x68/0x98 [usbserial])
      
      Unable to handle kernel NULL pointer dereference at virtual address 00000234
      ...
      [<bf01f418>] (omninet_disconnect [omninet]) from [<bf0016c0>] (usb_serial_disconnect+0xe4/0x100 [usbserial])
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      a5bc0194
    • Johan Hovold's avatar
      USB: serial: mos7840: fix misleading interrupt-URB comment · 472d7e55
      Johan Hovold authored
      The interrupt URB is killed at final port close since commit
      0de9a702 ("USB: overhaul of mos7840 driver").
      
      Fixes: 0de9a702 ("USB: overhaul of mos7840 driver")
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      472d7e55
    • Johan Hovold's avatar
      USB: serial: mos7840: remove unused write URB · fc43e651
      Johan Hovold authored
      Remove code to manage a write URB that was never allocated.
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      fc43e651
    • Johan Hovold's avatar
      USB: serial: mos7840: fix NULL-deref at open · 5c75633e
      Johan Hovold authored
      Fix NULL-pointer dereference in open() should the device lack the
      expected endpoints:
      
      Unable to handle kernel NULL pointer dereference at virtual address 00000030
      ...
      PC is at mos7840_open+0x88/0x8dc [mos7840]
      
      Note that we continue to treat the interrupt-in endpoint as optional for
      now.
      
      Fixes: 3f542974 ("USB: Moschip 7840 USB-Serial Driver")
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      5c75633e
    • Johan Hovold's avatar
      USB: serial: mos7720: remove obsolete port initialisation · 9da049bc
      Johan Hovold authored
      Since commit b69578df ("USB: usbserial: mos7720: add support for
      parallel port on moschip 7715"), the interrupt urb is no longer
      submitted at first port open and the endpoint-address initialisation at
      port-probe is no longer used.
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      9da049bc
    • Johan Hovold's avatar
      USB: serial: mos7720: fix parallel probe · fde1faf8
      Johan Hovold authored
      A static usb-serial-driver structure that is used to initialise the
      interrupt URB was modified during probe depending on the currently
      probed device type, something which could break a parallel probe of a
      device of a different type.
      
      Fix this up by overriding the default completion callback for MCS7715
      devices in attach() instead. We may want to use two usb-serial driver
      instances for the two types later.
      
      Fixes: fb088e33 ("USB: serial: add support for serial port on the
      moschip 7715")
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      fde1faf8
    • Johan Hovold's avatar
      USB: serial: mos7720: fix parport use-after-free on probe errors · 75dd211e
      Johan Hovold authored
      Do not submit the interrupt URB until after the parport has been
      successfully registered to avoid another use-after-free in the
      completion handler when accessing the freed parport private data in case
      of a racing completion.
      
      Fixes: b69578df ("USB: usbserial: mos7720: add support for parallel
      port on moschip 7715")
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      75dd211e
    • Johan Hovold's avatar
      USB: serial: mos7720: fix use-after-free on probe errors · 91a1ff4d
      Johan Hovold authored
      The interrupt URB was submitted on probe but never stopped on probe
      errors. This can lead to use-after-free issues in the completion
      handler when accessing the freed usb-serial struct:
      
      Unable to handle kernel paging request at virtual address 6b6b6be7
      ...
      [<bf052e70>] (mos7715_interrupt_callback [mos7720]) from [<c052a894>] (__usb_hcd_giveback_urb+0x80/0x140)
      [<c052a894>] (__usb_hcd_giveback_urb) from [<c052a9a4>] (usb_hcd_giveback_urb+0x50/0x138)
      [<c052a9a4>] (usb_hcd_giveback_urb) from [<c0550684>] (musb_giveback+0xc8/0x1cc)
      
      Fixes: b69578df ("USB: usbserial: mos7720: add support for parallel
      port on moschip 7715")
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      91a1ff4d
    • Johan Hovold's avatar
      USB: serial: mos7720: fix NULL-deref at open · b05aebc2
      Johan Hovold authored
      Fix NULL-pointer dereference at port open if a device lacks the expected
      bulk in and out endpoints.
      
      Unable to handle kernel NULL pointer dereference at virtual address 00000030
      ...
      [<bf071c20>] (mos7720_open [mos7720]) from [<bf0490e0>] (serial_port_activate+0x68/0x98 [usbserial])
      [<bf0490e0>] (serial_port_activate [usbserial]) from [<c0470ca4>] (tty_port_open+0x9c/0xe8)
      [<c0470ca4>] (tty_port_open) from [<bf049d98>] (serial_open+0x48/0x6c [usbserial])
      [<bf049d98>] (serial_open [usbserial]) from [<c0469178>] (tty_open+0xcc/0x5cc)
      
      Fixes: 0f64478c ("USB: add USB serial mos7720 driver")
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      b05aebc2
    • Johan Hovold's avatar
      USB: serial: kobil_sct: fix NULL-deref in write · 21ce5784
      Johan Hovold authored
      Fix NULL-pointer dereference in write() should the device lack the
      expected interrupt-out endpoint:
      
      Unable to handle kernel NULL pointer dereference at virtual address 00000054
      ...
      PC is at kobil_write+0x144/0x2a0 [kobil_sct]
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      21ce5784
    • Johan Hovold's avatar
      USB: serial: keyspan_pda: verify endpoints at probe · 5d9b0f85
      Johan Hovold authored
      Check for the expected endpoints in attach() and fail loudly if not
      present.
      
      Note that failing to do this appears to be benign since da280e34
      ("USB: keyspan_pda: clean up write-urb busy handling") which prevents a
      NULL-pointer dereference in write() by never marking a non-existent
      write-urb as free.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Cc: stable <stable@vger.kernel.org>	# < v3.3
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      5d9b0f85
    • Johan Hovold's avatar
      USB: serial: iuu_phoenix: fix NULL-deref at open · 90507d54
      Johan Hovold authored
      Fix NULL-pointer dereference at open should the device lack a bulk-in or
      bulk-out endpoint:
      
      Unable to handle kernel NULL pointer dereference at virtual address 00000030
      ...
      PC is at iuu_open+0x78/0x59c [iuu_phoenix]
      
      Fixes: 07c3b1a1 ("USB: remove broken usb-serial num_endpoints
      check")
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      90507d54
    • Johan Hovold's avatar
      USB: serial: io_ti: bind to interface after fw download · e35d6d7c
      Johan Hovold authored
      Bind to the interface, but do not register any ports, after having
      downloaded the firmware. The device will still disconnect and
      re-enumerate, but this way we avoid an error messages from being logged
      as part of the process:
      
      io_ti: probe of 1-1.3:1.0 failed with error -5
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      e35d6d7c
    • Johan Hovold's avatar
      USB: serial: io_ti: fix I/O after disconnect · 2330d0a8
      Johan Hovold authored
      Cancel the heartbeat work on driver unbind in order to avoid I/O after
      disconnect in case the port is held open.
      
      Note that the cancel in release() is still needed to stop the heartbeat
      after late probe errors.
      
      Fixes: 26c78daa ("USB: io_ti: Add heartbeat to keep idle EP/416
      ports from disconnecting")
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      2330d0a8
    • Johan Hovold's avatar
      USB: serial: io_ti: fix another NULL-deref at open · 4f9785cc
      Johan Hovold authored
      In case a device is left in "boot-mode" we must not register any port
      devices in order to avoid a NULL-pointer dereference on open due to
      missing endpoints. This could be used by a malicious device to trigger
      an OOPS:
      
      Unable to handle kernel NULL pointer dereference at virtual address 00000030
      ...
      [<bf0caa84>] (edge_open [io_ti]) from [<bf0b0118>] (serial_port_activate+0x68/0x98 [usbserial])
      [<bf0b0118>] (serial_port_activate [usbserial]) from [<c0470ca4>] (tty_port_open+0x9c/0xe8)
      [<c0470ca4>] (tty_port_open) from [<bf0b0da0>] (serial_open+0x48/0x6c [usbserial])
      [<bf0b0da0>] (serial_open [usbserial]) from [<c0469178>] (tty_open+0xcc/0x5cc)
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      4f9785cc
    • Johan Hovold's avatar
      USB: serial: io_ti: fix NULL-deref at open · a323fefc
      Johan Hovold authored
      Fix NULL-pointer dereference when clearing halt at open should a
      malicious device lack the expected endpoints when in download mode.
      
      Unable to handle kernel NULL pointer dereference at virtual address 00000030
      ...
      [<bf011ed8>] (edge_open [io_ti]) from [<bf000118>] (serial_port_activate+0x68/0x98 [usbserial])
      [<bf000118>] (serial_port_activate [usbserial]) from [<c0470ca4>] (tty_port_open+0x9c/0xe8)
      [<c0470ca4>] (tty_port_open) from [<bf000da0>] (serial_open+0x48/0x6c [usbserial])
      [<bf000da0>] (serial_open [usbserial]) from [<c0469178>] (tty_open+0xcc/0x5cc)
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      a323fefc
    • Johan Hovold's avatar
      USB: serial: io_edgeport: fix NULL-deref at open · 0dd40842
      Johan Hovold authored
      Fix NULL-pointer dereference when initialising URBs at open should a
      non-EPIC device lack a bulk-in or interrupt-in endpoint.
      
      Unable to handle kernel NULL pointer dereference at virtual address 00000028
      ...
      PC is at edge_open+0x24c/0x3e8 [io_edgeport]
      
      Note that the EPIC-device probe path has the required sanity checks so
      this makes those checks partially redundant.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      0dd40842
    • Johan Hovold's avatar
      USB: serial: garmin_gps: fix memory leak on failed URB submit · c4ac4496
      Johan Hovold authored
      Make sure to free the URB transfer buffer in case submission fails (e.g.
      due to a disconnect).
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      c4ac4496
    • Johan Hovold's avatar
      USB: serial: cyberjack: fix NULL-deref at open · 3dca0111
      Johan Hovold authored
      Fix NULL-pointer dereference when clearing halt at open should the device
      lack a bulk-out endpoint.
      
      Unable to handle kernel NULL pointer dereference at virtual address 00000030
      ...
      PC is at cyberjack_open+0x40/0x9c [cyberjack]
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      3dca0111
  3. 03 Jan, 2017 13 commits