USB fixes for 4.15-rc8
Here are some small USB fixes and device ids for 4.15-rc8 Nothing major, small fixes for various devices, some resolutions for bugs found by fuzzers, and the usual handful of new device ids. All of these have been in linux-next with no reported issues. Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> -----BEGIN PGP SIGNATURE----- iG0EABECAC0WIQT0tgzFv3jCIUoxPcsxR9QN2y37KQUCWlpsFw8cZ3JlZ0Brcm9h aC5jb20ACgkQMUfUDdst+ylJKQCgsPvjc28iHycd//TY0XyXIAqd3VoAn0CsuoGz evubxegyFv0f2XcRbiaQ =WIUz -----END PGP SIGNATURE----- Merge tag 'usb-4.15-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb Pull USB fixes from Greg KH: "Here are some small USB fixes and device ids for 4.15-rc8 Nothing major, small fixes for various devices, some resolutions for bugs found by fuzzers, and the usual handful of new device ids. All of these have been in linux-next with no reported issues" * tag 'usb-4.15-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: Documentation: usb: fix typo in UVC gadgetfs config command usb: misc: usb3503: make sure reset is low for at least 100us uas: ignore UAS for Norelsys NS1068(X) chips USB: UDC core: fix double-free in usb_add_gadget_udc_release USB: fix usbmon BUG trigger usbip: vudc_tx: fix v_send_ret_submit() vulnerability to null xfer buffer usbip: remove kernel addresses from usb device and urb debug msgs usbip: fix vudc_rx: harden CMD_SUBMIT path to handle malicious input USB: serial: cp210x: add new device ID ELV ALC 8xxx USB: serial: cp210x: add IDs for LifeScan OneTouch Verio IQ
This commit is contained in:
Linus Torvalds
commit
2c1cfa4990
|
|
@ -693,7 +693,7 @@ such specification consists of a number of lines with an inverval value
|
||||||
in each line. The rules stated above are best illustrated with an example:
|
in each line. The rules stated above are best illustrated with an example:
|
||||||
|
|
||||||
# mkdir functions/uvc.usb0/control/header/h
|
# mkdir functions/uvc.usb0/control/header/h
|
||||||
# cd functions/uvc.usb0/control/header/h
|
# cd functions/uvc.usb0/control/
|
||||||
# ln -s header/h class/fs
|
# ln -s header/h class/fs
|
||||||
# ln -s header/h class/ss
|
# ln -s header/h class/ss
|
||||||
# mkdir -p functions/uvc.usb0/streaming/uncompressed/u/360p
|
# mkdir -p functions/uvc.usb0/streaming/uncompressed/u/360p
|
||||||
|
|
|
||||||
|
|
@ -1147,11 +1147,7 @@ int usb_add_gadget_udc_release(struct device *parent, struct usb_gadget *gadget,
|
||||||
|
|
||||||
udc = kzalloc(sizeof(*udc), GFP_KERNEL);
|
udc = kzalloc(sizeof(*udc), GFP_KERNEL);
|
||||||
if (!udc)
|
if (!udc)
|
||||||
goto err1;
|
goto err_put_gadget;
|
||||||
|
|
||||||
ret = device_add(&gadget->dev);
|
|
||||||
if (ret)
|
|
||||||
goto err2;
|
|
||||||
|
|
||||||
device_initialize(&udc->dev);
|
device_initialize(&udc->dev);
|
||||||
udc->dev.release = usb_udc_release;
|
udc->dev.release = usb_udc_release;
|
||||||
|
|
@ -1160,7 +1156,11 @@ int usb_add_gadget_udc_release(struct device *parent, struct usb_gadget *gadget,
|
||||||
udc->dev.parent = parent;
|
udc->dev.parent = parent;
|
||||||
ret = dev_set_name(&udc->dev, "%s", kobject_name(&parent->kobj));
|
ret = dev_set_name(&udc->dev, "%s", kobject_name(&parent->kobj));
|
||||||
if (ret)
|
if (ret)
|
||||||
goto err3;
|
goto err_put_udc;
|
||||||
|
|
||||||
|
ret = device_add(&gadget->dev);
|
||||||
|
if (ret)
|
||||||
|
goto err_put_udc;
|
||||||
|
|
||||||
udc->gadget = gadget;
|
udc->gadget = gadget;
|
||||||
gadget->udc = udc;
|
gadget->udc = udc;
|
||||||
|
|
@ -1170,7 +1170,7 @@ int usb_add_gadget_udc_release(struct device *parent, struct usb_gadget *gadget,
|
||||||
|
|
||||||
ret = device_add(&udc->dev);
|
ret = device_add(&udc->dev);
|
||||||
if (ret)
|
if (ret)
|
||||||
goto err4;
|
goto err_unlist_udc;
|
||||||
|
|
||||||
usb_gadget_set_state(gadget, USB_STATE_NOTATTACHED);
|
usb_gadget_set_state(gadget, USB_STATE_NOTATTACHED);
|
||||||
udc->vbus = true;
|
udc->vbus = true;
|
||||||
|
|
@ -1178,27 +1178,25 @@ int usb_add_gadget_udc_release(struct device *parent, struct usb_gadget *gadget,
|
||||||
/* pick up one of pending gadget drivers */
|
/* pick up one of pending gadget drivers */
|
||||||
ret = check_pending_gadget_drivers(udc);
|
ret = check_pending_gadget_drivers(udc);
|
||||||
if (ret)
|
if (ret)
|
||||||
goto err5;
|
goto err_del_udc;
|
||||||
|
|
||||||
mutex_unlock(&udc_lock);
|
mutex_unlock(&udc_lock);
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
err5:
|
err_del_udc:
|
||||||
device_del(&udc->dev);
|
device_del(&udc->dev);
|
||||||
|
|
||||||
err4:
|
err_unlist_udc:
|
||||||
list_del(&udc->list);
|
list_del(&udc->list);
|
||||||
mutex_unlock(&udc_lock);
|
mutex_unlock(&udc_lock);
|
||||||
|
|
||||||
err3:
|
|
||||||
put_device(&udc->dev);
|
|
||||||
device_del(&gadget->dev);
|
device_del(&gadget->dev);
|
||||||
|
|
||||||
err2:
|
err_put_udc:
|
||||||
kfree(udc);
|
put_device(&udc->dev);
|
||||||
|
|
||||||
err1:
|
err_put_gadget:
|
||||||
put_device(&gadget->dev);
|
put_device(&gadget->dev);
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -279,6 +279,8 @@ static int usb3503_probe(struct usb3503 *hub)
|
||||||
if (gpio_is_valid(hub->gpio_reset)) {
|
if (gpio_is_valid(hub->gpio_reset)) {
|
||||||
err = devm_gpio_request_one(dev, hub->gpio_reset,
|
err = devm_gpio_request_one(dev, hub->gpio_reset,
|
||||||
GPIOF_OUT_INIT_LOW, "usb3503 reset");
|
GPIOF_OUT_INIT_LOW, "usb3503 reset");
|
||||||
|
/* Datasheet defines a hardware reset to be at least 100us */
|
||||||
|
usleep_range(100, 10000);
|
||||||
if (err) {
|
if (err) {
|
||||||
dev_err(dev,
|
dev_err(dev,
|
||||||
"unable to request GPIO %d as reset pin (%d)\n",
|
"unable to request GPIO %d as reset pin (%d)\n",
|
||||||
|
|
|
||||||
|
|
@ -1004,7 +1004,9 @@ static long mon_bin_ioctl(struct file *file, unsigned int cmd, unsigned long arg
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case MON_IOCQ_RING_SIZE:
|
case MON_IOCQ_RING_SIZE:
|
||||||
|
mutex_lock(&rp->fetch_lock);
|
||||||
ret = rp->b_size;
|
ret = rp->b_size;
|
||||||
|
mutex_unlock(&rp->fetch_lock);
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case MON_IOCT_RING_SIZE:
|
case MON_IOCT_RING_SIZE:
|
||||||
|
|
@ -1231,12 +1233,16 @@ static int mon_bin_vma_fault(struct vm_fault *vmf)
|
||||||
unsigned long offset, chunk_idx;
|
unsigned long offset, chunk_idx;
|
||||||
struct page *pageptr;
|
struct page *pageptr;
|
||||||
|
|
||||||
|
mutex_lock(&rp->fetch_lock);
|
||||||
offset = vmf->pgoff << PAGE_SHIFT;
|
offset = vmf->pgoff << PAGE_SHIFT;
|
||||||
if (offset >= rp->b_size)
|
if (offset >= rp->b_size) {
|
||||||
|
mutex_unlock(&rp->fetch_lock);
|
||||||
return VM_FAULT_SIGBUS;
|
return VM_FAULT_SIGBUS;
|
||||||
|
}
|
||||||
chunk_idx = offset / CHUNK_SIZE;
|
chunk_idx = offset / CHUNK_SIZE;
|
||||||
pageptr = rp->b_vec[chunk_idx].pg;
|
pageptr = rp->b_vec[chunk_idx].pg;
|
||||||
get_page(pageptr);
|
get_page(pageptr);
|
||||||
|
mutex_unlock(&rp->fetch_lock);
|
||||||
vmf->page = pageptr;
|
vmf->page = pageptr;
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -124,6 +124,7 @@ static const struct usb_device_id id_table[] = {
|
||||||
{ USB_DEVICE(0x10C4, 0x8470) }, /* Juniper Networks BX Series System Console */
|
{ USB_DEVICE(0x10C4, 0x8470) }, /* Juniper Networks BX Series System Console */
|
||||||
{ USB_DEVICE(0x10C4, 0x8477) }, /* Balluff RFID */
|
{ USB_DEVICE(0x10C4, 0x8477) }, /* Balluff RFID */
|
||||||
{ USB_DEVICE(0x10C4, 0x84B6) }, /* Starizona Hyperion */
|
{ USB_DEVICE(0x10C4, 0x84B6) }, /* Starizona Hyperion */
|
||||||
|
{ USB_DEVICE(0x10C4, 0x85A7) }, /* LifeScan OneTouch Verio IQ */
|
||||||
{ USB_DEVICE(0x10C4, 0x85EA) }, /* AC-Services IBUS-IF */
|
{ USB_DEVICE(0x10C4, 0x85EA) }, /* AC-Services IBUS-IF */
|
||||||
{ USB_DEVICE(0x10C4, 0x85EB) }, /* AC-Services CIS-IBUS */
|
{ USB_DEVICE(0x10C4, 0x85EB) }, /* AC-Services CIS-IBUS */
|
||||||
{ USB_DEVICE(0x10C4, 0x85F8) }, /* Virtenio Preon32 */
|
{ USB_DEVICE(0x10C4, 0x85F8) }, /* Virtenio Preon32 */
|
||||||
|
|
@ -174,6 +175,7 @@ static const struct usb_device_id id_table[] = {
|
||||||
{ USB_DEVICE(0x1843, 0x0200) }, /* Vaisala USB Instrument Cable */
|
{ USB_DEVICE(0x1843, 0x0200) }, /* Vaisala USB Instrument Cable */
|
||||||
{ USB_DEVICE(0x18EF, 0xE00F) }, /* ELV USB-I2C-Interface */
|
{ USB_DEVICE(0x18EF, 0xE00F) }, /* ELV USB-I2C-Interface */
|
||||||
{ USB_DEVICE(0x18EF, 0xE025) }, /* ELV Marble Sound Board 1 */
|
{ USB_DEVICE(0x18EF, 0xE025) }, /* ELV Marble Sound Board 1 */
|
||||||
|
{ USB_DEVICE(0x18EF, 0xE030) }, /* ELV ALC 8xxx Battery Charger */
|
||||||
{ USB_DEVICE(0x18EF, 0xE032) }, /* ELV TFD500 Data Logger */
|
{ USB_DEVICE(0x18EF, 0xE032) }, /* ELV TFD500 Data Logger */
|
||||||
{ USB_DEVICE(0x1901, 0x0190) }, /* GE B850 CP2105 Recorder interface */
|
{ USB_DEVICE(0x1901, 0x0190) }, /* GE B850 CP2105 Recorder interface */
|
||||||
{ USB_DEVICE(0x1901, 0x0193) }, /* GE B650 CP2104 PMC interface */
|
{ USB_DEVICE(0x1901, 0x0193) }, /* GE B650 CP2104 PMC interface */
|
||||||
|
|
|
||||||
|
|
@ -143,6 +143,13 @@ UNUSUAL_DEV(0x2109, 0x0711, 0x0000, 0x9999,
|
||||||
USB_SC_DEVICE, USB_PR_DEVICE, NULL,
|
USB_SC_DEVICE, USB_PR_DEVICE, NULL,
|
||||||
US_FL_NO_ATA_1X),
|
US_FL_NO_ATA_1X),
|
||||||
|
|
||||||
|
/* Reported-by: Icenowy Zheng <icenowy@aosc.io> */
|
||||||
|
UNUSUAL_DEV(0x2537, 0x1068, 0x0000, 0x9999,
|
||||||
|
"Norelsys",
|
||||||
|
"NS1068X",
|
||||||
|
USB_SC_DEVICE, USB_PR_DEVICE, NULL,
|
||||||
|
US_FL_IGNORE_UAS),
|
||||||
|
|
||||||
/* Reported-by: Takeo Nakayama <javhera@gmx.com> */
|
/* Reported-by: Takeo Nakayama <javhera@gmx.com> */
|
||||||
UNUSUAL_DEV(0x357d, 0x7788, 0x0000, 0x9999,
|
UNUSUAL_DEV(0x357d, 0x7788, 0x0000, 0x9999,
|
||||||
"JMicron",
|
"JMicron",
|
||||||
|
|
|
||||||
|
|
@ -91,7 +91,7 @@ static void usbip_dump_usb_device(struct usb_device *udev)
|
||||||
dev_dbg(dev, " devnum(%d) devpath(%s) usb speed(%s)",
|
dev_dbg(dev, " devnum(%d) devpath(%s) usb speed(%s)",
|
||||||
udev->devnum, udev->devpath, usb_speed_string(udev->speed));
|
udev->devnum, udev->devpath, usb_speed_string(udev->speed));
|
||||||
|
|
||||||
pr_debug("tt %p, ttport %d\n", udev->tt, udev->ttport);
|
pr_debug("tt hub ttport %d\n", udev->ttport);
|
||||||
|
|
||||||
dev_dbg(dev, " ");
|
dev_dbg(dev, " ");
|
||||||
for (i = 0; i < 16; i++)
|
for (i = 0; i < 16; i++)
|
||||||
|
|
@ -124,12 +124,8 @@ static void usbip_dump_usb_device(struct usb_device *udev)
|
||||||
}
|
}
|
||||||
pr_debug("\n");
|
pr_debug("\n");
|
||||||
|
|
||||||
dev_dbg(dev, "parent %p, bus %p\n", udev->parent, udev->bus);
|
dev_dbg(dev, "parent %s, bus %s\n", dev_name(&udev->parent->dev),
|
||||||
|
udev->bus->bus_name);
|
||||||
dev_dbg(dev,
|
|
||||||
"descriptor %p, config %p, actconfig %p, rawdescriptors %p\n",
|
|
||||||
&udev->descriptor, udev->config,
|
|
||||||
udev->actconfig, udev->rawdescriptors);
|
|
||||||
|
|
||||||
dev_dbg(dev, "have_langid %d, string_langid %d\n",
|
dev_dbg(dev, "have_langid %d, string_langid %d\n",
|
||||||
udev->have_langid, udev->string_langid);
|
udev->have_langid, udev->string_langid);
|
||||||
|
|
@ -237,9 +233,6 @@ void usbip_dump_urb(struct urb *urb)
|
||||||
|
|
||||||
dev = &urb->dev->dev;
|
dev = &urb->dev->dev;
|
||||||
|
|
||||||
dev_dbg(dev, " urb :%p\n", urb);
|
|
||||||
dev_dbg(dev, " dev :%p\n", urb->dev);
|
|
||||||
|
|
||||||
usbip_dump_usb_device(urb->dev);
|
usbip_dump_usb_device(urb->dev);
|
||||||
|
|
||||||
dev_dbg(dev, " pipe :%08x ", urb->pipe);
|
dev_dbg(dev, " pipe :%08x ", urb->pipe);
|
||||||
|
|
@ -248,11 +241,9 @@ void usbip_dump_urb(struct urb *urb)
|
||||||
|
|
||||||
dev_dbg(dev, " status :%d\n", urb->status);
|
dev_dbg(dev, " status :%d\n", urb->status);
|
||||||
dev_dbg(dev, " transfer_flags :%08X\n", urb->transfer_flags);
|
dev_dbg(dev, " transfer_flags :%08X\n", urb->transfer_flags);
|
||||||
dev_dbg(dev, " transfer_buffer :%p\n", urb->transfer_buffer);
|
|
||||||
dev_dbg(dev, " transfer_buffer_length:%d\n",
|
dev_dbg(dev, " transfer_buffer_length:%d\n",
|
||||||
urb->transfer_buffer_length);
|
urb->transfer_buffer_length);
|
||||||
dev_dbg(dev, " actual_length :%d\n", urb->actual_length);
|
dev_dbg(dev, " actual_length :%d\n", urb->actual_length);
|
||||||
dev_dbg(dev, " setup_packet :%p\n", urb->setup_packet);
|
|
||||||
|
|
||||||
if (urb->setup_packet && usb_pipetype(urb->pipe) == PIPE_CONTROL)
|
if (urb->setup_packet && usb_pipetype(urb->pipe) == PIPE_CONTROL)
|
||||||
usbip_dump_usb_ctrlrequest(
|
usbip_dump_usb_ctrlrequest(
|
||||||
|
|
@ -262,8 +253,6 @@ void usbip_dump_urb(struct urb *urb)
|
||||||
dev_dbg(dev, " number_of_packets :%d\n", urb->number_of_packets);
|
dev_dbg(dev, " number_of_packets :%d\n", urb->number_of_packets);
|
||||||
dev_dbg(dev, " interval :%d\n", urb->interval);
|
dev_dbg(dev, " interval :%d\n", urb->interval);
|
||||||
dev_dbg(dev, " error_count :%d\n", urb->error_count);
|
dev_dbg(dev, " error_count :%d\n", urb->error_count);
|
||||||
dev_dbg(dev, " context :%p\n", urb->context);
|
|
||||||
dev_dbg(dev, " complete :%p\n", urb->complete);
|
|
||||||
}
|
}
|
||||||
EXPORT_SYMBOL_GPL(usbip_dump_urb);
|
EXPORT_SYMBOL_GPL(usbip_dump_urb);
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -120,6 +120,25 @@ static int v_recv_cmd_submit(struct vudc *udc,
|
||||||
urb_p->new = 1;
|
urb_p->new = 1;
|
||||||
urb_p->seqnum = pdu->base.seqnum;
|
urb_p->seqnum = pdu->base.seqnum;
|
||||||
|
|
||||||
|
if (urb_p->ep->type == USB_ENDPOINT_XFER_ISOC) {
|
||||||
|
/* validate packet size and number of packets */
|
||||||
|
unsigned int maxp, packets, bytes;
|
||||||
|
|
||||||
|
maxp = usb_endpoint_maxp(urb_p->ep->desc);
|
||||||
|
maxp *= usb_endpoint_maxp_mult(urb_p->ep->desc);
|
||||||
|
bytes = pdu->u.cmd_submit.transfer_buffer_length;
|
||||||
|
packets = DIV_ROUND_UP(bytes, maxp);
|
||||||
|
|
||||||
|
if (pdu->u.cmd_submit.number_of_packets < 0 ||
|
||||||
|
pdu->u.cmd_submit.number_of_packets > packets) {
|
||||||
|
dev_err(&udc->gadget.dev,
|
||||||
|
"CMD_SUBMIT: isoc invalid num packets %d\n",
|
||||||
|
pdu->u.cmd_submit.number_of_packets);
|
||||||
|
ret = -EMSGSIZE;
|
||||||
|
goto free_urbp;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
ret = alloc_urb_from_cmd(&urb_p->urb, pdu, urb_p->ep->type);
|
ret = alloc_urb_from_cmd(&urb_p->urb, pdu, urb_p->ep->type);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
usbip_event_add(&udc->ud, VUDC_EVENT_ERROR_MALLOC);
|
usbip_event_add(&udc->ud, VUDC_EVENT_ERROR_MALLOC);
|
||||||
|
|
|
||||||
|
|
@ -85,6 +85,13 @@ static int v_send_ret_submit(struct vudc *udc, struct urbp *urb_p)
|
||||||
memset(&pdu_header, 0, sizeof(pdu_header));
|
memset(&pdu_header, 0, sizeof(pdu_header));
|
||||||
memset(&msg, 0, sizeof(msg));
|
memset(&msg, 0, sizeof(msg));
|
||||||
|
|
||||||
|
if (urb->actual_length > 0 && !urb->transfer_buffer) {
|
||||||
|
dev_err(&udc->gadget.dev,
|
||||||
|
"urb: actual_length %d transfer_buffer null\n",
|
||||||
|
urb->actual_length);
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
if (urb_p->type == USB_ENDPOINT_XFER_ISOC)
|
if (urb_p->type == USB_ENDPOINT_XFER_ISOC)
|
||||||
iovnum = 2 + urb->number_of_packets;
|
iovnum = 2 + urb->number_of_packets;
|
||||||
else
|
else
|
||||||
|
|
@ -100,8 +107,8 @@ static int v_send_ret_submit(struct vudc *udc, struct urbp *urb_p)
|
||||||
|
|
||||||
/* 1. setup usbip_header */
|
/* 1. setup usbip_header */
|
||||||
setup_ret_submit_pdu(&pdu_header, urb_p);
|
setup_ret_submit_pdu(&pdu_header, urb_p);
|
||||||
usbip_dbg_stub_tx("setup txdata seqnum: %d urb: %p\n",
|
usbip_dbg_stub_tx("setup txdata seqnum: %d\n",
|
||||||
pdu_header.base.seqnum, urb);
|
pdu_header.base.seqnum);
|
||||||
usbip_header_correct_endian(&pdu_header, 1);
|
usbip_header_correct_endian(&pdu_header, 1);
|
||||||
|
|
||||||
iov[iovnum].iov_base = &pdu_header;
|
iov[iovnum].iov_base = &pdu_header;
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue