1. 29 7月, 2015 16 次提交
  2. 23 7月, 2015 13 次提交
  3. 22 7月, 2015 1 次提交
    • J
      usb: dwc3: Reset the transfer resource index on SET_INTERFACE · aebda618
      John Youn 提交于
      This fixes an issue introduced in commit b23c8439 (usb: dwc3:
      gadget: fix DEPSTARTCFG for non-EP0 EPs) that made sure we would
      only use DEPSTARTCFG once per SetConfig.
      
      The trick is that we should use one DEPSTARTCFG per SetConfig *OR*
      SetInterface. SetInterface was completely missed from the original
      patch.
      
      This problem became aparent after commit 76e838c9 (usb: dwc3:
      gadget: return error if command sent to DEPCMD register fails)
      added checking of the return status of device endpoint commands.
      
      'Set Endpoint Transfer Resource' command was caught failing
      occasionally. This is because the Transfer Resource
      Index was not getting reset during a SET_INTERFACE request.
      
      Finally, to fix the issue, was we have to do is make sure that
      our start_config_issued flag gets reset whenever we receive a
      SetInterface request.
      
      To verify the problem (and its fix), all we have to do is run
      test 9 from testusb with 'testusb -t 9 -s 2048 -a -c 5000'.
      Tested-by: NHuang Rui <ray.huang@amd.com>
      Tested-by: NSubbaraya Sundeep Bhatta <subbaraya.sundeep.bhatta@xilinx.com>
      Fixes: b23c8439 (usb: dwc3: gadget: fix DEPSTARTCFG for non-EP0 EPs)
      Cc: <stable@vger.kernel.org> # v3.2+
      Signed-off-by: NJohn Youn <johnyoun@synopsys.com>
      Signed-off-by: NFelipe Balbi <balbi@ti.com>
      aebda618
  4. 21 7月, 2015 3 次提交
  5. 18 7月, 2015 1 次提交
    • N
      configfs: fix kernel infoleak through user-controlled format string · 3958b792
      Nicolas Iooss 提交于
      Some modules call config_item_init_type_name() and config_group_init_type_name()
      with parameter "name" directly controlled by userspace.  These two
      functions call config_item_set_name() with this name used as a format
      string, which can be used to leak information such as content of the
      stack to userspace.
      
      For example, make_netconsole_target() in netconsole module calls
      config_item_init_type_name() with the name of a newly-created directory.
      This means that the following commands give some unexpected output, with
      configfs mounted in /sys/kernel/config/ and on a system with a
      configured eth0 ethernet interface:
      
          # modprobe netconsole
          # mkdir /sys/kernel/config/netconsole/target_%lx
          # echo eth0 > /sys/kernel/config/netconsole/target_%lx/dev_name
          # echo 1 > /sys/kernel/config/netconsole/target_%lx/enabled
          # echo eth0 > /sys/kernel/config/netconsole/target_%lx/dev_name
          # dmesg |tail -n1
          [  142.697668] netconsole: target (target_ffffffffc0ae8080) is
          enabled, disable to update parameters
      
      The directory name is correct but %lx has been interpreted in the
      internal item name, displayed here in the error message used by
      store_dev_name() in drivers/net/netconsole.c.
      
      To fix this, update every caller of config_item_set_name to use "%s"
      when operating on untrusted input.
      
      This issue was found using -Wformat-security gcc flag, once a __printf
      attribute has been added to config_item_set_name().
      Signed-off-by: NNicolas Iooss <nicolas.iooss_linux@m4x.org>
      Acked-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Acked-by: NFelipe Balbi <balbi@ti.com>
      Acked-by: NJoel Becker <jlbec@evilplan.org>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      3958b792
  6. 09 7月, 2015 1 次提交
    • J
      USB: serial: Destroy serial_minors IDR on module exit · d23f47d4
      Johannes Thumshirn 提交于
      Destroy serial_minors IDR on module exit, reclaiming the allocated memory.
      
      This was detected by the following semantic patch (written by Luis
      Rodriguez <mcgrof@suse.com>)
      
      <SmPL>
      @ defines_module_init @
      declarer name module_init, module_exit;
      declarer name DEFINE_IDR;
      identifier init;
      @@
      
      module_init(init);
      
      @ defines_module_exit @
      identifier exit;
      @@
      
      module_exit(exit);
      
      @ declares_idr depends on defines_module_init && defines_module_exit @
      identifier idr;
      @@
      
      DEFINE_IDR(idr);
      
      @ on_exit_calls_destroy depends on declares_idr && defines_module_exit @
      identifier declares_idr.idr, defines_module_exit.exit;
      @@
      
      exit(void)
      {
       ...
       idr_destroy(&idr);
       ...
      }
      
      @ missing_module_idr_destroy depends on declares_idr && defines_module_exit && !on_exit_calls_destroy @
      identifier declares_idr.idr, defines_module_exit.exit;
      @@
      
      exit(void)
      {
       ...
       +idr_destroy(&idr);
      }
      </SmPL>
      Signed-off-by: NJohannes Thumshirn <jthumshirn@suse.de>
      Cc: stable <stable@vger.kernel.org>	# v3.11
      Signed-off-by: NJohan Hovold <johan@kernel.org>
      d23f47d4
  7. 07 7月, 2015 5 次提交