- 01 10月, 2013 1 次提交
-
-
由 Robert Baldyga 提交于
This patch add missing error check in ffs_func_bind() function, after ffs_do_descs() function call for high speed descriptors. Without this check it's possible that the module will try dereference incorrect pointer. [ balbi@ti.com : removed trailing empty line ] Acked-by: NMichal Nazarewicz <mina86@mina86.com> Signed-off-by: NRobert Baldyga <r.baldyga@samsung.com> Signed-off-by: NFelipe Balbi <balbi@ti.com>
-
- 27 9月, 2013 1 次提交
-
-
由 Al Viro 提交于
There's a bunch of failure exits in ffs_fs_mount() with seriously broken recovery logics. Most of that appears to stem from misunderstanding of the ->kill_sb() semantics; unlike ->put_super() it is called for *all* superblocks of given type, no matter how (in)complete the setup had been. ->put_super() is called only if ->s_root is not NULL; any failure prior to setting ->s_root will have the call of ->put_super() skipped. ->kill_sb(), OTOH, awaits every superblock that has come from sget(). Current behaviour of ffs_fs_mount(): We have struct ffs_sb_fill_data data on stack there. We do ffs_dev = functionfs_acquire_dev_callback(dev_name); and store that in data.private_data. Then we call mount_nodev(), passing it ffs_sb_fill() as a callback. That will either fail outright, or manage to call ffs_sb_fill(). There we allocate an instance of struct ffs_data, slap the value of ffs_dev (picked from data.private_data) into ffs->private_data and overwrite data.private_data by storing ffs into an overlapping member (data.ffs_data). Then we store ffs into sb->s_fs_info and attempt to set the rest of the things up (root inode, root dentry, then create /ep0 there). Any of those might fail. Should that happen, we get ffs_fs_kill_sb() called before mount_nodev() returns. If mount_nodev() fails for any reason whatsoever, we proceed to functionfs_release_dev_callback(data.ffs_data); That's broken in a lot of ways. Suppose the thing has failed in allocation of e.g. root inode or dentry. We have functionfs_release_dev_callback(ffs); ffs_data_put(ffs); done by ffs_fs_kill_sb() (ffs accessed via sb->s_fs_info), followed by functionfs_release_dev_callback(ffs); from ffs_fs_mount() (via data.ffs_data). Note that the second functionfs_release_dev_callback() has every chance to be done to freed memory. Suppose we fail *before* root inode allocation. What happens then? ffs_fs_kill_sb() doesn't do anything to ffs (it's either not called at all, or it doesn't have a pointer to ffs stored in sb->s_fs_info). And functionfs_release_dev_callback(data.ffs_data); is called by ffs_fs_mount(), but here we are in nasal daemon country - we are reading from a member of union we'd never stored into. In practice, we'll get what we used to store into the overlapping field, i.e. ffs_dev. And then we get screwed, since we treat it (struct gfs_ffs_obj * in disguise, returned by functionfs_acquire_dev_callback()) as struct ffs_data *, pick what would've been ffs_data ->private_data from it (*well* past the actual end of the struct gfs_ffs_obj - struct ffs_data is much bigger) and poke in whatever it points to. FWIW, there's a minor leak on top of all that in case if ffs_sb_fill() fails on kstrdup() - ffs is obviously forgotten. The thing is, there is no point in playing all those games with union. Just allocate and initialize ffs_data *before* calling mount_nodev() and pass a pointer to it via data.ffs_data. And once it's stored in sb->s_fs_info, clear data.ffs_data, so that ffs_fs_mount() knows that it doesn't need to kill the sucker manually - from that point on we'll have it done by ->kill_sb(). Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk> Acked-by: NMichal Nazarewicz <mina86@mina86.com> Cc: stable <stable@vger.kernel.org> # 3.3+ Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
-
- 28 8月, 2013 1 次提交
-
-
由 Dan Carpenter 提交于
ffs_data_put() can sometimes free "ffs" so I have moved the call down a line below the dereference. Signed-off-by: NDan Carpenter <dan.carpenter@oracle.com> Signed-off-by: NFelipe Balbi <balbi@ti.com>
-
- 10 4月, 2013 1 次提交
-
-
由 Al Viro 提交于
filesystem module as whole is pinned down by its superblock, no need to have opened files on it to add anything to that. Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
-
- 04 3月, 2013 1 次提交
-
-
由 Eric W. Biederman 提交于
Modify the request_module to prefix the file system type with "fs-" and add aliases to all of the filesystems that can be built as modules to match. A common practice is to build all of the kernel code and leave code that is not commonly needed as modules, with the result that many users are exposed to any bug anywhere in the kernel. Looking for filesystems with a fs- prefix limits the pool of possible modules that can be loaded by mount to just filesystems trivially making things safer with no real cost. Using aliases means user space can control the policy of which filesystem modules are auto-loaded by editing /etc/modprobe.d/*.conf with blacklist and alias directives. Allowing simple, safe, well understood work-arounds to known problematic software. This also addresses a rare but unfortunate problem where the filesystem name is not the same as it's module name and module auto-loading would not work. While writing this patch I saw a handful of such cases. The most significant being autofs that lives in the module autofs4. This is relevant to user namespaces because we can reach the request module in get_fs_type() without having any special permissions, and people get uncomfortable when a user specified string (in this case the filesystem type) goes all of the way to request_module. After having looked at this issue I don't think there is any particular reason to perform any filtering or permission checks beyond making it clear in the module request that we want a filesystem module. The common pattern in the kernel is to call request_module() without regards to the users permissions. In general all a filesystem module does once loaded is call register_filesystem() and go to sleep. Which means there is not much attack surface exposed by loading a filesytem module unless the filesystem is mounted. In a user namespace filesystems are not mounted unless .fs_flags = FS_USERNS_MOUNT, which most filesystems do not set today. Acked-by: NSerge Hallyn <serge.hallyn@canonical.com> Acked-by: NKees Cook <keescook@chromium.org> Reported-by: NKees Cook <keescook@google.com> Signed-off-by: N"Eric W. Biederman" <ebiederm@xmission.com>
-
- 18 1月, 2013 1 次提交
-
-
由 Benoit Goby 提交于
Add missing braces around an if block in ffs_fs_parse_opts. This broke parsing the uid/gid mount options and causes mount to fail when using uid/gid. This has been introduced by commit b9b73f7c (userns: Convert usb functionfs to use kuid/kgid where appropriate) in 3.7. Cc: <stable@vger.kernel.org> Signed-off-by: NBenoit Goby <benoit@android.com> Acked-by: NMichal Nazarewicz <mina86@mina86.com> Signed-off-by: NFelipe Balbi <balbi@ti.com>
-
- 10 1月, 2013 1 次提交
-
-
由 Michal Nazarewicz 提交于
kstrtoul() checks for overflow which simple_strtoul() does not pluss it has “*end == 0” check in it as well. As a side effect, a new line character is now accepted, but this should not be an issue. Signed-off-by: NMichal Nazarewicz <mina86@mina86.com> Signed-off-by: NFelipe Balbi <balbi@ti.com>
-
- 31 10月, 2012 1 次提交
-
-
HS and SS descriptors are staticaly created. They are updated during the bind process with the endpoint address, string id or interface numbers. After that, the descriptor chain is linked to struct usb_function which is used by composite in order to serve the GET_DESCRIPTOR requests, number of available configs and so on. There is no need to assign the HS descriptor only if the UDC supports HS speed because composite won't report those to the host if HS support has not been reached. The same reasoning is valid for SS. This patch makes sure each function updates HS/SS descriptors unconditionally and uses the newly introduced helper function to create a copy the descriptors for the speed which is supported by the UDC. While at that, also rename f->descriptors to f->fs_descriptors in order to make it more explicit what that means. Cc: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Signed-off-by: NSebastian Andrzej Siewior <bigeasy@linutronix.de> Signed-off-by: NFelipe Balbi <balbi@ti.com>
-
- 27 9月, 2012 1 次提交
-
-
由 Al Viro 提交于
__user * != * __user Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
-
- 21 9月, 2012 1 次提交
-
-
由 Eric W. Biederman 提交于
Acked-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org> Acked-by: NFelipe Balbi <balbi@ti.com> Acked-by: NSerge Hallyn <serge.hallyn@canonical.com> Signed-off-by: NEric W. Biederman <ebiederm@xmission.com>
-
- 07 9月, 2012 1 次提交
-
-
由 Andrzej Pietrasiewicz 提交于
If f_fs.c and u_serial.c are combined together using #include, which has been a common practice so far, the pr_vdebug macro is defined multiple times. Define it only once. Acked-by: NRandy Dunlap <rdunlap@xenotime.net> Signed-off-by: NAndrzej Pietrasiewicz <andrzej.p@samsung.com> Signed-off-by: NKyungmin Park <kyungmin.park@samsung.com> Signed-off-by: NFelipe Balbi <balbi@ti.com>
-
- 04 6月, 2012 1 次提交
-
-
由 Koen Beel 提交于
When writing the descriptors to the ep0 file of functionfs, the HID descriptors where not recognized which caused the initialization from user space to fail. Signed-off-by: NKoen Beel <koen.beel@barco.com> Signed-off-by: NFelipe Balbi <balbi@ti.com>
-
- 15 5月, 2012 1 次提交
-
-
由 Andrzej Pietrasiewicz 提交于
Signed-off-by: NAndrzej Pietrasiewicz <andrzej.p@samsung.com> Signed-off-by: NKyungmin Park <kyungmin.park@samsung.com> Acked-by: NMichal Nazarewicz <mina86@mina86.com> Cc: Felipe Balbi <balbi@ti.com> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
-
- 04 5月, 2012 1 次提交
-
-
由 Peter Korsgaard 提交于
functionfs was leaking request objects created by autoconfig. Signed-off-by: NPeter Korsgaard <peter.korsgaard@barco.com> Signed-off-by: NFelipe Balbi <balbi@ti.com>
-
- 11 4月, 2012 2 次提交
-
-
由 Andrzej Pietrasiewicz 提交于
usb: gadget: eliminate NULL pointer dereference (bugfix) This patch fixes a bug which causes NULL pointer dereference in ffs_ep0_ioctl. The bug happens when the FunctionFS is not bound (either has not been bound yet or has been bound and then unbound) and can be reproduced with running the following commands: $ insmod g_ffs.ko $ mount -t functionfs func /dev/usbgadget $ ./null where null.c is: #include <fcntl.h> #include <linux/usb/functionfs.h> int main(void) { int fd = open("/dev/usbgadget/ep0", O_RDWR); ioctl(fd, FUNCTIONFS_CLEAR_HALT); return 0; } Signed-off-by: NAndrzej Pietrasiewicz <andrzej.p@samsung.com> Signed-off-by: NKyungmin Park <kyungmin.park@samsung.com> Cc: stable@vger.kernel.org Signed-off-by: NFelipe Balbi <balbi@ti.com>
-
由 Andrzej Pietrasiewicz 提交于
clear FFS_FL_BOUND flag on unbind (bugfix) Signed-off-by: NAndrzej Pietrasiewicz <andrzej.p@samsung.com> Signed-off-by: NKyungmin Park <kyungmin.park@samsung.com> Acked-by: NMichal Nazarewicz <mina86@mina86.com> Signed-off-by: NFelipe Balbi <balbi@ti.com>
-
- 21 3月, 2012 1 次提交
-
-
由 Al Viro 提交于
Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
-
- 17 3月, 2012 1 次提交
-
-
由 Andi Kleen 提交于
lock debugging already supports this, no need to do it explicitely. Cc: balbi@ti.com Cc: gregkh@linuxfoundation.org Signed-off-by: NAndi Kleen <ak@linux.intel.com> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
-
- 24 1月, 2012 1 次提交
-
-
由 Michal Nazarewicz 提交于
The m.nazarewicz@samsung.com email address is no longer valid, so this commit replaces it with mina86@mina86.com which is employer-agnostic and thus should be valid for foreseeable feature. Signed-off-by: NMichal Nazarewicz <mina86@mina86.com> Signed-off-by: NFelipe Balbi <balbi@ti.com>
-
- 09 1月, 2012 1 次提交
-
-
由 Al Viro 提交于
* if you do dput() of root dentry, do *not* follow that with iput() of root inode. * while we are at it, don't do that dput() at all - you are leaving the pointer in ->s_root and your ->kill_sb() will be very unhappy with that. It will do proper dput(), though, so the easiest way is to leave that to it entirely. * freeing ->s_fs_info is also best left to ->kill_sb() (which will do it anyway), especially since we leave the pointer in place. * that xchg() in ->kill_sb() is not a bug per se, but it's a plain and simple masturbation with fewer excuses than Onan had... Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
-
- 12 12月, 2011 1 次提交
-
-
由 Thomas Meyer 提交于
The advantage of kcalloc is, that will prevent integer overflows which could result from the multiplication of number of elements and size and it is also a bit nicer to read. The semantic patch that makes this change is available in https://lkml.org/lkml/2011/11/25/107Signed-off-by: NThomas Meyer <thomas@m3y3r.de> Acked-by: NMichal Nazarewicz <[4]mina86@mina86.com> Signed-off-by: NFelipe Balbi <balbi@ti.com>
-
- 01 11月, 2011 1 次提交
-
-
由 Paul Gortmaker 提交于
With module.h being implicitly everywhere via device.h, the absence of explicitly including something for EXPORT_SYMBOL went unnoticed. Since we are heading to fix things up and clean module.h from the device.h file, we need to explicitly include these files now. Use the lightweight version of the header that has just THIS_MODULE and EXPORT_SYMBOL variants. Signed-off-by: NPaul Gortmaker <paul.gortmaker@windriver.com>
-
- 10 9月, 2011 1 次提交
-
-
由 Klaus Schwarzkopf 提交于
remove the following two paragraphs as they are not needed: This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc.,59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. Signed-off-by: NKlaus Schwarzkopf <schwarzkopf@sensortherm.de> Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>
-
- 29 6月, 2011 1 次提交
-
-
由 Tatyana Brokhman 提交于
Change usb_ep_enable() prototype to use endpoint descriptor from usb_ep. This optimization spares the FDs from saving the endpoint chosen descriptor. This optimization is not full though. To fully exploit this change, one needs to update all the UDCs as well since in the current implementation each of them saves the endpoint descriptor in it's internal (and extended) endpoint structure. Signed-off-by: NTatyana Brokhman <tlinder@codeaurora.org> Signed-off-by: NFelipe Balbi <balbi@ti.com> Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>
-
- 05 2月, 2011 1 次提交
-
-
由 Marek Szyprowski 提交于
Some UDC drivers fails to queue a request if req->buf == NULL even for ZLP requests. This patch adds a poisoned pointer instead of NULL to make the code compliant with the gadget specification and catches possible bug in the UDC driver if it tries to dereference buffer pointer on ZLP request. Signed-off-by: NMarek Szyprowski <m.szyprowski@samsung.com> Signed-off-by: NKyungmin Park <kyungmin.park@samsung.com> Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>
-
- 11 12月, 2010 1 次提交
-
-
由 Tobias Klauser 提交于
IS_ERR() already implies unlikely(), so it can be omitted here. Signed-off-by: NTobias Klauser <tklauser@distanz.ch> Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>
-
- 18 11月, 2010 2 次提交
-
-
由 Michal Nazarewicz 提交于
This commit fixes warning in f_fs.c introduced by "usb: gadget: f_fs: remove custom printk() wrappers": In file included from drivers/usb/gadget/g_ffs.c:64: drivers/usb/gadget/f_fs.c:30:1: warning: "pr_fmt" redefined Signed-off-by: NMichal Nazarewicz <mina86@mina86.com> Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>
-
由 Arnd Bergmann 提交于
The big kernel lock has been removed from all these files at some point, leaving only the #include. Remove this too as a cleanup. Signed-off-by: NArnd Bergmann <arnd@arndb.de> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
-
- 17 11月, 2010 3 次提交
-
-
由 Michal Nazarewicz 提交于
This commit removes custom printk() wrappers from the f_fs.c file. They served little purpose above what pr_*() family of macros provides. Only FVDBG() has been left but renamed to pr_vdebug() to match other uses. Signed-off-by: NMichal Nazarewicz <mina86@mina86.com> Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>
-
由 Michal Nazarewicz 提交于
This commit changes FunctionFS as to make it more compliant with coding style as well as fixes several typos. Signed-off-by: NMichal Nazarewicz <mina86@mina86.com> Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>
-
由 Joe Perches 提交于
Signed-off-by: NJoe Perches <joe@perches.com> Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>
-
- 29 10月, 2010 1 次提交
-
-
由 Al Viro 提交于
Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
-
- 27 10月, 2010 1 次提交
-
-
由 Al Viro 提交于
usbfs_get_inode() is something completely different... Bogosity introduced by commit 85fe4025 ("fs: do not assign default i_ino in new_inode"). Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk> Cc: Christoph Hellwig <hch@lst.de> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
-
- 26 10月, 2010 1 次提交
-
-
由 Christoph Hellwig 提交于
Instead of always assigning an increasing inode number in new_inode move the call to assign it into those callers that actually need it. For now callers that need it is estimated conservatively, that is the call is added to all filesystems that do not assign an i_ino by themselves. For a few more filesystems we can avoid assigning any inode number given that they aren't user visible, and for others it could be done lazily when an inode number is actually needed, but that's left for later patches. Signed-off-by: NChristoph Hellwig <hch@lst.de> Signed-off-by: NDave Chinner <dchinner@redhat.com> Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
-
- 11 8月, 2010 3 次提交
-
-
由 Michal Nazarewicz 提交于
Use usb_string_ids_n() function to simplify string ids registeration. Signed-off-by: NMichal Nazarewicz <m.nazarewicz@samsung.com> Signed-off-by: NKyungmin Park <kyungmin.park@samsung.com> Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>
-
由 Michal Nazarewicz 提交于
FunctionFS had a bit unique name for function used to add it to USB configuration. Renamed as to match naming convention of other functions. Signed-off-by: NMichal Nazarewicz <m.nazarewicz@samsung.com> Signed-off-by: NKyungmin Park <kyungmin.park@samsung.com> Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>
-
由 Arnd Bergmann 提交于
There is no gadget driver in the tree that actually implements the ioctl operation, so obviously it is not necessary to hold the BKL around the call. Signed-off-by: NArnd Bergmann <arnd@arndb.de> Cc: David Brownell <dbrownell@users.sourceforge.net> Cc: Michał Nazarewicz <m.nazarewicz@samsung.com> Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>
-
- 22 7月, 2010 1 次提交
-
-
由 Linus Torvalds 提交于
Pointed out by Lucas who found the new one in a comment in setup_percpu.c. And then I fixed the others that I grepped for. Reported-by: NLucas <canolucas@gmail.com> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
-
- 21 5月, 2010 2 次提交
-
-
由 Randy Dunlap 提交于
Fix g_ffs build error, add a needed header file: drivers/usb/gadget/f_fs.c:1064:error: 'PAGE_CACHE_SIZE' undeclared (first use in this function) drivers/usb/gadget/f_fs.c:1065:error: 'PAGE_CACHE_SHIFT' undeclared (first use in this function) Signed-off-by: NRandy Dunlap <randy.dunlap@oracle.com> Acked-by: NMichał Nazarewicz <m.nazarewicz@samsung.com> Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>
-
由 Michal Nazarewicz 提交于
The FunctionFS is a USB composite function that can be used with the composite framework to create an USB gadget. >From kernel point of view it is just a composite function with some unique behaviour. It may be added to an USB configuration only after the user space driver has registered by writing descriptors and strings (the user space program has to provide the same information that kernel level composite functions provide when they are added to the configuration). >From user space point of view it is a file system which when mounted provide an "ep0" file. User space driver need to write descriptors and strings to that file. It does not need to worry about endpoints, interfaces or strings numbers but simply provide descriptors such as if the function was the only one (endpoints and strings numbers starting from one and interface numbers starting from core). The FunctionFS changes numbers of those as needed also handling situation when numbers differ in different configurations. When descriptors and strings are written "ep#" files appear (one for each declared endpoint) which handle communication on a single endpoint. Again, FunctionFS takes care of the real numbers and changing of the configuration (which means that "ep1" file may be really mapped to (say) endpoint 3 (and when configuration changes to (say) endpoint 2)). "ep0" is used for receiving events and handling setup requests. When all files are closed the function disables itself. Signed-off-by: NMichal Nazarewicz <m.nazarewicz@samsung.com> Cc: Kyungmin Park <kyungmin.park@samsung.com> Cc: Marek Szyprowski <m.szyprowski@samsung.com> Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>
-