Skip to content

R
raspberrypi-kernel

openeuler / raspberrypi-kernel

通知 13
Star 1
Fork 0
R
raspberrypi-kernel
切换分支/标签
  1. 11 10月, 2017 1 次提交
    • A
      usb: gadget: composite: Fix use-after-free in usb_composite_overwrite_options · aec17e1e
      Andrew Gabbasov 提交于 
      KASAN enabled configuration reports an error

    BUG: KASAN: use-after-free in usb_composite_overwrite_options+...
                [libcomposite] at addr ...
    Read of size 1 by task ...

when some driver is un-bound and then bound again.
For example, this happens with FunctionFS driver when "ffs-test"
test application is run several times in a row.

If the driver has empty manufacturer ID string in initial static data,
it is then replaced with generated string. After driver unbinding
the generated string is freed, but the driver data still keep that
pointer. And if the driver is then bound again, that pointer
is re-used for string emptiness check.

The fix is to clean up the driver string data upon its unbinding
to drop the pointer to freed memory.

Fixes: cc2683c3 ("usb: gadget: Provide a default implementation of default manufacturer string")
Cc: stable@vger.kernel.org
Signed-off-by: NAndrew Gabbasov <andrew_gabbasov@mentor.com>
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>
      aec17e1e
  3. 06 6月, 2017 1 次提交
  5. 02 6月, 2017 2 次提交
  7. 12 1月, 2017 1 次提交
  9. 02 1月, 2017 1 次提交
    • K
      usb: gadget: composite: Test get_alt() presence instead of set_alt() · 7e4da3fc
      Krzysztof Opasiak 提交于 
      By convention (according to doc) if function does not provide
get_alt() callback composite framework should assume that it has only
altsetting 0 and should respond with error if host tries to set
other one.

After commit dd4dff8b ("USB: composite: Fix bug: should test
set_alt function pointer before use it")
we started checking set_alt() callback instead of get_alt().
This check is useless as we check if set_alt() is set inside
usb_add_function() and fail if it's NULL.

Let's fix this check and move comment about why we check the get
method instead of set a little bit closer to prevent future false
fixes.

Fixes: dd4dff8b ("USB: composite: Fix bug: should test set_alt function pointer before use it")
Cc: stable <stable@vger.kernel.org>
Signed-off-by: NKrzysztof Opasiak <k.opasiak@samsung.com>
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>
      7e4da3fc
  11. 03 11月, 2016 2 次提交
  13. 31 10月, 2016 2 次提交
    • F
      usb: gadget: composite: always set ep->mult to a sensible value · eaa496ff
      Felipe Balbi 提交于 
      ep->mult is supposed to be set to Isochronous and
Interrupt Endapoint's multiplier value. This value
is computed from different places depending on the
link speed.

If we're dealing with HighSpeed, then it's part of
bits [12:11] of wMaxPacketSize. This case wasn't
taken into consideration before.

While at that, also make sure the ep->mult defaults
to one so drivers can use it unconditionally and
assume they'll never multiply ep->maxpacket to zero.

Cc: <stable@vger.kernel.org>
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>
      eaa496ff
    • F
      usb: gadget: composite: correctly initialize ep->maxpacket · e8f29bb7
      Felipe Balbi 提交于 
      usb_endpoint_maxp() returns wMaxPacketSize in its
raw form. Without taking into consideration that it
also contains other bits reserved for isochronous
endpoints.

This patch fixes one occasion where this is a
problem by making sure that we initialize
ep->maxpacket only with lower 10 bits of the value
returned by usb_endpoint_maxp(). Note that seperate
patches will be necessary to audit all call sites of
usb_endpoint_maxp() and make sure that
usb_endpoint_maxp() only returns lower 10 bits of
wMaxPacketSize.

Cc: <stable@vger.kernel.org>
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>
      e8f29bb7
  15. 25 8月, 2016 1 次提交
    • F
      usb: gadget: composite: let USB functions process ctrl reqs in cfg0 · 1a00b457
      Felix Hädicke 提交于 
      It can sometimes be necessary for gadget drivers to process non-standard
control requests, which host devices can send without having sent
USB_REQ_SET_CONFIGURATION.

Therefore, the req_match() usb_function method is enhanced with the new
parameter "config0". When a USB configuration is active, this parameter
is false. When a non-core control request is processed in
composite_setup(), without an active configuration, req_match() of the
USB functions of all available configurations which implement this
function, is called with config0=true. Then the control request gets
processed by the first usb_function instance whose req_match() returns
true.
Signed-off-by: NFelix Hädicke <felixhaedicke@web.de>
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>
      1a00b457
  17. 11 8月, 2016 2 次提交
  19. 31 5月, 2016 1 次提交
    • W
      usb: gadget: composite: don't queue OS desc req if length is invalid · 7e14f47a
      William Wu 提交于 
      In OS descriptors handling, if ctrl->bRequestType is
USB_RECIP_DEVICE and w_index != 0x4 or (w_value >> 8)
is true, it will not assign a valid value to req->length,
but use the default value(-EOPNOTSUPP), and queue an
OS desc request with the invalid req->length. It always
happens on the platforms which use os_desc (for example:
rk3366, rk3399), and cause kernel panic as follows
(use dwc3 driver):

Unable to handle kernel paging request at virtual address ffffffc0f7e00000
Internal error: Oops: 96000146 [#1] PREEMPT SMP
PC is at __dma_clean_range+0x18/0x30
LR is at __swiotlb_map_page+0x50/0x64
Call trace:
[<ffffffc0000930f8>] __dma_clean_range+0x18/0x30
[<ffffffc00062214c>] usb_gadget_map_request+0x134/0x1b0
[<ffffffc0005c289c>] __dwc3_ep0_do_control_data+0x110/0x14c
[<ffffffc0005c2d38>] __dwc3_gadget_ep0_queue+0x198/0x1b8
[<ffffffc0005c2e18>] dwc3_gadget_ep0_queue+0xc0/0xe8
[<ffffffc00061cfec>] composite_ep0_queue.constprop.14+0x34/0x98
[<ffffffc00061dfb0>] composite_setup+0xf60/0x100c
[<ffffffc0006204dc>] android_setup+0xd8/0x138
[<ffffffc0005c29a4>] dwc3_ep0_delegate_req+0x34/0x50
[<ffffffc0005c3534>] dwc3_ep0_interrupt+0x5dc/0xb58
[<ffffffc0005c0c3c>] dwc3_thread_interrupt+0x15c/0xa24

With this patch, the gadget driver will not queue
a request and return immediately if req->length is
invalid. And the usb controller driver can handle
the unsupport request correctly.
Signed-off-by: NWilliam Wu <william.wu@rock-chips.com>
Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>
      7e14f47a
  21. 28 4月, 2016 1 次提交
  23. 18 4月, 2016 1 次提交
  25. 29 3月, 2016 1 次提交
  27. 04 3月, 2016 9 次提交
  29. 10 10月, 2015 1 次提交
    • I
      usb: gadget: composite: fill bcdUSB for any gadget max speed · 5527e733
      Igor Kotrasinski 提交于 
      When handling device GET_DESCRIPTOR, composite gadget driver fills
the bcdUSB field only if the gadget supports USB 3.0. Otherwise
the field is left unfilled.

For consistency, set bcdUSB to 0x0200 for gadgets that don't
support superspeed.

It's correct to use 0x0200 for any setting that doesn't use
superspeed, since USB 2.0 devices can restrict themselves to
full speed only. It is NOT correct to use 0x0210, since BOS
descriptors are handled only if gadget_is_superspeed() is
satisfied, otherwise it results in a stall.
Signed-off-by: NIgor Kotrasinski <i.kotrasinsk@samsung.com>
Signed-off-by: NFelipe Balbi <balbi@ti.com>
      5527e733
  31. 27 9月, 2015 1 次提交
  33. 07 8月, 2015 1 次提交
  35. 29 7月, 2015 4 次提交
  37. 07 7月, 2015 1 次提交
  39. 11 3月, 2015 3 次提交
  41. 27 1月, 2015 1 次提交
  43. 04 11月, 2014 2 次提交
    • A
      usb: gadget: configfs: add suspend/resume · 3a571870
      Andrzej Pietrasiewicz 提交于 
      USB gadgets composed with configfs lack suspend and resume
methods. This patch uses composite_suspend()/composite_resume()
the same way e.g. composite_setup() or composite_disconnect()
are used in a configfs-based gadget.
Signed-off-by: NAndrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: NFelipe Balbi <balbi@ti.com>
      3a571870
    • F
      usb: gadget: composite: conditionally dequeue os_desc and setup requests · a7c12eaf
      Felipe Balbi 提交于 
      In case we unload a gadget driver while any of
os_desc_req or req are still pending, we need
to make sure to dequeue them.

By using our setup_pending and os_desc_pending
flags we achieve that in a way that doesn't
cause any regressions because we won't dequeue
a request which was already completed.

The original idea came from Li Jun's commit
f2267089
(usb: gadget: composite: dequeue cdev->req
before free it in composite_dev_cleanup) which,
unfortunately, caused two regressions (kfree()
being called before usb_ep_dequeue() and calling
usb_ep_dequeue() when the request was already
completed). That commit also didn't take care
of os_desc_req which can fall into the same
situation so we must care for that one too.

Note that in order to make code slightly easier
to read, we introduce composite_ep_queue() which
hides details about how to fiddle with our pending
flags.
Signed-off-by: NFelipe Balbi <balbi@ti.com>
      a7c12eaf