- 03 Nov, 2016 2 commits
-
-
Committed by Felipe Balbi
Now that usb_endpoint_maxp() only returns the lowest 11 bits from wMaxPacketSize, we can remove the & operation from this driver.

Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
-
Committed by Felipe Balbi
We have introduced a helper to calculate multiplier value from wMaxPacketSize. Start using it.

Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
-
- 22 Sep, 2016 1 commit
-
-
Committed by Greg Kroah-Hartman
This patch fixes a NULL pointer dereference caused by a race condition in the probe function of the legousbtower driver. It re-structures the probe function to only register the interface after successfully reading the board's firmware ID.

The probe function does not deregister the usb interface after an error receiving the device's firmware ID. The device file registered (/dev/usb/legousbtower%d) may be read/written globally before the probe function returns. When tower_delete is called in the probe function (after an r/w has been initiated), core dev structures are deleted while the file operation functions are still running. If the 0 address is mappable on the machine, this vulnerability can be used to create a Local Privilege Escalation exploit via a write-what-where condition by remapping dev->interrupt_out_buffer in tower_write. A forged USB device and local program execution would be required for LPE. The USB device would have to delay the control message in tower_probe and accept the control urb in tower_open whilst guest code initiated a write to the device file as tower_delete is called from the error in tower_probe.

This bug has existed since 2003. Patch tested by emulated device.

Reported-by: James Patrick-Evans <james@jmp-e.com>
Tested-by: James Patrick-Evans <james@jmp-e.com>
Signed-off-by: James Patrick-Evans <james@jmp-e.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
- 13 Sep, 2016 1 commit
-
-
Committed by Julia Lawall
For structure types defined in the same file or local header files, find top-level static structure declarations that have the following properties:

1. Never reassigned.
2. Address never taken
3. Not passed to a top-level macro call
4. No pointer or array-typed field passed to a function or stored in a variable.

Declare structures having all of these properties as const.

Done using Coccinelle. Based on a suggestion by Joe Perches <joe@perches.com>.

Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
- 31 Aug, 2016 15 commits
-
-
Committed by Wolfram Sang
All kmalloc-based functions print enough information on failures.

Signed-off-by: Wolfram Sang <wsa-dev@sang-engineering.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
Committed by Wolfram Sang
All kmalloc-based functions print enough information on failures.

Signed-off-by: Wolfram Sang <wsa-dev@sang-engineering.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
Committed by Wolfram Sang
All kmalloc-based functions print enough information on failures.

Signed-off-by: Wolfram Sang <wsa-dev@sang-engineering.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
Committed by Wolfram Sang
All kmalloc-based functions print enough information on failures.

Signed-off-by: Wolfram Sang <wsa-dev@sang-engineering.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
Committed by Wolfram Sang
All kmalloc-based functions print enough information on failures.

Signed-off-by: Wolfram Sang <wsa-dev@sang-engineering.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
Committed by Wolfram Sang
All kmalloc-based functions print enough information on failures.

Signed-off-by: Wolfram Sang <wsa-dev@sang-engineering.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
Committed by Wolfram Sang
All kmalloc-based functions print enough information on failures.

Signed-off-by: Wolfram Sang <wsa-dev@sang-engineering.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
Committed by Wolfram Sang
All kmalloc-based functions print enough information on failures.

Signed-off-by: Wolfram Sang <wsa-dev@sang-engineering.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
Committed by Wolfram Sang
All kmalloc-based functions print enough information on failures.

Signed-off-by: Wolfram Sang <wsa-dev@sang-engineering.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
Committed by Wolfram Sang
All kmalloc-based functions print enough information on failures.

Signed-off-by: Wolfram Sang <wsa-dev@sang-engineering.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
Committed by Wolfram Sang
All kmalloc-based functions print enough information on failures.

Signed-off-by: Wolfram Sang <wsa-dev@sang-engineering.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
Committed by Wolfram Sang
All kmalloc-based functions print enough information on failures.

Signed-off-by: Wolfram Sang <wsa-dev@sang-engineering.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
Committed by Wolfram Sang
All kmalloc-based functions print enough information on failures.

Signed-off-by: Wolfram Sang <wsa-dev@sang-engineering.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
Committed by Wolfram Sang
All kmalloc-based functions print enough information on failures.

Signed-off-by: Wolfram Sang <wsa-dev@sang-engineering.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
Committed by Wolfram Sang
All kmalloc-based functions print enough information on failures.

Signed-off-by: Wolfram Sang <wsa-dev@sang-engineering.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
- 15 Aug, 2016 10 commits
-
-
Committed by Wolfram Sang
kmalloc will print enough information in case of failure.

Signed-off-by: Wolfram Sang <wsa-dev@sang-engineering.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
Committed by Wolfram Sang
kmalloc will print enough information in case of failure.

Signed-off-by: Wolfram Sang <wsa-dev@sang-engineering.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
Committed by Wolfram Sang
kmalloc will print enough information in case of failure.

Signed-off-by: Wolfram Sang <wsa-dev@sang-engineering.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
Committed by Wolfram Sang
kmalloc will print enough information in case of failure.

Signed-off-by: Wolfram Sang <wsa-dev@sang-engineering.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
Committed by Wolfram Sang
kmalloc will print enough information in case of failure.

Signed-off-by: Wolfram Sang <wsa-dev@sang-engineering.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
Committed by Wolfram Sang
kmalloc will print enough information in case of failure.

Signed-off-by: Wolfram Sang <wsa-dev@sang-engineering.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
Committed by Wolfram Sang
kmalloc will print enough information in case of failure.

Signed-off-by: Wolfram Sang <wsa-dev@sang-engineering.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
Committed by Wolfram Sang
kmalloc will print enough information in case of failure.

Signed-off-by: Wolfram Sang <wsa-dev@sang-engineering.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
Committed by Wolfram Sang
kmalloc will print enough information in case of failure.

Signed-off-by: Wolfram Sang <wsa-dev@sang-engineering.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
Committed by Wolfram Sang
kmalloc will print enough information in case of failure.

Signed-off-by: Wolfram Sang <wsa-dev@sang-engineering.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
- 12 Aug, 2016 1 commit
-
-
Committed by Lu Baolu
In sg_timeout(), req->status is set to "-ETIMEDOUT" before calling into usb_sg_cancel(). usb_sg_cancel() will do nothing and return directly if req->status has been set to a non-zero value. This will cause driver hang whenever transfer time out is triggered.

This patch fixes this issue. It could be backported to stable kernel with version later than v3.15.

Cc: stable@vger.kernel.org # 3.15+
Cc: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
Suggested-by: Alan Stern <stern@rowland.harvard.edu>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
- 11 Aug, 2016 1 commit
-
-
Committed by Peter Chen
For case 14 and case 21, their correct return value is the number of bytes transferred, so it is a positive integer. But in usbtest_ioctl, it takes non-zero as false return value for usbtest_do_ioctl, so it will treat the correct test as wrong test, then the time on tests will be the minus value.

Signed-off-by: Peter Chen <peter.chen@nxp.com>
Cc: stable <stable@vger.kernel.org>
Fixes: 18fc4ebd ("usb: misc: usbtest: Remove timeval usage")
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
-
- 09 Aug, 2016 6 commits
-
-
Committed by Bhaktipriya Shridhar
The status workqueue is involved in initializing the Uxxx and polling the Uxxx until a supported PCMCIA CardBus device is detected. It then starts the command and respond workqueues and then loads the module that handles the device, after which it just polls the Uxxx looking for card ejects.

The command and respond workqueues are involved in implementing a command sequencer for communicating with the firmware on the other side of the FTDI chip in the Uxxx.

These workqueues have only a single work item each and hence they do not require ordering. Also, none of the above workqueues are being used on a memory reclaim path. Hence, the singlethreaded workqueues have been replaced with the use of system_wq.

System workqueues have been able to handle high level of concurrency for a long time now and hence it's not required to have a singlethreaded workqueue just to gain concurrency. Unlike a dedicated per-cpu workqueue created with create_singlethread_workqueue(), system_wq allows multiple work items to overlap executions even on the same CPU; however, a per-cpu workqueue doesn't have any CPU locality or global ordering guarantee unless the target CPU is explicitly specified and thus the increase of local concurrency shouldn't make any difference.

The work items have been sync cancelled because they are self-requeueing and need to wait for the in-flight work item to finish before proceeding with destruction. Hence, they have been sync cancelled in ftdi_status_cancel_work(), ftdi_command_cancel_work() and ftdi_response_cancel_work(). These functions are called in ftdi_elan_exit() to ensure that there are no pending work items while disconnecting the driver.

Signed-off-by: Bhaktipriya Shridhar <bhaktipriya96@gmail.com>
Acked-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
Committed by Bhaktipriya Shridhar
The workqueue "wq" is involved in controlling the brightness of an Apple Cinema Display over USB.

It has a single work item (&pdata->work) per appledisplay and hence doesn't require ordering. Also, it is not being used on a memory reclaim path. Hence, the singlethreaded workqueue has been replaced with the use of system_wq.

System workqueues have been able to handle high level of concurrency for a long time now and hence it's not required to have a singlethreaded workqueue just to gain concurrency. Unlike a dedicated per-cpu workqueue created with create_singlethread_workqueue(), system_wq allows multiple work items to overlap executions even on the same CPU; however, a per-cpu workqueue doesn't have any CPU locality or global ordering guarantee unless the target CPU is explicitly specified and thus the increase of local concurrency shouldn't make any difference.

The work item is self-requeueing and needs to wait for the in-flight work item to finish before proceeding with destruction. Hence, it has been sync cancelled in appledisplay_disconnect(). This also ensures that there are no pending tasks while disconnecting the driver.

Signed-off-by: Bhaktipriya Shridhar <bhaktipriya96@gmail.com>
Acked-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
Committed by Bhaktipriya Shridhar
The workqueue has a single work item (&lvs->rh_work) and hence doesn't require ordering. Also, it is not being used on a memory reclaim path. Hence, the singlethreaded workqueue has been replaced with the use of system_wq.

System workqueues have been able to handle high level of concurrency for a long time now and hence it's not required to have a singlethreaded workqueue just to gain concurrency. Unlike a dedicated per-cpu workqueue created with create_singlethread_workqueue(), system_wq allows multiple work items to overlap executions even on the same CPU; however, a per-cpu workqueue doesn't have any CPU locality or global ordering guarantee unless the target CPU is explicitly specified and thus the increase of local concurrency shouldn't make any difference.

The work item has been flushed in lvs_rh_disconnect() to ensure that there are no pending tasks while disconnecting the driver.

Signed-off-by: Bhaktipriya Shridhar <bhaktipriya96@gmail.com>
Acked-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
Committed by Stephen Boyd
This is a minimal driver to support bringing a usb4604 device from microchip out of reset and into hub mode. The usb4604 device is related to the usb3503 device, but it didn't seem close enough to warrant putting both into the same file. This patch borrows some of the usb3503 structure and trims it down to just handle the optional reset gpio and adds the i2c command to put the device into hub mode.

Datasheet: http://ww1.microchip.com/downloads/en/DeviceDoc/00001716A.pdf

Cc: <devicetree@vger.kernel.org>
Signed-off-by: Stephen Boyd <stephen.boyd@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
Committed by Xiao Han
This patch fixes five off-by-one bugs in the ftdi-elan driver code. The bug can be triggered by plugging a USB adapter for CardBus 3G cards (model U132 manufactured by Elan Digital Systems, Ltd), causing a kernel panic. The fix was tested on Ubuntu 14.04.4 with 4.7.0-rc14.2.0-27-generic+ and 4.4.0-22-generic+ kernel.

In the ftdi_elan_synchronize function, an off-by-one memory corruption occurs when packet_bytes is equal or bigger than m. After having read m bytes, that is bytes_read is equal to m, " ..\x00" is still copied to the stack variable causing an out-of-bounds write of 4 bytes, which overwrites the stack canary and results in a kernel panic.

This off-by-one requires physical access to the machine. It is not exploitable since we have no control on the overwritten data. Similar off-by-one bugs have been observed in 4 other functions: ftdi_elan_stuck_waiting, ftdi_elan_read, ftdi_elan_edset_output and ftdi_elan_flush_input_fifo.

Reported-by: Alex Palesandro <palexster@gmail.com>
Signed-off-by: Xiao Han <xiao.han@orange.fr>
Tested-by: Paul Chaignon <pchaigno@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
Committed by Peter Chen
For case 14 and case 21, their correct return value is the number of bytes transferred, so it is a positive integer. But in usbtest_ioctl, it takes non-zero as false return value for usbtest_do_ioctl, so it will treat the correct test as wrong test, then the time on tests will be the minus value.

Signed-off-by: Peter Chen <peter.chen@nxp.com>
Cc: stable <stable@vger.kernel.org>
Fixes: 18fc4ebd ("usb: misc: usbtest: Remove timeval usage")
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
- 26 Jun, 2016 3 commits
-
-
Committed by Jiri Slaby
Namely convert:
* IS_FG -> con_is_fg
* DO_UPDATE -> con_should_update
* CON_IS_VISIBLE -> con_is_visible

DO_UPDATE was a weird name for a yes/no answer, so the new name is con_should_update.

Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Cc: Thomas Winischhofer <thomas@winischhofer.net>
Cc: Jean-Christophe Plagniol-Villard <plagnioj@jcrosoft.com>
Cc: linux-usb@vger.kernel.org
Cc: linux-fbdev@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
Committed by Jiri Slaby
It is never called since commit 81732c3b (tty vt: Fix line garbage in virtual console on command line edition) in 3.7. So remove all the callbacks.

Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Cc: Thomas Winischhofer <thomas@winischhofer.net>
Cc: linux-usb@vger.kernel.org
Cc: Jean-Christophe Plagniol-Villard <plagnioj@jcrosoft.com>
Cc: Tomi Valkeinen <tomi.valkeinen@ti.com>
Cc: "James E.J. Bottomley" <jejb@parisc-linux.org>
Cc: Helge Deller <deller@gmx.de>
Cc: linux-fbdev@vger.kernel.org
Cc: linux-parisc@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
Committed by Jiri Slaby
* allow NULL consw->con_set_palette (some consoles define an empty hook)
* => remove empty hooks now
* return value of consw->con_set_palette is never checked => make the function void
* document consw->con_set_palette a bit

Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Cc: Thomas Winischhofer <thomas@winischhofer.net>
Cc: linux-usb@vger.kernel.org
Cc: Jean-Christophe Plagniol-Villard <plagnioj@jcrosoft.com>
Cc: Tomi Valkeinen <tomi.valkeinen@ti.com>
Cc: "James E.J. Bottomley" <jejb@parisc-linux.org>
Cc: Helge Deller <deller@gmx.de>
Cc: linux-fbdev@vger.kernel.org
Cc: linux-parisc@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-