#
647d61ae |
| 27-Jun-2024 |
Alan Stern <stern@rowland.harvard.edu> |
USB: core: Fix duplicate endpoint bug by clearing reserved bits in the descriptor
commit a368ecde8a5055b627749b09c6218ef793043e47 upstream.
Syzbot has identified a bug in usbcore (see the Closes: t
USB: core: Fix duplicate endpoint bug by clearing reserved bits in the descriptor
commit a368ecde8a5055b627749b09c6218ef793043e47 upstream.
Syzbot has identified a bug in usbcore (see the Closes: tag below) caused by our assumption that the reserved bits in an endpoint descriptor's bEndpointAddress field will always be 0. As a result of the bug, the endpoint_is_duplicate() routine in config.c (and possibly other routines as well) may believe that two descriptors are for distinct endpoints, even though they have the same direction and endpoint number. This can lead to confusion, including the bug identified by syzbot (two descriptors with matching endpoint numbers and directions, where one was interrupt and the other was bulk).
To fix the bug, we will clear the reserved bits in bEndpointAddress when we parse the descriptor. (Note that both the USB-2.0 and USB-3.1 specs say these bits are "Reserved, reset to zero".) This requires us to make a copy of the descriptor earlier in usb_parse_endpoint() and use the copy instead of the original when checking for duplicates.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu> Reported-and-tested-by: syzbot+8693a0bb9c10b554272a@syzkaller.appspotmail.com Closes: https://lore.kernel.org/linux-usb/0000000000003d868e061bc0f554@google.com/ Fixes: 0a8fd1346254 ("USB: fix problems with duplicate endpoint addresses") CC: Oliver Neukum <oneukum@suse.com> CC: stable@vger.kernel.org Link: https://lore.kernel.org/r/205a5edc-7fef-4159-b64a-80374b6b101a@rowland.harvard.edu Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
show more ...
|
#
7c0244cc |
| 15-Nov-2023 |
Niklas Neronin <niklas.neronin@linux.intel.com> |
usb: config: fix iteration issue in 'usb_get_bos_descriptor()'
commit 974bba5c118f4c2baf00de0356e3e4f7928b4cbc upstream.
The BOS descriptor defines a root descriptor and is the base descriptor for
usb: config: fix iteration issue in 'usb_get_bos_descriptor()'
commit 974bba5c118f4c2baf00de0356e3e4f7928b4cbc upstream.
The BOS descriptor defines a root descriptor and is the base descriptor for accessing a family of related descriptors.
Function 'usb_get_bos_descriptor()' encounters an iteration issue when skipping the 'USB_DT_DEVICE_CAPABILITY' descriptor type. This results in the same descriptor being read repeatedly.
To address this issue, a 'goto' statement is introduced to ensure that the pointer and the amount read is updated correctly. This ensures that the function iterates to the next descriptor instead of reading the same descriptor repeatedly.
Cc: stable@vger.kernel.org Fixes: 3dd550a2d365 ("USB: usbcore: Fix slab-out-of-bounds bug during device reset") Signed-off-by: Niklas Neronin <niklas.neronin@linux.intel.com> Acked-by: Mathias Nyman <mathias.nyman@linux.intel.com> Reviewed-by: Alan Stern <stern@rowland.harvard.edu> Link: https://lore.kernel.org/r/20231115121325.471454-1-niklas.neronin@linux.intel.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
show more ...
|
#
1e4c5742 |
| 08-Aug-2023 |
Alan Stern <stern@rowland.harvard.edu> |
USB: Remove remnants of Wireless USB and UWB
Wireless USB has long been defunct, and kernel support for it was removed in 2020 by commit caa6772db4c1 ("Staging: remove wusbcore and UWB from the kern
USB: Remove remnants of Wireless USB and UWB
Wireless USB has long been defunct, and kernel support for it was removed in 2020 by commit caa6772db4c1 ("Staging: remove wusbcore and UWB from the kernel tree.").
Nevertheless, some vestiges of the old implementation still clutter up the USB subsystem and one or two other places. Let's get rid of them once and for all.
The only parts still left are the user-facing APIs in include/uapi/linux/usb/ch9.h. (There are also a couple of misleading instances, such as the Sierra Wireless USB modem, which is a USB modem made by Sierra Wireless.)
Signed-off-by: Alan Stern <stern@rowland.harvard.edu> Link: https://lore.kernel.org/r/b4f2710f-a2de-4fb0-b50f-76776f3a961b@rowland.harvard.edu Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
show more ...
|
#
7a09c126 |
| 02-Nov-2022 |
Alan Stern <stern@rowland.harvard.edu> |
USB: core: Change configuration warnings to notices
It has been pointed out that the kernel log messages warning about problems in USB configuration and related descriptors are vexing for users. Th
USB: core: Change configuration warnings to notices
It has been pointed out that the kernel log messages warning about problems in USB configuration and related descriptors are vexing for users. The warning log level has a fairly high priority, but the user can do nothing to fix the underlying errors in the device's firmware.
To reduce the amount of useless information produced by tools that filter high-priority log messages, we can change these warnings to notices, i.e., change dev_warn() to dev_notice(). The same holds for a few messages that currently use dev_err(): Unless they indicate a failure that might make a device unusable (such as inability to transfer a config descriptor), change them to dev_notice() also.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=216630 Suggested-by: Artem S. Tashkinov <aros@gmx.com> Signed-off-by: Alan Stern <stern@rowland.harvard.edu> Link: https://lore.kernel.org/r/Y2KzPx0h6z1jXCuN@rowland.harvard.edu Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
show more ...
|
#
ca573739 |
| 10-Dec-2021 |
Pavel Hofman <pavel.hofman@ivitera.com> |
usb: core: config: using bit mask instead of individual bits
Using standard USB_EP_MAXP_MULT_MASK instead of individual bits for extracting multiple-transactions bits from wMaxPacketSize value.
Ack
usb: core: config: using bit mask instead of individual bits
Using standard USB_EP_MAXP_MULT_MASK instead of individual bits for extracting multiple-transactions bits from wMaxPacketSize value.
Acked-by: Alan Stern <stern@rowland.harvard.edu> Signed-off-by: Pavel Hofman <pavel.hofman@ivitera.com> Link: https://lore.kernel.org/r/20211210085219.16796-2-pavel.hofman@ivitera.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
show more ...
|
#
1a3910c8 |
| 10-Dec-2021 |
Pavel Hofman <pavel.hofman@ivitera.com> |
usb: core: config: fix validation of wMaxPacketValue entries
The checks performed by commit aed9d65ac327 ("USB: validate wMaxPacketValue entries in endpoint descriptors") require that initial value
usb: core: config: fix validation of wMaxPacketValue entries
The checks performed by commit aed9d65ac327 ("USB: validate wMaxPacketValue entries in endpoint descriptors") require that initial value of the maxp variable contains both maximum packet size bits (10..0) and multiple-transactions bits (12..11). However, the existing code assings only the maximum packet size bits. This patch assigns all bits of wMaxPacketSize to the variable.
Fixes: aed9d65ac327 ("USB: validate wMaxPacketValue entries in endpoint descriptors") Cc: stable <stable@vger.kernel.org> Acked-by: Alan Stern <stern@rowland.harvard.edu> Signed-off-by: Pavel Hofman <pavel.hofman@ivitera.com> Link: https://lore.kernel.org/r/20211210085219.16796-1-pavel.hofman@ivitera.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
show more ...
|
#
f3351eca |
| 01-Oct-2021 |
Robert Greener <rob@robgreener.com> |
usb: core: config: Change sizeof(struct ...) to sizeof(*...)
This fixes the following checkpatch.pl warnings:
drivers/usb/core/config.c:989: CHECK:ALLOC_SIZEOF_STRUCT: Prefer kzalloc(sizeof(*bos)..
usb: core: config: Change sizeof(struct ...) to sizeof(*...)
This fixes the following checkpatch.pl warnings:
drivers/usb/core/config.c:989: CHECK:ALLOC_SIZEOF_STRUCT: Prefer kzalloc(sizeof(*bos)...) over kzalloc(sizeof(struct usb_bos_descriptor)...) drivers/usb/core/config.c:1010: CHECK:ALLOC_SIZEOF_STRUCT: Prefer kzalloc(sizeof(*dev->bos)...) over kzalloc(sizeof(struct usb_host_bos)...)
Signed-off-by: Robert Greener <rob@robgreener.com> Link: https://lore.kernel.org/r/20211001151350.ijiexr3ebwvypmdd@shortbread Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
show more ...
|
#
1d6903a6 |
| 10-Nov-2020 |
Nick Desaulniers <ndesaulniers@google.com> |
usb: fix a few cases of -Wfallthrough
The "fallthrough" pseudo-keyword was added as a portable way to denote intentional fallthrough. Clang will still warn on cases where there is a fallthrough to a
usb: fix a few cases of -Wfallthrough
The "fallthrough" pseudo-keyword was added as a portable way to denote intentional fallthrough. Clang will still warn on cases where there is a fallthrough to an immediate break. Add explicit breaks for those cases.
Reviewed-by: Nathan Chancellor <natechancellor@gmail.com> Signed-off-by: Nick Desaulniers <ndesaulniers@google.com> Link: https://lore.kernel.org/r/20201111014716.260633-1-ndesaulniers@google.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
show more ...
|
#
0d9b6d49 |
| 07-Jul-2020 |
Gustavo A. R. Silva <gustavoars@kernel.org> |
usb: Use fallthrough pseudo-keyword
Replace the existing /* fall through */ comments and its variants with the new pseudo-keyword macro fallthrough[1]. Also, remove unnecessary fall-through markings
usb: Use fallthrough pseudo-keyword
Replace the existing /* fall through */ comments and its variants with the new pseudo-keyword macro fallthrough[1]. Also, remove unnecessary fall-through markings when it is the case.
[1] https://www.kernel.org/doc/html/latest/process/deprecated.html?highlight=fallthrough#implicit-switch-case-fall-through
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org> Link: https://lore.kernel.org/r/20200707195607.GA4198@embeddedor Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
show more ...
|
#
91c7eaa6 |
| 18-Jun-2020 |
Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
USB: rename USB quirk to USB_QUIRK_ENDPOINT_IGNORE
The USB core has a quirk flag to ignore specific endpoints, so rename it to be more obvious what this quirk does.
Cc: Johan Hovold <johan@kernel.o
USB: rename USB quirk to USB_QUIRK_ENDPOINT_IGNORE
The USB core has a quirk flag to ignore specific endpoints, so rename it to be more obvious what this quirk does.
Cc: Johan Hovold <johan@kernel.org> Cc: Alan Stern <stern@rowland.harvard.edu> Cc: Richard Dodd <richard.o.dodd@gmail.com> Cc: Hans de Goede <hdegoede@redhat.com> Cc: Jonathan Cox <jonathan@jdcox.net> Cc: Bastien Nocera <hadess@hadess.net> Cc: "Thiébaud Weksteen" <tweek@google.com> Cc: Nishad Kamdar <nishadkamdar@gmail.com> Link: https://lore.kernel.org/r/20200618094300.1887727-2-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
show more ...
|
#
7f1b92a6 |
| 03-Feb-2020 |
Johan Hovold <johan@kernel.org> |
USB: core: clean up endpoint-descriptor parsing
Use the new usb-device pointer instead of back-casting when accessing the struct usb_device when parsing endpoints.
Note that this introduces two lin
USB: core: clean up endpoint-descriptor parsing
Use the new usb-device pointer instead of back-casting when accessing the struct usb_device when parsing endpoints.
Note that this introduces two lines that are longer than 80 chars on purpose.
Signed-off-by: Johan Hovold <johan@kernel.org> Link: https://lore.kernel.org/r/20200203153830.26394-4-johan@kernel.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
show more ...
|
#
73f8bda9 |
| 03-Feb-2020 |
Johan Hovold <johan@kernel.org> |
USB: core: add endpoint-blacklist quirk
Add a new device quirk that can be used to blacklist endpoints.
Since commit 3e4f8e21c4f2 ("USB: core: fix check for duplicate endpoints") USB core ignores a
USB: core: add endpoint-blacklist quirk
Add a new device quirk that can be used to blacklist endpoints.
Since commit 3e4f8e21c4f2 ("USB: core: fix check for duplicate endpoints") USB core ignores any duplicate endpoints found during descriptor parsing.
In order to handle devices where the first interfaces with duplicate endpoints are the ones that should have their endpoints ignored, we need to add a blacklist.
Tested-by: edes <edes@gmx.net> Cc: stable <stable@vger.kernel.org> Signed-off-by: Johan Hovold <johan@kernel.org> Link: https://lore.kernel.org/r/20200203153830.26394-2-johan@kernel.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
show more ...
|
#
2548288b |
| 06-Jan-2020 |
Alan Stern <stern@rowland.harvard.edu> |
USB: Fix: Don't skip endpoint descriptors with maxpacket=0
It turns out that even though endpoints with a maxpacket length of 0 aren't useful for data transfer, the descriptors do serve other purpos
USB: Fix: Don't skip endpoint descriptors with maxpacket=0
It turns out that even though endpoints with a maxpacket length of 0 aren't useful for data transfer, the descriptors do serve other purposes. In particular, skipping them will also skip over other class-specific descriptors for classes such as UVC. This unexpected side effect has caused some UVC cameras to stop working.
In addition, the USB spec requires that when isochronous endpoint descriptors are present in an interface's altsetting 0 (which is true on some devices), the maxpacket size _must_ be set to 0. Warning about such things seems like a bad idea.
This patch updates an earlier commit which would log a warning and skip these endpoint descriptors. Now we only log a warning, and we don't even do that for isochronous endpoints in altsetting 0.
We don't need to worry about preventing endpoints with maxpacket = 0 from ever being used for data transfers; usb_submit_urb() already checks for this.
Reported-and-tested-by: Roger Whittaker <Roger.Whittaker@suse.com> Fixes: d482c7bb0541 ("USB: Skip endpoints with 0 maxpacket length") Signed-off-by: Alan Stern <stern@rowland.harvard.edu> CC: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Link: https://marc.info/?l=linux-usb&m=157790377329882&w=2 Link: https://lore.kernel.org/r/Pine.LNX.4.44L0.2001061040270.1514-100000@iolanthe.rowland.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
show more ...
|
#
3e4f8e21 |
| 19-Dec-2019 |
Johan Hovold <johan@kernel.org> |
USB: core: fix check for duplicate endpoints
Amend the endpoint-descriptor sanity checks to detect all duplicate endpoint addresses in a configuration.
Commit 0a8fd1346254 ("USB: fix problems with
USB: core: fix check for duplicate endpoints
Amend the endpoint-descriptor sanity checks to detect all duplicate endpoint addresses in a configuration.
Commit 0a8fd1346254 ("USB: fix problems with duplicate endpoint addresses") added a check for duplicate endpoint addresses within a single alternate setting, but did not look for duplicate addresses in other interfaces.
The current check would also not detect all duplicate addresses when one endpoint is as a (bi-directional) control endpoint.
This specifically avoids overwriting the endpoint entries in struct usb_device when enabling a duplicate endpoint, something which could potentially lead to crashes or leaks, for example, when endpoints are later disabled.
Cc: stable <stable@vger.kernel.org> Signed-off-by: Johan Hovold <johan@kernel.org> Acked-by: Alan Stern <stern@rowland.harvard.edu> Link: https://lore.kernel.org/r/20191219161016.6695-1-johan@kernel.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
show more ...
|
#
d482c7bb |
| 28-Oct-2019 |
Alan Stern <stern@rowland.harvard.edu> |
USB: Skip endpoints with 0 maxpacket length
Endpoints with a maxpacket length of 0 are probably useless. They can't transfer any data, and it's not at all unlikely that an HCD will crash or hang wh
USB: Skip endpoints with 0 maxpacket length
Endpoints with a maxpacket length of 0 are probably useless. They can't transfer any data, and it's not at all unlikely that an HCD will crash or hang when trying to handle an URB for such an endpoint.
Currently the USB core does not check for endpoints having a maxpacket value of 0. This patch adds a check, printing a warning and skipping over any endpoints it catches.
Now, the USB spec does not rule out endpoints having maxpacket = 0. But since they wouldn't have any practical use, there doesn't seem to be any good reason for us to accept them.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://lore.kernel.org/r/Pine.LNX.4.44L0.1910281050420.1485-100000@iolanthe.rowland.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
show more ...
|
#
dd2057e5 |
| 08-Oct-2019 |
Johan Hovold <johan@kernel.org> |
USB: core: drop OOM message
Drop redundant OOM message on allocation failures which would already have been logged by the allocator. This also allows us to clean up the error paths somewhat.
Signed
USB: core: drop OOM message
Drop redundant OOM message on allocation failures which would already have been logged by the allocator. This also allows us to clean up the error paths somewhat.
Signed-off-by: Johan Hovold <johan@kernel.org> Link: https://lore.kernel.org/r/20191008090240.30376-1-johan@kernel.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
show more ...
|
#
3dd550a2 |
| 04-Sep-2019 |
Alan Stern <stern@rowland.harvard.edu> |
USB: usbcore: Fix slab-out-of-bounds bug during device reset
The syzbot fuzzer provoked a slab-out-of-bounds error in the USB core:
BUG: KASAN: slab-out-of-bounds in memcmp+0xa6/0xb0 lib/string.c:9
USB: usbcore: Fix slab-out-of-bounds bug during device reset
The syzbot fuzzer provoked a slab-out-of-bounds error in the USB core:
BUG: KASAN: slab-out-of-bounds in memcmp+0xa6/0xb0 lib/string.c:904 Read of size 1 at addr ffff8881d175bed6 by task kworker/0:3/2746
CPU: 0 PID: 2746 Comm: kworker/0:3 Not tainted 5.3.0-rc5+ #28 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: usb_hub_wq hub_event Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0xca/0x13e lib/dump_stack.c:113 print_address_description+0x6a/0x32c mm/kasan/report.c:351 __kasan_report.cold+0x1a/0x33 mm/kasan/report.c:482 kasan_report+0xe/0x12 mm/kasan/common.c:612 memcmp+0xa6/0xb0 lib/string.c:904 memcmp include/linux/string.h:400 [inline] descriptors_changed drivers/usb/core/hub.c:5579 [inline] usb_reset_and_verify_device+0x564/0x1300 drivers/usb/core/hub.c:5729 usb_reset_device+0x4c1/0x920 drivers/usb/core/hub.c:5898 rt2x00usb_probe+0x53/0x7af drivers/net/wireless/ralink/rt2x00/rt2x00usb.c:806
The error occurs when the descriptors_changed() routine (called during a device reset) attempts to compare the old and new BOS and capability descriptors. The length it uses for the comparison is the wTotalLength value stored in BOS descriptor, but this value is not necessarily the same as the length actually allocated for the descriptors. If it is larger the routine will call memcmp() with a length that is too big, thus reading beyond the end of the allocated region and leading to this fault.
The kernel reads the BOS descriptor twice: first to get the total length of all the capability descriptors, and second to read it along with all those other descriptors. A malicious (or very faulty) device may send different values for the BOS descriptor fields each time. The memory area will be allocated using the wTotalLength value read the first time, but stored within it will be the value read the second time.
To prevent this possibility from causing any errors, this patch modifies the BOS descriptor after it has been read the second time: It sets the wTotalLength field to the actual length of the descriptors that were read in and validated. Then the memcpy() call, or any other code using these descriptors, will be able to rely on wTotalLength being valid.
Reported-and-tested-by: syzbot+35f4d916c623118d576e@syzkaller.appspotmail.com Signed-off-by: Alan Stern <stern@rowland.harvard.edu> CC: <stable@vger.kernel.org> Link: https://lore.kernel.org/r/Pine.LNX.4.44L0.1909041154260.1722-100000@iolanthe.rowland.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
show more ...
|
#
a03ff544 |
| 13-May-2019 |
Alan Stern <stern@rowland.harvard.edu> |
USB: Fix slab-out-of-bounds write in usb_get_bos_descriptor
The syzkaller USB fuzzer found a slab-out-of-bounds write bug in the USB core, caused by a failure to check the actual size of a BOS descr
USB: Fix slab-out-of-bounds write in usb_get_bos_descriptor
The syzkaller USB fuzzer found a slab-out-of-bounds write bug in the USB core, caused by a failure to check the actual size of a BOS descriptor. This patch adds a check to make sure the descriptor is at least as large as it is supposed to be, so that the code doesn't inadvertently access memory beyond the end of the allocated region when assigning to dev->bos->desc->bNumDeviceCaps later on.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu> Reported-and-tested-by: syzbot+71f1e64501a309fcc012@syzkaller.appspotmail.com CC: <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
show more ...
|
#
5ebf5c89 |
| 18-Feb-2019 |
Gustavo A. R. Silva <gustavo@embeddedor.com> |
usb: core: config: Use struct_size() in kzalloc()
One of the more common cases of allocation size calculations is finding the size of a structure that has a zero-sized array at the end, along with m
usb: core: config: Use struct_size() in kzalloc()
One of the more common cases of allocation size calculations is finding the size of a structure that has a zero-sized array at the end, along with memory for some number of elements for that array. For example:
struct foo { int stuff; struct boo entry[]; };
size = sizeof(struct foo) + count * sizeof(struct boo); instance = kzalloc(size, GFP_KERNEL);
Instead of leaving these open-coded and prone to type mistakes, we can now use the new struct_size() helper:
instance = kzalloc(struct_size(instance, entry, count), GFP_KERNEL);
Notice that, in this case, variable len is not necessary, hence it is removed.
This code was detected with the help of Coccinelle.
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
show more ...
|
#
1760435d |
| 30-Jan-2019 |
Suwan Kim <suwan.kim027@gmail.com> |
usb: core: Move variable initialization to appropriate place
It is better to initialize the variable 'cfgno' in the for loop than at the current place.
Signed-off-by: Suwan Kim <suwan.kim027@gmail.
usb: core: Move variable initialization to appropriate place
It is better to initialize the variable 'cfgno' in the for loop than at the current place.
Signed-off-by: Suwan Kim <suwan.kim027@gmail.com> Acked-by: Alan Stern <stern@rowland.harvard.edu> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
show more ...
|
#
f2fd71db |
| 07-Jan-2019 |
Suwan Kim <suwan.kim027@gmail.com> |
usb: core: Simplify return value of usb_get_configuration()
It is better to initialize the return value "result" to -ENOMEM than to 0. And because "result" takes the return value of usb_parse_config
usb: core: Simplify return value of usb_get_configuration()
It is better to initialize the return value "result" to -ENOMEM than to 0. And because "result" takes the return value of usb_parse_configuration() which returns 0 for success, setting "result" to 0 at before and after of the for loop is unnecessary.
Signed-off-by: Suwan Kim <suwan.kim027@gmail.com> Acked-by: Alan Stern <stern@rowland.harvard.edu> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
show more ...
|
#
fb5ee84e |
| 03-May-2018 |
Alan Stern <stern@rowland.harvard.edu> |
USB: Accept bulk endpoints with 1024-byte maxpacket
Some non-compliant high-speed USB devices have bulk endpoints with a 1024-byte maxpacket size. Although such endpoints don't work with xHCI host
USB: Accept bulk endpoints with 1024-byte maxpacket
Some non-compliant high-speed USB devices have bulk endpoints with a 1024-byte maxpacket size. Although such endpoints don't work with xHCI host controllers, they do work with EHCI controllers. We used to accept these invalid sizes (with a warning), but we no longer do because of an unintentional change introduced by commit aed9d65ac327 ("USB: validate wMaxPacketValue entries in endpoint descriptors").
This patch restores the old behavior, so that people with these peculiar devices can use them without patching their kernels by hand.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu> Suggested-by: Elvinas <elvinas@veikia.lt> Fixes: aed9d65ac327 ("USB: validate wMaxPacketValue entries in endpoint descriptors") CC: <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
show more ...
|
#
07b9f128 |
| 19-Dec-2017 |
Mathias Nyman <mathias.nyman@linux.intel.com> |
USB: Fix off by one in type-specific length check of BOS SSP capability
USB 3.1 devices are not detected as 3.1 capable since 4.15-rc3 due to a off by one in commit 81cf4a45360f ("USB: core: Add typ
USB: Fix off by one in type-specific length check of BOS SSP capability
USB 3.1 devices are not detected as 3.1 capable since 4.15-rc3 due to a off by one in commit 81cf4a45360f ("USB: core: Add type-specific length check of BOS descriptors")
It uses USB_DT_USB_SSP_CAP_SIZE() to get SSP capability size which takes the zero based SSAC as argument, not the actual count of sublink speed attributes.
USB3 spec 9.6.2.5 says "The number of Sublink Speed Attributes = SSAC + 1."
The type-specific length check patch was added to stable and needs to be fixed there as well
Fixes: 81cf4a45360f ("USB: core: Add type-specific length check of BOS descriptors") Cc: linux-stable <stable@vger.kernel.org> CC: Masakazu Mokuno <masakazu.mokuno@gmail.com> Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
show more ...
|
#
48a4ff1c |
| 12-Dec-2017 |
Alan Stern <stern@rowland.harvard.edu> |
USB: core: prevent malicious bNumInterfaces overflow
A malicious USB device with crafted descriptors can cause the kernel to access unallocated memory by setting the bNumInterfaces value too high in
USB: core: prevent malicious bNumInterfaces overflow
A malicious USB device with crafted descriptors can cause the kernel to access unallocated memory by setting the bNumInterfaces value too high in a configuration descriptor. Although the value is adjusted during parsing, this adjustment is skipped in one of the error return paths.
This patch prevents the problem by setting bNumInterfaces to 0 initially. The existing code already sets it to the proper value after parsing is complete.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu> Reported-by: Andrey Konovalov <andreyknvl@google.com> CC: <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
show more ...
|
#
cf4df407 |
| 13-Dec-2017 |
Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
Revert "USB: core: only clean up what we allocated"
This reverts commit 32fd87b3bbf5f7a045546401dfe2894dbbf4d8c3.
Alan wrote a better fix for this...
Cc: Andrey Konovalov <andreyknvl@google.com> C
Revert "USB: core: only clean up what we allocated"
This reverts commit 32fd87b3bbf5f7a045546401dfe2894dbbf4d8c3.
Alan wrote a better fix for this...
Cc: Andrey Konovalov <andreyknvl@google.com> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
show more ...
|