mirrors
/
linux-stable
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
1
0
Fork 0
Code Issues Releases Wiki Activity

USB fixes for 5.17 

Here are some small remaining USB fixes for 5.17-final.
 
 They include:
 	- two USB gadget driver fixes for reported problems
 	- usbtmc driver fix for syzbot found issues
 	- musb patch partial revert to resolve a reported regression.
 
 All of these have been in linux-next this week with no reported
 problems.
 
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 -----BEGIN PGP SIGNATURE-----
 
 iG0EABECAC0WIQT0tgzFv3jCIUoxPcsxR9QN2y37KQUCYjWSaw8cZ3JlZ0Brcm9h
 aC5jb20ACgkQMUfUDdst+yntPwCbBiAyqbzAjZnKC8HIFN/AbfAt3mMAn3zwhpSg
 Sbgoj2DwSpS6mTxXRy43
 =/Z/U
 -----END PGP SIGNATURE-----

Merge tag 'usb-5.17-final' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb

Pull USB fixes from Greg KH:
 "Here are some small remaining USB fixes for 5.17-final.

  They include:

   - two USB gadget driver fixes for reported problems

   - usbtmc driver fix for syzbot found issues

   - musb patch partial revert to resolve a reported regression.

  All of these have been in linux-next this week with no reported
  problems"

* tag 'usb-5.17-final' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
  usb: gadget: Fix use-after-free bug by not setting udc->dev.driver
  usb: usbtmc: Fix bug in pipe direction for control transfers
  partially Revert "usb: musb: Set the DT node on the child device"
  usb: gadget: rndis: prevent integer overflow in rndis_set_response()
This commit is contained in:
Linus Torvalds 2022-03-19 10:16:33 -07:00
parent 34e047aa16 16b1941eac
commit 6aa61c12a4
4 changed files with 11 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
drivers/usb/class/usbtmc.c
View File

@ -1919,6 +1919,7 @@ static int usbtmc_ioctl_request(struct usbtmc_device_data *data,
struct usbtmc_ctrlrequest request;
u8 *buffer = NULL;
int rv;
unsigned int is_in, pipe;
unsigned long res;
res = copy_from_user(&request, arg, sizeof(struct usbtmc_ctrlrequest));
@ -1928,12 +1929,14 @@ static int usbtmc_ioctl_request(struct usbtmc_device_data *data,
if (request.req.wLength > USBTMC_BUFSIZE)
return -EMSGSIZE;
is_in = request.req.bRequestType & USB_DIR_IN;
if (request.req.wLength) {
buffer = kmalloc(request.req.wLength, GFP_KERNEL);
if (!buffer)
return -ENOMEM;
if ((request.req.bRequestType & USB_DIR_IN) == 0) {
if (!is_in) {
/* Send control data to device */
res = copy_from_user(buffer, request.data,
request.req.wLength);
@ -1944,8 +1947,12 @@ static int usbtmc_ioctl_request(struct usbtmc_device_data *data,
}
}
if (is_in)
pipe = usb_rcvctrlpipe(data->usb_dev, 0);
else
pipe = usb_sndctrlpipe(data->usb_dev, 0);
rv = usb_control_msg(data->usb_dev,
usb_rcvctrlpipe(data->usb_dev, 0),
pipe,
request.req.bRequest,
request.req.bRequestType,
request.req.wValue,
@ -1957,7 +1964,7 @@ static int usbtmc_ioctl_request(struct usbtmc_device_data *data,
goto exit;
}
if (rv && (request.req.bRequestType & USB_DIR_IN)) {
if (rv && is_in) {
/* Read control data from device */
res = copy_to_user(request.data, buffer, rv);
if (res)

1
drivers/usb/gadget/function/rndis.c
View File

@ -640,6 +640,7 @@ static int rndis_set_response(struct rndis_params *params,
BufLength = le32_to_cpu(buf->InformationBufferLength);
BufOffset = le32_to_cpu(buf->InformationBufferOffset);
if ((BufLength > RNDIS_MAX_TOTAL_SIZE) ||
(BufOffset > RNDIS_MAX_TOTAL_SIZE) ||
(BufOffset + 8 >= RNDIS_MAX_TOTAL_SIZE))
return -EINVAL;

3
drivers/usb/gadget/udc/core.c
View File

@ -1436,7 +1436,6 @@ static void usb_gadget_remove_driver(struct usb_udc *udc)
usb_gadget_udc_stop(udc);
udc->driver = NULL;
udc->dev.driver = NULL;
udc->gadget->dev.driver = NULL;
}
@ -1498,7 +1497,6 @@ static int udc_bind_to_driver(struct usb_udc *udc, struct usb_gadget_driver *dri
driver->function);
udc->driver = driver;
udc->dev.driver = &driver->driver;
udc->gadget->dev.driver = &driver->driver;
usb_gadget_udc_set_speed(udc, driver->max_speed);
@ -1521,7 +1519,6 @@ err1:
dev_err(&udc->dev, "failed to start %s: %d\n",
udc->driver->function, ret);
udc->driver = NULL;
udc->dev.driver = NULL;
udc->gadget->dev.driver = NULL;
return ret;
}

1
drivers/usb/musb/omap2430.c
View File

@ -327,7 +327,6 @@ static int omap2430_probe(struct platform_device *pdev)
musb->dev.parent = &pdev->dev;
musb->dev.dma_mask = &omap2430_dmamask;
musb->dev.coherent_dma_mask = omap2430_dmamask;
device_set_of_node_from_dev(&musb->dev, &pdev->dev);
glue->dev = &pdev->dev;
glue->musb = musb;