linux-stable.git/drivers/usb/core/devio.c, branch linux-2.6.27.y Linux kernel stable tree usb: core: fix information leak to userland 2010-12-09T21:24:18+00:00 Vasiliy Kulikov segooon@gmail.com 2010-11-06T14:41:28+00:00 3ddf4f97bee674e72412d9b0a3be2695d80dad3a commit 886ccd4520064408ce5876cfe00554ce52ecf4a7 upstream. Structure usbdevfs_connectinfo is copied to userland with padding byted after "slow" field uninitialized. It leads to leaking of contents of kernel stack memory. Signed-off-by: Vasiliy Kulikov <segooon@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 
commit 886ccd4520064408ce5876cfe00554ce52ecf4a7 upstream.

Structure usbdevfs_connectinfo is copied to userland with padding byted
after "slow" field uninitialized.  It leads to leaking of contents of
kernel stack memory.

Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
USB: fix usbfs regression 2010-04-01T22:52:29+00:00 Alan Stern stern@rowland.harvard.edu 2010-03-06T20:04:03+00:00 aaaa549b386fdd80b93b447541f42b313b103f95 commit 7152b592593b9d48b33f8997b1dfd6df9143f7ec upstream. This patch (as1352) fixes a bug in the way isochronous input data is returned to userspace for usbfs transfers. The entire buffer must be copied, not just the first actual_length bytes, because the individual packets will be discontiguous if any of them are short. Reported-by: Markus Rechberger <mrechberger@gmail.com> Signed-off-by: Alan Stern <stern@rowland.harvard.edu> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 
commit 7152b592593b9d48b33f8997b1dfd6df9143f7ec upstream.

This patch (as1352) fixes a bug in the way isochronous input data is
returned to userspace for usbfs transfers.  The entire buffer must be
copied, not just the first actual_length bytes, because the individual
packets will be discontiguous if any of them are short.

Reported-by: Markus Rechberger <mrechberger@gmail.com>
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
USB: usbfs: properly clean up the as structure on error paths 2010-04-01T22:52:22+00:00 Linus Torvalds torvalds@linux-foundation.org 2010-02-16T20:35:07+00:00 ffa27b3ddf12952737dcf30b83e56e3da4e965bd commit ddeee0b2eec2a51b0712b04de4b39e7bec892a53 upstream. I notice that the processcompl_compat() function seems to be leaking the 'struct async *as' in the error paths. I think that the calling convention is fundamentally buggered. The caller is the one that did the "reap_as()" to get the as thing, the caller should be the one to free it too. Freeing it in the caller also means that it very clearly always gets freed, and avoids the need for any "free in the error case too". From: Linus Torvalds <torvalds@linux-foundation.org> Cc: Alan Stern <stern@rowland.harvard.edu> Cc: Marcus Meissner <meissner@suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 
commit ddeee0b2eec2a51b0712b04de4b39e7bec892a53 upstream.

I notice that the processcompl_compat() function seems to be leaking the
'struct async *as' in the error paths.

I think that the calling convention is fundamentally buggered. The
caller is the one that did the "reap_as()" to get the as thing, the
caller should be the one to free it too.

Freeing it in the caller also means that it very clearly always gets
freed, and avoids the need for any "free in the error case too".

From: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Alan Stern <stern@rowland.harvard.edu>
Cc: Marcus Meissner <meissner@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
USB: usbfs: only copy the actual data received 2010-04-01T22:52:22+00:00 Greg KH greg@kroah.com 2010-02-15T17:37:46+00:00 00400c98e8359ec5ecec199d66fbf25b944b8834 commit d4a4683ca054ed9917dfc9e3ff0f7ecf74ad90d6 upstream. We need to only copy the data received by the device to userspace, not the whole kernel buffer, which can contain "stale" data. Thanks to Marcus Meissner for pointing this out and testing the fix. Reported-by: Marcus Meissner <meissner@suse.de> Tested-by: Marcus Meissner <meissner@suse.de> Cc: Alan Stern <stern@rowland.harvard.edu> Cc: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 
commit d4a4683ca054ed9917dfc9e3ff0f7ecf74ad90d6 upstream.

We need to only copy the data received by the device to userspace, not
the whole kernel buffer, which can contain "stale" data.

Thanks to Marcus Meissner for pointing this out and testing the fix.

Reported-by: Marcus Meissner <meissner@suse.de>
Tested-by: Marcus Meissner <meissner@suse.de>
Cc: Alan Stern <stern@rowland.harvard.edu>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
USB: usbfs: fix -ENOENT error code to be -ENODEV 2009-08-16T21:27:30+00:00 Alan Stern stern@rowland.harvard.edu 2009-07-30T19:28:14+00:00 3e16ba377737c5815cd1d6315c3cffe9c6e388ad commit 01105a246345f011fde64d24a601090b646e9e4c upstream. This patch (as1272) changes the error code returned when an open call for a USB device node fails to locate the corresponding device. The appropriate error code is -ENODEV, not -ENOENT. Signed-off-by: Alan Stern <stern@rowland.harvard.edu> CC: Kay Sievers <kay.sievers@vrfy.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 
commit 01105a246345f011fde64d24a601090b646e9e4c upstream.

This patch (as1272) changes the error code returned when an open call
for a USB device node fails to locate the corresponding device.  The
appropriate error code is -ENODEV, not -ENOENT.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
CC: Kay Sievers <kay.sievers@vrfy.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
USB: devio: Properly do access_ok() checks 2009-08-16T21:27:21+00:00 Michael Buesch mb@bu3sch.de 2009-07-29T09:39:03+00:00 0517d13f5206dcb7c09087ee3d7e522fdc9af2e3 commit 18753ebc8a98efe0e8ff6167afb31cef220c8e50 upstream. access_ok() checks must be done on every part of the userspace structure that is accessed. If access_ok() on one part of the struct succeeded, it does not imply it will succeed on other parts of the struct. (Does depend on the architecture implementation of access_ok()). This changes the __get_user() users to first check access_ok() on the data structure. Signed-off-by: Michael Buesch <mb@bu3sch.de> Cc: Pete Zaitcev <zaitcev@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 
commit 18753ebc8a98efe0e8ff6167afb31cef220c8e50 upstream.

access_ok() checks must be done on every part of the userspace structure
that is accessed. If access_ok() on one part of the struct succeeded, it
does not imply it will succeed on other parts of the struct. (Does
depend on the architecture implementation of access_ok()).

This changes the __get_user() users to first check access_ok() on the
data structure.

Signed-off-by: Michael Buesch <mb@bu3sch.de>
Cc: Pete Zaitcev <zaitcev@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
USB: handle zero-length usbfs submissions correctly 2009-07-30T23:06:03+00:00 Alan Stern stern@rowland.harvard.edu 2009-06-29T15:04:54+00:00 0a9b8d3bae0dfe231e244e3b1952886248bd683e commit 9180135bc80ab11199d482b6111e23f74d65af4a upstream. This patch (as1262) fixes a bug in usbfs: It refuses to accept zero-length transfers, and it insists that the buffer pointer be valid even if there is no data being transferred. The patch also consolidates a bunch of repetitive access_ok() checks into a single check, which incidentally fixes the lack of such a check for Isochronous URBs. Signed-off-by: Alan Stern <stern@rowland.harvard.edu> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 
commit 9180135bc80ab11199d482b6111e23f74d65af4a upstream.

This patch (as1262) fixes a bug in usbfs: It refuses to accept
zero-length transfers, and it insists that the buffer pointer be valid
even if there is no data being transferred.

The patch also consolidates a bunch of repetitive access_ok() checks
into a single check, which incidentally fixes the lack of such a check
for Isochronous URBs.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
USB: fix memleak in usbfs 2009-07-30T23:06:02+00:00 Oliver Neukum oliver@neukum.org 2009-06-28T21:34:14+00:00 4f487d4dae272ae4431af968d67aa358d59c5479 commit d794a02111cd3393da69bc7d6dd2b6074bd037cc upstream. This patch fixes a memory leak in devio.c::processcompl If writing to user space fails the packet must be discarded, as it already has been removed from the queue of completed packets. Signed-off-by: Oliver Neukum <oliver@neukum.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 
commit d794a02111cd3393da69bc7d6dd2b6074bd037cc upstream.

This patch fixes a memory leak in devio.c::processcompl

If writing to user space fails the packet must be discarded, as it
already has been removed from the queue of completed packets.

Signed-off-by: Oliver Neukum <oliver@neukum.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
USB: usbfs: keep async URBs until the device file is closed 2009-03-23T22:00:12+00:00 Alan Stern stern@rowland.harvard.edu 2009-03-09T17:44:02+00:00 2de0d862426bc8fc36b9a65622ec00f92e6c6acf commit 6ff10464096540e14d7575a72c50d0316d003714 upstream. The usbfs driver manages a list of completed asynchronous URBs. But it is too eager to free the entries on this list: destroy_async() gets called whenever an interface is unbound or a device is removed, and it deallocates the outstanding struct async entries for all URBs on that interface or device. This is wrong; the user program should be able to reap an URB any time after it has completed, regardless of whether or not the interface is still bound or the device is still present. This patch (as1222) moves the code for deallocating the completed list entries from destroy_async() to usbdev_release(). The outstanding entries won't be freed until the user program has closed the device file, thereby eliminating any possibility that the remaining URBs might still be reaped. This fixes a bug in which a program can hang in the USBDEVFS_REAPURB ioctl when the device is unplugged. Reported-and-tested-by: Martin Poupe <martin.poupe@upek.com> Signed-off-by: Alan Stern <stern@rowland.harvard.edu> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 
commit 6ff10464096540e14d7575a72c50d0316d003714 upstream.

The usbfs driver manages a list of completed asynchronous URBs.  But
it is too eager to free the entries on this list: destroy_async() gets
called whenever an interface is unbound or a device is removed, and it
deallocates the outstanding struct async entries for all URBs on that
interface or device.  This is wrong; the user program should be able
to reap an URB any time after it has completed, regardless of whether
or not the interface is still bound or the device is still present.

This patch (as1222) moves the code for deallocating the completed list
entries from destroy_async() to usbdev_release().  The outstanding
entries won't be freed until the user program has closed the device
file, thereby eliminating any possibility that the remaining URBs
might still be reaped.

This fixes a bug in which a program can hang in the USBDEVFS_REAPURB
ioctl when the device is unplugged.

Reported-and-tested-by: Martin Poupe <martin.poupe@upek.com>
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
USB: fix char-device disconnect handling 2009-02-02T16:28:11+00:00 Alan Stern stern@rowland.harvard.edu 2009-01-13T16:33:42+00:00 bb74fdbb0c7138a397b58141791eae4b2e7e4cfe commit 501950d846218ed80a776d2aae5aed9c8b92e778 upstream. This patch (as1198) fixes a conceptual bug: Somewhere along the line we managed to confuse USB class devices with USB char devices. As a result, the code to send a disconnect signal to userspace would not be built if both CONFIG_USB_DEVICE_CLASS and CONFIG_USB_DEVICEFS were disabled. The usb_fs_classdev_common_remove() routine has been renamed to usbdev_remove() and it is now called whenever any USB device is removed, not just when a class device is unregistered. The notifier registration and unregistration calls are no longer conditionally compiled. And since the common removal code will always be called as part of the char device interface, there's no need to call it again as part of the usbfs interface; thus the invocation of usb_fs_classdev_common_remove() has been taken out of usbfs_remove_device(). Signed-off-by: Alan Stern <stern@rowland.harvard.edu> Reported-by: Alon Bar-Lev <alon.barlev@gmail.com> Tested-by: Alon Bar-Lev <alon.barlev@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 
commit 501950d846218ed80a776d2aae5aed9c8b92e778 upstream.

This patch (as1198) fixes a conceptual bug: Somewhere along the line
we managed to confuse USB class devices with USB char devices.  As a
result, the code to send a disconnect signal to userspace would not be
built if both CONFIG_USB_DEVICE_CLASS and CONFIG_USB_DEVICEFS were
disabled.

The usb_fs_classdev_common_remove() routine has been renamed to
usbdev_remove() and it is now called whenever any USB device is
removed, not just when a class device is unregistered.  The notifier
registration and unregistration calls are no longer conditionally
compiled.  And since the common removal code will always be called as
part of the char device interface, there's no need to call it again as
part of the usbfs interface; thus the invocation of
usb_fs_classdev_common_remove() has been taken out of
usbfs_remove_device().

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Alon Bar-Lev <alon.barlev@gmail.com>
Tested-by: Alon Bar-Lev <alon.barlev@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>