linux-stable.git/drivers/usb/core/devio.c, branch linux-2.6.33.y Linux kernel stable tree USB: pid_ns: ensure pid is not freed during kill_pid_info_as_uid 2011-11-07T21:47:17+00:00 Serge Hallyn serge.hallyn@canonical.com 2011-09-26T15:18:29+00:00 03c47d73c14c9859e092a2c6346c278942876caa commit aec01c5895051849ed842dc5b8794017a7751f28 upstream. Alan Stern points out that after spin_unlock(&ps->lock) there is no guarantee that ps->pid won't be freed. Since kill_pid_info_as_uid() is called after the spin_unlock(), the pid passed to it must be pinned. Reported-by: Alan Stern <stern@rowland.harvard.edu> Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 
commit aec01c5895051849ed842dc5b8794017a7751f28 upstream.

Alan Stern points out that after spin_unlock(&ps->lock) there is no
guarantee that ps->pid won't be freed.  Since kill_pid_info_as_uid() is
called after the spin_unlock(), the pid passed to it must be pinned.

Reported-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
usb/core/devio.c: Check for printer class specific request 2011-11-07T21:47:16+00:00 Matthias Dellweg 2500@gmx.de 2011-09-25T12:26:25+00:00 edd9f053b52d5882c9c37432939e03db8634ebc0 commit 393cbb5151ecda9f9e14e3082d048dd27a1ff9f6 upstream. In the usb printer class specific request get_device_id the value of wIndex is (interface << 8 | altsetting) instead of just interface. This enables the detection of some printers with libusb. Acked-by: Alan Stern <stern@rowland.harvard.edu> Signed-off-by: Matthias Dellweg <2500@gmx.de> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 
commit 393cbb5151ecda9f9e14e3082d048dd27a1ff9f6 upstream.

In the usb printer class specific request get_device_id the value of
wIndex is (interface << 8 | altsetting) instead of just interface.
This enables the detection of some printers with libusb.

Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Matthias Dellweg <2500@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
usb: core: fix information leak to userland 2011-03-21T19:44:01+00:00 Vasiliy Kulikov segooon@gmail.com 2010-11-06T14:41:28+00:00 9f34fd7e76428bdd07f4ad10320b06f53b0b6ab2 commit 886ccd4520064408ce5876cfe00554ce52ecf4a7 upstream. Structure usbdevfs_connectinfo is copied to userland with padding byted after "slow" field uninitialized. It leads to leaking of contents of kernel stack memory. Signed-off-by: Vasiliy Kulikov <segooon@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 
commit 886ccd4520064408ce5876cfe00554ce52ecf4a7 upstream.

Structure usbdevfs_connectinfo is copied to userland with padding byted
after "slow" field uninitialized.  It leads to leaking of contents of
kernel stack memory.

Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
USB: fix usbfs regression 2010-04-01T23:01:36+00:00 Alan Stern stern@rowland.harvard.edu 2010-03-06T20:04:03+00:00 55fe2557940e0cd1d88aa89ef580089698a7dac1 commit 7152b592593b9d48b33f8997b1dfd6df9143f7ec upstream. This patch (as1352) fixes a bug in the way isochronous input data is returned to userspace for usbfs transfers. The entire buffer must be copied, not just the first actual_length bytes, because the individual packets will be discontiguous if any of them are short. Reported-by: Markus Rechberger <mrechberger@gmail.com> Signed-off-by: Alan Stern <stern@rowland.harvard.edu> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 
commit 7152b592593b9d48b33f8997b1dfd6df9143f7ec upstream.

This patch (as1352) fixes a bug in the way isochronous input data is
returned to userspace for usbfs transfers.  The entire buffer must be
copied, not just the first actual_length bytes, because the individual
packets will be discontiguous if any of them are short.

Reported-by: Markus Rechberger <mrechberger@gmail.com>
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
USB: usbfs: properly clean up the as structure on error paths 2010-02-16T23:11:02+00:00 Linus Torvalds torvalds@linux-foundation.org 2010-02-16T20:35:07+00:00 ddeee0b2eec2a51b0712b04de4b39e7bec892a53 I notice that the processcompl_compat() function seems to be leaking the 'struct async *as' in the error paths. I think that the calling convention is fundamentally buggered. The caller is the one that did the "reap_as()" to get the as thing, the caller should be the one to free it too. Freeing it in the caller also means that it very clearly always gets freed, and avoids the need for any "free in the error case too". From: Linus Torvalds <torvalds@linux-foundation.org> Cc: Alan Stern <stern@rowland.harvard.edu> Cc: Marcus Meissner <meissner@suse.de> Cc: stable <stable@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 
I notice that the processcompl_compat() function seems to be leaking the
'struct async *as' in the error paths. 

I think that the calling convention is fundamentally buggered. The
caller is the one that did the "reap_as()" to get the as thing, the
caller should be the one to free it too. 

Freeing it in the caller also means that it very clearly always gets
freed, and avoids the need for any "free in the error case too".

From: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Alan Stern <stern@rowland.harvard.edu>
Cc: Marcus Meissner <meissner@suse.de>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
USB: usbfs: only copy the actual data received 2010-02-16T23:11:01+00:00 Greg KH greg@kroah.com 2010-02-15T17:37:46+00:00 d4a4683ca054ed9917dfc9e3ff0f7ecf74ad90d6 We need to only copy the data received by the device to userspace, not the whole kernel buffer, which can contain "stale" data. Thanks to Marcus Meissner for pointing this out and testing the fix. Reported-by: Marcus Meissner <meissner@suse.de> Tested-by: Marcus Meissner <meissner@suse.de> Cc: Alan Stern <stern@rowland.harvard.edu> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: stable <stable@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 
We need to only copy the data received by the device to userspace, not
the whole kernel buffer, which can contain "stale" data.

Thanks to Marcus Meissner for pointing this out and testing the fix.

Reported-by: Marcus Meissner <meissner@suse.de>
Tested-by: Marcus Meissner <meissner@suse.de>
Cc: Alan Stern <stern@rowland.harvard.edu>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
usbdevfs: move compat_ioctl handling to devio.c 2009-12-10T21:55:37+00:00 Arnd Bergmann arnd@arndb.de 2009-11-14T01:28:05+00:00 637e8a60a7aaf4ef7d46cfdf83bcfac9cf6f0fbd Half the compat_ioctl handling is in devio.c, the other half is in fs/compat_ioctl.c. This moves everything into one place for consistency. As a positive side-effect, push down the BKL into the ioctl methods. Signed-off-by: Arnd Bergmann <arnd@arndb.de> Acked-by: Greg Kroah-Hartman <gregkh@suse.de> Cc: Alan Stern <stern@rowland.harvard.edu> Cc: Oliver Neukum <oliver@neukum.org> Cc: Alon Bar-Lev <alon.barlev@gmail.com> Cc: David Vrabel <david.vrabel@csr.com> Cc: linux-usb@vger.kernel.org 
Half the compat_ioctl handling is in devio.c, the other
half is in fs/compat_ioctl.c. This moves everything into
one place for consistency.

As a positive side-effect, push down the BKL into the
ioctl methods.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Greg Kroah-Hartman <gregkh@suse.de>
Cc: Alan Stern <stern@rowland.harvard.edu>
Cc: Oliver Neukum <oliver@neukum.org>
Cc: Alon Bar-Lev <alon.barlev@gmail.com>
Cc: David Vrabel <david.vrabel@csr.com>
Cc: linux-usb@vger.kernel.org
USB: usbfs: add USBDEVFS_URB_BULK_CONTINUATION flag 2009-09-23T13:46:39+00:00 Alan Stern stern@rowland.harvard.edu 2009-09-01T15:09:56+00:00 01c6460f968d7b57fc6f98adb587952628c6e099 This patch (as1283) adds a new flag, USBDEVFS_URB_BULK_CONTINUATION, to usbfs. It is intended for userspace libraries such as libusb and openusb. When they have to break up a single usbfs bulk transfer into multiple URBs, they will set the flag on all but the first URB of the series. If an error other than an unlink occurs, the kernel will automatically cancel all the following URBs for the same endpoint and refuse to accept new submissions, until an URB is encountered that is not marked as a BULK_CONTINUATION. Such an URB would indicate the start of a new transfer or the presence of an older library, so the kernel returns to normal operation. This enables libraries to delimit bulk transfers correctly, even in the presence of early termination as indicated by short packets. Signed-off-by: Alan Stern <stern@rowland.harvard.edu> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 
This patch (as1283) adds a new flag, USBDEVFS_URB_BULK_CONTINUATION,
to usbfs.  It is intended for userspace libraries such as libusb and
openusb.  When they have to break up a single usbfs bulk transfer into
multiple URBs, they will set the flag on all but the first URB of the
series.

If an error other than an unlink occurs, the kernel will automatically
cancel all the following URBs for the same endpoint and refuse to
accept new submissions, until an URB is encountered that is not marked
as a BULK_CONTINUATION.  Such an URB would indicate the start of a new
transfer or the presence of an older library, so the kernel returns to
normal operation.

This enables libraries to delimit bulk transfers correctly, even in
the presence of early termination as indicated by short packets.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
USB: increase usbdevfs max isoc buffer size 2009-09-23T13:46:33+00:00 Markus Rechberger mrechberger@gmail.com 2009-08-09T19:23:34+00:00 5971897f3025249c0eea1987fb12efb8c65c93a4 The current limit only allows isochronous transfers up to 32kbyte/urb, updating this to 192 kbyte/urb improves the reliability of the transfer. USB 2.0 transfer is possible with 32kbyte but increases the chance of corrupted/incomplete data when the system is performing some other tasks in the background. http://www.spinics.net/lists/linux-usb/msg19955.html Signed-off-by: Markus Rechberger <mrechberger@gmail.com> Cc: Oliver Neukum <oliver@neukum.org> Cc: Alan Stern <stern@rowland.harvard.edu> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 
The current limit only allows isochronous transfers up to 32kbyte/urb,
updating this to 192 kbyte/urb improves the reliability of the
transfer. USB 2.0 transfer is possible with 32kbyte but increases the
chance of corrupted/incomplete data when the system is performing some
other tasks in the background.

http://www.spinics.net/lists/linux-usb/msg19955.html

Signed-off-by: Markus Rechberger <mrechberger@gmail.com>
Cc: Oliver Neukum <oliver@neukum.org>
Cc: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
USB: make the "usbfs_snoop" log more pertinent 2009-09-23T13:46:23+00:00 Alan Stern stern@rowland.harvard.edu 2009-06-29T15:02:04+00:00 4c6e8971cbe0148085fcf6fd30eaa3c39f8a8cce This patch (as1261) reduces the amount of detailed URB information logged by usbfs when the usbfs_snoop parameter is enabled. Currently we don't display the final status value for a completed URB. But we do display the entire data buffer twice: both before submission and after completion. The after-completion display doesn't limit itself to the actual_length value. But since usbmon is readily available in virtually all distributions, there's no reason for usbfs to print out any buffer contents at all! So this patch restricts the information to: userspace buffer pointer, endpoint number, type, and direction, length or actual_length, and timeout value or status. Now everything fits neatly into a single line. Along with those changes, the patch also fixes the snoop output for the REAPURBNDELAY and REAPURBNDELAY32 ioctls. The current version omits the 'N' from the names. Signed-off-by: Alan Stern <stern@rowland.harvard.edu> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 
This patch (as1261) reduces the amount of detailed URB information
logged by usbfs when the usbfs_snoop parameter is enabled.

Currently we don't display the final status value for a completed URB.
But we do display the entire data buffer twice: both before submission
and after completion.  The after-completion display doesn't limit
itself to the actual_length value.  But since usbmon is readily
available in virtually all distributions, there's no reason for usbfs
to print out any buffer contents at all!

So this patch restricts the information to: userspace buffer pointer,
endpoint number, type, and direction, length or actual_length, and
timeout value or status.  Now everything fits neatly into a single
line.

Along with those changes, the patch also fixes the snoop output for
the REAPURBNDELAY and REAPURBNDELAY32 ioctls.  The current version
omits the 'N' from the names.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>