<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/drivers/usb/gadget, branch linux-3.12.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>ACM gadget: fix endianness in notifications</title>
<updated>2017-04-07T08:38:25+00:00</updated>
<author>
<name>Oliver Neukum</name>
<email>oneukum@suse.com</email>
</author>
<published>2017-03-14T11:09:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=1fe96ca018e25a99c4b2fc84acc6e95b53668f70'/>
<id>1fe96ca018e25a99c4b2fc84acc6e95b53668f70</id>
<content type='text'>
commit cdd7928df0d2efaa3270d711963773a08a4cc8ab upstream.

The gadget code exports the bitfield for serial status changes
over the wire in its internal endianness. The fix is to convert
to little endian before sending it over the wire.

Signed-off-by: Oliver Neukum &lt;oneukum@suse.com&gt;
Tested-by: 家瑋 &lt;momo1208@gmail.com&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;

</content>
</entry>
<entry>
<title>usb: gadget: composite: always set ep-&gt;mult to a sensible value</title>
<updated>2017-01-26T16:40:21+00:00</updated>
<author>
<name>Felipe Balbi</name>
<email>felipe.balbi@linux.intel.com</email>
</author>
<published>2016-09-28T09:33:31+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=6e89266fa6eedba557c0a602acb4f60ff5a1543c'/>
<id>6e89266fa6eedba557c0a602acb4f60ff5a1543c</id>
<content type='text'>
commit eaa496ffaaf19591fe471a36cef366146eeb9153 upstream.

ep-&gt;mult is supposed to be set to Isochronous and
Interrupt Endpoint's multiplier value. This value
is computed from different places depending on the
link speed.

If we're dealing with HighSpeed, then it's part of
bits [12:11] of wMaxPacketSize. This case wasn't
taken into consideration before.

While at that, also make sure the ep-&gt;mult defaults
to one so drivers can use it unconditionally and
assume they'll never multiply ep-&gt;maxpacket to zero.

Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;

</content>
</entry>
<entry>
<title>usb: gadget: composite: Test get_alt() presence instead of set_alt()</title>
<updated>2017-01-26T16:39:29+00:00</updated>
<author>
<name>Krzysztof Opasiak</name>
<email>k.opasiak@samsung.com</email>
</author>
<published>2016-12-20T18:52:16+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=d1324a5fceb1883cfdd5edc0cc5ad4c713eef0e1'/>
<id>d1324a5fceb1883cfdd5edc0cc5ad4c713eef0e1</id>
<content type='text'>
commit 7e4da3fcf7c9fe042f2f7cb7bf23861a899b4a8f upstream.

By convention (according to doc) if a function does not provide a
get_alt() callback, the composite framework should assume that it has only
altsetting 0 and should respond with an error if the host tries to set
another one.

After commit dd4dff8b035f ("USB: composite: Fix bug: should test
set_alt function pointer before use it")
we started checking set_alt() callback instead of get_alt().
This check is useless as we check if set_alt() is set inside
usb_add_function() and fail if it's NULL.

Let's fix this check and move the comment about why we check the get
method instead of set a little bit closer to prevent future false
fixes.

Fixes: dd4dff8b035f ("USB: composite: Fix bug: should test set_alt function pointer before use it")
Signed-off-by: Krzysztof Opasiak &lt;k.opasiak@samsung.com&gt;
Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;

</content>
</entry>
<entry>
<title>USB: dummy-hcd: fix bug in stop_activity (handle ep0)</title>
<updated>2017-01-26T16:39:28+00:00</updated>
<author>
<name>Alan Stern</name>
<email>stern@rowland.harvard.edu</email>
</author>
<published>2016-12-14T19:55:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=02578fc2d6f4c647ca8e53bbefb6342a8fb01d7e'/>
<id>02578fc2d6f4c647ca8e53bbefb6342a8fb01d7e</id>
<content type='text'>
commit bcdbeb844773333d2d1c08004f3b3e25921040e5 upstream.

The stop_activity() routine in dummy-hcd is supposed to unlink all
active requests for every endpoint, among other things.  But it
doesn't handle ep0.  As a result, fuzz testing can generate a WARNING
like the following:

WARNING: CPU: 0 PID: 4410 at drivers/usb/gadget/udc/dummy_hcd.c:672 dummy_free_request+0x153/0x170
Modules linked in:
CPU: 0 PID: 4410 Comm: syz-executor Not tainted 4.9.0-rc7+ #32
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 ffff88006a64ed10 ffffffff81f96b8a ffffffff41b58ab3 1ffff1000d4c9d35
 ffffed000d4c9d2d ffff880065f8ac00 0000000041b58ab3 ffffffff8598b510
 ffffffff81f968f8 0000000041b58ab3 ffffffff859410e0 ffffffff813f0590
Call Trace:
 [&lt;     inline     &gt;] __dump_stack lib/dump_stack.c:15
 [&lt;ffffffff81f96b8a&gt;] dump_stack+0x292/0x398 lib/dump_stack.c:51
 [&lt;ffffffff812b808f&gt;] __warn+0x19f/0x1e0 kernel/panic.c:550
 [&lt;ffffffff812b831c&gt;] warn_slowpath_null+0x2c/0x40 kernel/panic.c:585
 [&lt;ffffffff830fcb13&gt;] dummy_free_request+0x153/0x170 drivers/usb/gadget/udc/dummy_hcd.c:672
 [&lt;ffffffff830ed1b0&gt;] usb_ep_free_request+0xc0/0x420 drivers/usb/gadget/udc/core.c:195
 [&lt;ffffffff83225031&gt;] gadgetfs_unbind+0x131/0x190 drivers/usb/gadget/legacy/inode.c:1612
 [&lt;ffffffff830ebd8f&gt;] usb_gadget_remove_driver+0x10f/0x2b0 drivers/usb/gadget/udc/core.c:1228
 [&lt;ffffffff830ec084&gt;] usb_gadget_unregister_driver+0x154/0x240 drivers/usb/gadget/udc/core.c:1357

This patch fixes the problem by iterating over all the endpoints in
the driver's ep array instead of iterating over the gadget's ep_list,
which explicitly leaves out ep0.

Signed-off-by: Alan Stern &lt;stern@rowland.harvard.edu&gt;
Reported-by: Andrey Konovalov &lt;andreyknvl@google.com&gt;
Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;

</content>
</entry>
<entry>
<title>USB: gadgetfs: fix checks of wTotalLength in config descriptors</title>
<updated>2017-01-26T16:39:27+00:00</updated>
<author>
<name>Alan Stern</name>
<email>stern@rowland.harvard.edu</email>
</author>
<published>2016-12-09T20:24:24+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=8e60e3f7a747b310e019312a761c145f10c6bb7d'/>
<id>8e60e3f7a747b310e019312a761c145f10c6bb7d</id>
<content type='text'>
commit 1c069b057dcf64fada952eaa868d35f02bb0cfc2 upstream.

Andrey Konovalov's fuzz testing of gadgetfs showed that we should
improve the driver's checks for valid configuration descriptors passed
in by the user.  In particular, the driver needs to verify that the
wTotalLength value in the descriptor is not too short (smaller
than USB_DT_CONFIG_SIZE).  And the check for whether wTotalLength is
too large has to be changed, because the driver assumes there is
always enough room remaining in the buffer to hold a device descriptor
(at least USB_DT_DEVICE_SIZE bytes).

This patch adds the additional check and fixes the existing check.  It
may do a little more than strictly necessary, but one extra check
won't hurt.

Signed-off-by: Alan Stern &lt;stern@rowland.harvard.edu&gt;
CC: Andrey Konovalov &lt;andreyknvl@google.com&gt;
Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;

</content>
</entry>
<entry>
<title>USB: gadgetfs: fix use-after-free bug</title>
<updated>2017-01-26T16:39:26+00:00</updated>
<author>
<name>Alan Stern</name>
<email>stern@rowland.harvard.edu</email>
</author>
<published>2016-12-09T20:18:43+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=c67399bee66b13c6a9411679b102aa068fd8036d'/>
<id>c67399bee66b13c6a9411679b102aa068fd8036d</id>
<content type='text'>
commit add333a81a16abbd4f106266a2553677a165725f upstream.

Andrey Konovalov reports that fuzz testing with syzkaller causes a
KASAN use-after-free bug report in gadgetfs:

BUG: KASAN: use-after-free in gadgetfs_setup+0x208a/0x20e0 at addr ffff88003dfe5bf2
Read of size 2 by task syz-executor0/22994
CPU: 3 PID: 22994 Comm: syz-executor0 Not tainted 4.9.0-rc7+ #16
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 ffff88006df06a18 ffffffff81f96aba ffffffffe0528500 1ffff1000dbe0cd6
 ffffed000dbe0cce ffff88006df068f0 0000000041b58ab3 ffffffff8598b4c8
 ffffffff81f96828 1ffff1000dbe0ccd ffff88006df06708 ffff88006df06748
Call Trace:
 &lt;IRQ&gt; [  201.343209]  [&lt;     inline     &gt;] __dump_stack lib/dump_stack.c:15
 &lt;IRQ&gt; [  201.343209]  [&lt;ffffffff81f96aba&gt;] dump_stack+0x292/0x398 lib/dump_stack.c:51
 [&lt;ffffffff817e4dec&gt;] kasan_object_err+0x1c/0x70 mm/kasan/report.c:159
 [&lt;     inline     &gt;] print_address_description mm/kasan/report.c:197
 [&lt;ffffffff817e5080&gt;] kasan_report_error+0x1f0/0x4e0 mm/kasan/report.c:286
 [&lt;     inline     &gt;] kasan_report mm/kasan/report.c:306
 [&lt;ffffffff817e562a&gt;] __asan_report_load_n_noabort+0x3a/0x40 mm/kasan/report.c:337
 [&lt;     inline     &gt;] config_buf drivers/usb/gadget/legacy/inode.c:1298
 [&lt;ffffffff8322c8fa&gt;] gadgetfs_setup+0x208a/0x20e0 drivers/usb/gadget/legacy/inode.c:1368
 [&lt;ffffffff830fdcd0&gt;] dummy_timer+0x11f0/0x36d0 drivers/usb/gadget/udc/dummy_hcd.c:1858
 [&lt;ffffffff814807c1&gt;] call_timer_fn+0x241/0x800 kernel/time/timer.c:1308
 [&lt;     inline     &gt;] expire_timers kernel/time/timer.c:1348
 [&lt;ffffffff81482de6&gt;] __run_timers+0xa06/0xec0 kernel/time/timer.c:1641
 [&lt;ffffffff814832c1&gt;] run_timer_softirq+0x21/0x80 kernel/time/timer.c:1654
 [&lt;ffffffff84f4af8b&gt;] __do_softirq+0x2fb/0xb63 kernel/softirq.c:284

The cause of the bug is subtle.  The dev_config() routine gets called
twice by the fuzzer.  The first time, the user data contains both a
full-speed configuration descriptor and a high-speed config
descriptor, causing dev-&gt;hs_config to be set.  But it also contains an
invalid device descriptor, so the buffer containing the descriptors is
deallocated and dev_config() returns an error.

The second time dev_config() is called, the user data contains only a
full-speed config descriptor.  But dev-&gt;hs_config still has the stale
pointer remaining from the first call, causing the routine to think
that there is a valid high-speed config.  Later on, when the driver
dereferences the stale pointer to copy that descriptor, we get a
use-after-free access.

The fix is simple: Clear dev-&gt;hs_config if the passed-in data does not
contain a high-speed config descriptor.

Signed-off-by: Alan Stern &lt;stern@rowland.harvard.edu&gt;
Reported-by: Andrey Konovalov &lt;andreyknvl@google.com&gt;
Tested-by: Andrey Konovalov &lt;andreyknvl@google.com&gt;
Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;

</content>
</entry>
<entry>
<title>USB: gadgetfs: fix unbounded memory allocation bug</title>
<updated>2017-01-26T16:39:25+00:00</updated>
<author>
<name>Alan Stern</name>
<email>stern@rowland.harvard.edu</email>
</author>
<published>2016-12-09T20:17:46+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=68613ff444e2652aa77f2f27c9476a831c4ddb89'/>
<id>68613ff444e2652aa77f2f27c9476a831c4ddb89</id>
<content type='text'>
commit faab50984fe6636e616c7cc3d30308ba391d36fd upstream.

Andrey Konovalov reports that fuzz testing with syzkaller causes a
KASAN warning in gadgetfs:

BUG: KASAN: slab-out-of-bounds in dev_config+0x86f/0x1190 at addr ffff88003c47e160
Write of size 65537 by task syz-executor0/6356
CPU: 3 PID: 6356 Comm: syz-executor0 Not tainted 4.9.0-rc7+ #19
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 ffff88003c107ad8 ffffffff81f96aba ffffffff3dc11ef0 1ffff10007820eee
 ffffed0007820ee6 ffff88003dc11f00 0000000041b58ab3 ffffffff8598b4c8
 ffffffff81f96828 ffffffff813fb4a0 ffff88003b6eadc0 ffff88003c107738
Call Trace:
 [&lt;     inline     &gt;] __dump_stack lib/dump_stack.c:15
 [&lt;ffffffff81f96aba&gt;] dump_stack+0x292/0x398 lib/dump_stack.c:51
 [&lt;ffffffff817e4dec&gt;] kasan_object_err+0x1c/0x70 mm/kasan/report.c:159
 [&lt;     inline     &gt;] print_address_description mm/kasan/report.c:197
 [&lt;ffffffff817e5080&gt;] kasan_report_error+0x1f0/0x4e0 mm/kasan/report.c:286
 [&lt;ffffffff817e5705&gt;] kasan_report+0x35/0x40 mm/kasan/report.c:306
 [&lt;     inline     &gt;] check_memory_region_inline mm/kasan/kasan.c:308
 [&lt;ffffffff817e3fb9&gt;] check_memory_region+0x139/0x190 mm/kasan/kasan.c:315
 [&lt;ffffffff817e4044&gt;] kasan_check_write+0x14/0x20 mm/kasan/kasan.c:326
 [&lt;     inline     &gt;] copy_from_user arch/x86/include/asm/uaccess.h:689
 [&lt;     inline     &gt;] ep0_write drivers/usb/gadget/legacy/inode.c:1135
 [&lt;ffffffff83228caf&gt;] dev_config+0x86f/0x1190 drivers/usb/gadget/legacy/inode.c:1759
 [&lt;ffffffff817fdd55&gt;] __vfs_write+0x5d5/0x760 fs/read_write.c:510
 [&lt;ffffffff817ff650&gt;] vfs_write+0x170/0x4e0 fs/read_write.c:560
 [&lt;     inline     &gt;] SYSC_write fs/read_write.c:607
 [&lt;ffffffff81803a5b&gt;] SyS_write+0xfb/0x230 fs/read_write.c:599
 [&lt;ffffffff84f47ec1&gt;] entry_SYSCALL_64_fastpath+0x1f/0xc2

Indeed, there is a comment saying that the value of len is restricted
to a 16-bit integer, but the code doesn't actually do this.

This patch fixes the warning.  It replaces the comment with a
computation that forces the amount of data copied from the user in
ep0_write() to be no larger than the wLength size for the control
transfer, which is a 16-bit quantity.

Signed-off-by: Alan Stern &lt;stern@rowland.harvard.edu&gt;
Reported-by: Andrey Konovalov &lt;andreyknvl@google.com&gt;
Tested-by: Andrey Konovalov &lt;andreyknvl@google.com&gt;
Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;

</content>
</entry>
<entry>
<title>usb: gadgetfs: restrict upper bound on device configuration size</title>
<updated>2017-01-26T16:39:24+00:00</updated>
<author>
<name>Greg Kroah-Hartman</name>
<email>gregkh@linuxfoundation.org</email>
</author>
<published>2016-12-06T07:36:29+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=edac17655c94b1c734b719e8e077951293c60277'/>
<id>edac17655c94b1c734b719e8e077951293c60277</id>
<content type='text'>
commit 0994b0a257557e18ee8f0b7c5f0f73fe2b54eec1 upstream.

Andrey Konovalov reported that we were not properly checking the upper
limit of a device configuration size before calling
memdup_user(), which could cause some problems.

So set the upper limit to PAGE_SIZE * 4, which should be good enough for
all devices.

Reported-by: Andrey Konovalov &lt;andreyknvl@google.com&gt;
Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;

</content>
</entry>
<entry>
<title>usb: gadget: composite: correctly initialize ep-&gt;maxpacket</title>
<updated>2017-01-26T16:22:26+00:00</updated>
<author>
<name>Felipe Balbi</name>
<email>felipe.balbi@linux.intel.com</email>
</author>
<published>2016-09-28T07:38:11+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=bc87609a9b18ddfd4f6aa1060a61b704042d4076'/>
<id>bc87609a9b18ddfd4f6aa1060a61b704042d4076</id>
<content type='text'>
commit e8f29bb719b47a234f33b0af62974d7a9521a52c upstream.

usb_endpoint_maxp() returns wMaxPacketSize in its
raw form, without taking into consideration that it
also contains other bits reserved for isochronous
endpoints.

This patch fixes one occasion where this is a
problem by making sure that we initialize
ep-&gt;maxpacket only with lower 10 bits of the value
returned by usb_endpoint_maxp(). Note that separate
patches will be necessary to audit all call sites of
usb_endpoint_maxp() and make sure that
usb_endpoint_maxp() only returns lower 10 bits of
wMaxPacketSize.

Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;

</content>
</entry>
<entry>
<title>usb: gadget: u_ether: remove interrupt throttling</title>
<updated>2016-11-24T15:23:46+00:00</updated>
<author>
<name>Felipe Balbi</name>
<email>felipe.balbi@linux.intel.com</email>
</author>
<published>2016-11-01T11:20:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=64839139c65f84f0573cfd38fbfe04b63b978c7b'/>
<id>64839139c65f84f0573cfd38fbfe04b63b978c7b</id>
<content type='text'>
commit fd9afd3cbe404998d732be6cc798f749597c5114 upstream.

According to Dave Miller "the networking stack has a
hard requirement that all SKBs which are transmitted
must have their completion signalled in a finite
amount of time. This is because, until the SKB is
freed by the driver, it holds onto socket,
netfilter, and other subsystem resources."

In summary, this means that using TX IRQ throttling
for the networking gadgets is, at least, complex and
we should avoid it for the time being.

Reported-by: Ville Syrjälä &lt;ville.syrjala@linux.intel.com&gt;
Tested-by: Ville Syrjälä &lt;ville.syrjala@linux.intel.com&gt;
Suggested-by: David Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Felipe Balbi &lt;felipe.balbi@linux.intel.com&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;

</content>
</entry>
</feed>
