linux-stable.git/drivers/usb/misc, branch v4.4.56 Linux kernel stable tree USB: iowarrior: fix NULL-deref in write 2017-03-18T11:09:58+00:00 Johan Hovold johan@kernel.org 2017-03-07T15:11:04+00:00 6498086195b9d6939293d35e93b804228158eb7f commit de46e56653de7b3b54baa625bd582635008b8d05 upstream. Make sure to verify that we have the required interrupt-out endpoint for IOWarrior56 devices to avoid dereferencing a NULL-pointer in write should a malicious device lack such an endpoint. Fixes: 946b960d13c1 ("USB: add driver for iowarrior devices.") Signed-off-by: Johan Hovold <johan@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit de46e56653de7b3b54baa625bd582635008b8d05 upstream.

Make sure to verify that we have the required interrupt-out endpoint for
IOWarrior56 devices to avoid dereferencing a NULL-pointer in write
should a malicious device lack such an endpoint.

Fixes: 946b960d13c1 ("USB: add driver for iowarrior devices.")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
USB: iowarrior: fix NULL-deref at probe 2017-03-18T11:09:58+00:00 Johan Hovold johan@kernel.org 2017-03-07T15:11:03+00:00 179295c38d23874357ca75af104fd6f1fe769cfd commit b7321e81fc369abe353cf094d4f0dc2fe11ab95f upstream. Make sure to check for the required interrupt-in endpoint to avoid dereferencing a NULL-pointer should a malicious device lack such an endpoint. Note that a fairly recent change purported to fix this issue, but added an insufficient test on the number of endpoints only, a test which can now be removed. Fixes: 4ec0ef3a8212 ("USB: iowarrior: fix oops with malicious USB descriptors") Fixes: 946b960d13c1 ("USB: add driver for iowarrior devices.") Signed-off-by: Johan Hovold <johan@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit b7321e81fc369abe353cf094d4f0dc2fe11ab95f upstream.

Make sure to check for the required interrupt-in endpoint to avoid
dereferencing a NULL-pointer should a malicious device lack such an
endpoint.

Note that a fairly recent change purported to fix this issue, but added
an insufficient test on the number of endpoints only, a test which can
now be removed.

Fixes: 4ec0ef3a8212 ("USB: iowarrior: fix oops with malicious USB descriptors")
Fixes: 946b960d13c1 ("USB: add driver for iowarrior devices.")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
usb: misc: legousbtower: Fix NULL pointer deference 2016-10-07T13:23:47+00:00 Greg Kroah-Hartman gregkh@linuxfoundation.org 2016-09-19T18:09:51+00:00 62dd9cf78b280c8cd08162f8c4a490fb76deeb23 commit 2fae9e5a7babada041e2e161699ade2447a01989 upstream. This patch fixes a NULL pointer dereference caused by a race codition in the probe function of the legousbtower driver. It re-structures the probe function to only register the interface after successfully reading the board's firmware ID. The probe function does not deregister the usb interface after an error receiving the devices firmware ID. The device file registered (/dev/usb/legousbtower%d) may be read/written globally before the probe function returns. When tower_delete is called in the probe function (after an r/w has been initiated), core dev structures are deleted while the file operation functions are still running. If the 0 address is mappable on the machine, this vulnerability can be used to create a Local Priviege Escalation exploit via a write-what-where condition by remapping dev->interrupt_out_buffer in tower_write. A forged USB device and local program execution would be required for LPE. The USB device would have to delay the control message in tower_probe and accept the control urb in tower_open whilst guest code initiated a write to the device file as tower_delete is called from the error in tower_probe. This bug has existed since 2003. Patch tested by emulated device. Reported-by: James Patrick-Evans <james@jmp-e.com> Tested-by: James Patrick-Evans <james@jmp-e.com> Signed-off-by: James Patrick-Evans <james@jmp-e.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit 2fae9e5a7babada041e2e161699ade2447a01989 upstream.

This patch fixes a NULL pointer dereference caused by a race codition in
the probe function of the legousbtower driver. It re-structures the
probe function to only register the interface after successfully reading
the board's firmware ID.

The probe function does not deregister the usb interface after an error
receiving the devices firmware ID. The device file registered
(/dev/usb/legousbtower%d) may be read/written globally before the probe
function returns. When tower_delete is called in the probe function
(after an r/w has been initiated), core dev structures are deleted while
the file operation functions are still running. If the 0 address is
mappable on the machine, this vulnerability can be used to create a
Local Priviege Escalation exploit via a write-what-where condition by
remapping dev->interrupt_out_buffer in tower_write. A forged USB device
and local program execution would be required for LPE. The USB device
would have to delay the control message in tower_probe and accept
the control urb in tower_open whilst guest code initiated a write to the
device file as tower_delete is called from the error in tower_probe.

This bug has existed since 2003. Patch tested by emulated device.

Reported-by: James Patrick-Evans <james@jmp-e.com>
Tested-by: James Patrick-Evans <james@jmp-e.com>
Signed-off-by: James Patrick-Evans <james@jmp-e.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
usb: misc: usbtest: add fix for driver hang 2016-09-07T06:32:38+00:00 Lu Baolu baolu.lu@linux.intel.com 2016-08-11T02:31:14+00:00 97b23f9de12f36cd8f50201f4572bf80cdc6becf commit 539587511835ea12d8daa444cbed766cf2bc3612 upstream. In sg_timeout(), req->status is set to "-ETIMEDOUT" before calling into usb_sg_cancel(). usb_sg_cancel() will do nothing and return directly if req->status has been set to a non-zero value. This will cause driver hang whenever transfer time out is triggered. This patch fixes this issue. It could be backported to stable kernel with version later than v3.15. Cc: Alan Stern <stern@rowland.harvard.edu> Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com> Suggested-by: Alan Stern <stern@rowland.harvard.edu> Acked-by: Alan Stern <stern@rowland.harvard.edu> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit 539587511835ea12d8daa444cbed766cf2bc3612 upstream.

In sg_timeout(), req->status is set to "-ETIMEDOUT" before calling
into usb_sg_cancel(). usb_sg_cancel() will do nothing and return
directly if req->status has been set to a non-zero value. This will
cause driver hang whenever transfer time out is triggered.

This patch fixes this issue. It could be backported to stable kernel
with version later than v3.15.

Cc: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
Suggested-by: Alan Stern <stern@rowland.harvard.edu>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
usb: misc: usbtest: fix pattern tests for scatterlists. 2016-06-01T19:15:51+00:00 Mathias Nyman mathias.nyman@linux.intel.com 2016-05-02T08:39:03+00:00 e3a037a5b851f808883b7bc6c192195635dcb758 commit cdc77c82a8286b1181b81b6e5ef60c8e83ded7bc upstream. The current implemenentation restart the sent pattern for each entry in the sg list. The receiving end expects a continuous pattern, and test will fail unless scatterilst entries happen to be aligned with the pattern Fix this by calculating the pattern byte based on total sent size instead of just the current sg entry. Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com> Fixes: 8b5249019352 ("[PATCH] USB: usbtest: scatterlist OUT data pattern testing") Acked-by: Felipe Balbi <felipe.balbi@linux.intel.com> Acked-by: Alan Stern <stern@rowland.harvard.edu> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit cdc77c82a8286b1181b81b6e5ef60c8e83ded7bc upstream.

The current implemenentation restart the sent pattern for each entry in
the sg list. The receiving end expects a continuous pattern, and test
will fail unless scatterilst entries happen to be aligned with the
pattern

Fix this by calculating the pattern byte based on total sent size
instead of just the current sg entry.

Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Fixes: 8b5249019352 ("[PATCH] USB: usbtest: scatterlist OUT data pattern testing")
Acked-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
USB: iowarrior: fix oops with malicious USB descriptors 2016-04-12T16:08:41+00:00 Josh Boyer jwboyer@fedoraproject.org 2016-03-14T14:42:38+00:00 850631bedd3cb7f79cb32a456c9ad3a5f6e1d1f3 commit 4ec0ef3a82125efc36173062a50624550a900ae0 upstream. The iowarrior driver expects at least one valid endpoint. If given malicious descriptors that specify 0 for the number of endpoints, it will crash in the probe function. Ensure there is at least one endpoint on the interface before using it. The full report of this issue can be found here: http://seclists.org/bugtraq/2016/Mar/87 Reported-by: Ralf Spenneberg <ralf@spenneberg.net> Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit 4ec0ef3a82125efc36173062a50624550a900ae0 upstream.

The iowarrior driver expects at least one valid endpoint.  If given
malicious descriptors that specify 0 for the number of endpoints,
it will crash in the probe function.  Ensure there is at least
one endpoint on the interface before using it.

The full report of this issue can be found here:
http://seclists.org/bugtraq/2016/Mar/87

Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
usb: misc: usb3503: Use i2c_add_driver helper macro 2015-10-25T02:53:53+00:00 Andrew F. Davis afd@ti.com 2015-10-22T19:11:11+00:00 aa5b477db5826e9922c4fe78ccf53fb2df039367 Use i2c_add_driver as it will add THIS_MODULE for us. Signed-off-by: Andrew F. Davis <afd@ti.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
Use i2c_add_driver as it will add THIS_MODULE for us.

Signed-off-by: Andrew F. Davis <afd@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Merge tag 'usb-for-v4.4' of git://git.kernel.org/pub/scm/linux/kernel/git/balbi/usb into usb-next 2015-10-23T00:19:33+00:00 Greg Kroah-Hartman gregkh@linuxfoundation.org 2015-10-23T00:19:33+00:00 a4d8e93c3182a54d8d21a4d1cec6538ae1be9e16 Felipe writes: usb: patches for v4.4 merge window This pull request is large with a total of 136 non-merge commits. Because of its size, we will only describe the big things in broad terms. Many will be happy to know that dwc3 is now almost twice as fast after some profiling and speed improvements. Also in dwc3, John Youn from Synopsys added support for their new DWC USB3.1 IP Core and the HAPS platform which can be used to validate it. A series of patches from Robert Baldyga cleaned up uses of ep->driver_data as a flag for "claimed endpoint" in favor of the new ep->claimed flag. Sudip Mukherjee fixed a ton of really old problems on the amd5536udc driver. That should make a few people happy. Heikki Krogerus worked on converting dwc3 to the unified device property interface. Together with these, there's a ton of non-critical fixes, typos and stuff like that. Signed-off-by: Felipe Balbi <balbi@ti.com> 
Felipe writes:

usb: patches for v4.4 merge window

This pull request is large with a total of 136 non-merge
commits. Because of its size, we will only describe the big things in
broad terms.

Many will be happy to know that dwc3 is now almost twice as fast after
some profiling and speed improvements. Also in dwc3, John Youn from
Synopsys added support for their new DWC USB3.1 IP Core and the HAPS
platform which can be used to validate it.

A series of patches from Robert Baldyga cleaned up uses of
ep->driver_data as a flag for "claimed endpoint" in favor of the new
ep->claimed flag.

Sudip Mukherjee fixed a ton of really old problems on the amd5536udc
driver. That should make a few people happy.

Heikki Krogerus worked on converting dwc3 to the unified device property
interface.

Together with these, there's a ton of non-critical fixes, typos and
stuff like that.

Signed-off-by: Felipe Balbi <balbi@ti.com>
usb: misc: usbtest: add bulk queue test 2015-10-13T18:19:49+00:00 Peter Chen peter.chen@freescale.com 2015-10-13T07:18:21+00:00 145f48c518edb945ea5b689a1d21052597f9d64b The bulk queue tests are used to show 'best performance' for bulk transfer, we are often asked this question by users. The implementation is the same with iso test, that is queue request at interrupt completion, so we reuse the iso structures, and rename them as common one. It's result should be very close to IC simulation, in order to get that, the device side should also need to prepare enough queue. We have got the 'best performance' (IN: 41MB, OUT: 39MB) at i.mx platform (USB2, ARM Cortex A9, stream mode need to enable) with below command: Host side: modprobe usbtest ./testusb -a -t 27 -g 64 -s 16384 ./testusb -a -t 28 -g 64 -s 16384 Gadget side: modprobe g_zero loopdefault=1 qlen=64 buflen=16384 Signed-off-by: Peter Chen <peter.chen@freescale.com> Cc: Greg KH <gregkh@linuxfoundation.org> Cc: Alan Stern <stern@rowland.harvard.edu> Signed-off-by: Felipe Balbi <balbi@ti.com> 
The bulk queue tests are used to show 'best performance' for bulk
transfer, we are often asked this question by users. The implementation
is the same with iso test, that is queue request at interrupt completion,
so we reuse the iso structures, and rename them as common one.

It's result should be very close to IC simulation, in order
to get that, the device side should also need to prepare enough
queue.

We have got the 'best performance' (IN: 41MB, OUT: 39MB) at i.mx platform
(USB2, ARM Cortex A9, stream mode need to enable) with below command:

Host side:
modprobe usbtest
./testusb -a -t 27 -g 64 -s 16384
./testusb -a -t 28 -g 64 -s 16384
Gadget side:
modprobe g_zero loopdefault=1 qlen=64 buflen=16384

Signed-off-by: Peter Chen <peter.chen@freescale.com>
Cc: Greg KH <gregkh@linuxfoundation.org>
Cc: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Felipe Balbi <balbi@ti.com>
USB: chaoskey read offset bug 2015-10-04T10:01:13+00:00 Alexander Inyukhin shurick@sectorb.msk.ru 2015-09-26T12:24:21+00:00 1d5c47f555c5ae050fad22e4a99f88856cae5d05 Rng reads in chaoskey driver could return the same data under the certain conditions. Signed-off-by: Alexander Inyukhin <shurick@sectorb.msk.ru> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
Rng reads in chaoskey driver could return the same data under
the certain conditions.

Signed-off-by: Alexander Inyukhin <shurick@sectorb.msk.ru>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>