linux-stable.git/drivers/usb/misc, branch v4.7.7 Linux kernel stable tree usb: misc: legousbtower: Fix NULL pointer deference 2016-10-07T13:21:27+00:00 Greg Kroah-Hartman gregkh@linuxfoundation.org 2016-09-19T18:09:51+00:00 03f8e90de1365975ea21fee41b0c16f558c466a8 commit 2fae9e5a7babada041e2e161699ade2447a01989 upstream. This patch fixes a NULL pointer dereference caused by a race codition in the probe function of the legousbtower driver. It re-structures the probe function to only register the interface after successfully reading the board's firmware ID. The probe function does not deregister the usb interface after an error receiving the devices firmware ID. The device file registered (/dev/usb/legousbtower%d) may be read/written globally before the probe function returns. When tower_delete is called in the probe function (after an r/w has been initiated), core dev structures are deleted while the file operation functions are still running. If the 0 address is mappable on the machine, this vulnerability can be used to create a Local Priviege Escalation exploit via a write-what-where condition by remapping dev->interrupt_out_buffer in tower_write. A forged USB device and local program execution would be required for LPE. The USB device would have to delay the control message in tower_probe and accept the control urb in tower_open whilst guest code initiated a write to the device file as tower_delete is called from the error in tower_probe. This bug has existed since 2003. Patch tested by emulated device. Reported-by: James Patrick-Evans <james@jmp-e.com> Tested-by: James Patrick-Evans <james@jmp-e.com> Signed-off-by: James Patrick-Evans <james@jmp-e.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit 2fae9e5a7babada041e2e161699ade2447a01989 upstream.

This patch fixes a NULL pointer dereference caused by a race codition in
the probe function of the legousbtower driver. It re-structures the
probe function to only register the interface after successfully reading
the board's firmware ID.

The probe function does not deregister the usb interface after an error
receiving the devices firmware ID. The device file registered
(/dev/usb/legousbtower%d) may be read/written globally before the probe
function returns. When tower_delete is called in the probe function
(after an r/w has been initiated), core dev structures are deleted while
the file operation functions are still running. If the 0 address is
mappable on the machine, this vulnerability can be used to create a
Local Priviege Escalation exploit via a write-what-where condition by
remapping dev->interrupt_out_buffer in tower_write. A forged USB device
and local program execution would be required for LPE. The USB device
would have to delay the control message in tower_probe and accept
the control urb in tower_open whilst guest code initiated a write to the
device file as tower_delete is called from the error in tower_probe.

This bug has existed since 2003. Patch tested by emulated device.

Reported-by: James Patrick-Evans <james@jmp-e.com>
Tested-by: James Patrick-Evans <james@jmp-e.com>
Signed-off-by: James Patrick-Evans <james@jmp-e.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
usb: misc: usbtest: usbtest_do_ioctl may return positive integer 2016-09-07T06:34:45+00:00 Peter Chen peter.chen@nxp.com 2016-07-26T08:01:30+00:00 e1832e0059dfdf08fa893856f44da615c128764f commit 528d28138f91009f230903bd89ccd44719667831 upstream. For case 14 and case 21, their correct return value is the number of bytes transferred, so it is a positive integer. But in usbtest_ioctl, it takes non-zero as false return value for usbtest_do_ioctl, so it will treat the correct test as wrong test, then the time on tests will be the minus value. Signed-off-by: Peter Chen <peter.chen@nxp.com> Fixes: 18fc4ebdc705 ("usb: misc: usbtest: Remove timeval usage") Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit 528d28138f91009f230903bd89ccd44719667831 upstream.

For case 14 and case 21, their correct return value is the number
of bytes transferred, so it is a positive integer. But in usbtest_ioctl,
it takes non-zero as false return value for usbtest_do_ioctl, so
it will treat the correct test as wrong test, then the time on
tests will be the minus value.

Signed-off-by: Peter Chen <peter.chen@nxp.com>
Fixes: 18fc4ebdc705 ("usb: misc: usbtest: Remove timeval usage")
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
usb: misc: usbtest: add fix for driver hang 2016-09-07T06:34:45+00:00 Lu Baolu baolu.lu@linux.intel.com 2016-08-11T02:31:14+00:00 8ea2706a2a5fa8c1c9fb4b8a1d47c16200369897 commit 539587511835ea12d8daa444cbed766cf2bc3612 upstream. In sg_timeout(), req->status is set to "-ETIMEDOUT" before calling into usb_sg_cancel(). usb_sg_cancel() will do nothing and return directly if req->status has been set to a non-zero value. This will cause driver hang whenever transfer time out is triggered. This patch fixes this issue. It could be backported to stable kernel with version later than v3.15. Cc: Alan Stern <stern@rowland.harvard.edu> Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com> Suggested-by: Alan Stern <stern@rowland.harvard.edu> Acked-by: Alan Stern <stern@rowland.harvard.edu> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit 539587511835ea12d8daa444cbed766cf2bc3612 upstream.

In sg_timeout(), req->status is set to "-ETIMEDOUT" before calling
into usb_sg_cancel(). usb_sg_cancel() will do nothing and return
directly if req->status has been set to a non-zero value. This will
cause driver hang whenever transfer time out is triggered.

This patch fixes this issue. It could be backported to stable kernel
with version later than v3.15.

Cc: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
Suggested-by: Alan Stern <stern@rowland.harvard.edu>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Merge tag 'usb-4.7-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb 2016-05-21T04:12:25+00:00 Linus Torvalds torvalds@linux-foundation.org 2016-05-21T04:12:25+00:00 19e36ad292ab24980db64a5ff17973d3118a8fb9 Pull USB updates from Greg KH: "Here's the big pull request for USB and PHY drivers for 4.7-rc1 Full details in the shortlog, but it's the normal major gadget driver updates, phy updates, new usbip code, as well as a bit of lots of other stuff. All have been in linux-next with no reported issues" * tag 'usb-4.7-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: (164 commits) USB: serial: ti_usb_3410_5052: add MOXA UPORT 11x0 support USB: serial: fix minor-number allocation USB: serial: quatech2: fix use-after-free in probe error path USB: serial: mxuport: fix use-after-free in probe error path USB: serial: keyspan: fix debug and error messages USB: serial: keyspan: fix URB unlink USB: serial: keyspan: fix use-after-free in probe error path USB: serial: io_edgeport: fix memory leaks in probe error path USB: serial: io_edgeport: fix memory leaks in attach error path usb: Remove unnecessary space before operator ','. usb: Remove unnecessary space before open square bracket. USB: FHCI: avoid redundant condition usb: host: xhci-rcar: Avoid long wait in xhci_reset() usb/host/fotg210: remove dead code in create_sysfs_files usb: wusbcore: Do not initialise statics to 0. usb: wusbcore: Remove space before ',' and '(' . USB: serial: cp210x: clean up CRTSCTS flag code USB: serial: cp210x: get rid of magic numbers in CRTSCTS flag code USB: serial: cp210x: fix hardware flow-control disable USB: serial: option: add even more ZTE device ids ... 
Pull USB updates from Greg KH:
 "Here's the big pull request for USB and PHY drivers for 4.7-rc1

  Full details in the shortlog, but it's the normal major gadget driver
  updates, phy updates, new usbip code, as well as a bit of lots of
  other stuff.

  All have been in linux-next with no reported issues"

* tag 'usb-4.7-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: (164 commits)
  USB: serial: ti_usb_3410_5052: add MOXA UPORT 11x0 support
  USB: serial: fix minor-number allocation
  USB: serial: quatech2: fix use-after-free in probe error path
  USB: serial: mxuport: fix use-after-free in probe error path
  USB: serial: keyspan: fix debug and error messages
  USB: serial: keyspan: fix URB unlink
  USB: serial: keyspan: fix use-after-free in probe error path
  USB: serial: io_edgeport: fix memory leaks in probe error path
  USB: serial: io_edgeport: fix memory leaks in attach error path
  usb: Remove unnecessary space before operator ','.
  usb: Remove unnecessary space before open square bracket.
  USB: FHCI: avoid redundant condition
  usb: host: xhci-rcar: Avoid long wait in xhci_reset()
  usb/host/fotg210: remove dead code in create_sysfs_files
  usb: wusbcore: Do not initialise statics to 0.
  usb: wusbcore: Remove space before ',' and '(' .
  USB: serial: cp210x: clean up CRTSCTS flag code
  USB: serial: cp210x: get rid of magic numbers in CRTSCTS flag code
  USB: serial: cp210x: fix hardware flow-control disable
  USB: serial: option: add even more ZTE device ids
  ...
sisusbvga: correct speed testing 2016-05-03T21:32:07+00:00 Oliver Neukum oneukum@suse.com 2016-05-02T11:09:30+00:00 88a0044e6c99a2182e46d56fb8613716b2dc8f3d Allow for SS+ Signed-off-by: Oliver Neukum <ONeukum@suse.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
Allow for SS+

Signed-off-by: Oliver Neukum <ONeukum@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
usb: misc: usbtest: fix pattern tests for scatterlists. 2016-05-03T21:32:07+00:00 Mathias Nyman mathias.nyman@linux.intel.com 2016-05-02T08:39:03+00:00 cdc77c82a8286b1181b81b6e5ef60c8e83ded7bc The current implemenentation restart the sent pattern for each entry in the sg list. The receiving end expects a continuous pattern, and test will fail unless scatterilst entries happen to be aligned with the pattern Fix this by calculating the pattern byte based on total sent size instead of just the current sg entry. Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com> Fixes: 8b5249019352 ("[PATCH] USB: usbtest: scatterlist OUT data pattern testing") Cc: <stable@vger.kernel.org> # v2.6.18+ Acked-by: Felipe Balbi <felipe.balbi@linux.intel.com> Acked-by: Alan Stern <stern@rowland.harvard.edu> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
The current implemenentation restart the sent pattern for each entry in
the sg list. The receiving end expects a continuous pattern, and test
will fail unless scatterilst entries happen to be aligned with the
pattern

Fix this by calculating the pattern byte based on total sent size
instead of just the current sg entry.

Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Fixes: 8b5249019352 ("[PATCH] USB: usbtest: scatterlist OUT data pattern testing")
Cc: <stable@vger.kernel.org> # v2.6.18+
Acked-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
tty: vt, make color_table const 2016-04-30T16:26:55+00:00 Jiri Slaby jslaby@suse.cz 2016-03-31T08:08:16+00:00 8ede5cce4f0baff77ef63aa3cb3afc65d0317e0b This means all ->con_set_palette have to have the second parameter const too now. Signed-off-by: Jiri Slaby <jslaby@suse.cz> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
This means all ->con_set_palette have to have the second parameter
const too now.

Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
usb: Add driver for UCSI 2016-04-29T22:29:18+00:00 Heikki Krogerus heikki.krogerus@linux.intel.com 2016-04-21T12:43:40+00:00 0c1849a8c7af652c92ad0265a7ca5934fd773c69 USB Type-C Connector System Software Interface (UCSI) is specification that defines the registers and data structures that can be used to control USB Type-C ports on a system. UCSI is used on several Intel Broxton SoC based platforms. Things that UCSI can be used to control include at least USB Data Role swapping, Power Role swapping and controlling of Alternate Modes on top of providing general details about the port and the partners that are attached to it. The initial purpose of the UCSI driver is to make sure USB is in host mode on desktop and server systems that are USB dual role capable, and provide UCSI interface. The goal is to integrate the driver later to an USB Type-C framework for Linux kernel, and at the same time add support for more extensive USB Type-C port control that UCSI offers, for example data role swapping, power role swapping, Alternate Mode control etc. The UCSI specification is public can be obtained from here: http://www.intel.com/content/www/us/en/io/universal-serial-bus/usb-type-c-ucsi-spec.html Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
USB Type-C Connector System Software Interface (UCSI) is
specification that defines the registers and data structures
that can be used to control USB Type-C ports on a system.
UCSI is used on several Intel Broxton SoC based platforms.
Things that UCSI can be used to control include at least USB
Data Role swapping, Power Role swapping and controlling of
Alternate Modes on top of providing general details about
the port and the partners that are attached to it.

The initial purpose of the UCSI driver is to make sure USB
is in host mode on desktop and server systems that are USB
dual role capable, and provide UCSI interface.

The goal is to integrate the driver later to an USB Type-C
framework for Linux kernel, and at the same time add support
for more extensive USB Type-C port control that UCSI offers,
for example data role swapping, power role swapping,
Alternate Mode control etc.

The UCSI specification is public can be obtained from here:
http://www.intel.com/content/www/us/en/io/universal-serial-bus/usb-type-c-ucsi-spec.html

Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
usb: misc: usbtest: fix error of urb allocation 2016-04-28T19:35:36+00:00 Chunfeng Yun chunfeng.yun@mediatek.com 2016-04-28T03:42:21+00:00 26186e5f2c1a6d1c244a3052f02e46ae29d823f2 urb allocation will fail when usbtest_alloc_urb() tries to allocate zero length buffer, but it doesn't need it in fact, so just skips buffer allocation in the case. Signed-off-by: Chunfeng Yun <chunfeng.yun@mediatek.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
urb allocation will fail when usbtest_alloc_urb() tries to
allocate zero length buffer, but it doesn't need it in fact,
so just skips buffer allocation in the case.

Signed-off-by: Chunfeng Yun <chunfeng.yun@mediatek.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
USB: iowarrior: fix oops with malicious USB descriptors 2016-03-18T16:19:02+00:00 Josh Boyer jwboyer@fedoraproject.org 2016-03-14T14:42:38+00:00 4ec0ef3a82125efc36173062a50624550a900ae0 The iowarrior driver expects at least one valid endpoint. If given malicious descriptors that specify 0 for the number of endpoints, it will crash in the probe function. Ensure there is at least one endpoint on the interface before using it. The full report of this issue can be found here: http://seclists.org/bugtraq/2016/Mar/87 Reported-by: Ralf Spenneberg <ralf@spenneberg.net> Cc: stable <stable@vger.kernel.org> Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
The iowarrior driver expects at least one valid endpoint.  If given
malicious descriptors that specify 0 for the number of endpoints,
it will crash in the probe function.  Ensure there is at least
one endpoint on the interface before using it.

The full report of this issue can be found here:
http://seclists.org/bugtraq/2016/Mar/87

Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>