<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/drivers/usb/wusbcore, branch linux-3.12.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>USB: wusbcore: fix NULL-deref at probe</title>
<updated>2017-04-07T08:38:26+00:00</updated>
<author>
<name>Johan Hovold</name>
<email>johan@kernel.org</email>
</author>
<published>2017-03-13T12:47:51+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=84eeabc2289c82b471e4c9932f0741570673fb41'/>
<id>84eeabc2289c82b471e4c9932f0741570673fb41</id>
<content type='text'>
commit 03ace948a4eb89d1cf51c06afdfc41ebca5fdb27 upstream.

Make sure to check the number of endpoints to avoid dereferencing a
NULL-pointer or accessing memory beyond the endpoint array should a
malicious device lack the expected endpoints.

This specifically fixes the NULL-pointer dereference when probing HWA HC
devices.

Fixes: df3654236e31 ("wusb: add the Wire Adapter (WA) core")
Cc: Inaky Perez-Gonzalez &lt;inaky.perez-gonzalez@intel.com&gt;
Cc: David Vrabel &lt;david.vrabel@csr.com&gt;
Signed-off-by: Johan Hovold &lt;johan@kernel.org&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 03ace948a4eb89d1cf51c06afdfc41ebca5fdb27 upstream.

Make sure to check the number of endpoints to avoid dereferencing a
NULL-pointer or accessing memory beyond the endpoint array should a
malicious device lack the expected endpoints.

This specifically fixes the NULL-pointer dereference when probing HWA HC
devices.

Fixes: df3654236e31 ("wusb: add the Wire Adapter (WA) core")
Cc: Inaky Perez-Gonzalez &lt;inaky.perez-gonzalez@intel.com&gt;
Cc: David Vrabel &lt;david.vrabel@csr.com&gt;
Signed-off-by: Johan Hovold &lt;johan@kernel.org&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>usb: wusbcore: change WA_SEGS_MAX to a legal value</title>
<updated>2013-12-08T15:29:16+00:00</updated>
<author>
<name>Thomas Pugliese</name>
<email>thomas.pugliese@gmail.com</email>
</author>
<published>2013-10-23T19:44:29+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=aafc56772e2156d2c28fe6ce072d115c0e34834e'/>
<id>aafc56772e2156d2c28fe6ce072d115c0e34834e</id>
<content type='text'>
commit f74b75e7f920c700636cccca669c7d16d12e9202 upstream.

change WA_SEGS_MAX to a number that is legal according to the WUSB
spec.

Signed-off-by: Thomas Pugliese &lt;thomas.pugliese@gmail.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;


</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit f74b75e7f920c700636cccca669c7d16d12e9202 upstream.

change WA_SEGS_MAX to a number that is legal according to the WUSB
spec.

Signed-off-by: Thomas Pugliese &lt;thomas.pugliese@gmail.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;


</pre>
</div>
</content>
</entry>
<entry>
<title>usb: wusbcore: set the RPIPE wMaxPacketSize value correctly</title>
<updated>2013-11-29T19:28:11+00:00</updated>
<author>
<name>Thomas Pugliese</name>
<email>thomas.pugliese@gmail.com</email>
</author>
<published>2013-10-23T19:44:26+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=76a8bf9e36c1aeec698190e2187bc2824b69c63b'/>
<id>76a8bf9e36c1aeec698190e2187bc2824b69c63b</id>
<content type='text'>
commit 7b6bc07ab554e929c85d51b3d5b26cf7f12c6a3b upstream.

For isochronous endpoints, set the RPIPE wMaxPacketSize value using
wOverTheAirPacketSize from the endpoint companion descriptor instead of
wMaxPacketSize from the normal endpoint descriptor.

Signed-off-by: Thomas Pugliese &lt;thomas.pugliese@gmail.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 7b6bc07ab554e929c85d51b3d5b26cf7f12c6a3b upstream.

For isochronous endpoints, set the RPIPE wMaxPacketSize value using
wOverTheAirPacketSize from the endpoint companion descriptor instead of
wMaxPacketSize from the normal endpoint descriptor.

Signed-off-by: Thomas Pugliese &lt;thomas.pugliese@gmail.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>Merge 3.11-rc6 into usb-next</title>
<updated>2013-08-19T03:33:01+00:00</updated>
<author>
<name>Greg Kroah-Hartman</name>
<email>gregkh@linuxfoundation.org</email>
</author>
<published>2013-08-19T03:33:01+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=bd479f293370d863953aba59130bcc7ae867dd10'/>
<id>bd479f293370d863953aba59130bcc7ae867dd10</id>
<content type='text'>
We want these USB fixes in this branch as well.

Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
We want these USB fixes in this branch as well.

Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>USB: WUSBCORE: Use usb_init_urb instead of creating the URB manually</title>
<updated>2013-08-16T00:36:27+00:00</updated>
<author>
<name>Thomas Pugliese</name>
<email>thomas.pugliese@gmail.com</email>
</author>
<published>2013-08-15T19:37:43+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=66591015d88d0b7fc88da79e2054830094ace4c9'/>
<id>66591015d88d0b7fc88da79e2054830094ace4c9</id>
<content type='text'>
In wa_seg_init, use usb_init_urb to init the URB object contained in the
transfer segment instead of initializing it manually.  Use kmalloc to
allocate the memory for segment instead of kzalloc and then use memset
to set the non-URB portion of the transfer segment struct to 0 since
that was already done by usb_init_urb.

Signed-off-by: Thomas Pugliese &lt;thomas.pugliese@gmail.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
In wa_seg_init, use usb_init_urb to init the URB object contained in the
transfer segment instead of initializing it manually.  Use kmalloc to
allocate the memory for segment instead of kzalloc and then use memset
to set the non-URB portion of the transfer segment struct to 0 since
that was already done by usb_init_urb.

Signed-off-by: Thomas Pugliese &lt;thomas.pugliese@gmail.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>USB: WUSBCORE: fix leak of urb in wa_xfer_destroy.</title>
<updated>2013-08-16T00:36:27+00:00</updated>
<author>
<name>Thomas Pugliese</name>
<email>thomas.pugliese@gmail.com</email>
</author>
<published>2013-08-15T19:37:42+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=79731cbd783d3693d4b84731e3cfc79b9f828170'/>
<id>79731cbd783d3693d4b84731e3cfc79b9f828170</id>
<content type='text'>
The check to free the URB was the opposite of the correct case.  This
patch removes the check altogether since the ptr will be NULL if the URB
was not allocated.  Also use usb_free_urb instead of usb_put_urb.

Signed-off-by: Thomas Pugliese &lt;thomas.pugliese@gmail.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The check to free the URB was the opposite of the correct case.  This
patch removes the check altogether since the ptr will be NULL if the URB
was not allocated.  Also use usb_free_urb instead of usb_put_urb.

Signed-off-by: Thomas Pugliese &lt;thomas.pugliese@gmail.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>USB: WUSBCORE: fix resource cleanup in error path in __wa_xfer_setup_segs</title>
<updated>2013-08-16T00:36:27+00:00</updated>
<author>
<name>Thomas Pugliese</name>
<email>thomas.pugliese@gmail.com</email>
</author>
<published>2013-08-15T19:37:41+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=11b1bf81bf68cab0ad7d7d4d08dbfb236d5cbcaa'/>
<id>11b1bf81bf68cab0ad7d7d4d08dbfb236d5cbcaa</id>
<content type='text'>
Use usb_free_urb instead of kfree in error path and point to the correct
URB.  Also remember to clean up the sg list for the URB if it was allocated.

Signed-off-by: Thomas Pugliese &lt;thomas.pugliese@gmail.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Use usb_free_urb instead of kfree in error path and point to the correct
URB.  Also remember to clean up the sg list for the URB if it was allocated.

Signed-off-by: Thomas Pugliese &lt;thomas.pugliese@gmail.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>USB: WUSBCORE: clear RPIPE stall for control endpoints</title>
<updated>2013-08-16T00:35:31+00:00</updated>
<author>
<name>Thomas Pugliese</name>
<email>thomas.pugliese@gmail.com</email>
</author>
<published>2013-08-15T17:21:30+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=6d33f7bb8c3863e54f8bdede0a2bf97a3585ac20'/>
<id>6d33f7bb8c3863e54f8bdede0a2bf97a3585ac20</id>
<content type='text'>
When the HWA encounters a STALL on a control endpoint, it should clear the
RPIPE_STALL feature on the RPIPE before processing the next transfer
request.  Otherwise, all transfer requests on that endpoint after the
first STALL will fail because the RPIPE is still in the halted state.
This also removes the unneccessary call to spin_lock_irqsave for a nested
lock that was present in the first patch.

Signed-off-by: Thomas Pugliese &lt;thomas.pugliese@gmail.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
When the HWA encounters a STALL on a control endpoint, it should clear the
RPIPE_STALL feature on the RPIPE before processing the next transfer
request.  Otherwise, all transfer requests on that endpoint after the
first STALL will fail because the RPIPE is still in the halted state.
This also removes the unneccessary call to spin_lock_irqsave for a nested
lock that was present in the first patch.

Signed-off-by: Thomas Pugliese &lt;thomas.pugliese@gmail.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>wusbcore: fix kernel panic when disconnecting a wireless USB-&gt;serial device</title>
<updated>2013-08-12T20:45:26+00:00</updated>
<author>
<name>Thomas Pugliese</name>
<email>thomas.pugliese@gmail.com</email>
</author>
<published>2013-08-09T14:52:13+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=ec58fad1feb76c323ef47efff1d1e8660ed4644c'/>
<id>ec58fad1feb76c323ef47efff1d1e8660ed4644c</id>
<content type='text'>
This patch fixes a kernel panic that can occur when disconnecting a
wireless USB-&gt;serial device.  When the serial device disconnects, the
device cleanup procedure ends up calling usb_hcd_disable_endpoint on the
serial device's endpoints.  The wusbcore uses the ABORT_RPIPE command to
abort all transfers on the given endpoint but it does not properly give
back the URBs when the transfer results return from the HWA.  This patch
prevents the transfer result processing code from bailing out when it sees
a WA_XFER_STATUS_ABORTED result code so that these urbs are flushed
properly by usb_hcd_disable_endpoint.  It also updates wa_urb_dequeue to
handle the case where the endpoint has already been cleaned up when
usb_kill_urb is called which is where the panic originally occurred.

Signed-off-by: Thomas Pugliese &lt;thomas.pugliese@gmail.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This patch fixes a kernel panic that can occur when disconnecting a
wireless USB-&gt;serial device.  When the serial device disconnects, the
device cleanup procedure ends up calling usb_hcd_disable_endpoint on the
serial device's endpoints.  The wusbcore uses the ABORT_RPIPE command to
abort all transfers on the given endpoint but it does not properly give
back the URBs when the transfer results return from the HWA.  This patch
prevents the transfer result processing code from bailing out when it sees
a WA_XFER_STATUS_ABORTED result code so that these urbs are flushed
properly by usb_hcd_disable_endpoint.  It also updates wa_urb_dequeue to
handle the case where the endpoint has already been cleaned up when
usb_kill_urb is called which is where the panic originally occurred.

Signed-off-by: Thomas Pugliese &lt;thomas.pugliese@gmail.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>wusbcore: clean up list locking in urb enqueue</title>
<updated>2013-08-12T20:13:33+00:00</updated>
<author>
<name>Thomas Pugliese</name>
<email>thomas.pugliese@gmail.com</email>
</author>
<published>2013-08-12T15:10:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=e9a088fae5e4f9be729f3f419627abc3886b09de'/>
<id>e9a088fae5e4f9be729f3f419627abc3886b09de</id>
<content type='text'>
wa_urb_enqueue_run locks and unlocks its list lock as it traverses the
list of queued transfers.  This was done to prevent deadlocking due to
acquiring locks in reverse order in different places.  The problem is that
releasing the lock during the list traversal could allow the dequeue
routine to corrupt the list while it is being iterated over.  This patch
moves all list entries to a temp list while holding the list lock, then
traverses the temp list with no lock held.

Signed-off-by: Thomas Pugliese &lt;thomas.pugliese@gmail.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
wa_urb_enqueue_run locks and unlocks its list lock as it traverses the
list of queued transfers.  This was done to prevent deadlocking due to
acquiring locks in reverse order in different places.  The problem is that
releasing the lock during the list traversal could allow the dequeue
routine to corrupt the list while it is being iterated over.  This patch
moves all list entries to a temp list while holding the list lock, then
traverses the temp list with no lock held.

Signed-off-by: Thomas Pugliese &lt;thomas.pugliese@gmail.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
</feed>
