1. 15 Aug, 2019 1 commit
  2. 16 Apr, 2019 1 commit
    • Alan Stern's avatar
      USB: core: Fix unterminated string returned by usb_string() · c01c348e
      Alan Stern authored
      
      
      Some drivers (such as the vub300 MMC driver) expect usb_string() to
      return a properly NUL-terminated string, even when an error occurs.
      (In fact, vub300's probe routine doesn't bother to check the return
      code from usb_string().)  When the driver goes on to use an
      unterminated string, it leads to kernel errors such as
      stack-out-of-bounds, as found by the syzkaller USB fuzzer.
      
      An out-of-range string index argument is not at all unlikely, given
      that some devices don't provide string descriptors and therefore list
      0 as the value for their string indexes.  This patch makes
      usb_string() return a properly terminated empty string along with the
      -EINVAL error code when an out-of-range index is encountered.
      
      And since a USB string index is a single-byte value, indexes >= 256
      are just as invalid as values of 0 or below.
      Signed-off-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Reported-by: syzbot+b75b85111c10b8d680f1@syzkaller.appspotmail.com
      CC: <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c01c348e
  3. 20 Feb, 2019 1 commit
  4. 18 Jan, 2019 2 commits
  5. 05 Sep, 2018 1 commit
  6. 28 Jun, 2018 1 commit
  7. 12 Jun, 2018 1 commit
    • Kees Cook's avatar
      treewide: kmalloc() -> kmalloc_array() · 6da2ec56
      Kees Cook authored
      The kmalloc() function has a 2-factor argument form, kmalloc_array(). This
      patch replaces cases of:
      
              kmalloc(a * b, gfp)
      
      with:
              kmalloc_array(a * b, gfp)
      
      as well as handling cases of:
      
              kmalloc(a * b * c, gfp)
      
      with:
      
              kmalloc(array3_size(a, b, c), gfp)
      
      as it's slightly less ugly than:
      
              kmalloc_array(array_size(a, b), c, gfp)
      
      This does, however, attempt to ignore constant size factors like:
      
              kmalloc(4 * 1024, gfp)
      
      though any constants defined via macros get caught up in the conversion.
      
      Any factors with a sizeof() of "unsigned char", "char", and "u8" were
      dropped, since they're redundant.
      
      The tools/ directory was manually excluded, since it has its own
      implementation of kmalloc().
      
      The Coccinelle script used for this was:
      
      // Fix redundant parens around sizeof().
      @@
      type TYPE;
      expression THING, E;
      @@
      
      (
        kmalloc(
      -	(sizeof(TYPE)) * E
      +	sizeof(TYPE) * E
        , ...)
      |
        kmalloc(
      -	(sizeof(THING)) * E
      +	sizeof(THING) * E
      ...
      6da2ec56
  8. 31 May, 2018 1 commit
  9. 06 Mar, 2018 1 commit
    • Danilo Krummrich's avatar
      usb: quirks: add control message delay for 1b1c:1b20 · cb88a058
      Danilo Krummrich authored
      Corsair Strafe RGB keyboard does not respond to usb control messages
      sometimes and hence generates timeouts.
      
      Commit de3af5bf ("usb: quirks: add delay init quirk for Corsair
      Strafe RGB keyboard") tried to fix those timeouts by adding
      USB_QUIRK_DELAY_INIT.
      
      Unfortunately, even with this quirk timeouts of usb_control_msg()
      can still be seen, but with a lower frequency (approx. 1 out of 15):
      
      [   29.103520] usb 1-8: string descriptor 0 read error: -110
      [   34.363097] usb 1-8: can't set config #1, error -110
      
      Adding further delays to different locations where usb control
      messages are issued just moves the timeouts to other locations,
      e.g.:
      
      [   35.400533] usbhid 1-8:1.0: can't add hid device: -110
      [   35.401014] usbhid: probe of 1-8:1.0 failed with error -110
      
      The only way to reliably avoid those issues is having a pause after
      each usb control message. In approx. 200 boot cycles no more timeouts
      were seen.
      
      Addionaly, keep USB_QUIRK_DELAY_INIT as it turned out to be necessary
      to have the delay in hub_port_connect() after hub_port_init().
      
      The overall boot time seems not to be influenced by these additional
      delays, even on fast machines and lightweight distributions.
      
      Fixes: de3af5bf
      
       ("usb: quirks: add delay init quirk for Corsair Strafe RGB keyboard")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarDanilo Krummrich <danilokrummrich@dk-develop.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      cb88a058
  10. 15 Dec, 2017 1 commit
  11. 06 Dec, 2017 1 commit
  12. 28 Nov, 2017 2 commits
    • Johan Hovold's avatar
      USB: add device-tree support for interfaces · 1a7e3948
      Johan Hovold authored
      
      
      Add OF device-tree support for USB interfaces.
      
      USB "interface nodes" are children of USB "device nodes" and are
      identified by an interface number and a configuration value:
      
      	&usb1 { /* host controller */
      		dev1: device@1 { /* device at port 1 */
      			compatible = "usb1234,5678";
      			reg = <1>;
      
      			#address-cells = <2>;
      			#size-cells = <0>;
      
      			interface@0,2 { /* interface 0 of configuration 2 */
      				compatible = "usbif1234,5678.config2.0";
      				reg = <0 2>;
      			};
      		};
      	};
      
      The configuration component is not included in the textual
      representation of an interface-node unit address for configuration 1:
      
      	&dev1 {
      		interface@0 {	/* interface 0 of configuration 1 */
      			compatible = "usbif1234,5678.config1.0";
      			reg = <0 1>;
      		};
      	};
      
      When a USB device of class 0 or 9 (hub) has only a single configuration
      with a single interface, a special case "combined node" is used instead
      of a device node with an interface node:
      
      	&usb1 {
      		device@2 {
      			compatible = "usb1234,abcd";
      			reg = <2>;
      		};
      	};
      
      Combined nodes are shared by the two device structures representing the
      USB device and its interface in the kernel's device model.
      
      Note that, as for device nodes, the compatible strings for interface
      nodes are currently not used.
      
      For more details see "Open Firmware Recommended Practice: Universal
      Serial Bus Version 1" and the binding documentation.
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1a7e3948
    • Kai-Heng Feng's avatar
      usb: core: lower log level when device is not able to deal with string · 2124c888
      Kai-Heng Feng authored
      USB devices should work just fine when they don't support language id.
      
      Lower the log level so user won't panic in the future.
      
      BugLink: https://bugs.launchpad.net/bugs/1729618
      
      Signed-off-by: default avatarKai-Heng Feng <kai.heng.feng@canonical.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2124c888
  13. 09 Nov, 2017 1 commit
  14. 07 Nov, 2017 3 commits
  15. 03 Nov, 2017 1 commit
  16. 21 Sep, 2017 1 commit
  17. 11 Apr, 2017 1 commit
  18. 19 Jan, 2017 1 commit
    • Jaejoong Kim's avatar
      usb: core: update comments for send message functions · 123b7b30
      Jaejoong Kim authored
      
      
      The commonly use of bottom halves are tasklet and workqueue. The big
      difference between tasklet and workqueue is that the tasklet runs in
      an interrupt context and the workqueue runs in a process context,
      which means it can sleep if need be.
      
      The comment for usb_control/interrupt/bulk_msg() functions note that do
      not use this function within an interrupt context, like a 'bottom half'
      handler. With this comment, it makes confuse about usage of these
      functions.
      
      To more clarify, remove 'bottom half' comment.
      Signed-off-by: default avatarJaejoong Kim <climbbb.kim@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      123b7b30
  19. 29 Oct, 2016 1 commit
  20. 13 Sep, 2016 1 commit
    • Roger Quadros's avatar
      usb: core: setup dma_pfn_offset for USB devices and, interfaces · b44bbc46
      Roger Quadros authored
      
      
      If dma_pfn_offset is not inherited correctly from the host controller,
      it might result in sub-optimal configuration as bounce
      buffer limit might be set to less than optimal level.
      
      Consider the mass storage device case.
      USB storage driver creates a scsi host for the mass storage interface in
      drivers/usb/storage/usb.c
      The scsi host parent device is nothing but the the USB interface device.
      Now, __scsi_init_queue() calls scsi_calculate_bounce_limit() to find out
      and set the block layer bounce limit.
      scsi_calculate_bounce_limit() uses dma_max_pfn(host_dev) to get the
      bounce_limit. host_dev is nothing but the device representing the
      mass storage interface.
      If that device doesn't have the right dma_pfn_offset, then dma_max_pfn()
      is messed up and the bounce buffer limit is wrong.
      
      e.g. On Keystone 2 systems, dma_max_pfn() is 0x87FFFF and dma_mask_pfn
      is 0xFFFFF. Consider a mass storage use case: Without this patch,
      usb scsi host device (usb-storage) will get a dma_pfn_offset of 0 resulting
      in a dma_max_pfn() of 0xFFFFF within the scsi layer
      (scsi_calculate_bounce_limit()).
      This will result in bounce buffers being unnecessarily used.
      
      Hint: On 32-bit ARM platforms dma_max_pfn() = dma_mask_pfn + dma_pfn_offset
      Signed-off-by: default avatarRoger Quadros <rogerq@ti.com>
      Acked-by: default avatarArnd Bergmann <arnd@arndb.de>
      Acked-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b44bbc46
  21. 30 Aug, 2016 1 commit
  22. 18 Jul, 2016 1 commit
  23. 26 Apr, 2016 2 commits
  24. 04 Oct, 2015 1 commit
  25. 22 Sep, 2015 2 commits
  26. 18 Aug, 2015 2 commits
  27. 14 Aug, 2015 2 commits
  28. 25 Jan, 2015 1 commit
    • Alan Stern's avatar
      USB: don't cancel queued resets when unbinding drivers · 524134d4
      Alan Stern authored
      The USB stack provides a mechanism for drivers to request an
      asynchronous device reset (usb_queue_reset_device()).  The mechanism
      uses a work item (reset_ws) embedded in the usb_interface structure
      used by the driver, and the reset is carried out by a work queue
      routine.
      
      The asynchronous reset can race with driver unbinding.  When this
      happens, we try to cancel the queued reset before unbinding the
      driver, on the theory that the driver won't care about any resets once
      it is unbound.
      
      However, thanks to the fact that lockdep now tracks work queue
      accesses, this can provoke a lockdep warning in situations where the
      device reset causes another interface's driver to be unbound; see
      
      	http://marc.info/?l=linux-usb&m=141893165203776&w=2
      
      for an example.  The reason is that the work routine for reset_ws in
      one interface calls cancel_queued_work() for the reset_ws in another
      interface.  Lockdep thinks this might lead to a work routine trying to
      cancel itself.  The simplest solution is not to cancel queued resets
      when unbinding drivers.
      
      This means we now need to acquire a reference to the usb_interface
      when queuing a reset_ws work item and to drop the reference when the
      work routine finishes.  We also need to make sure that the
      usb_interface structure doesn't outlive its parent usb_device; this
      means acquiring and dropping a reference when the interface is created
      and destroyed.
      
      In addition, cancelling a queued reset can fail (if the device is in
      the middle of an earlier reset), and this can cause usb_reset_device()
      to try to rebind an interface that has been deallocated (see
      http://marc.info/?l=linux-usb&m=142175717016628&w=2
      
       for details).
      Acquiring the extra references prevents this failure.
      Signed-off-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Reported-by: default avatarRussell King - ARM Linux <linux@arm.linux.org.uk>
      Reported-by: default avatarOlivier Sobrie <olivier@sobrie.be>
      Tested-by: default avatarOlivier Sobrie <olivier@sobrie.be>
      Cc: stable <stable@vger.kernel.org> # 3.19
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      524134d4
  29. 29 Sep, 2014 1 commit
  30. 04 Mar, 2014 1 commit
  31. 19 Feb, 2014 1 commit
  32. 07 Feb, 2014 1 commit
    • Valentina Manea's avatar
      staging: usbip: convert usbip-host driver to usb_device_driver · b7945b77
      Valentina Manea authored
      
      
      This driver was previously an interface driver. Since USB/IP
      exports a whole device, not just an interface, it would make
      sense to be a device driver.
      
      This patch also modifies the way userspace sees and uses a
      shared device:
      
      * the usbip_status file is no longer created for interface 0, but for
      the whole device (such as
      /sys/devices/pci0000:00/0000:00:01.2/usb1/1-1/usbip_status).
      * per interface information, such as interface class or protocol, is
      no longer sent/received; only device specific information is
      transmitted.
      * since the driver was moved one level below in the USB architecture,
      there is no need to bind/unbind each interface, just the device as a
      whole.
      Signed-off-by: default avatarValentina Manea <valentina.manea.m@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b7945b77