diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2016-03-18 16:19:15 -0700 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2016-03-18 16:19:15 -0700 |
| commit | 040e3abbb958f5a038c16c1af7258e396303c2e1 (patch) | |
| tree | e010c76f04d025599dd740faa83791cf482ff178 | |
| parent | f7813ad5cbfd1fab2899914281b72a1ba0805c80 (diff) | |
| parent | 55ff8cfbc4e12a7d2187df523938cc671fbebdd1 (diff) | |
| download | kvm-040e3abbb958f5a038c16c1af7258e396303c2e1.tar.gz | |
Merge tag 'usb-4.6-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb
Pull USB fixes from Greg KH:
"Here is a USB fix for the reported issue with commit 69bec7259853
("USB: core: let USB device know device node") as well as some other
issues that have been reported so far with this merge window"
* tag 'usb-4.6-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
USB: uas: Reduce can_queue to MAX_CMNDS
USB: cdc-acm: more sanity checking
USB: usb_driver_claim_interface: add sanity checking
usb/core: usb_alloc_dev(): fix setting of ->portnum
USB: iowarrior: fix oops with malicious USB descriptors
| -rw-r--r-- | drivers/usb/class/cdc-acm.c | 3 | ||||
| -rw-r--r-- | drivers/usb/core/driver.c | 6 | ||||
| -rw-r--r-- | drivers/usb/core/usb.c | 5 | ||||
| -rw-r--r-- | drivers/usb/misc/iowarrior.c | 6 | ||||
| -rw-r--r-- | drivers/usb/storage/uas.c | 2 |
5 files changed, 18 insertions, 4 deletions
diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c index 1d2c99af253240..83fd30b0577c55 100644 --- a/drivers/usb/class/cdc-acm.c +++ b/drivers/usb/class/cdc-acm.c @@ -1179,6 +1179,9 @@ static int acm_probe(struct usb_interface *intf, if (quirks == NO_UNION_NORMAL) { data_interface = usb_ifnum_to_if(usb_dev, 1); control_interface = usb_ifnum_to_if(usb_dev, 0); + /* we would crash */ + if (!data_interface || !control_interface) + return -ENODEV; goto skip_normal_probe; } diff --git a/drivers/usb/core/driver.c b/drivers/usb/core/driver.c index 56593a9a87268c..2057d91d83360d 100644 --- a/drivers/usb/core/driver.c +++ b/drivers/usb/core/driver.c @@ -502,11 +502,15 @@ static int usb_unbind_interface(struct device *dev) int usb_driver_claim_interface(struct usb_driver *driver, struct usb_interface *iface, void *priv) { - struct device *dev = &iface->dev; + struct device *dev; struct usb_device *udev; int retval = 0; int lpm_disable_error; + if (!iface) + return -ENODEV; + + dev = &iface->dev; if (dev->driver) return -EBUSY; diff --git a/drivers/usb/core/usb.c b/drivers/usb/core/usb.c index ffa5cf13ffe189..dcb85e3cd5a76a 100644 --- a/drivers/usb/core/usb.c +++ b/drivers/usb/core/usb.c @@ -424,6 +424,7 @@ struct usb_device *usb_alloc_dev(struct usb_device *parent, struct usb_device *dev; struct usb_hcd *usb_hcd = bus_to_hcd(bus); unsigned root_hub = 0; + unsigned raw_port = port1; dev = kzalloc(sizeof(*dev), GFP_KERNEL); if (!dev) @@ -498,11 +499,11 @@ struct usb_device *usb_alloc_dev(struct usb_device *parent, if (!parent->parent) { /* device under root hub's port */ - port1 = usb_hcd_find_raw_port_number(usb_hcd, + raw_port = usb_hcd_find_raw_port_number(usb_hcd, port1); } dev->dev.of_node = usb_of_get_child_node(parent->dev.of_node, - port1); + raw_port); /* hub driver sets up TT records */ } diff --git a/drivers/usb/misc/iowarrior.c b/drivers/usb/misc/iowarrior.c index c6bfd13f6c92ff..1950e87b421904 100644 --- a/drivers/usb/misc/iowarrior.c +++ b/drivers/usb/misc/iowarrior.c @@ -787,6 +787,12 @@ static int iowarrior_probe(struct usb_interface *interface, iface_desc = interface->cur_altsetting; dev->product_id = le16_to_cpu(udev->descriptor.idProduct); + if (iface_desc->desc.bNumEndpoints < 1) { + dev_err(&interface->dev, "Invalid number of endpoints\n"); + retval = -EINVAL; + goto error; + } + /* set up the endpoint information */ for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) { endpoint = &iface_desc->endpoint[i].desc; diff --git a/drivers/usb/storage/uas.c b/drivers/usb/storage/uas.c index 44b096c1737b65..13e4cc31bc79e6 100644 --- a/drivers/usb/storage/uas.c +++ b/drivers/usb/storage/uas.c @@ -836,7 +836,7 @@ static struct scsi_host_template uas_host_template = { .slave_configure = uas_slave_configure, .eh_abort_handler = uas_eh_abort_handler, .eh_bus_reset_handler = uas_eh_bus_reset_handler, - .can_queue = 65536, /* Is there a limit on the _host_ ? */ + .can_queue = MAX_CMNDS, .this_id = -1, .sg_tablesize = SG_NONE, .skip_settle_delay = 1, |