USB: serial: ch341: fix control-message error handling

A short control transfer would currently fail to be detected, something which could lead to stale buffer data being used as valid input. Check for short transfers, and make sure to log any transfer errors. Note that this also avoids leaking heap data to user space (TIOCMGET) and the remote device (break control). Fixes: 6ce76104781a ("USB: Driver for CH341 USB-serial adaptor") Cc: stable <stable@vger.kernel.org> Signed-off-by: Johan Hovold <johan@kernel.org>
author: Johan Hovold <johan@kernel.org> 2017-01-06 13:15:18 -0500
committer: Johan Hovold <johan@kernel.org> 2017-01-11 06:08:57 -0500
commit: 2d5a9c72d0c4ac73cf97f4b7814ed6c44b1e49ae (patch)
tree: 212f96bdaa6e7612082a3d02d8506ec656364f70
parent: 146cc8a17a3b4996f6805ee5c080e7101277c410 (diff)
1 files changed, 21 insertions, 11 deletions
diff --git a/drivers/usb/serial/ch341.c b/drivers/usb/serial/ch341.c
index 8d7b0847109b..95aa5233726c 100644
--- a/drivers/usb/serial/ch341.c
+++ b/drivers/usb/serial/ch341.c
@@ -113,6 +113,8 @@ static int ch341_control_out(struct usb_device *dev, u8 request,
        r = usb_control_msg(dev, usb_sndctrlpipe(dev, 0), request,
                            USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT,
                            value, index, NULL, 0, DEFAULT_TIMEOUT);
+        if (r < 0)
+                dev_err(&dev->dev, "failed to send control message: %d\n", r);
        return r;
 }
@@ -130,7 +132,20 @@ static int ch341_control_in(struct usb_device *dev,
        r = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0), request,
                            USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_IN,
                            value, index, buf, bufsize, DEFAULT_TIMEOUT);
-        return r;
+        if (r < bufsize) {
+                if (r >= 0) {
+                        dev_err(&dev->dev,
+                                "short control message received (%d < %u)\n",
+                                r, bufsize);
+                        r = -EIO;
+                }
+                dev_err(&dev->dev, "failed to receive control message: %d\n",
+                        r);
+                return r;
+        }
+        return 0;
 }
 static int ch341_set_baudrate_lcr(struct usb_device *dev,
@@ -181,9 +196,9 @@ static int ch341_set_handshake(struct usb_device *dev, u8 control)
 static int ch341_get_status(struct usb_device *dev, struct ch341_private *priv)
 {
+        const unsigned int size = 2;
        char *buffer;
        int r;
-        const unsigned size = 8;
        unsigned long flags;
        buffer = kmalloc(size, GFP_KERNEL);
@@ -194,14 +209,9 @@ static int ch341_get_status(struct usb_device *dev, struct ch341_private *priv)
        if (r < 0)
                goto out;
-        /* setup the private status if available */
+        spin_lock_irqsave(&priv->lock, flags);
-        if (r == 2) {
+        priv->line_status = (~(*buffer)) & CH341_BITS_MODEM_STAT;
-                r = 0;
+        spin_unlock_irqrestore(&priv->lock, flags);
-                spin_lock_irqsave(&priv->lock, flags);
-                priv->line_status = (~(*buffer)) & CH341_BITS_MODEM_STAT;
-                spin_unlock_irqrestore(&priv->lock, flags);
-        } else
-                r = -EPROTO;
 out:    kfree(buffer);
        return r;
@@ -211,9 +221,9 @@ out:	kfree(buffer);
 static int ch341_configure(struct usb_device *dev, struct ch341_private *priv)
 {
+        const unsigned int size = 2;
        char *buffer;
        int r;
-        const unsigned size = 8;
        buffer = kmalloc(size, GFP_KERNEL);
        if (!buffer)
author	Johan Hovold <johan@kernel.org>	2017-01-06 13:15:18 -0500
committer	Johan Hovold <johan@kernel.org>	2017-01-11 06:08:57 -0500
commit	2d5a9c72d0c4ac73cf97f4b7814ed6c44b1e49ae (patch)
tree	212f96bdaa6e7612082a3d02d8506ec656364f70
parent	146cc8a17a3b4996f6805ee5c080e7101277c410 (diff)