diff options
| author | Alan Stern <stern@rowland.harvard.edu> | 2010-09-21 15:01:53 -0400 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@suse.de> | 2010-09-24 14:05:00 -0400 |
| commit | 0026e00523a85b90a92a93ddf6660939ecef3e54 (patch) | |
| tree | d618b4eb0948c061256346410a4107a526aaab40 | |
| parent | a850ea30374ebed32a0724742601861853fde869 (diff) | |
USB: fix bug in initialization of interface minor numbers
Recent changes in the usbhid layer exposed a bug in usbcore. If
CONFIG_USB_DYNAMIC_MINORS is enabled then an interface may be assigned
a minor number of 0. However interfaces that aren't registered as USB
class devices also have their minor number set to 0, during
initialization. As a result usb_find_interface() may return the
wrong interface, leading to a crash.
This patch (as1418) fixes the problem by initializing every
interface's minor number to -1. It also cleans up the
usb_register_dev() function, which besides being somewhat awkwardly
written, does not unwind completely on all its error paths.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Tested-by: Philip J. Turmel <philip@turmel.org>
Tested-by: Gabriel Craciunescu <nix.or.die@googlemail.com>
Tested-by: Alex Riesen <raa.lkml@gmail.com>
Tested-by: Matthias Bayer <jackdachef@gmail.com>
CC: Jiri Kosina <jkosina@suse.cz>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
| -rw-r--r-- | drivers/usb/core/file.c | 35 | ||||
| -rw-r--r-- | drivers/usb/core/message.c | 1 |
2 files changed, 17 insertions, 19 deletions
diff --git a/drivers/usb/core/file.c b/drivers/usb/core/file.c index f06f5dbc8cdc..1e6ccef2cf0c 100644 --- a/drivers/usb/core/file.c +++ b/drivers/usb/core/file.c | |||
| @@ -159,9 +159,9 @@ void usb_major_cleanup(void) | |||
| 159 | int usb_register_dev(struct usb_interface *intf, | 159 | int usb_register_dev(struct usb_interface *intf, |
| 160 | struct usb_class_driver *class_driver) | 160 | struct usb_class_driver *class_driver) |
| 161 | { | 161 | { |
| 162 | int retval = -EINVAL; | 162 | int retval; |
| 163 | int minor_base = class_driver->minor_base; | 163 | int minor_base = class_driver->minor_base; |
| 164 | int minor = 0; | 164 | int minor; |
| 165 | char name[20]; | 165 | char name[20]; |
| 166 | char *temp; | 166 | char *temp; |
| 167 | 167 | ||
| @@ -173,12 +173,17 @@ int usb_register_dev(struct usb_interface *intf, | |||
| 173 | */ | 173 | */ |
| 174 | minor_base = 0; | 174 | minor_base = 0; |
| 175 | #endif | 175 | #endif |
| 176 | intf->minor = -1; | ||
| 177 | |||
| 178 | dbg ("looking for a minor, starting at %d", minor_base); | ||
| 179 | 176 | ||
| 180 | if (class_driver->fops == NULL) | 177 | if (class_driver->fops == NULL) |
| 181 | goto exit; | 178 | return -EINVAL; |
| 179 | if (intf->minor >= 0) | ||
| 180 | return -EADDRINUSE; | ||
| 181 | |||
| 182 | retval = init_usb_class(); | ||
| 183 | if (retval) | ||
| 184 | return retval; | ||
| 185 | |||
| 186 | dev_dbg(&intf->dev, "looking for a minor, starting at %d", minor_base); | ||
| 182 | 187 | ||
| 183 | down_write(&minor_rwsem); | 188 | down_write(&minor_rwsem); |
| 184 | for (minor = minor_base; minor < MAX_USB_MINORS; ++minor) { | 189 | for (minor = minor_base; minor < MAX_USB_MINORS; ++minor) { |
| @@ -186,20 +191,12 @@ int usb_register_dev(struct usb_interface *intf, | |||
| 186 | continue; | 191 | continue; |
| 187 | 192 | ||
| 188 | usb_minors[minor] = class_driver->fops; | 193 | usb_minors[minor] = class_driver->fops; |
| 189 | 194 | intf->minor = minor; | |
| 190 | retval = 0; | ||
| 191 | break; | 195 | break; |
| 192 | } | 196 | } |
| 193 | up_write(&minor_rwsem); | 197 | up_write(&minor_rwsem); |
| 194 | 198 | if (intf->minor < 0) | |
| 195 | if (retval) | 199 | return -EXFULL; |
| 196 | goto exit; | ||
| 197 | |||
| 198 | retval = init_usb_class(); | ||
| 199 | if (retval) | ||
| 200 | goto exit; | ||
| 201 | |||
| 202 | intf->minor = minor; | ||
| 203 | 200 | ||
| 204 | /* create a usb class device for this usb interface */ | 201 | /* create a usb class device for this usb interface */ |
| 205 | snprintf(name, sizeof(name), class_driver->name, minor - minor_base); | 202 | snprintf(name, sizeof(name), class_driver->name, minor - minor_base); |
| @@ -213,11 +210,11 @@ int usb_register_dev(struct usb_interface *intf, | |||
| 213 | "%s", temp); | 210 | "%s", temp); |
| 214 | if (IS_ERR(intf->usb_dev)) { | 211 | if (IS_ERR(intf->usb_dev)) { |
| 215 | down_write(&minor_rwsem); | 212 | down_write(&minor_rwsem); |
| 216 | usb_minors[intf->minor] = NULL; | 213 | usb_minors[minor] = NULL; |
| 214 | intf->minor = -1; | ||
| 217 | up_write(&minor_rwsem); | 215 | up_write(&minor_rwsem); |
| 218 | retval = PTR_ERR(intf->usb_dev); | 216 | retval = PTR_ERR(intf->usb_dev); |
| 219 | } | 217 | } |
| 220 | exit: | ||
| 221 | return retval; | 218 | return retval; |
| 222 | } | 219 | } |
| 223 | EXPORT_SYMBOL_GPL(usb_register_dev); | 220 | EXPORT_SYMBOL_GPL(usb_register_dev); |
diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c index 844683e50383..9f0ce7de0e36 100644 --- a/drivers/usb/core/message.c +++ b/drivers/usb/core/message.c | |||
| @@ -1802,6 +1802,7 @@ free_interfaces: | |||
| 1802 | intf->dev.groups = usb_interface_groups; | 1802 | intf->dev.groups = usb_interface_groups; |
| 1803 | intf->dev.dma_mask = dev->dev.dma_mask; | 1803 | intf->dev.dma_mask = dev->dev.dma_mask; |
| 1804 | INIT_WORK(&intf->reset_ws, __usb_queue_reset_device); | 1804 | INIT_WORK(&intf->reset_ws, __usb_queue_reset_device); |
| 1805 | intf->minor = -1; | ||
| 1805 | device_initialize(&intf->dev); | 1806 | device_initialize(&intf->dev); |
| 1806 | dev_set_name(&intf->dev, "%d-%s:%d.%d", | 1807 | dev_set_name(&intf->dev, "%d-%s:%d.%d", |
| 1807 | dev->bus->busnum, dev->devpath, | 1808 | dev->bus->busnum, dev->devpath, |