From e65cdfae71cecec0fcd43a3f9ac8b5e4ae52db08 Mon Sep 17 00:00:00 2001 From: Xi Wang Date: Mon, 9 Apr 2012 15:48:55 -0400 Subject: usb: usbtest: avoid integer overflow in test_ctrl_queue() Avoid overflowing context.count = param->sglen * param->iterations, where both `sglen' and `iterations' are from userspace. | test_ctrl_queue() | usbtest_ioctl() Keep -EOPNOTSUPP for error code. Signed-off-by: Xi Wang Acked-by: Alan Stern Signed-off-by: Greg Kroah-Hartman --- drivers/usb/misc/usbtest.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'drivers/usb/misc') diff --git a/drivers/usb/misc/usbtest.c b/drivers/usb/misc/usbtest.c index 959145baf3cf..967254afb6e8 100644 --- a/drivers/usb/misc/usbtest.c +++ b/drivers/usb/misc/usbtest.c @@ -904,6 +904,9 @@ test_ctrl_queue(struct usbtest_dev *dev, struct usbtest_param *param) struct ctrl_ctx context; int i; + if (param->sglen == 0 || param->iterations > UINT_MAX / param->sglen) + return -EOPNOTSUPP; + spin_lock_init(&context.lock); context.dev = dev; init_completion(&context.complete); @@ -1981,8 +1984,6 @@ usbtest_ioctl(struct usb_interface *intf, unsigned int code, void *buf) /* queued control messaging */ case 10: - if (param->sglen == 0) - break; retval = 0; dev_info(&intf->dev, "TEST 10: queue %d control calls, %d times\n", -- cgit v1.2.2 From 8bde9a62ee74afa89f593c563e926d163b1f6ada Mon Sep 17 00:00:00 2001 From: Xi Wang Date: Mon, 9 Apr 2012 15:48:45 -0400 Subject: usb: usbtest: avoid integer overflow in alloc_sglist() A large `nents' from userspace could overflow the allocation size, leading to memory corruption. | alloc_sglist() | usbtest_ioctl() Use kmalloc_array() to avoid the overflow. Signed-off-by: Xi Wang Acked-by: Alan Stern Signed-off-by: Greg Kroah-Hartman --- drivers/usb/misc/usbtest.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'drivers/usb/misc') diff --git a/drivers/usb/misc/usbtest.c b/drivers/usb/misc/usbtest.c index 967254afb6e8..cac67dea2bac 100644 --- a/drivers/usb/misc/usbtest.c +++ b/drivers/usb/misc/usbtest.c @@ -423,7 +423,7 @@ alloc_sglist(int nents, int max, int vary) unsigned i; unsigned size = max; - sg = kmalloc(nents * sizeof *sg, GFP_KERNEL); + sg = kmalloc_array(nents, sizeof *sg, GFP_KERNEL); if (!sg) return NULL; sg_init_table(sg, nents); -- cgit v1.2.2 From f4a728d09a96d6a83d9c3f39035b1aa7726892ea Mon Sep 17 00:00:00 2001 From: Julia Lawall Date: Sun, 25 Mar 2012 21:08:32 +0200 Subject: drivers/usb/misc/usbtest.c: add kfrees Free the two previously allocated buffers before exiting the function in an error case. Signed-off-by: Julia Lawall Signed-off-by: Greg Kroah-Hartman --- drivers/usb/misc/usbtest.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'drivers/usb/misc') diff --git a/drivers/usb/misc/usbtest.c b/drivers/usb/misc/usbtest.c index cac67dea2bac..9dcb68f04f03 100644 --- a/drivers/usb/misc/usbtest.c +++ b/drivers/usb/misc/usbtest.c @@ -2277,6 +2277,8 @@ usbtest_probe(struct usb_interface *intf, const struct usb_device_id *id) if (status < 0) { WARNING(dev, "couldn't get endpoints, %d\n", status); + kfree(dev->buf); + kfree(dev); return status; } /* may find bulk or ISO pipes */ -- cgit v1.2.2 From 523fc5c14f6cad283e5a266eba0e343aed6e73d5 Mon Sep 17 00:00:00 2001 From: Tomoki Sekiyama Date: Fri, 30 Mar 2012 08:51:28 +0900 Subject: USB: yurex: Remove allocation of coherent buffer for setup-packet buffer Removes allocation of coherent buffer for the control-request setup-packet buffer from the yurex driver. Using coherent buffers for setup-packet is obsolete and does not work with some USB host implementations. Signed-off-by: Tomoki Sekiyama Cc: stable Signed-off-by: Greg Kroah-Hartman --- drivers/usb/misc/yurex.c | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) (limited to 'drivers/usb/misc') diff --git a/drivers/usb/misc/yurex.c b/drivers/usb/misc/yurex.c index 897edda42270..a4a76fcd41cd 100644 --- a/drivers/usb/misc/yurex.c +++ b/drivers/usb/misc/yurex.c @@ -99,9 +99,7 @@ static void yurex_delete(struct kref *kref) usb_put_dev(dev->udev); if (dev->cntl_urb) { usb_kill_urb(dev->cntl_urb); - if (dev->cntl_req) - usb_free_coherent(dev->udev, YUREX_BUF_SIZE, - dev->cntl_req, dev->cntl_urb->setup_dma); + kfree(dev->cntl_req); if (dev->cntl_buffer) usb_free_coherent(dev->udev, YUREX_BUF_SIZE, dev->cntl_buffer, dev->cntl_urb->transfer_dma); @@ -234,9 +232,7 @@ static int yurex_probe(struct usb_interface *interface, const struct usb_device_ } /* allocate buffer for control req */ - dev->cntl_req = usb_alloc_coherent(dev->udev, YUREX_BUF_SIZE, - GFP_KERNEL, - &dev->cntl_urb->setup_dma); + dev->cntl_req = kmalloc(YUREX_BUF_SIZE, GFP_KERNEL); if (!dev->cntl_req) { err("Could not allocate cntl_req"); goto error; -- cgit v1.2.2 From 532f17b5d59bf0deb6f1ff9bc1fb27d5b5011c09 Mon Sep 17 00:00:00 2001 From: Tomoki Sekiyama Date: Fri, 30 Mar 2012 08:51:36 +0900 Subject: USB: yurex: Fix missing URB_NO_TRANSFER_DMA_MAP flag in urb Current probing code is setting URB_NO_TRANSFER_DMA_MAP flag into a wrong urb structure, and this causes BUG_ON with some USB host implementations. This patch fixes the issue. Signed-off-by: Tomoki Sekiyama Cc: stable Signed-off-by: Greg Kroah-Hartman --- drivers/usb/misc/yurex.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'drivers/usb/misc') diff --git a/drivers/usb/misc/yurex.c b/drivers/usb/misc/yurex.c index a4a76fcd41cd..70201462e19c 100644 --- a/drivers/usb/misc/yurex.c +++ b/drivers/usb/misc/yurex.c @@ -282,7 +282,7 @@ static int yurex_probe(struct usb_interface *interface, const struct usb_device_ usb_rcvintpipe(dev->udev, dev->int_in_endpointAddr), dev->int_buffer, YUREX_BUF_SIZE, yurex_interrupt, dev, 1); - dev->cntl_urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP; + dev->urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP; if (usb_submit_urb(dev->urb, GFP_KERNEL)) { retval = -EIO; err("Could not submitting URB"); -- cgit v1.2.2