1. 05 Jan, 2017 8 commits
  2. 04 Jan, 2017 24 commits
    • Johan Hovold's avatar
      USB: serial: ti_usb_3410_5052: fix NULL-deref at open · ef079936
      Johan Hovold authored
      Fix NULL-pointer dereference in open() should a malicious device lack
      the expected endpoints:
      
      Unable to handle kernel NULL pointer dereference at virtual address 00000030
      ..
      [<bf06a6b0>] (ti_open [ti_usb_3410_5052]) from [<bf02e118>] (serial_port_activate+0x68/0x98 [usbserial])
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      ef079936
    • Johan Hovold's avatar
      USB: serial: spcp8x5: fix NULL-deref at open · cc090924
      Johan Hovold authored
      Fix NULL-pointer dereference in open() should the device lack the
      expected endpoints:
      
      Unable to handle kernel NULL pointer dereference at virtual address 00000030
      ...
      PC is at spcp8x5_open+0x30/0xd0 [spcp8x5]
      
      Fixes: 619a6f1d ("USB: add usb-serial spcp8x5 driver")
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      cc090924
    • Johan Hovold's avatar
      USB: serial: quatech2: fix sleep-while-atomic in close · f09d1886
      Johan Hovold authored
      The write URB was being killed using the synchronous interface while
      holding a spin lock in close().
      
      Simply drop the lock and busy-flag update, something which would have
      been taken care of by the completion handler if the URB was in flight.
      
      Fixes: f7a33e60 ("USB: serial: add quatech2 usb to serial driver")
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      f09d1886
    • Johan Hovold's avatar
      USB: serial: pl2303: fix NULL-deref at open · 76ab439e
      Johan Hovold authored
      Fix NULL-pointer dereference in open() should a type-0 or type-1 device
      lack the expected endpoints:
      
      Unable to handle kernel NULL pointer dereference at virtual address 00000030
      ...
      PC is at pl2303_open+0x38/0xec [pl2303]
      
      Note that a missing interrupt-in endpoint would have caused open() to
      fail.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      76ab439e
    • Johan Hovold's avatar
      USB: serial: oti6858: fix NULL-deref at open · 5afeef23
      Johan Hovold authored
      Fix NULL-pointer dereference in open() should the device lack the
      expected endpoints:
      
      Unable to handle kernel NULL pointer dereference at virtual address 00000030
      ...
      PC is at oti6858_open+0x30/0x1d0 [oti6858]
      
      Note that a missing interrupt-in endpoint would have caused open() to
      fail.
      
      Fixes: 49cdee0e ("USB: oti6858 usb-serial driver (in Nokia CA-42
      cable)")
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      5afeef23
    • Johan Hovold's avatar
      USB: serial: omninet: fix NULL-derefs at open and disconnect · a5bc0194
      Johan Hovold authored
      Fix NULL-pointer dereferences at open() and disconnect() should the
      device lack the expected bulk-out endpoints:
      
      Unable to handle kernel NULL pointer dereference at virtual address 000000b4
      ...
      [c0170ff0>] (__lock_acquire) from [<c0172f00>] (lock_acquire+0x108/0x264)
      [<c0172f00>] (lock_acquire) from [<c06a5090>] (_raw_spin_lock_irqsave+0x58/0x6c)
      [<c06a5090>] (_raw_spin_lock_irqsave) from [<c0470684>] (tty_port_tty_set+0x28/0xa4)
      [<c0470684>] (tty_port_tty_set) from [<bf08d384>] (omninet_open+0x30/0x40 [omninet])
      [<bf08d384>] (omninet_open [omninet]) from [<bf07c118>] (serial_port_activate+0x68/0x98 [usbserial])
      
      Unable to handle kernel NULL pointer dereference at virtual address 00000234
      ...
      [<bf01f418>] (omninet_disconnect [omninet]) from [<bf0016c0>] (usb_serial_disconnect+0xe4/0x100 [usbserial])
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      a5bc0194
    • Johan Hovold's avatar
      USB: serial: mos7840: fix misleading interrupt-URB comment · 472d7e55
      Johan Hovold authored
      The interrupt URB is killed at final port close since commit
      0de9a702 ("USB: overhaul of mos7840 driver").
      
      Fixes: 0de9a702 ("USB: overhaul of mos7840 driver")
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      472d7e55
    • Johan Hovold's avatar
      USB: serial: mos7840: remove unused write URB · fc43e651
      Johan Hovold authored
      Remove code to manage a write URB that was never allocated.
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      fc43e651
    • Johan Hovold's avatar
      USB: serial: mos7840: fix NULL-deref at open · 5c75633e
      Johan Hovold authored
      Fix NULL-pointer dereference in open() should the device lack the
      expected endpoints:
      
      Unable to handle kernel NULL pointer dereference at virtual address 00000030
      ...
      PC is at mos7840_open+0x88/0x8dc [mos7840]
      
      Note that we continue to treat the interrupt-in endpoint as optional for
      now.
      
      Fixes: 3f542974 ("USB: Moschip 7840 USB-Serial Driver")
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      5c75633e
    • Johan Hovold's avatar
      USB: serial: mos7720: remove obsolete port initialisation · 9da049bc
      Johan Hovold authored
      Since commit b69578df ("USB: usbserial: mos7720: add support for
      parallel port on moschip 7715"), the interrupt urb is no longer
      submitted at first port open and the endpoint-address initialisation at
      port-probe is no longer used.
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      9da049bc
    • Johan Hovold's avatar
      USB: serial: mos7720: fix parallel probe · fde1faf8
      Johan Hovold authored
      A static usb-serial-driver structure that is used to initialise the
      interrupt URB was modified during probe depending on the currently
      probed device type, something which could break a parallel probe of a
      device of a different type.
      
      Fix this up by overriding the default completion callback for MCS7715
      devices in attach() instead. We may want to use two usb-serial driver
      instances for the two types later.
      
      Fixes: fb088e33 ("USB: serial: add support for serial port on the
      moschip 7715")
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      fde1faf8
    • Johan Hovold's avatar
      USB: serial: mos7720: fix parport use-after-free on probe errors · 75dd211e
      Johan Hovold authored
      Do not submit the interrupt URB until after the parport has been
      successfully registered to avoid another use-after-free in the
      completion handler when accessing the freed parport private data in case
      of a racing completion.
      
      Fixes: b69578df ("USB: usbserial: mos7720: add support for parallel
      port on moschip 7715")
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      75dd211e
    • Johan Hovold's avatar
      USB: serial: mos7720: fix use-after-free on probe errors · 91a1ff4d
      Johan Hovold authored
      The interrupt URB was submitted on probe but never stopped on probe
      errors. This can lead to use-after-free issues in the completion
      handler when accessing the freed usb-serial struct:
      
      Unable to handle kernel paging request at virtual address 6b6b6be7
      ...
      [<bf052e70>] (mos7715_interrupt_callback [mos7720]) from [<c052a894>] (__usb_hcd_giveback_urb+0x80/0x140)
      [<c052a894>] (__usb_hcd_giveback_urb) from [<c052a9a4>] (usb_hcd_giveback_urb+0x50/0x138)
      [<c052a9a4>] (usb_hcd_giveback_urb) from [<c0550684>] (musb_giveback+0xc8/0x1cc)
      
      Fixes: b69578df ("USB: usbserial: mos7720: add support for parallel
      port on moschip 7715")
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      91a1ff4d
    • Johan Hovold's avatar
      USB: serial: mos7720: fix NULL-deref at open · b05aebc2
      Johan Hovold authored
      Fix NULL-pointer dereference at port open if a device lacks the expected
      bulk in and out endpoints.
      
      Unable to handle kernel NULL pointer dereference at virtual address 00000030
      ...
      [<bf071c20>] (mos7720_open [mos7720]) from [<bf0490e0>] (serial_port_activate+0x68/0x98 [usbserial])
      [<bf0490e0>] (serial_port_activate [usbserial]) from [<c0470ca4>] (tty_port_open+0x9c/0xe8)
      [<c0470ca4>] (tty_port_open) from [<bf049d98>] (serial_open+0x48/0x6c [usbserial])
      [<bf049d98>] (serial_open [usbserial]) from [<c0469178>] (tty_open+0xcc/0x5cc)
      
      Fixes: 0f64478c ("USB: add USB serial mos7720 driver")
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      b05aebc2
    • Johan Hovold's avatar
      USB: serial: kobil_sct: fix NULL-deref in write · 21ce5784
      Johan Hovold authored
      Fix NULL-pointer dereference in write() should the device lack the
      expected interrupt-out endpoint:
      
      Unable to handle kernel NULL pointer dereference at virtual address 00000054
      ...
      PC is at kobil_write+0x144/0x2a0 [kobil_sct]
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      21ce5784
    • Johan Hovold's avatar
      USB: serial: keyspan_pda: verify endpoints at probe · 5d9b0f85
      Johan Hovold authored
      Check for the expected endpoints in attach() and fail loudly if not
      present.
      
      Note that failing to do this appears to be benign since da280e34
      ("USB: keyspan_pda: clean up write-urb busy handling") which prevents a
      NULL-pointer dereference in write() by never marking a non-existent
      write-urb as free.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Cc: stable <stable@vger.kernel.org>	# < v3.3
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      5d9b0f85
    • Johan Hovold's avatar
      USB: serial: iuu_phoenix: fix NULL-deref at open · 90507d54
      Johan Hovold authored
      Fix NULL-pointer dereference at open should the device lack a bulk-in or
      bulk-out endpoint:
      
      Unable to handle kernel NULL pointer dereference at virtual address 00000030
      ...
      PC is at iuu_open+0x78/0x59c [iuu_phoenix]
      
      Fixes: 07c3b1a1 ("USB: remove broken usb-serial num_endpoints
      check")
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      90507d54
    • Johan Hovold's avatar
      USB: serial: io_ti: bind to interface after fw download · e35d6d7c
      Johan Hovold authored
      Bind to the interface, but do not register any ports, after having
      downloaded the firmware. The device will still disconnect and
      re-enumerate, but this way we avoid an error messages from being logged
      as part of the process:
      
      io_ti: probe of 1-1.3:1.0 failed with error -5
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      e35d6d7c
    • Johan Hovold's avatar
      USB: serial: io_ti: fix I/O after disconnect · 2330d0a8
      Johan Hovold authored
      Cancel the heartbeat work on driver unbind in order to avoid I/O after
      disconnect in case the port is held open.
      
      Note that the cancel in release() is still needed to stop the heartbeat
      after late probe errors.
      
      Fixes: 26c78daa ("USB: io_ti: Add heartbeat to keep idle EP/416
      ports from disconnecting")
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      2330d0a8
    • Johan Hovold's avatar
      USB: serial: io_ti: fix another NULL-deref at open · 4f9785cc
      Johan Hovold authored
      In case a device is left in "boot-mode" we must not register any port
      devices in order to avoid a NULL-pointer dereference on open due to
      missing endpoints. This could be used by a malicious device to trigger
      an OOPS:
      
      Unable to handle kernel NULL pointer dereference at virtual address 00000030
      ...
      [<bf0caa84>] (edge_open [io_ti]) from [<bf0b0118>] (serial_port_activate+0x68/0x98 [usbserial])
      [<bf0b0118>] (serial_port_activate [usbserial]) from [<c0470ca4>] (tty_port_open+0x9c/0xe8)
      [<c0470ca4>] (tty_port_open) from [<bf0b0da0>] (serial_open+0x48/0x6c [usbserial])
      [<bf0b0da0>] (serial_open [usbserial]) from [<c0469178>] (tty_open+0xcc/0x5cc)
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      4f9785cc
    • Johan Hovold's avatar
      USB: serial: io_ti: fix NULL-deref at open · a323fefc
      Johan Hovold authored
      Fix NULL-pointer dereference when clearing halt at open should a
      malicious device lack the expected endpoints when in download mode.
      
      Unable to handle kernel NULL pointer dereference at virtual address 00000030
      ...
      [<bf011ed8>] (edge_open [io_ti]) from [<bf000118>] (serial_port_activate+0x68/0x98 [usbserial])
      [<bf000118>] (serial_port_activate [usbserial]) from [<c0470ca4>] (tty_port_open+0x9c/0xe8)
      [<c0470ca4>] (tty_port_open) from [<bf000da0>] (serial_open+0x48/0x6c [usbserial])
      [<bf000da0>] (serial_open [usbserial]) from [<c0469178>] (tty_open+0xcc/0x5cc)
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      a323fefc
    • Johan Hovold's avatar
      USB: serial: io_edgeport: fix NULL-deref at open · 0dd40842
      Johan Hovold authored
      Fix NULL-pointer dereference when initialising URBs at open should a
      non-EPIC device lack a bulk-in or interrupt-in endpoint.
      
      Unable to handle kernel NULL pointer dereference at virtual address 00000028
      ...
      PC is at edge_open+0x24c/0x3e8 [io_edgeport]
      
      Note that the EPIC-device probe path has the required sanity checks so
      this makes those checks partially redundant.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      0dd40842
    • Johan Hovold's avatar
      USB: serial: garmin_gps: fix memory leak on failed URB submit · c4ac4496
      Johan Hovold authored
      Make sure to free the URB transfer buffer in case submission fails (e.g.
      due to a disconnect).
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      c4ac4496
    • Johan Hovold's avatar
      USB: serial: cyberjack: fix NULL-deref at open · 3dca0111
      Johan Hovold authored
      Fix NULL-pointer dereference when clearing halt at open should the device
      lack a bulk-out endpoint.
      
      Unable to handle kernel NULL pointer dereference at virtual address 00000030
      ...
      PC is at cyberjack_open+0x40/0x9c [cyberjack]
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      3dca0111
  3. 03 Jan, 2017 8 commits