An earlier fix partially fixed the null pointer dereference on skb->len
by moving the assignment of len after the check on skb being non-null,
however it failed to remove the erroneous dereference when assigning len.
Correctly fix this by removing the initialisation of len as was
originally intended.
Fixes: 70237dc8ef ("usb: gadget: function: f_eem: socket buffer may be NULL")
Acked-by: Peter Chen <peter.chen@nxp.com>
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
When usb gadget is set gadget serial function, it will be crash in below
situation.
It will clean the 'port->port_usb' pointer in gserial_disconnect() function
when usb link is inactive, but it will release lock for disabling the endpoints
in this function. Druing the lock release period, it maybe complete one request
to issue gs_write_complete()--->gs_start_tx() function, but the 'port->port_usb'
pointer had been set NULL, thus it will be crash in gs_start_tx() function.
This patch adds the 'port->port_usb' pointer checking in gs_start_tx() function
to avoid this situation.
Signed-off-by: Baolin Wang <baolin.wang@linaro.org>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
In eth_start_xmit, the socket buffer may be NULL. So, add NULL pointer
check at .wrap API.
Signed-off-by: Peter Chen <peter.chen@nxp.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
In eth_start_xmit, the socket buffer may be NULL. So, add NULL pointer
check at .wrap API.
Signed-off-by: Peter Chen <peter.chen@nxp.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
When rndis data transfer is in progress, some Windows7 Host PC is not
sending the GET_ENCAPSULATED_RESPONSE command for receiving the response
for the previous SEND_ENCAPSULATED_COMMAND processed.
The rndis function driver appends each response for the
SEND_ENCAPSULATED_COMMAND in a queue. As the above process got corrupted,
the Host sends a REMOTE_NDIS_RESET_MSG command to do a soft-reset.
As the rndis response queue is not freed, the previous response is sent
as a part of this REMOTE_NDIS_RESET_MSG's reset response and the Host
block any more Rndis transfers.
Hence free the rndis response queue as a part of this soft-reset so that
the correct response for REMOTE_NDIS_RESET_MSG is sent properly during the
response command.
Signed-off-by: Rajkumar Raghupathy <raghup@codeaurora.org>
Signed-off-by: Xerox Lin <xerox_lin@htc.com>
[AmitP: Cherry-picked this patch and folded other relevant
fixes from Android common kernel android-4.4]
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
dev->port_usb is checked for null pointer at above code, so dev->port_usb
might be null, fix it by adding null pointer check.
Signed-off-by: Peter Chen <peter.chen@nxp.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Pull media updates from Mauro Carvalho Chehab:
- new framework support for HDMI CEC and remote control support
- new encoding codec driver for Mediatek SoC
- new frontend driver: helene tuner
- added support for NetUp almost universal devices, with supports
DVB-C/S/S2/T/T2 and ISDB-T
- the mn88472 frontend driver got promoted from staging
- a new driver for RCar video input
- some soc_camera legacy drivers got removed: timb, omap1, mx2, mx3
- lots of driver cleanups, improvements and fixups
* tag 'media/v4.8-1' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media: (377 commits)
[media] cec: always check all_device_types and features
[media] cec: poll should check if there is room in the tx queue
[media] vivid: support monitor all mode
[media] cec: fix test for unconfigured adapter in main message loop
[media] cec: limit the size of the transmit queue
[media] cec: zero unused msg part after msg->len
[media] cec: don't set fh to NULL in CEC_TRANSMIT
[media] cec: clear all status fields before transmit and always fill in sequence
[media] cec: CEC_RECEIVE overwrote the timeout field
[media] cxd2841er: Reading SNR for DVB-C added
[media] cxd2841er: Reading BER and UCB for DVB-C added
[media] cxd2841er: fix switch-case for DVB-C
[media] cxd2841er: fix signal strength scale for ISDB-T
[media] cxd2841er: adjust the dB scale for DVB-C
[media] cxd2841er: provide signal strength for DVB-C
[media] cxd2841er: fix BER report via DVBv5 stats API
[media] mb86a20s: apply mask to val after checking for read failure
[media] airspy: fix error logic during device register
[media] s5p-cec/TODO: add TODO item
[media] cec/TODO: drop comment about sphinx documentation
...
Linux 4.7-rc6
* tag 'v4.7-rc6': (1245 commits)
Linux 4.7-rc6
ovl: warn instead of error if d_type is not supported
MIPS: Fix possible corruption of cache mode by mprotect.
locks: use file_inode()
usb: dwc3: st: Use explicit reset_control_get_exclusive() API
phy: phy-stih407-usb: Use explicit reset_control_get_exclusive() API
phy: miphy28lp: Inform the reset framework that our reset line may be shared
namespace: update event counter when umounting a deleted dentry
9p: use file_dentry()
lockd: unregister notifier blocks if the service fails to come up completely
ACPI,PCI,IRQ: correct operator precedence
fuse: serialize dirops by default
drm/i915: Fix missing unlock on error in i915_ppgtt_info()
powerpc: Initialise pci_io_base as early as possible
mfd: da9053: Fix compiler warning message for uninitialised variable
mfd: max77620: Fix FPS switch statements
phy: phy-stih407-usb: Inform the reset framework that our reset line may be shared
usb: dwc3: st: Inform the reset framework that our reset line may be shared
usb: host: ehci-st: Inform the reset framework that our reset line may be shared
usb: host: ohci-st: Inform the reset framework that our reset line may be shared
...
Make this a proper typed array. Drop the old allocate context code since
that is no longer used.
Note that the memops functions now get a struct device pointer instead of
the struct device ** that was there initially (actually a void pointer to
a struct containing only a struct device pointer).
This code is now a lot cleaner.
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Cc: Sakari Ailus <sakari.ailus@iki.fi>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
f_fs rounds up read(2) requests to a multiple of a max packet size
which means that host may provide more data than user has space for.
So far, the excess data has been silently ignored.
This introduces a buffer for a tail of such requests so that they are
returned on next read instead of being ignored.
Signed-off-by: Michal Nazarewicz <mina86@mina86.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Add a pr_err when host sent more data then the size of the buffer user
space gave us. This may happen on UDCs which require OUT requests to
be aligned to max packet size. The patch includes a description of the
situation.
Signed-off-by: Michal Nazarewicz <mina86@mina86.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Those are enabled with W=1 make option.
The patch leaves of some type-limits warnings which are caused by
generic macros used in a way where they produce always-false
conditions.
Signed-off-by: Michal Nazarewicz <mina86@mina86.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
valid range for storage buffers is encoded in
Kconfig already. Instead of checking again, let's
drop fsg_num_buffers_validate() altogether.
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
If c->cdev->use_os_string flag is not set,
don't need to invoke ffs_do_os_descs() in _ffs_func_bind.
So uninitialized ext_compat_id pointer won't be accessed by
__ffs_func_bind_do_os_desc to cause kernel panic.
Signed-off-by: Jim Lin <jilin@nvidia.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Commit dc8c46a5ae ("usb: gadget: f_tcm: convert to new function
interface with backward compatibility") introduced a possible out
of bounds memory access:
If tpg is not found in function usbg_drop_tpg,
tpg_instances[TPG_INSTANCES] is accessed.
Fixes: dc8c46a5ae ("usb: gadget: f_tcm: convert to new function interface with backward compatibility")
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Function in_rq_cur copies random bytes from the stack.
Zero the memory instead.
Fixes: 132fcb4608 ("usb: gadget: Add Audio Class 2.0 Driver")
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Device qualifier descriptor is now generated by composite.c
code. So let's fix this old comment by removing parts which
are no longer valid.
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Signed-off-by: Krzysztof Opasiak <kopasiak90@gmail.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
This descriptor is never used. Currently device qualifier
descriptor is generated by compossite code so no need to
keep it in function file.
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Signed-off-by: Krzysztof Opasiak <kopasiak90@gmail.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
This descriptor is never used. Currently device qualifier
descriptor is generated by compossite code, so no need to
keep it in function file.
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Signed-off-by: Krzysztof Opasiak <kopasiak90@gmail.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
This loop is supposed to set all the .num[] values to -1 but it's off by
one so it skips the first element and sets one element past the end of
the array.
I've cleaned up the loop a little as well.
Fixes: ddf8abd259 ('USB: f_fs: the FunctionFS driver')
Acked-by: Michal Nazarewicz <mina86@mina86.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Pull SCSI target updates from Nicholas Bellinger:
"Here are the outstanding target pending updates for v4.7-rc1.
The highlights this round include:
- Allow external PR/ALUA metadata path be defined at runtime via top
level configfs attribute (Lee)
- Fix target session shutdown bug for ib_srpt multi-channel (hch)
- Make TFO close_session() and shutdown_session() optional (hch)
- Drop se_sess->sess_kref + convert tcm_qla2xxx to internal kref
(hch)
- Add tcm_qla2xxx endpoint attribute for basic FC jammer (Laurence)
- Refactor iscsi-target RX/TX PDU encode/decode into common code
(Varun)
- Extend iscsit_transport with xmit_pdu, release_cmd, get_rx_pdu,
validate_parameters, and get_r2t_ttt for generic ISO offload
(Varun)
- Initial merge of cxgb iscsi-segment offload target driver (Varun)
The bulk of the changes are Chelsio's new driver, along with a number
of iscsi-target common code improvements made by Varun + Co along the
way"
* 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending: (29 commits)
iscsi-target: Fix early sk_data_ready LOGIN_FLAGS_READY race
cxgbit: Use type ISCSI_CXGBIT + cxgbit tpg_np attribute
iscsi-target: Convert transport drivers to signal rdma_shutdown
iscsi-target: Make iscsi_tpg_np driver show/store use generic code
tcm_qla2xxx Add SCSI command jammer/discard capability
iscsi-target: graceful disconnect on invalid mapping to iovec
target: need_to_release is always false, remove redundant check and kfree
target: remove sess_kref and ->shutdown_session
iscsi-target: remove usage of ->shutdown_session
tcm_qla2xxx: introduce a private sess_kref
target: make close_session optional
target: make ->shutdown_session optional
target: remove acl_stop
target: consolidate and fix session shutdown
cxgbit: add files for cxgbit.ko
iscsi-target: export symbols
iscsi-target: call complete on conn_logout_comp
iscsi-target: clear tx_thread_active
iscsi-target: add new offload transport type
iscsi-target: use conn_transport->transport_type in text rsp
...
Pull USB updates from Greg KH:
"Here's the big pull request for USB and PHY drivers for 4.7-rc1
Full details in the shortlog, but it's the normal major gadget driver
updates, phy updates, new usbip code, as well as a bit of lots of
other stuff.
All have been in linux-next with no reported issues"
* tag 'usb-4.7-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: (164 commits)
USB: serial: ti_usb_3410_5052: add MOXA UPORT 11x0 support
USB: serial: fix minor-number allocation
USB: serial: quatech2: fix use-after-free in probe error path
USB: serial: mxuport: fix use-after-free in probe error path
USB: serial: keyspan: fix debug and error messages
USB: serial: keyspan: fix URB unlink
USB: serial: keyspan: fix use-after-free in probe error path
USB: serial: io_edgeport: fix memory leaks in probe error path
USB: serial: io_edgeport: fix memory leaks in attach error path
usb: Remove unnecessary space before operator ','.
usb: Remove unnecessary space before open square bracket.
USB: FHCI: avoid redundant condition
usb: host: xhci-rcar: Avoid long wait in xhci_reset()
usb/host/fotg210: remove dead code in create_sysfs_files
usb: wusbcore: Do not initialise statics to 0.
usb: wusbcore: Remove space before ',' and '(' .
USB: serial: cp210x: clean up CRTSCTS flag code
USB: serial: cp210x: get rid of magic numbers in CRTSCTS flag code
USB: serial: cp210x: fix hardware flow-control disable
USB: serial: option: add even more ZTE device ids
...
