From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: stable-review@kernel.org, torvalds@linux-foundation.org,
akpm@linux-foundation.org, alan@lxorguk.ukuu.org.uk,
Alan Stern <stern@rowland.harvard.edu>,
Jiri Kosina <jkosina@suse.cz>
Subject: [008/103] USB: fix bug in initialization of interface minor numbers
Date: Fri, 22 Oct 2010 11:50:42 -0700 [thread overview]
Message-ID: <20101022185228.029323489@clark.site> (raw)
In-Reply-To: <20101022185455.GA9114@kroah.com>
2.6.35-stable review patch. If anyone has any objections, please let us know.
------------------
From: Alan Stern <stern@rowland.harvard.edu>
commit 0026e00523a85b90a92a93ddf6660939ecef3e54 upstream.
Recent changes in the usbhid layer exposed a bug in usbcore. If
CONFIG_USB_DYNAMIC_MINORS is enabled then an interface may be assigned
a minor number of 0. However interfaces that aren't registered as USB
class devices also have their minor number set to 0, during
initialization. As a result usb_find_interface() may return the
wrong interface, leading to a crash.
This patch (as1418) fixes the problem by initializing every
interface's minor number to -1. It also cleans up the
usb_register_dev() function, which besides being somewhat awkwardly
written, does not unwind completely on all its error paths.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Tested-by: Philip J. Turmel <philip@turmel.org>
Tested-by: Gabriel Craciunescu <nix.or.die@googlemail.com>
Tested-by: Alex Riesen <raa.lkml@gmail.com>
Tested-by: Matthias Bayer <jackdachef@gmail.com>
CC: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
drivers/usb/core/file.c | 35 ++++++++++++++++-------------------
drivers/usb/core/message.c | 1 +
2 files changed, 17 insertions(+), 19 deletions(-)
--- a/drivers/usb/core/file.c
+++ b/drivers/usb/core/file.c
@@ -159,9 +159,9 @@ void usb_major_cleanup(void)
int usb_register_dev(struct usb_interface *intf,
struct usb_class_driver *class_driver)
{
- int retval = -EINVAL;
+ int retval;
int minor_base = class_driver->minor_base;
- int minor = 0;
+ int minor;
char name[20];
char *temp;
@@ -173,12 +173,17 @@ int usb_register_dev(struct usb_interfac
*/
minor_base = 0;
#endif
- intf->minor = -1;
-
- dbg ("looking for a minor, starting at %d", minor_base);
if (class_driver->fops == NULL)
- goto exit;
+ return -EINVAL;
+ if (intf->minor >= 0)
+ return -EADDRINUSE;
+
+ retval = init_usb_class();
+ if (retval)
+ return retval;
+
+ dev_dbg(&intf->dev, "looking for a minor, starting at %d", minor_base);
down_write(&minor_rwsem);
for (minor = minor_base; minor < MAX_USB_MINORS; ++minor) {
@@ -186,20 +191,12 @@ int usb_register_dev(struct usb_interfac
continue;
usb_minors[minor] = class_driver->fops;
-
- retval = 0;
+ intf->minor = minor;
break;
}
up_write(&minor_rwsem);
-
- if (retval)
- goto exit;
-
- retval = init_usb_class();
- if (retval)
- goto exit;
-
- intf->minor = minor;
+ if (intf->minor < 0)
+ return -EXFULL;
/* create a usb class device for this usb interface */
snprintf(name, sizeof(name), class_driver->name, minor - minor_base);
@@ -213,11 +210,11 @@ int usb_register_dev(struct usb_interfac
"%s", temp);
if (IS_ERR(intf->usb_dev)) {
down_write(&minor_rwsem);
- usb_minors[intf->minor] = NULL;
+ usb_minors[minor] = NULL;
+ intf->minor = -1;
up_write(&minor_rwsem);
retval = PTR_ERR(intf->usb_dev);
}
-exit:
return retval;
}
EXPORT_SYMBOL_GPL(usb_register_dev);
--- a/drivers/usb/core/message.c
+++ b/drivers/usb/core/message.c
@@ -1802,6 +1802,7 @@ free_interfaces:
intf->dev.groups = usb_interface_groups;
intf->dev.dma_mask = dev->dev.dma_mask;
INIT_WORK(&intf->reset_ws, __usb_queue_reset_device);
+ intf->minor = -1;
device_initialize(&intf->dev);
dev_set_name(&intf->dev, "%d-%s:%d.%d",
dev->bus->busnum, dev->devpath,
next prev parent reply other threads:[~2010-10-22 19:24 UTC|newest]
Thread overview: 107+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-10-22 18:54 [000/103] 2.6.35.8-stable review Greg KH
2010-10-22 18:50 ` [001/103] x86, cpu: After uncapping CPUID, re-run CPU feature detection Greg KH
2010-10-22 18:50 ` [002/103] ALSA: sound/pci/rme9652: prevent reading uninitialized stack memory Greg KH
2010-10-22 18:50 ` [003/103] ALSA: oxygen: fix analog capture on Claro halo cards Greg KH
2010-10-22 18:50 ` [004/103] ALSA: hda - Add Dell Latitude E6400 model quirk Greg KH
2010-10-22 18:50 ` [005/103] ALSA: prevent heap corruption in snd_ctl_new() Greg KH
2010-10-22 18:50 ` [006/103] ALSA: rawmidi: fix oops (use after free) when unloading a driver module Greg KH
2010-10-22 18:50 ` [007/103] hwmon: (lis3) Fix Oops with NULL platform data Greg KH
2010-10-22 18:50 ` Greg KH [this message]
2010-10-22 18:50 ` [009/103] usb: musb: gadget: fix kernel panic if using out ep with FIFO_TXRX style Greg KH
2010-10-22 18:50 ` [010/103] usb: musb: gadget: restart request on clearing endpoint halt Greg KH
2010-10-22 18:50 ` [011/103] HID: hidraw, fix a NULL pointer dereference in hidraw_ioctl Greg KH
2010-10-22 18:50 ` [012/103] HID: hidraw, fix a NULL pointer dereference in hidraw_write Greg KH
2010-10-22 18:50 ` [013/103] ahci: fix module refcount breakage introduced by libahci split Greg KH
2010-10-22 18:50 ` [014/103] lib/list_sort: do not pass bad pointers to cmp callback Greg KH
2010-10-22 18:50 ` [015/103] ACPI: invoke DSDT corruption workaround on all Toshiba Satellite Greg KH
2010-10-22 18:50 ` [016/103] oprofile: Add Support for Intel CPU Family 6 / Model 29 Greg KH
2010-10-22 18:50 ` [017/103] oprofile, ARM: Release resources on failure Greg KH
2010-10-22 18:50 ` [018/103] RDMA/cxgb3: Turn off RX coalescing for iWARP connections Greg KH
2010-10-22 18:50 ` [019/103] drm/radeon/kms: fix bad cast/shift in evergreen.c Greg KH
2010-10-22 18:50 ` [020/103] drm/radeon/kms: avivo cursor workaround applies to evergreen as well Greg KH
2010-10-22 18:50 ` [021/103] ARM: 6400/1: at91: fix arch_gettimeoffset fallout Greg KH
2010-10-22 18:50 ` [022/103] ARM: 6395/1: VExpress: Set bit 22 in the PL310 (cache controller) AuxCtlr register Greg KH
2010-10-22 18:50 ` [023/103] V4L/DVB: gspca - main: Fix a crash of some webcams on ARM arch Greg KH
2010-10-22 18:50 ` [024/103] V4L/DVB: gspca - sn9c20x: Bad transfer size of Bayer images Greg KH
2010-10-22 18:50 ` [025/103] mmc: sdhci-s3c: fix NULL ptr access in sdhci_s3c_remove Greg KH
2010-10-22 18:51 ` [026/103] x86/amd-iommu: Set iommu configuration flags in enable-loop Greg KH
2010-10-22 18:51 ` [027/103] x86/amd-iommu: Fix rounding-bug in __unmap_single Greg KH
2010-10-22 18:51 ` [028/103] x86/amd-iommu: Work around S3 BIOS bug Greg KH
2010-10-22 18:51 ` [029/103] tracing/x86: Dont use mcount in pvclock.c Greg KH
2010-10-22 18:51 ` [030/103] tracing/x86: Dont use mcount in kvmclock.c Greg KH
2010-10-22 18:51 ` [031/103] ksm: fix bad user data when swapping Greg KH
2010-10-22 18:51 ` [032/103] i7core_edac: fix panic in udimm sysfs attributes registration Greg KH
2010-10-22 18:51 ` [033/103] v4l1: fix 32-bit compat microcode loading translation Greg KH
2010-10-22 18:51 ` [034/103] V4L/DVB: cx231xx: Avoid an OOPS when card is unknown (card=0) Greg KH
2010-10-22 18:51 ` [035/103] V4L/DVB: IR: fix keys beeing stuck down forever Greg KH
2010-10-22 18:51 ` [036/103] V4L/DVB: Dont identify PV SBTVD Hybrid as a DibCom device Greg KH
2010-10-22 18:51 ` [037/103] Input: joydev - fix JSIOCSAXMAP ioctl Greg KH
2010-10-22 18:51 ` [038/103] Input: wacom - fix pressure in Cintiq 21UX2 Greg KH
2010-10-22 18:51 ` [039/103] ioat2: fix performance regression Greg KH
2010-10-22 18:51 ` [040/103] mac80211: fix use-after-free Greg KH
2010-10-22 18:51 ` [041/103] x86, hpet: Fix bogus error check in hpet_assign_irq() Greg KH
2010-10-22 18:51 ` [042/103] x86, irq: Plug memory leak in sparse irq Greg KH
2010-10-22 18:51 ` [043/103] ubd: fix incorrect sector handling during request restart Greg KH
2010-10-22 18:51 ` [044/103] OSS: soundcard: locking bug in sound_ioctl() Greg KH
2010-10-22 18:51 ` [045/103] virtio-blk: fix request leak Greg KH
2010-10-22 18:51 ` [046/103] ring-buffer: Fix typo of time extends per page Greg KH
2010-10-22 18:51 ` [047/103] dmaengine: fix interrupt clearing for mv_xor Greg KH
2010-10-22 18:51 ` [048/103] drivers/gpu/drm/i915/i915_gem.c: Add missing error handling code Greg KH
2010-10-22 18:51 ` [049/103] hrtimer: Preserve timer state in remove_hrtimer() Greg KH
2010-10-22 18:51 ` [050/103] i2c-pca: Fix waitforcompletion() return value Greg KH
2010-10-22 18:51 ` [051/103] reiserfs: fix dependency inversion between inode and reiserfs mutexes Greg KH
2010-10-22 18:51 ` [052/103] reiserfs: fix unwanted reiserfs lock recursion Greg KH
2010-10-22 18:51 ` [053/103] ocfs2: Dont walk off the end of fast symlinks Greg KH
2010-10-22 18:51 ` [054/103] mfd: Ignore non-GPIO IRQs when setting wm831x IRQ types Greg KH
2010-10-22 18:51 ` [055/103] wext: fix potential private ioctl memory content leak Greg KH
2010-10-22 18:51 ` [056/103] atl1: fix resume Greg KH
2010-10-22 18:51 ` [057/103] x86, numa: For each node, register the memory blocks actually used Greg KH
2010-10-22 18:51 ` [058/103] x86, AMD, MCE thresholding: Fix the MCi_MISCj iteration order Greg KH
2010-10-22 18:51 ` [059/103] De-pessimize rds_page_copy_user Greg KH
2010-10-22 18:51 ` [060/103] firewire: ohci: fix TI TSB82AA2 regression since 2.6.35 Greg KH
2010-10-22 18:51 ` [061/103] drm/i915: Prevent module unload to avoid random memory corruption Greg KH
2010-10-22 18:51 ` [062/103] drm/i915: Sanity check pread/pwrite Greg KH
2010-10-22 18:51 ` [063/103] drm/i915: fix GMCH power reporting Greg KH
2010-10-22 18:51 ` [064/103] drm: Prune GEM vma entries Greg KH
2010-10-22 18:51 ` [065/103] drm: Hold the mutex when dropping the last GEM reference (v2) Greg KH
2010-10-22 18:51 ` [066/103] drm/radeon: fix PCI ID 5657 to be an RV410 Greg KH
2010-10-22 18:51 ` [067/103] drm/radeon/kms: fix possible sigbus in evergreen accel code Greg KH
2010-10-22 18:51 ` [068/103] drm/radeon/kms: fix up encoder info messages for DFP6 Greg KH
2010-10-22 18:51 ` [069/103] drm/radeon/kms: fix potential segfault in r600_ioctl_wait_idle Greg KH
2010-10-22 18:51 ` [070/103] drm/radeon/kms: add quirk for MSI K9A2GM motherboard Greg KH
2010-10-22 18:51 ` [071/103] mmc: sdio: fix SDIO suspend/resume regression Greg KH
2010-10-22 18:51 ` [072/103] V4L/DVB: dib7770: enable the current mirror Greg KH
2010-10-22 18:51 ` [073/103] xfs: properly account for reclaimed inodes Greg KH
2010-10-22 18:51 ` [074/103] skge: add quirk to limit DMA Greg KH
2010-10-22 18:51 ` [075/103] r8169: allocate with GFP_KERNEL flag when able to sleep Greg KH
2010-10-22 18:51 ` [076/103] KVM: i8259: fix migration Greg KH
2010-10-22 18:51 ` [077/103] KVM: x86: Fix SVM VMCB reset Greg KH
2010-10-23 9:51 ` Michael Tokarev
2010-10-23 13:47 ` Zachary Amsden
2010-10-23 15:59 ` [stable] " Greg KH
2010-10-22 18:51 ` [078/103] KVM: x86: Move TSC reset out of vmcb_init Greg KH
2010-10-22 18:51 ` [079/103] KVM: fix irqfd assign/deassign race Greg KH
2010-10-22 18:51 ` [080/103] KVM: Fix reboot on Intel hosts Greg KH
2010-10-22 18:51 ` [081/103] [SCSI] bsg: fix incorrect device_status value Greg KH
2010-10-22 18:51 ` [082/103] [SCSI] Fix VPD inquiry page wrapper Greg KH
2010-10-22 18:51 ` [083/103] virtio: console: Dont block entire guest if host doesnt read data Greg KH
2010-10-22 18:51 ` [084/103] ACPI: Handle ACPI0007 Device in acpi_early_set_pdc Greg KH
2010-10-22 18:51 ` [085/103] powerpc: Initialise paca->kstack before early_setup_secondary Greg KH
2010-10-22 18:52 ` [086/103] powerpc: Dont use kernel stack with translation off Greg KH
2010-10-22 18:52 ` [087/103] b44: fix carrier detection on bind Greg KH
2010-10-22 18:52 ` [088/103] ALSA: hda - add ideapad model for Conexant 5051 codec Greg KH
2010-10-22 18:52 ` [089/103] ACPI: enable repeated PCIEXP wakeup by clearing PCIEXP_WAKE_STS on resume Greg KH
2010-10-22 18:52 ` [090/103] intel_idle: PCI quirk to prevent Lenovo Ideapad s10-3 boot hang Greg KH
2010-10-22 18:52 ` [091/103] ACPI: EC: add Vista incompatibility DMI entry for Toshiba Satellite L355 Greg KH
2010-10-22 18:52 ` [092/103] ACPI: delete ZEPTO idle=nomwait DMI quirk Greg KH
2010-10-22 18:52 ` [093/103] ACPI: Disable Windows Vista compatibility for Toshiba P305D Greg KH
2010-10-22 18:52 ` [094/103] PM / ACPI: Blacklist systems known to require acpi_sleep=nonvs Greg KH
2010-10-22 18:52 ` [095/103] x86: detect scattered cpuid features earlier Greg KH
2010-10-22 18:52 ` [096/103] agp/intel: Fix cache control for Sandybridge Greg KH
2010-10-22 18:52 ` [097/103] x86-32: Separate 1:1 pagetables from swapper_pg_dir Greg KH
2010-10-22 18:52 ` [098/103] x86-32: Fix dummy trampoline-related inline stubs Greg KH
2010-10-22 18:52 ` [099/103] x86, mm: Fix CONFIG_VMSPLIT_1G and 2G_OPT trampoline Greg KH
2010-10-22 18:52 ` [100/103] setup_arg_pages: diagnose excessive argument size Greg KH
2010-10-22 18:52 ` [101/103] execve: improve interactivity with large arguments Greg KH
2010-10-22 18:52 ` [102/103] execve: make responsive to SIGKILL " Greg KH
2010-10-22 18:52 ` [103/103] mm: Move vma_stack_continue into mm.h Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20101022185228.029323489@clark.site \
--to=gregkh@suse.de \
--cc=akpm@linux-foundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=jkosina@suse.cz \
--cc=linux-kernel@vger.kernel.org \
--cc=stable-review@kernel.org \
--cc=stable@kernel.org \
--cc=stern@rowland.harvard.edu \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox