From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: stable-review@kernel.org, torvalds@linux-foundation.org,
akpm@linux-foundation.org, alan@lxorguk.ukuu.org.uk,
Roger Quadros <roger.quadros@nokia.com>,
David Brownell <dbrownell@users.sourceforge.net>,
Michal Nazarewicz <m.nazarewicz@samsung.com>,
Robert Lukassen <robert.lukassen@tomtom.com>,
Kyungmin Park <kyungmin.park@samsung.com>
Subject: [32/66] usb gadget: composite: prevent OOPS for non-standard control request
Date: Fri, 19 Nov 2010 14:01:03 -0800 [thread overview]
Message-ID: <20101119220124.797303880@clark.site> (raw)
In-Reply-To: <20101119220309.GA15562@kroah.com>
2.6.36-stable review patch. If anyone has any objections, please let us know.
------------------
From: Roger Quadros <roger.quadros@nokia.com>
commit 5c836e4d583701a5eecb288b5f131da39115f5ec upstream.
The composite gadget will OOPS if the host sends a control request
targetted to an interface of an un-configured composite device. This patch
prevents this.
The OOPS was observed during WHQL USB CV tests. With this patch, the device
STALLs as per requirement.
Failing test case: From host do the following. I used libusb-1.0
1) Set configuration to zero.
libusb_control_transfer(device_handle,
0, /* standard OUT */
0x9, /* setConfiguration */
0, 0, NULL, 0, 0);
2) Query current configuratioan.
libusb_control_transfer(device_handle,
0x80, /* standard IN*/
0x8, /* getConfiguration */
0, 0, data, 1, 0);
3) Send the non-standard ctrl transfer targetted to interface
libusb_control_transfer(device_handle,
0x81, /* standard IN to interface*/
0x6, /* getDescriptor */
0x2300, 0, data, 0x12, 0);
Signed-off-by: Roger Quadros <roger.quadros@nokia.com>
Cc: David Brownell <dbrownell@users.sourceforge.net>
Cc: Michal Nazarewicz <m.nazarewicz@samsung.com>
Cc: Robert Lukassen <robert.lukassen@tomtom.com>
Cc: Kyungmin Park <kyungmin.park@samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
drivers/usb/gadget/composite.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/usb/gadget/composite.c
+++ b/drivers/usb/gadget/composite.c
@@ -901,7 +901,8 @@ unknown:
*/
switch (ctrl->bRequestType & USB_RECIP_MASK) {
case USB_RECIP_INTERFACE:
- f = cdev->config->interface[intf];
+ if (cdev->config)
+ f = cdev->config->interface[intf];
break;
case USB_RECIP_ENDPOINT:
next prev parent reply other threads:[~2010-11-19 22:13 UTC|newest]
Thread overview: 75+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-11-19 22:03 [00/66] 2.6.36.1-stable review Greg KH
2010-11-19 22:00 ` [01/66] staging: usbip: Notify usb core of port status changes Greg KH
2010-11-19 22:00 ` [02/66] staging: usbip: Process event flags without delay Greg KH
2010-11-19 22:00 ` [03/66] Staging: phison: fix problem caused by libata change Greg KH
2010-11-19 22:00 ` [04/66] perf_events: Fix bogus AMD64 generic TLB events Greg KH
2010-11-19 22:00 ` [05/66] perf_events: Fix bogus context time tracking Greg KH
2010-11-19 22:00 ` [06/66] powerpc/perf: Fix sampling enable for PPC970 Greg KH
2010-11-19 22:00 ` [07/66] pcmcia: synclink_cs: fix information leak to userland Greg KH
2010-11-19 22:00 ` [08/66] sched: Drop all load weight manipulation for RT tasks Greg KH
2010-11-19 22:00 ` [09/66] sched: Fix string comparison in /proc/sched_features Greg KH
2010-11-19 22:00 ` [10/66] bluetooth: Fix missing NULL check Greg KH
2010-11-19 22:00 ` [11/66] Bluetooth: fix oops in l2cap_connect_req Greg KH
2010-11-19 22:00 ` [12/66] futex: Fix errors in nested key ref-counting Greg KH
2010-11-19 22:00 ` [13/66] cifs: fix broken oplock handling Greg KH
2010-11-19 22:00 ` [14/66] libahci: fix result_tf handling after an ATA PIO data-in command Greg KH
2010-11-19 22:00 ` [15/66] intel_idle: do not use the LAPIC timer for ATOM C2 Greg KH
2010-11-19 22:00 ` [16/66] mm, x86: Saving vmcore with non-lazy freeing of vmas Greg KH
2010-11-19 22:00 ` [17/66] x86, cpu: Fix renamed, not-yet-shipping AMD CPUID feature bit Greg KH
2010-11-19 22:00 ` [18/66] x86, mrst: A function in a header file needs to be marked "inline" Greg KH
2010-11-19 22:00 ` [19/66] x86, kexec: Make sure to stop all CPUs before exiting the kernel Greg KH
2010-11-19 22:00 ` [20/66] x86, olpc: Dont retry EC commands forever Greg KH
2010-11-19 22:00 ` [21/66] x86, mtrr: Assume SYS_CFG[Tom2ForceMemTypeWB] exists on all future AMD CPUs Greg KH
2010-11-19 22:00 ` [22/66] x86, intr-remap: Set redirection hint in the IRTE Greg KH
2010-11-19 22:00 ` [23/66] x86, kdump: Change copy_oldmem_page() to use cached addressing Greg KH
2010-11-19 22:00 ` [24/66] x86, vm86: Fix preemption bug for int1 debug and int3 breakpoint handlers Greg KH
2010-11-19 22:00 ` [25/66] KVM: X86: Report SVM bit to userspace only when supported Greg KH
2010-11-19 22:00 ` [26/66] KVM: SVM: Restore correct registers after sel_cr0 intercept emulation Greg KH
2010-11-19 22:00 ` [27/66] USB: mct_u232: fix broken close Greg KH
2010-11-19 22:00 ` [28/66] pipe: fix failure to return error code on ->confirm() Greg KH
2010-11-19 22:01 ` [29/66] p54usb: fix off-by-one on !CONFIG_PM Greg KH
2010-11-19 22:01 ` [30/66] p54usb: add five more USBIDs Greg KH
2010-11-19 22:01 ` [31/66] drivers/net/wireless/p54/eeprom.c: Return -ENOMEM on memory allocation failure Greg KH
2010-11-19 22:01 ` Greg KH [this message]
2010-11-19 22:01 ` [33/66] USB: gadget: g_ffs: fixed vendor and product ID Greg KH
2010-11-19 22:01 ` [34/66] USB: gadget: g_multi: " Greg KH
2010-11-19 22:01 ` [35/66] USB: ftdi_sio: Add PID for accesio products Greg KH
2010-11-19 22:01 ` [36/66] USB: ftdi_sio: revert "USB: ftdi_sio: fix DTR/RTS line modes" Greg KH
2010-11-19 22:01 ` [37/66] USB: add PID for FTDI based OpenDCC hardware Greg KH
2010-11-19 22:01 ` [38/66] USB: ftdi_sio: new VID/PIDs for various Papouch devices Greg KH
2010-11-19 22:01 ` [39/66] USB: ftdi_sio: add device ids for ScienceScope Greg KH
2010-11-19 22:01 ` [40/66] USB: MUSB: fix kernel WARNING/oops when unloading module in OTG mode Greg KH
2010-11-19 22:01 ` [41/66] usb: musb: blackfin: call usb_nop_xceiv_unregister() in musb_platform_exit() Greg KH
2010-11-19 22:01 ` [42/66] usb: musb: blackfin: call gpio_free() on error path in musb_platform_init() Greg KH
2010-11-19 22:01 ` [43/66] USB: Change acm_iad_descriptor bFunctionProtocol to USB_CDC_ACM_PROTO_AT_V25TER Greg KH
2010-11-19 22:01 ` [44/66] USB: option: Add more ZTE modem USB ids Greg KH
2010-11-19 22:01 ` [45/66] USB: cp210x: Add Renesas RX-Stick device ID Greg KH
2010-11-19 22:01 ` [46/66] USB: cp210x: Add WAGO 750-923 Service Cable " Greg KH
2010-11-19 22:01 ` [47/66] USB: atmel_usba_udc: force vbus_pin at -EINVAL when gpio_request failled Greg KH
2010-11-19 22:01 ` [48/66] USB: disable endpoints after unbinding interfaces, not before Greg KH
2010-11-19 22:01 ` [49/66] USB: visor: fix initialisation of UX50/TH55 devices Greg KH
2010-11-19 22:01 ` [50/66] USB: opticon: Fix long-standing bugs in opticon driver Greg KH
2010-11-19 22:01 ` [51/66] usb: r8a66597-hcd: Change mistake of the outsw function Greg KH
2010-11-19 22:01 ` [52/66] USB: accept some invalid ep0-maxpacket values Greg KH
2010-11-19 22:01 ` [53/66] OHCI: work around for nVidia shutdown problem Greg KH
2010-11-19 22:01 ` [54/66] asus-laptop: fix gps rfkill Greg KH
2010-11-19 22:01 ` [55/66] [SCSI] sd name space exhaustion causes system hang Greg KH
2010-11-19 22:01 ` [56/66] [SCSI] libsas: fix NCQ mixing with non-NCQ Greg KH
2010-11-19 22:01 ` [57/66] [SCSI] qla4xxx: fix build on PPC Greg KH
2010-11-19 22:01 ` [58/66] [SCSI] pmcraid: remove duplicate struct member Greg KH
2010-11-19 22:01 ` [59/66] [SCSI] gdth: integer overflow in ioctl Greg KH
2010-11-19 22:01 ` [60/66] [SCSI] Fix race when removing SCSI devices Greg KH
2010-11-19 22:01 ` [61/66] [SCSI] Fix regressions in scsi_internal_device_block Greg KH
2010-11-19 22:01 ` [62/66] Fixed Regression in NFS Direct I/O path Greg KH
2010-11-19 22:01 ` [63/66] secmark: do not return early if there was no error Greg KH
2010-11-19 22:01 ` [64/66] kgdb,arm: fix register dump Greg KH
2010-11-19 22:01 ` [65/66] ARM: cns3xxx: Fixup the missing second parameter to addruart macro to allow them to build Greg KH
2010-11-19 22:01 ` [66/66] sgi-xp: incoming XPC channel messages can come in after the channels partition structures have been torn down Greg KH
2010-11-19 22:18 ` [Stable-review] [00/66] 2.6.36.1-stable review Nikola Ciprich
2010-11-20 0:08 ` Greg KH
2010-11-22 8:33 ` Nikola Ciprich
2010-11-20 14:24 ` Andy Lutomirski
2010-11-20 15:52 ` Greg KH
2010-11-20 15:56 ` Thomas Meyer
2010-11-20 15:50 ` Greg KH
2010-12-07 20:18 ` [stable] " Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20101119220124.797303880@clark.site \
--to=gregkh@suse.de \
--cc=akpm@linux-foundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=dbrownell@users.sourceforge.net \
--cc=kyungmin.park@samsung.com \
--cc=linux-kernel@vger.kernel.org \
--cc=m.nazarewicz@samsung.com \
--cc=robert.lukassen@tomtom.com \
--cc=roger.quadros@nokia.com \
--cc=stable-review@kernel.org \
--cc=stable@kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox