From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Johan Hovold <johan@kernel.org>
Subject: [PATCH 4.4 20/48] USB: serial: ch341: fix control-message error handling
Date: Wed, 18 Jan 2017 11:46:29 +0100 [thread overview]
Message-ID: <20170118104626.373137701@linuxfoundation.org> (raw)
In-Reply-To: <20170118104625.550018627@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 2d5a9c72d0c4ac73cf97f4b7814ed6c44b1e49ae upstream.
A short control transfer would currently fail to be detected, something
which could lead to stale buffer data being used as valid input.
Check for short transfers, and make sure to log any transfer errors.
Note that this also avoids leaking heap data to user space (TIOCMGET)
and the remote device (break control).
Fixes: 6ce76104781a ("USB: Driver for CH341 USB-serial adaptor")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/serial/ch341.c | 32 +++++++++++++++++++++-----------
1 file changed, 21 insertions(+), 11 deletions(-)
--- a/drivers/usb/serial/ch341.c
+++ b/drivers/usb/serial/ch341.c
@@ -99,6 +99,8 @@ static int ch341_control_out(struct usb_
r = usb_control_msg(dev, usb_sndctrlpipe(dev, 0), request,
USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT,
value, index, NULL, 0, DEFAULT_TIMEOUT);
+ if (r < 0)
+ dev_err(&dev->dev, "failed to send control message: %d\n", r);
return r;
}
@@ -116,7 +118,20 @@ static int ch341_control_in(struct usb_d
r = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0), request,
USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_IN,
value, index, buf, bufsize, DEFAULT_TIMEOUT);
- return r;
+ if (r < bufsize) {
+ if (r >= 0) {
+ dev_err(&dev->dev,
+ "short control message received (%d < %u)\n",
+ r, bufsize);
+ r = -EIO;
+ }
+
+ dev_err(&dev->dev, "failed to receive control message: %d\n",
+ r);
+ return r;
+ }
+
+ return 0;
}
static int ch341_set_baudrate(struct usb_device *dev,
@@ -158,9 +173,9 @@ static int ch341_set_handshake(struct us
static int ch341_get_status(struct usb_device *dev, struct ch341_private *priv)
{
+ const unsigned int size = 2;
char *buffer;
int r;
- const unsigned size = 8;
unsigned long flags;
buffer = kmalloc(size, GFP_KERNEL);
@@ -171,14 +186,9 @@ static int ch341_get_status(struct usb_d
if (r < 0)
goto out;
- /* setup the private status if available */
- if (r == 2) {
- r = 0;
- spin_lock_irqsave(&priv->lock, flags);
- priv->line_status = (~(*buffer)) & CH341_BITS_MODEM_STAT;
- spin_unlock_irqrestore(&priv->lock, flags);
- } else
- r = -EPROTO;
+ spin_lock_irqsave(&priv->lock, flags);
+ priv->line_status = (~(*buffer)) & CH341_BITS_MODEM_STAT;
+ spin_unlock_irqrestore(&priv->lock, flags);
out: kfree(buffer);
return r;
@@ -188,9 +198,9 @@ out: kfree(buffer);
static int ch341_configure(struct usb_device *dev, struct ch341_private *priv)
{
+ const unsigned int size = 2;
char *buffer;
int r;
- const unsigned size = 8;
buffer = kmalloc(size, GFP_KERNEL);
if (!buffer)
next prev parent reply other threads:[~2017-01-18 10:50 UTC|newest]
Thread overview: 47+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CGME20170118104957epcas3p3c8bb456f6ed6bf7171f9b645196aafc7@epcas3p3.samsung.com>
2017-01-18 10:46 ` [PATCH 4.4 00/48] 4.4.44-stable review Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.4 01/48] Input: xpad - use correct product id for x360w controllers Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.4 02/48] Input: i8042 - add Pegatron touchpad to noloop table Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.4 03/48] selftests: do not require bash to run netsocktests testcase Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.4 04/48] selftests: do not require bash for the generated test Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.4 05/48] mm: fix devm_memremap_pages crash, use mem_hotplug_{begin, done} Greg Kroah-Hartman
2017-02-09 15:26 ` Ben Hutchings
2017-02-10 5:00 ` Dan Williams
2017-01-18 10:46 ` [PATCH 4.4 06/48] ocfs2: fix crash caused by stale lvb with fsdlm plugin Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.4 07/48] mm/hugetlb.c: fix reservation race when freeing surplus pages Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.4 08/48] KVM: x86: fix emulation of "MOV SS, null selector" Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.4 10/48] jump_labels: API for flushing deferred jump label updates Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.4 11/48] KVM: x86: flush pending lapic jump label updates on module unload Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.4 15/48] KVM: x86: Introduce segmented_write_std Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.4 16/48] nl80211: fix sched scan netlink socket owner destruction Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.4 17/48] USB: serial: kl5kusb105: fix line-state error handling Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.4 18/48] USB: serial: ch341: fix initial modem-control state Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.4 19/48] USB: serial: ch341: fix open error handling Greg Kroah-Hartman
2017-01-18 10:46 ` Greg Kroah-Hartman [this message]
2017-01-18 10:46 ` [PATCH 4.4 21/48] USB: serial: ch341: fix open and resume after B0 Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.4 22/48] Input: elants_i2c - avoid divide by 0 errors on bad touchscreen data Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.4 23/48] i2c: print correct device invalid address Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.4 24/48] i2c: fix kernel memory disclosure in dev interface Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.4 25/48] xhci: fix deadlock at host remove by running watchdog correctly Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.4 27/48] mnt: Protect the mountpoint hashtable with mount_lock Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.4 28/48] tty/serial: atmel_serial: BUG: stop DMA from transmitting in stop_tx Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.4 29/48] sysrq: attach sysrq handler correctly for 32-bit kernel Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.4 30/48] sysctl: Drop reference added by grab_header in proc_sys_readdir Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.4 31/48] drm/radeon: drop verde dpm quirks Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.4 32/48] USB: serial: ch341: fix resume after reset Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.4 33/48] USB: serial: ch341: fix modem-control and B0 handling Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.4 34/48] x86/cpu: Fix bootup crashes by sanitizing the argument of the clearcpuid= command-line option Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.4 35/48] btrfs: fix locking when we put back a delayed ref thats too new Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.4 36/48] btrfs: fix error handling when run_delayed_extent_op fails Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.4 37/48] pinctrl: meson: fix gpio request disabling other modes Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.4 38/48] pNFS: Fix race in pnfs_wait_on_layoutreturn Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.4 39/48] NFS: Fix a performance regression in readdir Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.4 40/48] NFSv4.1: nfs4_fl_prepare_ds must be careful about reporting success Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.4 41/48] cpufreq: powernv: Disable preemption while checking CPU throttling state Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.4 42/48] block: cfq_cpd_alloc() should use @gfp Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.4 43/48] ACPI / APEI: Fix NMI notification handling Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.4 44/48] blk-mq: Always schedule hctx->next_cpu Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.4 45/48] bus: vexpress-config: fix device reference leak Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.4 46/48] powerpc/ibmebus: Fix further device reference leaks Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.4 47/48] powerpc/ibmebus: Fix device reference leaks in sysfs interface Greg Kroah-Hartman
2017-01-18 18:45 ` [PATCH 4.4 00/48] 4.4.44-stable review Guenter Roeck
2017-01-19 18:02 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170118104626.373137701@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=johan@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).