Linux kernel source tree https://git.amat.us/linux/atom/drivers/usb/class?h=v3.2.18 2012-05-11T12:14:41Z 2012-05-11T12:14:41Z Oliver Neukum oliver@neukum.org 2012-04-26T19:59:10Z urn:sha1:670515c56290b7b7435f066e9bc0999fa1fc29b7 commit 5c22837adca7c30b66121cf18ad3e160134268d4 upstream. This patch fixes a race whereby a pointer to a buffer would be overwritten while the buffer was in use leading to a double free and a memory leak. This causes crashes. This bug was introduced in 2.6.34 Signed-off-by: Oliver Neukum <oneukum@suse.de> Tested-by: Bjørn Mork <bjorn@mork.no> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Ben Hutchings <ben@decadent.org.uk> 2012-04-02T16:52:31Z Ben Hutchings ben@decadent.org.uk 2012-02-12T06:02:43Z urn:sha1:3d8e1c65555c758475a005c287f1c4b69296b226 commit b7a205545345578712611106b371538992e142ff upstream. The WDM_READ flag is cleared later iff desc->length is reduced to 0. Signed-off-by: Ben Hutchings <ben@decadent.org.uk> Tested-by: Bjørn Mork <bjorn@mork.no> Cc: Oliver Neukum <oliver@neukum.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2012-04-02T16:52:31Z Ben Hutchings ben@decadent.org.uk 2012-02-12T06:00:41Z urn:sha1:8d272f9af55e8900fc96886bd72b158482ed55d0 commit 711c68b3c0f7a924ffbee4aa962d8f62b85188ff upstream. We must not allow the input buffer length to change while we're shuffling the buffer contents. We also mustn't clear the WDM_READ flag after more data might have arrived. Therefore move both of these into the spinlocked region at the bottom of wdm_read(). When reading desc->length without holding the iuspin lock, use ACCESS_ONCE() to ensure the compiler doesn't re-read it with inconsistent results. Signed-off-by: Ben Hutchings <ben@decadent.org.uk> Tested-by: Bjørn Mork <bjorn@mork.no> Cc: Oliver Neukum <oliver@neukum.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2012-02-03T17:22:17Z Bjørn Mork bjorn@mork.no 2012-01-20T00:49:57Z urn:sha1:1cbb2489441fe3dbb28dc4920f3494898b3d09df commit 15699e6fafc3a90e5fdc2ef30555a04dee62286f upstream. The probe does not strictly require the USB_CDC_DMM_TYPE descriptor, which is a good thing as it makes the driver usable on non-conforming interfaces. A user could e.g. bind to it to a CDC ECM interface by using the new_id and bind sysfs files. But this would fail with a 0 buffer length due to the missing descriptor. Fix by defining a reasonable fallback size: The minimum device receive buffer size required by the CDC WMC standard, revision 1.1 Signed-off-by: Bjørn Mork <bjorn@mork.no> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2012-02-03T17:22:17Z Bjørn Mork bjorn@mork.no 2012-01-16T14:11:59Z urn:sha1:7a55df4694e1758a7a1c3b1432e36fca0c859d6a commit 655e247daf52b202a6c2d0f8a06dd2051e756ce4 upstream. As it turns out, there was a mismatch between the allocated inbuf size (desc->bMaxPacketSize0, typically something like 64) and the length we specified in the URB (desc->wMaxCommand, typically something like 2048) Signed-off-by: Bjørn Mork <bjorn@mork.no> Cc: Oliver Neukum <oliver@neukum.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2012-02-03T17:22:16Z Bjørn Mork bjorn@mork.no 2012-01-16T14:11:57Z urn:sha1:4ac2b6d3cc5d685f8701a392bdea04a401333a11 commit 62aaf24dc125d7c55c93e313d15611f152b030c7 upstream. wdm_disconnect() waits for the mutex held by wdm_read() before calling wake_up_all(). This causes a deadlock, preventing device removal to complete. Do the wake_up_all() before we start waiting for the locks. Signed-off-by: Bjørn Mork <bjorn@mork.no> Cc: Oliver Neukum <oliver@neukum.org> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2012-02-03T17:22:02Z Bjørn Mork bjorn@mork.no 2012-01-16T11:41:48Z urn:sha1:d8e13a17cf397abfdef1d27fe70ad8aeff75ffdd commit e8537bd2c4f325a4796da33564ddcef9489b7feb upstream. using a separate read and write mutex for locking is sufficient to make the driver accept simultaneous read and write. This improves useability a lot. Signed-off-by: Bjørn Mork <bjorn@mork.no> Cc: Oliver Neukum <oneukum@suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2012-02-03T17:22:01Z Bjørn Mork bjorn@mork.no 2012-01-16T11:41:47Z urn:sha1:3f60c1956f3392760d3c969f19f41d4aa653f726 commit c428b70c1e115c5649707a602742e34130d19428 upstream. wdm_in_callback() will also touch this field, so we cannot change it without locking Signed-off-by: Bjørn Mork <bjorn@mork.no> Acked-by: Oliver Neukum <oneukum@suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2012-01-12T19:29:46Z Thilo-Alexander Ginkel thilo@ginkel.com 2011-12-17T09:55:10Z urn:sha1:f9fd8d6232137e255fc9409a81cf282817472b6f [Not upstream as it was fixed differently for 3.3 with a much more "intrusive" rework of the driver - gregkh] There is a race condition involving acm_tty_hangup() and acm_tty_close() where hangup() would attempt to access tty->driver_data without proper locking and NULL checking after close() has potentially already set it to NULL. One possibility to (sporadically) trigger this behavior is to perform a suspend/resume cycle with a running WWAN data connection. This patch addresses the issue by introducing a NULL check for tty->driver_data in acm_tty_hangup() protected by open_mutex and exiting gracefully when hangup() is invoked on a device that has already been closed. Signed-off-by: Thilo-Alexander Ginkel <thilo@ginkel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 2012-01-12T19:29:38Z Julia Lawall julia@diku.dk 2011-12-23T13:02:55Z urn:sha1:30234e2694cbc1d6985cafc87db5cd4848493196 commit e7c8e8605d0bafc705ff27f9da98a1668427cc0f upstream. On some failures, the country_code field of an acm structure is freed without freeing the acm structure itself. Elsewhere, operations including memcpy and kfree are performed on the country_code field. The patch sets the country_code field to NULL when it is freed, and likewise sets the country_code_size field to 0. Signed-off-by: Julia Lawall <julia@diku.dk> Acked-by: Oliver Neukum <oneukum@suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>