Add missing sanity check to the bulk-in completion handler to avoid an
integer underflow that can be triggered by a malicious device.
This avoids leaking 128 kB of memory content from after the URB transfer
buffer to user space.
Fixes: 8c209e6782 ("USB: make actual_length in struct urb field u32")
Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Cc: stable <stable@vger.kernel.org> # 2.6.30
Signed-off-by: Johan Hovold <johan@kernel.org>
Fix a NULL-pointer dereference in the interrupt callback should a
malicious device send data containing a bad port number by adding the
missing sanity check.
Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Do not report ASYNC_SKIP_TEST or ASYNC_AUTO_IRQ as being set in
TIOCGSERIAL handlers as these flags are not supported and do not really
make any sense for USB serial devices in the first place.
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Bind to the interface, but do not register any ports, after having
downloaded the firmware. The device will still disconnect and
re-enumerate, but this way we avoid an error messages from being logged
as part of the process:
io_ti: probe of 1-1.3:1.0 failed with error -5
Signed-off-by: Johan Hovold <johan@kernel.org>
Cancel the heartbeat work on driver unbind in order to avoid I/O after
disconnect in case the port is held open.
Note that the cancel in release() is still needed to stop the heartbeat
after late probe errors.
Fixes: 26c78daade ("USB: io_ti: Add heartbeat to keep idle EP/416
ports from disconnecting")
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
In case a device is left in "boot-mode" we must not register any port
devices in order to avoid a NULL-pointer dereference on open due to
missing endpoints. This could be used by a malicious device to trigger
an OOPS:
Unable to handle kernel NULL pointer dereference at virtual address 00000030
...
[<bf0caa84>] (edge_open [io_ti]) from [<bf0b0118>] (serial_port_activate+0x68/0x98 [usbserial])
[<bf0b0118>] (serial_port_activate [usbserial]) from [<c0470ca4>] (tty_port_open+0x9c/0xe8)
[<c0470ca4>] (tty_port_open) from [<bf0b0da0>] (serial_open+0x48/0x6c [usbserial])
[<bf0b0da0>] (serial_open [usbserial]) from [<c0469178>] (tty_open+0xcc/0x5cc)
Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Fix NULL-pointer dereference when clearing halt at open should a
malicious device lack the expected endpoints when in download mode.
Unable to handle kernel NULL pointer dereference at virtual address 00000030
...
[<bf011ed8>] (edge_open [io_ti]) from [<bf000118>] (serial_port_activate+0x68/0x98 [usbserial])
[<bf000118>] (serial_port_activate [usbserial]) from [<c0470ca4>] (tty_port_open+0x9c/0xe8)
[<c0470ca4>] (tty_port_open) from [<bf000da0>] (serial_open+0x48/0x6c [usbserial])
[<bf000da0>] (serial_open [usbserial]) from [<c0469178>] (tty_open+0xcc/0x5cc)
Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Drop invalid user-pointer checks from ioctl handlers.
A NULL-pointer can be valid in user space and copy_to_user() takes care
of sanity checking.
Signed-off-by: Johan Hovold <johan@kernel.org>
Remove extra blank lines in the several places where functions were
separated by more than one.
Signed-off-by: Peter E. Berger <pberger@brimson.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Fix non-standard formatting in some of the comments.
Signed-off-by: Peter E. Berger <pberger@brimson.com>
[johan: minor fixes ]
Signed-off-by: Johan Hovold <johan@kernel.org>
Move request_firmware from edge_startup to download_fw.
Signed-off-by: Peter E. Berger <pberger@brimson.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Separate the download and boot mode code from download_fw() into two new
helper functions: do_download_mode() and do_boot_mode().
Signed-off-by: Peter E. Berger <pberger@brimson.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Use serial->interface instead of serial->dev for messages in download_fw().
Signed-off-by: Peter E. Berger <pberger@brimson.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Remove unused "dev" parameter from build_i2c_fw_hdr() and its caller.
Signed-off-by: Peter E. Berger <pberger@brimson.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
When using Edgeport/416 models with newer firmware (sometime after
firmware version 4.80.0), idle ports are automatically bounced
(disconnected and then reconnected) approximately every 60 seconds.
This breaks programs (e.g: minicom) where idle periods are common,
normal and expected.
I confirmed with the manufacturer (Digi International) that Edgeport/416
models now ship from the factory with firmware that expects periodic
"heartbeat" queries from the driver to keep idle ports alive. This
patch implements heartbeat support using the mechanism Digi suggested
(periodically requesting an I2C descriptor address) that appears effective
on Edgeports running the newer firmware (that require it) and benign on
Edgeport devices running older firmware. Since we know that Edgeport
firmware version 4.80 (the version distributed in /lib/firmware/down3.bin
and used for Edgeports that are either running still older versions or
have no onboard non-volatile firmware image) does not require heartbeat
support, this patch schedules heartbeats only on Edgeport/416 devices,
and only if they are running firmware versions newer than 4.80.
Signed-off-by: Peter E. Berger <pberger@brimson.com>
[johan: minor style changes ]
Signed-off-by: Johan Hovold <johan@kernel.org>
Do what we can to verify that the driver's firmware image is valid
(before attempting to download it to the Edgeport) by adding a new
function, check_fw_sanity(), and a call to it in in download_fw().
Note: It looks like some Edgeports (models like the EP/416 with on-board
E2PROM) may be able to function even if the on-disk firmware image is
bad or missing, iff their local E2PROM versions are valid. But most
Edgeport models (I've tried EP/1 and EP/8) do not appear to have this
capability and they always rely on the on-disk firmware image.
I tested an implementation that calls the new check_fw_sanity()
function at the top of download_fw() and, rather than simply returning
an error if the firmware image is bad or missing, it saves the result
and defers the decision until later when it may find that it is running
on a E2PROM-equipped device with a valid image. But I think this is
messier than it is worth (adding still more messiness to the already
very messy download_fw()) for such a marginal possible benefit. So, at
least for now, I have chosen the much simpler approach of returning an
error whenever edge_startup() fails to load an on-disk firmware image, or
check_fw_sanity() indicates that it is unusable.
Signed-off-by: Peter E. Berger <pberger@brimson.com>
[johan: drop redundant checksum mask ]
Signed-off-by: Johan Hovold <johan@kernel.org>
The io_ti driver fails to download firmware to Edgeport
devices such as the EP/416, even when the on-disk firmware image
(/lib/firmware/edgeport/down3.bin) is more current than the version
on the EP/416. The current download code is broken in a few ways.
Notably it mis-uses global variables OperationalMajorVersion and
OperationalMinorVersion (reading their values before they've been
properly initialized and subsequently initializing them multiple times
without synchronization). This patch drops the global variables and
replaces the redundant calls to request_firmware()/release_firmware()
in download_fw() with a single call pair in edge_startup(); the firmware
image pointer is then passed to download_fw() and build_i2c_fw_hdr().
Signed-off-by: Peter E. Berger <pberger@brimson.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
The io_ti driver fails to download firmware to Edgeport devices such as
the EP/416 and EP/421 (devices with on-board E2PROM). One of the problems
is that the default 1 second timeout in ti_vsend_sync() is insufficient
for download operations. This patch increases the download timeout to
10 seconds.
Signed-off-by: Peter E. Berger <pberger@brimson.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
The tty core does not test tty->hw_stopped; remove from drivers
which don't test it themselves.
Acked-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
A recent patch that purported to fix firmware download on big-endian
machines failed to add the corresponding sparse annotation to the
i2c-header. This was reported by the kbuild test robot.
Adding the appropriate annotation revealed another endianess bug related
to the i2c-header Size-field in a code path that is exercised when the
firmware is actually being downloaded (and not just verified and left
untouched unless older than the firmware at hand).
This patch adds the required sparse annotation to the i2c-header and
makes sure that the Size-field is sent in little-endian byte order
during firmware download also on big-endian machines.
Note that this patch is only compile-tested, but that there is no
functional change for little-endian systems.
Reported-by: kbuild test robot <fengguang.wu@intel.com>
Cc: Ludovic Drolez <ldrolez@debian.org>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
During firmware download the device expects memory addresses in
big-endian byte order. As the wIndex parameter which hold the address is
sent in little-endian byte order regardless of host byte order, we need
to use swab16 rather than cpu_to_be16.
Also make sure to handle the struct ti_i2c_desc size parameter which is
returned in little-endian byte order.
Reported-by: Ludovic Drolez <ldrolez@debian.org>
Tested-by: Ludovic Drolez <ldrolez@debian.org>
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
None of these files are actually using any __init type directives
and hence don't need to include <linux/init.h>. Most are just a
left over from __devinit and __cpuinit removal, or simply due to
code getting copied from one driver to the next.
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Remove redundant error messages on allocation failures, which have
already been logged.
Cc: Joe Perches <joe@perches.com>
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Remove redundant ioctl debugging from subdrivers. The ioctl request code
has already been logged by usb-serial core.
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Clean up the DEVICE_ATTR usage in the USB serial drivers, making them
more obvious as to the permissions that the sysfs files should be.
Note: ftdi_sio.c still has a DEVICE_ATTR() used, that will have to wait
until after 3.12-rc1 comes out when DEVICE_ATTR_WO() shows up in Linus's
tree.
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Move port initialisation code from open to probe where it belongs.
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Kill private write fifo and use the already allocated port write fifo
instead.
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
The port drain delay is constant and should be set at port probe rather
than open.
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This moves the allocation of minor device numbers from a static array to
be dynamic, using the idr interface. This means that you could
potentially get "gaps" in a minor number range for a single USB serial
device with multiple ports, but all should still work properly.
We remove the 'minor' field from the usb_serial structure, as it no
longer makes any sense for it (use the field in the usb_serial_port
structure if you really want to know this number), and take the fact
that we were overloading a number in this field to determine if we had
initialized the minor numbers or not, and just use a flag variable
instead.
Note, we still have the limitation of 255 USB to serial devices in the
system, as that is all we are registering with the TTY layer at this
point in time.
Tested-by: Tobias Winter <tobias@linuxdingsda.de>
Reviewed-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
The usb_serial_port structure had the number field, which was the minor
number for the port, which almost no one really cared about. They
really wanted the number of the port within the device, which you had to
subtract from the minor of the parent usb_serial_device structure. To
clean this up, provide the real minor number of the port, and the number
of the port within the serial device separately, as these numbers might
not be related in the future.
Bonus is that this cleans up a lot of logic in the drivers, and saves
lines overall.
Tested-by: Tobias Winter <tobias@linuxdingsda.de>
Reviewed-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
--
drivers/staging/serqt_usb2/serqt_usb2.c | 21 +++--------
drivers/usb/serial/ark3116.c | 2 -
drivers/usb/serial/bus.c | 6 +--
drivers/usb/serial/console.c | 2 -
drivers/usb/serial/cp210x.c | 2 -
drivers/usb/serial/cypress_m8.c | 4 +-
drivers/usb/serial/digi_acceleport.c | 6 ---
drivers/usb/serial/f81232.c | 5 +-
drivers/usb/serial/garmin_gps.c | 6 +--
drivers/usb/serial/io_edgeport.c | 58 ++++++++++++--------------------
drivers/usb/serial/io_ti.c | 21 ++++-------
drivers/usb/serial/keyspan.c | 29 +++++++---------
drivers/usb/serial/metro-usb.c | 4 +-
drivers/usb/serial/mos7720.c | 37 +++++++++-----------
drivers/usb/serial/mos7840.c | 52 +++++++++-------------------
drivers/usb/serial/opticon.c | 2 -
drivers/usb/serial/pl2303.c | 2 -
drivers/usb/serial/quatech2.c | 7 +--
drivers/usb/serial/sierra.c | 2 -
drivers/usb/serial/ti_usb_3410_5052.c | 10 ++---
drivers/usb/serial/usb-serial.c | 7 ++-
drivers/usb/serial/usb_wwan.c | 2 -
drivers/usb/serial/whiteheat.c | 20 +++++------
include/linux/usb/serial.h | 6 ++-
24 files changed, 133 insertions(+), 180 deletions(-)
Use the new generic usb-serial wait_until_sent implementation to wait
for hardware buffers to drain.
This removes the need to check the hardware buffers in chars_in_buffer
and thus removes the overhead introduced by commit 263e1f9f ("USB:
io_ti: query hardware-buffer status in chars_in_buffer") without
breaking tty_wait_until_sent (used by, for example, tcdrain, tcsendbreak
and close).
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Remove redundant wait_until_sent, which has already been handled by the
tty-layer, from break_ctl.
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Fix regression introduced by commit f40d78155 ("USB: io_ti: kill custom
closing_wait implementation") which made TIOCGSERIAL return the wrong
value for closing_wait.
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Cc: stable <stable@vger.kernel.org> # 3.9
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
tty_port_tty_get might return a tty which is NULL. But it is
dereferenced unconditionally in edge_send. Stop dereferencing that by
sending usb_serial_port pointer around.
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Cc: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Always try to disable the uart on close.
Since the switch to tty ports, close will be called as part of shutdown
before disconnect returns. Hence there is no need to check the
disconnected flag, and we can put devices in disabled states also on
driver unbind.
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Switch to the generic TIOCMIWAIT implementation which does not suffer
from the races involved when using the deprecated sleep_on functions.
This also fixes the issue with processes waiting for
modem-status-changes not being woken up at disconnect.
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Switch to the generic get_icount implementation.
Note that the interrupt counters will no longer be reset at open which
is in accordance with which how the other drivers work.
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Use the port wait queue and make sure to check the serial disconnected
flag before accessing private port data after waking up.
This is is needed as the private port data (including the wait queue
itself) can be gone when waking up after a disconnect.
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Add missing get_icount field to two-port driver.
The two-port driver was not updated when switching to the new icount
interface in commit 0bca1b913a ("tty: Convert the USB drivers to the
new icount interface").
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Here's the big tty/serial driver patches for 3.9-rc1.
More tty port rework and fixes from Jiri here, as well as lots of
individual serial driver updates and fixes.
All of these have been in the linux-next tree for a while.
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)
iEYEABECAAYFAlEmZYQACgkQMUfUDdst+ylJDgCg0B0nMevUUdM4hLvxunbbiyXM
HUEAoIOedqriNNPvX4Bwy0hjeOEaWx0g
=vi6x
-----END PGP SIGNATURE-----
Merge tag 'tty-3.9-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty
Pull tty/serial patches from Greg Kroah-Hartman:
"Here's the big tty/serial driver patches for 3.9-rc1.
More tty port rework and fixes from Jiri here, as well as lots of
individual serial driver updates and fixes.
All of these have been in the linux-next tree for a while."
* tag 'tty-3.9-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty: (140 commits)
tty: mxser: improve error handling in mxser_probe() and mxser_module_init()
serial: imx: fix uninitialized variable warning
serial: tegra: assume CONFIG_OF
TTY: do not update atime/mtime on read/write
lguest: select CONFIG_TTY to build properly.
ARM defconfigs: add missing inclusions of linux/platform_device.h
fb/exynos: include platform_device.h
ARM: sa1100/assabet: include platform_device.h directly
serial: imx: Fix recursive locking bug
pps: Fix build breakage from decoupling pps from tty
tty: Remove ancient hardpps()
pps: Additional cleanups in uart_handle_dcd_change
pps: Move timestamp read into PPS code proper
pps: Don't crash the machine when exiting will do
pps: Fix a use-after free bug when unregistering a source.
pps: Use pps_lookup_dev to reduce ldisc coupling
pps: Add pps_lookup_dev() function
tty: serial: uartlite: Support uartlite on big and little endian systems
tty: serial: uartlite: Fix sparse and checkpatch warnings
serial/arc-uart: Miscll DT related updates (Grant's review comments)
...
Fix up trivial conflicts, mostly just due to the TTY config option
clashing with the EXPERIMENTAL removal.
Kill custom closing_wait implementation and let the tty layer handle it
instead.
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Query hardware-buffer status in chars_in_buffer should the write fifo be
empty.
This is needed to make the tty layer wait for hardware buffers to drain
on close.
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Use tty-port drain delay rather than custom implementation in
chase_port.
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Move write-fifo flushing from chase_port to close where it belongs.
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Now, we start converting tty buffer functions to actually use
tty_port. This will allow us to get rid of the need of tty in many
call sites. Only tty_port will needed and hence no more
tty_port_tty_get in those paths.
Now, the one where most of tty_port_tty_get gets removed:
tty_flip_buffer_push.
IOW we also closed all the races in drivers not using tty_port_tty_get
at all yet.
Also we move tty_flip_buffer_push declaration from include/linux/tty.h
to include/linux/tty_flip.h to all others while we are changing it
anyway.
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Now, we start converting tty buffer functions to actually use
tty_port. This will allow us to get rid of the need of tty in many
call sites. Only tty_port will needed and hence no more
tty_port_tty_get in those paths.
tty_insert_flip_string this time.
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Remove all MODULE_VERSION macros and driver-version information (except
for garmin_gps which uses it in a status reply).
It is the kernel version that matters and not some private version
scheme which rarely even gets updated.
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Make sure port data is initialised before creating sysfs attributes to
avoid a race.
A recent patch ("USB: io_ti: fix port-data memory leak") got the
sysfs-attribute creation and port-data initialisation ordering wrong.
Cc: <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>