Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v5.10.257 2025-08-28T14:22:48+00:00 2025-08-28T14:22:48+00:00 Xinyu Liu katieeliu@tencent.com 2025-06-30T02:02:56+00:00 urn:sha1:5c3097ede7835d3caf6543eb70ff689af4550cd2 commit cf16f408364efd8a68f39011a3b073c83a03612d upstream. usb_parse_ss_endpoint_companion() checks descriptor type before length, enabling a potentially odd read outside of the buffer size. Fix this up by checking the size first before looking at any of the fields in the descriptor. Signed-off-by: Xinyu Liu <katieeliu@tencent.com> Cc: stable <stable@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2024-07-18T11:05:49+00:00 Alan Stern stern@rowland.harvard.edu 2024-06-27T19:56:18+00:00 urn:sha1:d09dd21bb5215d583ca9a1cb1464dbc77a7e88cf commit a368ecde8a5055b627749b09c6218ef793043e47 upstream. Syzbot has identified a bug in usbcore (see the Closes: tag below) caused by our assumption that the reserved bits in an endpoint descriptor's bEndpointAddress field will always be 0. As a result of the bug, the endpoint_is_duplicate() routine in config.c (and possibly other routines as well) may believe that two descriptors are for distinct endpoints, even though they have the same direction and endpoint number. This can lead to confusion, including the bug identified by syzbot (two descriptors with matching endpoint numbers and directions, where one was interrupt and the other was bulk). To fix the bug, we will clear the reserved bits in bEndpointAddress when we parse the descriptor. (Note that both the USB-2.0 and USB-3.1 specs say these bits are "Reserved, reset to zero".) This requires us to make a copy of the descriptor earlier in usb_parse_endpoint() and use the copy instead of the original when checking for duplicates. Signed-off-by: Alan Stern <stern@rowland.harvard.edu> Reported-and-tested-by: syzbot+8693a0bb9c10b554272a@syzkaller.appspotmail.com Closes: https://lore.kernel.org/linux-usb/0000000000003d868e061bc0f554@google.com/ Fixes: 0a8fd1346254 ("USB: fix problems with duplicate endpoint addresses") CC: Oliver Neukum <oneukum@suse.com> CC: stable@vger.kernel.org Link: https://lore.kernel.org/r/205a5edc-7fef-4159-b64a-80374b6b101a@rowland.harvard.edu Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2023-12-08T07:46:13+00:00 Niklas Neronin niklas.neronin@linux.intel.com 2023-11-15T12:13:25+00:00 urn:sha1:9ef94ec8e52eaf7b9abc5b5f8f5b911751112223 [ Upstream commit 974bba5c118f4c2baf00de0356e3e4f7928b4cbc ] The BOS descriptor defines a root descriptor and is the base descriptor for accessing a family of related descriptors. Function 'usb_get_bos_descriptor()' encounters an iteration issue when skipping the 'USB_DT_DEVICE_CAPABILITY' descriptor type. This results in the same descriptor being read repeatedly. To address this issue, a 'goto' statement is introduced to ensure that the pointer and the amount read is updated correctly. This ensures that the function iterates to the next descriptor instead of reading the same descriptor repeatedly. Cc: stable@vger.kernel.org Fixes: 3dd550a2d365 ("USB: usbcore: Fix slab-out-of-bounds bug during device reset") Signed-off-by: Niklas Neronin <niklas.neronin@linux.intel.com> Acked-by: Mathias Nyman <mathias.nyman@linux.intel.com> Reviewed-by: Alan Stern <stern@rowland.harvard.edu> Link: https://lore.kernel.org/r/20231115121325.471454-1-niklas.neronin@linux.intel.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 2023-12-08T07:46:13+00:00 Alan Stern stern@rowland.harvard.edu 2022-11-02T18:13:19+00:00 urn:sha1:713530d3c8f13bbb3fda56159e7ed1236a8b4563 [ Upstream commit 7a09c1269702db8eccb6f718da2b00173e1e0034 ] It has been pointed out that the kernel log messages warning about problems in USB configuration and related descriptors are vexing for users. The warning log level has a fairly high priority, but the user can do nothing to fix the underlying errors in the device's firmware. To reduce the amount of useless information produced by tools that filter high-priority log messages, we can change these warnings to notices, i.e., change dev_warn() to dev_notice(). The same holds for a few messages that currently use dev_err(): Unless they indicate a failure that might make a device unusable (such as inability to transfer a config descriptor), change them to dev_notice() also. Link: https://bugzilla.kernel.org/show_bug.cgi?id=216630 Suggested-by: Artem S. Tashkinov <aros@gmx.com> Signed-off-by: Alan Stern <stern@rowland.harvard.edu> Link: https://lore.kernel.org/r/Y2KzPx0h6z1jXCuN@rowland.harvard.edu Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Stable-dep-of: 974bba5c118f ("usb: config: fix iteration issue in 'usb_get_bos_descriptor()'") Signed-off-by: Sasha Levin <sashal@kernel.org> 2021-12-14T10:32:44+00:00 Pavel Hofman pavel.hofman@ivitera.com 2021-12-10T08:52:19+00:00 urn:sha1:1b43c9b65f6b506759092e542eb9fe055d7c9a08 commit ca5737396927afd4d57b133fd2874bbcf3421cdb upstream. Using standard USB_EP_MAXP_MULT_MASK instead of individual bits for extracting multiple-transactions bits from wMaxPacketSize value. Acked-by: Alan Stern <stern@rowland.harvard.edu> Signed-off-by: Pavel Hofman <pavel.hofman@ivitera.com> Link: https://lore.kernel.org/r/20211210085219.16796-2-pavel.hofman@ivitera.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2021-12-14T10:32:43+00:00 Pavel Hofman pavel.hofman@ivitera.com 2021-12-10T08:52:18+00:00 urn:sha1:ef284f086dd07451bef391fc0a7f47a24b3b9e02 commit 1a3910c80966e4a76b25ce812f6bea0ef1b1d530 upstream. The checks performed by commit aed9d65ac327 ("USB: validate wMaxPacketValue entries in endpoint descriptors") require that initial value of the maxp variable contains both maximum packet size bits (10..0) and multiple-transactions bits (12..11). However, the existing code assings only the maximum packet size bits. This patch assigns all bits of wMaxPacketSize to the variable. Fixes: aed9d65ac327 ("USB: validate wMaxPacketValue entries in endpoint descriptors") Cc: stable <stable@vger.kernel.org> Acked-by: Alan Stern <stern@rowland.harvard.edu> Signed-off-by: Pavel Hofman <pavel.hofman@ivitera.com> Link: https://lore.kernel.org/r/20211210085219.16796-1-pavel.hofman@ivitera.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2020-07-10T06:55:17+00:00 Gustavo A. R. Silva gustavoars@kernel.org 2020-07-07T19:56:07+00:00 urn:sha1:0d9b6d49fe39bd397f1d5913b1bfb8c4fdef0255 Replace the existing /* fall through */ comments and its variants with the new pseudo-keyword macro fallthrough[1]. Also, remove unnecessary fall-through markings when it is the case. [1] https://www.kernel.org/doc/html/latest/process/deprecated.html?highlight=fallthrough#implicit-switch-case-fall-through Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org> Link: https://lore.kernel.org/r/20200707195607.GA4198@embeddedor Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2020-06-19T06:58:37+00:00 Greg Kroah-Hartman gregkh@linuxfoundation.org 2020-06-18T09:42:53+00:00 urn:sha1:91c7eaa686c3b7ae2d5b2aed22a45a02c8baa30e The USB core has a quirk flag to ignore specific endpoints, so rename it to be more obvious what this quirk does. Cc: Johan Hovold <johan@kernel.org> Cc: Alan Stern <stern@rowland.harvard.edu> Cc: Richard Dodd <richard.o.dodd@gmail.com> Cc: Hans de Goede <hdegoede@redhat.com> Cc: Jonathan Cox <jonathan@jdcox.net> Cc: Bastien Nocera <hadess@hadess.net> Cc: "Thiébaud Weksteen" <tweek@google.com> Cc: Nishad Kamdar <nishadkamdar@gmail.com> Link: https://lore.kernel.org/r/20200618094300.1887727-2-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2020-02-10T19:14:22+00:00 Johan Hovold johan@kernel.org 2020-02-03T15:38:30+00:00 urn:sha1:7f1b92a6a7f2b96a8647a488370b9a851433df77 Use the new usb-device pointer instead of back-casting when accessing the struct usb_device when parsing endpoints. Note that this introduces two lines that are longer than 80 chars on purpose. Signed-off-by: Johan Hovold <johan@kernel.org> Link: https://lore.kernel.org/r/20200203153830.26394-4-johan@kernel.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2020-02-10T19:14:22+00:00 Johan Hovold johan@kernel.org 2020-02-03T15:38:28+00:00 urn:sha1:73f8bda9b5dc1c69df2bc55c0cbb24461a6391a9 Add a new device quirk that can be used to blacklist endpoints. Since commit 3e4f8e21c4f2 ("USB: core: fix check for duplicate endpoints") USB core ignores any duplicate endpoints found during descriptor parsing. In order to handle devices where the first interfaces with duplicate endpoints are the ones that should have their endpoints ignored, we need to add a blacklist. Tested-by: edes <edes@gmx.net> Cc: stable <stable@vger.kernel.org> Signed-off-by: Johan Hovold <johan@kernel.org> Link: https://lore.kernel.org/r/20200203153830.26394-2-johan@kernel.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>