summaryrefslogtreecommitdiff
path: root/drivers/uwb/hwa-rc.c
AgeCommit message (Collapse)AuthorFilesLines
2017-09-18uwb: ensure that endpoint is interruptAndrey Konovalov1-0/+2
hwarc_neep_init() assumes that endpoint 0 is interrupt, but there's no check for that, which results in a WARNING in USB core code, when a bad USB descriptor is provided from a device: usb 1-1: BOGUS urb xfer, pipe 1 != type 3 ------------[ cut here ]------------ WARNING: CPU: 0 PID: 3 at drivers/usb/core/urb.c:449 usb_submit_urb+0xf8a/0x11d0 Modules linked in: CPU: 0 PID: 3 Comm: kworker/0:0 Not tainted 4.13.0+ #111 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 Workqueue: usb_hub_wq hub_event task: ffff88006bdc1a00 task.stack: ffff88006bde8000 RIP: 0010:usb_submit_urb+0xf8a/0x11d0 drivers/usb/core/urb.c:448 RSP: 0018:ffff88006bdee3c0 EFLAGS: 00010282 RAX: 0000000000000029 RBX: ffff8800672a7200 RCX: 0000000000000000 RDX: 0000000000000029 RSI: ffff88006c815c78 RDI: ffffed000d7bdc6a RBP: ffff88006bdee4c0 R08: fffffbfff0fe00ff R09: fffffbfff0fe00ff R10: 0000000000000018 R11: fffffbfff0fe00fe R12: 1ffff1000d7bdc7f R13: 0000000000000003 R14: 0000000000000001 R15: ffff88006b02cc90 FS: 0000000000000000(0000) GS:ffff88006c800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fe4daddf000 CR3: 000000006add6000 CR4: 00000000000006f0 Call Trace: hwarc_neep_init+0x4ce/0x9c0 drivers/uwb/hwa-rc.c:710 uwb_rc_add+0x2fb/0x730 drivers/uwb/lc-rc.c:361 hwarc_probe+0x34e/0x9b0 drivers/uwb/hwa-rc.c:858 usb_probe_interface+0x351/0x8d0 drivers/usb/core/driver.c:361 really_probe drivers/base/dd.c:385 driver_probe_device+0x610/0xa00 drivers/base/dd.c:529 __device_attach_driver+0x230/0x290 drivers/base/dd.c:625 bus_for_each_drv+0x15e/0x210 drivers/base/bus.c:463 __device_attach+0x269/0x3c0 drivers/base/dd.c:682 device_initial_probe+0x1f/0x30 drivers/base/dd.c:729 bus_probe_device+0x1da/0x280 drivers/base/bus.c:523 device_add+0xcf9/0x1640 drivers/base/core.c:1703 usb_set_configuration+0x1064/0x1890 drivers/usb/core/message.c:1932 generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174 usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266 really_probe drivers/base/dd.c:385 driver_probe_device+0x610/0xa00 drivers/base/dd.c:529 __device_attach_driver+0x230/0x290 drivers/base/dd.c:625 bus_for_each_drv+0x15e/0x210 drivers/base/bus.c:463 __device_attach+0x269/0x3c0 drivers/base/dd.c:682 device_initial_probe+0x1f/0x30 drivers/base/dd.c:729 bus_probe_device+0x1da/0x280 drivers/base/bus.c:523 device_add+0xcf9/0x1640 drivers/base/core.c:1703 usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457 hub_port_connect drivers/usb/core/hub.c:4890 hub_port_connect_change drivers/usb/core/hub.c:4996 port_event drivers/usb/core/hub.c:5102 hub_event+0x23c8/0x37c0 drivers/usb/core/hub.c:5182 process_one_work+0x9fb/0x1570 kernel/workqueue.c:2097 worker_thread+0x1e4/0x1350 kernel/workqueue.c:2231 kthread+0x324/0x3f0 kernel/kthread.c:231 ret_from_fork+0x25/0x30 arch/x86/entry/entry_64.S:425 Code: 48 8b 85 30 ff ff ff 48 8d b8 98 00 00 00 e8 8e 93 07 ff 45 89 e8 44 89 f1 4c 89 fa 48 89 c6 48 c7 c7 a0 e5 55 86 e8 20 08 8f fd <0f> ff e9 9b f7 ff ff e8 4a 04 d6 fd e9 80 f7 ff ff e8 60 11 a6 ---[ end trace 55d741234124cfc3 ]--- Check that endpoint is interrupt. Found by syzkaller. Signed-off-by: Andrey Konovalov <andreyknvl@google.com> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-03-14uwb: hwa-rc: fix NULL-deref at probeJohan Hovold1-0/+3
Make sure to check the number of endpoints to avoid dereferencing a NULL-pointer should a malicious device lack endpoints. Note that the dereference happens in the start callback which is called during probe. Fixes: de520b8bd552 ("uwb: add HWA radio controller driver") Cc: stable <stable@vger.kernel.org> # 2.6.28 Cc: Inaky Perez-Gonzalez <inaky.perez-gonzalez@intel.com> Cc: David Vrabel <david.vrabel@csr.com> Signed-off-by: Johan Hovold <johan@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2016-08-15uwb: hwa-rc: don't print error when allocating urb failsWolfram Sang1-3/+1
kmalloc will print enough information in case of failure. Signed-off-by: Wolfram Sang <wsa-dev@sang-engineering.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-08-13HWA RC: fix a kernel panic when unplugging the HWA dongleThomas Pugliese1-1/+15
This patch fixes a kernel panic that can occur when unplugging the HWA dongle while a downstream device is in the process of disconnecting. This involved 2 changes. First, call usb_lock_device_for_reset before usb_reset_device to synchronize the HWA's post_rest and disconnect routines. Second, set the hwarc->neep_urb and hwarc->rd_buffer to NULL when they are freed in the error path in the post_reset routine. This prevents a double free when the disconnect routine is called and attempts to free those resources again. Signed-off-by: Thomas Pugliese <thomas.pugliese@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-06-07UWB: HWA: add support for Alereon 5310 and 5611 devicesThomas Pugliese1-0/+6
This patch adds support for the Alereon 5310 and 5611 devices to the HWA-rc driver. Signed-off-by: Thomas Pugliese <thomas.pugliese@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2012-04-19uwb: fix error handlingOliver Neukum1-1/+2
Fatal errors such as a device disconnect must not trigger error handling. The error returns must be checked. Signed-off-by: Oliver Neukum <oneukum@suse.de> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2011-11-18USB: convert some miscellanies drivers to use module_usb_driver()Greg Kroah-Hartman1-11/+1
This converts the remaining USB drivers in the kernel to use the module_usb_driver() macro which makes the code smaller and a bit simpler. Added bonus is that it removes some unneeded kernel log messages about drivers loading and/or unloading. Cc: Guenter Roeck <guenter.roeck@ericsson.com> Cc: Jean Delvare <khali@linux-fr.org> Cc: Ben Dooks <ben-linux@fluff.org> Cc: Till Harbaum <till@harbaum.org> Cc: Karsten Keil <isdn@linux-pingi.de> Cc: Chris Ball <cjb@laptop.org> Cc: David Woodhouse <dwmw2@infradead.org> Cc: Lauro Ramos Venancio <lauro.venancio@openbossa.org> Cc: Aloisio Almeida Jr <aloisio.almeida@openbossa.org> Cc: Samuel Ortiz <sameo@linux.intel.com> Cc: Steve Glendinning <steve.glendinning@smsc.com> Cc: Florian Tobias Schandinat <FlorianSchandinat@gmx.de> Cc: Evgeniy Polyakov <zbr@ioremap.net> Cc: Wim Van Sebroeck <wim@iguana.be> Cc: "David S. Miller" <davem@davemloft.net> Cc: Jesper Juhl <jj@chaosbits.net> Cc: Artem Bityutskiy <Artem.Bityutskiy@nokia.com> Cc: Jamie Iles <jamie@jamieiles.com> Cc: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-03-30include cleanup: Update gfp.h and slab.h includes to prepare for breaking ↵Tejun Heo1-0/+1
implicit slab.h inclusion from percpu.h percpu.h is included by sched.h and module.h and thus ends up being included when building most .c files. percpu.h includes slab.h which in turn includes gfp.h making everything defined by the two files universally available and complicating inclusion dependencies. percpu.h -> slab.h dependency is about to be removed. Prepare for this change by updating users of gfp and slab facilities include those headers directly instead of assuming availability. As this conversion needs to touch large number of source files, the following script is used as the basis of conversion. http://userweb.kernel.org/~tj/misc/slabh-sweep.py The script does the followings. * Scan files for gfp and slab usages and update includes such that only the necessary includes are there. ie. if only gfp is used, gfp.h, if slab is used, slab.h. * When the script inserts a new include, it looks at the include blocks and try to put the new include such that its order conforms to its surrounding. It's put in the include block which contains core kernel includes, in the same order that the rest are ordered - alphabetical, Christmas tree, rev-Xmas-tree or at the end if there doesn't seem to be any matching order. * If the script can't find a place to put a new include (mostly because the file doesn't have fitting include block), it prints out an error message indicating which .h file needs to be added to the file. The conversion was done in the following steps. 1. The initial automatic conversion of all .c files updated slightly over 4000 files, deleting around 700 includes and adding ~480 gfp.h and ~3000 slab.h inclusions. The script emitted errors for ~400 files. 2. Each error was manually checked. Some didn't need the inclusion, some needed manual addition while adding it to implementation .h or embedding .c file was more appropriate for others. This step added inclusions to around 150 files. 3. The script was run again and the output was compared to the edits from #2 to make sure no file was left behind. 4. Several build tests were done and a couple of problems were fixed. e.g. lib/decompress_*.c used malloc/free() wrappers around slab APIs requiring slab.h to be added manually. 5. The script was run on all .h files but without automatically editing them as sprinkling gfp.h and slab.h inclusions around .h files could easily lead to inclusion dependency hell. Most gfp.h inclusion directives were ignored as stuff from gfp.h was usually wildly available and often used in preprocessor macros. Each slab.h inclusion directive was examined and added manually as necessary. 6. percpu.h was updated not to include slab.h. 7. Build test were done on the following configurations and failures were fixed. CONFIG_GCOV_KERNEL was turned off for all tests (as my distributed build env didn't work with gcov compiles) and a few more options had to be turned off depending on archs to make things build (like ipr on powerpc/64 which failed due to missing writeq). * x86 and x86_64 UP and SMP allmodconfig and a custom test config. * powerpc and powerpc64 SMP allmodconfig * sparc and sparc64 SMP allmodconfig * ia64 SMP allmodconfig * s390 SMP allmodconfig * alpha SMP allmodconfig * um on x86_64 SMP allmodconfig 8. percpu.h modifications were reverted so that it could be applied as a separate patch and serve as bisection point. Given the fact that I had only a couple of failures from tests on step 6, I'm fairly confident about the coverage of this conversion patch. If there is a breakage, it's likely to be something in one of the arch headers which should be easily discoverable easily on most builds of the specific arch. Signed-off-by: Tejun Heo <tj@kernel.org> Guess-its-ok-by: Christoph Lameter <cl@linux-foundation.org> Cc: Ingo Molnar <mingo@redhat.com> Cc: Lee Schermerhorn <Lee.Schermerhorn@hp.com>
2010-01-14uwb: make USB device id table constantMárton Németh1-1/+1
The id_table field of the struct usb_device_id is constant in <linux/usb.h> so it is worth to make the initialization data also constant. Signed-off-by: Márton Németh <nm127@freemail.hu> Signed-off-by: David Vrabel <david.vrabel@csr.com>
2009-08-26uwb: avoid radio controller reset loopsDavid Vrabel1-2/+1
If a radio controller reset attempt occurs while a probe() or remove() is in progress it fails and is retried endlessly, potentially preventing the probe() or remove() from completing. If a reset fails, sleep for a bit before retrying the reset. This allows the probe()/remove() to complete. Signed-off-by: David Vrabel <david.vrabel@csr.com>
2009-06-01uwb: event_size should be signedRoel Kluin1-1/+1
event_size should be ssize_t to notice when hwarc_get_event_size() returns -ENOSPC. Signed-off-by: Roel Kluin <roel.kluin@gmail.com> Cc: David Vrabel <david.vrabel@csr.com> Cc: Inaky Perez-Gonzalez <inaky.perez-gonzalez@intel.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: David Vrabel <david.vrabel@csr.com>
2008-12-22uwb: use dev_dbg() for debug messagesDavid Vrabel1-22/+8
Instead of the home-grown d_fnstart(), d_fnend() and d_printf() macros, use dev_dbg() or remove the message entirely. Signed-off-by: David Vrabel <david.vrabel@csr.com>
2008-11-07uwb: don't unbind the radio controller driver when resettingDavid Vrabel1-1/+21
Use pre_reset and post_reset methods to avoid unbinding the radio controller driver after a uwb_rc_reset_all() call. This avoids a deadlock in uwb_rc_rm() when waiting for the uwb event thread to stop. Signed-off-by: David Vrabel <david.vrabel@csr.com>
2008-10-31uwb: remove unused #include <version.h>Huang Weiyi1-1/+0
The file(s) below do not use LINUX_VERSION_CODE nor KERNEL_VERSION. drivers/uwb/drp-ie.c drivers/uwb/hwa-rc.c drivers/uwb/i1480/dfu/usb.c drivers/uwb/i1480/i1480u-wlp/lc.c drivers/uwb/i1480/i1480u-wlp/sysfs.c drivers/uwb/rsv.c drivers/uwb/whc-rc.c This patch removes the said #include <version.h>. Signed-off-by: Huang Weiyi <weiyi.huang@gmail.com> Signed-off-by: David Vrabel <david.vrabel@csr.com>
2008-09-17uwb: add Intel i1480 HWA to the UWB RC quirk tableAnderson Lizardo1-0/+3
The Intel i1480 HWA uses WHCI commands/events even though reporting itself as WUSB compliant. This patch fixes this by marking it with the WUSB_QUIRK_WHCI_CMD_EVT flag, which disables WUSB command/event filtering. Signed-off-by: Anderson Lizardo <anderson.lizardo@indt.org.br> Signed-off-by: David Vrabel <david.vrabel@csr.com>
2008-09-17uwb: disable command/event filtering for D-Link DUB-1210Anderson Lizardo1-2/+14
The D-Link DUB-1210 HWA uses commands and events from the WHCI specification, although reporting itself as WUSB compliant. Therefore, we disable WUSB command/event filtering for it. USB_DEVICE_AND_INTERFACE_INFO is used for matching only the RC interface. Signed-off-by: Anderson Lizardo <anderson.lizardo@indt.org.br> Signed-off-by: David Vrabel <david.vrabel@csr.com>
2008-09-17uwb: add HWA radio controller driverInaky Perez-Gonzalez1-0/+911
Add a driver for USB-connected UWB radio controllers (HWAs). Signed-off-by: David Vrabel <david.vrabel@csr.com>