summaryrefslogtreecommitdiffstats
path: root/drivers/usb/gadget/function/rndis.c
AgeCommit message (Collapse)AuthorFilesLines
2022-03-15usb: gadget: rndis: prevent integer overflow in rndis_set_response()Dan Carpenter1-0/+1
If "BufOffset" is very large the "BufOffset + 8" operation can have an integer overflow. Cc: stable@kernel.org Fixes: 38ea1eac7d88 ("usb: gadget: rndis: check size of RNDIS_MSG_SET command") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Link: https://lore.kernel.org/r/20220301080424.GA17208@kili Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2022-02-24usb: gadget: rndis: add spinlock for rndis response listDaehwan Jung1-0/+8
There's no lock for rndis response list. It could cause list corruption if there're two different list_add at the same time like below. It's better to add in rndis_add_response / rndis_free_response / rndis_get_next_response to prevent any race condition on response list. [ 361.894299] [1: irq/191-dwc3:16979] list_add corruption. next->prev should be prev (ffffff80651764d0), but was ffffff883dc36f80. (next=ffffff80651764d0). [ 361.904380] [1: irq/191-dwc3:16979] Call trace: [ 361.904391] [1: irq/191-dwc3:16979] __list_add_valid+0x74/0x90 [ 361.904401] [1: irq/191-dwc3:16979] rndis_msg_parser+0x168/0x8c0 [ 361.904409] [1: irq/191-dwc3:16979] rndis_command_complete+0x24/0x84 [ 361.904417] [1: irq/191-dwc3:16979] usb_gadget_giveback_request+0x20/0xe4 [ 361.904426] [1: irq/191-dwc3:16979] dwc3_gadget_giveback+0x44/0x60 [ 361.904434] [1: irq/191-dwc3:16979] dwc3_ep0_complete_data+0x1e8/0x3a0 [ 361.904442] [1: irq/191-dwc3:16979] dwc3_ep0_interrupt+0x29c/0x3dc [ 361.904450] [1: irq/191-dwc3:16979] dwc3_process_event_entry+0x78/0x6cc [ 361.904457] [1: irq/191-dwc3:16979] dwc3_process_event_buf+0xa0/0x1ec [ 361.904465] [1: irq/191-dwc3:16979] dwc3_thread_interrupt+0x34/0x5c Fixes: f6281af9d62e ("usb: gadget: rndis: use list_for_each_entry_safe") Cc: stable <stable@kernel.org> Signed-off-by: Daehwan Jung <dh10.jung@samsung.com> Link: https://lore.kernel.org/r/1645507768-77687-1-git-send-email-dh10.jung@samsung.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2022-02-11usb: gadget: rndis: check size of RNDIS_MSG_SET commandGreg Kroah-Hartman1-3/+6
Check the size of the RNDIS_MSG_SET command given to us before attempting to respond to an invalid message size. Reported-by: Szymon Heidrich <szymon.heidrich@gmail.com> Cc: stable@kernel.org Tested-by: Szymon Heidrich <szymon.heidrich@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2022-01-22proc: remove PDE_DATA() completelyMuchun Song1-2/+2
Remove PDE_DATA() completely and replace it with pde_data(). [akpm@linux-foundation.org: fix naming clash in drivers/nubus/proc.c] [akpm@linux-foundation.org: now fix it properly] Link: https://lkml.kernel.org/r/20211124081956.87711-2-songmuchun@bytedance.com Signed-off-by: Muchun Song <songmuchun@bytedance.com> Acked-by: Christian Brauner <christian.brauner@ubuntu.com> Cc: Alexey Dobriyan <adobriyan@gmail.com> Cc: Alexey Gladkov <gladkov.alexey@gmail.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2020-02-04proc: convert everything to "struct proc_ops"Alexey Dobriyan1-9/+8
The most notable change is DEFINE_SHOW_ATTRIBUTE macro split in seq_file.h. Conversion rule is: llseek => proc_lseek unlocked_ioctl => proc_ioctl xxx => proc_xxx delete ".owner = THIS_MODULE" line [akpm@linux-foundation.org: fix drivers/isdn/capi/kcapi_proc.c] [sfr@canb.auug.org.au: fix kernel/sched/psi.c] Link: http://lkml.kernel.org/r/20200122180545.36222f50@canb.auug.org.au Link: http://lkml.kernel.org/r/20191225172546.GB13378@avx2 Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: Stephen Rothwell <sfr@canb.auug.org.au> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2018-05-15USB: rndis: Fix for handling garbled messagesMichel Pollet1-0/+3
A message can be forged to crash the stack; here we make sure we don't completely break the system if this occurs Signed-off-by: Michel Pollet <michel.pollet@bp.renesas.com> Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
2017-11-07USB: gadget: function: Remove redundant license textGreg Kroah-Hartman1-4/+0
Now that the SPDX tag is in all USB files, that identifies the license in a specific and legally-defined manner. So the extra GPL text wording can be removed as it is no longer needed at all. This is done on a quest to remove the 700+ different ways that files in the kernel describe the GPL license text. And there's unneeded stuff like the address (sometimes incorrect) for the FSF which is never needed. No copyright headers or other non-license-description text was removed. Cc: Oliver Neukum <oneukum@suse.com> Cc: Johan Hovold <johan@kernel.org> Cc: Jerry Zhang <zhangjerry@google.com> Cc: John Keeping <john@metanate.com> Cc: Krzysztof Opasiak <k.opasiak@samsung.com> Cc: Abdulhadi Mohamed <abdulahhadi2@gmail.com> Cc: Matthew Wilcox <willy@linux.intel.com> Cc: Janusz Dziedzic <januszx.dziedzic@linux.intel.com> Acked-by: Felipe Balbi <felipe.balbi@linux.intel.com> Acked-by: Michal Nazarewicz <mina86@mina86.com> Acked-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Acked-by: Vincent Pelletier <plr.vincent@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-11-04USB: add SPDX identifiers to all remaining files in drivers/usb/Greg Kroah-Hartman1-0/+1
It's good to have SPDX identifiers in all files to make it easier to audit the kernel tree for correct licenses. Update the drivers/usb/ and include/linux/usb* files with the correct SPDX license identifier based on the license text in the file itself. The SPDX identifier is a legally binding shorthand, which can be used instead of the full boiler plate text. This work is based on a script and data from Thomas Gleixner, Philippe Ombredanne, and Kate Stewart. Cc: Thomas Gleixner <tglx@linutronix.de> Cc: Kate Stewart <kstewart@linuxfoundation.org> Cc: Philippe Ombredanne <pombredanne@nexb.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Acked-by: Felipe Balbi <felipe.balbi@linux.intel.com> Acked-by: Johan Hovold <johan@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-06-16networking: make skb_push & __skb_push return void pointersJohannes Berg1-1/+1
It seems like a historic accident that these return unsigned char *, and in many places that means casts are required, more often than not. Make these functions return void * and remove all the casts across the tree, adding a (u8 *) cast only where the unsigned char pointer was used directly, all done with the following spatch: @@ expression SKB, LEN; typedef u8; identifier fn = { skb_push, __skb_push, skb_push_rcsum }; @@ - *(fn(SKB, LEN)) + *(u8 *)fn(SKB, LEN) @@ expression E, SKB, LEN; identifier fn = { skb_push, __skb_push, skb_push_rcsum }; type T; @@ - E = ((T *)(fn(SKB, LEN))) + E = fn(SKB, LEN) @@ expression SKB, LEN; identifier fn = { skb_push, __skb_push, skb_push_rcsum }; @@ - fn(SKB, LEN)[0] + *(u8 *)fn(SKB, LEN) Note that the last part there converts from push(...)[0] to the more idiomatic *(u8 *)push(...). Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2016-11-18usb: gadget: Fix checkpatch error for bracesAnson Jacob1-2/+1
Fix error message by checkpath.pl open brace '{' following struct/enum go on the same line Patch applied by running fix inplace capability of checkpatch: checkpatch.pl -f *.[ch] --types OPEN_BRACE --fix-inplace Signed-off-by: Anson Jacob <ansonjacob.aj@gmail.com> Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
2016-11-03usb: Convert pr_warning to pr_warnJoe Perches1-5/+4
Use the more common logging mechanism. Miscellanea: o Realign multiline statements o Coalesce format Acked-by: Robert Jarzmik <robert.jarzmik@free.fr> Acked-by: Nicolas Ferre <nicolas.ferre@atmel.com> Signed-off-by: Joe Perches <joe@perches.com> Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
2016-08-11usb: gadget: rndis: free response queue during REMOTE_NDIS_RESET_MSGXerox Lin1-0/+6
When rndis data transfer is in progress, some Windows7 Host PC is not sending the GET_ENCAPSULATED_RESPONSE command for receiving the response for the previous SEND_ENCAPSULATED_COMMAND processed. The rndis function driver appends each response for the SEND_ENCAPSULATED_COMMAND in a queue. As the above process got corrupted, the Host sends a REMOTE_NDIS_RESET_MSG command to do a soft-reset. As the rndis response queue is not freed, the previous response is sent as a part of this REMOTE_NDIS_RESET_MSG's reset response and the Host block any more Rndis transfers. Hence free the rndis response queue as a part of this soft-reset so that the correct response for REMOTE_NDIS_RESET_MSG is sent properly during the response command. Signed-off-by: Rajkumar Raghupathy <raghup@codeaurora.org> Signed-off-by: Xerox Lin <xerox_lin@htc.com> [AmitP: Cherry-picked this patch and folded other relevant fixes from Android common kernel android-4.4] Signed-off-by: Amit Pundir <amit.pundir@linaro.org> Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
2016-02-03usb: gadget: rndis: fix itnull.cocci warningsJulia Lawall1-1/+1
The index variable of list_for_each_entry_safe is an offset from a list pointer, and thus should not be NULL. Generated by: scripts/coccinelle/iterators/itnull.cocci CC: Geliang Tang <geliangtang@163.com> Signed-off-by: Fengguang Wu <fengguang.wu@intel.com> Signed-off-by: Julia Lawall <julia.lawall@lip6.fr> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2016-01-24usb: gadget: rndis: use list_for_each_entry_safeGeliang Tang1-12/+6
Use list_for_each_entry_safe() instead of list_for_each_safe() to simplify the code. Signed-off-by: Geliang Tang <geliangtang@163.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2015-05-21usb: gadget: rndis: use signed type for a signed valueAndrzej Pietrasiewicz1-2/+2
rndis_get_nr() returns either a non-negative value on success or a negative value on failure. In case of failure an error code is returned to the caller of rndis_register(). If the "i" is unsigned, the information about error from rndis_get_nr() is lost. If there is no error but rndis_get_nr() returns a value greater than 256 the least significant bits of i are zero effectively limiting the number of configs to 256. This patch fixes that. Signed-off-by: Andrzej Pietrasiewicz <andrzej.p@samsung.com> Signed-off-by: Felipe Balbi <balbi@ti.com>
2015-05-21usb: gadget: rndis: don't duplicate the "i" variableAndrzej Pietrasiewicz1-1/+0
If CONFIG_USB_GADGET_DEBUG_FILES is set then a block is opened and inside it there is a local variable "i" which hides the "i" local to the rndis_deregister(). Consequently, a random value is formatted into the "name" buffer. This patch removes the block-local i. Signed-off-by: Andrzej Pietrasiewicz <andrzej.p@samsung.com> Signed-off-by: Felipe Balbi <balbi@ti.com>
2015-05-21usb: gadget: rndis: change the value passed to rndis_signal_(dis)connect()Andrzej Pietrasiewicz1-2/+2
The patch: 83210e59ee1527f229af6aef78c95b747bdcf9c4 usb: gadget: rndis: use rndis_params instead of configNr should change all invocations of rndis_signal_(dis)connect(). This patch fixes that. Signed-off-by: Andrzej Pietrasiewicz <andrzej.p@samsung.com> Signed-off-by: Felipe Balbi <balbi@ti.com>
2015-05-07usb: gadget: rndis: remove the limit of available rndis connectionsAndrzej Pietrasiewicz1-63/+77
RNDIS function has a limitation on the number of allowed instances. So far it has been RNDIS_MAX_CONFIGS, which happens to be one. In order to eliminate this kind of arbitrary limitation we should not preallocate a predefined (RNDIS_MAX_CONFIGS) array of struct rndis_params instances but instead allow allocating them on demand. This patch allocates struct rndis_params on demand in rndis_register(). Coversly, the structure is free()'d in rndis_deregister(). If CONFIG_USB_GADGET_DEBUG_FILES is set, the proc files are created which is the same behaviour as before, but the moment of creation is delayed until struct rndis_params is actually allocated. rnids_init() and rndis_exit() have nothing to do, so they are eliminated. Signed-off-by: Andrzej Pietrasiewicz <andrzej.p@samsung.com> Signed-off-by: Felipe Balbi <balbi@ti.com>
2015-05-07usb: gadget: rndis: use rndis_params instead of configNrAndrzej Pietrasiewicz1-118/+95
RNDIS function has a limitation on the number of allowed instances. So far it has been RNDIS_MAX_CONFIGS, which happens to be one. In order to eliminate this kind of arbitrary limitation we should not preallocate a predefined (RNDIS_MAX_CONFIGS) array of struct rndis_params instances but instead allow allocating them on demand. This patch prepares the elimination of the said limit by converting all the functions which accept rndis config number to accept a pointer to the actual struct rndis_params. Consequently, rndis_register() returns a pointer to a corresponding struct rndis_params instance. The pointer is then always used by f_rndis.c instead of config number when it talks to rndis.c API. A nice side-effect of the changes is that many lines of code in rndis.c become shorter and fit in 80 columns. If a function prototype changes in rndis.h a style cleanup is made at the same time, otherwise checkpatch complains that the patch has style problems. Signed-off-by: Andrzej Pietrasiewicz <andrzej.p@samsung.com> Signed-off-by: Felipe Balbi <balbi@ti.com>
2014-07-16usb: gadget: Gadget directory cleanup - group usb functionsAndrzej Pietrasiewicz1-0/+1190
The drivers/usb/gadget directory contains many files. Files which are related can be distributed into separate directories. This patch moves the USB functions implementations into a separate directory. Signed-off-by: Andrzej Pietrasiewicz <andrzej.p@samsung.com> Signed-off-by: Felipe Balbi <balbi@ti.com>