mirror of
https://github.com/FEX-Emu/linux.git
synced 2025-02-10 13:28:44 +00:00
a0456399fb
The "Extended Compat ID OS Feature Descriptor Specification" does not require the (sub)compatible ids to be NUL-terminated, because they are placed in a fixed-size buffer and only unused parts of it should contain NULs. If the buffer is fully utilized, there is no place for NULs. Consequently, the code which uses desc->ext_compat_id never expects the data contained to be NUL terminated. If the compatible id is stored after sub-compatible id, and the compatible id is full length (8 bytes), the (useless) NUL terminator overwrites the first byte of the sub-compatible id. If the sub-compatible id is full length (8 bytes), the (useless) NUL terminator ends up out of the buffer. The situation can happen in the RNDIS function, where the buffer is a part of struct f_rndis_opts. The next member of struct f_rndis_opts is a mutex, so its first byte gets overwritten. The said byte is a part of a mutex'es member which contains the information on whether the muext is locked or not. This can lead to a deadlock, because, in a configfs-composed gadget when a function is linked into a configuration with config_usb_cfg_link(), usb_get_function() is called, which then calls rndis_alloc(), which tries locking the same mutex and (wrongly) finds it already locked. This patch eliminates NUL terminating of the (sub)compatible id. Cc: <stable@vger.kernel.org> # v3.16+ Fixes: da4243145fb1: "usb: gadget: configfs: OS Extended Compatibility descriptors support" Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Andrzej Pietrasiewicz <andrzej.p@samsung.com> Signed-off-by: Felipe Balbi <balbi@ti.com>
To understand all the Linux-USB framework, you'll use these resources:
* This source code. This is necessarily an evolving work, and
includes kerneldoc that should help you get a current overview.
("make pdfdocs", and then look at "usb.pdf" for host side and
"gadget.pdf" for peripheral side.) Also, Documentation/usb has
more information.
* The USB 2.0 specification (from www.usb.org), with supplements
such as those for USB OTG and the various device classes.
The USB specification has a good overview chapter, and USB
peripherals conform to the widely known "Chapter 9".
* Chip specifications for USB controllers. Examples include
host controllers (on PCs, servers, and more); peripheral
controllers (in devices with Linux firmware, like printers or
cell phones); and hard-wired peripherals like Ethernet adapters.
* Specifications for other protocols implemented by USB peripheral
functions. Some are vendor-specific; others are vendor-neutral
but just standardized outside of the www.usb.org team.
Here is a list of what each subdirectory here is, and what is contained in
them.
core/ - This is for the core USB host code, including the
usbfs files and the hub class driver ("hub_wq").
host/ - This is for USB host controller drivers. This
includes UHCI, OHCI, EHCI, and others that might
be used with more specialized "embedded" systems.
gadget/ - This is for USB peripheral controller drivers and
the various gadget drivers which talk to them.
Individual USB driver directories. A new driver should be added to the
first subdirectory in the list below that it fits into.
image/ - This is for still image drivers, like scanners or
digital cameras.
../input/ - This is for any driver that uses the input subsystem,
like keyboard, mice, touchscreens, tablets, etc.
../media/ - This is for multimedia drivers, like video cameras,
radios, and any other drivers that talk to the v4l
subsystem.
../net/ - This is for network drivers.
serial/ - This is for USB to serial drivers.
storage/ - This is for USB mass-storage drivers.
class/ - This is for all USB device drivers that do not fit
into any of the above categories, and work for a range
of USB Class specified devices.
misc/ - This is for all USB device drivers that do not fit
into any of the above categories.