From ddd1198e3e0935066d6e309180d49f64ef4fa702 Mon Sep 17 00:00:00 2001
From: Oliver Neukum <oneukum@suse.com>
Date: Wed, 23 Sep 2020 15:43:42 +0200
Subject: [PATCH] USB: correct API of usb_control_msg_send/recv
Git-commit: ddd1198e3e0935066d6e309180d49f64ef4fa702
Patch-mainline: v5.10-rc1
References: CVE-2022-3903 bsc#1205220
They need to specify how memory is to be allocated,
as control messages need to work in contexts that require GFP_NOIO.
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Link: https://lore.kernel.org/r/20200923134348.23862-9-oneukum@suse.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Acked-by: Takashi Iwai <tiwai@suse.de>
---
drivers/usb/core/message.c | 22 ++++++++++++++--------
include/linux/usb.h | 6 ++++--
2 files changed, 18 insertions(+), 10 deletions(-)
--- a/drivers/usb/core/message.c
+++ b/drivers/usb/core/message.c
@@ -172,6 +172,7 @@ EXPORT_SYMBOL_GPL(usb_control_msg);
* @size: length in bytes of the data to send
* @timeout: time in msecs to wait for the message to complete before timing
* out (if 0 the wait is forever)
+ * @memflags: the flags for memory allocation for buffers
*
* Context: !in_interrupt ()
*
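Review bot: The new `@memflags` line says only "the flags for memory allocation for buffers", which does not tell a driver author which values are acceptable. The kernel-doc just below still states `Context: !in_interrupt ()`, so the call is expected to sleep whatever flags are passed. I would spell that out, e.g. `@memflags: GFP flags for the internal copy of the data buffer (GFP_KERNEL, or GFP_NOIO where the allocator must not start I/O); the call may still sleep`. The identical line added for usb_control_msg_recv in the hunk at -233 needs the same wording. The rest of the comment and the function body lie outside this hunk.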
@@ -194,7 +195,8 @@ EXPORT_SYMBOL_GPL(usb_control_msg);
*/
int usb_control_msg_send(struct usb_device *dev, __u8 endpoint, __u8 request,
__u8 requesttype, __u16 value, __u16 index,
- const void *driver_data, __u16 size, int timeout)
+ const void *driver_data, __u16 size, int timeout,
+ gfp_t memflags)
{
unsigned int pipe = usb_sndctrlpipe(dev, endpoint);
int ret;
@@ -204,7 +206,7 @@ int usb_control_msg_send(struct usb_devi
return -EINVAL;
if (size) {
- data = kmemdup(driver_data, size, GFP_KERNEL);
+ data = kmemdup(driver_data, size, memflags);
if (!data)
return -ENOMEM;
}
@@ -233,6 +235,7 @@ EXPORT_SYMBOL_GPL(usb_control_msg_send);
* @size: length in bytes of the data to be received
* @timeout: time in msecs to wait for the message to complete before timing
* out (if 0 the wait is forever)
+ * @memflags: the flags for memory allocation for buffers
*
* Context: !in_interrupt ()
*
@@ -261,7 +264,8 @@ EXPORT_SYMBOL_GPL(usb_control_msg_send);
*/
int usb_control_msg_recv(struct usb_device *dev, __u8 endpoint, __u8 request,
__u8 requesttype, __u16 value, __u16 index,
- void *driver_data, __u16 size, int timeout)
+ void *driver_data, __u16 size, int timeout,
+ gfp_t memflags)
{
unsigned int pipe = usb_rcvctrlpipe(dev, endpoint);
int ret;
@@ -270,7 +274,7 @@ int usb_control_msg_recv(struct usb_devi
if (!size || !driver_data || usb_pipe_type_check(dev, pipe))
return -EINVAL;
- data = kmalloc(size, GFP_KERNEL);
+ data = kmalloc(size, memflags);
if (!data)
return -ENOMEM;
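Review bot: The receive buffer in `data = kmalloc(size, memflags);` is not zeroed, and the code that copies it back into `driver_data` lies outside this hunk. If any path copies after a short or failed transfer, stale heap contents would reach the driver and possibly user space, so please confirm the copy happens only when exactly `size` bytes arrived. If that cannot be guaranteed, `data = kzalloc(size, memflags);` is the cheap safeguard. usb_control_msg_recv continues outside the hunk.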
@@ -1144,7 +1148,7 @@ int usb_clear_halt(struct usb_device *de
result = usb_control_msg_send(dev, 0,
USB_REQ_CLEAR_FEATURE, USB_RECIP_ENDPOINT,
USB_ENDPOINT_HALT, endp, NULL, 0,
- USB_CTRL_SET_TIMEOUT);
+ USB_CTRL_SET_TIMEOUT, GFP_NOIO);
/* don't un-halt or force to DATA0 except on success */
if (result)
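Review bot: `GFP_NOIO` is hard-coded at this call site with no comment saying why `GFP_KERNEL` would be unsafe; the commit message gives the reason but the code does not. A short comment above the call, such as `/* GFP_NOIO: may run while a block device is being recovered; the allocator must not start I/O */`, would stop a later cleanup from reverting it, though the exact context named is my assumption and should be confirmed by the author. The same applies to the usb_set_interface, usb_reset_configuration and free_interfaces hunks that follow. usb_clear_halt starts and ends outside this hunk.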
@@ -1512,7 +1516,8 @@ int usb_set_interface(struct usb_device
ret = usb_control_msg_send(dev, 0,
USB_REQ_SET_INTERFACE,
USB_RECIP_INTERFACE, alternate,
- interface, NULL, 0, 5000);
+ interface, NULL, 0, 5000,
+ GFP_NOIO);
/* 9.4.10 says devices don't need this and are free to STALL the
* request if the interface only has one alternate setting.
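Review bot: The rewritten call still passes the bare literal `5000` as the timeout, while the other three call sites touched by this patch pass `USB_CTRL_SET_TIMEOUT`. If the constant has the same value, writing `interface, NULL, 0, USB_CTRL_SET_TIMEOUT,` here would make the four calls consistent and drop a magic number from a line that is being edited anyway. usb_set_interface's body continues outside the hunk.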
@@ -1648,7 +1653,8 @@ int usb_reset_configuration(struct usb_d
}
retval = usb_control_msg_send(dev, 0, USB_REQ_SET_CONFIGURATION, 0,
config->desc.bConfigurationValue, 0,
- NULL, 0, USB_CTRL_SET_TIMEOUT);
+ NULL, 0, USB_CTRL_SET_TIMEOUT,
+ GFP_NOIO);
if (retval < 0) {
usb_hcd_alloc_bandwidth(dev, NULL, NULL, NULL);
usb_enable_lpm(dev);
@@ -2028,7 +2034,7 @@ free_interfaces:
ret = usb_control_msg_send(dev, 0, USB_REQ_SET_CONFIGURATION, 0,
configuration, 0, NULL, 0,
- USB_CTRL_SET_TIMEOUT);
+ USB_CTRL_SET_TIMEOUT, GFP_NOIO);
if (ret && cp) {
/*
* All the old state is gone, so what else can we do?
--- a/include/linux/usb.h
+++ b/include/linux/usb.h
@@ -1766,10 +1766,12 @@ extern int usb_bulk_msg(struct usb_devic
/* wrappers around usb_control_msg() for the most common standard requests */
int usb_control_msg_send(struct usb_device *dev, __u8 endpoint, __u8 request,
__u8 requesttype, __u16 value, __u16 index,
- const void *data, __u16 size, int timeout);
+ const void *data, __u16 size, int timeout,
+ gfp_t memflags);
int usb_control_msg_recv(struct usb_device *dev, __u8 endpoint, __u8 request,
__u8 requesttype, __u16 value, __u16 index,
- void *data, __u16 size, int timeout);
+ void *data, __u16 size, int timeout,
+ gfp_t memflags);
extern int usb_get_descriptor(struct usb_device *dev, unsigned char desctype,
unsigned char descindex, void *buf, int size);
extern int usb_get_status(struct usb_device *dev,
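Review bot: The prototypes name the buffer parameter `data` while the definitions in drivers/usb/core/message.c name it `driver_data`. Since these lines are rewritten anyway, `const void *driver_data, __u16 size, int timeout,` (and `void *driver_data, ...` for recv) would match the kernel-doc on the definitions. Note also that a parameter is appended to two exported functions, so any caller not converted in the same series stops building; a backport of this patch has to carry every caller conversion with it.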