| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 27 Jan 2021 15:49:31 +0100
From: Johan Hovold <johan@...nel.org>
To: Anant Thazhemadam <anant.thazhemadam@...il.com>
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Peter Chen <peter.chen@....com>,
Minas Harutyunyan <hminas@...opsys.com>,
Chunfeng Yun <chunfeng.yun@...iatek.com>,
linux-usb@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v3 04/12] usb: misc: ehset: update to use the
usb_control_msg_{send|recv}() API
On Wed, Jan 27, 2021 at 12:03:55AM +0530, Anant Thazhemadam wrote:
> The newer usb_control_msg_{send|recv}() API are an improvement on the
> existing usb_control_msg() as it ensures that a short read/write is treated
> as an error, data can be used off the stack, and raw usb pipes need not be
> created in the calling functions.
> For this reason, instances of usb_control_msg() have been replaced with
> usb_control_msg_{recv|send}() appropriately.
>
> Signed-off-by: Anant Thazhemadam <anant.thazhemadam@...il.com>
> Reviewed-by: Peter Chen <peter.chen@....com>
> ---
> drivers/usb/misc/ehset.c | 76 +++++++++++++++++-----------------------
> 1 file changed, 32 insertions(+), 44 deletions(-)
>
> diff --git a/drivers/usb/misc/ehset.c b/drivers/usb/misc/ehset.c
> index 2752e1f4f4d0..f87890f9cd26 100644
> --- a/drivers/usb/misc/ehset.c
> +++ b/drivers/usb/misc/ehset.c
> @@ -24,68 +24,57 @@ static int ehset_probe(struct usb_interface *intf,
> int ret = -EINVAL;
> struct usb_device *dev = interface_to_usbdev(intf);
> struct usb_device *hub_udev = dev->parent;
> - struct usb_device_descriptor *buf;
> + struct usb_device_descriptor buf;
> u8 portnum = dev->portnum;
> u16 test_pid = le16_to_cpu(dev->descriptor.idProduct);
>
> switch (test_pid) {
> case TEST_SE0_NAK_PID:
> - ret = usb_control_msg(hub_udev, usb_sndctrlpipe(hub_udev, 0),
> - USB_REQ_SET_FEATURE, USB_RT_PORT,
> - USB_PORT_FEAT_TEST,
> - (USB_TEST_SE0_NAK << 8) | portnum,
> - NULL, 0, 1000);
> + ret = usb_control_msg_send(hub_udev, 0, USB_REQ_SET_FEATURE,
> + USB_RT_PORT, USB_PORT_FEAT_TEST,
> + (USB_TEST_SE0_NAK << 8) | portnum,
> + NULL, 0, 1000, GFP_KERNEL);
> break;
> case TEST_SINGLE_STEP_GET_DEV_DESC:
> /* Test: wait for 15secs -> GetDescriptor request */
> msleep(15 * 1000);
> - buf = kmalloc(USB_DT_DEVICE_SIZE, GFP_KERNEL);
> - if (!buf)
> - return -ENOMEM;
>
> - ret = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0),
> - USB_REQ_GET_DESCRIPTOR, USB_DIR_IN,
> - USB_DT_DEVICE << 8, 0,
> - buf, USB_DT_DEVICE_SIZE,
> - USB_CTRL_GET_TIMEOUT);
> - kfree(buf);
> + ret = usb_control_msg_recv(dev, 0, USB_REQ_GET_DESCRIPTOR,
> + USB_DIR_IN, USB_DT_DEVICE << 8, 0,
> + &buf, USB_DT_DEVICE_SIZE,
> + USB_CTRL_GET_TIMEOUT, GFP_KERNEL);
Ok, here you now test for a short device descriptor (which USB core
should already have fetched if you get to probe this driver), but which
wasn't verified again here before. You may want to mention that in the
commit message.
And the buffer is small enough that moving it to the stack also for the
other test cases isn't an issue (and the redundant memcpy() introduced
by the helper is in the noise).
So, this looks ok (with an amended commit message dropping the short
write bit):
Reviewed-by: Johan Hovold <johan@...nel.org>
Johan
Powered by blists - more mailing lists