releases/4.14.5/usb-usbfs-filter-flags-passed-in-from-user-space.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From 446f666da9f019ce2ffd03800995487e79a91462 Mon Sep 17 00:00:00 2001
 From: Oliver Neukum <oneukum@suse.com>
 Date: Thu, 23 Nov 2017 16:39:52 +0100
 Subject: USB: usbfs: Filter flags passed in from user space

 From: Oliver Neukum <oneukum@suse.com>

 commit 446f666da9f019ce2ffd03800995487e79a91462 upstream.

 USBDEVFS_URB_ISO_ASAP must be accepted only for ISO endpoints.
 Improve sanity checking.

 Reported-by: Andrey Konovalov <andreyknvl@google.com>
 Signed-off-by: Oliver Neukum <oneukum@suse.com>
 Acked-by: Alan Stern <stern@rowland.harvard.edu>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 ---
  drivers/usb/core/devio.c |   14 +++++++++-----
  1 file changed, 9 insertions(+), 5 deletions(-)

 --- a/drivers/usb/core/devio.c
 +++ b/drivers/usb/core/devio.c
 @@ -1455,14 +1455,18 @@ static int proc_do_submiturb(struct usb_
  	int number_of_packets = 0;
  	unsigned int stream_id = 0;
  	void *buf;
 -
 -	if (uurb->flags & ~(USBDEVFS_URB_ISO_ASAP |
 -				USBDEVFS_URB_SHORT_NOT_OK |
 +	unsigned long mask =	USBDEVFS_URB_SHORT_NOT_OK |
  				USBDEVFS_URB_BULK_CONTINUATION |
  				USBDEVFS_URB_NO_FSBR |
  				USBDEVFS_URB_ZERO_PACKET |
 -				USBDEVFS_URB_NO_INTERRUPT))
 -		return -EINVAL;
 +				USBDEVFS_URB_NO_INTERRUPT;
 +	/* USBDEVFS_URB_ISO_ASAP is a special case */
 +	if (uurb->type == USBDEVFS_URB_TYPE_ISO)
 +		mask |= USBDEVFS_URB_ISO_ASAP;
 +
 +	if (uurb->flags & ~mask)
 +			return -EINVAL;
 +
  	if ((unsigned int)uurb->buffer_length >= USBFS_XFER_MAX)
  		return -EINVAL;
  	if (uurb->buffer_length > 0 && !uurb->buffer)
	From 446f666da9f019ce2ffd03800995487e79a91462 Mon Sep 17 00:00:00 2001
	From: Oliver Neukum <oneukum@suse.com>
	Date: Thu, 23 Nov 2017 16:39:52 +0100
	Subject: USB: usbfs: Filter flags passed in from user space

	From: Oliver Neukum <oneukum@suse.com>

	commit 446f666da9f019ce2ffd03800995487e79a91462 upstream.

	USBDEVFS_URB_ISO_ASAP must be accepted only for ISO endpoints.
	Improve sanity checking.

	Reported-by: Andrey Konovalov <andreyknvl@google.com>
	Signed-off-by: Oliver Neukum <oneukum@suse.com>
	Acked-by: Alan Stern <stern@rowland.harvard.edu>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

	---
	drivers/usb/core/devio.c \| 14 +++++++++-----
	1 file changed, 9 insertions(+), 5 deletions(-)

	--- a/drivers/usb/core/devio.c
	+++ b/drivers/usb/core/devio.c
	@@ -1455,14 +1455,18 @@ static int proc_do_submiturb(struct usb_
	int number_of_packets = 0;
	unsigned int stream_id = 0;
	void *buf;
	-
	- if (uurb->flags & ~(USBDEVFS_URB_ISO_ASAP \|
	- USBDEVFS_URB_SHORT_NOT_OK \|
	+ unsigned long mask = USBDEVFS_URB_SHORT_NOT_OK \|
	USBDEVFS_URB_BULK_CONTINUATION \|
	USBDEVFS_URB_NO_FSBR \|
	USBDEVFS_URB_ZERO_PACKET \|
	- USBDEVFS_URB_NO_INTERRUPT))
	- return -EINVAL;
	+ USBDEVFS_URB_NO_INTERRUPT;
	+ /* USBDEVFS_URB_ISO_ASAP is a special case */
	+ if (uurb->type == USBDEVFS_URB_TYPE_ISO)
	+ mask \|= USBDEVFS_URB_ISO_ASAP;
	+
	+ if (uurb->flags & ~mask)
	+ return -EINVAL;
	+
	if ((unsigned int)uurb->buffer_length >= USBFS_XFER_MAX)
	return -EINVAL;
	if (uurb->buffer_length > 0 && !uurb->buffer)