From d5ec33490c67affef93aebf76e1238260c82d377 Mon Sep 17 00:00:00 2001
From: Franck Bui-Huu
Date: Thu, 23 Feb 2006 09:35:06 +0100
Subject: [PATCH] USB: lh7a40x gadget driver: Fixed a dead lock

There is a dead lock in lh7a40x udc driver. When the driver receive a SET_FEATURE HALT request, the dev lock is taken by the interrupt handler lh7a40x_udc_irq then the handler will call lh7a40x_set_halt function which in its turn will try to acquire the dev lock.

Signed-off-by: Franck Bui-Huu
Signed-off-by: Greg Kroah-Hartman
---
 drivers/usb/gadget/lh7a40x_udc.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

(limited to 'drivers/usb/gadget')

diff --git a/drivers/usb/gadget/lh7a40x_udc.c b/drivers/usb/gadget/lh7a40x_udc.c
index e02fea5a543..1a362c5e7f3 100644
--- a/drivers/usb/gadget/lh7a40x_udc.c
+++ b/drivers/usb/gadget/lh7a40x_udc.c
@@ -1062,11 +1062,11 @@ static int lh7a40x_ep_enable(struct usb_ep *_ep,
  ep->pio_irqs = 0;
  ep->ep.maxpacket = le16_to_cpu(desc->wMaxPacketSize);
+ spin_unlock_irqrestore(&ep->dev->lock, flags);
+
  /* Reset halt state (does flush) */
  lh7a40x_set_halt(_ep, 0);
- spin_unlock_irqrestore(&ep->dev->lock, flags);
-
  DEBUG("%s: enabled %s\n", __FUNCTION__, _ep->name);
  return 0;
 }
@@ -1775,6 +1775,7 @@ static void lh7a40x_ep0_setup(struct lh7a40x_udc *dev, u32 csr)
  break;
  qep = &dev->ep[ep_num];
+ spin_unlock(&dev->lock);
  if (ctrl.bRequest == USB_REQ_SET_FEATURE) {
  DEBUG_SETUP("SET_FEATURE (%d)\n",
  ep_num);
@@ -1784,6 +1785,7 @@ static void lh7a40x_ep0_setup(struct lh7a40x_udc *dev, u32 csr)
  ep_num);
  lh7a40x_set_halt(&qep->ep, 0);
  }
+ spin_lock(&dev->lock);
  usb_set_index(0);
  /* Reply with a ZLP on next IN token */
-- 
cgit v1.2.3

From 8763716bfe4d8a16bef28c9947cf9d799b1796a5 Mon Sep 17 00:00:00 2001
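Review bot: In drivers/usb/gadget/lh7a40x_udc.c, the two lh7a40x_ep0_setup hunks drop dev->lock in the middle of the interrupt path and retake it after lh7a40x_set_halt(), so state derived before the unlock (`qep`, `ep_num`) may no longer hold when `usb_set_index(0)` runs; the lh7a40x_ep_enable hunk opens a similar window between `spin_unlock_irqrestore` and the halt reset. SET_FEATURE and CLEAR_FEATURE requests come from the USB host, so this unlocked region is reachable from the bus and deserves a stated invariant. A sturdier shape would be a variant of lh7a40x_set_halt that expects dev->lock to be held, used at both call sites, with the existing function kept as the locking wrapper. At minimum I would add above each unlock `/* lh7a40x_set_halt() takes dev->lock itself; the lock is dropped here, do not rely on endpoint state read earlier */`. The lines between the two ep0_setup hunks and the rest of both functions are outside the hunks, so whether every path between `spin_unlock` and `spin_lock` stays balanced cannot be confirmed from here.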
From: Shaun Tancheff
Date: Wed, 22 Feb 2006 19:47:19 -0800
Subject: [PATCH] USB: Gadget RNDIS fix alloc bug. (buffer overflow)

Remote NDIS response to OID_GEN_SUPPORTED_LIST only allocated space for the data attached to the reply, and not the reply structure itself. This caused other kmalloc'd memory to be corrupted.

Signed-off-by: Shaun Tancheff
Signed-off-by: David Brownell
Signed-off-by: Greg Kroah-Hartman
---
 drivers/usb/gadget/rndis.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

(limited to 'drivers/usb/gadget')

diff --git a/drivers/usb/gadget/rndis.c b/drivers/usb/gadget/rndis.c
index 9689efeb364..6d6eaad7396 100644
--- a/drivers/usb/gadget/rndis.c
+++ b/drivers/usb/gadget/rndis.c
@@ -853,11 +853,14 @@ static int rndis_query_response (int configNr, rndis_query_msg_type *buf)
  // DEBUG("%s: OID = %08X\n", __FUNCTION__, cpu_to_le32(buf->OID));
  if (!rndis_per_dev_params [configNr].dev) return -ENOTSUPP;
- /*
- * we need more memory:
- * oid_supported_list is the largest answer
+ /*
+ * we need more memory:
+ * gen_ndis_query_resp expects enough space for
+ * rndis_query_cmplt_type followed by data.
+ * oid_supported_list is the largest data reply
  */
- r = rndis_add_response (configNr, sizeof (oid_supported_list));
+ r = rndis_add_response (configNr,
+ sizeof (oid_supported_list) + sizeof(rndis_query_cmplt_type));
  if (!r) return -ENOMEM;
  resp = (rndis_query_cmplt_type *) r->buf;
-- 
cgit v1.2.3
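Review bot: The new size in rndis_query_response, `sizeof (oid_supported_list) + sizeof(rndis_query_cmplt_type)`, still rests on the comment's assumption that oid_supported_list is the largest data reply; nothing visible in the hunk stops gen_ndis_query_resp from writing a longer reply into `r->buf` for some other OID. The OID arrives in the host's query message, so I would make the bound explicit: pass the data capacity to the response builder, or check the computed reply length against it before copying. The comment should then record it, e.g. `* every OID reply must fit in sizeof(oid_supported_list); enforced in gen_ndis_query_resp`. `configNr` also indexes rndis_per_dev_params with no range check in the visible lines; presumably callers validate it, but that is worth confirming. The function body continues outside the hunk.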