USB: pid_ns: ensure pid is not freed during kill_pid_info_as_uid
[linux-2.6.git] / drivers / usb / core / devio.c
index a7131ad..0ca54e2 100644 (file)
@@ -407,7 +407,7 @@ static void async_completed(struct urb *urb)
                sinfo.si_errno = as->status;
                sinfo.si_code = SI_ASYNCIO;
                sinfo.si_addr = as->userurb;
-               pid = as->pid;
+               pid = get_pid(as->pid);
                uid = as->uid;
                euid = as->euid;
                secid = as->secid;
@@ -422,9 +422,11 @@ static void async_completed(struct urb *urb)
                cancel_bulk_urbs(ps, as->bulk_addr);
        spin_unlock(&ps->lock);
 
-       if (signr)
+       if (signr) {
                kill_pid_info_as_uid(sinfo.si_signo, &sinfo, pid, uid,
                                      euid, secid);
+               put_pid(pid);
+       }
 
        wake_up(&ps->wait);
 }
@@ -607,9 +609,10 @@ static int findintfep(struct usb_device *dev, unsigned int ep)
 }
 
 static int check_ctrlrecip(struct dev_state *ps, unsigned int requesttype,
-                          unsigned int index)
+                          unsigned int request, unsigned int index)
 {
        int ret = 0;
+       struct usb_host_interface *alt_setting;
 
        if (ps->dev->state != USB_STATE_UNAUTHENTICATED
         && ps->dev->state != USB_STATE_ADDRESS
@@ -618,6 +621,19 @@ static int check_ctrlrecip(struct dev_state *ps, unsigned int requesttype,
        if (USB_TYPE_VENDOR == (USB_TYPE_MASK & requesttype))
                return 0;
 
+       /*
+        * check for the special corner case 'get_device_id' in the printer
+        * class specification, where wIndex is (interface << 8 | altsetting)
+        * instead of just interface
+        */
+       if (requesttype == 0xa1 && request == 0) {
+               alt_setting = usb_find_alt_setting(ps->dev->actconfig,
+                                                  index >> 8, index & 0xff);
+               if (alt_setting
+                && alt_setting->desc.bInterfaceClass == USB_CLASS_PRINTER)
+                       index >>= 8;
+       }
+
        index &= 0xff;
        switch (requesttype & USB_RECIP_MASK) {
        case USB_RECIP_ENDPOINT:
@@ -770,7 +786,8 @@ static int proc_control(struct dev_state *ps, void __user *arg)
 
        if (copy_from_user(&ctrl, arg, sizeof(ctrl)))
                return -EFAULT;
-       ret = check_ctrlrecip(ps, ctrl.bRequestType, ctrl.wIndex);
+       ret = check_ctrlrecip(ps, ctrl.bRequestType, ctrl.bRequest,
+                             ctrl.wIndex);
        if (ret)
                return ret;
        wLength = ctrl.wLength;         /* To suppress 64k PAGE_SIZE warning */
@@ -802,7 +819,7 @@ static int proc_control(struct dev_state *ps, void __user *arg)
                                    tbuf, ctrl.wLength, tmo);
                usb_lock_device(dev);
                snoop_urb(dev, NULL, pipe, max(i, 0), min(i, 0), COMPLETE,
-                       tbuf, i);
+                         tbuf, max(i, 0));
                if ((i > 0) && ctrl.wLength) {
                        if (copy_to_user(ctrl.data, tbuf, i)) {
                                free_page((unsigned long)tbuf);
@@ -1100,7 +1117,7 @@ static int proc_do_submiturb(struct dev_state *ps, struct usbdevfs_urb *uurb,
                        kfree(dr);
                        return -EINVAL;
                }
-               ret = check_ctrlrecip(ps, dr->bRequestType,
+               ret = check_ctrlrecip(ps, dr->bRequestType, dr->bRequest,
                                      le16_to_cpup(&dr->wIndex));
                if (ret) {
                        kfree(dr);