Pull in new upstream libusb containing important regression fixes

Resolves: #2058730
Resolves: #1938801

.gitignore

@@ -19,3 +19,6 @@
 /libusb-1.0.23.tar.bz2
 /libusb-1.0.24.tar.bz2
 /libusb-1.0.25.tar.bz2
+/libusb-1.0.25-rc1.tar.bz2
+/libusb-1.0.26-rc1.tar.bz2
+/libusb-1.0.26.tar.bz2

1058.patch

@@ -1,24 +0,0 @@
-From 2529a3fc4f987f93e0774af865ac7cb6557bd0c2 Mon Sep 17 00:00:00 2001
-From: Benjamin Berg <bberg@redhat.com>
-Date: Fri, 4 Feb 2022 22:50:28 +0100
-Subject: [PATCH] core: Unset device ctx if it has been destroyed
-
-Devices can outlive their context in some cases (in particular with
-python garbage collection). Guard against this happening by clearing the
-ctx pointer so that it is not pointing to uninitialized memory.
----
- libusb/core.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/libusb/core.c b/libusb/core.c
-index 7893ac23..1c1ada14 100644
---- a/libusb/core.c
-+++ b/libusb/core.c
-@@ -2441,6 +2441,7 @@ void API_EXPORTED libusb_exit(libusb_context *ctx)
- 	for_each_device(_ctx, dev) {
- 		usbi_warn(_ctx, "device %d.%d still referenced",
- 			dev->bus_number, dev->device_address);
-+		DEVICE_CTX(dev) = NULL;
- 	}
- 
- 	if (!list_empty(&_ctx->open_devs))

1067.patch

@@ -1,7 +1,7 @@
-From 8420de903a99fb6bfae22a21b2636858f2212baa Mon Sep 17 00:00:00 2001
+From 20b8e95bfc3a9c1be1752e65043a8ed9445fbbd2 Mon Sep 17 00:00:00 2001
 From: Benjamin Berg <bberg@redhat.com>
 Date: Thu, 15 Jul 2021 17:07:09 +0200
-Subject: [PATCH 01/17] examples: Fix warning about uninitlised variable
+Subject: [PATCH 01/18] examples: Fix warning about uninitlised variable
 
 ---
  examples/fxload.c | 3 ++-
@@ -22,10 +22,10 @@ index 541c3d3a3..85df69952 100644
  	unsigned int i, j;
  	unsigned vid = 0, pid = 0;
 
-From 23dcbd0521c56fb7543c4f8f73a2a1a4de69aa5e Mon Sep 17 00:00:00 2001
+From 0803cdc46314c70ad7f12a7c2d0b1df5b028a89d Mon Sep 17 00:00:00 2001
 From: Benjamin Berg <bberg@redhat.com>
 Date: Thu, 15 Jul 2021 17:08:12 +0200
-Subject: [PATCH 02/17] core: Add non-null annotations to avoid static analyser
+Subject: [PATCH 02/18] core: Add non-null annotations to avoid static analyser
  warnings
 
 It is only valid to call these inline functions with non-null values.
@@ -144,7 +144,7 @@ index 61cacc95a..ea09fa8d9 100644
  	struct libusb_transfer *transfer, unsigned int packet)
  {
 diff --git a/libusb/libusbi.h b/libusb/libusbi.h
-index 158a9af58..6c924e548 100644
+index b1fc88c99..db074160c 100644
 --- a/libusb/libusbi.h
 +++ b/libusb/libusbi.h
 @@ -192,11 +192,13 @@ struct list_head {
@@ -185,7 +185,7 @@ index 158a9af58..6c924e548 100644
  static inline void list_cut(struct list_head *list, struct list_head *head)
  {
  	if (list_empty(head)) {
-@@ -755,10 +760,10 @@ struct usbi_hotplug_message {
+@@ -773,10 +778,10 @@ struct usbi_hotplug_message {
  
  /* shared data and functions */
  
@@ -199,7 +199,7 @@ index 158a9af58..6c924e548 100644
  void usbi_hotplug_process(struct libusb_context *ctx, struct list_head *hotplug_msgs);
  
  int usbi_io_init(struct libusb_context *ctx);
-@@ -789,7 +794,8 @@ struct usbi_event_source {
+@@ -807,7 +812,8 @@ struct usbi_event_source {
  
  int usbi_add_event_source(struct libusb_context *ctx, usbi_os_handle_t os_handle,
  	short poll_events);
@@ -210,10 +210,10 @@ index 158a9af58..6c924e548 100644
  struct usbi_option {
    int is_set;
 
-From ac527ddcb72e6cd43f2e9d6ae973e9352856dcaf Mon Sep 17 00:00:00 2001
+From 3ba52d0d048214ee530c2343260965724291255a Mon Sep 17 00:00:00 2001
 From: Benjamin Berg <bberg@redhat.com>
 Date: Wed, 9 Feb 2022 19:21:09 +0100
-Subject: [PATCH 03/17] core: Silence dereference warnings using assertions in
+Subject: [PATCH 03/18] core: Silence dereference warnings using assertions in
  list_del
 
 It is guaranteed that entry->next and entry->prev are non-null for a
@@ -224,7 +224,7 @@ though, so add an appropriate assert in case debug mode is enabled.
  1 file changed, 4 insertions(+)
 
 diff --git a/libusb/libusbi.h b/libusb/libusbi.h
-index 6c924e548..faf6b5daf 100644
+index db074160c..27de77aa9 100644
 --- a/libusb/libusbi.h
 +++ b/libusb/libusbi.h
 @@ -222,6 +222,10 @@ static inline void list_add_tail(struct list_head *entry,
@@ -239,10 +239,10 @@ index 6c924e548..faf6b5daf 100644
  	entry->prev->next = entry->next;
  	entry->next = entry->prev = NULL;
 
-From f04d419c0e936333816c969605c2915d5592c328 Mon Sep 17 00:00:00 2001
+From 70486056d5668c94ea3a1824541ff2f36f378d3e Mon Sep 17 00:00:00 2001
 From: Benjamin Berg <bberg@redhat.com>
 Date: Thu, 15 Jul 2021 17:11:41 +0200
-Subject: [PATCH 04/17] core: Fix incorrect free if reallocating to zero size
+Subject: [PATCH 04/18] core: Fix incorrect free if reallocating to zero size
 
 A realloc to a size of 0 is equivalent to a free call. As such, in that
 case free'ing the original pointer would result in a double free. Fix
@@ -252,7 +252,7 @@ this by adding a check that the new size if larger than zero.
  1 file changed, 8 insertions(+), 1 deletion(-)
 
 diff --git a/libusb/libusbi.h b/libusb/libusbi.h
-index faf6b5daf..652d545ac 100644
+index 27de77aa9..dabf77a9d 100644
 --- a/libusb/libusbi.h
 +++ b/libusb/libusbi.h
 @@ -257,7 +257,14 @@ static inline void list_splice_front(struct list_head *list, struct list_head *h
@@ -272,10 +272,10 @@ index faf6b5daf..652d545ac 100644
  	if (!ret)
  		free(ptr);
 
-From 883b04fe516adb93a6a1df6c2b4b26e9a4de32be Mon Sep 17 00:00:00 2001
+From 73f565261d9284d9f6b0081e3e23fd49773f53c7 Mon Sep 17 00:00:00 2001
 From: Benjamin Berg <bberg@redhat.com>
 Date: Thu, 15 Jul 2021 17:13:18 +0200
-Subject: [PATCH 05/17] linux_usbfs: Work around static analyser thinking fd is
+Subject: [PATCH 05/18] linux_usbfs: Work around static analyser thinking fd is
  leaked
 
 Static analysis using coverity is detecting the file descriptor handle
@@ -291,7 +291,7 @@ pattern rather than returning from different places.
  1 file changed, 30 insertions(+), 21 deletions(-)
 
 diff --git a/libusb/os/linux_usbfs.c b/libusb/os/linux_usbfs.c
-index c3006753d..fe6319ee9 100644
+index 285d9caa7..1799a9ea0 100644
 --- a/libusb/os/linux_usbfs.c
 +++ b/libusb/os/linux_usbfs.c
 @@ -904,7 +904,8 @@ static int initialize_device(struct libusb_device *dev, uint8_t busnum,
@@ -413,10 +413,10 @@ index c3006753d..fe6319ee9 100644
  	return r;
  }
 
-From 06f4523117ffbe77fbc370a403cc274016867139 Mon Sep 17 00:00:00 2001
+From f6cc8938c5ccf3556cfa54fe8e1d26e627995731 Mon Sep 17 00:00:00 2001
 From: Benjamin Berg <bberg@redhat.com>
 Date: Wed, 9 Feb 2022 19:08:31 +0100
-Subject: [PATCH 06/17] examples: Fix warning about NULL pointer dereference
+Subject: [PATCH 06/18] examples: Fix warning about NULL pointer dereference
 
 It seems like coverity is getting confused by the transfers being global
 variables, thinking that img_transfer may become NULL again.
@@ -446,10 +446,10 @@ index 682865053..4a871ee4f 100644
  		return -1;
  	}
 
-From b2a2163b3893e57d839b5247072fcb2fdfd5d4e4 Mon Sep 17 00:00:00 2001
+From c2257799e48351e4ac09bb40794f3c8559d93459 Mon Sep 17 00:00:00 2001
 From: Benjamin Berg <bberg@redhat.com>
 Date: Wed, 9 Feb 2022 19:09:53 +0100
-Subject: [PATCH 07/17] examples: Assert the data fits into our static buffer
+Subject: [PATCH 07/18] examples: Assert the data fits into our static buffer
 
 ---
  examples/ezusb.c | 2 ++
@@ -476,10 +476,10 @@ index 4bed12a4c..0ea787190 100644
  		/* Read the target offset (address up to 64KB) */
  		tmp = buf[7];
 
-From 13fbb9923e4ee5b6d9dfa13396e1faf5da13a2af Mon Sep 17 00:00:00 2001
+From 9bd8bca34de151e191db4d33d717a36488f9a96e Mon Sep 17 00:00:00 2001
 From: Benjamin Berg <bberg@redhat.com>
 Date: Wed, 9 Feb 2022 19:11:28 +0100
-Subject: [PATCH 08/17] core: Tell coverity that libusb_open does not free
+Subject: [PATCH 08/18] core: Tell coverity that libusb_open does not free
 
 Internally, libusb_open does an unref in an error case. coverity doesn't
 seem to notice that this is balanced with the earlier ref, and thinks
@@ -493,10 +493,10 @@ the error, but the code is idiomatic as-is.
  1 file changed, 1 insertion(+)
 
 diff --git a/libusb/core.c b/libusb/core.c
-index 7893ac238..076c2bbbd 100644
+index ec429b7cf..b9bf844ee 100644
 --- a/libusb/core.c
 +++ b/libusb/core.c
-@@ -1293,6 +1293,7 @@ int API_EXPORTED libusb_wrap_sys_device(libusb_context *ctx, intptr_t sys_dev,
+@@ -1294,6 +1294,7 @@ int API_EXPORTED libusb_wrap_sys_device(libusb_context *ctx, intptr_t sys_dev,
   * \returns LIBUSB_ERROR_NO_DEVICE if the device has been disconnected
   * \returns another LIBUSB_ERROR code on other failure
   */
@@ -505,10 +505,10 @@ index 7893ac238..076c2bbbd 100644
  	libusb_device_handle **dev_handle)
  {
 
-From 1d576b41cfe229cbf98a3fc9aeb819562cccaaae Mon Sep 17 00:00:00 2001
+From 88e1269900cb8a581d6335d758b713d71ecd8d8e Mon Sep 17 00:00:00 2001
 From: Benjamin Berg <bberg@redhat.com>
 Date: Wed, 9 Feb 2022 19:13:26 +0100
-Subject: [PATCH 09/17] core: Remove unneeded bounds check
+Subject: [PATCH 09/18] core: Remove unneeded bounds check
 
 This makes the code slightly less efficient, but shuts up warnings that
 the later switch ends up with dead error handling code.
@@ -517,10 +517,10 @@ the later switch ends up with dead error handling code.
  1 file changed, 4 deletions(-)
 
 diff --git a/libusb/core.c b/libusb/core.c
-index 076c2bbbd..73fb6524a 100644
+index b9bf844ee..1643f9334 100644
 --- a/libusb/core.c
 +++ b/libusb/core.c
-@@ -2201,10 +2201,6 @@ int API_EXPORTED libusb_set_option(libusb_context *ctx,
+@@ -2202,10 +2202,6 @@ int API_EXPORTED libusb_set_option(libusb_context *ctx,
  		return r;
  	}
  
@@ -532,10 +532,10 @@ index 076c2bbbd..73fb6524a 100644
  		usbi_mutex_static_lock(&default_context_lock);
  		default_context_options[option].is_set = 1;
 
-From ca3e801e2f54308651a180e48e2381b5ed88eef1 Mon Sep 17 00:00:00 2001
+From 1eb546e65aaca0c47615a275a961bbeb123c838e Mon Sep 17 00:00:00 2001
 From: Benjamin Berg <bberg@redhat.com>
 Date: Wed, 9 Feb 2022 19:15:16 +0100
-Subject: [PATCH 10/17] descriptor: Avoid uninitialized memory warnings
+Subject: [PATCH 10/18] descriptor: Avoid uninitialized memory warnings
 
 The static analyzer has trouble understanding that get_config_descriptor
 fills in the config descriptor. Just initializing the memory silences
@@ -567,10 +567,10 @@ index 253ef1c31..dbcf061d9 100644
  		r = get_config_descriptor(dev, idx, _config.buf, sizeof(_config.buf));
  		if (r < 0)
 
-From e7a0c0d507d662ad3661f52286452880ef75f488 Mon Sep 17 00:00:00 2001
+From 0de57c4af4e637a0a8adfda9a907774add81c8ec Mon Sep 17 00:00:00 2001
 From: Benjamin Berg <bberg@redhat.com>
 Date: Wed, 9 Feb 2022 19:19:04 +0100
-Subject: [PATCH 11/17] io: Suppress invalid free warning from coverity
+Subject: [PATCH 11/18] io: Suppress invalid free warning from coverity
 
 Coverity is not understanding the pointer arithmetic involved with the
 transfer in-memory storage. As such, it flags the free as invalid, even
@@ -581,10 +581,10 @@ warning.
  1 file changed, 3 insertions(+), 1 deletion(-)
 
 diff --git a/libusb/io.c b/libusb/io.c
-index 0d2ac9ea2..d32cdc1bf 100644
+index b919e9d91..a801ee6aa 100644
 --- a/libusb/io.c
 +++ b/libusb/io.c
-@@ -1691,8 +1691,10 @@ int usbi_handle_transfer_completion(struct usbi_transfer *itransfer,
+@@ -1696,8 +1696,10 @@ int usbi_handle_transfer_completion(struct usbi_transfer *itransfer,
  		transfer->callback(transfer);
  	/* transfer might have been freed by the above call, do not use from
  	 * this point. */
@@ -593,14 +593,14 @@ index 0d2ac9ea2..d32cdc1bf 100644
 +		/* coverity[incorrect_free] is reported incorrectly here due to the memory layout */
  		libusb_free_transfer(transfer);
 +	}
- 	libusb_unref_device(dev_handle->dev);
  	return r;
  }
+ 
 
-From fc44484ef782bdb05880a26c502a7ea33c0eb72f Mon Sep 17 00:00:00 2001
+From 5dad238771240a6aa8234ba42511fb422c79800c Mon Sep 17 00:00:00 2001
 From: Benjamin Berg <bberg@redhat.com>
 Date: Wed, 9 Feb 2022 19:20:27 +0100
-Subject: [PATCH 12/17] io: Suppress missing unlock warning from coverity
+Subject: [PATCH 12/18] io: Suppress missing unlock warning from coverity
 
 The function is supposed to take the lock, as such, this is the expected
 behaviour.
@@ -609,10 +609,10 @@ behaviour.
  1 file changed, 1 insertion(+)
 
 diff --git a/libusb/io.c b/libusb/io.c
-index d32cdc1bf..96bd22861 100644
+index a801ee6aa..114087d94 100644
 --- a/libusb/io.c
 +++ b/libusb/io.c
-@@ -1786,6 +1786,7 @@ int API_EXPORTED libusb_try_lock_events(libusb_context *ctx)
+@@ -1790,6 +1790,7 @@ int API_EXPORTED libusb_try_lock_events(libusb_context *ctx)
  		return 1;
  
  	ctx->event_handler_active = 1;
@@ -621,10 +621,10 @@ index d32cdc1bf..96bd22861 100644
  }
  
 
-From c97e4bb846f41a112262df668e9d8e449555f295 Mon Sep 17 00:00:00 2001
+From 884b55a36ae4dfae6fda1120c948bcf17a333b95 Mon Sep 17 00:00:00 2001
 From: Benjamin Berg <bberg@redhat.com>
 Date: Wed, 9 Feb 2022 19:23:45 +0100
-Subject: [PATCH 13/17] events_posix: Silence warnings about zero-allocated
+Subject: [PATCH 13/18] events_posix: Silence warnings about zero-allocated
  memory
 
 The static analyser got confused by the fact that fds may be NULL if
@@ -653,10 +653,10 @@ index 715a2d551..172f8afe8 100644
  	if (!fds)
  		return LIBUSB_ERROR_NO_MEM;
 
-From 7e9919314f82c61df6950390412ab3b80c84b707 Mon Sep 17 00:00:00 2001
+From 4e2589b2e9981e5213fb4267550c10638f758add Mon Sep 17 00:00:00 2001
 From: Benjamin Berg <bberg@redhat.com>
 Date: Wed, 9 Feb 2022 19:25:40 +0100
-Subject: [PATCH 14/17] linux_usbfs: Disable sleep workaround when using udev
+Subject: [PATCH 14/18] linux_usbfs: Disable sleep workaround when using udev
 
 The workaround to sleep 10ms if a device node has not yet been created
 is definitely not needed with udev. I am not sure what the race looks
@@ -670,7 +670,7 @@ code.
  1 file changed, 3 insertions(+)
 
 diff --git a/libusb/os/linux_usbfs.c b/libusb/os/linux_usbfs.c
-index fe6319ee9..b4837895d 100644
+index 1799a9ea0..481eff6ef 100644
 --- a/libusb/os/linux_usbfs.c
 +++ b/libusb/os/linux_usbfs.c
 @@ -197,6 +197,8 @@ static int get_usbfs_fd(struct libusb_device *dev, mode_t mode, int silent)
@@ -691,10 +691,10 @@ index fe6319ee9..b4837895d 100644
  	if (!silent) {
  		usbi_err(ctx, "libusb couldn't open USB device %s, errno=%d", path, errno);
 
-From 126aacee12b49ed525534a81ad830db692654ba0 Mon Sep 17 00:00:00 2001
+From d237b8cca6c33e237da69ee096232d216f9202a8 Mon Sep 17 00:00:00 2001
 From: Benjamin Berg <bberg@redhat.com>
 Date: Wed, 9 Feb 2022 19:29:35 +0100
-Subject: [PATCH 15/17] linux_usbfs: Silence coverity warnings about returned
+Subject: [PATCH 15/18] linux_usbfs: Silence coverity warnings about returned
  offset
 
 The seek_to_next_config function returns an offset. This was marked as
@@ -705,7 +705,7 @@ surrounding code. Mark the return value to silence the warnings.
  1 file changed, 1 insertion(+)
 
 diff --git a/libusb/os/linux_usbfs.c b/libusb/os/linux_usbfs.c
-index b4837895d..ba55913f0 100644
+index 481eff6ef..d95ed3bea 100644
 --- a/libusb/os/linux_usbfs.c
 +++ b/libusb/os/linux_usbfs.c
 @@ -638,6 +638,7 @@ int linux_get_device_address(struct libusb_context *ctx, int detached,
@@ -717,10 +717,10 @@ index b4837895d..ba55913f0 100644
  	uint8_t *buffer, size_t len)
  {
 
-From 42679d2d8573dfc27b9c78f832749728997a516b Mon Sep 17 00:00:00 2001
+From ea73414f3309a908d2819991580b080cabca17eb Mon Sep 17 00:00:00 2001
 From: Benjamin Berg <bberg@redhat.com>
 Date: Wed, 9 Feb 2022 19:31:44 +0100
-Subject: [PATCH 16/17] linux_usbfs: Silence coverity warning about missing
+Subject: [PATCH 16/18] linux_usbfs: Silence coverity warning about missing
  locking
 
 The reap_status field is locked in most cases when it is accessed.
@@ -733,7 +733,7 @@ As such, add an appropriate comment to silence the warning.
  1 file changed, 1 insertion(+)
 
 diff --git a/libusb/os/linux_usbfs.c b/libusb/os/linux_usbfs.c
-index ba55913f0..2e65d66ce 100644
+index d95ed3bea..35cc54ab5 100644
 --- a/libusb/os/linux_usbfs.c
 +++ b/libusb/os/linux_usbfs.c
 @@ -1984,6 +1984,7 @@ static int submit_bulk_transfer(struct usbi_transfer *itransfer)
@@ -745,10 +745,10 @@ index ba55913f0..2e65d66ce 100644
  
  	for (i = 0; i < num_urbs; i++) {
 
-From 38cff7a438f7a00d76aa03cc1c35f6be395c167d Mon Sep 17 00:00:00 2001
+From 3c792a9b21ec07d9a3f369b9a79eec1e0f999823 Mon Sep 17 00:00:00 2001
 From: Benjamin Berg <bberg@redhat.com>
 Date: Thu, 10 Feb 2022 10:51:11 +0100
-Subject: [PATCH 17/17] core: Silence coverity by handling long log messages in
+Subject: [PATCH 17/18] core: Silence coverity by handling long log messages in
  one statement
 
 Having two statements seems to confuse coverity. Having two checks right
@@ -759,10 +759,10 @@ that the static analyzer is not getting confused.
  1 file changed, 5 insertions(+), 8 deletions(-)
 
 diff --git a/libusb/core.c b/libusb/core.c
-index 73fb6524a..03adcb758 100644
+index 1643f9334..359500a9a 100644
 --- a/libusb/core.c
 +++ b/libusb/core.c
-@@ -2629,16 +2629,13 @@ static void log_v(struct libusb_context *ctx, enum libusb_log_level level,
+@@ -2641,16 +2641,13 @@ static void log_v(struct libusb_context *ctx, enum libusb_log_level level,
  		header_len = 0;
  	}
  
@@ -784,3 +784,39 @@ index 73fb6524a..03adcb758 100644
  	}
  	strcpy(buf + header_len + text_len, USBI_LOG_LINE_END);
  
+
+From c6033e4f7f30a0ee1d872dc11ec461b812b5e4e6 Mon Sep 17 00:00:00 2001
+From: Benjamin Berg <bberg@redhat.com>
+Date: Thu, 31 Mar 2022 11:49:11 +0200
+Subject: [PATCH 18/18] linux: Avoid NULL pointer dereference warning from gcc
+
+This warning is a false positive. It occurs because the HANDLE_CTX
+checks whether the passed device handle is non-NULL, returning NULL if
+it is. However, in these cases the handle is guaranteed to not be NULL
+and adding an explicit non-NULL check does not avoid the warning.
+---
+ libusb/os/linux_usbfs.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libusb/os/linux_usbfs.c b/libusb/os/linux_usbfs.c
+index 35cc54ab5..6e3ea49af 100644
+--- a/libusb/os/linux_usbfs.c
++++ b/libusb/os/linux_usbfs.c
+@@ -1433,7 +1433,7 @@ static void op_close(struct libusb_device_handle *dev_handle)
+ 
+ 	/* fd may have already been removed by POLLERR condition in op_handle_events() */
+ 	if (!hpriv->fd_removed)
+-		usbi_remove_event_source(HANDLE_CTX(dev_handle), hpriv->fd);
++		usbi_remove_event_source(DEVICE_CTX(dev_handle->dev), hpriv->fd);
+ 	if (!hpriv->fd_keep)
+ 		close(hpriv->fd);
+ }
+@@ -2736,7 +2736,7 @@ static int op_handle_events(struct libusb_context *ctx,
+ 			/* remove the fd from the pollfd set so that it doesn't continuously
+ 			 * trigger an event, and flag that it has been removed so op_close()
+ 			 * doesn't try to remove it a second time */
+-			usbi_remove_event_source(HANDLE_CTX(handle), hpriv->fd);
++			usbi_remove_event_source(DEVICE_CTX(handle->dev), hpriv->fd);
+ 			hpriv->fd_removed = 1;
+ 
+ 			/* device will still be marked as attached if hotplug monitor thread

1073.patch

@@ -1,72 +0,0 @@
-From bf833ee6adf58bd4a4a468aa729cdc78bdc13ede Mon Sep 17 00:00:00 2001
-From: Benjamin Berg <bberg@redhat.com>
-Date: Tue, 15 Feb 2022 11:13:41 +0100
-Subject: [PATCH 1/2] core: Catch NULL dev_handle when getting a transfer's
- context
-
-The dev_handle will be set to NULL when the transfer is still in-flight
-while the device is closed. In that case, the transfer free function
-will try to access the context and would run into a NULL pointer
-dereference.
-
-Add a test for dev_handle being valid before dereferencing it further.
----
- libusb/libusbi.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/libusb/libusbi.h b/libusb/libusbi.h
-index 158a9af5..dde43df2 100644
---- a/libusb/libusbi.h
-+++ b/libusb/libusbi.h
-@@ -330,7 +330,7 @@ void usbi_log(struct libusb_context *ctx, enum libusb_log_level level,
- 
- #define DEVICE_CTX(dev)		((dev)->ctx)
- #define HANDLE_CTX(handle)	(DEVICE_CTX((handle)->dev))
--#define TRANSFER_CTX(transfer)	(HANDLE_CTX((transfer)->dev_handle))
-+#define TRANSFER_CTX(transfer)	((transfer)->dev_handle ? HANDLE_CTX((transfer)->dev_handle) : NULL)
- #define ITRANSFER_CTX(itransfer) \
- 	(TRANSFER_CTX(USBI_TRANSFER_TO_LIBUSB_TRANSFER(itransfer)))
- 
-
-From 6428090ea77dfb80906a146977ea7fd6de4718c8 Mon Sep 17 00:00:00 2001
-From: Benjamin Berg <bberg@redhat.com>
-Date: Tue, 15 Feb 2022 10:59:00 +0100
-Subject: [PATCH 2/2] io: Unset dev_handle when removing transfer from flying
- list
-
-API users might hold on to transfers a bit longer than they are in the
-flying list. If they then close the device prior to freeing all
-transfers, we would end up with invalid pointers to the device.
-
-Fix this by setting the device handle to NULL when removing the device
-from the flying list. This matches the behaviour when the device is
-closed while the transfer is still in the flying list.
-
-Specifically, the libgusb wrapper will currently only free the
-underlying transfer in a later mainloop iteration (as a side effect on
-how GTask does memory management). It is possible to fix this, but it
-would make memory management within libgusb much more error prone.
----
- libusb/io.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/libusb/io.c b/libusb/io.c
-index 0d2ac9ea..4e6d8984 100644
---- a/libusb/io.c
-+++ b/libusb/io.c
-@@ -1456,6 +1456,7 @@ static int add_to_flying_list(struct usbi_transfer *itransfer)
-  * if it fails to update the timer for the next timeout. */
- static int remove_from_flying_list(struct usbi_transfer *itransfer)
- {
-+	struct libusb_transfer *transfer = USBI_TRANSFER_TO_LIBUSB_TRANSFER(itransfer);
- 	struct libusb_context *ctx = ITRANSFER_CTX(itransfer);
- 	int rearm_timer;
- 	int r = 0;
-@@ -1466,6 +1467,7 @@ static int remove_from_flying_list(struct usbi_transfer *itransfer)
- 	list_del(&itransfer->list);
- 	if (rearm_timer)
- 		r = arm_timer_for_next_timeout(ctx);
-+	transfer->dev_handle = NULL;
- 	usbi_mutex_unlock(&ctx->flying_transfers_lock);
- 
- 	return r;

libusbx.spec

@@ -1,27 +1,23 @@
 Summary:        Library for accessing USB devices
 Name:           libusbx
-Version:        1.0.25
-Release:        2%{?dist}
+%define upstream 1.0.26
+Version:        %( echo %{upstream} | sed s/-/~/ )
+Release:        1%{?dist}
 # upstream libusbx has merged back with libusb and is now called libusb again
 # but we already have a libusb package for the old libusb-compat-0.1, renaming
 # that to libusb-compat while at the same time giving this its name is a bit
 # tricky, lets stick with the libusbx name for now
-Source0:        https://github.com/libusb/libusb/releases/download/v%{version}/libusb-%{version}.tar.bz2
+Source0:        https://github.com/libusb/libusb/releases/download/v%{upstream}/libusb-%{upstream}.tar.bz2
 License:        LGPLv2+
 URL:            http://libusb.info
 BuildRequires:  systemd-devel doxygen libtool
-BuildRequires: make
+BuildRequires:  make
+#BuildRequires:  umockdev-devel >= 0.16.0
 Provides:       libusb1 = %{version}-%{release}
 Obsoletes:      libusb1 <= 1.0.9
 
-# Fix a crash after libusb_exit API has been misused
-# https://bugzilla.redhat.com/show_bug.cgi?id=2050638
-Patch0001:      https://github.com/libusb/libusb/pull/1058.patch
-# Fix a crash if a transfer outlives closing the device
-Patch0002:      https://github.com/libusb/libusb/pull/1073.patch
-
 # Pull in coverity related fixes
-Patch9999:      https://github.com/libusb/libusb/pull/1067.patch
+Patch9991:      https://github.com/libusb/libusb/pull/1067.patch
 
 %description
 This package provides a way for applications to access USB devices.
@@ -65,7 +61,7 @@ This package contains tests and examples for %{name}.
 
 
 %prep
-%autosetup -p1 -n libusb-%{version}
+%autosetup -p1 -n libusb-%{upstream}
 chmod -x examples/*.c
 mkdir -p m4
 
@@ -85,6 +81,7 @@ popd
 %{make_install}
 mkdir -p $RPM_BUILD_ROOT%{_bindir}
 install -m 755 tests/.libs/stress $RPM_BUILD_ROOT%{_bindir}/libusb-test-stress
+#install -m 755 tests/.libs/umockdev $RPM_BUILD_ROOT%{_bindir}/libusb-test-umockdev
 install -m 755 examples/.libs/testlibusb \
     $RPM_BUILD_ROOT%{_bindir}/libusb-test-libusb
 # Some examples are very device-specific / require specific hw and miss --help
@@ -99,6 +96,7 @@ rm $RPM_BUILD_ROOT%{_libdir}/*.la
 %check
 LD_LIBRARY_PATH=libusb/.libs ldd $RPM_BUILD_ROOT%{_bindir}/libusb-test-stress
 LD_LIBRARY_PATH=libusb/.libs $RPM_BUILD_ROOT%{_bindir}/libusb-test-stress
+#LD_LIBRARY_PATH=libusb/.libs $RPM_BUILD_ROOT%{_bindir}/libusb-test-umockdev
 LD_LIBRARY_PATH=libusb/.libs $RPM_BUILD_ROOT%{_bindir}/libusb-test-libusb
 LD_LIBRARY_PATH=libusb/.libs $RPM_BUILD_ROOT%{_bindir}/libusb-example-listdevs
 
@@ -124,10 +122,21 @@ LD_LIBRARY_PATH=libusb/.libs $RPM_BUILD_ROOT%{_bindir}/libusb-example-listdevs
 %{_bindir}/libusb-example-listdevs
 %{_bindir}/libusb-example-xusb
 %{_bindir}/libusb-test-stress
+#%{_bindir}/libusb-test-umockdev
 %{_bindir}/libusb-test-libusb
 
 
 %changelog
+* Tue Apr 12 2022 Benjamin Berg <bberg@redhat.com> - 1.0.26
+- Pull in new upstream libusb containing important regression fixes
+  Resolves: #2058730
+  Resolves: #1938801
+
+* Mon Feb 28 2022 Benjamin Berg <bberg@redhat.com> - 1.0.25-3
+- Updated and new regression fixes
+  Resolves: #2058730
+  Related: #1938801
+
 * Tue Feb 15 2022 Benjamin Berg <bberg@redhat.com> - 1.0.25-2
 - Fix a crash if a transfer outlives closing the device
   Related: #1938801

sources

@@ -1 +1 @@
-SHA512 (libusb-1.0.25.tar.bz2) = f1e6e5577d4bd1ff136927dc66c615014a06ac332ddd797b1d1ad5f7b68e2405e66068dcb210e2f0ae3e31681603ef72efbd88bf7fbe0eb41ce700fdc3f92f9d
+SHA512 (libusb-1.0.26.tar.bz2) = fcdb85c98f21639668693c2fd522814d440972d65883984c4ae53d0555bdbdb7e8c7a32199cd4b01113556a1eb5be7841b750cc73c9f6bda79bfe1af80914e71

tests/run.sh

@@ -4,5 +4,6 @@ set -e
 
 ldd /usr/bin/libusb-test-stress
 /usr/bin/libusb-test-stress
+#/usr/bin/libusb-test-umockdev
 /usr/bin/libusb-test-libusb
 /usr/bin/libusb-example-listdevs