]> git.ipfire.org Git - thirdparty/kernel/stable-queue.git/commitdiff
3.18-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 5 Jan 2019 08:34:40 +0000 (09:34 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 5 Jan 2019 08:34:40 +0000 (09:34 +0100)
added patches:
usb-r8a66597-fix-a-possible-concurrency-use-after-free-bug-in-r8a66597_endpoint_disable.patch
usb-serial-pl2303-add-ids-for-hewlett-packard-hp-pos-pole-displays.patch

queue-3.18/series
queue-3.18/usb-r8a66597-fix-a-possible-concurrency-use-after-free-bug-in-r8a66597_endpoint_disable.patch [new file with mode: 0644]
queue-3.18/usb-serial-pl2303-add-ids-for-hewlett-packard-hp-pos-pole-displays.patch [new file with mode: 0644]

index 7fdea4b146234717b27b66d9da8230fae72d8a3a..e067ff0732d2445e04c71311784320ed4ec66807 100644 (file)
@@ -17,3 +17,5 @@ vhost-make-sure-used-idx-is-seen-before-log-in-vhost_add_used_n.patch
 vsock-send-reset-control-packet-when-socket-is-partially-bound.patch
 xen-netfront-tolerate-frags-with-no-data.patch
 sock-make-sock-sk_stamp-thread-safe.patch
+usb-serial-pl2303-add-ids-for-hewlett-packard-hp-pos-pole-displays.patch
+usb-r8a66597-fix-a-possible-concurrency-use-after-free-bug-in-r8a66597_endpoint_disable.patch
diff --git a/queue-3.18/usb-r8a66597-fix-a-possible-concurrency-use-after-free-bug-in-r8a66597_endpoint_disable.patch b/queue-3.18/usb-r8a66597-fix-a-possible-concurrency-use-after-free-bug-in-r8a66597_endpoint_disable.patch
new file mode 100644 (file)
index 0000000..6bb9952
--- /dev/null
@@ -0,0 +1,67 @@
+From c85400f886e3d41e69966470879f635a2b50084c Mon Sep 17 00:00:00 2001
+From: Jia-Ju Bai <baijiaju1990@gmail.com>
+Date: Tue, 18 Dec 2018 20:04:25 +0800
+Subject: usb: r8a66597: Fix a possible concurrency use-after-free bug in r8a66597_endpoint_disable()
+
+From: Jia-Ju Bai <baijiaju1990@gmail.com>
+
+commit c85400f886e3d41e69966470879f635a2b50084c upstream.
+
+The function r8a66597_endpoint_disable() and r8a66597_urb_enqueue() may
+be concurrently executed.
+The two functions both access a possible shared variable "hep->hcpriv".
+
+This shared variable is freed by r8a66597_endpoint_disable() via the
+call path:
+r8a66597_endpoint_disable
+  kfree(hep->hcpriv) (line 1995 in Linux-4.19)
+
+This variable is read by r8a66597_urb_enqueue() via the call path:
+r8a66597_urb_enqueue
+  spin_lock_irqsave(&r8a66597->lock)
+  init_pipe_info
+    enable_r8a66597_pipe
+      pipe = hep->hcpriv (line 802 in Linux-4.19)
+
+The read operation is protected by a spinlock, but the free operation
+is not protected by this spinlock, thus a concurrency use-after-free bug
+may occur.
+
+To fix this bug, the spin-lock and spin-unlock function calls in
+r8a66597_endpoint_disable() are moved to protect the free operation.
+
+Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/r8a66597-hcd.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/host/r8a66597-hcd.c
++++ b/drivers/usb/host/r8a66597-hcd.c
+@@ -1990,6 +1990,8 @@ static int r8a66597_urb_dequeue(struct u
+ static void r8a66597_endpoint_disable(struct usb_hcd *hcd,
+                                     struct usb_host_endpoint *hep)
++__acquires(r8a66597->lock)
++__releases(r8a66597->lock)
+ {
+       struct r8a66597 *r8a66597 = hcd_to_r8a66597(hcd);
+       struct r8a66597_pipe *pipe = (struct r8a66597_pipe *)hep->hcpriv;
+@@ -2002,13 +2004,14 @@ static void r8a66597_endpoint_disable(st
+               return;
+       pipenum = pipe->info.pipenum;
++      spin_lock_irqsave(&r8a66597->lock, flags);
+       if (pipenum == 0) {
+               kfree(hep->hcpriv);
+               hep->hcpriv = NULL;
++              spin_unlock_irqrestore(&r8a66597->lock, flags);
+               return;
+       }
+-      spin_lock_irqsave(&r8a66597->lock, flags);
+       pipe_stop(r8a66597, pipe);
+       pipe_irq_disable(r8a66597, pipenum);
+       disable_irq_empty(r8a66597, pipenum);
diff --git a/queue-3.18/usb-serial-pl2303-add-ids-for-hewlett-packard-hp-pos-pole-displays.patch b/queue-3.18/usb-serial-pl2303-add-ids-for-hewlett-packard-hp-pos-pole-displays.patch
new file mode 100644 (file)
index 0000000..440eff4
--- /dev/null
@@ -0,0 +1,61 @@
+From 8d503f206c336677954160ac62f0c7d9c219cd89 Mon Sep 17 00:00:00 2001
+From: Scott Chen <scott@labau.com.tw>
+Date: Thu, 13 Dec 2018 06:01:47 -0500
+Subject: USB: serial: pl2303: add ids for Hewlett-Packard HP POS pole displays
+
+From: Scott Chen <scott@labau.com.tw>
+
+commit 8d503f206c336677954160ac62f0c7d9c219cd89 upstream.
+
+Add device ids to pl2303 for the HP POS pole displays:
+LM920:   03f0:026b
+TD620:   03f0:0956
+LD960TA: 03f0:4439
+LD220TA: 03f0:4349
+LM940:   03f0:5039
+
+Signed-off-by: Scott Chen <scott@labau.com.tw>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/pl2303.c |    5 +++++
+ drivers/usb/serial/pl2303.h |    5 +++++
+ 2 files changed, 10 insertions(+)
+
+--- a/drivers/usb/serial/pl2303.c
++++ b/drivers/usb/serial/pl2303.c
+@@ -84,9 +84,14 @@ static const struct usb_device_id id_tab
+       { USB_DEVICE(YCCABLE_VENDOR_ID, YCCABLE_PRODUCT_ID) },
+       { USB_DEVICE(SUPERIAL_VENDOR_ID, SUPERIAL_PRODUCT_ID) },
+       { USB_DEVICE(HP_VENDOR_ID, HP_LD220_PRODUCT_ID) },
++      { USB_DEVICE(HP_VENDOR_ID, HP_LD220TA_PRODUCT_ID) },
+       { USB_DEVICE(HP_VENDOR_ID, HP_LD960_PRODUCT_ID) },
++      { USB_DEVICE(HP_VENDOR_ID, HP_LD960TA_PRODUCT_ID) },
+       { USB_DEVICE(HP_VENDOR_ID, HP_LCM220_PRODUCT_ID) },
+       { USB_DEVICE(HP_VENDOR_ID, HP_LCM960_PRODUCT_ID) },
++      { USB_DEVICE(HP_VENDOR_ID, HP_LM920_PRODUCT_ID) },
++      { USB_DEVICE(HP_VENDOR_ID, HP_LM940_PRODUCT_ID) },
++      { USB_DEVICE(HP_VENDOR_ID, HP_TD620_PRODUCT_ID) },
+       { USB_DEVICE(CRESSI_VENDOR_ID, CRESSI_EDY_PRODUCT_ID) },
+       { USB_DEVICE(ZEAGLE_VENDOR_ID, ZEAGLE_N2ITION3_PRODUCT_ID) },
+       { USB_DEVICE(SONY_VENDOR_ID, SONY_QN3USB_PRODUCT_ID) },
+--- a/drivers/usb/serial/pl2303.h
++++ b/drivers/usb/serial/pl2303.h
+@@ -121,10 +121,15 @@
+ /* Hewlett-Packard POS Pole Displays */
+ #define HP_VENDOR_ID          0x03f0
++#define HP_LM920_PRODUCT_ID   0x026b
++#define HP_TD620_PRODUCT_ID   0x0956
+ #define HP_LD960_PRODUCT_ID   0x0b39
+ #define HP_LCM220_PRODUCT_ID  0x3139
+ #define HP_LCM960_PRODUCT_ID  0x3239
+ #define HP_LD220_PRODUCT_ID   0x3524
++#define HP_LD220TA_PRODUCT_ID 0x4349
++#define HP_LD960TA_PRODUCT_ID 0x4439
++#define HP_LM940_PRODUCT_ID   0x5039
+ /* Cressi Edy (diving computer) PC interface */
+ #define CRESSI_VENDOR_ID      0x04b8