fixes for 5.2
authorSasha Levin <sashal@kernel.org>
Wed, 7 Aug 2019 02:37:30 +0000 (22:37 -0400)
committerSasha Levin <sashal@kernel.org>
Wed, 7 Aug 2019 02:37:30 +0000 (22:37 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
queue-5.2/alsa-usb-audio-fix-gpf-in-snd_usb_pipe_sanity_check.patch [new file with mode: 0644]
queue-5.2/alsa-usb-audio-sanity-checks-for-each-pipe-and-ep-ty.patch [new file with mode: 0644]
queue-5.2/series

diff --git a/queue-5.2/alsa-usb-audio-fix-gpf-in-snd_usb_pipe_sanity_check.patch b/queue-5.2/alsa-usb-audio-fix-gpf-in-snd_usb_pipe_sanity_check.patch
new file mode 100644 (file)
index 0000000..7881bca
--- /dev/null
@@ -0,0 +1,50 @@
+From bee7da131ff0f25d01375ebb62260221b9d99396 Mon Sep 17 00:00:00 2001
+From: Hillf Danton <hdanton@sina.com>
+Date: Tue, 30 Jul 2019 17:24:36 +0800
+Subject: ALSA: usb-audio: Fix gpf in snd_usb_pipe_sanity_check
+
+[ Upstream commit 5d78e1c2b7f4be00bbe62141603a631dc7812f35 ]
+
+syzbot found the following crash on:
+
+  general protection fault: 0000 [#1] SMP KASAN
+  RIP: 0010:snd_usb_pipe_sanity_check+0x80/0x130 sound/usb/helper.c:75
+  Call Trace:
+    snd_usb_motu_microbookii_communicate.constprop.0+0xa0/0x2fb  sound/usb/quirks.c:1007
+    snd_usb_motu_microbookii_boot_quirk sound/usb/quirks.c:1051 [inline]
+    snd_usb_apply_boot_quirk.cold+0x163/0x370 sound/usb/quirks.c:1280
+    usb_audio_probe+0x2ec/0x2010 sound/usb/card.c:576
+    usb_probe_interface+0x305/0x7a0 drivers/usb/core/driver.c:361
+    really_probe+0x281/0x650 drivers/base/dd.c:548
+    ....
+
+It was introduced in commit 801ebf1043ae for checking pipe and endpoint
+types. It is fixed by adding a check of the ep pointer in question.
+
+BugLink: https://syzkaller.appspot.com/bug?extid=d59c4387bfb6eced94e2
+Reported-by: syzbot <syzbot+d59c4387bfb6eced94e2@syzkaller.appspotmail.com>
+Fixes: 801ebf1043ae ("ALSA: usb-audio: Sanity checks for each pipe and EP types")
+Cc: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Hillf Danton <hdanton@sina.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/usb/helper.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/usb/helper.c b/sound/usb/helper.c
+index 71d5f540334a2..4c12cc5b53fda 100644
+--- a/sound/usb/helper.c
++++ b/sound/usb/helper.c
+@@ -72,7 +72,7 @@ int snd_usb_pipe_sanity_check(struct usb_device *dev, unsigned int pipe)
+       struct usb_host_endpoint *ep;
+       ep = usb_pipe_endpoint(dev, pipe);
+-      if (usb_pipetype(pipe) != pipetypes[usb_endpoint_type(&ep->desc)])
++      if (!ep || usb_pipetype(pipe) != pipetypes[usb_endpoint_type(&ep->desc)])
+               return -EINVAL;
+       return 0;
+ }
+-- 
+2.20.1
+
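Review bot: The new `!ep` test in snd_usb_pipe_sanity_check() has no comment explaining why the pointer can be NULL, and the condition alone does not make that obvious. I would add a line above it such as `/* usb_pipe_endpoint() returns NULL when the device has no endpoint for this pipe */`. The crash trace in the description shows the helper being reached from a boot quirk, so whether the endpoint exists depends on the descriptors the attached device presents. The function's opening lines, including the `pipetypes` table that the same condition indexes, are outside this hunk.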
diff --git a/queue-5.2/alsa-usb-audio-sanity-checks-for-each-pipe-and-ep-ty.patch b/queue-5.2/alsa-usb-audio-sanity-checks-for-each-pipe-and-ep-ty.patch
new file mode 100644 (file)
index 0000000..19599a1
--- /dev/null
@@ -0,0 +1,132 @@
+From 7d2713fe8d07dd16f4f4844a35cc94236c006a36 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 24 Jun 2019 15:08:28 +0200
+Subject: ALSA: usb-audio: Sanity checks for each pipe and EP types
+
+[ Upstream commit 801ebf1043ae7b182588554cc9b9ad3c14bc2ab5 ]
+
+The recent USB core code performs sanity checks for the given pipe and
+EP types, and it can be hit by manipulated USB descriptors by syzbot.
+For making syzbot happier, this patch introduces a local helper for a
+sanity check in the driver side and calls it at each place before the
+message handling, so that we can avoid the WARNING splats.
+
+Reported-by: syzbot+d952e5e28f5fb7718d23@syzkaller.appspotmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/usb/helper.c | 17 +++++++++++++++++
+ sound/usb/helper.h |  1 +
+ sound/usb/quirks.c | 18 +++++++++++++++---
+ 3 files changed, 33 insertions(+), 3 deletions(-)
+
+diff --git a/sound/usb/helper.c b/sound/usb/helper.c
+index 84aa265dd802c..71d5f540334a2 100644
+--- a/sound/usb/helper.c
++++ b/sound/usb/helper.c
+@@ -63,6 +63,20 @@ void *snd_usb_find_csint_desc(void *buffer, int buflen, void *after, u8 dsubtype
+       return NULL;
+ }
++/* check the validity of pipe and EP types */
++int snd_usb_pipe_sanity_check(struct usb_device *dev, unsigned int pipe)
++{
++      static const int pipetypes[4] = {
++              PIPE_CONTROL, PIPE_ISOCHRONOUS, PIPE_BULK, PIPE_INTERRUPT
++      };
++      struct usb_host_endpoint *ep;
++
++      ep = usb_pipe_endpoint(dev, pipe);
++      if (usb_pipetype(pipe) != pipetypes[usb_endpoint_type(&ep->desc)])
++              return -EINVAL;
++      return 0;
++}
++
+ /*
+  * Wrapper for usb_control_msg().
+  * Allocates a temp buffer to prevent dmaing from/to the stack.
+@@ -75,6 +89,9 @@ int snd_usb_ctl_msg(struct usb_device *dev, unsigned int pipe, __u8 request,
+       void *buf = NULL;
+       int timeout;
++      if (snd_usb_pipe_sanity_check(dev, pipe))
++              return -EINVAL;
++
+       if (size > 0) {
+               buf = kmemdup(data, size, GFP_KERNEL);
+               if (!buf)
+diff --git a/sound/usb/helper.h b/sound/usb/helper.h
+index d338bd0e0ca60..6afb70156ec4f 100644
+--- a/sound/usb/helper.h
++++ b/sound/usb/helper.h
+@@ -7,6 +7,7 @@ unsigned int snd_usb_combine_bytes(unsigned char *bytes, int size);
+ void *snd_usb_find_desc(void *descstart, int desclen, void *after, u8 dtype);
+ void *snd_usb_find_csint_desc(void *descstart, int desclen, void *after, u8 dsubtype);
++int snd_usb_pipe_sanity_check(struct usb_device *dev, unsigned int pipe);
+ int snd_usb_ctl_msg(struct usb_device *dev, unsigned int pipe,
+                   __u8 request, __u8 requesttype, __u16 value, __u16 index,
+                   void *data, __u16 size);
+diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c
+index cf5cff10c08e8..78858918cbc10 100644
+--- a/sound/usb/quirks.c
++++ b/sound/usb/quirks.c
+@@ -828,11 +828,13 @@ static int snd_usb_novation_boot_quirk(struct usb_device *dev)
+ static int snd_usb_accessmusic_boot_quirk(struct usb_device *dev)
+ {
+       int err, actual_length;
+-
+       /* "midi send" enable */
+       static const u8 seq[] = { 0x4e, 0x73, 0x52, 0x01 };
++      void *buf;
+-      void *buf = kmemdup(seq, ARRAY_SIZE(seq), GFP_KERNEL);
++      if (snd_usb_pipe_sanity_check(dev, usb_sndintpipe(dev, 0x05)))
++              return -EINVAL;
++      buf = kmemdup(seq, ARRAY_SIZE(seq), GFP_KERNEL);
+       if (!buf)
+               return -ENOMEM;
+       err = usb_interrupt_msg(dev, usb_sndintpipe(dev, 0x05), buf,
+@@ -857,7 +859,11 @@ static int snd_usb_accessmusic_boot_quirk(struct usb_device *dev)
+ static int snd_usb_nativeinstruments_boot_quirk(struct usb_device *dev)
+ {
+-      int ret = usb_control_msg(dev, usb_sndctrlpipe(dev, 0),
++      int ret;
++
++      if (snd_usb_pipe_sanity_check(dev, usb_sndctrlpipe(dev, 0)))
++              return -EINVAL;
++      ret = usb_control_msg(dev, usb_sndctrlpipe(dev, 0),
+                                 0xaf, USB_TYPE_VENDOR | USB_RECIP_DEVICE,
+                                 1, 0, NULL, 0, 1000);
+@@ -964,6 +970,8 @@ static int snd_usb_axefx3_boot_quirk(struct usb_device *dev)
+       dev_dbg(&dev->dev, "Waiting for Axe-Fx III to boot up...\n");
++      if (snd_usb_pipe_sanity_check(dev, usb_sndctrlpipe(dev, 0)))
++              return -EINVAL;
+       /* If the Axe-Fx III has not fully booted, it will timeout when trying
+        * to enable the audio streaming interface. A more generous timeout is
+        * used here to detect when the Axe-Fx III has finished booting as the
+@@ -996,6 +1004,8 @@ static int snd_usb_motu_microbookii_communicate(struct usb_device *dev, u8 *buf,
+ {
+       int err, actual_length;
++      if (snd_usb_pipe_sanity_check(dev, usb_sndintpipe(dev, 0x01)))
++              return -EINVAL;
+       err = usb_interrupt_msg(dev, usb_sndintpipe(dev, 0x01), buf, *length,
+                               &actual_length, 1000);
+       if (err < 0)
+@@ -1006,6 +1016,8 @@ static int snd_usb_motu_microbookii_communicate(struct usb_device *dev, u8 *buf,
+       memset(buf, 0, buf_size);
++      if (snd_usb_pipe_sanity_check(dev, usb_rcvintpipe(dev, 0x82)))
++              return -EINVAL;
+       err = usb_interrupt_msg(dev, usb_rcvintpipe(dev, 0x82), buf, buf_size,
+                               &actual_length, 1000);
+       if (err < 0)
+-- 
+2.20.1
+
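Review bot: In snd_usb_motu_microbookii_communicate() the check on `usb_rcvintpipe(dev, 0x82)` runs only after the first usb_interrupt_msg() has already sent data on endpoint 0x01. A device with a bad IN endpoint is therefore rejected halfway through the exchange rather than before any I/O. Validating both pipes at the top would fail earlier and keep the two checks together, e.g. `if (snd_usb_pipe_sanity_check(dev, usb_sndintpipe(dev, 0x01)) || snd_usb_pipe_sanity_check(dev, usb_rcvintpipe(dev, 0x82)))` followed by `return -EINVAL;`. The function body starts and ends outside these hunks, so confirm that nothing between the two transfers relies on the current ordering.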
index 42531faf243079c4fbc51f6f80c7ae3a34f4306f..a3d78cb77c85e4b87c13b86f08310fa93cce931e 100644 (file)
@@ -1,3 +1,5 @@
 scsi-fcoe-embed-fc_rport_priv-in-fcoe_rport-structure.patch
 libnvdimm-bus-prepare-the-nd_ioctl-path-to-be-re-ent.patch
 libnvdimm-bus-fix-wait_nvdimm_bus_probe_idle-abba-de.patch
+alsa-usb-audio-sanity-checks-for-each-pipe-and-ep-ty.patch
+alsa-usb-audio-fix-gpf-in-snd_usb_pipe_sanity_check.patch