--- /dev/null
+From 265df32eae5845212ad9f55f5ae6b6dcb68b187b Mon Sep 17 00:00:00 2001
+From: Fabio Estevam <festevam@gmail.com>
+Date: Thu, 9 May 2019 09:15:00 -0300
+Subject: ath10k: Change the warning message string
+
+From: Fabio Estevam <festevam@gmail.com>
+
+commit 265df32eae5845212ad9f55f5ae6b6dcb68b187b upstream.
+
+The "WARNING" string confuses syzbot, which thinks it found
+a crash [1].
+
+Change the string to avoid such problem.
+
+[1] https://lkml.org/lkml/2019/5/9/243
+
+Reported-by: syzbot+c1b25598aa60dcd47e78@syzkaller.appspotmail.com
+Suggested-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Fabio Estevam <festevam@gmail.com>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/ath/ath10k/usb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/ath/ath10k/usb.c
++++ b/drivers/net/wireless/ath/ath10k/usb.c
+@@ -1025,7 +1025,7 @@ static int ath10k_usb_probe(struct usb_i
+ }
+
+ /* TODO: remove this once USB support is fully implemented */
+- ath10k_warn(ar, "WARNING: ath10k USB support is incomplete, don't expect anything to work!\n");
++ ath10k_warn(ar, "Warning: ath10k USB support is incomplete, don't expect anything to work!\n");
+
+ return 0;
+
--- /dev/null
+From f384e62a82ba5d85408405fdd6aeff89354deaa9 Mon Sep 17 00:00:00 2001
+From: Phong Tran <tranmanphong@gmail.com>
+Date: Mon, 15 Jul 2019 22:08:14 +0700
+Subject: ISDN: hfcsusb: checking idx of ep configuration
+
+From: Phong Tran <tranmanphong@gmail.com>
+
+commit f384e62a82ba5d85408405fdd6aeff89354deaa9 upstream.
+
+The syzbot test with random endpoint address which made the idx is
+overflow in the table of endpoint configuations.
+
+this adds the checking for fixing the error report from
+syzbot
+
+KASAN: stack-out-of-bounds Read in hfcsusb_probe [1]
+The patch tested by syzbot [2]
+
+Reported-by: syzbot+8750abbc3a46ef47d509@syzkaller.appspotmail.com
+
+[1]:
+https://syzkaller.appspot.com/bug?id=30a04378dac680c5d521304a00a86156bb913522
+[2]:
+https://groups.google.com/d/msg/syzkaller-bugs/_6HBdge8F3E/OJn7wVNpBAAJ
+
+Signed-off-by: Phong Tran <tranmanphong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/isdn/hardware/mISDN/hfcsusb.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/isdn/hardware/mISDN/hfcsusb.c
++++ b/drivers/isdn/hardware/mISDN/hfcsusb.c
+@@ -1967,6 +1967,9 @@ hfcsusb_probe(struct usb_interface *intf
+
+ /* get endpoint base */
+ idx = ((ep_addr & 0x7f) - 1) * 2;
++ if (idx > 15)
++ return -EIO;
++
+ if (ep_addr & 0x80)
+ idx++;
+ attr = ep->desc.bmAttributes;
--- /dev/null
+From 6d0d1ff9ff21fbb06b867c13a1d41ce8ddcd8230 Mon Sep 17 00:00:00 2001
+From: Sean Young <sean@mess.org>
+Date: Sun, 19 May 2019 15:28:22 -0400
+Subject: media: au0828: fix null dereference in error path
+
+From: Sean Young <sean@mess.org>
+
+commit 6d0d1ff9ff21fbb06b867c13a1d41ce8ddcd8230 upstream.
+
+au0828_usb_disconnect() gets the au0828_dev struct via usb_get_intfdata,
+so it needs to set up for the error paths.
+
+Reported-by: syzbot+357d86bcb4cca1a2f572@syzkaller.appspotmail.com
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/au0828/au0828-core.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/media/usb/au0828/au0828-core.c
++++ b/drivers/media/usb/au0828/au0828-core.c
+@@ -623,6 +623,12 @@ static int au0828_usb_probe(struct usb_i
+ /* Setup */
+ au0828_card_setup(dev);
+
++ /*
++ * Store the pointer to the au0828_dev so it can be accessed in
++ * au0828_usb_disconnect
++ */
++ usb_set_intfdata(interface, dev);
++
+ /* Analog TV */
+ retval = au0828_analog_register(dev, interface);
+ if (retval) {
+@@ -641,12 +647,6 @@ static int au0828_usb_probe(struct usb_i
+ /* Remote controller */
+ au0828_rc_register(dev);
+
+- /*
+- * Store the pointer to the au0828_dev so it can be accessed in
+- * au0828_usb_disconnect
+- */
+- usb_set_intfdata(interface, dev);
+-
+ pr_info("Registered device AU0828 [%s]\n",
+ dev->board.name == NULL ? "Unset" : dev->board.name);
+
--- /dev/null
+From eff73de2b1600ad8230692f00bc0ab49b166512a Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Thu, 9 May 2019 04:57:09 -0400
+Subject: media: cpia2_usb: first wake up, then free in disconnect
+
+From: Oliver Neukum <oneukum@suse.com>
+
+commit eff73de2b1600ad8230692f00bc0ab49b166512a upstream.
+
+Kasan reported a use after free in cpia2_usb_disconnect()
+It first freed everything and then woke up those waiting.
+The reverse order is correct.
+
+Fixes: 6c493f8b28c67 ("[media] cpia2: major overhaul to get it in a working state again")
+
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Reported-by: syzbot+0c90fc937c84f97d0aa6@syzkaller.appspotmail.com
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/cpia2/cpia2_usb.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/usb/cpia2/cpia2_usb.c
++++ b/drivers/media/usb/cpia2/cpia2_usb.c
+@@ -902,7 +902,6 @@ static void cpia2_usb_disconnect(struct
+ cpia2_unregister_camera(cam);
+ v4l2_device_disconnect(&cam->v4l2_dev);
+ mutex_unlock(&cam->v4l2_lock);
+- v4l2_device_put(&cam->v4l2_dev);
+
+ if(cam->buffers) {
+ DBG("Wakeup waiting processes\n");
+@@ -911,6 +910,8 @@ static void cpia2_usb_disconnect(struct
+ wake_up_interruptible(&cam->wq_stream);
+ }
+
++ v4l2_device_put(&cam->v4l2_dev);
++
+ LOG("CPiA2 camera disconnected.\n");
+ }
+
--- /dev/null
+From 1753c7c4367aa1201e1e5d0a601897ab33444af1 Mon Sep 17 00:00:00 2001
+From: Andrey Konovalov <andreyknvl@google.com>
+Date: Thu, 2 May 2019 12:09:26 -0400
+Subject: media: pvrusb2: use a different format for warnings
+
+From: Andrey Konovalov <andreyknvl@google.com>
+
+commit 1753c7c4367aa1201e1e5d0a601897ab33444af1 upstream.
+
+When the pvrusb2 driver detects that there's something wrong with the
+device, it prints a warning message. Right now those message are
+printed in two different formats:
+
+1. ***WARNING*** message here
+2. WARNING: message here
+
+There's an issue with the second format. Syzkaller recognizes it as a
+message produced by a WARN_ON(), which is used to indicate a bug in the
+kernel. However pvrusb2 prints those warnings to indicate an issue with
+the device, not the bug in the kernel.
+
+This patch changes the pvrusb2 driver to consistently use the first
+warning message format. This will unblock syzkaller testing of this
+driver.
+
+Reported-by: syzbot+af8f8d2ac0d39b0ed3a0@syzkaller.appspotmail.com
+Reported-by: syzbot+170a86bf206dd2c6217e@syzkaller.appspotmail.com
+Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/pvrusb2/pvrusb2-hdw.c | 4 ++--
+ drivers/media/usb/pvrusb2/pvrusb2-i2c-core.c | 6 +++---
+ drivers/media/usb/pvrusb2/pvrusb2-std.c | 2 +-
+ 3 files changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
++++ b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
+@@ -1680,7 +1680,7 @@ static int pvr2_decoder_enable(struct pv
+ }
+ if (!hdw->flag_decoder_missed) {
+ pvr2_trace(PVR2_TRACE_ERROR_LEGS,
+- "WARNING: No decoder present");
++ "***WARNING*** No decoder present");
+ hdw->flag_decoder_missed = !0;
+ trace_stbit("flag_decoder_missed",
+ hdw->flag_decoder_missed);
+@@ -2366,7 +2366,7 @@ struct pvr2_hdw *pvr2_hdw_create(struct
+ if (hdw_desc->flag_is_experimental) {
+ pvr2_trace(PVR2_TRACE_INFO, "**********");
+ pvr2_trace(PVR2_TRACE_INFO,
+- "WARNING: Support for this device (%s) is experimental.",
++ "***WARNING*** Support for this device (%s) is experimental.",
+ hdw_desc->description);
+ pvr2_trace(PVR2_TRACE_INFO,
+ "Important functionality might not be entirely working.");
+--- a/drivers/media/usb/pvrusb2/pvrusb2-i2c-core.c
++++ b/drivers/media/usb/pvrusb2/pvrusb2-i2c-core.c
+@@ -343,11 +343,11 @@ static int i2c_hack_cx25840(struct pvr2_
+
+ if ((ret != 0) || (*rdata == 0x04) || (*rdata == 0x0a)) {
+ pvr2_trace(PVR2_TRACE_ERROR_LEGS,
+- "WARNING: Detected a wedged cx25840 chip; the device will not work.");
++ "***WARNING*** Detected a wedged cx25840 chip; the device will not work.");
+ pvr2_trace(PVR2_TRACE_ERROR_LEGS,
+- "WARNING: Try power cycling the pvrusb2 device.");
++ "***WARNING*** Try power cycling the pvrusb2 device.");
+ pvr2_trace(PVR2_TRACE_ERROR_LEGS,
+- "WARNING: Disabling further access to the device to prevent other foul-ups.");
++ "***WARNING*** Disabling further access to the device to prevent other foul-ups.");
+ // This blocks all further communication with the part.
+ hdw->i2c_func[0x44] = NULL;
+ pvr2_hdw_render_useless(hdw);
+--- a/drivers/media/usb/pvrusb2/pvrusb2-std.c
++++ b/drivers/media/usb/pvrusb2/pvrusb2-std.c
+@@ -353,7 +353,7 @@ struct v4l2_standard *pvr2_std_create_en
+ bcnt = pvr2_std_id_to_str(buf,sizeof(buf),fmsk);
+ pvr2_trace(
+ PVR2_TRACE_ERROR_LEGS,
+- "WARNING: Failed to classify the following standard(s): %.*s",
++ "***WARNING*** Failed to classify the following standard(s): %.*s",
+ bcnt,buf);
+ }
+
--- /dev/null
+From c666355e60ddb4748ead3bdd983e3f7f2224aaf0 Mon Sep 17 00:00:00 2001
+From: Luke Nowakowski-Krijger <lnowakow@eng.ucsd.edu>
+Date: Fri, 21 Jun 2019 21:04:38 -0400
+Subject: media: radio-raremono: change devm_k*alloc to k*alloc
+
+From: Luke Nowakowski-Krijger <lnowakow@eng.ucsd.edu>
+
+commit c666355e60ddb4748ead3bdd983e3f7f2224aaf0 upstream.
+
+Change devm_k*alloc to k*alloc to manually allocate memory
+
+The manual allocation and freeing of memory is necessary because when
+the USB radio is disconnected, the memory associated with devm_k*alloc
+is freed. Meaning if we still have unresolved references to the radio
+device, then we get use-after-free errors.
+
+This patch fixes this by manually allocating memory, and freeing it in
+the v4l2.release callback that gets called when the last radio device
+exits.
+
+Reported-and-tested-by: syzbot+a4387f5b6b799f6becbf@syzkaller.appspotmail.com
+
+Signed-off-by: Luke Nowakowski-Krijger <lnowakow@eng.ucsd.edu>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+[hverkuil-cisco@xs4all.nl: cleaned up two small checkpatch.pl warnings]
+[hverkuil-cisco@xs4all.nl: prefix subject with driver name]
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/radio/radio-raremono.c | 30 +++++++++++++++++++++++-------
+ 1 file changed, 23 insertions(+), 7 deletions(-)
+
+--- a/drivers/media/radio/radio-raremono.c
++++ b/drivers/media/radio/radio-raremono.c
+@@ -271,6 +271,14 @@ static int vidioc_g_frequency(struct fil
+ return 0;
+ }
+
++static void raremono_device_release(struct v4l2_device *v4l2_dev)
++{
++ struct raremono_device *radio = to_raremono_dev(v4l2_dev);
++
++ kfree(radio->buffer);
++ kfree(radio);
++}
++
+ /* File system interface */
+ static const struct v4l2_file_operations usb_raremono_fops = {
+ .owner = THIS_MODULE,
+@@ -295,12 +303,14 @@ static int usb_raremono_probe(struct usb
+ struct raremono_device *radio;
+ int retval = 0;
+
+- radio = devm_kzalloc(&intf->dev, sizeof(struct raremono_device), GFP_KERNEL);
+- if (radio)
+- radio->buffer = devm_kmalloc(&intf->dev, BUFFER_LENGTH, GFP_KERNEL);
+-
+- if (!radio || !radio->buffer)
++ radio = kzalloc(sizeof(*radio), GFP_KERNEL);
++ if (!radio)
++ return -ENOMEM;
++ radio->buffer = kmalloc(BUFFER_LENGTH, GFP_KERNEL);
++ if (!radio->buffer) {
++ kfree(radio);
+ return -ENOMEM;
++ }
+
+ radio->usbdev = interface_to_usbdev(intf);
+ radio->intf = intf;
+@@ -324,7 +334,8 @@ static int usb_raremono_probe(struct usb
+ if (retval != 3 ||
+ (get_unaligned_be16(&radio->buffer[1]) & 0xfff) == 0x0242) {
+ dev_info(&intf->dev, "this is not Thanko's Raremono.\n");
+- return -ENODEV;
++ retval = -ENODEV;
++ goto free_mem;
+ }
+
+ dev_info(&intf->dev, "Thanko's Raremono connected: (%04X:%04X)\n",
+@@ -333,7 +344,7 @@ static int usb_raremono_probe(struct usb
+ retval = v4l2_device_register(&intf->dev, &radio->v4l2_dev);
+ if (retval < 0) {
+ dev_err(&intf->dev, "couldn't register v4l2_device\n");
+- return retval;
++ goto free_mem;
+ }
+
+ mutex_init(&radio->lock);
+@@ -345,6 +356,7 @@ static int usb_raremono_probe(struct usb
+ radio->vdev.ioctl_ops = &usb_raremono_ioctl_ops;
+ radio->vdev.lock = &radio->lock;
+ radio->vdev.release = video_device_release_empty;
++ radio->v4l2_dev.release = raremono_device_release;
+
+ usb_set_intfdata(intf, &radio->v4l2_dev);
+
+@@ -360,6 +372,10 @@ static int usb_raremono_probe(struct usb
+ }
+ dev_err(&intf->dev, "could not register video device\n");
+ v4l2_device_unregister(&radio->v4l2_dev);
++
++free_mem:
++ kfree(radio->buffer);
++ kfree(radio);
+ return retval;
+ }
+
--- /dev/null
+From 9f7761cf0409465075dadb875d5d4b8ef2f890c8 Mon Sep 17 00:00:00 2001
+From: Benjamin Coddington <bcodding@redhat.com>
+Date: Tue, 11 Jun 2019 12:57:52 -0400
+Subject: NFS: Cleanup if nfs_match_client is interrupted
+
+From: Benjamin Coddington <bcodding@redhat.com>
+
+commit 9f7761cf0409465075dadb875d5d4b8ef2f890c8 upstream.
+
+Don't bail out before cleaning up a new allocation if the wait for
+searching for a matching nfs client is interrupted. Memory leaks.
+
+Reported-by: syzbot+7fe11b49c1cc30e3fce2@syzkaller.appspotmail.com
+Fixes: 950a578c6128 ("NFS: make nfs_match_client killable")
+Signed-off-by: Benjamin Coddington <bcodding@redhat.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/client.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/nfs/client.c
++++ b/fs/nfs/client.c
+@@ -416,10 +416,10 @@ struct nfs_client *nfs_get_client(const
+ clp = nfs_match_client(cl_init);
+ if (clp) {
+ spin_unlock(&nn->nfs_client_lock);
+- if (IS_ERR(clp))
+- return clp;
+ if (new)
+ new->rpc_ops->free_client(new);
++ if (IS_ERR(clp))
++ return clp;
+ return nfs_found_client(cl_init, clp);
+ }
+ if (new) {
usb-dwc2-fix-disable-all-ep-s-on-disconnect.patch
arm64-compat-provide-definition-for-compat_sigminstksz.patch
binder-fix-possible-uaf-when-freeing-buffer.patch
+isdn-hfcsusb-checking-idx-of-ep-configuration.patch
+media-au0828-fix-null-dereference-in-error-path.patch
+ath10k-change-the-warning-message-string.patch
+media-cpia2_usb-first-wake-up-then-free-in-disconnect.patch
+media-pvrusb2-use-a-different-format-for-warnings.patch
+nfs-cleanup-if-nfs_match_client-is-interrupted.patch
+media-radio-raremono-change-devm_k-alloc-to-k-alloc.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
