4.9-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 22 Mar 2021 09:15:26 +0000 (10:15 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 22 Mar 2021 09:15:26 +0000 (10:15 +0100)
added patches:
iio-adis16400-fix-an-error-code-in-adis16400_initial_setup.patch
usb-gadget-configfs-fix-kasan-use-after-free.patch
usb-replace-hardcode-maximum-usb-string-length-by-definition.patch

queue-4.9/iio-adis16400-fix-an-error-code-in-adis16400_initial_setup.patch [new file with mode: 0644]
queue-4.9/series
queue-4.9/usb-gadget-configfs-fix-kasan-use-after-free.patch [new file with mode: 0644]
queue-4.9/usb-replace-hardcode-maximum-usb-string-length-by-definition.patch [new file with mode: 0644]

diff --git a/queue-4.9/iio-adis16400-fix-an-error-code-in-adis16400_initial_setup.patch b/queue-4.9/iio-adis16400-fix-an-error-code-in-adis16400_initial_setup.patch
new file mode 100644 (file)
index 0000000..f108d6a
--- /dev/null
@@ -0,0 +1,40 @@
+From a71266e454b5df10d019b06f5ebacd579f76be28 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 16 Feb 2021 22:42:13 +0300
+Subject: iio: adis16400: Fix an error code in adis16400_initial_setup()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit a71266e454b5df10d019b06f5ebacd579f76be28 upstream.
+
+This is to silence a new Smatch warning:
+
+    drivers/iio/imu/adis16400.c:492 adis16400_initial_setup()
+    warn: sscanf doesn't return error codes
+
+If the condition "if (st->variant->flags & ADIS16400_HAS_SLOW_MODE) {"
+is false then we return 1 instead of returning 0 and probe will fail.
+
+Fixes: 72a868b38bdd ("iio: imu: check sscanf return value")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: <Stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/YCwgFb3JVG6qrlQ+@mwanda
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/imu/adis16400_core.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/iio/imu/adis16400_core.c
++++ b/drivers/iio/imu/adis16400_core.c
+@@ -288,8 +288,7 @@ static int adis16400_initial_setup(struc
+               if (ret)
+                       goto err_ret;
+-              ret = sscanf(indio_dev->name, "adis%u\n", &device_id);
+-              if (ret != 1) {
++              if (sscanf(indio_dev->name, "adis%u\n", &device_id) != 1) {
+                       ret = -EINVAL;
+                       goto err_ret;
+               }
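Review bot: The fix makes the function's return value depend on `ret` still holding the 0 left by the `if (ret) goto err_ret;` check two lines above, and that dependency is now invisible at the sscanf line. A short comment would keep a later refactor from reintroducing the "return 1 instead of 0" bug, e.g. `/* ret is still 0 here; sscanf's match count must never become our return value */` placed above the `if (sscanf(...) != 1)` line. adis16400_initial_setup() starts and ends outside this hunk, so I cannot confirm from here that no other assignment to `ret` sits between the check and the final return.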
index 0cddcf680bd92f914eb6a424200166d6464e6e65..492e259da89f6a9d16adfe530c0f24fb4761cf4f 100644 (file)
@@ -11,3 +11,6 @@ svcrdma-disable-timeouts-on-rdma-backchannel.patch
 sunrpc-fix-refcount-leak-for-rpc-auth-modules.patch
 net-qrtr-fix-__netdev_alloc_skb-call.patch
 scsi-lpfc-fix-some-error-codes-in-debugfs.patch
+usb-replace-hardcode-maximum-usb-string-length-by-definition.patch
+usb-gadget-configfs-fix-kasan-use-after-free.patch
+iio-adis16400-fix-an-error-code-in-adis16400_initial_setup.patch
diff --git a/queue-4.9/usb-gadget-configfs-fix-kasan-use-after-free.patch b/queue-4.9/usb-gadget-configfs-fix-kasan-use-after-free.patch
new file mode 100644 (file)
index 0000000..169c65b
--- /dev/null
@@ -0,0 +1,83 @@
+From 98f153a10da403ddd5e9d98a3c8c2bb54bb5a0b6 Mon Sep 17 00:00:00 2001
+From: Jim Lin <jilin@nvidia.com>
+Date: Thu, 11 Mar 2021 14:42:41 +0800
+Subject: usb: gadget: configfs: Fix KASAN use-after-free
+
+From: Jim Lin <jilin@nvidia.com>
+
+commit 98f153a10da403ddd5e9d98a3c8c2bb54bb5a0b6 upstream.
+
+When gadget is disconnected, running sequence is like this.
+. composite_disconnect
+. Call trace:
+  usb_string_copy+0xd0/0x128
+  gadget_config_name_configuration_store+0x4
+  gadget_config_name_attr_store+0x40/0x50
+  configfs_write_file+0x198/0x1f4
+  vfs_write+0x100/0x220
+  SyS_write+0x58/0xa8
+. configfs_composite_unbind
+. configfs_composite_bind
+
+In configfs_composite_bind, it has
+"cn->strings.s = cn->configuration;"
+
+When usb_string_copy is invoked. it would
+allocate memory, copy input string, release previous pointed memory space,
+and use new allocated memory.
+
+When gadget is connected, host sends down request to get information.
+Call trace:
+  usb_gadget_get_string+0xec/0x168
+  lookup_string+0x64/0x98
+  composite_setup+0xa34/0x1ee8
+
+If gadget is disconnected and connected quickly, in the failed case,
+cn->configuration memory has been released by usb_string_copy kfree but
+configfs_composite_bind hasn't been run in time to assign new allocated
+"cn->configuration" pointer to "cn->strings.s".
+
+When "strlen(s->s) of usb_gadget_get_string is being executed, the dangling
+memory is accessed, "BUG: KASAN: use-after-free" error occurs.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Jim Lin <jilin@nvidia.com>
+Signed-off-by: Macpaul Lin <macpaul.lin@mediatek.com>
+Link: https://lore.kernel.org/r/1615444961-13376-1-git-send-email-macpaul.lin@mediatek.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/configfs.c |   14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/gadget/configfs.c
++++ b/drivers/usb/gadget/configfs.c
+@@ -108,6 +108,8 @@ struct gadget_config_name {
+       struct list_head list;
+ };
++#define USB_MAX_STRING_WITH_NULL_LEN  (USB_MAX_STRING_LEN+1)
++
+ static int usb_string_copy(const char *s, char **s_copy)
+ {
+       int ret;
+@@ -117,12 +119,16 @@ static int usb_string_copy(const char *s
+       if (ret > USB_MAX_STRING_LEN)
+               return -EOVERFLOW;
+-      str = kstrdup(s, GFP_KERNEL);
+-      if (!str)
+-              return -ENOMEM;
++      if (copy) {
++              str = copy;
++      } else {
++              str = kmalloc(USB_MAX_STRING_WITH_NULL_LEN, GFP_KERNEL);
++              if (!str)
++                      return -ENOMEM;
++      }
++      strcpy(str, s);
+       if (str[ret - 1] == '\n')
+               str[ret - 1] = '\0';
+-      kfree(copy);
+       *s_copy = str;
+       return 0;
+ }
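Review bot: The new `if (copy) str = copy;` path followed by `strcpy(str, s)` is only safe if every non-NULL `*s_copy` passed in was allocated by this same function with USB_MAX_STRING_WITH_NULL_LEN bytes; the hunk enforces nothing about that, and a `*s_copy` set by any other path (a plain kstrdup of a shorter string, for example) would now be overflowed, since the only bound checked is `ret > USB_MAX_STRING_LEN` against the new input. I would document the invariant at the branch, e.g. `/* *s_copy is either NULL or a USB_MAX_STRING_WITH_NULL_LEN buffer from an earlier call; it is reused in place so any alias such as cn->strings.s never dangles */`. Reusing the buffer removes the use-after-free, but it also means a concurrent reader (the strlen in usb_gadget_get_string named in the commit message) can observe the string mid-copy, and the bytes past the old terminator are uninitialised kmalloc memory, so unless readers are serialised elsewhere a transiently unterminated string is possible; that would be worth a sentence in the commit message or a comment. The outer function usb_string_copy is fully inside the hunk, but the callers that own `*s_copy` are not.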
diff --git a/queue-4.9/usb-replace-hardcode-maximum-usb-string-length-by-definition.patch b/queue-4.9/usb-replace-hardcode-maximum-usb-string-length-by-definition.patch
new file mode 100644 (file)
index 0000000..a57cb72
--- /dev/null
@@ -0,0 +1,80 @@
+From 81c7462883b0cc0a4eeef0687f80ad5b5baee5f6 Mon Sep 17 00:00:00 2001
+From: Macpaul Lin <macpaul.lin@mediatek.com>
+Date: Thu, 18 Jun 2020 17:13:38 +0800
+Subject: USB: replace hardcode maximum usb string length by definition
+
+From: Macpaul Lin <macpaul.lin@mediatek.com>
+
+commit 81c7462883b0cc0a4eeef0687f80ad5b5baee5f6 upstream.
+
+Replace hardcoded maximum USB string length (126 bytes) by definition
+"USB_MAX_STRING_LEN".
+
+Signed-off-by: Macpaul Lin <macpaul.lin@mediatek.com>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Link: https://lore.kernel.org/r/1592471618-29428-1-git-send-email-macpaul.lin@mediatek.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/composite.c |    4 ++--
+ drivers/usb/gadget/configfs.c  |    2 +-
+ drivers/usb/gadget/usbstring.c |    4 ++--
+ include/uapi/linux/usb/ch9.h   |    3 +++
+ 4 files changed, 8 insertions(+), 5 deletions(-)
+
+--- a/drivers/usb/gadget/composite.c
++++ b/drivers/usb/gadget/composite.c
+@@ -1076,7 +1076,7 @@ static void collect_langs(struct usb_gad
+       while (*sp) {
+               s = *sp;
+               language = cpu_to_le16(s->language);
+-              for (tmp = buf; *tmp && tmp < &buf[126]; tmp++) {
++              for (tmp = buf; *tmp && tmp < &buf[USB_MAX_STRING_LEN]; tmp++) {
+                       if (*tmp == language)
+                               goto repeat;
+               }
+@@ -1151,7 +1151,7 @@ static int get_string(struct usb_composi
+                       collect_langs(sp, s->wData);
+               }
+-              for (len = 0; len <= 126 && s->wData[len]; len++)
++              for (len = 0; len <= USB_MAX_STRING_LEN && s->wData[len]; len++)
+                       continue;
+               if (!len)
+                       return -EINVAL;
+--- a/drivers/usb/gadget/configfs.c
++++ b/drivers/usb/gadget/configfs.c
+@@ -114,7 +114,7 @@ static int usb_string_copy(const char *s
+       char *str;
+       char *copy = *s_copy;
+       ret = strlen(s);
+-      if (ret > 126)
++      if (ret > USB_MAX_STRING_LEN)
+               return -EOVERFLOW;
+       str = kstrdup(s, GFP_KERNEL);
+--- a/drivers/usb/gadget/usbstring.c
++++ b/drivers/usb/gadget/usbstring.c
+@@ -59,9 +59,9 @@ usb_gadget_get_string (struct usb_gadget
+               return -EINVAL;
+       /* string descriptors have length, tag, then UTF16-LE text */
+-      len = min ((size_t) 126, strlen (s->s));
++      len = min((size_t)USB_MAX_STRING_LEN, strlen(s->s));
+       len = utf8s_to_utf16s(s->s, len, UTF16_LITTLE_ENDIAN,
+-                      (wchar_t *) &buf[2], 126);
++                      (wchar_t *) &buf[2], USB_MAX_STRING_LEN);
+       if (len < 0)
+               return -EINVAL;
+       buf [0] = (len + 1) * 2;
+--- a/include/uapi/linux/usb/ch9.h
++++ b/include/uapi/linux/usb/ch9.h
+@@ -358,6 +358,9 @@ struct usb_config_descriptor {
+ /*-------------------------------------------------------------------------*/
++/* USB String descriptors can contain at most 126 characters. */
++#define USB_MAX_STRING_LEN    126
++
+ /* USB_DT_STRING: String descriptor */
+ struct usb_string_descriptor {
+       __u8  bLength;