--- /dev/null
+From 184eccd40389df29abefab88092c4ff33191fd0c Mon Sep 17 00:00:00 2001
+From: Aaron Armstrong Skomra <skomra@gmail.com>
+Date: Wed, 12 Jun 2019 14:19:29 -0700
+Subject: HID: wacom: generic: read HID_DG_CONTACTMAX from any feature report
+
+From: Aaron Armstrong Skomra <skomra@gmail.com>
+
+commit 184eccd40389df29abefab88092c4ff33191fd0c upstream.
+
+In the generic code path, HID_DG_CONTACTMAX was previously
+only read from the second byte of report 0x23.
+
+Another report (0x82) has the HID_DG_CONTACTMAX in the
+higher nibble of the third byte. We should support reading the
+value of HID_DG_CONTACTMAX no matter what report we are reading
+or which position that value is in.
+
+To do this we submit the feature report as a event report
+using hid_report_raw_event(). Our modified finger event path
+records the value of HID_DG_CONTACTMAX when it sees that usage.
+
+Fixes: 8ffffd5212846 ("HID: wacom: fix timeout on probe for some wacoms")
+Signed-off-by: Aaron Armstrong Skomra <aaron.skomra@wacom.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/wacom_sys.c | 10 ++++++----
+ drivers/hid/wacom_wac.c | 4 ++++
+ 2 files changed, 10 insertions(+), 4 deletions(-)
+
+--- a/drivers/hid/wacom_sys.c
++++ b/drivers/hid/wacom_sys.c
+@@ -282,14 +282,16 @@ static void wacom_feature_mapping(struct
+ /* leave touch_max as is if predefined */
+ if (!features->touch_max) {
+ /* read manually */
+- data = kzalloc(2, GFP_KERNEL);
++ n = hid_report_len(field->report);
++ data = hid_alloc_report_buf(field->report, GFP_KERNEL);
+ if (!data)
+ break;
+ data[0] = field->report->id;
+ ret = wacom_get_report(hdev, HID_FEATURE_REPORT,
+- data, 2, WAC_CMD_RETRIES);
+- if (ret == 2) {
+- features->touch_max = data[1];
++ data, n, WAC_CMD_RETRIES);
++ if (ret == n) {
++ ret = hid_report_raw_event(hdev,
++ HID_FEATURE_REPORT, data, n, 0);
+ } else {
+ features->touch_max = 16;
+ hid_warn(hdev, "wacom_feature_mapping: "
+--- a/drivers/hid/wacom_wac.c
++++ b/drivers/hid/wacom_wac.c
+@@ -2533,6 +2533,7 @@ static void wacom_wac_finger_event(struc
+ struct wacom *wacom = hid_get_drvdata(hdev);
+ struct wacom_wac *wacom_wac = &wacom->wacom_wac;
+ unsigned equivalent_usage = wacom_equivalent_usage(usage->hid);
++ struct wacom_features *features = &wacom->wacom_wac.features;
+
+ switch (equivalent_usage) {
+ case HID_GD_X:
+@@ -2553,6 +2554,9 @@ static void wacom_wac_finger_event(struc
+ case HID_DG_TIPSWITCH:
+ wacom_wac->hid_data.tipswitch = value;
+ break;
++ case HID_DG_CONTACTMAX:
++ features->touch_max = value;
++ return;
+ }
+
+
--- /dev/null
+From 0c043d70d04711fe6c380df9065fdc44192c49bf Mon Sep 17 00:00:00 2001
+From: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Date: Fri, 6 Sep 2019 12:02:32 -0700
+Subject: Input: elan_i2c - remove Lenovo Legion Y7000 PnpID
+
+From: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+
+commit 0c043d70d04711fe6c380df9065fdc44192c49bf upstream.
+
+Looks like the Bios of the Lenovo Legion Y7000 is using ELAN061B
+when the actual device is supposed to be used with hid-multitouch.
+
+Remove it from the list of the supported device, hoping that
+no one will complain about the loss in functionality.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=203467
+Fixes: 738c06d0e456 ("Input: elan_i2c - add hardware ID for multiple Lenovo laptops")
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/mouse/elan_i2c_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/input/mouse/elan_i2c_core.c
++++ b/drivers/input/mouse/elan_i2c_core.c
+@@ -1358,7 +1358,7 @@ static const struct acpi_device_id elan_
+ { "ELAN0618", 0 },
+ { "ELAN0619", 0 },
+ { "ELAN061A", 0 },
+- { "ELAN061B", 0 },
++/* { "ELAN061B", 0 }, not working on the Lenovo Legion Y7000 */
+ { "ELAN061C", 0 },
+ { "ELAN061D", 0 },
+ { "ELAN061E", 0 },
--- /dev/null
+From 699bf94114151aae4dceb2d9dbf1a6312839dcae Mon Sep 17 00:00:00 2001
+From: Sean Young <sean@mess.org>
+Date: Tue, 13 Aug 2019 13:45:09 -0300
+Subject: media: tm6000: double free if usb disconnect while streaming
+
+From: Sean Young <sean@mess.org>
+
+commit 699bf94114151aae4dceb2d9dbf1a6312839dcae upstream.
+
+The usb_bulk_urb will kfree'd on disconnect, so ensure the pointer is set
+to NULL after each free.
+
+stop stream
+urb killing
+urb buffer free
+tm6000: got start feed request tm6000_start_feed
+tm6000: got start stream request tm6000_start_stream
+tm6000: pipe reset
+tm6000: got start feed request tm6000_start_feed
+tm6000: got start feed request tm6000_start_feed
+tm6000: got start feed request tm6000_start_feed
+tm6000: got start feed request tm6000_start_feed
+tm6000: IR URB failure: status: -71, length 0
+xhci_hcd 0000:00:14.0: ERROR unknown event type 37
+xhci_hcd 0000:00:14.0: ERROR unknown event type 37
+tm6000: error tm6000_urb_received
+usb 1-2: USB disconnect, device number 5
+tm6000: disconnecting tm6000 #0
+==================================================================
+BUG: KASAN: use-after-free in dvb_fini+0x75/0x140 [tm6000_dvb]
+Read of size 8 at addr ffff888241044060 by task kworker/2:0/22
+
+CPU: 2 PID: 22 Comm: kworker/2:0 Tainted: G W 5.3.0-rc4+ #1
+Hardware name: LENOVO 20KHCTO1WW/20KHCTO1WW, BIOS N23ET65W (1.40 ) 07/02/2019
+Workqueue: usb_hub_wq hub_event
+Call Trace:
+ dump_stack+0x9a/0xf0
+ print_address_description.cold+0xae/0x34f
+ __kasan_report.cold+0x75/0x93
+ ? tm6000_fillbuf+0x390/0x3c0 [tm6000_alsa]
+ ? dvb_fini+0x75/0x140 [tm6000_dvb]
+ kasan_report+0xe/0x12
+ dvb_fini+0x75/0x140 [tm6000_dvb]
+ tm6000_close_extension+0x51/0x80 [tm6000]
+ tm6000_usb_disconnect.cold+0xd4/0x105 [tm6000]
+ usb_unbind_interface+0xe4/0x390
+ device_release_driver_internal+0x121/0x250
+ bus_remove_device+0x197/0x260
+ device_del+0x268/0x550
+ ? __device_links_no_driver+0xd0/0xd0
+ ? usb_remove_ep_devs+0x30/0x3b
+ usb_disable_device+0x122/0x400
+ usb_disconnect+0x153/0x430
+ hub_event+0x800/0x1e40
+ ? trace_hardirqs_on_thunk+0x1a/0x20
+ ? hub_port_debounce+0x1f0/0x1f0
+ ? retint_kernel+0x10/0x10
+ ? lock_is_held_type+0xf1/0x130
+ ? hub_port_debounce+0x1f0/0x1f0
+ ? process_one_work+0x4ae/0xa00
+ process_one_work+0x4ba/0xa00
+ ? pwq_dec_nr_in_flight+0x160/0x160
+ ? do_raw_spin_lock+0x10a/0x1d0
+ worker_thread+0x7a/0x5c0
+ ? process_one_work+0xa00/0xa00
+ kthread+0x1d5/0x200
+ ? kthread_create_worker_on_cpu+0xd0/0xd0
+ ret_from_fork+0x3a/0x50
+
+Allocated by task 2682:
+ save_stack+0x1b/0x80
+ __kasan_kmalloc.constprop.0+0xc2/0xd0
+ usb_alloc_urb+0x28/0x60
+ tm6000_start_feed+0x10a/0x300 [tm6000_dvb]
+ dmx_ts_feed_start_filtering+0x86/0x120 [dvb_core]
+ dvb_dmxdev_start_feed+0x121/0x180 [dvb_core]
+ dvb_dmxdev_filter_start+0xcb/0x540 [dvb_core]
+ dvb_demux_do_ioctl+0x7ed/0x890 [dvb_core]
+ dvb_usercopy+0x97/0x1f0 [dvb_core]
+ dvb_demux_ioctl+0x11/0x20 [dvb_core]
+ do_vfs_ioctl+0x5d8/0x9d0
+ ksys_ioctl+0x5e/0x90
+ __x64_sys_ioctl+0x3d/0x50
+ do_syscall_64+0x74/0xe0
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Freed by task 22:
+ save_stack+0x1b/0x80
+ __kasan_slab_free+0x12c/0x170
+ kfree+0xfd/0x3a0
+ xhci_giveback_urb_in_irq+0xfe/0x230
+ xhci_td_cleanup+0x276/0x340
+ xhci_irq+0x1129/0x3720
+ __handle_irq_event_percpu+0x6e/0x420
+ handle_irq_event_percpu+0x6f/0x100
+ handle_irq_event+0x55/0x84
+ handle_edge_irq+0x108/0x3b0
+ handle_irq+0x2e/0x40
+ do_IRQ+0x83/0x1a0
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/tm6000/tm6000-dvb.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/media/usb/tm6000/tm6000-dvb.c
++++ b/drivers/media/usb/tm6000/tm6000-dvb.c
+@@ -105,6 +105,7 @@ static void tm6000_urb_received(struct u
+ printk(KERN_ERR "tm6000: error %s\n", __func__);
+ kfree(urb->transfer_buffer);
+ usb_free_urb(urb);
++ dev->dvb->bulk_urb = NULL;
+ }
+ }
+ }
+@@ -135,6 +136,7 @@ static int tm6000_start_stream(struct tm
+ dvb->bulk_urb->transfer_buffer = kzalloc(size, GFP_KERNEL);
+ if (!dvb->bulk_urb->transfer_buffer) {
+ usb_free_urb(dvb->bulk_urb);
++ dvb->bulk_urb = NULL;
+ return -ENOMEM;
+ }
+
+@@ -161,6 +163,7 @@ static int tm6000_start_stream(struct tm
+
+ kfree(dvb->bulk_urb->transfer_buffer);
+ usb_free_urb(dvb->bulk_urb);
++ dvb->bulk_urb = NULL;
+ return ret;
+ }
+
--- /dev/null
+From 110e48725db6262f260f10727d0fb2d3d25895e4 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Mon, 2 Sep 2019 19:37:43 +0200
+Subject: netfilter: nf_flow_table: set default timeout after successful insertion
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit 110e48725db6262f260f10727d0fb2d3d25895e4 upstream.
+
+Set up the default timeout for this new entry otherwise the garbage
+collector might quickly remove it right after the flowtable insertion.
+
+Fixes: ac2a66665e23 ("netfilter: add generic flow table infrastructure")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/nf_flow_table_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/netfilter/nf_flow_table_core.c
++++ b/net/netfilter/nf_flow_table_core.c
+@@ -203,7 +203,7 @@ int flow_offload_add(struct nf_flowtable
+ return err;
+ }
+
+- flow->timeout = (u32)jiffies;
++ flow->timeout = (u32)jiffies + NF_FLOW_TIMEOUT;
+ return 0;
+ }
+ EXPORT_SYMBOL_GPL(flow_offload_add);
--- /dev/null
+From e6839c31a608e79f2057fab987dd814f5d3477e6 Mon Sep 17 00:00:00 2001
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Date: Tue, 6 Aug 2019 17:51:19 +0900
+Subject: phy: renesas: rcar-gen3-usb2: Disable clearing VBUS in over-current
+
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+
+commit e6839c31a608e79f2057fab987dd814f5d3477e6 upstream.
+
+The hardware manual should be revised, but the initial value of
+VBCTRL.OCCLREN is set to 1 actually. If the bit is set, the hardware
+clears VBCTRL.VBOUT and ADPCTRL.DRVVBUS registers automatically
+when the hardware detects over-current signal from a USB power switch.
+However, since the hardware doesn't have any registers which
+indicates over-current, the driver cannot handle it at all. So, if
+"is_otg_channel" hardware detects over-current, since ADPCTRL.DRVVBUS
+register is cleared automatically, the channel cannot be used after
+that.
+
+To resolve this behavior, this patch sets the VBCTRL.OCCLREN to 0
+to keep ADPCTRL.DRVVBUS even if the "is_otg_channel" hardware
+detects over-current. (We assume a USB power switch itself protects
+over-current and turns the VBUS off.)
+
+This patch is inspired by a BSP patch from Kazuya Mizuguchi.
+
+Fixes: 1114e2d31731 ("phy: rcar-gen3-usb2: change the mode to OTG on the combined channel")
+Cc: <stable@vger.kernel.org> # v4.5+
+Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Signed-off-by: Kishon Vijay Abraham I <kishon@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/phy/renesas/phy-rcar-gen3-usb2.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/phy/renesas/phy-rcar-gen3-usb2.c
++++ b/drivers/phy/renesas/phy-rcar-gen3-usb2.c
+@@ -66,6 +66,7 @@
+ USB2_OBINT_IDDIGCHG)
+
+ /* VBCTRL */
++#define USB2_VBCTRL_OCCLREN BIT(16)
+ #define USB2_VBCTRL_DRVVBUSSEL BIT(8)
+
+ /* LINECTRL1 */
+@@ -289,6 +290,7 @@ static void rcar_gen3_init_otg(struct rc
+ u32 val;
+
+ val = readl(usb2_base + USB2_VBCTRL);
++ val &= ~USB2_VBCTRL_OCCLREN;
+ writel(val | USB2_VBCTRL_DRVVBUSSEL, usb2_base + USB2_VBCTRL);
+ writel(USB2_OBINT_BITS, usb2_base + USB2_OBINTSTA);
+ val = readl(usb2_base + USB2_OBINTEN);
--- /dev/null
+From 89a3496e0664577043666791ec07fb731d57c950 Mon Sep 17 00:00:00 2001
+From: "Aneesh Kumar K.V" <aneesh.kumar@linux.ibm.com>
+Date: Mon, 1 Jul 2019 20:04:42 +0530
+Subject: powerpc/mm/radix: Use the right page size for vmemmap mapping
+
+From: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
+
+commit 89a3496e0664577043666791ec07fb731d57c950 upstream.
+
+We use mmu_vmemmap_psize to find the page size for mapping the vmmemap area.
+With radix translation, we are suboptimally setting this value to PAGE_SIZE.
+
+We do check for 2M page size support and update mmu_vmemap_psize to use
+hugepage size but we suboptimally reset the value to PAGE_SIZE in
+radix__early_init_mmu(). This resulted in always mapping vmemmap area with
+64K page size.
+
+Fixes: 2bfd65e45e87 ("powerpc/mm/radix: Add radix callbacks for early init routines")
+Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/mm/pgtable-radix.c | 16 +++++++---------
+ 1 file changed, 7 insertions(+), 9 deletions(-)
+
+--- a/arch/powerpc/mm/pgtable-radix.c
++++ b/arch/powerpc/mm/pgtable-radix.c
+@@ -521,14 +521,6 @@ void __init radix__early_init_devtree(vo
+ mmu_psize_defs[MMU_PAGE_64K].shift = 16;
+ mmu_psize_defs[MMU_PAGE_64K].ap = 0x5;
+ found:
+-#ifdef CONFIG_SPARSEMEM_VMEMMAP
+- if (mmu_psize_defs[MMU_PAGE_2M].shift) {
+- /*
+- * map vmemmap using 2M if available
+- */
+- mmu_vmemmap_psize = MMU_PAGE_2M;
+- }
+-#endif /* CONFIG_SPARSEMEM_VMEMMAP */
+ return;
+ }
+
+@@ -567,7 +559,13 @@ void __init radix__early_init_mmu(void)
+
+ #ifdef CONFIG_SPARSEMEM_VMEMMAP
+ /* vmemmap mapping */
+- mmu_vmemmap_psize = mmu_virtual_psize;
++ if (mmu_psize_defs[MMU_PAGE_2M].shift) {
++ /*
++ * map vmemmap using 2M if available
++ */
++ mmu_vmemmap_psize = MMU_PAGE_2M;
++ } else
++ mmu_vmemmap_psize = mmu_virtual_psize;
+ #endif
+ /*
+ * initialize page table size
--- /dev/null
+From ed7a01fd3fd77f40b4ef2562b966a5decd8928d2 Mon Sep 17 00:00:00 2001
+From: Leon Romanovsky <leon@kernel.org>
+Date: Tue, 2 Oct 2018 11:48:03 +0300
+Subject: RDMA/restrack: Release task struct which was hold by CM_ID object
+
+From: Leon Romanovsky <leonro@mellanox.com>
+
+commit ed7a01fd3fd77f40b4ef2562b966a5decd8928d2 upstream.
+
+Tracking CM_ID resource is performed in two stages: creation of cm_id
+and connecting it to the cma_dev. It is needed because rdma-cm protocol
+exports two separate user-visible calls rdma_create_id and rdma_accept.
+
+At the time of CM_ID creation, the real owner of that object is unknown
+yet and we need to grab task_struct. This task_struct is released or
+reassigned in attach phase later on. but call to rdma_destroy_id left
+this task_struct unreleased.
+
+Such separation is unique to CM_ID and other restrack objects initialize
+in one shot. It means that it is safe to use "res->valid" check to catch
+unfinished CM_ID flow and release task_struct for that object.
+
+Fixes: 00313983cda6 ("RDMA/nldev: provide detailed CM_ID information")
+Reported-by: Artemy Kovalyov <artemyko@mellanox.com>
+Reviewed-by: Artemy Kovalyov <artemyko@mellanox.com>
+Reviewed-by: Yossi Itigin <yosefe@mellanox.com>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Reviewed-by: Steve Wise <swise@opengridcomputing.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Cc: HÃ¥kon Bugge <haakon.bugge@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/core/cma.c | 7 +++----
+ drivers/infiniband/core/restrack.c | 6 ++++--
+ 2 files changed, 7 insertions(+), 6 deletions(-)
+
+--- a/drivers/infiniband/core/cma.c
++++ b/drivers/infiniband/core/cma.c
+@@ -1723,8 +1723,8 @@ void rdma_destroy_id(struct rdma_cm_id *
+ mutex_lock(&id_priv->handler_mutex);
+ mutex_unlock(&id_priv->handler_mutex);
+
++ rdma_restrack_del(&id_priv->res);
+ if (id_priv->cma_dev) {
+- rdma_restrack_del(&id_priv->res);
+ if (rdma_cap_ib_cm(id_priv->id.device, 1)) {
+ if (id_priv->cm_id.ib)
+ ib_destroy_cm_id(id_priv->cm_id.ib);
+@@ -3463,10 +3463,9 @@ int rdma_bind_addr(struct rdma_cm_id *id
+
+ return 0;
+ err2:
+- if (id_priv->cma_dev) {
+- rdma_restrack_del(&id_priv->res);
++ rdma_restrack_del(&id_priv->res);
++ if (id_priv->cma_dev)
+ cma_release_dev(id_priv);
+- }
+ err1:
+ cma_comp_exch(id_priv, RDMA_CM_ADDR_BOUND, RDMA_CM_IDLE);
+ return ret;
+--- a/drivers/infiniband/core/restrack.c
++++ b/drivers/infiniband/core/restrack.c
+@@ -209,7 +209,7 @@ void rdma_restrack_del(struct rdma_restr
+ struct ib_device *dev;
+
+ if (!res->valid)
+- return;
++ goto out;
+
+ dev = res_to_dev(res);
+ if (!dev)
+@@ -222,8 +222,10 @@ void rdma_restrack_del(struct rdma_restr
+ down_write(&dev->res.rwsem);
+ hash_del(&res->node);
+ res->valid = false;
++ up_write(&dev->res.rwsem);
++
++out:
+ if (res->task)
+ put_task_struct(res->task);
+- up_write(&dev->res.rwsem);
+ }
+ EXPORT_SYMBOL(rdma_restrack_del);
--- /dev/null
+netfilter-nf_flow_table-set-default-timeout-after-successful-insertion.patch
+hid-wacom-generic-read-hid_dg_contactmax-from-any-feature-report.patch
+rdma-restrack-release-task-struct-which-was-hold-by-cm_id-object.patch
+input-elan_i2c-remove-lenovo-legion-y7000-pnpid.patch
+powerpc-mm-radix-use-the-right-page-size-for-vmemmap-mapping.patch
+usb-usbcore-fix-slab-out-of-bounds-bug-during-device-reset.patch
+media-tm6000-double-free-if-usb-disconnect-while-streaming.patch
+phy-renesas-rcar-gen3-usb2-disable-clearing-vbus-in-over-current.patch
--- /dev/null
+From 3dd550a2d36596a1b0ee7955da3b611c031d3873 Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Wed, 4 Sep 2019 11:56:27 -0400
+Subject: USB: usbcore: Fix slab-out-of-bounds bug during device reset
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit 3dd550a2d36596a1b0ee7955da3b611c031d3873 upstream.
+
+The syzbot fuzzer provoked a slab-out-of-bounds error in the USB core:
+
+BUG: KASAN: slab-out-of-bounds in memcmp+0xa6/0xb0 lib/string.c:904
+Read of size 1 at addr ffff8881d175bed6 by task kworker/0:3/2746
+
+CPU: 0 PID: 2746 Comm: kworker/0:3 Not tainted 5.3.0-rc5+ #28
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
+Google 01/01/2011
+Workqueue: usb_hub_wq hub_event
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0xca/0x13e lib/dump_stack.c:113
+ print_address_description+0x6a/0x32c mm/kasan/report.c:351
+ __kasan_report.cold+0x1a/0x33 mm/kasan/report.c:482
+ kasan_report+0xe/0x12 mm/kasan/common.c:612
+ memcmp+0xa6/0xb0 lib/string.c:904
+ memcmp include/linux/string.h:400 [inline]
+ descriptors_changed drivers/usb/core/hub.c:5579 [inline]
+ usb_reset_and_verify_device+0x564/0x1300 drivers/usb/core/hub.c:5729
+ usb_reset_device+0x4c1/0x920 drivers/usb/core/hub.c:5898
+ rt2x00usb_probe+0x53/0x7af
+drivers/net/wireless/ralink/rt2x00/rt2x00usb.c:806
+
+The error occurs when the descriptors_changed() routine (called during
+a device reset) attempts to compare the old and new BOS and capability
+descriptors. The length it uses for the comparison is the
+wTotalLength value stored in BOS descriptor, but this value is not
+necessarily the same as the length actually allocated for the
+descriptors. If it is larger the routine will call memcmp() with a
+length that is too big, thus reading beyond the end of the allocated
+region and leading to this fault.
+
+The kernel reads the BOS descriptor twice: first to get the total
+length of all the capability descriptors, and second to read it along
+with all those other descriptors. A malicious (or very faulty) device
+may send different values for the BOS descriptor fields each time.
+The memory area will be allocated using the wTotalLength value read
+the first time, but stored within it will be the value read the second
+time.
+
+To prevent this possibility from causing any errors, this patch
+modifies the BOS descriptor after it has been read the second time:
+It sets the wTotalLength field to the actual length of the descriptors
+that were read in and validated. Then the memcpy() call, or any other
+code using these descriptors, will be able to rely on wTotalLength
+being valid.
+
+Reported-and-tested-by: syzbot+35f4d916c623118d576e@syzkaller.appspotmail.com
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+CC: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/Pine.LNX.4.44L0.1909041154260.1722-100000@iolanthe.rowland.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/config.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/core/config.c
++++ b/drivers/usb/core/config.c
+@@ -925,7 +925,7 @@ int usb_get_bos_descriptor(struct usb_de
+ struct usb_bos_descriptor *bos;
+ struct usb_dev_cap_header *cap;
+ struct usb_ssp_cap_descriptor *ssp_cap;
+- unsigned char *buffer;
++ unsigned char *buffer, *buffer0;
+ int length, total_len, num, i, ssac;
+ __u8 cap_type;
+ int ret;
+@@ -970,10 +970,12 @@ int usb_get_bos_descriptor(struct usb_de
+ ret = -ENOMSG;
+ goto err;
+ }
++
++ buffer0 = buffer;
+ total_len -= length;
++ buffer += length;
+
+ for (i = 0; i < num; i++) {
+- buffer += length;
+ cap = (struct usb_dev_cap_header *)buffer;
+
+ if (total_len < sizeof(*cap) || total_len < cap->bLength) {
+@@ -987,8 +989,6 @@ int usb_get_bos_descriptor(struct usb_de
+ break;
+ }
+
+- total_len -= length;
+-
+ if (cap->bDescriptorType != USB_DT_DEVICE_CAPABILITY) {
+ dev_warn(ddev, "descriptor type invalid, skip\n");
+ continue;
+@@ -1023,7 +1023,11 @@ int usb_get_bos_descriptor(struct usb_de
+ default:
+ break;
+ }
++
++ total_len -= length;
++ buffer += length;
+ }
++ dev->bos->desc->wTotalLength = cpu_to_le16(buffer - buffer0);
+
+ return 0;
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
