--- /dev/null
+From a659daf63d16aa883be42f3f34ff84235c302198 Mon Sep 17 00:00:00 2001
+From: Tadeusz Struk <tadeusz.struk@linaro.org>
+Date: Mon, 19 Sep 2022 14:59:57 -0700
+Subject: usb: mon: make mmapped memory read only
+
+From: Tadeusz Struk <tadeusz.struk@linaro.org>
+
+commit a659daf63d16aa883be42f3f34ff84235c302198 upstream.
+
+Syzbot found an issue in usbmon module, where the user space client can
+corrupt the monitor's internal memory, causing the usbmon module to
+crash the kernel with segfault, UAF, etc.
+
+The reproducer mmaps the /dev/usbmon memory to user space, and
+overwrites it with arbitrary data, which causes all kinds of issues.
+
+Return an -EPERM error from mon_bin_mmap() if the flag VM_WRTIE is set.
+Also clear VM_MAYWRITE to make it impossible to change it to writable
+later.
+
+Cc: "Dmitry Vyukov" <dvyukov@google.com>
+Cc: stable <stable@kernel.org>
+Fixes: 6f23ee1fefdc ("USB: add binary API to usbmon")
+Suggested-by: PaX Team <pageexec@freemail.hu> # for the VM_MAYRITE portion
+Link: https://syzkaller.appspot.com/bug?id=2eb1f35d6525fa4a74d75b4244971e5b1411c95a
+Reported-by: syzbot+23f57c5ae902429285d7@syzkaller.appspotmail.com
+Signed-off-by: Tadeusz Struk <tadeusz.struk@linaro.org>
+Link: https://lore.kernel.org/r/20220919215957.205681-1-tadeusz.struk@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/mon/mon_bin.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/usb/mon/mon_bin.c
++++ b/drivers/usb/mon/mon_bin.c
+@@ -1268,6 +1268,11 @@ static int mon_bin_mmap(struct file *fil
+ {
+ /* don't do anything here: "fault" will set up page table entries */
+ vma->vm_ops = &mon_bin_vm_ops;
++
++ if (vma->vm_flags & VM_WRITE)
++ return -EPERM;
++
++ vma->vm_flags &= ~VM_MAYWRITE;
+ vma->vm_flags |= VM_DONTEXPAND | VM_DONTDUMP;
+ vma->vm_private_data = filp->private_data;
+ mon_bin_vma_open(vma);
--- /dev/null
+From 7bd7ad3c310cd6766f170927381eea0aa6f46c69 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 13 Sep 2022 16:53:12 +0200
+Subject: USB: serial: ftdi_sio: fix 300 bps rate for SIO
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 7bd7ad3c310cd6766f170927381eea0aa6f46c69 upstream.
+
+The 300 bps rate of SIO devices has been mapped to 9600 bps since
+2003... Let's fix the regression.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/ftdi_sio.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/usb/serial/ftdi_sio.c
++++ b/drivers/usb/serial/ftdi_sio.c
+@@ -1319,8 +1319,7 @@ static u32 get_ftdi_divisor(struct tty_s
+ case 38400: div_value = ftdi_sio_b38400; break;
+ case 57600: div_value = ftdi_sio_b57600; break;
+ case 115200: div_value = ftdi_sio_b115200; break;
+- } /* baud */
+- if (div_value == 0) {
++ default:
+ dev_dbg(dev, "%s - Baudrate (%d) requested is not supported\n",
+ __func__, baud);
+ div_value = ftdi_sio_b9600;
projects / thirdparty / kernel / stable-queue.git / commitdiff
