4.9-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 11 Nov 2019 09:43:15 +0000 (10:43 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 11 Nov 2019 09:43:15 +0000 (10:43 +0100)
added patches:
drivers-usb-usbip-add-missing-break-statement-to-switch.patch
usbip-fix-possibility-of-dereference-by-nulll-pointer-in-vhci_hcd.c.patch
usbip-fix-vhci_urb_enqueue-urb-null-transfer-buffer-error-path.patch
usbip-stub_rx-fix-static-checker-warning-on-unnecessary-checks.patch

queue-4.9/drivers-usb-usbip-add-missing-break-statement-to-switch.patch [new file with mode: 0644]
queue-4.9/series
queue-4.9/usbip-fix-possibility-of-dereference-by-nulll-pointer-in-vhci_hcd.c.patch [new file with mode: 0644]
queue-4.9/usbip-fix-vhci_urb_enqueue-urb-null-transfer-buffer-error-path.patch [new file with mode: 0644]
queue-4.9/usbip-stub_rx-fix-static-checker-warning-on-unnecessary-checks.patch [new file with mode: 0644]

diff --git a/queue-4.9/drivers-usb-usbip-add-missing-break-statement-to-switch.patch b/queue-4.9/drivers-usb-usbip-add-missing-break-statement-to-switch.patch
new file mode 100644 (file)
index 0000000..9a01e8f
--- /dev/null
@@ -0,0 +1,30 @@
+From 7c92e5fbf4dac0dd4dd41a0383adc54f16f403e2 Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <garsilva@embeddedor.com>
+Date: Thu, 9 Feb 2017 01:49:56 -0600
+Subject: drivers: usb: usbip: Add missing break statement to switch
+
+From: Gustavo A. R. Silva <garsilva@embeddedor.com>
+
+commit 7c92e5fbf4dac0dd4dd41a0383adc54f16f403e2 upstream.
+
+Add missing break statement to prevent the code for case
+USB_PORT_FEAT_C_RESET falling through to the default case.
+
+Addresses-Coverity-ID: 143155
+Signed-off-by: Gustavo A. R. Silva <garsilva@embeddedor.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/usbip/vhci_hcd.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/usbip/vhci_hcd.c
++++ b/drivers/usb/usbip/vhci_hcd.c
+@@ -318,6 +318,7 @@ static int vhci_hub_control(struct usb_h
+                       default:
+                               break;
+                       }
++                      break;
+               default:
+                       usbip_dbg_vhci_rh(" ClearPortFeature: default %x\n",
+                                         wValue);
index 52af13c218fb8fc70a0400c2aaff3d496d68bc22..d4aa3ee06f8a0878470f45d365e5786d9957f230 100644 (file)
@@ -30,3 +30,7 @@ configfs_register_group-shouldn-t-be-and-isn-t-called-in-rmdirable-parts.patch
 configfs-new-object-reprsenting-tree-fragments.patch
 configfs-provide-exclusion-between-io-and-removals.patch
 configfs-fix-a-deadlock-in-configfs_symlink.patch
+usbip-stub_rx-fix-static-checker-warning-on-unnecessary-checks.patch
+usbip-fix-vhci_urb_enqueue-urb-null-transfer-buffer-error-path.patch
+usbip-fix-possibility-of-dereference-by-nulll-pointer-in-vhci_hcd.c.patch
+drivers-usb-usbip-add-missing-break-statement-to-switch.patch
diff --git a/queue-4.9/usbip-fix-possibility-of-dereference-by-nulll-pointer-in-vhci_hcd.c.patch b/queue-4.9/usbip-fix-possibility-of-dereference-by-nulll-pointer-in-vhci_hcd.c.patch
new file mode 100644 (file)
index 0000000..43915f4
--- /dev/null
@@ -0,0 +1,44 @@
+From d79cda045e3bacb7e754a5324cd3d4ce80708eb1 Mon Sep 17 00:00:00 2001
+From: Nobuo Iwata <nobuo.iwata@fujixerox.co.jp>
+Date: Thu, 13 Oct 2016 12:49:02 +0900
+Subject: usbip: fix possibility of dereference by NULLL pointer in vhci_hcd.c
+
+From: Nobuo Iwata <nobuo.iwata@fujixerox.co.jp>
+
+commit d79cda045e3bacb7e754a5324cd3d4ce80708eb1 upstream.
+
+This patch fixes possibility of dereference by NULLL pointer in "[PATCH
+v5 1/3] usbip: vhci extension: modifications to vhci driver" which has
+been merged to 4.9-rc1. It occurs when a URB with pointer to invalid
+USB/IP device is enqueued in race condition against detach operation.
+
+A pointer was passed to vdev_to_vhci() before NULL check.
+In vdev_to_vhci(), there's a dereference by the pointer.
+
+This patch moves vdev_to_vhci() after NULL check of the pointer.
+
+Signed-off-by: Nobuo Iwata <nobuo.iwata@fujixerox.co.jp>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/usbip/vhci_hcd.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/usbip/vhci_hcd.c
++++ b/drivers/usb/usbip/vhci_hcd.c
+@@ -465,13 +465,14 @@ static void vhci_tx_urb(struct urb *urb)
+ {
+       struct vhci_device *vdev = get_vdev(urb->dev);
+       struct vhci_priv *priv;
+-      struct vhci_hcd *vhci = vdev_to_vhci(vdev);
++      struct vhci_hcd *vhci;
+       unsigned long flags;
+       if (!vdev) {
+               pr_err("could not get virtual device");
+               return;
+       }
++      vhci = vdev_to_vhci(vdev);
+       priv = kzalloc(sizeof(struct vhci_priv), GFP_ATOMIC);
+       if (!priv) {
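Review bot: The `!vdev` branch in vhci_tx_urb() now returns without dereferencing the pointer, but because the function is `void` the caller gets no indication that the URB was dropped. If the caller has already accepted the URB by this point (not visible in this hunk), the URB may never be completed or given back, leaving the submitter waiting. At minimum I would document that at the early return, e.g. `/* URB is not queued here and the caller cannot see this failure */`, and consider a follow-up that lets the caller detect it. The function body continues past the end of the hunk.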
diff --git a/queue-4.9/usbip-fix-vhci_urb_enqueue-urb-null-transfer-buffer-error-path.patch b/queue-4.9/usbip-fix-vhci_urb_enqueue-urb-null-transfer-buffer-error-path.patch
new file mode 100644 (file)
index 0000000..74fa043
--- /dev/null
@@ -0,0 +1,34 @@
+From 2c904963b1dd2acd4bc785b6c72e10a6283c2081 Mon Sep 17 00:00:00 2001
+From: Shuah Khan <shuah@kernel.org>
+Date: Thu, 24 Jan 2019 14:46:42 -0700
+Subject: usbip: Fix vhci_urb_enqueue() URB null transfer buffer error path
+
+From: Shuah Khan <shuah@kernel.org>
+
+commit 2c904963b1dd2acd4bc785b6c72e10a6283c2081 upstream.
+
+Fix vhci_urb_enqueue() to print debug msg and return error instead of
+failing with BUG_ON.
+
+Signed-off-by: Shuah Khan <shuah@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/usbip/vhci_hcd.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/usbip/vhci_hcd.c
++++ b/drivers/usb/usbip/vhci_hcd.c
+@@ -512,8 +512,10 @@ static int vhci_urb_enqueue(struct usb_h
+       }
+       vdev = &vhci->vdev[portnum-1];
+-      /* patch to usb_sg_init() is in 2.5.60 */
+-      BUG_ON(!urb->transfer_buffer && urb->transfer_buffer_length);
++      if (!urb->transfer_buffer && urb->transfer_buffer_length) {
++              dev_dbg(dev, "Null URB transfer buffer\n");
++              return -EINVAL;
++      }
+       spin_lock_irqsave(&vhci->lock, flags);
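Review bot: The new rejection path in vhci_urb_enqueue() logs only through `dev_dbg`, so a condition that previously stopped the kernel with BUG_ON now leaves no trace on a system without dynamic debug enabled. A NULL buffer with a non-zero length indicates a broken submitter, so a rate-limited warning such as `dev_warn_ratelimited(dev, "Null URB transfer buffer\n");` would keep it visible to operators without letting it flood the log. The early return sits before `spin_lock_irqsave`, so no lock is held on that path. `dev` is declared outside the hunk, and the function itself starts and ends outside it.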
diff --git a/queue-4.9/usbip-stub_rx-fix-static-checker-warning-on-unnecessary-checks.patch b/queue-4.9/usbip-stub_rx-fix-static-checker-warning-on-unnecessary-checks.patch
new file mode 100644 (file)
index 0000000..6b84dee
--- /dev/null
@@ -0,0 +1,59 @@
+From 10c90120930628e8b959bf58d4a0aaef3ae5d945 Mon Sep 17 00:00:00 2001
+From: Shuah Khan <shuah@kernel.org>
+Date: Fri, 15 Dec 2017 10:05:15 -0700
+Subject: usbip: stub_rx: fix static checker warning on unnecessary checks
+
+From: Shuah Khan <shuahkh@osg.samsung.com>
+
+commit 10c90120930628e8b959bf58d4a0aaef3ae5d945 upstream.
+
+Fix the following static checker warnings:
+
+The patch c6688ef9f297: "usbip: fix stub_rx: harden CMD_SUBMIT path
+to handle malicious input" from Dec 7, 2017, leads to the following
+static checker warning:
+
+    drivers/usb/usbip/stub_rx.c:346 get_pipe()
+    warn: impossible condition
+'(pdu->u.cmd_submit.transfer_buffer_length > ((~0 >> 1))) =>
+(s32min-s32max > s32max)'
+    drivers/usb/usbip/stub_rx.c:486 stub_recv_cmd_submit()
+    warn: always true condition
+'(pdu->u.cmd_submit.transfer_buffer_length <= ((~0 >> 1))) =>
+(s32min-s32max <= s32max)'
+
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/usbip/stub_rx.c |   11 +----------
+ 1 file changed, 1 insertion(+), 10 deletions(-)
+
+--- a/drivers/usb/usbip/stub_rx.c
++++ b/drivers/usb/usbip/stub_rx.c
+@@ -353,14 +353,6 @@ static int get_pipe(struct stub_device *
+       epd = &ep->desc;
+-      /* validate transfer_buffer_length */
+-      if (pdu->u.cmd_submit.transfer_buffer_length > INT_MAX) {
+-              dev_err(&sdev->udev->dev,
+-                      "CMD_SUBMIT: -EMSGSIZE transfer_buffer_length %d\n",
+-                      pdu->u.cmd_submit.transfer_buffer_length);
+-              return -1;
+-      }
+-
+       if (usb_endpoint_xfer_control(epd)) {
+               if (dir == USBIP_DIR_OUT)
+                       return usb_sndctrlpipe(udev, epnum);
+@@ -487,8 +479,7 @@ static void stub_recv_cmd_submit(struct
+       }
+       /* allocate urb transfer buffer, if needed */
+-      if (pdu->u.cmd_submit.transfer_buffer_length > 0 &&
+-          pdu->u.cmd_submit.transfer_buffer_length <= INT_MAX) {
++      if (pdu->u.cmd_submit.transfer_buffer_length > 0) {
+               priv->urb->transfer_buffer =
+                       kzalloc(pdu->u.cmd_submit.transfer_buffer_length,
+                               GFP_KERNEL);
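Review bot: Removing the `> INT_MAX` tests from get_pipe() and stub_recv_cmd_submit() leaves `transfer_buffer_length` with no explicit validation, even though the commit this follows up was hardening the CMD_SUBMIT path against malicious input. The checker output quoted in the message shows the field is a signed 32-bit value, so the meaningful bad case is a negative length, which the remaining `> 0` test skips past without rejecting. Whether later code tolerates a negative length with no buffer allocated is not visible here. A direct check in get_pipe(), such as `if (pdu->u.cmd_submit.transfer_buffer_length < 0) return -1;`, would state the intent. Both functions extend beyond the hunks shown.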