--- /dev/null
+From c97d96b4e612c7dc1b37d7afc61b598a9a25994d Mon Sep 17 00:00:00 2001
+From: Phil Elwell <phil@raspberrypi.org>
+Date: Sun, 24 Sep 2017 15:20:49 +0100
+Subject: staging: bcm2835-audio: Fix memory corruption
+
+From: Phil Elwell <phil@raspberrypi.org>
+
+commit c97d96b4e612c7dc1b37d7afc61b598a9a25994d upstream.
+
+The previous commit (0adbfd46) fixed a memory leak but also freed a
+block in the success case, causing a stale pointer to be used with
+potentially fatal results. Only free the vchi_instance block in the
+case that vchi_connect fails; once connected, the instance is
+retained for subsequent connections.
+
+Simplifying the code by removing a bunch of gotos and returning errors
+directly.
+
+Signed-off-by: Phil Elwell <phil@raspberrypi.org>
+Fixes: 0adbfd4694c2 ("staging: bcm2835-audio: fix memory leak in bcm2835_audio_open_connection()")
+Tested-by: Stefan Wahren <stefan.wahren@i2se.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/vc04_services/bcm2835-audio/bcm2835-vchiq.c | 19 ++++--------
+ 1 file changed, 7 insertions(+), 12 deletions(-)
+
+--- a/drivers/staging/vc04_services/bcm2835-audio/bcm2835-vchiq.c
++++ b/drivers/staging/vc04_services/bcm2835-audio/bcm2835-vchiq.c
+@@ -390,8 +390,7 @@ static int bcm2835_audio_open_connection
+ __func__, instance);
+ instance->alsa_stream = alsa_stream;
+ alsa_stream->instance = instance;
+- ret = 0; // xxx todo -1;
+- goto err_free_mem;
++ return 0;
+ }
+
+ /* Initialize and create a VCHI connection */
+@@ -401,16 +400,15 @@ static int bcm2835_audio_open_connection
+ LOG_ERR("%s: failed to initialise VCHI instance (ret=%d)\n",
+ __func__, ret);
+
+- ret = -EIO;
+- goto err_free_mem;
++ return -EIO;
+ }
+ ret = vchi_connect(NULL, 0, vchi_instance);
+ if (ret) {
+ LOG_ERR("%s: failed to connect VCHI instance (ret=%d)\n",
+ __func__, ret);
+
+- ret = -EIO;
+- goto err_free_mem;
++ kfree(vchi_instance);
++ return -EIO;
+ }
+ initted = 1;
+ }
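Review bot: After `kfree(vchi_instance)` on the vchi_connect failure path the pointer is left dangling; because `initted` is still 0 it is presumably reassigned by the next `vchi_initialise` before any use, but if `vchi_instance` is the retained, shared handle the commit message describes, any other reader of it between the failed open and the next successful initialise sees freed memory. Clearing it, `kfree(vchi_instance); vchi_instance = NULL;`, keeps the failure state unambiguous and turns an accidental later use into a NULL dereference instead of a use-after-free. The body of bcm2835_audio_open_connection starts outside this hunk, so the declarations of vchi_instance and initted are not visible here.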
+@@ -421,19 +419,16 @@ static int bcm2835_audio_open_connection
+ if (IS_ERR(instance)) {
+ LOG_ERR("%s: failed to initialize audio service\n", __func__);
+
+- ret = PTR_ERR(instance);
+- goto err_free_mem;
++ /* vchi_instance is retained for use the next time. */
++ return PTR_ERR(instance);
+ }
+
+ instance->alsa_stream = alsa_stream;
+ alsa_stream->instance = instance;
+
+ LOG_DBG(" success !\n");
+- ret = 0;
+-err_free_mem:
+- kfree(vchi_instance);
+
+- return ret;
++ return 0;
+ }
+
+ int bcm2835_audio_open(struct bcm2835_alsa_stream *alsa_stream)
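Review bot: The comment `/* vchi_instance is retained for use the next time. */` is attached only to the IS_ERR branch, yet the same is true of the success `return 0` below it and of every exit once `initted = 1` has been set in the previous hunk, so the contract is really established at that assignment rather than at this error path. I would move the comment next to `initted = 1;`, e.g. `/* Connected: vchi_instance is kept and reused by later opens; only a failed vchi_connect frees it. */`, and leave the IS_ERR branch as a bare `return PTR_ERR(instance);`. The enclosing function starts outside this hunk.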
--- /dev/null
+From 845d584f41eac3475c21e4a7d5e88d0f6e410cf7 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Mon, 16 Oct 2017 16:21:19 +0200
+Subject: USB: devio: Revert "USB: devio: Don't corrupt user memory"
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit 845d584f41eac3475c21e4a7d5e88d0f6e410cf7 upstream.
+
+Taking the uurb->buffer_length userspace passes in as a maximum for the
+actual urbs transfer_buffer_length causes 2 serious issues:
+
+1) It breaks isochronous support for all userspace apps using libusb,
+ as existing libusb versions pass in 0 for uurb->buffer_length,
+ relying on the kernel using the lenghts of the usbdevfs_iso_packet_desc
+ descriptors passed in added together as buffer length.
+
+ This for example causes redirection of USB audio and Webcam's into
+ virtual machines using qemu-kvm to no longer work. This is a userspace
+ ABI break and as such must be reverted.
+
+ Note that the original commit does not protect other users / the
+ kernels memory, it only stops the userspace process making the call
+ from shooting itself in the foot.
+
+2) It may cause the kernel to program host controllers to DMA over random
+ memory. Just as the devio code used to only look at the iso_packet_desc
+ lenghts, the host drivers do the same, relying on the submitter of the
+ urbs to make sure the entire buffer is large enough and not checking
+ transfer_buffer_length.
+
+ But the "USB: devio: Don't corrupt user memory" commit now takes the
+ userspace provided uurb->buffer_length for the buffer-size while copying
+ over the user-provided iso_packet_desc lengths 1:1, allowing the user
+ to specify a small buffer size while programming the host controller to
+ dma a lot more data.
+
+ (Atleast the ohci, uhci, xhci and fhci drivers do not check
+ transfer_buffer_length for isoc transfers.)
+
+This reverts commit fa1ed74eb1c2 ("USB: devio: Don't corrupt user memory")
+fixing both these issues.
+
+Cc: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/devio.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+--- a/drivers/usb/core/devio.c
++++ b/drivers/usb/core/devio.c
+@@ -1576,11 +1576,7 @@ static int proc_do_submiturb(struct usb_
+ totlen += isopkt[u].length;
+ }
+ u *= sizeof(struct usb_iso_packet_descriptor);
+- if (totlen <= uurb->buffer_length)
+- uurb->buffer_length = totlen;
+- else
+- WARN_ONCE(1, "uurb->buffer_length is too short %d vs %d",
+- totlen, uurb->buffer_length);
++ uurb->buffer_length = totlen;
+ break;
+
+ default:
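Review bot: The added `uurb->buffer_length = totlen;` silently overwrites the length userspace supplied, and nothing at the site records why that is the expected ABI, so a later reader who sees the WARN_ONCE removed may be tempted to reinstate a similar check. A one-line comment above the assignment would pin it down: `/* ISOC: the transfer length is the sum of the iso_packet_desc lengths, not uurb->buffer_length (libusb passes 0); see the revert of fa1ed74eb1c2 */`. Since they are outside the hunk, it is worth confirming that totlen is bounded by the per-packet length and packet-count checks earlier in proc_do_submiturb and that the user-buffer validation after the switch operates on the rewritten buffer_length. proc_do_submiturb begins and ends outside this hunk.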