bpf-prevent-out-of-bounds-speculation.patch
bpf-array-fix-overflow-in-max_entries-and-undefined-behavior-in-index_mask.patch
bpf-arsh-is-not-supported-in-32-bit-alu-thus-reject-it.patch
+usb-serial-cp210x-add-ids-for-lifescan-onetouch-verio-iq.patch
+usb-serial-cp210x-add-new-device-id-elv-alc-8xxx.patch
+usb-misc-usb3503-make-sure-reset-is-low-for-at-least-100us.patch
+usb-fix-usbmon-bug-trigger.patch
+usb-udc-core-fix-double-free-in-usb_add_gadget_udc_release.patch
+usbip-remove-kernel-addresses-from-usb-device-and-urb-debug-msgs.patch
+usbip-fix-vudc_rx-harden-cmd_submit-path-to-handle-malicious-input.patch
+usbip-vudc_tx-fix-v_send_ret_submit-vulnerability-to-null-xfer-buffer.patch
+staging-android-ashmem-fix-a-race-condition-in-ashmem_set_size-ioctl.patch
--- /dev/null
+From 443064cb0b1fb4569fe0a71209da7625129fb760 Mon Sep 17 00:00:00 2001
+From: Viktor Slavkovic <viktors@google.com>
+Date: Mon, 8 Jan 2018 10:43:03 -0800
+Subject: staging: android: ashmem: fix a race condition in ASHMEM_SET_SIZE ioctl
+
+From: Viktor Slavkovic <viktors@google.com>
+
+commit 443064cb0b1fb4569fe0a71209da7625129fb760 upstream.
+
+A lock-unlock is missing in ASHMEM_SET_SIZE ioctl which can result in a
+race condition when mmap is called. After the !asma->file check, before
+setting asma->size, asma->file can be set in mmap. That would result in
+having different asma->size than the mapped memory size. Combined with
+ASHMEM_UNPIN ioctl and shrinker invocation, this can result in memory
+corruption.
+
+Signed-off-by: Viktor Slavkovic <viktors@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/android/ashmem.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/staging/android/ashmem.c
++++ b/drivers/staging/android/ashmem.c
+@@ -765,10 +765,12 @@ static long ashmem_ioctl(struct file *fi
+ break;
+ case ASHMEM_SET_SIZE:
+ ret = -EINVAL;
++ mutex_lock(&ashmem_mutex);
+ if (!asma->file) {
+ ret = 0;
+ asma->size = (size_t)arg;
+ }
++ mutex_unlock(&ashmem_mutex);
+ break;
+ case ASHMEM_GET_SIZE:
+ ret = asma->size;
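Review bot: The new `mutex_lock(&ashmem_mutex)` around the `!asma->file` test in the `ASHMEM_SET_SIZE` case has no comment saying what it orders against, and the case body alone does not show it. Going by the commit message, the lock keeps mmap from setting `asma->file` between the check and the store to `asma->size`. A one-line comment such as `/* hold ashmem_mutex so mmap cannot set asma->file between the check and the size update */` would stop a later cleanup from dropping the lock. The `ASHMEM_GET_SIZE` case just below still reads `asma->size` without the mutex, which is probably acceptable for a single word-sized read but is worth stating explicitly. `ashmem_ioctl()` starts and ends outside the hunk.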
--- /dev/null
+From 46eb14a6e1585d99c1b9f58d0e7389082a5f466b Mon Sep 17 00:00:00 2001
+From: Pete Zaitcev <zaitcev@redhat.com>
+Date: Mon, 8 Jan 2018 15:46:41 -0600
+Subject: USB: fix usbmon BUG trigger
+
+From: Pete Zaitcev <zaitcev@redhat.com>
+
+commit 46eb14a6e1585d99c1b9f58d0e7389082a5f466b upstream.
+
+Automated tests triggered this by opening usbmon and accessing the
+mmap while simultaneously resizing the buffers. This bug was with
+us since 2006, because typically applications only size the buffers
+once and thus avoid racing. Reported by Kirill A. Shutemov.
+
+Reported-by: <syzbot+f9831b881b3e849829fc@syzkaller.appspotmail.com>
+Signed-off-by: Pete Zaitcev <zaitcev@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/mon/mon_bin.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/mon/mon_bin.c
++++ b/drivers/usb/mon/mon_bin.c
+@@ -1004,7 +1004,9 @@ static long mon_bin_ioctl(struct file *f
+ break;
+
+ case MON_IOCQ_RING_SIZE:
++ mutex_lock(&rp->fetch_lock);
+ ret = rp->b_size;
++ mutex_unlock(&rp->fetch_lock);
+ break;
+
+ case MON_IOCT_RING_SIZE:
+@@ -1231,12 +1233,16 @@ static int mon_bin_vma_fault(struct vm_f
+ unsigned long offset, chunk_idx;
+ struct page *pageptr;
+
++ mutex_lock(&rp->fetch_lock);
+ offset = vmf->pgoff << PAGE_SHIFT;
+- if (offset >= rp->b_size)
++ if (offset >= rp->b_size) {
++ mutex_unlock(&rp->fetch_lock);
+ return VM_FAULT_SIGBUS;
++ }
+ chunk_idx = offset / CHUNK_SIZE;
+ pageptr = rp->b_vec[chunk_idx].pg;
+ get_page(pageptr);
++ mutex_unlock(&rp->fetch_lock);
+ vmf->page = pageptr;
+ return 0;
+ }
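Review bot: Taking `rp->fetch_lock` inside `mon_bin_vma_fault()` introduces a lock-ordering hazard that this hunk does not address. If any read or ioctl path in this file holds `fetch_lock` while copying to a user buffer, and that buffer lies inside the usbmon mmap region, the resulting page fault would try to take the same mutex again and deadlock. Those paths are outside the hunk, so this needs checking against the rest of mon_bin.c; if they exist, `b_size` and `b_vec` should be guarded here by a lock that is never held across a user copy. Separately, the unlock is duplicated on the `VM_FAULT_SIGBUS` path and the success path, and a single exit label would make the lock/unlock pairing easier to audit.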
--- /dev/null
+From b8626f1dc29d3eee444bfaa92146ec7b291ef41c Mon Sep 17 00:00:00 2001
+From: Stefan Agner <stefan@agner.ch>
+Date: Thu, 11 Jan 2018 14:47:40 +0100
+Subject: usb: misc: usb3503: make sure reset is low for at least 100us
+
+From: Stefan Agner <stefan@agner.ch>
+
+commit b8626f1dc29d3eee444bfaa92146ec7b291ef41c upstream.
+
+When using a GPIO which is high by default, and initialize the
+driver in USB Hub mode, initialization fails with:
+ [ 111.757794] usb3503 0-0008: SP_ILOCK failed (-5)
+
+The reason seems to be that the chip is not properly reset.
+Probe does initialize reset low, however some lines later the
+code already set it back high, which is not long enouth.
+
+Make sure reset is asserted for at least 100us by inserting a
+delay after initializing the reset pin during probe.
+
+Signed-off-by: Stefan Agner <stefan@agner.ch>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/misc/usb3503.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/misc/usb3503.c
++++ b/drivers/usb/misc/usb3503.c
+@@ -292,6 +292,8 @@ static int usb3503_probe(struct usb3503
+ if (gpio_is_valid(hub->gpio_reset)) {
+ err = devm_gpio_request_one(dev, hub->gpio_reset,
+ GPIOF_OUT_INIT_LOW, "usb3503 reset");
++ /* Datasheet defines a hardware reset to be at least 100us */
++ usleep_range(100, 10000);
+ if (err) {
+ dev_err(dev,
+ "unable to request GPIO %d as reset pin (%d)\n",
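Review bot: The added `usleep_range(100, 10000);` sits between `devm_gpio_request_one()` and the `if (err)` check, so the probe path sleeps even when the GPIO request failed and the reset line was never driven low. Moving the comment and the delay to after the `if (err) { ... }` block keeps the error path immediate and makes clear that the delay applies only to a reset that was actually asserted. The upper bound is also a hundred times the 100us minimum named in the comment; unless the datasheet motivates it, a tighter upper bound would shorten probe. The `if (err)` block ends outside the hunk.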
--- /dev/null
+From 4307413256ac1e09b8f53e8715af3df9e49beec3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Diego=20Elio=20Petten=C3=B2?= <flameeyes@flameeyes.eu>
+Date: Fri, 29 Dec 2017 09:54:25 +0000
+Subject: USB: serial: cp210x: add IDs for LifeScan OneTouch Verio IQ
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Diego Elio Pettenò <flameeyes@flameeyes.eu>
+
+commit 4307413256ac1e09b8f53e8715af3df9e49beec3 upstream.
+
+Add IDs for the OneTouch Verio IQ that comes with an embedded
+USB-to-serial converter.
+
+Signed-off-by: Diego Elio Pettenò <flameeyes@flameeyes.eu>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/cp210x.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/serial/cp210x.c
++++ b/drivers/usb/serial/cp210x.c
+@@ -127,6 +127,7 @@ static const struct usb_device_id id_tab
+ { USB_DEVICE(0x10C4, 0x8470) }, /* Juniper Networks BX Series System Console */
+ { USB_DEVICE(0x10C4, 0x8477) }, /* Balluff RFID */
+ { USB_DEVICE(0x10C4, 0x84B6) }, /* Starizona Hyperion */
++ { USB_DEVICE(0x10C4, 0x85A7) }, /* LifeScan OneTouch Verio IQ */
+ { USB_DEVICE(0x10C4, 0x85EA) }, /* AC-Services IBUS-IF */
+ { USB_DEVICE(0x10C4, 0x85EB) }, /* AC-Services CIS-IBUS */
+ { USB_DEVICE(0x10C4, 0x85F8) }, /* Virtenio Preon32 */
--- /dev/null
+From d14ac576d10f865970bb1324d337e5e24d79aaf4 Mon Sep 17 00:00:00 2001
+From: Christian Holl <cyborgx1@gmail.com>
+Date: Wed, 3 Jan 2018 19:53:02 +0100
+Subject: USB: serial: cp210x: add new device ID ELV ALC 8xxx
+
+From: Christian Holl <cyborgx1@gmail.com>
+
+commit d14ac576d10f865970bb1324d337e5e24d79aaf4 upstream.
+
+This adds the ELV ALC 8xxx Battery Charging device
+to the list of USB IDs of drivers/usb/serial/cp210x.c
+
+Signed-off-by: Christian Holl <cyborgx1@gmail.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/cp210x.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/serial/cp210x.c
++++ b/drivers/usb/serial/cp210x.c
+@@ -178,6 +178,7 @@ static const struct usb_device_id id_tab
+ { USB_DEVICE(0x1843, 0x0200) }, /* Vaisala USB Instrument Cable */
+ { USB_DEVICE(0x18EF, 0xE00F) }, /* ELV USB-I2C-Interface */
+ { USB_DEVICE(0x18EF, 0xE025) }, /* ELV Marble Sound Board 1 */
++ { USB_DEVICE(0x18EF, 0xE030) }, /* ELV ALC 8xxx Battery Charger */
+ { USB_DEVICE(0x18EF, 0xE032) }, /* ELV TFD500 Data Logger */
+ { USB_DEVICE(0x1901, 0x0190) }, /* GE B850 CP2105 Recorder interface */
+ { USB_DEVICE(0x1901, 0x0193) }, /* GE B650 CP2104 PMC interface */
--- /dev/null
+From 7ae2c3c280db183ca9ada2675c34ec2f7378abfa Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Wed, 3 Jan 2018 12:51:51 -0500
+Subject: USB: UDC core: fix double-free in usb_add_gadget_udc_release
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit 7ae2c3c280db183ca9ada2675c34ec2f7378abfa upstream.
+
+The error-handling pathways in usb_add_gadget_udc_release() are messed
+up. Aside from the uninformative statement labels, they can deallocate
+the udc structure after calling put_device(), which is a double-free.
+This was observed by KASAN in automatic testing.
+
+This patch cleans up the routine. It preserves the requirement that
+when any failure occurs, we call put_device(&gadget->dev).
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Reported-by: Fengguang Wu <fengguang.wu@intel.com>
+Reviewed-by: Peter Chen <peter.chen@nxp.com>
+Acked-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/udc/core.c | 28 +++++++++++++---------------
+ 1 file changed, 13 insertions(+), 15 deletions(-)
+
+--- a/drivers/usb/gadget/udc/core.c
++++ b/drivers/usb/gadget/udc/core.c
+@@ -1158,11 +1158,7 @@ int usb_add_gadget_udc_release(struct de
+
+ udc = kzalloc(sizeof(*udc), GFP_KERNEL);
+ if (!udc)
+- goto err1;
+-
+- ret = device_add(&gadget->dev);
+- if (ret)
+- goto err2;
++ goto err_put_gadget;
+
+ device_initialize(&udc->dev);
+ udc->dev.release = usb_udc_release;
+@@ -1171,7 +1167,11 @@ int usb_add_gadget_udc_release(struct de
+ udc->dev.parent = parent;
+ ret = dev_set_name(&udc->dev, "%s", kobject_name(&parent->kobj));
+ if (ret)
+- goto err3;
++ goto err_put_udc;
++
++ ret = device_add(&gadget->dev);
++ if (ret)
++ goto err_put_udc;
+
+ udc->gadget = gadget;
+ gadget->udc = udc;
+@@ -1181,7 +1181,7 @@ int usb_add_gadget_udc_release(struct de
+
+ ret = device_add(&udc->dev);
+ if (ret)
+- goto err4;
++ goto err_unlist_udc;
+
+ usb_gadget_set_state(gadget, USB_STATE_NOTATTACHED);
+ udc->vbus = true;
+@@ -1189,27 +1189,25 @@ int usb_add_gadget_udc_release(struct de
+ /* pick up one of pending gadget drivers */
+ ret = check_pending_gadget_drivers(udc);
+ if (ret)
+- goto err5;
++ goto err_del_udc;
+
+ mutex_unlock(&udc_lock);
+
+ return 0;
+
+-err5:
++ err_del_udc:
+ device_del(&udc->dev);
+
+-err4:
++ err_unlist_udc:
+ list_del(&udc->list);
+ mutex_unlock(&udc_lock);
+
+-err3:
+- put_device(&udc->dev);
+ device_del(&gadget->dev);
+
+-err2:
+- kfree(udc);
++ err_put_udc:
++ put_device(&udc->dev);
+
+-err1:
++ err_put_gadget:
+ put_device(&gadget->dev);
+ return ret;
+ }
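Review bot: The reworked unwind drops the udc with `put_device(&udc->dev)` at `err_put_udc` but never clears `gadget->udc`, which the second hunk's context lines set to `udc` before `device_add(&udc->dev)`. On a failure reached through `err_del_udc` or `err_unlist_udc`, the gadget is left pointing at memory that, per the commit message, `put_device()` deallocates. Whether that is reachable depends on whether the gadget outlives the final `put_device(&gadget->dev)`, which is decided by the caller's release callback and is not visible here. Adding `gadget->udc = NULL;` before `put_device(&udc->dev)` removes the stale pointer in either case. A short comment at `err_put_udc` saying that the udc is freed through `usb_udc_release`, not `kfree()`, would also record why the old `kfree(udc)` must not come back.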
--- /dev/null
+From b78d830f0049ef1966dc1e0ebd1ec2a594e2cf25 Mon Sep 17 00:00:00 2001
+From: Shuah Khan <shuahkh@osg.samsung.com>
+Date: Fri, 22 Dec 2017 19:23:46 -0700
+Subject: usbip: fix vudc_rx: harden CMD_SUBMIT path to handle malicious input
+
+From: Shuah Khan <shuahkh@osg.samsung.com>
+
+commit b78d830f0049ef1966dc1e0ebd1ec2a594e2cf25 upstream.
+
+Harden CMD_SUBMIT path to handle malicious input that could trigger
+large memory allocations. Add checks to validate transfer_buffer_length
+and number_of_packets to protect against bad input requesting for
+unbounded memory allocations.
+
+Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/usbip/vudc_rx.c | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+--- a/drivers/usb/usbip/vudc_rx.c
++++ b/drivers/usb/usbip/vudc_rx.c
+@@ -132,6 +132,25 @@ static int v_recv_cmd_submit(struct vudc
+ urb_p->new = 1;
+ urb_p->seqnum = pdu->base.seqnum;
+
++ if (urb_p->ep->type == USB_ENDPOINT_XFER_ISOC) {
++ /* validate packet size and number of packets */
++ unsigned int maxp, packets, bytes;
++
++ maxp = usb_endpoint_maxp(urb_p->ep->desc);
++ maxp *= usb_endpoint_maxp_mult(urb_p->ep->desc);
++ bytes = pdu->u.cmd_submit.transfer_buffer_length;
++ packets = DIV_ROUND_UP(bytes, maxp);
++
++ if (pdu->u.cmd_submit.number_of_packets < 0 ||
++ pdu->u.cmd_submit.number_of_packets > packets) {
++ dev_err(&udc->gadget.dev,
++ "CMD_SUBMIT: isoc invalid num packets %d\n",
++ pdu->u.cmd_submit.number_of_packets);
++ ret = -EMSGSIZE;
++ goto free_urbp;
++ }
++ }
++
+ ret = alloc_urb_from_cmd(&urb_p->urb, pdu, urb_p->ep->type);
+ if (ret) {
+ usbip_event_add(&udc->ud, VUDC_EVENT_ERROR_MALLOC);
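Review bot: The isochronous check divides by `maxp` in `DIV_ROUND_UP(bytes, maxp)` without ruling out zero, and it never bounds `transfer_buffer_length` itself even though the commit message says that field is validated. If the endpoint descriptor reports a zero max packet size the division faults. Because `bytes` is `unsigned int`, a negative length from the PDU (assuming the field is signed) becomes a very large value, which makes the `number_of_packets > packets` limit close to meaningless. A guard ahead of the division, e.g. `if (!maxp || pdu->u.cmd_submit.transfer_buffer_length < 0) { ret = -EMSGSIZE; goto free_urbp; }`, would close both cases. Non-isochronous endpoints reach `alloc_urb_from_cmd()` with no length check in this hunk, and whether that function bounds the size is not visible here; `v_recv_cmd_submit()` continues outside the hunk.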
--- /dev/null
+From e1346fd87c71a1f61de1fe476ec8df1425ac931c Mon Sep 17 00:00:00 2001
+From: Shuah Khan <shuahkh@osg.samsung.com>
+Date: Fri, 22 Dec 2017 17:00:06 -0700
+Subject: usbip: remove kernel addresses from usb device and urb debug msgs
+
+From: Shuah Khan <shuahkh@osg.samsung.com>
+
+commit e1346fd87c71a1f61de1fe476ec8df1425ac931c upstream.
+
+usbip_dump_usb_device() and usbip_dump_urb() print kernel addresses.
+Remove kernel addresses from usb device and urb debug msgs and improve
+the message content.
+
+Instead of printing parent device and bus addresses, print parent device
+and bus names.
+
+Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/usbip/usbip_common.c | 17 +++--------------
+ 1 file changed, 3 insertions(+), 14 deletions(-)
+
+--- a/drivers/usb/usbip/usbip_common.c
++++ b/drivers/usb/usbip/usbip_common.c
+@@ -105,7 +105,7 @@ static void usbip_dump_usb_device(struct
+ dev_dbg(dev, " devnum(%d) devpath(%s) usb speed(%s)",
+ udev->devnum, udev->devpath, usb_speed_string(udev->speed));
+
+- pr_debug("tt %p, ttport %d\n", udev->tt, udev->ttport);
++ pr_debug("tt hub ttport %d\n", udev->ttport);
+
+ dev_dbg(dev, " ");
+ for (i = 0; i < 16; i++)
+@@ -138,12 +138,8 @@ static void usbip_dump_usb_device(struct
+ }
+ pr_debug("\n");
+
+- dev_dbg(dev, "parent %p, bus %p\n", udev->parent, udev->bus);
+-
+- dev_dbg(dev,
+- "descriptor %p, config %p, actconfig %p, rawdescriptors %p\n",
+- &udev->descriptor, udev->config,
+- udev->actconfig, udev->rawdescriptors);
++ dev_dbg(dev, "parent %s, bus %s\n", dev_name(&udev->parent->dev),
++ udev->bus->bus_name);
+
+ dev_dbg(dev, "have_langid %d, string_langid %d\n",
+ udev->have_langid, udev->string_langid);
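Review bot: The new `dev_dbg()` call in `usbip_dump_usb_device()` dereferences `udev->parent` and `udev->bus`, where the removed line only printed the pointer values. If this dump can run for a device that has no parent (a root hub, for example), `dev_name(&udev->parent->dev)` would read through a NULL pointer; whether such a device can reach this function is not visible in the hunk. Guarding the argument, `udev->parent ? dev_name(&udev->parent->dev) : "none"`, keeps a debug-only path from being the thing that crashes. The function starts and ends outside the hunk.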
+@@ -251,9 +247,6 @@ void usbip_dump_urb(struct urb *urb)
+
+ dev = &urb->dev->dev;
+
+- dev_dbg(dev, " urb :%p\n", urb);
+- dev_dbg(dev, " dev :%p\n", urb->dev);
+-
+ usbip_dump_usb_device(urb->dev);
+
+ dev_dbg(dev, " pipe :%08x ", urb->pipe);
+@@ -262,11 +255,9 @@ void usbip_dump_urb(struct urb *urb)
+
+ dev_dbg(dev, " status :%d\n", urb->status);
+ dev_dbg(dev, " transfer_flags :%08X\n", urb->transfer_flags);
+- dev_dbg(dev, " transfer_buffer :%p\n", urb->transfer_buffer);
+ dev_dbg(dev, " transfer_buffer_length:%d\n",
+ urb->transfer_buffer_length);
+ dev_dbg(dev, " actual_length :%d\n", urb->actual_length);
+- dev_dbg(dev, " setup_packet :%p\n", urb->setup_packet);
+
+ if (urb->setup_packet && usb_pipetype(urb->pipe) == PIPE_CONTROL)
+ usbip_dump_usb_ctrlrequest(
+@@ -276,8 +267,6 @@ void usbip_dump_urb(struct urb *urb)
+ dev_dbg(dev, " number_of_packets :%d\n", urb->number_of_packets);
+ dev_dbg(dev, " interval :%d\n", urb->interval);
+ dev_dbg(dev, " error_count :%d\n", urb->error_count);
+- dev_dbg(dev, " context :%p\n", urb->context);
+- dev_dbg(dev, " complete :%p\n", urb->complete);
+ }
+ EXPORT_SYMBOL_GPL(usbip_dump_urb);
+
--- /dev/null
+From 5fd77a3a0e408c23ab4002a57db980e46bc16e72 Mon Sep 17 00:00:00 2001
+From: Shuah Khan <shuahkh@osg.samsung.com>
+Date: Fri, 22 Dec 2017 19:23:47 -0700
+Subject: usbip: vudc_tx: fix v_send_ret_submit() vulnerability to null xfer buffer
+
+From: Shuah Khan <shuahkh@osg.samsung.com>
+
+commit 5fd77a3a0e408c23ab4002a57db980e46bc16e72 upstream.
+
+v_send_ret_submit() handles urb with a null transfer_buffer, when it
+replays a packet with potential malicious data that could contain a
+null buffer.
+
+Add a check for the condition when actual_length > 0 and transfer_buffer
+is null.
+
+Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/usbip/vudc_tx.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/usbip/vudc_tx.c
++++ b/drivers/usb/usbip/vudc_tx.c
+@@ -97,6 +97,13 @@ static int v_send_ret_submit(struct vudc
+ memset(&pdu_header, 0, sizeof(pdu_header));
+ memset(&msg, 0, sizeof(msg));
+
++ if (urb->actual_length > 0 && !urb->transfer_buffer) {
++ dev_err(&udc->gadget.dev,
++ "urb: actual_length %d transfer_buffer null\n",
++ urb->actual_length);
++ return -1;
++ }
++
+ if (urb_p->type == USB_ENDPOINT_XFER_ISOC)
+ iovnum = 2 + urb->number_of_packets;
+ else
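Review bot: The new NULL-buffer check in `v_send_ret_submit()` returns a bare `-1`, which read as an errno is `-EPERM` and does not describe the failure. `return -EINVAL;` would be clearer, provided callers only test for a negative result; they are outside the hunk, so that should be confirmed. The path also logs and returns without signalling a usbip event, so if the function's other error paths raise one, this path should match them. The context line `iovnum = 2 + urb->number_of_packets;` just below uses `number_of_packets` with no range check in this hunk, so it is worth confirming that it is bounded before it sizes the iovec array.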
+@@ -112,8 +119,8 @@ static int v_send_ret_submit(struct vudc
+
+ /* 1. setup usbip_header */
+ setup_ret_submit_pdu(&pdu_header, urb_p);
+- usbip_dbg_stub_tx("setup txdata seqnum: %d urb: %p\n",
+- pdu_header.base.seqnum, urb);
++ usbip_dbg_stub_tx("setup txdata seqnum: %d\n",
++ pdu_header.base.seqnum);
+ usbip_header_correct_endian(&pdu_header, 1);
+
+ iov[iovnum].iov_base = &pdu_header;