3.14-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 18 Apr 2016 01:44:16 +0000 (10:44 +0900)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 18 Apr 2016 01:44:16 +0000 (10:44 +0900)
added patches:
0001-drm-radeon-hold-reference-to-fences-in-radeon_sa_bo_.patch
revert-bad-backport-of-drm-radeon-hold-reference-to-fences-in-radeon_sa_bo_new.patch
revert-usb-hub-do-not-clear-bos-field-during-reset-device.patch
usbvision-fix-crash-on-detecting-device-with-invalid-configuration.patch
usbvision-fix-leak-of-usb_dev-on-failure-paths-in-usbvision_probe.patch
usbvision-fix-overflow-of-interfaces-array.patch

queue-3.14/0001-drm-radeon-hold-reference-to-fences-in-radeon_sa_bo_.patch [new file with mode: 0644]
queue-3.14/revert-bad-backport-of-drm-radeon-hold-reference-to-fences-in-radeon_sa_bo_new.patch [new file with mode: 0644]
queue-3.14/revert-usb-hub-do-not-clear-bos-field-during-reset-device.patch [new file with mode: 0644]
queue-3.14/series
queue-3.14/usbvision-fix-crash-on-detecting-device-with-invalid-configuration.patch [new file with mode: 0644]
queue-3.14/usbvision-fix-leak-of-usb_dev-on-failure-paths-in-usbvision_probe.patch [new file with mode: 0644]
queue-3.14/usbvision-fix-overflow-of-interfaces-array.patch [new file with mode: 0644]

diff --git a/queue-3.14/0001-drm-radeon-hold-reference-to-fences-in-radeon_sa_bo_.patch b/queue-3.14/0001-drm-radeon-hold-reference-to-fences-in-radeon_sa_bo_.patch
new file mode 100644 (file)
index 0000000..1dbac9b
--- /dev/null
@@ -0,0 +1,50 @@
+>From ad94965f69c2681832f64473d28c23ae71b6e52f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Nicolai=20H=C3=A4hnle?= <nicolai.haehnle@amd.com>
+Date: Tue, 15 Mar 2016 12:56:45 -0500
+Subject: [PATCH] drm/radeon: hold reference to fences in radeon_sa_bo_new
+ (3.17 and older)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Nicolai Hähnle <nicolai.haehnle@amd.com>
+
+[Backport of upstream commit f6ff4f67cdf8455d0a4226eeeaf5af17c37d05eb, with
+ an additional NULL pointer guard that is required for kernels 3.17 and older.
+
+ To be precise, any kernel that does *not* have commit 954605ca3 "drm/radeon:
+ use common fence implementation for fences, v4" requires this additional
+ NULL pointer guard.]
+
+An arbitrary amount of time can pass between spin_unlock and
+radeon_fence_wait_any, so we need to ensure that nobody frees the
+fences from under us.
+
+Based on the analogous fix for amdgpu.
+
+Signed-off-by: Nicolai Hähnle <nicolai.haehnle@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com> (v1 + fix)
+Tested-by: Lutz Euler <lutz.euler@freenet.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/radeon/radeon_sa.c |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/gpu/drm/radeon/radeon_sa.c
++++ b/drivers/gpu/drm/radeon/radeon_sa.c
+@@ -349,8 +349,15 @@ int radeon_sa_bo_new(struct radeon_devic
+                       /* see if we can skip over some allocations */
+               } while (radeon_sa_bo_next_hole(sa_manager, fences, tries));
++              for (i = 0; i < RADEON_NUM_RINGS; ++i) {
++                      if (fences[i])
++                              radeon_fence_ref(fences[i]);
++              }
++
+               spin_unlock(&sa_manager->wq.lock);
+               r = radeon_fence_wait_any(rdev, fences, false);
++              for (i = 0; i < RADEON_NUM_RINGS; ++i)
++                      radeon_fence_unref(&fences[i]);
+               spin_lock(&sa_manager->wq.lock);
+               /* if we have nothing to wait for block */
+               if (r == -ENOENT && block) {
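Review bot: The two added loops in the embedded radeon_sa.c hunk are asymmetric and carry no comment: the `radeon_fence_ref()` loop skips NULL entries, while the `radeon_fence_unref(&fences[i])` loop runs on every slot. The patch description says the NULL guard is required on kernels without the common fence implementation, so the unref side presumably tolerates a NULL fence, but that helper is not visible here and should be confirmed for 3.14. A short comment above the first loop would keep a later backport from dropping the guard again, for example `/* fences[] may hold NULL slots; pin the rest so nobody frees them while wq.lock is dropped */`. The body of radeon_sa_bo_new continues outside the hunk.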
diff --git a/queue-3.14/revert-bad-backport-of-drm-radeon-hold-reference-to-fences-in-radeon_sa_bo_new.patch b/queue-3.14/revert-bad-backport-of-drm-radeon-hold-reference-to-fences-in-radeon_sa_bo_new.patch
new file mode 100644 (file)
index 0000000..ca2fed8
--- /dev/null
@@ -0,0 +1,38 @@
+From foo@baz Mon Apr 18 10:31:57 JST 2016
+Date: Mon, 18 Apr 2016 10:31:57 +0900
+To: Greg KH <gregkh@linuxfoundation.org>
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Subject: Revert bad backport of "drm/radeon: hold reference to fences in radeon_sa_bo_new"
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+This reverts commit 50353e6f86eb2ac46ffe3cc0b9f9a11ddc8a9410, which is
+commit f6ff4f67cdf8455d0a4226eeeaf5af17c37d05eb upstream, as it was
+backported to the 3.14-stable tree incorrectly.  A correct fix will
+happen next.
+
+Reported-by: Nicolai Hähnle <nicolai.haehnle@amd.com>
+Cc: Christian König <christian.koenig@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+
+---
+ drivers/gpu/drm/radeon/radeon_sa.c |    5 -----
+ 1 file changed, 5 deletions(-)
+
+--- a/drivers/gpu/drm/radeon/radeon_sa.c
++++ b/drivers/gpu/drm/radeon/radeon_sa.c
+@@ -349,13 +349,8 @@ int radeon_sa_bo_new(struct radeon_devic
+                       /* see if we can skip over some allocations */
+               } while (radeon_sa_bo_next_hole(sa_manager, fences, tries));
+-              for (i = 0; i < RADEON_NUM_RINGS; ++i)
+-                      radeon_fence_ref(fences[i]);
+-
+               spin_unlock(&sa_manager->wq.lock);
+               r = radeon_fence_wait_any(rdev, fences, false);
+-              for (i = 0; i < RADEON_NUM_RINGS; ++i)
+-                      radeon_fence_unref(&fences[i]);
+               spin_lock(&sa_manager->wq.lock);
+               /* if we have nothing to wait for block */
+               if (r == -ENOENT && block) {
diff --git a/queue-3.14/revert-usb-hub-do-not-clear-bos-field-during-reset-device.patch b/queue-3.14/revert-usb-hub-do-not-clear-bos-field-during-reset-device.patch
new file mode 100644 (file)
index 0000000..99b0360
--- /dev/null
@@ -0,0 +1,67 @@
+From e5bdfd50d6f76077bf8441d130c606229e100d40 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Sat, 20 Feb 2016 14:19:34 -0800
+Subject: Revert "usb: hub: do not clear BOS field during reset device"
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit e5bdfd50d6f76077bf8441d130c606229e100d40 upstream.
+
+This reverts commit d8f00cd685f5c8e0def8593e520a7fef12c22407.
+
+Tony writes:
+
+This upstream commit is causing an oops:
+d8f00cd685f5 ("usb: hub: do not clear BOS field during reset device")
+
+This patch has already been included in several -stable kernels.  Here
+are the affected kernels:
+4.5.0-rc4 (current git)
+4.4.2
+4.3.6 (currently in review)
+4.1.18
+3.18.27
+3.14.61
+
+How to reproduce the problem:
+Boot kernel with slub debugging enabled (otherwise memory corruption
+will cause random oopses later instead of immediately)
+Plug in USB 3.0 disk to xhci USB 3.0 port
+dd if=/dev/sdc of=/dev/null bs=65536
+(where /dev/sdc is the USB 3.0 disk)
+Unplug USB cable while dd is still going
+Oops is immediate:
+
+Reported-by: Tony Battersby <tonyb@cybernetics.com>
+Cc: Du, Changbin <changbin.du@intel.com>
+Cc: Roger Quadros <rogerq@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/hub.c |    8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -5231,6 +5231,7 @@ static int usb_reset_and_verify_device(s
+               usb_set_usb2_hardware_lpm(udev, 0);
+       bos = udev->bos;
++      udev->bos = NULL;
+       /* Disable LPM and LTM while we reset the device and reinstall the alt
+        * settings.  Device-initiated LPM settings, and system exit latency
+@@ -5339,11 +5340,8 @@ done:
+       usb_set_usb2_hardware_lpm(udev, 1);
+       usb_unlocked_enable_lpm(udev);
+       usb_enable_ltm(udev);
+-      /* release the new BOS descriptor allocated  by hub_port_init() */
+-      if (udev->bos != bos) {
+-              usb_release_bos_descriptor(udev);
+-              udev->bos = bos;
+-      }
++      usb_release_bos_descriptor(udev);
++      udev->bos = bos;
+       return 0;
+ re_enumerate:
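Review bot: With `udev->bos = NULL;` back in place, every exit taken after that assignment has to release whatever descriptor was attached during the reset and put the saved `bos` pointer back; the `done:` path does this, but the body under `re_enumerate:` lies outside the hunk. If that path returns without `usb_release_bos_descriptor(udev); udev->bos = bos;`, the original descriptor would be leaked and the device left without one, so it is worth checking against the 3.14 tree. The restored assignment would also benefit from a comment such as `/* park the old BOS; hub_port_init() may allocate a new one */`.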
index 20d724b807f39772ff25d0ce02e5c529c2054622..9f6fb03f8aefacc3ad7448202b09451ebf8d5a52 100644 (file)
@@ -29,3 +29,9 @@ usb-renesas_usbhs-disable-tx-irq-before-starting-tx-dmac-transfer.patch
 ext4-add-lockdep-annotations-for-i_data_sem.patch
 perf-cure-event-pending_disable-race.patch
 hid-usbhid-fix-inconsistent-reset-resume-reset-resume-behavior.patch
+revert-bad-backport-of-drm-radeon-hold-reference-to-fences-in-radeon_sa_bo_new.patch
+0001-drm-radeon-hold-reference-to-fences-in-radeon_sa_bo_.patch
+usbvision-fix-overflow-of-interfaces-array.patch
+usbvision-fix-leak-of-usb_dev-on-failure-paths-in-usbvision_probe.patch
+usbvision-fix-crash-on-detecting-device-with-invalid-configuration.patch
+revert-usb-hub-do-not-clear-bos-field-during-reset-device.patch
diff --git a/queue-3.14/usbvision-fix-crash-on-detecting-device-with-invalid-configuration.patch b/queue-3.14/usbvision-fix-crash-on-detecting-device-with-invalid-configuration.patch
new file mode 100644 (file)
index 0000000..7f37b5e
--- /dev/null
@@ -0,0 +1,49 @@
+From fa52bd506f274b7619955917abfde355e3d19ffe Mon Sep 17 00:00:00 2001
+From: Vladis Dronov <vdronov@redhat.com>
+Date: Mon, 16 Nov 2015 15:55:11 -0200
+Subject: [media] usbvision: fix crash on detecting device with invalid configuration
+
+From: Vladis Dronov <vdronov@redhat.com>
+
+commit fa52bd506f274b7619955917abfde355e3d19ffe upstream.
+
+The usbvision driver crashes when a specially crafted usb device with invalid
+number of interfaces or endpoints is detected. This fix adds checks that the
+device has proper configuration expected by the driver.
+
+Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
+Signed-off-by: Vladis Dronov <vdronov@redhat.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/usbvision/usbvision-video.c |   16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/usb/usbvision/usbvision-video.c
++++ b/drivers/media/usb/usbvision/usbvision-video.c
+@@ -1546,9 +1546,23 @@ static int usbvision_probe(struct usb_in
+       if (usbvision_device_data[model].interface >= 0)
+               interface = &dev->actconfig->interface[usbvision_device_data[model].interface]->altsetting[0];
+-      else
++      else if (ifnum < dev->actconfig->desc.bNumInterfaces)
+               interface = &dev->actconfig->interface[ifnum]->altsetting[0];
++      else {
++              dev_err(&intf->dev, "interface %d is invalid, max is %d\n",
++                  ifnum, dev->actconfig->desc.bNumInterfaces - 1);
++              ret = -ENODEV;
++              goto err_usb;
++      }
++
++      if (interface->desc.bNumEndpoints < 2) {
++              dev_err(&intf->dev, "interface %d has %d endpoints, but must"
++                  " have minimum 2\n", ifnum, interface->desc.bNumEndpoints);
++              ret = -ENODEV;
++              goto err_usb;
++      }
+       endpoint = &interface->endpoint[1].desc;
++
+       if (!usb_endpoint_xfer_isoc(endpoint)) {
+               dev_err(&intf->dev, "%s: interface %d. has non-ISO endpoint!\n",
+                   __func__, ifnum);
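Review bot: Only the `else` branch gets a bounds check; the first branch still indexes `dev->actconfig->interface[]` with `usbvision_device_data[model].interface` without comparing it to `bNumInterfaces`. A device that matches such a model entry but reports fewer interfaces would, as far as this hunk shows, dereference an unpopulated slot before the new endpoint check is reached. The same guard could cover that branch, e.g. `if (usbvision_device_data[model].interface >= dev->actconfig->desc.bNumInterfaces) { ret = -ENODEV; goto err_usb; }` ahead of the first assignment. usbvision_probe starts and ends outside the hunk.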
diff --git a/queue-3.14/usbvision-fix-leak-of-usb_dev-on-failure-paths-in-usbvision_probe.patch b/queue-3.14/usbvision-fix-leak-of-usb_dev-on-failure-paths-in-usbvision_probe.patch
new file mode 100644 (file)
index 0000000..32ebdf4
--- /dev/null
@@ -0,0 +1,92 @@
+From afd270d1a45043cef14341bcceff62ed50e8dc9a Mon Sep 17 00:00:00 2001
+From: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Date: Fri, 27 Mar 2015 19:39:09 -0300
+Subject: [media] usbvision: fix leak of usb_dev on failure paths in usbvision_probe()
+
+From: Alexey Khoroshilov <khoroshilov@ispras.ru>
+
+commit afd270d1a45043cef14341bcceff62ed50e8dc9a upstream.
+
+There is no usb_put_dev() on failure paths in usbvision_probe().
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/usbvision/usbvision-video.c |   24 +++++++++++++++++-------
+ 1 file changed, 17 insertions(+), 7 deletions(-)
+
+--- a/drivers/media/usb/usbvision/usbvision-video.c
++++ b/drivers/media/usb/usbvision/usbvision-video.c
+@@ -1522,7 +1522,7 @@ static int usbvision_probe(struct usb_in
+       const struct usb_host_interface *interface;
+       struct usb_usbvision *usbvision = NULL;
+       const struct usb_endpoint_descriptor *endpoint;
+-      int model, i;
++      int model, i, ret;
+       PDEBUG(DBG_PROBE, "VID=%#04x, PID=%#04x, ifnum=%u",
+                               dev->descriptor.idVendor,
+@@ -1531,7 +1531,8 @@ static int usbvision_probe(struct usb_in
+       model = devid->driver_info;
+       if (model < 0 || model >= usbvision_device_data_size) {
+               PDEBUG(DBG_PROBE, "model out of bounds %d", model);
+-              return -ENODEV;
++              ret = -ENODEV;
++              goto err_usb;
+       }
+       printk(KERN_INFO "%s: %s found\n", __func__,
+                               usbvision_device_data[model].model_string);
+@@ -1553,18 +1554,21 @@ static int usbvision_probe(struct usb_in
+                   __func__, ifnum);
+               dev_err(&intf->dev, "%s: Endpoint attributes %d",
+                   __func__, endpoint->bmAttributes);
+-              return -ENODEV;
++              ret = -ENODEV;
++              goto err_usb;
+       }
+       if (usb_endpoint_dir_out(endpoint)) {
+               dev_err(&intf->dev, "%s: interface %d. has ISO OUT endpoint!\n",
+                   __func__, ifnum);
+-              return -ENODEV;
++              ret = -ENODEV;
++              goto err_usb;
+       }
+       usbvision = usbvision_alloc(dev, intf);
+       if (usbvision == NULL) {
+               dev_err(&intf->dev, "%s: couldn't allocate USBVision struct\n", __func__);
+-              return -ENOMEM;
++              ret = -ENOMEM;
++              goto err_usb;
+       }
+       if (dev->descriptor.bNumConfigurations > 1)
+@@ -1583,8 +1587,8 @@ static int usbvision_probe(struct usb_in
+       usbvision->alt_max_pkt_size = kmalloc(32 * usbvision->num_alt, GFP_KERNEL);
+       if (usbvision->alt_max_pkt_size == NULL) {
+               dev_err(&intf->dev, "usbvision: out of memory!\n");
+-              usbvision_release(usbvision);
+-              return -ENOMEM;
++              ret = -ENOMEM;
++              goto err_pkt;
+       }
+       for (i = 0; i < usbvision->num_alt; i++) {
+@@ -1619,6 +1623,12 @@ static int usbvision_probe(struct usb_in
+       PDEBUG(DBG_PROBE, "success");
+       return 0;
++
++err_pkt:
++      usbvision_release(usbvision);
++err_usb:
++      usb_put_dev(dev);
++      return ret;
+ }
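Review bot: The new `err_pkt:` label falls through into `err_usb:`, so the allocation-failure path now runs `usbvision_release(usbvision)` followed by `usb_put_dev(dev)`. usbvision_release() is not shown; if it already drops the usb_device reference this becomes a double put, so confirm against the 3.14 source. Any failure return in usbvision_probe that sits between the quoted hunks is also not visible and should be checked for a remaining bare `return`. A one-line comment on each label, e.g. `/* err_usb: drop the usb_device reference taken by probe */`, would document which resource each one unwinds.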
diff --git a/queue-3.14/usbvision-fix-overflow-of-interfaces-array.patch b/queue-3.14/usbvision-fix-overflow-of-interfaces-array.patch
new file mode 100644 (file)
index 0000000..36c1fc2
--- /dev/null
@@ -0,0 +1,39 @@
+From 588afcc1c0e45358159090d95bf7b246fb67565f Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Tue, 27 Oct 2015 09:51:34 -0200
+Subject: [media] usbvision fix overflow of interfaces array
+
+From: Oliver Neukum <oneukum@suse.com>
+
+commit 588afcc1c0e45358159090d95bf7b246fb67565f upstream.
+
+This fixes the crash reported in:
+http://seclists.org/bugtraq/2015/Oct/35
+The interface number needs a sanity check.
+
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Cc: Vladis Dronov <vdronov@redhat.com>
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/usbvision/usbvision-video.c |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/media/usb/usbvision/usbvision-video.c
++++ b/drivers/media/usb/usbvision/usbvision-video.c
+@@ -1536,6 +1536,13 @@ static int usbvision_probe(struct usb_in
+       printk(KERN_INFO "%s: %s found\n", __func__,
+                               usbvision_device_data[model].model_string);
++      /*
++       * this is a security check.
++       * an exploit using an incorrect bInterfaceNumber is known
++       */
++      if (ifnum >= USB_MAXINTERFACES || !dev->actconfig->interface[ifnum])
++              return -ENODEV;
++
+       if (usbvision_device_data[model].interface >= 0)
+               interface = &dev->actconfig->interface[usbvision_device_data[model].interface]->altsetting[0];
+       else
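Review bot: The added check exits with a bare `return -ENODEV;`, which bypasses the `err_usb:` cleanup introduced by the usb_dev leak fix that the series file queues right after this patch. That fix converts the model bounds check just above this spot to `goto err_usb`, which suggests the device reference is already held here, and none of its hunks touch these lines, so after the whole series the rejection path for a malformed interface number would still leak the reference. Because `ret` and `err_usb` do not exist until the later patch, the change belongs in that backport or a follow-up: `ret = -ENODEV;` then `goto err_usb;` inside braces.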