5.2-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 31 Jul 2019 16:10:13 +0000 (18:10 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 31 Jul 2019 16:10:13 +0000 (18:10 +0200)
added patches:
alsa-usb-audio-sanity-checks-for-each-pipe-and-ep-types.patch
ath10k-change-the-warning-message-string.patch
bpf-fix-null-deref-in-btf_type_is_resolve_source_only.patch
isdn-hfcsusb-checking-idx-of-ep-configuration.patch
media-au0828-fix-null-dereference-in-error-path.patch
media-cpia2_usb-first-wake-up-then-free-in-disconnect.patch
media-pvrusb2-use-a-different-format-for-warnings.patch
media-radio-raremono-change-devm_k-alloc-to-k-alloc.patch
nfs-cleanup-if-nfs_match_client-is-interrupted.patch
xfrm-policy-fix-bydst-hlist-corruption-on-hash-rebuild.patch

queue-5.2/alsa-usb-audio-sanity-checks-for-each-pipe-and-ep-types.patch [new file with mode: 0644]
queue-5.2/ath10k-change-the-warning-message-string.patch [new file with mode: 0644]
queue-5.2/bpf-fix-null-deref-in-btf_type_is_resolve_source_only.patch [new file with mode: 0644]
queue-5.2/isdn-hfcsusb-checking-idx-of-ep-configuration.patch [new file with mode: 0644]
queue-5.2/media-au0828-fix-null-dereference-in-error-path.patch [new file with mode: 0644]
queue-5.2/media-cpia2_usb-first-wake-up-then-free-in-disconnect.patch [new file with mode: 0644]
queue-5.2/media-pvrusb2-use-a-different-format-for-warnings.patch [new file with mode: 0644]
queue-5.2/media-radio-raremono-change-devm_k-alloc-to-k-alloc.patch [new file with mode: 0644]
queue-5.2/nfs-cleanup-if-nfs_match_client-is-interrupted.patch [new file with mode: 0644]
queue-5.2/series
queue-5.2/xfrm-policy-fix-bydst-hlist-corruption-on-hash-rebuild.patch [new file with mode: 0644]

diff --git a/queue-5.2/alsa-usb-audio-sanity-checks-for-each-pipe-and-ep-types.patch b/queue-5.2/alsa-usb-audio-sanity-checks-for-each-pipe-and-ep-types.patch
new file mode 100644 (file)
index 0000000..6f56ad7
--- /dev/null
@@ -0,0 +1,126 @@
+From 801ebf1043ae7b182588554cc9b9ad3c14bc2ab5 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 24 Jun 2019 15:08:28 +0200
+Subject: ALSA: usb-audio: Sanity checks for each pipe and EP types
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 801ebf1043ae7b182588554cc9b9ad3c14bc2ab5 upstream.
+
+The recent USB core code performs sanity checks for the given pipe and
+EP types, and it can be hit by manipulated USB descriptors by syzbot.
+For making syzbot happier, this patch introduces a local helper for a
+sanity check in the driver side and calls it at each place before the
+message handling, so that we can avoid the WARNING splats.
+
+Reported-by: syzbot+d952e5e28f5fb7718d23@syzkaller.appspotmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/helper.c |   17 +++++++++++++++++
+ sound/usb/helper.h |    1 +
+ sound/usb/quirks.c |   18 +++++++++++++++---
+ 3 files changed, 33 insertions(+), 3 deletions(-)
+
+--- a/sound/usb/helper.c
++++ b/sound/usb/helper.c
+@@ -63,6 +63,20 @@ void *snd_usb_find_csint_desc(void *buff
+       return NULL;
+ }
++/* check the validity of pipe and EP types */
++int snd_usb_pipe_sanity_check(struct usb_device *dev, unsigned int pipe)
++{
++      static const int pipetypes[4] = {
++              PIPE_CONTROL, PIPE_ISOCHRONOUS, PIPE_BULK, PIPE_INTERRUPT
++      };
++      struct usb_host_endpoint *ep;
++
++      ep = usb_pipe_endpoint(dev, pipe);
++      if (usb_pipetype(pipe) != pipetypes[usb_endpoint_type(&ep->desc)])
++              return -EINVAL;
++      return 0;
++}
++
+ /*
+  * Wrapper for usb_control_msg().
+  * Allocates a temp buffer to prevent dmaing from/to the stack.
+@@ -75,6 +89,9 @@ int snd_usb_ctl_msg(struct usb_device *d
+       void *buf = NULL;
+       int timeout;
++      if (snd_usb_pipe_sanity_check(dev, pipe))
++              return -EINVAL;
++
+       if (size > 0) {
+               buf = kmemdup(data, size, GFP_KERNEL);
+               if (!buf)
+--- a/sound/usb/helper.h
++++ b/sound/usb/helper.h
+@@ -7,6 +7,7 @@ unsigned int snd_usb_combine_bytes(unsig
+ void *snd_usb_find_desc(void *descstart, int desclen, void *after, u8 dtype);
+ void *snd_usb_find_csint_desc(void *descstart, int desclen, void *after, u8 dsubtype);
++int snd_usb_pipe_sanity_check(struct usb_device *dev, unsigned int pipe);
+ int snd_usb_ctl_msg(struct usb_device *dev, unsigned int pipe,
+                   __u8 request, __u8 requesttype, __u16 value, __u16 index,
+                   void *data, __u16 size);
+--- a/sound/usb/quirks.c
++++ b/sound/usb/quirks.c
+@@ -828,11 +828,13 @@ static int snd_usb_novation_boot_quirk(s
+ static int snd_usb_accessmusic_boot_quirk(struct usb_device *dev)
+ {
+       int err, actual_length;
+-
+       /* "midi send" enable */
+       static const u8 seq[] = { 0x4e, 0x73, 0x52, 0x01 };
++      void *buf;
+-      void *buf = kmemdup(seq, ARRAY_SIZE(seq), GFP_KERNEL);
++      if (snd_usb_pipe_sanity_check(dev, usb_sndintpipe(dev, 0x05)))
++              return -EINVAL;
++      buf = kmemdup(seq, ARRAY_SIZE(seq), GFP_KERNEL);
+       if (!buf)
+               return -ENOMEM;
+       err = usb_interrupt_msg(dev, usb_sndintpipe(dev, 0x05), buf,
+@@ -857,7 +859,11 @@ static int snd_usb_accessmusic_boot_quir
+ static int snd_usb_nativeinstruments_boot_quirk(struct usb_device *dev)
+ {
+-      int ret = usb_control_msg(dev, usb_sndctrlpipe(dev, 0),
++      int ret;
++
++      if (snd_usb_pipe_sanity_check(dev, usb_sndctrlpipe(dev, 0)))
++              return -EINVAL;
++      ret = usb_control_msg(dev, usb_sndctrlpipe(dev, 0),
+                                 0xaf, USB_TYPE_VENDOR | USB_RECIP_DEVICE,
+                                 1, 0, NULL, 0, 1000);
+@@ -964,6 +970,8 @@ static int snd_usb_axefx3_boot_quirk(str
+       dev_dbg(&dev->dev, "Waiting for Axe-Fx III to boot up...\n");
++      if (snd_usb_pipe_sanity_check(dev, usb_sndctrlpipe(dev, 0)))
++              return -EINVAL;
+       /* If the Axe-Fx III has not fully booted, it will timeout when trying
+        * to enable the audio streaming interface. A more generous timeout is
+        * used here to detect when the Axe-Fx III has finished booting as the
+@@ -996,6 +1004,8 @@ static int snd_usb_motu_microbookii_comm
+ {
+       int err, actual_length;
++      if (snd_usb_pipe_sanity_check(dev, usb_sndintpipe(dev, 0x01)))
++              return -EINVAL;
+       err = usb_interrupt_msg(dev, usb_sndintpipe(dev, 0x01), buf, *length,
+                               &actual_length, 1000);
+       if (err < 0)
+@@ -1006,6 +1016,8 @@ static int snd_usb_motu_microbookii_comm
+       memset(buf, 0, buf_size);
++      if (snd_usb_pipe_sanity_check(dev, usb_rcvintpipe(dev, 0x82)))
++              return -EINVAL;
+       err = usb_interrupt_msg(dev, usb_rcvintpipe(dev, 0x82), buf, buf_size,
+                               &actual_length, 1000);
+       if (err < 0)
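Review bot: `snd_usb_pipe_sanity_check()` dereferences the result of `usb_pipe_endpoint()` unconditionally (`&ep->desc`), and that helper returns the per-device endpoint-table slot for the endpoint number, which is NULL when the device exposes no endpoint at that address — exactly the case the quirk callers with hard-coded endpoints (`usb_sndintpipe(dev, 0x05)`, `usb_sndintpipe(dev, 0x01)`, `usb_rcvintpipe(dev, 0x82)`) are meant to survive on a manipulated descriptor. Add `if (!ep) return -EINVAL;` between the `usb_pipe_endpoint()` call and the type comparison so a missing endpoint fails the same way as a mismatched one. The USB core check this mirrors is not visible here, so whether the core would trap the NULL before the driver does is inferred, not established; the driver-side helper should not rely on it.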
diff --git a/queue-5.2/ath10k-change-the-warning-message-string.patch b/queue-5.2/ath10k-change-the-warning-message-string.patch
new file mode 100644 (file)
index 0000000..8e11c15
--- /dev/null
@@ -0,0 +1,38 @@
+From 265df32eae5845212ad9f55f5ae6b6dcb68b187b Mon Sep 17 00:00:00 2001
+From: Fabio Estevam <festevam@gmail.com>
+Date: Thu, 9 May 2019 09:15:00 -0300
+Subject: ath10k: Change the warning message string
+
+From: Fabio Estevam <festevam@gmail.com>
+
+commit 265df32eae5845212ad9f55f5ae6b6dcb68b187b upstream.
+
+The "WARNING" string confuses syzbot, which thinks it found
+a crash [1].
+
+Change the string to avoid such problem.
+
+[1] https://lkml.org/lkml/2019/5/9/243
+
+Reported-by: syzbot+c1b25598aa60dcd47e78@syzkaller.appspotmail.com
+Suggested-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Fabio Estevam <festevam@gmail.com>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/ath/ath10k/usb.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/ath/ath10k/usb.c
++++ b/drivers/net/wireless/ath/ath10k/usb.c
+@@ -1016,7 +1016,7 @@ static int ath10k_usb_probe(struct usb_i
+       }
+       /* TODO: remove this once USB support is fully implemented */
+-      ath10k_warn(ar, "WARNING: ath10k USB support is incomplete, don't expect anything to work!\n");
++      ath10k_warn(ar, "Warning: ath10k USB support is incomplete, don't expect anything to work!\n");
+       return 0;
diff --git a/queue-5.2/bpf-fix-null-deref-in-btf_type_is_resolve_source_only.patch b/queue-5.2/bpf-fix-null-deref-in-btf_type_is_resolve_source_only.patch
new file mode 100644 (file)
index 0000000..94c0349
--- /dev/null
@@ -0,0 +1,62 @@
+From e4f07120210a1794c1f1ae64d209a2fbc7bd2682 Mon Sep 17 00:00:00 2001
+From: Stanislav Fomichev <sdf@google.com>
+Date: Wed, 19 Jun 2019 12:01:05 -0700
+Subject: bpf: fix NULL deref in btf_type_is_resolve_source_only
+
+From: Stanislav Fomichev <sdf@google.com>
+
+commit e4f07120210a1794c1f1ae64d209a2fbc7bd2682 upstream.
+
+Commit 1dc92851849c ("bpf: kernel side support for BTF Var and DataSec")
+added invocations of btf_type_is_resolve_source_only before
+btf_type_nosize_or_null which checks for the NULL pointer.
+Swap the order of btf_type_nosize_or_null and
+btf_type_is_resolve_source_only to make sure the do the NULL pointer
+check first.
+
+Fixes: 1dc92851849c ("bpf: kernel side support for BTF Var and DataSec")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Stanislav Fomichev <sdf@google.com>
+Acked-by: Andrii Nakryiko <andriin@fb.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/bpf/btf.c |   12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/kernel/bpf/btf.c
++++ b/kernel/bpf/btf.c
+@@ -1928,8 +1928,8 @@ static int btf_array_resolve(struct btf_
+       /* Check array->index_type */
+       index_type_id = array->index_type;
+       index_type = btf_type_by_id(btf, index_type_id);
+-      if (btf_type_is_resolve_source_only(index_type) ||
+-          btf_type_nosize_or_null(index_type)) {
++      if (btf_type_nosize_or_null(index_type) ||
++          btf_type_is_resolve_source_only(index_type)) {
+               btf_verifier_log_type(env, v->t, "Invalid index");
+               return -EINVAL;
+       }
+@@ -1948,8 +1948,8 @@ static int btf_array_resolve(struct btf_
+       /* Check array->type */
+       elem_type_id = array->type;
+       elem_type = btf_type_by_id(btf, elem_type_id);
+-      if (btf_type_is_resolve_source_only(elem_type) ||
+-          btf_type_nosize_or_null(elem_type)) {
++      if (btf_type_nosize_or_null(elem_type) ||
++          btf_type_is_resolve_source_only(elem_type)) {
+               btf_verifier_log_type(env, v->t,
+                                     "Invalid elem");
+               return -EINVAL;
+@@ -2170,8 +2170,8 @@ static int btf_struct_resolve(struct btf
+               const struct btf_type *member_type = btf_type_by_id(env->btf,
+                                                               member_type_id);
+-              if (btf_type_is_resolve_source_only(member_type) ||
+-                  btf_type_nosize_or_null(member_type)) {
++              if (btf_type_nosize_or_null(member_type) ||
++                  btf_type_is_resolve_source_only(member_type)) {
+                       btf_verifier_log_member(env, v->t, member,
+                                               "Invalid member");
+                       return -EINVAL;
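Review bot: The three swapped conditions in `btf_array_resolve()` and `btf_struct_resolve()` are correct only because `||` short-circuits, and nothing in the code records that; the next reordering, or a refactor that folds both predicates into one helper evaluating them in the other order, silently reintroduces the NULL dereference the commit message describes. A one-line comment above each check would pin the invariant: `/* nosize_or_null() must run first: is_resolve_source_only() dereferences the type */`. Both functions begin and end outside the hunk.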
diff --git a/queue-5.2/isdn-hfcsusb-checking-idx-of-ep-configuration.patch b/queue-5.2/isdn-hfcsusb-checking-idx-of-ep-configuration.patch
new file mode 100644 (file)
index 0000000..52521c3
--- /dev/null
@@ -0,0 +1,45 @@
+From f384e62a82ba5d85408405fdd6aeff89354deaa9 Mon Sep 17 00:00:00 2001
+From: Phong Tran <tranmanphong@gmail.com>
+Date: Mon, 15 Jul 2019 22:08:14 +0700
+Subject: ISDN: hfcsusb: checking idx of ep configuration
+
+From: Phong Tran <tranmanphong@gmail.com>
+
+commit f384e62a82ba5d85408405fdd6aeff89354deaa9 upstream.
+
+The syzbot test with random endpoint address which made the idx is
+overflow in the table of endpoint configuations.
+
+this adds the checking for fixing the error report from
+syzbot
+
+KASAN: stack-out-of-bounds Read in hfcsusb_probe [1]
+The patch tested by syzbot [2]
+
+Reported-by: syzbot+8750abbc3a46ef47d509@syzkaller.appspotmail.com
+
+[1]:
+https://syzkaller.appspot.com/bug?id=30a04378dac680c5d521304a00a86156bb913522
+[2]:
+https://groups.google.com/d/msg/syzkaller-bugs/_6HBdge8F3E/OJn7wVNpBAAJ
+
+Signed-off-by: Phong Tran <tranmanphong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/isdn/hardware/mISDN/hfcsusb.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/isdn/hardware/mISDN/hfcsusb.c
++++ b/drivers/isdn/hardware/mISDN/hfcsusb.c
+@@ -1955,6 +1955,9 @@ hfcsusb_probe(struct usb_interface *intf
+                               /* get endpoint base */
+                               idx = ((ep_addr & 0x7f) - 1) * 2;
++                              if (idx > 15)
++                                      return -EIO;
++
+                               if (ep_addr & 0x80)
+                                       idx++;
+                               attr = ep->desc.bmAttributes;
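Review bot: The new bound `if (idx > 15)` sits before the `idx++` for IN endpoints, so the largest index that can reach the table is 15; that is right only because `idx` is always even at the check and the table has 16 endpoint slots, neither of which is stated at this point, so a comment would help: `/* idx is even here (OUT slot); +1 below for IN, so 15 is the last valid slot */`. If `idx` is a signed int, an endpoint number of 0 yields `idx == -2`, which `> 15` does not reject; the USB core normally drops endpoint 0 from interface descriptors, but `if (idx < 0 || idx > 15)` would not depend on that. `-EIO` for a malformed descriptor is also unusual; `-ENODEV` or `-EINVAL` reads more naturally here. `hfcsusb_probe()` begins and ends outside the hunk.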
diff --git a/queue-5.2/media-au0828-fix-null-dereference-in-error-path.patch b/queue-5.2/media-au0828-fix-null-dereference-in-error-path.patch
new file mode 100644 (file)
index 0000000..74caaf8
--- /dev/null
@@ -0,0 +1,49 @@
+From 6d0d1ff9ff21fbb06b867c13a1d41ce8ddcd8230 Mon Sep 17 00:00:00 2001
+From: Sean Young <sean@mess.org>
+Date: Sun, 19 May 2019 15:28:22 -0400
+Subject: media: au0828: fix null dereference in error path
+
+From: Sean Young <sean@mess.org>
+
+commit 6d0d1ff9ff21fbb06b867c13a1d41ce8ddcd8230 upstream.
+
+au0828_usb_disconnect() gets the au0828_dev struct via usb_get_intfdata,
+so it needs to set up for the error paths.
+
+Reported-by: syzbot+357d86bcb4cca1a2f572@syzkaller.appspotmail.com
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/au0828/au0828-core.c |   12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/media/usb/au0828/au0828-core.c
++++ b/drivers/media/usb/au0828/au0828-core.c
+@@ -719,6 +719,12 @@ static int au0828_usb_probe(struct usb_i
+       /* Setup */
+       au0828_card_setup(dev);
++      /*
++       * Store the pointer to the au0828_dev so it can be accessed in
++       * au0828_usb_disconnect
++       */
++      usb_set_intfdata(interface, dev);
++
+       /* Analog TV */
+       retval = au0828_analog_register(dev, interface);
+       if (retval) {
+@@ -737,12 +743,6 @@ static int au0828_usb_probe(struct usb_i
+       /* Remote controller */
+       au0828_rc_register(dev);
+-      /*
+-       * Store the pointer to the au0828_dev so it can be accessed in
+-       * au0828_usb_disconnect
+-       */
+-      usb_set_intfdata(interface, dev);
+-
+       pr_info("Registered device AU0828 [%s]\n",
+               dev->board.name == NULL ? "Unset" : dev->board.name);
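Review bot: The relocated comment still says only that the pointer is needed by `au0828_usb_disconnect()`, not why it must now be set before `au0828_analog_register()` — which, per the commit message, is that the failure paths reach disconnect and it reads the device back with `usb_get_intfdata()`; without that, the next reader may well move the call back down. Extend it along the lines of `* Store the pointer before registering: the error paths below go through au0828_usb_disconnect(), which fetches it with usb_get_intfdata().` The `if (retval) {` branch is cut off here, so the claim that the error path calls disconnect comes from the commit message rather than visible lines; `au0828_usb_probe()` begins and ends outside the hunk.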
diff --git a/queue-5.2/media-cpia2_usb-first-wake-up-then-free-in-disconnect.patch b/queue-5.2/media-cpia2_usb-first-wake-up-then-free-in-disconnect.patch
new file mode 100644 (file)
index 0000000..32e1b77
--- /dev/null
@@ -0,0 +1,44 @@
+From eff73de2b1600ad8230692f00bc0ab49b166512a Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Thu, 9 May 2019 04:57:09 -0400
+Subject: media: cpia2_usb: first wake up, then free in disconnect
+
+From: Oliver Neukum <oneukum@suse.com>
+
+commit eff73de2b1600ad8230692f00bc0ab49b166512a upstream.
+
+Kasan reported a use after free in cpia2_usb_disconnect()
+It first freed everything and then woke up those waiting.
+The reverse order is correct.
+
+Fixes: 6c493f8b28c67 ("[media] cpia2: major overhaul to get it in a working state again")
+
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Reported-by: syzbot+0c90fc937c84f97d0aa6@syzkaller.appspotmail.com
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/cpia2/cpia2_usb.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/usb/cpia2/cpia2_usb.c
++++ b/drivers/media/usb/cpia2/cpia2_usb.c
+@@ -893,7 +893,6 @@ static void cpia2_usb_disconnect(struct
+       cpia2_unregister_camera(cam);
+       v4l2_device_disconnect(&cam->v4l2_dev);
+       mutex_unlock(&cam->v4l2_lock);
+-      v4l2_device_put(&cam->v4l2_dev);
+       if(cam->buffers) {
+               DBG("Wakeup waiting processes\n");
+@@ -902,6 +901,8 @@ static void cpia2_usb_disconnect(struct
+               wake_up_interruptible(&cam->wq_stream);
+       }
++      v4l2_device_put(&cam->v4l2_dev);
++
+       LOG("CPiA2 camera disconnected.\n");
+ }
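Review bot: After the move, `v4l2_device_put(&cam->v4l2_dev)` is the last use of `cam` in `cpia2_usb_disconnect()` and, going by the use-after-free the commit describes, the call that may free it, yet nothing marks that boundary. A comment above it, `/* may free cam: nothing after this point may touch it */`, protects whoever next adds a line between the put and the final `LOG()`. Whether the put is what frees `cam` depends on the v4l2_dev release callback, which is not visible here. The start of the function lies outside the hunk.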
diff --git a/queue-5.2/media-pvrusb2-use-a-different-format-for-warnings.patch b/queue-5.2/media-pvrusb2-use-a-different-format-for-warnings.patch
new file mode 100644 (file)
index 0000000..29cedb6
--- /dev/null
@@ -0,0 +1,87 @@
+From 1753c7c4367aa1201e1e5d0a601897ab33444af1 Mon Sep 17 00:00:00 2001
+From: Andrey Konovalov <andreyknvl@google.com>
+Date: Thu, 2 May 2019 12:09:26 -0400
+Subject: media: pvrusb2: use a different format for warnings
+
+From: Andrey Konovalov <andreyknvl@google.com>
+
+commit 1753c7c4367aa1201e1e5d0a601897ab33444af1 upstream.
+
+When the pvrusb2 driver detects that there's something wrong with the
+device, it prints a warning message. Right now those message are
+printed in two different formats:
+
+1. ***WARNING*** message here
+2. WARNING: message here
+
+There's an issue with the second format. Syzkaller recognizes it as a
+message produced by a WARN_ON(), which is used to indicate a bug in the
+kernel. However pvrusb2 prints those warnings to indicate an issue with
+the device, not the bug in the kernel.
+
+This patch changes the pvrusb2 driver to consistently use the first
+warning message format. This will unblock syzkaller testing of this
+driver.
+
+Reported-by: syzbot+af8f8d2ac0d39b0ed3a0@syzkaller.appspotmail.com
+Reported-by: syzbot+170a86bf206dd2c6217e@syzkaller.appspotmail.com
+Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/pvrusb2/pvrusb2-hdw.c      |    4 ++--
+ drivers/media/usb/pvrusb2/pvrusb2-i2c-core.c |    6 +++---
+ drivers/media/usb/pvrusb2/pvrusb2-std.c      |    2 +-
+ 3 files changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
++++ b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
+@@ -1670,7 +1670,7 @@ static int pvr2_decoder_enable(struct pv
+       }
+       if (!hdw->flag_decoder_missed) {
+               pvr2_trace(PVR2_TRACE_ERROR_LEGS,
+-                         "WARNING: No decoder present");
++                         "***WARNING*** No decoder present");
+               hdw->flag_decoder_missed = !0;
+               trace_stbit("flag_decoder_missed",
+                           hdw->flag_decoder_missed);
+@@ -2356,7 +2356,7 @@ struct pvr2_hdw *pvr2_hdw_create(struct
+       if (hdw_desc->flag_is_experimental) {
+               pvr2_trace(PVR2_TRACE_INFO, "**********");
+               pvr2_trace(PVR2_TRACE_INFO,
+-                         "WARNING: Support for this device (%s) is experimental.",
++                         "***WARNING*** Support for this device (%s) is experimental.",
+                                                             hdw_desc->description);
+               pvr2_trace(PVR2_TRACE_INFO,
+                          "Important functionality might not be entirely working.");
+--- a/drivers/media/usb/pvrusb2/pvrusb2-i2c-core.c
++++ b/drivers/media/usb/pvrusb2/pvrusb2-i2c-core.c
+@@ -333,11 +333,11 @@ static int i2c_hack_cx25840(struct pvr2_
+       if ((ret != 0) || (*rdata == 0x04) || (*rdata == 0x0a)) {
+               pvr2_trace(PVR2_TRACE_ERROR_LEGS,
+-                         "WARNING: Detected a wedged cx25840 chip; the device will not work.");
++                         "***WARNING*** Detected a wedged cx25840 chip; the device will not work.");
+               pvr2_trace(PVR2_TRACE_ERROR_LEGS,
+-                         "WARNING: Try power cycling the pvrusb2 device.");
++                         "***WARNING*** Try power cycling the pvrusb2 device.");
+               pvr2_trace(PVR2_TRACE_ERROR_LEGS,
+-                         "WARNING: Disabling further access to the device to prevent other foul-ups.");
++                         "***WARNING*** Disabling further access to the device to prevent other foul-ups.");
+               // This blocks all further communication with the part.
+               hdw->i2c_func[0x44] = NULL;
+               pvr2_hdw_render_useless(hdw);
+--- a/drivers/media/usb/pvrusb2/pvrusb2-std.c
++++ b/drivers/media/usb/pvrusb2/pvrusb2-std.c
+@@ -343,7 +343,7 @@ struct v4l2_standard *pvr2_std_create_en
+               bcnt = pvr2_std_id_to_str(buf,sizeof(buf),fmsk);
+               pvr2_trace(
+                       PVR2_TRACE_ERROR_LEGS,
+-                      "WARNING: Failed to classify the following standard(s): %.*s",
++                      "***WARNING*** Failed to classify the following standard(s): %.*s",
+                       bcnt,buf);
+       }
diff --git a/queue-5.2/media-radio-raremono-change-devm_k-alloc-to-k-alloc.patch b/queue-5.2/media-radio-raremono-change-devm_k-alloc-to-k-alloc.patch
new file mode 100644 (file)
index 0000000..3143564
--- /dev/null
@@ -0,0 +1,108 @@
+From c666355e60ddb4748ead3bdd983e3f7f2224aaf0 Mon Sep 17 00:00:00 2001
+From: Luke Nowakowski-Krijger <lnowakow@eng.ucsd.edu>
+Date: Fri, 21 Jun 2019 21:04:38 -0400
+Subject: media: radio-raremono: change devm_k*alloc to k*alloc
+
+From: Luke Nowakowski-Krijger <lnowakow@eng.ucsd.edu>
+
+commit c666355e60ddb4748ead3bdd983e3f7f2224aaf0 upstream.
+
+Change devm_k*alloc to k*alloc to manually allocate memory
+
+The manual allocation and freeing of memory is necessary because when
+the USB radio is disconnected, the memory associated with devm_k*alloc
+is freed. Meaning if we still have unresolved references to the radio
+device, then we get use-after-free errors.
+
+This patch fixes this by manually allocating memory, and freeing it in
+the v4l2.release callback that gets called when the last radio device
+exits.
+
+Reported-and-tested-by: syzbot+a4387f5b6b799f6becbf@syzkaller.appspotmail.com
+
+Signed-off-by: Luke Nowakowski-Krijger <lnowakow@eng.ucsd.edu>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+[hverkuil-cisco@xs4all.nl: cleaned up two small checkpatch.pl warnings]
+[hverkuil-cisco@xs4all.nl: prefix subject with driver name]
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/radio/radio-raremono.c |   30 +++++++++++++++++++++++-------
+ 1 file changed, 23 insertions(+), 7 deletions(-)
+
+--- a/drivers/media/radio/radio-raremono.c
++++ b/drivers/media/radio/radio-raremono.c
+@@ -271,6 +271,14 @@ static int vidioc_g_frequency(struct fil
+       return 0;
+ }
++static void raremono_device_release(struct v4l2_device *v4l2_dev)
++{
++      struct raremono_device *radio = to_raremono_dev(v4l2_dev);
++
++      kfree(radio->buffer);
++      kfree(radio);
++}
++
+ /* File system interface */
+ static const struct v4l2_file_operations usb_raremono_fops = {
+       .owner          = THIS_MODULE,
+@@ -295,12 +303,14 @@ static int usb_raremono_probe(struct usb
+       struct raremono_device *radio;
+       int retval = 0;
+-      radio = devm_kzalloc(&intf->dev, sizeof(struct raremono_device), GFP_KERNEL);
+-      if (radio)
+-              radio->buffer = devm_kmalloc(&intf->dev, BUFFER_LENGTH, GFP_KERNEL);
+-
+-      if (!radio || !radio->buffer)
++      radio = kzalloc(sizeof(*radio), GFP_KERNEL);
++      if (!radio)
++              return -ENOMEM;
++      radio->buffer = kmalloc(BUFFER_LENGTH, GFP_KERNEL);
++      if (!radio->buffer) {
++              kfree(radio);
+               return -ENOMEM;
++      }
+       radio->usbdev = interface_to_usbdev(intf);
+       radio->intf = intf;
+@@ -324,7 +334,8 @@ static int usb_raremono_probe(struct usb
+       if (retval != 3 ||
+           (get_unaligned_be16(&radio->buffer[1]) & 0xfff) == 0x0242) {
+               dev_info(&intf->dev, "this is not Thanko's Raremono.\n");
+-              return -ENODEV;
++              retval = -ENODEV;
++              goto free_mem;
+       }
+       dev_info(&intf->dev, "Thanko's Raremono connected: (%04X:%04X)\n",
+@@ -333,7 +344,7 @@ static int usb_raremono_probe(struct usb
+       retval = v4l2_device_register(&intf->dev, &radio->v4l2_dev);
+       if (retval < 0) {
+               dev_err(&intf->dev, "couldn't register v4l2_device\n");
+-              return retval;
++              goto free_mem;
+       }
+       mutex_init(&radio->lock);
+@@ -345,6 +356,7 @@ static int usb_raremono_probe(struct usb
+       radio->vdev.ioctl_ops = &usb_raremono_ioctl_ops;
+       radio->vdev.lock = &radio->lock;
+       radio->vdev.release = video_device_release_empty;
++      radio->v4l2_dev.release = raremono_device_release;
+       usb_set_intfdata(intf, &radio->v4l2_dev);
+@@ -360,6 +372,10 @@ static int usb_raremono_probe(struct usb
+       }
+       dev_err(&intf->dev, "could not register video device\n");
+       v4l2_device_unregister(&radio->v4l2_dev);
++
++free_mem:
++      kfree(radio->buffer);
++      kfree(radio);
+       return retval;
+ }
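Review bot: The `video_register_device()` failure path now calls `v4l2_device_unregister()` and then falls into `free_mem`, which `kfree()`s `radio` directly even though `radio->v4l2_dev.release` was already set to `raremono_device_release()` two hunks above. That is a single free only because `v4l2_device_unregister()` does not drop the reference taken by `v4l2_device_register()` — a property of the v4l2 core that is not visible here and is the reason nobody should later "fix" this path by adding a `v4l2_device_put()`. A comment at the label would record it: `/* v4l2_device_unregister() keeps the ref, so release() will not run: free by hand */`. The `v4l2_device_put()` in the disconnect path, which is what must now trigger `raremono_device_release()`, is outside this patch; if it is not there, the manually allocated memory now leaks rather than being freed early.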
diff --git a/queue-5.2/nfs-cleanup-if-nfs_match_client-is-interrupted.patch b/queue-5.2/nfs-cleanup-if-nfs_match_client-is-interrupted.patch
new file mode 100644 (file)
index 0000000..af3c779
--- /dev/null
@@ -0,0 +1,37 @@
+From 9f7761cf0409465075dadb875d5d4b8ef2f890c8 Mon Sep 17 00:00:00 2001
+From: Benjamin Coddington <bcodding@redhat.com>
+Date: Tue, 11 Jun 2019 12:57:52 -0400
+Subject: NFS: Cleanup if nfs_match_client is interrupted
+
+From: Benjamin Coddington <bcodding@redhat.com>
+
+commit 9f7761cf0409465075dadb875d5d4b8ef2f890c8 upstream.
+
+Don't bail out before cleaning up a new allocation if the wait for
+searching for a matching nfs client is interrupted.  Memory leaks.
+
+Reported-by: syzbot+7fe11b49c1cc30e3fce2@syzkaller.appspotmail.com
+Fixes: 950a578c6128 ("NFS: make nfs_match_client killable")
+Signed-off-by: Benjamin Coddington <bcodding@redhat.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/client.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/nfs/client.c
++++ b/fs/nfs/client.c
+@@ -406,10 +406,10 @@ struct nfs_client *nfs_get_client(const
+               clp = nfs_match_client(cl_init);
+               if (clp) {
+                       spin_unlock(&nn->nfs_client_lock);
+-                      if (IS_ERR(clp))
+-                              return clp;
+                       if (new)
+                               new->rpc_ops->free_client(new);
++                      if (IS_ERR(clp))
++                              return clp;
+                       return nfs_found_client(cl_init, clp);
+               }
+               if (new) {
index 36b2974fb9feab460d5fe6c2c8e6c04a4dbaa7bb..35da8d2c11004a6aba8a8e33be9c82e40491dfcd 100644 (file)
@@ -1 +1,11 @@
 vsock-correct-removal-of-socket-from-the-list.patch
+isdn-hfcsusb-checking-idx-of-ep-configuration.patch
+alsa-usb-audio-sanity-checks-for-each-pipe-and-ep-types.patch
+bpf-fix-null-deref-in-btf_type_is_resolve_source_only.patch
+media-au0828-fix-null-dereference-in-error-path.patch
+ath10k-change-the-warning-message-string.patch
+media-cpia2_usb-first-wake-up-then-free-in-disconnect.patch
+media-pvrusb2-use-a-different-format-for-warnings.patch
+nfs-cleanup-if-nfs_match_client-is-interrupted.patch
+media-radio-raremono-change-devm_k-alloc-to-k-alloc.patch
+xfrm-policy-fix-bydst-hlist-corruption-on-hash-rebuild.patch
diff --git a/queue-5.2/xfrm-policy-fix-bydst-hlist-corruption-on-hash-rebuild.patch b/queue-5.2/xfrm-policy-fix-bydst-hlist-corruption-on-hash-rebuild.patch
new file mode 100644 (file)
index 0000000..3ddca1b
--- /dev/null
@@ -0,0 +1,150 @@
+From fd709721352dd5239056eacaded00f2244e6ef58 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Tue, 2 Jul 2019 12:46:00 +0200
+Subject: xfrm: policy: fix bydst hlist corruption on hash rebuild
+
+From: Florian Westphal <fw@strlen.de>
+
+commit fd709721352dd5239056eacaded00f2244e6ef58 upstream.
+
+syzbot reported following spat:
+
+BUG: KASAN: use-after-free in __write_once_size include/linux/compiler.h:221
+BUG: KASAN: use-after-free in hlist_del_rcu include/linux/rculist.h:455
+BUG: KASAN: use-after-free in xfrm_hash_rebuild+0xa0d/0x1000 net/xfrm/xfrm_policy.c:1318
+Write of size 8 at addr ffff888095e79c00 by task kworker/1:3/8066
+Workqueue: events xfrm_hash_rebuild
+Call Trace:
+ __write_once_size include/linux/compiler.h:221 [inline]
+ hlist_del_rcu include/linux/rculist.h:455 [inline]
+ xfrm_hash_rebuild+0xa0d/0x1000 net/xfrm/xfrm_policy.c:1318
+ process_one_work+0x814/0x1130 kernel/workqueue.c:2269
+Allocated by task 8064:
+ __kmalloc+0x23c/0x310 mm/slab.c:3669
+ kzalloc include/linux/slab.h:742 [inline]
+ xfrm_hash_alloc+0x38/0xe0 net/xfrm/xfrm_hash.c:21
+ xfrm_policy_init net/xfrm/xfrm_policy.c:4036 [inline]
+ xfrm_net_init+0x269/0xd60 net/xfrm/xfrm_policy.c:4120
+ ops_init+0x336/0x420 net/core/net_namespace.c:130
+ setup_net+0x212/0x690 net/core/net_namespace.c:316
+
+The faulting address is the address of the old chain head,
+free'd by xfrm_hash_resize().
+
+In xfrm_hash_rehash(), chain heads get re-initialized without
+any hlist_del_rcu:
+
+ for (i = hmask; i >= 0; i--)
+    INIT_HLIST_HEAD(odst + i);
+
+Then, hlist_del_rcu() gets called on the about to-be-reinserted policy
+when iterating the per-net list of policies.
+
+hlist_del_rcu() will then make chain->first be nonzero again:
+
+static inline void __hlist_del(struct hlist_node *n)
+{
+   struct hlist_node *next = n->next;   // address of next element in list
+   struct hlist_node **pprev = n->pprev;// location of previous elem, this
+                                        // can point at chain->first
+        WRITE_ONCE(*pprev, next);       // chain->first points to next elem
+        if (next)
+                next->pprev = pprev;
+
+Then, when we walk chainlist to find insertion point, we may find a
+non-empty list even though we're supposedly reinserting the first
+policy to an empty chain.
+
+To fix this first unlink all exact and inexact policies instead of
+zeroing the list heads.
+
+Add the commands equivalent to the syzbot reproducer to xfrm_policy.sh,
+without fix KASAN catches the corruption as it happens, SLUB poisoning
+detects it a bit later.
+
+Reported-by: syzbot+0165480d4ef07360eeda@syzkaller.appspotmail.com
+Fixes: 1548bc4e0512 ("xfrm: policy: delete inexact policies from inexact list on hash rebuild")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/xfrm/xfrm_policy.c                     |   12 +++++++-----
+ tools/testing/selftests/net/xfrm_policy.sh |   27 ++++++++++++++++++++++++++-
+ 2 files changed, 33 insertions(+), 6 deletions(-)
+
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -1280,13 +1280,17 @@ static void xfrm_hash_rebuild(struct wor
+               hlist_for_each_entry_safe(policy, n,
+                                         &net->xfrm.policy_inexact[dir],
+-                                        bydst_inexact_list)
++                                        bydst_inexact_list) {
++                      hlist_del_rcu(&policy->bydst);
+                       hlist_del_init(&policy->bydst_inexact_list);
++              }
+               hmask = net->xfrm.policy_bydst[dir].hmask;
+               odst = net->xfrm.policy_bydst[dir].table;
+-              for (i = hmask; i >= 0; i--)
+-                      INIT_HLIST_HEAD(odst + i);
++              for (i = hmask; i >= 0; i--) {
++                      hlist_for_each_entry_safe(policy, n, odst + i, bydst)
++                              hlist_del_rcu(&policy->bydst);
++              }
+               if ((dir & XFRM_POLICY_MASK) == XFRM_POLICY_OUT) {
+                       /* dir out => dst = remote, src = local */
+                       net->xfrm.policy_bydst[dir].dbits4 = rbits4;
+@@ -1315,8 +1319,6 @@ static void xfrm_hash_rebuild(struct wor
+               chain = policy_hash_bysel(net, &policy->selector,
+                                         policy->family, dir);
+-              hlist_del_rcu(&policy->bydst);
+-
+               if (!chain) {
+                       void *p = xfrm_policy_inexact_insert(policy, dir, 0);
+--- a/tools/testing/selftests/net/xfrm_policy.sh
++++ b/tools/testing/selftests/net/xfrm_policy.sh
+@@ -257,6 +257,29 @@ check_exceptions()
+       return $lret
+ }
++check_hthresh_repeat()
++{
++      local log=$1
++      i=0
++
++      for i in $(seq 1 10);do
++              ip -net ns1 xfrm policy update src e000:0001::0000 dst ff01::0014:0000:0001 dir in tmpl src :: dst :: proto esp mode tunnel priority 100 action allow || break
++              ip -net ns1 xfrm policy set hthresh6 0 28 || break
++
++              ip -net ns1 xfrm policy update src e000:0001::0000 dst ff01::01 dir in tmpl src :: dst :: proto esp mode tunnel priority 100 action allow || break
++              ip -net ns1 xfrm policy set hthresh6 0 28 || break
++      done
++
++      if [ $i -ne 10 ] ;then
++              echo "FAIL: $log" 1>&2
++              ret=1
++              return 1
++      fi
++
++      echo "PASS: $log"
++      return 0
++}
++
+ #check for needed privileges
+ if [ "$(id -u)" -ne 0 ];then
+       echo "SKIP: Need root privileges"
+@@ -404,7 +427,9 @@ for n in ns3 ns4;do
+       ip -net $n xfrm policy set hthresh4 32 32 hthresh6 128 128
+       sleep $((RANDOM%5))
+ done
+-check_exceptions "exceptions and block policies after hresh change to normal"
++check_exceptions "exceptions and block policies after htresh change to normal"
++
++check_hthresh_repeat "policies with repeated htresh change"
+ for i in 1 2 3 4;do ip netns del ns$i;done
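Review bot: In `check_hthresh_repeat()` a failure on the last iteration is reported as PASS: each `|| break` leaves `$i` at the value `seq` assigned, so when the tenth `ip ... update` or `ip ... set` fails the loop exits with `i=10` and `[ $i -ne 10 ]` is false. Replace the four `|| break` clauses with `|| { i=0; break; }` (the `i=0` initialisation already exists above the loop) so that any break fails the check, or track success in a dedicated flag variable. The C side of the hunk reads correctly to me: both unlink loops run before the chain heads are reused, and the old per-policy `hlist_del_rcu()` at the reinsertion site is removed rather than duplicated; `xfrm_hash_rebuild()` begins and ends outside the hunk.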