4.9-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 31 Jul 2019 16:09:15 +0000 (18:09 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 31 Jul 2019 16:09:15 +0000 (18:09 +0200)
added patches:
isdn-hfcsusb-checking-idx-of-ep-configuration.patch
media-au0828-fix-null-dereference-in-error-path.patch
media-cpia2_usb-first-wake-up-then-free-in-disconnect.patch
media-radio-raremono-change-devm_k-alloc-to-k-alloc.patch

queue-4.9/isdn-hfcsusb-checking-idx-of-ep-configuration.patch [new file with mode: 0644]
queue-4.9/media-au0828-fix-null-dereference-in-error-path.patch [new file with mode: 0644]
queue-4.9/media-cpia2_usb-first-wake-up-then-free-in-disconnect.patch [new file with mode: 0644]
queue-4.9/media-radio-raremono-change-devm_k-alloc-to-k-alloc.patch [new file with mode: 0644]
queue-4.9/series

diff --git a/queue-4.9/isdn-hfcsusb-checking-idx-of-ep-configuration.patch b/queue-4.9/isdn-hfcsusb-checking-idx-of-ep-configuration.patch
new file mode 100644 (file)
index 0000000..f6624d5
--- /dev/null
@@ -0,0 +1,45 @@
+From f384e62a82ba5d85408405fdd6aeff89354deaa9 Mon Sep 17 00:00:00 2001
+From: Phong Tran <tranmanphong@gmail.com>
+Date: Mon, 15 Jul 2019 22:08:14 +0700
+Subject: ISDN: hfcsusb: checking idx of ep configuration
+
+From: Phong Tran <tranmanphong@gmail.com>
+
+commit f384e62a82ba5d85408405fdd6aeff89354deaa9 upstream.
+
+The syzbot test with random endpoint address which made the idx is
+overflow in the table of endpoint configuations.
+
+this adds the checking for fixing the error report from
+syzbot
+
+KASAN: stack-out-of-bounds Read in hfcsusb_probe [1]
+The patch tested by syzbot [2]
+
+Reported-by: syzbot+8750abbc3a46ef47d509@syzkaller.appspotmail.com
+
+[1]:
+https://syzkaller.appspot.com/bug?id=30a04378dac680c5d521304a00a86156bb913522
+[2]:
+https://groups.google.com/d/msg/syzkaller-bugs/_6HBdge8F3E/OJn7wVNpBAAJ
+
+Signed-off-by: Phong Tran <tranmanphong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/isdn/hardware/mISDN/hfcsusb.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/isdn/hardware/mISDN/hfcsusb.c
++++ b/drivers/isdn/hardware/mISDN/hfcsusb.c
+@@ -1963,6 +1963,9 @@ hfcsusb_probe(struct usb_interface *intf
+                               /* get endpoint base */
+                               idx = ((ep_addr & 0x7f) - 1) * 2;
++                              if (idx > 15)
++                                      return -EIO;
++
+                               if (ep_addr & 0x80)
+                                       idx++;
+                               attr = ep->desc.bmAttributes;
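Review bot: The new bound `if (idx > 15)` does not reject a descriptor whose endpoint number is 0: `(ep_addr & 0x7f) - 1` is then -1 and idx becomes -2, which passes the check if idx is a signed int (its declaration is outside the hunk) and, going by the commit message, would presumably still be used to index the endpoint configuration table with a negative value. A two-sided guard, `if (idx < 0 || idx > 15)`, closes that case; since ep_addr is taken from a device-supplied descriptor, both bounds matter. The literal 15 should also be tied to the table it protects, e.g. a named constant derived from the array size, rather than left as a magic number. hfcsusb_probe begins and ends outside the hunk.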
diff --git a/queue-4.9/media-au0828-fix-null-dereference-in-error-path.patch b/queue-4.9/media-au0828-fix-null-dereference-in-error-path.patch
new file mode 100644 (file)
index 0000000..e8d4346
--- /dev/null
@@ -0,0 +1,49 @@
+From 6d0d1ff9ff21fbb06b867c13a1d41ce8ddcd8230 Mon Sep 17 00:00:00 2001
+From: Sean Young <sean@mess.org>
+Date: Sun, 19 May 2019 15:28:22 -0400
+Subject: media: au0828: fix null dereference in error path
+
+From: Sean Young <sean@mess.org>
+
+commit 6d0d1ff9ff21fbb06b867c13a1d41ce8ddcd8230 upstream.
+
+au0828_usb_disconnect() gets the au0828_dev struct via usb_get_intfdata,
+so it needs to set up for the error paths.
+
+Reported-by: syzbot+357d86bcb4cca1a2f572@syzkaller.appspotmail.com
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/au0828/au0828-core.c |   12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/media/usb/au0828/au0828-core.c
++++ b/drivers/media/usb/au0828/au0828-core.c
+@@ -630,6 +630,12 @@ static int au0828_usb_probe(struct usb_i
+       /* Setup */
+       au0828_card_setup(dev);
++      /*
++       * Store the pointer to the au0828_dev so it can be accessed in
++       * au0828_usb_disconnect
++       */
++      usb_set_intfdata(interface, dev);
++
+       /* Analog TV */
+       retval = au0828_analog_register(dev, interface);
+       if (retval) {
+@@ -647,12 +653,6 @@ static int au0828_usb_probe(struct usb_i
+       /* Remote controller */
+       au0828_rc_register(dev);
+-      /*
+-       * Store the pointer to the au0828_dev so it can be accessed in
+-       * au0828_usb_disconnect
+-       */
+-      usb_set_intfdata(interface, dev);
+-
+       pr_info("Registered device AU0828 [%s]\n",
+               dev->board.name == NULL ? "Unset" : dev->board.name);
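Review bot: The relocated `usb_set_intfdata(interface, dev)` keeps its old comment, which only says that the disconnect handler reads the pointer; it should also record why the call must now precede `au0828_analog_register()`, otherwise a later cleanup may move it back down. Suggested wording: `/* Must be set before any registration step that can fail: the error path ends in au0828_usb_disconnect(), which fetches dev via usb_get_intfdata() and would dereference NULL otherwise. */`. The error path that reaches the disconnect handler is not visible in the hunk, so that part is taken from the commit message. au0828_usb_probe starts and ends outside the hunk.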
diff --git a/queue-4.9/media-cpia2_usb-first-wake-up-then-free-in-disconnect.patch b/queue-4.9/media-cpia2_usb-first-wake-up-then-free-in-disconnect.patch
new file mode 100644 (file)
index 0000000..20653a3
--- /dev/null
@@ -0,0 +1,44 @@
+From eff73de2b1600ad8230692f00bc0ab49b166512a Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Thu, 9 May 2019 04:57:09 -0400
+Subject: media: cpia2_usb: first wake up, then free in disconnect
+
+From: Oliver Neukum <oneukum@suse.com>
+
+commit eff73de2b1600ad8230692f00bc0ab49b166512a upstream.
+
+Kasan reported a use after free in cpia2_usb_disconnect()
+It first freed everything and then woke up those waiting.
+The reverse order is correct.
+
+Fixes: 6c493f8b28c67 ("[media] cpia2: major overhaul to get it in a working state again")
+
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Reported-by: syzbot+0c90fc937c84f97d0aa6@syzkaller.appspotmail.com
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/cpia2/cpia2_usb.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/usb/cpia2/cpia2_usb.c
++++ b/drivers/media/usb/cpia2/cpia2_usb.c
+@@ -909,7 +909,6 @@ static void cpia2_usb_disconnect(struct
+       cpia2_unregister_camera(cam);
+       v4l2_device_disconnect(&cam->v4l2_dev);
+       mutex_unlock(&cam->v4l2_lock);
+-      v4l2_device_put(&cam->v4l2_dev);
+       if(cam->buffers) {
+               DBG("Wakeup waiting processes\n");
+@@ -921,6 +920,8 @@ static void cpia2_usb_disconnect(struct
+       DBG("Releasing interface\n");
+       usb_driver_release_interface(&cpia2_driver, intf);
++      v4l2_device_put(&cam->v4l2_dev);
++
+       LOG("CPiA2 camera disconnected.\n");
+ }
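Review bot: The moved `v4l2_device_put(&cam->v4l2_dev)` may drop the last reference and free `cam` through its release callback (the commit message attributes the use-after-free to exactly that), so nothing after that line may touch `cam`; the remaining `LOG(...)` does not, but the invariant is only implicit. A comment on the moved line, `/* may free cam via the release callback: keep this last, after the waiters have been woken */`, keeps the ordering the commit establishes from being undone by a later edit. The wakeup block between the two hunks is not visible here, and the function head lies outside the first hunk.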
diff --git a/queue-4.9/media-radio-raremono-change-devm_k-alloc-to-k-alloc.patch b/queue-4.9/media-radio-raremono-change-devm_k-alloc-to-k-alloc.patch
new file mode 100644 (file)
index 0000000..2cc1f6d
--- /dev/null
@@ -0,0 +1,108 @@
+From c666355e60ddb4748ead3bdd983e3f7f2224aaf0 Mon Sep 17 00:00:00 2001
+From: Luke Nowakowski-Krijger <lnowakow@eng.ucsd.edu>
+Date: Fri, 21 Jun 2019 21:04:38 -0400
+Subject: media: radio-raremono: change devm_k*alloc to k*alloc
+
+From: Luke Nowakowski-Krijger <lnowakow@eng.ucsd.edu>
+
+commit c666355e60ddb4748ead3bdd983e3f7f2224aaf0 upstream.
+
+Change devm_k*alloc to k*alloc to manually allocate memory
+
+The manual allocation and freeing of memory is necessary because when
+the USB radio is disconnected, the memory associated with devm_k*alloc
+is freed. Meaning if we still have unresolved references to the radio
+device, then we get use-after-free errors.
+
+This patch fixes this by manually allocating memory, and freeing it in
+the v4l2.release callback that gets called when the last radio device
+exits.
+
+Reported-and-tested-by: syzbot+a4387f5b6b799f6becbf@syzkaller.appspotmail.com
+
+Signed-off-by: Luke Nowakowski-Krijger <lnowakow@eng.ucsd.edu>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+[hverkuil-cisco@xs4all.nl: cleaned up two small checkpatch.pl warnings]
+[hverkuil-cisco@xs4all.nl: prefix subject with driver name]
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/radio/radio-raremono.c |   30 +++++++++++++++++++++++-------
+ 1 file changed, 23 insertions(+), 7 deletions(-)
+
+--- a/drivers/media/radio/radio-raremono.c
++++ b/drivers/media/radio/radio-raremono.c
+@@ -283,6 +283,14 @@ static int vidioc_g_frequency(struct fil
+       return 0;
+ }
++static void raremono_device_release(struct v4l2_device *v4l2_dev)
++{
++      struct raremono_device *radio = to_raremono_dev(v4l2_dev);
++
++      kfree(radio->buffer);
++      kfree(radio);
++}
++
+ /* File system interface */
+ static const struct v4l2_file_operations usb_raremono_fops = {
+       .owner          = THIS_MODULE,
+@@ -307,12 +315,14 @@ static int usb_raremono_probe(struct usb
+       struct raremono_device *radio;
+       int retval = 0;
+-      radio = devm_kzalloc(&intf->dev, sizeof(struct raremono_device), GFP_KERNEL);
+-      if (radio)
+-              radio->buffer = devm_kmalloc(&intf->dev, BUFFER_LENGTH, GFP_KERNEL);
+-
+-      if (!radio || !radio->buffer)
++      radio = kzalloc(sizeof(*radio), GFP_KERNEL);
++      if (!radio)
++              return -ENOMEM;
++      radio->buffer = kmalloc(BUFFER_LENGTH, GFP_KERNEL);
++      if (!radio->buffer) {
++              kfree(radio);
+               return -ENOMEM;
++      }
+       radio->usbdev = interface_to_usbdev(intf);
+       radio->intf = intf;
+@@ -336,7 +346,8 @@ static int usb_raremono_probe(struct usb
+       if (retval != 3 ||
+           (get_unaligned_be16(&radio->buffer[1]) & 0xfff) == 0x0242) {
+               dev_info(&intf->dev, "this is not Thanko's Raremono.\n");
+-              return -ENODEV;
++              retval = -ENODEV;
++              goto free_mem;
+       }
+       dev_info(&intf->dev, "Thanko's Raremono connected: (%04X:%04X)\n",
+@@ -345,7 +356,7 @@ static int usb_raremono_probe(struct usb
+       retval = v4l2_device_register(&intf->dev, &radio->v4l2_dev);
+       if (retval < 0) {
+               dev_err(&intf->dev, "couldn't register v4l2_device\n");
+-              return retval;
++              goto free_mem;
+       }
+       mutex_init(&radio->lock);
+@@ -357,6 +368,7 @@ static int usb_raremono_probe(struct usb
+       radio->vdev.ioctl_ops = &usb_raremono_ioctl_ops;
+       radio->vdev.lock = &radio->lock;
+       radio->vdev.release = video_device_release_empty;
++      radio->v4l2_dev.release = raremono_device_release;
+       usb_set_intfdata(intf, &radio->v4l2_dev);
+@@ -372,6 +384,10 @@ static int usb_raremono_probe(struct usb
+       }
+       dev_err(&intf->dev, "could not register video device\n");
+       v4l2_device_unregister(&radio->v4l2_dev);
++
++free_mem:
++      kfree(radio->buffer);
++      kfree(radio);
+       return retval;
+ }
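Review bot: `raremono_device_release()` at the top of the patch has no comment stating when it runs, and the probe error path after `video_register_device()` fails now frees `radio` directly while `radio->v4l2_dev.release` is already installed; that is safe only as long as no `v4l2_device_put()` happens on that path, which the hunk leaves unstated. Two comments would make both contracts explicit: above the release function, `/* Called by v4l2_device_put() when the last reference drops: the only place radio and its buffer are freed once probe has succeeded */`, and above the `free_mem:` label, `/* No v4l2_device_put() on these paths, so the release callback has not run and probe still owns radio here */`. The disconnect side that is expected to call v4l2_device_put() is outside this patch, so that relationship is inferred from the commit message. usb_raremono_probe's head lies outside the hunk.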
index c328ccfa03f401d1c90cdd6ee0db8673d561c522..38d73384d5c8ec5a85f69c32eb41f7c1814ed9a0 100644 (file)
@@ -213,3 +213,7 @@ tcp-reset-sk_send_head-in-tcp_write_queue_purge.patch
 arm64-dts-marvell-fix-a37xx-uart0-register-size.patch
 i2c-qup-fixed-releasing-dma-without-flush-operation-completion.patch
 arm64-compat-provide-definition-for-compat_sigminstksz.patch
+isdn-hfcsusb-checking-idx-of-ep-configuration.patch
+media-au0828-fix-null-dereference-in-error-path.patch
+media-cpia2_usb-first-wake-up-then-free-in-disconnect.patch
+media-radio-raremono-change-devm_k-alloc-to-k-alloc.patch