floppy-check-fdc-index-for-errors-before-assigning-it.patch
staging-android-ashmem-disallow-ashmem-memory-from-being-remapped.patch
staging-vt6656-fix-sign-of-rx_dbm-to-bb_pre_ed_rssi.patch
+usb-uas-fix-a-plug-unplug-racing.patch
+usb-fix-novation-sourcecontrol-xl-after-suspend.patch
+usb-hub-don-t-record-a-connect-change-event-during-reset-resume.patch
+staging-rtl8188eu-fix-potential-security-hole.patch
+staging-rtl8188eu-fix-potential-overuse-of-kernel-memory.patch
--- /dev/null
+From 4ddf8ab8d15ddbc52eefb44eb64e38466ce1f70f Mon Sep 17 00:00:00 2001
+From: Larry Finger <Larry.Finger@lwfinger.net>
+Date: Mon, 10 Feb 2020 12:02:32 -0600
+Subject: staging: rtl8188eu: Fix potential overuse of kernel memory
+
+From: Larry Finger <Larry.Finger@lwfinger.net>
+
+commit 4ddf8ab8d15ddbc52eefb44eb64e38466ce1f70f upstream.
+
+In routine wpa_supplicant_ioctl(), the user-controlled p->length is
+checked to be at least the size of struct ieee_param size, but the code
+does not detect the case where p->length is greater than the size
+of the struct, thus a malicious user could be wasting kernel memory.
+Fixes commit a2c60d42d97c ("Add files for new driver - part 16").
+
+Reported by: Pietro Oliva <pietroliva@gmail.com>
+Cc: Pietro Oliva <pietroliva@gmail.com>
+Cc: Stable <stable@vger.kernel.org>
+Fixes commit a2c60d42d97c ("Add files for new driver - part 16").
+Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
+Link: https://lore.kernel.org/r/20200210180235.21691-4-Larry.Finger@lwfinger.net
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/rtl8188eu/os_dep/ioctl_linux.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
++++ b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
+@@ -2054,7 +2054,7 @@ static int wpa_supplicant_ioctl(struct n
+ struct ieee_param *param;
+ uint ret = 0;
+
+- if (p->length < sizeof(struct ieee_param) || !p->pointer) {
++ if (!p->pointer || p->length != sizeof(struct ieee_param)) {
+ ret = -EINVAL;
+ goto out;
+ }
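Review bot: The new test `p->length != sizeof(struct ieee_param)` in wpa_supplicant_ioctl() rejects every request longer than the struct, not only oversized ones, and the second rtl8188eu patch adds the same exact-match test to rtw_hostapd_ioctl(). If any command handled later in these functions expects payload bytes after the struct, those requests now fail with -EINVAL; the bodies continue outside the hunks, so this cannot be confirmed here. In that case a bounded range such as `p->length < sizeof(struct ieee_param) || p->length > MAX_PARAM_LEN` (placeholder name for a driver-chosen limit) would still cap the memory a caller can request without changing the accepted format. Separately, the context line declares `uint ret = 0;` while the branch stores `-EINVAL`; `int ret = 0;` would match the function's int return type.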
--- /dev/null
+From 499c405b2b80bb3a04425ba3541d20305e014d3e Mon Sep 17 00:00:00 2001
+From: Larry Finger <Larry.Finger@lwfinger.net>
+Date: Mon, 10 Feb 2020 12:02:30 -0600
+Subject: staging: rtl8188eu: Fix potential security hole
+
+From: Larry Finger <Larry.Finger@lwfinger.net>
+
+commit 499c405b2b80bb3a04425ba3541d20305e014d3e upstream.
+
+In routine rtw_hostapd_ioctl(), the user-controlled p->length is assumed
+to be at least the size of struct ieee_param size, but this assumption is
+never checked. This could result in out-of-bounds read/write on kernel
+heap in case a p->length less than the size of struct ieee_param is
+specified by the user. If p->length is allowed to be greater than the size
+of the struct, then a malicious user could be wasting kernel memory.
+Fixes commit a2c60d42d97c ("Add files for new driver - part 16").
+
+Reported by: Pietro Oliva <pietroliva@gmail.com>
+Cc: Pietro Oliva <pietroliva@gmail.com>
+Cc: Stable <stable@vger.kernel.org>
+Fixes: a2c60d42d97c ("staging: r8188eu: Add files for new driver - part 16")
+Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
+Link: https://lore.kernel.org/r/20200210180235.21691-2-Larry.Finger@lwfinger.net
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/rtl8188eu/os_dep/ioctl_linux.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
++++ b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
+@@ -2859,7 +2859,7 @@ static int rtw_hostapd_ioctl(struct net_
+ goto out;
+ }
+
+- if (!p->pointer) {
++ if (!p->pointer || p->length != sizeof(struct ieee_param)) {
+ ret = -EINVAL;
+ goto out;
+ }
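Review bot: The added length test in rtw_hostapd_ioctl() carries no comment saying why an exact match is required; the reason is given only in the commit message. A line above the check such as `/* p->length is user-controlled: a shorter buffer makes later struct ieee_param field accesses run out of bounds */` would stop a later edit from relaxing it. The function starts and continues outside the hunk, so how `p->length` is used after this point is not visible here.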
--- /dev/null
+From b692056db8ecc7f452b934f016c17348282b7699 Mon Sep 17 00:00:00 2001
+From: Richard Dodd <richard.o.dodd@gmail.com>
+Date: Wed, 12 Feb 2020 14:22:18 +0000
+Subject: USB: Fix novation SourceControl XL after suspend
+
+From: Richard Dodd <richard.o.dodd@gmail.com>
+
+commit b692056db8ecc7f452b934f016c17348282b7699 upstream.
+
+Currently, the SourceControl will stay in power-down mode after resuming
+from suspend. This patch resets the device after suspend to power it up.
+
+Signed-off-by: Richard Dodd <richard.o.dodd@gmail.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200212142220.36892-1-richard.o.dodd@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/quirks.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/core/quirks.c
++++ b/drivers/usb/core/quirks.c
+@@ -291,6 +291,9 @@ static const struct usb_device_id usb_qu
+ /* INTEL VALUE SSD */
+ { USB_DEVICE(0x8086, 0xf1a5), .driver_info = USB_QUIRK_RESET_RESUME },
+
++ /* novation SoundControl XL */
++ { USB_DEVICE(0x1235, 0x0061), .driver_info = USB_QUIRK_RESET_RESUME },
++
+ { } /* terminating entry must be last */
+ };
+
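Review bot: The comment on the new entry reads `/* novation SoundControl XL */`, while the patch subject and description call the device "SourceControl XL", so one of the two is misspelled. The table comment is what people will search for later and should carry the product name exactly as the vendor writes it. The 0x1235 entry is also placed after the 0x8086 entry; if the table is kept sorted by vendor/product ID, it belongs earlier in the list, though only the neighbouring entry is visible here. The table starts outside the hunk.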
--- /dev/null
+From 8099f58f1ecddf4f374f4828a3dff8397c7cbd74 Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Fri, 31 Jan 2020 10:39:26 -0500
+Subject: USB: hub: Don't record a connect-change event during reset-resume
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit 8099f58f1ecddf4f374f4828a3dff8397c7cbd74 upstream.
+
+Paul Zimmerman reports that his USB Bluetooth adapter sometimes
+crashes following system resume, when it receives a
+Get-Device-Descriptor request while it is busy doing something else.
+
+Such a request was added by commit a4f55d8b8c14 ("usb: hub: Check
+device descriptor before resusciation"). It gets sent when the hub
+driver's work thread checks whether a connect-change event on an
+enabled port really indicates a new device has been connected, as
+opposed to an old device momentarily disconnecting and then
+reconnecting (which can happen with xHCI host controllers, since they
+automatically enable connected ports).
+
+The same kind of thing occurs when a port's power session is lost
+during system suspend. When the system wakes up it sees a
+connect-change event on the port, and if the child device's
+persist_enabled flag was set then hub_activate() sets the device's
+reset_resume flag as well as the port's bit in hub->change_bits. The
+reset-resume code then takes responsibility for checking that the same
+device is still attached to the port, and it does this as part of the
+device's resume pathway. By the time the hub driver's work thread
+starts up again, the device has already been fully reinitialized and
+is busy doing its own thing. There's no need for the work thread to
+do the same check a second time, and in fact this unnecessary check is
+what caused the problem that Paul observed.
+
+Note that performing the unnecessary check is not actually a bug.
+Devices are supposed to be able to send descriptors back to the host
+even when they are busy doing something else. The underlying cause of
+Paul's problem lies in his Bluetooth adapter. Nevertheless, we
+shouldn't perform the same check twice in a row -- and as a nice side
+benefit, removing the extra check allows the Bluetooth adapter to work
+more reliably.
+
+The work thread performs its check when it sees that the port's bit is
+set in hub->change_bits. In this situation that bit is interpreted as
+though a connect-change event had occurred on the port _after_ the
+reset-resume, which is not what actually happened.
+
+One possible fix would be to make the reset-resume code clear the
+port's bit in hub->change_bits. But it seems simpler to just avoid
+setting the bit during hub_activate() in the first place. That's what
+this patch does.
+
+(Proving that the patch is correct when CONFIG_PM is disabled requires
+a little thought. In that setting hub_activate() will be called only
+for initialization and resets, since there won't be any resumes or
+reset-resumes. During initialization and hub resets the hub doesn't
+have any child devices, and so this code path never gets executed.)
+
+Reported-and-tested-by: Paul Zimmerman <pauldzim@gmail.com>
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Link: https://marc.info/?t=157949360700001&r=1&w=2
+CC: David Heinzelmann <heinzelmann.david@gmail.com>
+CC: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/Pine.LNX.4.44L0.2001311037460.1577-100000@iolanthe.rowland.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/hub.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -1171,11 +1171,6 @@ static void hub_activate(struct usb_hub
+ #ifdef CONFIG_PM
+ udev->reset_resume = 1;
+ #endif
+- /* Don't set the change_bits when the device
+- * was powered off.
+- */
+- if (test_bit(port1, hub->power_bits))
+- set_bit(port1, hub->change_bits);
+
+ } else {
+ /* The power session is gone; tell hub_wq */
--- /dev/null
+From 3e99862c05a9caa5a27969f41566b428696f5a9a Mon Sep 17 00:00:00 2001
+From: EJ Hsu <ejh@nvidia.com>
+Date: Thu, 30 Jan 2020 01:25:06 -0800
+Subject: usb: uas: fix a plug & unplug racing
+
+From: EJ Hsu <ejh@nvidia.com>
+
+commit 3e99862c05a9caa5a27969f41566b428696f5a9a upstream.
+
+When a uas disk is plugged into an external hub, uas_probe()
+will be called by the hub thread to do the probe. It will
+first create a SCSI host and then do the scan for this host.
+During the scan, it will probe the LUN using SCSI INQUERY command
+which will be packed in the URB and submitted to uas disk.
+
+There might be a chance that this external hub with uas disk
+attached is unplugged during the scan. In this case, uas driver
+will fail to submit the URB (due to the NOTATTACHED state of uas
+device) and try to put this SCSI command back to request queue
+waiting for next chance to run.
+
+In normal case, this cycle will terminate when hub thread gets
+disconnection event and calls into uas_disconnect() accordingly.
+But in this case, uas_disconnect() will not be called because
+hub thread of external hub gets stuck waiting for the completion
+of this SCSI command. A deadlock happened.
+
+In this fix, uas will call scsi_scan_host() asynchronously to
+avoid the blocking of hub thread.
+
+Signed-off-by: EJ Hsu <ejh@nvidia.com>
+Acked-by: Oliver Neukum <oneukum@suse.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200130092506.102760-1-ejh@nvidia.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/storage/uas.c | 23 ++++++++++++++++++++++-
+ 1 file changed, 22 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/storage/uas.c
++++ b/drivers/usb/storage/uas.c
+@@ -46,6 +46,7 @@ struct uas_dev_info {
+ struct scsi_cmnd *cmnd[MAX_CMNDS];
+ spinlock_t lock;
+ struct work_struct work;
++ struct work_struct scan_work; /* for async scanning */
+ };
+
+ enum {
+@@ -115,6 +116,17 @@ out:
+ spin_unlock_irqrestore(&devinfo->lock, flags);
+ }
+
++static void uas_scan_work(struct work_struct *work)
++{
++ struct uas_dev_info *devinfo =
++ container_of(work, struct uas_dev_info, scan_work);
++ struct Scsi_Host *shost = usb_get_intfdata(devinfo->intf);
++
++ dev_dbg(&devinfo->intf->dev, "starting scan\n");
++ scsi_scan_host(shost);
++ dev_dbg(&devinfo->intf->dev, "scan complete\n");
++}
++
+ static void uas_add_work(struct uas_cmd_info *cmdinfo)
+ {
+ struct scsi_pointer *scp = (void *)cmdinfo;
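Review bot: uas_scan_work() has no comment stating its lifetime contract: it dereferences `devinfo->intf` and the interface data from a workqueue, so it is only safe while every teardown path cancels `scan_work` before those objects are released. The uas_disconnect() hunk does this with `cancel_work_sync()` ahead of `scsi_remove_host()`. Whether other paths not shown here (for example reset or suspend handling) need the same treatment cannot be determined from the patch. A header comment such as `/* Runs from the system workqueue; uas_disconnect() must cancel_work_sync() this before the host is removed */` would record that dependency.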
+@@ -929,6 +941,7 @@ static int uas_probe(struct usb_interfac
+ init_usb_anchor(&devinfo->data_urbs);
+ spin_lock_init(&devinfo->lock);
+ INIT_WORK(&devinfo->work, uas_do_work);
++ INIT_WORK(&devinfo->scan_work, uas_scan_work);
+
+ result = uas_configure_endpoints(devinfo);
+ if (result)
+@@ -945,7 +958,9 @@ static int uas_probe(struct usb_interfac
+ if (result)
+ goto free_streams;
+
+- scsi_scan_host(shost);
++ /* Submit the delayed_work for SCSI-device scanning */
++ schedule_work(&devinfo->scan_work);
++
+ return result;
+
+ free_streams:
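Review bot: The added comment says `/* Submit the delayed_work for SCSI-device scanning */`, but `scan_work` is declared as a plain `struct work_struct` and queued with `schedule_work()`, so no delayed_work is involved. Suggest `/* Scan asynchronously so the hub thread is not blocked in probe */`, which also records why the direct `scsi_scan_host()` call was replaced. uas_probe() begins and ends outside the hunk.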
+@@ -1113,6 +1128,12 @@ static void uas_disconnect(struct usb_in
+ usb_kill_anchored_urbs(&devinfo->data_urbs);
+ uas_zap_pending(devinfo, DID_NO_CONNECT);
+
++ /*
++ * Prevent SCSI scanning (if it hasn't started yet)
++ * or wait for the SCSI-scanning routine to stop.
++ */
++ cancel_work_sync(&devinfo->scan_work);
++
+ scsi_remove_host(shost);
+ uas_free_streams(devinfo);
+ scsi_host_put(shost);