From: Greg Kroah-Hartman Date: Sat, 5 Jan 2019 08:34:40 +0000 (+0100) Subject: 3.18-stable patches X-Git-Tag: v4.9.149~62 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=05528cff30d8778c3ed471bff1e4eab99d060aa8;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18-stable patches added patches: usb-r8a66597-fix-a-possible-concurrency-use-after-free-bug-in-r8a66597_endpoint_disable.patch usb-serial-pl2303-add-ids-for-hewlett-packard-hp-pos-pole-displays.patch
---
diff --git a/queue-3.18/series b/queue-3.18/series
index 7fdea4b1462..e067ff0732d 100644
--- a/queue-3.18/series
+++ b/queue-3.18/series
@@ -17,3 +17,5 @@ vhost-make-sure-used-idx-is-seen-before-log-in-vhost_add_used_n.patch
 vsock-send-reset-control-packet-when-socket-is-partially-bound.patch
 xen-netfront-tolerate-frags-with-no-data.patch
 sock-make-sock-sk_stamp-thread-safe.patch
+usb-serial-pl2303-add-ids-for-hewlett-packard-hp-pos-pole-displays.patch
+usb-r8a66597-fix-a-possible-concurrency-use-after-free-bug-in-r8a66597_endpoint_disable.patch
diff --git a/queue-3.18/usb-r8a66597-fix-a-possible-concurrency-use-after-free-bug-in-r8a66597_endpoint_disable.patch b/queue-3.18/usb-r8a66597-fix-a-possible-concurrency-use-after-free-bug-in-r8a66597_endpoint_disable.patch
new file mode 100644
index 00000000000..6bb995236bd
--- /dev/null
+++ b/queue-3.18/usb-r8a66597-fix-a-possible-concurrency-use-after-free-bug-in-r8a66597_endpoint_disable.patch
@@ -0,0 +1,67 @@
+From c85400f886e3d41e69966470879f635a2b50084c Mon Sep 17 00:00:00 2001
+From: Jia-Ju Bai
+Date: Tue, 18 Dec 2018 20:04:25 +0800
+Subject: usb: r8a66597: Fix a possible concurrency use-after-free bug in r8a66597_endpoint_disable()
+
+From: Jia-Ju Bai
+
+commit c85400f886e3d41e69966470879f635a2b50084c upstream.
+
+The function r8a66597_endpoint_disable() and r8a66597_urb_enqueue() may
+be concurrently executed.
+The two functions both access a possible shared variable "hep->hcpriv".
+
+This shared variable is freed by r8a66597_endpoint_disable() via the
+call path:
+r8a66597_endpoint_disable
+ kfree(hep->hcpriv) (line 1995 in Linux-4.19)
+
+This variable is read by r8a66597_urb_enqueue() via the call path:
+r8a66597_urb_enqueue
+ spin_lock_irqsave(&r8a66597->lock)
+ init_pipe_info
+ enable_r8a66597_pipe
+ pipe = hep->hcpriv (line 802 in Linux-4.19)
+
+The read operation is protected by a spinlock, but the free operation
+is not protected by this spinlock, thus a concurrency use-after-free bug
+may occur.
+
+To fix this bug, the spin-lock and spin-unlock function calls in
+r8a66597_endpoint_disable() are moved to protect the free operation.
+
+Signed-off-by: Jia-Ju Bai
+Cc: stable
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/host/r8a66597-hcd.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/host/r8a66597-hcd.c
++++ b/drivers/usb/host/r8a66597-hcd.c
+@@ -1990,6 +1990,8 @@ static int r8a66597_urb_dequeue(struct u
+
+ static void r8a66597_endpoint_disable(struct usb_hcd *hcd,
+ struct usb_host_endpoint *hep)
++__acquires(r8a66597->lock)
++__releases(r8a66597->lock)
+ {
+ struct r8a66597 *r8a66597 = hcd_to_r8a66597(hcd);
+ struct r8a66597_pipe *pipe = (struct r8a66597_pipe *)hep->hcpriv;
+@@ -2002,13 +2004,14 @@ static void r8a66597_endpoint_disable(st
+ return;
+ pipenum = pipe->info.pipenum;
+
++ spin_lock_irqsave(&r8a66597->lock, flags);
+ if (pipenum == 0) {
+ kfree(hep->hcpriv);
+ hep->hcpriv = NULL;
++ spin_unlock_irqrestore(&r8a66597->lock, flags);
+ return;
+ }
+
+- spin_lock_irqsave(&r8a66597->lock, flags);
+ pipe_stop(r8a66597, pipe);
+ pipe_irq_disable(r8a66597, pipenum);
+ disable_irq_empty(r8a66597, pipenum);
diff --git a/queue-3.18/usb-serial-pl2303-add-ids-for-hewlett-packard-hp-pos-pole-displays.patch b/queue-3.18/usb-serial-pl2303-add-ids-for-hewlett-packard-hp-pos-pole-displays.patch
new file mode 100644
index 00000000000..440eff49bd0
--- /dev/null
+++ b/queue-3.18/usb-serial-pl2303-add-ids-for-hewlett-packard-hp-pos-pole-displays.patch
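Review bot: In the queued r8a66597 patch, r8a66597_endpoint_disable() still loads `pipe` from `hep->hcpriv` in its declaration and dereferences it in `pipenum = pipe->info.pipenum;` before the added `spin_lock_irqsave(&r8a66597->lock, flags);`, so the lock serializes the kfree() but not the read that decides what is freed. If another context can free or replace hep->hcpriv while holding r8a66597->lock (not visible in these hunks), this path could still dereference a stale pipe or free it twice. Taking the lock first and doing the load, the NULL check and the pipenum fetch inside the critical section would close that window; the `return;` that opens the second inner hunk presumably belongs to that NULL check, which starts outside the hunk, and the function body also continues past it. A one-line comment above the lock stating that r8a66597->lock guards hep->hcpriv would document the invariant the fix relies on.

```c
	struct r8a66597_pipe *pipe;
	/* … unchanged: remaining declarations … */

	/* r8a66597->lock guards hep->hcpriv: read, check and free under it */
	spin_lock_irqsave(&r8a66597->lock, flags);
	pipe = (struct r8a66597_pipe *)hep->hcpriv;
	if (pipe == NULL) {
		spin_unlock_irqrestore(&r8a66597->lock, flags);
		return;
	}
	pipenum = pipe->info.pipenum;
	if (pipenum == 0) {
		/* … unchanged: kfree, clear hcpriv, unlock, return … */
```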
@@ -0,0 +1,61 @@
+From 8d503f206c336677954160ac62f0c7d9c219cd89 Mon Sep 17 00:00:00 2001
+From: Scott Chen
+Date: Thu, 13 Dec 2018 06:01:47 -0500
+Subject: USB: serial: pl2303: add ids for Hewlett-Packard HP POS pole displays
+
+From: Scott Chen
+
+commit 8d503f206c336677954160ac62f0c7d9c219cd89 upstream.
+
+Add device ids to pl2303 for the HP POS pole displays:
+LM920: 03f0:026b
+TD620: 03f0:0956
+LD960TA: 03f0:4439
+LD220TA: 03f0:4349
+LM940: 03f0:5039
+
+Signed-off-by: Scott Chen
+Cc: stable
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/serial/pl2303.c | 5 +++++
+ drivers/usb/serial/pl2303.h | 5 +++++
+ 2 files changed, 10 insertions(+)
+
+--- a/drivers/usb/serial/pl2303.c
++++ b/drivers/usb/serial/pl2303.c
+@@ -84,9 +84,14 @@ static const struct usb_device_id id_tab
+ { USB_DEVICE(YCCABLE_VENDOR_ID, YCCABLE_PRODUCT_ID) },
+ { USB_DEVICE(SUPERIAL_VENDOR_ID, SUPERIAL_PRODUCT_ID) },
+ { USB_DEVICE(HP_VENDOR_ID, HP_LD220_PRODUCT_ID) },
++ { USB_DEVICE(HP_VENDOR_ID, HP_LD220TA_PRODUCT_ID) },
+ { USB_DEVICE(HP_VENDOR_ID, HP_LD960_PRODUCT_ID) },
++ { USB_DEVICE(HP_VENDOR_ID, HP_LD960TA_PRODUCT_ID) },
+ { USB_DEVICE(HP_VENDOR_ID, HP_LCM220_PRODUCT_ID) },
+ { USB_DEVICE(HP_VENDOR_ID, HP_LCM960_PRODUCT_ID) },
++ { USB_DEVICE(HP_VENDOR_ID, HP_LM920_PRODUCT_ID) },
++ { USB_DEVICE(HP_VENDOR_ID, HP_LM940_PRODUCT_ID) },
++ { USB_DEVICE(HP_VENDOR_ID, HP_TD620_PRODUCT_ID) },
+ { USB_DEVICE(CRESSI_VENDOR_ID, CRESSI_EDY_PRODUCT_ID) },
+ { USB_DEVICE(ZEAGLE_VENDOR_ID, ZEAGLE_N2ITION3_PRODUCT_ID) },
+ { USB_DEVICE(SONY_VENDOR_ID, SONY_QN3USB_PRODUCT_ID) },
+--- a/drivers/usb/serial/pl2303.h
++++ b/drivers/usb/serial/pl2303.h
+@@ -121,10 +121,15 @@
+
+ /* Hewlett-Packard POS Pole Displays */
+ #define HP_VENDOR_ID 0x03f0
++#define HP_LM920_PRODUCT_ID 0x026b
++#define HP_TD620_PRODUCT_ID 0x0956
+ #define HP_LD960_PRODUCT_ID 0x0b39
+ #define HP_LCM220_PRODUCT_ID 0x3139
+ #define HP_LCM960_PRODUCT_ID 0x3239
+ #define HP_LD220_PRODUCT_ID 0x3524
++#define HP_LD220TA_PRODUCT_ID 0x4349
++#define HP_LD960TA_PRODUCT_ID 0x4439
++#define HP_LM940_PRODUCT_ID 0x5039
+
+ /* Cressi Edy (diving computer) PC interface */
+ #define CRESSI_VENDOR_ID 0x04b8