From: Greg Kroah-Hartman Date: Tue, 16 Jun 2020 12:12:59 +0000 (+0200) Subject: 4.14-stable patches X-Git-Tag: v5.4.47~21 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=059bb11f2fca2fc90d848952710ab3b0c445e224;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: can-kvaser_usb-kvaser_usb_leaf-fix-some-info-leaks-to-usb-devices.patch xen-pvcalls-back-test-for-errors-when-calling-backend_connect.patch
---
diff --git a/queue-4.14/can-kvaser_usb-kvaser_usb_leaf-fix-some-info-leaks-to-usb-devices.patch b/queue-4.14/can-kvaser_usb-kvaser_usb_leaf-fix-some-info-leaks-to-usb-devices.patch
new file mode 100644
index 00000000000..6297c768fe5
--- /dev/null
+++ b/queue-4.14/can-kvaser_usb-kvaser_usb_leaf-fix-some-info-leaks-to-usb-devices.patch
@@ -0,0 +1,54 @@
+From da2311a6385c3b499da2ed5d9be59ce331fa93e9 Mon Sep 17 00:00:00 2001
+From: Xiaolong Huang
+Date: Sat, 7 Dec 2019 22:40:24 +0800
+Subject: can: kvaser_usb: kvaser_usb_leaf: Fix some info-leaks to USB devices
+
+From: Xiaolong Huang
+
+commit da2311a6385c3b499da2ed5d9be59ce331fa93e9 upstream.
+
+Uninitialized Kernel memory can leak to USB devices.
+
+Fix this by using kzalloc() instead of kmalloc().
+
+Signed-off-by: Xiaolong Huang
+Fixes: 7259124eac7d ("can: kvaser_usb: Split driver into kvaser_usb_core.c and kvaser_usb_leaf.c")
+Cc: linux-stable # >= v4.19
+Signed-off-by: Marc Kleine-Budde
+[bwh: Backported to 4.9: adjust filename, context]
+Signed-off-by: Ben Hutchings
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/can/usb/kvaser_usb.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/can/usb/kvaser_usb.c
++++ b/drivers/net/can/usb/kvaser_usb.c
+@@ -791,7 +791,7 @@ static int kvaser_usb_simple_msg_async(s
+ if (!urb)
+ return -ENOMEM;
+
+- buf = kmalloc(sizeof(struct kvaser_msg), GFP_ATOMIC);
++ buf = kzalloc(sizeof(struct kvaser_msg), GFP_ATOMIC);
+ if (!buf) {
+ usb_free_urb(urb);
+ return -ENOMEM;
+@@ -1459,7 +1459,7 @@ static int kvaser_usb_set_opt_mode(const
+ struct kvaser_msg *msg;
+ int rc;
+
+- msg = kmalloc(sizeof(*msg), GFP_KERNEL);
++ msg = kzalloc(sizeof(*msg), GFP_KERNEL);
+ if (!msg)
+ return -ENOMEM;
+
+@@ -1592,7 +1592,7 @@ static int kvaser_usb_flush_queue(struct
+ struct kvaser_msg *msg;
+ int rc;
+
+- msg = kmalloc(sizeof(*msg), GFP_KERNEL);
++ msg = kzalloc(sizeof(*msg), GFP_KERNEL);
+ if (!msg)
+ return -ENOMEM;
+
diff --git a/queue-4.14/series b/queue-4.14/series
index 94125ced4aa..98fe350ed9e 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
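Review bot: The three converted allocations (`kvaser_usb_simple_msg_async`, `kvaser_usb_set_opt_mode`, `kvaser_usb_flush_queue`) carry no comment saying that the zeroing is what keeps uninitialised heap bytes from reaching the device, so a later cleanup could turn `kzalloc()` back into `kmalloc()` without noticing. A one-line comment above each call would pin the intent, e.g. `/* kzalloc: any byte of the message left unset would be sent to the device */`. All three function bodies continue outside the hunks, so whether other `kmalloc()`-backed message buffers in `kvaser_usb.c` are handed to the device cannot be judged from here and is worth checking against the 4.14 tree.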
@@ -70,3 +70,5 @@ perf-add-cond_resched-to-task_function_call.patch
 agp-intel-reinforce-the-barrier-after-gtt-updates.patch
 mmc-sdhci-msm-clear-tuning-done-flag-while-hs400-tuning.patch
 mmc-sdio-fix-potential-null-pointer-error-in-mmc_sdio_init_card.patch
+can-kvaser_usb-kvaser_usb_leaf-fix-some-info-leaks-to-usb-devices.patch
+xen-pvcalls-back-test-for-errors-when-calling-backend_connect.patch
diff --git a/queue-4.14/xen-pvcalls-back-test-for-errors-when-calling-backend_connect.patch b/queue-4.14/xen-pvcalls-back-test-for-errors-when-calling-backend_connect.patch
new file mode 100644
index 00000000000..8a889168b56
--- /dev/null
+++ b/queue-4.14/xen-pvcalls-back-test-for-errors-when-calling-backend_connect.patch
@@ -0,0 +1,36 @@
+From c8d70a29d6bbc956013f3401f92a4431a9385a3c Mon Sep 17 00:00:00 2001
+From: Juergen Gross
+Date: Mon, 11 May 2020 09:42:31 +0200
+Subject: xen/pvcalls-back: test for errors when calling backend_connect()
+
+From: Juergen Gross
+
+commit c8d70a29d6bbc956013f3401f92a4431a9385a3c upstream.
+
+backend_connect() can fail, so switch the device to connected only if
+no error occurred.
+
+Fixes: 0a9c75c2c7258f2 ("xen/pvcalls: xenbus state handling")
+Cc: stable@vger.kernel.org
+Signed-off-by: Juergen Gross
+Link: https://lore.kernel.org/r/20200511074231.19794-1-jgross@suse.com
+Reviewed-by: Stefano Stabellini
+Signed-off-by: Boris Ostrovsky
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/xen/pvcalls-back.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/xen/pvcalls-back.c
++++ b/drivers/xen/pvcalls-back.c
+@@ -1104,7 +1104,8 @@ static void set_backend_state(struct xen
+ case XenbusStateInitialised:
+ switch (state) {
+ case XenbusStateConnected:
+- backend_connect(dev);
++ if (backend_connect(dev))
++ return;
+ xenbus_switch_state(dev, XenbusStateConnected);
+ break;
+ case XenbusStateClosing:
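Review bot: In the `XenbusStateConnected` case the result of `backend_connect(dev)` is tested and then dropped, so on failure `set_backend_state()` returns with no trace at this call site of which error kept the device out of `XenbusStateConnected`. If `backend_connect()` does not report every failure itself (its body is not in the hunk), keep the code and log it before returning, for example `xenbus_dev_error(dev, err, "connecting backend");` with `err` holding the return value. A comment such as `/* connect failed: stay in Initialised, never advertise Connected */` would also document the intended state. `set_backend_state()` starts and ends outside the hunk.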