From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 22 May 2017 07:19:10 +0000 (+0200)
Subject: 4.9-stable patches
X-Git-Tag: v3.18.55~67
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=073a501df7d102cd137090aefdae2571ccf8d190;p=thirdparty%2Fkernel%2Fstable-queue.git

4.9-stable patches

added patches:
	usb-misc-legousbtower-fix-buffers-on-stack.patch
	usb-misc-legousbtower-fix-memory-leak.patch
---

diff --git a/queue-4.9/usb-misc-legousbtower-fix-buffers-on-stack.patch b/queue-4.9/usb-misc-legousbtower-fix-buffers-on-stack.patch
new file mode 100644
index 00000000000..d2ab86715e4
--- /dev/null
+++ b/queue-4.9/usb-misc-legousbtower-fix-buffers-on-stack.patch
@@ -0,0 +1,116 @@
+From 942a48730faf149ccbf3e12ac718aee120bb3529 Mon Sep 17 00:00:00 2001
+From: Maksim Salau <maksim.salau@gmail.com>
+Date: Tue, 25 Apr 2017 22:49:21 +0300
+Subject: usb: misc: legousbtower: Fix buffers on stack
+
+From: Maksim Salau <maksim.salau@gmail.com>
+
+commit 942a48730faf149ccbf3e12ac718aee120bb3529 upstream.
+
+Allocate buffers on HEAP instead of STACK for local structures
+that are to be received using usb_control_msg().
+
+Signed-off-by: Maksim Salau <maksim.salau@gmail.com>
+Tested-by: Alfredo Rafael Vicente Boix <alviboi@gmail.com>;
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/misc/legousbtower.c |   37 +++++++++++++++++++++++++++----------
+ 1 file changed, 27 insertions(+), 10 deletions(-)
+
+--- a/drivers/usb/misc/legousbtower.c
++++ b/drivers/usb/misc/legousbtower.c
+@@ -317,9 +317,16 @@ static int tower_open (struct inode *ino
+ 	int subminor;
+ 	int retval = 0;
+ 	struct usb_interface *interface;
+-	struct tower_reset_reply reset_reply;
++	struct tower_reset_reply *reset_reply;
+ 	int result;
+ 
++	reset_reply = kmalloc(sizeof(*reset_reply), GFP_KERNEL);
++
++	if (!reset_reply) {
++		retval = -ENOMEM;
++		goto exit;
++	}
++
+ 	nonseekable_open(inode, file);
+ 	subminor = iminor(inode);
+ 
+@@ -364,8 +371,8 @@ static int tower_open (struct inode *ino
+ 				  USB_TYPE_VENDOR | USB_DIR_IN | USB_RECIP_DEVICE,
+ 				  0,
+ 				  0,
+-				  &reset_reply,
+-				  sizeof(reset_reply),
++				  reset_reply,
++				  sizeof(*reset_reply),
+ 				  1000);
+ 	if (result < 0) {
+ 		dev_err(&dev->udev->dev,
+@@ -406,6 +413,7 @@ unlock_exit:
+ 	mutex_unlock(&dev->lock);
+ 
+ exit:
++	kfree(reset_reply);
+ 	return retval;
+ }
+ 
+@@ -808,7 +816,7 @@ static int tower_probe (struct usb_inter
+ 	struct lego_usb_tower *dev = NULL;
+ 	struct usb_host_interface *iface_desc;
+ 	struct usb_endpoint_descriptor* endpoint;
+-	struct tower_get_version_reply get_version_reply;
++	struct tower_get_version_reply *get_version_reply = NULL;
+ 	int i;
+ 	int retval = -ENOMEM;
+ 	int result;
+@@ -886,6 +894,13 @@ static int tower_probe (struct usb_inter
+ 	dev->interrupt_in_interval = interrupt_in_interval ? interrupt_in_interval : dev->interrupt_in_endpoint->bInterval;
+ 	dev->interrupt_out_interval = interrupt_out_interval ? interrupt_out_interval : dev->interrupt_out_endpoint->bInterval;
+ 
++	get_version_reply = kmalloc(sizeof(*get_version_reply), GFP_KERNEL);
++
++	if (!get_version_reply) {
++		retval = -ENOMEM;
++		goto error;
++	}
++
+ 	/* get the firmware version and log it */
+ 	result = usb_control_msg (udev,
+ 				  usb_rcvctrlpipe(udev, 0),
+@@ -893,18 +908,19 @@ static int tower_probe (struct usb_inter
+ 				  USB_TYPE_VENDOR | USB_DIR_IN | USB_RECIP_DEVICE,
+ 				  0,
+ 				  0,
+-				  &get_version_reply,
+-				  sizeof(get_version_reply),
++				  get_version_reply,
++				  sizeof(*get_version_reply),
+ 				  1000);
+ 	if (result < 0) {
+ 		dev_err(idev, "LEGO USB Tower get version control request failed\n");
+ 		retval = result;
+ 		goto error;
+ 	}
+-	dev_info(&interface->dev, "LEGO USB Tower firmware version is %d.%d "
+-		 "build %d\n", get_version_reply.major,
+-		 get_version_reply.minor,
+-		 le16_to_cpu(get_version_reply.build_no));
++	dev_info(&interface->dev,
++		 "LEGO USB Tower firmware version is %d.%d build %d\n",
++		 get_version_reply->major,
++		 get_version_reply->minor,
++		 le16_to_cpu(get_version_reply->build_no));
+ 
+ 	/* we can register the device now, as it is ready */
+ 	usb_set_intfdata (interface, dev);
+@@ -928,6 +944,7 @@ exit:
+ 	return retval;
+ 
+ error:
++	kfree(get_version_reply);
+ 	tower_delete(dev);
+ 	return retval;
+ }
diff --git a/queue-4.9/usb-misc-legousbtower-fix-memory-leak.patch b/queue-4.9/usb-misc-legousbtower-fix-memory-leak.patch
new file mode 100644
index 00000000000..bfa790ea91b
--- /dev/null
+++ b/queue-4.9/usb-misc-legousbtower-fix-memory-leak.patch
@@ -0,0 +1,30 @@
+From 0bd193d62b4270a2a7a09da43ad1034c7ca5b3d3 Mon Sep 17 00:00:00 2001
+From: Maksim Salau <maksim.salau@gmail.com>
+Date: Sat, 13 May 2017 23:49:26 +0300
+Subject: usb: misc: legousbtower: Fix memory leak
+
+From: Maksim Salau <maksim.salau@gmail.com>
+
+commit 0bd193d62b4270a2a7a09da43ad1034c7ca5b3d3 upstream.
+
+get_version_reply is not freed if function returns with success.
+
+Fixes: 942a48730faf ("usb: misc: legousbtower: Fix buffers on stack")
+Reported-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Signed-off-by: Maksim Salau <maksim.salau@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/misc/legousbtower.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/misc/legousbtower.c
++++ b/drivers/usb/misc/legousbtower.c
+@@ -941,6 +941,7 @@ static int tower_probe (struct usb_inter
+ 		 USB_MAJOR, dev->minor);
+ 
+ exit:
++	kfree(get_version_reply);
+ 	return retval;
+ 
+ error: