From: Sasha Levin Date: Fri, 1 Nov 2019 14:53:21 +0000 (-0400) Subject: fixes for 4.19 X-Git-Tag: v4.4.199~42 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=083508f95d542f9343c75c4a43fab025dfc68f34;p=thirdparty%2Fkernel%2Fstable-queue.git fixes for 4.19 Signed-off-by: Sasha Levin --- diff --git a/queue-4.19/ath6kl-fix-a-null-ptr-deref-bug-in-ath6kl_usb_alloc_.patch b/queue-4.19/ath6kl-fix-a-null-ptr-deref-bug-in-ath6kl_usb_alloc_.patch new file mode 100644 index 00000000000..e7dae6b3ea2 --- /dev/null +++ b/queue-4.19/ath6kl-fix-a-null-ptr-deref-bug-in-ath6kl_usb_alloc_.patch @@ -0,0 +1,77 @@ +From cca66abd4c43fd19cacead62ab25dfad1d64e8b4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 3 Aug 2019 20:29:04 -0400 +Subject: ath6kl: fix a NULL-ptr-deref bug in ath6kl_usb_alloc_urb_from_pipe() + +From: Hui Peng + +[ Upstream commit 39d170b3cb62ba98567f5c4f40c27b5864b304e5 ] + +The `ar_usb` field of `ath6kl_usb_pipe_usb_pipe` objects +are initialized to point to the containing `ath6kl_usb` object +according to endpoint descriptors read from the device side, as shown +below in `ath6kl_usb_setup_pipe_resources`: + +for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) { + endpoint = &iface_desc->endpoint[i].desc; + + // get the address from endpoint descriptor + pipe_num = ath6kl_usb_get_logical_pipe_num(ar_usb, + endpoint->bEndpointAddress, + &urbcount); + ...... + // select the pipe object + pipe = &ar_usb->pipes[pipe_num]; + + // initialize the ar_usb field + pipe->ar_usb = ar_usb; +} + +The driver assumes that the addresses reported in endpoint +descriptors from device side to be complete. If a device is +malicious and does not report complete addresses, it may trigger +NULL-ptr-deref `ath6kl_usb_alloc_urb_from_pipe` and +`ath6kl_usb_free_urb_to_pipe`. + +This patch fixes the bug by preventing potential NULL-ptr-deref +(CVE-2019-15098). + +Signed-off-by: Hui Peng +Reported-by: Hui Peng +Reported-by: Mathias Payer +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath6kl/usb.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/net/wireless/ath/ath6kl/usb.c b/drivers/net/wireless/ath/ath6kl/usb.c +index 4defb7a0330f4..53b66e9434c99 100644 +--- a/drivers/net/wireless/ath/ath6kl/usb.c ++++ b/drivers/net/wireless/ath/ath6kl/usb.c +@@ -132,6 +132,10 @@ ath6kl_usb_alloc_urb_from_pipe(struct ath6kl_usb_pipe *pipe) + struct ath6kl_urb_context *urb_context = NULL; + unsigned long flags; + ++ /* bail if this pipe is not initialized */ ++ if (!pipe->ar_usb) ++ return NULL; ++ + spin_lock_irqsave(&pipe->ar_usb->cs_lock, flags); + if (!list_empty(&pipe->urb_list_head)) { + urb_context = +@@ -150,6 +154,10 @@ static void ath6kl_usb_free_urb_to_pipe(struct ath6kl_usb_pipe *pipe, + { + unsigned long flags; + ++ /* bail if this pipe is not initialized */ ++ if (!pipe->ar_usb) ++ return; ++ + spin_lock_irqsave(&pipe->ar_usb->cs_lock, flags); + pipe->urb_cnt++; + +-- +2.20.1 + diff --git a/queue-4.19/series b/queue-4.19/series index 66dd4eb84d9..f1af2bfa398 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -103,3 +103,5 @@ alsa-hda-realtek-reduce-the-headphone-static-noise-o.patch iwlwifi-exclude-geo-sar-support-for-3168.patch nbd-verify-socket-is-supported-during-setup.patch usb-legousbtower-fix-a-signedness-bug-in-tower_probe.patch +thunderbolt-use-32-bit-writes-when-writing-ring-prod.patch +ath6kl-fix-a-null-ptr-deref-bug-in-ath6kl_usb_alloc_.patch diff --git a/queue-4.19/thunderbolt-use-32-bit-writes-when-writing-ring-prod.patch b/queue-4.19/thunderbolt-use-32-bit-writes-when-writing-ring-prod.patch new file mode 100644 index 00000000000..d1a260dfd1f --- /dev/null +++ b/queue-4.19/thunderbolt-use-32-bit-writes-when-writing-ring-prod.patch @@ -0,0 +1,73 @@ +From 617f3e09bd5f34c42824cb8aad09e96539c707dd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Jul 2018 08:46:07 +0300 +Subject: thunderbolt: Use 32-bit writes when writing ring producer/consumer + +From: Mika Westerberg + +[ Upstream commit 943795219d3cb9f8ce6ce51cad3ffe1f61e95c6b ] + +The register access should be using 32-bit reads/writes according to the +datasheet. With the previous generation hardware 16-bit writes have been +working but starting with ICL this is not the case anymore so fix +producer/consumer register update to use correct width register address. + +Signed-off-by: Mika Westerberg +Reviewed-by: Yehezkel Bernat +Tested-by: Mario Limonciello +Signed-off-by: Sasha Levin +--- + drivers/thunderbolt/nhi.c | 22 ++++++++++++++++++---- + 1 file changed, 18 insertions(+), 4 deletions(-) + +diff --git a/drivers/thunderbolt/nhi.c b/drivers/thunderbolt/nhi.c +index 5cd6bdfa068f9..d436a1534fc2b 100644 +--- a/drivers/thunderbolt/nhi.c ++++ b/drivers/thunderbolt/nhi.c +@@ -142,9 +142,20 @@ static void __iomem *ring_options_base(struct tb_ring *ring) + return io; + } + +-static void ring_iowrite16desc(struct tb_ring *ring, u32 value, u32 offset) ++static void ring_iowrite_cons(struct tb_ring *ring, u16 cons) + { +- iowrite16(value, ring_desc_base(ring) + offset); ++ /* ++ * The other 16-bits in the register is read-only and writes to it ++ * are ignored by the hardware so we can save one ioread32() by ++ * filling the read-only bits with zeroes. ++ */ ++ iowrite32(cons, ring_desc_base(ring) + 8); ++} ++ ++static void ring_iowrite_prod(struct tb_ring *ring, u16 prod) ++{ ++ /* See ring_iowrite_cons() above for explanation */ ++ iowrite32(prod << 16, ring_desc_base(ring) + 8); + } + + static void ring_iowrite32desc(struct tb_ring *ring, u32 value, u32 offset) +@@ -196,7 +207,10 @@ static void ring_write_descriptors(struct tb_ring *ring) + descriptor->sof = frame->sof; + } + ring->head = (ring->head + 1) % ring->size; +- ring_iowrite16desc(ring, ring->head, ring->is_tx ? 10 : 8); ++ if (ring->is_tx) ++ ring_iowrite_prod(ring, ring->head); ++ else ++ ring_iowrite_cons(ring, ring->head); + } + } + +@@ -660,7 +674,7 @@ void tb_ring_stop(struct tb_ring *ring) + + ring_iowrite32options(ring, 0, 0); + ring_iowrite64desc(ring, 0, 0); +- ring_iowrite16desc(ring, 0, ring->is_tx ? 10 : 8); ++ ring_iowrite32desc(ring, 0, 8); + ring_iowrite32desc(ring, 0, 12); + ring->head = 0; + ring->tail = 0; +-- +2.20.1 +