From: Greg Kroah-Hartman Date: Tue, 8 May 2018 07:22:27 +0000 (+0200) Subject: 3.18-stable patches X-Git-Tag: v4.9.99~5 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=183fcf49f8bdac5f0bb796e061a6311cbf41853b;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18-stable patches added patches: usb-musb-host-fix-potential-null-pointer-dereference.patch usb-serial-visor-handle-potential-invalid-device-configuration.patch
---
diff --git a/queue-3.18/series b/queue-3.18/series
index c7e28fda092..ae24b37f0fc 100644
--- a/queue-3.18/series
+++ b/queue-3.18/series
@@ -7,3 +7,5 @@ alsa-aloop-mark-paused-device-as-inactive.patch
 alsa-aloop-add-missing-cable-lock-to-ctl-api-callbacks.patch
 rdma-mlx5-protect-from-shift-operand-overflow.patch
 net-usb-qmi_wwan-add-support-for-ublox-r410m-pid-0x90b2.patch
+usb-serial-visor-handle-potential-invalid-device-configuration.patch
+usb-musb-host-fix-potential-null-pointer-dereference.patch
diff --git a/queue-3.18/usb-musb-host-fix-potential-null-pointer-dereference.patch b/queue-3.18/usb-musb-host-fix-potential-null-pointer-dereference.patch
new file mode 100644
index 00000000000..1415d814cd3
--- /dev/null
+++ b/queue-3.18/usb-musb-host-fix-potential-null-pointer-dereference.patch
@@ -0,0 +1,38 @@
+From 2b63f1329df2cd814c1f8353fae4853ace6521d1 Mon Sep 17 00:00:00 2001
+From: Bin Liu
+Date: Mon, 30 Apr 2018 11:20:53 -0500
+Subject: usb: musb: host: fix potential NULL pointer dereference
+
+From: Bin Liu
+
+commit 2b63f1329df2cd814c1f8353fae4853ace6521d1 upstream.
+
+musb_start_urb() doesn't check the pass-in parameter if it is NULL. But
+in musb_bulk_nak_timeout() the parameter passed to musb_start_urb() is
+returned from first_qh(), which could be NULL.
+
+So wrap the musb_start_urb() call here with a if condition check to
+avoid the potential NULL pointer dereference.
+
+Fixes: f283862f3b5c ("usb: musb: NAK timeout scheme on bulk TX endpoint")
+Cc: stable@vger.kernel.org # v3.7+
+Signed-off-by: Bin Liu
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/musb/musb_host.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/musb/musb_host.c
++++ b/drivers/usb/musb/musb_host.c
+@@ -1002,7 +1002,9 @@ static void musb_bulk_nak_timeout(struct
+ /* set tx_reinit and schedule the next qh */
+ ep->tx_reinit = 1;
+ }
+- musb_start_urb(musb, is_in, next_qh);
++
++ if (next_qh)
++ musb_start_urb(musb, is_in, next_qh);
+ }
+ }
+
diff --git a/queue-3.18/usb-serial-visor-handle-potential-invalid-device-configuration.patch b/queue-3.18/usb-serial-visor-handle-potential-invalid-device-configuration.patch
new file mode 100644
index 00000000000..3861d581888
--- /dev/null
+++ b/queue-3.18/usb-serial-visor-handle-potential-invalid-device-configuration.patch
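Review bot: The new `if (next_qh)` guard in musb_bulk_nak_timeout() skips scheduling silently, and nothing in the hunk says when first_qh() yields NULL or what state the endpoint is left in on that path. A one-line comment above the guard would record it, for example `/* first_qh() returns NULL when no qh is queued; nothing to start */` (wording to be confirmed against first_qh(), which is not shown here). The commit message also notes that musb_start_urb() itself does not check its qh argument, so any other caller that passes a first_qh() result may deserve the same check; those callers are outside this hunk. The function body starts before the hunk.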
@@ -0,0 +1,115 @@
+From 4842ed5bfcb9daf6660537d70503c18d38dbdbb8 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman
+Date: Sun, 29 Apr 2018 17:41:55 +0200
+Subject: USB: serial: visor: handle potential invalid device configuration
+
+From: Greg Kroah-Hartman
+
+commit 4842ed5bfcb9daf6660537d70503c18d38dbdbb8 upstream.
+
+If we get an invalid device configuration from a palm 3 type device, we
+might incorrectly parse things, and we have the potential to crash in
+"interesting" ways.
+
+Fix this up by verifying the size of the configuration passed to us by
+the device, and only if it is correct, will we handle it.
+
+Note that this also fixes an information leak of slab data.
+
+Reported-by: Andrey Konovalov
+Reviewed-by: Andrey Konovalov
+Signed-off-by: Greg Kroah-Hartman
+[ johan: add comment about the info leak ]
+Cc: stable
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/serial/visor.c | 69 ++++++++++++++++++++++-----------------------
+ 1 file changed, 35 insertions(+), 34 deletions(-)
+
+--- a/drivers/usb/serial/visor.c
++++ b/drivers/usb/serial/visor.c
+@@ -338,47 +338,48 @@ static int palm_os_3_probe(struct usb_se
+ goto exit;
+ }
+
+- if (retval == sizeof(*connection_info)) {
+- connection_info = (struct visor_connection_info *)
+- transfer_buffer;
+-
+- num_ports = le16_to_cpu(connection_info->num_ports);
+- for (i = 0; i < num_ports; ++i) {
+- switch (
+- connection_info->connections[i].port_function_id) {
+- case VISOR_FUNCTION_GENERIC:
+- string = "Generic";
+- break;
+- case VISOR_FUNCTION_DEBUGGER:
+- string = "Debugger";
+- break;
+- case VISOR_FUNCTION_HOTSYNC:
+- string = "HotSync";
+- break;
+- case VISOR_FUNCTION_CONSOLE:
+- string = "Console";
+- break;
+- case VISOR_FUNCTION_REMOTE_FILE_SYS:
+- string = "Remote File System";
+- break;
+- default:
+- string = "unknown";
+- break;
+- }
+- dev_info(dev, "%s: port %d, is for %s use\n",
+- serial->type->description,
+- connection_info->connections[i].port, string);
+- }
++ if (retval != sizeof(*connection_info)) {
++ dev_err(dev, "Invalid connection information received from device\n");
++ retval = -ENODEV;
++ goto exit;
+ }
+- /*
+- * Handle devices that report invalid stuff here.
+- */
++
++ connection_info = (struct visor_connection_info *)transfer_buffer;
++
++ num_ports = le16_to_cpu(connection_info->num_ports);
++
++ /* Handle devices that report invalid stuff here. */
+ if (num_ports == 0 || num_ports > 2) {
+ dev_warn(dev, "%s: No valid connect info available\n",
+ serial->type->description);
+ num_ports = 2;
+ }
+
++ for (i = 0; i < num_ports; ++i) {
++ switch (connection_info->connections[i].port_function_id) {
++ case VISOR_FUNCTION_GENERIC:
++ string = "Generic";
++ break;
++ case VISOR_FUNCTION_DEBUGGER:
++ string = "Debugger";
++ break;
++ case VISOR_FUNCTION_HOTSYNC:
++ string = "HotSync";
++ break;
++ case VISOR_FUNCTION_CONSOLE:
++ string = "Console";
++ break;
++ case VISOR_FUNCTION_REMOTE_FILE_SYS:
++ string = "Remote File System";
++ break;
++ default:
++ string = "unknown";
++ break;
++ }
++ dev_info(dev, "%s: port %d, is for %s use\n",
++ serial->type->description,
++ connection_info->connections[i].port, string);
++ }
+ dev_info(dev, "%s: Number of ports: %d\n", serial->type->description,
+ num_ports);
+
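Review bot: The relocated loop indexes `connection_info->connections[i]` up to `num_ports`, and its only bound is the literal `2` in the `num_ports > 2` check just above it; the declared length of `connections` is not visible in this hunk, so the two can drift apart. Tying the check to the array, `if (num_ports == 0 || num_ports > ARRAY_SIZE(connection_info->connections)) {`, or a comment stating that `connections` holds two entries, would keep the over-read of the transfer buffer (the old loop ran on the device-supplied count before the range check) from coming back. The loop now also runs after the fallback `num_ports = 2`, so it logs two entries from a reply the preceding warning just called invalid; those bytes lie inside the size-checked buffer, but a comment saying this is intended would help the next reader. palm_os_3_probe() starts and ends outside the hunk.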