From: Sasha Levin Date: Wed, 7 Aug 2019 02:37:30 +0000 (-0400) Subject: fixes for 5.2 X-Git-Tag: v5.2.8~30 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=37fe2d5ac6b692346930b0837fac45b238ac7ecd;p=thirdparty%2Fkernel%2Fstable-queue.git fixes for 5.2 Signed-off-by: Sasha Levin
---
diff --git a/queue-5.2/alsa-usb-audio-fix-gpf-in-snd_usb_pipe_sanity_check.patch b/queue-5.2/alsa-usb-audio-fix-gpf-in-snd_usb_pipe_sanity_check.patch
new file mode 100644
index 00000000000..7881bca1eaf
--- /dev/null
+++ b/queue-5.2/alsa-usb-audio-fix-gpf-in-snd_usb_pipe_sanity_check.patch
@@ -0,0 +1,50 @@
+From bee7da131ff0f25d01375ebb62260221b9d99396 Mon Sep 17 00:00:00 2001
+From: Hillf Danton
+Date: Tue, 30 Jul 2019 17:24:36 +0800
+Subject: ALSA: usb-audio: Fix gpf in snd_usb_pipe_sanity_check
+
+[ Upstream commit 5d78e1c2b7f4be00bbe62141603a631dc7812f35 ]
+
+syzbot found the following crash on:
+
+ general protection fault: 0000 [#1] SMP KASAN
+ RIP: 0010:snd_usb_pipe_sanity_check+0x80/0x130 sound/usb/helper.c:75
+ Call Trace:
+ snd_usb_motu_microbookii_communicate.constprop.0+0xa0/0x2fb sound/usb/quirks.c:1007
+ snd_usb_motu_microbookii_boot_quirk sound/usb/quirks.c:1051 [inline]
+ snd_usb_apply_boot_quirk.cold+0x163/0x370 sound/usb/quirks.c:1280
+ usb_audio_probe+0x2ec/0x2010 sound/usb/card.c:576
+ usb_probe_interface+0x305/0x7a0 drivers/usb/core/driver.c:361
+ really_probe+0x281/0x650 drivers/base/dd.c:548
+ ....
+
+It was introduced in commit 801ebf1043ae for checking pipe and endpoint
+types. It is fixed by adding a check of the ep pointer in question.
+
+BugLink: https://syzkaller.appspot.com/bug?extid=d59c4387bfb6eced94e2
+Reported-by: syzbot
+Fixes: 801ebf1043ae ("ALSA: usb-audio: Sanity checks for each pipe and EP types")
+Cc: Andrey Konovalov
+Signed-off-by: Hillf Danton
+Signed-off-by: Takashi Iwai
+Signed-off-by: Sasha Levin
+---
+ sound/usb/helper.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/usb/helper.c b/sound/usb/helper.c
+index 71d5f540334a2..4c12cc5b53fda 100644
+--- a/sound/usb/helper.c
++++ b/sound/usb/helper.c
+@@ -72,7 +72,7 @@ int snd_usb_pipe_sanity_check(struct usb_device *dev, unsigned int pipe)
+ struct usb_host_endpoint *ep;
+
+ ep = usb_pipe_endpoint(dev, pipe);
+- if (usb_pipetype(pipe) != pipetypes[usb_endpoint_type(&ep->desc)])
++ if (!ep || usb_pipetype(pipe) != pipetypes[usb_endpoint_type(&ep->desc)])
+ return -EINVAL;
+ return 0;
+ }
+--
+2.20.1
+
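Review bot: The added `!ep` test in `snd_usb_pipe_sanity_check()` is the only guard in front of the `&ep->desc` dereference, and nothing at the site says why `ep` can be NULL. The Call Trace in the description reaches this function from `usb_audio_probe`, so `ep` presumably comes back NULL when the attached device's descriptors do not declare the endpoint the pipe names. A one-line comment above the condition would record that, e.g. `/* no such endpoint on this device: reject instead of dereferencing */`. Splitting the test into `if (!ep) return -EINVAL;` followed by the type comparison would also keep the short-circuit ordering from being lost in a later edit. The start of the function body is outside this hunk.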
diff --git a/queue-5.2/alsa-usb-audio-sanity-checks-for-each-pipe-and-ep-ty.patch b/queue-5.2/alsa-usb-audio-sanity-checks-for-each-pipe-and-ep-ty.patch
new file mode 100644
index 00000000000..19599a18c9d
--- /dev/null
+++ b/queue-5.2/alsa-usb-audio-sanity-checks-for-each-pipe-and-ep-ty.patch
@@ -0,0 +1,132 @@
+From 7d2713fe8d07dd16f4f4844a35cc94236c006a36 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Mon, 24 Jun 2019 15:08:28 +0200
+Subject: ALSA: usb-audio: Sanity checks for each pipe and EP types
+
+[ Upstream commit 801ebf1043ae7b182588554cc9b9ad3c14bc2ab5 ]
+
+The recent USB core code performs sanity checks for the given pipe and
+EP types, and it can be hit by manipulated USB descriptors by syzbot.
+For making syzbot happier, this patch introduces a local helper for a
+sanity check in the driver side and calls it at each place before the
+message handling, so that we can avoid the WARNING splats.
+
+Reported-by: syzbot+d952e5e28f5fb7718d23@syzkaller.appspotmail.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Sasha Levin
+---
+ sound/usb/helper.c | 17 +++++++++++++++++
+ sound/usb/helper.h | 1 +
+ sound/usb/quirks.c | 18 +++++++++++++++---
+ 3 files changed, 33 insertions(+), 3 deletions(-)
+
+diff --git a/sound/usb/helper.c b/sound/usb/helper.c
+index 84aa265dd802c..71d5f540334a2 100644
+--- a/sound/usb/helper.c
++++ b/sound/usb/helper.c
+@@ -63,6 +63,20 @@ void *snd_usb_find_csint_desc(void *buffer, int buflen, void *after, u8 dsubtype
+ return NULL;
+ }
+
++/* check the validity of pipe and EP types */
++int snd_usb_pipe_sanity_check(struct usb_device *dev, unsigned int pipe)
++{
++ static const int pipetypes[4] = {
++ PIPE_CONTROL, PIPE_ISOCHRONOUS, PIPE_BULK, PIPE_INTERRUPT
++ };
++ struct usb_host_endpoint *ep;
++
++ ep = usb_pipe_endpoint(dev, pipe);
++ if (usb_pipetype(pipe) != pipetypes[usb_endpoint_type(&ep->desc)])
++ return -EINVAL;
++ return 0;
++}
++
+ /*
+ * Wrapper for usb_control_msg().
+ * Allocates a temp buffer to prevent dmaing from/to the stack.
+@@ -75,6 +89,9 @@ int snd_usb_ctl_msg(struct usb_device *dev, unsigned int pipe, __u8 request,
+ void *buf = NULL;
+ int timeout;
+
++ if (snd_usb_pipe_sanity_check(dev, pipe))
++ return -EINVAL;
++
+ if (size > 0) {
+ buf = kmemdup(data, size, GFP_KERNEL);
+ if (!buf)
+diff --git a/sound/usb/helper.h b/sound/usb/helper.h
+index d338bd0e0ca60..6afb70156ec4f 100644
+--- a/sound/usb/helper.h
++++ b/sound/usb/helper.h
+@@ -7,6 +7,7 @@ unsigned int snd_usb_combine_bytes(unsigned char *bytes, int size);
+ void *snd_usb_find_desc(void *descstart, int desclen, void *after, u8 dtype);
+ void *snd_usb_find_csint_desc(void *descstart, int desclen, void *after, u8 dsubtype);
+
++int snd_usb_pipe_sanity_check(struct usb_device *dev, unsigned int pipe);
+ int snd_usb_ctl_msg(struct usb_device *dev, unsigned int pipe,
+ __u8 request, __u8 requesttype, __u16 value, __u16 index,
+ void *data, __u16 size);
+diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c
+index cf5cff10c08e8..78858918cbc10 100644
+--- a/sound/usb/quirks.c
++++ b/sound/usb/quirks.c
+@@ -828,11 +828,13 @@ static int snd_usb_novation_boot_quirk(struct usb_device *dev)
+ static int snd_usb_accessmusic_boot_quirk(struct usb_device *dev)
+ {
+ int err, actual_length;
+-
+ /* "midi send" enable */
+ static const u8 seq[] = { 0x4e, 0x73, 0x52, 0x01 };
++ void *buf;
+
+- void *buf = kmemdup(seq, ARRAY_SIZE(seq), GFP_KERNEL);
++ if (snd_usb_pipe_sanity_check(dev, usb_sndintpipe(dev, 0x05)))
++ return -EINVAL;
++ buf = kmemdup(seq, ARRAY_SIZE(seq), GFP_KERNEL);
+ if (!buf)
+ return -ENOMEM;
+ err = usb_interrupt_msg(dev, usb_sndintpipe(dev, 0x05), buf,
+@@ -857,7 +859,11 @@ static int snd_usb_accessmusic_boot_quirk(struct usb_device *dev)
+
+ static int snd_usb_nativeinstruments_boot_quirk(struct usb_device *dev)
+ {
+- int ret = usb_control_msg(dev, usb_sndctrlpipe(dev, 0),
++ int ret;
++
++ if (snd_usb_pipe_sanity_check(dev, usb_sndctrlpipe(dev, 0)))
++ return -EINVAL;
++ ret = usb_control_msg(dev, usb_sndctrlpipe(dev, 0),
+ 0xaf, USB_TYPE_VENDOR | USB_RECIP_DEVICE,
+ 1, 0, NULL, 0, 1000);
+
+@@ -964,6 +970,8 @@ static int snd_usb_axefx3_boot_quirk(struct usb_device *dev)
+
+ dev_dbg(&dev->dev, "Waiting for Axe-Fx III to boot up...\n");
+
++ if (snd_usb_pipe_sanity_check(dev, usb_sndctrlpipe(dev, 0)))
++ return -EINVAL;
+ /* If the Axe-Fx III has not fully booted, it will timeout when trying
+ * to enable the audio streaming interface. A more generous timeout is
+ * used here to detect when the Axe-Fx III has finished booting as the
+@@ -996,6 +1004,8 @@ static int snd_usb_motu_microbookii_communicate(struct usb_device *dev, u8 *buf,
+ {
+ int err, actual_length;
+
++ if (snd_usb_pipe_sanity_check(dev, usb_sndintpipe(dev, 0x01)))
++ return -EINVAL;
+ err = usb_interrupt_msg(dev, usb_sndintpipe(dev, 0x01), buf, *length,
+ &actual_length, 1000);
+ if (err < 0)
+@@ -1006,6 +1016,8 @@ static int snd_usb_motu_microbookii_communicate(struct usb_device *dev, u8 *buf,
+
+ memset(buf, 0, buf_size);
+
++ if (snd_usb_pipe_sanity_check(dev, usb_rcvintpipe(dev, 0x82)))
++ return -EINVAL;
+ err = usb_interrupt_msg(dev, usb_rcvintpipe(dev, 0x82), buf, buf_size,
+ &actual_length, 1000);
+ if (err < 0)
+--
+2.20.1
+
diff --git a/queue-5.2/series b/queue-5.2/series
index 42531faf243..a3d78cb77c8 100644
--- a/queue-5.2/series
+++ b/queue-5.2/series
@@ -1,3 +1,5 @@
 scsi-fcoe-embed-fc_rport_priv-in-fcoe_rport-structure.patch
 libnvdimm-bus-prepare-the-nd_ioctl-path-to-be-re-ent.patch
 libnvdimm-bus-fix-wait_nvdimm_bus_probe_idle-abba-de.patch
+alsa-usb-audio-sanity-checks-for-each-pipe-and-ep-ty.patch
+alsa-usb-audio-fix-gpf-in-snd_usb_pipe_sanity_check.patch
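Review bot: Each quirk call site builds the pipe twice, once for `snd_usb_pipe_sanity_check()` and once for the transfer (for example `usb_sndintpipe(dev, 0x05)` in `snd_usb_accessmusic_boot_quirk` and `usb_rcvintpipe(dev, 0x82)` in `snd_usb_motu_microbookii_communicate`), so a later change to one endpoint number would leave the check validating a different pipe than the one used. Holding the pipe in a local, `unsigned int pipe = usb_sndintpipe(dev, 0x05);`, and passing `pipe` to both calls ties them together. As added by this patch, the helper dereferences `ep` unconditionally; that is covered only by the follow-up entry queued after it in `series`, so the two patches have to stay together and in this order. The helper's one-line comment could also state the return contract, e.g. `/* returns 0 if the pipe type matches the endpoint's transfer type, -EINVAL otherwise */`. Several of the touched functions start or end outside their hunks.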