From: Greg Kroah-Hartman
Date: Mon, 9 Jan 2017 09:32:59 +0000 (+0100)
Subject: 4.4-stable patches
X-Git-Tag: v4.4.42~25
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=43dbed9983691b35ac9300eca11a75f90d43f343;p=thirdparty%2Fkernel%2Fstable-queue.git

4.4-stable patches

added patches:
kvm-mips-flush-kvm-entry-code-from-icache-globally.patch
kvm-x86-reset-mmu-on-kvm_set_vcpu_events.patch
usb-dummy-hcd-fix-bug-in-stop_activity-handle-ep0.patch
usb-dwc3-core-avoid-overflow-events.patch
usb-fix-problems-with-duplicate-endpoint-addresses.patch
usb-gadget-composite-test-get_alt-presence-instead-of-set_alt.patch
usb-gadgetfs-fix-checks-of-wtotallength-in-config-descriptors.patch
usb-gadgetfs-fix-unbounded-memory-allocation-bug.patch
usb-gadgetfs-fix-use-after-free-bug.patch
usb-gadgetfs-restrict-upper-bound-on-device-configuration-size.patch
usb-musb-core-add-clear_ep_rxintr-to-musb_platform_ops.patch
usb-musb-dsps-implement-clear_ep_rxintr-callback.patch
usb-storage-unusual_uas-add-jmicron-jms56x-to-unusual-device.patch
usb-xhci-fix-possible-wild-pointer.patch
---
diff --git a/queue-4.4/kvm-mips-flush-kvm-entry-code-from-icache-globally.patch b/queue-4.4/kvm-mips-flush-kvm-entry-code-from-icache-globally.patch
new file mode 100644
index 00000000000..be5fa27b70b
--- /dev/null
+++ b/queue-4.4/kvm-mips-flush-kvm-entry-code-from-icache-globally.patch
@@ -0,0 +1,41 @@
+From 32eb12a6c11034867401d56b012e3c15d5f8141e Mon Sep 17 00:00:00 2001
+From: James Hogan
+Date: Tue, 3 Jan 2017 17:43:01 +0000
+Subject: KVM: MIPS: Flush KVM entry code from icache globally
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: James Hogan
+
+commit 32eb12a6c11034867401d56b012e3c15d5f8141e upstream.
+
+Flush the KVM entry code from the icache on all CPUs, not just the one
+that built the entry code.
+
+Signed-off-by: James Hogan
+Cc: Paolo Bonzini
+Cc: "Radim Krčmář"
+Cc: Ralf Baechle
+Cc: linux-mips@linux-mips.org
+Cc: kvm@vger.kernel.org
+Signed-off-by: Radim Krčmář
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/mips/kvm/mips.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/mips/kvm/mips.c
++++ b/arch/mips/kvm/mips.c
+@@ -324,8 +324,8 @@ struct kvm_vcpu *kvm_arch_vcpu_create(st
+ #endif
+
+ /* Invalidate the icache for these ranges */
+- local_flush_icache_range((unsigned long)gebase,
+- (unsigned long)gebase + ALIGN(size, PAGE_SIZE));
++ flush_icache_range((unsigned long)gebase,
++ (unsigned long)gebase + ALIGN(size, PAGE_SIZE));
+
+ /*
+ * Allocate comm page for guest kernel, a TLB will be reserved for
diff --git a/queue-4.4/kvm-x86-reset-mmu-on-kvm_set_vcpu_events.patch b/queue-4.4/kvm-x86-reset-mmu-on-kvm_set_vcpu_events.patch
new file mode 100644
index 00000000000..f553d024e27
--- /dev/null
+++ b/queue-4.4/kvm-x86-reset-mmu-on-kvm_set_vcpu_events.patch
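Review bot: The comment above the replaced call still reads `/* Invalidate the icache for these ranges */` and does not record why the flush must now reach every CPU, which is the whole point of the change; a later reader could well "optimise" it back to `local_flush_icache_range()`. Suggest `/* Invalidate the icache for these ranges on all CPUs: the vcpu may be scheduled on a CPU other than the one that built the entry code */`. kvm_arch_vcpu_create() begins and ends outside the hunk.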
@@ -0,0 +1,47 @@
+From 6ef4e07ecd2db21025c446327ecf34414366498b Mon Sep 17 00:00:00 2001
+From: Xiao Guangrong
+Date: Sat, 24 Dec 2016 10:00:42 +0100
+Subject: KVM: x86: reset MMU on KVM_SET_VCPU_EVENTS
+
+From: Xiao Guangrong
+
+commit 6ef4e07ecd2db21025c446327ecf34414366498b upstream.
+
+Otherwise, mismatch between the smm bit in hflags and the MMU role
+can cause a NULL pointer dereference.
+
+Signed-off-by: Xiao Guangrong
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kvm/x86.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -2949,6 +2949,8 @@ static void kvm_vcpu_ioctl_x86_get_vcpu_
+ memset(&events->reserved, 0, sizeof(events->reserved));
+ }
+
++static void kvm_set_hflags(struct kvm_vcpu *vcpu, unsigned emul_flags);
++
+ static int kvm_vcpu_ioctl_x86_set_vcpu_events(struct kvm_vcpu *vcpu,
+ struct kvm_vcpu_events *events)
+ {
+@@ -2981,10 +2983,13 @@ static int kvm_vcpu_ioctl_x86_set_vcpu_e
+ vcpu->arch.apic->sipi_vector = events->sipi_vector;
+
+ if (events->flags & KVM_VCPUEVENT_VALID_SMM) {
++ u32 hflags = vcpu->arch.hflags;
+ if (events->smi.smm)
+- vcpu->arch.hflags |= HF_SMM_MASK;
++ hflags |= HF_SMM_MASK;
+ else
+- vcpu->arch.hflags &= ~HF_SMM_MASK;
++ hflags &= ~HF_SMM_MASK;
++ kvm_set_hflags(vcpu, hflags);
++
+ vcpu->arch.smi_pending = events->smi.pending;
+ if (events->smi.smm_inside_nmi)
+ vcpu->arch.hflags |= HF_SMM_INSIDE_NMI_MASK;
diff --git a/queue-4.4/series b/queue-4.4/series
index 37211ad4a8d..cf4c1a6b359 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
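Review bot: Right after the new `kvm_set_hflags(vcpu, hflags)` call, the last line of the hunk goes back to writing `vcpu->arch.hflags` directly for `HF_SMM_INSIDE_NMI_MASK`, so the function now mixes two update paths for the same field; if kvm_set_hflags() (whose body is not visible here) compares old and new flags to decide whether to reset the MMU, folding that update into the local `hflags` before a single call keeps the decision in one place. Concretely, let the `if (events->smi.smm_inside_nmi)` branch and its `else` (outside the hunk) set or clear the bit in `hflags`, then call `kvm_set_hflags(vcpu, hflags);` once after them. The forward declaration of a `static` function added at the top of the first hunk also suggests the definition belongs above this function rather than being prototyped mid-file. kvm_vcpu_ioctl_x86_set_vcpu_events() continues past the end of the hunk.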
@@ -3,3 +3,17 @@ alsa-hda-apply-asus-mode8-fixup-to-asus-x71sl.patch
 alsa-usb-audio-fix-irq-process-data-synchronization.patch
 arm-davinci-da850-don-t-add-emac-clock-to-lookup-table-twice.patch
 mac80211-initialize-fast-xmit-info-later.patch
+kvm-x86-reset-mmu-on-kvm_set_vcpu_events.patch
+kvm-mips-flush-kvm-entry-code-from-icache-globally.patch
+usb-musb-core-add-clear_ep_rxintr-to-musb_platform_ops.patch
+usb-musb-dsps-implement-clear_ep_rxintr-callback.patch
+usb-storage-unusual_uas-add-jmicron-jms56x-to-unusual-device.patch
+usb-gadgetfs-restrict-upper-bound-on-device-configuration-size.patch
+usb-gadgetfs-fix-unbounded-memory-allocation-bug.patch
+usb-gadgetfs-fix-use-after-free-bug.patch
+usb-gadgetfs-fix-checks-of-wtotallength-in-config-descriptors.patch
+usb-fix-problems-with-duplicate-endpoint-addresses.patch
+usb-dummy-hcd-fix-bug-in-stop_activity-handle-ep0.patch
+usb-gadget-composite-test-get_alt-presence-instead-of-set_alt.patch
+usb-dwc3-core-avoid-overflow-events.patch
+usb-xhci-fix-possible-wild-pointer.patch
diff --git a/queue-4.4/usb-dummy-hcd-fix-bug-in-stop_activity-handle-ep0.patch b/queue-4.4/usb-dummy-hcd-fix-bug-in-stop_activity-handle-ep0.patch
new file mode 100644
index 00000000000..555903ddfa6
--- /dev/null
+++ b/queue-4.4/usb-dummy-hcd-fix-bug-in-stop_activity-handle-ep0.patch
@@ -0,0 +1,67 @@
+From bcdbeb844773333d2d1c08004f3b3e25921040e5 Mon Sep 17 00:00:00 2001
+From: Alan Stern
+Date: Wed, 14 Dec 2016 14:55:56 -0500
+Subject: USB: dummy-hcd: fix bug in stop_activity (handle ep0)
+
+From: Alan Stern
+
+commit bcdbeb844773333d2d1c08004f3b3e25921040e5 upstream.
+
+The stop_activity() routine in dummy-hcd is supposed to unlink all
+active requests for every endpoint, among other things. But it
+doesn't handle ep0. As a result, fuzz testing can generate a WARNING
+like the following:
+
+WARNING: CPU: 0 PID: 4410 at drivers/usb/gadget/udc/dummy_hcd.c:672 dummy_free_request+0x153/0x170
+Modules linked in:
+CPU: 0 PID: 4410 Comm: syz-executor Not tainted 4.9.0-rc7+ #32
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
+ ffff88006a64ed10 ffffffff81f96b8a ffffffff41b58ab3 1ffff1000d4c9d35
+ ffffed000d4c9d2d ffff880065f8ac00 0000000041b58ab3 ffffffff8598b510
+ ffffffff81f968f8 0000000041b58ab3 ffffffff859410e0 ffffffff813f0590
+Call Trace:
+ [< inline >] __dump_stack lib/dump_stack.c:15
+ [] dump_stack+0x292/0x398 lib/dump_stack.c:51
+ [] __warn+0x19f/0x1e0 kernel/panic.c:550
+ [] warn_slowpath_null+0x2c/0x40 kernel/panic.c:585
+ [] dummy_free_request+0x153/0x170 drivers/usb/gadget/udc/dummy_hcd.c:672
+ [] usb_ep_free_request+0xc0/0x420 drivers/usb/gadget/udc/core.c:195
+ [] gadgetfs_unbind+0x131/0x190 drivers/usb/gadget/legacy/inode.c:1612
+ [] usb_gadget_remove_driver+0x10f/0x2b0 drivers/usb/gadget/udc/core.c:1228
+ [] usb_gadget_unregister_driver+0x154/0x240 drivers/usb/gadget/udc/core.c:1357
+
+This patch fixes the problem by iterating over all the endpoints in
+the driver's ep array instead of iterating over the gadget's ep_list,
+which explicitly leaves out ep0.
+
+Signed-off-by: Alan Stern
+Reported-by: Andrey Konovalov
+Signed-off-by: Felipe Balbi
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/gadget/udc/dummy_hcd.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/gadget/udc/dummy_hcd.c
++++ b/drivers/usb/gadget/udc/dummy_hcd.c
+@@ -330,7 +330,7 @@ static void nuke(struct dummy *dum, stru
+ /* caller must hold lock */
+ static void stop_activity(struct dummy *dum)
+ {
+- struct dummy_ep *ep;
++ int i;
+
+ /* prevent any more requests */
+ dum->address = 0;
+@@ -338,8 +338,8 @@ static void stop_activity(struct dummy *
+ /* The timer is left running so that outstanding URBs can fail */
+
+ /* nuke any pending requests first, so driver i/o is quiesced */
+- list_for_each_entry(ep, &dum->gadget.ep_list, ep.ep_list)
+- nuke(dum, ep);
++ for (i = 0; i < DUMMY_ENDPOINTS; ++i)
++ nuke(dum, &dum->ep[i]);
+
+ /* driver now does any non-usb quiescing necessary */
+ }
diff --git a/queue-4.4/usb-dwc3-core-avoid-overflow-events.patch b/queue-4.4/usb-dwc3-core-avoid-overflow-events.patch
new file mode 100644
index 00000000000..519f85e26d6
--- /dev/null
+++ b/queue-4.4/usb-dwc3-core-avoid-overflow-events.patch
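Review bot: The new loop `for (i = 0; i < DUMMY_ENDPOINTS; ++i) nuke(dum, &dum->ep[i]);` fixes the ep0 omission, but nothing in the code says why the array is walked instead of `gadget.ep_list`, so a future cleanup could revert it; the existing comment should carry the reason: `/* nuke any pending requests first, so driver i/o is quiesced; walk dum->ep[] rather than gadget.ep_list because the list omits ep0 */`. The loop also assumes every slot of `dum->ep[]` is initialised whenever stop_activity() runs, which is presumably guaranteed by the driver's init path but is not visible here. One line of stop_activity() between the two hunks is not shown.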
@@ -0,0 +1,37 @@
+From e71d363d9c611c99fb78f53bfee99616e7fe352c Mon Sep 17 00:00:00 2001
+From: Felipe Balbi
+Date: Fri, 23 Dec 2016 14:40:40 +0200
+Subject: usb: dwc3: core: avoid Overflow events
+
+From: Felipe Balbi
+
+commit e71d363d9c611c99fb78f53bfee99616e7fe352c upstream.
+
+Now that we're handling so many transfers at a time
+and for some dwc3 revisions LPM events *must* be
+enabled, we can fall into a situation where too many
+events fire and we start receiving Overflow events.
+
+Let's do what XHCI does and allocate a full page for
+the Event Ring, this will avoid any future issues.
+
+Signed-off-by: Felipe Balbi
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/dwc3/core.h | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/usb/dwc3/core.h
++++ b/drivers/usb/dwc3/core.h
+@@ -42,9 +42,7 @@
+ #define DWC3_XHCI_RESOURCES_NUM 2
+
+ #define DWC3_SCRATCHBUF_SIZE 4096 /* each buffer is assumed to be 4KiB */
+-#define DWC3_EVENT_SIZE 4 /* bytes */
+-#define DWC3_EVENT_MAX_NUM 64 /* 2 events/endpoint */
+-#define DWC3_EVENT_BUFFERS_SIZE (DWC3_EVENT_SIZE * DWC3_EVENT_MAX_NUM)
++#define DWC3_EVENT_BUFFERS_SIZE 4096
+ #define DWC3_EVENT_TYPE_MASK 0xfe
+
+ #define DWC3_EVENT_TYPE_DEV 0
diff --git a/queue-4.4/usb-fix-problems-with-duplicate-endpoint-addresses.patch b/queue-4.4/usb-fix-problems-with-duplicate-endpoint-addresses.patch
new file mode 100644
index 00000000000..b2d59614a82
--- /dev/null
+++ b/queue-4.4/usb-fix-problems-with-duplicate-endpoint-addresses.patch
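Review bot: The new `#define DWC3_EVENT_BUFFERS_SIZE 4096` drops the unit and sizing rationale the removed lines carried (`/* bytes */`, `/* 2 events/endpoint */`), and the commit message's "allocate a full page" is not what the constant expresses on a configuration whose page is not 4KiB. Suggest `#define DWC3_EVENT_BUFFERS_SIZE 4096 /* bytes: one 4KiB event ring, as xHCI does */`, or keep a 4-byte event-size constant and express the ring as a multiple of it so the event count (1024 with the removed DWC3_EVENT_SIZE) stays visible. Whether the ring allocation elsewhere sizes itself from this constant or from PAGE_SIZE is not visible in the hunk.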
@@ -0,0 +1,76 @@
+From 0a8fd1346254974c3a852338508e4a4cddbb35f1 Mon Sep 17 00:00:00 2001
+From: Alan Stern
+Date: Mon, 19 Dec 2016 12:03:41 -0500
+Subject: USB: fix problems with duplicate endpoint addresses
+
+From: Alan Stern
+
+commit 0a8fd1346254974c3a852338508e4a4cddbb35f1 upstream.
+
+When checking a new device's descriptors, the USB core does not check
+for duplicate endpoint addresses. This can cause a problem when the
+sysfs files for those endpoints are created; trying to create multiple
+files with the same name will provoke a WARNING:
+
+WARNING: CPU: 2 PID: 865 at fs/sysfs/dir.c:31 sysfs_warn_dup+0x8a/0xa0
+sysfs: cannot create duplicate filename
+'/devices/platform/dummy_hcd.0/usb2/2-1/2-1:64.0/ep_05'
+Kernel panic - not syncing: panic_on_warn set ...
+
+CPU: 2 PID: 865 Comm: kworker/2:1 Not tainted 4.9.0-rc7+ #34
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
+Workqueue: usb_hub_wq hub_event
+ ffff88006bee64c8 ffffffff81f96b8a ffffffff00000001 1ffff1000d7dcc2c
+ ffffed000d7dcc24 0000000000000001 0000000041b58ab3 ffffffff8598b510
+ ffffffff81f968f8 ffffffff850fee20 ffffffff85cff020 dffffc0000000000
+Call Trace:
+ [< inline >] __dump_stack lib/dump_stack.c:15
+ [] dump_stack+0x292/0x398 lib/dump_stack.c:51
+ [] panic+0x1cb/0x3a9 kernel/panic.c:179
+ [] __warn+0x1c4/0x1e0 kernel/panic.c:542
+ [] warn_slowpath_fmt+0xc5/0x110 kernel/panic.c:565
+ [] sysfs_warn_dup+0x8a/0xa0 fs/sysfs/dir.c:30
+ [] sysfs_create_dir_ns+0x178/0x1d0 fs/sysfs/dir.c:59
+ [< inline >] create_dir lib/kobject.c:71
+ [] kobject_add_internal+0x227/0xa60 lib/kobject.c:229
+ [< inline >] kobject_add_varg lib/kobject.c:366
+ [] kobject_add+0x139/0x220 lib/kobject.c:411
+ [] device_add+0x353/0x1660 drivers/base/core.c:1088
+ [] device_register+0x1d/0x20 drivers/base/core.c:1206
+ [] usb_create_ep_devs+0x163/0x260 drivers/usb/core/endpoint.c:195
+ [] create_intf_ep_devs+0x13b/0x200 drivers/usb/core/message.c:1030
+ [] usb_set_configuration+0x1083/0x18d0 drivers/usb/core/message.c:1937
+ [] generic_probe+0x6e/0xe0 drivers/usb/core/generic.c:172
+ [] usb_probe_device+0xaa/0xe0 drivers/usb/core/driver.c:263
+
+This patch prevents the problem by checking for duplicate endpoint
+addresses during enumeration and skipping any duplicates.
+
+Signed-off-by: Alan Stern
+Reported-by: Andrey Konovalov
+Tested-by: Andrey Konovalov
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/core/config.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/usb/core/config.c
++++ b/drivers/usb/core/config.c
+@@ -205,6 +205,16 @@ static int usb_parse_endpoint(struct dev
+ if (ifp->desc.bNumEndpoints >= num_ep)
+ goto skip_to_next_endpoint_or_interface_descriptor;
+
++ /* Check for duplicate endpoint addresses */
++ for (i = 0; i < ifp->desc.bNumEndpoints; ++i) {
++ if (ifp->endpoint[i].desc.bEndpointAddress ==
++ d->bEndpointAddress) {
++ dev_warn(ddev, "config %d interface %d altsetting %d has a duplicate endpoint with address 0x%X, skipping\n",
++ cfgno, inum, asnum, d->bEndpointAddress);
++ goto skip_to_next_endpoint_or_interface_descriptor;
++ }
++ }
++
+ endpoint = &ifp->endpoint[ifp->desc.bNumEndpoints];
+ ++ifp->desc.bNumEndpoints;
+
diff --git a/queue-4.4/usb-gadget-composite-test-get_alt-presence-instead-of-set_alt.patch b/queue-4.4/usb-gadget-composite-test-get_alt-presence-instead-of-set_alt.patch
new file mode 100644
index 00000000000..6cba8deed26
--- /dev/null
+++ b/queue-4.4/usb-gadget-composite-test-get_alt-presence-instead-of-set_alt.patch
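Review bot: The duplicate check compares `ifp->endpoint[i].desc.bEndpointAddress` with `d->bEndpointAddress`, but the `/* Check for duplicate endpoint addresses */` comment does not say what breaks on a duplicate, and nothing else in the hunk does either; since the reason is the sysfs name shown in the trace (`ep_05`), suggest `/* Check for duplicate endpoint addresses: the sysfs ep_XX name is derived from bEndpointAddress, so a second endpoint with the same address would fail to register (sysfs_warn_dup) */`. The loop variable `i` is not declared in the hunk, so it presumably reuses an existing local of usb_parse_endpoint(), which starts and ends outside the hunk. `d->bEndpointAddress` comes straight from the device's descriptor, so rejecting the duplicate here, before the endpoint is accepted into `ifp->endpoint[]`, is the right place for the validation.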
@@ -0,0 +1,61 @@
+From 7e4da3fcf7c9fe042f2f7cb7bf23861a899b4a8f Mon Sep 17 00:00:00 2001
+From: Krzysztof Opasiak
+Date: Tue, 20 Dec 2016 19:52:16 +0100
+Subject: usb: gadget: composite: Test get_alt() presence instead of set_alt()
+
+From: Krzysztof Opasiak
+
+commit 7e4da3fcf7c9fe042f2f7cb7bf23861a899b4a8f upstream.
+
+By convention (according to doc) if function does not provide
+get_alt() callback composite framework should assume that it has only
+altsetting 0 and should respond with error if host tries to set
+other one.
+
+After commit dd4dff8b035f ("USB: composite: Fix bug: should test
+set_alt function pointer before use it")
+we started checking set_alt() callback instead of get_alt().
+This check is useless as we check if set_alt() is set inside
+usb_add_function() and fail if it's NULL.
+
+Let's fix this check and move comment about why we check the get
+method instead of set a little bit closer to prevent future false
+fixes.
+
+Fixes: dd4dff8b035f ("USB: composite: Fix bug: should test set_alt function pointer before use it")
+Signed-off-by: Krzysztof Opasiak
+Signed-off-by: Felipe Balbi
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/gadget/composite.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/gadget/composite.c
++++ b/drivers/usb/gadget/composite.c
+@@ -1601,9 +1601,7 @@ composite_setup(struct usb_gadget *gadge
+ value = min(w_length, (u16) 1);
+ break;
+
+- /* function drivers must handle get/set altsetting; if there's
+- * no get() method, we know only altsetting zero works.
+- */
++ /* function drivers must handle get/set altsetting */
+ case USB_REQ_SET_INTERFACE:
+ if (ctrl->bRequestType != USB_RECIP_INTERFACE)
+ goto unknown;
+@@ -1612,7 +1610,13 @@ composite_setup(struct usb_gadget *gadge
+ f = cdev->config->interface[intf];
+ if (!f)
+ break;
+- if (w_value && !f->set_alt)
++
++ /*
++ * If there's no get_alt() method, we know only altsetting zero
++ * works. There is no need to check if set_alt() is not NULL
++ * as we check this in usb_add_function().
++ */
++ if (w_value && !f->get_alt)
+ break;
+ value = f->set_alt(f, w_index, w_value);
+ if (value == USB_GADGET_DELAYED_STATUS) {
diff --git a/queue-4.4/usb-gadgetfs-fix-checks-of-wtotallength-in-config-descriptors.patch b/queue-4.4/usb-gadgetfs-fix-checks-of-wtotallength-in-config-descriptors.patch
new file mode 100644
index 00000000000..eb94a0e3b3b
--- /dev/null
+++ b/queue-4.4/usb-gadgetfs-fix-checks-of-wtotallength-in-config-descriptors.patch
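Review bot: The relocated comment is now the only justification for calling `f->set_alt(f, w_index, w_value)` without a NULL check, and it relies on a guarantee made in usb_add_function(), outside this file section; if that guarantee is ever relaxed the unconditional call dereferences NULL, so the comment should name the exact check it depends on, e.g. `* as usb_add_function() rejects a function whose set_alt is NULL.`. What `value` holds when the new `if (w_value && !f->get_alt) break;` fires is assigned before the switch and is not visible in the hunk, so the host-visible result of that path (presumably a stall) should be confirmed. composite_setup() starts and ends outside the hunk.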
@@ -0,0 +1,67 @@
+From 1c069b057dcf64fada952eaa868d35f02bb0cfc2 Mon Sep 17 00:00:00 2001
+From: Alan Stern
+Date: Fri, 9 Dec 2016 15:24:24 -0500
+Subject: USB: gadgetfs: fix checks of wTotalLength in config descriptors
+
+From: Alan Stern
+
+commit 1c069b057dcf64fada952eaa868d35f02bb0cfc2 upstream.
+
+Andrey Konovalov's fuzz testing of gadgetfs showed that we should
+improve the driver's checks for valid configuration descriptors passed
+in by the user. In particular, the driver needs to verify that the
+wTotalLength value in the descriptor is not too short (smaller
+than USB_DT_CONFIG_SIZE). And the check for whether wTotalLength is
+too large has to be changed, because the driver assumes there is
+always enough room remaining in the buffer to hold a device descriptor
+(at least USB_DT_DEVICE_SIZE bytes).
+
+This patch adds the additional check and fixes the existing check. It
+may do a little more than strictly necessary, but one extra check
+won't hurt.
+
+Signed-off-by: Alan Stern
+CC: Andrey Konovalov
+Signed-off-by: Felipe Balbi
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/gadget/legacy/inode.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/gadget/legacy/inode.c
++++ b/drivers/usb/gadget/legacy/inode.c
+@@ -1755,10 +1755,12 @@ static struct usb_gadget_driver probe_dr
+ * such as configuration notifications.
+ */
+
+-static int is_valid_config (struct usb_config_descriptor *config)
++static int is_valid_config(struct usb_config_descriptor *config,
++ unsigned int total)
+ {
+ return config->bDescriptorType == USB_DT_CONFIG
+ && config->bLength == USB_DT_CONFIG_SIZE
++ && total >= USB_DT_CONFIG_SIZE
+ && config->bConfigurationValue != 0
+ && (config->bmAttributes & USB_CONFIG_ATT_ONE) != 0
+ && (config->bmAttributes & USB_CONFIG_ATT_WAKEUP) == 0;
+@@ -1808,7 +1810,8 @@ dev_config (struct file *fd, const char
+ /* full or low speed config */
+ dev->config = (void *) kbuf;
+ total = le16_to_cpu(dev->config->wTotalLength);
+- if (!is_valid_config (dev->config) || total >= length)
++ if (!is_valid_config(dev->config, total) ||
++ total > length - USB_DT_DEVICE_SIZE)
+ goto fail;
+ kbuf += total;
+ length -= total;
+@@ -1817,7 +1820,8 @@ dev_config (struct file *fd, const char
+ if (kbuf [1] == USB_DT_CONFIG) {
+ dev->hs_config = (void *) kbuf;
+ total = le16_to_cpu(dev->hs_config->wTotalLength);
+- if (!is_valid_config (dev->hs_config) || total >= length)
++ if (!is_valid_config(dev->hs_config, total) ||
++ total > length - USB_DT_DEVICE_SIZE)
+ goto fail;
+ kbuf += total;
+ length -= total;
diff --git a/queue-4.4/usb-gadgetfs-fix-unbounded-memory-allocation-bug.patch b/queue-4.4/usb-gadgetfs-fix-unbounded-memory-allocation-bug.patch
new file mode 100644
index 00000000000..1701474be4b
--- /dev/null
+++ b/queue-4.4/usb-gadgetfs-fix-unbounded-memory-allocation-bug.patch
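Review bot: The new bound `total > length - USB_DT_DEVICE_SIZE` is only safe because `length` is at least USB_DT_DEVICE_SIZE at both call sites: on entry through the `len < (USB_DT_CONFIG_SIZE + USB_DT_DEVICE_SIZE + 4)` rejection (visible in the restrict-upper-bound patch on this page), and for the high-speed check because the first check guarantees `length - total >= USB_DT_DEVICE_SIZE` before `length -= total`; if `length` is unsigned, breaking that invariant turns the subtraction into a wraparound that accepts any wTotalLength. That reasoning deserves a comment at the first check, e.g. `/* leave room for the device descriptor; length >= USB_DT_DEVICE_SIZE here thanks to the size check at entry */`. The `total >= USB_DT_CONFIG_SIZE` guard in is_valid_config() is the other half of the same argument and could be noted there too. dev_config() starts and ends outside the hunks.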
@@ -0,0 +1,67 @@
+From faab50984fe6636e616c7cc3d30308ba391d36fd Mon Sep 17 00:00:00 2001
+From: Alan Stern
+Date: Fri, 9 Dec 2016 15:17:46 -0500
+Subject: USB: gadgetfs: fix unbounded memory allocation bug
+
+From: Alan Stern
+
+commit faab50984fe6636e616c7cc3d30308ba391d36fd upstream.
+
+Andrey Konovalov reports that fuzz testing with syzkaller causes a
+KASAN warning in gadgetfs:
+
+BUG: KASAN: slab-out-of-bounds in dev_config+0x86f/0x1190 at addr ffff88003c47e160
+Write of size 65537 by task syz-executor0/6356
+CPU: 3 PID: 6356 Comm: syz-executor0 Not tainted 4.9.0-rc7+ #19
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
+ ffff88003c107ad8 ffffffff81f96aba ffffffff3dc11ef0 1ffff10007820eee
+ ffffed0007820ee6 ffff88003dc11f00 0000000041b58ab3 ffffffff8598b4c8
+ ffffffff81f96828 ffffffff813fb4a0 ffff88003b6eadc0 ffff88003c107738
+Call Trace:
+ [< inline >] __dump_stack lib/dump_stack.c:15
+ [] dump_stack+0x292/0x398 lib/dump_stack.c:51
+ [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:159
+ [< inline >] print_address_description mm/kasan/report.c:197
+ [] kasan_report_error+0x1f0/0x4e0 mm/kasan/report.c:286
+ [] kasan_report+0x35/0x40 mm/kasan/report.c:306
+ [< inline >] check_memory_region_inline mm/kasan/kasan.c:308
+ [] check_memory_region+0x139/0x190 mm/kasan/kasan.c:315
+ [] kasan_check_write+0x14/0x20 mm/kasan/kasan.c:326
+ [< inline >] copy_from_user arch/x86/include/asm/uaccess.h:689
+ [< inline >] ep0_write drivers/usb/gadget/legacy/inode.c:1135
+ [] dev_config+0x86f/0x1190 drivers/usb/gadget/legacy/inode.c:1759
+ [] __vfs_write+0x5d5/0x760 fs/read_write.c:510
+ [] vfs_write+0x170/0x4e0 fs/read_write.c:560
+ [< inline >] SYSC_write fs/read_write.c:607
+ [] SyS_write+0xfb/0x230 fs/read_write.c:599
+ [] entry_SYSCALL_64_fastpath+0x1f/0xc2
+
+Indeed, there is a comment saying that the value of len is restricted
+to a 16-bit integer, but the code doesn't actually do this.
+
+This patch fixes the warning. It replaces the comment with a
+computation that forces the amount of data copied from the user in
+ep0_write() to be no larger than the wLength size for the control
+transfer, which is a 16-bit quantity.
+
+Signed-off-by: Alan Stern
+Reported-by: Andrey Konovalov
+Tested-by: Andrey Konovalov
+Signed-off-by: Felipe Balbi
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/gadget/legacy/inode.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/legacy/inode.c
++++ b/drivers/usb/gadget/legacy/inode.c
+@@ -1125,7 +1125,7 @@ ep0_write (struct file *fd, const char _
+ /* data and/or status stage for control request */
+ } else if (dev->state == STATE_DEV_SETUP) {
+
+- /* IN DATA+STATUS caller makes len <= wLength */
++ len = min_t(size_t, len, dev->setup_wLength);
+ if (dev->setup_in) {
+ retval = setup_req (dev->gadget->ep0, dev->req, len);
+ if (retval == 0) {
diff --git a/queue-4.4/usb-gadgetfs-fix-use-after-free-bug.patch b/queue-4.4/usb-gadgetfs-fix-use-after-free-bug.patch
new file mode 100644
index 00000000000..41b0c01d279
--- /dev/null
+++ b/queue-4.4/usb-gadgetfs-fix-use-after-free-bug.patch
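Review bot: `len = min_t(size_t, len, dev->setup_wLength);` replaces the comment that documented the intended invariant, leaving the clamp without a why; keep the reason next to it, e.g. `/* the host's wLength bounds the control data stage; never copy more than that from the caller's buffer */`. Because `len` is reassigned here, whatever byte count the function later returns (not visible in the hunk) should be confirmed to be the clamped value, so a caller passing a larger buffer sees a short write rather than a claim that everything was consumed. The width of `dev->setup_wLength` is not shown; the commit message says it is 16 bits, which is what makes the clamp bound the copy_from_user() in the trace. ep0_write() starts and ends outside the hunk.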
@@ -0,0 +1,74 @@
+From add333a81a16abbd4f106266a2553677a165725f Mon Sep 17 00:00:00 2001
+From: Alan Stern
+Date: Fri, 9 Dec 2016 15:18:43 -0500
+Subject: USB: gadgetfs: fix use-after-free bug
+
+From: Alan Stern
+
+commit add333a81a16abbd4f106266a2553677a165725f upstream.
+
+Andrey Konovalov reports that fuzz testing with syzkaller causes a
+KASAN use-after-free bug report in gadgetfs:
+
+BUG: KASAN: use-after-free in gadgetfs_setup+0x208a/0x20e0 at addr ffff88003dfe5bf2
+Read of size 2 by task syz-executor0/22994
+CPU: 3 PID: 22994 Comm: syz-executor0 Not tainted 4.9.0-rc7+ #16
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
+ ffff88006df06a18 ffffffff81f96aba ffffffffe0528500 1ffff1000dbe0cd6
+ ffffed000dbe0cce ffff88006df068f0 0000000041b58ab3 ffffffff8598b4c8
+ ffffffff81f96828 1ffff1000dbe0ccd ffff88006df06708 ffff88006df06748
+Call Trace:
+ [ 201.343209] [< inline >] __dump_stack lib/dump_stack.c:15
+ [ 201.343209] [] dump_stack+0x292/0x398 lib/dump_stack.c:51
+ [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:159
+ [< inline >] print_address_description mm/kasan/report.c:197
+ [] kasan_report_error+0x1f0/0x4e0 mm/kasan/report.c:286
+ [< inline >] kasan_report mm/kasan/report.c:306
+ [] __asan_report_load_n_noabort+0x3a/0x40 mm/kasan/report.c:337
+ [< inline >] config_buf drivers/usb/gadget/legacy/inode.c:1298
+ [] gadgetfs_setup+0x208a/0x20e0 drivers/usb/gadget/legacy/inode.c:1368
+ [] dummy_timer+0x11f0/0x36d0 drivers/usb/gadget/udc/dummy_hcd.c:1858
+ [] call_timer_fn+0x241/0x800 kernel/time/timer.c:1308
+ [< inline >] expire_timers kernel/time/timer.c:1348
+ [] __run_timers+0xa06/0xec0 kernel/time/timer.c:1641
+ [] run_timer_softirq+0x21/0x80 kernel/time/timer.c:1654
+ [] __do_softirq+0x2fb/0xb63 kernel/softirq.c:284
+
+The cause of the bug is subtle. The dev_config() routine gets called
+twice by the fuzzer. The first time, the user data contains both a
+full-speed configuration descriptor and a high-speed config
+descriptor, causing dev->hs_config to be set. But it also contains an
+invalid device descriptor, so the buffer containing the descriptors is
+deallocated and dev_config() returns an error.
+
+The second time dev_config() is called, the user data contains only a
+full-speed config descriptor. But dev->hs_config still has the stale
+pointer remaining from the first call, causing the routine to think
+that there is a valid high-speed config. Later on, when the driver
+dereferences the stale pointer to copy that descriptor, we get a
+use-after-free access.
+
+The fix is simple: Clear dev->hs_config if the passed-in data does not
+contain a high-speed config descriptor.
+
+Signed-off-by: Alan Stern
+Reported-by: Andrey Konovalov
+Tested-by: Andrey Konovalov
+Signed-off-by: Felipe Balbi
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/gadget/legacy/inode.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/gadget/legacy/inode.c
++++ b/drivers/usb/gadget/legacy/inode.c
+@@ -1821,6 +1821,8 @@ dev_config (struct file *fd, const char
+ goto fail;
+ kbuf += total;
+ length -= total;
++ } else {
++ dev->hs_config = NULL;
+ }
+
+ /* could support multiple configs, using another encoding! */
diff --git a/queue-4.4/usb-gadgetfs-restrict-upper-bound-on-device-configuration-size.patch b/queue-4.4/usb-gadgetfs-restrict-upper-bound-on-device-configuration-size.patch
new file mode 100644
index 00000000000..426d845292d
--- /dev/null
+++ b/queue-4.4/usb-gadgetfs-restrict-upper-bound-on-device-configuration-size.patch
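Review bot: Clearing `dev->hs_config` in the new `else` branch only helps when a later dev_config() call parses far enough to reach this point; the stale pointer described in the commit message was left behind by the `goto fail` path that frees the descriptor buffer, and if that path (outside the hunk) does not also reset `dev->config`, `dev->hs_config` and the device-descriptor pointer it stores, a failure earlier in a subsequent call leaves them dangling again. Resetting those pointers at the `fail:` label would make the invariant "descriptor pointers are valid only while the buffer is" local to the function instead of depending on the next successful parse. A one-line comment on the new branch, e.g. `/* no high-speed config this time: drop any pointer left from an earlier call */`, would record why the assignment exists. dev_config() starts and ends outside the hunk.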
@@ -0,0 +1,36 @@
+From 0994b0a257557e18ee8f0b7c5f0f73fe2b54eec1 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman
+Date: Tue, 6 Dec 2016 08:36:29 +0100
+Subject: usb: gadgetfs: restrict upper bound on device configuration size
+
+From: Greg Kroah-Hartman
+
+commit 0994b0a257557e18ee8f0b7c5f0f73fe2b54eec1 upstream.
+
+Andrey Konovalov reported that we were not properly checking the upper
+limit before of a device configuration size before calling
+memdup_user(), which could cause some problems.
+
+So set the upper limit to PAGE_SIZE * 4, which should be good enough for
+all devices.
+
+Reported-by: Andrey Konovalov
+Signed-off-by: Felipe Balbi
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/gadget/legacy/inode.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/legacy/inode.c
++++ b/drivers/usb/gadget/legacy/inode.c
+@@ -1783,7 +1783,8 @@ dev_config (struct file *fd, const char
+ }
+ spin_unlock_irq(&dev->lock);
+
+- if (len < (USB_DT_CONFIG_SIZE + USB_DT_DEVICE_SIZE + 4))
++ if ((len < (USB_DT_CONFIG_SIZE + USB_DT_DEVICE_SIZE + 4)) ||
++ (len > PAGE_SIZE * 4))
+ return -EINVAL;
+
+ /* we might need to change message format someday */
diff --git a/queue-4.4/usb-musb-core-add-clear_ep_rxintr-to-musb_platform_ops.patch b/queue-4.4/usb-musb-core-add-clear_ep_rxintr-to-musb_platform_ops.patch
new file mode 100644
index 00000000000..ea3e6cf3aaa
--- /dev/null
+++ b/queue-4.4/usb-musb-core-add-clear_ep_rxintr-to-musb_platform_ops.patch
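Review bot: `(len > PAGE_SIZE * 4)` is a magic limit with no comment, and the commit message's "should be good enough for all devices" is the only place its rationale lives; give it a name and a why, e.g. a file-scope constant introduced with `/* upper bound on a gadgetfs device configuration blob passed to memdup_user() */` and set to `PAGE_SIZE * 4`, then use that name in the condition. The extra parentheses around each comparison add nothing: `if (len < USB_DT_CONFIG_SIZE + USB_DT_DEVICE_SIZE + 4 || len > PAGE_SIZE * 4)` reads the same. dev_config() starts and ends outside the hunk.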
@@ -0,0 +1,85 @@
+From 6def85a396ce7796bd9f4561c6ae8138833f7a52 Mon Sep 17 00:00:00 2001
+From: Bin Liu
+Date: Tue, 3 Jan 2017 18:13:46 -0600
+Subject: usb: musb: core: add clear_ep_rxintr() to musb_platform_ops
+
+From: Bin Liu
+
+commit 6def85a396ce7796bd9f4561c6ae8138833f7a52 upstream.
+
+During dma teardown for dequque urb, if musb load is high, musb might
+generate bogus rx ep interrupt even when the rx fifo is flushed. In such
+case any of the follow log messages could happen.
+
+ musb_host_rx 1853: BOGUS RX2 ready, csr 0000, count 0
+
+ musb_host_rx 1936: RX3 dma busy, csr 2020
+
+As mentioned in the current inline comment, clearing ep interrupt in the
+teardown path avoids the bogus interrupt.
+
+Clearing ep interrupt is platform dependent, so this patch adds a
+platform callback to allow glue driver to clear the ep interrupt.
+
+This bug seems to be existing since the initial driver for musb support,
+but I only validated the fix back to v4.1, so only cc stable for v4.1+.
+
+Signed-off-by: Bin Liu
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/musb/musb_core.h | 7 +++++++
+ drivers/usb/musb/musb_host.c | 10 ++++------
+ 2 files changed, 11 insertions(+), 6 deletions(-)
+
+--- a/drivers/usb/musb/musb_core.h
++++ b/drivers/usb/musb/musb_core.h
+@@ -214,6 +214,7 @@ struct musb_platform_ops {
+ dma_addr_t *dma_addr, u32 *len);
+ void (*pre_root_reset_end)(struct musb *musb);
+ void (*post_root_reset_end)(struct musb *musb);
++ void (*clear_ep_rxintr)(struct musb *musb, int epnum);
+ };
+
+ /*
+@@ -612,4 +613,10 @@ static inline void musb_platform_post_ro
+ musb->ops->post_root_reset_end(musb);
+ }
+
++static inline void musb_platform_clear_ep_rxintr(struct musb *musb, int epnum)
++{
++ if (musb->ops->clear_ep_rxintr)
++ musb->ops->clear_ep_rxintr(musb, epnum);
++}
++
+ #endif /* __MUSB_CORE_H__ */
+--- a/drivers/usb/musb/musb_host.c
++++ b/drivers/usb/musb/musb_host.c
+@@ -2390,12 +2390,11 @@ static int musb_cleanup_urb(struct urb *
+ int is_in = usb_pipein(urb->pipe);
+ int status = 0;
+ u16 csr;
++ struct dma_channel *dma = NULL;
+
+ musb_ep_select(regs, hw_end);
+
+ if (is_dma_capable()) {
+- struct dma_channel *dma;
+-
+ dma = is_in ? ep->rx_channel : ep->tx_channel;
+ if (dma) {
+ status = ep->musb->dma_controller->channel_abort(dma);
+@@ -2412,10 +2411,9 @@ static int musb_cleanup_urb(struct urb *
+ /* giveback saves bulk toggle */
+ csr = musb_h_flush_rxfifo(ep, 0);
+
+- /* REVISIT we still get an irq; should likely clear the
+- * endpoint's irq status here to avoid bogus irqs.
+- * clearing that status is platform-specific...
+- */
++ /* clear the endpoint's irq status here to avoid bogus irqs */
++ if (is_dma_capable() && dma)
++ musb_platform_clear_ep_rxintr(musb, ep->epnum);
+ } else if (ep->epnum) {
+ musb_h_tx_flush_fifo(ep);
+ csr = musb_readw(epio, MUSB_TXCSR);
diff --git a/queue-4.4/usb-musb-dsps-implement-clear_ep_rxintr-callback.patch b/queue-4.4/usb-musb-dsps-implement-clear_ep_rxintr-callback.patch
new file mode 100644
index 00000000000..756f41abf0f
--- /dev/null
+++ b/queue-4.4/usb-musb-dsps-implement-clear_ep_rxintr-callback.patch
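Review bot: The new `clear_ep_rxintr` op in struct musb_platform_ops has no comment describing when the core calls it, which is exactly what a glue author needs: it is invoked from musb_cleanup_urb() after the RX FIFO has been flushed during URB teardown, possibly with `musb->lock` held (the dsps implementation on this page notes the lock "might already been held"). Suggest `/* clear a spurious RX endpoint interrupt after the RX FIFO was flushed during URB teardown; may be called with musb->lock held */` above the field, and the same wording on the inline wrapper in musb_core.h. In `if (is_dma_capable() && dma)` the `is_dma_capable()` term looks redundant, since `dma` can only be non-NULL inside the earlier `if (is_dma_capable())` block; if it is kept so the call compiles out when DMA support is absent, a comment should say so. `musb` in the new call is presumably the local declared at the top of musb_cleanup_urb(), which starts outside the hunk.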
@@ -0,0 +1,59 @@ +From c48400baa02155a5ddad63e8554602e48782278c Mon Sep 17 00:00:00 2001 +From: Bin Liu +Date: Tue, 3 Jan 2017 18:13:47 -0600 +Subject: usb: musb: dsps: implement clear_ep_rxintr() callback + +From: Bin Liu + +commit c48400baa02155a5ddad63e8554602e48782278c upstream. + +During dma teardown for dequque urb, if musb load is high, musb might +generate bogus rx ep interrupt even when the rx fifo is flushed. In such +case any of the follow log messages could happen. + + musb_host_rx 1853: BOGUS RX2 ready, csr 0000, count 0 + + musb_host_rx 1936: RX3 dma busy, csr 2020 + +As mentioned in the current inline comment, clearing ep interrupt in the +teardown path avoids the bogus interrupt, so implement clear_ep_rxintr() +callback. + +This bug seems to be existing since the initial driver for musb support, +but I only validated the fix back to v4.1, so only cc stable for v4.1+. + +Signed-off-by: Bin Liu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/musb/musb_dsps.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/drivers/usb/musb/musb_dsps.c ++++ b/drivers/usb/musb/musb_dsps.c +@@ -301,6 +301,17 @@ static void otg_timer(unsigned long _mus + spin_unlock_irqrestore(&musb->lock, flags); + } + ++void dsps_musb_clear_ep_rxintr(struct musb *musb, int epnum) ++{ ++ u32 epintr; ++ struct dsps_glue *glue = dev_get_drvdata(musb->controller->parent); ++ const struct dsps_musb_wrapper *wrp = glue->wrp; ++ ++ /* musb->lock might already been held */ ++ epintr = (1 << epnum) << wrp->rxep_shift; ++ musb_writel(musb->ctrl_base, wrp->epintr_status, epintr); ++} ++ + static irqreturn_t dsps_interrupt(int irq, void *hci) + { + struct musb *musb = hci; +@@ -647,6 +658,7 @@ static struct musb_platform_ops dsps_ops + .try_idle = dsps_musb_try_idle, + .set_mode = dsps_musb_set_mode, + .recover = dsps_musb_recover, ++ .clear_ep_rxintr = dsps_musb_clear_ep_rxintr, + }; + + static u64 musb_dmamask = DMA_BIT_MASK(32); 
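Review bot: `dsps_musb_clear_ep_rxintr()` is defined without `static` although it is only referenced from the `dsps_ops` table in this file, so it should be `static void dsps_musb_clear_ep_rxintr(struct musb *musb, int epnum)` rather than an exported symbol with no prototype. The mask `(1 << epnum) << wrp->rxep_shift` is built on a signed int; `epintr = (1u << epnum) << wrp->rxep_shift;` avoids signed-shift undefined behaviour if epnum plus rxep_shift ever reaches bit 31, and a short comment stating the epnum range the caller guarantees would make the absence of a bounds check deliberate. The comment `/* musb->lock might already been held */` should read `/* musb->lock might already be held, so no locking is taken here */`, which also says what follows from it.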
diff --git a/queue-4.4/usb-storage-unusual_uas-add-jmicron-jms56x-to-unusual-device.patch b/queue-4.4/usb-storage-unusual_uas-add-jmicron-jms56x-to-unusual-device.patch new file mode 100644 index 00000000000..bad43b8b5ca --- /dev/null +++ b/queue-4.4/usb-storage-unusual_uas-add-jmicron-jms56x-to-unusual-device.patch @@ -0,0 +1,40 @@ +From 674aea07e38200ea6f31ff6d5f200f0cf6cdb325 Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Mon, 2 Jan 2017 15:26:17 +0100 +Subject: usb: storage: unusual_uas: Add JMicron JMS56x to unusual device + +From: Oliver Neukum + +commit 674aea07e38200ea6f31ff6d5f200f0cf6cdb325 upstream. + +This device gives the following error on detection. +xhci_hcd 0000:00:11.0: ERROR Transfer event for disabled endpoint or +incorrect stream ring + +The same error is not seen when it is added to unusual_device +list with US_FL_NO_REPORT_OPCODES passed. + +Signed-off-by: George Cherian +Signed-off-by: Oliver Neukum +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/storage/unusual_devs.h | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/usb/storage/unusual_devs.h ++++ b/drivers/usb/storage/unusual_devs.h +@@ -2135,6 +2135,13 @@ UNUSUAL_DEV( 0x22b8, 0x3010, 0x0001, 0x + USB_SC_DEVICE, USB_PR_DEVICE, NULL, + US_FL_FIX_CAPACITY | US_FL_IGNORE_RESIDUE ), + ++/* Reported-by George Cherian */ ++UNUSUAL_DEV(0x152d, 0x9561, 0x0000, 0x9999, ++ "JMicron", ++ "JMS56x", ++ USB_SC_DEVICE, USB_PR_DEVICE, NULL, ++ US_FL_NO_REPORT_OPCODES), ++ + /* + * Patch by Constantin Baranov + * Report by Andreas Koenecke. diff --git a/queue-4.4/usb-xhci-fix-possible-wild-pointer.patch b/queue-4.4/usb-xhci-fix-possible-wild-pointer.patch new file mode 100644 index 00000000000..331040d56a0 --- /dev/null +++ b/queue-4.4/usb-xhci-fix-possible-wild-pointer.patch 
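Review bot: The new UNUSUAL_DEV entry for 0x152d:0x9561 is placed after the 0x22b8 entry; if unusual_devs.h is kept sorted by vendor and product id as the surrounding entries suggest, it belongs earlier, alongside any other 0x152d (JMicron) entries. The patch subject says unusual_uas but the file changed is unusual_devs.h, so the quirk applies on the usb-storage path rather than the UAS one; the description should say which driver the device actually binds to. The comment `/* Reported-by George Cherian */` carries less than the neighbouring entries; stating the symptom, e.g. `/* JMicron JMS56x: xhci reports "Transfer event for disabled endpoint" unless REPORT OPCODES is skipped */`, tells the next maintainer why the flag is needed.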
@@ -0,0 +1,63 @@ +From 2b985467371a58ae44d76c7ba12b0951fee6ed98 Mon Sep 17 00:00:00 2001 +From: Lu Baolu +Date: Tue, 3 Jan 2017 18:28:46 +0200 +Subject: usb: xhci: fix possible wild pointer + +From: Lu Baolu + +commit 2b985467371a58ae44d76c7ba12b0951fee6ed98 upstream. + +handle_cmd_completion() frees a command structure which might be still +referenced by xhci->current_cmd. +This might cause problem when xhci->current_cmd is accessed after that. + +A real-life case could be like this. The host takes a very long time to +respond to a command, and the command timer is fired at the same time +when the command completion event arrives. The command completion +handler frees xhci->current_cmd before the timer function can grab +xhci->lock. Afterward, timer function grabs the lock and go ahead with +checking and setting members of xhci->current_cmd. + +Signed-off-by: Lu Baolu +Signed-off-by: Mathias Nyman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/xhci-ring.c | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +--- a/drivers/usb/host/xhci-ring.c ++++ b/drivers/usb/host/xhci-ring.c +@@ -1268,14 +1268,18 @@ void xhci_handle_command_timeout(unsigne + bool second_timeout = false; + xhci = (struct xhci_hcd *) data; + +- /* mark this command to be cancelled */ + spin_lock_irqsave(&xhci->lock, flags); +- if (xhci->current_cmd) { +- if (xhci->current_cmd->status == COMP_CMD_ABORT) +- second_timeout = true; +- xhci->current_cmd->status = COMP_CMD_ABORT; ++ ++ if (!xhci->current_cmd) { ++ spin_unlock_irqrestore(&xhci->lock, flags); ++ return; + } + ++ /* mark this command to be cancelled */ ++ if (xhci->current_cmd->status == COMP_CMD_ABORT) ++ second_timeout = true; ++ xhci->current_cmd->status = COMP_CMD_ABORT; ++ + /* Make sure command ring is running before aborting it */ + hw_ring_state = xhci_read_64(xhci, &xhci->op_regs->cmd_ring); + if ((xhci->cmd_ring_state & CMD_RING_STATE_RUNNING) && +@@ -1424,6 +1428,8 @@ static void 
handle_cmd_completion(struct + xhci->current_cmd = list_entry(cmd->cmd_list.next, + struct xhci_command, cmd_list); + mod_timer(&xhci->cmd_timer, jiffies + XHCI_CMD_DEFAULT_TIMEOUT); ++ } else if (xhci->current_cmd == cmd) { ++ xhci->current_cmd = NULL; + } + + event_handled:
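Review bot: The new `else if (xhci->current_cmd == cmd)` branch in handle_cmd_completion clears the reference without a comment, yet its correctness depends on the matching change in xhci_handle_command_timeout that now returns when current_cmd is NULL; add `/* last queued command: drop the pointer so the timeout handler never touches the freed cmd */` so the coupling between the two hunks is visible. In xhci_handle_command_timeout the early exit unlocks and returns inline while the remainder of the function (outside the hunk) presumably has its own unlock path; a shared unlock label would keep a single exit. It is not visible here whether the pending cmd_timer is stopped when the last command completes; if it is not, the timer still fires and takes the lock only to return, which is harmless but worth noting in the same comment. Both functions start before and continue past their hunks.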