From: Greg Kroah-Hartman Date: Wed, 31 Jul 2019 16:09:53 +0000 (+0200) Subject: 4.19-stable patches X-Git-Tag: v5.2.6~23 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=68c2e0d3c09989bd66a38cb05f9e2638d9181597;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: ath10k-change-the-warning-message-string.patch isdn-hfcsusb-checking-idx-of-ep-configuration.patch media-au0828-fix-null-dereference-in-error-path.patch media-cpia2_usb-first-wake-up-then-free-in-disconnect.patch media-pvrusb2-use-a-different-format-for-warnings.patch media-radio-raremono-change-devm_k-alloc-to-k-alloc.patch nfs-cleanup-if-nfs_match_client-is-interrupted.patch
---
diff --git a/queue-4.19/ath10k-change-the-warning-message-string.patch b/queue-4.19/ath10k-change-the-warning-message-string.patch
new file mode 100644
index 00000000000..9141422e071
--- /dev/null
+++ b/queue-4.19/ath10k-change-the-warning-message-string.patch
@@ -0,0 +1,38 @@
+From 265df32eae5845212ad9f55f5ae6b6dcb68b187b Mon Sep 17 00:00:00 2001
+From: Fabio Estevam
+Date: Thu, 9 May 2019 09:15:00 -0300
+Subject: ath10k: Change the warning message string
+
+From: Fabio Estevam
+
+commit 265df32eae5845212ad9f55f5ae6b6dcb68b187b upstream.
+
+The "WARNING" string confuses syzbot, which thinks it found
+a crash [1].
+
+Change the string to avoid such problem.
+
+[1] https://lkml.org/lkml/2019/5/9/243
+
+Reported-by: syzbot+c1b25598aa60dcd47e78@syzkaller.appspotmail.com
+Suggested-by: Greg Kroah-Hartman
+Signed-off-by: Fabio Estevam
+Reviewed-by: Greg Kroah-Hartman
+Signed-off-by: Kalle Valo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/ath/ath10k/usb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/ath/ath10k/usb.c
++++ b/drivers/net/wireless/ath/ath10k/usb.c
+@@ -1025,7 +1025,7 @@ static int ath10k_usb_probe(struct usb_i
+ }
+
+ /* TODO: remove this once USB support is fully implemented */
+- ath10k_warn(ar, "WARNING: ath10k USB support is incomplete, don't expect anything to work!\n");
++ ath10k_warn(ar, "Warning: ath10k USB support is incomplete, don't expect anything to work!\n");
+
+ return 0;
+
diff --git a/queue-4.19/isdn-hfcsusb-checking-idx-of-ep-configuration.patch b/queue-4.19/isdn-hfcsusb-checking-idx-of-ep-configuration.patch
new file mode 100644
index 00000000000..e76622d108b
--- /dev/null
+++ b/queue-4.19/isdn-hfcsusb-checking-idx-of-ep-configuration.patch
@@ -0,0 +1,45 @@
+From f384e62a82ba5d85408405fdd6aeff89354deaa9 Mon Sep 17 00:00:00 2001
+From: Phong Tran
+Date: Mon, 15 Jul 2019 22:08:14 +0700
+Subject: ISDN: hfcsusb: checking idx of ep configuration
+
+From: Phong Tran
+
+commit f384e62a82ba5d85408405fdd6aeff89354deaa9 upstream.
+
+The syzbot test with random endpoint address which made the idx is
+overflow in the table of endpoint configuations.
+
+this adds the checking for fixing the error report from
+syzbot
+
+KASAN: stack-out-of-bounds Read in hfcsusb_probe [1]
+The patch tested by syzbot [2]
+
+Reported-by: syzbot+8750abbc3a46ef47d509@syzkaller.appspotmail.com
+
+[1]:
+https://syzkaller.appspot.com/bug?id=30a04378dac680c5d521304a00a86156bb913522
+[2]:
+https://groups.google.com/d/msg/syzkaller-bugs/_6HBdge8F3E/OJn7wVNpBAAJ
+
+Signed-off-by: Phong Tran
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/isdn/hardware/mISDN/hfcsusb.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/isdn/hardware/mISDN/hfcsusb.c
++++ b/drivers/isdn/hardware/mISDN/hfcsusb.c
+@@ -1967,6 +1967,9 @@ hfcsusb_probe(struct usb_interface *intf
+
+ /* get endpoint base */
+ idx = ((ep_addr & 0x7f) - 1) * 2;
++ if (idx > 15)
++ return -EIO;
++
+ if (ep_addr & 0x80)
+ idx++;
+ attr = ep->desc.bmAttributes;
diff --git a/queue-4.19/media-au0828-fix-null-dereference-in-error-path.patch b/queue-4.19/media-au0828-fix-null-dereference-in-error-path.patch
new file mode 100644
index 00000000000..1f73b4e7cd2
--- /dev/null
+++ b/queue-4.19/media-au0828-fix-null-dereference-in-error-path.patch
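Review bot: The added bound `if (idx > 15)` in hfcsusb_probe() only rejects values above the table, so if `idx` is a signed int (its declaration is outside the hunk) an endpoint address whose low seven bits are zero gives `idx == -2` and still passes the check. The USB core may already discard such descriptors, but a driver-local guard costs nothing: `if (idx < 0 || idx > 15) return -EIO;`. The literal 15 also depends on the width of the endpoint configuration table declared elsewhere in the file, and deriving the limit from that array's size would keep the two from drifting apart. hfcsusb_probe's body continues outside the hunk, so whether the early return skips any cleanup cannot be judged from this excerpt.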
@@ -0,0 +1,49 @@
+From 6d0d1ff9ff21fbb06b867c13a1d41ce8ddcd8230 Mon Sep 17 00:00:00 2001
+From: Sean Young
+Date: Sun, 19 May 2019 15:28:22 -0400
+Subject: media: au0828: fix null dereference in error path
+
+From: Sean Young
+
+commit 6d0d1ff9ff21fbb06b867c13a1d41ce8ddcd8230 upstream.
+
+au0828_usb_disconnect() gets the au0828_dev struct via usb_get_intfdata,
+so it needs to set up for the error paths.
+
+Reported-by: syzbot+357d86bcb4cca1a2f572@syzkaller.appspotmail.com
+Signed-off-by: Sean Young
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/usb/au0828/au0828-core.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/media/usb/au0828/au0828-core.c
++++ b/drivers/media/usb/au0828/au0828-core.c
+@@ -623,6 +623,12 @@ static int au0828_usb_probe(struct usb_i
+ /* Setup */
+ au0828_card_setup(dev);
+
++ /*
++ * Store the pointer to the au0828_dev so it can be accessed in
++ * au0828_usb_disconnect
++ */
++ usb_set_intfdata(interface, dev);
++
+ /* Analog TV */
+ retval = au0828_analog_register(dev, interface);
+ if (retval) {
+@@ -641,12 +647,6 @@ static int au0828_usb_probe(struct usb_i
+ /* Remote controller */
+ au0828_rc_register(dev);
+
+- /*
+- * Store the pointer to the au0828_dev so it can be accessed in
+- * au0828_usb_disconnect
+- */
+- usb_set_intfdata(interface, dev);
+-
+ pr_info("Registered device AU0828 [%s]\n",
+ dev->board.name == NULL ? "Unset" : dev->board.name);
+
diff --git a/queue-4.19/media-cpia2_usb-first-wake-up-then-free-in-disconnect.patch b/queue-4.19/media-cpia2_usb-first-wake-up-then-free-in-disconnect.patch
new file mode 100644
index 00000000000..0c41c25dffc
--- /dev/null
+++ b/queue-4.19/media-cpia2_usb-first-wake-up-then-free-in-disconnect.patch
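Review bot: Publishing `dev` with `usb_set_intfdata(interface, dev)` before `au0828_analog_register()` means every later failure path in au0828_usb_probe() must keep `dev` valid for as long as the interface data points at it, and the hunk cuts off at `if (retval) {` so that body is not visible. If any of those paths frees `dev` directly, it should clear the pointer first with `usb_set_intfdata(interface, NULL);`, otherwise the NULL dereference this patch fixes turns into a read of freed memory in au0828_usb_disconnect(). The moved comment could also say this, for example by adding ` * (error paths below must not free dev while this pointer is set)`.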
@@ -0,0 +1,44 @@
+From eff73de2b1600ad8230692f00bc0ab49b166512a Mon Sep 17 00:00:00 2001
+From: Oliver Neukum
+Date: Thu, 9 May 2019 04:57:09 -0400
+Subject: media: cpia2_usb: first wake up, then free in disconnect
+
+From: Oliver Neukum
+
+commit eff73de2b1600ad8230692f00bc0ab49b166512a upstream.
+
+Kasan reported a use after free in cpia2_usb_disconnect()
+It first freed everything and then woke up those waiting.
+The reverse order is correct.
+
+Fixes: 6c493f8b28c67 ("[media] cpia2: major overhaul to get it in a working state again")
+
+Signed-off-by: Oliver Neukum
+Reported-by: syzbot+0c90fc937c84f97d0aa6@syzkaller.appspotmail.com
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/usb/cpia2/cpia2_usb.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/usb/cpia2/cpia2_usb.c
++++ b/drivers/media/usb/cpia2/cpia2_usb.c
+@@ -902,7 +902,6 @@ static void cpia2_usb_disconnect(struct
+ cpia2_unregister_camera(cam);
+ v4l2_device_disconnect(&cam->v4l2_dev);
+ mutex_unlock(&cam->v4l2_lock);
+- v4l2_device_put(&cam->v4l2_dev);
+
+ if(cam->buffers) {
+ DBG("Wakeup waiting processes\n");
+@@ -911,6 +910,8 @@ static void cpia2_usb_disconnect(struct
+ wake_up_interruptible(&cam->wq_stream);
+ }
+
++ v4l2_device_put(&cam->v4l2_dev);
++
+ LOG("CPiA2 camera disconnected.\n");
+ }
+
diff --git a/queue-4.19/media-pvrusb2-use-a-different-format-for-warnings.patch b/queue-4.19/media-pvrusb2-use-a-different-format-for-warnings.patch
new file mode 100644
index 00000000000..be373645dd9
--- /dev/null
+++ b/queue-4.19/media-pvrusb2-use-a-different-format-for-warnings.patch
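Review bot: The relocated `v4l2_device_put(&cam->v4l2_dev)` in cpia2_usb_disconnect() may drop the last reference to the camera, yet nothing in the code says that `cam` must not be touched after it. A short comment above the call, such as `/* may release cam; keep this the last use of cam in disconnect */`, would stop a later edit from reintroducing the use-after-free that KASAN reported. The trailing `LOG()` does not dereference `cam`, so the order shown is consistent with that rule. The wake-up block lies partly between the two hunks and is not fully visible here.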
@@ -0,0 +1,87 @@
+From 1753c7c4367aa1201e1e5d0a601897ab33444af1 Mon Sep 17 00:00:00 2001
+From: Andrey Konovalov
+Date: Thu, 2 May 2019 12:09:26 -0400
+Subject: media: pvrusb2: use a different format for warnings
+
+From: Andrey Konovalov
+
+commit 1753c7c4367aa1201e1e5d0a601897ab33444af1 upstream.
+
+When the pvrusb2 driver detects that there's something wrong with the
+device, it prints a warning message. Right now those message are
+printed in two different formats:
+
+1. ***WARNING*** message here
+2. WARNING: message here
+
+There's an issue with the second format. Syzkaller recognizes it as a
+message produced by a WARN_ON(), which is used to indicate a bug in the
+kernel. However pvrusb2 prints those warnings to indicate an issue with
+the device, not the bug in the kernel.
+
+This patch changes the pvrusb2 driver to consistently use the first
+warning message format. This will unblock syzkaller testing of this
+driver.
+
+Reported-by: syzbot+af8f8d2ac0d39b0ed3a0@syzkaller.appspotmail.com
+Reported-by: syzbot+170a86bf206dd2c6217e@syzkaller.appspotmail.com
+Signed-off-by: Andrey Konovalov
+Reviewed-by: Greg Kroah-Hartman
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/usb/pvrusb2/pvrusb2-hdw.c | 4 ++--
+ drivers/media/usb/pvrusb2/pvrusb2-i2c-core.c | 6 +++---
+ drivers/media/usb/pvrusb2/pvrusb2-std.c | 2 +-
+ 3 files changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
++++ b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
+@@ -1680,7 +1680,7 @@ static int pvr2_decoder_enable(struct pv
+ }
+ if (!hdw->flag_decoder_missed) {
+ pvr2_trace(PVR2_TRACE_ERROR_LEGS,
+- "WARNING: No decoder present");
++ "***WARNING*** No decoder present");
+ hdw->flag_decoder_missed = !0;
+ trace_stbit("flag_decoder_missed",
+ hdw->flag_decoder_missed);
+@@ -2366,7 +2366,7 @@ struct pvr2_hdw *pvr2_hdw_create(struct
+ if (hdw_desc->flag_is_experimental) {
+ pvr2_trace(PVR2_TRACE_INFO, "**********");
+ pvr2_trace(PVR2_TRACE_INFO,
+- "WARNING: Support for this device (%s) is experimental.",
++ "***WARNING*** Support for this device (%s) is experimental.",
+ hdw_desc->description);
+ pvr2_trace(PVR2_TRACE_INFO,
+ "Important functionality might not be entirely working.");
+--- a/drivers/media/usb/pvrusb2/pvrusb2-i2c-core.c
++++ b/drivers/media/usb/pvrusb2/pvrusb2-i2c-core.c
+@@ -343,11 +343,11 @@ static int i2c_hack_cx25840(struct pvr2_
+
+ if ((ret != 0) || (*rdata == 0x04) || (*rdata == 0x0a)) {
+ pvr2_trace(PVR2_TRACE_ERROR_LEGS,
+- "WARNING: Detected a wedged cx25840 chip; the device will not work.");
++ "***WARNING*** Detected a wedged cx25840 chip; the device will not work.");
+ pvr2_trace(PVR2_TRACE_ERROR_LEGS,
+- "WARNING: Try power cycling the pvrusb2 device.");
++ "***WARNING*** Try power cycling the pvrusb2 device.");
+ pvr2_trace(PVR2_TRACE_ERROR_LEGS,
+- "WARNING: Disabling further access to the device to prevent other foul-ups.");
++ "***WARNING*** Disabling further access to the device to prevent other foul-ups.");
+ // This blocks all further communication with the part.
+ hdw->i2c_func[0x44] = NULL;
+ pvr2_hdw_render_useless(hdw);
+--- a/drivers/media/usb/pvrusb2/pvrusb2-std.c
++++ b/drivers/media/usb/pvrusb2/pvrusb2-std.c
+@@ -353,7 +353,7 @@ struct v4l2_standard *pvr2_std_create_en
+ bcnt = pvr2_std_id_to_str(buf,sizeof(buf),fmsk);
+ pvr2_trace(
+ PVR2_TRACE_ERROR_LEGS,
+- "WARNING: Failed to classify the following standard(s): %.*s",
++ "***WARNING*** Failed to classify the following standard(s): %.*s",
+ bcnt,buf);
+ }
+
diff --git a/queue-4.19/media-radio-raremono-change-devm_k-alloc-to-k-alloc.patch b/queue-4.19/media-radio-raremono-change-devm_k-alloc-to-k-alloc.patch
new file mode 100644
index 00000000000..314356492f8
--- /dev/null
+++ b/queue-4.19/media-radio-raremono-change-devm_k-alloc-to-k-alloc.patch
@@ -0,0 +1,108 @@
+From c666355e60ddb4748ead3bdd983e3f7f2224aaf0 Mon Sep 17 00:00:00 2001
+From: Luke Nowakowski-Krijger
+Date: Fri, 21 Jun 2019 21:04:38 -0400
+Subject: media: radio-raremono: change devm_k*alloc to k*alloc
+
+From: Luke Nowakowski-Krijger
+
+commit c666355e60ddb4748ead3bdd983e3f7f2224aaf0 upstream.
+
+Change devm_k*alloc to k*alloc to manually allocate memory
+
+The manual allocation and freeing of memory is necessary because when
+the USB radio is disconnected, the memory associated with devm_k*alloc
+is freed. Meaning if we still have unresolved references to the radio
+device, then we get use-after-free errors.
+
+This patch fixes this by manually allocating memory, and freeing it in
+the v4l2.release callback that gets called when the last radio device
+exits.
+
+Reported-and-tested-by: syzbot+a4387f5b6b799f6becbf@syzkaller.appspotmail.com
+
+Signed-off-by: Luke Nowakowski-Krijger
+Signed-off-by: Hans Verkuil
+[hverkuil-cisco@xs4all.nl: cleaned up two small checkpatch.pl warnings]
+[hverkuil-cisco@xs4all.nl: prefix subject with driver name]
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/radio/radio-raremono.c | 30 +++++++++++++++++++++++-------
+ 1 file changed, 23 insertions(+), 7 deletions(-)
+
+--- a/drivers/media/radio/radio-raremono.c
++++ b/drivers/media/radio/radio-raremono.c
+@@ -271,6 +271,14 @@ static int vidioc_g_frequency(struct fil
+ return 0;
+ }
+
++static void raremono_device_release(struct v4l2_device *v4l2_dev)
++{
++ struct raremono_device *radio = to_raremono_dev(v4l2_dev);
++
++ kfree(radio->buffer);
++ kfree(radio);
++}
++
+ /* File system interface */
+ static const struct v4l2_file_operations usb_raremono_fops = {
+ .owner = THIS_MODULE,
+@@ -295,12 +303,14 @@ static int usb_raremono_probe(struct usb
+ struct raremono_device *radio;
+ int retval = 0;
+
+- radio = devm_kzalloc(&intf->dev, sizeof(struct raremono_device), GFP_KERNEL);
+- if (radio)
+- radio->buffer = devm_kmalloc(&intf->dev, BUFFER_LENGTH, GFP_KERNEL);
+-
+- if (!radio || !radio->buffer)
++ radio = kzalloc(sizeof(*radio), GFP_KERNEL);
++ if (!radio)
++ return -ENOMEM;
++ radio->buffer = kmalloc(BUFFER_LENGTH, GFP_KERNEL);
++ if (!radio->buffer) {
++ kfree(radio);
+ return -ENOMEM;
++ }
+
+ radio->usbdev = interface_to_usbdev(intf);
+ radio->intf = intf;
+@@ -324,7 +334,8 @@ static int usb_raremono_probe(struct usb
+ if (retval != 3 ||
+ (get_unaligned_be16(&radio->buffer[1]) & 0xfff) == 0x0242) {
+ dev_info(&intf->dev, "this is not Thanko's Raremono.\n");
+- return -ENODEV;
++ retval = -ENODEV;
++ goto free_mem;
+ }
+
+ dev_info(&intf->dev, "Thanko's Raremono connected: (%04X:%04X)\n",
+@@ -333,7 +344,7 @@ static int usb_raremono_probe(struct usb
+ retval = v4l2_device_register(&intf->dev, &radio->v4l2_dev);
+ if (retval < 0) {
+ dev_err(&intf->dev, "couldn't register v4l2_device\n");
+- return retval;
++ goto free_mem;
+ }
+
+ mutex_init(&radio->lock);
+@@ -345,6 +356,7 @@ static int usb_raremono_probe(struct usb
+ radio->vdev.ioctl_ops = &usb_raremono_ioctl_ops;
+ radio->vdev.lock = &radio->lock;
+ radio->vdev.release = video_device_release_empty;
++ radio->v4l2_dev.release = raremono_device_release;
+
+ usb_set_intfdata(intf, &radio->v4l2_dev);
+
+@@ -360,6 +372,10 @@ static int usb_raremono_probe(struct usb
+ }
+ dev_err(&intf->dev, "could not register video device\n");
+ v4l2_device_unregister(&radio->v4l2_dev);
++
++free_mem:
++ kfree(radio->buffer);
++ kfree(radio);
+ return retval;
+ }
+
diff --git a/queue-4.19/nfs-cleanup-if-nfs_match_client-is-interrupted.patch b/queue-4.19/nfs-cleanup-if-nfs_match_client-is-interrupted.patch
new file mode 100644
index 00000000000..f78dd5a52f0
--- /dev/null
+++ b/queue-4.19/nfs-cleanup-if-nfs_match_client-is-interrupted.patch
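Review bot: The new `free_mem:` label in usb_raremono_probe() frees `radio` by hand while `radio->v4l2_dev.release` is also set to `raremono_device_release`, and nothing documents why the two cannot both run on the same object. The fall-through from `v4l2_device_unregister()` is safe only as long as that call does not drop the reference that would invoke the release callback. A comment at the label, e.g. `/* release callback has not run: unregister does not put the last reference */`, would make that ownership rule explicit. It is also worth confirming that the disconnect handler, which is outside this diff, ends with a `v4l2_device_put()`, since otherwise the release callback never runs and both allocations leak on every unplug.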
@@ -0,0 +1,37 @@
+From 9f7761cf0409465075dadb875d5d4b8ef2f890c8 Mon Sep 17 00:00:00 2001
+From: Benjamin Coddington
+Date: Tue, 11 Jun 2019 12:57:52 -0400
+Subject: NFS: Cleanup if nfs_match_client is interrupted
+
+From: Benjamin Coddington
+
+commit 9f7761cf0409465075dadb875d5d4b8ef2f890c8 upstream.
+
+Don't bail out before cleaning up a new allocation if the wait for
+searching for a matching nfs client is interrupted. Memory leaks.
+
+Reported-by: syzbot+7fe11b49c1cc30e3fce2@syzkaller.appspotmail.com
+Fixes: 950a578c6128 ("NFS: make nfs_match_client killable")
+Signed-off-by: Benjamin Coddington
+Signed-off-by: Trond Myklebust
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/nfs/client.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/nfs/client.c
++++ b/fs/nfs/client.c
+@@ -416,10 +416,10 @@ struct nfs_client *nfs_get_client(const
+ clp = nfs_match_client(cl_init);
+ if (clp) {
+ spin_unlock(&nn->nfs_client_lock);
+- if (IS_ERR(clp))
+- return clp;
+ if (new)
+ new->rpc_ops->free_client(new);
++ if (IS_ERR(clp))
++ return clp;
+ return nfs_found_client(cl_init, clp);
+ }
+ if (new) {
diff --git a/queue-4.19/series b/queue-4.19/series
index 11dcb818816..8ca42745346 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -7,3 +7,10 @@ usb-dwc2-disable-all-ep-s-on-disconnect.patch
 usb-dwc2-fix-disable-all-ep-s-on-disconnect.patch
 arm64-compat-provide-definition-for-compat_sigminstksz.patch
 binder-fix-possible-uaf-when-freeing-buffer.patch
+isdn-hfcsusb-checking-idx-of-ep-configuration.patch
+media-au0828-fix-null-dereference-in-error-path.patch
+ath10k-change-the-warning-message-string.patch
+media-cpia2_usb-first-wake-up-then-free-in-disconnect.patch
+media-pvrusb2-use-a-different-format-for-warnings.patch
+nfs-cleanup-if-nfs_match_client-is-interrupted.patch
+media-radio-raremono-change-devm_k-alloc-to-k-alloc.patch
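Review bot: The reordered block in nfs_get_client() now relies on `new->rpc_ops->free_client(new)` running before the `IS_ERR(clp)` return, but no comment records that, and the leak being fixed came from exactly this ordering. A one-line comment above `if (new)`, such as `/* drop our unused allocation before any return, including the interrupted-wait error */`, would protect it against a later tidy-up that puts the error check first again. The rest of the function, including the code that allocates `new`, is outside the hunk.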