From: Greg Kroah-Hartman
Date: Mon, 22 Mar 2021 09:15:26 +0000 (+0100)
Subject: 4.9-stable patches
X-Git-Tag: v4.4.263~38
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6c011edf97577ee9898649166f2ba73f6bcd6c5d;p=thirdparty%2Fkernel%2Fstable-queue.git

4.9-stable patches

added patches:
iio-adis16400-fix-an-error-code-in-adis16400_initial_setup.patch
usb-gadget-configfs-fix-kasan-use-after-free.patch
usb-replace-hardcode-maximum-usb-string-length-by-definition.patch
---

diff --git a/queue-4.9/iio-adis16400-fix-an-error-code-in-adis16400_initial_setup.patch b/queue-4.9/iio-adis16400-fix-an-error-code-in-adis16400_initial_setup.patch
new file mode 100644
index 00000000000..f108d6ad7bc
--- /dev/null
+++ b/queue-4.9/iio-adis16400-fix-an-error-code-in-adis16400_initial_setup.patch
@@ -0,0 +1,40 @@
+From a71266e454b5df10d019b06f5ebacd579f76be28 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Tue, 16 Feb 2021 22:42:13 +0300
+Subject: iio: adis16400: Fix an error code in adis16400_initial_setup()
+
+From: Dan Carpenter
+
+commit a71266e454b5df10d019b06f5ebacd579f76be28 upstream.
+
+This is to silence a new Smatch warning:
+
+ drivers/iio/imu/adis16400.c:492 adis16400_initial_setup()
+ warn: sscanf doesn't return error codes
+
+If the condition "if (st->variant->flags & ADIS16400_HAS_SLOW_MODE) {"
+is false then we return 1 instead of returning 0 and probe will fail.
+
+Fixes: 72a868b38bdd ("iio: imu: check sscanf return value")
+Signed-off-by: Dan Carpenter
+Cc:
+Link: https://lore.kernel.org/r/YCwgFb3JVG6qrlQ+@mwanda
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/iio/imu/adis16400_core.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/iio/imu/adis16400_core.c
++++ b/drivers/iio/imu/adis16400_core.c
+@@ -288,8 +288,7 @@ static int adis16400_initial_setup(struc
+ if (ret)
+ goto err_ret;
+ 
+- ret = sscanf(indio_dev->name, "adis%u\n", &device_id);
+- if (ret != 1) {
++ if (sscanf(indio_dev->name, "adis%u\n", &device_id) != 1) {
+ ret = -EINVAL;
+ goto err_ret;
+ }
diff --git a/queue-4.9/series b/queue-4.9/series
index 0cddcf680bd..492e259da89 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -11,3 +11,6 @@ svcrdma-disable-timeouts-on-rdma-backchannel.patch
 sunrpc-fix-refcount-leak-for-rpc-auth-modules.patch
 net-qrtr-fix-__netdev_alloc_skb-call.patch
 scsi-lpfc-fix-some-error-codes-in-debugfs.patch
+usb-replace-hardcode-maximum-usb-string-length-by-definition.patch
+usb-gadget-configfs-fix-kasan-use-after-free.patch
+iio-adis16400-fix-an-error-code-in-adis16400_initial_setup.patch
diff --git a/queue-4.9/usb-gadget-configfs-fix-kasan-use-after-free.patch b/queue-4.9/usb-gadget-configfs-fix-kasan-use-after-free.patch
new file mode 100644
index 00000000000..169c65bd21f
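Review bot: With the new `if (sscanf(indio_dev->name, "adis%u\n", &device_id) != 1)` form, a successful parse leaves `ret` untouched, so the function returning 0 now depends on the preceding `if (ret) goto err_ret;` having left `ret` at 0; that holds in this hunk but breaks silently if another call is later inserted between the two. A one-line comment would pin the invariant, e.g. `/* ret is 0 here; a successful parse must leave it so the function returns 0 */` above the `if`. adis16400_initial_setup() begins and ends outside the hunk, so the remaining uses of `ret` are not visible here.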
--- /dev/null
+++ b/queue-4.9/usb-gadget-configfs-fix-kasan-use-after-free.patch
@@ -0,0 +1,83 @@
+From 98f153a10da403ddd5e9d98a3c8c2bb54bb5a0b6 Mon Sep 17 00:00:00 2001
+From: Jim Lin
+Date: Thu, 11 Mar 2021 14:42:41 +0800
+Subject: usb: gadget: configfs: Fix KASAN use-after-free
+
+From: Jim Lin
+
+commit 98f153a10da403ddd5e9d98a3c8c2bb54bb5a0b6 upstream.
+
+When gadget is disconnected, running sequence is like this.
+. composite_disconnect
+. Call trace:
+ usb_string_copy+0xd0/0x128
+ gadget_config_name_configuration_store+0x4
+ gadget_config_name_attr_store+0x40/0x50
+ configfs_write_file+0x198/0x1f4
+ vfs_write+0x100/0x220
+ SyS_write+0x58/0xa8
+. configfs_composite_unbind
+. configfs_composite_bind
+
+In configfs_composite_bind, it has
+"cn->strings.s = cn->configuration;"
+
+When usb_string_copy is invoked. it would
+allocate memory, copy input string, release previous pointed memory space,
+and use new allocated memory.
+
+When gadget is connected, host sends down request to get information.
+Call trace:
+ usb_gadget_get_string+0xec/0x168
+ lookup_string+0x64/0x98
+ composite_setup+0xa34/0x1ee8
+
+If gadget is disconnected and connected quickly, in the failed case,
+cn->configuration memory has been released by usb_string_copy kfree but
+configfs_composite_bind hasn't been run in time to assign new allocated
+"cn->configuration" pointer to "cn->strings.s".
+
+When "strlen(s->s) of usb_gadget_get_string is being executed, the dangling
+memory is accessed, "BUG: KASAN: use-after-free" error occurs.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Jim Lin
+Signed-off-by: Macpaul Lin
+Link: https://lore.kernel.org/r/1615444961-13376-1-git-send-email-macpaul.lin@mediatek.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/gadget/configfs.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/gadget/configfs.c
++++ b/drivers/usb/gadget/configfs.c
+@@ -108,6 +108,8 @@ struct gadget_config_name {
+ struct list_head list;
+ };
+ 
++#define USB_MAX_STRING_WITH_NULL_LEN (USB_MAX_STRING_LEN+1)
++
+ static int usb_string_copy(const char *s, char **s_copy)
+ {
+ int ret;
+@@ -117,12 +119,16 @@ static int usb_string_copy(const char *s
+ if (ret > USB_MAX_STRING_LEN)
+ return -EOVERFLOW;
+ 
+- str = kstrdup(s, GFP_KERNEL);
+- if (!str)
+- return -ENOMEM;
++ if (copy) {
++ str = copy;
++ } else {
++ str = kmalloc(USB_MAX_STRING_WITH_NULL_LEN, GFP_KERNEL);
++ if (!str)
++ return -ENOMEM;
++ }
++ strcpy(str, s);
+ if (str[ret - 1] == '\n')
+ str[ret - 1] = '\0';
+- kfree(copy);
+ *s_copy = str;
+ return 0;
+ }
diff --git a/queue-4.9/usb-replace-hardcode-maximum-usb-string-length-by-definition.patch b/queue-4.9/usb-replace-hardcode-maximum-usb-string-length-by-definition.patch
new file mode 100644
index 00000000000..a57cb727871
--- /dev/null
+++ b/queue-4.9/usb-replace-hardcode-maximum-usb-string-length-by-definition.patch
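Review bot: The in-place `strcpy(str, s)` into a reused `copy` is only bounds-safe if every buffer that ever reaches `*s_copy` was allocated with `USB_MAX_STRING_WITH_NULL_LEN`; the new `kmalloc` branch guarantees that for buffers this function creates, but the hunk cannot show whether any other path stores a shorter `kstrdup` result into these fields, so that invariant should be confirmed against the callers and recorded next to the macro, e.g. `/* Every string buffer handed to usb_string_copy() is this size, so it may be overwritten in place */`. The earlier `ret > USB_MAX_STRING_LEN` check keeps `ret + 1 <= USB_MAX_STRING_WITH_NULL_LEN`, so the copy itself fits by construction. Dropping the `kfree(copy)` removes the dangling pointer, but a concurrent `usb_gadget_get_string` can presumably still read a half-written string while `strcpy` runs; that is no longer a memory-safety issue, and a short comment saying the buffer is deliberately never freed here would help the next reader. The start of usb_string_copy() (the `copy = *s_copy` and `strlen` lines) lies between the two inner hunks and is not shown.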
@@ -0,0 +1,80 @@
+From 81c7462883b0cc0a4eeef0687f80ad5b5baee5f6 Mon Sep 17 00:00:00 2001
+From: Macpaul Lin
+Date: Thu, 18 Jun 2020 17:13:38 +0800
+Subject: USB: replace hardcode maximum usb string length by definition
+
+From: Macpaul Lin
+
+commit 81c7462883b0cc0a4eeef0687f80ad5b5baee5f6 upstream.
+
+Replace hardcoded maximum USB string length (126 bytes) by definition
+"USB_MAX_STRING_LEN".
+
+Signed-off-by: Macpaul Lin
+Acked-by: Alan Stern
+Link: https://lore.kernel.org/r/1592471618-29428-1-git-send-email-macpaul.lin@mediatek.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/gadget/composite.c | 4 ++--
+ drivers/usb/gadget/configfs.c | 2 +-
+ drivers/usb/gadget/usbstring.c | 4 ++--
+ include/uapi/linux/usb/ch9.h | 3 +++
+ 4 files changed, 8 insertions(+), 5 deletions(-)
+
+--- a/drivers/usb/gadget/composite.c
++++ b/drivers/usb/gadget/composite.c
+@@ -1076,7 +1076,7 @@ static void collect_langs(struct usb_gad
+ while (*sp) {
+ s = *sp;
+ language = cpu_to_le16(s->language);
+- for (tmp = buf; *tmp && tmp < &buf[126]; tmp++) {
++ for (tmp = buf; *tmp && tmp < &buf[USB_MAX_STRING_LEN]; tmp++) {
+ if (*tmp == language)
+ goto repeat;
+ }
+@@ -1151,7 +1151,7 @@ static int get_string(struct usb_composi
+ collect_langs(sp, s->wData);
+ }
+ 
+- for (len = 0; len <= 126 && s->wData[len]; len++)
++ for (len = 0; len <= USB_MAX_STRING_LEN && s->wData[len]; len++)
+ continue;
+ if (!len)
+ return -EINVAL;
+--- a/drivers/usb/gadget/configfs.c
++++ b/drivers/usb/gadget/configfs.c
+@@ -114,7 +114,7 @@ static int usb_string_copy(const char *s
+ char *str;
+ char *copy = *s_copy;
+ ret = strlen(s);
+- if (ret > 126)
++ if (ret > USB_MAX_STRING_LEN)
+ return -EOVERFLOW;
+ 
+ str = kstrdup(s, GFP_KERNEL);
+--- a/drivers/usb/gadget/usbstring.c
++++ b/drivers/usb/gadget/usbstring.c
+@@ -59,9 +59,9 @@ usb_gadget_get_string (struct usb_gadget
+ return -EINVAL;
+ 
+ /* string descriptors have length, tag, then UTF16-LE text */
+- len = min ((size_t) 126, strlen (s->s));
+- len 
= min((size_t)USB_MAX_STRING_LEN, strlen(s->s));
+ len = utf8s_to_utf16s(s->s, len, UTF16_LITTLE_ENDIAN,
+- (wchar_t *) &buf[2], 126);
++ (wchar_t *) &buf[2], USB_MAX_STRING_LEN);
+ if (len < 0)
+ return -EINVAL;
+ buf [0] = (len + 1) * 2;
+--- a/include/uapi/linux/usb/ch9.h
++++ b/include/uapi/linux/usb/ch9.h
+@@ -358,6 +358,9 @@ struct usb_config_descriptor {
+ 
+ /*-------------------------------------------------------------------------*/
+ 
++/* USB String descriptors can contain at most 126 characters. */
++#define USB_MAX_STRING_LEN 126
++
+ /* USB_DT_STRING: String descriptor */
+ struct usb_string_descriptor {
+ __u8 bLength;
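Review bot: The comment added to ch9.h, `/* USB String descriptors can contain at most 126 characters. */`, states the wrong unit: `bLength` is a `__u8` and usbstring.c sets `buf [0] = (len + 1) * 2`, so 126 is the number of UTF-16 code units that fit (2 header bytes + 2 * 126 = 254), and a character outside the BMP consumes two of them. Suggest `/* At most 126 UTF-16 code units fit in a string descriptor: bLength is one byte, 2 + 2 * 126 = 254. */` so that readers of usbstring.c, which clamps the UTF-8 input by `strlen` before conversion, do not take it as a character count. Separately, as rendered here the usbstring.c replacement line `len = min((size_t)USB_MAX_STRING_LEN, strlen(s->s));` carries a `+-` marker, which would make it a second removal rather than the addition the `@@ -59,9 +59,9 @@` counts require; presumably a rendering artifact of this page, but worth confirming that the queued file applies cleanly.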