From: Greg Kroah-Hartman Date: Sun, 19 Nov 2017 11:50:14 +0000 (+0100) Subject: 4.14-stable patches X-Git-Tag: v3.18.83~13 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7e13d34d2c5559bbee3e5beb9b55350b57bbb1a9;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: crypto-brcm-explicity-ack-mailbox-message.patch crypto-dh-don-t-permit-key-or-g-size-longer-than-p.patch crypto-dh-don-t-permit-p-to-be-0.patch crypto-dh-fix-double-free-of-ctx-p.patch usb-add-delay-init-quirk-for-corsair-k70-lux-keyboards.patch usb-early-use-new-usb-product-id-and-strings-for-dbc-device.patch usb-gadget-f_fs-fix-use-after-free-in-ffs_free_inst.patch usb-serial-change-dbc-debug-device-binding-id.patch usb-serial-garmin_gps-fix-i-o-after-failed-probe-and-remove.patch usb-serial-garmin_gps-fix-memory-leak-on-probe-errors.patch usb-serial-metro-usb-stop-i-o-after-failed-open.patch usb-serial-qcserial-add-pid-vid-for-sierra-wireless-em7355-fw-update.patch usb-usbfs-compute-urb-actual_length-for-isochronous.patch --- diff --git a/queue-4.14/crypto-brcm-explicity-ack-mailbox-message.patch b/queue-4.14/crypto-brcm-explicity-ack-mailbox-message.patch new file mode 100644 index 00000000000..8717a069d07 --- /dev/null +++ b/queue-4.14/crypto-brcm-explicity-ack-mailbox-message.patch @@ -0,0 +1,189 @@ +From f0e2ce58f853634d7ad1a418a49bd5fbd556227c Mon Sep 17 00:00:00 2001 +From: raveendra padasalagi +Date: Tue, 29 Aug 2017 15:08:10 +0530 +Subject: crypto: brcm - Explicity ACK mailbox message + +From: raveendra padasalagi + +commit f0e2ce58f853634d7ad1a418a49bd5fbd556227c upstream. + +Add support to explicity ACK mailbox message +because after sending message we can know +the send status via error attribute of brcm_message. + +This is needed to support "txdone_ack" supported in +mailbox controller driver. + +Fixes: 9d12ba86f818 ("crypto: brcm - Add Broadcom SPU driver") +Signed-off-by: Raveendra Padasalagi +Reviewed-by: Anup Patel +Reviewed-by: Scott Branden +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/bcm/cipher.c | 101 ++++++++++++++++++++------------------------ + 1 file changed, 46 insertions(+), 55 deletions(-) + +--- a/drivers/crypto/bcm/cipher.c ++++ b/drivers/crypto/bcm/cipher.c +@@ -256,6 +256,44 @@ spu_ablkcipher_tx_sg_create(struct brcm_ + return 0; + } + ++static int mailbox_send_message(struct brcm_message *mssg, u32 flags, ++ u8 chan_idx) ++{ ++ int err; ++ int retry_cnt = 0; ++ struct device *dev = &(iproc_priv.pdev->dev); ++ ++ err = mbox_send_message(iproc_priv.mbox[chan_idx], mssg); ++ if (flags & CRYPTO_TFM_REQ_MAY_SLEEP) { ++ while ((err == -ENOBUFS) && (retry_cnt < SPU_MB_RETRY_MAX)) { ++ /* ++ * Mailbox queue is full. Since MAY_SLEEP is set, assume ++ * not in atomic context and we can wait and try again. ++ */ ++ retry_cnt++; ++ usleep_range(MBOX_SLEEP_MIN, MBOX_SLEEP_MAX); ++ err = mbox_send_message(iproc_priv.mbox[chan_idx], ++ mssg); ++ atomic_inc(&iproc_priv.mb_no_spc); ++ } ++ } ++ if (err < 0) { ++ atomic_inc(&iproc_priv.mb_send_fail); ++ return err; ++ } ++ ++ /* Check error returned by mailbox controller */ ++ err = mssg->error; ++ if (unlikely(err < 0)) { ++ dev_err(dev, "message error %d", err); ++ /* Signal txdone for mailbox channel */ ++ } ++ ++ /* Signal txdone for mailbox channel */ ++ mbox_client_txdone(iproc_priv.mbox[chan_idx], err); ++ return err; ++} ++ + /** + * handle_ablkcipher_req() - Submit as much of a block cipher request as fits in + * a single SPU request message, starting at the current position in the request +@@ -293,7 +331,6 @@ static int handle_ablkcipher_req(struct + u32 pad_len; /* total length of all padding */ + bool update_key = false; + struct brcm_message *mssg; /* mailbox message */ +- int retry_cnt = 0; + + /* number of entries in src and dst sg in mailbox message. */ + u8 rx_frag_num = 2; /* response header and STATUS */ +@@ -462,24 +499,9 @@ static int handle_ablkcipher_req(struct + if (err) + return err; + +- err = mbox_send_message(iproc_priv.mbox[rctx->chan_idx], mssg); +- if (req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP) { +- while ((err == -ENOBUFS) && (retry_cnt < SPU_MB_RETRY_MAX)) { +- /* +- * Mailbox queue is full. Since MAY_SLEEP is set, assume +- * not in atomic context and we can wait and try again. +- */ +- retry_cnt++; +- usleep_range(MBOX_SLEEP_MIN, MBOX_SLEEP_MAX); +- err = mbox_send_message(iproc_priv.mbox[rctx->chan_idx], +- mssg); +- atomic_inc(&iproc_priv.mb_no_spc); +- } +- } +- if (unlikely(err < 0)) { +- atomic_inc(&iproc_priv.mb_send_fail); ++ err = mailbox_send_message(mssg, req->base.flags, rctx->chan_idx); ++ if (unlikely(err < 0)) + return err; +- } + + return -EINPROGRESS; + } +@@ -710,7 +732,6 @@ static int handle_ahash_req(struct iproc + u32 spu_hdr_len; + unsigned int digestsize; + u16 rem = 0; +- int retry_cnt = 0; + + /* + * number of entries in src and dst sg. Always includes SPU msg header. +@@ -904,24 +925,10 @@ static int handle_ahash_req(struct iproc + if (err) + return err; + +- err = mbox_send_message(iproc_priv.mbox[rctx->chan_idx], mssg); +- if (req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP) { +- while ((err == -ENOBUFS) && (retry_cnt < SPU_MB_RETRY_MAX)) { +- /* +- * Mailbox queue is full. Since MAY_SLEEP is set, assume +- * not in atomic context and we can wait and try again. +- */ +- retry_cnt++; +- usleep_range(MBOX_SLEEP_MIN, MBOX_SLEEP_MAX); +- err = mbox_send_message(iproc_priv.mbox[rctx->chan_idx], +- mssg); +- atomic_inc(&iproc_priv.mb_no_spc); +- } +- } +- if (err < 0) { +- atomic_inc(&iproc_priv.mb_send_fail); ++ err = mailbox_send_message(mssg, req->base.flags, rctx->chan_idx); ++ if (unlikely(err < 0)) + return err; +- } ++ + return -EINPROGRESS; + } + +@@ -1320,7 +1327,6 @@ static int handle_aead_req(struct iproc_ + int assoc_nents = 0; + bool incl_icv = false; + unsigned int digestsize = ctx->digestsize; +- int retry_cnt = 0; + + /* number of entries in src and dst sg. Always includes SPU msg header. + */ +@@ -1558,24 +1564,9 @@ static int handle_aead_req(struct iproc_ + if (err) + return err; + +- err = mbox_send_message(iproc_priv.mbox[rctx->chan_idx], mssg); +- if (req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP) { +- while ((err == -ENOBUFS) && (retry_cnt < SPU_MB_RETRY_MAX)) { +- /* +- * Mailbox queue is full. Since MAY_SLEEP is set, assume +- * not in atomic context and we can wait and try again. +- */ +- retry_cnt++; +- usleep_range(MBOX_SLEEP_MIN, MBOX_SLEEP_MAX); +- err = mbox_send_message(iproc_priv.mbox[rctx->chan_idx], +- mssg); +- atomic_inc(&iproc_priv.mb_no_spc); +- } +- } +- if (err < 0) { +- atomic_inc(&iproc_priv.mb_send_fail); ++ err = mailbox_send_message(mssg, req->base.flags, rctx->chan_idx); ++ if (unlikely(err < 0)) + return err; +- } + + return -EINPROGRESS; + } +@@ -4537,7 +4528,7 @@ static int spu_mb_init(struct device *de + mcl->dev = dev; + mcl->tx_block = false; + mcl->tx_tout = 0; +- mcl->knows_txdone = false; ++ mcl->knows_txdone = true; + mcl->rx_callback = spu_rx_callback; + mcl->tx_done = NULL; + diff --git a/queue-4.14/crypto-dh-don-t-permit-key-or-g-size-longer-than-p.patch b/queue-4.14/crypto-dh-don-t-permit-key-or-g-size-longer-than-p.patch new file mode 100644 index 00000000000..70c3d41d0af --- /dev/null +++ b/queue-4.14/crypto-dh-don-t-permit-key-or-g-size-longer-than-p.patch @@ -0,0 +1,44 @@ +From ccd9888f14a8019c0bbdeeae758aba1f58693712 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Sun, 5 Nov 2017 18:30:46 -0800 +Subject: crypto: dh - Don't permit 'key' or 'g' size longer than 'p' + +From: Eric Biggers + +commit ccd9888f14a8019c0bbdeeae758aba1f58693712 upstream. + +The "qat-dh" DH implementation assumes that 'key' and 'g' can be copied +into a buffer with size 'p_size'. However it was never checked that +that was actually the case, which most likely allowed users to cause a +buffer underflow via KEYCTL_DH_COMPUTE. + +Fix this by updating crypto_dh_decode_key() to verify this precondition +for all DH implementations. + +Fixes: c9839143ebbf ("crypto: qat - Add DH support") +Signed-off-by: Eric Biggers +Reviewed-by: Tudor Ambarus +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/dh_helper.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/crypto/dh_helper.c ++++ b/crypto/dh_helper.c +@@ -83,6 +83,14 @@ int crypto_dh_decode_key(const char *buf + if (secret.len != crypto_dh_key_len(params)) + return -EINVAL; + ++ /* ++ * Don't permit the buffer for 'key' or 'g' to be larger than 'p', since ++ * some drivers assume otherwise. ++ */ ++ if (params->key_size > params->p_size || ++ params->g_size > params->p_size) ++ return -EINVAL; ++ + /* Don't allocate memory. Set pointers to data within + * the given buffer + */ diff --git a/queue-4.14/crypto-dh-don-t-permit-p-to-be-0.patch b/queue-4.14/crypto-dh-don-t-permit-p-to-be-0.patch new file mode 100644 index 00000000000..5492d2c8ea0 --- /dev/null +++ b/queue-4.14/crypto-dh-don-t-permit-p-to-be-0.patch @@ -0,0 +1,81 @@ +From 199512b1234f09e44d592153ec82b44212b2f0c4 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Sun, 5 Nov 2017 18:30:45 -0800 +Subject: crypto: dh - Don't permit 'p' to be 0 + +From: Eric Biggers + +commit 199512b1234f09e44d592153ec82b44212b2f0c4 upstream. + +If 'p' is 0 for the software Diffie-Hellman implementation, then +dh_max_size() returns 0. In the case of KEYCTL_DH_COMPUTE, this causes +ZERO_SIZE_PTR to be passed to sg_init_one(), which with +CONFIG_DEBUG_SG=y triggers the 'BUG_ON(!virt_addr_valid(buf));' in +sg_set_buf(). + +Fix this by making crypto_dh_decode_key() reject 0 for 'p'. p=0 makes +no sense for any DH implementation because 'p' is supposed to be a prime +number. Moreover, 'mod 0' is not mathematically defined. + +Bug report: + + kernel BUG at ./include/linux/scatterlist.h:140! + invalid opcode: 0000 [#1] SMP KASAN + CPU: 0 PID: 27112 Comm: syz-executor2 Not tainted 4.14.0-rc7-00010-gf5dbb5d0ce32-dirty #7 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.3-20171021_125229-anatol 04/01/2014 + task: ffff88006caac0c0 task.stack: ffff88006c7c8000 + RIP: 0010:sg_set_buf include/linux/scatterlist.h:140 [inline] + RIP: 0010:sg_init_one+0x1b3/0x240 lib/scatterlist.c:156 + RSP: 0018:ffff88006c7cfb08 EFLAGS: 00010216 + RAX: 0000000000010000 RBX: ffff88006c7cfe30 RCX: 00000000000064ee + RDX: ffffffff81cf64c3 RSI: ffffc90000d72000 RDI: ffffffff92e937e0 + RBP: ffff88006c7cfb30 R08: ffffed000d8f9fab R09: ffff88006c7cfd30 + R10: 0000000000000005 R11: ffffed000d8f9faa R12: ffff88006c7cfd30 + R13: 0000000000000000 R14: 0000000000000010 R15: ffff88006c7cfc50 + FS: 00007fce190fa700(0000) GS:ffff88003ea00000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 00007fffc6b33db8 CR3: 000000003cf64000 CR4: 00000000000006f0 + Call Trace: + __keyctl_dh_compute+0xa95/0x19b0 security/keys/dh.c:360 + keyctl_dh_compute+0xac/0x100 security/keys/dh.c:434 + SYSC_keyctl security/keys/keyctl.c:1745 [inline] + SyS_keyctl+0x72/0x2c0 security/keys/keyctl.c:1641 + entry_SYSCALL_64_fastpath+0x1f/0xbe + RIP: 0033:0x4585c9 + RSP: 002b:00007fce190f9bd8 EFLAGS: 00000216 ORIG_RAX: 00000000000000fa + RAX: ffffffffffffffda RBX: 0000000000738020 RCX: 00000000004585c9 + RDX: 000000002000d000 RSI: 0000000020000ff4 RDI: 0000000000000017 + RBP: 0000000000000046 R08: 0000000020008000 R09: 0000000000000000 + R10: 0000000000000000 R11: 0000000000000216 R12: 00007fff6e610cde + R13: 00007fff6e610cdf R14: 00007fce190fa700 R15: 0000000000000000 + Code: 03 0f b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 33 5b 45 89 6c 24 14 41 5c 41 5d 41 5e 41 5f 5d c3 e8 fd 8f 68 ff <0f> 0b e8 f6 8f 68 ff 0f 0b e8 ef 8f 68 ff 0f 0b e8 e8 8f 68 ff 20 + RIP: sg_set_buf include/linux/scatterlist.h:140 [inline] RSP: ffff88006c7cfb08 + RIP: sg_init_one+0x1b3/0x240 lib/scatterlist.c:156 RSP: ffff88006c7cfb08 + +Fixes: 802c7f1c84e4 ("crypto: dh - Add DH software implementation") +Reviewed-by: Tudor Ambarus +Signed-off-by: Eric Biggers +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/dh_helper.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/crypto/dh_helper.c ++++ b/crypto/dh_helper.c +@@ -90,6 +90,14 @@ int crypto_dh_decode_key(const char *buf + params->p = (void *)(ptr + params->key_size); + params->g = (void *)(ptr + params->key_size + params->p_size); + ++ /* ++ * Don't permit 'p' to be 0. It's not a prime number, and it's subject ++ * to corner cases such as 'mod 0' being undefined or ++ * crypto_kpp_maxsize() returning 0. ++ */ ++ if (memchr_inv(params->p, 0, params->p_size) == NULL) ++ return -EINVAL; ++ + return 0; + } + EXPORT_SYMBOL_GPL(crypto_dh_decode_key); diff --git a/queue-4.14/crypto-dh-fix-double-free-of-ctx-p.patch b/queue-4.14/crypto-dh-fix-double-free-of-ctx-p.patch new file mode 100644 index 00000000000..fe8cfc8a72d --- /dev/null +++ b/queue-4.14/crypto-dh-fix-double-free-of-ctx-p.patch @@ -0,0 +1,171 @@ +From 12d41a023efb01b846457ccdbbcbe2b65a87d530 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Sun, 5 Nov 2017 18:30:44 -0800 +Subject: crypto: dh - Fix double free of ctx->p + +From: Eric Biggers + +commit 12d41a023efb01b846457ccdbbcbe2b65a87d530 upstream. + +When setting the secret with the software Diffie-Hellman implementation, +if allocating 'g' failed (e.g. if it was longer than +MAX_EXTERN_MPI_BITS), then 'p' was freed twice: once immediately, and +once later when the crypto_kpp tfm was destroyed. + +Fix it by using dh_free_ctx() (renamed to dh_clear_ctx()) in the error +paths, as that correctly sets the pointers to NULL. + +KASAN report: + + MPI: mpi too large (32760 bits) + ================================================================== + BUG: KASAN: use-after-free in mpi_free+0x131/0x170 + Read of size 4 at addr ffff88006c7cdf90 by task reproduce_doubl/367 + + CPU: 1 PID: 367 Comm: reproduce_doubl Not tainted 4.14.0-rc7-00040-g05298abde6fe #7 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 + Call Trace: + dump_stack+0xb3/0x10b + ? mpi_free+0x131/0x170 + print_address_description+0x79/0x2a0 + ? mpi_free+0x131/0x170 + kasan_report+0x236/0x340 + ? akcipher_register_instance+0x90/0x90 + __asan_report_load4_noabort+0x14/0x20 + mpi_free+0x131/0x170 + ? akcipher_register_instance+0x90/0x90 + dh_exit_tfm+0x3d/0x140 + crypto_kpp_exit_tfm+0x52/0x70 + crypto_destroy_tfm+0xb3/0x250 + __keyctl_dh_compute+0x640/0xe90 + ? kasan_slab_free+0x12f/0x180 + ? dh_data_from_key+0x240/0x240 + ? key_create_or_update+0x1ee/0xb20 + ? key_instantiate_and_link+0x440/0x440 + ? lock_contended+0xee0/0xee0 + ? kfree+0xcf/0x210 + ? SyS_add_key+0x268/0x340 + keyctl_dh_compute+0xb3/0xf1 + ? __keyctl_dh_compute+0xe90/0xe90 + ? SyS_add_key+0x26d/0x340 + ? entry_SYSCALL_64_fastpath+0x5/0xbe + ? trace_hardirqs_on_caller+0x3f4/0x560 + SyS_keyctl+0x72/0x2c0 + entry_SYSCALL_64_fastpath+0x1f/0xbe + RIP: 0033:0x43ccf9 + RSP: 002b:00007ffeeec96158 EFLAGS: 00000246 ORIG_RAX: 00000000000000fa + RAX: ffffffffffffffda RBX: 000000000248b9b9 RCX: 000000000043ccf9 + RDX: 00007ffeeec96170 RSI: 00007ffeeec96160 RDI: 0000000000000017 + RBP: 0000000000000046 R08: 0000000000000000 R09: 0248b9b9143dc936 + R10: 0000000000001000 R11: 0000000000000246 R12: 0000000000000000 + R13: 0000000000409670 R14: 0000000000409700 R15: 0000000000000000 + + Allocated by task 367: + save_stack_trace+0x16/0x20 + kasan_kmalloc+0xeb/0x180 + kmem_cache_alloc_trace+0x114/0x300 + mpi_alloc+0x4b/0x230 + mpi_read_raw_data+0xbe/0x360 + dh_set_secret+0x1dc/0x460 + __keyctl_dh_compute+0x623/0xe90 + keyctl_dh_compute+0xb3/0xf1 + SyS_keyctl+0x72/0x2c0 + entry_SYSCALL_64_fastpath+0x1f/0xbe + + Freed by task 367: + save_stack_trace+0x16/0x20 + kasan_slab_free+0xab/0x180 + kfree+0xb5/0x210 + mpi_free+0xcb/0x170 + dh_set_secret+0x2d7/0x460 + __keyctl_dh_compute+0x623/0xe90 + keyctl_dh_compute+0xb3/0xf1 + SyS_keyctl+0x72/0x2c0 + entry_SYSCALL_64_fastpath+0x1f/0xbe + +Fixes: 802c7f1c84e4 ("crypto: dh - Add DH software implementation") +Signed-off-by: Eric Biggers +Reviewed-by: Tudor Ambarus +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/dh.c | 33 +++++++++++++-------------------- + 1 file changed, 13 insertions(+), 20 deletions(-) + +--- a/crypto/dh.c ++++ b/crypto/dh.c +@@ -21,19 +21,12 @@ struct dh_ctx { + MPI xa; + }; + +-static inline void dh_clear_params(struct dh_ctx *ctx) ++static void dh_clear_ctx(struct dh_ctx *ctx) + { + mpi_free(ctx->p); + mpi_free(ctx->g); +- ctx->p = NULL; +- ctx->g = NULL; +-} +- +-static void dh_free_ctx(struct dh_ctx *ctx) +-{ +- dh_clear_params(ctx); + mpi_free(ctx->xa); +- ctx->xa = NULL; ++ memset(ctx, 0, sizeof(*ctx)); + } + + /* +@@ -71,10 +64,8 @@ static int dh_set_params(struct dh_ctx * + return -EINVAL; + + ctx->g = mpi_read_raw_data(params->g, params->g_size); +- if (!ctx->g) { +- mpi_free(ctx->p); ++ if (!ctx->g) + return -EINVAL; +- } + + return 0; + } +@@ -86,21 +77,23 @@ static int dh_set_secret(struct crypto_k + struct dh params; + + /* Free the old MPI key if any */ +- dh_free_ctx(ctx); ++ dh_clear_ctx(ctx); + + if (crypto_dh_decode_key(buf, len, ¶ms) < 0) +- return -EINVAL; ++ goto err_clear_ctx; + + if (dh_set_params(ctx, ¶ms) < 0) +- return -EINVAL; ++ goto err_clear_ctx; + + ctx->xa = mpi_read_raw_data(params.key, params.key_size); +- if (!ctx->xa) { +- dh_clear_params(ctx); +- return -EINVAL; +- } ++ if (!ctx->xa) ++ goto err_clear_ctx; + + return 0; ++ ++err_clear_ctx: ++ dh_clear_ctx(ctx); ++ return -EINVAL; + } + + static int dh_compute_value(struct kpp_request *req) +@@ -158,7 +151,7 @@ static void dh_exit_tfm(struct crypto_kp + { + struct dh_ctx *ctx = dh_get_ctx(tfm); + +- dh_free_ctx(ctx); ++ dh_clear_ctx(ctx); + } + + static struct kpp_alg dh = { diff --git a/queue-4.14/series b/queue-4.14/series index 9fc02184b5b..e952e96b80c 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -2,3 +2,16 @@ edac-sb_edac-don-t-create-a-second-memory-controller-if-ha1-is-not-present.patch dmaengine-dmatest-warn-user-when-dma-test-times-out.patch media-imon-fix-null-ptr-deref-in-imon_probe.patch media-dib0700-fix-invalid-dvb_detach-argument.patch +crypto-dh-fix-double-free-of-ctx-p.patch +crypto-dh-don-t-permit-p-to-be-0.patch +crypto-dh-don-t-permit-key-or-g-size-longer-than-p.patch +crypto-brcm-explicity-ack-mailbox-message.patch +usb-early-use-new-usb-product-id-and-strings-for-dbc-device.patch +usb-usbfs-compute-urb-actual_length-for-isochronous.patch +usb-add-delay-init-quirk-for-corsair-k70-lux-keyboards.patch +usb-gadget-f_fs-fix-use-after-free-in-ffs_free_inst.patch +usb-serial-metro-usb-stop-i-o-after-failed-open.patch +usb-serial-change-dbc-debug-device-binding-id.patch +usb-serial-qcserial-add-pid-vid-for-sierra-wireless-em7355-fw-update.patch +usb-serial-garmin_gps-fix-i-o-after-failed-probe-and-remove.patch +usb-serial-garmin_gps-fix-memory-leak-on-probe-errors.patch diff --git a/queue-4.14/usb-add-delay-init-quirk-for-corsair-k70-lux-keyboards.patch b/queue-4.14/usb-add-delay-init-quirk-for-corsair-k70-lux-keyboards.patch new file mode 100644 index 00000000000..64ea49fd8a1 --- /dev/null +++ b/queue-4.14/usb-add-delay-init-quirk-for-corsair-k70-lux-keyboards.patch @@ -0,0 +1,33 @@ +From a0fea6027f19c62727315aba1a7fae75a9caa842 Mon Sep 17 00:00:00 2001 +From: Bernhard Rosenkraenzer +Date: Fri, 3 Nov 2017 16:46:02 +0100 +Subject: USB: Add delay-init quirk for Corsair K70 LUX keyboards + +From: Bernhard Rosenkraenzer + +commit a0fea6027f19c62727315aba1a7fae75a9caa842 upstream. + +Without this patch, K70 LUX keyboards don't work, saying +usb 3-3: unable to read config index 0 descriptor/all +usb 3-3: can't read configurations, error -110 +usb usb3-port3: unable to enumerate USB device + +Signed-off-by: Bernhard Rosenkraenzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/quirks.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/usb/core/quirks.c ++++ b/drivers/usb/core/quirks.c +@@ -221,6 +221,9 @@ static const struct usb_device_id usb_qu + /* Corsair Strafe RGB */ + { USB_DEVICE(0x1b1c, 0x1b20), .driver_info = USB_QUIRK_DELAY_INIT }, + ++ /* Corsair K70 LUX */ ++ { USB_DEVICE(0x1b1c, 0x1b36), .driver_info = USB_QUIRK_DELAY_INIT }, ++ + /* MIDI keyboard WORLDE MINI */ + { USB_DEVICE(0x1c75, 0x0204), .driver_info = + USB_QUIRK_CONFIG_INTF_STRINGS }, diff --git a/queue-4.14/usb-early-use-new-usb-product-id-and-strings-for-dbc-device.patch b/queue-4.14/usb-early-use-new-usb-product-id-and-strings-for-dbc-device.patch new file mode 100644 index 00000000000..ac77835aa84 --- /dev/null +++ b/queue-4.14/usb-early-use-new-usb-product-id-and-strings-for-dbc-device.patch @@ -0,0 +1,50 @@ +From c67678ec78eff9cf1e7e997fe6c37c9fcccfc5b8 Mon Sep 17 00:00:00 2001 +From: Lu Baolu +Date: Tue, 7 Nov 2017 10:28:15 +0800 +Subject: USB: early: Use new USB product ID and strings for DbC device + +From: Lu Baolu + +commit c67678ec78eff9cf1e7e997fe6c37c9fcccfc5b8 upstream. + +The DbC register set defines an interface for system software +to specify the vendor id and product id for the debug device. +These two values will be presented by the debug device in its +device descriptor idVendor and idProduct fields. + +The current used product ID is a place holder. We now have a +valid one. The description strings are changed accordingly. + +This patch should be back-ported to kernels as old as v4.12, +that contain the commit aeb9dd1de98c ("usb/early: Add driver +for xhci debug capability"). + +Signed-off-by: Lu Baolu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/early/xhci-dbc.h | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/usb/early/xhci-dbc.h ++++ b/drivers/usb/early/xhci-dbc.h +@@ -90,8 +90,8 @@ struct xdbc_context { + + #define XDBC_INFO_CONTEXT_SIZE 48 + #define XDBC_MAX_STRING_LENGTH 64 +-#define XDBC_STRING_MANUFACTURER "Linux" +-#define XDBC_STRING_PRODUCT "Remote GDB" ++#define XDBC_STRING_MANUFACTURER "Linux Foundation" ++#define XDBC_STRING_PRODUCT "Linux USB GDB Target" + #define XDBC_STRING_SERIAL "0001" + + struct xdbc_strings { +@@ -103,7 +103,7 @@ struct xdbc_strings { + + #define XDBC_PROTOCOL 1 /* GNU Remote Debug Command Set */ + #define XDBC_VENDOR_ID 0x1d6b /* Linux Foundation 0x1d6b */ +-#define XDBC_PRODUCT_ID 0x0004 /* __le16 idProduct; device 0004 */ ++#define XDBC_PRODUCT_ID 0x0011 /* __le16 idProduct; device 0011 */ + #define XDBC_DEVICE_REV 0x0010 /* 0.10 */ + + /* diff --git a/queue-4.14/usb-gadget-f_fs-fix-use-after-free-in-ffs_free_inst.patch b/queue-4.14/usb-gadget-f_fs-fix-use-after-free-in-ffs_free_inst.patch new file mode 100644 index 00000000000..6a05ff222b1 --- /dev/null +++ b/queue-4.14/usb-gadget-f_fs-fix-use-after-free-in-ffs_free_inst.patch @@ -0,0 +1,47 @@ +From cdafb6d8b8da7fde266f79b3287ac221aa841879 Mon Sep 17 00:00:00 2001 +From: Andrew Gabbasov +Date: Wed, 8 Nov 2017 10:13:15 -0700 +Subject: usb: gadget: f_fs: Fix use-after-free in ffs_free_inst + +From: Andrew Gabbasov + +commit cdafb6d8b8da7fde266f79b3287ac221aa841879 upstream. + +KASAN enabled configuration reports an error + +BUG: KASAN: use-after-free in ffs_free_inst+... [usb_f_fs] at addr ... +Write of size 8 by task ... + +This is observed after "ffs-test" is run and interrupted. If after that +functionfs is unmounted and g_ffs module is unloaded, that use-after-free +occurs during g_ffs module removal. + +Although the report indicates ffs_free_inst() function, the actual +use-after-free condition occurs in _ffs_free_dev() function, which +is probably inlined into ffs_free_inst(). + +This happens due to keeping the ffs_data reference in device structure +during functionfs unmounting, while ffs_data itself is freed as no longer +needed. The fix is to clear that reference in ffs_closed() function, +which is a counterpart of ffs_ready(), where the reference is stored. + +Fixes: 3262ad824307 ("usb: gadget: f_fs: Stop ffs_closed NULL pointer dereference") +Signed-off-by: Andrew Gabbasov +Acked-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/function/f_fs.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/gadget/function/f_fs.c ++++ b/drivers/usb/gadget/function/f_fs.c +@@ -3677,6 +3677,7 @@ static void ffs_closed(struct ffs_data * + goto done; + + ffs_obj->desc_ready = false; ++ ffs_obj->ffs_data = NULL; + + if (test_and_clear_bit(FFS_FL_CALL_CLOSED_CALLBACK, &ffs->flags) && + ffs_obj->ffs_closed_callback) diff --git a/queue-4.14/usb-serial-change-dbc-debug-device-binding-id.patch b/queue-4.14/usb-serial-change-dbc-debug-device-binding-id.patch new file mode 100644 index 00000000000..aa9d377a9c8 --- /dev/null +++ b/queue-4.14/usb-serial-change-dbc-debug-device-binding-id.patch @@ -0,0 +1,42 @@ +From 12f28144cf2cf69e1520e238eee7c384719ca44b Mon Sep 17 00:00:00 2001 +From: Lu Baolu +Date: Tue, 7 Nov 2017 10:28:16 +0800 +Subject: USB: serial: Change DbC debug device binding ID + +From: Lu Baolu + +commit 12f28144cf2cf69e1520e238eee7c384719ca44b upstream. + +The product ID for "Linux USB GDB Target device" has been +changed. Change the driver binding table accordingly. + +This patch should be back-ported to kernels as old as v4.12, +that contain the commit 57fb47279a04 ("usb/serial: Add DBC +debug device support to usb_debug"). + +Cc: Johan Hovold +Signed-off-by: Lu Baolu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/usb_debug.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/usb/serial/usb_debug.c ++++ b/drivers/usb/serial/usb_debug.c +@@ -34,13 +34,13 @@ static const struct usb_device_id id_tab + }; + + static const struct usb_device_id dbc_id_table[] = { +- { USB_DEVICE(0x1d6b, 0x0004) }, ++ { USB_DEVICE(0x1d6b, 0x0011) }, + { }, + }; + + static const struct usb_device_id id_table_combined[] = { + { USB_DEVICE(0x0525, 0x127a) }, +- { USB_DEVICE(0x1d6b, 0x0004) }, ++ { USB_DEVICE(0x1d6b, 0x0011) }, + { }, + }; + MODULE_DEVICE_TABLE(usb, id_table_combined); diff --git a/queue-4.14/usb-serial-garmin_gps-fix-i-o-after-failed-probe-and-remove.patch b/queue-4.14/usb-serial-garmin_gps-fix-i-o-after-failed-probe-and-remove.patch new file mode 100644 index 00000000000..246245740fa --- /dev/null +++ b/queue-4.14/usb-serial-garmin_gps-fix-i-o-after-failed-probe-and-remove.patch @@ -0,0 +1,105 @@ +From 19a565d9af6e0d828bd0d521d3bafd5017f4ce52 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 11 Oct 2017 14:02:57 +0200 +Subject: USB: serial: garmin_gps: fix I/O after failed probe and remove + +From: Johan Hovold + +commit 19a565d9af6e0d828bd0d521d3bafd5017f4ce52 upstream. + +Make sure to stop any submitted interrupt and bulk-out URBs before +returning after failed probe and when the port is being unbound to avoid +later NULL-pointer dereferences in the completion callbacks. + +Also fix up the related and broken I/O cancellation on failed open and +on close. (Note that port->write_urb was never submitted.) + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/garmin_gps.c | 16 +++++++++++++--- + 1 file changed, 13 insertions(+), 3 deletions(-) + +--- a/drivers/usb/serial/garmin_gps.c ++++ b/drivers/usb/serial/garmin_gps.c +@@ -138,6 +138,7 @@ struct garmin_data { + __u8 privpkt[4*6]; + spinlock_t lock; + struct list_head pktlist; ++ struct usb_anchor write_urbs; + }; + + +@@ -905,7 +906,7 @@ static int garmin_init_session(struct us + sizeof(GARMIN_START_SESSION_REQ), 0); + + if (status < 0) +- break; ++ goto err_kill_urbs; + } + + if (status > 0) +@@ -913,6 +914,12 @@ static int garmin_init_session(struct us + } + + return status; ++ ++err_kill_urbs: ++ usb_kill_anchored_urbs(&garmin_data_p->write_urbs); ++ usb_kill_urb(port->interrupt_in_urb); ++ ++ return status; + } + + +@@ -930,7 +937,6 @@ static int garmin_open(struct tty_struct + spin_unlock_irqrestore(&garmin_data_p->lock, flags); + + /* shutdown any bulk reads that might be going on */ +- usb_kill_urb(port->write_urb); + usb_kill_urb(port->read_urb); + + if (garmin_data_p->state == STATE_RESET) +@@ -953,7 +959,7 @@ static void garmin_close(struct usb_seri + + /* shutdown our urbs */ + usb_kill_urb(port->read_urb); +- usb_kill_urb(port->write_urb); ++ usb_kill_anchored_urbs(&garmin_data_p->write_urbs); + + /* keep reset state so we know that we must start a new session */ + if (garmin_data_p->state != STATE_RESET) +@@ -1037,12 +1043,14 @@ static int garmin_write_bulk(struct usb_ + } + + /* send it down the pipe */ ++ usb_anchor_urb(urb, &garmin_data_p->write_urbs); + status = usb_submit_urb(urb, GFP_ATOMIC); + if (status) { + dev_err(&port->dev, + "%s - usb_submit_urb(write bulk) failed with status = %d\n", + __func__, status); + count = status; ++ usb_unanchor_urb(urb); + kfree(buffer); + } + +@@ -1401,6 +1409,7 @@ static int garmin_port_probe(struct usb_ + garmin_data_p->state = 0; + garmin_data_p->flags = 0; + garmin_data_p->count = 0; ++ init_usb_anchor(&garmin_data_p->write_urbs); + usb_set_serial_port_data(port, garmin_data_p); + + status = garmin_init_session(port); +@@ -1413,6 +1422,7 @@ static int garmin_port_remove(struct usb + { + struct garmin_data *garmin_data_p = usb_get_serial_port_data(port); + ++ usb_kill_anchored_urbs(&garmin_data_p->write_urbs); + usb_kill_urb(port->interrupt_in_urb); + del_timer_sync(&garmin_data_p->timer); + kfree(garmin_data_p); diff --git a/queue-4.14/usb-serial-garmin_gps-fix-memory-leak-on-probe-errors.patch b/queue-4.14/usb-serial-garmin_gps-fix-memory-leak-on-probe-errors.patch new file mode 100644 index 00000000000..bbc56e0bf12 --- /dev/null +++ b/queue-4.14/usb-serial-garmin_gps-fix-memory-leak-on-probe-errors.patch @@ -0,0 +1,36 @@ +From 74d471b598444b7f2d964930f7234779c80960a0 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 11 Oct 2017 14:02:58 +0200 +Subject: USB: serial: garmin_gps: fix memory leak on probe errors + +From: Johan Hovold + +commit 74d471b598444b7f2d964930f7234779c80960a0 upstream. + +Make sure to free the port private data before returning after a failed +probe attempt. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/garmin_gps.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/usb/serial/garmin_gps.c ++++ b/drivers/usb/serial/garmin_gps.c +@@ -1413,6 +1413,12 @@ static int garmin_port_probe(struct usb_ + usb_set_serial_port_data(port, garmin_data_p); + + status = garmin_init_session(port); ++ if (status) ++ goto err_free; ++ ++ return 0; ++err_free: ++ kfree(garmin_data_p); + + return status; + } diff --git a/queue-4.14/usb-serial-metro-usb-stop-i-o-after-failed-open.patch b/queue-4.14/usb-serial-metro-usb-stop-i-o-after-failed-open.patch new file mode 100644 index 00000000000..641d08c9620 --- /dev/null +++ b/queue-4.14/usb-serial-metro-usb-stop-i-o-after-failed-open.patch @@ -0,0 +1,51 @@ +From 2339536d229df25c71c0900fc619289229bfecf6 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 12 Oct 2017 10:54:21 +0200 +Subject: USB: serial: metro-usb: stop I/O after failed open + +From: Johan Hovold + +commit 2339536d229df25c71c0900fc619289229bfecf6 upstream. + +Make sure to kill the interrupt-in URB after a failed open request. +Apart from saving power (and avoiding stale input after a later +successful open), this also prevents a NULL-deref in the completion +handler if the port is manually unbound. + +Reviewed-by: Greg Kroah-Hartman +Fixes: 704577861d5e ("USB: serial: metro-usb: get data from device in Uni-Directional mode.") +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/metro-usb.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +--- a/drivers/usb/serial/metro-usb.c ++++ b/drivers/usb/serial/metro-usb.c +@@ -189,7 +189,7 @@ static int metrousb_open(struct tty_stru + dev_err(&port->dev, + "%s - failed submitting interrupt in urb, error code=%d\n", + __func__, result); +- goto exit; ++ return result; + } + + /* Send activate cmd to device */ +@@ -198,9 +198,14 @@ static int metrousb_open(struct tty_stru + dev_err(&port->dev, + "%s - failed to configure device, error code=%d\n", + __func__, result); +- goto exit; ++ goto err_kill_urb; + } +-exit: ++ ++ return 0; ++ ++err_kill_urb: ++ usb_kill_urb(port->interrupt_in_urb); ++ + return result; + } + diff --git a/queue-4.14/usb-serial-qcserial-add-pid-vid-for-sierra-wireless-em7355-fw-update.patch b/queue-4.14/usb-serial-qcserial-add-pid-vid-for-sierra-wireless-em7355-fw-update.patch new file mode 100644 index 00000000000..7c49d52be99 --- /dev/null +++ b/queue-4.14/usb-serial-qcserial-add-pid-vid-for-sierra-wireless-em7355-fw-update.patch @@ -0,0 +1,30 @@ +From 771394a54148f18926ca86414e51c69eda27d0cd Mon Sep 17 00:00:00 2001 +From: Douglas Fischer +Date: Sun, 29 Oct 2017 23:29:55 +0000 +Subject: USB: serial: qcserial: add pid/vid for Sierra Wireless EM7355 fw update + +From: Douglas Fischer + +commit 771394a54148f18926ca86414e51c69eda27d0cd upstream. + +Add USB PID/VID for Sierra Wireless EM7355 LTE modem QDL firmware update +mode. + +Signed-off-by: Douglas Fischer +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/qcserial.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/serial/qcserial.c ++++ b/drivers/usb/serial/qcserial.c +@@ -148,6 +148,7 @@ static const struct usb_device_id id_tab + {DEVICE_SWI(0x1199, 0x68a2)}, /* Sierra Wireless MC7710 */ + {DEVICE_SWI(0x1199, 0x68c0)}, /* Sierra Wireless MC7304/MC7354 */ + {DEVICE_SWI(0x1199, 0x901c)}, /* Sierra Wireless EM7700 */ ++ {DEVICE_SWI(0x1199, 0x901e)}, /* Sierra Wireless EM7355 QDL */ + {DEVICE_SWI(0x1199, 0x901f)}, /* Sierra Wireless EM7355 */ + {DEVICE_SWI(0x1199, 0x9040)}, /* Sierra Wireless Modem */ + {DEVICE_SWI(0x1199, 0x9041)}, /* Sierra Wireless MC7305/MC7355 */ diff --git a/queue-4.14/usb-usbfs-compute-urb-actual_length-for-isochronous.patch b/queue-4.14/usb-usbfs-compute-urb-actual_length-for-isochronous.patch new file mode 100644 index 00000000000..a8ffd74baa8 --- /dev/null +++ b/queue-4.14/usb-usbfs-compute-urb-actual_length-for-isochronous.patch @@ -0,0 +1,69 @@ +From 2ef47001b3ee3ded579b7532ebdcf8680e4d8c54 Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Wed, 8 Nov 2017 12:23:17 -0500 +Subject: USB: usbfs: compute urb->actual_length for isochronous + +From: Alan Stern + +commit 2ef47001b3ee3ded579b7532ebdcf8680e4d8c54 upstream. + +The USB kerneldoc says that the actual_length field "is read in +non-iso completion functions", but the usbfs driver uses it for all +URB types in processcompl(). Since not all of the host controller +drivers set actual_length for isochronous URBs, programs using usbfs +with some host controllers don't work properly. For example, Minas +reports that a USB camera controlled by libusb doesn't work properly +with a dwc2 controller. + +It doesn't seem worthwhile to change the HCDs and the documentation, +since the in-kernel USB class drivers evidently don't rely on +actual_length for isochronous transfers. The easiest solution is for +usbfs to calculate the actual_length value for itself, by adding up +the lengths of the individual packets in an isochronous transfer. + +Signed-off-by: Alan Stern +CC: Minas Harutyunyan +Reported-and-tested-by: wlf +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/devio.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +--- a/drivers/usb/core/devio.c ++++ b/drivers/usb/core/devio.c +@@ -1833,6 +1833,18 @@ static int proc_unlinkurb(struct usb_dev + return 0; + } + ++static void compute_isochronous_actual_length(struct urb *urb) ++{ ++ unsigned int i; ++ ++ if (urb->number_of_packets > 0) { ++ urb->actual_length = 0; ++ for (i = 0; i < urb->number_of_packets; i++) ++ urb->actual_length += ++ urb->iso_frame_desc[i].actual_length; ++ } ++} ++ + static int processcompl(struct async *as, void __user * __user *arg) + { + struct urb *urb = as->urb; +@@ -1840,6 +1852,7 @@ static int processcompl(struct async *as + void __user *addr = as->userurb; + unsigned int i; + ++ compute_isochronous_actual_length(urb); + if (as->userbuffer && urb->actual_length) { + if (copy_urb_data_to_user(as->userbuffer, urb)) + goto err_out; +@@ -2008,6 +2021,7 @@ static int processcompl_compat(struct as + void __user *addr = as->userurb; + unsigned int i; + ++ compute_isochronous_actual_length(urb); + if (as->userbuffer && urb->actual_length) { + if (copy_urb_data_to_user(as->userbuffer, urb)) + return -EFAULT;