From: Greg Kroah-Hartman Date: Wed, 31 Jul 2019 16:08:56 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v5.2.6~26 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=819dd3914a5fbbdddb6916eae09ec51c934829b5;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: isdn-hfcsusb-checking-idx-of-ep-configuration.patch media-cpia2_usb-first-wake-up-then-free-in-disconnect.patch media-radio-raremono-change-devm_k-alloc-to-k-alloc.patch
---
diff --git a/queue-4.4/isdn-hfcsusb-checking-idx-of-ep-configuration.patch b/queue-4.4/isdn-hfcsusb-checking-idx-of-ep-configuration.patch
new file mode 100644
index 00000000000..f6624d5d4a0
--- /dev/null
+++ b/queue-4.4/isdn-hfcsusb-checking-idx-of-ep-configuration.patch
@@ -0,0 +1,45 @@
+From f384e62a82ba5d85408405fdd6aeff89354deaa9 Mon Sep 17 00:00:00 2001
+From: Phong Tran
+Date: Mon, 15 Jul 2019 22:08:14 +0700
+Subject: ISDN: hfcsusb: checking idx of ep configuration
+
+From: Phong Tran
+
+commit f384e62a82ba5d85408405fdd6aeff89354deaa9 upstream.
+
+The syzbot test with random endpoint address which made the idx is
+overflow in the table of endpoint configuations.
+
+this adds the checking for fixing the error report from
+syzbot
+
+KASAN: stack-out-of-bounds Read in hfcsusb_probe [1]
+The patch tested by syzbot [2]
+
+Reported-by: syzbot+8750abbc3a46ef47d509@syzkaller.appspotmail.com
+
+[1]:
+https://syzkaller.appspot.com/bug?id=30a04378dac680c5d521304a00a86156bb913522
+[2]:
+https://groups.google.com/d/msg/syzkaller-bugs/_6HBdge8F3E/OJn7wVNpBAAJ
+
+Signed-off-by: Phong Tran
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/isdn/hardware/mISDN/hfcsusb.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/isdn/hardware/mISDN/hfcsusb.c
++++ b/drivers/isdn/hardware/mISDN/hfcsusb.c
+@@ -1963,6 +1963,9 @@ hfcsusb_probe(struct usb_interface *intf
+
+ /* get endpoint base */
+ idx = ((ep_addr & 0x7f) - 1) * 2;
++ if (idx > 15)
++ return -EIO;
++
+ if (ep_addr & 0x80)
+ idx++;
+ attr = ep->desc.bmAttributes;
diff --git a/queue-4.4/media-cpia2_usb-first-wake-up-then-free-in-disconnect.patch b/queue-4.4/media-cpia2_usb-first-wake-up-then-free-in-disconnect.patch
new file mode 100644
index 00000000000..13aa2a87657
--- /dev/null
+++ b/queue-4.4/media-cpia2_usb-first-wake-up-then-free-in-disconnect.patch
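Review bot: The new bound rejects only oversized values, yet an endpoint whose low seven address bits are zero makes `idx = ((ep_addr & 0x7f) - 1) * 2` evaluate to -2 (then -1 after the `idx++` below), and a negative index into the endpoint table is as far out of bounds as 16 is; the guard should read `if (idx < 0 || idx > 15) return -EIO;`. This assumes `idx` is a signed int — its declaration and the table the literal 15 protects both lie outside the hunk, so please confirm. If that table is a fixed-size array, expressing the limit through its size instead of the bare 15 would keep the check and the array in step. hfcsusb_probe begins before this hunk and continues after it.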
@@ -0,0 +1,44 @@
+From eff73de2b1600ad8230692f00bc0ab49b166512a Mon Sep 17 00:00:00 2001
+From: Oliver Neukum
+Date: Thu, 9 May 2019 04:57:09 -0400
+Subject: media: cpia2_usb: first wake up, then free in disconnect
+
+From: Oliver Neukum
+
+commit eff73de2b1600ad8230692f00bc0ab49b166512a upstream.
+
+Kasan reported a use after free in cpia2_usb_disconnect()
+It first freed everything and then woke up those waiting.
+The reverse order is correct.
+
+Fixes: 6c493f8b28c67 ("[media] cpia2: major overhaul to get it in a working state again")
+
+Signed-off-by: Oliver Neukum
+Reported-by: syzbot+0c90fc937c84f97d0aa6@syzkaller.appspotmail.com
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/usb/cpia2/cpia2_usb.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/usb/cpia2/cpia2_usb.c
++++ b/drivers/media/usb/cpia2/cpia2_usb.c
+@@ -884,7 +884,6 @@ static void cpia2_usb_disconnect(struct
+ cpia2_unregister_camera(cam);
+ v4l2_device_disconnect(&cam->v4l2_dev);
+ mutex_unlock(&cam->v4l2_lock);
+- v4l2_device_put(&cam->v4l2_dev);
+
+ if(cam->buffers) {
+ DBG("Wakeup waiting processes\n");
+@@ -897,6 +896,8 @@ static void cpia2_usb_disconnect(struct
+ DBG("Releasing interface\n");
+ usb_driver_release_interface(&cpia2_driver, intf);
+
++ v4l2_device_put(&cam->v4l2_dev);
++
+ LOG("CPiA2 camera disconnected.\n");
+ }
+
diff --git a/queue-4.4/media-radio-raremono-change-devm_k-alloc-to-k-alloc.patch b/queue-4.4/media-radio-raremono-change-devm_k-alloc-to-k-alloc.patch
new file mode 100644
index 00000000000..2cc1f6d654b
--- /dev/null
+++ b/queue-4.4/media-radio-raremono-change-devm_k-alloc-to-k-alloc.patch
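Review bot: The relocated `v4l2_device_put(&cam->v4l2_dev);` now carries the ordering the whole fix depends on, but nothing at the call site says so, and a later tidy-up could move it back next to `v4l2_device_disconnect` where it used to sit. I would put a comment on the line above it: `/* Keep this last: dropping our reference may free cam, so the waiters above must already have been woken. */`. Whether the put actually frees `cam` depends on the release callback installed elsewhere in the driver, so the wording should be checked against that. The opening of cpia2_usb_disconnect lies before the first hunk.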
@@ -0,0 +1,108 @@
+From c666355e60ddb4748ead3bdd983e3f7f2224aaf0 Mon Sep 17 00:00:00 2001
+From: Luke Nowakowski-Krijger
+Date: Fri, 21 Jun 2019 21:04:38 -0400
+Subject: media: radio-raremono: change devm_k*alloc to k*alloc
+
+From: Luke Nowakowski-Krijger
+
+commit c666355e60ddb4748ead3bdd983e3f7f2224aaf0 upstream.
+
+Change devm_k*alloc to k*alloc to manually allocate memory
+
+The manual allocation and freeing of memory is necessary because when
+the USB radio is disconnected, the memory associated with devm_k*alloc
+is freed. Meaning if we still have unresolved references to the radio
+device, then we get use-after-free errors.
+
+This patch fixes this by manually allocating memory, and freeing it in
+the v4l2.release callback that gets called when the last radio device
+exits.
+
+Reported-and-tested-by: syzbot+a4387f5b6b799f6becbf@syzkaller.appspotmail.com
+
+Signed-off-by: Luke Nowakowski-Krijger
+Signed-off-by: Hans Verkuil
+[hverkuil-cisco@xs4all.nl: cleaned up two small checkpatch.pl warnings]
+[hverkuil-cisco@xs4all.nl: prefix subject with driver name]
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/radio/radio-raremono.c | 30 +++++++++++++++++++++++-------
+ 1 file changed, 23 insertions(+), 7 deletions(-)
+
+--- a/drivers/media/radio/radio-raremono.c
++++ b/drivers/media/radio/radio-raremono.c
+@@ -283,6 +283,14 @@ static int vidioc_g_frequency(struct fil
+ return 0;
+ }
+
++static void raremono_device_release(struct v4l2_device *v4l2_dev)
++{
++ struct raremono_device *radio = to_raremono_dev(v4l2_dev);
++
++ kfree(radio->buffer);
++ kfree(radio);
++}
++
+ /* File system interface */
+ static const struct v4l2_file_operations usb_raremono_fops = {
+ .owner = THIS_MODULE,
+@@ -307,12 +315,14 @@ static int usb_raremono_probe(struct usb
+ struct raremono_device *radio;
+ int retval = 0;
+
+- radio = devm_kzalloc(&intf->dev, sizeof(struct raremono_device), GFP_KERNEL);
+- if (radio)
+- radio->buffer =
devm_kmalloc(&intf->dev, BUFFER_LENGTH, GFP_KERNEL);
+-
+- if (!radio || !radio->buffer)
++ radio = kzalloc(sizeof(*radio), GFP_KERNEL);
++ if (!radio)
++ return -ENOMEM;
++ radio->buffer = kmalloc(BUFFER_LENGTH, GFP_KERNEL);
++ if (!radio->buffer) {
++ kfree(radio);
+ return -ENOMEM;
++ }
+
+ radio->usbdev = interface_to_usbdev(intf);
+ radio->intf = intf;
+@@ -336,7 +346,8 @@ static int usb_raremono_probe(struct usb
+ if (retval != 3 ||
+ (get_unaligned_be16(&radio->buffer[1]) & 0xfff) == 0x0242) {
+ dev_info(&intf->dev, "this is not Thanko's Raremono.\n");
+- return -ENODEV;
++ retval = -ENODEV;
++ goto free_mem;
+ }
+
+ dev_info(&intf->dev, "Thanko's Raremono connected: (%04X:%04X)\n",
+@@ -345,7 +356,7 @@ static int usb_raremono_probe(struct usb
+ retval = v4l2_device_register(&intf->dev, &radio->v4l2_dev);
+ if (retval < 0) {
+ dev_err(&intf->dev, "couldn't register v4l2_device\n");
+- return retval;
++ goto free_mem;
+ }
+
+ mutex_init(&radio->lock);
+@@ -357,6 +368,7 @@ static int usb_raremono_probe(struct usb
+ radio->vdev.ioctl_ops = &usb_raremono_ioctl_ops;
+ radio->vdev.lock = &radio->lock;
+ radio->vdev.release = video_device_release_empty;
++ radio->v4l2_dev.release = raremono_device_release;
+
+ usb_set_intfdata(intf, &radio->v4l2_dev);
+
+@@ -372,6 +384,10 @@ static int usb_raremono_probe(struct usb
+ }
+ dev_err(&intf->dev, "could not register video device\n");
+ v4l2_device_unregister(&radio->v4l2_dev);
++
++free_mem:
++ kfree(radio->buffer);
++ kfree(radio);
+ return retval;
+ }
+
diff --git a/queue-4.4/series b/queue-4.4/series
index fa187d79519..5ad49d74f6e 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
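Review bot: `raremono_device_release` and the new `free_mem:` path in usb_raremono_probe both free `radio->buffer` and `radio`, and nothing says why two sites are needed or why the probe error path calls `kfree` directly rather than `v4l2_device_put`; a reader could easily "fix" one of them into a double free. I would add a comment above `raremono_device_release` stating that it is the v4l2_device release callback and the only place the two allocations are freed once the video device has been registered, and one at `free_mem:` noting that until `video_register_device` succeeds no reference other than the probe path's own exists, so freeing directly is safe. That reasoning assumes the disconnect path, which is outside this hunk, drops the device's reference with `v4l2_device_put`; please confirm it does. The `radio->v4l2_dev.release = raremono_device_release;` assignment has to precede `video_register_device` for the vdev's lifetime to be tied to the v4l2_device refcount, so that ordering is load-bearing and deserves a one-line comment as well. usb_raremono_probe starts before the hunks that touch it.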
@@ -149,3 +149,6 @@ vmstat-remove-bug_on-from-vmstat_update.patch
 mm-vmstat-make-quiet_vmstat-lighter.patch
 ipv6-check-sk-sk_type-and-protocol-early-in-ip_mrout.patch
 tcp-reset-sk_send_head-in-tcp_write_queue_purge.patch
+isdn-hfcsusb-checking-idx-of-ep-configuration.patch
+media-cpia2_usb-first-wake-up-then-free-in-disconnect.patch
+media-radio-raremono-change-devm_k-alloc-to-k-alloc.patch