From: Greg Kroah-Hartman Date: Thu, 13 Jan 2022 10:53:01 +0000 (+0100) Subject: 5.10-stable patches X-Git-Tag: v5.16.1~37 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9ae54a7f49983556a4f40780ef2510906b9f4add;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: arm-dts-exynos-fix-bcm4330-bluetooth-reset-polarity-in-i9100.patch ath11k-fix-buffer-overflow-when-scanning-with-extraie.patch bluetooth-bfusb-fix-division-by-zero-in-send-path.patch bluetooth-btusb-add-support-for-foxconn-mt7922a.patch bluetooth-btusb-add-support-for-foxconn-qca-0xe0d0.patch bluetooth-btusb-add-two-more-bluetooth-parts-for-wcn6855.patch bluetooth-btusb-fix-memory-leak-in-btusb_mtk_submit_wmt_recv_urb.patch bpf-fix-out-of-bounds-access-from-invalid-_or_null-type-verification.patch mmc-sdhci-pci-add-pci-id-for-intel-adl.patch usb-core-fix-bug-in-resuming-hub-s-handling-of-wakeup-requests.patch usb-fix-slab-out-of-bounds-write-bug-in-usb_hcd_poll_rh_status.patch --- diff --git a/queue-5.10/arm-dts-exynos-fix-bcm4330-bluetooth-reset-polarity-in-i9100.patch b/queue-5.10/arm-dts-exynos-fix-bcm4330-bluetooth-reset-polarity-in-i9100.patch new file mode 100644 index 00000000000..7dbd74cf890 --- /dev/null +++ b/queue-5.10/arm-dts-exynos-fix-bcm4330-bluetooth-reset-polarity-in-i9100.patch 
@@ -0,0 +1,34 @@ +From 9cb6de45a006a9799ec399bce60d64b6d4fcc4af Mon Sep 17 00:00:00 2001 +From: Paul Cercueil +Date: Sun, 31 Oct 2021 23:41:36 +0000 +Subject: ARM: dts: exynos: Fix BCM4330 Bluetooth reset polarity in I9100 + +From: Paul Cercueil + +commit 9cb6de45a006a9799ec399bce60d64b6d4fcc4af upstream. + +The reset GPIO was marked active-high, which is against what's specified +in the documentation. Mark the reset GPIO as active-low. With this +change, Bluetooth can now be used on the i9100. + +Fixes: 8620cc2f99b7 ("ARM: dts: exynos: Add devicetree file for the Galaxy S2") +Cc: stable@vger.kernel.org +Signed-off-by: Paul Cercueil +Link: https://lore.kernel.org/r/20211031234137.87070-1-paul@crapouillou.net +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/exynos4210-i9100.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/boot/dts/exynos4210-i9100.dts ++++ b/arch/arm/boot/dts/exynos4210-i9100.dts +@@ -765,7 +765,7 @@ + compatible = "brcm,bcm4330-bt"; + + shutdown-gpios = <&gpl0 4 GPIO_ACTIVE_HIGH>; +- reset-gpios = <&gpl1 0 GPIO_ACTIVE_HIGH>; ++ reset-gpios = <&gpl1 0 GPIO_ACTIVE_LOW>; + device-wakeup-gpios = <&gpx3 1 GPIO_ACTIVE_HIGH>; + host-wakeup-gpios = <&gpx2 6 GPIO_ACTIVE_HIGH>; + }; diff --git a/queue-5.10/ath11k-fix-buffer-overflow-when-scanning-with-extraie.patch b/queue-5.10/ath11k-fix-buffer-overflow-when-scanning-with-extraie.patch new file mode 100644 index 00000000000..3103e34e7cb --- /dev/null +++ b/queue-5.10/ath11k-fix-buffer-overflow-when-scanning-with-extraie.patch 
@@ -0,0 +1,76 @@ +From a658c929ded7ea3aee324c8c2a9635a5e5a38e7f Mon Sep 17 00:00:00 2001 +From: Sven Eckelmann +Date: Wed, 8 Dec 2021 10:43:59 +0200 +Subject: ath11k: Fix buffer overflow when scanning with extraie + +From: Sven Eckelmann + +commit a658c929ded7ea3aee324c8c2a9635a5e5a38e7f upstream. + +If cfg80211 is providing extraie's for a scanning process then ath11k will +copy that over to the firmware. The extraie.len is a 32 bit value in struct +element_info and describes the amount of bytes for the vendor information +elements. + +The WMI_TLV packet is having a special WMI_TAG_ARRAY_BYTE section. This +section can have a (payload) length up to 65535 bytes because the +WMI_TLV_LEN can store up to 16 bits. The code was missing such a check and +could have created a scan request which cannot be parsed correctly by the +firmware. + +But the bigger problem was the allocation of the buffer. It has to align +the TLV sections by 4 bytes. But the code was using an u8 to store the +newly calculated length of this section (with alignment). And the new +calculated length was then used to allocate the skbuff. But the actual code +to copy in the data is using the extraie.len and not the calculated +"aligned" length. + +The length of extraie with IEEE80211_HW_SINGLE_SCAN_ON_ALL_BANDS enabled +was 264 bytes during tests with a QCA Milan card. But it only allocated 8 +bytes (264 bytes % 256) for it. As consequence, the code to memcpy the +extraie into the skb was then just overwriting data after skb->end. Things +like shinfo were therefore corrupted. This could usually be seen by a crash +in skb_zcopy_clear which tried to call a ubuf_info callback (using a bogus +address). 
+ +Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-02892.1-QCAHSPSWPL_V1_V2_SILICONZ_LITE-1 + +Cc: stable@vger.kernel.org +Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices") +Signed-off-by: Sven Eckelmann +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20211207142913.1734635-1-sven@narfation.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath11k/wmi.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/net/wireless/ath/ath11k/wmi.c ++++ b/drivers/net/wireless/ath/ath11k/wmi.c +@@ -2036,7 +2036,7 @@ int ath11k_wmi_send_scan_start_cmd(struc + void *ptr; + int i, ret, len; + u32 *tmp_ptr; +- u8 extraie_len_with_pad = 0; ++ u16 extraie_len_with_pad = 0; + struct hint_short_ssid *s_ssid = NULL; + struct hint_bssid *hint_bssid = NULL; + +@@ -2055,7 +2055,7 @@ int ath11k_wmi_send_scan_start_cmd(struc + len += sizeof(*bssid) * params->num_bssid; + + len += TLV_HDR_SIZE; +- if (params->extraie.len) ++ if (params->extraie.len && params->extraie.len <= 0xFFFF) + extraie_len_with_pad = + roundup(params->extraie.len, sizeof(u32)); + len += extraie_len_with_pad; +@@ -2162,7 +2162,7 @@ int ath11k_wmi_send_scan_start_cmd(struc + FIELD_PREP(WMI_TLV_LEN, len); + ptr += TLV_HDR_SIZE; + +- if (params->extraie.len) ++ if (extraie_len_with_pad) + memcpy(ptr, params->extraie.ptr, + params->extraie.len); + diff --git a/queue-5.10/bluetooth-bfusb-fix-division-by-zero-in-send-path.patch b/queue-5.10/bluetooth-bfusb-fix-division-by-zero-in-send-path.patch new file mode 100644 index 00000000000..84d137848e7 --- /dev/null +++ b/queue-5.10/bluetooth-bfusb-fix-division-by-zero-in-send-path.patch 
@@ -0,0 +1,38 @@ +From b5e6fa7a12572c82f1e7f2f51fbb02a322291291 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 25 Oct 2021 13:39:44 +0200 +Subject: Bluetooth: bfusb: fix division by zero in send path + +From: Johan Hovold + +commit b5e6fa7a12572c82f1e7f2f51fbb02a322291291 upstream. + +Add the missing bulk-out endpoint sanity check to probe() to avoid +division by zero in bfusb_send_frame() in case a malicious device has +broken descriptors (or when doing descriptor fuzz testing). + +Note that USB core will reject URBs submitted for endpoints with zero +wMaxPacketSize but that drivers doing packet-size calculations still +need to handle this (cf. commit 2548288b4fb0 ("USB: Fix: Don't skip +endpoint descriptors with maxpacket=0")). + +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Marcel Holtmann +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bluetooth/bfusb.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/bluetooth/bfusb.c ++++ b/drivers/bluetooth/bfusb.c +@@ -628,6 +628,9 @@ static int bfusb_probe(struct usb_interf + data->bulk_out_ep = bulk_out_ep->desc.bEndpointAddress; + data->bulk_pkt_size = le16_to_cpu(bulk_out_ep->desc.wMaxPacketSize); + ++ if (!data->bulk_pkt_size) ++ goto done; ++ + rwlock_init(&data->lock); + + data->reassembly = NULL; diff --git a/queue-5.10/bluetooth-btusb-add-support-for-foxconn-mt7922a.patch b/queue-5.10/bluetooth-btusb-add-support-for-foxconn-mt7922a.patch new file mode 100644 index 00000000000..35077193979 --- /dev/null +++ b/queue-5.10/bluetooth-btusb-add-support-for-foxconn-mt7922a.patch 
@@ -0,0 +1,80 @@ +From 6932627425d6d3849aecd43c02158a5312895ad4 Mon Sep 17 00:00:00 2001 +From: Aaron Ma +Date: Fri, 17 Dec 2021 17:51:50 +0800 +Subject: Bluetooth: btusb: Add support for Foxconn MT7922A + +From: Aaron Ma + +commit 6932627425d6d3849aecd43c02158a5312895ad4 upstream. + +Add 2 USB IDs for MT7922A chip. +These 2 devices got the same description. + +T: Bus=01 Lev=01 Prnt=01 Port=02 Cnt=01 Dev#= 2 Spd=480 MxCh= 0 +D: Ver= 2.10 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=0489 ProdID=e0d8 Rev= 1.00 + +T: Bus=03 Lev=01 Prnt=01 Port=02 Cnt=02 Dev#= 3 Spd=480 MxCh= 0 +D: Ver= 2.10 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=0489 ProdID=e0d9 Rev= 1.00 +S: Manufacturer=MediaTek Inc. +S: Product=Wireless_Device +S: SerialNumber=000000000 +C:* #Ifs= 3 Cfg#= 1 Atr=e0 MxPwr=100mA +A: FirstIf#= 0 IfCount= 3 Cls=e0(wlcon) Sub=01 Prot=01 +I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=125us +E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms +I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms +I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms +I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms +I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms +I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms +I: 
If#= 1 Alt= 6 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 63 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 63 Ivl=1ms +I:* If#= 2 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=(none) +E: Ad=8a(I) Atr=03(Int.) MxPS= 64 Ivl=125us +E: Ad=0a(O) Atr=03(Int.) MxPS= 64 Ivl=125us +I: If#= 2 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=(none) +E: Ad=8a(I) Atr=03(Int.) MxPS= 512 Ivl=125us +E: Ad=0a(O) Atr=03(Int.) MxPS= 512 Ivl=125us + +Signed-off-by: Aaron Ma +Signed-off-by: Marcel Holtmann +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bluetooth/btusb.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -406,6 +406,14 @@ static const struct usb_device_id blackl + BTUSB_WIDEBAND_SPEECH | + BTUSB_VALID_LE_STATES }, + ++ /* MediaTek MT7922A Bluetooth devices */ ++ { USB_DEVICE(0x0489, 0xe0d8), .driver_info = BTUSB_MEDIATEK | ++ BTUSB_WIDEBAND_SPEECH | ++ BTUSB_VALID_LE_STATES }, ++ { USB_DEVICE(0x0489, 0xe0d9), .driver_info = BTUSB_MEDIATEK | ++ BTUSB_WIDEBAND_SPEECH | ++ BTUSB_VALID_LE_STATES }, ++ + /* Additional Realtek 8723AE Bluetooth devices */ + { USB_DEVICE(0x0930, 0x021d), .driver_info = BTUSB_REALTEK }, + { USB_DEVICE(0x13d3, 0x3394), .driver_info = BTUSB_REALTEK }, diff --git a/queue-5.10/bluetooth-btusb-add-support-for-foxconn-qca-0xe0d0.patch b/queue-5.10/bluetooth-btusb-add-support-for-foxconn-qca-0xe0d0.patch new file mode 100644 index 00000000000..d275b982d0b --- /dev/null +++ b/queue-5.10/bluetooth-btusb-add-support-for-foxconn-qca-0xe0d0.patch 
@@ -0,0 +1,63 @@ +From 1cd563ebd0dc062127a85e84f934f4c697bb43ef Mon Sep 17 00:00:00 2001 +From: Aaron Ma +Date: Fri, 7 Jan 2022 11:59:09 +0800 +Subject: Bluetooth: btusb: Add support for Foxconn QCA 0xe0d0 + +From: Aaron Ma + +commit 1cd563ebd0dc062127a85e84f934f4c697bb43ef upstream. + +Add an ID of Qualcomm Bluetooth SoC WCN6855. + +T: Bus=05 Lev=01 Prnt=01 Port=03 Cnt=02 Dev#= 4 Spd=12 MxCh= 0 +D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=0489 ProdID=e0d0 Rev= 0.01 +C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA +I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms +E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms +E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms +I: If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms +I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms +I:* If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms +I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms +I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms +I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms +I: If#= 1 Alt= 6 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 63 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 63 Ivl=1ms +I: If#= 1 Alt= 7 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 65 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 65 Ivl=1ms + +Signed-off-by: Aaron Ma 
+Signed-off-by: Marcel Holtmann +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bluetooth/btusb.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -385,6 +385,9 @@ static const struct usb_device_id blackl + { USB_DEVICE(0x10ab, 0x9409), .driver_info = BTUSB_QCA_WCN6855 | + BTUSB_WIDEBAND_SPEECH | + BTUSB_VALID_LE_STATES }, ++ { USB_DEVICE(0x0489, 0xe0d0), .driver_info = BTUSB_QCA_WCN6855 | ++ BTUSB_WIDEBAND_SPEECH | ++ BTUSB_VALID_LE_STATES }, + + /* Other Intel Bluetooth devices */ + { USB_VENDOR_AND_INTERFACE_INFO(0x8087, 0xe0, 0x01, 0x01), diff --git a/queue-5.10/bluetooth-btusb-add-two-more-bluetooth-parts-for-wcn6855.patch b/queue-5.10/bluetooth-btusb-add-two-more-bluetooth-parts-for-wcn6855.patch new file mode 100644 index 00000000000..e932344837f --- /dev/null +++ b/queue-5.10/bluetooth-btusb-add-two-more-bluetooth-parts-for-wcn6855.patch 
@@ -0,0 +1,102 @@ +From d2666be51d5f09662929888dd84d1f4d38c97127 Mon Sep 17 00:00:00 2001 +From: Zijun Hu +Date: Thu, 9 Dec 2021 14:34:01 +0800 +Subject: Bluetooth: btusb: Add two more Bluetooth parts for WCN6855 + +From: Zijun Hu + +commit d2666be51d5f09662929888dd84d1f4d38c97127 upstream. + +Add USB IDs (0x10ab, 0x9309) and (0x10ab, 0x9409) to +usb_device_id table for WCN6855. + +* /sys/kernel/debug/usb/devices +T: Bus=02 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 10 Spd=12 MxCh= 0 +D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=10ab ProdID=9309 Rev= 0.01 +C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA +I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms +E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms +E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms +I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms +I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms +I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms +I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms +I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms +I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms +I: If#= 1 Alt= 6 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 63 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 63 Ivl=1ms +I: If#= 1 Alt= 7 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 65 
Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 65 Ivl=1ms + +T: Bus=02 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 11 Spd=12 MxCh= 0 +D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=10ab ProdID=9409 Rev= 0.01 +C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA +I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms +E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms +E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms +I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms +I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms +I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms +I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms +I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms +I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms +I: If#= 1 Alt= 6 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 63 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 63 Ivl=1ms +I: If#= 1 Alt= 7 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 65 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 65 Ivl=1ms + +Signed-off-by: Zijun Hu +Signed-off-by: Marcel Holtmann +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bluetooth/btusb.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -379,6 +379,12 @@ static const 
struct usb_device_id blackl + { USB_DEVICE(0x8087, 0x0aaa), .driver_info = BTUSB_INTEL_NEW | + BTUSB_WIDEBAND_SPEECH | + BTUSB_VALID_LE_STATES }, ++ { USB_DEVICE(0x10ab, 0x9309), .driver_info = BTUSB_QCA_WCN6855 | ++ BTUSB_WIDEBAND_SPEECH | ++ BTUSB_VALID_LE_STATES }, ++ { USB_DEVICE(0x10ab, 0x9409), .driver_info = BTUSB_QCA_WCN6855 | ++ BTUSB_WIDEBAND_SPEECH | ++ BTUSB_VALID_LE_STATES }, + + /* Other Intel Bluetooth devices */ + { USB_VENDOR_AND_INTERFACE_INFO(0x8087, 0xe0, 0x01, 0x01), diff --git a/queue-5.10/bluetooth-btusb-fix-memory-leak-in-btusb_mtk_submit_wmt_recv_urb.patch b/queue-5.10/bluetooth-btusb-fix-memory-leak-in-btusb_mtk_submit_wmt_recv_urb.patch new file mode 100644 index 00000000000..e5df80e6abd --- /dev/null +++ b/queue-5.10/bluetooth-btusb-fix-memory-leak-in-btusb_mtk_submit_wmt_recv_urb.patch 
@@ -0,0 +1,77 @@ +From 60c6a63a3d3080a62f3e0e20084f58dbeff16748 Mon Sep 17 00:00:00 2001 +From: "Mark-YW.Chen" +Date: Thu, 14 Oct 2021 00:22:04 +0800 +Subject: Bluetooth: btusb: fix memory leak in btusb_mtk_submit_wmt_recv_urb() + +From: Mark-YW.Chen + +commit 60c6a63a3d3080a62f3e0e20084f58dbeff16748 upstream. + +Driver should free `usb->setup_packet` to avoid the leak. + +$ cat /sys/kernel/debug/kmemleak +unreferenced object 0xffffffa564a58080 (size 128): + backtrace: + [<000000007eb8dd70>] kmem_cache_alloc_trace+0x22c/0x384 + [<000000008a44191d>] btusb_mtk_hci_wmt_sync+0x1ec/0x994 + [btusb] + [<00000000ca7189a3>] btusb_mtk_setup+0x6b8/0x13cc + [btusb] + [<00000000c6105069>] hci_dev_do_open+0x290/0x974 + [bluetooth] + [<00000000a583f8b8>] hci_power_on+0xdc/0x3cc [bluetooth] + [<000000005d80e687>] process_one_work+0x514/0xc80 + [<00000000f4d57637>] worker_thread+0x818/0xd0c + [<00000000dc7bdb55>] kthread+0x2f8/0x3b8 + [<00000000f9999513>] ret_from_fork+0x10/0x30 + +Fixes: a1c49c434e150 ("Bluetooth: btusb: Add protocol support for MediaTek MT7668U USB devices") +Signed-off-by: Mark-YW.Chen +Signed-off-by: Marcel Holtmann +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bluetooth/btusb.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -2845,6 +2845,7 @@ static void btusb_mtk_wmt_recv(struct ur + skb = bt_skb_alloc(HCI_WMT_MAX_EVENT_SIZE, GFP_ATOMIC); + if (!skb) { + hdev->stat.err_rx++; ++ kfree(urb->setup_packet); + return; + } + +@@ -2865,6 +2866,7 @@ static void btusb_mtk_wmt_recv(struct ur + data->evt_skb = skb_clone(skb, GFP_ATOMIC); + if (!data->evt_skb) { + kfree_skb(skb); ++ kfree(urb->setup_packet); + return; + } + } +@@ -2873,6 +2875,7 @@ static void btusb_mtk_wmt_recv(struct ur + if (err < 0) { + kfree_skb(data->evt_skb); + data->evt_skb = NULL; ++ kfree(urb->setup_packet); + return; + } + +@@ -2883,6 +2886,7 @@ static void btusb_mtk_wmt_recv(struct ur + wake_up_bit(&data->flags, + 
BTUSB_TX_WAIT_VND_EVT); + } ++ kfree(urb->setup_packet); + return; + } else if (urb->status == -ENOENT) { + /* Avoid suspend failed when usb_kill_urb */ +@@ -2903,6 +2907,7 @@ static void btusb_mtk_wmt_recv(struct ur + usb_anchor_urb(urb, &data->ctrl_anchor); + err = usb_submit_urb(urb, GFP_ATOMIC); + if (err < 0) { ++ kfree(urb->setup_packet); + /* -EPERM: urb is being killed; + * -ENODEV: device got disconnected + */ diff --git a/queue-5.10/bpf-fix-out-of-bounds-access-from-invalid-_or_null-type-verification.patch b/queue-5.10/bpf-fix-out-of-bounds-access-from-invalid-_or_null-type-verification.patch new file mode 100644 index 00000000000..eceea6dc6dc --- /dev/null +++ b/queue-5.10/bpf-fix-out-of-bounds-access-from-invalid-_or_null-type-verification.patch 
@@ -0,0 +1,102 @@ +From 51cf0a9e6f1c842efa768d3079b16a80cbf871c3 Mon Sep 17 00:00:00 2001 +From: Daniel Borkmann +Date: Tue, 4 Jan 2022 14:16:03 +0000 +Subject: bpf: Fix out of bounds access from invalid *_or_null type verification + +From: Daniel Borkmann + +[ no upstream commit given implicitly fixed through the larger refactoring + in c25b2ae136039ffa820c26138ed4a5e5f3ab3841 ] + +While auditing some other code, I noticed missing checks inside the pointer +arithmetic simulation, more specifically, adjust_ptr_min_max_vals(). Several +*_OR_NULL types are not rejected whereas they are _required_ to be rejected +given the expectation is that they get promoted into a 'real' pointer type +for the success case, that is, after an explicit != NULL check. + +One case which stands out and is accessible from unprivileged (iff enabled +given disabled by default) is BPF ring buffer. From crafting a PoC, the NULL +check can be bypassed through an offset, and its id marking will then lead +to promotion of mem_or_null to a mem type. + +bpf_ringbuf_reserve() helper can trigger this case through passing of reserved +flags, for example. 
+ + func#0 @0 + 0: R1=ctx(id=0,off=0,imm=0) R10=fp0 + 0: (7a) *(u64 *)(r10 -8) = 0 + 1: R1=ctx(id=0,off=0,imm=0) R10=fp0 fp-8_w=mmmmmmmm + 1: (18) r1 = 0x0 + 3: R1_w=map_ptr(id=0,off=0,ks=0,vs=0,imm=0) R10=fp0 fp-8_w=mmmmmmmm + 3: (b7) r2 = 8 + 4: R1_w=map_ptr(id=0,off=0,ks=0,vs=0,imm=0) R2_w=invP8 R10=fp0 fp-8_w=mmmmmmmm + 4: (b7) r3 = 0 + 5: R1_w=map_ptr(id=0,off=0,ks=0,vs=0,imm=0) R2_w=invP8 R3_w=invP0 R10=fp0 fp-8_w=mmmmmmmm + 5: (85) call bpf_ringbuf_reserve#131 + 6: R0_w=mem_or_null(id=2,ref_obj_id=2,off=0,imm=0) R10=fp0 fp-8_w=mmmmmmmm refs=2 + 6: (bf) r6 = r0 + 7: R0_w=mem_or_null(id=2,ref_obj_id=2,off=0,imm=0) R6_w=mem_or_null(id=2,ref_obj_id=2,off=0,imm=0) R10=fp0 fp-8_w=mmmmmmmm refs=2 + 7: (07) r0 += 1 + 8: R0_w=mem_or_null(id=2,ref_obj_id=2,off=1,imm=0) R6_w=mem_or_null(id=2,ref_obj_id=2,off=0,imm=0) R10=fp0 fp-8_w=mmmmmmmm refs=2 + 8: (15) if r0 == 0x0 goto pc+4 + R0_w=mem(id=0,ref_obj_id=0,off=0,imm=0) R6_w=mem(id=0,ref_obj_id=2,off=0,imm=0) R10=fp0 fp-8_w=mmmmmmmm refs=2 + 9: R0_w=mem(id=0,ref_obj_id=0,off=0,imm=0) R6_w=mem(id=0,ref_obj_id=2,off=0,imm=0) R10=fp0 fp-8_w=mmmmmmmm refs=2 + 9: (62) *(u32 *)(r6 +0) = 0 + R0_w=mem(id=0,ref_obj_id=0,off=0,imm=0) R6_w=mem(id=0,ref_obj_id=2,off=0,imm=0) R10=fp0 fp-8_w=mmmmmmmm refs=2 + 10: R0_w=mem(id=0,ref_obj_id=0,off=0,imm=0) R6_w=mem(id=0,ref_obj_id=2,off=0,imm=0) R10=fp0 fp-8_w=mmmmmmmm refs=2 + 10: (bf) r1 = r6 + 11: R0_w=mem(id=0,ref_obj_id=0,off=0,imm=0) R1_w=mem(id=0,ref_obj_id=2,off=0,imm=0) R6_w=mem(id=0,ref_obj_id=2,off=0,imm=0) R10=fp0 fp-8_w=mmmmmmmm refs=2 + 11: (b7) r2 = 0 + 12: R0_w=mem(id=0,ref_obj_id=0,off=0,imm=0) R1_w=mem(id=0,ref_obj_id=2,off=0,imm=0) R2_w=invP0 R6_w=mem(id=0,ref_obj_id=2,off=0,imm=0) R10=fp0 fp-8_w=mmmmmmmm refs=2 + 12: (85) call bpf_ringbuf_submit#132 + 13: R6=invP(id=0) R10=fp0 fp-8=mmmmmmmm + 13: (b7) r0 = 0 + 14: R0_w=invP0 R6=invP(id=0) R10=fp0 fp-8=mmmmmmmm + 14: (95) exit + + from 8 to 13: safe + processed 15 insns (limit 1000000) max_states_per_insn 0 
total_states 1 peak_states 1 mark_read 0 + OK + +All three commits, that is b121b341e598 ("bpf: Add PTR_TO_BTF_ID_OR_NULL support"), +457f44363a88 ("bpf: Implement BPF ring buffer and verifier support for it"), and the +afbf21dce668 ("bpf: Support readonly/readwrite buffers in verifier") suffer the same +cause and their *_OR_NULL type pendants must be rejected in adjust_ptr_min_max_vals(). + +Make the test more robust by reusing reg_type_may_be_null() helper such that we catch +all *_OR_NULL types we have today and in future. + +Note that pointer arithmetic on PTR_TO_BTF_ID, PTR_TO_RDONLY_BUF, and PTR_TO_RDWR_BUF +is generally allowed. + +Fixes: b121b341e598 ("bpf: Add PTR_TO_BTF_ID_OR_NULL support") +Fixes: 457f44363a88 ("bpf: Implement BPF ring buffer and verifier support for it") +Fixes: afbf21dce668 ("bpf: Support readonly/readwrite buffers in verifier") +Signed-off-by: Daniel Borkmann +Signed-off-by: Greg Kroah-Hartman +--- + kernel/bpf/verifier.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -6037,16 +6037,16 @@ static int adjust_ptr_min_max_vals(struc + fallthrough; + case PTR_TO_PACKET_END: + case PTR_TO_SOCKET: +- case PTR_TO_SOCKET_OR_NULL: + case PTR_TO_SOCK_COMMON: +- case PTR_TO_SOCK_COMMON_OR_NULL: + case PTR_TO_TCP_SOCK: +- case PTR_TO_TCP_SOCK_OR_NULL: + case PTR_TO_XDP_SOCK: ++reject: + verbose(env, "R%d pointer arithmetic on %s prohibited\n", + dst, reg_type_str[ptr_reg->type]); + return -EACCES; + default: ++ if (reg_type_may_be_null(ptr_reg->type)) ++ goto reject; + break; + } + diff --git a/queue-5.10/mmc-sdhci-pci-add-pci-id-for-intel-adl.patch b/queue-5.10/mmc-sdhci-pci-add-pci-id-for-intel-adl.patch new file mode 100644 index 00000000000..5b08b4e6e91 --- /dev/null +++ b/queue-5.10/mmc-sdhci-pci-add-pci-id-for-intel-adl.patch 
@@ -0,0 +1,41 @@ +From e53e97f805cb1abeea000a61549d42f92cb10804 Mon Sep 17 00:00:00 2001 +From: Adrian Hunter +Date: Wed, 24 Nov 2021 11:48:50 +0200 +Subject: mmc: sdhci-pci: Add PCI ID for Intel ADL + +From: Adrian Hunter + +commit e53e97f805cb1abeea000a61549d42f92cb10804 upstream. + +Add PCI ID for Intel ADL eMMC host controller. + +Signed-off-by: Adrian Hunter +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20211124094850.1783220-1-adrian.hunter@intel.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/sdhci-pci-core.c | 1 + + drivers/mmc/host/sdhci-pci.h | 1 + + 2 files changed, 2 insertions(+) + +--- a/drivers/mmc/host/sdhci-pci-core.c ++++ b/drivers/mmc/host/sdhci-pci-core.c +@@ -1932,6 +1932,7 @@ static const struct pci_device_id pci_id + SDHCI_PCI_DEVICE(INTEL, JSL_SD, intel_byt_sd), + SDHCI_PCI_DEVICE(INTEL, LKF_EMMC, intel_glk_emmc), + SDHCI_PCI_DEVICE(INTEL, LKF_SD, intel_byt_sd), ++ SDHCI_PCI_DEVICE(INTEL, ADL_EMMC, intel_glk_emmc), + SDHCI_PCI_DEVICE(O2, 8120, o2), + SDHCI_PCI_DEVICE(O2, 8220, o2), + SDHCI_PCI_DEVICE(O2, 8221, o2), +--- a/drivers/mmc/host/sdhci-pci.h ++++ b/drivers/mmc/host/sdhci-pci.h +@@ -59,6 +59,7 @@ + #define PCI_DEVICE_ID_INTEL_JSL_SD 0x4df8 + #define PCI_DEVICE_ID_INTEL_LKF_EMMC 0x98c4 + #define PCI_DEVICE_ID_INTEL_LKF_SD 0x98f8 ++#define PCI_DEVICE_ID_INTEL_ADL_EMMC 0x54c4 + + #define PCI_DEVICE_ID_SYSKONNECT_8000 0x8000 + #define PCI_DEVICE_ID_VIA_95D0 0x95d0 diff --git a/queue-5.10/series b/queue-5.10/series index e6b7f58a45b..fa724995fc7 100644 --- a/queue-5.10/series +++ b/queue-5.10/series 
@@ -1,2 +1,13 @@ md-revert-io-stats-accounting.patch workqueue-fix-unbind_workers-vs-wq_worker_running-race.patch +bpf-fix-out-of-bounds-access-from-invalid-_or_null-type-verification.patch +bluetooth-btusb-fix-memory-leak-in-btusb_mtk_submit_wmt_recv_urb.patch +bluetooth-btusb-add-two-more-bluetooth-parts-for-wcn6855.patch +bluetooth-btusb-add-support-for-foxconn-mt7922a.patch +bluetooth-btusb-add-support-for-foxconn-qca-0xe0d0.patch +bluetooth-bfusb-fix-division-by-zero-in-send-path.patch +arm-dts-exynos-fix-bcm4330-bluetooth-reset-polarity-in-i9100.patch +usb-core-fix-bug-in-resuming-hub-s-handling-of-wakeup-requests.patch +usb-fix-slab-out-of-bounds-write-bug-in-usb_hcd_poll_rh_status.patch +ath11k-fix-buffer-overflow-when-scanning-with-extraie.patch +mmc-sdhci-pci-add-pci-id-for-intel-adl.patch diff --git a/queue-5.10/usb-core-fix-bug-in-resuming-hub-s-handling-of-wakeup-requests.patch b/queue-5.10/usb-core-fix-bug-in-resuming-hub-s-handling-of-wakeup-requests.patch new file mode 100644 index 00000000000..2b491e03dd6 --- /dev/null +++ b/queue-5.10/usb-core-fix-bug-in-resuming-hub-s-handling-of-wakeup-requests.patch 
@@ -0,0 +1,69 @@ +From 0f663729bb4afc92a9986b66131ebd5b8a9254d1 Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Sat, 1 Jan 2022 14:52:14 -0500 +Subject: USB: core: Fix bug in resuming hub's handling of wakeup requests + +From: Alan Stern + +commit 0f663729bb4afc92a9986b66131ebd5b8a9254d1 upstream. + +Bugzilla #213839 reports a 7-port hub that doesn't work properly when +devices are plugged into some of the ports; the kernel goes into an +unending disconnect/reinitialize loop as shown in the bug report. + +This "7-port hub" comprises two four-port hubs with one plugged into +the other; the failures occur when a device is plugged into one of the +downstream hub's ports. (These hubs have other problems too. For +example, they bill themselves as USB-2.0 compliant but they only run +at full speed.) + +It turns out that the failures are caused by bugs in both the kernel +and the hub. The hub's bug is that it reports a different +bmAttributes value in its configuration descriptor following a remote +wakeup (0xe0 before, 0xc0 after -- the wakeup-support bit has +changed). + +The kernel's bug is inside the hub driver's resume handler. When +hub_activate() sees that one of the hub's downstream ports got a +wakeup request from a child device, it notes this fact by setting the +corresponding bit in the hub->change_bits variable. But this variable +is meant for connection changes, not wakeup events; setting it causes +the driver to believe the downstream port has been disconnected and +then connected again (in addition to having received a wakeup +request). + +Because of this, the hub driver then tries to check whether the device +currently plugged into the downstream port is the same as the device +that had been attached there before. Normally this check succeeds and +wakeup handling continues with no harm done (which is why the bug +remained undetected until now). But with these dodgy hubs, the check +fails because the config descriptor has changed. 
This causes the hub +driver to reinitialize the child device, leading to the +disconnect/reinitialize loop described in the bug report. + +The proper way to note reception of a downstream wakeup request is +to set a bit in the hub->event_bits variable instead of +hub->change_bits. That way the hub driver will realize that something +has happened to the port but will not think the port and child device +have been disconnected. This patch makes that change. + +Cc: +Tested-by: Jonathan McDowell +Signed-off-by: Alan Stern +Link: https://lore.kernel.org/r/YdCw7nSfWYPKWQoD@rowland.harvard.edu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/core/hub.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -1224,7 +1224,7 @@ static void hub_activate(struct usb_hub + */ + if (portchange || (hub_is_superspeed(hub->hdev) && + port_resumed)) +- set_bit(port1, hub->change_bits); ++ set_bit(port1, hub->event_bits); + + } else if (udev->persist_enabled) { + #ifdef CONFIG_PM diff --git a/queue-5.10/usb-fix-slab-out-of-bounds-write-bug-in-usb_hcd_poll_rh_status.patch b/queue-5.10/usb-fix-slab-out-of-bounds-write-bug-in-usb_hcd_poll_rh_status.patch new file mode 100644 index 00000000000..8badd11c9d1 --- /dev/null +++ b/queue-5.10/usb-fix-slab-out-of-bounds-write-bug-in-usb_hcd_poll_rh_status.patch 
@@ -0,0 +1,65 @@ +From 1d7d4c07932e04355d6e6528d44a2f2c9e354346 Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Fri, 31 Dec 2021 21:07:12 -0500 +Subject: USB: Fix "slab-out-of-bounds Write" bug in usb_hcd_poll_rh_status + +From: Alan Stern + +commit 1d7d4c07932e04355d6e6528d44a2f2c9e354346 upstream. + +When the USB core code for getting root-hub status reports was +originally written, it was assumed that the hub driver would be its +only caller. But this isn't true now; user programs can use usbfs to +communicate with root hubs and get status reports. When they do this, +they may use a transfer_buffer that is smaller than the data returned +by the HCD, which will lead to a buffer overflow error when +usb_hcd_poll_rh_status() tries to store the status data. This was +discovered by syzbot: + +BUG: KASAN: slab-out-of-bounds in memcpy include/linux/fortify-string.h:225 [inline] +BUG: KASAN: slab-out-of-bounds in usb_hcd_poll_rh_status+0x5f4/0x780 drivers/usb/core/hcd.c:776 +Write of size 2 at addr ffff88801da403c0 by task syz-executor133/4062 + +This patch fixes the bug by reducing the amount of status data if it +won't fit in the transfer_buffer. If some data gets discarded then +the URB's completion status is set to -EOVERFLOW rather than 0, to let +the user know what happened. + +Reported-and-tested-by: syzbot+3ae6a2b06f131ab9849f@syzkaller.appspotmail.com +Signed-off-by: Alan Stern +Cc: +Link: https://lore.kernel.org/r/Yc+3UIQJ2STbxNua@rowland.harvard.edu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/core/hcd.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/drivers/usb/core/hcd.c ++++ b/drivers/usb/core/hcd.c +@@ -754,6 +754,7 @@ void usb_hcd_poll_rh_status(struct usb_h + { + struct urb *urb; + int length; ++ int status; + unsigned long flags; + char buffer[6]; /* Any root hubs with > 31 ports? 
*/ + +@@ -771,11 +772,17 @@ void usb_hcd_poll_rh_status(struct usb_h + if (urb) { + clear_bit(HCD_FLAG_POLL_PENDING, &hcd->flags); + hcd->status_urb = NULL; ++ if (urb->transfer_buffer_length >= length) { ++ status = 0; ++ } else { ++ status = -EOVERFLOW; ++ length = urb->transfer_buffer_length; ++ } + urb->actual_length = length; + memcpy(urb->transfer_buffer, buffer, length); + + usb_hcd_unlink_urb_from_ep(hcd, urb); +- usb_hcd_giveback_urb(hcd, urb, 0); ++ usb_hcd_giveback_urb(hcd, urb, status); + } else { + length = 0; + set_bit(HCD_FLAG_POLL_PENDING, &hcd->flags);
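Review bot: In arm-dts-exynos-fix-bcm4330-bluetooth-reset-polarity-in-i9100.patch, the message justifies the flip with "what's specified in the documentation" but never names the document; since the hunk changes only `reset-gpios` to GPIO_ACTIVE_LOW while the adjacent `shutdown-gpios = <&gpl0 4 GPIO_ACTIVE_HIGH>;` keeps its polarity, a pointer to the Broadcom Bluetooth binding (or the BCM4330 datasheet section that states reset is active-low) would let a backport reviewer confirm that only the reset line was wrong.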
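Review bot: In the second ath11k wmi.c hunk, the bound is checked on the unpadded length but the new `u16 extraie_len_with_pad` holds the padded one: for `params->extraie.len` of 0xFFFD..0xFFFF the check `<= 0xFFFF` passes, `roundup(params->extraie.len, sizeof(u32))` yields 0x10000, and the assignment truncates it to 0, so the third hunk's `if (extraie_len_with_pad)` silently skips the IEs. Bound the padded value instead, e.g. `roundup(params->extraie.len, sizeof(u32)) <= 0xFFFF` (equivalently `len <= 0xFFFC`), since WMI_TLV_LEN carries the padded length. Oversized IEs are also dropped with no diagnostic on every path; a warning when the scan request goes out without them would make the truncation visible to whoever debugs the resulting scan. The memory-safety part of the fix is sound: the copy in the third hunk is now gated on the same variable that sized the allocation in the second.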
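Review bot: In the bfusb.c hunk, `goto done` on a zero wMaxPacketSize leaves probe's return value to whatever the `done:` label returns, which is outside the hunk; confirm it returns a negative error (and frees `data`) rather than 0, otherwise probe succeeds with `bulk_pkt_size == 0` and the division in bfusb_send_frame() that the message describes is still reachable. A log line naming the rejected endpoint would also help when this triggers under the descriptor fuzz testing the message anticipates.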
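Review bot: In the btusb.c hunk of bluetooth-btusb-add-support-for-foxconn-mt7922a.patch, the new comment reads `/* MediaTek MT7922A Bluetooth devices */` while the subject says Foxconn and the vendor ID 0x0489 is the same Foxconn ID used by the sibling 0xe0d0 entry; naming the vendor in the comment (e.g. "Foxconn MT7922A") keeps the table greppable by either party. The message's descriptor dump of the first device stops after its `P:` line, so the "same description" claim can only be checked for ProdID e0d9.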
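Review bot: The bluetooth-btusb-add-support-for-foxconn-qca-0xe0d0.patch hunk anchors on the `{ USB_DEVICE(0x10ab, 0x9409), .driver_info = BTUSB_QCA_WCN6855 |` entry, which does not exist in 5.10 until bluetooth-btusb-add-two-more-bluetooth-parts-for-wcn6855.patch adds it; the queue-5.10/series hunk lists the wcn6855 patch first, which is what makes that context apply, so this relative order has to survive any later reshuffle of the series file. The 0xe0d0 patch carries no Fixes: or stable tag, so the dependency is visible only from the hunk context.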
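Review bot: In the btusb.c hunk of bluetooth-btusb-add-two-more-bluetooth-parts-for-wcn6855.patch, the two `BTUSB_QCA_WCN6855` entries are inserted between `{ USB_DEVICE(0x8087, 0x0aaa), .driver_info = BTUSB_INTEL_NEW |` and the `/* Other Intel Bluetooth devices */` comment, i.e. inside the Intel block; placing them beside the existing WCN6855 entries under a QCA comment would keep the table grouped by vendor and make the next WCN6855 addition land in an obvious spot.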
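Review bot: In bluetooth-btusb-fix-memory-leak-in-btusb_mtk_submit_wmt_recv_urb.patch, the subject names btusb_mtk_submit_wmt_recv_urb() but every hunk is in btusb_mtk_wmt_recv(), and the message says `usb->setup_packet` where the code frees `urb->setup_packet`; both should be corrected so the fix can be located from the log. On the logic: the packet is now freed on four early-return paths plus the resubmit-failure path, but the `} else if (urb->status == -ENOENT) {` branch visible in the fourth hunk is not touched; if that branch returns without resubmitting, the setup packet leaks there too (or is double-freed if the caller that killed the URB frees it), so the message should say which. A single cleanup label, or one free at the top of the non-zero `urb->status` handling, would be less fragile than five scattered `kfree(urb->setup_packet)` calls.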
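Review bot: In the verifier.c hunk, correctness rests on `reg_type_may_be_null()` in the 5.10 tree covering PTR_TO_MEM_OR_NULL, PTR_TO_RDONLY_BUF_OR_NULL, PTR_TO_RDWR_BUF_OR_NULL and PTR_TO_BTF_ID_OR_NULL, the types introduced by the three Fixes: commits; the message asserts this but the helper is not in the diff, so a backporter should check its case list in this tree before applying, since a missing entry silently keeps the bypass shown in the verifier log open. Style: the `reject:` label sits inside the switch body between `case PTR_TO_XDP_SOCK:` and the verbose() call, so it is reached both by fallthrough from the case list and by the `goto` from `default:`; a comment on the label marking it as the shared rejection path would help, and the `[ no upstream commit ... ]` note should stay in the patch header so the divergence from c25b2ae13603 remains documented.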
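Review bot: In the hub.c hunk, the condition `if (portchange || (hub_is_superspeed(hub->hdev) && port_resumed))` now routes both a genuine `portchange` and a SuperSpeed `port_resumed` to `hub->event_bits`, but the message only argues the wakeup case; a sentence in the message (or a comment above the `if`) explaining why a port-change in this branch is also an event rather than a connection change would make the backport reviewable on its own. The hunk otherwise matches the message: a disconnect/reconnect is no longer implied for a port that merely signalled wakeup.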
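Review bot: In the second hcd.c hunk, `urb->transfer_buffer_length >= length` compares the `u32` URB field with the `int length` declared in the first hunk, so a negative `length` would convert to a large unsigned value and take the `status = 0` path; that cannot happen today because `length` is bounded by the 6-byte stack `buffer` in the same function, but a `u32`/`size_t` length or an explicit cast would make the intent obvious. Also worth stating in the message: after truncation `urb->actual_length` equals `transfer_buffer_length` and the URB completes with -EOVERFLOW, which is the behaviour usbfs users will now see for an undersized buffer, while the `/* Any root hubs with > 31 ports? */` comment remains the only bound on the HCD-side length.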