From: Greg Kroah-Hartman
Date: Wed, 10 Nov 2021 17:59:25 +0000 (+0100)
Subject: 4.4-stable patches
X-Git-Tag: v4.4.292~8
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9bfe100a54256c19ae71684763ae863957a11fad;p=thirdparty%2Fkernel%2Fstable-queue.git
4.4-stable patches
added patches:
comedi-dt9812-fix-dma-buffers-on-stack.patch
comedi-ni_usb6501-fix-null-deref-in-command-paths.patch
comedi-vmk80xx-fix-bulk-and-interrupt-message-timeouts.patch
comedi-vmk80xx-fix-bulk-buffer-overflow.patch
comedi-vmk80xx-fix-transfer-buffer-overflows.patch
isofs-fix-out-of-bound-access-for-corrupted-isofs-image.patch
rsi-fix-control-message-timeout.patch
staging-comedi-drivers-replace-le16_to_cpu-with-usb_endpoint_maxp.patch
staging-r8712u-fix-control-message-timeout.patch
staging-rtl8192u-fix-control-message-timeouts.patch
---
diff --git a/queue-4.4/comedi-dt9812-fix-dma-buffers-on-stack.patch b/queue-4.4/comedi-dt9812-fix-dma-buffers-on-stack.patch
new file mode 100644
index 00000000000..44cda22b365
--- /dev/null
+++ b/queue-4.4/comedi-dt9812-fix-dma-buffers-on-stack.patch
@@ -0,0 +1,209 @@
+From 536de747bc48262225889a533db6650731ab25d3 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Wed, 27 Oct 2021 11:35:29 +0200
+Subject: comedi: dt9812: fix DMA buffers on stack
+
+From: Johan Hovold
+
+commit 536de747bc48262225889a533db6650731ab25d3 upstream.
+
+USB transfer buffers are typically mapped for DMA and must not be
+allocated on the stack or transfers will fail.
+
+Allocate proper transfer buffers in the various command helpers and
+return an error on short transfers instead of acting on random stack
+data.
+
+Note that this also fixes a stack info leak on systems where DMA is not
+used as 32 bytes are always sent to the device regardless of how short
+the command is.
+
+Fixes: 63274cd7d38a ("Staging: comedi: add usb dt9812 driver")
+Cc: stable@vger.kernel.org # 2.6.29
+Reviewed-by: Ian Abbott
+Signed-off-by: Johan Hovold
+Link: https://lore.kernel.org/r/20211027093529.30896-3-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/staging/comedi/drivers/dt9812.c | 115 +++++++++++++++++++++++---------
+ 1 file changed, 86 insertions(+), 29 deletions(-)
+
+--- a/drivers/staging/comedi/drivers/dt9812.c
++++ b/drivers/staging/comedi/drivers/dt9812.c
+@@ -41,6 +41,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+
+ #include "../comedi_usb.h"
+@@ -246,22 +247,42 @@ static int dt9812_read_info(struct comed
+ {
+ struct usb_device *usb = comedi_to_usb_dev(dev);
+ struct dt9812_private *devpriv = dev->private;
+- struct dt9812_usb_cmd cmd;
++ struct dt9812_usb_cmd *cmd;
++ size_t tbuf_size;
+ int count, ret;
++ void *tbuf;
+
+- cmd.cmd = cpu_to_le32(DT9812_R_FLASH_DATA);
+- cmd.u.flash_data_info.address =
++ tbuf_size = max(sizeof(*cmd), buf_size);
++
++ tbuf = kzalloc(tbuf_size, GFP_KERNEL);
++ if (!tbuf)
++ return -ENOMEM;
++
++ cmd = tbuf;
++
++ cmd->cmd = cpu_to_le32(DT9812_R_FLASH_DATA);
++ cmd->u.flash_data_info.address =
+ cpu_to_le16(DT9812_DIAGS_BOARD_INFO_ADDR + offset);
+- cmd.u.flash_data_info.numbytes = cpu_to_le16(buf_size);
++ cmd->u.flash_data_info.numbytes = cpu_to_le16(buf_size);
+
+ /* DT9812 only responds to 32 byte writes!! */
+ ret = usb_bulk_msg(usb, usb_sndbulkpipe(usb, devpriv->cmd_wr.addr),
+- &cmd, 32, &count, DT9812_USB_TIMEOUT);
++ cmd, sizeof(*cmd), &count, DT9812_USB_TIMEOUT);
+ if (ret)
+- return ret;
++ goto out;
++
++ ret = usb_bulk_msg(usb, usb_rcvbulkpipe(usb, devpriv->cmd_rd.addr),
++ tbuf, buf_size, &count, DT9812_USB_TIMEOUT);
++ if (!ret) {
++ if (count == buf_size)
++ memcpy(buf, tbuf, buf_size);
++ else
++ ret = -EREMOTEIO;
++ }
++out:
++ kfree(tbuf);
+
+- return usb_bulk_msg(usb, usb_rcvbulkpipe(usb, devpriv->cmd_rd.addr),
+- buf, buf_size, &count, DT9812_USB_TIMEOUT);
++ return ret;
+ }
+
+ static int dt9812_read_multiple_registers(struct comedi_device *dev,
+@@ -270,22 +291,42 @@ static int dt9812_read_multiple_register
+ {
+ struct usb_device *usb = comedi_to_usb_dev(dev);
+ struct dt9812_private *devpriv = dev->private;
+- struct dt9812_usb_cmd cmd;
++ struct dt9812_usb_cmd *cmd;
+ int i, count, ret;
++ size_t buf_size;
++ void *buf;
++
++ buf_size = max_t(size_t, sizeof(*cmd), reg_count);
++
++ buf = kzalloc(buf_size, GFP_KERNEL);
++ if (!buf)
++ return -ENOMEM;
++
++ cmd = buf;
+
+- cmd.cmd = cpu_to_le32(DT9812_R_MULTI_BYTE_REG);
+- cmd.u.read_multi_info.count = reg_count;
++ cmd->cmd = cpu_to_le32(DT9812_R_MULTI_BYTE_REG);
++ cmd->u.read_multi_info.count = reg_count;
+ for (i = 0; i < reg_count; i++)
+- cmd.u.read_multi_info.address[i] = address[i];
++ cmd->u.read_multi_info.address[i] = address[i];
+
+ /* DT9812 only responds to 32 byte writes!! */
+ ret = usb_bulk_msg(usb, usb_sndbulkpipe(usb, devpriv->cmd_wr.addr),
+- &cmd, 32, &count, DT9812_USB_TIMEOUT);
++ cmd, sizeof(*cmd), &count, DT9812_USB_TIMEOUT);
+ if (ret)
+- return ret;
++ goto out;
+
+- return usb_bulk_msg(usb, usb_rcvbulkpipe(usb, devpriv->cmd_rd.addr),
+- value, reg_count, &count, DT9812_USB_TIMEOUT);
++ ret = usb_bulk_msg(usb, usb_rcvbulkpipe(usb, devpriv->cmd_rd.addr),
++ buf, reg_count, &count, DT9812_USB_TIMEOUT);
++ if (!ret) {
++ if (count == reg_count)
++ memcpy(value, buf, reg_count);
++ else
++ ret = -EREMOTEIO;
++ }
++out:
++ kfree(buf);
++
++ return ret;
+ }
+
+ static int dt9812_write_multiple_registers(struct comedi_device *dev,
+@@ -294,19 +335,27 @@ static int dt9812_write_multiple_registe
+ {
+ struct usb_device *usb = comedi_to_usb_dev(dev);
+ struct dt9812_private *devpriv = dev->private;
+- struct dt9812_usb_cmd cmd;
++ struct dt9812_usb_cmd *cmd;
+ int i, count;
++ int ret;
+
+- cmd.cmd = cpu_to_le32(DT9812_W_MULTI_BYTE_REG);
+- cmd.u.read_multi_info.count = reg_count;
++ cmd = kzalloc(sizeof(*cmd), GFP_KERNEL);
++ if (!cmd)
++ return -ENOMEM;
++
++ cmd->cmd = cpu_to_le32(DT9812_W_MULTI_BYTE_REG);
++ cmd->u.read_multi_info.count = reg_count;
+ for (i = 0; i < reg_count; i++) {
+- cmd.u.write_multi_info.write[i].address = address[i];
+- cmd.u.write_multi_info.write[i].value = value[i];
++ cmd->u.write_multi_info.write[i].address = address[i];
++ cmd->u.write_multi_info.write[i].value = value[i];
+ }
+
+ /* DT9812 only responds to 32 byte writes!! */
+- return usb_bulk_msg(usb, usb_sndbulkpipe(usb, devpriv->cmd_wr.addr),
+- &cmd, 32, &count, DT9812_USB_TIMEOUT);
++ ret = usb_bulk_msg(usb, usb_sndbulkpipe(usb, devpriv->cmd_wr.addr),
++ cmd, sizeof(*cmd), &count, DT9812_USB_TIMEOUT);
++ kfree(cmd);
++
++ return ret;
+ }
+
+ static int dt9812_rmw_multiple_registers(struct comedi_device *dev,
+@@ -315,17 +364,25 @@ static int dt9812_rmw_multiple_registers
+ {
+ struct usb_device *usb = comedi_to_usb_dev(dev);
+ struct dt9812_private *devpriv = dev->private;
+- struct dt9812_usb_cmd cmd;
++ struct dt9812_usb_cmd *cmd;
+ int i, count;
++ int ret;
++
++ cmd = kzalloc(sizeof(*cmd), GFP_KERNEL);
++ if (!cmd)
++ return -ENOMEM;
+
+- cmd.cmd = cpu_to_le32(DT9812_RMW_MULTI_BYTE_REG);
+- cmd.u.rmw_multi_info.count = reg_count;
++ cmd->cmd = cpu_to_le32(DT9812_RMW_MULTI_BYTE_REG);
++ cmd->u.rmw_multi_info.count = reg_count;
+ for (i = 0; i < reg_count; i++)
+- cmd.u.rmw_multi_info.rmw[i] = rmw[i];
++ cmd->u.rmw_multi_info.rmw[i] = rmw[i];
+
+ /* DT9812 only responds to 32 byte writes!! */
+- return usb_bulk_msg(usb, usb_sndbulkpipe(usb, devpriv->cmd_wr.addr),
+- &cmd, 32, &count, DT9812_USB_TIMEOUT);
++ ret = usb_bulk_msg(usb, usb_sndbulkpipe(usb, devpriv->cmd_wr.addr),
++ cmd, sizeof(*cmd), &count, DT9812_USB_TIMEOUT);
++ kfree(cmd);
++
++ return ret;
+ }
+
+ static int dt9812_digital_in(struct comedi_device *dev, u8 *bits)
diff --git a/queue-4.4/comedi-ni_usb6501-fix-null-deref-in-command-paths.patch b/queue-4.4/comedi-ni_usb6501-fix-null-deref-in-command-paths.patch
new file mode 100644
index 00000000000..a262703405c
--- /dev/null
+++ b/queue-4.4/comedi-ni_usb6501-fix-null-deref-in-command-paths.patch
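Review bot: The comment `/* DT9812 only responds to 32 byte writes!! */` now sits above a write of `sizeof(*cmd)` bytes in all four helpers, so the 32-byte requirement is no longer visible in the code and nothing fails the build if `struct dt9812_usb_cmd` (defined outside this hunk, so I cannot confirm its size here) ever changes. A `BUILD_BUG_ON(sizeof(struct dt9812_usb_cmd) != 32);` in one of these helpers would pin the invariant the comment describes. The bulk-out `count` is also captured but, unlike on the read side, never compared with the requested length; if a short OUT transfer can complete without an error on this path, `if (count != sizeof(*cmd)) ret = -EREMOTEIO;` after the write would mirror the new read check. dt9812_digital_in() starts on the last line of the hunk and continues outside it.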
@@ -0,0 +1,54 @@
+From 907767da8f3a925b060c740e0b5c92ea7dbec440 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Wed, 27 Oct 2021 11:35:28 +0200
+Subject: comedi: ni_usb6501: fix NULL-deref in command paths
+
+From: Johan Hovold
+
+commit 907767da8f3a925b060c740e0b5c92ea7dbec440 upstream.
+
+The driver uses endpoint-sized USB transfer buffers but had no sanity
+checks on the sizes. This can lead to zero-size-pointer dereferences or
+overflowed transfer buffers in ni6501_port_command() and
+ni6501_counter_command() if a (malicious) device has smaller max-packet
+sizes than expected (or when doing descriptor fuzz testing).
+
+Add the missing sanity checks to probe().
+
+Fixes: a03bb00e50ab ("staging: comedi: add NI USB-6501 support")
+Cc: stable@vger.kernel.org # 3.18
+Cc: Luca Ellero
+Reviewed-by: Ian Abbott
+Signed-off-by: Johan Hovold
+Link: https://lore.kernel.org/r/20211027093529.30896-2-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/staging/comedi/drivers/ni_usb6501.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/staging/comedi/drivers/ni_usb6501.c
++++ b/drivers/staging/comedi/drivers/ni_usb6501.c
+@@ -153,6 +153,10 @@ static const u8 READ_COUNTER_RESPONSE[]
+ 0x00, 0x00, 0x00, 0x02,
+ 0x00, 0x00, 0x00, 0x00};
+
++/* Largest supported packets */
++static const size_t TX_MAX_SIZE = sizeof(SET_PORT_DIR_REQUEST);
++static const size_t RX_MAX_SIZE = sizeof(READ_PORT_RESPONSE);
++
+ enum commands {
+ READ_PORT,
+ WRITE_PORT,
+@@ -510,6 +514,12 @@ static int ni6501_find_endpoints(struct
+ if (!devpriv->ep_rx || !devpriv->ep_tx)
+ return -ENODEV;
+
++ if (usb_endpoint_maxp(devpriv->ep_rx) < RX_MAX_SIZE)
++ return -ENODEV;
++
++ if (usb_endpoint_maxp(devpriv->ep_tx) < TX_MAX_SIZE)
++ return -ENODEV;
++
+ return 0;
+ }
+
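Review bot: `TX_MAX_SIZE` and `RX_MAX_SIZE` are declared the "largest supported packets" only by the comment above them; nothing checks that `SET_PORT_DIR_REQUEST` and `READ_PORT_RESPONSE` really are the largest request/response templates in the file, so a larger template added later would silently reopen the overflow these two checks close. Compile-time assertions against the other templates, e.g. `BUILD_BUG_ON(sizeof(READ_COUNTER_RESPONSE) > sizeof(READ_PORT_RESPONSE));` in ni6501_find_endpoints() (the `static const size_t` variables themselves are not constant expressions, so compare the `sizeof`s directly), would keep the invariant enforced. The two new `return -ENODEV;` paths are also silent; a `dev_err()` naming the undersized endpoint would make a rejected or fuzzed device diagnosable. ni6501_find_endpoints() starts before the hunk.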
diff --git a/queue-4.4/comedi-vmk80xx-fix-bulk-and-interrupt-message-timeouts.patch b/queue-4.4/comedi-vmk80xx-fix-bulk-and-interrupt-message-timeouts.patch
new file mode 100644
index 00000000000..bbc9bd7bd8d
--- /dev/null
+++ b/queue-4.4/comedi-vmk80xx-fix-bulk-and-interrupt-message-timeouts.patch
@@ -0,0 +1,74 @@
+From a56d3e40bda460edf3f8d6aac00ec0b322b4ab83 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Mon, 25 Oct 2021 13:45:32 +0200
+Subject: comedi: vmk80xx: fix bulk and interrupt message timeouts
+
+From: Johan Hovold
+
+commit a56d3e40bda460edf3f8d6aac00ec0b322b4ab83 upstream.
+
+USB bulk and interrupt message timeouts are specified in milliseconds
+and should specifically not vary with CONFIG_HZ.
+
+Note that the bulk-out transfer timeout was set to the endpoint
+bInterval value, which should be ignored for bulk endpoints and is
+typically set to zero. This meant that a failing bulk-out transfer
+would never time out.
+
+Assume that the 10 second timeout used for all other transfers is more
+than enough also for the bulk-out endpoint.
+
+Fixes: 985cafccbf9b ("Staging: Comedi: vmk80xx: Add k8061 support")
+Fixes: 951348b37738 ("staging: comedi: vmk80xx: wait for URBs to complete")
+Cc: stable@vger.kernel.org # 2.6.31
+Signed-off-by: Johan Hovold
+Reviewed-by: Ian Abbott
+Link: https://lore.kernel.org/r/20211025114532.4599-6-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/staging/comedi/drivers/vmk80xx.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/drivers/staging/comedi/drivers/vmk80xx.c
++++ b/drivers/staging/comedi/drivers/vmk80xx.c
+@@ -100,6 +100,7 @@ enum {
+ #define IC6_VERSION BIT(1)
+
+ #define MIN_BUF_SIZE 64
++#define PACKET_TIMEOUT 10000 /* ms */
+
+ enum vmk80xx_model {
+ VMK8055_MODEL,
+@@ -178,10 +179,11 @@ static void vmk80xx_do_bulk_msg(struct c
+ tx_size = usb_endpoint_maxp(devpriv->ep_tx);
+ rx_size = usb_endpoint_maxp(devpriv->ep_rx);
+
+- usb_bulk_msg(usb, tx_pipe, devpriv->usb_tx_buf,
+- tx_size, NULL, devpriv->ep_tx->bInterval);
++ usb_bulk_msg(usb, tx_pipe, devpriv->usb_tx_buf, tx_size, NULL,
++ PACKET_TIMEOUT);
+
+- usb_bulk_msg(usb, rx_pipe, devpriv->usb_rx_buf, rx_size, NULL, HZ * 10);
++ usb_bulk_msg(usb, rx_pipe, devpriv->usb_rx_buf, rx_size, NULL,
++ PACKET_TIMEOUT);
+ }
+
+ static int vmk80xx_read_packet(struct comedi_device *dev)
+@@ -200,7 +202,7 @@ static int vmk80xx_read_packet(struct co
+ pipe = usb_rcvintpipe(usb, ep->bEndpointAddress);
+ return usb_interrupt_msg(usb, pipe, devpriv->usb_rx_buf,
+ usb_endpoint_maxp(ep), NULL,
+- HZ * 10);
++ PACKET_TIMEOUT);
+ }
+
+ static int vmk80xx_write_packet(struct comedi_device *dev, int cmd)
+@@ -221,7 +223,7 @@ static int vmk80xx_write_packet(struct c
+ pipe = usb_sndintpipe(usb, ep->bEndpointAddress);
+ return usb_interrupt_msg(usb, pipe, devpriv->usb_tx_buf,
+ usb_endpoint_maxp(ep), NULL,
+- HZ * 10);
++ PACKET_TIMEOUT);
+ }
+
+ static int vmk80xx_reset_device(struct comedi_device *dev)
diff --git a/queue-4.4/comedi-vmk80xx-fix-bulk-buffer-overflow.patch b/queue-4.4/comedi-vmk80xx-fix-bulk-buffer-overflow.patch
new file mode 100644
index 00000000000..c19ed9fd6b6
--- /dev/null
+++ b/queue-4.4/comedi-vmk80xx-fix-bulk-buffer-overflow.patch
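Review bot: Both usb_bulk_msg() calls in vmk80xx_do_bulk_msg() still pass NULL for actual_length and discard the return value, so now that the bulk-in transfer can actually time out after PACKET_TIMEOUT, a failed or short read leaves usb_rx_buf holding whatever the previous packet left there and the caller has no way to notice. vmk80xx_read_packet() and vmk80xx_write_packet() in the same hunk already return the usb_interrupt_msg() status, so the bulk path is the odd one out; at minimum capture it, `ret = usb_bulk_msg(usb, rx_pipe, devpriv->usb_rx_buf, rx_size, NULL, PACKET_TIMEOUT);`, and return it. The function is void and its signature is outside the hunk, so that change also touches its callers.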
@@ -0,0 +1,55 @@
+From 78cdfd62bd54af615fba9e3ca1ba35de39d3871d Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Mon, 25 Oct 2021 13:45:31 +0200
+Subject: comedi: vmk80xx: fix bulk-buffer overflow
+
+From: Johan Hovold
+
+commit 78cdfd62bd54af615fba9e3ca1ba35de39d3871d upstream.
+
+The driver is using endpoint-sized buffers but must not assume that the
+tx and rx buffers are of equal size or a malicious device could overflow
+the slab-allocated receive buffer when doing bulk transfers.
+
+Fixes: 985cafccbf9b ("Staging: Comedi: vmk80xx: Add k8061 support")
+Cc: stable@vger.kernel.org # 2.6.31
+Signed-off-by: Johan Hovold
+Reviewed-by: Ian Abbott
+Link: https://lore.kernel.org/r/20211025114532.4599-5-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/staging/comedi/drivers/vmk80xx.c | 16 +++++++---------
+ 1 file changed, 7 insertions(+), 9 deletions(-)
+
+--- a/drivers/staging/comedi/drivers/vmk80xx.c
++++ b/drivers/staging/comedi/drivers/vmk80xx.c
+@@ -168,22 +168,20 @@ static void vmk80xx_do_bulk_msg(struct c
+ __u8 rx_addr;
+ unsigned int tx_pipe;
+ unsigned int rx_pipe;
+- size_t size;
++ size_t tx_size;
++ size_t rx_size;
+
+ tx_addr = devpriv->ep_tx->bEndpointAddress;
+ rx_addr = devpriv->ep_rx->bEndpointAddress;
+ tx_pipe = usb_sndbulkpipe(usb, tx_addr);
+ rx_pipe = usb_rcvbulkpipe(usb, rx_addr);
+-
+- /*
+- * The max packet size attributes of the K8061
+- * input/output endpoints are identical
+- */
+- size = usb_endpoint_maxp(devpriv->ep_tx);
++ tx_size = usb_endpoint_maxp(devpriv->ep_tx);
++ rx_size = usb_endpoint_maxp(devpriv->ep_rx);
+
+ usb_bulk_msg(usb, tx_pipe, devpriv->usb_tx_buf,
+- size, NULL, devpriv->ep_tx->bInterval);
++ tx_size, NULL, devpriv->ep_tx->bInterval);
++
++ usb_bulk_msg(usb, rx_pipe, devpriv->usb_rx_buf, rx_size, NULL, HZ * 10);
+ }
+
+ static int vmk80xx_read_packet(struct comedi_device *dev)
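Review bot: The removed comment was wrong but at least stated the sizing assumption; the new code transfers `tx_size` and `rx_size` bytes into usb_tx_buf/usb_rx_buf while saying nothing about where those buffers' sizes come from, and the allocation in vmk80xx_alloc_usb_buffers() is outside this hunk, so the reader cannot see that each buffer is at least as large as its endpoint's wMaxPacketSize. A one-line comment above the two transfers, e.g. `/* usb_{tx,rx}_buf must be sized from the same endpoint descriptors, see vmk80xx_alloc_usb_buffers() */`, would record the invariant this fix depends on. vmk80xx_do_bulk_msg() starts before the hunk.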
diff --git a/queue-4.4/comedi-vmk80xx-fix-transfer-buffer-overflows.patch b/queue-4.4/comedi-vmk80xx-fix-transfer-buffer-overflows.patch
new file mode 100644
index 00000000000..b32748d77c4
--- /dev/null
+++ b/queue-4.4/comedi-vmk80xx-fix-transfer-buffer-overflows.patch
@@ -0,0 +1,62 @@
+From a23461c47482fc232ffc9b819539d1f837adf2b1 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Mon, 25 Oct 2021 13:45:30 +0200
+Subject: comedi: vmk80xx: fix transfer-buffer overflows
+
+From: Johan Hovold
+
+commit a23461c47482fc232ffc9b819539d1f837adf2b1 upstream.
+
+The driver uses endpoint-sized USB transfer buffers but up until
+recently had no sanity checks on the sizes.
+
+Commit e1f13c879a7c ("staging: comedi: check validity of wMaxPacketSize
+of usb endpoints found") inadvertently fixed NULL-pointer dereferences
+when accessing the transfer buffers in case a malicious device has a
+zero wMaxPacketSize.
+
+Make sure to allocate buffers large enough to handle also the other
+accesses that are done without a size check (e.g. byte 18 in
+vmk80xx_cnt_insn_read() for the VMK8061_MODEL) to avoid writing beyond
+the buffers, for example, when doing descriptor fuzzing.
+
+The original driver was for a low-speed device with 8-byte buffers.
+Support was later added for a device that uses bulk transfers and is
+presumably a full-speed device with a maximum 64-byte wMaxPacketSize.
+
+Fixes: 985cafccbf9b ("Staging: Comedi: vmk80xx: Add k8061 support")
+Cc: stable@vger.kernel.org # 2.6.31
+Signed-off-by: Johan Hovold
+Reviewed-by: Ian Abbott
+Link: https://lore.kernel.org/r/20211025114532.4599-4-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/staging/comedi/drivers/vmk80xx.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/staging/comedi/drivers/vmk80xx.c
++++ b/drivers/staging/comedi/drivers/vmk80xx.c
+@@ -99,6 +99,8 @@ enum {
+ #define IC3_VERSION BIT(0)
+ #define IC6_VERSION BIT(1)
+
++#define MIN_BUF_SIZE 64
++
+ enum vmk80xx_model {
+ VMK8055_MODEL,
+ VMK8061_MODEL
+@@ -687,12 +689,12 @@ static int vmk80xx_alloc_usb_buffers(str
+ struct vmk80xx_private *devpriv = dev->private;
+ size_t size;
+
+- size = usb_endpoint_maxp(devpriv->ep_rx);
++ size = max(usb_endpoint_maxp(devpriv->ep_rx), MIN_BUF_SIZE);
+ devpriv->usb_rx_buf = kzalloc(size, GFP_KERNEL);
+ if (!devpriv->usb_rx_buf)
+ return -ENOMEM;
+
+- size = usb_endpoint_maxp(devpriv->ep_tx);
++ size = max(usb_endpoint_maxp(devpriv->ep_rx), MIN_BUF_SIZE);
+ devpriv->usb_tx_buf = kzalloc(size, GFP_KERNEL);
+ if (!devpriv->usb_tx_buf)
+ return -ENOMEM;
diff --git a/queue-4.4/isofs-fix-out-of-bound-access-for-corrupted-isofs-image.patch b/queue-4.4/isofs-fix-out-of-bound-access-for-corrupted-isofs-image.patch
new file mode 100644
index 00000000000..ef09059d4c0
--- /dev/null
+++ b/queue-4.4/isofs-fix-out-of-bound-access-for-corrupted-isofs-image.patch
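Review bot: The second allocation in vmk80xx_alloc_usb_buffers() sizes `usb_tx_buf` from the wrong endpoint: the removed line used `devpriv->ep_tx`, but the replacement reads `size = max(usb_endpoint_maxp(devpriv->ep_rx), MIN_BUF_SIZE);`. vmk80xx_write_packet() and vmk80xx_do_bulk_msg() (elsewhere in this series) transfer `usb_endpoint_maxp(ep_tx)` bytes out of that buffer, so a device whose tx endpoint advertises a larger wMaxPacketSize than its rx endpoint, and larger than 64, reads past the allocation — the class of bug this patch sets out to close. The line should be `size = max(usb_endpoint_maxp(devpriv->ep_tx), MIN_BUF_SIZE);`. vmk80xx_alloc_usb_buffers() starts before the hunk.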
@@ -0,0 +1,32 @@
+From e96a1866b40570b5950cda8602c2819189c62a48 Mon Sep 17 00:00:00 2001
+From: Jan Kara
+Date: Mon, 18 Oct 2021 12:37:41 +0200
+Subject: isofs: Fix out of bound access for corrupted isofs image
+
+From: Jan Kara
+
+commit e96a1866b40570b5950cda8602c2819189c62a48 upstream.
+
+When isofs image is suitably corrupted isofs_read_inode() can read data
+beyond the end of buffer. Sanity-check the directory entry length before
+using it.
+
+Reported-and-tested-by: syzbot+6fc7fb214625d82af7d1@syzkaller.appspotmail.com
+CC: stable@vger.kernel.org
+Signed-off-by: Jan Kara
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/isofs/inode.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/isofs/inode.c
++++ b/fs/isofs/inode.c
+@@ -1268,6 +1268,8 @@ static int isofs_read_inode(struct inode
+
+ de = (struct iso_directory_record *) (bh->b_data + offset);
+ de_len = *(unsigned char *) de;
++ if (de_len < sizeof(struct iso_directory_record))
++ goto fail;
+
+ if (offset + de_len > bufsize) {
+ int frag1 = bufsize - offset;
diff --git a/queue-4.4/rsi-fix-control-message-timeout.patch b/queue-4.4/rsi-fix-control-message-timeout.patch
new file mode 100644
index 00000000000..a4b1afacd8e
--- /dev/null
+++ b/queue-4.4/rsi-fix-control-message-timeout.patch
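Review bot: The new length check jumps to `fail` without recording why, so a deliberately corrupted image that trips it is indistinguishable in the log from the other error paths of isofs_read_inode(); the `fail` label and whatever it reports are outside the hunk, so if it does not already print, a `printk(KERN_WARNING "ISOFS: directory record too short (%u)\n", de_len);` before the `goto` would make such images diagnosable. The check also covers only the fixed part of the record; whether `de->name_len` (read later, outside the hunk) is validated against `de_len` is not visible here and is worth confirming. isofs_read_inode() starts before the hunk and continues after it.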
@@ -0,0 +1,36 @@
+From 541fd20c3ce5b0bc39f0c6a52414b6b92416831c Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Mon, 25 Oct 2021 14:05:22 +0200
+Subject: rsi: fix control-message timeout
+
+From: Johan Hovold
+
+commit 541fd20c3ce5b0bc39f0c6a52414b6b92416831c upstream.
+
+USB control-message timeouts are specified in milliseconds and should
+specifically not vary with CONFIG_HZ.
+
+Use the common control-message timeout define for the five-second
+timeout.
+
+Fixes: dad0d04fa7ba ("rsi: Add RS9113 wireless driver")
+Cc: stable@vger.kernel.org # 3.15
+Signed-off-by: Johan Hovold
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20211025120522.6045-5-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/rsi/rsi_91x_usb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/rsi/rsi_91x_usb.c
++++ b/drivers/net/wireless/rsi/rsi_91x_usb.c
+@@ -42,7 +42,7 @@ static int rsi_usb_card_write(struct rsi
+ buf,
+ len,
+ &transfer,
+- HZ * 5);
++ USB_CTRL_SET_TIMEOUT);
+
+ if (status < 0) {
+ rsi_dbg(ERR_ZONE,
diff --git a/queue-4.4/series b/queue-4.4/series
index e31e4375a99..8d2f6043117 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -7,3 +7,13 @@ usb-gadget-mark-usb_fsl_qe-broken-on-64-bit.patch
 usb-storage-add-compatibility-quirk-flags-for-iodd-2531-2541.patch
 printk-console-allow-to-disable-console-output-by-using-console-or-console-null.patch
 usb-hso-fix-error-handling-code-of-hso_create_net_device.patch
+isofs-fix-out-of-bound-access-for-corrupted-isofs-image.patch
+comedi-dt9812-fix-dma-buffers-on-stack.patch
+comedi-ni_usb6501-fix-null-deref-in-command-paths.patch
+staging-comedi-drivers-replace-le16_to_cpu-with-usb_endpoint_maxp.patch
+comedi-vmk80xx-fix-transfer-buffer-overflows.patch
+comedi-vmk80xx-fix-bulk-buffer-overflow.patch
+comedi-vmk80xx-fix-bulk-and-interrupt-message-timeouts.patch
+staging-r8712u-fix-control-message-timeout.patch
+staging-rtl8192u-fix-control-message-timeouts.patch
+rsi-fix-control-message-timeout.patch
diff --git a/queue-4.4/staging-comedi-drivers-replace-le16_to_cpu-with-usb_endpoint_maxp.patch b/queue-4.4/staging-comedi-drivers-replace-le16_to_cpu-with-usb_endpoint_maxp.patch
new file mode 100644
index 00000000000..5f32543f410
--- /dev/null
+++ b/queue-4.4/staging-comedi-drivers-replace-le16_to_cpu-with-usb_endpoint_maxp.patch
@@ -0,0 +1,109 @@
+From 62190d498c1d1cee970176840f24822fc14d27d1 Mon Sep 17 00:00:00 2001
+From: Cheah Kok Cheong
+Date: Fri, 22 Jul 2016 23:29:39 +0800
+Subject: staging: comedi: drivers: replace le16_to_cpu() with usb_endpoint_maxp()
+
+From: Cheah Kok Cheong
+
+commit 62190d498c1d1cee970176840f24822fc14d27d1 upstream.
+
+Use macro introduced in commit 939f325f4a0f
+("usb: add usb_endpoint_maxp() macro")
+
+Signed-off-by: Cheah Kok Cheong
+Reviewed-by: Ian Abbott
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/staging/comedi/drivers/dt9812.c | 4 ++--
+ drivers/staging/comedi/drivers/ni_usb6501.c | 4 ++--
+ drivers/staging/comedi/drivers/vmk80xx.c | 12 ++++++------
+ 3 files changed, 10 insertions(+), 10 deletions(-)
+
+--- a/drivers/staging/comedi/drivers/dt9812.c
++++ b/drivers/staging/comedi/drivers/dt9812.c
+@@ -717,12 +717,12 @@ static int dt9812_find_endpoints(struct
+ case 1:
+ dir = USB_DIR_OUT;
+ devpriv->cmd_wr.addr = ep->bEndpointAddress;
+- devpriv->cmd_wr.size = le16_to_cpu(ep->wMaxPacketSize);
++ devpriv->cmd_wr.size = usb_endpoint_maxp(ep);
+ break;
+ case 2:
+ dir = USB_DIR_IN;
+ devpriv->cmd_rd.addr = ep->bEndpointAddress;
+- devpriv->cmd_rd.size = le16_to_cpu(ep->wMaxPacketSize);
++ devpriv->cmd_rd.size = usb_endpoint_maxp(ep);
+ break;
+ case 3:
+ /* unused write stream */
+--- a/drivers/staging/comedi/drivers/ni_usb6501.c
++++ b/drivers/staging/comedi/drivers/ni_usb6501.c
+@@ -469,12 +469,12 @@ static int ni6501_alloc_usb_buffers(stru
+ struct ni6501_private *devpriv = dev->private;
+ size_t size;
+
+- size = le16_to_cpu(devpriv->ep_rx->wMaxPacketSize);
++ size = usb_endpoint_maxp(devpriv->ep_rx);
+ devpriv->usb_rx_buf = kzalloc(size, GFP_KERNEL);
+ if (!devpriv->usb_rx_buf)
+ return -ENOMEM;
+
+- size = le16_to_cpu(devpriv->ep_tx->wMaxPacketSize);
++ size = usb_endpoint_maxp(devpriv->ep_tx);
+ devpriv->usb_tx_buf = kzalloc(size, GFP_KERNEL);
+ if (!devpriv->usb_tx_buf)
+ return -ENOMEM;
+--- a/drivers/staging/comedi/drivers/vmk80xx.c
++++ b/drivers/staging/comedi/drivers/vmk80xx.c
+@@ -177,7 +177,7 @@ static void vmk80xx_do_bulk_msg(struct c
+ * The max packet size attributes of the K8061
+ * input/output endpoints are identical
+ */
+- size = le16_to_cpu(devpriv->ep_tx->wMaxPacketSize);
++ size = usb_endpoint_maxp(devpriv->ep_tx);
+
+ usb_bulk_msg(usb, tx_pipe, devpriv->usb_tx_buf,
+ size, NULL, devpriv->ep_tx->bInterval);
+@@ -199,7 +199,7 @@ static int vmk80xx_read_packet(struct co
+ ep = devpriv->ep_rx;
+ pipe = usb_rcvintpipe(usb, ep->bEndpointAddress);
+ return usb_interrupt_msg(usb, pipe, devpriv->usb_rx_buf,
+- le16_to_cpu(ep->wMaxPacketSize), NULL,
++ usb_endpoint_maxp(ep), NULL,
+ HZ * 10);
+ }
+
+@@ -220,7 +220,7 @@ static int vmk80xx_write_packet(struct c
+ ep = devpriv->ep_tx;
+ pipe = usb_sndintpipe(usb, ep->bEndpointAddress);
+ return usb_interrupt_msg(usb, pipe, devpriv->usb_tx_buf,
+- le16_to_cpu(ep->wMaxPacketSize), NULL,
++ usb_endpoint_maxp(ep), NULL,
+ HZ * 10);
+ }
+
+@@ -230,7 +230,7 @@ static int vmk80xx_reset_device(struct c
+ size_t size;
+ int retval;
+
+- size = le16_to_cpu(devpriv->ep_tx->wMaxPacketSize);
++ size = usb_endpoint_maxp(devpriv->ep_tx);
+ memset(devpriv->usb_tx_buf, 0, size);
+ retval = vmk80xx_write_packet(dev, VMK8055_CMD_RST);
+ if (retval)
+@@ -687,12 +687,12 @@ static int vmk80xx_alloc_usb_buffers(str
+ struct vmk80xx_private *devpriv = dev->private;
+ size_t size;
+
+- size = le16_to_cpu(devpriv->ep_rx->wMaxPacketSize);
++ size = usb_endpoint_maxp(devpriv->ep_rx);
+ devpriv->usb_rx_buf = kzalloc(size, GFP_KERNEL);
+ if (!devpriv->usb_rx_buf)
+ return -ENOMEM;
+
+- size = le16_to_cpu(devpriv->ep_tx->wMaxPacketSize);
++ size = usb_endpoint_maxp(devpriv->ep_tx);
+ devpriv->usb_tx_buf = kzalloc(size, GFP_KERNEL);
+ if (!devpriv->usb_tx_buf)
+ return -ENOMEM;
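Review bot: This backport is a prerequisite for the vmk80xx and ni_usb6501 fixes queued with it, but in a 4.4 tree usb_endpoint_maxp() may still return the raw 16-bit wMaxPacketSize rather than the masked 11-bit packet size (upstream added the masking helper later), which is worth confirming against include/linux/usb.h on this branch. If it is unmasked, a descriptor with bits 12:11 set yields sizes up to 0x1fff; every allocation and transfer in these hunks derives from the same call so they stay mutually consistent, but the values are larger than any real packet and the "max packet size attributes ... are identical" comment kept in vmk80xx_do_bulk_msg() remains an unchecked assumption at this point in the series. The trailer also carries `Signed-off-by: Greg Kroah-Hartman` twice.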
diff --git a/queue-4.4/staging-r8712u-fix-control-message-timeout.patch b/queue-4.4/staging-r8712u-fix-control-message-timeout.patch
new file mode 100644
index 00000000000..b2d4c5123fd
--- /dev/null
+++ b/queue-4.4/staging-r8712u-fix-control-message-timeout.patch
@@ -0,0 +1,33 @@
+From ce4940525f36ffdcf4fa623bcedab9c2a6db893a Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Mon, 25 Oct 2021 14:09:10 +0200
+Subject: staging: r8712u: fix control-message timeout
+
+From: Johan Hovold
+
+commit ce4940525f36ffdcf4fa623bcedab9c2a6db893a upstream.
+
+USB control-message timeouts are specified in milliseconds and should
+specifically not vary with CONFIG_HZ.
+
+Fixes: 2865d42c78a9 ("staging: r8712u: Add the new driver to the mainline kernel")
+Cc: stable@vger.kernel.org # 2.6.37
+Acked-by: Larry Finger
+Signed-off-by: Johan Hovold
+Link: https://lore.kernel.org/r/20211025120910.6339-3-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/staging/rtl8712/usb_ops_linux.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/rtl8712/usb_ops_linux.c
++++ b/drivers/staging/rtl8712/usb_ops_linux.c
+@@ -511,7 +511,7 @@ int r8712_usbctrl_vendorreq(struct intf_
+ memcpy(pIo_buf, pdata, len);
+ }
+ status = usb_control_msg(udev, pipe, request, reqtype, value, index,
+- pIo_buf, len, HZ / 2);
++ pIo_buf, len, 500);
+ if (status > 0) { /* Success this control transfer. */
+ if (requesttype == 0x01) {
+ /* For Control read transfer, we have to copy the read
diff --git a/queue-4.4/staging-rtl8192u-fix-control-message-timeouts.patch b/queue-4.4/staging-rtl8192u-fix-control-message-timeouts.patch
new file mode 100644
index 00000000000..bbb605b82c3
--- /dev/null
+++ b/queue-4.4/staging-rtl8192u-fix-control-message-timeouts.patch
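Review bot: The replacement timeout is a bare `500` with no unit, which is the same readability problem the old `HZ / 2` had in a different form; a named constant keeps the intent visible, e.g. `#define R8712_CTRL_TIMEOUT 500 /* ms */` near the top of usb_ops_linux.c (outside the hunk) and `pIo_buf, len, R8712_CTRL_TIMEOUT);` here. r8712_usbctrl_vendorreq() starts before the hunk and continues after it.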
@@ -0,0 +1,105 @@
+From 4cfa36d312d6789448b59a7aae770ac8425017a3 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Mon, 25 Oct 2021 14:09:09 +0200
+Subject: staging: rtl8192u: fix control-message timeouts
+
+From: Johan Hovold
+
+commit 4cfa36d312d6789448b59a7aae770ac8425017a3 upstream.
+
+USB control-message timeouts are specified in milliseconds and should
+specifically not vary with CONFIG_HZ.
+
+Fixes: 8fc8598e61f6 ("Staging: Added Realtek rtl8192u driver to staging")
+Cc: stable@vger.kernel.org # 2.6.33
+Acked-by: Larry Finger
+Signed-off-by: Johan Hovold
+Link: https://lore.kernel.org/r/20211025120910.6339-2-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/staging/rtl8192u/r8192U_core.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+--- a/drivers/staging/rtl8192u/r8192U_core.c
++++ b/drivers/staging/rtl8192u/r8192U_core.c
+@@ -267,7 +267,7 @@ void write_nic_byte_E(struct net_device
+
+ status = usb_control_msg(udev, usb_sndctrlpipe(udev, 0),
+ RTL8187_REQ_SET_REGS, RTL8187_REQT_WRITE,
+- indx | 0xfe00, 0, usbdata, 1, HZ / 2);
++ indx | 0xfe00, 0, usbdata, 1, 500);
+ kfree(usbdata);
+
+ if (status < 0)
+@@ -287,7 +287,7 @@ int read_nic_byte_E(struct net_device *d
+
+ status = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0),
+ RTL8187_REQ_GET_REGS, RTL8187_REQT_READ,
+- indx | 0xfe00, 0, usbdata, 1, HZ / 2);
++ indx | 0xfe00, 0, usbdata, 1, 500);
+ *data = *usbdata;
+ kfree(usbdata);
+
+@@ -314,7 +314,7 @@ void write_nic_byte(struct net_device *d
+ status = usb_control_msg(udev, usb_sndctrlpipe(udev, 0),
+ RTL8187_REQ_SET_REGS, RTL8187_REQT_WRITE,
+ (indx & 0xff) | 0xff00, (indx >> 8) & 0x0f,
+- usbdata, 1, HZ / 2);
++ usbdata, 1, 500);
+ kfree(usbdata);
+
+ if (status < 0)
+@@ -340,7 +340,7 @@ void write_nic_word(struct net_device *d
+ status = usb_control_msg(udev, usb_sndctrlpipe(udev, 0),
+ RTL8187_REQ_SET_REGS, RTL8187_REQT_WRITE,
+ (indx & 0xff) | 0xff00, (indx >> 8) & 0x0f,
+- usbdata, 2, HZ / 2);
++ usbdata, 2, 500);
+ kfree(usbdata);
+
+ if (status < 0)
+@@ -365,7 +365,7 @@ void write_nic_dword(struct net_device *
+ status = usb_control_msg(udev, usb_sndctrlpipe(udev, 0),
+ RTL8187_REQ_SET_REGS, RTL8187_REQT_WRITE,
+ (indx & 0xff) | 0xff00, (indx >> 8) & 0x0f,
+- usbdata, 4, HZ / 2);
++ usbdata, 4, 500);
+ kfree(usbdata);
+
+
+@@ -390,7 +390,7 @@ int read_nic_byte(struct net_device *dev
+ status = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0),
+ RTL8187_REQ_GET_REGS, RTL8187_REQT_READ,
+ (indx & 0xff) | 0xff00, (indx >> 8) & 0x0f,
+- usbdata, 1, HZ / 2);
++ usbdata, 1, 500);
+ *data = *usbdata;
+ kfree(usbdata);
+
+@@ -417,7 +417,7 @@ int read_nic_word(struct net_device *dev
+ status = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0),
+ RTL8187_REQ_GET_REGS, RTL8187_REQT_READ,
+ (indx & 0xff) | 0xff00, (indx >> 8) & 0x0f,
+- usbdata, 2, HZ / 2);
++ usbdata, 2, 500);
+ *data = *usbdata;
+ kfree(usbdata);
+
+@@ -441,7 +441,7 @@ static int read_nic_word_E(struct net_de
+
+ status = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0),
+ RTL8187_REQ_GET_REGS, RTL8187_REQT_READ,
+- indx | 0xfe00, 0, usbdata, 2, HZ / 2);
++ indx | 0xfe00, 0, usbdata, 2, 500);
+ *data = *usbdata;
+ kfree(usbdata);
+
+@@ -467,7 +467,7 @@ int read_nic_dword(struct net_device *de
+ status = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0),
+ RTL8187_REQ_GET_REGS, RTL8187_REQT_READ,
+ (indx & 0xff) | 0xff00, (indx >> 8) & 0x0f,
+- usbdata, 4, HZ / 2);
++ usbdata, 4, 500);
+ *data = *usbdata;
+ kfree(usbdata);
+
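Review bot: Every read_nic_* hunk copies `*data = *usbdata;` before `status` is examined, so when the control transfer fails or now times out after 500 ms the caller receives whatever `usbdata` held — uninitialized heap memory if it is kmalloc'ed rather than zeroed (the allocation is outside the hunk). Guarding the copy, `if (status >= 0) *data = *usbdata;`, in read_nic_byte_E(), read_nic_byte(), read_nic_word(), read_nic_word_E() and read_nic_dword() keeps the stale value from reaching the register-read callers. The nine literal `500`s would also read better as a single `#define` carrying a `/* ms */` comment. Each function shown starts before its hunk and continues after it.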