From: Greg Kroah-Hartman Date: Tue, 23 Apr 2024 12:10:44 +0000 (+0200) Subject: 4.19-stable patches X-Git-Tag: v5.15.157~40 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9e7c44d8cc47a45cca718bf6add5acefea9d546b;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: comedi-vmk80xx-fix-incomplete-endpoint-checking.patch
---
diff --git a/queue-4.19/comedi-vmk80xx-fix-incomplete-endpoint-checking.patch b/queue-4.19/comedi-vmk80xx-fix-incomplete-endpoint-checking.patch
new file mode 100644
index 00000000000..b6d74efedc9
--- /dev/null
+++ b/queue-4.19/comedi-vmk80xx-fix-incomplete-endpoint-checking.patch
@@ -0,0 +1,98 @@ +From d1718530e3f640b7d5f0050e725216eab57a85d8 Mon Sep 17 00:00:00 2001 +From: Nikita Zhandarovich +Date: Mon, 8 Apr 2024 10:16:33 -0700 +Subject: comedi: vmk80xx: fix incomplete endpoint checking + +From: Nikita Zhandarovich + +commit d1718530e3f640b7d5f0050e725216eab57a85d8 upstream. + +While vmk80xx does have endpoint checking implemented, some things +can fall through the cracks. Depending on the hardware model, +URBs can have either bulk or interrupt type, and current version +of vmk80xx_find_usb_endpoints() function does not take that fully +into account. While this warning does not seem to be too harmful, +at the very least it will crash systems with 'panic_on_warn' set on +them. + +Fix the issue found by Syzkaller [1] by somewhat simplifying the +endpoint checking process with usb_find_common_endpoints() and +ensuring that only expected endpoint types are present. + +This patch has not been tested on real hardware. + +[1] Syzkaller report: +usb 1-1: BOGUS urb xfer, pipe 1 != type 3 +WARNING: CPU: 0 PID: 781 at drivers/usb/core/urb.c:504 usb_submit_urb+0xc4e/0x18c0 drivers/usb/core/urb.c:503 +... +Call Trace: + + usb_start_wait_urb+0x113/0x520 drivers/usb/core/message.c:59 + vmk80xx_reset_device drivers/comedi/drivers/vmk80xx.c:227 [inline] + vmk80xx_auto_attach+0xa1c/0x1a40 drivers/comedi/drivers/vmk80xx.c:818 + comedi_auto_config+0x238/0x380 drivers/comedi/drivers.c:1067 + usb_probe_interface+0x5cd/0xb00 drivers/usb/core/driver.c:399 +... 
+ +Similar issue also found by Syzkaller: +Link: https://syzkaller.appspot.com/bug?extid=5205eb2f17de3e01946e + +Reported-and-tested-by: syzbot+5f29dc6a889fc42bd896@syzkaller.appspotmail.com +Cc: stable +Fixes: 49253d542cc0 ("staging: comedi: vmk80xx: factor out usb endpoint detection") +Reviewed-by: Ian Abbott +Signed-off-by: Nikita Zhandarovich +Link: https://lore.kernel.org/r/20240408171633.31649-1-n.zhandarovich@fintech.ru +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/comedi/drivers/vmk80xx.c | 35 ++++++++++--------------------- + 1 file changed, 12 insertions(+), 23 deletions(-) + +--- a/drivers/staging/comedi/drivers/vmk80xx.c ++++ b/drivers/staging/comedi/drivers/vmk80xx.c +@@ -642,33 +642,22 @@ static int vmk80xx_find_usb_endpoints(st + struct vmk80xx_private *devpriv = dev->private; + struct usb_interface *intf = comedi_to_usb_interface(dev); + struct usb_host_interface *iface_desc = intf->cur_altsetting; +- struct usb_endpoint_descriptor *ep_desc; +- int i; ++ struct usb_endpoint_descriptor *ep_rx_desc, *ep_tx_desc; ++ int ret; + +- if (iface_desc->desc.bNumEndpoints != 2) +- return -ENODEV; +- +- for (i = 0; i < iface_desc->desc.bNumEndpoints; i++) { +- ep_desc = &iface_desc->endpoint[i].desc; +- +- if (usb_endpoint_is_int_in(ep_desc) || +- usb_endpoint_is_bulk_in(ep_desc)) { +- if (!devpriv->ep_rx) +- devpriv->ep_rx = ep_desc; +- continue; +- } ++ if (devpriv->model == VMK8061_MODEL) ++ ret = usb_find_common_endpoints(iface_desc, &ep_rx_desc, ++ &ep_tx_desc, NULL, NULL); ++ else ++ ret = usb_find_common_endpoints(iface_desc, NULL, NULL, ++ &ep_rx_desc, &ep_tx_desc); + +- if (usb_endpoint_is_int_out(ep_desc) || +- usb_endpoint_is_bulk_out(ep_desc)) { +- if (!devpriv->ep_tx) +- devpriv->ep_tx = ep_desc; +- continue; +- } +- } +- +- if (!devpriv->ep_rx || !devpriv->ep_tx) ++ if (ret) + return -ENODEV; + ++ devpriv->ep_rx = ep_rx_desc; ++ devpriv->ep_tx = ep_tx_desc; ++ + if (!usb_endpoint_maxp(devpriv->ep_rx) || 
!usb_endpoint_maxp(devpriv->ep_tx)) + return -EINVAL; + diff --git a/queue-4.19/drm-nv04-fix-out-of-bounds-access.patch b/queue-4.19/drm-nv04-fix-out-of-bounds-access.patch index ce22c01e1bf..76bf408a4a2 100644 --- a/queue-4.19/drm-nv04-fix-out-of-bounds-access.patch +++ b/queue-4.19/drm-nv04-fix-out-of-bounds-access.patch @@ -25,11 +25,9 @@ Signed-off-by: Danilo Krummrich Link: https://patchwork.freedesktop.org/patch/msgid/20240411110854.16701-1-m.kobuk@ispras.ru Signed-off-by: Sasha Levin --- - drivers/gpu/drm/nouveau/nouveau_bios.c | 13 +++++++------ + drivers/gpu/drm/nouveau/nouveau_bios.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) -diff --git a/drivers/gpu/drm/nouveau/nouveau_bios.c b/drivers/gpu/drm/nouveau/nouveau_bios.c -index 66bf2aff4a3ed..adecda51a306d 100644 --- a/drivers/gpu/drm/nouveau/nouveau_bios.c +++ b/drivers/gpu/drm/nouveau/nouveau_bios.c @@ -25,6 +25,7 @@ @@ -40,7 +38,7 @@ index 66bf2aff4a3ed..adecda51a306d 100644 #include "nouveau_reg.h" #include "dispnv04/hw.h" #include "nouveau_encoder.h" -@@ -1674,7 +1675,7 @@ apply_dcb_encoder_quirks(struct drm_device *dev, int idx, u32 *conn, u32 *conf) +@@ -1674,7 +1675,7 @@ apply_dcb_encoder_quirks(struct drm_devi */ if (nv_match_device(dev, 0x0201, 0x1462, 0x8851)) { if (*conn == 0xf2005014 && *conf == 0xffffffff) { @@ -49,7 +47,7 @@ index 66bf2aff4a3ed..adecda51a306d 100644 return false; } } -@@ -1760,26 +1761,26 @@ fabricate_dcb_encoder_table(struct drm_device *dev, struct nvbios *bios) +@@ -1760,26 +1761,26 @@ fabricate_dcb_encoder_table(struct drm_d #ifdef __powerpc__ /* Apple iMac G4 NV17 */ if (of_machine_is_compatible("PowerMac4,5")) { @@ -81,6 +79,3 @@ index 66bf2aff4a3ed..adecda51a306d 100644 } static int --- -2.43.0 - diff --git a/queue-4.19/series b/queue-4.19/series index 386ce761e93..a4ea6acd017 100644 --- a/queue-4.19/series +++ b/queue-4.19/series 
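Review bot: In the queued vmk80xx_find_usb_endpoints() change, the two usb_find_common_endpoints() calls choose bulk or interrupt endpoints only by which positional slots are NULL, and nothing at the call site records which transfer type each model is expected to expose. Judging by the Syzkaller trace in the changelog, this lookup is what keeps a device with mismatched descriptors from reaching the URB submission paths, so a comment such as `/* VMK8061 uses bulk endpoints; every other model uses interrupt endpoints */` above the `if (devpriv->model == VMK8061_MODEL)` branch would make that invariant reviewable. The removed `bNumEndpoints != 2` test also means an interface carrying additional endpoints is now accepted, presumably with the first matching IN/OUT descriptors being used; that looks intentional, but it deserves a sentence in the changelog so the relaxation is not mistaken for an oversight. The function starts before the hunk and continues past it, so how ep_rx and ep_tx are consumed afterwards is not visible here.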
@@ -19,3 +19,4 @@ netfilter-nf_tables-fix-potential-data-race-in-__nft.patch
 tun-limit-printing-rate-when-illegal-packet-received.patch
 rdma-mlx5-fix-port-number-for-counter-query-in-multi.patch
 drm-nv04-fix-out-of-bounds-access.patch
+comedi-vmk80xx-fix-incomplete-endpoint-checking.patch