From: Greg Kroah-Hartman Date: Mon, 11 Nov 2019 09:43:15 +0000 (+0100) Subject: 4.9-stable patches X-Git-Tag: v4.4.201~31 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=aa64fe5d863f4f96ec90d7cbc112dfcfba7f85c0;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: drivers-usb-usbip-add-missing-break-statement-to-switch.patch usbip-fix-possibility-of-dereference-by-nulll-pointer-in-vhci_hcd.c.patch usbip-fix-vhci_urb_enqueue-urb-null-transfer-buffer-error-path.patch usbip-stub_rx-fix-static-checker-warning-on-unnecessary-checks.patch
---
diff --git a/queue-4.9/drivers-usb-usbip-add-missing-break-statement-to-switch.patch b/queue-4.9/drivers-usb-usbip-add-missing-break-statement-to-switch.patch
new file mode 100644
index 00000000000..9a01e8fb31d
--- /dev/null
+++ b/queue-4.9/drivers-usb-usbip-add-missing-break-statement-to-switch.patch
@@ -0,0 +1,30 @@
+From 7c92e5fbf4dac0dd4dd41a0383adc54f16f403e2 Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva"
+Date: Thu, 9 Feb 2017 01:49:56 -0600
+Subject: drivers: usb: usbip: Add missing break statement to switch
+
+From: Gustavo A. R. Silva
+
+commit 7c92e5fbf4dac0dd4dd41a0383adc54f16f403e2 upstream.
+
+Add missing break statement to prevent the code for case
+USB_PORT_FEAT_C_RESET falling through to the default case.
+
+Addresses-Coverity-ID: 143155
+Signed-off-by: Gustavo A. R. Silva
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/usbip/vhci_hcd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/usbip/vhci_hcd.c
++++ b/drivers/usb/usbip/vhci_hcd.c
+@@ -318,6 +318,7 @@ static int vhci_hub_control(struct usb_h
+ default:
+ break;
+ }
++ break;
+ default:
+ usbip_dbg_vhci_rh(" ClearPortFeature: default %x\n",
+ wValue);
diff --git a/queue-4.9/series b/queue-4.9/series
index 52af13c218f..d4aa3ee06f8 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -30,3 +30,7 @@ configfs_register_group-shouldn-t-be-and-isn-t-called-in-rmdirable-parts.patch
 configfs-new-object-reprsenting-tree-fragments.patch
 configfs-provide-exclusion-between-io-and-removals.patch
 configfs-fix-a-deadlock-in-configfs_symlink.patch
+usbip-stub_rx-fix-static-checker-warning-on-unnecessary-checks.patch
+usbip-fix-vhci_urb_enqueue-urb-null-transfer-buffer-error-path.patch
+usbip-fix-possibility-of-dereference-by-nulll-pointer-in-vhci_hcd.c.patch
+drivers-usb-usbip-add-missing-break-statement-to-switch.patch
diff --git a/queue-4.9/usbip-fix-possibility-of-dereference-by-nulll-pointer-in-vhci_hcd.c.patch b/queue-4.9/usbip-fix-possibility-of-dereference-by-nulll-pointer-in-vhci_hcd.c.patch
new file mode 100644
index 00000000000..43915f4b67a
--- /dev/null
+++ b/queue-4.9/usbip-fix-possibility-of-dereference-by-nulll-pointer-in-vhci_hcd.c.patch
@@ -0,0 +1,44 @@
+From d79cda045e3bacb7e754a5324cd3d4ce80708eb1 Mon Sep 17 00:00:00 2001
+From: Nobuo Iwata
+Date: Thu, 13 Oct 2016 12:49:02 +0900
+Subject: usbip: fix possibility of dereference by NULLL pointer in vhci_hcd.c
+
+From: Nobuo Iwata
+
+commit d79cda045e3bacb7e754a5324cd3d4ce80708eb1 upstream.
+
+This patch fixes possibility of dereference by NULLL pointer in "[PATCH
+v5 1/3] usbip: vhci extension: modifications to vhci driver" which has
+been merged to 4.9-rc1. It occurs when a URB with pointer to invalid
+USB/IP device is enqueued in race condition against detach operation.
+
+A pointer was passed to vdev_to_vhci() before NULL check.
+In vdev_to_vhci(), there's a dereference by the pointer.
+
+This patch moves vdev_to_vhci() after NULL check of the pointer.
+
+Signed-off-by: Nobuo Iwata
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/usbip/vhci_hcd.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/usbip/vhci_hcd.c
++++ b/drivers/usb/usbip/vhci_hcd.c
+@@ -465,13 +465,14 @@ static void vhci_tx_urb(struct urb *urb)
+ {
+ struct vhci_device *vdev = get_vdev(urb->dev);
+ struct vhci_priv *priv;
+- struct vhci_hcd *vhci = vdev_to_vhci(vdev);
++ struct vhci_hcd *vhci;
+ unsigned long flags;
+
+ if (!vdev) {
+ pr_err("could not get virtual device");
+ return;
+ }
++ vhci = vdev_to_vhci(vdev);
+
+ priv = kzalloc(sizeof(struct vhci_priv), GFP_ATOMIC);
+ if (!priv) {
diff --git a/queue-4.9/usbip-fix-vhci_urb_enqueue-urb-null-transfer-buffer-error-path.patch b/queue-4.9/usbip-fix-vhci_urb_enqueue-urb-null-transfer-buffer-error-path.patch
new file mode 100644
index 00000000000..74fa043963b
--- /dev/null
+++ b/queue-4.9/usbip-fix-vhci_urb_enqueue-urb-null-transfer-buffer-error-path.patch
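Review bot: The statement order introduced in vhci_tx_urb() is load-bearing but undocumented: per the commit message vdev_to_vhci() dereferences its argument, so `vhci = vdev_to_vhci(vdev);` has to stay below the `if (!vdev)` check, and a later cleanup could easily fold it back into the declaration. I would add a one-line comment above the assignment, `/* vdev_to_vhci() dereferences vdev; keep this after the NULL check */`. The check only covers get_vdev() returning NULL; the description mentions a race against detach, and nothing in the visible lines shows what keeps vdev valid after the check, so that should be confirmed against the locking outside the hunk. The function body continues past the end of the hunk.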
@@ -0,0 +1,34 @@
+From 2c904963b1dd2acd4bc785b6c72e10a6283c2081 Mon Sep 17 00:00:00 2001
+From: Shuah Khan
+Date: Thu, 24 Jan 2019 14:46:42 -0700
+Subject: usbip: Fix vhci_urb_enqueue() URB null transfer buffer error path
+
+From: Shuah Khan
+
+commit 2c904963b1dd2acd4bc785b6c72e10a6283c2081 upstream.
+
+Fix vhci_urb_enqueue() to print debug msg and return error instead of
+failing with BUG_ON.
+
+Signed-off-by: Shuah Khan
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/usbip/vhci_hcd.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/usbip/vhci_hcd.c
++++ b/drivers/usb/usbip/vhci_hcd.c
+@@ -512,8 +512,10 @@ static int vhci_urb_enqueue(struct usb_h
+ }
+ vdev = &vhci->vdev[portnum-1];
+
+- /* patch to usb_sg_init() is in 2.5.60 */
+- BUG_ON(!urb->transfer_buffer && urb->transfer_buffer_length);
++ if (!urb->transfer_buffer && urb->transfer_buffer_length) {
++ dev_dbg(dev, "Null URB transfer buffer\n");
++ return -EINVAL;
++ }
+
+ spin_lock_irqsave(&vhci->lock, flags);
+
diff --git a/queue-4.9/usbip-stub_rx-fix-static-checker-warning-on-unnecessary-checks.patch b/queue-4.9/usbip-stub_rx-fix-static-checker-warning-on-unnecessary-checks.patch
new file mode 100644
index 00000000000..6b84dee87af
--- /dev/null
+++ b/queue-4.9/usbip-stub_rx-fix-static-checker-warning-on-unnecessary-checks.patch
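Review bot: The new rejection path in vhci_urb_enqueue() reports only through `dev_dbg()`, which is normally silent unless debug output is enabled, so a URB with a NULL transfer_buffer and a non-zero transfer_buffer_length is now refused with -EINVAL without leaving a trace by default. The removed BUG_ON suggests the condition was considered serious, so a rate-limited warning such as `dev_warn_ratelimited(dev, "Null URB transfer buffer\n");` would keep it visible to operators without allowing the log to be flooded. The dropped usb_sg_init() comment also leaves the check unexplained; a short replacement such as `/* a non-zero length requires a buffer; reject instead of crashing */` would help. `dev` is declared outside the hunk and the function continues past it, so I am assuming it refers to the URB's device.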
@@ -0,0 +1,59 @@
+From 10c90120930628e8b959bf58d4a0aaef3ae5d945 Mon Sep 17 00:00:00 2001
+From: Shuah Khan
+Date: Fri, 15 Dec 2017 10:05:15 -0700
+Subject: usbip: stub_rx: fix static checker warning on unnecessary checks
+
+From: Shuah Khan
+
+commit 10c90120930628e8b959bf58d4a0aaef3ae5d945 upstream.
+
+Fix the following static checker warnings:
+
+The patch c6688ef9f297: "usbip: fix stub_rx: harden CMD_SUBMIT path
+to handle malicious input" from Dec 7, 2017, leads to the following
+static checker warning:
+
+ drivers/usb/usbip/stub_rx.c:346 get_pipe()
+ warn: impossible condition
+'(pdu->u.cmd_submit.transfer_buffer_length > ((~0 >> 1))) =>
+(s32min-s32max > s32max)'
+ drivers/usb/usbip/stub_rx.c:486 stub_recv_cmd_submit()
+ warn: always true condition
+'(pdu->u.cmd_submit.transfer_buffer_length <= ((~0 >> 1))) =>
+(s32min-s32max <= s32max)'
+
+Reported-by: Dan Carpenter
+Signed-off-by: Shuah Khan
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/usbip/stub_rx.c | 11 +---------
+ 1 file changed, 1 insertion(+), 10 deletions(-)
+
+--- a/drivers/usb/usbip/stub_rx.c
++++ b/drivers/usb/usbip/stub_rx.c
+@@ -353,14 +353,6 @@ static int get_pipe(struct stub_device *
+
+ epd = &ep->desc;
+
+- /* validate transfer_buffer_length */
+- if (pdu->u.cmd_submit.transfer_buffer_length > INT_MAX) {
+- dev_err(&sdev->udev->dev,
+- "CMD_SUBMIT: -EMSGSIZE transfer_buffer_length %d\n",
+- pdu->u.cmd_submit.transfer_buffer_length);
+- return -1;
+- }
+-
+ if (usb_endpoint_xfer_control(epd)) {
+ if (dir == USBIP_DIR_OUT)
+ return usb_sndctrlpipe(udev, epnum);
+@@ -487,8 +479,7 @@ static void stub_recv_cmd_submit(struct
+ }
+
+ /* allocate urb transfer buffer, if needed */
+- if (pdu->u.cmd_submit.transfer_buffer_length > 0 &&
+- pdu->u.cmd_submit.transfer_buffer_length <= INT_MAX) {
++ if (pdu->u.cmd_submit.transfer_buffer_length > 0) {
+ priv->urb->transfer_buffer =
+ kzalloc(pdu->u.cmd_submit.transfer_buffer_length,
+ GFP_KERNEL);
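Review bot: After this change the only check on `pdu->u.cmd_submit.transfer_buffer_length` visible in stub_recv_cmd_submit() is `> 0`, so any positive value from the CMD_SUBMIT PDU, which the earlier commit quoted in the description treats as potentially malicious input, is passed to `kzalloc()` as the allocation size, and get_pipe() no longer looks at the length at all. The static checker output says the field is a signed 32-bit value, which is why the INT_MAX comparisons were dead code; it also means negative values are excluded only by this `> 0` test. I would document that above the condition, e.g. `/* length is s32 from the wire: > 0 rejects negatives; no upper bound is applied here */`, and confirm that an upper bound and the kzalloc() failure check exist in the code outside the hunk. Both functions start and end outside the hunks shown.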