From: Greg Kroah-Hartman
Date: Mon, 23 Oct 2017 12:41:42 +0000 (+0200)
Subject: 4.13-stable patches
X-Git-Tag: v3.18.78~23
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ad34ad3ef33792a3de321a3580c17211b4bc1452;p=thirdparty%2Fkernel%2Fstable-queue.git
4.13-stable patches
added patches:
staging-bcm2835-audio-fix-memory-corruption.patch
usb-devio-revert-usb-devio-don-t-corrupt-user-memory.patch
---
diff --git a/queue-4.13/staging-bcm2835-audio-fix-memory-corruption.patch b/queue-4.13/staging-bcm2835-audio-fix-memory-corruption.patch
new file mode 100644
index 00000000000..3421d5c6de4
--- /dev/null
+++ b/queue-4.13/staging-bcm2835-audio-fix-memory-corruption.patch
@@ -0,0 +1,82 @@
+From c97d96b4e612c7dc1b37d7afc61b598a9a25994d Mon Sep 17 00:00:00 2001
+From: Phil Elwell
+Date: Sun, 24 Sep 2017 15:20:49 +0100
+Subject: staging: bcm2835-audio: Fix memory corruption
+
+From: Phil Elwell
+
+commit c97d96b4e612c7dc1b37d7afc61b598a9a25994d upstream.
+
+The previous commit (0adbfd46) fixed a memory leak but also freed a
+block in the success case, causing a stale pointer to be used with
+potentially fatal results. Only free the vchi_instance block in the
+case that vchi_connect fails; once connected, the instance is
+retained for subsequent connections.
+
+Simplifying the code by removing a bunch of gotos and returning errors
+directly.
+
+Signed-off-by: Phil Elwell
+Fixes: 0adbfd4694c2 ("staging: bcm2835-audio: fix memory leak in bcm2835_audio_open_connection()")
+Tested-by: Stefan Wahren
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/staging/vc04_services/bcm2835-audio/bcm2835-vchiq.c | 19 ++++--------
+ 1 file changed, 7 insertions(+), 12 deletions(-)
+
+--- a/drivers/staging/vc04_services/bcm2835-audio/bcm2835-vchiq.c
++++ b/drivers/staging/vc04_services/bcm2835-audio/bcm2835-vchiq.c
+@@ -390,8 +390,7 @@ static int bcm2835_audio_open_connection
+ __func__, instance);
+ instance->alsa_stream = alsa_stream;
+ alsa_stream->instance = instance;
+- ret = 0; // xxx todo -1;
+- goto err_free_mem;
++ return 0;
+ }
+
+ /* Initialize and create a VCHI connection */
+@@ -401,16 +400,15 @@ static int bcm2835_audio_open_connection
+ LOG_ERR("%s: failed to initialise VCHI instance (ret=%d)\n",
+ __func__, ret);
+
+- ret = -EIO;
+- goto err_free_mem;
++ return -EIO;
+ }
+ ret = vchi_connect(NULL, 0, vchi_instance);
+ if (ret) {
+ LOG_ERR("%s: failed to connect VCHI instance (ret=%d)\n",
+ __func__, ret);
+
+- ret = -EIO;
+- goto err_free_mem;
++ kfree(vchi_instance);
++ return -EIO;
+ }
+ initted = 1;
+ }
+@@ -421,19 +419,16 @@ static int bcm2835_audio_open_connection
+ if (IS_ERR(instance)) {
+ LOG_ERR("%s: failed to initialize audio service\n", __func__);
+
+- ret = PTR_ERR(instance);
+- goto err_free_mem;
++ /* vchi_instance is retained for use the next time. */
++ return PTR_ERR(instance);
+ }
+
+ instance->alsa_stream = alsa_stream;
+ alsa_stream->instance = instance;
+
+ LOG_DBG(" success !\n");
+- ret = 0;
+-err_free_mem:
+- kfree(vchi_instance);
+
+- return ret;
++ return 0;
+ }
+
+ int bcm2835_audio_open(struct bcm2835_alsa_stream *alsa_stream)
diff --git a/queue-4.13/usb-devio-revert-usb-devio-don-t-corrupt-user-memory.patch b/queue-4.13/usb-devio-revert-usb-devio-don-t-corrupt-user-memory.patch
new file mode 100644
index 00000000000..484ebc29d60
--- /dev/null
+++ b/queue-4.13/usb-devio-revert-usb-devio-don-t-corrupt-user-memory.patch
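Review bot: In the vchi_connect failure path, `kfree(vchi_instance)` returns without clearing `vchi_instance`, and the comment added in the third hunk says this pointer is retained across calls, so a dangling pointer outlives the function. It appears safe today only because `initted` is set after a successful connect, so a later call presumably re-runs the initialise step (the `failed to initialise VCHI instance` path above the second hunk) before the pointer is used again; that ordering is an invariant the hunk does not state. Nulling it makes the invariant explicit and turns any future misuse into a NULL dereference instead of a use-after-free: `kfree(vchi_instance); vchi_instance = NULL;`. The declarations of `vchi_instance` and `initted` and the initialise call are outside the hunk.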
@@ -0,0 +1,67 @@
+From 845d584f41eac3475c21e4a7d5e88d0f6e410cf7 Mon Sep 17 00:00:00 2001
+From: Hans de Goede
+Date: Mon, 16 Oct 2017 16:21:19 +0200
+Subject: USB: devio: Revert "USB: devio: Don't corrupt user memory"
+
+From: Hans de Goede
+
+commit 845d584f41eac3475c21e4a7d5e88d0f6e410cf7 upstream.
+
+Taking the uurb->buffer_length userspace passes in as a maximum for the
+actual urbs transfer_buffer_length causes 2 serious issues:
+
+1) It breaks isochronous support for all userspace apps using libusb,
+ as existing libusb versions pass in 0 for uurb->buffer_length,
+ relying on the kernel using the lenghts of the usbdevfs_iso_packet_desc
+ descriptors passed in added together as buffer length.
+
+ This for example causes redirection of USB audio and Webcam's into
+ virtual machines using qemu-kvm to no longer work. This is a userspace
+ ABI break and as such must be reverted.
+
+ Note that the original commit does not protect other users / the
+ kernels memory, it only stops the userspace process making the call
+ from shooting itself in the foot.
+
+2) It may cause the kernel to program host controllers to DMA over random
+ memory. Just as the devio code used to only look at the iso_packet_desc
+ lenghts, the host drivers do the same, relying on the submitter of the
+ urbs to make sure the entire buffer is large enough and not checking
+ transfer_buffer_length.
+
+ But the "USB: devio: Don't corrupt user memory" commit now takes the
+ userspace provided uurb->buffer_length for the buffer-size while copying
+ over the user-provided iso_packet_desc lengths 1:1, allowing the user
+ to specify a small buffer size while programming the host controller to
+ dma a lot more data.
+
+ (Atleast the ohci, uhci, xhci and fhci drivers do not check
+ transfer_buffer_length for isoc transfers.)
+
+This reverts commit fa1ed74eb1c2 ("USB: devio: Don't corrupt user memory")
+fixing both these issues.
+
+Cc: Dan Carpenter
+Signed-off-by: Hans de Goede
+Acked-by: Alan Stern
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/core/devio.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+--- a/drivers/usb/core/devio.c
++++ b/drivers/usb/core/devio.c
+@@ -1576,11 +1576,7 @@ static int proc_do_submiturb(struct usb_
+ totlen += isopkt[u].length;
+ }
+ u *= sizeof(struct usb_iso_packet_descriptor);
+- if (totlen <= uurb->buffer_length)
+- uurb->buffer_length = totlen;
+- else
+- WARN_ONCE(1, "uurb->buffer_length is too short %d vs %d",
+- totlen, uurb->buffer_length);
++ uurb->buffer_length = totlen;
+ break;
+
+ default:
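Review bot: The new `uurb->buffer_length = totlen;` silently replaces the caller's length with the sum of the user-supplied `isopkt[u].length` values, and nothing at the assignment says why the caller's value is discarded, so the cap and `WARN_ONCE` this reverts are likely to be reintroduced by the next reader. Suggested comment above the assignment: `/* libusb passes 0 here for ISO URBs; the buffer length is the sum of the iso packet descriptor lengths (see the revert of fa1ed74eb1c2). */`. Whether `totlen` can overflow or exceed a sane total depends on the per-packet length and packet-count checks in the loop above, which the hunk does not show and should be confirmed since both inputs are user-controlled. proc_do_submiturb begins and ends outside the hunk.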