From: Greg Kroah-Hartman
Date: Mon, 2 May 2016 16:29:26 +0000 (-0700)
Subject: 4.5-stable patches
X-Git-Tag: v3.14.68~26
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=bb1d5315bc6d5f1544235357a8d125f3082c5c59;p=thirdparty%2Fkernel%2Fstable-queue.git
4.5-stable patches
added patches:
usb-usbip-fix-potential-out-of-bounds-write.patch
---
diff --git a/queue-4.5/asoc-fsl_ssi-remove-explicit-register-defaults.patch b/queue-4.5/asoc-fsl_ssi-remove-explicit-register-defaults.patch
deleted file mode 100644
index ba87a475d9b..00000000000
--- a/queue-4.5/asoc-fsl_ssi-remove-explicit-register-defaults.patch
+++ /dev/null
@@ -1,136 +0,0 @@
-From 6139b1b184d5f6257f692dc814dbcd47e4cf90f1 Mon Sep 17 00:00:00 2001
-From: "Maciej S. Szmigiero"
-Date: Mon, 18 Jan 2016 20:07:44 +0100
-Subject: ASoC: fsl_ssi: remove explicit register defaults
-
-From: Maciej S. Szmigiero
-
-commit 6139b1b184d5f6257f692dc814dbcd47e4cf90f1 upstream.
-
-There is no guarantee that on fsl_ssi module load
-SSI registers will have their power-on-reset values.
-
-In fact, if the driver is reloaded the values in
-registers will be whatever they were set to previously.
-
-However, the cache needs to be fully populated at probe
-time to avoid non-atomic allocations during register
-access.
-
-Special case here is imx21-class SSI, since
-according to datasheet it don't have SACC{ST,EN,DIS}
-regs.
-
-This fixes hard lockup on fsl_ssi module reload,
-at least in AC'97 mode.
-
-Fixes: 05cf237972fe ("ASoC: fsl_ssi: Add driver suspend and resume to support MEGA Fast")
-Signed-off-by: Maciej S. Szmigiero
-Tested-by: Fabio Estevam
-Signed-off-by: Mark Brown
-Signed-off-by: Greg Kroah-Hartman
-
----
- sound/soc/fsl/fsl_ssi.c | 42 ++++++++++++++++++++++--------------------
- 1 file changed, 22 insertions(+), 20 deletions(-)
-
---- a/sound/soc/fsl/fsl_ssi.c
-+++ b/sound/soc/fsl/fsl_ssi.c
-@@ -112,20 +112,6 @@ struct fsl_ssi_rxtx_reg_val {
- struct fsl_ssi_reg_val tx;
- };
-
--static const struct reg_default fsl_ssi_reg_defaults[] = {
-- {CCSR_SSI_SCR, 0x00000000},
-- {CCSR_SSI_SIER, 0x00003003},
-- {CCSR_SSI_STCR, 0x00000200},
-- {CCSR_SSI_SRCR, 0x00000200},
-- {CCSR_SSI_STCCR, 0x00040000},
-- {CCSR_SSI_SRCCR, 0x00040000},
-- {CCSR_SSI_SACNT, 0x00000000},
-- {CCSR_SSI_STMSK, 0x00000000},
-- {CCSR_SSI_SRMSK, 0x00000000},
-- {CCSR_SSI_SACCEN, 0x00000000},
-- {CCSR_SSI_SACCDIS, 0x00000000},
--};
--
- static bool fsl_ssi_readable_reg(struct device *dev, unsigned int reg)
- {
- switch (reg) {
-@@ -190,8 +176,7 @@ static const struct regmap_config fsl_ss
- .val_bits = 32,
- .reg_stride = 4,
- .val_format_endian = REGMAP_ENDIAN_NATIVE,
-- .reg_defaults = fsl_ssi_reg_defaults,
-- .num_reg_defaults = ARRAY_SIZE(fsl_ssi_reg_defaults),
-+ .num_reg_defaults_raw = CCSR_SSI_SACCDIS / sizeof(uint32_t) + 1,
- .readable_reg = fsl_ssi_readable_reg,
- .volatile_reg = fsl_ssi_volatile_reg,
- .precious_reg = fsl_ssi_precious_reg,
-@@ -201,6 +186,7 @@ static const struct regmap_config fsl_ss
-
- struct fsl_ssi_soc_data {
- bool imx;
-+ bool imx21regs; /* imx21-class SSI - no SACC{ST,EN,DIS} regs */
- bool offline_config;
- u32 sisr_write_mask;
- };
-@@ -303,6 +289,7 @@ static struct fsl_ssi_soc_data fsl_ssi_m
-
- static struct fsl_ssi_soc_data fsl_ssi_imx21 = {
- .imx = true,
-+ .imx21regs = true,
- .offline_config = true,
- .sisr_write_mask = 0,
- };
-@@ -586,8 +573,12 @@ static void fsl_ssi_setup_ac97(struct fs
- */
- regmap_write(regs, CCSR_SSI_SACNT,
- CCSR_SSI_SACNT_AC97EN | CCSR_SSI_SACNT_FV);
-- regmap_write(regs, CCSR_SSI_SACCDIS, 0xff);
-- regmap_write(regs, CCSR_SSI_SACCEN, 0x300);
-+
-+ /* no SACC{ST,EN,DIS} regs on imx21-class SSI */
-+ if (!ssi_private->soc->imx21regs) {
-+ regmap_write(regs, CCSR_SSI_SACCDIS, 0xff);
-+ regmap_write(regs, CCSR_SSI_SACCEN, 0x300);
-+ }
-
- /*
- * Enable SSI, Transmit and Receive. AC97 has to communicate with the
-@@ -1397,6 +1388,7 @@ static int fsl_ssi_probe(struct platform
- struct resource *res;
- void __iomem *iomem;
- char name[64];
-+ struct regmap_config regconfig = fsl_ssi_regconfig;
-
- of_id = of_match_device(fsl_ssi_ids, &pdev->dev);
- if (!of_id || !of_id->data)
-@@ -1444,15 +1436,25 @@ static int fsl_ssi_probe(struct platform
- return PTR_ERR(iomem);
- ssi_private->ssi_phys = res->start;
-
-+ if (ssi_private->soc->imx21regs) {
-+ /*
-+ * According to datasheet imx21-class SSI
-+ * don't have SACC{ST,EN,DIS} regs.
-+ */
-+ regconfig.max_register = CCSR_SSI_SRMSK;
-+ regconfig.num_reg_defaults_raw =
-+ CCSR_SSI_SRMSK / sizeof(uint32_t) + 1;
-+ }
-+
- ret = of_property_match_string(np, "clock-names", "ipg");
- if (ret < 0) {
- ssi_private->has_ipg_clk_name = false;
- ssi_private->regs = devm_regmap_init_mmio(&pdev->dev, iomem,
-- &fsl_ssi_regconfig);
-+ ®config);
- } else {
- ssi_private->has_ipg_clk_name = true;
- ssi_private->regs = devm_regmap_init_mmio_clk(&pdev->dev,
-- "ipg", iomem, &fsl_ssi_regconfig);
-+ "ipg", iomem, ®config);
- }
- if (IS_ERR(ssi_private->regs)) {
- dev_err(&pdev->dev, "Failed to init register map\n");
diff --git a/queue-4.5/series b/queue-4.5/series
index 7a135cf2809..42aa81f5baa 100644
--- a/queue-4.5/series
+++ b/queue-4.5/series
@@ -109,7 +109,6 @@ acpica-interpreter-fix-a-regression-triggered-because-of-wrong-linux-ecdt-suppor
 mmc-sdhci-acpi-reduce-baytrail-emmc-sd-sdio-hangs.patch
 toshiba_acpi-fix-regression-caused-by-hotkey-enabling-value.patch
 edac-i7core-sb_edac-don-t-return-notify_bad-from-mce_decoder-callback.patch
-asoc-fsl_ssi-remove-explicit-register-defaults.patch
 asoc-s3c24xx-use-const-snd_soc_component_driver-pointer.patch
 asoc-ssm4567-reset-device-before-regcache_sync.patch
 asoc-dapm-make-sure-we-have-a-card-when-displaying-component-widgets.patch
@@ -136,3 +135,4 @@ mm-huge_memory-replace-vm_no_thp-vm_bug_on-with-actual-vma-check.patch
 numa-fix-proc-pid-numa_maps-for-thp.patch
 mm-vmscan-reclaim-highmem-zone-if-buffer_heads-is-over-limit.patch
 mm-hwpoison-fix-wrong-num_poisoned_pages-accounting.patch
+usb-usbip-fix-potential-out-of-bounds-write.patch
diff --git a/queue-4.5/usb-usbip-fix-potential-out-of-bounds-write.patch b/queue-4.5/usb-usbip-fix-potential-out-of-bounds-write.patch
new file mode 100644
index 00000000000..a60274c05c5
--- /dev/null
+++ b/queue-4.5/usb-usbip-fix-potential-out-of-bounds-write.patch
@@ -0,0 +1,47 @@
+From b348d7dddb6c4fbfc810b7a0626e8ec9e29f7cbb Mon Sep 17 00:00:00 2001
+From: Ignat Korchagin
+Date: Thu, 17 Mar 2016 18:00:29 +0000
+Subject: USB: usbip: fix potential out-of-bounds write
+
+From: Ignat Korchagin
+
+commit b348d7dddb6c4fbfc810b7a0626e8ec9e29f7cbb upstream.
+
+Fix potential out-of-bounds write to urb->transfer_buffer
+usbip handles network communication directly in the kernel. When receiving a
+packet from its peer, usbip code parses headers according to protocol. As
+part of this parsing urb->actual_length is filled. Since the input for
+urb->actual_length comes from the network, it should be treated as untrusted.
+Any entity controlling the network may put any value in the input and the
+preallocated urb->transfer_buffer may not be large enough to hold the data.
+Thus, the malicious entity is able to write arbitrary data to kernel memory.
+
+Signed-off-by: Ignat Korchagin
+Cc: Sasha Levin
+Signed-off-by: Paul Gortmaker
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/usbip/usbip_common.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/drivers/usb/usbip/usbip_common.c
++++ b/drivers/usb/usbip/usbip_common.c
+@@ -741,6 +741,17 @@ int usbip_recv_xbuff(struct usbip_device
+ if (!(size > 0))
+ return 0;
+
++ if (size > urb->transfer_buffer_length) {
++ /* should not happen, probably malicious packet */
++ if (ud->side == USBIP_STUB) {
++ usbip_event_add(ud, SDEV_EVENT_ERROR_TCP);
++ return 0;
++ } else {
++ usbip_event_add(ud, VDEV_EVENT_ERROR_TCP);
++ return -EPIPE;
++ }
++ }
++
+ ret = usbip_recv(ud->tcp_socket, urb->transfer_buffer, size);
+ if (ret != size) {
+ dev_err(&urb->dev->dev, "recv xbuf, %d\n", ret);
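Review bot: The new `size > urb->transfer_buffer_length` branch in usbip_recv_xbuff() rejects the packet without logging anything, while the recv failure path just below it reports `recv xbuf, %d`. Since the comment itself calls this a probably malicious packet, a rate-limited message before the `usbip_event_add()` calls, for example `dev_err_ratelimited(&urb->dev->dev, "recv xbuf, size %d exceeds transfer buffer\n", size);`, would leave a trace that monitoring can alert on without letting the peer flood the log. On the USBIP_STUB side the branch returns 0, the same value as the `!(size > 0)` no-data case directly above, so the caller can only learn of the rejection through the queued SDEV_EVENT_ERROR_TCP event; a one-line comment stating that this is intended would help. The declaration of `size` and the code that assigns it lie outside the hunk, so the `%d` and the signed/unsigned comparison should be confirmed against the full function.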