From: Greg Kroah-Hartman Date: Tue, 17 Dec 2024 14:27:11 +0000 (+0100) Subject: 6.1-stable patches X-Git-Tag: v5.4.288~14 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ddc891f1512fb3ec973b2c0641257bde9ed24f73;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: alsa-usb-audio-fix-a-dma-to-stack-memory-bug.patch --- diff --git a/queue-6.1/alsa-usb-audio-fix-a-dma-to-stack-memory-bug.patch b/queue-6.1/alsa-usb-audio-fix-a-dma-to-stack-memory-bug.patch new file mode 100644 index 00000000000..5ba6523d469 --- /dev/null +++ b/queue-6.1/alsa-usb-audio-fix-a-dma-to-stack-memory-bug.patch @@ -0,0 +1,126 @@ +From f7d306b47a24367302bd4fe846854e07752ffcd9 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Mon, 2 Dec 2024 15:57:54 +0300 +Subject: ALSA: usb-audio: Fix a DMA to stack memory bug + +From: Dan Carpenter + +commit f7d306b47a24367302bd4fe846854e07752ffcd9 upstream. + +The usb_get_descriptor() function does DMA so we're not allowed +to use a stack buffer for that. Doing DMA to the stack is not portable +all architectures. Move the "new_device_descriptor" from being stored +on the stack and allocate it with kmalloc() instead. + +Fixes: b909df18ce2a ("ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices") +Cc: stable@kernel.org +Signed-off-by: Dan Carpenter +Link: https://patch.msgid.link/60e3aa09-039d-46d2-934c-6f123026c2eb@stanley.mountain +Signed-off-by: Takashi Iwai +Signed-off-by: Benoît Sevens +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/quirks.c | 42 +++++++++++++++++++++++++++--------------- + 1 file changed, 27 insertions(+), 15 deletions(-) + +--- a/sound/usb/quirks.c ++++ b/sound/usb/quirks.c +@@ -553,7 +553,7 @@ int snd_usb_create_quirk(struct snd_usb_ + static int snd_usb_extigy_boot_quirk(struct usb_device *dev, struct usb_interface *intf) + { + struct usb_host_config *config = dev->actconfig; +- struct usb_device_descriptor new_device_descriptor; ++ struct usb_device_descriptor *new_device_descriptor __free(kfree) = NULL; + int err; + + if (le16_to_cpu(get_cfg_desc(config)->wTotalLength) == EXTIGY_FIRMWARE_SIZE_OLD || +@@ -564,15 +564,19 @@ static int snd_usb_extigy_boot_quirk(str + 0x10, 0x43, 0x0001, 0x000a, NULL, 0); + if (err < 0) + dev_dbg(&dev->dev, "error sending boot message: %d\n", err); ++ ++ new_device_descriptor = kmalloc(sizeof(*new_device_descriptor), GFP_KERNEL); ++ if (!new_device_descriptor) ++ return -ENOMEM; + err = usb_get_descriptor(dev, USB_DT_DEVICE, 0, +- &new_device_descriptor, sizeof(new_device_descriptor)); ++ new_device_descriptor, sizeof(*new_device_descriptor)); + if (err < 0) + dev_dbg(&dev->dev, "error usb_get_descriptor: %d\n", err); +- if (new_device_descriptor.bNumConfigurations > dev->descriptor.bNumConfigurations) ++ if (new_device_descriptor->bNumConfigurations > dev->descriptor.bNumConfigurations) + dev_dbg(&dev->dev, "error too large bNumConfigurations: %d\n", +- new_device_descriptor.bNumConfigurations); ++ new_device_descriptor->bNumConfigurations); + else +- memcpy(&dev->descriptor, &new_device_descriptor, sizeof(dev->descriptor)); ++ memcpy(&dev->descriptor, new_device_descriptor, sizeof(dev->descriptor)); + err = usb_reset_configuration(dev); + if (err < 0) + dev_dbg(&dev->dev, "error usb_reset_configuration: %d\n", err); +@@ -904,7 +908,7 @@ static void mbox2_setup_48_24_magic(stru + static int snd_usb_mbox2_boot_quirk(struct usb_device *dev) + { + struct usb_host_config *config = dev->actconfig; +- struct usb_device_descriptor new_device_descriptor; ++ struct usb_device_descriptor *new_device_descriptor __free(kfree) = NULL; + int err; + u8 bootresponse[0x12]; + int fwsize; +@@ -939,15 +943,19 @@ static int snd_usb_mbox2_boot_quirk(stru + + dev_dbg(&dev->dev, "device initialised!\n"); + ++ new_device_descriptor = kmalloc(sizeof(*new_device_descriptor), GFP_KERNEL); ++ if (!new_device_descriptor) ++ return -ENOMEM; ++ + err = usb_get_descriptor(dev, USB_DT_DEVICE, 0, +- &new_device_descriptor, sizeof(new_device_descriptor)); ++ new_device_descriptor, sizeof(*new_device_descriptor)); + if (err < 0) + dev_dbg(&dev->dev, "error usb_get_descriptor: %d\n", err); +- if (new_device_descriptor.bNumConfigurations > dev->descriptor.bNumConfigurations) ++ if (new_device_descriptor->bNumConfigurations > dev->descriptor.bNumConfigurations) + dev_dbg(&dev->dev, "error too large bNumConfigurations: %d\n", +- new_device_descriptor.bNumConfigurations); ++ new_device_descriptor->bNumConfigurations); + else +- memcpy(&dev->descriptor, &new_device_descriptor, sizeof(dev->descriptor)); ++ memcpy(&dev->descriptor, new_device_descriptor, sizeof(dev->descriptor)); + + err = usb_reset_configuration(dev); + if (err < 0) +@@ -1261,7 +1269,7 @@ static void mbox3_setup_48_24_magic(stru + static int snd_usb_mbox3_boot_quirk(struct usb_device *dev) + { + struct usb_host_config *config = dev->actconfig; +- struct usb_device_descriptor new_device_descriptor; ++ struct usb_device_descriptor *new_device_descriptor __free(kfree) = NULL; + int err; + int descriptor_size; + +@@ -1274,15 +1282,19 @@ static int snd_usb_mbox3_boot_quirk(stru + + dev_dbg(&dev->dev, "device initialised!\n"); + ++ new_device_descriptor = kmalloc(sizeof(*new_device_descriptor), GFP_KERNEL); ++ if (!new_device_descriptor) ++ return -ENOMEM; ++ + err = usb_get_descriptor(dev, USB_DT_DEVICE, 0, +- &new_device_descriptor, sizeof(new_device_descriptor)); ++ new_device_descriptor, sizeof(*new_device_descriptor)); + if (err < 0) + dev_dbg(&dev->dev, "error usb_get_descriptor: %d\n", err); +- if (new_device_descriptor.bNumConfigurations > dev->descriptor.bNumConfigurations) ++ if (new_device_descriptor->bNumConfigurations > dev->descriptor.bNumConfigurations) + dev_dbg(&dev->dev, "error too large bNumConfigurations: %d\n", +- new_device_descriptor.bNumConfigurations); ++ new_device_descriptor->bNumConfigurations); + else +- memcpy(&dev->descriptor, &new_device_descriptor, sizeof(dev->descriptor)); ++ memcpy(&dev->descriptor, new_device_descriptor, sizeof(dev->descriptor)); + + err = usb_reset_configuration(dev); + if (err < 0) diff --git a/queue-6.1/series b/queue-6.1/series index 097bf6e4da1..8b412e5b7cd 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -74,3 +74,4 @@ x86-xen-don-t-do-pv-iret-hypercall-through-hypercall-page.patch x86-xen-add-central-hypercall-functions.patch x86-xen-use-new-hypercall-functions-instead-of-hypercall-page.patch x86-xen-remove-hypercall-page.patch +alsa-usb-audio-fix-a-dma-to-stack-memory-bug.patch