From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Tue, 17 Dec 2024 15:30:59 +0000 (+0100)
Subject: 5.4-stable patches
X-Git-Tag: v5.4.288~12
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=fb69d2371128f84b831bf69d7069b86855844ae4;p=thirdparty%2Fkernel%2Fstable-queue.git

5.4-stable patches

added patches:
	alsa-usb-audio-fix-a-dma-to-stack-memory-bug.patch
---

diff --git a/queue-5.4/alsa-usb-audio-fix-a-dma-to-stack-memory-bug.patch b/queue-5.4/alsa-usb-audio-fix-a-dma-to-stack-memory-bug.patch
new file mode 100644
index 00000000000..64f2c2b46c6
--- /dev/null
+++ b/queue-5.4/alsa-usb-audio-fix-a-dma-to-stack-memory-bug.patch
@@ -0,0 +1,96 @@
+From f7d306b47a24367302bd4fe846854e07752ffcd9 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@linaro.org>
+Date: Mon, 2 Dec 2024 15:57:54 +0300
+Subject: ALSA: usb-audio: Fix a DMA to stack memory bug
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+commit f7d306b47a24367302bd4fe846854e07752ffcd9 upstream.
+
+The usb_get_descriptor() function does DMA so we're not allowed
+to use a stack buffer for that.  Doing DMA to the stack is not portable
+all architectures.  Move the "new_device_descriptor" from being stored
+on the stack and allocate it with kmalloc() instead.
+
+Fixes: b909df18ce2a ("ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices")
+Cc: stable@kernel.org
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://patch.msgid.link/60e3aa09-039d-46d2-934c-6f123026c2eb@stanley.mountain
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: BenoÃ®t Sevens <bsevens@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/quirks.c |   31 +++++++++++++++++++++----------
+ 1 file changed, 21 insertions(+), 10 deletions(-)
+
+--- a/sound/usb/quirks.c
++++ b/sound/usb/quirks.c
+@@ -585,7 +585,7 @@ int snd_usb_create_quirk(struct snd_usb_
+ static int snd_usb_extigy_boot_quirk(struct usb_device *dev, struct usb_interface *intf)
+ {
+ 	struct usb_host_config *config = dev->actconfig;
+-	struct usb_device_descriptor new_device_descriptor;
++	struct usb_device_descriptor *new_device_descriptor = NULL;
+ 	int err;
+ 
+ 	if (le16_to_cpu(get_cfg_desc(config)->wTotalLength) == EXTIGY_FIRMWARE_SIZE_OLD ||
+@@ -596,15 +596,20 @@ static int snd_usb_extigy_boot_quirk(str
+ 				      0x10, 0x43, 0x0001, 0x000a, NULL, 0);
+ 		if (err < 0)
+ 			dev_dbg(&dev->dev, "error sending boot message: %d\n", err);
++
++		new_device_descriptor = kmalloc(sizeof(*new_device_descriptor), GFP_KERNEL);
++		if (!new_device_descriptor)
++			return -ENOMEM;
+ 		err = usb_get_descriptor(dev, USB_DT_DEVICE, 0,
+-				&new_device_descriptor, sizeof(new_device_descriptor));
++				new_device_descriptor, sizeof(*new_device_descriptor));
+ 		if (err < 0)
+ 			dev_dbg(&dev->dev, "error usb_get_descriptor: %d\n", err);
+-		if (new_device_descriptor.bNumConfigurations > dev->descriptor.bNumConfigurations)
++		if (new_device_descriptor->bNumConfigurations > dev->descriptor.bNumConfigurations)
+ 			dev_dbg(&dev->dev, "error too large bNumConfigurations: %d\n",
+-				new_device_descriptor.bNumConfigurations);
++				new_device_descriptor->bNumConfigurations);
+ 		else
+-			memcpy(&dev->descriptor, &new_device_descriptor, sizeof(dev->descriptor));
++			memcpy(&dev->descriptor, new_device_descriptor, sizeof(dev->descriptor));
++		kfree(new_device_descriptor);
+ 		err = usb_reset_configuration(dev);
+ 		if (err < 0)
+ 			dev_dbg(&dev->dev, "error usb_reset_configuration: %d\n", err);
+@@ -938,7 +943,7 @@ static void mbox2_setup_48_24_magic(stru
+ static int snd_usb_mbox2_boot_quirk(struct usb_device *dev)
+ {
+ 	struct usb_host_config *config = dev->actconfig;
+-	struct usb_device_descriptor new_device_descriptor;
++	struct usb_device_descriptor *new_device_descriptor = NULL;
+ 	int err;
+ 	u8 bootresponse[0x12];
+ 	int fwsize;
+@@ -973,15 +978,21 @@ static int snd_usb_mbox2_boot_quirk(stru
+ 
+ 	dev_dbg(&dev->dev, "device initialised!\n");
+ 
++	new_device_descriptor = kmalloc(sizeof(*new_device_descriptor), GFP_KERNEL);
++	if (!new_device_descriptor)
++		return -ENOMEM;
++
+ 	err = usb_get_descriptor(dev, USB_DT_DEVICE, 0,
+-		&new_device_descriptor, sizeof(new_device_descriptor));
++		new_device_descriptor, sizeof(*new_device_descriptor));
+ 	if (err < 0)
+ 		dev_dbg(&dev->dev, "error usb_get_descriptor: %d\n", err);
+-	if (new_device_descriptor.bNumConfigurations > dev->descriptor.bNumConfigurations)
++	if (new_device_descriptor->bNumConfigurations > dev->descriptor.bNumConfigurations)
+ 		dev_dbg(&dev->dev, "error too large bNumConfigurations: %d\n",
+-			new_device_descriptor.bNumConfigurations);
++			new_device_descriptor->bNumConfigurations);
+ 	else
+-		memcpy(&dev->descriptor, &new_device_descriptor, sizeof(dev->descriptor));
++		memcpy(&dev->descriptor, new_device_descriptor, sizeof(dev->descriptor));
++
++	kfree(new_device_descriptor);
+ 
+ 	err = usb_reset_configuration(dev);
+ 	if (err < 0)
diff --git a/queue-5.4/series b/queue-5.4/series
index d739823ac30..bef85c3259d 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -21,3 +21,4 @@ blk-iocost-avoid-using-clamp-on-inuse-in-__propagate.patch
 kvm-arm64-ignore-pmcntenset_el0-while-checking-for-overflow-status.patch
 tracing-kprobes-skip-symbol-counting-logic-for-module-symbols-in-create_local_trace_kprobe.patch
 xen-netfront-fix-crash-when-removing-device.patch
+alsa-usb-audio-fix-a-dma-to-stack-memory-bug.patch