From: Greg Kroah-Hartman Date: Thu, 30 Jan 2025 11:44:33 +0000 (+0100) Subject: 6.1-stable patches X-Git-Tag: v6.13.1~19 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=fbed28295873c294ee766e1cc0d0742838724dce;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: alsa-usb-audio-add-delay-quirk-for-usb-audio-device.patch input-atkbd-map-f23-key-to-support-default-copilot-shortcut.patch input-xpad-add-support-for-wooting-two-he-arm.patch input-xpad-add-unofficial-xbox-360-wireless-receiver-clone.patch revert-usb-gadget-u_serial-disable-ep-before-setting-port-to-null-to-fix-the-crash-caused-by-port-being-null.patch smb-client-fix-uaf-in-async-decryption.patch usb-serial-quatech2-fix-null-ptr-deref-in-qt2_process_read_urb.patch
---
diff --git a/queue-6.1/alsa-usb-audio-add-delay-quirk-for-usb-audio-device.patch b/queue-6.1/alsa-usb-audio-add-delay-quirk-for-usb-audio-device.patch
new file mode 100644
index 0000000000..494a4620d1
--- /dev/null
+++ b/queue-6.1/alsa-usb-audio-add-delay-quirk-for-usb-audio-device.patch
@@ -0,0 +1,37 @@
+From ad5b205f9e022b407d91f952faddd05718be2866 Mon Sep 17 00:00:00 2001
+From: Lianqin Hu
+Date: Wed, 15 Jan 2025 09:32:35 +0000
+Subject: ALSA: usb-audio: Add delay quirk for USB Audio Device
+
+From: Lianqin Hu
+
+commit ad5b205f9e022b407d91f952faddd05718be2866 upstream.
+
+Audio control requests that sets sampling frequency sometimes fail on
+this card. Adding delay between control messages eliminates that problem.
+
+usb 1-1: New USB device found, idVendor=0d8c, idProduct=0014
+usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
+usb 1-1: Product: USB Audio Device
+usb 1-1: Manufacturer: C-Media Electronics Inc.
+
+Signed-off-by: Lianqin Hu
+Cc: 
+Signed-off-by: Takashi Iwai
+Link: https://patch.msgid.link/TYUPR06MB6217E94D922B9BF422A73F32D2192@TYUPR06MB6217.apcprd06.prod.outlook.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/usb/quirks.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/usb/quirks.c
++++ b/sound/usb/quirks.c
+@@ -2137,6 +2137,8 @@ static const struct usb_audio_quirk_flag
+ QUIRK_FLAG_CTL_MSG_DELAY_1M),
+ DEVICE_FLG(0x0c45, 0x6340, /* Sonix HD USB Camera */
+ QUIRK_FLAG_GET_SAMPLE_RATE),
++ DEVICE_FLG(0x0d8c, 0x0014, /* USB Audio Device */
++ QUIRK_FLAG_CTL_MSG_DELAY_1M),
+ DEVICE_FLG(0x0ecb, 0x205c, /* JBL Quantum610 Wireless */
+ QUIRK_FLAG_FIXED_RATE),
+ DEVICE_FLG(0x0ecb, 0x2069, /* JBL Quantum810 Wireless */
diff --git a/queue-6.1/input-atkbd-map-f23-key-to-support-default-copilot-shortcut.patch b/queue-6.1/input-atkbd-map-f23-key-to-support-default-copilot-shortcut.patch
new file mode 100644
index 0000000000..177f289446
--- /dev/null
+++ b/queue-6.1/input-atkbd-map-f23-key-to-support-default-copilot-shortcut.patch
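Review bot: The comment on the new `DEVICE_FLG(0x0d8c, 0x0014, /* USB Audio Device */` row is just the device's generic product string, while the neighbouring rows name the actual product (Sonix HD USB Camera, JBL Quantum610 Wireless), so the entry is hard to find by vendor later. The commit log shows the manufacturer is C-Media, so I would write `DEVICE_FLG(0x0d8c, 0x0014, /* C-Media USB Audio Device */` to match the table's convention. The entry keeps the table's vendor/product ordering between 0x0c45 and 0x0ecb; the usb_audio_quirk_flags table starts before and continues after the hunk.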
@@ -0,0 +1,45 @@
+From 907bc9268a5a9f823ffa751957a5c1dd59f83f42 Mon Sep 17 00:00:00 2001
+From: Mark Pearson
+Date: Mon, 20 Jan 2025 20:24:08 -0800
+Subject: Input: atkbd - map F23 key to support default copilot shortcut
+
+From: Mark Pearson
+
+commit 907bc9268a5a9f823ffa751957a5c1dd59f83f42 upstream.
+
+Microsoft defined Meta+Shift+F23 as the Copilot shortcut instead of a
+dedicated keycode, and multiple vendors have their keyboards emit this
+sequence in response to users pressing a dedicated "Copilot" key.
+Unfortunately the default keymap table in atkbd does not map scancode
+0x6e (F23) and so the key combination does not work even if userspace
+is ready to handle it.
+
+Because this behavior is common between multiple vendors and the
+scancode is currently unused map 0x6e to keycode 193 (KEY_F23) so that
+key sequence is generated properly.
+
+MS documentation for the scan code:
+https://learn.microsoft.com/en-us/windows/win32/inputdev/about-keyboard-input#scan-codes
+Confirmed on Lenovo, HP and Dell machines by Canonical.
+Tested on Lenovo T14s G6 AMD.
+
+Signed-off-by: Mark Pearson
+Link: https://lore.kernel.org/r/20250107034554.25843-1-mpearson-lenovo@squebb.ca
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/input/keyboard/atkbd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/input/keyboard/atkbd.c
++++ b/drivers/input/keyboard/atkbd.c
+@@ -89,7 +89,7 @@ static const unsigned short atkbd_set2_k
+ 0, 46, 45, 32, 18, 5, 4, 95, 0, 57, 47, 33, 20, 19, 6,183,
+ 0, 49, 48, 35, 34, 21, 7,184, 0, 0, 50, 36, 22, 8, 9,185,
+ 0, 51, 37, 23, 24, 11, 10, 0, 0, 52, 53, 38, 39, 25, 12, 0,
+- 0, 89, 40, 0, 26, 13, 0, 0, 58, 54, 28, 27, 0, 43, 0, 85,
++ 0, 89, 40, 0, 26, 13, 0,193, 58, 54, 28, 27, 0, 43, 0, 85,
+ 0, 86, 91, 90, 92, 0, 14, 94, 0, 79,124, 75, 71,121, 0, 0,
+ 82, 83, 80, 76, 77, 72, 1, 69, 87, 78, 81, 74, 55, 73, 70, 99,
+ 
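Review bot: The changed row of `atkbd_set2_keycode` (named in the hunk header) is a bare number table, so nothing in the code records which scancode the new `193` serves, and the commit log's "0x6e" is the translated set-1 code rather than the set-2 index this table is keyed by. Per the linked MS scan-code table F23's set-2 make code is 0x57, and the entry sits at offset 7 of a 16-wide row that is presumably the 0x50 row — consistent with 0x57 if the array starts where I assume, but that is not verifiable from the hunk. I would add a trailing comment on the changed line, `0, 89, 40, 0, 26, 13, 0,193, 58, 54, 28, 27, 0, 43, 0, 85, /* 0x57: KEY_F23 (set-1 0x6e) */`, so the next reader does not have to recount. The array starts before and ends after the hunk.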
diff --git a/queue-6.1/input-xpad-add-support-for-wooting-two-he-arm.patch b/queue-6.1/input-xpad-add-support-for-wooting-two-he-arm.patch
new file mode 100644
index 0000000000..2c02e79bbe
--- /dev/null
+++ b/queue-6.1/input-xpad-add-support-for-wooting-two-he-arm.patch
@@ -0,0 +1,31 @@
+From 222f3390c15c4452a9f7e26f5b7d9138e75d00d5 Mon Sep 17 00:00:00 2001
+From: Jack Greiner
+Date: Fri, 17 Jan 2025 16:51:58 -0800
+Subject: Input: xpad - add support for wooting two he (arm)
+
+From: Jack Greiner
+
+commit 222f3390c15c4452a9f7e26f5b7d9138e75d00d5 upstream.
+
+Add Wooting Two HE (ARM) to the list of supported devices.
+
+Signed-off-by: Jack Greiner
+Signed-off-by: Pavel Rojtberg
+Link: https://lore.kernel.org/r/20250107192830.414709-3-rojtberg@gmail.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/input/joystick/xpad.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/input/joystick/xpad.c
++++ b/drivers/input/joystick/xpad.c
+@@ -367,6 +367,7 @@ static const struct xpad_device {
+ { 0x31e3, 0x1200, "Wooting Two", 0, XTYPE_XBOX360 },
+ { 0x31e3, 0x1210, "Wooting Lekker", 0, XTYPE_XBOX360 },
+ { 0x31e3, 0x1220, "Wooting Two HE", 0, XTYPE_XBOX360 },
++ { 0x31e3, 0x1230, "Wooting Two HE (ARM)", 0, XTYPE_XBOX360 },
+ { 0x31e3, 0x1300, "Wooting 60HE (AVR)", 0, XTYPE_XBOX360 },
+ { 0x31e3, 0x1310, "Wooting 60HE (ARM)", 0, XTYPE_XBOX360 },
+ { 0x3285, 0x0607, "Nacon GC-100", 0, XTYPE_XBOX360 },
diff --git a/queue-6.1/input-xpad-add-unofficial-xbox-360-wireless-receiver-clone.patch b/queue-6.1/input-xpad-add-unofficial-xbox-360-wireless-receiver-clone.patch
new file mode 100644
index 0000000000..d7884a8f3e
--- /dev/null
+++ b/queue-6.1/input-xpad-add-unofficial-xbox-360-wireless-receiver-clone.patch
@@ -0,0 +1,35 @@
+From e4940fe6322c851659c17852b671c6e7b1aa9f56 Mon Sep 17 00:00:00 2001
+From: Nilton Perim Neto
+Date: Fri, 17 Jan 2025 09:34:18 -0800
+Subject: Input: xpad - add unofficial Xbox 360 wireless receiver clone
+
+From: Nilton Perim Neto
+
+commit e4940fe6322c851659c17852b671c6e7b1aa9f56 upstream.
+
+Although it mimics the Microsoft's VendorID, it is in fact a clone.
+Taking into account that the original Microsoft Receiver is not being
+manufactured anymore, this drive can solve dpad issues encontered by
+those who still use the original 360 Wireless controller
+but are using a receiver clone.
+
+Signed-off-by: Nilton Perim Neto
+Signed-off-by: Pavel Rojtberg
+Link: https://lore.kernel.org/r/20250107192830.414709-12-rojtberg@gmail.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/input/joystick/xpad.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/input/joystick/xpad.c
++++ b/drivers/input/joystick/xpad.c
+@@ -145,6 +145,7 @@ static const struct xpad_device {
+ { 0x045e, 0x028e, "Microsoft X-Box 360 pad", 0, XTYPE_XBOX360 },
+ { 0x045e, 0x028f, "Microsoft X-Box 360 pad v2", 0, XTYPE_XBOX360 },
+ { 0x045e, 0x0291, "Xbox 360 Wireless Receiver (XBOX)", MAP_DPAD_TO_BUTTONS, XTYPE_XBOX360W },
++ { 0x045e, 0x02a9, "Xbox 360 Wireless Receiver (Unofficial)", MAP_DPAD_TO_BUTTONS, XTYPE_XBOX360W },
+ { 0x045e, 0x02d1, "Microsoft X-Box One pad", 0, XTYPE_XBOXONE },
+ { 0x045e, 0x02dd, "Microsoft X-Box One pad (Firmware 2015)", 0, XTYPE_XBOXONE },
+ { 0x045e, 0x02e3, "Microsoft X-Box One Elite pad", MAP_PADDLES, XTYPE_XBOXONE },
diff --git a/queue-6.1/revert-usb-gadget-u_serial-disable-ep-before-setting-port-to-null-to-fix-the-crash-caused-by-port-being-null.patch b/queue-6.1/revert-usb-gadget-u_serial-disable-ep-before-setting-port-to-null-to-fix-the-crash-caused-by-port-being-null.patch
new file mode 100644
index 0000000000..ad1f0ae064
--- /dev/null
+++ b/queue-6.1/revert-usb-gadget-u_serial-disable-ep-before-setting-port-to-null-to-fix-the-crash-caused-by-port-being-null.patch
@@ -0,0 +1,47 @@
+From 086fd062bc3883ae1ce4166cff5355db315ad879 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman
+Date: Fri, 17 Jan 2025 09:17:12 +0100
+Subject: Revert "usb: gadget: u_serial: Disable ep before setting port to null to fix the crash caused by port being null"
+
+From: Greg Kroah-Hartman
+
+commit 086fd062bc3883ae1ce4166cff5355db315ad879 upstream.
+
+This reverts commit 13014969cbf07f18d62ceea40bd8ca8ec9d36cec.
+
+It is reported to cause crashes on Tegra systems, so revert it for now.
+
+Link: https://lore.kernel.org/r/1037c1ad-9230-4181-b9c3-167dbaa47644@nvidia.com
+Reported-by: Jon Hunter
+Cc: stable
+Cc: Lianqin Hu
+Link: https://lore.kernel.org/r/2025011711-yippee-fever-a737@gregkh
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/gadget/function/u_serial.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/gadget/function/u_serial.c
++++ b/drivers/usb/gadget/function/u_serial.c
+@@ -1393,10 +1393,6 @@ void gserial_disconnect(struct gserial *
+ /* REVISIT as above: how best to track this? */
+ port->port_line_coding = gser->port_line_coding;
+ 
+- /* disable endpoints, aborting down any active I/O */
+- usb_ep_disable(gser->out);
+- usb_ep_disable(gser->in);
+-
+ port->port_usb = NULL;
+ gser->ioport = NULL;
+ if (port->port.count > 0) {
+@@ -1408,6 +1404,10 @@ void gserial_disconnect(struct gserial *
+ spin_unlock(&port->port_lock);
+ spin_unlock_irqrestore(&serial_port_lock, flags);
+ 
++ /* disable endpoints, aborting down any active I/O */
++ usb_ep_disable(gser->out);
++ usb_ep_disable(gser->in);
++
+ /* finally, free any unused/unusable I/O buffers */
+ spin_lock_irqsave(&port->port_lock, flags);
+ if (port->port.count == 0)
diff --git a/queue-6.1/series b/queue-6.1/series
index 6818d9d5bd..0a8d0b2e96 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
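Review bot: Moving `usb_ep_disable(gser->out);` / `usb_ep_disable(gser->in);` back below the unlock means `port->port_usb = NULL;` is published while both endpoints are still live, which is exactly the window the reverted commit 13014969 ("...fix the crash caused by port being null") was closing; any completion callback that runs in that window must tolerate a NULL port_usb, and those callbacks are outside the hunk so I cannot confirm they do. The revert log records only that the earlier ordering crashed on Tegra, not why, so nothing in the code stops someone from re-applying the same move. I would put a why-comment above the restored calls, e.g. `/* Disable only after dropping the locks: doing it under port_lock crashed on Tegra (see revert of 13014969). port_usb is already NULL here, so completions must handle that. */`, with the Tegra reason hedged to what the report actually establishes. gserial_disconnect starts before and ends after the hunk.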
@@ -39,3 +39,10 @@ ext4-filesystems-without-casefold-feature-cannot-be-mounted-with-siphash.patch
 ipv4-ip_tunnel-fix-suspicious-rcu-usage-warning-in-ip_tunnel_find.patch
 scsi-storvsc-ratelimit-warning-logs-to-prevent-vm-denial-of-service.patch
 wifi-iwlwifi-add-a-few-rate-index-validity-checks.patch
+smb-client-fix-uaf-in-async-decryption.patch
+usb-serial-quatech2-fix-null-ptr-deref-in-qt2_process_read_urb.patch
+revert-usb-gadget-u_serial-disable-ep-before-setting-port-to-null-to-fix-the-crash-caused-by-port-being-null.patch
+alsa-usb-audio-add-delay-quirk-for-usb-audio-device.patch
+input-atkbd-map-f23-key-to-support-default-copilot-shortcut.patch
+input-xpad-add-unofficial-xbox-360-wireless-receiver-clone.patch
+input-xpad-add-support-for-wooting-two-he-arm.patch
diff --git a/queue-6.1/smb-client-fix-uaf-in-async-decryption.patch b/queue-6.1/smb-client-fix-uaf-in-async-decryption.patch
new file mode 100644
index 0000000000..30106755f4
--- /dev/null
+++ b/queue-6.1/smb-client-fix-uaf-in-async-decryption.patch
@@ -0,0 +1,185 @@
+From b0abcd65ec545701b8793e12bc27dc98042b151a Mon Sep 17 00:00:00 2001
+From: Enzo Matsumiya
+Date: Thu, 26 Sep 2024 14:46:13 -0300
+Subject: smb: client: fix UAF in async decryption
+
+From: Enzo Matsumiya
+
+commit b0abcd65ec545701b8793e12bc27dc98042b151a upstream.
+
+Doing an async decryption (large read) crashes with a
+slab-use-after-free way down in the crypto API.
+
+Reproducer:
+ # mount.cifs -o ...,seal,esize=1 //srv/share /mnt
+ # dd if=/mnt/largefile of=/dev/null
+ ...
+ [ 194.196391] ==================================================================
+ [ 194.196844] BUG: KASAN: slab-use-after-free in gf128mul_4k_lle+0xc1/0x110
+ [ 194.197269] Read of size 8 at addr ffff888112bd0448 by task kworker/u77:2/899
+ [ 194.197707]
+ [ 194.197818] CPU: 12 UID: 0 PID: 899 Comm: kworker/u77:2 Not tainted 6.11.0-lku-00028-gfca3ca14a17a-dirty #43
+ [ 194.198400] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.2-3-gd478f380-prebuilt.qemu.org 04/01/2014
+ [ 194.199046] Workqueue: smb3decryptd smb2_decrypt_offload [cifs]
+ [ 194.200032] Call Trace:
+ [ 194.200191]
+ [ 194.200327] dump_stack_lvl+0x4e/0x70
+ [ 194.200558] ? gf128mul_4k_lle+0xc1/0x110
+ [ 194.200809] print_report+0x174/0x505
+ [ 194.201040] ? __pfx__raw_spin_lock_irqsave+0x10/0x10
+ [ 194.201352] ? srso_return_thunk+0x5/0x5f
+ [ 194.201604] ? __virt_addr_valid+0xdf/0x1c0
+ [ 194.201868] ? gf128mul_4k_lle+0xc1/0x110
+ [ 194.202128] kasan_report+0xc8/0x150
+ [ 194.202361] ? gf128mul_4k_lle+0xc1/0x110
+ [ 194.202616] gf128mul_4k_lle+0xc1/0x110
+ [ 194.202863] ghash_update+0x184/0x210
+ [ 194.203103] shash_ahash_update+0x184/0x2a0
+ [ 194.203377] ? __pfx_shash_ahash_update+0x10/0x10
+ [ 194.203651] ? srso_return_thunk+0x5/0x5f
+ [ 194.203877] ? crypto_gcm_init_common+0x1ba/0x340
+ [ 194.204142] gcm_hash_assoc_remain_continue+0x10a/0x140
+ [ 194.204434] crypt_message+0xec1/0x10a0 [cifs]
+ [ 194.206489] ? __pfx_crypt_message+0x10/0x10 [cifs]
+ [ 194.208507] ? srso_return_thunk+0x5/0x5f
+ [ 194.209205] ? srso_return_thunk+0x5/0x5f
+ [ 194.209925] ? srso_return_thunk+0x5/0x5f
+ [ 194.210443] ? srso_return_thunk+0x5/0x5f
+ [ 194.211037] decrypt_raw_data+0x15f/0x250 [cifs]
+ [ 194.212906] ? __pfx_decrypt_raw_data+0x10/0x10 [cifs]
+ [ 194.214670] ? srso_return_thunk+0x5/0x5f
+ [ 194.215193] smb2_decrypt_offload+0x12a/0x6c0 [cifs]
+
+This is because TFM is being used in parallel.
+
+Fix this by allocating a new AEAD TFM for async decryption, but keep
+the existing one for synchronous READ cases (similar to what is done
+in smb3_calc_signature()).
+
+Also remove the calls to aead_request_set_callback() and
+crypto_wait_req() since it's always going to be a synchronous operation.
+
+Signed-off-by: Enzo Matsumiya
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/smb/client/smb2ops.c | 47 ++++++++++++++++++++++++++++-------------------
+ fs/smb/client/smb2pdu.c | 6 ++++++
+ 2 files changed, 34 insertions(+), 19 deletions(-)
+
+--- a/fs/smb/client/smb2ops.c
++++ b/fs/smb/client/smb2ops.c
+@@ -4488,7 +4488,7 @@ smb2_get_enc_key(struct TCP_Server_Info
+ */
+ static int
+ crypt_message(struct TCP_Server_Info *server, int num_rqst,
+- struct smb_rqst *rqst, int enc)
++ struct smb_rqst *rqst, int enc, struct crypto_aead *tfm)
+ {
+ struct smb2_transform_hdr *tr_hdr =
+ (struct smb2_transform_hdr *)rqst[0].rq_iov[0].iov_base;
+@@ -4499,8 +4499,6 @@ crypt_message(struct TCP_Server_Info *se
+ u8 key[SMB3_ENC_DEC_KEY_SIZE];
+ struct aead_request *req;
+ u8 *iv;
+- DECLARE_CRYPTO_WAIT(wait);
+- struct crypto_aead *tfm;
+ unsigned int crypt_len = le32_to_cpu(tr_hdr->OriginalMessageSize);
+ void *creq;
+ 
+@@ -4511,14 +4509,6 @@ crypt_message(struct TCP_Server_Info *se
+ return rc;
+ }
+ 
+- rc = smb3_crypto_aead_allocate(server);
+- if (rc) {
+- cifs_server_dbg(VFS, "%s: crypto alloc failed\n", __func__);
+- return rc;
+- }
+-
+- tfm = enc ? server->secmech.enc : server->secmech.dec;
+-
+ if ((server->cipher_type == SMB2_ENCRYPTION_AES256_CCM) ||
+ (server->cipher_type == SMB2_ENCRYPTION_AES256_GCM))
+ rc = crypto_aead_setkey(tfm, key, SMB3_GCM256_CRYPTKEY_SIZE);
+@@ -4557,11 +4547,7 @@ crypt_message(struct TCP_Server_Info *se
+ aead_request_set_crypt(req, sg, sg, crypt_len, iv);
+ aead_request_set_ad(req, assoc_data_len);
+ 
+- aead_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG,
+- crypto_req_done, &wait);
+-
+- rc = crypto_wait_req(enc ? crypto_aead_encrypt(req)
+- : crypto_aead_decrypt(req), &wait);
++ rc = enc ? crypto_aead_encrypt(req) : crypto_aead_decrypt(req);
+ 
+ if (!rc && enc)
+ memcpy(&tr_hdr->Signature, sign, SMB2_SIGNATURE_SIZE);
+@@ -4650,7 +4636,7 @@ smb3_init_transform_rq(struct TCP_Server
+ /* fill the 1st iov with a transform header */
+ fill_transform_hdr(tr_hdr, orig_len, old_rq, server->cipher_type);
+ 
+- rc = crypt_message(server, num_rqst, new_rq, 1);
++ rc = crypt_message(server, num_rqst, new_rq, 1, server->secmech.enc);
+ cifs_dbg(FYI, "Encrypt message returned %d\n", rc);
+ if (rc)
+ goto err_free;
+@@ -4676,8 +4662,9 @@ decrypt_raw_data(struct TCP_Server_Info
+ unsigned int npages, unsigned int page_data_size,
+ bool is_offloaded)
+ {
+- struct kvec iov[2];
++ struct crypto_aead *tfm;
+ struct smb_rqst rqst = {NULL};
++ struct kvec iov[2];
+ int rc;
+ 
+ iov[0].iov_base = buf;
+@@ -4692,9 +4679,31 @@ decrypt_raw_data(struct TCP_Server_Info
+ rqst.rq_pagesz = PAGE_SIZE;
+ rqst.rq_tailsz = (page_data_size % PAGE_SIZE) ? : PAGE_SIZE;
+ 
+- rc = crypt_message(server, 1, &rqst, 0);
++ if (is_offloaded) {
++ if ((server->cipher_type == SMB2_ENCRYPTION_AES128_GCM) ||
++ (server->cipher_type == SMB2_ENCRYPTION_AES256_GCM))
++ tfm = crypto_alloc_aead("gcm(aes)", 0, 0);
++ else
++ tfm = crypto_alloc_aead("ccm(aes)", 0, 0);
++ if (IS_ERR(tfm)) {
++ rc = PTR_ERR(tfm);
++ cifs_server_dbg(VFS, "%s: Failed alloc decrypt TFM, rc=%d\n", __func__, rc);
++
++ return rc;
++ }
++ } else {
++ if (unlikely(!server->secmech.dec))
++ return -EIO;
++
++ tfm = server->secmech.dec;
++ }
++
++ rc = crypt_message(server, 1, &rqst, 0, tfm);
+ cifs_dbg(FYI, "Decrypt message returned %d\n", rc);
+ 
++ if (is_offloaded)
++ crypto_free_aead(tfm);
++
+ if (rc)
+ return rc;
+ 
+--- a/fs/smb/client/smb2pdu.c
++++ b/fs/smb/client/smb2pdu.c
+@@ -1105,6 +1105,12 @@ SMB2_negotiate(const unsigned int xid,
+ else
+ cifs_server_dbg(VFS, "Missing expected negotiate contexts\n");
+ }
++
++ if (server->cipher_type && !rc) {
++ rc = smb3_crypto_aead_allocate(server);
++ if (rc)
++ cifs_server_dbg(VFS, "%s: crypto alloc failed, rc=%d\n", __func__, rc);
++ }
+ neg_exit:
+ free_rsp_buf(resp_buftype, rsp);
+ return rc;
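Review bot: `tfm = crypto_alloc_aead("gcm(aes)", 0, 0);` (and the `ccm(aes)` twin) passes a zero mask, so the crypto API may hand back an asynchronous implementation, yet the rewritten `rc = enc ? crypto_aead_encrypt(req) : crypto_aead_decrypt(req);` no longer sets a callback or waits — an async driver would return -EINPROGRESS/-EBUSY, which this code treats as a hard error while the request is still in flight against `req`, `sg` and `iv`, which the caller presumably frees on return (the free is outside the hunk). The log's premise that the operation is "always going to be synchronous" only holds if a synchronous algorithm is requested, so I would allocate with `tfm = crypto_alloc_aead("gcm(aes)", 0, CRYPTO_ALG_ASYNC);` (mask, not type) for both ciphers and confirm `smb3_crypto_aead_allocate()`, not shown here, does the same for `secmech.enc`/`secmech.dec`; otherwise the `crypto_wait_req()` path should stay. The non-offloaded decrypt path gained `if (unlikely(!server->secmech.dec)) return -EIO;`, but `smb3_init_transform_rq` passes `server->secmech.enc` into `crypto_aead_setkey()` with no matching guard, so if the new `SMB2_negotiate` block can be skipped (it only runs when `server->cipher_type` is non-zero) a NULL tfm reaches the crypto API — worth the same check. crypt_message, decrypt_raw_data and SMB2_negotiate all extend outside the hunk.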
@@ -0,0 +1,53 @@
+From 575a5adf48b06a2980c9eeffedf699ed5534fade Mon Sep 17 00:00:00 2001
+From: Qasim Ijaz
+Date: Mon, 13 Jan 2025 18:00:34 +0000
+Subject: USB: serial: quatech2: fix null-ptr-deref in qt2_process_read_urb()
+
+From: Qasim Ijaz
+
+commit 575a5adf48b06a2980c9eeffedf699ed5534fade upstream.
+
+This patch addresses a null-ptr-deref in qt2_process_read_urb() due to
+an incorrect bounds check in the following:
+
+ if (newport > serial->num_ports) {
+ dev_err(&port->dev,
+ "%s - port change to invalid port: %i\n",
+ __func__, newport);
+ break;
+ }
+
+The condition doesn't account for the valid range of the serial->port
+buffer, which is from 0 to serial->num_ports - 1. When newport is equal
+to serial->num_ports, the assignment of "port" in the
+following code is out-of-bounds and NULL:
+
+ serial_priv->current_port = newport;
+ port = serial->port[serial_priv->current_port];
+
+The fix checks if newport is greater than or equal to serial->num_ports
+indicating it is out-of-bounds.
+
+Reported-by: syzbot
+Closes: https://syzkaller.appspot.com/bug?extid=506479ebf12fe435d01a
+Fixes: f7a33e608d9a ("USB: serial: add quatech2 usb to serial driver")
+Cc: # 3.5
+Signed-off-by: Qasim Ijaz
+Reviewed-by: Greg Kroah-Hartman
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/serial/quatech2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/serial/quatech2.c
++++ b/drivers/usb/serial/quatech2.c
+@@ -511,7 +511,7 @@ static void qt2_process_read_urb(struct
+ 
+ newport = *(ch + 3);
+ 
+- if (newport > serial->num_ports) {
++ if (newport >= serial->num_ports) {
+ dev_err(&port->dev,
+ "%s - port change to invalid port: %i\n",
+ __func__, newport);
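Review bot: `newport` is read straight from the device's URB payload (`newport = *(ch + 3);`), so a hostile or faulty device can trip the corrected `>=` check on every read URB and the unratelimited `dev_err(&port->dev, ...)` on the next line becomes a log-flooding channel; `dev_err_ratelimited(&port->dev, "%s - port change to invalid port: %i\n", __func__, newport);` keeps the diagnostic without that cost. The new bound is right for `serial->port[]` indexed 0..num_ports-1 provided `newport` is an unsigned type; its declaration is outside the hunk, so confirm a negative value cannot slip past the comparison. qt2_process_read_urb starts before and ends after the hunk.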