From 074c263715643f44a7c9caee2a82d7f0ae711d6c Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sun, 28 May 2023 17:28:13 +0100 Subject: [PATCH] 4.19-stable patches added patches: alsa-hda-realtek-fix-inverted-bass-gpio-pin-on-acer-8951g.patch alsa-hda-realtek-fixed-one-of-hp-alc671-platform-headset-mic-supported.patch udplite-fix-null-pointer-dereference-in-__sk_mem_raise_allocated.patch usb-core-add-routines-for-endpoint-checks-in-old-drivers.patch usb-sisusbvga-add-endpoint-checks.patch --- ...inverted-bass-gpio-pin-on-acer-8951g.patch | 78 +++++++++ ...lc671-platform-headset-mic-supported.patch | 31 ++++ queue-4.19/series | 5 + ...eference-in-__sk_mem_raise_allocated.patch | 125 +++++++++++++++ ...s-for-endpoint-checks-in-old-drivers.patch | 150 ++++++++++++++++++ .../usb-sisusbvga-add-endpoint-checks.patch | 79 +++++++++ 6 files changed, 468 insertions(+) create mode 100644 queue-4.19/alsa-hda-realtek-fix-inverted-bass-gpio-pin-on-acer-8951g.patch create mode 100644 queue-4.19/alsa-hda-realtek-fixed-one-of-hp-alc671-platform-headset-mic-supported.patch create mode 100644 queue-4.19/udplite-fix-null-pointer-dereference-in-__sk_mem_raise_allocated.patch create mode 100644 queue-4.19/usb-core-add-routines-for-endpoint-checks-in-old-drivers.patch create mode 100644 queue-4.19/usb-sisusbvga-add-endpoint-checks.patch diff --git a/queue-4.19/alsa-hda-realtek-fix-inverted-bass-gpio-pin-on-acer-8951g.patch b/queue-4.19/alsa-hda-realtek-fix-inverted-bass-gpio-pin-on-acer-8951g.patch new file mode 100644 index 00000000000..b7095b1f996 --- /dev/null +++ b/queue-4.19/alsa-hda-realtek-fix-inverted-bass-gpio-pin-on-acer-8951g.patch 
@@ -0,0 +1,78 @@ +From 336820c4374bc065317f247dc2bb37c0e41b64a6 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Thu, 28 Nov 2019 21:26:30 +0100 +Subject: ALSA: hda/realtek - Fix inverted bass GPIO pin on Acer 8951G + +From: Takashi Iwai + +commit 336820c4374bc065317f247dc2bb37c0e41b64a6 upstream. + +We've added the bass speaker support on Acer 8951G by the commit +00066e9733f6 ("Add Acer Aspire Ethos 8951G model quirk"), but it seems +that the GPIO pin was wrongly set: while the commit turns off the bit +to power up the amp, the actual hardware reacts other way round, +i.e. GPIO bit on = amp on. + +So this patch fixes the bug, turning on the GPIO bit 0x02 as default. +Since turning on the GPIO bit can be more easily managed with +alc_setup_gpio() call, we simplify the quirk code by integrating the +GPIO setup into the existing alc662_fixup_aspire_ethos_hp() and +dropping the whole ALC669_FIXUP_ACER_ASPIRE_ETHOS_SUBWOOFER quirk. + +Fixes: 00066e9733f6 ("Add Acer Aspire Ethos 8951G model quirk") +Reported-and-tested-by: Sergey 'Jin' Bostandzhyan +Cc: +Link: https://lore.kernel.org/r/20191128202630.6626-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 17 +++-------------- + 1 file changed, 3 insertions(+), 14 deletions(-) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -8540,6 +8540,8 @@ static void alc662_fixup_aspire_ethos_hp + case HDA_FIXUP_ACT_PRE_PROBE: + snd_hda_jack_detect_enable_callback(codec, 0x1b, + alc662_aspire_ethos_mute_speakers); ++ /* subwoofer needs an extra GPIO setting to become audible */ ++ alc_setup_gpio(codec, 0x02); + break; + case HDA_FIXUP_ACT_INIT: + /* Make sure to start in a correct state, i.e. 
if +@@ -8666,7 +8668,6 @@ enum { + ALC662_FIXUP_USI_HEADSET_MODE, + ALC662_FIXUP_LENOVO_MULTI_CODECS, + ALC669_FIXUP_ACER_ASPIRE_ETHOS, +- ALC669_FIXUP_ACER_ASPIRE_ETHOS_SUBWOOFER, + ALC669_FIXUP_ACER_ASPIRE_ETHOS_HEADSET, + ALC671_FIXUP_HP_HEADSET_MIC2, + ALC662_FIXUP_ACER_X2660G_HEADSET_MODE, +@@ -9007,18 +9008,6 @@ static const struct hda_fixup alc662_fix + .type = HDA_FIXUP_FUNC, + .v.func = alc662_fixup_aspire_ethos_hp, + }, +- [ALC669_FIXUP_ACER_ASPIRE_ETHOS_SUBWOOFER] = { +- .type = HDA_FIXUP_VERBS, +- /* subwoofer needs an extra GPIO setting to become audible */ +- .v.verbs = (const struct hda_verb[]) { +- {0x01, AC_VERB_SET_GPIO_MASK, 0x02}, +- {0x01, AC_VERB_SET_GPIO_DIRECTION, 0x02}, +- {0x01, AC_VERB_SET_GPIO_DATA, 0x00}, +- { } +- }, +- .chained = true, +- .chain_id = ALC669_FIXUP_ACER_ASPIRE_ETHOS_HEADSET +- }, + [ALC669_FIXUP_ACER_ASPIRE_ETHOS] = { + .type = HDA_FIXUP_PINS, + .v.pins = (const struct hda_pintbl[]) { +@@ -9028,7 +9017,7 @@ static const struct hda_fixup alc662_fix + { } + }, + .chained = true, +- .chain_id = ALC669_FIXUP_ACER_ASPIRE_ETHOS_SUBWOOFER ++ .chain_id = ALC669_FIXUP_ACER_ASPIRE_ETHOS_HEADSET + }, + [ALC671_FIXUP_HP_HEADSET_MIC2] = { + .type = HDA_FIXUP_FUNC, diff --git a/queue-4.19/alsa-hda-realtek-fixed-one-of-hp-alc671-platform-headset-mic-supported.patch b/queue-4.19/alsa-hda-realtek-fixed-one-of-hp-alc671-platform-headset-mic-supported.patch new file mode 100644 index 00000000000..9989e84cef6 --- /dev/null +++ b/queue-4.19/alsa-hda-realtek-fixed-one-of-hp-alc671-platform-headset-mic-supported.patch 
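Review bot: The comment carried over above `alc_setup_gpio(codec, 0x02);` in the HDA_FIXUP_ACT_PRE_PROBE case of alc662_fixup_aspire_ethos_hp() does not record the polarity, which is the whole point of this fix. The commit message states that the amp is on when the GPIO bit is on, so I would word it as `/* subwoofer amp is enabled while GPIO bit 0x02 is set */`. The function body starts and ends outside the hunk.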
@@ -0,0 +1,31 @@ +From f2adbae0cb20c8eaf06914b2187043ea944b0aff Mon Sep 17 00:00:00 2001 +From: Kailang Yang +Date: Wed, 5 Feb 2020 15:40:01 +0800 +Subject: ALSA: hda/realtek - Fixed one of HP ALC671 platform Headset Mic supported + +From: Kailang Yang + +commit f2adbae0cb20c8eaf06914b2187043ea944b0aff upstream. + +HP want to keep BIOS verb table for release platform. +So, it need to add 0x19 pin for quirk. + +Fixes: 5af29028fd6d ("ALSA: hda/realtek - Add Headset Mic supported for HP cPC") +Signed-off-by: Kailang Yang +Link: https://lore.kernel.org/r/74636ccb700a4cbda24c58a99dc430ce@realtek.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -9290,6 +9290,7 @@ static const struct snd_hda_pin_quirk al + SND_HDA_PIN_QUIRK(0x10ec0671, 0x103c, "HP cPC", ALC671_FIXUP_HP_HEADSET_MIC2, + {0x14, 0x01014010}, + {0x17, 0x90170150}, ++ {0x19, 0x02a11060}, + {0x1b, 0x01813030}, + {0x21, 0x02211020}), + SND_HDA_PIN_QUIRK(0x10ec0671, 0x103c, "HP cPC", ALC671_FIXUP_HP_HEADSET_MIC2, diff --git a/queue-4.19/series b/queue-4.19/series index 9ebf3fa72bd..c9bf75cbadf 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -110,3 +110,8 @@ btrfs-use-nofs-when-cleaning-up-aborted-transactions.patch x86-mm-avoid-incomplete-global-invlpg-flushes.patch selftests-memfd-fix-unknown-type-name-build-failure.patch parisc-fix-flush_dcache_page-for-usage-from-irq-context.patch +alsa-hda-realtek-fixed-one-of-hp-alc671-platform-headset-mic-supported.patch +alsa-hda-realtek-fix-inverted-bass-gpio-pin-on-acer-8951g.patch +udplite-fix-null-pointer-dereference-in-__sk_mem_raise_allocated.patch +usb-core-add-routines-for-endpoint-checks-in-old-drivers.patch +usb-sisusbvga-add-endpoint-checks.patch 
diff --git a/queue-4.19/udplite-fix-null-pointer-dereference-in-__sk_mem_raise_allocated.patch b/queue-4.19/udplite-fix-null-pointer-dereference-in-__sk_mem_raise_allocated.patch
new file mode 100644
index 00000000000..959bcb4fca2
--- /dev/null
+++ b/queue-4.19/udplite-fix-null-pointer-dereference-in-__sk_mem_raise_allocated.patch
@@ -0,0 +1,125 @@ +From ad42a35bdfc6d3c0fc4cb4027d7b2757ce665665 Mon Sep 17 00:00:00 2001 +From: Kuniyuki Iwashima +Date: Tue, 23 May 2023 09:33:05 -0700 +Subject: udplite: Fix NULL pointer dereference in __sk_mem_raise_allocated(). + +From: Kuniyuki Iwashima + +commit ad42a35bdfc6d3c0fc4cb4027d7b2757ce665665 upstream. + +syzbot reported [0] a null-ptr-deref in sk_get_rmem0() while using +IPPROTO_UDPLITE (0x88): + + 14:25:52 executing program 1: + r0 = socket$inet6(0xa, 0x80002, 0x88) + +We had a similar report [1] for probably sk_memory_allocated_add() +in __sk_mem_raise_allocated(), and commit c915fe13cbaa ("udplite: fix +NULL pointer dereference") fixed it by setting .memory_allocated for +udplite_prot and udplitev6_prot. + +To fix the variant, we need to set either .sysctl_wmem_offset or +.sysctl_rmem. + +Now UDP and UDPLITE share the same value for .memory_allocated, so we +use the same .sysctl_wmem_offset for UDP and UDPLITE. + +[0]: +general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN +KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] +CPU: 0 PID: 6829 Comm: syz-executor.1 Not tainted 6.4.0-rc2-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 +RIP: 0010:sk_get_rmem0 include/net/sock.h:2907 [inline] +RIP: 0010:__sk_mem_raise_allocated+0x806/0x17a0 net/core/sock.c:3006 +Code: c1 ea 03 80 3c 02 00 0f 85 23 0f 00 00 48 8b 44 24 08 48 8b 98 38 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 da 48 c1 ea 03 <0f> b6 14 02 48 89 d8 83 e0 07 83 c0 03 38 d0 0f 8d 6f 0a 00 00 8b +RSP: 0018:ffffc90005d7f450 EFLAGS: 00010246 +RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffc90004d92000 +RDX: 0000000000000000 RSI: ffffffff88066482 RDI: ffffffff8e2ccbb8 +RBP: ffff8880173f7000 R08: 0000000000000005 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000030000 +R13: 0000000000000001 R14: 0000000000000340 R15: 
0000000000000001 +FS: 0000000000000000(0000) GS:ffff8880b9800000(0063) knlGS:00000000f7f1cb40 +CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033 +CR2: 000000002e82f000 CR3: 0000000034ff0000 CR4: 00000000003506f0 +Call Trace: + + __sk_mem_schedule+0x6c/0xe0 net/core/sock.c:3077 + udp_rmem_schedule net/ipv4/udp.c:1539 [inline] + __udp_enqueue_schedule_skb+0x776/0xb30 net/ipv4/udp.c:1581 + __udpv6_queue_rcv_skb net/ipv6/udp.c:666 [inline] + udpv6_queue_rcv_one_skb+0xc39/0x16c0 net/ipv6/udp.c:775 + udpv6_queue_rcv_skb+0x194/0xa10 net/ipv6/udp.c:793 + __udp6_lib_mcast_deliver net/ipv6/udp.c:906 [inline] + __udp6_lib_rcv+0x1bda/0x2bd0 net/ipv6/udp.c:1013 + ip6_protocol_deliver_rcu+0x2e7/0x1250 net/ipv6/ip6_input.c:437 + ip6_input_finish+0x150/0x2f0 net/ipv6/ip6_input.c:482 + NF_HOOK include/linux/netfilter.h:303 [inline] + NF_HOOK include/linux/netfilter.h:297 [inline] + ip6_input+0xa0/0xd0 net/ipv6/ip6_input.c:491 + ip6_mc_input+0x40b/0xf50 net/ipv6/ip6_input.c:585 + dst_input include/net/dst.h:468 [inline] + ip6_rcv_finish net/ipv6/ip6_input.c:79 [inline] + NF_HOOK include/linux/netfilter.h:303 [inline] + NF_HOOK include/linux/netfilter.h:297 [inline] + ipv6_rcv+0x250/0x380 net/ipv6/ip6_input.c:309 + __netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:5491 + __netif_receive_skb+0x1f/0x1c0 net/core/dev.c:5605 + netif_receive_skb_internal net/core/dev.c:5691 [inline] + netif_receive_skb+0x133/0x7a0 net/core/dev.c:5750 + tun_rx_batched+0x4b3/0x7a0 drivers/net/tun.c:1553 + tun_get_user+0x2452/0x39c0 drivers/net/tun.c:1989 + tun_chr_write_iter+0xdf/0x200 drivers/net/tun.c:2035 + call_write_iter include/linux/fs.h:1868 [inline] + new_sync_write fs/read_write.c:491 [inline] + vfs_write+0x945/0xd50 fs/read_write.c:584 + ksys_write+0x12b/0x250 fs/read_write.c:637 + do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline] + __do_fast_syscall_32+0x65/0xf0 arch/x86/entry/common.c:178 + do_fast_syscall_32+0x33/0x70 arch/x86/entry/common.c:203 + 
entry_SYSENTER_compat_after_hwframe+0x70/0x82 +RIP: 0023:0xf7f21579 +Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00 +RSP: 002b:00000000f7f1c590 EFLAGS: 00000282 ORIG_RAX: 0000000000000004 +RAX: ffffffffffffffda RBX: 00000000000000c8 RCX: 0000000020000040 +RDX: 0000000000000083 RSI: 00000000f734e000 RDI: 0000000000000000 +RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000296 R12: 0000000000000000 +R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 + +Modules linked in: + +Link: https://lore.kernel.org/netdev/CANaxB-yCk8hhP68L4Q2nFOJht8sqgXGGQO2AftpHs0u1xyGG5A@mail.gmail.com/ [1] +Fixes: 850cbaddb52d ("udp: use it's own memory accounting schema") +Reported-by: syzbot+444ca0907e96f7c5e48b@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=444ca0907e96f7c5e48b +Signed-off-by: Kuniyuki Iwashima +Link: https://lore.kernel.org/r/20230523163305.66466-1-kuniyu@amazon.com +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/udplite.c | 2 ++ + net/ipv6/udplite.c | 2 ++ + 2 files changed, 4 insertions(+) + +--- a/net/ipv4/udplite.c ++++ b/net/ipv4/udplite.c +@@ -64,6 +64,8 @@ struct proto udplite_prot = { + .get_port = udp_v4_get_port, + .memory_allocated = &udp_memory_allocated, + .sysctl_mem = sysctl_udp_mem, ++ .sysctl_wmem_offset = offsetof(struct net, ipv4.sysctl_udp_wmem_min), ++ .sysctl_rmem_offset = offsetof(struct net, ipv4.sysctl_udp_rmem_min), + .obj_size = sizeof(struct udp_sock), + .h.udp_table = &udplite_table, + #ifdef CONFIG_COMPAT +--- a/net/ipv6/udplite.c ++++ b/net/ipv6/udplite.c +@@ -58,6 +58,8 @@ struct proto udplitev6_prot = { + .get_port = udp_v6_get_port, + .memory_allocated = &udp_memory_allocated, + .sysctl_mem = sysctl_udp_mem, ++ .sysctl_wmem_offset = offsetof(struct net, 
ipv4.sysctl_udp_wmem_min), ++ .sysctl_rmem_offset = offsetof(struct net, ipv4.sysctl_udp_rmem_min), + .obj_size = sizeof(struct udp6_sock), + .h.udp_table = &udplite_table, + #ifdef CONFIG_COMPAT diff --git a/queue-4.19/usb-core-add-routines-for-endpoint-checks-in-old-drivers.patch b/queue-4.19/usb-core-add-routines-for-endpoint-checks-in-old-drivers.patch new file mode 100644 index 00000000000..728b594b151 --- /dev/null +++ b/queue-4.19/usb-core-add-routines-for-endpoint-checks-in-old-drivers.patch 
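Review bot: In the net/ipv6/udplite.c section, `udplitev6_prot` takes `.sysctl_wmem_offset` and `.sysctl_rmem_offset` from `ipv4.sysctl_udp_wmem_min` and `ipv4.sysctl_udp_rmem_min`, which reads like a copy-paste slip to anyone who has not seen the commit message. The message says UDP and UDPLITE deliberately share these values, so a one-line comment above the two initialisers, such as `/* UDP-Lite over IPv6 shares the per-netns UDP buffer minimums kept under ipv4 */`, would keep a later cleanup from removing them and bringing back the NULL dereference. The consumer also stays unguarded: the trace shows sk_get_rmem0() faulting, and the message says the cure is to set one of these fields, so any other struct proto that sets `.memory_allocated` without an rmem/wmem source would presumably fail the same way. That code is outside this hunk.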
@@ -0,0 +1,150 @@ +From 13890626501ffda22b18213ddaf7930473da5792 Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Mon, 10 Apr 2023 15:37:07 -0400 +Subject: USB: core: Add routines for endpoint checks in old drivers + +From: Alan Stern + +commit 13890626501ffda22b18213ddaf7930473da5792 upstream. + +Many of the older USB drivers in the Linux USB stack were written +based simply on a vendor's device specification. They use the +endpoint information in the spec and assume these endpoints will +always be present, with the properties listed, in any device matching +the given vendor and product IDs. + +While that may have been true back then, with spoofing and fuzzing it +is not true any more. More and more we are finding that those old +drivers need to perform at least a minimum of checking before they try +to use any endpoint other than ep0. + +To make this checking as simple as possible, we now add a couple of +utility routines to the USB core. usb_check_bulk_endpoints() and +usb_check_int_endpoints() take an interface pointer together with a +list of endpoint addresses (numbers and directions). They check that +the interface's current alternate setting includes endpoints with +those addresses and that each of these endpoints has the right type: +bulk or interrupt, respectively. + +Although we already have usb_find_common_endpoints() and related +routines meant for a similar purpose, they are not well suited for +this kind of checking. Those routines find endpoints of various +kinds, but only one (either the first or the last) of each kind, and +they don't verify that the endpoints' addresses agree with what the +caller expects. + +In theory the new routines could be more general: They could take a +particular altsetting as their argument instead of always using the +interface's current altsetting. 
In practice I think this won't matter +too much; multiple altsettings tend to be used for transferring media +(audio or visual) over isochronous endpoints, not bulk or interrupt. +Drivers for such devices will generally require more sophisticated +checking than these simplistic routines provide. + +Signed-off-by: Alan Stern +Link: https://lore.kernel.org/r/dd2c8e8c-2c87-44ea-ba17-c64b97e201c9@rowland.harvard.edu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/core/usb.c | 76 +++++++++++++++++++++++++++++++++++++++++++++++++ + include/linux/usb.h | 5 +++ + 2 files changed, 81 insertions(+) + +--- a/drivers/usb/core/usb.c ++++ b/drivers/usb/core/usb.c +@@ -210,6 +210,82 @@ int usb_find_common_endpoints_reverse(st + EXPORT_SYMBOL_GPL(usb_find_common_endpoints_reverse); + + /** ++ * usb_find_endpoint() - Given an endpoint address, search for the endpoint's ++ * usb_host_endpoint structure in an interface's current altsetting. ++ * @intf: the interface whose current altsetting should be searched ++ * @ep_addr: the endpoint address (number and direction) to find ++ * ++ * Search the altsetting's list of endpoints for one with the specified address. ++ * ++ * Return: Pointer to the usb_host_endpoint if found, %NULL otherwise. ++ */ ++static const struct usb_host_endpoint *usb_find_endpoint( ++ const struct usb_interface *intf, unsigned int ep_addr) ++{ ++ int n; ++ const struct usb_host_endpoint *ep; ++ ++ n = intf->cur_altsetting->desc.bNumEndpoints; ++ ep = intf->cur_altsetting->endpoint; ++ for (; n > 0; (--n, ++ep)) { ++ if (ep->desc.bEndpointAddress == ep_addr) ++ return ep; ++ } ++ return NULL; ++} ++ ++/** ++ * usb_check_bulk_endpoints - Check whether an interface's current altsetting ++ * contains a set of bulk endpoints with the given addresses. 
++ * @intf: the interface whose current altsetting should be searched ++ * @ep_addrs: 0-terminated array of the endpoint addresses (number and ++ * direction) to look for ++ * ++ * Search for endpoints with the specified addresses and check their types. ++ * ++ * Return: %true if all the endpoints are found and are bulk, %false otherwise. ++ */ ++bool usb_check_bulk_endpoints( ++ const struct usb_interface *intf, const u8 *ep_addrs) ++{ ++ const struct usb_host_endpoint *ep; ++ ++ for (; *ep_addrs; ++ep_addrs) { ++ ep = usb_find_endpoint(intf, *ep_addrs); ++ if (!ep || !usb_endpoint_xfer_bulk(&ep->desc)) ++ return false; ++ } ++ return true; ++} ++EXPORT_SYMBOL_GPL(usb_check_bulk_endpoints); ++ ++/** ++ * usb_check_int_endpoints - Check whether an interface's current altsetting ++ * contains a set of interrupt endpoints with the given addresses. ++ * @intf: the interface whose current altsetting should be searched ++ * @ep_addrs: 0-terminated array of the endpoint addresses (number and ++ * direction) to look for ++ * ++ * Search for endpoints with the specified addresses and check their types. ++ * ++ * Return: %true if all the endpoints are found and are interrupt, ++ * %false otherwise. ++ */ ++bool usb_check_int_endpoints( ++ const struct usb_interface *intf, const u8 *ep_addrs) ++{ ++ const struct usb_host_endpoint *ep; ++ ++ for (; *ep_addrs; ++ep_addrs) { ++ ep = usb_find_endpoint(intf, *ep_addrs); ++ if (!ep || !usb_endpoint_xfer_int(&ep->desc)) ++ return false; ++ } ++ return true; ++} ++EXPORT_SYMBOL_GPL(usb_check_int_endpoints); ++ ++/** + * usb_find_alt_setting() - Given a configuration, find the alternate setting + * for the given interface. + * @config: the configuration to search (not necessarily the current config). 
+--- a/include/linux/usb.h ++++ b/include/linux/usb.h +@@ -279,6 +279,11 @@ void usb_put_intf(struct usb_interface * + #define USB_MAXINTERFACES 32 + #define USB_MAXIADS (USB_MAXINTERFACES/2) + ++bool usb_check_bulk_endpoints( ++ const struct usb_interface *intf, const u8 *ep_addrs); ++bool usb_check_int_endpoints( ++ const struct usb_interface *intf, const u8 *ep_addrs); ++ + /* + * USB Resume Timer: Every Host controller driver should drive the resume + * signalling on the bus for the amount of time defined by this macro. diff --git a/queue-4.19/usb-sisusbvga-add-endpoint-checks.patch b/queue-4.19/usb-sisusbvga-add-endpoint-checks.patch new file mode 100644 index 00000000000..bb5a62666d8 --- /dev/null +++ b/queue-4.19/usb-sisusbvga-add-endpoint-checks.patch 
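Review bot: Both new prototypes in include/linux/usb.h return a `bool` that is only useful if the caller acts on it, yet nothing stops a driver from calling the check and ignoring the result. I would declare them `bool __must_check usb_check_bulk_endpoints(...)` and likewise for `usb_check_int_endpoints`. The kernel-doc in drivers/usb/core/usb.c should also state two edge cases visible in the loops: an `ep_addrs` array whose first element is 0 returns %true without checking anything, and an array without the 0 terminator makes the loop read past its end. Because these helpers validate descriptors supplied by the attached device, the comment should say that they inspect only `cur_altsetting`, so a driver that later selects another altsetting has to check again.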
@@ -0,0 +1,79 @@ +From df05a9b05e466a46725564528b277d0c570d0104 Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Mon, 10 Apr 2023 15:38:22 -0400 +Subject: USB: sisusbvga: Add endpoint checks + +From: Alan Stern + +commit df05a9b05e466a46725564528b277d0c570d0104 upstream. + +The syzbot fuzzer was able to provoke a WARNING from the sisusbvga driver: + +------------[ cut here ]------------ +usb 1-1: BOGUS urb xfer, pipe 3 != type 1 +WARNING: CPU: 1 PID: 26 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504 +Modules linked in: +CPU: 1 PID: 26 Comm: kworker/1:1 Not tainted 6.2.0-rc5-syzkaller-00199-g5af6ce704936 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023 +Workqueue: usb_hub_wq hub_event +RIP: 0010:usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504 +Code: 7c 24 18 e8 6c 50 80 fb 48 8b 7c 24 18 e8 62 1a 01 ff 41 89 d8 44 89 e1 4c 89 ea 48 89 c6 48 c7 c7 60 b1 fa 8a e8 84 b0 be 03 <0f> 0b e9 58 f8 ff ff e8 3e 50 80 fb 48 81 c5 c0 05 00 00 e9 84 f7 +RSP: 0018:ffffc90000a1ed18 EFLAGS: 00010282 +RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000 +RDX: ffff888012783a80 RSI: ffffffff816680ec RDI: fffff52000143d95 +RBP: ffff888079020000 R08: 0000000000000005 R09: 0000000000000000 +R10: 0000000080000000 R11: 0000000000000000 R12: 0000000000000003 +R13: ffff888017d33370 R14: 0000000000000003 R15: ffff888021213600 +FS: 0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00005592753a60b0 CR3: 0000000022899000 CR4: 00000000003506e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + sisusb_bulkout_msg drivers/usb/misc/sisusbvga/sisusbvga.c:224 [inline] + sisusb_send_bulk_msg.constprop.0+0x904/0x1230 drivers/usb/misc/sisusbvga/sisusbvga.c:379 + sisusb_send_bridge_packet 
drivers/usb/misc/sisusbvga/sisusbvga.c:567 [inline] + sisusb_do_init_gfxdevice drivers/usb/misc/sisusbvga/sisusbvga.c:2077 [inline] + sisusb_init_gfxdevice+0x87b/0x4000 drivers/usb/misc/sisusbvga/sisusbvga.c:2177 + sisusb_probe+0x9cd/0xbe2 drivers/usb/misc/sisusbvga/sisusbvga.c:2869 +... + +The problem was caused by the fact that the driver does not check +whether the endpoints it uses are actually present and have the +appropriate types. This can be fixed by adding a simple check of +the endpoints. + +Link: https://syzkaller.appspot.com/bug?extid=23be03b56c5259385d79 +Reported-and-tested-by: syzbot+23be03b56c5259385d79@syzkaller.appspotmail.com +Signed-off-by: Alan Stern +Link: https://lore.kernel.org/r/48ef98f7-51ae-4f63-b8d3-0ef2004bb60a@rowland.harvard.edu +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/misc/sisusbvga/sisusb.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +--- a/drivers/usb/misc/sisusbvga/sisusb.c ++++ b/drivers/usb/misc/sisusbvga/sisusb.c +@@ -3016,6 +3016,20 @@ static int sisusb_probe(struct usb_inter + struct usb_device *dev = interface_to_usbdev(intf); + struct sisusb_usb_data *sisusb; + int retval = 0, i; ++ static const u8 ep_addresses[] = { ++ SISUSB_EP_GFX_IN | USB_DIR_IN, ++ SISUSB_EP_GFX_OUT | USB_DIR_OUT, ++ SISUSB_EP_GFX_BULK_OUT | USB_DIR_OUT, ++ SISUSB_EP_GFX_LBULK_OUT | USB_DIR_OUT, ++ SISUSB_EP_BRIDGE_IN | USB_DIR_IN, ++ SISUSB_EP_BRIDGE_OUT | USB_DIR_OUT, ++ 0}; ++ ++ /* Are the expected endpoints present? */ ++ if (!usb_check_bulk_endpoints(intf, ep_addresses)) { ++ dev_err(&intf->dev, "Invalid USB2VGA device\n"); ++ return -EINVAL; ++ } + + dev_info(&dev->dev, "USB2VGA dongle found at address %d\n", + dev->devnum); -- 2.47.3
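Review bot: The rejection path added to sisusb_probe() logs only `"Invalid USB2VGA device\n"`, which gives whoever triages the log no hint that the device passed ID matching but failed endpoint validation. Something like `dev_err(&intf->dev, "Invalid USB2VGA device: expected bulk endpoints missing\n");` would make a spoofed or malformed device recognisable. The comment `/* Are the expected endpoints present? */` could also mention the type check, e.g. `/* Are the expected endpoints present and of type bulk? */`. The check sits directly after the declarations, so as far as the hunk shows nothing needs unwinding on the `-EINVAL` return; the rest of the probe body lies outside the hunk.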