From 31deee285622bb9789a75c190318701bbef8da4f Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Sun, 9 Oct 2022 21:10:59 +0200
Subject: [PATCH] 4.9-stable patches

added patches:
	usb-mon-make-mmapped-memory-read-only.patch
	usb-serial-ftdi_sio-fix-300-bps-rate-for-sio.patch
---
 queue-4.9/series                              |  2 +
 ...sb-mon-make-mmapped-memory-read-only.patch | 47 +++++++++++++++++++
 ...al-ftdi_sio-fix-300-bps-rate-for-sio.patch | 31 ++++++++++++
 3 files changed, 80 insertions(+)
 create mode 100644 queue-4.9/usb-mon-make-mmapped-memory-read-only.patch
 create mode 100644 queue-4.9/usb-serial-ftdi_sio-fix-300-bps-rate-for-sio.patch

diff --git a/queue-4.9/series b/queue-4.9/series
index 4b2841f27ba..20e39b9067c 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -24,3 +24,5 @@ arm-dts-fix-moxa-sdio-compatible-remove-sdhci-misnom.patch
 net-ieee802154-fix-uninit-value-bug-in-dgram_sendmsg.patch
 um-cleanup-syscall_handler_t-cast-in-syscalls_32.h.patch
 um-cleanup-compiler-warning-in-arch-x86-um-tls_32.c.patch
+usb-mon-make-mmapped-memory-read-only.patch
+usb-serial-ftdi_sio-fix-300-bps-rate-for-sio.patch
diff --git a/queue-4.9/usb-mon-make-mmapped-memory-read-only.patch b/queue-4.9/usb-mon-make-mmapped-memory-read-only.patch
new file mode 100644
index 00000000000..e405a8d671a
--- /dev/null
+++ b/queue-4.9/usb-mon-make-mmapped-memory-read-only.patch
@@ -0,0 +1,47 @@
+From a659daf63d16aa883be42f3f34ff84235c302198 Mon Sep 17 00:00:00 2001
+From: Tadeusz Struk <tadeusz.struk@linaro.org>
+Date: Mon, 19 Sep 2022 14:59:57 -0700
+Subject: usb: mon: make mmapped memory read only
+
+From: Tadeusz Struk <tadeusz.struk@linaro.org>
+
+commit a659daf63d16aa883be42f3f34ff84235c302198 upstream.
+
+Syzbot found an issue in usbmon module, where the user space client can
+corrupt the monitor's internal memory, causing the usbmon module to
+crash the kernel with segfault, UAF, etc.
+
+The reproducer mmaps the /dev/usbmon memory to user space, and
+overwrites it with arbitrary data, which causes all kinds of issues.
+
+Return an -EPERM error from mon_bin_mmap() if the flag VM_WRTIE is set.
+Also clear VM_MAYWRITE to make it impossible to change it to writable
+later.
+
+Cc: "Dmitry Vyukov" <dvyukov@google.com>
+Cc: stable <stable@kernel.org>
+Fixes: 6f23ee1fefdc ("USB: add binary API to usbmon")
+Suggested-by: PaX Team <pageexec@freemail.hu>	# for the VM_MAYRITE portion
+Link: https://syzkaller.appspot.com/bug?id=2eb1f35d6525fa4a74d75b4244971e5b1411c95a
+Reported-by: syzbot+23f57c5ae902429285d7@syzkaller.appspotmail.com
+Signed-off-by: Tadeusz Struk <tadeusz.struk@linaro.org>
+Link: https://lore.kernel.org/r/20220919215957.205681-1-tadeusz.struk@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/mon/mon_bin.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/usb/mon/mon_bin.c
++++ b/drivers/usb/mon/mon_bin.c
+@@ -1265,6 +1265,11 @@ static int mon_bin_mmap(struct file *fil
+ {
+ 	/* don't do anything here: "fault" will set up page table entries */
+ 	vma->vm_ops = &mon_bin_vm_ops;
++
++	if (vma->vm_flags & VM_WRITE)
++		return -EPERM;
++
++	vma->vm_flags &= ~VM_MAYWRITE;
+ 	vma->vm_flags |= VM_DONTEXPAND | VM_DONTDUMP;
+ 	vma->vm_private_data = filp->private_data;
+ 	mon_bin_vma_open(vma);
diff --git a/queue-4.9/usb-serial-ftdi_sio-fix-300-bps-rate-for-sio.patch b/queue-4.9/usb-serial-ftdi_sio-fix-300-bps-rate-for-sio.patch
new file mode 100644
index 00000000000..6c9c764ddec
--- /dev/null
+++ b/queue-4.9/usb-serial-ftdi_sio-fix-300-bps-rate-for-sio.patch
@@ -0,0 +1,31 @@
+From 7bd7ad3c310cd6766f170927381eea0aa6f46c69 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 13 Sep 2022 16:53:12 +0200
+Subject: USB: serial: ftdi_sio: fix 300 bps rate for SIO
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 7bd7ad3c310cd6766f170927381eea0aa6f46c69 upstream.
+
+The 300 bps rate of SIO devices has been mapped to 9600 bps since
+2003... Let's fix the regression.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/ftdi_sio.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/usb/serial/ftdi_sio.c
++++ b/drivers/usb/serial/ftdi_sio.c
+@@ -1340,8 +1340,7 @@ static __u32 get_ftdi_divisor(struct tty
+ 		case 38400: div_value = ftdi_sio_b38400; break;
+ 		case 57600: div_value = ftdi_sio_b57600;  break;
+ 		case 115200: div_value = ftdi_sio_b115200; break;
+-		} /* baud */
+-		if (div_value == 0) {
++		default:
+ 			dev_dbg(dev, "%s - Baudrate (%d) requested is not supported\n",
+ 				__func__,  baud);
+ 			div_value = ftdi_sio_b9600;
-- 
2.47.3