From 459bfd93e46a0a0920310644965afc70a06e6ccb Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Wed, 27 Nov 2019 14:42:28 +0100
Subject: [PATCH] 4.9-stable patches

added patches:
media-b2c2-flexcop-usb-add-sanity-checking.patch
media-cxusb-detect-cxusb_ctrl_msg-error-in-query.patch
media-imon-invalid-dereference-in-imon_touch_event.patch
media-uvcvideo-fix-error-path-in-control-parsing-failure.patch

---
...b2c2-flexcop-usb-add-sanity-checking.patch | 34 +++++++
...detect-cxusb_ctrl_msg-error-in-query.patch | 78 ++++++++++++++++
...alid-dereference-in-imon_touch_event.patch | 88 +++++++++++++++++++
...rror-path-in-control-parsing-failure.patch | 70 +++++++++++++++
queue-4.9/series | 4 +
5 files changed, 274 insertions(+)
create mode 100644 queue-4.9/media-b2c2-flexcop-usb-add-sanity-checking.patch
create mode 100644 queue-4.9/media-cxusb-detect-cxusb_ctrl_msg-error-in-query.patch
create mode 100644 queue-4.9/media-imon-invalid-dereference-in-imon_touch_event.patch
create mode 100644 queue-4.9/media-uvcvideo-fix-error-path-in-control-parsing-failure.patch

diff --git a/queue-4.9/media-b2c2-flexcop-usb-add-sanity-checking.patch b/queue-4.9/media-b2c2-flexcop-usb-add-sanity-checking.patch
new file mode 100644
index 00000000000..f9fa6c9366b
--- /dev/null
+++ b/queue-4.9/media-b2c2-flexcop-usb-add-sanity-checking.patch
@@ -0,0 +1,34 @@
+From 1b976fc6d684e3282914cdbe7a8d68fdce19095c Mon Sep 17 00:00:00 2001
+From: Oliver Neukum
+Date: Tue, 30 Jul 2019 09:48:27 +0200
+Subject: media: b2c2-flexcop-usb: add sanity checking
+
+From: Oliver Neukum
+
+commit 1b976fc6d684e3282914cdbe7a8d68fdce19095c upstream.
+
+The driver needs an isochronous endpoint to be present. It will
+oops in its absence. Add checking for it.
+
+Reported-by: syzbot+d93dff37e6a89431c158@syzkaller.appspotmail.com
+Signed-off-by: Oliver Neukum
+Signed-off-by: Sean Young
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/usb/b2c2/flexcop-usb.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/media/usb/b2c2/flexcop-usb.c
++++ b/drivers/media/usb/b2c2/flexcop-usb.c
+@@ -538,6 +538,9 @@ static int flexcop_usb_probe(struct usb_
+ struct flexcop_device *fc = NULL;
+ int ret;
+
++ if (intf->cur_altsetting->desc.bNumEndpoints < 1)
++ return -ENODEV;
++
+ if ((fc = flexcop_device_kmalloc(sizeof(struct flexcop_usb))) == NULL) {
+ err("out of memory\n");
+ return -ENOMEM;
diff --git a/queue-4.9/media-cxusb-detect-cxusb_ctrl_msg-error-in-query.patch b/queue-4.9/media-cxusb-detect-cxusb_ctrl_msg-error-in-query.patch
new file mode 100644
index 00000000000..d39a98cc64d
--- /dev/null
+++ b/queue-4.9/media-cxusb-detect-cxusb_ctrl_msg-error-in-query.patch
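Review bot: The new guard in flexcop_usb_probe() only checks that the current altsetting has at least one endpoint, while the patch description says the driver needs an isochronous endpoint; an interface whose single endpoint is bulk or interrupt still passes, so the stated assumption is not actually enforced by this backport. Where the driver consumes the endpoint descriptor is outside this hunk, so whether the type is checked elsewhere cannot be confirmed here. A tighter check would verify the type and direction of the endpoint the driver uses, e.g. `if (!usb_endpoint_is_isoc_in(&intf->cur_altsetting->endpoint[0].desc)) return -ENODEV;` after the count check, with the index adjusted to whichever endpoint the transfer setup code reads. flexcop_usb_probe()'s body continues outside the hunk.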
@@ -0,0 +1,78 @@
+From ca8f245f284eeffa56f3b7a5eb6fc503159ee028 Mon Sep 17 00:00:00 2001
+From: Vito Caputo
+Date: Sun, 13 Oct 2019 23:08:45 -0300
+Subject: media: cxusb: detect cxusb_ctrl_msg error in query
+
+From: Vito Caputo
+
+commit ca8f245f284eeffa56f3b7a5eb6fc503159ee028 upstream.
+
+Don't use uninitialized ircode[] in cxusb_rc_query() when
+cxusb_ctrl_msg() fails to populate its contents.
+
+syzbot reported:
+
+dvb-usb: bulk message failed: -22 (1/-30591)
+=====================================================
+BUG: KMSAN: uninit-value in ir_lookup_by_scancode drivers/media/rc/rc-main.c:494 [inline]
+BUG: KMSAN: uninit-value in rc_g_keycode_from_table drivers/media/rc/rc-main.c:582 [inline]
+BUG: KMSAN: uninit-value in rc_keydown+0x1a6/0x6f0 drivers/media/rc/rc-main.c:816
+CPU: 1 PID: 11436 Comm: kworker/1:2 Not tainted 5.3.0-rc7+ #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Workqueue: events dvb_usb_read_remote_control
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x191/0x1f0 lib/dump_stack.c:113
+ kmsan_report+0x13a/0x2b0 mm/kmsan/kmsan_report.c:108
+ __msan_warning+0x73/0xe0 mm/kmsan/kmsan_instr.c:250
+ bsearch+0x1dd/0x250 lib/bsearch.c:41
+ ir_lookup_by_scancode drivers/media/rc/rc-main.c:494 [inline]
+ rc_g_keycode_from_table drivers/media/rc/rc-main.c:582 [inline]
+ rc_keydown+0x1a6/0x6f0 drivers/media/rc/rc-main.c:816
+ cxusb_rc_query+0x2e1/0x360 drivers/media/usb/dvb-usb/cxusb.c:548
+ dvb_usb_read_remote_control+0xf9/0x290 drivers/media/usb/dvb-usb/dvb-usb-remote.c:261
+ process_one_work+0x1572/0x1ef0 kernel/workqueue.c:2269
+ worker_thread+0x111b/0x2460 kernel/workqueue.c:2415
+ kthread+0x4b5/0x4f0 kernel/kthread.c:256
+ ret_from_fork+0x35/0x40 arch/x86/entry/entry_64.S:355
+
+Uninit was stored to memory at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:150 [inline]
+ kmsan_internal_chain_origin+0xd2/0x170 mm/kmsan/kmsan.c:314
+ __msan_chain_origin+0x6b/0xe0 
mm/kmsan/kmsan_instr.c:184
+ rc_g_keycode_from_table drivers/media/rc/rc-main.c:583 [inline]
+ rc_keydown+0x2c4/0x6f0 drivers/media/rc/rc-main.c:816
+ cxusb_rc_query+0x2e1/0x360 drivers/media/usb/dvb-usb/cxusb.c:548
+ dvb_usb_read_remote_control+0xf9/0x290 drivers/media/usb/dvb-usb/dvb-usb-remote.c:261
+ process_one_work+0x1572/0x1ef0 kernel/workqueue.c:2269
+ worker_thread+0x111b/0x2460 kernel/workqueue.c:2415
+ kthread+0x4b5/0x4f0 kernel/kthread.c:256
+ ret_from_fork+0x35/0x40 arch/x86/entry/entry_64.S:355
+
+Local variable description: ----ircode@cxusb_rc_query
+Variable was created at:
+ cxusb_rc_query+0x4d/0x360 drivers/media/usb/dvb-usb/cxusb.c:543
+ dvb_usb_read_remote_control+0xf9/0x290 drivers/media/usb/dvb-usb/dvb-usb-remote.c:261
+
+Signed-off-by: Vito Caputo
+Reported-by: syzbot
+Signed-off-by: Sean Young
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/usb/dvb-usb/cxusb.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/usb/dvb-usb/cxusb.c
++++ b/drivers/media/usb/dvb-usb/cxusb.c
+@@ -437,7 +437,8 @@ static int cxusb_rc_query(struct dvb_usb
+ u8 ircode[4];
+ int i;
+
+- cxusb_ctrl_msg(d, CMD_GET_IR_CODE, NULL, 0, ircode, 4);
++ if (cxusb_ctrl_msg(d, CMD_GET_IR_CODE, NULL, 0, ircode, 4) < 0)
++ return 0;
+
+ *event = 0;
+ *state = REMOTE_NO_KEY_PRESSED;
diff --git a/queue-4.9/media-imon-invalid-dereference-in-imon_touch_event.patch b/queue-4.9/media-imon-invalid-dereference-in-imon_touch_event.patch
new file mode 100644
index 00000000000..59599d202ee
--- /dev/null
+++ b/queue-4.9/media-imon-invalid-dereference-in-imon_touch_event.patch
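Review bot: The early `return 0;` in cxusb_rc_query() on a failed cxusb_ctrl_msg() reports success to the caller while skipping the `*event = 0; *state = REMOTE_NO_KEY_PRESSED;` assignments that follow it, so the caller gets a success status with both output parameters untouched; if the caller reads `*state` whenever the query succeeds, the uninitialised read this patch removes from ircode[] moves into the caller's locals. The simplest fix is to hoist the two assignments above the call so a failed query reports "no key pressed"; alternatively keep the result and propagate it, `int ret = cxusb_ctrl_msg(d, CMD_GET_IR_CODE, NULL, 0, ircode, 4); if (ret < 0) return ret;`, so the caller's error handling runs instead. The rest of cxusb_rc_query() and its caller are outside this hunk, so which of the two fits the 4.9 caller cannot be confirmed here.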
@@ -0,0 +1,88 @@
+From f3f5ba42c58d56d50f539854d8cc188944e96087 Mon Sep 17 00:00:00 2001
+From: Sean Young
+Date: Wed, 16 Oct 2019 14:19:15 -0300
+Subject: media: imon: invalid dereference in imon_touch_event
+
+From: Sean Young
+
+commit f3f5ba42c58d56d50f539854d8cc188944e96087 upstream.
+
+The touch timer is set up in intf1. If the second interface does not exist,
+the timer and touch input device are not setup and we get the following
+error, when touch events are reported via intf0.
+
+kernel BUG at kernel/time/timer.c:956!
+invalid opcode: 0000 [#1] SMP KASAN
+CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.4.0-rc1+ #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+RIP: 0010:__mod_timer kernel/time/timer.c:956 [inline]
+RIP: 0010:__mod_timer kernel/time/timer.c:949 [inline]
+RIP: 0010:mod_timer+0x5a2/0xb50 kernel/time/timer.c:1100
+Code: 45 10 c7 44 24 14 ff ff ff ff 48 89 44 24 08 48 8d 45 20 48 c7 44 24 18 00 00 00 00 48 89 04 24 e9 5a fc ff ff e8 ae ce 0e 00 <0f> 0b e8 a7 ce 0e 00 4c 89 74 24 20 e9 37 fe ff ff e8 98 ce 0e 00
+RSP: 0018:ffff8881db209930 EFLAGS: 00010006
+RAX: ffffffff86c2b200 RBX: 00000000ffffa688 RCX: ffffffff83efc583
+RDX: 0000000000000100 RSI: ffffffff812f4d82 RDI: ffff8881d2356200
+RBP: ffff8881d23561e8 R08: ffffffff86c2b200 R09: ffffed103a46abeb
+R10: ffffed103a46abea R11: ffff8881d2355f53 R12: dffffc0000000000
+R13: 1ffff1103b64132d R14: ffff8881d2355f50 R15: 0000000000000006
+FS: 0000000000000000(0000) GS:ffff8881db200000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f75e2799000 CR3: 00000001d3b07000 CR4: 00000000001406f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+
+ imon_touch_event drivers/media/rc/imon.c:1348 [inline]
+ imon_incoming_packet.isra.0+0x2546/0x2f10 drivers/media/rc/imon.c:1603
+ usb_rx_callback_intf0+0x151/0x1e0 
drivers/media/rc/imon.c:1734
+ __usb_hcd_giveback_urb+0x1f2/0x470 drivers/usb/core/hcd.c:1654
+ usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1719
+ dummy_timer+0x120f/0x2fa2 drivers/usb/gadget/udc/dummy_hcd.c:1965
+ call_timer_fn+0x179/0x650 kernel/time/timer.c:1404
+ expire_timers kernel/time/timer.c:1449 [inline]
+ __run_timers kernel/time/timer.c:1773 [inline]
+ __run_timers kernel/time/timer.c:1740 [inline]
+ run_timer_softirq+0x5e3/0x1490 kernel/time/timer.c:1786
+ __do_softirq+0x221/0x912 kernel/softirq.c:292
+ invoke_softirq kernel/softirq.c:373 [inline]
+ irq_exit+0x178/0x1a0 kernel/softirq.c:413
+ exiting_irq arch/x86/include/asm/apic.h:536 [inline]
+ smp_apic_timer_interrupt+0x12f/0x500 arch/x86/kernel/apic/apic.c:1137
+ apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:830
+
+RIP: 0010:default_idle+0x28/0x2e0 arch/x86/kernel/process.c:581
+Code: 90 90 41 56 41 55 65 44 8b 2d 44 3a 8f 7a 41 54 55 53 0f 1f 44 00 00 e8 36 ee d0 fb e9 07 00 00 00 0f 00 2d fa dd 4f 00 fb f4 <65> 44 8b 2d 20 3a 8f 7a 0f 1f 44 00 00 5b 5d 41 5c 41 5d 41 5e c3
+RSP: 0018:ffffffff86c07da8 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
+RAX: 0000000000000007 RBX: ffffffff86c2b200 RCX: 0000000000000000
+RDX: 0000000000000000 RSI: 0000000000000006 RDI: ffffffff86c2ba4c
+RBP: fffffbfff0d85640 R08: ffffffff86c2b200 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
+R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+ cpuidle_idle_call kernel/sched/idle.c:154 [inline]
+ do_idle+0x3b6/0x500 kernel/sched/idle.c:263
+ cpu_startup_entry+0x14/0x20 kernel/sched/idle.c:355
+ start_kernel+0x82a/0x864 init/main.c:784
+ secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:241
+Modules linked in:
+
+Reported-by: syzbot+f49d12d34f2321cf4df2@syzkaller.appspotmail.com
+Signed-off-by: Sean Young
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/rc/imon.c | 3 +--
+ 1 file changed, 1 
insertion(+), 2 deletions(-)
+
+--- a/drivers/media/rc/imon.c
++++ b/drivers/media/rc/imon.c
+@@ -1644,8 +1644,7 @@ static void imon_incoming_packet(struct
+ spin_unlock_irqrestore(&ictx->kc_lock, flags);
+
+ /* send touchscreen events through input subsystem if touchpad data */
+- if (ictx->display_type == IMON_DISPLAY_TYPE_VGA && len == 8 &&
+- buf[7] == 0x86) {
++ if (ictx->touch && len == 8 && buf[7] == 0x86) {
+ imon_touch_event(ictx, buf);
+ return;
+
diff --git a/queue-4.9/media-uvcvideo-fix-error-path-in-control-parsing-failure.patch b/queue-4.9/media-uvcvideo-fix-error-path-in-control-parsing-failure.patch
new file mode 100644
index 00000000000..f2a4b67b537
--- /dev/null
+++ b/queue-4.9/media-uvcvideo-fix-error-path-in-control-parsing-failure.patch
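Review bot: The rewritten condition in imon_incoming_packet() now gates touch handling on `ictx->touch` being non-NULL instead of on the display type, but nothing in the code says why, and the link to the intf1 setup described in the commit message is lost for the next reader. A one-line comment above the test would carry it, e.g. `/* ictx->touch and its timer exist only once intf1 is probed; a VGA device without intf1 must never reach imon_touch_event() */`. The fix also relies on ictx->touch staying NULL until intf1 setup completes and being cleared on intf1 teardown; both paths are outside this hunk and are worth confirming in the 4.9 tree, since a stale pointer there would reintroduce the mod_timer() BUG on a torn-down interface. imon_incoming_packet() begins and continues outside the hunk.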
@@ -0,0 +1,70 @@
+From 8c279e9394cade640ed86ec6c6645a0e7df5e0b6 Mon Sep 17 00:00:00 2001
+From: Laurent Pinchart
+Date: Mon, 29 Jul 2019 23:14:55 -0300
+Subject: media: uvcvideo: Fix error path in control parsing failure
+
+From: Laurent Pinchart
+
+commit 8c279e9394cade640ed86ec6c6645a0e7df5e0b6 upstream.
+
+When parsing the UVC control descriptors fails, the error path tries to
+cleanup a media device that hasn't been initialised, potentially
+resulting in a crash. Fix this by initialising the media device before
+the error handling path can be reached.
+
+Fixes: 5a254d751e52 ("[media] uvcvideo: Register a v4l2_device")
+Reported-by: syzbot+c86454eb3af9e8a4da20@syzkaller.appspotmail.com
+Signed-off-by: Laurent Pinchart
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/usb/uvc/uvc_driver.c | 30 ++++++++++++++++--------------
+ 1 file changed, 16 insertions(+), 14 deletions(-)
+
+--- a/drivers/media/usb/uvc/uvc_driver.c
++++ b/drivers/media/usb/uvc/uvc_driver.c
+@@ -2021,6 +2021,21 @@ static int uvc_probe(struct usb_interfac
+ le16_to_cpu(udev->descriptor.idVendor),
+ le16_to_cpu(udev->descriptor.idProduct));
+
++ /* Initialize the media device. */
++#ifdef CONFIG_MEDIA_CONTROLLER
++ dev->mdev.dev = &intf->dev;
++ strscpy(dev->mdev.model, dev->name, sizeof(dev->mdev.model));
++ if (udev->serial)
++ strscpy(dev->mdev.serial, udev->serial,
++ sizeof(dev->mdev.serial));
++ usb_make_path(udev, dev->mdev.bus_info, sizeof(dev->mdev.bus_info));
++ dev->mdev.hw_revision = le16_to_cpu(udev->descriptor.bcdDevice);
++ dev->mdev.driver_version = LINUX_VERSION_CODE;
++ media_device_init(&dev->mdev);
++
++ dev->vdev.mdev = &dev->mdev;
++#endif
++
+ /* Parse the Video Class control descriptor. 
*/
+ if (uvc_parse_control(dev) < 0) {
+ uvc_trace(UVC_TRACE_PROBE, "Unable to parse UVC "
+@@ -2041,20 +2056,7 @@ static int uvc_probe(struct usb_interfac
+ "linux-uvc-devel mailing list.\n");
+ }
+
+- /* Initialize the media device and register the V4L2 device. */
+-#ifdef CONFIG_MEDIA_CONTROLLER
+- dev->mdev.dev = &intf->dev;
+- strlcpy(dev->mdev.model, dev->name, sizeof(dev->mdev.model));
+- if (udev->serial)
+- strlcpy(dev->mdev.serial, udev->serial,
+- sizeof(dev->mdev.serial));
+- strcpy(dev->mdev.bus_info, udev->devpath);
+- dev->mdev.hw_revision = le16_to_cpu(udev->descriptor.bcdDevice);
+- dev->mdev.driver_version = LINUX_VERSION_CODE;
+- media_device_init(&dev->mdev);
+-
+- dev->vdev.mdev = &dev->mdev;
+-#endif
++ /* Register the V4L2 device. */
+ if (v4l2_device_register(&intf->dev, &dev->vdev) < 0)
+ goto error;
+
diff --git a/queue-4.9/series b/queue-4.9/series
index 07a2c6d71aa..81639f1e696 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -125,3 +125,7 @@ media-vivid-set-vid_cap_streaming-and-vid_out_streaming-to-true.patch
 media-vivid-fix-wrong-locking-that-causes-race-conditions-on-streaming-stop.patch
 media-usbvision-fix-races-among-open-close-and-disconnect.patch
 cpufreq-add-null-checks-to-show-and-store-methods-of-cpufreq.patch
+media-uvcvideo-fix-error-path-in-control-parsing-failure.patch
+media-b2c2-flexcop-usb-add-sanity-checking.patch
+media-cxusb-detect-cxusb_ctrl_msg-error-in-query.patch
+media-imon-invalid-dereference-in-imon_touch_event.patch
-- 
2.47.3
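Review bot: The relocated block's comment `/* Initialize the media device. */` no longer says why initialisation was pulled ahead of uvc_parse_control(), which is the entire purpose of the change; a reader of uvc_probe() sees an ordering that looks arbitrary and may be tempted to move it back. Suggest `/* Initialize the media device before any path can goto error, so the cleanup there always sees an initialised mdev. */`. The `error:` label and the cleanup it performs are outside this hunk, so whether every failure after this point now reaches a matching media_device_cleanup() cannot be checked from here. Note also that the removed lines used `strlcpy`/`strcpy` while the new block uses `strscpy`/`usb_make_path`, a bounded-copy change the backport description does not mention; a line in the stable note would stop it being mistaken for a mis-merge.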