From b5b86d02b5e00fc5f4701f9408bf1c7db8b84bd2 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 18 Apr 2016 10:44:16 +0900
Subject: [PATCH] 3.14-stable patches
added patches:
 0001-drm-radeon-hold-reference-to-fences-in-radeon_sa_bo_.patch
 revert-bad-backport-of-drm-radeon-hold-reference-to-fences-in-radeon_sa_bo_new.patch
 revert-usb-hub-do-not-clear-bos-field-during-reset-device.patch
 usbvision-fix-crash-on-detecting-device-with-invalid-configuration.patch
 usbvision-fix-leak-of-usb_dev-on-failure-paths-in-usbvision_probe.patch
 usbvision-fix-overflow-of-interfaces-array.patch
---
 ...reference-to-fences-in-radeon_sa_bo_.patch | 50 ++++++++++
 ...erence-to-fences-in-radeon_sa_bo_new.patch | 38 ++++++++
 ...-clear-bos-field-during-reset-device.patch | 67 ++++++++++++++
 queue-3.14/series | 6 ++
 ...ng-device-with-invalid-configuration.patch | 49 ++++++++++
 ...-on-failure-paths-in-usbvision_probe.patch | 92 +++++++++++++++++++
 ...ion-fix-overflow-of-interfaces-array.patch | 39 ++++++++
 7 files changed, 341 insertions(+)
 create mode 100644 queue-3.14/0001-drm-radeon-hold-reference-to-fences-in-radeon_sa_bo_.patch
 create mode 100644 queue-3.14/revert-bad-backport-of-drm-radeon-hold-reference-to-fences-in-radeon_sa_bo_new.patch
 create mode 100644 queue-3.14/revert-usb-hub-do-not-clear-bos-field-during-reset-device.patch
 create mode 100644 queue-3.14/usbvision-fix-crash-on-detecting-device-with-invalid-configuration.patch
 create mode 100644 queue-3.14/usbvision-fix-leak-of-usb_dev-on-failure-paths-in-usbvision_probe.patch
 create mode 100644 queue-3.14/usbvision-fix-overflow-of-interfaces-array.patch
diff --git a/queue-3.14/0001-drm-radeon-hold-reference-to-fences-in-radeon_sa_bo_.patch b/queue-3.14/0001-drm-radeon-hold-reference-to-fences-in-radeon_sa_bo_.patch
new file mode 100644
index 00000000000..1dbac9b505b
--- /dev/null
+++ b/queue-3.14/0001-drm-radeon-hold-reference-to-fences-in-radeon_sa_bo_.patch
@@ -0,0 +1,50 @@
+>From ad94965f69c2681832f64473d28c23ae71b6e52f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Nicolai=20H=C3=A4hnle?=
+Date: Tue, 15 Mar 2016 12:56:45 -0500
+Subject: [PATCH] drm/radeon: hold reference to fences in radeon_sa_bo_new
+ (3.17 and older)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Nicolai Hähnle
+
+[Backport of upstream commit f6ff4f67cdf8455d0a4226eeeaf5af17c37d05eb, with
+ an additional NULL pointer guard that is required for kernels 3.17 and older.
+
+ To be precise, any kernel that does *not* have commit 954605ca3 "drm/radeon:
+ use common fence implementation for fences, v4" requires this additional
+ NULL pointer guard.]
+
+An arbitrary amount of time can pass between spin_unlock and
+radeon_fence_wait_any, so we need to ensure that nobody frees the
+fences from under us.
+
+Based on the analogous fix for amdgpu.
+
+Signed-off-by: Nicolai Hähnle
+Reviewed-by: Christian König (v1 + fix)
+Tested-by: Lutz Euler
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/radeon/radeon_sa.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/gpu/drm/radeon/radeon_sa.c
++++ b/drivers/gpu/drm/radeon/radeon_sa.c
+@@ -349,8 +349,15 @@ int radeon_sa_bo_new(struct radeon_devic
+ /* see if we can skip over some allocations */
+ } while (radeon_sa_bo_next_hole(sa_manager, fences, tries));
+
++ for (i = 0; i < RADEON_NUM_RINGS; ++i) {
++ if (fences[i])
++ radeon_fence_ref(fences[i]);
++ }
++
+ spin_unlock(&sa_manager->wq.lock);
+ r = radeon_fence_wait_any(rdev, fences, false);
++ for (i = 0; i < RADEON_NUM_RINGS; ++i)
++ radeon_fence_unref(&fences[i]);
+ spin_lock(&sa_manager->wq.lock);
+ /* if we have nothing to wait for block */
+ if (r == -ENOENT && block) {
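Review bot: The loop added before `spin_unlock()` skips NULL entries with `if (fences[i])`, but the release loop after `radeon_fence_wait_any()` calls `radeon_fence_unref(&fences[i])` for every ring with no guard, and nothing in the code says why that asymmetry is safe. The commit message explains that the guard on the ref side is needed on kernels without the common fence implementation; presumably `radeon_fence_unref()` tolerates a NULL fence there, but that is not visible in this hunk and should be confirmed. I would add a comment above the first loop, `/* hold a reference on every fence we wait on: the wait runs without wq.lock, so the fences could otherwise be freed under us */`, and a short one on the second loop stating that unref accepts NULL entries. radeon_sa_bo_new() starts and ends outside the hunk.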
diff --git a/queue-3.14/revert-bad-backport-of-drm-radeon-hold-reference-to-fences-in-radeon_sa_bo_new.patch b/queue-3.14/revert-bad-backport-of-drm-radeon-hold-reference-to-fences-in-radeon_sa_bo_new.patch
new file mode 100644
index 00000000000..ca2fed899b0
--- /dev/null
+++ b/queue-3.14/revert-bad-backport-of-drm-radeon-hold-reference-to-fences-in-radeon_sa_bo_new.patch
@@ -0,0 +1,38 @@
+From foo@baz Mon Apr 18 10:31:57 JST 2016
+Date: Mon, 18 Apr 2016 10:31:57 +0900
+To: Greg KH
+From: Greg Kroah-Hartman
+Subject: Revert bad backport of "drm/radeon: hold reference to fences in radeon_sa_bo_new"
+
+From: Greg Kroah-Hartman
+
+This reverts commit 50353e6f86eb2ac46ffe3cc0b9f9a11ddc8a9410, which is
+commit f6ff4f67cdf8455d0a4226eeeaf5af17c37d05eb upstream, as it was
+backported to the 3.14-stable tree incorrectly. A correct fix will
+happen next.
+
+Reported-by: Nicolai Hähnle
+Cc: Christian König
+Signed-off-by: Greg Kroah-Hartman
+
+
+---
+ drivers/gpu/drm/radeon/radeon_sa.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+--- a/drivers/gpu/drm/radeon/radeon_sa.c
++++ b/drivers/gpu/drm/radeon/radeon_sa.c
+@@ -349,13 +349,8 @@ int radeon_sa_bo_new(struct radeon_devic
+ /* see if we can skip over some allocations */
+ } while (radeon_sa_bo_next_hole(sa_manager, fences, tries));
+
+- for (i = 0; i < RADEON_NUM_RINGS; ++i)
+- radeon_fence_ref(fences[i]);
+-
+ spin_unlock(&sa_manager->wq.lock);
+ r = radeon_fence_wait_any(rdev, fences, false);
+- for (i = 0; i < RADEON_NUM_RINGS; ++i)
+- radeon_fence_unref(&fences[i]);
+ spin_lock(&sa_manager->wq.lock);
+ /* if we have nothing to wait for block */
+ if (r == -ENOENT && block) {
diff --git a/queue-3.14/revert-usb-hub-do-not-clear-bos-field-during-reset-device.patch b/queue-3.14/revert-usb-hub-do-not-clear-bos-field-during-reset-device.patch
new file mode 100644
index 00000000000..99b0360b0f1
--- /dev/null
+++ b/queue-3.14/revert-usb-hub-do-not-clear-bos-field-during-reset-device.patch
@@ -0,0 +1,67 @@
+From e5bdfd50d6f76077bf8441d130c606229e100d40 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman
+Date: Sat, 20 Feb 2016 14:19:34 -0800
+Subject: Revert "usb: hub: do not clear BOS field during reset device"
+
+From: Greg Kroah-Hartman
+
+commit e5bdfd50d6f76077bf8441d130c606229e100d40 upstream.
+
+This reverts commit d8f00cd685f5c8e0def8593e520a7fef12c22407.
+
+Tony writes:
+
+This upstream commit is causing an oops:
+d8f00cd685f5 ("usb: hub: do not clear BOS field during reset device")
+
+This patch has already been included in several -stable kernels. Here
+are the affected kernels:
+4.5.0-rc4 (current git)
+4.4.2
+4.3.6 (currently in review)
+4.1.18
+3.18.27
+3.14.61
+
+How to reproduce the problem:
+Boot kernel with slub debugging enabled (otherwise memory corruption
+will cause random oopses later instead of immediately)
+Plug in USB 3.0 disk to xhci USB 3.0 port
+dd if=/dev/sdc of=/dev/null bs=65536
+(where /dev/sdc is the USB 3.0 disk)
+Unplug USB cable while dd is still going
+Oops is immediate:
+
+Reported-by: Tony Battersby
+Cc: Du, Changbin
+Cc: Roger Quadros
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/core/hub.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -5231,6 +5231,7 @@ static int usb_reset_and_verify_device(s
+ usb_set_usb2_hardware_lpm(udev, 0);
+
+ bos = udev->bos;
++ udev->bos = NULL;
+
+ /* Disable LPM and LTM while we reset the device and reinstall the alt
+ * settings. Device-initiated LPM settings, and system exit latency
+@@ -5339,11 +5340,8 @@ done:
+ usb_set_usb2_hardware_lpm(udev, 1);
+ usb_unlocked_enable_lpm(udev);
+ usb_enable_ltm(udev);
+- /* release the new BOS descriptor allocated by hub_port_init() */
+- if (udev->bos != bos) {
+- usb_release_bos_descriptor(udev);
+- udev->bos = bos;
+- }
++ usb_release_bos_descriptor(udev);
++ udev->bos = bos;
+ return 0;
+
+ re_enumerate:
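Review bot: With `udev->bos = NULL;` restored in the first inner hunk, the device has no BOS pointer from that line until `udev->bos = bos;` at `done:`, so anything that reads `udev->bos` while the reset is running has to cope with NULL; that is presumably the situation the reverted commit was trying to avoid. Trading that for the memory corruption described in the message is reasonable, but the window deserves a comment at the assignment, e.g. `/* udev->bos is NULL for the duration of the reset; the saved descriptor is put back at done: */`. The revert also drops the comment explaining that the descriptor released at `done:` is the one allocated by `hub_port_init()`, which is worth keeping above the now unconditional `usb_release_bos_descriptor(udev);`. Whether the `re_enumerate:` path restores the saved pointer cannot be seen, because usb_reset_and_verify_device() continues outside both hunks.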
diff --git a/queue-3.14/series b/queue-3.14/series
index 20d724b807f..9f6fb03f8ae 100644
--- a/queue-3.14/series
+++ b/queue-3.14/series
@@ -29,3 +29,9 @@ usb-renesas_usbhs-disable-tx-irq-before-starting-tx-dmac-transfer.patch
 ext4-add-lockdep-annotations-for-i_data_sem.patch
 perf-cure-event-pending_disable-race.patch
 hid-usbhid-fix-inconsistent-reset-resume-reset-resume-behavior.patch
+revert-bad-backport-of-drm-radeon-hold-reference-to-fences-in-radeon_sa_bo_new.patch
+0001-drm-radeon-hold-reference-to-fences-in-radeon_sa_bo_.patch
+usbvision-fix-overflow-of-interfaces-array.patch
+usbvision-fix-leak-of-usb_dev-on-failure-paths-in-usbvision_probe.patch
+usbvision-fix-crash-on-detecting-device-with-invalid-configuration.patch
+revert-usb-hub-do-not-clear-bos-field-during-reset-device.patch
diff --git a/queue-3.14/usbvision-fix-crash-on-detecting-device-with-invalid-configuration.patch b/queue-3.14/usbvision-fix-crash-on-detecting-device-with-invalid-configuration.patch
new file mode 100644
index 00000000000..7f37b5e41bc
--- /dev/null
+++ b/queue-3.14/usbvision-fix-crash-on-detecting-device-with-invalid-configuration.patch
@@ -0,0 +1,49 @@
+From fa52bd506f274b7619955917abfde355e3d19ffe Mon Sep 17 00:00:00 2001
+From: Vladis Dronov
+Date: Mon, 16 Nov 2015 15:55:11 -0200
+Subject: [media] usbvision: fix crash on detecting device with invalid configuration
+
+From: Vladis Dronov
+
+commit fa52bd506f274b7619955917abfde355e3d19ffe upstream.
+
+The usbvision driver crashes when a specially crafted usb device with invalid
+number of interfaces or endpoints is detected. This fix adds checks that the
+device has proper configuration expected by the driver.
+
+Reported-by: Ralf Spenneberg
+Signed-off-by: Vladis Dronov
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/usb/usbvision/usbvision-video.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/usb/usbvision/usbvision-video.c
++++ b/drivers/media/usb/usbvision/usbvision-video.c
+@@ -1546,9 +1546,23 @@ static int usbvision_probe(struct usb_in
+
+ if (usbvision_device_data[model].interface >= 0)
+ interface = &dev->actconfig->interface[usbvision_device_data[model].interface]->altsetting[0];
+- else
++ else if (ifnum < dev->actconfig->desc.bNumInterfaces)
+ interface = &dev->actconfig->interface[ifnum]->altsetting[0];
++ else {
++ dev_err(&intf->dev, "interface %d is invalid, max is %d\n",
++ ifnum, dev->actconfig->desc.bNumInterfaces - 1);
++ ret = -ENODEV;
++ goto err_usb;
++ }
++
++ if (interface->desc.bNumEndpoints < 2) {
++ dev_err(&intf->dev, "interface %d has %d endpoints, but must"
++ " have minimum 2\n", ifnum, interface->desc.bNumEndpoints);
++ ret = -ENODEV;
++ goto err_usb;
++ }
+ endpoint = &interface->endpoint[1].desc;
++
+ if (!usb_endpoint_xfer_isoc(endpoint)) {
+ dev_err(&intf->dev, "%s: interface %d. has non-ISO endpoint!\n",
+ __func__, ifnum);
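Review bot: The new `bNumInterfaces` check covers only the `ifnum` branch; the first branch still indexes `dev->actconfig->interface[usbvision_device_data[model].interface]` with a value from the driver's model table and never compares it with the interface count the device reports or tests the slot for NULL. A device that matches such a model but exposes fewer interfaces would still be dereferenced unchecked there. Choosing the index first and validating it once would cover both branches, for example `if (idx >= dev->actconfig->desc.bNumInterfaces || !dev->actconfig->interface[idx]) { ret = -ENODEV; goto err_usb; }`. The endpoint-count message also prints `ifnum` even when the interface was picked from the model table. usbvision_probe() starts and ends outside the hunk.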
diff --git a/queue-3.14/usbvision-fix-leak-of-usb_dev-on-failure-paths-in-usbvision_probe.patch b/queue-3.14/usbvision-fix-leak-of-usb_dev-on-failure-paths-in-usbvision_probe.patch
new file mode 100644
index 00000000000..32ebdf407a0
--- /dev/null
+++ b/queue-3.14/usbvision-fix-leak-of-usb_dev-on-failure-paths-in-usbvision_probe.patch
@@ -0,0 +1,92 @@
+From afd270d1a45043cef14341bcceff62ed50e8dc9a Mon Sep 17 00:00:00 2001
+From: Alexey Khoroshilov
+Date: Fri, 27 Mar 2015 19:39:09 -0300
+Subject: [media] usbvision: fix leak of usb_dev on failure paths in usbvision_probe()
+
+From: Alexey Khoroshilov
+
+commit afd270d1a45043cef14341bcceff62ed50e8dc9a upstream.
+
+There is no usb_put_dev() on failure paths in usbvision_probe().
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Alexey Khoroshilov
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/usb/usbvision/usbvision-video.c | 24 +++++++++++++++++-------
+ 1 file changed, 17 insertions(+), 7 deletions(-)
+
+--- a/drivers/media/usb/usbvision/usbvision-video.c
++++ b/drivers/media/usb/usbvision/usbvision-video.c
+@@ -1522,7 +1522,7 @@ static int usbvision_probe(struct usb_in
+ const struct usb_host_interface *interface;
+ struct usb_usbvision *usbvision = NULL;
+ const struct usb_endpoint_descriptor *endpoint;
+- int model, i;
++ int model, i, ret;
+
+ PDEBUG(DBG_PROBE, "VID=%#04x, PID=%#04x, ifnum=%u",
+ dev->descriptor.idVendor,
+@@ -1531,7 +1531,8 @@ static int usbvision_probe(struct usb_in
+ model = devid->driver_info;
+ if (model < 0 || model >= usbvision_device_data_size) {
+ PDEBUG(DBG_PROBE, "model out of bounds %d", model);
+- return -ENODEV;
++ ret = -ENODEV;
++ goto err_usb;
+ }
+ printk(KERN_INFO "%s: %s found\n", __func__,
+ usbvision_device_data[model].model_string);
+@@ -1553,18 +1554,21 @@ static int usbvision_probe(struct usb_in
+ __func__, ifnum);
+ dev_err(&intf->dev, "%s: Endpoint attributes %d",
+ __func__, endpoint->bmAttributes);
+- return -ENODEV;
++ ret = -ENODEV;
++ goto err_usb;
+ }
+ if (usb_endpoint_dir_out(endpoint)) {
+ dev_err(&intf->dev, "%s: interface %d.
has ISO OUT endpoint!\n",
+ __func__, ifnum);
+- return -ENODEV;
++ ret = -ENODEV;
++ goto err_usb;
+ }
+
+ usbvision = usbvision_alloc(dev, intf);
+ if (usbvision == NULL) {
+ dev_err(&intf->dev, "%s: couldn't allocate USBVision struct\n", __func__);
+- return -ENOMEM;
++ ret = -ENOMEM;
++ goto err_usb;
+ }
+
+ if (dev->descriptor.bNumConfigurations > 1)
+@@ -1583,8 +1587,8 @@ static int usbvision_probe(struct usb_in
+ usbvision->alt_max_pkt_size = kmalloc(32 * usbvision->num_alt, GFP_KERNEL);
+ if (usbvision->alt_max_pkt_size == NULL) {
+ dev_err(&intf->dev, "usbvision: out of memory!\n");
+- usbvision_release(usbvision);
+- return -ENOMEM;
++ ret = -ENOMEM;
++ goto err_pkt;
+ }
+
+ for (i = 0; i < usbvision->num_alt; i++) {
+@@ -1619,6 +1623,12 @@ static int usbvision_probe(struct usb_in
+
+ PDEBUG(DBG_PROBE, "success");
+ return 0;
++
++err_pkt:
++ usbvision_release(usbvision);
++err_usb:
++ usb_put_dev(dev);
++ return ret;
+ }
+
+
diff --git a/queue-3.14/usbvision-fix-overflow-of-interfaces-array.patch b/queue-3.14/usbvision-fix-overflow-of-interfaces-array.patch
new file mode 100644
index 00000000000..36c1fc209a8
--- /dev/null
+++ b/queue-3.14/usbvision-fix-overflow-of-interfaces-array.patch
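Review bot: The conversion to `goto err_usb` misses one early exit in usbvision_probe(): usbvision-fix-overflow-of-interfaces-array.patch, which the series file queues before this patch, adds a bare `return -ENODEV;` for a bad `ifnum` right after the `printk()` that closes the `@@ -1531,7 +1531,8 @@` hunk, and none of the hunks here touch it. If the device reference is already held at that point, as converting the earlier `model out of bounds` exit suggests, that rejection path still skips `usb_put_dev()`. It should read `ret = -ENODEV; goto err_usb;` like the other failure paths. Where the reference is taken is not visible, because usbvision_probe() starts outside the hunks.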
@@ -0,0 +1,39 @@
+From 588afcc1c0e45358159090d95bf7b246fb67565f Mon Sep 17 00:00:00 2001
+From: Oliver Neukum
+Date: Tue, 27 Oct 2015 09:51:34 -0200
+Subject: [media] usbvision fix overflow of interfaces array
+
+From: Oliver Neukum
+
+commit 588afcc1c0e45358159090d95bf7b246fb67565f upstream.
+
+This fixes the crash reported in:
+http://seclists.org/bugtraq/2015/Oct/35
+The interface number needs a sanity check.
+
+Signed-off-by: Oliver Neukum
+Cc: Vladis Dronov
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/usb/usbvision/usbvision-video.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/media/usb/usbvision/usbvision-video.c
++++ b/drivers/media/usb/usbvision/usbvision-video.c
+@@ -1536,6 +1536,13 @@ static int usbvision_probe(struct usb_in
+ printk(KERN_INFO "%s: %s found\n", __func__,
+ usbvision_device_data[model].model_string);
+
++ /*
++ * this is a security check.
++ * an exploit using an incorrect bInterfaceNumber is known
++ */
++ if (ifnum >= USB_MAXINTERFACES || !dev->actconfig->interface[ifnum])
++ return -ENODEV;
++
+ if (usbvision_device_data[model].interface >= 0)
+ interface = &dev->actconfig->interface[usbvision_device_data[model].interface]->altsetting[0];
+ else
--
2.47.2
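Review bot: The added comment `this is a security check. an exploit using an incorrect bInterfaceNumber is known` does not say which invariant the next line enforces, so a later cleanup could weaken it without noticing. The condition bounds `ifnum` by `USB_MAXINTERFACES` rather than by the configuration's own interface count, and it is the `!dev->actconfig->interface[ifnum]` test that rejects unused slots; the comment should say so. I would write `/* ifnum apparently comes from the device's descriptors: reject it unless it indexes a populated slot of actconfig->interface[] */`. usbvision_probe() starts and ends outside the hunk.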