From eee89454a301cd53b18b54456cad8e6bf2276ab4 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Wed, 26 Feb 2020 10:25:44 +0100
Subject: [PATCH] 4.4-stable patches
added patches:
staging-rtl8188eu-fix-potential-overuse-of-kernel-memory.patch
staging-rtl8188eu-fix-potential-security-hole.patch
usb-fix-novation-sourcecontrol-xl-after-suspend.patch
usb-hub-don-t-record-a-connect-change-event-during-reset-resume.patch
usb-uas-fix-a-plug-unplug-racing.patch
---
 queue-4.4/series | 5 +
 ...x-potential-overuse-of-kernel-memory.patch | 38 +++++++
 ...tl8188eu-fix-potential-security-hole.patch | 40 +++++++
 ...ation-sourcecontrol-xl-after-suspend.patch | 33 ++++++
 ...ect-change-event-during-reset-resume.patch | 84 +++++++++++++++
 .../usb-uas-fix-a-plug-unplug-racing.patch | 100 ++++++++++++++++++
 6 files changed, 300 insertions(+)
 create mode 100644 queue-4.4/staging-rtl8188eu-fix-potential-overuse-of-kernel-memory.patch
 create mode 100644 queue-4.4/staging-rtl8188eu-fix-potential-security-hole.patch
 create mode 100644 queue-4.4/usb-fix-novation-sourcecontrol-xl-after-suspend.patch
 create mode 100644 queue-4.4/usb-hub-don-t-record-a-connect-change-event-during-reset-resume.patch
 create mode 100644 queue-4.4/usb-uas-fix-a-plug-unplug-racing.patch
diff --git a/queue-4.4/series b/queue-4.4/series
index 9d99150d3c0..51755182aad 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -83,3 +83,8 @@ enic-prevent-waking-up-stopped-tx-queues-over-watchdog-reset.patch
 floppy-check-fdc-index-for-errors-before-assigning-it.patch
 staging-android-ashmem-disallow-ashmem-memory-from-being-remapped.patch
 staging-vt6656-fix-sign-of-rx_dbm-to-bb_pre_ed_rssi.patch
+usb-uas-fix-a-plug-unplug-racing.patch
+usb-fix-novation-sourcecontrol-xl-after-suspend.patch
+usb-hub-don-t-record-a-connect-change-event-during-reset-resume.patch
+staging-rtl8188eu-fix-potential-security-hole.patch
+staging-rtl8188eu-fix-potential-overuse-of-kernel-memory.patch
diff --git a/queue-4.4/staging-rtl8188eu-fix-potential-overuse-of-kernel-memory.patch b/queue-4.4/staging-rtl8188eu-fix-potential-overuse-of-kernel-memory.patch
new file mode 100644
index 00000000000..04760b3e212
--- /dev/null
+++ b/queue-4.4/staging-rtl8188eu-fix-potential-overuse-of-kernel-memory.patch
@@ -0,0 +1,38 @@
+From 4ddf8ab8d15ddbc52eefb44eb64e38466ce1f70f Mon Sep 17 00:00:00 2001
+From: Larry Finger
+Date: Mon, 10 Feb 2020 12:02:32 -0600
+Subject: staging: rtl8188eu: Fix potential overuse of kernel memory
+
+From: Larry Finger
+
+commit 4ddf8ab8d15ddbc52eefb44eb64e38466ce1f70f upstream.
+
+In routine wpa_supplicant_ioctl(), the user-controlled p->length is
+checked to be at least the size of struct ieee_param size, but the code
+does not detect the case where p->length is greater than the size
+of the struct, thus a malicious user could be wasting kernel memory.
+Fixes commit a2c60d42d97c ("Add files for new driver - part 16").
+
+Reported by: Pietro Oliva
+Cc: Pietro Oliva
+Cc: Stable
+Fixes commit a2c60d42d97c ("Add files for new driver - part 16").
+Signed-off-by: Larry Finger
+Link: https://lore.kernel.org/r/20200210180235.21691-4-Larry.Finger@lwfinger.net
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/staging/rtl8188eu/os_dep/ioctl_linux.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
++++ b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
+@@ -2054,7 +2054,7 @@ static int wpa_supplicant_ioctl(struct n
+ struct ieee_param *param;
+ uint ret = 0;
+
+- if (p->length < sizeof(struct ieee_param) || !p->pointer) {
++ if (!p->pointer || p->length != sizeof(struct ieee_param)) {
+ ret = -EINVAL;
+ goto out;
+ }
diff --git a/queue-4.4/staging-rtl8188eu-fix-potential-security-hole.patch b/queue-4.4/staging-rtl8188eu-fix-potential-security-hole.patch
new file mode 100644
index 00000000000..34889a89d21
--- /dev/null
+++ b/queue-4.4/staging-rtl8188eu-fix-potential-security-hole.patch
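Review bot: The guard added in wpa_supplicant_ioctl (inner hunk at ioctl_linux.c:2054) now requires `p->length == sizeof(struct ieee_param)`, which rejects requests whose length is larger as well as smaller; the rest of the function, which consumes `param`, lies outside the hunk, so whether any sub-command legitimately passes trailing data after the fixed struct cannot be checked here and should be confirmed against the callers before the stricter equality is taken into 4.4. If only an upper bound on the copied size is wanted, bounding the copy length rather than rejecting the request would presumably keep such callers working. The same equality check is introduced for rtw_hostapd_ioctl in the next patch file, staging-rtl8188eu-fix-potential-security-hole.patch, and the same question applies there. A one-line comment at the guard, e.g. `/* ieee_param is fixed-size: reject shorter and longer requests */`, would record why exact equality is required.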
@@ -0,0 +1,40 @@
+From 499c405b2b80bb3a04425ba3541d20305e014d3e Mon Sep 17 00:00:00 2001
+From: Larry Finger
+Date: Mon, 10 Feb 2020 12:02:30 -0600
+Subject: staging: rtl8188eu: Fix potential security hole
+
+From: Larry Finger
+
+commit 499c405b2b80bb3a04425ba3541d20305e014d3e upstream.
+
+In routine rtw_hostapd_ioctl(), the user-controlled p->length is assumed
+to be at least the size of struct ieee_param size, but this assumption is
+never checked. This could result in out-of-bounds read/write on kernel
+heap in case a p->length less than the size of struct ieee_param is
+specified by the user. If p->length is allowed to be greater than the size
+of the struct, then a malicious user could be wasting kernel memory.
+Fixes commit a2c60d42d97c ("Add files for new driver - part 16").
+
+Reported by: Pietro Oliva
+Cc: Pietro Oliva
+Cc: Stable
+Fixes: a2c60d42d97c ("staging: r8188eu: Add files for new driver - part 16")
+Signed-off-by: Larry Finger
+Link: https://lore.kernel.org/r/20200210180235.21691-2-Larry.Finger@lwfinger.net
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/staging/rtl8188eu/os_dep/ioctl_linux.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
++++ b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
+@@ -2859,7 +2859,7 @@ static int rtw_hostapd_ioctl(struct net_
+ goto out;
+ }
+
+- if (!p->pointer) {
++ if (!p->pointer || p->length != sizeof(struct ieee_param)) {
+ ret = -EINVAL;
+ goto out;
+ }
diff --git a/queue-4.4/usb-fix-novation-sourcecontrol-xl-after-suspend.patch b/queue-4.4/usb-fix-novation-sourcecontrol-xl-after-suspend.patch
new file mode 100644
index 00000000000..083e8d31067
--- /dev/null
+++ b/queue-4.4/usb-fix-novation-sourcecontrol-xl-after-suspend.patch
@@ -0,0 +1,33 @@
+From b692056db8ecc7f452b934f016c17348282b7699 Mon Sep 17 00:00:00 2001
+From: Richard Dodd
+Date: Wed, 12 Feb 2020 14:22:18 +0000
+Subject: USB: Fix novation SourceControl XL after suspend
+
+From: Richard Dodd
+
+commit b692056db8ecc7f452b934f016c17348282b7699 upstream.
+
+Currently, the SourceControl will stay in power-down mode after resuming
+from suspend. This patch resets the device after suspend to power it up.
+
+Signed-off-by: Richard Dodd
+Cc: stable
+Link: https://lore.kernel.org/r/20200212142220.36892-1-richard.o.dodd@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/core/quirks.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/core/quirks.c
++++ b/drivers/usb/core/quirks.c
+@@ -291,6 +291,9 @@ static const struct usb_device_id usb_qu
+ /* INTEL VALUE SSD */
+ { USB_DEVICE(0x8086, 0xf1a5), .driver_info = USB_QUIRK_RESET_RESUME },
+
++ /* novation SoundControl XL */
++ { USB_DEVICE(0x1235, 0x0061), .driver_info = USB_QUIRK_RESET_RESUME },
++
+ { } /* terminating entry must be last */
+ };
+
diff --git a/queue-4.4/usb-hub-don-t-record-a-connect-change-event-during-reset-resume.patch b/queue-4.4/usb-hub-don-t-record-a-connect-change-event-during-reset-resume.patch
new file mode 100644
index 00000000000..da247a5ff5a
--- /dev/null
+++ b/queue-4.4/usb-hub-don-t-record-a-connect-change-event-during-reset-resume.patch
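Review bot: The comment on the new quirk entry, `/* novation SoundControl XL */`, names a different product than the patch subject and description, which call it the SourceControl XL; the table comment is what a later reader will grep for, so the two should agree. Which spelling is correct cannot be settled from the page, but whichever it is should be used in both places, e.g. `/* novation SourceControl XL */` if the subject is right. The entry itself matches the form of the surrounding table and leaves the terminating entry last.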
@@ -0,0 +1,84 @@
+From 8099f58f1ecddf4f374f4828a3dff8397c7cbd74 Mon Sep 17 00:00:00 2001
+From: Alan Stern
+Date: Fri, 31 Jan 2020 10:39:26 -0500
+Subject: USB: hub: Don't record a connect-change event during reset-resume
+
+From: Alan Stern
+
+commit 8099f58f1ecddf4f374f4828a3dff8397c7cbd74 upstream.
+
+Paul Zimmerman reports that his USB Bluetooth adapter sometimes
+crashes following system resume, when it receives a
+Get-Device-Descriptor request while it is busy doing something else.
+
+Such a request was added by commit a4f55d8b8c14 ("usb: hub: Check
+device descriptor before resusciation"). It gets sent when the hub
+driver's work thread checks whether a connect-change event on an
+enabled port really indicates a new device has been connected, as
+opposed to an old device momentarily disconnecting and then
+reconnecting (which can happen with xHCI host controllers, since they
+automatically enable connected ports).
+
+The same kind of thing occurs when a port's power session is lost
+during system suspend. When the system wakes up it sees a
+connect-change event on the port, and if the child device's
+persist_enabled flag was set then hub_activate() sets the device's
+reset_resume flag as well as the port's bit in hub->change_bits. The
+reset-resume code then takes responsibility for checking that the same
+device is still attached to the port, and it does this as part of the
+device's resume pathway. By the time the hub driver's work thread
+starts up again, the device has already been fully reinitialized and
+is busy doing its own thing. There's no need for the work thread to
+do the same check a second time, and in fact this unnecessary check is
+what caused the problem that Paul observed.
+
+Note that performing the unnecessary check is not actually a bug.
+Devices are supposed to be able to send descriptors back to the host
+even when they are busy doing something else. The underlying cause of
+Paul's problem lies in his Bluetooth adapter. 
Nevertheless, we
+shouldn't perform the same check twice in a row -- and as a nice side
+benefit, removing the extra check allows the Bluetooth adapter to work
+more reliably.
+
+The work thread performs its check when it sees that the port's bit is
+set in hub->change_bits. In this situation that bit is interpreted as
+though a connect-change event had occurred on the port _after_ the
+reset-resume, which is not what actually happened.
+
+One possible fix would be to make the reset-resume code clear the
+port's bit in hub->change_bits. But it seems simpler to just avoid
+setting the bit during hub_activate() in the first place. That's what
+this patch does.
+
+(Proving that the patch is correct when CONFIG_PM is disabled requires
+a little thought. In that setting hub_activate() will be called only
+for initialization and resets, since there won't be any resumes or
+reset-resumes. During initialization and hub resets the hub doesn't
+have any child devices, and so this code path never gets executed.)
+
+Reported-and-tested-by: Paul Zimmerman
+Signed-off-by: Alan Stern
+Link: https://marc.info/?t=157949360700001&r=1&w=2
+CC: David Heinzelmann
+CC:
+Link: https://lore.kernel.org/r/Pine.LNX.4.44L0.2001311037460.1577-100000@iolanthe.rowland.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/core/hub.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -1171,11 +1171,6 @@ static void hub_activate(struct usb_hub
+ #ifdef CONFIG_PM
+ udev->reset_resume = 1;
+ #endif
+- /* Don't set the change_bits when the device
+- * was powered off.
+- */
+- if (test_bit(port1, hub->power_bits))
+- set_bit(port1, hub->change_bits);
+
+ } else {
+ /* The power session is gone; tell hub_wq */
diff --git a/queue-4.4/usb-uas-fix-a-plug-unplug-racing.patch b/queue-4.4/usb-uas-fix-a-plug-unplug-racing.patch
new file mode 100644
index 00000000000..5cedbd25c0e
--- /dev/null
+++ b/queue-4.4/usb-uas-fix-a-plug-unplug-racing.patch
@@ -0,0 +1,100 @@
+From 3e99862c05a9caa5a27969f41566b428696f5a9a Mon Sep 17 00:00:00 2001
+From: EJ Hsu
+Date: Thu, 30 Jan 2020 01:25:06 -0800
+Subject: usb: uas: fix a plug & unplug racing
+
+From: EJ Hsu
+
+commit 3e99862c05a9caa5a27969f41566b428696f5a9a upstream.
+
+When a uas disk is plugged into an external hub, uas_probe()
+will be called by the hub thread to do the probe. It will
+first create a SCSI host and then do the scan for this host.
+During the scan, it will probe the LUN using SCSI INQUERY command
+which will be packed in the URB and submitted to uas disk.
+
+There might be a chance that this external hub with uas disk
+attached is unplugged during the scan. In this case, uas driver
+will fail to submit the URB (due to the NOTATTACHED state of uas
+device) and try to put this SCSI command back to request queue
+waiting for next chance to run.
+
+In normal case, this cycle will terminate when hub thread gets
+disconnection event and calls into uas_disconnect() accordingly.
+But in this case, uas_disconnect() will not be called because
+hub thread of external hub gets stuck waiting for the completion
+of this SCSI command. A deadlock happened.
+
+In this fix, uas will call scsi_scan_host() asynchronously to
+avoid the blocking of hub thread. 
+
+Signed-off-by: EJ Hsu
+Acked-by: Oliver Neukum
+Cc: stable
+Link: https://lore.kernel.org/r/20200130092506.102760-1-ejh@nvidia.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/storage/uas.c | 23 ++++++++++++++++++++++-
+ 1 file changed, 22 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/storage/uas.c
++++ b/drivers/usb/storage/uas.c
+@@ -46,6 +46,7 @@ struct uas_dev_info {
+ struct scsi_cmnd *cmnd[MAX_CMNDS];
+ spinlock_t lock;
+ struct work_struct work;
++ struct work_struct scan_work; /* for async scanning */
+ };
+
+ enum {
+@@ -115,6 +116,17 @@ out:
+ spin_unlock_irqrestore(&devinfo->lock, flags);
+ }
+
++static void uas_scan_work(struct work_struct *work)
++{
++ struct uas_dev_info *devinfo =
++ container_of(work, struct uas_dev_info, scan_work);
++ struct Scsi_Host *shost = usb_get_intfdata(devinfo->intf);
++
++ dev_dbg(&devinfo->intf->dev, "starting scan\n");
++ scsi_scan_host(shost);
++ dev_dbg(&devinfo->intf->dev, "scan complete\n");
++}
++
+ static void uas_add_work(struct uas_cmd_info *cmdinfo)
+ {
+ struct scsi_pointer *scp = (void *)cmdinfo;
+@@ -929,6 +941,7 @@ static int uas_probe(struct usb_interfac
+ init_usb_anchor(&devinfo->data_urbs);
+ spin_lock_init(&devinfo->lock);
+ INIT_WORK(&devinfo->work, uas_do_work);
++ INIT_WORK(&devinfo->scan_work, uas_scan_work);
+
+ result = uas_configure_endpoints(devinfo);
+ if (result)
+@@ -945,7 +958,9 @@ static int uas_probe(struct usb_interfac
+ if (result)
+ goto free_streams;
+
+- scsi_scan_host(shost);
++ /* Submit the delayed_work for SCSI-device scanning */
++ schedule_work(&devinfo->scan_work);
++
+ return result;
+
+ free_streams:
+@@ -1113,6 +1128,12 @@ static void uas_disconnect(struct usb_in
+ usb_kill_anchored_urbs(&devinfo->data_urbs);
+ uas_zap_pending(devinfo, DID_NO_CONNECT);
+
++ /*
++ * Prevent SCSI scanning (if it hasn't started yet)
++ * or wait for the SCSI-scanning routine to stop. 
++ */
++ cancel_work_sync(&devinfo->scan_work);
++
+ scsi_remove_host(shost);
+ uas_free_streams(devinfo);
+ scsi_host_put(shost);
--
2.47.3
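Review bot: The comment added before the new call in uas_probe, `/* Submit the delayed_work for SCSI-device scanning */`, is misleading: `scan_work` is declared as a plain `struct work_struct` and queued with `schedule_work()`, not a `delayed_work`; suggest `/* Scan for SCSI devices from a work item so the hub thread is not blocked */`. The field comment `/* for async scanning */` in struct uas_dev_info could also record the lifetime rule the patch depends on, namely that uas_disconnect() must `cancel_work_sync()` it before `scsi_remove_host()`, since a reader of uas_scan_work() otherwise has no hint why `usb_get_intfdata(devinfo->intf)` is presumably still valid when the work runs. The cancel itself is placed after `uas_zap_pending()` and before `scsi_remove_host()`, which looks like the right ordering. Both uas_probe() and uas_disconnect() start outside their hunks.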