From f3fb40f2890eeae7419308ef0529c2cc0c89735b Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sat, 19 Dec 2020 12:55:11 +0100 Subject: [PATCH] 4.4-stable patches added patches: alsa-pcm-oss-fix-potential-out-of-bounds-shift.patch alsa-usb-audio-fix-control-access-overflow-errors-from-chmap.patch alsa-usb-audio-fix-potential-out-of-bounds-shift.patch serial-8250_omap-avoid-fifo-corruption-caused-by-mdr1-access.patch usb-add-reset_resume-quirk-for-snapscan-1212.patch usb-dummy-hcd-fix-uninitialized-array-use-in-init.patch usb-sisusbvga-make-console-support-depend-on-broken.patch xhci-give-usb2-ports-time-to-enter-u3-in-bus-suspend.patch --- ...ss-fix-potential-out-of-bounds-shift.patch | 46 ++++++++++++++++ ...ol-access-overflow-errors-from-chmap.patch | 50 ++++++++++++++++++ ...io-fix-potential-out-of-bounds-shift.patch | 36 +++++++++++++ ...ifo-corruption-caused-by-mdr1-access.patch | 52 +++++++++++++++++++ queue-4.4/series | 8 +++ ...reset_resume-quirk-for-snapscan-1212.patch | 33 ++++++++++++ ...-fix-uninitialized-array-use-in-init.patch | 40 ++++++++++++++ ...ake-console-support-depend-on-broken.patch | 46 ++++++++++++++++ ...orts-time-to-enter-u3-in-bus-suspend.patch | 43 +++++++++++++++ 9 files changed, 354 insertions(+) create mode 100644 queue-4.4/alsa-pcm-oss-fix-potential-out-of-bounds-shift.patch create mode 100644 queue-4.4/alsa-usb-audio-fix-control-access-overflow-errors-from-chmap.patch create mode 100644 queue-4.4/alsa-usb-audio-fix-potential-out-of-bounds-shift.patch create mode 100644 queue-4.4/serial-8250_omap-avoid-fifo-corruption-caused-by-mdr1-access.patch create mode 100644 queue-4.4/usb-add-reset_resume-quirk-for-snapscan-1212.patch create mode 100644 queue-4.4/usb-dummy-hcd-fix-uninitialized-array-use-in-init.patch create mode 100644 queue-4.4/usb-sisusbvga-make-console-support-depend-on-broken.patch create mode 100644 queue-4.4/xhci-give-usb2-ports-time-to-enter-u3-in-bus-suspend.patch 
diff --git a/queue-4.4/alsa-pcm-oss-fix-potential-out-of-bounds-shift.patch b/queue-4.4/alsa-pcm-oss-fix-potential-out-of-bounds-shift.patch
new file mode 100644
index 00000000000..5a597e0545a
--- /dev/null
+++ b/queue-4.4/alsa-pcm-oss-fix-potential-out-of-bounds-shift.patch
@@ -0,0 +1,46 @@
+From 175b8d89fe292796811fdee87fa39799a5b6b87a Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Wed, 9 Dec 2020 09:45:52 +0100
+Subject: ALSA: pcm: oss: Fix potential out-of-bounds shift
+
+From: Takashi Iwai
+
+commit 175b8d89fe292796811fdee87fa39799a5b6b87a upstream.
+
+syzbot spotted a potential out-of-bounds shift in the PCM OSS layer
+where it calculates the buffer size with the arbitrary shift value
+given via an ioctl.
+
+Add a range check for avoiding the undefined behavior.
+As the value can be treated by a signed integer, the max shift should
+be 30.
+
+Reported-by: syzbot+df7dc146ebdd6435eea3@syzkaller.appspotmail.com
+Cc:
+Link: https://lore.kernel.org/r/20201209084552.17109-2-tiwai@suse.de
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/core/oss/pcm_oss.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/sound/core/oss/pcm_oss.c
++++ b/sound/core/oss/pcm_oss.c
+@@ -2000,11 +2000,15 @@ static int snd_pcm_oss_set_subdivide(str
+ static int snd_pcm_oss_set_fragment1(struct snd_pcm_substream *substream, unsigned int val)
+ {
+ struct snd_pcm_runtime *runtime;
++ int fragshift;
+
+ runtime = substream->runtime;
+ if (runtime->oss.subdivision || runtime->oss.fragshift)
+ return -EINVAL;
+- runtime->oss.fragshift = val & 0xffff;
++ fragshift = val & 0xffff;
++ if (fragshift >= 31)
++ return -EINVAL;
++ runtime->oss.fragshift = fragshift;
+ runtime->oss.maxfrags = (val >> 16) & 0xffff;
+ if (runtime->oss.fragshift < 4) /* < 16 */
+ runtime->oss.fragshift = 4;
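Review bot: The new bound in `if (fragshift >= 31)` is a bare literal, and the reason for it (the value is later used as a shift count on a signed int, so 30 is the largest safe shift) is recorded only in the commit message. A short comment above the check, such as `/* ioctl-supplied; 1 << fragshift must fit in a signed int */`, would stop a later cleanup from relaxing it to 32. The shift itself is not visible in this hunk, and snd_pcm_oss_set_fragment1() continues past the hunk's last line.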
diff --git a/queue-4.4/alsa-usb-audio-fix-control-access-overflow-errors-from-chmap.patch b/queue-4.4/alsa-usb-audio-fix-control-access-overflow-errors-from-chmap.patch
new file mode 100644
index 00000000000..46c7d4a20e1
--- /dev/null
+++ b/queue-4.4/alsa-usb-audio-fix-control-access-overflow-errors-from-chmap.patch
@@ -0,0 +1,50 @@
+From c6dde8ffd071aea9d1ce64279178e470977b235c Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Fri, 11 Dec 2020 14:00:48 +0100
+Subject: ALSA: usb-audio: Fix control 'access overflow' errors from chmap
+
+From: Takashi Iwai
+
+commit c6dde8ffd071aea9d1ce64279178e470977b235c upstream.
+
+The current channel-map control implementation in USB-audio driver may
+lead to an error message like
+ "control 3:0:0:Playback Channel Map:0: access overflow"
+when CONFIG_SND_CTL_VALIDATION is set. It's because the chmap get
+callback clears the whole array no matter which count is set, and
+rather the false-positive detection.
+
+This patch fixes the problem by clearing only the needed array range
+at usb_chmap_ctl_get().
+
+Cc:
+Link: https://lore.kernel.org/r/20201211130048.6358-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/usb/stream.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/sound/usb/stream.c
++++ b/sound/usb/stream.c
+@@ -187,16 +187,16 @@ static int usb_chmap_ctl_get(struct snd_
+ struct snd_pcm_chmap *info = snd_kcontrol_chip(kcontrol);
+ struct snd_usb_substream *subs = info->private_data;
+ struct snd_pcm_chmap_elem *chmap = NULL;
+- int i;
++ int i = 0;
+
+- memset(ucontrol->value.integer.value, 0,
+- sizeof(ucontrol->value.integer.value));
+ if (subs->cur_audiofmt)
+ chmap = subs->cur_audiofmt->chmap;
+ if (chmap) {
+ for (i = 0; i < chmap->channels; i++)
+ ucontrol->value.integer.value[i] = chmap->map[i];
+ }
++ for (; i < subs->channels_max; i++)
++ ucontrol->value.integer.value[i] = 0;
+ return 0;
+ }
+
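Review bot: The new zero-fill loop `for (; i < subs->channels_max; i++)` writes into `ucontrol->value.integer.value[]` with `subs->channels_max` as its only bound, whereas the removed memset was bounded by `sizeof(ucontrol->value.integer.value)`. Where `channels_max` is set is not visible in this hunk; if it can come from a device-supplied descriptor, a count larger than the array would turn this into an out-of-bounds write. Clamping the limit once, for example `unsigned int n = min_t(unsigned int, subs->channels_max, ARRAY_SIZE(ucontrol->value.integer.value));`, and using `n` in the loop would keep the old guarantee. The start of usb_chmap_ctl_get() lies outside the hunk.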
diff --git a/queue-4.4/alsa-usb-audio-fix-potential-out-of-bounds-shift.patch b/queue-4.4/alsa-usb-audio-fix-potential-out-of-bounds-shift.patch
new file mode 100644
index 00000000000..38d53a46d32
--- /dev/null
+++ b/queue-4.4/alsa-usb-audio-fix-potential-out-of-bounds-shift.patch
@@ -0,0 +1,36 @@
+From 43d5ca88dfcd35e43010fdd818e067aa9a55f5ba Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Wed, 9 Dec 2020 09:45:51 +0100
+Subject: ALSA: usb-audio: Fix potential out-of-bounds shift
+
+From: Takashi Iwai
+
+commit 43d5ca88dfcd35e43010fdd818e067aa9a55f5ba upstream.
+
+syzbot spotted a potential out-of-bounds shift in the USB-audio format
+parser that receives the arbitrary shift value from the USB
+descriptor.
+
+Add a range check for avoiding the undefined behavior.
+
+Reported-by: syzbot+df7dc146ebdd6435eea3@syzkaller.appspotmail.com
+Cc:
+Link: https://lore.kernel.org/r/20201209084552.17109-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/usb/format.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/usb/format.c
++++ b/sound/usb/format.c
+@@ -52,6 +52,8 @@ static u64 parse_audio_format_i_type(str
+ case UAC_VERSION_1:
+ default: {
+ struct uac_format_type_i_discrete_descriptor *fmt = _fmt;
++ if (format >= 64)
++ return 0; /* invalid format */
+ sample_width = fmt->bBitResolution;
+ sample_bytes = fmt->bSubframeSize;
+ format = 1 << format;
diff --git a/queue-4.4/serial-8250_omap-avoid-fifo-corruption-caused-by-mdr1-access.patch b/queue-4.4/serial-8250_omap-avoid-fifo-corruption-caused-by-mdr1-access.patch
new file mode 100644
index 00000000000..72cd42a51b2
--- /dev/null
+++ b/queue-4.4/serial-8250_omap-avoid-fifo-corruption-caused-by-mdr1-access.patch
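Review bot: The added guard `if (format >= 64)` still lets descriptor values 31 to 63 reach `format = 1 << format;` three lines below, where the left operand is the `int` literal `1`, so the shift count can still exceed what that type allows. The declaration of `format` is outside the hunk: if it is a 64-bit type the shift should become `format = 1ULL << format;`, and if it is a 32-bit type the guard should be tightened to `if (format >= 31)`. Either way the bound and the width of the shifted constant need to agree. The enclosing switch and function start and end outside the hunk.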
@@ -0,0 +1,52 @@
+From d96f04d347e4011977abdbb4da5d8f303ebd26f8 Mon Sep 17 00:00:00 2001
+From: Alexander Sverdlin
+Date: Thu, 10 Dec 2020 06:52:57 +0100
+Subject: serial: 8250_omap: Avoid FIFO corruption caused by MDR1 access
+
+From: Alexander Sverdlin
+
+commit d96f04d347e4011977abdbb4da5d8f303ebd26f8 upstream.
+
+It has been observed that once per 300-1300 port openings the first
+transmitted byte is being corrupted on AM3352 ("v" written to FIFO appeared
+as "e" on the wire). It only happened if single byte has been transmitted
+right after port open, which means, DMA is not used for this transfer and
+the corruption never happened afterwards.
+
+Therefore I've carefully re-read the MDR1 errata (link below), which says
+"when accessing the MDR1 registers that causes a dummy under-run condition
+that will freeze the UART in IrDA transmission. In UART mode, this may
+corrupt the transferred data". Strictly speaking,
+omap_8250_mdr1_errataset() performs a read access and if the value is the
+same as should be written, exits without errata-recommended FIFO reset.
+
+A brief check of the serial_omap_mdr1_errataset() from the competing
+omap-serial driver showed it has no read access of MDR1. After removing the
+read access from omap_8250_mdr1_errataset() the data corruption never
+happened any more.
+
+Link: https://www.ti.com/lit/er/sprz360i/sprz360i.pdf
+Fixes: 61929cf0169d ("tty: serial: Add 8250-core based omap driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Alexander Sverdlin
+Link: https://lore.kernel.org/r/20201210055257.1053028-1-alexander.sverdlin@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/tty/serial/8250/8250_omap.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+--- a/drivers/tty/serial/8250/8250_omap.c
++++ b/drivers/tty/serial/8250/8250_omap.c
+@@ -155,11 +155,6 @@ static void omap_8250_mdr1_errataset(str
+ struct omap8250_priv *priv)
+ {
+ u8 timeout = 255;
+- u8 old_mdr1;
+-
+- old_mdr1 = serial_in(up, UART_OMAP_MDR1);
+- if (old_mdr1 == priv->mdr1)
+- return;
+
+ serial_out(up, UART_OMAP_MDR1, priv->mdr1);
+ udelay(2);
diff --git a/queue-4.4/series b/queue-4.4/series
index cdbf28f13a4..6de3a85d2db 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -10,3 +10,11 @@ net-mlx4_en-avoid-scheduling-restart-task-if-it-is-already-running.patch
 tcp-fix-cwnd-limited-bug-for-tso-deferral-where-we-send-nothing.patch
 net-stmmac-delete-the-eee_ctrl_timer-after-napi-disabled.patch
 net-bridge-vlan-fix-error-return-code-in-__vlan_add.patch
+usb-dummy-hcd-fix-uninitialized-array-use-in-init.patch
+usb-add-reset_resume-quirk-for-snapscan-1212.patch
+alsa-usb-audio-fix-potential-out-of-bounds-shift.patch
+alsa-usb-audio-fix-control-access-overflow-errors-from-chmap.patch
+xhci-give-usb2-ports-time-to-enter-u3-in-bus-suspend.patch
+usb-sisusbvga-make-console-support-depend-on-broken.patch
+alsa-pcm-oss-fix-potential-out-of-bounds-shift.patch
+serial-8250_omap-avoid-fifo-corruption-caused-by-mdr1-access.patch
diff --git a/queue-4.4/usb-add-reset_resume-quirk-for-snapscan-1212.patch b/queue-4.4/usb-add-reset_resume-quirk-for-snapscan-1212.patch
new file mode 100644
index 00000000000..9d9e04dd8f4
--- /dev/null
+++ b/queue-4.4/usb-add-reset_resume-quirk-for-snapscan-1212.patch
@@ -0,0 +1,33 @@
+From 08a02f954b0def3ada8ed6d4b2c7bcb67e885e9c Mon Sep 17 00:00:00 2001
+From: Oliver Neukum
+Date: Mon, 7 Dec 2020 14:03:23 +0100
+Subject: USB: add RESET_RESUME quirk for Snapscan 1212
+
+From: Oliver Neukum
+
+commit 08a02f954b0def3ada8ed6d4b2c7bcb67e885e9c upstream.
+
+I got reports that some models of this old scanner need
+this when using runtime PM.
+
+Signed-off-by: Oliver Neukum
+Cc: stable
+Link: https://lore.kernel.org/r/20201207130323.23857-1-oneukum@suse.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/core/quirks.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/core/quirks.c
++++ b/drivers/usb/core/quirks.c
+@@ -189,6 +189,9 @@ static const struct usb_device_id usb_qu
+ { USB_DEVICE(0x06a3, 0x0006), .driver_info =
+ USB_QUIRK_CONFIG_INTF_STRINGS },
+
++ /* Agfa SNAPSCAN 1212U */
++ { USB_DEVICE(0x06bd, 0x0001), .driver_info = USB_QUIRK_RESET_RESUME },
++
+ /* Guillemot Webcam Hercules Dualpix Exchange (2nd ID) */
+ { USB_DEVICE(0x06f8, 0x0804), .driver_info = USB_QUIRK_RESET_RESUME },
+
diff --git a/queue-4.4/usb-dummy-hcd-fix-uninitialized-array-use-in-init.patch b/queue-4.4/usb-dummy-hcd-fix-uninitialized-array-use-in-init.patch
new file mode 100644
index 00000000000..2d037551f85
--- /dev/null
+++ b/queue-4.4/usb-dummy-hcd-fix-uninitialized-array-use-in-init.patch
@@ -0,0 +1,40 @@
+From e90cfa813da7a527785033a0b247594c2de93dd8 Mon Sep 17 00:00:00 2001
+From: Bui Quang Minh
+Date: Fri, 4 Dec 2020 06:24:49 +0000
+Subject: USB: dummy-hcd: Fix uninitialized array use in init()
+
+From: Bui Quang Minh
+
+commit e90cfa813da7a527785033a0b247594c2de93dd8 upstream.
+
+This error path
+
+ err_add_pdata:
+ for (i = 0; i < mod_data.num; i++)
+ kfree(dum[i]);
+
+can be triggered when not all dum's elements are initialized.
+
+Fix this by initializing all dum's elements to NULL.
+
+Acked-by: Alan Stern
+Cc: stable
+Signed-off-by: Bui Quang Minh
+Link: https://lore.kernel.org/r/1607063090-3426-1-git-send-email-minhquangbui99@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/gadget/udc/dummy_hcd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/udc/dummy_hcd.c
++++ b/drivers/usb/gadget/udc/dummy_hcd.c
+@@ -2741,7 +2741,7 @@ static int __init init(void)
+ {
+ int retval = -ENOMEM;
+ int i;
+- struct dummy *dum[MAX_NUM_UDC];
++ struct dummy *dum[MAX_NUM_UDC] = {};
+
+ if (usb_disabled())
+ return -ENODEV;
diff --git a/queue-4.4/usb-sisusbvga-make-console-support-depend-on-broken.patch b/queue-4.4/usb-sisusbvga-make-console-support-depend-on-broken.patch
new file mode 100644
index 00000000000..c11727b3575
--- /dev/null
+++ b/queue-4.4/usb-sisusbvga-make-console-support-depend-on-broken.patch
@@ -0,0 +1,46 @@
+From 862ee699fefe1e6d6f2c1518395f0b999b8beb15 Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner
+Date: Mon, 19 Oct 2020 12:06:30 +0200
+Subject: USB: sisusbvga: Make console support depend on BROKEN
+
+From: Thomas Gleixner
+
+commit 862ee699fefe1e6d6f2c1518395f0b999b8beb15 upstream.
+
+The console part of sisusbvga is broken vs. printk(). It uses in_atomic()
+to detect contexts in which it cannot sleep despite the big fat comment in
+preempt.h which says: Do not use in_atomic() in driver code.
+
+in_atomic() does not work on kernels with CONFIG_PREEMPT_COUNT=n which
+means that spin/rw_lock held regions are not detected by it.
+
+There is no way to make this work by handing context information through to
+the driver and this only can be solved once the core printk infrastructure
+supports sleepable console drivers.
+
+Make it depend on BROKEN for now.
+
+Fixes: 1bbb4f2035d9 ("[PATCH] USB: sisusb[vga] update")
+Signed-off-by: Thomas Gleixner
+Cc: Thomas Winischhofer
+Cc: Greg Kroah-Hartman
+Cc: linux-usb@vger.kernel.org
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20201019101109.603244207@linutronix.de
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/misc/sisusbvga/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/misc/sisusbvga/Kconfig
++++ b/drivers/usb/misc/sisusbvga/Kconfig
+@@ -15,7 +15,7 @@ config USB_SISUSBVGA
+
+ config USB_SISUSBVGA_CON
+ bool "Text console and mode switching support" if USB_SISUSBVGA
+- depends on VT
++ depends on VT && BROKEN
+ select FONT_8x16
+ ---help---
+ Say Y here if you want a VGA text console via the USB dongle or
diff --git a/queue-4.4/xhci-give-usb2-ports-time-to-enter-u3-in-bus-suspend.patch b/queue-4.4/xhci-give-usb2-ports-time-to-enter-u3-in-bus-suspend.patch
new file mode 100644
index 00000000000..f0d752a3768
--- /dev/null
+++ b/queue-4.4/xhci-give-usb2-ports-time-to-enter-u3-in-bus-suspend.patch
@@ -0,0 +1,43 @@
+From c1373f10479b624fb6dba0805d673e860f1b421d Mon Sep 17 00:00:00 2001
+From: Li Jun
+Date: Tue, 8 Dec 2020 11:29:12 +0200
+Subject: xhci: Give USB2 ports time to enter U3 in bus suspend
+
+From: Li Jun
+
+commit c1373f10479b624fb6dba0805d673e860f1b421d upstream.
+
+If a USB2 device wakeup is not enabled/supported the link state may
+still be in U0 in xhci_bus_suspend(), where it's then manually put
+to suspended U3 state.
+
+Just as with selective suspend the device needs time to enter U3
+suspend before continuing with further suspend operations
+(e.g. system suspend), otherwise we may enter system suspend with link
+state in U0.
+
+[commit message rewording -Mathias]
+
+Cc:
+Signed-off-by: Li Jun
+Signed-off-by: Mathias Nyman
+Link: https://lore.kernel.org/r/20201208092912.1773650-6-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/host/xhci-hub.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/usb/host/xhci-hub.c
++++ b/drivers/usb/host/xhci-hub.c
+@@ -1400,6 +1400,10 @@ int xhci_bus_suspend(struct usb_hcd *hcd
+ hcd->state = HC_STATE_SUSPENDED;
+ bus_state->next_statechange = jiffies + msecs_to_jiffies(10);
+ spin_unlock_irqrestore(&xhci->lock, flags);
++
++ if (bus_state->bus_suspended)
++ usleep_range(5000, 10000);
++
+ return 0;
+ }
+
-- 2.47.3
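Review bot: The added `usleep_range(5000, 10000);` has no comment saying what the 5 to 10 ms wait is for, so the reason exists only in the commit message. A line above the `if`, such as `/* let USB2 ports put into U3 above settle before suspend continues */`, would keep it with the code. The test of `bus_state->bus_suspended` also runs after `spin_unlock_irqrestore(&xhci->lock, flags)`; whether that field can change once the lock is dropped is not visible here, so it may be worth confirming, or latching the value in a local before unlocking. The body of xhci_bus_suspend() starts outside the hunk.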