From f5c89d743323e671539fd680676b5371060d3f79 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Wed, 18 Aug 2021 20:54:22 -0400 Subject: [PATCH] Fixes for 5.4 Signed-off-by: Sasha Levin --- ...dia-usb-fix-memory-leak-in-zr364xx_p.patch | 80 +++++++ ...ia-zr364xx-fix-memory-leaks-in-probe.patch | 186 +++++++++++++++++ ...opagate-errors-from-zr364xx_start_re.patch | 92 ++++++++ ...hange-cma-mutex-to-irq-safe-spinlock.patch | 197 ++++++++++++++++++ queue-5.4/series | 5 + ...arnings-for-0-length-descriptor-requ.patch | 52 +++++ 6 files changed, 612 insertions(+) create mode 100644 queue-5.4/media-drivers-media-usb-fix-memory-leak-in-zr364xx_p.patch create mode 100644 queue-5.4/media-zr364xx-fix-memory-leaks-in-probe.patch create mode 100644 queue-5.4/media-zr364xx-propagate-errors-from-zr364xx_start_re.patch create mode 100644 queue-5.4/mm-cma-change-cma-mutex-to-irq-safe-spinlock.patch create mode 100644 queue-5.4/usb-core-avoid-warnings-for-0-length-descriptor-requ.patch diff --git a/queue-5.4/media-drivers-media-usb-fix-memory-leak-in-zr364xx_p.patch b/queue-5.4/media-drivers-media-usb-fix-memory-leak-in-zr364xx_p.patch new file mode 100644 index 00000000000..24fc3fbac03 --- /dev/null +++ b/queue-5.4/media-drivers-media-usb-fix-memory-leak-in-zr364xx_p.patch @@ -0,0 +1,80 @@ +From efd6c12fcac286518d994653c0c985f535aaa60e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Mar 2021 21:38:26 +0100 +Subject: media: drivers/media/usb: fix memory leak in zr364xx_probe + +From: Pavel Skripkin + +[ Upstream commit 9c39be40c0155c43343f53e3a439290c0fec5542 ] + +syzbot reported memory leak in zr364xx_probe()[1]. +The problem was in invalid error handling order. +All error conditions rigth after v4l2_ctrl_handler_init() +must call v4l2_ctrl_handler_free(). + +Reported-by: syzbot+efe9aefc31ae1e6f7675@syzkaller.appspotmail.com +Signed-off-by: Pavel Skripkin +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/zr364xx/zr364xx.c | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +diff --git a/drivers/media/usb/zr364xx/zr364xx.c b/drivers/media/usb/zr364xx/zr364xx.c +index b3f01de9cf37..25f16ff6dcc7 100644 +--- a/drivers/media/usb/zr364xx/zr364xx.c ++++ b/drivers/media/usb/zr364xx/zr364xx.c +@@ -1436,7 +1436,7 @@ static int zr364xx_probe(struct usb_interface *intf, + if (hdl->error) { + err = hdl->error; + dev_err(&udev->dev, "couldn't register control\n"); +- goto unregister; ++ goto free_hdlr_and_unreg_dev; + } + /* save the init method used by this camera */ + cam->method = id->driver_info; +@@ -1509,7 +1509,7 @@ static int zr364xx_probe(struct usb_interface *intf, + if (!cam->read_endpoint) { + err = -ENOMEM; + dev_err(&intf->dev, "Could not find bulk-in endpoint\n"); +- goto unregister; ++ goto free_hdlr_and_unreg_dev; + } + + /* v4l */ +@@ -1521,7 +1521,7 @@ static int zr364xx_probe(struct usb_interface *intf, + /* load zr364xx board specific */ + err = zr364xx_board_init(cam); + if (err) +- goto unregister; ++ goto free_hdlr_and_unreg_dev; + err = v4l2_ctrl_handler_setup(hdl); + if (err) + goto board_uninit; +@@ -1539,7 +1539,7 @@ static int zr364xx_probe(struct usb_interface *intf, + err = video_register_device(&cam->vdev, VFL_TYPE_GRABBER, -1); + if (err) { + dev_err(&udev->dev, "video_register_device failed\n"); +- goto free_handler; ++ goto board_uninit; + } + cam->v4l2_dev.release = zr364xx_release; + +@@ -1547,11 +1547,10 @@ static int zr364xx_probe(struct usb_interface *intf, + video_device_node_name(&cam->vdev)); + return 0; + +-free_handler: +- v4l2_ctrl_handler_free(hdl); + board_uninit: + zr364xx_board_uninit(cam); +-unregister: ++free_hdlr_and_unreg_dev: ++ v4l2_ctrl_handler_free(hdl); + v4l2_device_unregister(&cam->v4l2_dev); + free_cam: + kfree(cam); +-- +2.30.2 + diff --git a/queue-5.4/media-zr364xx-fix-memory-leaks-in-probe.patch b/queue-5.4/media-zr364xx-fix-memory-leaks-in-probe.patch new file mode 100644 index 00000000000..c226fe179bf --- /dev/null +++ b/queue-5.4/media-zr364xx-fix-memory-leaks-in-probe.patch @@ -0,0 +1,186 @@ +From f8f32b1cb35ddf80a67703cf7be0babab3133a7f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Jan 2021 07:44:00 +0100 +Subject: media: zr364xx: fix memory leaks in probe() + +From: Dan Carpenter + +[ Upstream commit ea354b6ddd6f09be29424f41fa75a3e637fea234 ] + +Syzbot discovered that the probe error handling doesn't clean up the +resources allocated in zr364xx_board_init(). There are several +related bugs in this code so I have re-written the error handling. + +1) Introduce a new function zr364xx_board_uninit() which cleans up + the resources in zr364xx_board_init(). +2) In zr364xx_board_init() if the call to zr364xx_start_readpipe() + fails then release the "cam->buffer.frame[i].lpvbits" memory + before returning. This way every function either allocates + everything successfully or it cleans up after itself. +3) Re-write the probe function so that each failure path goto frees + the most recent allocation. That way we don't free anything + before it has been allocated and we can also verify that + everything is freed. +4) Originally, in the probe function the "cam->v4l2_dev.release" + pointer was set to "zr364xx_release" near the start but I moved + that assignment to the end, after everything had succeeded. The + release function was never actually called during the probe cleanup + process, but with this change I wanted to make it clear that we + don't want to call zr364xx_release() until everything is + allocated successfully. + +Next I re-wrote the zr364xx_release() function. Ideally this would +have been a simple matter of copy and pasting the cleanup code from +probe and adding an additional call to video_unregister_device(). But +there are a couple quirks to note. + +1) The probe function does not call videobuf_mmap_free() and I don't + know where the videobuf_mmap is allocated. I left the code as-is to + avoid introducing a bug in code I don't understand. +2) The zr364xx_board_uninit() has a call to zr364xx_stop_readpipe() + which is a change from the original behavior with regards to + unloading the driver. Calling zr364xx_stop_readpipe() on a stopped + pipe is not a problem so this is safe and is potentially a bugfix. + +Reported-by: syzbot+b4d54814b339b5c6bbd4@syzkaller.appspotmail.com +Signed-off-by: Dan Carpenter +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/zr364xx/zr364xx.c | 49 ++++++++++++++++++----------- + 1 file changed, 31 insertions(+), 18 deletions(-) + +diff --git a/drivers/media/usb/zr364xx/zr364xx.c b/drivers/media/usb/zr364xx/zr364xx.c +index 22b34690a016..b3f01de9cf37 100644 +--- a/drivers/media/usb/zr364xx/zr364xx.c ++++ b/drivers/media/usb/zr364xx/zr364xx.c +@@ -1187,15 +1187,11 @@ static int zr364xx_open(struct file *file) + return err; + } + +-static void zr364xx_release(struct v4l2_device *v4l2_dev) ++static void zr364xx_board_uninit(struct zr364xx_camera *cam) + { +- struct zr364xx_camera *cam = +- container_of(v4l2_dev, struct zr364xx_camera, v4l2_dev); + unsigned long i; + +- v4l2_device_unregister(&cam->v4l2_dev); +- +- videobuf_mmap_free(&cam->vb_vidq); ++ zr364xx_stop_readpipe(cam); + + /* release sys buffers */ + for (i = 0; i < FRAMES; i++) { +@@ -1206,9 +1202,19 @@ static void zr364xx_release(struct v4l2_device *v4l2_dev) + cam->buffer.frame[i].lpvbits = NULL; + } + +- v4l2_ctrl_handler_free(&cam->ctrl_handler); + /* release transfer buffer */ + kfree(cam->pipe->transfer_buffer); ++} ++ ++static void zr364xx_release(struct v4l2_device *v4l2_dev) ++{ ++ struct zr364xx_camera *cam = ++ container_of(v4l2_dev, struct zr364xx_camera, v4l2_dev); ++ ++ videobuf_mmap_free(&cam->vb_vidq); ++ v4l2_ctrl_handler_free(&cam->ctrl_handler); ++ zr364xx_board_uninit(cam); ++ v4l2_device_unregister(&cam->v4l2_dev); + kfree(cam); + } + +@@ -1382,11 +1388,14 @@ static int zr364xx_board_init(struct zr364xx_camera *cam) + /* start read pipe */ + err = zr364xx_start_readpipe(cam); + if (err) +- goto err_free; ++ goto err_free_frames; + + DBG(": board initialized\n"); + return 0; + ++err_free_frames: ++ for (i = 0; i < FRAMES; i++) ++ vfree(cam->buffer.frame[i].lpvbits); + err_free: + kfree(cam->pipe->transfer_buffer); + cam->pipe->transfer_buffer = NULL; +@@ -1415,12 +1424,10 @@ static int zr364xx_probe(struct usb_interface *intf, + if (!cam) + return -ENOMEM; + +- cam->v4l2_dev.release = zr364xx_release; + err = v4l2_device_register(&intf->dev, &cam->v4l2_dev); + if (err < 0) { + dev_err(&udev->dev, "couldn't register v4l2_device\n"); +- kfree(cam); +- return err; ++ goto free_cam; + } + hdl = &cam->ctrl_handler; + v4l2_ctrl_handler_init(hdl, 1); +@@ -1429,7 +1436,7 @@ static int zr364xx_probe(struct usb_interface *intf, + if (hdl->error) { + err = hdl->error; + dev_err(&udev->dev, "couldn't register control\n"); +- goto fail; ++ goto unregister; + } + /* save the init method used by this camera */ + cam->method = id->driver_info; +@@ -1502,7 +1509,7 @@ static int zr364xx_probe(struct usb_interface *intf, + if (!cam->read_endpoint) { + err = -ENOMEM; + dev_err(&intf->dev, "Could not find bulk-in endpoint\n"); +- goto fail; ++ goto unregister; + } + + /* v4l */ +@@ -1513,10 +1520,11 @@ static int zr364xx_probe(struct usb_interface *intf, + + /* load zr364xx board specific */ + err = zr364xx_board_init(cam); +- if (!err) +- err = v4l2_ctrl_handler_setup(hdl); + if (err) +- goto fail; ++ goto unregister; ++ err = v4l2_ctrl_handler_setup(hdl); ++ if (err) ++ goto board_uninit; + + spin_lock_init(&cam->slock); + +@@ -1531,16 +1539,21 @@ static int zr364xx_probe(struct usb_interface *intf, + err = video_register_device(&cam->vdev, VFL_TYPE_GRABBER, -1); + if (err) { + dev_err(&udev->dev, "video_register_device failed\n"); +- goto fail; ++ goto free_handler; + } ++ cam->v4l2_dev.release = zr364xx_release; + + dev_info(&udev->dev, DRIVER_DESC " controlling device %s\n", + video_device_node_name(&cam->vdev)); + return 0; + +-fail: ++free_handler: + v4l2_ctrl_handler_free(hdl); ++board_uninit: ++ zr364xx_board_uninit(cam); ++unregister: + v4l2_device_unregister(&cam->v4l2_dev); ++free_cam: + kfree(cam); + return err; + } +-- +2.30.2 + diff --git a/queue-5.4/media-zr364xx-propagate-errors-from-zr364xx_start_re.patch b/queue-5.4/media-zr364xx-propagate-errors-from-zr364xx_start_re.patch new file mode 100644 index 00000000000..279cf8e2c2c --- /dev/null +++ b/queue-5.4/media-zr364xx-propagate-errors-from-zr364xx_start_re.patch @@ -0,0 +1,92 @@ +From c3126b1734f065689a2ee93cb6894f410ea3199d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Oct 2020 19:21:22 +0200 +Subject: media: zr364xx: propagate errors from zr364xx_start_readpipe() + +From: Evgeny Novikov + +[ Upstream commit af0321a5be3e5647441eb6b79355beaa592df97a ] + +zr364xx_start_readpipe() can fail but callers do not care about that. +This can result in various negative consequences. The patch adds missed +error handling. + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Evgeny Novikov +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/zr364xx/zr364xx.c | 31 ++++++++++++++++++++++------- + 1 file changed, 24 insertions(+), 7 deletions(-) + +diff --git a/drivers/media/usb/zr364xx/zr364xx.c b/drivers/media/usb/zr364xx/zr364xx.c +index 02458c9cb5dc..22b34690a016 100644 +--- a/drivers/media/usb/zr364xx/zr364xx.c ++++ b/drivers/media/usb/zr364xx/zr364xx.c +@@ -1331,6 +1331,7 @@ static int zr364xx_board_init(struct zr364xx_camera *cam) + { + struct zr364xx_pipeinfo *pipe = cam->pipe; + unsigned long i; ++ int err; + + DBG("board init: %p\n", cam); + memset(pipe, 0, sizeof(*pipe)); +@@ -1363,9 +1364,8 @@ static int zr364xx_board_init(struct zr364xx_camera *cam) + + if (i == 0) { + printk(KERN_INFO KBUILD_MODNAME ": out of memory. Aborting\n"); +- kfree(cam->pipe->transfer_buffer); +- cam->pipe->transfer_buffer = NULL; +- return -ENOMEM; ++ err = -ENOMEM; ++ goto err_free; + } else + cam->buffer.dwFrames = i; + +@@ -1380,9 +1380,17 @@ static int zr364xx_board_init(struct zr364xx_camera *cam) + /*** end create system buffers ***/ + + /* start read pipe */ +- zr364xx_start_readpipe(cam); ++ err = zr364xx_start_readpipe(cam); ++ if (err) ++ goto err_free; ++ + DBG(": board initialized\n"); + return 0; ++ ++err_free: ++ kfree(cam->pipe->transfer_buffer); ++ cam->pipe->transfer_buffer = NULL; ++ return err; + } + + static int zr364xx_probe(struct usb_interface *intf, +@@ -1579,10 +1587,19 @@ static int zr364xx_resume(struct usb_interface *intf) + if (!cam->was_streaming) + return 0; + +- zr364xx_start_readpipe(cam); ++ res = zr364xx_start_readpipe(cam); ++ if (res) ++ return res; ++ + res = zr364xx_prepare(cam); +- if (!res) +- zr364xx_start_acquire(cam); ++ if (res) ++ goto err_prepare; ++ ++ zr364xx_start_acquire(cam); ++ return 0; ++ ++err_prepare: ++ zr364xx_stop_readpipe(cam); + return res; + } + #endif +-- +2.30.2 + diff --git a/queue-5.4/mm-cma-change-cma-mutex-to-irq-safe-spinlock.patch b/queue-5.4/mm-cma-change-cma-mutex-to-irq-safe-spinlock.patch new file mode 100644 index 00000000000..c7df4d1ea52 --- /dev/null +++ b/queue-5.4/mm-cma-change-cma-mutex-to-irq-safe-spinlock.patch @@ -0,0 +1,197 @@ +From 6f985bb70e108d80eab25dcd0146721bab8f36fb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 May 2021 18:34:44 -0700 +Subject: mm/cma: change cma mutex to irq safe spinlock + +From: Mike Kravetz + +[ Upstream commit 0ef7dcac998fefc4767b7f10eb3b6df150c38a4e ] + +Patch series "make hugetlb put_page safe for all calling contexts", v5. + +This effort is the result a recent bug report [1]. Syzbot found a +potential deadlock in the hugetlb put_page/free_huge_page_path. WARNING: +SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected Since the +free_huge_page_path already has code to 'hand off' page free requests to a +workqueue, a suggestion was proposed to make the in_irq() detection +accurate by always enabling PREEMPT_COUNT [2]. The outcome of that +discussion was that the hugetlb put_page path (free_huge_page) path should +be properly fixed and safe for all calling contexts. + +[1] https://lore.kernel.org/linux-mm/000000000000f1c03b05bc43aadc@google.com/ +[2] http://lkml.kernel.org/r/20210311021321.127500-1-mike.kravetz@oracle.com + +This patch (of 8): + +cma_release is currently a sleepable operatation because the bitmap +manipulation is protected by cma->lock mutex. Hugetlb code which relies +on cma_release for CMA backed (giga) hugetlb pages, however, needs to be +irq safe. + +The lock doesn't protect any sleepable operation so it can be changed to a +(irq aware) spin lock. The bitmap processing should be quite fast in +typical case but if cma sizes grow to TB then we will likely need to +replace the lock by a more optimized bitmap implementation. + +Link: https://lkml.kernel.org/r/20210409205254.242291-1-mike.kravetz@oracle.com +Link: https://lkml.kernel.org/r/20210409205254.242291-2-mike.kravetz@oracle.com +Signed-off-by: Mike Kravetz +Acked-by: Michal Hocko +Reviewed-by: David Hildenbrand +Acked-by: Roman Gushchin +Cc: Shakeel Butt +Cc: Oscar Salvador +Cc: Muchun Song +Cc: David Rientjes +Cc: Miaohe Lin +Cc: Peter Zijlstra +Cc: Matthew Wilcox +Cc: HORIGUCHI NAOYA +Cc: "Aneesh Kumar K . V" +Cc: Waiman Long +Cc: Peter Xu +Cc: Mina Almasry +Cc: Hillf Danton +Cc: Joonsoo Kim +Cc: Barry Song +Cc: Will Deacon +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/cma.c | 18 +++++++++--------- + mm/cma.h | 2 +- + mm/cma_debug.c | 8 ++++---- + 3 files changed, 14 insertions(+), 14 deletions(-) + +diff --git a/mm/cma.c b/mm/cma.c +index 7de520c0a1db..b895b2ca8800 100644 +--- a/mm/cma.c ++++ b/mm/cma.c +@@ -24,7 +24,6 @@ + #include + #include + #include +-#include + #include + #include + #include +@@ -84,13 +83,14 @@ static void cma_clear_bitmap(struct cma *cma, unsigned long pfn, + unsigned int count) + { + unsigned long bitmap_no, bitmap_count; ++ unsigned long flags; + + bitmap_no = (pfn - cma->base_pfn) >> cma->order_per_bit; + bitmap_count = cma_bitmap_pages_to_bits(cma, count); + +- mutex_lock(&cma->lock); ++ spin_lock_irqsave(&cma->lock, flags); + bitmap_clear(cma->bitmap, bitmap_no, bitmap_count); +- mutex_unlock(&cma->lock); ++ spin_unlock_irqrestore(&cma->lock, flags); + } + + static void __init cma_activate_area(struct cma *cma) +@@ -124,7 +124,7 @@ static void __init cma_activate_area(struct cma *cma) + init_cma_reserved_pageblock(pfn_to_page(base_pfn)); + } while (--i); + +- mutex_init(&cma->lock); ++ spin_lock_init(&cma->lock); + + #ifdef CONFIG_CMA_DEBUGFS + INIT_HLIST_HEAD(&cma->mem_head); +@@ -376,7 +376,7 @@ static void cma_debug_show_areas(struct cma *cma) + unsigned long nr_part, nr_total = 0; + unsigned long nbits = cma_bitmap_maxno(cma); + +- mutex_lock(&cma->lock); ++ spin_lock_irq(&cma->lock); + pr_info("number of available pages: "); + for (;;) { + next_zero_bit = find_next_zero_bit(cma->bitmap, nbits, start); +@@ -391,7 +391,7 @@ static void cma_debug_show_areas(struct cma *cma) + start = next_zero_bit + nr_zero; + } + pr_cont("=> %lu free of %lu total pages\n", nr_total, cma->count); +- mutex_unlock(&cma->lock); ++ spin_unlock_irq(&cma->lock); + } + #else + static inline void cma_debug_show_areas(struct cma *cma) { } +@@ -436,12 +436,12 @@ struct page *cma_alloc(struct cma *cma, size_t count, unsigned int align, + return NULL; + + for (;;) { +- mutex_lock(&cma->lock); ++ spin_lock_irq(&cma->lock); + bitmap_no = bitmap_find_next_zero_area_off(cma->bitmap, + bitmap_maxno, start, bitmap_count, mask, + offset); + if (bitmap_no >= bitmap_maxno) { +- mutex_unlock(&cma->lock); ++ spin_unlock_irq(&cma->lock); + break; + } + bitmap_set(cma->bitmap, bitmap_no, bitmap_count); +@@ -450,7 +450,7 @@ struct page *cma_alloc(struct cma *cma, size_t count, unsigned int align, + * our exclusive use. If the migration fails we will take the + * lock again and unmark it. + */ +- mutex_unlock(&cma->lock); ++ spin_unlock_irq(&cma->lock); + + pfn = cma->base_pfn + (bitmap_no << cma->order_per_bit); + mutex_lock(&cma_mutex); +diff --git a/mm/cma.h b/mm/cma.h +index 33c0b517733c..043bfbff9225 100644 +--- a/mm/cma.h ++++ b/mm/cma.h +@@ -7,7 +7,7 @@ struct cma { + unsigned long count; + unsigned long *bitmap; + unsigned int order_per_bit; /* Order of pages represented by one bit */ +- struct mutex lock; ++ spinlock_t lock; + #ifdef CONFIG_CMA_DEBUGFS + struct hlist_head mem_head; + spinlock_t mem_head_lock; +diff --git a/mm/cma_debug.c b/mm/cma_debug.c +index a7dd9e8e10d5..d27881adce19 100644 +--- a/mm/cma_debug.c ++++ b/mm/cma_debug.c +@@ -36,10 +36,10 @@ static int cma_used_get(void *data, u64 *val) + struct cma *cma = data; + unsigned long used; + +- mutex_lock(&cma->lock); ++ spin_lock_irq(&cma->lock); + /* pages counter is smaller than sizeof(int) */ + used = bitmap_weight(cma->bitmap, (int)cma_bitmap_maxno(cma)); +- mutex_unlock(&cma->lock); ++ spin_unlock_irq(&cma->lock); + *val = (u64)used << cma->order_per_bit; + + return 0; +@@ -53,7 +53,7 @@ static int cma_maxchunk_get(void *data, u64 *val) + unsigned long start, end = 0; + unsigned long bitmap_maxno = cma_bitmap_maxno(cma); + +- mutex_lock(&cma->lock); ++ spin_lock_irq(&cma->lock); + for (;;) { + start = find_next_zero_bit(cma->bitmap, bitmap_maxno, end); + if (start >= bitmap_maxno) +@@ -61,7 +61,7 @@ static int cma_maxchunk_get(void *data, u64 *val) + end = find_next_bit(cma->bitmap, bitmap_maxno, start); + maxchunk = max(end - start, maxchunk); + } +- mutex_unlock(&cma->lock); ++ spin_unlock_irq(&cma->lock); + *val = (u64)maxchunk << cma->order_per_bit; + + return 0; +-- +2.30.2 + diff --git a/queue-5.4/series b/queue-5.4/series index 71ffdb95c7e..e3d24eaabe4 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -6,3 +6,8 @@ ath-export-ath_hw_keysetmac.patch ath-modify-ath_key_delete-to-not-need-full-key-entry.patch ath9k-postpone-key-cache-entry-deletion-for-txq-frames-reference-it.patch mtd-cfi_cmdset_0002-fix-crash-when-erasing-writing-amd-cards.patch +media-zr364xx-propagate-errors-from-zr364xx_start_re.patch +media-zr364xx-fix-memory-leaks-in-probe.patch +media-drivers-media-usb-fix-memory-leak-in-zr364xx_p.patch +mm-cma-change-cma-mutex-to-irq-safe-spinlock.patch +usb-core-avoid-warnings-for-0-length-descriptor-requ.patch diff --git a/queue-5.4/usb-core-avoid-warnings-for-0-length-descriptor-requ.patch b/queue-5.4/usb-core-avoid-warnings-for-0-length-descriptor-requ.patch new file mode 100644 index 00000000000..19d09ebaac4 --- /dev/null +++ b/queue-5.4/usb-core-avoid-warnings-for-0-length-descriptor-requ.patch @@ -0,0 +1,52 @@ +From a01dc8a012e1071693c56a3bab98180edee46ee9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Jun 2021 11:23:07 -0400 +Subject: USB: core: Avoid WARNings for 0-length descriptor requests + +From: Alan Stern + +[ Upstream commit 60dfe484cef45293e631b3a6e8995f1689818172 ] + +The USB core has utility routines to retrieve various types of +descriptors. These routines will now provoke a WARN if they are asked +to retrieve 0 bytes (USB "receive" requests must not have zero +length), so avert this by checking the size argument at the start. + +CC: Johan Hovold +Reported-and-tested-by: syzbot+7dbcd9ff34dc4ed45240@syzkaller.appspotmail.com +Reviewed-by: Johan Hovold +Signed-off-by: Alan Stern +Link: https://lore.kernel.org/r/20210607152307.GD1768031@rowland.harvard.edu +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/core/message.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c +index 041c68ea329f..7ca908704777 100644 +--- a/drivers/usb/core/message.c ++++ b/drivers/usb/core/message.c +@@ -647,6 +647,9 @@ int usb_get_descriptor(struct usb_device *dev, unsigned char type, + int i; + int result; + ++ if (size <= 0) /* No point in asking for no data */ ++ return -EINVAL; ++ + memset(buf, 0, size); /* Make sure we parse really received data */ + + for (i = 0; i < 3; ++i) { +@@ -695,6 +698,9 @@ static int usb_get_string(struct usb_device *dev, unsigned short langid, + int i; + int result; + ++ if (size <= 0) /* No point in asking for no data */ ++ return -EINVAL; ++ + for (i = 0; i < 3; ++i) { + /* retry on length 0 or stall; some devices are flakey */ + result = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0), +-- +2.30.2 + -- 2.47.3