4.19-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 23 Apr 2024 12:10:44 +0000 (14:10 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 23 Apr 2024 12:10:44 +0000 (14:10 +0200)
added patches:
comedi-vmk80xx-fix-incomplete-endpoint-checking.patch

queue-4.19/comedi-vmk80xx-fix-incomplete-endpoint-checking.patch [new file with mode: 0644]
queue-4.19/drm-nv04-fix-out-of-bounds-access.patch
queue-4.19/series

diff --git a/queue-4.19/comedi-vmk80xx-fix-incomplete-endpoint-checking.patch b/queue-4.19/comedi-vmk80xx-fix-incomplete-endpoint-checking.patch
new file mode 100644 (file)
index 0000000..b6d74ef
--- /dev/null
@@ -0,0 +1,98 @@
+From d1718530e3f640b7d5f0050e725216eab57a85d8 Mon Sep 17 00:00:00 2001
+From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+Date: Mon, 8 Apr 2024 10:16:33 -0700
+Subject: comedi: vmk80xx: fix incomplete endpoint checking
+
+From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+
+commit d1718530e3f640b7d5f0050e725216eab57a85d8 upstream.
+
+While vmk80xx does have endpoint checking implemented, some things
+can fall through the cracks. Depending on the hardware model,
+URBs can have either bulk or interrupt type, and current version
+of vmk80xx_find_usb_endpoints() function does not take that fully
+into account. While this warning does not seem to be too harmful,
+at the very least it will crash systems with 'panic_on_warn' set on
+them.
+
+Fix the issue found by Syzkaller [1] by somewhat simplifying the
+endpoint checking process with usb_find_common_endpoints() and
+ensuring that only expected endpoint types are present.
+
+This patch has not been tested on real hardware.
+
+[1] Syzkaller report:
+usb 1-1: BOGUS urb xfer, pipe 1 != type 3
+WARNING: CPU: 0 PID: 781 at drivers/usb/core/urb.c:504 usb_submit_urb+0xc4e/0x18c0 drivers/usb/core/urb.c:503
+...
+Call Trace:
+ <TASK>
+ usb_start_wait_urb+0x113/0x520 drivers/usb/core/message.c:59
+ vmk80xx_reset_device drivers/comedi/drivers/vmk80xx.c:227 [inline]
+ vmk80xx_auto_attach+0xa1c/0x1a40 drivers/comedi/drivers/vmk80xx.c:818
+ comedi_auto_config+0x238/0x380 drivers/comedi/drivers.c:1067
+ usb_probe_interface+0x5cd/0xb00 drivers/usb/core/driver.c:399
+...
+
+Similar issue also found by Syzkaller:
+Link: https://syzkaller.appspot.com/bug?extid=5205eb2f17de3e01946e
+
+Reported-and-tested-by: syzbot+5f29dc6a889fc42bd896@syzkaller.appspotmail.com
+Cc: stable <stable@kernel.org>
+Fixes: 49253d542cc0 ("staging: comedi: vmk80xx: factor out usb endpoint detection")
+Reviewed-by: Ian Abbott <abbotti@mev.co.uk>
+Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+Link: https://lore.kernel.org/r/20240408171633.31649-1-n.zhandarovich@fintech.ru
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/comedi/drivers/vmk80xx.c |   35 ++++++++++---------------------
+ 1 file changed, 12 insertions(+), 23 deletions(-)
+
+--- a/drivers/staging/comedi/drivers/vmk80xx.c
++++ b/drivers/staging/comedi/drivers/vmk80xx.c
+@@ -642,33 +642,22 @@ static int vmk80xx_find_usb_endpoints(st
+       struct vmk80xx_private *devpriv = dev->private;
+       struct usb_interface *intf = comedi_to_usb_interface(dev);
+       struct usb_host_interface *iface_desc = intf->cur_altsetting;
+-      struct usb_endpoint_descriptor *ep_desc;
+-      int i;
++      struct usb_endpoint_descriptor *ep_rx_desc, *ep_tx_desc;
++      int ret;
+-      if (iface_desc->desc.bNumEndpoints != 2)
+-              return -ENODEV;
+-
+-      for (i = 0; i < iface_desc->desc.bNumEndpoints; i++) {
+-              ep_desc = &iface_desc->endpoint[i].desc;
+-
+-              if (usb_endpoint_is_int_in(ep_desc) ||
+-                  usb_endpoint_is_bulk_in(ep_desc)) {
+-                      if (!devpriv->ep_rx)
+-                              devpriv->ep_rx = ep_desc;
+-                      continue;
+-              }
++      if (devpriv->model == VMK8061_MODEL)
++              ret = usb_find_common_endpoints(iface_desc, &ep_rx_desc,
++                                              &ep_tx_desc, NULL, NULL);
++      else
++              ret = usb_find_common_endpoints(iface_desc, NULL, NULL,
++                                              &ep_rx_desc, &ep_tx_desc);
+-              if (usb_endpoint_is_int_out(ep_desc) ||
+-                  usb_endpoint_is_bulk_out(ep_desc)) {
+-                      if (!devpriv->ep_tx)
+-                              devpriv->ep_tx = ep_desc;
+-                      continue;
+-              }
+-      }
+-
+-      if (!devpriv->ep_rx || !devpriv->ep_tx)
++      if (ret)
+               return -ENODEV;
++      devpriv->ep_rx = ep_rx_desc;
++      devpriv->ep_tx = ep_tx_desc;
++
+       if (!usb_endpoint_maxp(devpriv->ep_rx) || !usb_endpoint_maxp(devpriv->ep_tx))
+               return -EINVAL;
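Review bot: The new branch on `devpriv->model` in vmk80xx_find_usb_endpoints() carries the whole fix but has no comment saying why VMK8061 is matched against bulk endpoints and every other model against interrupt endpoints; the descriptors come from the attached device, so this is where an unexpected endpoint type gets rejected before a URB is built for it. I would add above the `if`: `/* Endpoint descriptors are device-supplied: accept only the transfer type this model's I/O paths submit (bulk for VMK8061, interrupt otherwise). */`. The mapping cannot be confirmed from this hunk, and the commit message says the patch was not tested on real hardware, so it is worth checking against the read/write helpers in the 4.19 tree before this is queued. Dropping the `bNumEndpoints != 2` test also means an interface with additional endpoints is now accepted, with the first match of each kind used; that is presumably intended, but the commit message does not say so. The function body begins and ends outside the hunk.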
index ce22c01e1bf6d8e74cb2e7a442a277f9339ac573..76bf408a4a2bd1fdcb7c419092a6b9f39d12796f 100644 (file)
@@ -25,11 +25,9 @@ Signed-off-by: Danilo Krummrich <dakr@redhat.com>
 Link: https://patchwork.freedesktop.org/patch/msgid/20240411110854.16701-1-m.kobuk@ispras.ru
 Signed-off-by: Sasha Levin <sashal@kernel.org>
 ---
- drivers/gpu/drm/nouveau/nouveau_bios.c | 13 +++++++------
+ drivers/gpu/drm/nouveau/nouveau_bios.c |   13 +++++++------
  1 file changed, 7 insertions(+), 6 deletions(-)
 
-diff --git a/drivers/gpu/drm/nouveau/nouveau_bios.c b/drivers/gpu/drm/nouveau/nouveau_bios.c
-index 66bf2aff4a3ed..adecda51a306d 100644
 --- a/drivers/gpu/drm/nouveau/nouveau_bios.c
 +++ b/drivers/gpu/drm/nouveau/nouveau_bios.c
 @@ -25,6 +25,7 @@
@@ -40,7 +38,7 @@ index 66bf2aff4a3ed..adecda51a306d 100644
  #include "nouveau_reg.h"
  #include "dispnv04/hw.h"
  #include "nouveau_encoder.h"
-@@ -1674,7 +1675,7 @@ apply_dcb_encoder_quirks(struct drm_device *dev, int idx, u32 *conn, u32 *conf)
+@@ -1674,7 +1675,7 @@ apply_dcb_encoder_quirks(struct drm_devi
         */
        if (nv_match_device(dev, 0x0201, 0x1462, 0x8851)) {
                if (*conn == 0xf2005014 && *conf == 0xffffffff) {
@@ -49,7 +47,7 @@ index 66bf2aff4a3ed..adecda51a306d 100644
                        return false;
                }
        }
-@@ -1760,26 +1761,26 @@ fabricate_dcb_encoder_table(struct drm_device *dev, struct nvbios *bios)
+@@ -1760,26 +1761,26 @@ fabricate_dcb_encoder_table(struct drm_d
  #ifdef __powerpc__
        /* Apple iMac G4 NV17 */
        if (of_machine_is_compatible("PowerMac4,5")) {
@@ -81,6 +79,3 @@ index 66bf2aff4a3ed..adecda51a306d 100644
  }
  
  static int
--- 
-2.43.0
-
index 386ce761e93a5f119555d3f59f54cedf78cd6600..a4ea6acd0176e4e35a278a5cc23ef324a136dd12 100644 (file)
@@ -19,3 +19,4 @@ netfilter-nf_tables-fix-potential-data-race-in-__nft.patch
 tun-limit-printing-rate-when-illegal-packet-received.patch
 rdma-mlx5-fix-port-number-for-counter-query-in-multi.patch
 drm-nv04-fix-out-of-bounds-access.patch
+comedi-vmk80xx-fix-incomplete-endpoint-checking.patch