--- /dev/null
+From 32d2545462c6cede998267b86e57cda5d1dc2225 Mon Sep 17 00:00:00 2001
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Date: Thu, 27 Feb 2020 20:28:22 +0800
+Subject: ahci: Add Intel Comet Lake H RAID PCI ID
+
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+
+commit 32d2545462c6cede998267b86e57cda5d1dc2225 upstream.
+
+Add the PCI ID to the driver list to support this new device.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/ata/ahci.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/ata/ahci.c
++++ b/drivers/ata/ahci.c
+@@ -401,6 +401,7 @@ static const struct pci_device_id ahci_p
+ { PCI_VDEVICE(INTEL, 0xa252), board_ahci }, /* Lewisburg RAID*/
+ { PCI_VDEVICE(INTEL, 0xa256), board_ahci }, /* Lewisburg RAID*/
+ { PCI_VDEVICE(INTEL, 0xa356), board_ahci }, /* Cannon Lake PCH-H RAID */
++ { PCI_VDEVICE(INTEL, 0x06d7), board_ahci }, /* Comet Lake-H RAID */
+ { PCI_VDEVICE(INTEL, 0x0f22), board_ahci_mobile }, /* Bay Trail AHCI */
+ { PCI_VDEVICE(INTEL, 0x0f23), board_ahci_mobile }, /* Bay Trail AHCI */
+ { PCI_VDEVICE(INTEL, 0x22a3), board_ahci_mobile }, /* Cherry Tr. AHCI */
--- /dev/null
+From a65cab7d7f05c2061a3e2490257d3086ff3202c6 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Sat, 7 Mar 2020 18:38:49 -0800
+Subject: libfs: fix infoleak in simple_attr_read()
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit a65cab7d7f05c2061a3e2490257d3086ff3202c6 upstream.
+
+Reading from a debugfs file at a nonzero position, without first reading
+at position 0, leaks uninitialized memory to userspace.
+
+It's a bit tricky to do this, since lseek() and pread() aren't allowed
+on these files, and write() doesn't update the position on them. But
+writing to them with splice() *does* update the position:
+
+ #define _GNU_SOURCE 1
+ #include <fcntl.h>
+ #include <stdio.h>
+ #include <unistd.h>
+ int main()
+ {
+ int pipes[2], fd, n, i;
+ char buf[32];
+
+ pipe(pipes);
+ write(pipes[1], "0", 1);
+ fd = open("/sys/kernel/debug/fault_around_bytes", O_RDWR);
+ splice(pipes[0], NULL, fd, NULL, 1, 0);
+ n = read(fd, buf, sizeof(buf));
+ for (i = 0; i < n; i++)
+ printf("%02x", buf[i]);
+ printf("\n");
+ }
+
+Output:
+ 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a30
+
+Fix the infoleak by making simple_attr_read() always fill
+simple_attr::get_buf if it hasn't been filled yet.
+
+Reported-by: syzbot+fcab69d1ada3e8d6f06b@syzkaller.appspotmail.com
+Reported-by: Alexander Potapenko <glider@google.com>
+Fixes: acaefc25d21f ("[PATCH] libfs: add simple attribute files")
+Cc: stable@vger.kernel.org
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Acked-by: Kees Cook <keescook@chromium.org>
+Link: https://lore.kernel.org/r/20200308023849.988264-1-ebiggers@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/libfs.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/fs/libfs.c
++++ b/fs/libfs.c
+@@ -891,7 +891,7 @@ int simple_attr_open(struct inode *inode
+ {
+ struct simple_attr *attr;
+
+- attr = kmalloc(sizeof(*attr), GFP_KERNEL);
++ attr = kzalloc(sizeof(*attr), GFP_KERNEL);
+ if (!attr)
+ return -ENOMEM;
+
+@@ -931,9 +931,11 @@ ssize_t simple_attr_read(struct file *fi
+ if (ret)
+ return ret;
+
+- if (*ppos) { /* continued read */
++ if (*ppos && attr->get_buf[0]) {
++ /* continued read */
+ size = strlen(attr->get_buf);
+- } else { /* first read */
++ } else {
++ /* first read */
+ u64 val;
+ ret = attr->get(attr->data, &val);
+ if (ret)
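Review bot: The new test `attr->get_buf[0]` in simple_attr_read() is only meaningful because simple_attr_open() now zero-fills the structure with kzalloc() in the first hunk, and nothing at the condition records that dependency. A comment above the `if`, such as `/* get_buf is zeroed at open; empty means no read has filled it yet, whatever *ppos says */`, would keep a later switch back to kmalloc() from silently reintroducing the leak. The body of simple_attr_read() continues past the end of this hunk.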
--- /dev/null
+From f52981019ad8d6718de79b425a574c6bddf81f7c Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 3 Jan 2020 17:35:12 +0100
+Subject: media: dib0700: fix rc endpoint lookup
+
+From: Johan Hovold <johan@kernel.org>
+
+commit f52981019ad8d6718de79b425a574c6bddf81f7c upstream.
+
+Make sure to use the current alternate setting when verifying the
+interface descriptors to avoid submitting an URB to an invalid endpoint.
+
+Failing to do so could cause the driver to misbehave or trigger a WARN()
+in usb_submit_urb() that kernels with panic_on_warn set would choke on.
+
+Fixes: c4018fa2e4c0 ("[media] dib0700: fix RC support on Hauppauge Nova-TD")
+Cc: stable <stable@vger.kernel.org> # 3.16
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/dvb-usb/dib0700_core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/usb/dvb-usb/dib0700_core.c
++++ b/drivers/media/usb/dvb-usb/dib0700_core.c
+@@ -818,7 +818,7 @@ int dib0700_rc_setup(struct dvb_usb_devi
+
+ /* Starting in firmware 1.20, the RC info is provided on a bulk pipe */
+
+- if (intf->altsetting[0].desc.bNumEndpoints < rc_ep + 1)
++ if (intf->cur_altsetting->desc.bNumEndpoints < rc_ep + 1)
+ return -ENODEV;
+
+ purb = usb_alloc_urb(0, GFP_KERNEL);
+@@ -838,7 +838,7 @@ int dib0700_rc_setup(struct dvb_usb_devi
+ * Some devices like the Hauppauge NovaTD model 52009 use an interrupt
+ * endpoint, while others use a bulk one.
+ */
+- e = &intf->altsetting[0].endpoint[rc_ep].desc;
++ e = &intf->cur_altsetting->endpoint[rc_ep].desc;
+ if (usb_endpoint_dir_in(e)) {
+ if (usb_endpoint_xfer_bulk(e)) {
+ pipe = usb_rcvbulkpipe(d->udev, rc_ep);
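Review bot: `rc_ep` is used as an index into `cur_altsetting->endpoint[]` on the changed line and then as the endpoint number in `usb_rcvbulkpipe(d->udev, rc_ep)`, and descriptor order need not match endpoint addresses. The direction and transfer-type checks are made on descriptor `e`, but the pipe is built for endpoint number `rc_ep`, so on a device whose descriptor at that index carries a different address the URB would target an endpoint that was never checked. Taking the number from the descriptor, `pipe = usb_rcvbulkpipe(d->udev, usb_endpoint_num(e));`, keeps the check and the pipe on the same endpoint. The rest of dib0700_rc_setup(), including any interrupt branch, is outside this hunk and would presumably need the same treatment.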
--- /dev/null
+From 998912346c0da53a6dbb71fab3a138586b596b30 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 3 Jan 2020 17:35:09 +0100
+Subject: media: ov519: add missing endpoint sanity checks
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 998912346c0da53a6dbb71fab3a138586b596b30 upstream.
+
+Make sure to check that we have at least one endpoint before accessing
+the endpoint array to avoid dereferencing a NULL-pointer on stream
+start.
+
+Note that these sanity checks are not redundant as the driver is mixing
+looking up altsettings by index and by number, which need not coincide.
+
+Fixes: 1876bb923c98 ("V4L/DVB (12079): gspca_ov519: add support for the ov511 bridge")
+Fixes: b282d87332f5 ("V4L/DVB (12080): gspca_ov519: Fix ov518+ with OV7620AE (Trust spacecam 320)")
+Cc: stable <stable@vger.kernel.org> # 2.6.31
+Cc: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/gspca/ov519.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/media/usb/gspca/ov519.c
++++ b/drivers/media/usb/gspca/ov519.c
+@@ -3477,6 +3477,11 @@ static void ov511_mode_init_regs(struct
+ return;
+ }
+
++ if (alt->desc.bNumEndpoints < 1) {
++ sd->gspca_dev.usb_err = -ENODEV;
++ return;
++ }
++
+ packet_size = le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize);
+ reg_w(sd, R51x_FIFO_PSIZE, packet_size >> 5);
+
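Review bot: The `bNumEndpoints < 1` guard added in ov511_mode_init_regs() carries no comment, and the reason it is not redundant (the driver looks altsettings up both by index and by number, so a check made on one lookup does not cover the other) is stated only in the commit message. A one-line comment such as `/* not covered by index-based checks: altsettings are also looked up by number */` would keep the guard from being removed later as dead code. How `alt` is obtained is above the hunk, so confirm the wording against those lines. The same applies to the identical guards in ov518_mode_init_regs() below, and in stv06xx_start(), pb0100_start() and cit_get_packet_size() in the later patches on this page.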
+@@ -3603,6 +3608,11 @@ static void ov518_mode_init_regs(struct
+ return;
+ }
+
++ if (alt->desc.bNumEndpoints < 1) {
++ sd->gspca_dev.usb_err = -ENODEV;
++ return;
++ }
++
+ packet_size = le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize);
+ ov518_reg_w32(sd, R51x_FIFO_PSIZE, packet_size & ~7, 2);
+
--- /dev/null
+From 485b06aadb933190f4bc44e006076bc27a23f205 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 3 Jan 2020 17:35:10 +0100
+Subject: media: stv06xx: add missing descriptor sanity checks
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 485b06aadb933190f4bc44e006076bc27a23f205 upstream.
+
+Make sure to check that we have two alternate settings and at least one
+endpoint before accessing the second altsetting structure and
+dereferencing the endpoint arrays.
+
+This specifically avoids dereferencing NULL-pointers or corrupting
+memory when a device does not have the expected descriptors.
+
+Note that the sanity checks in stv06xx_start() and pb0100_start() are
+not redundant as the driver is mixing looking up altsettings by index
+and by number, which may not coincide.
+
+Fixes: 8668d504d72c ("V4L/DVB (12082): gspca_stv06xx: Add support for st6422 bridge and sensor")
+Fixes: c0b33bdc5b8d ("[media] gspca-stv06xx: support bandwidth changing")
+Cc: stable <stable@vger.kernel.org> # 2.6.31
+Cc: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/gspca/stv06xx/stv06xx.c | 19 ++++++++++++++++++-
+ drivers/media/usb/gspca/stv06xx/stv06xx_pb0100.c | 4 ++++
+ 2 files changed, 22 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/usb/gspca/stv06xx/stv06xx.c
++++ b/drivers/media/usb/gspca/stv06xx/stv06xx.c
+@@ -282,6 +282,9 @@ static int stv06xx_start(struct gspca_de
+ return -EIO;
+ }
+
++ if (alt->desc.bNumEndpoints < 1)
++ return -ENODEV;
++
+ packet_size = le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize);
+ err = stv06xx_write_bridge(sd, STV_ISO_SIZE_L, packet_size);
+ if (err < 0)
+@@ -306,11 +309,21 @@ out:
+
+ static int stv06xx_isoc_init(struct gspca_dev *gspca_dev)
+ {
++ struct usb_interface_cache *intfc;
+ struct usb_host_interface *alt;
+ struct sd *sd = (struct sd *) gspca_dev;
+
++ intfc = gspca_dev->dev->actconfig->intf_cache[0];
++
++ if (intfc->num_altsetting < 2)
++ return -ENODEV;
++
++ alt = &intfc->altsetting[1];
++
++ if (alt->desc.bNumEndpoints < 1)
++ return -ENODEV;
++
+ /* Start isoc bandwidth "negotiation" at max isoc bandwidth */
+- alt = &gspca_dev->dev->actconfig->intf_cache[0]->altsetting[1];
+ alt->endpoint[0].desc.wMaxPacketSize =
+ cpu_to_le16(sd->sensor->max_packet_size[gspca_dev->curr_mode]);
+
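Review bot: `alt = &intfc->altsetting[1];` in stv06xx_isoc_init() selects the altsetting by position, whereas pb0100_start() in this same patch resolves its altsetting by number through `usb_altnum_to_altsetting()`, so the new `bNumEndpoints` checks may be validating different descriptors. I would record that with `/* selected by index, not by bAlternateSetting number */` above the assignment. The comment added in stv06xx_isoc_nego() relies on stv06xx_isoc_init() having run first and on its -ENODEV stopping the stream, which is not visible here; that comment should say what guarantees the order. The hard-coded `intf_cache[0]` also assumes the driver is bound to the first interface of the active configuration. The same pattern is repeated in sd_isoc_init() and sd_isoc_nego() of xirlink_cit.c further down the page.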
+@@ -323,6 +336,10 @@ static int stv06xx_isoc_nego(struct gspc
+ struct usb_host_interface *alt;
+ struct sd *sd = (struct sd *) gspca_dev;
+
++ /*
++ * Existence of altsetting and endpoint was verified in
++ * stv06xx_isoc_init()
++ */
+ alt = &gspca_dev->dev->actconfig->intf_cache[0]->altsetting[1];
+ packet_size = le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize);
+ min_packet_size = sd->sensor->min_packet_size[gspca_dev->curr_mode];
+--- a/drivers/media/usb/gspca/stv06xx/stv06xx_pb0100.c
++++ b/drivers/media/usb/gspca/stv06xx/stv06xx_pb0100.c
+@@ -185,6 +185,10 @@ static int pb0100_start(struct sd *sd)
+ alt = usb_altnum_to_altsetting(intf, sd->gspca_dev.alt);
+ if (!alt)
+ return -ENODEV;
++
++ if (alt->desc.bNumEndpoints < 1)
++ return -ENODEV;
++
+ packet_size = le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize);
+
+ /* If we don't have enough bandwidth use a lower framerate */
--- /dev/null
+From 6990570f7e0a6078e11b9c5dc13f4b6e3f49a398 Mon Sep 17 00:00:00 2001
+From: Dafna Hirschfeld <dafna.hirschfeld@collabora.com>
+Date: Wed, 19 Feb 2020 16:25:54 +0100
+Subject: media: v4l2-core: fix a use-after-free bug of sd->devnode
+
+From: Dafna Hirschfeld <dafna.hirschfeld@collabora.com>
+
+commit 6990570f7e0a6078e11b9c5dc13f4b6e3f49a398 upstream.
+
+sd->devnode is released after calling
+v4l2_subdev_release. Therefore it should be set
+to NULL so that the subdev won't hold a pointer
+to a released object. This fixes a reference
+after free bug in function
+v4l2_device_unregister_subdev
+
+Fixes: 0e43734d4c46e ("media: v4l2-subdev: add release() internal op")
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Dafna Hirschfeld <dafna.hirschfeld@collabora.com>
+Reviewed-by: Ezequiel Garcia <ezequiel@collabora.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/v4l2-core/v4l2-device.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/media/v4l2-core/v4l2-device.c
++++ b/drivers/media/v4l2-core/v4l2-device.c
+@@ -179,6 +179,7 @@ static void v4l2_subdev_release(struct v
+
+ if (sd->internal_ops && sd->internal_ops->release)
+ sd->internal_ops->release(sd);
++ sd->devnode = NULL;
+ module_put(owner);
+ }
+
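Review bot: `sd->devnode = NULL;` is stored after `sd->internal_ops->release(sd)` has returned, so if a driver's release callback frees the structure that contains `sd`, this line writes to freed memory. The following `module_put(owner)` uses a local rather than `sd->owner`, which suggests the function already expects `sd` may be gone at that point; the declaration of `owner` is above the hunk. Moving the assignment above the `if (sd->internal_ops && sd->internal_ops->release)` test would clear the pointer without touching `sd` after release, provided no release callback reads `sd->devnode`.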
--- /dev/null
+From a246b4d547708f33ff4d4b9a7a5dbac741dc89d8 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 3 Jan 2020 17:35:11 +0100
+Subject: media: xirlink_cit: add missing descriptor sanity checks
+
+From: Johan Hovold <johan@kernel.org>
+
+commit a246b4d547708f33ff4d4b9a7a5dbac741dc89d8 upstream.
+
+Make sure to check that we have two alternate settings and at least one
+endpoint before accessing the second altsetting structure and
+dereferencing the endpoint arrays.
+
+This specifically avoids dereferencing NULL-pointers or corrupting
+memory when a device does not have the expected descriptors.
+
+Note that the sanity check in cit_get_packet_size() is not redundant as
+the driver is mixing looking up altsettings by index and by number,
+which may not coincide.
+
+Fixes: 659fefa0eb17 ("V4L/DVB: gspca_xirlink_cit: Add support for camera with a bcd version of 0.01")
+Fixes: 59f8b0bf3c12 ("V4L/DVB: gspca_xirlink_cit: support bandwidth changing for devices with 1 alt setting")
+Cc: stable <stable@vger.kernel.org> # 2.6.37
+Cc: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/gspca/xirlink_cit.c | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/usb/gspca/xirlink_cit.c
++++ b/drivers/media/usb/gspca/xirlink_cit.c
+@@ -1442,6 +1442,9 @@ static int cit_get_packet_size(struct gs
+ return -EIO;
+ }
+
++ if (alt->desc.bNumEndpoints < 1)
++ return -ENODEV;
++
+ return le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize);
+ }
+
+@@ -2626,6 +2629,7 @@ static int sd_start(struct gspca_dev *gs
+
+ static int sd_isoc_init(struct gspca_dev *gspca_dev)
+ {
++ struct usb_interface_cache *intfc;
+ struct usb_host_interface *alt;
+ int max_packet_size;
+
+@@ -2641,8 +2645,17 @@ static int sd_isoc_init(struct gspca_dev
+ break;
+ }
+
++ intfc = gspca_dev->dev->actconfig->intf_cache[0];
++
++ if (intfc->num_altsetting < 2)
++ return -ENODEV;
++
++ alt = &intfc->altsetting[1];
++
++ if (alt->desc.bNumEndpoints < 1)
++ return -ENODEV;
++
+ /* Start isoc bandwidth "negotiation" at max isoc bandwidth */
+- alt = &gspca_dev->dev->actconfig->intf_cache[0]->altsetting[1];
+ alt->endpoint[0].desc.wMaxPacketSize = cpu_to_le16(max_packet_size);
+
+ return 0;
+@@ -2665,6 +2678,9 @@ static int sd_isoc_nego(struct gspca_dev
+ break;
+ }
+
++ /*
++ * Existence of altsetting and endpoint was verified in sd_isoc_init()
++ */
+ alt = &gspca_dev->dev->actconfig->intf_cache[0]->altsetting[1];
+ packet_size = le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize);
+ if (packet_size <= min_packet_size)
staging-wfx-add-proper-compatible-string.patch
staging-wfx-fix-init-remove-vs-irq-race.patch
staging-wfx-annotate-nested-gc_list-vs-tx-queue-locking.patch
+ahci-add-intel-comet-lake-h-raid-pci-id.patch
+libfs-fix-infoleak-in-simple_attr_read.patch
+media-ov519-add-missing-endpoint-sanity-checks.patch
+media-dib0700-fix-rc-endpoint-lookup.patch
+media-stv06xx-add-missing-descriptor-sanity-checks.patch
+media-xirlink_cit-add-missing-descriptor-sanity-checks.patch
+media-v4l2-core-fix-a-use-after-free-bug-of-sd-devnode.patch