--- /dev/null
+From 0aa171e9b267ce7c52d3a3df7bc9c1fc0203dec5 Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel <ardb@kernel.org>
+Date: Sat, 2 Jan 2021 14:59:09 +0100
+Subject: crypto: ecdh - avoid buffer overflow in ecdh_set_secret()
+
+From: Ard Biesheuvel <ardb@kernel.org>
+
+commit 0aa171e9b267ce7c52d3a3df7bc9c1fc0203dec5 upstream.
+
+Pavel reports that commit 17858b140bf4 ("crypto: ecdh - avoid unaligned
+accesses in ecdh_set_secret()") fixes one problem but introduces another:
+the unconditional memcpy() introduced by that commit may overflow the
+target buffer if the source data is invalid, which could be the result of
+intentional tampering.
+
+So check params.key_size explicitly against the size of the target buffer
+before validating the key further.
+
+Fixes: 17858b140bf4 ("crypto: ecdh - avoid unaligned accesses in ecdh_set_secret()")
+Reported-by: Pavel Machek <pavel@denx.de>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/ecdh.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/crypto/ecdh.c
++++ b/crypto/ecdh.c
+@@ -43,7 +43,8 @@ static int ecdh_set_secret(struct crypto
+ struct ecdh params;
+ unsigned int ndigits;
+
+- if (crypto_ecdh_decode_key(buf, len, ¶ms) < 0)
++ if (crypto_ecdh_decode_key(buf, len, ¶ms) < 0 ||
++ params.key_size > sizeof(ctx->private_key))
+ return -EINVAL;
+
+ ndigits = ecdh_supported_curve(params.curve_id);
net-systemport-set-dev-max_mtu-to-umac_max_mtu_size.patch
bluetooth-revert-hci_h5-close-serdev-device-and-free-hu-in-h5_close.patch
video-hyperv_fb-fix-the-mmap-regression-for-v5.4.y-a.patch
+crypto-ecdh-avoid-buffer-overflow-in-ecdh_set_secret.patch
+staging-mt7621-dma-fix-a-resource-leak-in-an-error-handling-path.patch
+usb-gadget-enable-super-speed-plus.patch
+usb-cdc-acm-blacklist-another-ir-droid-device.patch
+usb-cdc-wdm-fix-use-after-free-in-service_outstanding_interrupt.patch
--- /dev/null
+From d887d6104adeb94d1b926936ea21f07367f0ff9f Mon Sep 17 00:00:00 2001
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Sun, 13 Dec 2020 16:35:13 +0100
+Subject: staging: mt7621-dma: Fix a resource leak in an error handling path
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+commit d887d6104adeb94d1b926936ea21f07367f0ff9f upstream.
+
+If an error occurs after calling 'mtk_hsdma_init()', it must be undone by
+a corresponding call to 'mtk_hsdma_uninit()' as already done in the
+remove function.
+
+Fixes: 0853c7a53eb3 ("staging: mt7621-dma: ralink: add rt2880 dma engine")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20201213153513.138723-1-christophe.jaillet@wanadoo.fr
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/mt7621-dma/mtk-hsdma.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/staging/mt7621-dma/mtk-hsdma.c
++++ b/drivers/staging/mt7621-dma/mtk-hsdma.c
+@@ -723,7 +723,7 @@ static int mtk_hsdma_probe(struct platfo
+ ret = dma_async_device_register(dd);
+ if (ret) {
+ dev_err(&pdev->dev, "failed to register dma device\n");
+- return ret;
++ goto err_uninit_hsdma;
+ }
+
+ ret = of_dma_controller_register(pdev->dev.of_node,
+@@ -739,6 +739,8 @@ static int mtk_hsdma_probe(struct platfo
+
+ err_unregister:
+ dma_async_device_unregister(dd);
++err_uninit_hsdma:
++ mtk_hsdma_uninit(hsdma);
+ return ret;
+ }
+
--- /dev/null
+From 0ffc76539e6e8d28114f95ac25c167c37b5191b3 Mon Sep 17 00:00:00 2001
+From: Sean Young <sean@mess.org>
+Date: Sun, 27 Dec 2020 13:45:02 +0000
+Subject: USB: cdc-acm: blacklist another IR Droid device
+
+From: Sean Young <sean@mess.org>
+
+commit 0ffc76539e6e8d28114f95ac25c167c37b5191b3 upstream.
+
+This device is supported by the IR Toy driver.
+
+Reported-by: Georgi Bakalski <georgi.bakalski@gmail.com>
+Signed-off-by: Sean Young <sean@mess.org>
+Acked-by: Oliver Neukum <oneukum@suse.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20201227134502.4548-2-sean@mess.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/class/cdc-acm.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -1939,6 +1939,10 @@ static const struct usb_device_id acm_id
+ { USB_DEVICE(0x04d8, 0x0083), /* Bootloader mode */
+ .driver_info = IGNORE_DEVICE,
+ },
++
++ { USB_DEVICE(0x04d8, 0xf58b),
++ .driver_info = IGNORE_DEVICE,
++ },
+ #endif
+
+ /*Samsung phone in firmware update mode */
--- /dev/null
+From 5e5ff0b4b6bcb4d17b7a26ec8bcfc7dd4651684f Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
+Date: Sun, 20 Dec 2020 00:25:53 +0900
+Subject: USB: cdc-wdm: Fix use after free in service_outstanding_interrupt().
+
+From: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
+
+commit 5e5ff0b4b6bcb4d17b7a26ec8bcfc7dd4651684f upstream.
+
+syzbot is reporting UAF at usb_submit_urb() [1], for
+service_outstanding_interrupt() is not checking WDM_DISCONNECTING
+before calling usb_submit_urb(). Close the race by doing same checks
+wdm_read() does upon retry.
+
+Also, while wdm_read() checks WDM_DISCONNECTING with desc->rlock held,
+service_interrupt_work() does not hold desc->rlock. Thus, it is possible
+that usb_submit_urb() is called from service_outstanding_interrupt() from
+service_interrupt_work() after WDM_DISCONNECTING was set and kill_urbs()
+ from wdm_disconnect() completed. Thus, move kill_urbs() in
+wdm_disconnect() to after cancel_work_sync() (which makes sure that
+service_interrupt_work() is no longer running) completed.
+
+Although it seems to be safe to dereference desc->intf->dev in
+service_outstanding_interrupt() even if WDM_DISCONNECTING was already set
+because desc->rlock or cancel_work_sync() prevents wdm_disconnect() from
+reaching list_del() before service_outstanding_interrupt() completes,
+let's not emit error message if WDM_DISCONNECTING is set by
+wdm_disconnect() while usb_submit_urb() is in progress.
+
+[1] https://syzkaller.appspot.com/bug?extid=9e04e2df4a32fb661daf
+
+Reported-by: syzbot <syzbot+9e04e2df4a32fb661daf@syzkaller.appspotmail.com>
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/620e2ee0-b9a3-dbda-a25b-a93e0ed03ec5@i-love.sakura.ne.jp
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/class/cdc-wdm.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/class/cdc-wdm.c
++++ b/drivers/usb/class/cdc-wdm.c
+@@ -465,13 +465,23 @@ static int service_outstanding_interrupt
+ if (!desc->resp_count || !--desc->resp_count)
+ goto out;
+
++ if (test_bit(WDM_DISCONNECTING, &desc->flags)) {
++ rv = -ENODEV;
++ goto out;
++ }
++ if (test_bit(WDM_RESETTING, &desc->flags)) {
++ rv = -EIO;
++ goto out;
++ }
++
+ set_bit(WDM_RESPONDING, &desc->flags);
+ spin_unlock_irq(&desc->iuspin);
+ rv = usb_submit_urb(desc->response, GFP_KERNEL);
+ spin_lock_irq(&desc->iuspin);
+ if (rv) {
+- dev_err(&desc->intf->dev,
+- "usb_submit_urb failed with result %d\n", rv);
++ if (!test_bit(WDM_DISCONNECTING, &desc->flags))
++ dev_err(&desc->intf->dev,
++ "usb_submit_urb failed with result %d\n", rv);
+
+ /* make sure the next notification trigger a submit */
+ clear_bit(WDM_RESPONDING, &desc->flags);
+@@ -1026,9 +1036,9 @@ static void wdm_disconnect(struct usb_in
+ wake_up_all(&desc->wait);
+ mutex_lock(&desc->rlock);
+ mutex_lock(&desc->wlock);
+- kill_urbs(desc);
+ cancel_work_sync(&desc->rxwork);
+ cancel_work_sync(&desc->service_outs_intr);
++ kill_urbs(desc);
+ mutex_unlock(&desc->wlock);
+ mutex_unlock(&desc->rlock);
+
--- /dev/null
+From e2459108b5a0604c4b472cae2b3cb8d3444c77fb Mon Sep 17 00:00:00 2001
+From: "taehyun.cho" <taehyun.cho@samsung.com>
+Date: Thu, 7 Jan 2021 00:46:25 +0900
+Subject: usb: gadget: enable super speed plus
+
+From: taehyun.cho <taehyun.cho@samsung.com>
+
+commit e2459108b5a0604c4b472cae2b3cb8d3444c77fb upstream.
+
+Enable Super speed plus in configfs to support USB3.1 Gen2.
+This ensures that when a USB gadget is plugged in, it is
+enumerated as Gen 2 and connected at 10 Gbps if the host and
+cable are capable of it.
+
+Many in-tree gadget functions (fs, midi, acm, ncm, mass_storage,
+etc.) already have SuperSpeed Plus support.
+
+Tested: plugged gadget into Linux host and saw:
+[284907.385986] usb 8-2: new SuperSpeedPlus Gen 2 USB device number 3 using xhci_hcd
+
+Tested-by: Lorenzo Colitti <lorenzo@google.com>
+Acked-by: Felipe Balbi <balbi@kernel.org>
+Signed-off-by: taehyun.cho <taehyun.cho@samsung.com>
+Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
+Link: https://lore.kernel.org/r/20210106154625.2801030-1-lorenzo@google.com
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/configfs.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/gadget/configfs.c
++++ b/drivers/usb/gadget/configfs.c
+@@ -1505,7 +1505,7 @@ static const struct usb_gadget_driver co
+ .suspend = configfs_composite_suspend,
+ .resume = configfs_composite_resume,
+
+- .max_speed = USB_SPEED_SUPER,
++ .max_speed = USB_SPEED_SUPER_PLUS,
+ .driver = {
+ .owner = THIS_MODULE,
+ .name = "configfs-gadget",
+@@ -1545,7 +1545,7 @@ static struct config_group *gadgets_make
+ gi->composite.unbind = configfs_do_nothing;
+ gi->composite.suspend = NULL;
+ gi->composite.resume = NULL;
+- gi->composite.max_speed = USB_SPEED_SUPER;
++ gi->composite.max_speed = USB_SPEED_SUPER_PLUS;
+
+ spin_lock_init(&gi->spinlock);
+ mutex_init(&gi->lock);
projects / thirdparty / kernel / stable-queue.git / commitdiff
