From: Greg Kroah-Hartman
Date: Tue, 16 Jun 2020 12:12:45 +0000 (+0200)
Subject: 4.9-stable patches
X-Git-Tag: v5.4.47~22
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=3a027373f81c30d695a1b03b030f8304fdce7fd2;p=thirdparty%2Fkernel%2Fstable-queue.git
4.9-stable patches added patches: can-kvaser_usb-kvaser_usb_leaf-fix-some-info-leaks-to-usb-devices.patch media-dvb_frontend-ensure-that-inital-front-end-status-initialized.patch
---
diff --git a/queue-4.9/can-kvaser_usb-kvaser_usb_leaf-fix-some-info-leaks-to-usb-devices.patch b/queue-4.9/can-kvaser_usb-kvaser_usb_leaf-fix-some-info-leaks-to-usb-devices.patch
new file mode 100644
index 00000000000..6297c768fe5
--- /dev/null
+++ b/queue-4.9/can-kvaser_usb-kvaser_usb_leaf-fix-some-info-leaks-to-usb-devices.patch
@@ -0,0 +1,54 @@
+From da2311a6385c3b499da2ed5d9be59ce331fa93e9 Mon Sep 17 00:00:00 2001
+From: Xiaolong Huang
+Date: Sat, 7 Dec 2019 22:40:24 +0800
+Subject: can: kvaser_usb: kvaser_usb_leaf: Fix some info-leaks to USB devices
+
+From: Xiaolong Huang
+
+commit da2311a6385c3b499da2ed5d9be59ce331fa93e9 upstream.
+
+Uninitialized Kernel memory can leak to USB devices.
+
+Fix this by using kzalloc() instead of kmalloc().
+
+Signed-off-by: Xiaolong Huang
+Fixes: 7259124eac7d ("can: kvaser_usb: Split driver into kvaser_usb_core.c and kvaser_usb_leaf.c")
+Cc: linux-stable # >= v4.19
+Signed-off-by: Marc Kleine-Budde
+[bwh: Backported to 4.9: adjust filename, context]
+Signed-off-by: Ben Hutchings
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/can/usb/kvaser_usb.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/can/usb/kvaser_usb.c
++++ b/drivers/net/can/usb/kvaser_usb.c
+@@ -791,7 +791,7 @@ static int kvaser_usb_simple_msg_async(s
+ if (!urb)
+ return -ENOMEM;
+
+- buf = kmalloc(sizeof(struct kvaser_msg), GFP_ATOMIC);
++ buf = kzalloc(sizeof(struct kvaser_msg), GFP_ATOMIC);
+ if (!buf) {
+ usb_free_urb(urb);
+ return -ENOMEM;
+@@ -1459,7 +1459,7 @@ static int kvaser_usb_set_opt_mode(const
+ struct kvaser_msg *msg;
+ int rc;
+
+- msg = kmalloc(sizeof(*msg), GFP_KERNEL);
++ msg = kzalloc(sizeof(*msg), GFP_KERNEL);
+ if (!msg)
+ return -ENOMEM;
+
+@@ -1592,7 +1592,7 @@ static int kvaser_usb_flush_queue(struct
+ struct kvaser_msg *msg;
+ int rc;
+
+- msg = kmalloc(sizeof(*msg), GFP_KERNEL);
++ msg = kzalloc(sizeof(*msg), GFP_KERNEL);
+ if (!msg)
+ return -ENOMEM;
+
diff --git a/queue-4.9/media-dvb_frontend-ensure-that-inital-front-end-status-initialized.patch b/queue-4.9/media-dvb_frontend-ensure-that-inital-front-end-status-initialized.patch
new file mode 100644
index 00000000000..3efcdd60219
--- /dev/null
+++ b/queue-4.9/media-dvb_frontend-ensure-that-inital-front-end-status-initialized.patch
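Review bot: The three `kzalloc()` calls queued for `drivers/net/can/usb/kvaser_usb.c` (in `kvaser_usb_simple_msg_async()`, `kvaser_usb_set_opt_mode()` and `kvaser_usb_flush_queue()`) carry no comment saying why the buffer has to be zeroed, so a later cleanup could switch them back to `kmalloc()` and bring back the leak the commit message describes. I would add a one-line comment above each allocation, for example `/* zeroed: bytes the code below does not set are still sent to the device */`. All three functions start and end outside the inner hunks, so it cannot be checked from here whether other `struct kvaser_msg` buffers in the 4.9 file are still obtained with `kmalloc()` and then transmitted; since the backport adjusted filename and context, that is worth confirming against the 4.9 tree.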
@@ -0,0 +1,50 @@
+From a9e4998073d49a762a154a6b48a332ec6cb8e6b1 Mon Sep 17 00:00:00 2001
+From: Colin Ian King
+Date: Thu, 20 Jul 2017 18:12:07 -0400
+Subject: media: dvb_frontend: ensure that inital front end status initialized
+
+From: Colin Ian King
+
+commit a9e4998073d49a762a154a6b48a332ec6cb8e6b1 upstream.
+
+The fe_status variable s is not initialized meaning it can have any
+random garbage status. This could be problematic if fe->ops.tune is
+false as s is not updated by the call to fe->ops.tune() and a
+subsequent check on the change status will using a garbage value.
+Fix this by adding FE_NONE to the enum fe_status and initializing
+s to this.
+
+Detected by CoverityScan, CID#112887 ("Uninitialized scalar variable")
+
+Signed-off-by: Colin Ian King
+Reviewed-by: Shuah Khan
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Florian Fainelli
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/dvb-core/dvb_frontend.c | 2 +-
+ include/uapi/linux/dvb/frontend.h | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/dvb-core/dvb_frontend.c
++++ b/drivers/media/dvb-core/dvb_frontend.c
+@@ -629,7 +629,7 @@ static int dvb_frontend_thread(void *dat
+ struct dvb_frontend *fe = data;
+ struct dtv_frontend_properties *c = &fe->dtv_property_cache;
+ struct dvb_frontend_private *fepriv = fe->frontend_priv;
+- enum fe_status s;
++ enum fe_status s = FE_NONE;
+ enum dvbfe_algo algo;
+ bool re_tune = false;
+ bool semheld = false;
+--- a/include/uapi/linux/dvb/frontend.h
++++ b/include/uapi/linux/dvb/frontend.h
+@@ -127,6 +127,7 @@ enum fe_sec_mini_cmd {
+ * to reset DiSEqC, tone and parameters
+ */
+ enum fe_status {
++ FE_NONE = 0x00,
+ FE_HAS_SIGNAL = 0x01,
+ FE_HAS_CARRIER = 0x02,
+ FE_HAS_VITERBI = 0x04,
diff --git a/queue-4.9/series b/queue-4.9/series
index c889403973c..5d24573a157 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
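Review bot: `FE_NONE = 0x00` is added to `enum fe_status` in the UAPI header `include/uapi/linux/dvb/frontend.h` without documentation, although the enum sits directly under a comment block and the new name becomes visible to userspace. That block starts outside the hunk, so its format cannot be seen here; if it lists the members, it should gain an entry along the lines of `@FE_NONE: no status bit is set; the initial frontend status`. The other visible values are single-bit flags, so the entry should also say that `FE_NONE` is the empty mask and has to be compared with `==`, because a test with `&` is always false. The body of `dvb_frontend_thread()` lies outside the hunk, so the later use of `s` that the initializer protects cannot be checked from here.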
@@ -49,3 +49,5 @@ mm-slub-fix-a-memory-leak-in-sysfs_slab_add.patch
 fat-don-t-allow-to-mount-if-the-fat-length-0.patch
 perf-add-cond_resched-to-task_function_call.patch
 agp-intel-reinforce-the-barrier-after-gtt-updates.patch
+can-kvaser_usb-kvaser_usb_leaf-fix-some-info-leaks-to-usb-devices.patch
+media-dvb_frontend-ensure-that-inital-front-end-status-initialized.patch