From: Greg Kroah-Hartman Date: Tue, 12 May 2020 10:42:34 +0000 (+0200) Subject: 4.14-stable patches X-Git-Tag: v4.19.123~40 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=3c0e884ee86832899c4a26e827f95d03e909e864;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: geneve-only-configure-or-fill-udp_zero_csum6_rx-tx-info-when-config_ipv6.patch hid-usbhid-fix-race-between-usbhid_close-and-usbhid_stop.patch hid-wacom-read-hid_dg_contactmax-directly-for-non-generic-devices.patch ipv6-fix-cleanup-ordering-for-ip6_mr-failure.patch kvm-arm-vgic-fix-limit-condition-when-writing-to-gicd_iactiver.patch tracing-add-a-vmalloc_sync_mappings-for-safe-measure.patch usb-serial-garmin_gps-add-sanity-checking-for-data-length.patch usb-uas-add-quirk-for-lacie-2big-quadra.patch
---
diff --git a/queue-4.14/geneve-only-configure-or-fill-udp_zero_csum6_rx-tx-info-when-config_ipv6.patch b/queue-4.14/geneve-only-configure-or-fill-udp_zero_csum6_rx-tx-info-when-config_ipv6.patch
new file mode 100644
index 00000000000..0afbe19ceba
--- /dev/null
+++ b/queue-4.14/geneve-only-configure-or-fill-udp_zero_csum6_rx-tx-info-when-config_ipv6.patch
@@ -0,0 +1,75 @@
+From f9094b7603c011d27db7ba109e69881c72fa611d Mon Sep 17 00:00:00 2001
+From: Hangbin Liu
+Date: Thu, 23 Nov 2017 11:27:24 +0800
+Subject: geneve: only configure or fill UDP_ZERO_CSUM6_RX/TX info when CONFIG_IPV6
+
+From: Hangbin Liu
+
+commit f9094b7603c011d27db7ba109e69881c72fa611d upstream.
+
+Stefano pointed that configure or show UDP_ZERO_CSUM6_RX/TX info doesn't
+make sense if we haven't enabled CONFIG_IPV6. Fix it by adding
+if IS_ENABLED(CONFIG_IPV6) check.
+
+Fixes: abe492b4f50c ("geneve: UDP checksum configuration via netlink")
+Fixes: fd7eafd02121 ("geneve: fix fill_info when link down")
+Signed-off-by: Hangbin Liu
+Reviewed-by: Stefano Brivio
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/geneve.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/geneve.c
++++ b/drivers/net/geneve.c
+@@ -1369,21 +1369,33 @@ static int geneve_nl2info(struct nlattr
+ }
+ 
+ if (data[IFLA_GENEVE_UDP_ZERO_CSUM6_TX]) {
++#if IS_ENABLED(CONFIG_IPV6)
+ if (changelink) {
+ attrtype = IFLA_GENEVE_UDP_ZERO_CSUM6_TX;
+ goto change_notsup;
+ }
+ if (nla_get_u8(data[IFLA_GENEVE_UDP_ZERO_CSUM6_TX]))
+ info->key.tun_flags &= ~TUNNEL_CSUM;
++#else
++ NL_SET_ERR_MSG_ATTR(extack, data[IFLA_GENEVE_UDP_ZERO_CSUM6_TX],
++ "IPv6 support not enabled in the kernel");
++ return -EPFNOSUPPORT;
++#endif
+ }
+ 
+ if (data[IFLA_GENEVE_UDP_ZERO_CSUM6_RX]) {
++#if IS_ENABLED(CONFIG_IPV6)
+ if (changelink) {
+ attrtype = IFLA_GENEVE_UDP_ZERO_CSUM6_RX;
+ goto change_notsup;
+ }
+ if (nla_get_u8(data[IFLA_GENEVE_UDP_ZERO_CSUM6_RX]))
+ *use_udp6_rx_checksums = false;
++#else
++ NL_SET_ERR_MSG_ATTR(extack, data[IFLA_GENEVE_UDP_ZERO_CSUM6_RX],
++ "IPv6 support not enabled in the kernel");
++ return -EPFNOSUPPORT;
++#endif
+ }
+ 
+ return 0;
+@@ -1559,11 +1571,13 @@ static int geneve_fill_info(struct sk_bu
+ goto nla_put_failure;
+ 
+ if (metadata && nla_put_flag(skb, IFLA_GENEVE_COLLECT_METADATA))
+- goto nla_put_failure;
++ goto nla_put_failure;
+ 
++#if IS_ENABLED(CONFIG_IPV6)
+ if (nla_put_u8(skb, IFLA_GENEVE_UDP_ZERO_CSUM6_RX,
+ !geneve->use_udp6_rx_checksums))
+ goto nla_put_failure;
++#endif
+ 
+ return 0;
+ 
diff --git a/queue-4.14/hid-usbhid-fix-race-between-usbhid_close-and-usbhid_stop.patch b/queue-4.14/hid-usbhid-fix-race-between-usbhid_close-and-usbhid_stop.patch
new file mode 100644
index 00000000000..28d19e3762b
--- /dev/null
+++ b/queue-4.14/hid-usbhid-fix-race-between-usbhid_close-and-usbhid_stop.patch
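Review bot: On a kernel built without CONFIG_IPV6 the new `#else` branches in geneve_nl2info() turn an attribute that was previously accepted silently into a hard -EPFNOSUPPORT, and they do so before the `changelink` test, so the same attribute yields -EPFNOSUPPORT there but -EOPNOTSUPP (via change_notsup) on an IPv6 build; that is defensible, but for a stable backport it is a userspace-visible change worth a one-line comment above the first `#else`, e.g. `/* attribute cannot be honoured without IPv6: reject it regardless of changelink */`. The fill_info hunk only wraps the IFLA_GENEVE_UDP_ZERO_CSUM6_RX put; presumably the TX counterpart already sits under an IPv6-only branch earlier in geneve_fill_info(), which the hunk does not show — worth confirming in the 4.14 tree before applying. The `-`/`+` pair on `goto nla_put_failure` is whitespace-only. Both geneve_nl2info() and geneve_fill_info() start outside the hunk.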
@@ -0,0 +1,168 @@
+From 0ed08faded1da03eb3def61502b27f81aef2e615 Mon Sep 17 00:00:00 2001
+From: Alan Stern
+Date: Wed, 22 Apr 2020 16:18:48 -0400
+Subject: HID: usbhid: Fix race between usbhid_close() and usbhid_stop()
+
+From: Alan Stern
+
+commit 0ed08faded1da03eb3def61502b27f81aef2e615 upstream.
+
+The syzbot fuzzer discovered a bad race between in the usbhid driver
+between usbhid_stop() and usbhid_close(). In particular,
+usbhid_stop() does:
+
+ usb_free_urb(usbhid->urbin);
+ ...
+ usbhid->urbin = NULL; /* don't mess up next start */
+
+and usbhid_close() does:
+
+ usb_kill_urb(usbhid->urbin);
+
+with no mutual exclusion. If the two routines happen to run
+concurrently so that usb_kill_urb() is called in between the
+usb_free_urb() and the NULL assignment, it will access the
+deallocated urb structure -- a use-after-free bug.
+
+This patch adds a mutex to the usbhid private structure and uses it to
+enforce mutual exclusion of the usbhid_start(), usbhid_stop(),
+usbhid_open() and usbhid_close() callbacks.
+
+Reported-and-tested-by: syzbot+7bf5a7b0f0a1f9446f4c@syzkaller.appspotmail.com
+Signed-off-by: Alan Stern
+CC:
+Signed-off-by: Jiri Kosina
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/hid/usbhid/hid-core.c | 37 +++++++++++++++++++++++++++++--------
+ drivers/hid/usbhid/usbhid.h | 1 +
+ 2 files changed, 30 insertions(+), 8 deletions(-)
+
+--- a/drivers/hid/usbhid/hid-core.c
++++ b/drivers/hid/usbhid/hid-core.c
+@@ -680,16 +680,21 @@ static int usbhid_open(struct hid_device
+ struct usbhid_device *usbhid = hid->driver_data;
+ int res;
+ 
++ mutex_lock(&usbhid->mutex);
++
+ set_bit(HID_OPENED, &usbhid->iofl);
+ 
+- if (hid->quirks & HID_QUIRK_ALWAYS_POLL)
+- return 0;
++ if (hid->quirks & HID_QUIRK_ALWAYS_POLL) {
++ res = 0;
++ goto Done;
++ }
+ 
+ res = usb_autopm_get_interface(usbhid->intf);
+ /* the device must be awake to reliably request remote wakeup */
+ if (res < 0) {
+ clear_bit(HID_OPENED, &usbhid->iofl);
+- return -EIO;
++ res = -EIO;
++ goto Done;
+ }
+ 
+ usbhid->intf->needs_remote_wakeup = 1;
+@@ -723,6 +728,9 @@ static int usbhid_open(struct hid_device
+ msleep(50);
+ 
+ clear_bit(HID_RESUME_RUNNING, &usbhid->iofl);
++
++ Done:
++ mutex_unlock(&usbhid->mutex);
+ return res;
+ }
+ 
+@@ -730,6 +738,8 @@ static void usbhid_close(struct hid_devi
+ {
+ struct usbhid_device *usbhid = hid->driver_data;
+ 
++ mutex_lock(&usbhid->mutex);
++
+ /*
+ * Make sure we don't restart data acquisition due to
+ * a resumption we no longer care about by avoiding racing
+@@ -741,12 +751,13 @@ static void usbhid_close(struct hid_devi
+ clear_bit(HID_IN_POLLING, &usbhid->iofl);
+ spin_unlock_irq(&usbhid->lock);
+ 
+- if (hid->quirks & HID_QUIRK_ALWAYS_POLL)
+- return;
++ if (!(hid->quirks & HID_QUIRK_ALWAYS_POLL)) {
++ hid_cancel_delayed_stuff(usbhid);
++ usb_kill_urb(usbhid->urbin);
++ usbhid->intf->needs_remote_wakeup = 0;
++ }
+ 
+- hid_cancel_delayed_stuff(usbhid);
+- usb_kill_urb(usbhid->urbin);
+- usbhid->intf->needs_remote_wakeup = 0;
++ mutex_unlock(&usbhid->mutex);
+ }
+ 
+ /*
+@@ -1056,6 +1067,8 @@ static int usbhid_start(struct hid_devic
+ unsigned int n, insize = 0;
+ int ret;
+ 
++ mutex_lock(&usbhid->mutex);
++
+ clear_bit(HID_DISCONNECTED, &usbhid->iofl);
+ 
+ usbhid->bufsize = HID_MIN_BUFFER_SIZE;
+@@ -1170,6 +1183,8 @@ static int usbhid_start(struct hid_devic
+ usbhid_set_leds(hid);
+ device_set_wakeup_enable(&dev->dev, 1);
+ }
++
++ mutex_unlock(&usbhid->mutex);
+ return 0;
+ 
+ fail:
+@@ -1180,6 +1195,7 @@ fail:
+ usbhid->urbout = NULL;
+ usbhid->urbctrl = NULL;
+ hid_free_buffers(dev, hid);
++ mutex_unlock(&usbhid->mutex);
+ return ret;
+ }
+ 
+@@ -1195,6 +1211,8 @@ static void usbhid_stop(struct hid_devic
+ usbhid->intf->needs_remote_wakeup = 0;
+ }
+ 
++ mutex_lock(&usbhid->mutex);
++
+ clear_bit(HID_STARTED, &usbhid->iofl);
+ spin_lock_irq(&usbhid->lock); /* Sync with error and led handlers */
+ set_bit(HID_DISCONNECTED, &usbhid->iofl);
+@@ -1215,6 +1233,8 @@ static void usbhid_stop(struct hid_devic
+ usbhid->urbout = NULL;
+ 
+ hid_free_buffers(hid_to_usb_dev(hid), hid);
++
++ mutex_unlock(&usbhid->mutex);
+ }
+ 
+ static int usbhid_power(struct hid_device *hid, int lvl)
+@@ -1375,6 +1395,7 @@ static int usbhid_probe(struct usb_inter
+ INIT_WORK(&usbhid->reset_work, hid_reset);
+ setup_timer(&usbhid->io_retry, hid_retry_timeout, (unsigned long) hid);
+ spin_lock_init(&usbhid->lock);
++ mutex_init(&usbhid->mutex);
+ 
+ ret = hid_add_device(hid);
+ if (ret) {
+--- a/drivers/hid/usbhid/usbhid.h
++++ b/drivers/hid/usbhid/usbhid.h
+@@ -93,6 +93,7 @@ struct usbhid_device {
+ dma_addr_t outbuf_dma; /* Output buffer dma */
+ unsigned long last_out; /* record of last output for timeouts */
+ 
++ struct mutex mutex; /* start/stop/open/close */
+ spinlock_t lock; /* fifo spinlock */
+ unsigned long iofl; /* I/O flags (CTRL_RUNNING, OUT_RUNNING) */
+ struct timer_list io_retry; /* Retry timer */
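Review bot: The new lock is documented only as `/* start/stop/open/close */` in usbhid.h, yet its whole reason to exist is keeping usbhid->urbin (and the other URBs freed in usbhid_stop()) alive while usbhid_close() kills it, so say that: `struct mutex mutex; /* serializes start/stop/open/close; guards urbin/urbout/urbctrl lifetime */`. In usbhid_stop() the HID_QUIRK_ALWAYS_POLL block that clears HID_IN_POLLING and needs_remote_wakeup still runs before `mutex_lock(&usbhid->mutex)`; usbhid_close() only touches needs_remote_wakeup when the quirk is not set, so this looks intentional, but a one-line comment there would spare the next reader the same analysis. The `Done:` label in usbhid_open() is capitalised unlike the file's existing `fail:`; kernel style prefers lowercase labels. The reset/retry paths that also dereference urbin are outside the hunk and presumably still rely on HID_DISCONNECTED under the spinlock rather than this mutex — worth a second look before declaring the race closed. usbhid_start() and usbhid_stop() begin outside the hunk.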
diff --git a/queue-4.14/hid-wacom-read-hid_dg_contactmax-directly-for-non-generic-devices.patch b/queue-4.14/hid-wacom-read-hid_dg_contactmax-directly-for-non-generic-devices.patch
new file mode 100644
index 00000000000..5360d73d2a0
--- /dev/null
+++ b/queue-4.14/hid-wacom-read-hid_dg_contactmax-directly-for-non-generic-devices.patch
@@ -0,0 +1,48 @@
+From 778fbf4179991e7652e97d7f1ca1f657ef828422 Mon Sep 17 00:00:00 2001
+From: Jason Gerecke
+Date: Wed, 1 Apr 2020 14:23:29 -0700
+Subject: HID: wacom: Read HID_DG_CONTACTMAX directly for non-generic devices
+
+From: Jason Gerecke
+
+commit 778fbf4179991e7652e97d7f1ca1f657ef828422 upstream.
+
+We've recently switched from extracting the value of HID_DG_CONTACTMAX
+at a fixed offset (which may not be correct for all tablets) to
+injecting the report into the driver for the generic codepath to handle.
+Unfortunately, this change was made for *all* tablets, even those which
+aren't generic. Because `wacom_wac_report` ignores reports from non-
+generic devices, the contact count never gets initialized. Ultimately
+this results in the touch device itself failing to probe, and thus the
+loss of touch input.
+
+This commit adds back the fixed-offset extraction for non-generic devices.
+
+Link: https://github.com/linuxwacom/input-wacom/issues/155
+Fixes: 184eccd40389 ("HID: wacom: generic: read HID_DG_CONTACTMAX from any feature report")
+Signed-off-by: Jason Gerecke
+Reviewed-by: Aaron Armstrong Skomra
+CC: stable@vger.kernel.org # 5.3+
+Signed-off-by: Benjamin Tissoires
+Cc: Guenter Roeck
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/hid/wacom_sys.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/hid/wacom_sys.c
++++ b/drivers/hid/wacom_sys.c
+@@ -132,9 +132,11 @@ static void wacom_feature_mapping(struct
+ data[0] = field->report->id;
+ ret = wacom_get_report(hdev, HID_FEATURE_REPORT,
+ data, n, WAC_CMD_RETRIES);
+- if (ret == n) {
++ if (ret == n && features->type == HID_GENERIC) {
+ ret = hid_report_raw_event(hdev,
+ HID_FEATURE_REPORT, data, n, 0);
++ } else if (ret == 2 && features->type != HID_GENERIC) {
++ features->touch_max = data[1];
+ } else {
+ features->touch_max = 16;
+ hid_warn(hdev, "wacom_feature_mapping: "
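Review bot: In the new `else if (ret == 2 && features->type != HID_GENERIC)` branch, `data[1]` comes straight from the device's feature report and is stored in features->touch_max with no range check, while the fallback branch below clamps the unknown case to 16; a device (or a fuzzer) answering 0 or 255 is taken at face value. If the pre-184eccd40389 fixed-offset code did the same this is a faithful restore, but a comment should make the trust boundary explicit, e.g. `/* non-generic tablets: byte 1 of the 2-byte CONTACTMAX reply is the count; unvalidated device input */`, and a `hid_warn()` on an implausible value would be cheap. The `ret == 2` test also means a non-generic device replying with any other length silently falls through to the 16 default — presumably intended, but worth stating. wacom_feature_mapping() starts before and continues after the hunk.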
diff --git a/queue-4.14/ipv6-fix-cleanup-ordering-for-ip6_mr-failure.patch b/queue-4.14/ipv6-fix-cleanup-ordering-for-ip6_mr-failure.patch
new file mode 100644
index 00000000000..44f67b5f832
--- /dev/null
+++ b/queue-4.14/ipv6-fix-cleanup-ordering-for-ip6_mr-failure.patch
@@ -0,0 +1,64 @@
+From afe49de44c27a89e8e9631c44b5ffadf6ace65e2 Mon Sep 17 00:00:00 2001
+From: Sabrina Dubroca
+Date: Tue, 28 Aug 2018 13:40:51 +0200
+Subject: ipv6: fix cleanup ordering for ip6_mr failure
+
+From: Sabrina Dubroca
+
+commit afe49de44c27a89e8e9631c44b5ffadf6ace65e2 upstream.
+
+Commit 15e668070a64 ("ipv6: reorder icmpv6_init() and ip6_mr_init()")
+moved the cleanup label for ipmr_fail, but should have changed the
+contents of the cleanup labels as well. Now we can end up cleaning up
+icmpv6 even though it hasn't been initialized (jump to icmp_fail or
+ipmr_fail).
+
+Simply undo things in the reverse order of their initialization.
+
+Example of panic (triggered by faking a failure of icmpv6_init):
+
+ kasan: GPF could be caused by NULL-ptr deref or user memory access
+ general protection fault: 0000 [#1] PREEMPT SMP KASAN PTI
+ [...]
+ RIP: 0010:__list_del_entry_valid+0x79/0x160
+ [...]
+ Call Trace:
+ ? lock_release+0x8a0/0x8a0
+ unregister_pernet_operations+0xd4/0x560
+ ? ops_free_list+0x480/0x480
+ ? down_write+0x91/0x130
+ ? unregister_pernet_subsys+0x15/0x30
+ ? down_read+0x1b0/0x1b0
+ ? up_read+0x110/0x110
+ ? kmem_cache_create_usercopy+0x1b4/0x240
+ unregister_pernet_subsys+0x1d/0x30
+ icmpv6_cleanup+0x1d/0x30
+ inet6_init+0x1b5/0x23f
+
+Fixes: 15e668070a64 ("ipv6: reorder icmpv6_init() and ip6_mr_init()")
+Signed-off-by: Sabrina Dubroca
+Signed-off-by: David S. Miller
+Cc: Guenter Roeck
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/ipv6/af_inet6.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/ipv6/af_inet6.c
++++ b/net/ipv6/af_inet6.c
+@@ -1088,11 +1088,11 @@ netfilter_fail:
+ igmp_fail:
+ ndisc_cleanup();
+ ndisc_fail:
+- ip6_mr_cleanup();
++ icmpv6_cleanup();
+ icmp_fail:
+- unregister_pernet_subsys(&inet6_net_ops);
++ ip6_mr_cleanup();
+ ipmr_fail:
+- icmpv6_cleanup();
++ unregister_pernet_subsys(&inet6_net_ops);
+ register_pernet_fail:
+ sock_unregister(PF_INET6);
+ rtnl_unregister_all(PF_INET6);
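Review bot: The relabelling is only correct if the 4.14 tree already carries 15e668070a64 (ip6_mr_init() called before icmpv6_init()), because the hunk shows the unwind labels but not the init sequence they mirror; if that reorder was never backported, this patch introduces the exact bug it claims to fix, so confirm the order in inet6_init() in queue-4.14's net/ipv6/af_inet6.c before applying. The cleanup chain has already been broken once by an init reorder, so a comment above the labels stating the invariant would be cheap insurance: `/* unwind in strict reverse order of inet6_init(); keep the two in sync */`. inet6_init() starts well before the hunk and its label block continues after it.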
diff --git a/queue-4.14/kvm-arm-vgic-fix-limit-condition-when-writing-to-gicd_iactiver.patch b/queue-4.14/kvm-arm-vgic-fix-limit-condition-when-writing-to-gicd_iactiver.patch
new file mode 100644
index 00000000000..f49f7835873
--- /dev/null
+++ b/queue-4.14/kvm-arm-vgic-fix-limit-condition-when-writing-to-gicd_iactiver.patch
@@ -0,0 +1,49 @@
+From 1c32ca5dc6d00012f0c964e5fdd7042fcc71efb1 Mon Sep 17 00:00:00 2001
+From: Marc Zyngier
+Date: Tue, 14 Apr 2020 15:10:08 +0100
+Subject: KVM: arm: vgic: Fix limit condition when writing to GICD_I[CS]ACTIVER
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Marc Zyngier
+
+commit 1c32ca5dc6d00012f0c964e5fdd7042fcc71efb1 upstream.
+
+When deciding whether a guest has to be stopped we check whether this
+is a private interrupt or not. Unfortunately, there's an off-by-one bug
+here, and we fail to recognize a whole range of interrupts as being
+global (GICv2 SPIs 32-63).
+
+Fix the condition from > to be >=.
+
+Cc: stable@vger.kernel.org
+Fixes: abd7229626b93 ("KVM: arm/arm64: Simplify active_change_prepare and plug race")
+Reported-by: André Przywara
+Signed-off-by: Marc Zyngier
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ virt/kvm/arm/vgic/vgic-mmio.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/virt/kvm/arm/vgic/vgic-mmio.c
++++ b/virt/kvm/arm/vgic/vgic-mmio.c
+@@ -260,7 +260,7 @@ static void vgic_mmio_change_active(stru
+ static void vgic_change_active_prepare(struct kvm_vcpu *vcpu, u32 intid)
+ {
+ if (vcpu->kvm->arch.vgic.vgic_model == KVM_DEV_TYPE_ARM_VGIC_V3 ||
+- intid > VGIC_NR_PRIVATE_IRQS)
++ intid >= VGIC_NR_PRIVATE_IRQS)
+ kvm_arm_halt_guest(vcpu->kvm);
+ }
+ 
+@@ -268,7 +268,7 @@ static void vgic_change_active_prepare(s
+ static void vgic_change_active_finish(struct kvm_vcpu *vcpu, u32 intid)
+ {
+ if (vcpu->kvm->arch.vgic.vgic_model == KVM_DEV_TYPE_ARM_VGIC_V3 ||
+- intid > VGIC_NR_PRIVATE_IRQS)
++ intid >= VGIC_NR_PRIVATE_IRQS)
+ kvm_arm_resume_guest(vcpu->kvm);
+ }
+ 
diff --git a/queue-4.14/series b/queue-4.14/series
index 9b524449992..3f3dde3a545 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
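Review bot: The `>=` is right only because `intid` here is the first interrupt of the accessed GICD_I[CS]ACTIVER register rather than a single IRQ — that is why the old `>` skipped the whole 32–63 register, as the commit message says — and nothing at the call site records that; a comment on the condition, `/* intid is the base IRQ of the register being written; SPIs start at VGIC_NR_PRIVATE_IRQS */`, would stop the next reader from re-deriving it. The identical predicate is now duplicated in vgic_change_active_prepare() and vgic_change_active_finish(), and any future drift between the two would leave a guest halted or never halted, so it belongs in one static inline (or an existing is-SPI helper, if this tree has one). Both functions are shown in full.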
@@ -12,3 +12,11 @@ net-mlx5-fix-command-entry-leak-in-internal-error-state.patch
 bnxt_en-improve-aer-slot-reset.patch
 bnxt_en-fix-vf-anti-spoof-filter-setup.patch
 net-stricter-validation-of-untrusted-gso-packets.patch
+ipv6-fix-cleanup-ordering-for-ip6_mr-failure.patch
+hid-wacom-read-hid_dg_contactmax-directly-for-non-generic-devices.patch
+geneve-only-configure-or-fill-udp_zero_csum6_rx-tx-info-when-config_ipv6.patch
+hid-usbhid-fix-race-between-usbhid_close-and-usbhid_stop.patch
+usb-uas-add-quirk-for-lacie-2big-quadra.patch
+usb-serial-garmin_gps-add-sanity-checking-for-data-length.patch
+tracing-add-a-vmalloc_sync_mappings-for-safe-measure.patch
+kvm-arm-vgic-fix-limit-condition-when-writing-to-gicd_iactiver.patch
diff --git a/queue-4.14/tracing-add-a-vmalloc_sync_mappings-for-safe-measure.patch b/queue-4.14/tracing-add-a-vmalloc_sync_mappings-for-safe-measure.patch
new file mode 100644
index 00000000000..de180213dfb
--- /dev/null
+++ b/queue-4.14/tracing-add-a-vmalloc_sync_mappings-for-safe-measure.patch
@@ -0,0 +1,62 @@
+From 11f5efc3ab66284f7aaacc926e9351d658e2577b Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (VMware)"
+Date: Wed, 6 May 2020 10:36:18 -0400
+Subject: tracing: Add a vmalloc_sync_mappings() for safe measure
+
+From: Steven Rostedt (VMware)
+
+commit 11f5efc3ab66284f7aaacc926e9351d658e2577b upstream.
+
+x86_64 lazily maps in the vmalloc pages, and the way this works with per_cpu
+areas can be complex, to say the least. Mappings may happen at boot up, and
+if nothing synchronizes the page tables, those page mappings may not be
+synced till they are used. This causes issues for anything that might touch
+one of those mappings in the path of the page fault handler. When one of
+those unmapped mappings is touched in the page fault handler, it will cause
+another page fault, which in turn will cause a page fault, and leave us in
+a loop of page faults.
+
+Commit 763802b53a42 ("x86/mm: split vmalloc_sync_all()") split
+vmalloc_sync_all() into vmalloc_sync_unmappings() and
+vmalloc_sync_mappings(), as on system exit, it did not need to do a full
+sync on x86_64 (although it still needed to be done on x86_32). By chance,
+the vmalloc_sync_all() would synchronize the page mappings done at boot up
+and prevent the per cpu area from being a problem for tracing in the page
+fault handler. But when that synchronization in the exit of a task became a
+nop, it caused the problem to appear.
+
+Link: https://lore.kernel.org/r/20200429054857.66e8e333@oasis.local.home
+
+Cc: stable@vger.kernel.org
+Fixes: 737223fbca3b1 ("tracing: Consolidate buffer allocation code")
+Reported-by: "Tzvetomir Stoyanov (VMware)"
+Suggested-by: Joerg Roedel
+Signed-off-by: Steven Rostedt (VMware)
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/trace/trace.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/kernel/trace/trace.c
++++ b/kernel/trace/trace.c
+@@ -7666,6 +7666,19 @@ static int allocate_trace_buffers(struct
+ */
+ allocate_snapshot = false;
+ #endif
++
++ /*
++ * Because of some magic with the way alloc_percpu() works on
++ * x86_64, we need to synchronize the pgd of all the tables,
++ * otherwise the trace events that happen in x86_64 page fault
++ * handlers can't cope with accessing the chance that a
++ * alloc_percpu()'d memory might be touched in the page fault trace
++ * event. Oh, and we need to audit all other alloc_percpu() and vmalloc()
++ * calls in tracing, because something might get triggered within a
++ * page fault trace event!
++ */
++ vmalloc_sync_mappings();
++
+ return 0;
+ }
+ 
diff --git a/queue-4.14/usb-serial-garmin_gps-add-sanity-checking-for-data-length.patch b/queue-4.14/usb-serial-garmin_gps-add-sanity-checking-for-data-length.patch
new file mode 100644
index 00000000000..5d0268b0fa9
--- /dev/null
+++ b/queue-4.14/usb-serial-garmin_gps-add-sanity-checking-for-data-length.patch
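Review bot: `vmalloc_sync_mappings()` only exists if 763802b53a42 ("x86/mm: split vmalloc_sync_all()") is already in the 4.14 tree; the hunk cannot show that and the visible part of the series file does not list it, so without that prerequisite this backport fails to build — confirm it is queued ahead of this patch. The added comment is the weakest part of the change: `handlers can't cope with accessing the chance that a alloc_percpu()'d memory` is garbled, and the `we need to audit all other alloc_percpu() and vmalloc() calls` sentence is an open TODO living in a code comment, so the backport would read better with the comment stating the one thing done here, e.g. `/* Sync the pgd so the freshly allocated percpu trace buffers are mapped before a page-fault tracepoint can touch them (x86_64 maps vmalloc lazily) */`. allocate_trace_buffers() starts outside the hunk, and its failure path above `return 0` is not synced, which is only fine if nothing tracing-related can touch those buffers after a failed allocation.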
@@ -0,0 +1,35 @@
+From e9b3c610a05c1cdf8e959a6d89c38807ff758ee6 Mon Sep 17 00:00:00 2001
+From: Oliver Neukum
+Date: Wed, 15 Apr 2020 16:03:04 +0200
+Subject: USB: serial: garmin_gps: add sanity checking for data length
+
+From: Oliver Neukum
+
+commit e9b3c610a05c1cdf8e959a6d89c38807ff758ee6 upstream.
+
+We must not process packets shorter than a packet ID
+
+Signed-off-by: Oliver Neukum
+Reported-and-tested-by: syzbot+d29e9263e13ce0b9f4fd@syzkaller.appspotmail.com
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/serial/garmin_gps.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/serial/garmin_gps.c
++++ b/drivers/usb/serial/garmin_gps.c
+@@ -1161,8 +1161,8 @@ static void garmin_read_process(struct g
+ send it directly to the tty port */
+ if (garmin_data_p->flags & FLAGS_QUEUING) {
+ pkt_add(garmin_data_p, data, data_length);
+- } else if (bulk_data ||
+- getLayerId(data) == GARMIN_LAYERID_APPL) {
++ } else if (bulk_data || (data_length >= sizeof(u32) &&
++ getLayerId(data) == GARMIN_LAYERID_APPL)) {
+ 
+ spin_lock_irqsave(&garmin_data_p->lock, flags);
+ garmin_data_p->flags |= APP_RESP_SEEN;
diff --git a/queue-4.14/usb-uas-add-quirk-for-lacie-2big-quadra.patch b/queue-4.14/usb-uas-add-quirk-for-lacie-2big-quadra.patch
new file mode 100644
index 00000000000..de3de8ed387
--- /dev/null
+++ b/queue-4.14/usb-uas-add-quirk-for-lacie-2big-quadra.patch
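Review bot: The new `data_length >= sizeof(u32)` bound is tied to what getLayerId() presumably reads (the first 32-bit word of the packet) rather than to any named header size, so a reader has to reverse-engineer why `u32`; a comment on the line, `/* getLayerId() reads the first 32-bit word; a shorter packet carries no layer ID */`, or the driver's existing packet-header length constant if one applies, would make the contract explicit. The guard is short-circuited by `bulk_data ||`, so bulk packets of any length still reach the tty path; that appears intended since nothing on that branch parses the pack
et, but any code further down garmin_read_process() that reads header fields (packet length, packet ID) needs the same check and is outside the hunk. The FLAGS_QUEUING path in the hunk queues packets unchecked via pkt_add(); whether they are re-parsed later is also outside the hunk. garmin_read_process() starts before and ends after the hunk.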
@@ -0,0 +1,41 @@
+From 9f04db234af691007bb785342a06abab5fb34474 Mon Sep 17 00:00:00 2001
+From: Oliver Neukum
+Date: Wed, 29 Apr 2020 17:52:18 +0200
+Subject: USB: uas: add quirk for LaCie 2Big Quadra
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Oliver Neukum
+
+commit 9f04db234af691007bb785342a06abab5fb34474 upstream.
+
+This device needs US_FL_NO_REPORT_OPCODES to avoid going
+through prolonged error handling on enumeration.
+
+Signed-off-by: Oliver Neukum
+Reported-by: Julian Groß
+Cc: stable
+Link: https://lore.kernel.org/r/20200429155218.7308-1-oneukum@suse.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/storage/unusual_uas.h | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/usb/storage/unusual_uas.h
++++ b/drivers/usb/storage/unusual_uas.h
+@@ -41,6 +41,13 @@
+ * and don't forget to CC: the USB development list
+ */
+ 
++/* Reported-by: Julian Groß */
++UNUSUAL_DEV(0x059f, 0x105f, 0x0000, 0x9999,
++ "LaCie",
++ "2Big Quadra USB3",
++ USB_SC_DEVICE, USB_PR_DEVICE, NULL,
++ US_FL_NO_REPORT_OPCODES),
++
+ /*
+ * Apricorn USB3 dongle sometimes returns "USBSUSBSUSBS" in response to SCSI
+ * commands in UAS mode. Observed with the 1.28 firmware; are there others?