From: Sasha Levin
Date: Thu, 15 Aug 2024 12:20:08 +0000 (-0400)
Subject: Fixes for 5.15
X-Git-Tag: v4.19.320~28
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=53246af69f9570993ccffa717736d23612c60dd0;p=thirdparty%2Fkernel%2Fstable-queue.git
Fixes for 5.15
Signed-off-by: Sasha Levin
---
diff --git a/queue-5.15/binfmt_flat-fix-corruption-when-not-offsetting-data-.patch b/queue-5.15/binfmt_flat-fix-corruption-when-not-offsetting-data-.patch
new file mode 100644
index 00000000000..201349310b1
--- /dev/null
+++ b/queue-5.15/binfmt_flat-fix-corruption-when-not-offsetting-data-.patch
@@ -0,0 +1,60 @@
+From d4d34278cd03d01f05e7877290755150d984ef7c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 7 Aug 2024 12:51:23 -0700
+Subject: binfmt_flat: Fix corruption when not offsetting data start
+
+From: Kees Cook
+
+[ Upstream commit 3eb3cd5992f7a0c37edc8d05b4c38c98758d8671 ]
+
+Commit 04d82a6d0881 ("binfmt_flat: allow not offsetting data start")
+introduced a RISC-V specific variant of the FLAT format which does
+not allocate any space for the (obsolete) array of shared library
+pointers. However, it did not disable the code which initializes the
+array, resulting in the corruption of sizeof(long) bytes before the DATA
+segment, generally the end of the TEXT segment.
+
+Introduce MAX_SHARED_LIBS_UPDATE which depends on the state of
+CONFIG_BINFMT_FLAT_NO_DATA_START_OFFSET to guard the initialization of
+the shared library pointer region so that it will only be initialized
+if space is reserved for it.
+
+Fixes: 04d82a6d0881 ("binfmt_flat: allow not offsetting data start")
+Co-developed-by: Stefan O'Rear
+Signed-off-by: Stefan O'Rear
+Reviewed-by: Damien Le Moal
+Acked-by: Greg Ungerer
+Link: https://lore.kernel.org/r/20240807195119.it.782-kees@kernel.org
+Signed-off-by: Kees Cook
+Signed-off-by: Sasha Levin
+---
+ fs/binfmt_flat.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/fs/binfmt_flat.c b/fs/binfmt_flat.c
+index 7ca3e0db06ffa..250651cdce0a6 100644
+--- a/fs/binfmt_flat.c
++++ b/fs/binfmt_flat.c
+@@ -76,8 +76,10 @@
+
+ #ifdef CONFIG_BINFMT_FLAT_NO_DATA_START_OFFSET
+ #define DATA_START_OFFSET_WORDS (0)
++#define MAX_SHARED_LIBS_UPDATE (0)
+ #else
+ #define DATA_START_OFFSET_WORDS (MAX_SHARED_LIBS)
++#define MAX_SHARED_LIBS_UPDATE (MAX_SHARED_LIBS)
+ #endif
+
+ struct lib_info {
+@@ -991,7 +993,7 @@ static int load_flat_binary(struct linux_binprm *bprm)
+ return res;
+
+ /* Update data segment pointers for all libraries */
+- for (i = 0; i < MAX_SHARED_LIBS; i++) {
++ for (i = 0; i < MAX_SHARED_LIBS_UPDATE; i++) {
+ if (!libinfo.lib_list[i].loaded)
+ continue;
+ for (j = 0; j < MAX_SHARED_LIBS; j++) {
+--
+2.43.0
+
diff --git a/queue-5.15/series b/queue-5.15/series
index 86fccd3bbf0..e2078273a1e 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -478,3 +478,5 @@ arm64-dts-qcom-msm8996-correct-clock-cells-for-qmp-phy-nodes.patch
 arm64-cpufeature-fix-the-visibility-of-compat-hwcaps.patch
 exec-fix-toctou-between-perm-check-and-set-uid-gid-usage.patch
 nvme-pci-add-apst-quirk-for-lenovo-n60z-laptop.patch
+usb-gadget-u_audio-check-return-codes-from-usb_ep_en.patch
+binfmt_flat-fix-corruption-when-not-offsetting-data-.patch
diff --git a/queue-5.15/usb-gadget-u_audio-check-return-codes-from-usb_ep_en.patch b/queue-5.15/usb-gadget-u_audio-check-return-codes-from-usb_ep_en.patch
new file mode 100644
index 00000000000..05a3d5a739a
--- /dev/null
+++ b/queue-5.15/usb-gadget-u_audio-check-return-codes-from-usb_ep_en.patch
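Review bot: In the fs/binfmt_flat.c change carried by binfmt_flat-fix-corruption-when-not-offsetting-data-.patch, the new `MAX_SHARED_LIBS_UPDATE` define has no comment, and the loop it guards now mixes two bounds: the outer loop stops at `MAX_SHARED_LIBS_UPDATE` while the inner `for (j = 0; j < MAX_SHARED_LIBS; j++)` keeps the old one. That is safe only because the outer loop never runs when the value is 0, which is the invariant that prevents the write before the DATA segment described in the commit message. I would state it at the define, e.g. `/* Slots of the shared-library pointer array actually reserved before DATA; 0 means the update loop must not write. */`. The inner loop body and the rest of load_flat_binary lie outside the hunk, so the exact store it performs is not visible here.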
@@ -0,0 +1,111 @@
+From b1e635f332da4386d41558e5e30c09d0aa0c10e4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 21 Jul 2024 15:23:15 -0400
+Subject: usb: gadget: u_audio: Check return codes from usb_ep_enable and
+ config_ep_by_speed.
+
+From: Chris Wulff
+
+[ Upstream commit 76a7bfc445b8e9893c091e24ccfd4f51dfdc0a70 ]
+
+These functions can fail if descriptors are malformed, or missing,
+for the selected USB speed.
+
+Fixes: eb9fecb9e69b ("usb: gadget: f_uac2: split out audio core")
+Fixes: 24f779dac8f3 ("usb: gadget: f_uac2/u_audio: add feedback endpoint support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Chris Wulff
+Link: https://lore.kernel.org/r/20240721192314.3532697-2-crwulff@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/usb/gadget/function/u_audio.c | 42 ++++++++++++++++++++++-----
+ 1 file changed, 34 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/usb/gadget/function/u_audio.c b/drivers/usb/gadget/function/u_audio.c
+index 5e34a7ff1b63d..6bd908c7bfe63 100644
+--- a/drivers/usb/gadget/function/u_audio.c
++++ b/drivers/usb/gadget/function/u_audio.c
+@@ -474,15 +474,24 @@ int u_audio_start_capture(struct g_audio *audio_dev)
+ struct usb_ep *ep, *ep_fback;
+ struct uac_rtd_params *prm;
+ struct uac_params *params = &audio_dev->params;
+- int req_len, i;
++ int req_len, i, ret;
+
+ ep = audio_dev->out_ep;
+ prm = &uac->c_prm;
+- config_ep_by_speed(gadget, &audio_dev->func, ep);
++ ret = config_ep_by_speed(gadget, &audio_dev->func, ep);
++ if (ret < 0) {
++ dev_err(dev, "config_ep_by_speed for out_ep failed (%d)\n", ret);
++ return ret;
++ }
++
+ req_len = ep->maxpacket;
+
+ prm->ep_enabled = true;
+- usb_ep_enable(ep);
++ ret = usb_ep_enable(ep);
++ if (ret < 0) {
++ dev_err(dev, "usb_ep_enable failed for out_ep (%d)\n", ret);
++ return ret;
++ }
+
+ for (i = 0; i < params->req_number; i++) {
+ if (!prm->reqs[i]) {
+@@ -508,9 +517,18 @@ int u_audio_start_capture(struct g_audio *audio_dev)
+ return 0;
+
+ /* Setup feedback endpoint */
+- config_ep_by_speed(gadget, &audio_dev->func, ep_fback);
++ ret = config_ep_by_speed(gadget, &audio_dev->func, ep_fback);
++ if (ret < 0) {
++ dev_err(dev, "config_ep_by_speed in_ep_fback failed (%d)\n", ret);
++ return ret; // TODO: Clean up out_ep
++ }
++
+ prm->fb_ep_enabled = true;
+- usb_ep_enable(ep_fback);
++ ret = usb_ep_enable(ep_fback);
++ if (ret < 0) {
++ dev_err(dev, "usb_ep_enable failed for in_ep_fback (%d)\n", ret);
++ return ret; // TODO: Clean up out_ep
++ }
+ req_len = ep_fback->maxpacket;
+
+ req_fback = usb_ep_alloc_request(ep_fback, GFP_ATOMIC);
+@@ -565,11 +583,15 @@ int u_audio_start_playback(struct g_audio *audio_dev)
+ struct uac_params *params = &audio_dev->params;
+ unsigned int factor;
+ const struct usb_endpoint_descriptor *ep_desc;
+- int req_len, i;
++ int req_len, i, ret;
+
+ ep = audio_dev->in_ep;
+ prm = &uac->p_prm;
+- config_ep_by_speed(gadget, &audio_dev->func, ep);
++ ret = config_ep_by_speed(gadget, &audio_dev->func, ep);
++ if (ret < 0) {
++ dev_err(dev, "config_ep_by_speed for in_ep failed (%d)\n", ret);
++ return ret;
++ }
+
+ ep_desc = ep->desc;
+
+@@ -598,7 +620,11 @@ int u_audio_start_playback(struct g_audio *audio_dev)
+ uac->p_residue = 0;
+
+ prm->ep_enabled = true;
+- usb_ep_enable(ep);
++ ret = usb_ep_enable(ep);
++ if (ret < 0) {
++ dev_err(dev, "usb_ep_enable failed for in_ep (%d)\n", ret);
++ return ret;
++ }
+
+ for (i = 0; i < params->req_number; i++) {
+ if (!prm->reqs[i]) {
+--
+2.43.0
+
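Review bot: In u_audio_start_capture and u_audio_start_playback, `prm->ep_enabled = true;` (and `prm->fb_ep_enabled = true;` on the feedback path) is still set before `usb_ep_enable()`, so the new `return ret;` error paths leave the flag claiming an endpoint is enabled when the enable has just failed. If the stop path keys its disable and request teardown on these flags, which is outside these hunks, it would later act on an endpoint that was never enabled; clearing the flag before returning, e.g. `prm->ep_enabled = false;` ahead of `return ret;`, keeps driver state and hardware state in agreement. The two feedback-endpoint failures also return with out_ep already enabled, as the `// TODO: Clean up out_ep` comments admit, so an error return from u_audio_start_capture does not mean nothing was started. Both function bodies begin and end outside the hunks shown.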