From: Greg Kroah-Hartman Date: Thu, 4 Jun 2020 10:14:21 +0000 (+0200) Subject: 4.9-stable patches X-Git-Tag: v5.7.1~27 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=75293ba93b453d22fbfcf447d68f5df4a5799121;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: esp6-fix-memleak-on-error-path-in-esp6_input.patch scsi-scsi_devinfo-fixup-string-compare.patch usb-gadget-f_uac2-fix-error-handling-in-afunc_bind-again.patch
---
diff --git a/queue-4.9/esp6-fix-memleak-on-error-path-in-esp6_input.patch b/queue-4.9/esp6-fix-memleak-on-error-path-in-esp6_input.patch
new file mode 100644
index 00000000000..a425d02b16a
--- /dev/null
+++ b/queue-4.9/esp6-fix-memleak-on-error-path-in-esp6_input.patch
@@ -0,0 +1,38 @@
+From 7284fdf39a912322ce97de2d30def3c6068a418c Mon Sep 17 00:00:00 2001
+From: Zhen Lei
+Date: Wed, 27 Jun 2018 11:49:28 +0800
+Subject: esp6: fix memleak on error path in esp6_input
+
+From: Zhen Lei
+
+commit 7284fdf39a912322ce97de2d30def3c6068a418c upstream.
+
+This ought to be an omission in e6194923237 ("esp: Fix memleaks on error
+paths."). The memleak on error path in esp6_input is similar to esp_input
+of esp4.
+
+Fixes: e6194923237 ("esp: Fix memleaks on error paths.")
+Fixes: 3f29770723f ("ipsec: check return value of skb_to_sgvec always")
+Signed-off-by: Zhen Lei
+Signed-off-by: Steffen Klassert
+Cc: Guenter Roeck
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/ipv6/esp6.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/esp6.c
++++ b/net/ipv6/esp6.c
+@@ -426,8 +426,10 @@ static int esp6_input(struct xfrm_state
+
+ sg_init_table(sg, nfrags);
+ ret = skb_to_sgvec(skb, sg, 0, skb->len);
+- if (unlikely(ret < 0))
++ if (unlikely(ret < 0)) {
++ kfree(tmp);
+ goto out;
++ }
+
+ aead_request_set_crypt(req, sg, sg, elen + ivlen, iv);
+ aead_request_set_ad(req, assoclen);
diff --git a/queue-4.9/scsi-scsi_devinfo-fixup-string-compare.patch b/queue-4.9/scsi-scsi_devinfo-fixup-string-compare.patch
new file mode 100644
index 00000000000..6312b208c99
--- /dev/null
+++ b/queue-4.9/scsi-scsi_devinfo-fixup-string-compare.patch
@@ -0,0 +1,83 @@
+From b8018b973c7cefa5eb386540130fa47315b8e337 Mon Sep 17 00:00:00 2001
+From: Hannes Reinecke
+Date: Mon, 2 Oct 2017 16:26:37 +0200
+Subject: scsi: scsi_devinfo: fixup string compare
+
+From: Hannes Reinecke
+
+commit b8018b973c7cefa5eb386540130fa47315b8e337 upstream.
+
+When checking the model and vendor string we need to use the minimum
+value of either string, otherwise we'll miss out on wildcard matches.
+
+And we should take care when matching with zero size strings; results
+might be unpredictable. With this patch the rules for matching devinfo
+strings are as follows:
+
+- Vendor strings must match exactly
+- Empty Model strings will only match if the devinfo model
+ is also empty
+- Model strings shorter than the devinfo model string will
+ not match
+
+Fixes: 5e7ff2c ("SCSI: fix new bug in scsi_dev_info_list string matching")
+Signed-off-by: Hannes Reinecke
+Reviewed-by: Alan Stern
+Reviewed-by: Bart Van Assche
+Reviewed-by: Johannes Thumshirn
+Signed-off-by: Martin K. Petersen
+Cc: Guenter Roeck
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/scsi_devinfo.c | 23 +++++++++++++----------
+ 1 file changed, 13 insertions(+), 10 deletions(-)
+
+--- a/drivers/scsi/scsi_devinfo.c
++++ b/drivers/scsi/scsi_devinfo.c
+@@ -394,8 +394,8 @@ EXPORT_SYMBOL(scsi_dev_info_list_add_key
+
+ /**
+ * scsi_dev_info_list_find - find a matching dev_info list entry.
+- * @vendor: vendor string
+- * @model: model (product) string
++ * @vendor: full vendor string
++ * @model: full model (product) string
+ * @key: specify list to use
+ *
+ * Description:
+@@ -410,7 +410,7 @@ static struct scsi_dev_info_list *scsi_d
+ struct scsi_dev_info_list *devinfo;
+ struct scsi_dev_info_list_table *devinfo_table =
+ scsi_devinfo_lookup_by_key(key);
+- size_t vmax, mmax;
++ size_t vmax, mmax, mlen;
+ const char *vskip, *mskip;
+
+ if (IS_ERR(devinfo_table))
+@@ -449,15 +449,18 @@ static struct scsi_dev_info_list *scsi_d
+ dev_info_list) {
+ if (devinfo->compatible) {
+ /*
+- * Behave like the older version of get_device_flags.
++ * vendor strings must be an exact match
+ */
+- if (memcmp(devinfo->vendor, vskip, vmax) ||
+- (vmax < sizeof(devinfo->vendor) &&
+- devinfo->vendor[vmax]))
++ if (vmax != strlen(devinfo->vendor) ||
++ memcmp(devinfo->vendor, vskip, vmax))
+ continue;
+- if (memcmp(devinfo->model, mskip, mmax) ||
+- (mmax < sizeof(devinfo->model) &&
+- devinfo->model[mmax]))
++
++ /*
++ * @model specifies the full string, and
++ * must be larger or equal to devinfo->model
++ */
++ mlen = strlen(devinfo->model);
++ if (mmax < mlen || memcmp(devinfo->model, mskip, mlen))
+ continue;
+ return devinfo;
+ } else {
diff --git a/queue-4.9/series b/queue-4.9/series
new file mode 100644
index 00000000000..00ce3f37906
--- /dev/null
+++ b/queue-4.9/series
@@ -0,0 +1,3 @@
+scsi-scsi_devinfo-fixup-string-compare.patch
+usb-gadget-f_uac2-fix-error-handling-in-afunc_bind-again.patch
+esp6-fix-memleak-on-error-path-in-esp6_input.patch
diff --git a/queue-4.9/usb-gadget-f_uac2-fix-error-handling-in-afunc_bind-again.patch b/queue-4.9/usb-gadget-f_uac2-fix-error-handling-in-afunc_bind-again.patch
new file mode 100644
index 00000000000..92ed4a893bd
--- /dev/null
+++ b/queue-4.9/usb-gadget-f_uac2-fix-error-handling-in-afunc_bind-again.patch
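Review bot: The new `strlen(devinfo->vendor)` and `strlen(devinfo->model)` calls in the `devinfo->compatible` branch of the scsi_devinfo.c hunk assume both fields are NUL-terminated, yet the removed lines only read the terminator position under `vmax < sizeof(devinfo->vendor)`, which suggests an entry may fill its fixed-size array with no terminator. If that can happen, strlen() runs past the end of the field, so both lengths should be bounded: `vmax != strnlen(devinfo->vendor, sizeof(devinfo->vendor))` and `mlen = strnlen(devinfo->model, sizeof(devinfo->model));`. How list entries are populated is not visible here, so the termination guarantee needs confirming where they are added. The function body starts and ends outside the hunk.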
@@ -0,0 +1,226 @@
+From e87581fe0509020f77ebf0b7c4c1c338c6a4bcf6 Mon Sep 17 00:00:00 2001
+From: Eugeniu Rosca
+Date: Thu, 21 Jun 2018 17:22:46 +0200
+Subject: usb: gadget: f_uac2: fix error handling in afunc_bind (again)
+
+From: Eugeniu Rosca
+
+commit e87581fe0509020f77ebf0b7c4c1c338c6a4bcf6 upstream.
+
+If usb_ep_autoconfig() fails (i.e. returns a null endpoint descriptor),
+we expect afunc_bind() to fail (i.e. return a negative error code).
+
+However, due to v4.10-rc1 commit f1d3861d63a5 ("usb: gadget: f_uac2: fix
+error handling at afunc_bind"), afunc_bind() returns zero, telling the
+caller that it succeeded. This then generates NULL pointer dereference
+in below scenario on Rcar H3-ES20-Salvator-X target:
+
+rcar-gen3:/home/root# modprobe g_audio
+[ 626.521155] g_audio gadget: afunc_bind:565 Error!
+[ 626.526319] g_audio gadget: Linux USB Audio Gadget, version: Feb 2, 2012
+[ 626.533405] g_audio gadget: g_audio ready
+rcar-gen3:/home/root#
+rcar-gen3:/home/root# modprobe -r g_audio
+[ 728.256707] ==================================================================
+[ 728.264293] BUG: KASAN: null-ptr-deref in u_audio_stop_capture+0x70/0x268 [u_audio]
+[ 728.272244] Read of size 8 at addr 00000000000000a0 by task modprobe/2545
+[ 728.279309]
+[ 728.280849] CPU: 0 PID: 2545 Comm: modprobe Tainted: G WC 4.14.47+ #152
+[ 728.288778] Hardware name: Renesas Salvator-X board based on r8a7795 ES2.0+ (DT)
+[ 728.296454] Call trace:
+[ 728.299151] [] dump_backtrace+0x0/0x364
+[ 728.304808] [] show_stack+0x14/0x1c
+[ 728.310081] [] dump_stack+0x108/0x174
+[ 728.315522] [] kasan_report+0x1fc/0x354
+[ 728.321134] [] __asan_load8+0x24/0x94
+[ 728.326600] [] u_audio_stop_capture+0x70/0x268 [u_audio]
+[ 728.333735] [] afunc_disable+0x44/0x60 [usb_f_uac2]
+[ 728.340503] [] usb_remove_function+0x9c/0x210 [libcomposite]
+[ 728.348060] [] remove_config.isra.2+0x1d8/0x218 [libcomposite]
+[ 728.355788] [] __composite_unbind+0x104/0x1f8 [libcomposite]
+[ 728.363339] [] composite_unbind+0x10/0x18 [libcomposite]
+[ 728.370536] [] usb_gadget_remove_driver+0xc0/0x170 [udc_core]
+[ 728.378172] [] usb_gadget_unregister_driver+0x1cc/0x258 [udc_core]
+[ 728.386274] [] usb_composite_unregister+0x10/0x18 [libcomposite]
+[ 728.394116] [] audio_driver_exit+0x14/0x28 [g_audio]
+[ 728.400878] [] SyS_delete_module+0x288/0x32c
+[ 728.406935] Exception stack(0xffff8006cf6c7ec0 to 0xffff8006cf6c8000)
+[ 728.413624] 7ec0: 0000000006136428 0000000000000800 0000000000000000 0000ffffd706efe8
+[ 728.421718] 7ee0: 0000ffffd706efe9 000000000000000a 1999999999999999 0000000000000000
+[ 728.429792] 7f00: 000000000000006a 000000000042c078 0000000000000000 0000000000000005
+[ 728.437870] 7f20: 0000000000000000 0000000000000000 0000000000000004 0000000000000000
+[ 728.445952] 7f40: 000000000042bfc8 0000ffffbc7c8f40 0000000000000000 00000000061363c0
+[ 728.454035] 7f60: 0000000006136428 0000000000000000 0000000000000000 0000000006136428
+[ 728.462114] 7f80: 000000000042c000 0000ffffd7071448 000000000042c000 0000000000000000
+[ 728.470190] 7fa0: 00000000061350c0 0000ffffd7070010 000000000041129c 0000ffffd7070010
+[ 728.478281] 7fc0: 0000ffffbc7c8f48 0000000060000000 0000000006136428 000000000000006a
+[ 728.486351] 7fe0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
+[ 728.494434] [] el0_svc_naked+0x34/0x38
+[ 728.499957] ==================================================================
+[ 728.507801] Unable to handle kernel NULL pointer dereference at virtual address 000000a0
+[ 728.517742] Mem abort info:
+[ 728.520993] Exception class = DABT (current EL), IL = 32 bits
+[ 728.527375] SET = 0, FnV = 0
+[ 728.530731] EA = 0, S1PTW = 0
+[ 728.534361] Data abort info:
+[ 728.537650] ISV = 0, ISS = 0x00000006
+[ 728.541863] CM = 0, WnR = 0
+[ 728.545167] user pgtable: 4k pages, 48-bit VAs, pgd = ffff8006c6100000
+[ 728.552156] [00000000000000a0] *pgd=0000000716a8d003
+[ 728.557519] , *pud=00000007116fc003
+[ 728.561259] , *pmd=0000000000000000
+[ 728.564985] Internal error: Oops: 96000006 [#1] PREEMPT SMP
+[ 728.570815] Modules linked in:
+[ 728.574023] usb_f_uac2
+[ 728.576560] u_audio
+[ 728.578827] g_audio(-)
+[ 728.581361] libcomposite
+[ 728.584071] configfs
+[ 728.586428] aes_ce_blk
+[ 728.588960] sata_rcar
+[ 728.591421] crypto_simd
+[ 728.594039] cryptd
+[ 728.596217] libata
+[ 728.598396] aes_ce_cipher
+[ 728.601188] crc32_ce
+[ 728.603542] ghash_ce
+[ 728.605896] gf128mul
+[ 728.608250] aes_arm64
+[ 728.610692] scsi_mod
+[ 728.613046] sha2_ce
+[ 728.615313] xhci_plat_hcd
+[ 728.618106] sha256_arm64
+[ 728.620811] sha1_ce
+[ 728.623077] renesas_usbhs
+[ 728.625869] xhci_hcd
+[ 728.628243] renesas_usb3
+[ 728.630948] sha1_generic
+[ 728.633670] ravb_streaming(C)
+[ 728.636814] udc_core
+[ 728.639168] cpufreq_dt
+[ 728.641697] rcar_gen3_thermal
+[ 728.644840] usb_dmac
+[ 728.647194] pwm_rcar
+[ 728.649548] thermal_sys
+[ 728.652165] virt_dma
+[ 728.654519] mch_core(C)
+[ 728.657137] pwm_bl
+[ 728.659315] snd_soc_rcar
+[ 728.662020] snd_aloop
+[ 728.664462] snd_soc_generic_card
+[ 728.667869] snd_soc_ak4613
+[ 728.670749] ipv6
+[ 728.672768] autofs4
+[ 728.675052] CPU: 0 PID: 2545 Comm: modprobe Tainted: G B WC 4.14.47+ #152
+[ 728.682973] Hardware name: Renesas Salvator-X board based on r8a7795 ES2.0+ (DT)
+[ 728.690637] task: ffff8006ced38000 task.stack: ffff8006cf6c0000
+[ 728.696814] PC is at u_audio_stop_capture+0x70/0x268 [u_audio]
+[ 728.702896] LR is at u_audio_stop_capture+0x70/0x268 [u_audio]
+[ 728.708964] pc : [] lr : [] pstate: 60000145
+[ 728.716620] sp : ffff8006cf6c7a50
+[ 728.720154] x29: ffff8006cf6c7a50
+[ 728.723760] x28: ffff8006ced38000
+[ 728.727272] x27: ffff200008fd7000
+[ 728.730857] x26: ffff2000021d2340
+[ 728.734361] x25: 0000000000000000
+[ 728.737948] x24: ffff200009e94b08
+[ 728.741452] x23: 00000000000000a0
+[ 728.745052] x22: 00000000000000a8
+[ 728.748558] x21: 1ffff000d9ed8f7c
+[ 728.752142] x20: ffff8006d671a800
+[ 728.755646] x19: 0000000000000000
+[ 728.759231] x18: 0000000000000000
+[ 728.762736] x17: 0000ffffbc7c8f40
+[ 728.766320] x16: ffff200008213c4c
+[ 728.769823] x15: 0000000000000000
+[ 728.773408] x14: 0720072007200720
+[ 728.776912] x13: 0720072007200720
+[ 728.780497] x12: ffffffffffffffff
+[ 728.784001] x11: 0000000000000040
+[ 728.787598] x10: 0000000000001600
+[ 728.791103] x9 : ffff8006cf6c77a0
+[ 728.794689] x8 : ffff8006ced39660
+[ 728.798193] x7 : ffff20000811c738
+[ 728.801794] x6 : 0000000000000000
+[ 728.805299] x5 : dfff200000000000
+[ 728.808885] x4 : ffff8006ced38000
+[ 728.812390] x3 : ffff200008fb46e8
+[ 728.815976] x2 : 0000000000000007
+[ 728.819480] x1 : 3ba68643e7431500
+[ 728.823066] x0 : 0000000000000000
+[ 728.826574] Process modprobe (pid: 2545, stack limit = 0xffff8006cf6c0000)
+[ 728.833704] Call trace:
+[ 728.836292] Exception stack(0xffff8006cf6c7910 to 0xffff8006cf6c7a50)
+[ 728.842987] 7900: 0000000000000000 3ba68643e7431500
+[ 728.851084] 7920: 0000000000000007 ffff200008fb46e8 ffff8006ced38000 dfff200000000000
+[ 728.859173] 7940: 0000000000000000 ffff20000811c738 ffff8006ced39660 ffff8006cf6c77a0
+[ 728.867248] 7960: 0000000000001600 0000000000000040 ffffffffffffffff 0720072007200720
+[ 728.875323] 7980: 0720072007200720 0000000000000000 ffff200008213c4c 0000ffffbc7c8f40
+[ 728.883412] 79a0: 0000000000000000 0000000000000000 ffff8006d671a800 1ffff000d9ed8f7c
+[ 728.891485] 79c0: 00000000000000a8 00000000000000a0 ffff200009e94b08 0000000000000000
+[ 728.899561] 79e0: ffff2000021d2340 ffff200008fd7000 ffff8006ced38000 ffff8006cf6c7a50
+[ 728.907636] 7a00: ffff2000021e1618 ffff8006cf6c7a50 ffff2000021e1618 0000000060000145
+[ 728.915710] 7a20: 0000000000000008 0000000000000000 0000ffffffffffff 3ba68643e7431500
+[ 728.923780] 7a40: ffff8006cf6c7a50 ffff2000021e1618
+[ 728.928880] [] u_audio_stop_capture+0x70/0x268 [u_audio]
+[ 728.936032] [] afunc_disable+0x44/0x60 [usb_f_uac2]
+[ 728.942822] [] usb_remove_function+0x9c/0x210 [libcomposite]
+[ 728.950385] [] remove_config.isra.2+0x1d8/0x218 [libcomposite]
+[ 728.958134] [] __composite_unbind+0x104/0x1f8 [libcomposite]
+[ 728.965689] [] composite_unbind+0x10/0x18 [libcomposite]
+[ 728.972882] [] usb_gadget_remove_driver+0xc0/0x170 [udc_core]
+[ 728.980522] [] usb_gadget_unregister_driver+0x1cc/0x258 [udc_core]
+[ 728.988638] [] usb_composite_unregister+0x10/0x18 [libcomposite]
+[ 728.996472] [] audio_driver_exit+0x14/0x28 [g_audio]
+[ 729.003231] [] SyS_delete_module+0x288/0x32c
+[ 729.009278] Exception stack(0xffff8006cf6c7ec0 to 0xffff8006cf6c8000)
+[ 729.015946] 7ec0: 0000000006136428 0000000000000800 0000000000000000 0000ffffd706efe8
+[ 729.024022] 7ee0: 0000ffffd706efe9 000000000000000a 1999999999999999 0000000000000000
+[ 729.032099] 7f00: 000000000000006a 000000000042c078 0000000000000000 0000000000000005
+[ 729.040172] 7f20: 0000000000000000 0000000000000000 0000000000000004 0000000000000000
+[ 729.048263] 7f40: 000000000042bfc8 0000ffffbc7c8f40 0000000000000000 00000000061363c0
+[ 729.056337] 7f60: 0000000006136428 0000000000000000 0000000000000000 0000000006136428
+[ 729.064411] 7f80: 000000000042c000 0000ffffd7071448 000000000042c000 0000000000000000
+[ 729.072484] 7fa0: 00000000061350c0 0000ffffd7070010 000000000041129c 0000ffffd7070010
+[ 729.080563] 7fc0: 0000ffffbc7c8f48 0000000060000000 0000000006136428 000000000000006a
+[ 729.088636] 7fe0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
+[ 729.096733] [] el0_svc_naked+0x34/0x38
+[ 729.102259] Code: 9597d1b3 aa1703e0 9102a276 958792b9 (f9405275)
+[ 729.108617] ---[ end trace 7560c5fa3d100243 ]---
+
+After this patch is applied, the issue is fixed:
+rcar-gen3:/home/root# modprobe g_audio
+[ 59.217127] g_audio gadget: afunc_bind:565 Error!
+[ 59.222329] g_audio ee020000.usb: failed to start g_audio: -19
+modprobe: ERROR: could not insert 'g_audio': No such device
+rcar-gen3:/home/root# modprobe -r g_audio
+rcar-gen3:/home/root#
+
+Fixes: f1d3861d63a5 ("usb: gadget: f_uac2: fix error handling at afunc_bind")
+Signed-off-by: Eugeniu Rosca
+Signed-off-by: Felipe Balbi
+Cc: Guenter Roeck
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/gadget/function/f_uac2.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/gadget/function/f_uac2.c
++++ b/drivers/usb/gadget/function/f_uac2.c
+@@ -1069,13 +1069,13 @@ afunc_bind(struct usb_configuration *cfg
+ agdev->out_ep = usb_ep_autoconfig(gadget, &fs_epout_desc);
+ if (!agdev->out_ep) {
+ dev_err(dev, "%s:%d Error!\n", __func__, __LINE__);
+- return ret;
++ return -ENODEV;
+ }
+
+ agdev->in_ep = usb_ep_autoconfig(gadget, &fs_epin_desc);
+ if (!agdev->in_ep) {
+ dev_err(dev, "%s:%d Error!\n", __func__, __LINE__);
+- return ret;
++ return -ENODEV;
+ }
+
+ uac2->p_prm.uac2 = uac2;
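Review bot: Both failure branches in the f_uac2.c hunk still log only `Error!` with the function name and line, so the log does not say which endpoint could not be allocated; a message such as `dev_err(dev, "%s: no OUT endpoint available\n", __func__);` (and the IN equivalent) would make the new -ENODEV traceable. afunc_bind starts and ends outside the hunk, so any other early `return ret` in it cannot be checked from here. Each one should be confirmed to carry a negative errno, since a zero return on a failed bind is what the commit message ties to the NULL dereference in the unbind trace.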