From: Greg Kroah-Hartman
Date: Mon, 2 Dec 2024 11:19:25 +0000 (+0100)
Subject: 5.15-stable patches
X-Git-Tag: v4.19.325~104
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=8abd73f4dba057bdaad1e77c4baf2b5bebacee9c;p=thirdparty%2Fkernel%2Fstable-queue.git

5.15-stable patches

added patches:
alsa-usb-audio-fix-out-of-bounds-reads-when-finding-clock-sources.patch
usb-ehci-spear-fix-call-balance-of-sehci-clk-handling-routines.patch
xen-fix-the-issue-of-resource-not-being-properly-released-in-xenbus_dev_probe.patch
---

diff --git a/queue-5.15/alsa-usb-audio-fix-out-of-bounds-reads-when-finding-clock-sources.patch b/queue-5.15/alsa-usb-audio-fix-out-of-bounds-reads-when-finding-clock-sources.patch
new file mode 100644
index 00000000000..e4af7f44566
--- /dev/null
+++ b/queue-5.15/alsa-usb-audio-fix-out-of-bounds-reads-when-finding-clock-sources.patch
@@ -0,0 +1,90 @@
+From a3dd4d63eeb452cfb064a13862fb376ab108f6a6 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Mon, 25 Nov 2024 15:46:16 +0100
+Subject: ALSA: usb-audio: Fix out of bounds reads when finding clock sources
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Takashi Iwai
+
+commit a3dd4d63eeb452cfb064a13862fb376ab108f6a6 upstream.
+
+The current USB-audio driver code doesn't check bLength of each
+descriptor at traversing for clock descriptors. That is, when a
+device provides a bogus descriptor with a shorter bLength, the driver
+might hit out-of-bounds reads.
+
+For addressing it, this patch adds sanity checks to the validator
+functions for the clock descriptor traversal. When the descriptor
+length is shorter than expected, it's skipped in the loop.
+
+For the clock source and clock multiplier descriptors, we can just
+check bLength against the sizeof() of each descriptor type.
+OTOH, the clock selector descriptor of UAC2 and UAC3 has an array
+of bNrInPins elements and two more fields at its tail, hence those
+have to be checked in addition to the sizeof() check.
+
+Reported-by: Benoît Sevens
+Cc:
+Link: https://lore.kernel.org/20241121140613.3651-1-bsevens@google.com
+Link: https://patch.msgid.link/20241125144629.20757-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/usb/clock.c | 24 +++++++++++++++++++++++-
+ 1 file changed, 23 insertions(+), 1 deletion(-)
+
+--- a/sound/usb/clock.c
++++ b/sound/usb/clock.c
+@@ -36,6 +36,12 @@ union uac23_clock_multiplier_desc {
+ struct uac_clock_multiplier_descriptor v3;
+ };
+
++/* check whether the descriptor bLength has the minimal length */
++#define DESC_LENGTH_CHECK(p, proto) \
++ ((proto) == UAC_VERSION_3 ? \
++ ((p)->v3.bLength >= sizeof((p)->v3)) : \
++ ((p)->v2.bLength >= sizeof((p)->v2)))
++
+ #define GET_VAL(p, proto, field) \
+ ((proto) == UAC_VERSION_3 ? (p)->v3.field : (p)->v2.field)
+
+@@ -58,6 +64,8 @@ static bool validate_clock_source(void *
+ {
+ union uac23_clock_source_desc *cs = p;
+
++ if (!DESC_LENGTH_CHECK(cs, proto))
++ return false;
+ return GET_VAL(cs, proto, bClockID) == id;
+ }
+
+@@ -65,13 +73,27 @@ static bool validate_clock_selector(void
+ {
+ union uac23_clock_selector_desc *cs = p;
+
+- return GET_VAL(cs, proto, bClockID) == id;
++ if (!DESC_LENGTH_CHECK(cs, proto))
++ return false;
++ if (GET_VAL(cs, proto, bClockID) != id)
++ return false;
++ /* additional length check for baCSourceID array (in bNrInPins size)
++ * and two more fields (which sizes depend on the protocol)
++ */
++ if (proto == UAC_VERSION_3)
++ return cs->v3.bLength >= sizeof(cs->v3) + cs->v3.bNrInPins +
++ 4 /* bmControls */ + 2 /* wCSelectorDescrStr */;
++ else
++ return cs->v2.bLength >= sizeof(cs->v2) + cs->v2.bNrInPins +
++ 1 /* bmControls */ + 1 /* iClockSelector */;
+ }
+
+ static bool validate_clock_multiplier(void *p, int id, int proto)
+ {
+ union uac23_clock_multiplier_desc *cs = p;
+
++ if (!DESC_LENGTH_CHECK(cs, proto))
++ return false;
+ return GET_VAL(cs, proto, bClockID) == id;
+ }
+
diff --git a/queue-5.15/series b/queue-5.15/series
index c43c427bb3a..00d89ce56b8 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -284,3 +284,6 @@ alsa-hda-realtek-update-alc256-depop-procedure.patch
 apparmor-fix-do-simple-duplicate-message-elimination.patch
 parisc-fix-a-possible-dma-corruption.patch
 ksmbd-fix-slab-use-after-free-in-smb3_preauth_hash_rsp.patch
+xen-fix-the-issue-of-resource-not-being-properly-released-in-xenbus_dev_probe.patch
+alsa-usb-audio-fix-out-of-bounds-reads-when-finding-clock-sources.patch
+usb-ehci-spear-fix-call-balance-of-sehci-clk-handling-routines.patch
diff --git a/queue-5.15/usb-ehci-spear-fix-call-balance-of-sehci-clk-handling-routines.patch b/queue-5.15/usb-ehci-spear-fix-call-balance-of-sehci-clk-handling-routines.patch
new file mode 100644
index 00000000000..41bd46ec0b5
--- /dev/null
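Review bot: The comment on `DESC_LENGTH_CHECK` in the clock.c hunk does not state what the check relies on: it compares the device-supplied bLength with `sizeof()` of the descriptor struct, which bounds the later field reads only if the traversal calling these validators has already confirmed that bLength bytes lie inside the descriptor buffer. That traversal is outside the hunk, so this is an assumption to confirm rather than something the visible lines show. I would extend the comment to `/* bLength is device-controlled; the caller must already have bounded it by the end of the descriptor buffer */`. In `validate_clock_selector` the reads of `bClockID` and `bNrInPins` are in bounds only because they come after the `DESC_LENGTH_CHECK`, which deserves a one-line comment so the order is not changed later.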
+++ b/queue-5.15/usb-ehci-spear-fix-call-balance-of-sehci-clk-handling-routines.patch
@@ -0,0 +1,50 @@
+From 40c974826734836402abfd44efbf04f63a2cc1c1 Mon Sep 17 00:00:00 2001
+From: Vitalii Mordan
+Date: Fri, 15 Nov 2024 02:03:10 +0300
+Subject: usb: ehci-spear: fix call balance of sehci clk handling routines
+
+From: Vitalii Mordan
+
+commit 40c974826734836402abfd44efbf04f63a2cc1c1 upstream.
+
+If the clock sehci->clk was not enabled in spear_ehci_hcd_drv_probe,
+it should not be disabled in any path.
+
+Conversely, if it was enabled in spear_ehci_hcd_drv_probe, it must be disabled
+in all error paths to ensure proper cleanup.
+
+Found by Linux Verification Center (linuxtesting.org) with Klever.
+
+Fixes: 7675d6ba436f ("USB: EHCI: make ehci-spear a separate driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Vitalii Mordan
+Acked-by: Alan Stern
+Link: https://lore.kernel.org/r/20241114230310.432213-1-mordan@ispras.ru
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/host/ehci-spear.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/host/ehci-spear.c
++++ b/drivers/usb/host/ehci-spear.c
+@@ -108,7 +108,9 @@ static int spear_ehci_hcd_drv_probe(stru
+ /* registers start at offset 0x0 */
+ hcd_to_ehci(hcd)->caps = hcd->regs;
+
+- clk_prepare_enable(sehci->clk);
++ retval = clk_prepare_enable(sehci->clk);
++ if (retval)
++ goto err_put_hcd;
+ retval = usb_add_hcd(hcd, irq, IRQF_SHARED);
+ if (retval)
+ goto err_stop_ehci;
+@@ -133,8 +135,7 @@ static int spear_ehci_hcd_drv_remove(str
+
+ usb_remove_hcd(hcd);
+
+- if (sehci->clk)
+- clk_disable_unprepare(sehci->clk);
++ clk_disable_unprepare(sehci->clk);
+ usb_put_hcd(hcd);
+
+ return 0;
diff --git a/queue-5.15/xen-fix-the-issue-of-resource-not-being-properly-released-in-xenbus_dev_probe.patch b/queue-5.15/xen-fix-the-issue-of-resource-not-being-properly-released-in-xenbus_dev_probe.patch
new file mode 100644
index 00000000000..d685a7d8ef7
--- /dev/null
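Review bot: Dropping the `if (sehci->clk)` guard in `spear_ehci_hcd_drv_remove` makes `clk_disable_unprepare()` unconditional, which keeps the enable/disable count balanced only if every successful probe leaves the clock enabled. The new `goto err_put_hcd` on a failed `clk_prepare_enable()` appears to establish that, but the assignment of `sehci->clk` and the bodies of the `err_stop_ehci` and `err_put_hcd` labels are outside the hunk, so it cannot be confirmed from the visible lines. A short comment at the remove site would record the invariant, for example `/* clk is always enabled once probe has succeeded */`. It is also worth confirming that `err_stop_ehci` disables the clock before reaching `err_put_hcd`, since that is the path taken when usb_add_hcd() fails after the enable.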
+++ b/queue-5.15/xen-fix-the-issue-of-resource-not-being-properly-released-in-xenbus_dev_probe.patch 
@@ -0,0 +1,66 @@
+From afc545da381ba0c651b2658966ac737032676f01 Mon Sep 17 00:00:00 2001
+From: Qiu-ji Chen
+Date: Tue, 5 Nov 2024 21:09:19 +0800
+Subject: xen: Fix the issue of resource not being properly released in xenbus_dev_probe()
+
+From: Qiu-ji Chen
+
+commit afc545da381ba0c651b2658966ac737032676f01 upstream.
+
+This patch fixes an issue in the function xenbus_dev_probe(). In the
+xenbus_dev_probe() function, within the if (err) branch at line 313, the
+program incorrectly returns err directly without releasing the resources
+allocated by err = drv->probe(dev, id). As the return value is non-zero,
+the upper layers assume the processing logic has failed. However, the probe
+operation was performed earlier without a corresponding remove operation.
+Since the probe actually allocates resources, failing to perform the remove
+operation could lead to problems.
+
+To fix this issue, we followed the resource release logic of the
+xenbus_dev_remove() function by adding a new block fail_remove before the
+fail_put block. After entering the branch if (err) at line 313, the
+function will use a goto statement to jump to the fail_remove block,
+ensuring that the previously acquired resources are correctly released,
+thus preventing the reference count leak.
+
+This bug was identified by an experimental static analysis tool developed
+by our team. The tool specializes in analyzing reference count operations
+and detecting potential issues where resources are not properly managed.
+In this case, the tool flagged the missing release operation as a
+potential problem, which led to the development of this patch.
+
+Fixes: 4bac07c993d0 ("xen: add the Xenbus sysfs and virtual device hotplug driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Qiu-ji Chen
+Reviewed-by: Juergen Gross
+Message-ID: <20241105130919.4621-1-chenqiuji666@gmail.com>
+Signed-off-by: Juergen Gross
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/xen/xenbus/xenbus_probe.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/xen/xenbus/xenbus_probe.c
++++ b/drivers/xen/xenbus/xenbus_probe.c
+@@ -308,7 +308,7 @@ int xenbus_dev_probe(struct device *_dev
+ if (err) {
+ dev_warn(&dev->dev, "watch_otherend on %s failed.\n",
+ dev->nodename);
+- return err;
++ goto fail_remove;
+ }
+
+ dev->spurious_threshold = 1;
+@@ -317,6 +317,12 @@ int xenbus_dev_probe(struct device *_dev
+ dev->nodename);
+
+ return 0;
++fail_remove:
++ if (drv->remove) {
++ down(&dev->reclaim_sem);
++ drv->remove(dev);
++ up(&dev->reclaim_sem);
++ }
+ fail_put:
+ module_put(drv->driver.owner);
+ fail:
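Review bot: The new `fail_remove` block in xenbus_dev_probe() undoes only `drv->probe()`: it calls `drv->remove(dev)` under `reclaim_sem` and falls through to `fail_put`, while the commit text says it follows the release logic of xenbus_dev_remove(), which is not visible here. The hunk does not show whether a failed `watch_otherend()` can leave a watch or other per-device state behind that this path would also need to release, so that should be checked against the full function. A comment on the label, `/* undo drv->probe(); falls through to fail_put */`, would make the intended unwind order explicit. The code after `fail:` lies outside the hunk.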