From: Greg Kroah-Hartman
Date: Mon, 11 Jan 2021 07:36:30 +0000 (+0100)
Subject: 5.4-stable patches
X-Git-Tag: v4.4.251~25
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a6f3c6db018f966a0c0a7f6ee0af2f416cb77653;p=thirdparty%2Fkernel%2Fstable-queue.git
5.4-stable patches
added patches:
crypto-asym_tpm-correct-zero-out-potential-secrets.patch
crypto-ecdh-avoid-buffer-overflow-in-ecdh_set_secret.patch
powerpc-handle-.text.-hot-unlikely-.-in-linker-script.patch
staging-mt7621-dma-fix-a-resource-leak-in-an-error-handling-path.patch
usb-cdc-acm-blacklist-another-ir-droid-device.patch
usb-cdc-wdm-fix-use-after-free-in-service_outstanding_interrupt.patch
usb-gadget-enable-super-speed-plus.patch
---
diff --git a/queue-5.4/crypto-asym_tpm-correct-zero-out-potential-secrets.patch b/queue-5.4/crypto-asym_tpm-correct-zero-out-potential-secrets.patch
new file mode 100644
index 00000000000..06627cc7f79
--- /dev/null
+++ b/queue-5.4/crypto-asym_tpm-correct-zero-out-potential-secrets.patch
@@ -0,0 +1,35 @@
+From f93274ef0fe972c120c96b3207f8fce376231a60 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman
+Date: Fri, 4 Dec 2020 09:01:36 +0100
+Subject: crypto: asym_tpm: correct zero out potential secrets
+
+From: Greg Kroah-Hartman
+
+commit f93274ef0fe972c120c96b3207f8fce376231a60 upstream.
+
+The function derive_pub_key() should be calling memzero_explicit()
+instead of memset() in case the complier decides to optimize away the
+call to memset() because it "knows" no one is going to touch the memory
+anymore.
+
+Cc: stable
+Reported-by: Ilil Blum Shem-Tov
+Tested-by: Ilil Blum Shem-Tov
+Link: https://lore.kernel.org/r/X8ns4AfwjKudpyfe@kroah.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ crypto/asymmetric_keys/asym_tpm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/crypto/asymmetric_keys/asym_tpm.c
++++ b/crypto/asymmetric_keys/asym_tpm.c
+@@ -370,7 +370,7 @@ static uint32_t derive_pub_key(const voi
+ memcpy(cur, e, sizeof(e));
+ cur += sizeof(e);
+ /* Zero parameters to satisfy set_pub_key ABI. */
+- memset(cur, 0, SETKEY_PARAMS_SIZE);
++ memzero_explicit(cur, SETKEY_PARAMS_SIZE);
+
+ return cur - buf;
+ }
diff --git a/queue-5.4/crypto-ecdh-avoid-buffer-overflow-in-ecdh_set_secret.patch b/queue-5.4/crypto-ecdh-avoid-buffer-overflow-in-ecdh_set_secret.patch
new file mode 100644
index 00000000000..fa2d4d65e0c
--- /dev/null
+++ b/queue-5.4/crypto-ecdh-avoid-buffer-overflow-in-ecdh_set_secret.patch
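Review bot: In derive_pub_key() the zeroing writes SETKEY_PARAMS_SIZE bytes at `cur`, but `cur` is not advanced afterwards, so the length returned by `return cur - buf;` does not count them, and nothing in the hunk states or checks that the caller's buffer has that extra room. The existing comment also describes the store as padding required by the set_pub_key ABI, which is a different reason from the secret scrubbing named in the commit message. I would make the comment carry both facts, e.g. `/* Zero the SETKEY_PARAMS_SIZE trailer required by the set_pub_key ABI; it is not counted in the returned length, so buf must have room for it. */`. The function starts outside the hunk, so the buffer size and its callers are not visible here.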
@@ -0,0 +1,41 @@
+From 0aa171e9b267ce7c52d3a3df7bc9c1fc0203dec5 Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel
+Date: Sat, 2 Jan 2021 14:59:09 +0100
+Subject: crypto: ecdh - avoid buffer overflow in ecdh_set_secret()
+
+From: Ard Biesheuvel
+
+commit 0aa171e9b267ce7c52d3a3df7bc9c1fc0203dec5 upstream.
+
+Pavel reports that commit 17858b140bf4 ("crypto: ecdh - avoid unaligned
+accesses in ecdh_set_secret()") fixes one problem but introduces another:
+the unconditional memcpy() introduced by that commit may overflow the
+target buffer if the source data is invalid, which could be the result of
+intentional tampering.
+
+So check params.key_size explicitly against the size of the target buffer
+before validating the key further.
+
+Fixes: 17858b140bf4 ("crypto: ecdh - avoid unaligned accesses in ecdh_set_secret()")
+Reported-by: Pavel Machek
+Cc:
+Signed-off-by: Ard Biesheuvel
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ crypto/ecdh.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/crypto/ecdh.c
++++ b/crypto/ecdh.c
+@@ -39,7 +39,8 @@ static int ecdh_set_secret(struct crypto
+ struct ecdh params;
+ unsigned int ndigits;
+
+- if (crypto_ecdh_decode_key(buf, len, ¶ms) < 0)
++ if (crypto_ecdh_decode_key(buf, len, ¶ms) < 0 ||
++ params.key_size > sizeof(ctx->private_key))
+ return -EINVAL;
+
+ ndigits = ecdh_supported_curve(params.curve_id);
diff --git a/queue-5.4/powerpc-handle-.text.-hot-unlikely-.-in-linker-script.patch b/queue-5.4/powerpc-handle-.text.-hot-unlikely-.-in-linker-script.patch
new file mode 100644
index 00000000000..8af8607edcd
--- /dev/null
+++ b/queue-5.4/powerpc-handle-.text.-hot-unlikely-.-in-linker-script.patch
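Review bot: The added test `params.key_size > sizeof(ctx->private_key)` is only an upper bound, and it carries no comment saying why it sits in this condition. params.key_size is decoded from the caller-supplied buffer, and per the commit message the memcpy() into the target buffer is unconditional and runs before the key is validated further, so this comparison is the only thing between an untrusted length and the copy. A one-line comment such as `/* key_size is caller-controlled; bound it before the copy into ctx->private_key */` would keep a later refactor from moving or dropping it. Whether a key shorter than the curve requires is rejected later, and whether ctx->private_key is cleared on that path, is outside the hunk and worth confirming; ecdh_set_secret() begins before and continues past the visible lines.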
@@ -0,0 +1,57 @@
+From 3ce47d95b7346dcafd9bed3556a8d072cb2b8571 Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor
+Date: Mon, 4 Jan 2021 13:59:53 -0700
+Subject: powerpc: Handle .text.{hot,unlikely}.* in linker script
+
+From: Nathan Chancellor
+
+commit 3ce47d95b7346dcafd9bed3556a8d072cb2b8571 upstream.
+
+Commit eff8728fe698 ("vmlinux.lds.h: Add PGO and AutoFDO input
+sections") added ".text.unlikely.*" and ".text.hot.*" due to an LLVM
+change [1].
+
+After another LLVM change [2], these sections are seen in some PowerPC
+builds, where there is a orphan section warning then build failure:
+
+$ make -skj"$(nproc)" \
+ ARCH=powerpc CROSS_COMPILE=powerpc64le-linux-gnu- LLVM=1 O=out \
+ distclean powernv_defconfig zImage.epapr
+ld.lld: warning: kernel/built-in.a(panic.o):(.text.unlikely.) is being placed in '.text.unlikely.'
+...
+ld.lld: warning: address (0xc000000000009314) of section .text is not a multiple of alignment (256)
+...
+ERROR: start_text address is c000000000009400, should be c000000000008000
+ERROR: try to enable LD_HEAD_STUB_CATCH config option
+ERROR: see comments in arch/powerpc/tools/head_check.sh
+...
+
+Explicitly handle these sections like in the main linker script so
+there is no more build failure.
+
+[1]: https://reviews.llvm.org/D79600
+[2]: https://reviews.llvm.org/D92493
+
+Fixes: 83a092cf95f2 ("powerpc: Link warning for orphan sections")
+Cc: stable@vger.kernel.org
+Signed-off-by: Nathan Chancellor
+Signed-off-by: Michael Ellerman
+Link: https://github.com/ClangBuiltLinux/linux/issues/1218
+Link: https://lore.kernel.org/r/20210104205952.1399409-1-natechancellor@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/powerpc/kernel/vmlinux.lds.S | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/kernel/vmlinux.lds.S
++++ b/arch/powerpc/kernel/vmlinux.lds.S
+@@ -98,7 +98,7 @@ SECTIONS
+ ALIGN_FUNCTION();
+ #endif
+ /* careful! __ftr_alt_* sections need to be close to .text */
+- *(.text.hot TEXT_MAIN .text.fixup .text.unlikely .fixup __ftr_alt_* .ref.text);
++ *(.text.hot .text.hot.* TEXT_MAIN .text.fixup .text.unlikely .text.unlikely.* .fixup __ftr_alt_* .ref.text);
+ #ifdef CONFIG_PPC64
+ *(.tramp.ftrace.text);
+ #endif
diff --git a/queue-5.4/series b/queue-5.4/series
index f7652e9c096..0384c17164e 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -46,3 +46,10 @@ net-sched-sch_taprio-ensure-to-reset-destroy-all-child-qdiscs.patch
 kbuild-don-t-hardcode-depmod-path.patch
 bluetooth-revert-hci_h5-close-serdev-device-and-free-hu-in-h5_close.patch
 video-hyperv_fb-fix-the-mmap-regression-for-v5.4.y-a.patch
+crypto-ecdh-avoid-buffer-overflow-in-ecdh_set_secret.patch
+crypto-asym_tpm-correct-zero-out-potential-secrets.patch
+powerpc-handle-.text.-hot-unlikely-.-in-linker-script.patch
+staging-mt7621-dma-fix-a-resource-leak-in-an-error-handling-path.patch
+usb-gadget-enable-super-speed-plus.patch
+usb-cdc-acm-blacklist-another-ir-droid-device.patch
+usb-cdc-wdm-fix-use-after-free-in-service_outstanding_interrupt.patch
diff --git a/queue-5.4/staging-mt7621-dma-fix-a-resource-leak-in-an-error-handling-path.patch b/queue-5.4/staging-mt7621-dma-fix-a-resource-leak-in-an-error-handling-path.patch
new file mode 100644
index 00000000000..a4702fef626
--- /dev/null
+++ b/queue-5.4/staging-mt7621-dma-fix-a-resource-leak-in-an-error-handling-path.patch
@@ -0,0 +1,43 @@
+From d887d6104adeb94d1b926936ea21f07367f0ff9f Mon Sep 17 00:00:00 2001
+From: Christophe JAILLET
+Date: Sun, 13 Dec 2020 16:35:13 +0100
+Subject: staging: mt7621-dma: Fix a resource leak in an error handling path
+
+From: Christophe JAILLET
+
+commit d887d6104adeb94d1b926936ea21f07367f0ff9f upstream.
+
+If an error occurs after calling 'mtk_hsdma_init()', it must be undone by
+a corresponding call to 'mtk_hsdma_uninit()' as already done in the
+remove function.
+
+Fixes: 0853c7a53eb3 ("staging: mt7621-dma: ralink: add rt2880 dma engine")
+Signed-off-by: Christophe JAILLET
+Cc: stable
+Link: https://lore.kernel.org/r/20201213153513.138723-1-christophe.jaillet@wanadoo.fr
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/staging/mt7621-dma/mtk-hsdma.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/staging/mt7621-dma/mtk-hsdma.c
++++ b/drivers/staging/mt7621-dma/mtk-hsdma.c
+@@ -714,7 +714,7 @@ static int mtk_hsdma_probe(struct platfo
+ ret = dma_async_device_register(dd);
+ if (ret) {
+ dev_err(&pdev->dev, "failed to register dma device\n");
+- return ret;
++ goto err_uninit_hsdma;
+ }
+
+ ret = of_dma_controller_register(pdev->dev.of_node,
+@@ -730,6 +730,8 @@ static int mtk_hsdma_probe(struct platfo
+
+ err_unregister:
+ dma_async_device_unregister(dd);
++err_uninit_hsdma:
++ mtk_hsdma_uninit(hsdma);
+ return ret;
+ }
+
diff --git a/queue-5.4/usb-cdc-acm-blacklist-another-ir-droid-device.patch b/queue-5.4/usb-cdc-acm-blacklist-another-ir-droid-device.patch
new file mode 100644
index 00000000000..fd571178f09
--- /dev/null
+++ b/queue-5.4/usb-cdc-acm-blacklist-another-ir-droid-device.patch
@@ -0,0 +1,35 @@
+From 0ffc76539e6e8d28114f95ac25c167c37b5191b3 Mon Sep 17 00:00:00 2001
+From: Sean Young
+Date: Sun, 27 Dec 2020 13:45:02 +0000
+Subject: USB: cdc-acm: blacklist another IR Droid device
+
+From: Sean Young
+
+commit 0ffc76539e6e8d28114f95ac25c167c37b5191b3 upstream.
+
+This device is supported by the IR Toy driver.
+
+Reported-by: Georgi Bakalski
+Signed-off-by: Sean Young
+Acked-by: Oliver Neukum
+Cc: stable
+Link: https://lore.kernel.org/r/20201227134502.4548-2-sean@mess.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/class/cdc-acm.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -1907,6 +1907,10 @@ static const struct usb_device_id acm_id
+ { USB_DEVICE(0x04d8, 0x0083), /* Bootloader mode */
+ .driver_info = IGNORE_DEVICE,
+ },
++
++ { USB_DEVICE(0x04d8, 0xf58b),
++ .driver_info = IGNORE_DEVICE,
++ },
+ #endif
+
+ /*Samsung phone in firmware update mode */
diff --git a/queue-5.4/usb-cdc-wdm-fix-use-after-free-in-service_outstanding_interrupt.patch b/queue-5.4/usb-cdc-wdm-fix-use-after-free-in-service_outstanding_interrupt.patch
new file mode 100644
index 00000000000..96dcebc66d8
--- /dev/null
+++ b/queue-5.4/usb-cdc-wdm-fix-use-after-free-in-service_outstanding_interrupt.patch
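Review bot: The new `USB_DEVICE(0x04d8, 0xf58b)` entry has no comment, unlike the `/* Bootloader mode */` entry directly above it, so the table does not say which device is being ignored or why. The commit message gives the reason (an IR Droid device that the IR Toy driver supports); putting it on the entry, e.g. `{ USB_DEVICE(0x04d8, 0xf58b), /* IR Droid, handled by the IR Toy driver */`, keeps the ignore list auditable. The entry sits before an `#endif` whose opening condition is outside the hunk, so the ignore only applies when that condition holds.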
@@ -0,0 +1,80 @@
+From 5e5ff0b4b6bcb4d17b7a26ec8bcfc7dd4651684f Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa
+Date: Sun, 20 Dec 2020 00:25:53 +0900
+Subject: USB: cdc-wdm: Fix use after free in service_outstanding_interrupt().
+
+From: Tetsuo Handa
+
+commit 5e5ff0b4b6bcb4d17b7a26ec8bcfc7dd4651684f upstream.
+
+syzbot is reporting UAF at usb_submit_urb() [1], for
+service_outstanding_interrupt() is not checking WDM_DISCONNECTING
+before calling usb_submit_urb(). Close the race by doing same checks
+wdm_read() does upon retry.
+
+Also, while wdm_read() checks WDM_DISCONNECTING with desc->rlock held,
+service_interrupt_work() does not hold desc->rlock. Thus, it is possible
+that usb_submit_urb() is called from service_outstanding_interrupt() from
+service_interrupt_work() after WDM_DISCONNECTING was set and kill_urbs()
+ from wdm_disconnect() completed. Thus, move kill_urbs() in
+wdm_disconnect() to after cancel_work_sync() (which makes sure that
+service_interrupt_work() is no longer running) completed.
+
+Although it seems to be safe to dereference desc->intf->dev in
+service_outstanding_interrupt() even if WDM_DISCONNECTING was already set
+because desc->rlock or cancel_work_sync() prevents wdm_disconnect() from
+reaching list_del() before service_outstanding_interrupt() completes,
+let's not emit error message if WDM_DISCONNECTING is set by
+wdm_disconnect() while usb_submit_urb() is in progress.
+
+[1] https://syzkaller.appspot.com/bug?extid=9e04e2df4a32fb661daf
+
+Reported-by: syzbot
+Signed-off-by: Tetsuo Handa
+Cc: stable
+Link: https://lore.kernel.org/r/620e2ee0-b9a3-dbda-a25b-a93e0ed03ec5@i-love.sakura.ne.jp
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/class/cdc-wdm.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/class/cdc-wdm.c
++++ b/drivers/usb/class/cdc-wdm.c
+@@ -465,13 +465,23 @@ static int service_outstanding_interrupt
+ if (!desc->resp_count || !--desc->resp_count)
+ goto out;
+
++ if (test_bit(WDM_DISCONNECTING, &desc->flags)) {
++ rv = -ENODEV;
++ goto out;
++ }
++ if (test_bit(WDM_RESETTING, &desc->flags)) {
++ rv = -EIO;
++ goto out;
++ }
++
+ set_bit(WDM_RESPONDING, &desc->flags);
+ spin_unlock_irq(&desc->iuspin);
+ rv = usb_submit_urb(desc->response, GFP_KERNEL);
+ spin_lock_irq(&desc->iuspin);
+ if (rv) {
+- dev_err(&desc->intf->dev,
+- "usb_submit_urb failed with result %d\n", rv);
++ if (!test_bit(WDM_DISCONNECTING, &desc->flags))
++ dev_err(&desc->intf->dev,
++ "usb_submit_urb failed with result %d\n", rv);
+
+ /* make sure the next notification trigger a submit */
+ clear_bit(WDM_RESPONDING, &desc->flags);
+@@ -1026,9 +1036,9 @@ static void wdm_disconnect(struct usb_in
+ wake_up_all(&desc->wait);
+ mutex_lock(&desc->rlock);
+ mutex_lock(&desc->wlock);
+- kill_urbs(desc);
+ cancel_work_sync(&desc->rxwork);
+ cancel_work_sync(&desc->service_outs_intr);
++ kill_urbs(desc);
+ mutex_unlock(&desc->wlock);
+ mutex_unlock(&desc->rlock);
+
diff --git a/queue-5.4/usb-gadget-enable-super-speed-plus.patch b/queue-5.4/usb-gadget-enable-super-speed-plus.patch
new file mode 100644
index 00000000000..57c3ee61a9a
--- /dev/null
+++ b/queue-5.4/usb-gadget-enable-super-speed-plus.patch
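Review bot: The reordering in wdm_disconnect() makes the sequence `cancel_work_sync(&desc->service_outs_intr);` followed by `kill_urbs(desc);` load-bearing, but the code carries no comment saying so. Per the commit message, the work item can reach usb_submit_urb() on desc->response without holding desc->rlock, so killing the URBs first leaves a window in which one is submitted again after they were killed; a comment such as `/* cancel the work items first: they may resubmit desc->response, so kill_urbs() must run last */` would stop a later cleanup from restoring the old order. In service_outstanding_interrupt() the new WDM_DISCONNECTING and WDM_RESETTING tests run before `spin_unlock_irq(&desc->iuspin)`, so the flags can still change before usb_submit_urb() returns, and that case is covered only by the disconnect ordering and, on the read path, by desc->rlock. Both functions begin outside their hunks.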
@@ -0,0 +1,52 @@
+From e2459108b5a0604c4b472cae2b3cb8d3444c77fb Mon Sep 17 00:00:00 2001
+From: "taehyun.cho"
+Date: Thu, 7 Jan 2021 00:46:25 +0900
+Subject: usb: gadget: enable super speed plus
+
+From: taehyun.cho
+
+commit e2459108b5a0604c4b472cae2b3cb8d3444c77fb upstream.
+
+Enable Super speed plus in configfs to support USB3.1 Gen2.
+This ensures that when a USB gadget is plugged in, it is
+enumerated as Gen 2 and connected at 10 Gbps if the host and
+cable are capable of it.
+
+Many in-tree gadget functions (fs, midi, acm, ncm, mass_storage,
+etc.) already have SuperSpeed Plus support.
+
+Tested: plugged gadget into Linux host and saw:
+[284907.385986] usb 8-2: new SuperSpeedPlus Gen 2 USB device number 3 using xhci_hcd
+
+Tested-by: Lorenzo Colitti
+Acked-by: Felipe Balbi
+Signed-off-by: taehyun.cho
+Signed-off-by: Lorenzo Colitti
+Link: https://lore.kernel.org/r/20210106154625.2801030-1-lorenzo@google.com
+Cc: stable
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/gadget/configfs.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/gadget/configfs.c
++++ b/drivers/usb/gadget/configfs.c
+@@ -1505,7 +1505,7 @@ static const struct usb_gadget_driver co
+ .suspend = configfs_composite_suspend,
+ .resume = configfs_composite_resume,
+
+- .max_speed = USB_SPEED_SUPER,
++ .max_speed = USB_SPEED_SUPER_PLUS,
+ .driver = {
+ .owner = THIS_MODULE,
+ .name = "configfs-gadget",
+@@ -1545,7 +1545,7 @@ static struct config_group *gadgets_make
+ gi->composite.unbind = configfs_do_nothing;
+ gi->composite.suspend = NULL;
+ gi->composite.resume = NULL;
+- gi->composite.max_speed = USB_SPEED_SUPER;
++ gi->composite.max_speed = USB_SPEED_SUPER_PLUS;
+
+ spin_lock_init(&gi->spinlock);
+ mutex_init(&gi->lock);