From 0d52953c7fbcbe7a9674fbe39964a8202200ce87 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Sat, 5 Jan 2019 09:36:59 +0100 Subject: [PATCH] 4.9-stable patches added patches: alsa-emu10k1-fix-potential-spectre-v1-vulnerabilities.patch alsa-emux-fix-potential-spectre-v1-vulnerabilities.patch alsa-hda-add-mute-led-support-for-hp-elitebook-840-g4.patch alsa-hda-tegra-clear-pending-irq-handlers.patch alsa-pcm-fix-potential-spectre-v1-vulnerability.patch alsa-rme9652-fix-potential-spectre-v1-vulnerability.patch mtd-atmel-quadspi-disallow-building-on-ebsa110.patch usb-r8a66597-fix-a-possible-concurrency-use-after-free-bug-in-r8a66597_endpoint_disable.patch usb-serial-option-add-fibocom-nl678-series.patch usb-serial-pl2303-add-ids-for-hewlett-packard-hp-pos-pole-displays.patch --- ...potential-spectre-v1-vulnerabilities.patch | 62 ++++++++++++++++ ...potential-spectre-v1-vulnerabilities.patch | 69 ++++++++++++++++++ ...-led-support-for-hp-elitebook-840-g4.patch | 36 ++++++++++ ...hda-tegra-clear-pending-irq-handlers.patch | 43 +++++++++++ ...x-potential-spectre-v1-vulnerability.patch | 51 +++++++++++++ ...x-potential-spectre-v1-vulnerability.patch | 71 +++++++++++++++++++ ...quadspi-disallow-building-on-ebsa110.patch | 46 ++++++++++++ queue-4.9/series | 10 +++ ...ree-bug-in-r8a66597_endpoint_disable.patch | 67 +++++++++++++++++ ...rial-option-add-fibocom-nl678-series.patch | 67 +++++++++++++++++ ...hewlett-packard-hp-pos-pole-displays.patch | 61 ++++++++++++++++ 11 files changed, 583 insertions(+) create mode 100644 queue-4.9/alsa-emu10k1-fix-potential-spectre-v1-vulnerabilities.patch create mode 100644 queue-4.9/alsa-emux-fix-potential-spectre-v1-vulnerabilities.patch create mode 100644 queue-4.9/alsa-hda-add-mute-led-support-for-hp-elitebook-840-g4.patch create mode 100644 queue-4.9/alsa-hda-tegra-clear-pending-irq-handlers.patch create mode 100644 queue-4.9/alsa-pcm-fix-potential-spectre-v1-vulnerability.patch create mode 100644 queue-4.9/alsa-rme9652-fix-potential-spectre-v1-vulnerability.patch create mode 100644 
queue-4.9/mtd-atmel-quadspi-disallow-building-on-ebsa110.patch create mode 100644 queue-4.9/usb-r8a66597-fix-a-possible-concurrency-use-after-free-bug-in-r8a66597_endpoint_disable.patch create mode 100644 queue-4.9/usb-serial-option-add-fibocom-nl678-series.patch create mode 100644 queue-4.9/usb-serial-pl2303-add-ids-for-hewlett-packard-hp-pos-pole-displays.patch
diff --git a/queue-4.9/alsa-emu10k1-fix-potential-spectre-v1-vulnerabilities.patch b/queue-4.9/alsa-emu10k1-fix-potential-spectre-v1-vulnerabilities.patch
new file mode 100644
index 00000000000..ae44706752a
--- /dev/null
+++ b/queue-4.9/alsa-emu10k1-fix-potential-spectre-v1-vulnerabilities.patch
@@ -0,0 +1,62 @@
+From 5ae4f61f012a097df93de2285070ec8e34716d29 Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva"
+Date: Tue, 18 Dec 2018 11:52:16 -0600
+Subject: ALSA: emu10k1: Fix potential Spectre v1 vulnerabilities
+
+From: Gustavo A. R. Silva
+
+commit 5ae4f61f012a097df93de2285070ec8e34716d29 upstream.
+
+ipcm->substream is indirectly controlled by user-space, hence leading to
+a potential exploitation of the Spectre variant 1 vulnerability.
+
+This issue was detected with the help of Smatch:
+
+sound/pci/emu10k1/emufx.c:1031 snd_emu10k1_ipcm_poke() warn: potential spectre issue 'emu->fx8010.pcm' [r] (local cap)
+sound/pci/emu10k1/emufx.c:1075 snd_emu10k1_ipcm_peek() warn: potential spectre issue 'emu->fx8010.pcm' [r] (local cap)
+
+Fix this by sanitizing ipcm->substream before using it to index emu->fx8010.pcm
+
+Notice that given that speculation windows are large, the policy is
+to kill the speculation on the first load and not worry if it can be
+completed with a dependent load/store [1].
+
+[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Gustavo A. R. Silva
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/pci/emu10k1/emufx.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/sound/pci/emu10k1/emufx.c
++++ b/sound/pci/emu10k1/emufx.c
+@@ -36,6 +36,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #include
+ #include
+@@ -1000,6 +1001,8 @@ static int snd_emu10k1_ipcm_poke(struct
+
+ if (ipcm->substream >= EMU10K1_FX8010_PCM_COUNT)
+ return -EINVAL;
++ ipcm->substream = array_index_nospec(ipcm->substream,
++ EMU10K1_FX8010_PCM_COUNT);
+ if (ipcm->channels > 32)
+ return -EINVAL;
+ pcm = &emu->fx8010.pcm[ipcm->substream];
+@@ -1046,6 +1049,8 @@ static int snd_emu10k1_ipcm_peek(struct
+
+ if (ipcm->substream >= EMU10K1_FX8010_PCM_COUNT)
+ return -EINVAL;
++ ipcm->substream = array_index_nospec(ipcm->substream,
++ EMU10K1_FX8010_PCM_COUNT);
+ pcm = &emu->fx8010.pcm[ipcm->substream];
+ mutex_lock(&emu->fx8010.lock);
+ spin_lock_irq(&emu->reg_lock);
diff --git a/queue-4.9/alsa-emux-fix-potential-spectre-v1-vulnerabilities.patch b/queue-4.9/alsa-emux-fix-potential-spectre-v1-vulnerabilities.patch
new file mode 100644
index 00000000000..3eded9009f1
--- /dev/null
+++ b/queue-4.9/alsa-emux-fix-potential-spectre-v1-vulnerabilities.patch
@@ -0,0 +1,69 @@
+From 4aea96f4237cea0c51a8bc87c0db31f0f932f1f0 Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva"
+Date: Wed, 12 Dec 2018 11:20:49 -0600
+Subject: ALSA: emux: Fix potential Spectre v1 vulnerabilities
+
+From: Gustavo A. R. Silva
+
+commit 4aea96f4237cea0c51a8bc87c0db31f0f932f1f0 upstream.
+
+info.mode and info.port are indirectly controlled by user-space,
+hence leading to a potential exploitation of the Spectre variant 1
+vulnerability.
+
+These issues were detected with the help of Smatch:
+
+sound/synth/emux/emux_hwdep.c:72 snd_emux_hwdep_misc_mode() warn: potential spectre issue 'emu->portptrs[i]->ctrls' [w] (local cap)
+sound/synth/emux/emux_hwdep.c:75 snd_emux_hwdep_misc_mode() warn: potential spectre issue 'emu->portptrs' [w] (local cap)
+sound/synth/emux/emux_hwdep.c:75 snd_emux_hwdep_misc_mode() warn: potential spectre issue 'emu->portptrs[info.port]->ctrls' [w] (local cap)
+
+Fix this by sanitizing both info.mode and info.port before using them
+to index emu->portptrs[i]->ctrls, emu->portptrs[info.port]->ctrls and
+emu->portptrs.
+
+Notice that given that speculation windows are large, the policy is
+to kill the speculation on the first load and not worry if it can be
+completed with a dependent load/store [1].
+
+[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
+
+Signed-off-by: Gustavo A. R. Silva
+Cc: stable@vger.kernel.org
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/synth/emux/emux_hwdep.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/sound/synth/emux/emux_hwdep.c
++++ b/sound/synth/emux/emux_hwdep.c
+@@ -22,9 +22,9 @@
+ #include
+ #include
+ #include
++#include
+ #include "emux_voice.h"
+
+-
+ #define TMP_CLIENT_ID 0x1001
+
+ /*
+@@ -66,13 +66,16 @@ snd_emux_hwdep_misc_mode(struct snd_emux
+ return -EFAULT;
+ if (info.mode < 0 || info.mode >= EMUX_MD_END)
+ return -EINVAL;
++ info.mode = array_index_nospec(info.mode, EMUX_MD_END);
+
+ if (info.port < 0) {
+ for (i = 0; i < emu->num_ports; i++)
+ emu->portptrs[i]->ctrls[info.mode] = info.value;
+ } else {
+- if (info.port < emu->num_ports)
++ if (info.port < emu->num_ports) {
++ info.port = array_index_nospec(info.port, emu->num_ports);
+ emu->portptrs[info.port]->ctrls[info.mode] = info.value;
++ }
+ }
+ return 0;
+ }
diff --git a/queue-4.9/alsa-hda-add-mute-led-support-for-hp-elitebook-840-g4.patch b/queue-4.9/alsa-hda-add-mute-led-support-for-hp-elitebook-840-g4.patch
new file mode 100644
index 00000000000..2ccf9ff5951
--- /dev/null
+++ b/queue-4.9/alsa-hda-add-mute-led-support-for-hp-elitebook-840-g4.patch
@@ -0,0 +1,36 @@
+From 40906ebe3af6a48457151b3c6726b480f6a6cb13 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Mantas=20Mikul=C4=97nas?=
+Date: Sun, 16 Dec 2018 15:44:47 +0200
+Subject: ALSA: hda: add mute LED support for HP EliteBook 840 G4
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mantas Mikulėnas
+
+commit 40906ebe3af6a48457151b3c6726b480f6a6cb13 upstream.
+
+Tested with 4.19.9.
+
+v2: Changed from CXT_FIXUP_MUTE_LED_GPIO to CXT_FIXUP_HP_DOCK because
+ that's what the existing fixups for EliteBooks use.
+
+Signed-off-by: Mantas Mikulėnas
+Cc:
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/pci/hda/patch_conexant.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_conexant.c
++++ b/sound/pci/hda/patch_conexant.c
+@@ -853,6 +853,7 @@ static const struct snd_pci_quirk cxt506
+ SND_PCI_QUIRK(0x103c, 0x8079, "HP EliteBook 840 G3", CXT_FIXUP_HP_DOCK),
+ SND_PCI_QUIRK(0x103c, 0x807C, "HP EliteBook 820 G3", CXT_FIXUP_HP_DOCK),
+ SND_PCI_QUIRK(0x103c, 0x80FD, "HP ProBook 640 G2", CXT_FIXUP_HP_DOCK),
++ SND_PCI_QUIRK(0x103c, 0x828c, "HP EliteBook 840 G4", CXT_FIXUP_HP_DOCK),
+ SND_PCI_QUIRK(0x103c, 0x83b3, "HP EliteBook 830 G5", CXT_FIXUP_HP_DOCK),
+ SND_PCI_QUIRK(0x103c, 0x83d3, "HP ProBook 640 G4", CXT_FIXUP_HP_DOCK),
+ SND_PCI_QUIRK(0x103c, 0x8174, "HP Spectre x360", CXT_FIXUP_HP_SPECTRE),
diff --git a/queue-4.9/alsa-hda-tegra-clear-pending-irq-handlers.patch b/queue-4.9/alsa-hda-tegra-clear-pending-irq-handlers.patch
new file mode 100644
index 00000000000..de68b5b334b
--- /dev/null
+++ b/queue-4.9/alsa-hda-tegra-clear-pending-irq-handlers.patch
@@ -0,0 +1,43 @@
+From 63d2a9ec310d8bcc955574220d4631aa55c1a80c Mon Sep 17 00:00:00 2001
+From: Sameer Pujar
+Date: Wed, 26 Dec 2018 16:04:49 +0530
+Subject: ALSA: hda/tegra: clear pending irq handlers
+
+From: Sameer Pujar
+
+commit 63d2a9ec310d8bcc955574220d4631aa55c1a80c upstream.
+
+Even after disabling interrupts on the module, it could be possible
+that irq handlers are still running. System hang is seen during
+suspend path. It was found that, there were pending writes on the
+HDA bus and clock was disabled by that time.
+
+Above mentioned issue is fixed by clearing any pending irq handlers
+before disabling clocks and returning from hda suspend.
+
+Suggested-by: Mohan Kumar
+Suggested-by: Dara Ramesh
+Signed-off-by: Sameer Pujar
+Cc:
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/pci/hda/hda_tegra.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/pci/hda/hda_tegra.c
++++ b/sound/pci/hda/hda_tegra.c
+@@ -249,10 +249,12 @@ static int hda_tegra_suspend(struct devi
+ struct snd_card *card = dev_get_drvdata(dev);
+ struct azx *chip = card->private_data;
+ struct hda_tegra *hda = container_of(chip, struct hda_tegra, chip);
++ struct hdac_bus *bus = azx_bus(chip);
+
+ snd_power_change_state(card, SNDRV_CTL_POWER_D3hot);
+
+ azx_stop_chip(chip);
++ synchronize_irq(bus->irq);
+ azx_enter_link_reset(chip);
+ hda_tegra_disable_clocks(hda);
+
diff --git a/queue-4.9/alsa-pcm-fix-potential-spectre-v1-vulnerability.patch b/queue-4.9/alsa-pcm-fix-potential-spectre-v1-vulnerability.patch
new file mode 100644
index 00000000000..458df714704
--- /dev/null
+++ b/queue-4.9/alsa-pcm-fix-potential-spectre-v1-vulnerability.patch
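Review bot: The new `synchronize_irq(bus->irq)` call in hda_tegra_suspend() depends on an ordering that the code does not state: it has to run after `azx_stop_chip()` and before `hda_tegra_disable_clocks()`. A one-line comment above the call would keep a later reorder from reintroducing the suspend hang, for example `/* wait for in-flight IRQ handlers before the clocks are disabled */`. The function body starts and ends outside the hunk.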
@@ -0,0 +1,51 @@
+From 94ffb030b6d31ec840bb811be455dd2e26a4f43e Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva"
+Date: Wed, 12 Dec 2018 15:36:28 -0600
+Subject: ALSA: pcm: Fix potential Spectre v1 vulnerability
+
+From: Gustavo A. R. Silva
+
+commit 94ffb030b6d31ec840bb811be455dd2e26a4f43e upstream.
+
+stream is indirectly controlled by user-space, hence leading to
+a potential exploitation of the Spectre variant 1 vulnerability.
+
+This issue was detected with the help of Smatch:
+
+sound/core/pcm.c:140 snd_pcm_control_ioctl() warn: potential spectre issue 'pcm->streams' [r] (local cap)
+
+Fix this by sanitizing stream before using it to index pcm->streams
+
+Notice that given that speculation windows are large, the policy is
+to kill the speculation on the first load and not worry if it can be
+completed with a dependent load/store [1].
+
+[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
+
+Signed-off-by: Gustavo A. R. Silva
+Cc: stable@vger.kernel.org
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/core/pcm.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/core/pcm.c
++++ b/sound/core/pcm.c
+@@ -25,6 +25,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -125,6 +126,7 @@ static int snd_pcm_control_ioctl(struct
+ return -EFAULT;
+ if (stream < 0 || stream > 1)
+ return -EINVAL;
++ stream = array_index_nospec(stream, 2);
+ if (get_user(subdevice, &info->subdevice))
+ return -EFAULT;
+ mutex_lock(®ister_mutex);
diff --git a/queue-4.9/alsa-rme9652-fix-potential-spectre-v1-vulnerability.patch b/queue-4.9/alsa-rme9652-fix-potential-spectre-v1-vulnerability.patch
new file mode 100644
index 00000000000..bc068ae47a3
--- /dev/null
+++ b/queue-4.9/alsa-rme9652-fix-potential-spectre-v1-vulnerability.patch
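Review bot: The bound in `array_index_nospec(stream, 2)` is a second bare literal that has to stay in step with the `stream > 1` test just above it in snd_pcm_control_ioctl(). Deriving the clamp from the stream enum keeps the architectural check and the speculative clamp from drifting apart if one of them is edited, e.g. `stream = array_index_nospec(stream, SNDRV_PCM_STREAM_LAST + 1);`. The function starts and ends outside the hunk.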
@@ -0,0 +1,71 @@
+From 0b84304ef5da92add8dc75a1b07879c5374cdb05 Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva"
+Date: Tue, 18 Dec 2018 11:18:34 -0600
+Subject: ALSA: rme9652: Fix potential Spectre v1 vulnerability
+
+From: Gustavo A. R. Silva
+
+commit 0b84304ef5da92add8dc75a1b07879c5374cdb05 upstream.
+
+info->channel is indirectly controlled by user-space, hence leading to
+a potential exploitation of the Spectre variant 1 vulnerability.
+
+This issue was detected with the help of Smatch:
+
+sound/pci/rme9652/hdsp.c:4100 snd_hdsp_channel_info() warn: potential spectre issue 'hdsp->channel_map' [r] (local cap)
+
+Fix this by sanitizing info->channel before using it to index hdsp->channel_map
+
+Notice that given that speculation windows are large, the policy is
+to kill the speculation on the first load and not worry if it can be
+completed with a dependent load/store [1].
+
+Also, notice that I refactored the code a bit in order to get rid of the
+following checkpatch warning:
+
+ERROR: do not use assignment in if condition
+FILE: sound/pci/rme9652/hdsp.c:4103:
+ if ((mapped_channel = hdsp->channel_map[info->channel]) < 0)
+
+[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Gustavo A. R. Silva
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/pci/rme9652/hdsp.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/sound/pci/rme9652/hdsp.c
++++ b/sound/pci/rme9652/hdsp.c
+@@ -30,6 +30,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #include
+ #include
+@@ -4065,15 +4066,16 @@ static int snd_hdsp_channel_info(struct
+ struct snd_pcm_channel_info *info)
+ {
+ struct hdsp *hdsp = snd_pcm_substream_chip(substream);
+- int mapped_channel;
++ unsigned int channel = info->channel;
+
+- if (snd_BUG_ON(info->channel >= hdsp->max_channels))
++ if (snd_BUG_ON(channel >= hdsp->max_channels))
+ return -EINVAL;
++ channel = array_index_nospec(channel, hdsp->max_channels);
+
+- if ((mapped_channel = hdsp->channel_map[info->channel]) < 0)
++ if (hdsp->channel_map[channel] < 0)
+ return -EINVAL;
+
+- info->offset = mapped_channel * HDSP_CHANNEL_BUFFER_BYTES;
++ info->offset = hdsp->channel_map[channel] * HDSP_CHANNEL_BUFFER_BYTES;
+ info->first = 0;
+ info->step = 32;
+ return 0;
diff --git a/queue-4.9/mtd-atmel-quadspi-disallow-building-on-ebsa110.patch b/queue-4.9/mtd-atmel-quadspi-disallow-building-on-ebsa110.patch
new file mode 100644
index 00000000000..622b7c0c873
--- /dev/null
+++ b/queue-4.9/mtd-atmel-quadspi-disallow-building-on-ebsa110.patch
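Review bot: After the refactor in snd_hdsp_channel_info(), `hdsp->channel_map[channel]` is loaded twice, once for the `< 0` test and again to compute `info->offset`, where the removed code validated and used a single `mapped_channel` value. No lock is taken in the visible lines, so if channel_map can be switched while this runs (to be confirmed against the rest of the driver), the second load may differ from the validated one and produce a negative offset. Keeping one local preserves the single read and still avoids the checkpatch warning: `int mapped_channel = hdsp->channel_map[channel];` followed by `if (mapped_channel < 0)` and `info->offset = mapped_channel * HDSP_CHANNEL_BUFFER_BYTES;`. The closing brace of the function is outside the hunk.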
@@ -0,0 +1,46 @@
+From 2a9d92fb3a1282a4659f1bb6d5684018846537b7 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann
+Date: Mon, 10 Dec 2018 21:38:16 +0100
+Subject: mtd: atmel-quadspi: disallow building on ebsa110
+
+From: Arnd Bergmann
+
+commit 2a9d92fb3a1282a4659f1bb6d5684018846537b7 upstream.
+
+I ran into a link-time error with the atmel-quadspi driver on the
+EBSA110 platform:
+
+drivers/mtd/built-in.o: In function `atmel_qspi_run_command':
+:(.text+0x1ee3c): undefined reference to `_memcpy_toio'
+:(.text+0x1ee48): undefined reference to `_memcpy_fromio'
+
+The problem is that _memcpy_toio/_memcpy_fromio are not available on
+that platform, and we have to prevent building the driver there.
+
+In case we want to backport this to older kernels: between linux-4.8
+and linux-4.20, the Kconfig entry was in drivers/mtd/spi-nor/Kconfig
+but had the same problem.
+
+Link: https://lore.kernel.org/patchwork/patch/812860/
+Fixes: 161aaab8a067 ("mtd: atmel-quadspi: add driver for Atmel QSPI controller")
+Signed-off-by: Arnd Bergmann
+Reviewed-by: Boris Brezillon
+Signed-off-by: Mark Brown
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/mtd/spi-nor/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mtd/spi-nor/Kconfig
++++ b/drivers/mtd/spi-nor/Kconfig
+@@ -31,7 +31,7 @@ config MTD_SPI_NOR_USE_4K_SECTORS
+
+ config SPI_ATMEL_QUADSPI
+ tristate "Atmel Quad SPI Controller"
+- depends on ARCH_AT91 || (ARM && COMPILE_TEST)
++ depends on ARCH_AT91 || (ARM && COMPILE_TEST && !ARCH_EBSA110)
+ depends on OF && HAS_IOMEM
+ help
+ This enables support for the Quad SPI controller in master mode.
diff --git a/queue-4.9/series b/queue-4.9/series
index e96777967dd..90476c3a351 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -27,3 +27,13 @@ net-mlx5e-remove-the-false-indication-of-software-timestamping-support.patch
 net-mlx5-typo-fix-in-del_sw_hw_rule.patch
 sock-make-sock-sk_stamp-thread-safe.patch
 ptr_ring-wrap-back-producer-in-__ptr_ring_swap_queue.patch
+alsa-rme9652-fix-potential-spectre-v1-vulnerability.patch
+alsa-emu10k1-fix-potential-spectre-v1-vulnerabilities.patch
+alsa-pcm-fix-potential-spectre-v1-vulnerability.patch
+alsa-emux-fix-potential-spectre-v1-vulnerabilities.patch
+mtd-atmel-quadspi-disallow-building-on-ebsa110.patch
+alsa-hda-add-mute-led-support-for-hp-elitebook-840-g4.patch
+alsa-hda-tegra-clear-pending-irq-handlers.patch
+usb-serial-pl2303-add-ids-for-hewlett-packard-hp-pos-pole-displays.patch
+usb-serial-option-add-fibocom-nl678-series.patch
+usb-r8a66597-fix-a-possible-concurrency-use-after-free-bug-in-r8a66597_endpoint_disable.patch
diff --git a/queue-4.9/usb-r8a66597-fix-a-possible-concurrency-use-after-free-bug-in-r8a66597_endpoint_disable.patch b/queue-4.9/usb-r8a66597-fix-a-possible-concurrency-use-after-free-bug-in-r8a66597_endpoint_disable.patch
new file mode 100644
index 00000000000..6bb995236bd
--- /dev/null
+++ b/queue-4.9/usb-r8a66597-fix-a-possible-concurrency-use-after-free-bug-in-r8a66597_endpoint_disable.patch
@@ -0,0 +1,67 @@
+From c85400f886e3d41e69966470879f635a2b50084c Mon Sep 17 00:00:00 2001
+From: Jia-Ju Bai
+Date: Tue, 18 Dec 2018 20:04:25 +0800
+Subject: usb: r8a66597: Fix a possible concurrency use-after-free bug in r8a66597_endpoint_disable()
+
+From: Jia-Ju Bai
+
+commit c85400f886e3d41e69966470879f635a2b50084c upstream.
+
+The function r8a66597_endpoint_disable() and r8a66597_urb_enqueue() may
+be concurrently executed.
+The two functions both access a possible shared variable "hep->hcpriv".
+
+This shared variable is freed by r8a66597_endpoint_disable() via the
+call path:
+r8a66597_endpoint_disable
+ kfree(hep->hcpriv) (line 1995 in Linux-4.19)
+
+This variable is read by r8a66597_urb_enqueue() via the call path:
+r8a66597_urb_enqueue
+ spin_lock_irqsave(&r8a66597->lock)
+ init_pipe_info
+ enable_r8a66597_pipe
+ pipe = hep->hcpriv (line 802 in Linux-4.19)
+
+The read operation is protected by a spinlock, but the free operation
+is not protected by this spinlock, thus a concurrency use-after-free bug
+may occur.
+
+To fix this bug, the spin-lock and spin-unlock function calls in
+r8a66597_endpoint_disable() are moved to protect the free operation.
+
+Signed-off-by: Jia-Ju Bai
+Cc: stable
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/host/r8a66597-hcd.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/host/r8a66597-hcd.c
++++ b/drivers/usb/host/r8a66597-hcd.c
+@@ -1990,6 +1990,8 @@ static int r8a66597_urb_dequeue(struct u
+
+ static void r8a66597_endpoint_disable(struct usb_hcd *hcd,
+ struct usb_host_endpoint *hep)
++__acquires(r8a66597->lock)
++__releases(r8a66597->lock)
+ {
+ struct r8a66597 *r8a66597 = hcd_to_r8a66597(hcd);
+ struct r8a66597_pipe *pipe = (struct r8a66597_pipe *)hep->hcpriv;
+@@ -2002,13 +2004,14 @@ static void r8a66597_endpoint_disable(st
+ return;
+ pipenum = pipe->info.pipenum;
+
++ spin_lock_irqsave(&r8a66597->lock, flags);
+ if (pipenum == 0) {
+ kfree(hep->hcpriv);
+ hep->hcpriv = NULL;
++ spin_unlock_irqrestore(&r8a66597->lock, flags);
+ return;
+ }
+
+- spin_lock_irqsave(&r8a66597->lock, flags);
+ pipe_stop(r8a66597, pipe);
+ pipe_irq_disable(r8a66597, pipenum);
+ disable_irq_empty(r8a66597, pipenum);
diff --git a/queue-4.9/usb-serial-option-add-fibocom-nl678-series.patch b/queue-4.9/usb-serial-option-add-fibocom-nl678-series.patch
new file mode 100644
index 00000000000..953ad559fe6
--- /dev/null
+++ b/queue-4.9/usb-serial-option-add-fibocom-nl678-series.patch
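Review bot: In r8a66597_endpoint_disable() `pipe` is still loaded from `hep->hcpriv` in its declaration and dereferenced for `pipe->info.pipenum` before the relocated `spin_lock_irqsave()`, so the lock now covers the `kfree()` but not the read that decides what gets freed. If hcpriv can be cleared or freed by another path in that window (the commit message treats it as shared state), the early-return test above the hunk and the pipenum read act on a stale pointer. Taking the lock first and reading `hep->hcpriv` under it, with an unlock on the early-return path, would close that window. The added `__acquires`/`__releases` pair also looks unnecessary for a function that both takes and drops the lock itself. The function continues past the end of the hunk.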
@@ -0,0 +1,67 @@
+From 4b2c01ad902ec02fa962b233decd2f14be3714ba Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?J=C3=B6rgen=20Storvist?=
+Date: Fri, 21 Dec 2018 14:40:44 +0100
+Subject: USB: serial: option: add Fibocom NL678 series
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jörgen Storvist
+
+commit 4b2c01ad902ec02fa962b233decd2f14be3714ba upstream.
+
+Added USB serial option driver support for Fibocom NL678 series cellular
+module: VID 2cb7 and PIDs 0x0104 and 0x0105.
+Reserved network and ADB interfaces.
+
+T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 2 Spd=480 MxCh= 0
+D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
+P: Vendor=2cb7 ProdID=0104 Rev=03.10
+S: Manufacturer=Fibocom
+S: Product=Fibocom NL678-E Modem
+S: SerialNumber=12345678
+C: #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
+I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
+I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
+I: If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
+
+T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 3 Spd=480 MxCh= 0
+D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
+P: Vendor=2cb7 ProdID=0105 Rev=03.10
+S: Manufacturer=Fibocom
+S: Product=Fibocom NL678-E Modem
+S: SerialNumber=12345678
+C: #Ifs= 7 Cfg#= 1 Atr=a0 MxPwr=500mA
+I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
+I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#= 4 Alt= 0 #EPs= 1 Cls=02(commc) Sub=06 Prot=00 Driver=cdc_ether
+I: If#= 5 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_ether
+I: If#= 6 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
+
+Signed-off-by: Jörgen Storvist
+Cc: stable
+Acked-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/serial/option.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -1956,6 +1956,10 @@ static const struct usb_device_id option
+ { USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0xa31d, 0xff, 0x06, 0x1b) },
+ { USB_DEVICE(0x1508, 0x1001), /* Fibocom NL668 */
+ .driver_info = RSVD(4) | RSVD(5) | RSVD(6) },
++ { USB_DEVICE(0x2cb7, 0x0104), /* Fibocom NL678 series */
++ .driver_info = RSVD(4) | RSVD(5) },
++ { USB_DEVICE_INTERFACE_CLASS(0x2cb7, 0x0105, 0xff), /* Fibocom NL678 series */
++ .driver_info = RSVD(6) },
+ { } /* Terminating entry */
+ };
+ MODULE_DEVICE_TABLE(usb, option_ids);
diff --git a/queue-4.9/usb-serial-pl2303-add-ids-for-hewlett-packard-hp-pos-pole-displays.patch b/queue-4.9/usb-serial-pl2303-add-ids-for-hewlett-packard-hp-pos-pole-displays.patch
new file mode 100644
index 00000000000..8b1043b2f2f
--- /dev/null
+++ b/queue-4.9/usb-serial-pl2303-add-ids-for-hewlett-packard-hp-pos-pole-displays.patch
@@ -0,0 +1,61 @@
+From 8d503f206c336677954160ac62f0c7d9c219cd89 Mon Sep 17 00:00:00 2001
+From: Scott Chen
+Date: Thu, 13 Dec 2018 06:01:47 -0500
+Subject: USB: serial: pl2303: add ids for Hewlett-Packard HP POS pole displays
+
+From: Scott Chen
+
+commit 8d503f206c336677954160ac62f0c7d9c219cd89 upstream.
+
+Add device ids to pl2303 for the HP POS pole displays:
+LM920: 03f0:026b
+TD620: 03f0:0956
+LD960TA: 03f0:4439
+LD220TA: 03f0:4349
+LM940: 03f0:5039
+
+Signed-off-by: Scott Chen
+Cc: stable
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/serial/pl2303.c | 5 +++++
+ drivers/usb/serial/pl2303.h | 5 +++++
+ 2 files changed, 10 insertions(+)
+
+--- a/drivers/usb/serial/pl2303.c
++++ b/drivers/usb/serial/pl2303.c
+@@ -86,9 +86,14 @@ static const struct usb_device_id id_tab
+ { USB_DEVICE(YCCABLE_VENDOR_ID, YCCABLE_PRODUCT_ID) },
+ { USB_DEVICE(SUPERIAL_VENDOR_ID, SUPERIAL_PRODUCT_ID) },
+ { USB_DEVICE(HP_VENDOR_ID, HP_LD220_PRODUCT_ID) },
++ { USB_DEVICE(HP_VENDOR_ID, HP_LD220TA_PRODUCT_ID) },
+ { USB_DEVICE(HP_VENDOR_ID, HP_LD960_PRODUCT_ID) },
++ { USB_DEVICE(HP_VENDOR_ID, HP_LD960TA_PRODUCT_ID) },
+ { USB_DEVICE(HP_VENDOR_ID, HP_LCM220_PRODUCT_ID) },
+ { USB_DEVICE(HP_VENDOR_ID, HP_LCM960_PRODUCT_ID) },
++ { USB_DEVICE(HP_VENDOR_ID, HP_LM920_PRODUCT_ID) },
++ { USB_DEVICE(HP_VENDOR_ID, HP_LM940_PRODUCT_ID) },
++ { USB_DEVICE(HP_VENDOR_ID, HP_TD620_PRODUCT_ID) },
+ { USB_DEVICE(CRESSI_VENDOR_ID, CRESSI_EDY_PRODUCT_ID) },
+ { USB_DEVICE(ZEAGLE_VENDOR_ID, ZEAGLE_N2ITION3_PRODUCT_ID) },
+ { USB_DEVICE(SONY_VENDOR_ID, SONY_QN3USB_PRODUCT_ID) },
+--- a/drivers/usb/serial/pl2303.h
++++ b/drivers/usb/serial/pl2303.h
+@@ -123,10 +123,15 @@
+
+ /* Hewlett-Packard POS Pole Displays */
+ #define HP_VENDOR_ID 0x03f0
++#define HP_LM920_PRODUCT_ID 0x026b
++#define HP_TD620_PRODUCT_ID 0x0956
+ #define HP_LD960_PRODUCT_ID 0x0b39
+ #define HP_LCM220_PRODUCT_ID 0x3139
+ #define HP_LCM960_PRODUCT_ID 0x3239
+ #define HP_LD220_PRODUCT_ID 0x3524
++#define HP_LD220TA_PRODUCT_ID 0x4349
++#define HP_LD960TA_PRODUCT_ID 0x4439
++#define HP_LM940_PRODUCT_ID 0x5039
+
+ /* Cressi Edy (diving computer) PC interface */
+ #define CRESSI_VENDOR_ID 0x04b8
-- 2.47.3