Home Home > GIT Browse > SLE12-SP5-AZURE
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTakashi Iwai <tiwai@suse.de>2019-08-20 15:49:14 +0200
committerTakashi Iwai <tiwai@suse.de>2019-08-20 15:49:14 +0200
commit8c3e0060daae157e3f8d3b1766394d34f4c8bf4e (patch)
treec1c863ec8cde83087389e19d57afe0a67fb2aaa3
parentf2d253678e643e749c25560bf538b229e0e2560d (diff)
parentea8f73442c88c05fea0f158cafd4b0291cf914c9 (diff)
Merge branch 'users/oneukum/SLE15/for-next' into SLE15
Pull USB fixes from Oliver Neukum
-rw-r--r--patches.fixes/0001-USB-CDC-fix-sanity-checks-in-CDC-union-parser.patch45
-rw-r--r--patches.fixes/0001-usb-cdc-acm-make-sure-a-refcount-is-taken-early-enou.patch56
-rw-r--r--series.conf2
3 files changed, 103 insertions, 0 deletions
diff --git a/patches.fixes/0001-USB-CDC-fix-sanity-checks-in-CDC-union-parser.patch b/patches.fixes/0001-USB-CDC-fix-sanity-checks-in-CDC-union-parser.patch
new file mode 100644
index 0000000000..b3327c93f4
--- /dev/null
+++ b/patches.fixes/0001-USB-CDC-fix-sanity-checks-in-CDC-union-parser.patch
@@ -0,0 +1,45 @@
+From 54364278fb3cabdea51d6398b07c87415065b3fc Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Tue, 13 Aug 2019 11:35:41 +0200
+Subject: [PATCH] USB: CDC: fix sanity checks in CDC union parser
+Git-commit: 54364278fb3cabdea51d6398b07c87415065b3fc
+Patch-mainline: v5.3-rc5
+References: bsc#1142635
+
+A few checks checked for the size of the pointer to a structure
+instead of the structure itself. Copy & paste issue presumably.
+
+Fixes: e4c6fb7794982 ("usbnet: move the CDC parser into USB core")
+Cc: stable <stable@vger.kernel.org>
+Reported-by: syzbot+45a53506b65321c1fe91@syzkaller.appspotmail.com
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Link: https://lore.kernel.org/r/20190813093541.18889-1-oneukum@suse.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/core/message.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c
+index e844bb7b5676..5adf489428aa 100644
+--- a/drivers/usb/core/message.c
++++ b/drivers/usb/core/message.c
+@@ -2218,14 +2218,14 @@ int cdc_parse_cdc_header(struct usb_cdc_parsed_header *hdr,
+ (struct usb_cdc_dmm_desc *)buffer;
+ break;
+ case USB_CDC_MDLM_TYPE:
+- if (elength < sizeof(struct usb_cdc_mdlm_desc *))
++ if (elength < sizeof(struct usb_cdc_mdlm_desc))
+ goto next_desc;
+ if (desc)
+ return -EINVAL;
+ desc = (struct usb_cdc_mdlm_desc *)buffer;
+ break;
+ case USB_CDC_MDLM_DETAIL_TYPE:
+- if (elength < sizeof(struct usb_cdc_mdlm_detail_desc *))
++ if (elength < sizeof(struct usb_cdc_mdlm_detail_desc))
+ goto next_desc;
+ if (detail)
+ return -EINVAL;
+--
+2.16.4
+
diff --git a/patches.fixes/0001-usb-cdc-acm-make-sure-a-refcount-is-taken-early-enou.patch b/patches.fixes/0001-usb-cdc-acm-make-sure-a-refcount-is-taken-early-enou.patch
new file mode 100644
index 0000000000..a57409795f
--- /dev/null
+++ b/patches.fixes/0001-usb-cdc-acm-make-sure-a-refcount-is-taken-early-enou.patch
@@ -0,0 +1,56 @@
+From c52873e5a1ef72f845526d9f6a50704433f9c625 Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Thu, 8 Aug 2019 16:21:19 +0200
+Subject: [PATCH] usb: cdc-acm: make sure a refcount is taken early enough
+Git-commit: c52873e5a1ef72f845526d9f6a50704433f9c625
+Patch-mainline: v5.3-rc5
+References: bsc#1142635
+
+destroy() will decrement the refcount on the interface, so that
+it needs to be taken so early that it never undercounts.
+
+Fixes: 7fb57a019f94e ("USB: cdc-acm: Fix potential deadlock (lockdep warning)")
+Cc: stable <stable@vger.kernel.org>
+Reported-and-tested-by: syzbot+1b2449b7b5dc240d107a@syzkaller.appspotmail.com
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Link: https://lore.kernel.org/r/20190808142119.7998-1-oneukum@suse.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/class/cdc-acm.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -1342,10 +1342,6 @@ made_compressed_probe:
+ if (acm == NULL)
+ goto alloc_fail;
+
+- minor = acm_alloc_minor(acm);
+- if (minor < 0)
+- goto alloc_fail1;
+-
+ ctrlsize = usb_endpoint_maxp(epctrl);
+ readsize = usb_endpoint_maxp(epread) *
+ (quirks == SINGLE_RX_URB ? 1 : 2);
+@@ -1353,6 +1349,13 @@ made_compressed_probe:
+ acm->writesize = usb_endpoint_maxp(epwrite) * 20;
+ acm->control = control_interface;
+ acm->data = data_interface;
++
++ usb_get_intf(acm->control); /* undone in destruct() */
++
++ minor = acm_alloc_minor(acm);
++ if (minor < 0)
++ goto alloc_fail1;
++
+ acm->minor = minor;
+ acm->dev = usb_dev;
+ if (h.usb_cdc_acm_descriptor)
+@@ -1501,7 +1504,6 @@ skip_countries:
+ usb_driver_claim_interface(&acm_driver, data_interface, acm);
+ usb_set_intfdata(data_interface, acm);
+
+- usb_get_intf(control_interface);
+ tty_dev = tty_port_register_device(&acm->port, acm_tty_driver, minor,
+ &control_interface->dev);
+ if (IS_ERR(tty_dev)) {
diff --git a/series.conf b/series.conf
index 49d19d3a24..7da51cf3cb 100644
--- a/series.conf
+++ b/series.conf
@@ -23409,6 +23409,8 @@
patches.drivers/ALSA-usb-audio-Fix-an-OOB-bug-in-parse_audio_mixer_u.patch
patches.drivers/ALSA-usb-audio-Fix-a-stack-buffer-overflow-bug-in-ch.patch
patches.fixes/nvme-multipath-revalidate-nvme_ns_head-gendisk-in-nv.patch
+ patches.fixes/0001-usb-cdc-acm-make-sure-a-refcount-is-taken-early-enou.patch
+ patches.fixes/0001-USB-CDC-fix-sanity-checks-in-CDC-union-parser.patch
# dhowells/linux-fs keys-uefi
patches.suse/0001-KEYS-Allow-unrestricted-boot-time-addition-of-keys-t.patch